Riccardo Giuntoli EA4343URE edited this page May 30, 2022 · 1 revision

OpenBSD "guerrilla" services network

A fully configured, secure-by-default, encrypted network: a concept for a stack of services bound together using virtual routing domains and tables.

Especially focused on security at every level of the ISO/OSI stack.

Theory behind

Concepts and layouts.

Political Map

In my project I consider the Earth divided into three big groups whose extent is determined by longitude:

# $long holds the host longitude as an integer; the last matching test wins,
# so the shared boundaries -60 and 60 end up in groups 34 and 56 respectively.
[ "$long" -ge -180 ] && [ "$long" -le -60 ] && group=12
[ "$long" -ge -60 ] && [ "$long" -le 60 ] && group=34
[ "$long" -ge 60 ] && [ "$long" -le 180 ] && group=56

These are referred to either by their number or by a name:

  • 12, west
  • 34, center
  • 56, east

The network is an IKEv2-based full-mesh layout: every host is connected to all the others.

Network layout

For example, the flows installed on one host:

flow esp in proto gre from 65.20.98.172 to 78.141.201.0 peer 65.20.98.172 srcid ASN1_DN//C=UK/ST=England/L=London/CN=uk.telecomlobby.com dstid ASN1_DN//C=ES/ST=Madrid/L=Madrid/O=Telecom Lobby/OU=VPNC/CN=choopa.telecomlobby.com type require
flow esp in proto gre from 94.72.143.163 to 78.141.201.0 peer 94.72.143.163 srcid ASN1_DN//C=UK/ST=England/L=London/CN=uk.telecomlobby.com dstid ASN1_DN//C=BG/ST=Lovech/L=Troyan/O=Telecom Lobby/OU=VPNC/CN=bg.telecomlobby.com type require
flow esp in proto gre from 139.180.165.223 to 78.141.201.0 peer 139.180.165.223 srcid ASN1_DN//C=UK/ST=England/L=London/CN=uk.telecomlobby.com dstid ASN1_DN//C=AU/ST=New South Wales/L=Sidney/CN=au.telecomlobby.com type require
flow esp in proto gre from 139.180.206.19 to 78.141.201.0 peer 139.180.206.19 srcid ASN1_DN//C=UK/ST=England/L=London/CN=uk.telecomlobby.com dstid ASN1_DN//C=JP/ST=Tokyo/L=Heiwajima/CN=jp.telecomlobby.com type require
flow esp in proto gre from 155.138.247.27 to 78.141.201.0 peer 155.138.247.27 srcid ASN1_DN//C=UK/ST=England/L=London/CN=uk.telecomlobby.com dstid ASN1_DN//C=US/ST=Texas/L=Dallas/O=Telecom Lobby/OU=VPNC/CN=us.telecomlobby.com type require
flow esp in proto gre from 216.238.100.26 to 78.141.201.0 peer 216.238.100.26 srcid ASN1_DN//C=UK/ST=England/L=London/CN=uk.telecomlobby.com dstid ASN1_DN//C=BR/ST=Sao Paulo/L=Sao Paulo/O=Telecom Lobby/OU=VPNC/CN=br.telecomlobby.com type require
flow esp out proto gre from 78.141.201.0 to 65.20.98.172 peer 65.20.98.172 srcid ASN1_DN//C=UK/ST=England/L=London/CN=uk.telecomlobby.com dstid ASN1_DN//C=ES/ST=Madrid/L=Madrid/O=Telecom Lobby/OU=VPNC/CN=choopa.telecomlobby.com type require
flow esp out proto gre from 78.141.201.0 to 94.72.143.163 peer 94.72.143.163 srcid ASN1_DN//C=UK/ST=England/L=London/CN=uk.telecomlobby.com dstid ASN1_DN//C=BG/ST=Lovech/L=Troyan/O=Telecom Lobby/OU=VPNC/CN=bg.telecomlobby.com type require
flow esp out proto gre from 78.141.201.0 to 139.180.165.223 peer 139.180.165.223 srcid ASN1_DN//C=UK/ST=England/L=London/CN=uk.telecomlobby.com dstid ASN1_DN//C=AU/ST=New South Wales/L=Sidney/CN=au.telecomlobby.com type require
flow esp out proto gre from 78.141.201.0 to 139.180.206.19 peer 139.180.206.19 srcid ASN1_DN//C=UK/ST=England/L=London/CN=uk.telecomlobby.com dstid ASN1_DN//C=JP/ST=Tokyo/L=Heiwajima/CN=jp.telecomlobby.com type require
flow esp out proto gre from 78.141.201.0 to 155.138.247.27 peer 155.138.247.27 srcid ASN1_DN//C=UK/ST=England/L=London/CN=uk.telecomlobby.com dstid ASN1_DN//C=US/ST=Texas/L=Dallas/O=Telecom Lobby/OU=VPNC/CN=us.telecomlobby.com type require
flow esp out proto gre from 78.141.201.0 to 216.238.100.26 peer 216.238.100.26 srcid ASN1_DN//C=UK/ST=England/L=London/CN=uk.telecomlobby.com dstid ASN1_DN//C=BR/ST=Sao Paulo/L=Sao Paulo/O=Telecom Lobby/OU=VPNC/CN=br.telecomlobby.com type require
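As an added check, not part of the original page, the following Python script parses flow lines in the `ipsecctl -sf` format shown above and verifies that they form the intended mesh: every expected peer must have one inbound and one outbound `proto gre ... type require` flow with the right endpoints and a dstid whose CN is that peer's. The three sample lines are copied from the listing for two peers, with the outbound flow to bg.telecomlobby.com deliberately left out; the local IP, the peer table and the line format are my assumptions.

```python
import re

# Constructed sample: two peers from the listing, outbound bg flow intentionally missing.
LOCAL_IP = "78.141.201.0"
PEERS = {"65.20.98.172": "choopa.telecomlobby.com", "94.72.143.163": "bg.telecomlobby.com"}
SAMPLE_FLOWS = """\
flow esp in proto gre from 65.20.98.172 to 78.141.201.0 peer 65.20.98.172 srcid ASN1_DN//C=UK/ST=England/L=London/CN=uk.telecomlobby.com dstid ASN1_DN//C=ES/ST=Madrid/L=Madrid/O=Telecom Lobby/OU=VPNC/CN=choopa.telecomlobby.com type require
flow esp out proto gre from 78.141.201.0 to 65.20.98.172 peer 65.20.98.172 srcid ASN1_DN//C=UK/ST=England/L=London/CN=uk.telecomlobby.com dstid ASN1_DN//C=ES/ST=Madrid/L=Madrid/O=Telecom Lobby/OU=VPNC/CN=choopa.telecomlobby.com type require
flow esp in proto gre from 94.72.143.163 to 78.141.201.0 peer 94.72.143.163 srcid ASN1_DN//C=UK/ST=England/L=London/CN=uk.telecomlobby.com dstid ASN1_DN//C=BG/ST=Lovech/L=Troyan/O=Telecom Lobby/OU=VPNC/CN=bg.telecomlobby.com type require
"""

# One flow line as printed by `ipsecctl -sf` for iked-installed flows; identities may contain spaces.
FLOW_RE = re.compile(
    r"^flow esp (?P<dir>in|out) proto (?P<proto>\S+) from (?P<src>\S+) to (?P<dst>\S+) "
    r"peer (?P<peer>\S+) srcid (?P<srcid>.+?) dstid (?P<dstid>.+?) type (?P<type>\S+)$"
)

def parse_flows(text):
    """Parse flow lines into dicts, failing loudly on any line the regex does not recognise."""
    matches = [FLOW_RE.match(l.strip()) for l in text.splitlines() if l.strip()]
    if not all(matches):
        raise ValueError("unparseable flow line present")
    return [m.groupdict() for m in matches]

# CN attribute of an ASN1_DN//... identity string, or None when absent.
def cn_of(dn):
    m = re.search(r"/CN=([^/]+)$", dn)
    return m.group(1) if m else None

def check_mesh(text, local_ip, peers):
    """Return the problems found; an empty list means the SPD matches the intended full mesh.
    `peers` maps each remote IP to the CN expected in that peer's identity (the dstid)."""
    problems, seen = [], set()
    for f in parse_flows(text):
        ip, d = f["peer"], f["dir"]
        if ip not in peers:
            problems.append(f"unexpected peer {ip}")
            continue
        seen.add((ip, d))
        if (f["src"], f["dst"]) != ((ip, local_ip) if d == "in" else (local_ip, ip)):
            problems.append(f"{d} flow for {ip} has wrong endpoints")
        if f["proto"] != "gre" or f["type"] != "require":
            problems.append(f"{d} flow for {ip} is not 'proto gre ... type require'")
        if cn_of(f["dstid"]) != peers[ip]:
            problems.append(f"{d} flow for {ip} has unexpected dstid {f['dstid']}")
    problems += [f"missing {d} flow for {ip}" for ip in peers for d in ("in", "out") if (ip, d) not in seen]
    return problems
```

Calling `check_mesh(SAMPLE_FLOWS, LOCAL_IP, PEERS)` on the constructed sample reports only the missing outbound flow to 94.72.143.163.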

When we rent a VPS instance from a provider we have to understand that it is a virtual machine guest, normally qemu driven, that runs as a process of a KVM server, normally Linux based, perhaps clustered with others that pool resources such as CPU, GPU, networking and storage, administered by a host operating system, Xen or similar, that resides in a physical rack in a data center; the data center itself is normally part of an Internet exchange point to guarantee good BGP peering.

On top of this we add more abstraction to an already very complicated environment. In our design concept a VPS is considered as divided into different routing domains, rdomain(4) as they are known in OpenBSD. It is important to understand that there are some fixed rdomains in our design with specific functions:

  • rdomain 0: IKEv2 service.
  • rdomain 1: OSPFv2 stub area 1.1.1.1.
  • rdomain 2: GRE tunnels, local networks and OSPFv2 backbone area 0.0.0.0.
  • rdomain 3: WG tunnels, LTE appliance connections and OSPFv2 area 3.3.3.3.
  • rdomain id greater than 10: isolated Internet services.
  • rdomain id greater than 100: isolated services rented to the public.
