[Swan] VPN setup
Darko Luketic
info at icod.de
Mon Jan 19 14:41:14 EET 2015
Hello,
I'm not sure if ipsec/libreswan is the way to go.
What I want is 2 (or more) servers to share the same private subnet.
Let's take the 2 servers scenario for starters.
Both servers have 1 public ipv4 address and a /64 ipv6 prefix.
Both servers should share the same private subnet. 10.0.0.0
s1 should have 10.0.0.1
s2 should have 10.0.0.2
(and likewise sX should have 10.0.0.X for 4,6,8... servers)
I'm not sure where to start or what the configuration should be.
I have created hostkeys on both
s1s2.conf
###
config setup
    protostack=netkey

conn s1s2
    leftid=@s1 # does this need the fqdn?
    left=publicIPv4_of_s1
    leftrsasigkey=theleftkey_s1
    rightid=@s2 # or is this just an internal identifier?
    right=publicIPv4_of_s2
    rightrsasigkey=therightkey_s2
    authby=rsasig
    auto=add
###
I'm not sure how to proceed next.
So the end result should be something like:
mongodb replicaset_s1s2 listen 10.0.0.1:27017 & 10.0.0.2:27017
website1 service listen 10.0.0.1:10000 10.0.0.2:10000
So I can have nginx listening on s1_public_IPs & s2_public_IPs
and this should load balance to 10.0.0.1:10000 & 10.0.0.2:10000
and those should likewise connect to 10.0.0.1:27017 & 10.0.0.2:27017
so I don't need TLS overhead for DB connections.
^ this is just to visualize what I had in mind, so that it's clear why I
need a specific subnet for each server
And the next question is,
let's say I expand those 2 servers to 3 (because mongodb needs an
arbiter, a 3rd server to decide who's the primary and replica)
and the 3rd server should be part of the VPN as 10.0.0.3
What would the configuration look like?
Do I need to assign the IPs before starting ipsec?
And what if I'd like one server to have both 10.0.0.3 and 10.0.0.4?
--
Best regards
Darko Luketic
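An added example, not part of the original post, of how this two-host layout is commonly written in libreswan: each side declares its own private address as a /32 subnet and names it as the tunnel source, so only traffic between 10.0.0.1 and 10.0.0.2 enters the tunnel and a third server is just another conn with its own /32. The public IPs and key values are the post's placeholders; the assumption that the updown script adds a missing sourceip address to the interface should be checked against the installed libreswan version.

```ini
# ipsec.conf, identical on every server (libreswan reads the conn
# from whichever side matches its own public address)
config setup
    protostack=netkey

# Settings shared by every host-to-host conn in this mesh
conn mesh-defaults
    authby=rsasig
    type=tunnel
    # start the tunnel at ipsec startup instead of only loading it
    auto=start

# s1 <-> s2: private addresses are carried inside the ESP tunnel
conn s1s2
    also=mesh-defaults
    left=publicIPv4_of_s1
    leftid=@s1                 # arbitrary id, must match the peer's rightid
    leftrsasigkey=theleftkey_s1
    leftsubnet=10.0.0.1/32     # traffic selector: only this address
    leftsourceip=10.0.0.1      # assumption: updown adds it to the interface if absent
    right=publicIPv4_of_s2
    rightid=@s2
    rightrsasigkey=therightkey_s2
    rightsubnet=10.0.0.2/32
    rightsourceip=10.0.0.2

# Adding the arbiter as 10.0.0.3 is one more conn per peer; s2 <-> s3
# would be a third conn built the same way
conn s1s3
    also=mesh-defaults
    left=publicIPv4_of_s1
    leftid=@s1
    leftrsasigkey=theleftkey_s1
    leftsubnet=10.0.0.1/32
    leftsourceip=10.0.0.1
    right=publicIPv4_of_s3         # placeholder
    rightid=@s3
    rightrsasigkey=therightkey_s3  # placeholder
    rightsubnet=10.0.0.3/32
    rightsourceip=10.0.0.3
```

Because the kernel installs matching inbound and outbound XFRM policies for each /32 pair, plaintext packets claiming a 10.0.0.x source are dropped rather than accepted, which is what lets the database and backend ports bound to those addresses skip their own TLS. A server that needs two private addresses gets one /32 conn per address (or one conn with a CIDR block covering both) on each peer.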