[Swan] VPN setup

Michael Schwartzkopff ms at sys4.de
Mon Jan 19 20:21:39 EET 2015


On Monday, 19 January 2015, 13:41:14, Darko Luketic wrote:
> Hello,
> 
> I'm not sure if ipsec/libreswan is the way to go.
> 
> What I want is 2 (or more) servers to share the same private subnet.

No. IPsec is a layer 3 protocol. You can connect two networks. What you are 
looking for is a layer2 tunnel over a layer3 network. I would suggest that 
you have a look at

 http://lartc.org/howto/lartc.tunnel.gre.html

Additionally you could (and perhaps you should) encrypt the traffic of the GRE 
tunnel. Here IPsec and StrongS/WAN can help you.

 
> Let's take the 2 servers scenario for starters.
> 
> Both servers have 1 public ipv4 address and a /64 ipv6 prefix.
> Both servers should share the same private subnet. 10.0.0.0
> s1 should have 10.0.0.1
> s2 should have 10.0.0.2
> (and likewise sX should have 10.0.0.X for 4,6,8... servers)
> 
> I'm not sure where to start or what the configuration should be.
> 
> I have created hostkeys on both
> s1s2.conf
> ###
> config setup
>         protostack=netkey
> 
> conn s1s2
>         leftid=@s1 #does this need the fqdn?
>         left=publicIPv4_of_s1
>         leftrsasigkey=theleftkey_s1
>         rightid=@s2 #or is this just an internal identifier?
>         right=publicIPv4_of_s2
>         rightrsasigkey=therightkey_s2
>         authby=rsasig
>         auto=add
> ###
> 
> I'm not sure how to proceed next.
> 
> So the end result should be something like:
> mongodb replicaset_s1s2 listen 10.0.0.1:27017 & 10.0.0.2:27017
> website1 service listen 10.0.0.1:10000 10.0.0.2:10000
> So I can have nginx listening on s1_public_IPs & s2_public_IPs
> and this should load balance to 10.0.0.1:10000 & 10.0.0.2:10000
> and those should likewise connect to 10.0.0.1:27017 & 10.0.0.2:27017
> so I don't need TLS overhead for DB connections.
> ^ this is just to visualize what I had in mind, so that it's clear why I
> need a specific subnet for each server
> 
> And the next question is,
> let's say I expand those 2 servers to 3 ( because mongodb needs an
> arbiter, a 3rd server to decide who's the primary and replica)
> and the 3rd server should be part of the VPN as 10.0.0.3


Perhaps a loadbalancer is what you are looking for?

Kind regards,

Michael Schwartzkopff

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein

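As an added example (not part of this thread and not libreswan's own documentation), the following shell script prints the ip(8) commands that build a GRE tunnel carrying the 10.0.0.0/24 subnet between s1 and s2 over their public addresses, together with a libreswan conn that encrypts only the GRE traffic (IP protocol 47) between the two endpoints in transport mode, as Michael suggests. The public addresses and key values reuse the placeholders from Darko's configuration; the conn name, the MTU and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example: GRE tunnel for the shared 10.0.0.0/24 subnet, protected by a
# libreswan transport-mode IPsec conn. Placeholders (publicIPv4_of_s1,
# theleftkey_s1, ...) come from the thread; DRY_RUN=1 (default) only prints.

# Print the ip(8) commands that create the GRE tunnel on one host.
# $1 = local public IPv4, $2 = remote public IPv4, $3 = this host's 10.0.0.X
gre_cmds() {
  printf 'ip tunnel add gre1 mode gre local %s remote %s ttl 255\n' "$1" "$2"
  printf 'ip addr add %s/24 dev gre1\n' "$3"
  printf 'ip link set gre1 mtu 1400 up\n'   # leave room for GRE + ESP headers
}

# Print a libreswan conn that encrypts GRE (protocol 47) between the two public
# addresses in transport mode; the RSA key placeholders are those of the thread.
# $1 = left host name, $2 = right host name, $3 = left IPv4, $4 = right IPv4
ipsec_conn() {
  cat <<EOF
conn gre-$1-$2
        type=transport
        left=$3
        leftid=@$1
        leftrsasigkey=theleftkey_$1
        leftprotoport=47
        right=$4
        rightid=@$2
        rightrsasigkey=therightkey_$2
        rightprotoport=47
        authby=rsasig
        auto=start
EOF
}

# Run the tunnel commands (needs root) unless DRY_RUN=1, in which case each
# command is echoed with a "+ " prefix so it can be reviewed first.
apply_gre() {
  gre_cmds "$@" | while read -r line; do
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "+ $line"; else eval "$line"; fi
  done
}

# Host s1 (10.0.0.1) talking to s2 (10.0.0.2) over their public addresses;
# s2 runs the same with the arguments swapped and 10.0.0.2.
apply_gre publicIPv4_of_s1 publicIPv4_of_s2 10.0.0.1
ipsec_conn s1 s2 publicIPv4_of_s1 publicIPv4_of_s2
```

The conn sits next to the existing `config setup` section in ipsec.conf; each further server (s3 as 10.0.0.3, and so on) needs its own GRE tunnel and conn pair to every peer, since GRE is point-to-point.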
