A big dynamic VPN
dn42 is essentially what we want to set up, albeit much, much larger.
They use tunnels for the peering (OpenVPN, WireGuard, GRE, etc.), BGP for routing, and private AS numbers.
We can cannibalize most of what they have; I'll summarize here.
Requirements
- One router running 24/7. Any Linux box can be turned into a router (even OpenWRT home routers!).
- Can establish a tunnel. Not too hard, but dn42 does note that that traffic may be filtered.
- Are generally knowledgeable about networking (right, right, yep, definitely). They mainly say you should have heard of BGP/routing and are willing to set things up.
Actually connecting
There's a registry that needs some "objects" in it. It's just a git repo! So we can essentially just copy them or be inspired by them (don't need things to be automated that heavily just yet).
I didn't want to create an account to look at the repo just yet, but here's a summary from the page.
There are:
- maintainer objects, which are authenticated so that only you can edit them.
- person objects, which describe people or orgs (too much for us for now).
- resource objects, which are AS numbers, subnets, DNS zones, etc. The meat and potatoes of what we're doing.
Auth is done through SSH or PGP keys and it looks like it's checked on each commit. I guess resource objects are just signed by a special key and that's it...? We can use our peering keys for this if we want (bad idea?).
So in order you:
- Create a maintainer object that has auth keys.
- Create a person object. I think we'd skip this.
- Choose and register an AS number. We should choose an empty range and just use values in there.
- Register an IPv6 prefix.
- Create a route object which lets you announce your prefix to others. This is I believe more of an auth step, so it may not be as necessary for us. (?)
Now you just need to peer!
- Just means you need to establish tunnels.
Then you gotta speak BGP with your peers. They have a guide for BIRD that we will probably heavily use. Doesn't look too bad... (right)
Then you just need to configure DNS. They recommend hosting your own for security and privacy reasons. We can think about what we want to do. We could use anycast and get some DNS reliability out of it, that'd be pretty interesting.
Conclusion
Seems pretty doable! Definitely should manually peer for now with a couple of us, then maybe spec out some way to automate peering and go from there.
Time to get a cheap Linux box in some cloud now...