libresh / libre.sh

Moved to https://lab.libreho.st/libre.sh/compose.libre.sh
GNU Affero General Public License v3.0

VPN #110

Closed pierreozoux closed 8 years ago

pierreozoux commented 8 years ago

To have #109 we need to have a VPN.

I think about tinc.

Here are some useful resources:

http://tinc-vpn.org/documentation-1.1/
https://www.digitalocean.com/community/tutorials/how-to-install-tinc-and-set-up-a-basic-vpn-on-ubuntu-14-04
https://gist.github.com/pierreozoux/0f5751e500fa0592eefc (more docker specific, but could be interesting)
https://github.com/botto/docker-tinc
https://github.com/discordianfish/tinc-docker
https://github.com/JensErat/docker-tinc

pierreozoux commented 8 years ago

@almereyda the vpn discussion is here :)

Can you tell me the conclusion of these links:

My secret dream is to have a small tinc configuration that configures a network the way kubernetes wants it :)

almereyda commented 8 years ago

Oh, hadn't seen it before. Seems we're still quite close. Had k8s once on a Raspi cluster, but this was still configured with flannel.

No, the gist is just that it worked out with relatively few hours of approaching it. But in the end it was @mrstibbons who made it work.

[almereyda@neocortex EFnet] $ pwd
/home/almereyda/.config/hexchat/scrollback/EFnet
[almereyda@neocortex EFnet] $ cat \#cjdns.txt | grep tinc
T 1462397237 <almereyd> And how does it compare to tinc?
T 1462397331 <ircerr> does tinc work on raw ethernet frames? or prevent spoofing? or allow others to join w/ unique keys and passwords per link but not share a master pass or key?

But why do I have the intuition cjdns can play a viable role here?

almereyda commented 8 years ago

Also would we differentiate between the internal overlay network, and a VPN appliance to log in from 3rd parties? Not talking about different subnets, but different technologies (to maintain).

There's a bit more to see in https://github.com/stars/almereyda?utf8=%E2%9C%93&q=vpn

pierreozoux commented 8 years ago

I didn't know cjdns, looks cool indeed. I think tinc can do it, and looks easy to configure (still need some public key infrastructure).

I have to play around with cjdns to have a better opinion.

About the purpose, it is definitely for the internal overlay. The original issue is just that ceph doesn't encrypt, so if we want ceph, we need to deploy it on top of a VPN. And they used tinc, which looks like cool stuff: https://www.irit.fr/~Jean-Denis.Durou/PUBLICATIONS/mmedia_2015.pdf
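The "ceph on top of a tinc overlay" setup discussed in this thread, as an added example that is not part of the thread or of the libre.sh repository: a POSIX shell script that writes a tinc 1.0-style node configuration (tinc.conf, a hosts/ entry, tinc-up/tinc-down). The network name cephnet, the overlay 10.42.0.0/24, the node names and the 203.0.113.x addresses are all invented for the example; key generation is left to tincd and only shown in a comment, and StrictSubnets is the tinc option that addresses the "prevent spoofing?" question quoted from IRC above.

```shell
#!/bin/sh
# Added example (not code from libre.sh or the thread): generate a minimal
# tinc node configuration for an encrypted overlay that Ceph can run on.
# Assumptions: tinc 1.0-style config files, network name "cephnet", overlay
# 10.42.0.0/24, router mode with one /32 per node. Key generation is left to
# tincd and is only shown in a comment.
set -eu

NETNAME=cephnet
OVERLAY_PREFIX=24

# make_tinc_node NAME PUBLIC_ADDR OVERLAY_IP OUTDIR [CONNECT_TO]
# Writes OUTDIR/tinc.conf, OUTDIR/hosts/NAME, OUTDIR/tinc-up, OUTDIR/tinc-down.
make_tinc_node() {
    name=$1; pub=$2; vip=$3; out=$4; peer=${5:-}
    mkdir -p "$out/hosts"

    {
        echo "Name = $name"
        echo "Mode = router"          # route per-node /32s instead of bridging L2
        echo "StrictSubnets = yes"    # ignore Subnet claims not in a local hosts file
        echo "Port = 655"
        if [ -n "$peer" ]; then
            echo "ConnectTo = $peer"  # bootstrap through this node; mesh forms after
        fi
    } > "$out/tinc.conf"

    # Host file: what other nodes learn about us. The RSA public key is
    # appended by "tincd -n $NETNAME -c $out -K" (tinc 1.0) and must be copied
    # into every other node's hosts/ directory; that copying is the PKI work.
    {
        echo "Address = $pub"
        echo "Subnet = $vip/32"
        echo "Cipher = aes-256-cbc"   # tinc 1.0 defaults to blowfish/sha1
        echo "Digest = sha256"
    } > "$out/hosts/$name"

    cat > "$out/tinc-up" <<EOF
#!/bin/sh
# tincd sets \$INTERFACE to the tun device it created
ip link set "\$INTERFACE" up
ip addr add $vip/$OVERLAY_PREFIX dev "\$INTERFACE"
EOF
    cat > "$out/tinc-down" <<EOF
#!/bin/sh
ip link set "\$INTERFACE" down
EOF
    chmod 755 "$out/tinc-up" "$out/tinc-down"
    chmod 700 "$out"          # rsa_key.priv will live here
}

# tinc_node_subnets OUTDIR: list the Subnet claims this node will accept.
# With StrictSubnets = yes, a peer announcing any subnet that is not in one
# of the local hosts files is ignored.
tinc_node_subnets() {
    sed -n 's/^Subnet = //p' "$1"/hosts/*
}

# Demo: run as "sh tinc-overlay.sh demo" to build two nodes under /tmp.
if [ "${1:-}" = demo ]; then
    make_tinc_node node1 203.0.113.10 10.42.0.1 "/tmp/$NETNAME/node1"
    make_tinc_node node2 203.0.113.11 10.42.0.2 "/tmp/$NETNAME/node2" node1
    tinc_node_subnets "/tmp/$NETNAME/node2"
fi
```

After generating keys on each node (tinc 1.0: `tincd -n cephnet -K`; tinc 1.1: `tinc -n cephnet init <name>`) and exchanging the hosts/ files, Ceph is pointed at the overlay by setting `public_network` and `cluster_network` in ceph.conf to 10.42.0.0/24, so OSD and monitor traffic only ever crosses the tinc tunnel. With tinc 1.1 and its SPTPS protocol the Cipher/Digest lines are ignored; they only matter for the 1.0 legacy protocol.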

pierreozoux commented 8 years ago

Ok, I think we'll use swarm: https://github.com/docker/swarm/issues/1458