OpenVPN IP Scheme

As a proposal for a VPN IP address scheme, an organized mapping of tun interface IPs within the reserved VPN IP block is needed to make managing the tunnels easier. Direct tunnels off shared tun devices are still untested, so the ability to map them efficiently and logically would be most preferred.

The PTPnet IP block 10.11.255.0/24 is already reserved for this purpose. At this basic stage of the network the IP addresses are simply paired off between the core servers and the "SuperNodes". Since each SuperNode will require its own tunnel to each core server, I believe it would be a good idea to group the IP addresses belonging to each SuperNode. Note that this example applies only to the links between the core servers and each SuperNode.

Example:

Core Servers          SuperNodes

SuperNode 1:
10.11.255.1    <=>    10.11.255.6
10.11.255.2    <=>    10.11.255.7
10.11.255.3    <=>    10.11.255.8
10.11.255.4    <=>    10.11.255.9

SuperNode 2:
10.11.255.11   <=>    10.11.255.16
10.11.255.12   <=>    10.11.255.17
10.11.255.13   <=>    10.11.255.18
10.11.255.14   <=>    10.11.255.19

SuperNode 3:
10.11.255.21   <=>    10.11.255.26
10.11.255.22   <=>    10.11.255.27
10.11.255.23   <=>    10.11.255.28
10.11.255.24   <=>    10.11.255.29


Now, reserving roughly 10 IP addresses for each SuperNode may seem excessive, but allowing for up to 5 core servers (only 3 are in use now, but the ability to add two extra servers is good planning) and counting in steps of 10 between SuperNodes lets an administrator easily work out which SuperNode the core servers are tunneled to just from the IP pair. This is done by taking the base IP for the server (example: 10.11.255.x1) and adding 5 to it (giving 10.11.255.x6).

Another reason to leave extra IP pairs available between the group of Core IPs and SuperNode IPs is failsafe tunnels: if direct links via wireless or a different ISP were provided, additional tunnels could be made between the SuperNodes and the Core Servers.

This scheme scales up to 25 SuperNodes within the existing VPN IP block, which should be plenty for the initial setup of the core VPN network. Thinking ahead, having more than 25 SuperNodes is a possibility, so reserving a few extra 24-bit subnets may have to be considered. ZeroConf is also an option if the tun interfaces are tested with it in an OpenVPN tunnel.

Testing of sharing the same tun interface IP is not complete, but having one reserved VPN IP per Node is the best solution, with those IPs negotiated via ZeroConf to reduce maintenance of the VPN tunnels. The IP addresses in the reserved VPN subnet would not be routable IPs but would serve as gateway IPs for the subnets on the far end of the VPN tunnel. Routes to the destination subnets would be configured via iBGP, allowing the VPN tunnels to be assigned dynamically and the routes then set up by BGP.
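As an added example (not part of the original page, and not the PTPnet project's own tooling), the following Python script encodes the mapping described above: SuperNode n owns the run of 10 host addresses starting at (n-1)*10+1, the core servers take the first five of them, and each SuperNode end is the core end plus 5. It also performs the reverse lookup an administrator would otherwise do by hand, checks that a full allocation of 25 SuperNodes by 5 core servers produces no duplicate addresses, and emits the OpenVPN point-to-point "ifconfig <local> <remote>" directive for one tunnel end. The function names, and the assumption that the spare addresses .251 through .254 stay unallocated, are mine.

```python
import ipaddress

# Constants describing the scheme proposed on this page (constructed here).
VPN_BLOCK = ipaddress.ip_network("10.11.255.0/24")  # reserved PTPnet block
SLOTS_PER_SUPERNODE = 10      # each SuperNode owns a run of 10 host addresses
MAX_CORE_SERVERS = 5          # 3 in use today, 2 reserved for growth
SUPERNODE_OFFSET = 5          # SuperNode end = core end + 5


def max_supernodes(block=VPN_BLOCK):
    """How many SuperNodes fit in the block (network and broadcast excluded)."""
    usable_hosts = block.num_addresses - 2
    return usable_hosts // SLOTS_PER_SUPERNODE


def tunnel_pair(supernode, core_server, block=VPN_BLOCK):
    """Return (core_ip, supernode_ip) for one core <=> SuperNode tunnel."""
    if not 1 <= supernode <= max_supernodes(block):
        raise ValueError(f"SuperNode {supernode} does not fit in {block}")
    if not 1 <= core_server <= MAX_CORE_SERVERS:
        raise ValueError(f"core server index {core_server} out of range")
    base = (supernode - 1) * SLOTS_PER_SUPERNODE
    core_ip = block.network_address + base + core_server
    supernode_ip = core_ip + SUPERNODE_OFFSET
    return str(core_ip), str(supernode_ip)


def identify(ip, block=VPN_BLOCK):
    """Reverse lookup: which (supernode, core_server, side) owns this address?"""
    addr = ipaddress.ip_address(ip)
    if addr not in block:
        raise ValueError(f"{ip} is not in {block}")
    host = int(addr) - int(block.network_address)   # 0..255 for a /24
    if host == 0:
        raise ValueError(f"{ip} is the network address")
    index, slot = divmod(host - 1, SLOTS_PER_SUPERNODE)
    supernode = index + 1
    if supernode > max_supernodes(block):
        # .251-.254 and the broadcast address are outside the scheme
        raise ValueError(f"{ip} is outside the allocated SuperNode range")
    side = "core" if slot < SUPERNODE_OFFSET else "supernode"
    core_server = slot % SUPERNODE_OFFSET + 1
    return supernode, core_server, side


def peer_of(ip, block=VPN_BLOCK):
    """Given one tunnel endpoint, return the address at the other end."""
    supernode, core_server, side = identify(ip, block)
    core_ip, supernode_ip = tunnel_pair(supernode, core_server, block)
    return supernode_ip if side == "core" else core_ip


def allocation_table(block=VPN_BLOCK, core_servers=MAX_CORE_SERVERS):
    """Every (supernode, core_server, core_ip, supernode_ip) row in the block."""
    rows = []
    for sn in range(1, max_supernodes(block) + 1):
        for core in range(1, core_servers + 1):
            rows.append((sn, core) + tunnel_pair(sn, core, block))
    return rows


def no_collisions(rows):
    """Sanity check: no address is handed out twice across the whole table."""
    addrs = [ip for row in rows for ip in row[2:]]
    return len(addrs) == len(set(addrs))


def openvpn_ifconfig(supernode, core_server, side, block=VPN_BLOCK):
    """OpenVPN point-to-point 'ifconfig <local> <remote>' line for one end."""
    core_ip, supernode_ip = tunnel_pair(supernode, core_server, block)
    if side == "core":
        local, remote = core_ip, supernode_ip
    else:
        local, remote = supernode_ip, core_ip
    return f"ifconfig {local} {remote}"


if __name__ == "__main__":
    # Print the first three SuperNodes with the 3 core servers in use today.
    for sn, core, core_ip, sn_ip in allocation_table(core_servers=3)[:9]:
        print(f"SuperNode {sn} core {core}: {core_ip:<14} <=> {sn_ip}")
    print(openvpn_ifconfig(2, 1, "core"))
    print("collision-free:", no_collisions(allocation_table()))
```

The reverse lookup is the part worth keeping at hand during an incident: given only a tunnel endpoint seen in a log or a routing table, identify() names the SuperNode, the core server and which end of the tunnel it is, and peer_of() gives the address that should be on the other side.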

References:

http://openvpn.sourceforge.net/

http://www.quagga.net/

http://www.zeroconf.org/

OpenvpnNamingScheme

OpenvpnPortScheme


Created By: JimmySchmierbach


CategorySoftware

OpenvpnIpScheme (last edited 2007-11-23 18:01:00 by localhost)