E2E VPN

[darkdrgn2k]

^{This initial comment is collaborative and open to modification by all.}

Task Summary

🎟️ Re-ticketed from: #
📅 Due date: N/A
🎯 Success criteria: Arrive at model for E2E VPN Criteria

...

To Do

• [ ] Hardware
• [ ] VPN server deployment

[darkdrgn2k]

Idea for EXIT NODE + VPN SERVICE model

Route a IP address at the exit node past the exit node. Have every exit node do this.

In this model when connecting to a WireGuard instance

• VPN asks for the IP that does not exist on the mesh
• Babeld takes you out to the nearest exit node to egress traffic (0.0.0.0)
• Exit Node has a static route to the VPN's ip address sitting on the other side of the node

Since BABELD has no knowledge of the SPECIFIC IP address its routing to (its just routing to 0.0.0.0), each exit node can route to its own companion VPN with the same IP address making it transparent for the user.

Things to consider

• what happens when an exit node without a VPN companion springs up
• Deal with KEY exchange (generating client-side keys)

[benhylau]

Discussed this with @darkdrgn2k @ASoTNetworks it sounds like the work involved is:

• Figure out legal liabilities with running an Internet exit not as an ISP, then it can go in two directions:
  1. Running our own
     • Procure server that can run a VPN serving many clients
     • Install this at a datacentre with procured bandwidth
     • Commit to maintaining it
  2. Use a third-party provider VPN

Then we have to:

• Procure hardware such as the gl-inet routers with WireGuard pre-installed
• Prototype this e2e
• Draft guides like this on our docs site

Note that traffic to services hosted within TCN is still unencrypted.

We cannot install these on our current exit nodes as they are temporary, and don't have the capacity to encrypt traffic for everyone. This may be possible in the near future at Cisco DC, but it's WIP.

For now, if anyone is concerned about the traffic, just buy VPN from your favourite provider and connect from your endpoint. You'll be basically doing Option 2 without doing the router prototyping and documentational work here.