
GoVPN, Vpn-WS #7

Open cpu opened 7 years ago

cpu commented 7 years ago

Suggested by @gsdu8g9 in https://github.com/jlund/streisand/issues/536

The author of govpn said that it works in China. http://www.govpn.info/Modes-of-operation.html https://github.com/stargrave/govpn

Also this vpn looks interesting. But I am not sure that it will work everywhere. https://github.com/unbit/vpn-ws

damko commented 6 years ago

I've been playing a little with tinc recently.

I've tested tinc with the 2 different Android clients available on Android 7 (LineageOS on several OnePlus). TincApp works on Android 7; however, it cannot be set as an "always on" VPN, unlike OpenVPN. This alone can be a problem.

Despite this I believe that there is at least one case making Tinc really valuable in the Streisand project. I will explain below.

I've tested the mesh network generated by Tinc and I have to say that it's pretty simple to set up and works well (in version 1; I expect even better results in 1.1).

Showcase: Alice uses Streisand to connect to the internet and also has some VPSs (A and B) providing services which should be accessed only through VPN. Let's say that her provider, like Digital Ocean, offers a Shared Private Network among all the VPSs located in the same webfarm/area. This means that all the traffic going through the VPSs is not counted nor billed. This said, Alice might want to run a Tinc inside Streisand and bind it to the internal network device provided by the ISP. The same for VPS A and B, so that a secure mesh network will be established between the 3 VPSs. Once the proper routing is set, Alice would connect to her Streisand server through any of the available VPNs and from there she would access her VPS A or B via the tinc network without increasing her networking consumption.

cpu commented 6 years ago

@damko That sounds interesting but complex and a fair deviation from the services/deployment model of the existing project. I would encourage you to experiment with a fork of Streisand and see what the diff ends up looking like. Maybe I overestimate the complexity and a running demo with an associated PR would make things clearer.

damko commented 6 years ago

It's definitely not as complex as it might seem. Basically, in this scenario, Streisand acts as a gateway for a mesh network made of N nodes. Each node can provide services (e.g. Nextcloud) to the mesh network provided by tinc. The client connects to Streisand through any VPN and from there accesses any node in the mesh. Nothing complicated and nothing that REQUIRES tinc. Fact is, though, many ISPs (like DO) provide an internal network interface which is not metered and which can route traffic (unprotected) to any node belonging to the same webfarm. Considering that it's quite hard to use tinc from a client (e.g. OpenVPN works much better than tinc on Android), I think it would be nice to bind tinc to Streisand's internal network interface so that it can securely communicate with any other host in the same webfarm. Tell me if it's clear.

Yes, I'm currently experimenting on this. If I get to something interesting I will post back.
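The gateway layout damko describes (tinc bound to the provider's private interface on the Streisand host, peers reached only over that unmetered network, VPN clients routed into the mesh from there) can be sketched as a tinc 1.0-style configuration. The script below is an added example written for this thread, not code from Streisand, tinc or any commenter; the node names (streisand, vpsA), the private addresses in 10.132.0.0/16, the mesh subnet 10.20.0.0/24 and the config root are all constructed assumptions. The security-relevant choice is `BindToAddress`: the daemon listens on the private address only, so the mesh is never exposed on the public interface, while tinc encrypts the traffic that the shared private network itself carries in the clear.

```shell
#!/bin/sh
# Added example (not from the thread): generate a tinc config for a Streisand
# gateway node that joins a mesh over the provider's private interface.
# All names, addresses and paths are constructed assumptions.

# write_tinc_gateway_config DIR NAME PRIVATE_IP MESH_CIDR
#   DIR        config root, e.g. /etc/tinc/mesh (assumed path)
#   NAME       this node's tinc name, e.g. streisand
#   PRIVATE_IP address on the provider's private interface (eth1 on DO-style hosts)
#   MESH_CIDR  this node's address inside the mesh with prefix, e.g. 10.20.0.1/24
write_tinc_gateway_config() {
  dir="$1"; name="$2"; private_ip="$3"; mesh_cidr="$4"
  mesh_ip="${mesh_cidr%/*}"
  mkdir -p "$dir/hosts"

  # tinc.conf: router mode, and BindToAddress pins the listener to the
  # private address so nothing is reachable via the public interface.
  cat > "$dir/tinc.conf" <<EOF
Name = $name
Mode = router
Interface = tinc0
AddressFamily = ipv4
BindToAddress = $private_ip
EOF

  # Own host file: peers connect to the private address; Subnet is the single
  # /32 announced into the mesh. The RSA public key is appended by
  # "tincd -n <netname> -K" and is deliberately not generated here.
  cat > "$dir/hosts/$name" <<EOF
Address = $private_ip
Port = 655
Subnet = ${mesh_ip}/32
EOF

  # tinc-up: tinc exports \$INTERFACE; assign the mesh address on it.
  # IP forwarding and the route from the client-facing VPN into the mesh
  # are left to the gateway's existing firewall policy.
  cat > "$dir/tinc-up" <<EOF
#!/bin/sh
ip addr add $mesh_cidr dev \$INTERFACE
ip link set \$INTERFACE up
EOF
  chmod 755 "$dir/tinc-up"
}

# add_mesh_peer DIR PEER_NAME PEER_PRIVATE_IP PEER_MESH_IP
# Registers another VPS in the mesh: a ConnectTo line plus its host file.
add_mesh_peer() {
  dir="$1"; peer="$2"; peer_private_ip="$3"; peer_mesh_ip="$4"
  printf 'ConnectTo = %s\n' "$peer" >> "$dir/tinc.conf"
  cat > "$dir/hosts/$peer" <<EOF
Address = $peer_private_ip
Port = 655
Subnet = ${peer_mesh_ip}/32
EOF
}

# tinc_bind_address DIR: print the address tinc.conf binds to (empty if none),
# a quick check that the daemon will not listen on the public interface.
tinc_bind_address() {
  sed -n 's/^BindToAddress = //p' "$1/tinc.conf"
}

# Stand-alone demo with constructed values, written to a temporary directory.
demo_dir=$(mktemp -d)
write_tinc_gateway_config "$demo_dir" streisand 10.132.0.5 10.20.0.1/24
add_mesh_peer "$demo_dir" vpsA 10.132.0.6 10.20.0.2
add_mesh_peer "$demo_dir" vpsB 10.132.0.7 10.20.0.3
echo "tinc listens on: $(tinc_bind_address "$demo_dir")"
cat "$demo_dir/tinc.conf"
```

VPS A and B get the mirror-image configuration with their own `Name`, private address and mesh /32; the host files are then exchanged between all three nodes. On the Streisand host, the client-facing VPN's address range still needs a route into 10.20.0.0/24 via tinc0, and the firewall rules must permit forwarding between the two interfaces, which the script intentionally leaves to the existing Streisand policy.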