16

I have my personal VPN, connecting several devices so they can have fixed IP addresses on an always-reachable network (as long as they are connected to the Internet). This is necessary for me, since my devices can be on the move, on different and unpredictable networks (4G network cellphone, laptop at university, home server at home), and I have a backup server that needs to connect to them (and sometimes, I also have to).

I am also thinking about installing something like syncthing, which may also benefit from lower latencies and closer nodes.

Also, I'm lazy, and I like to play/pause the music playing on my home server from my smartphone, that might not be on the same network (it should, but it isn't always the case).

This means I have one OpenVPN server, and the openvpn client running on every device. They all connect to the server, and any traffic from any two nodes has to go through the server, which is relatively far away, and has a very limited throughput. This means latency and slowness. And when I press the "Pause" button, it can take up to 10 seconds to actually pause the music. Even if both nodes are actually on the same LAN (since they talk through the VPN). Meh.

Ideally, there should exist some way of creating a VPN that was able to find shortest paths between nodes, and attempt to connect them directly. Something like the way Skype worked with supernodes?

While the server is far away from here, one of the nodes has a public IP address, and can be reached by the other nodes. It could act as a server for them - even if it isn't the server itself, although it would be a better choice for some nodes.

I imagine I could do something akin to run both a client and a server, and bridge them on that node, but that doesn't look elegant. It's hackish, it complicates the PKI, it splits the VPN. I don't like it.

While I could use a simple VPN like PPTP that really doesn't ensure the communications are secure, I decided I didn't want to bother configuring Bacula to encrypt the connections between the nodes, which means that traffic is plain inside the VPN. The VPN encapsulation is the only security, so it shouldn't be weak. However, anything that solves the "mesh"-like VPN without confidentiality would already be a good start - I'd make sure the traffic started going through SSL/TLS.

This looks like a problem that someone else might've had, and solved by now. Is there anything like this?

There's also the chance I'm looking at this the wrong way, but so far it looks like the best approach to ensure I can always connect to any of my devices remotely, no matter where I am, or they are.

5 Answers

7

I'm not sure whether it completely fulfils your needs, but you should probably take a look at tinc: http://www.tinc-vpn.org/. It quite closely matches the mesh network orchestrated by a central server as you described, but I'm not sure whether it will succeed in discovering peers in your local network.

Steffan Karger
4

The easiest mesh vpn I have found and used is PeerVPN (http://www.peervpn.net/).

PeerVPN Features

  • Ethernet tunneling support using TAP devices.
  • IPv6 support.
  • Full mesh network topology.
  • Automatically builds tunnels through firewalls and NATs without any further setup (for example, port forwarding).
  • Shared key encryption and authentication support.

Configuration is simple: one config file you edit, and for a basic mesh VPN there are only 6 settings you need to specify. See the PeerVPN tutorial, which is only 1 page: http://www.peervpn.net/tutorial/

The PSK encryption/authentication key can be up to 512 bits (64 bytes).

I've set peervpn up so far on multiple remote servers and it works very well. Also, there is no requirement for a "super-node" as you may encounter in other mesh vpn implementations.

Nodes in PeerVPN learn about newly added nodes to the VPN automatically, with no need to change configurations. Node-to-node traffic is also direct and not through some central VPN hub.

Note: read the default peervpn.conf file to learn about a lot of other options you "can" take advantage of. But for the basic mesh VPN, as I stated, you only need to set 6 options (name of VPN, PSK, local tunnel endpoint IP address, interface "name" you want to see/use on your Linux system, and port number to use for "that" VPN ... note you can use PeerVPN for multiple independent VPNs on a server).

bmullan
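As an added illustration of the six-setting configuration this answer describes (this is not code from the answer or from the PeerVPN project): a POSIX shell script that generates a 64-byte PSK, the maximum size the answer gives, from /dev/urandom and writes a minimal peervpn.conf restricted to the owner. The option names (networkname, psk, ifconfig4, interface, port, initpeers) are assumed from the PeerVPN tutorial and should be checked against the shipped default peervpn.conf; the network name, tunnel address, interface name and initial peer are constructed placeholders.

```shell
#!/bin/sh
# Generate a PeerVPN pre-shared key and a minimal six-option peervpn.conf.
# Option names are assumed from the PeerVPN tutorial, not taken from this page.

# Emit 64 printable random characters (64 bytes, the maximum PSK size the
# answer gives). Restricting to alphanumerics keeps the key safe to paste
# into the plain-text config file.
gen_psk() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 64
}

# write_conf PATH NETWORKNAME PSK TUNNEL_IPV4/PREFIX IFNAME UDP_PORT "PEERHOST PEERPORT"
# Writes exactly the six settings a basic mesh needs and makes the file
# owner-readable only, since it carries the key that protects all VPN traffic.
write_conf() {
    conf="$1"
    cat > "$conf" <<EOF
networkname $2
psk $3
ifconfig4 $4
interface $5
port $6
initpeers $7
EOF
    chmod 600 "$conf"
}

# Convenience wrapper for one node: same network name, PSK and port on every
# node, a distinct tunnel address per node, and at least one already-reachable
# peer so the new node can join and learn the rest of the mesh.
make_node_conf() {
    # $1 = output path, $2 = PSK, $3 = tunnel IPv4/prefix for this node
    write_conf "$1" "EXAMPLENET" "$2" "$3" "peervpn0" "7000" "vpn.example.invalid 7000"
}
```

Run `gen_psk` once and distribute the same key to every node (over an already-authenticated channel such as SSH), then call `make_node_conf /etc/peervpn.conf "$PSK" 10.8.0.N/24` on each node with its own address.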
1

Nebula was released in late 2019 by Slack, and provides a VPN-like mesh overlay network.

Tailscale also launched in early 2019, using WireGuard as its data plane.

ZeroTier launched in 2015.

For something a little more old-school and proprietary:

lid
0

You definitely need to check out https://mysterium.network/

Mysterium is building a decentralised P2P VPN and other tools that allow you to browse the internet freely, earn by sharing your connection, and build censorship-resistant applications.

0

I had the exact same problem years ago. I had ~30 offices that all needed to be able to directly communicate, but they were set up in a 'hub-and-spoke' configuration. I wrote a tool in Python to automatically generate the n x (n-1)/2 number of connections in OpenVPN between the offices. Later on I added in support for RIP routing between the sites after a bizarre Comcast issue where one office could see all the others, but not the main office. Finally I added the ability to auto-generate reverse DNS for the link IPs and the ability to push the packages out to each router.

Take a look at OpenMesher. Just this morning I decided to dust it off for an upcoming project. Hopefully it does what you want. If not, feel free to submit an issue and I'll help.

Aaron C. de Bruyn