Network/VPN

From 31C3_Public_Wiki
Jump to: navigation, search

VPN for Congress Everywhere

Current status

  • 2014-12-17, 01:00 UTC: VPN box up & running, software being installed and network connection being established. Signup not running yet.

What'll be available?

There will be VPN again this year. As last year, this is a set services:

(note "IP" refers to "IPv4 and IPv6")

  • IP VPN for event locations, including an assignment of Congress public IP space
  • Ethernet VPN for event locations, including an assignment of Congress public IP space
  • dn42 peerings with your own dn42/ChaosVPN IP space

Restrictions

The same rules as with the normal guest Network apply. Note that we can't guarantee availability or quality of service.

You will be asked what kind of event you're doing in what kind of location, in particular related to assignment of Congress IP space. This is supposed to be a service for public spaces around the world where hackers can go meet up, watch a talk or two while drinking some mate tea, and hack on stuff. Your home couch is not eligible. You may still get a tunnel and IPv6 space, but probably not IPv4 space.

Service types

IP VPN

This is:

  • IP over GRE (with IPsec hopefully)
  • IP over OpenVPN (tun mode)

This is layer 3/IP VPN, using a tunnel between the Congress VPN box and your hackerspace to do IP routing. You need to do your own routing at the far end of the tunnel. You also need to run your own DHCP server.

Note that the Congress VPN box is inside the congress network, so you will need to configure some special routing -- otherwise it'll loop the tunnel inside the tunnel inside the tunnel inside ...

Ethernet VPN

This is:

  • Ethernet over GRE (again IPsec hopefully), sometimes called "GREtap"
  • Ethernet over OpenVPN (tap mode)

This is a layer 2 service, meaning you bridge your LAN/WLAN directly onto the tunnel. You don't need to do routing, and you need to switch off any other DHCP servers running on your LAN/WLAN. The bridge/tunnel endpoint needs to have IP connectivity towards the Congress VPN box.

dn42

This is a variation of "IP VPN", where we run a BGP session over the tunnel. You need to have a dn42 ASN and dn42 or ChaosVPN IP space. If you have that, you should already know what to do. The ASN used for Congress will probably be 64600.

Things we cannot/will not do

  • ChaosVPN - sorry, we don't know the tinc ChaosVPN infrastructure well enough
  • accepting your public IP ranges - too much work to verify these
  • L2TP VPN - too much hassle to set up
  • PPTP VPN - the 90s called, they want their insecure VPN back
  • SSL VPN - just no.
Retrieved from "/congress/2014/wiki/index.php?title=Static:Network/VPN&oldid=6142"