• fsxNet Feedback (ZeroTier

    From N1uro@21:4/107 to deon on Sunday, May 16, 2021 07:36:00
    Hello deon;

    deon wrote to N1uro <=-

    > So things weren't adding up for me with your explanation of what you were doing. I think we were coming from 2 different contexts.

    Not really. I think you're just overthinking the whole process.

    > I was led to believe that "the network" was 44/9 and that the OpenVPN server served that subnet to clients. So as a client on the network, your address would have been a /9. (I should have picked that up when you gave your ping output.)

    The /9 is part of the overall network, but we're also broken down into smaller subnets with point-to-point routing between each subnet.

    > But in your message, you shared this:
    > > it like OpenVPN would do. So in the policy route table I have for 44/9 this is one of hundreds of routes:
    > > 44.64.10.32/27 via 24.0.91.254 dev tunl0 proto 44 onlink window 840
    >
    > So it's not really a single /9 vpn network, it's multiple networks, and you have a /27 vpn network and you route 44/9 over it.

    It's both.

    > And given that 44.0.0.1 goes "offline" without loss of connectivity to you to 44.88.0.9 that means that the other end of your OpenVPN link also has an alternative link to 44.88.0.9 (directly or indirectly).

    It's a point to multipoint mesh network.

    > Anyway, OpenVPN is a viable "vpn" alternative - I agree, but I think it requires too many management points, sets of servers running OpenVPN and configuration to multiple parts of the network to provide redundancy. (Too much for a simple BBS network.)

    Not really -if- it's done correctly, and that's the key; however for most who aren't European BBSes, it's not an issue. I believe the necessity is to protect the user in and through Europe, no?

    > In contrast (which is how this thread started), ZeroTier is peer to peer and just requires you to run a client and me. Since I'm managing "my" network, I'm using a personal "controller" (not ZeroTier's) - and you find me by requesting the controller's network address. Once I authorise you on the network, you don't route your traffic through my controller, you connect direct to me point to point.

    As we do with 44-net.

    > Where the concern also was, is that ZeroTier's root servers are required for you to find me - implying if they turned them off you couldn't. That's not true however, since I can define a personal root server (called a moon, and more for redundancy), which you configure to find me without ZeroTier's involvement.

    That sounds like a lot more management on the part of the sysop though. We've simplified this and we've also made accommodations for those who are on ISPs that dish out dynamic IPs.

    > I recall reading at some point that ZeroTier were going to enable you to advertise your own "root servers" (since the root server's address is hard coded in the client - in much the same way that DNS servers (the DNS analogy) have a standard root server configuration). If and when they do that, then ZeroTier could turn off their root servers and you would still be able to find me (and no moons required).

    What we did was, as I mentioned (you may have passed it by), have a server in the U.K. that we call the portal. Those on dynamic IPs create a dyndns host and instead of entering in an IP they enter in their dyndns address. Hourly the portal does DNS queries to see if there's any changes in IPs and if so it does 2 things:
    - it creates a route file with the new changes so those who wish to manually download it may do so
    - it sends that file to amprgate which then sends out a broadcast in RIP that we slightly rewrote. The client runs a tiny daemon that picks up the route broadcasts and makes its changes to the local node's route table in their policy routing.

    I don't think Windows has the ability to use this daemon but in the command to load it, you specify which route table you're using. The lower the table number the higher the priority... as standard. The broadcasts, if no changes are made, are done hourly. If a node's IP changes then it's done fairly quickly.

    Unfortunately I don't think OpenVPN by itself has the ability to change routes on the fly... the newer version may, I haven't looked. I do know in Germany they're doing this 100% on OpenVPN and it's quite successful since Germany is BGP hosted and doesn't use amprgate at all - there's no need - but they are using OpenVPN for the clients and they're all point to multipoint. If the main hub/server goes down, they will lose routing to the rest of 44-net BUT they still maintain connectivity to each other.

    I know it sounds a bit complicated, but it really isn't and it's quite slick. We've been doing things this way now for almost 10 years with almost no issues.

    - N1URO

    ... AD&D Famous Last Words: Am I seeing things or is that a dragon?
    --- MultiMail/Linux v0.52
    * Origin: Carnage - risen from the dead now on SBBS (21:4/107)
  • From Oli@21:3/102 to N1uro on Sunday, May 16, 2021 15:39:46
    N1uro wrote (2021-05-14):

    > > I agree. It also would not qualify as Open Source software / license.

    > Just to try and help offer another possible solution to this issue as a network engineer:
    >
    > Why not investigate OpenVPN?

    p2p connections work by default in ZeroTier. Does OpenVPN do any NAT hole punching? A known and simpler alternative would be tinc. OpenVPN has also become kind of old-tech. Is there anything WireGuard wouldn't do simpler and better (for our use case)?

    > A dedicated hub feed to a European hub can set up DNS locally to feed a hub in Europe over OpenVPN using either TCP or UDP and choose ports, and maintain custom certs that may have a long expiration date on them... and then it'd be up to that European hub to feed the rest of Europe - ensuring that their laws are followed.

    Personally I'm not interested in a top-down approach with admin(s) maintaining certs and granting and revoking access. I would call it unnecessary centralization (bullshit power & small bus factor). FTN are on the lower layer decentralized and designed as "cooperative anarchy".

    It's not that I don't appreciate your initiative to set up OpenVPN for the network, I just doubt that standard VPNs are a good fit for FTN.

    (not sure what the European hub and laws part is about)

    ---
    * Origin: . (21:3/102)
  • From N1uro@21:4/107 to Oli on Sunday, May 16, 2021 21:04:00
    Oli wrote to N1uro <=-

    > N1uro wrote (2021-05-14):
    >
    > p2p connections work by default in ZeroTier. Does OpenVPN do any NAT hole punching? A known and simpler alternative would be tinc. OpenVPN has also become kind of old-tech. Is there anything WireGuard wouldn't do simpler and better (for our use case)?

    If you're doing straight UNencrypted connections you don't need any VPN. You could do it all with policy routing and a simple route table. It would be 100% point to multipoint, no centralized hub required nor DNS in reality. Just an IP address... which one already gets from their ISP.

    > Personally I'm not interested in a top-down approach with admin(s) maintaining certs and granting and revoking access. I would call it unnecessary centralization (bullshit power & small bus factor). FTN are on the lower layer decentralized and designed as "cooperative anarchy".

    I think the whole conversation steered away from the original claim which is European Law requires a user's data be protected.

    > It's not that I don't appreciate your initiative to set up OpenVPN for the network, I just doubt that standard VPNs are a good fit for FTN.

    With the brain power on FTN nets, I'm sure we could develop our own solutions.

    > (not sure what the European hub and laws part is about)

    See above. It was suggested that we needed to ensure encryption in/out of European nodes, which requires certs and such. Being in the west I don't -need- to do such but it was also suggested that those going into European points also must encrypt.

    ... G*t th*s* trib*les out*of m* ta*-lin* n*w!
    --- MultiMail/Linux v0.52
    * Origin: Carnage - risen from the dead now on SBBS (21:4/107)
  • From N1uro@21:4/107 to Oli on Friday, May 14, 2021 18:04:00
    Oli wrote to deon <=-

    > [snip]

    > I agree. It also would not qualify as Open Source software / license.

    Just to try and help offer another possible solution to this issue as a network engineer:

    Why not investigate OpenVPN? A dedicated hub feed to a European hub can set up DNS locally to feed a hub in Europe over OpenVPN using either TCP or UDP and choose ports, and maintain custom certs that may have a long expiration date on them... and then it'd be up to that European hub to feed the rest of Europe - ensuring that their laws are followed.

    Of course since the feed just got turned on today for me I may have missed a good part of the context of the thread but from what I did see this seems like it could be a possible solution if deployed properly.

    ... Internal Error: The system has been taken over by sheep at line 19960
    --- MultiMail/Linux v0.52
    * Origin: Carnage - risen from the dead now on SBBS (21:4/107)
  • From deon@21:2/116 to N1uro on Saturday, May 15, 2021 10:01:07
    Re: fsxNet Feedback (ZeroTier
    By: N1uro to Oli on Fri May 14 2021 06:04 pm

    Howdy,

    > Why not investigate OpenVPN? A dedicated hub feed to a European hub

    Good suggestion, but I don't think it would be a scalable option.

    OpenVPN is not point to point, but rather point to Hub. And sure an OpenVPN network could be created so that each hub was an OpenVPN hub, but then me communicating to you (eg: crashing something to you) is dependent on our hubs being up.

    ZeroTier is peer to peer - so if you are a node, and I am a node, we can find each other. While we find each other via the root nodes (called planets) provided by ZeroTier itself - we could also find each other via "our" roots (called moons) - and each hub could be a moon as well as anybody else who wanted to be one.

    You only need to find one active moon to find me.

    ...лоеп

    ... Nothing is true. Everything is permitted.
    --- SBBSecho 3.14-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
  • From N1uro@21:4/107 to deon on Friday, May 14, 2021 21:22:00
    Hello deon;

    deon wrote to N1uro <=-

    > OpenVPN is not point to point, but rather point to Hub. And sure an OpenVPN network could be created so that each hub was an OpenVPN hub, but then me communicating to you (eg: crashing something to you) is dependent on our hubs being up.

    Any VPN has to have some sort of a hub. Even ZeroTier. At least with OpenVPN it's open source, and we could customize it to how we see fit and we need not announce which port or which protocol type we decide to use.

    > ZeroTier is peer to peer - so if you are a node, and I am a node, we can find each other. While we find each other via the root nodes (called planets) provided by ZeroTier itself - we could also find each other via "our" roots (called moons) - and each hub could be a moon as well as anybody else who wanted to be one.

    The root nodes in this case would be hubs. There needs to be a central point within each network to host and serve the proper security certs. Even with OpenVPN, a point/node would still be able to see another point/node within the private IP network. That would be the purpose of designing it with a wide enough subnet so everyone could fit in.

    > You only need to find one active moon to find me.

    With full control over our own VPN and DNS, it'd be a no brainer not to at the minimum do a full investigation of such a setup.

    </$0.02> :)

    ... G*t th*s* trib*les out*of m* ta*-lin* n*w!
    --- MultiMail/Linux v0.52
    * Origin: Carnage - risen from the dead now on SBBS (21:4/107)
  • From N1uro@21:4/107 to deon on Saturday, May 15, 2021 01:13:00
    deon wrote to N1uro <=-

    > So I don't agree with you.

    That's perfectly fine and I'm happy to accept this. I will however say that what you describe is not how I've had OpenVPN working in a major corporate environment nor is it how IP works when you factor in the netmask of a subnet.

    I'm on a subnet of 44/9 which is somewhat of a vpn minus the encryption. 44.0.0.1 is the host and where BGP is announced. My IP is 44.88.0.9 however my path to a point in New Jersey does NOT go to 44.0.0.1, it is direct:

    traceroute to wb2snn.ampr.org (44.64.10.33), 30 hops max, 60 byte packets
    1 gw.n1uro.ampr.org (44.88.0.1) 5.670 ms 6.102 ms 6.095 ms
    2 wb2ona.ampr.org (44.64.255.225) 41.601 ms 45.571 ms 46.421 ms

    It all depends on how one sets it up.

    ... Book Title: Chirpin' and Jumpin': Katie Didd
    --- MultiMail/Linux v0.52
    * Origin: Carnage - risen from the dead now on SBBS (21:4/107)
  • From deon@21:2/116 to N1uro on Saturday, May 15, 2021 18:46:03
    Re: fsxNet Feedback (ZeroTier
    By: N1uro to deon on Sat May 15 2021 01:13 am

    Hey,

    > > So I don't agree with you.
    > That's perfectly fine and I'm happy to accept this. I will however say that what you describe is not how I've had OpenVPN working in a major corporate environment nor is it how IP works when you factor in the netmask of a subnet.

    Right I agree - I'm not talking about OpenVPN - I'm comparing its architecture to that of ZeroTier. (I've been a long time OpenVPN user as well.)

    > I'm on a subnet of 44/9 which is somewhat of a vpn minus the encryption. 44.0.0.1 is the host and where BGP is announced. My IP is 44.88.0.9 however my path to a point in New Jersey does NOT go to 44.0.0.1, it is direct:

    It's direct via the "hub" though right?

    44/9 includes both 44.88.0.9 and 44.0.0.1 (and 44.64.10.33)

    Network: 44.0.0.0/9 00101100.0 0000000.00000000.00000000
    HostMin: 44.0.0.1 00101100.0 0000000.00000000.00000001
    HostMax: 44.127.255.254 00101100.0 1111111.11111111.11111110
    Broadcast: 44.127.255.255 00101100.0 1111111.11111111.11111111

    If you did a tcpdump -ni tun0 on 44.0.0.1 you would see the packets coming in (from your real IP) and going out again (to the other IP). Traceroute doesn't show it because you are not technically traversing a router (because it is a /9 network).

    > traceroute to wb2snn.ampr.org (44.64.10.33), 30 hops max, 60 byte packets
    > 1 gw.n1uro.ampr.org (44.88.0.1) 5.670 ms 6.102 ms 6.095 ms
    > 2 wb2ona.ampr.org (44.64.255.225) 41.601 ms 45.571 ms 46.421 ms

    So, if you turn off 44.0.0.1, can you still ping 44.64.10.33 from 44.88.0.9?

    Further the performance of your network traffic to 44.64.10.33 is limited by your link, 44.0.0.1's link and 44.64.10.33. If any of those links gets "busy", especially 44.0.0.1, your performance is impacted.

    ...лоеп
    --- SBBSecho 3.14-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
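deon's /9 breakdown above, and the /27 route N1uro quotes later in the thread, can be checked with the Python standard library. This is an added example, not code from either poster; the only inputs are the addresses and prefixes named in the thread. It reproduces the Network/HostMin/HostMax/Broadcast figures, confirms all three hosts sit in 44/9, and shows that 44.88.0.9 and 44.64.10.33 share the /9 but not a /27, which is why a per-subnet route such as the one N1uro pasted is still needed between them.

```python
"""Subnet arithmetic for the 44/9 discussion: reproduce the
Network/HostMin/HostMax/Broadcast table and test which addresses share a
prefix. Added example, not either poster's code; the addresses are the
ones named in the thread."""
import ipaddress
from typing import Dict


def bits(addr: ipaddress.IPv4Address, prefixlen: int) -> str:
    """Dotted binary form with a space after the network part, e.g.
    00101100.0 0000000.00000000.00000000 for 44.0.0.0 under a /9."""
    b = format(int(addr), "032b")
    out = ""
    for i, ch in enumerate(b):
        if i and i % 8 == 0:
            out += "."
        if i == prefixlen:
            out += " "
        out += ch
    return out


def subnet_summary(cidr: str) -> Dict[str, str]:
    """The figures an ipcalc-style tool prints for a CIDR block."""
    net = ipaddress.ip_network(cidr, strict=True)
    p = net.prefixlen
    first = net.network_address + 1
    last = net.broadcast_address - 1
    return {
        "Network": f"{net}  {bits(net.network_address, p)}",
        "HostMin": f"{first}  {bits(first, p)}",
        "HostMax": f"{last}  {bits(last, p)}",
        "Broadcast": f"{net.broadcast_address}  {bits(net.broadcast_address, p)}",
        "Hosts": str(net.num_addresses - 2),
    }


def same_subnet(a: str, b: str, prefixlen: int) -> bool:
    """True if a and b fall in the same /prefixlen block."""
    block = ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)
    return ipaddress.ip_address(b) in block


def in_block(addr: str, cidr: str) -> bool:
    """True if addr lies inside the CIDR block."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=True)


if __name__ == "__main__":
    for k, v in subnet_summary("44.0.0.0/9").items():
        print(f"{k:10}{v}")
    for host in ("44.88.0.9", "44.0.0.1", "44.64.10.33"):
        print(host, "in 44/9:", in_block(host, "44.0.0.0/9"))
    # Same /9, but not the same /27: a route between them is still required.
    print(same_subnet("44.88.0.9", "44.64.10.33", 9),
          same_subnet("44.88.0.9", "44.64.10.33", 27))
    # The /27 route N1uro pasted covers the New Jersey host, not his own.
    print(in_block("44.64.10.33", "44.64.10.32/27"),
          in_block("44.88.0.9", "44.64.10.32/27"))
```

`same_subnet` deliberately uses `strict=False` so it can be fed a host address and a prefix length and mask the host bits itself; `in_block` uses `strict=True` so a mis-typed route prefix such as 44.64.10.33/27 is rejected rather than silently rounded.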
  • From N1uro@21:4/107 to deon on Saturday, May 15, 2021 14:50:00
    Hello deon;

    deon wrote to N1uro <=-

    > It's direct via the "hub" though right?

    No it is not.

    > 44/9 includes both 44.88.0.9 and 44.0.0.1 (and 44.64.10.33)
    >
    > Network:   44.0.0.0/9      00101100.0 0000000.00000000.00000000
    > HostMin:   44.0.0.1        00101100.0 0000000.00000000.00000001
    > HostMax:   44.127.255.254  00101100.0 1111111.11111111.11111110
    > Broadcast: 44.127.255.255  00101100.0 1111111.11111111.11111111

    Correct.

    > If you did a tcpdump -ni tun0 on 44.0.0.1 you would see the packets coming in (from your real IP) and going out again (to the other IP). Traceroute doesn't show it because you are not technically traversing a router (because it is a /9 network).

    Again semi-correct. It'd be tunl0 not tun0... and you'd want to use the ethernet interface not the tunneled interface to watch.

    > traceroute to wb2snn.ampr.org (44.64.10.33), 30 hops max, 60 byte packets
    > 1 gw.n1uro.ampr.org (44.88.0.1) 5.670 ms 6.102 ms 6.095 ms
    > 2 wb2ona.ampr.org (44.64.255.225) 41.601 ms 45.571 ms 46.421 ms
    >
    > So, if you turn off 44.0.0.1, can you still ping 44.64.10.33 from 44.88.0.9?

    Absolutely! They do have to take 44.0.0.1 offline on occasion to do maintenance, software upgrades, etc but that doesn't affect the rest of us. AmprGate as it's known is a BSD box hosted at the University of California/San Diego where the primary BGP announcement is done.

    > Further the performance of your network traffic to 44.64.10.33 is limited by your link, 44.0.0.1's link and 44.64.10.33. If any of those links gets "busy", especially 44.0.0.1, your performance is impacted.

    Not at all! Because of the encapsulation and ISPs doing what we've termed as SAFE routing (Source Address FilterEd) we incorporate policy routing into our systems and we get a "push" from a 3rd party site in the U.K. as dynamic IP hosted systems report updates to it like OpenVPN would do. So in the policy route table I have for 44/9 this is one of hundreds of routes:
    44.64.10.32/27 via 24.0.91.254 dev tunl0 proto 44 onlink window 840
    My route/path to 44.64.10.33 doesn't go near California!.. and since we're on the same ISP, we're about as direct as we can possibly be without line of sight 802.11 :)

    Years ago this might not have been true depending on who you were and what your needs were. If you were SAFEd you needed a non-SAFEd host to forward your routing via. Since I was on a non-SAFEd ISP I was one of a handful of hosts for those that were. Of course, general traffic from the global internet would still filter through 44.0.0.1 which would take the standard frame and convert it to an encapsulated frame destined for the final hop. If we're looking to accommodate encryption for European links/feeds I don't think this would be an issue :)

    ... Backstage Pass -- "Shake Your Booty" World Tour 1995-96
    --- MultiMail/Linux v0.52
    * Origin: Carnage - risen from the dead now on SBBS (21:4/107)
  • From deon@21:2/116 to N1uro on Sunday, May 16, 2021 09:56:20
    Re: fsxNet Feedback (ZeroTier
    By: N1uro to deon on Sat May 15 2021 02:50 pm

    Howdy,

    So things weren't adding up for me with your explanation of what you were doing. I think we were coming from 2 different contexts.

    I was led to believe that "the network" was 44/9 and that the OpenVPN server served that subnet to clients. So as a client on the network, your address would have been a /9. (I should have picked that up when you gave your ping output.)

    But in your message, you shared this:
    > it like OpenVPN would do. So in the policy route table I have for 44/9 this is one of hundreds of routes:
    > 44.64.10.32/27 via 24.0.91.254 dev tunl0 proto 44 onlink window 840

    So it's not really a single /9 vpn network, it's multiple networks, and you have a /27 vpn network and you route 44/9 over it.

    > traceroute to wb2snn.ampr.org (44.64.10.33), 30 hops max, 60 byte packets
    > 1 gw.n1uro.ampr.org (44.88.0.1) 5.670 ms 6.102 ms 6.095 ms
    > 2 wb2ona.ampr.org (44.64.255.225) 41.601 ms 45.571 ms 46.421 ms

    And given that 44.0.0.1 goes "offline" without loss of connectivity to you to 44.88.0.9 that means that the other end of your OpenVPN link also has an alternative link to 44.88.0.9 (directly or indirectly).

    Anyway, OpenVPN is a viable "vpn" alternative - I agree, but I think it requires too many management points, sets of servers running OpenVPN and configuration to multiple parts of the network to provide redundancy. (Too much for a simple BBS network.)

    In contrast (which is how this thread started), ZeroTier is peer to peer and just requires you to run a client and me. Since I'm managing "my" network, I'm using a personal "controller" (not ZeroTier's) - and you find me by requesting the controller's network address. Once I authorise you on the network, you don't route your traffic through my controller, you connect direct to me point to point.

    Where the concern also was, is that ZeroTier's root servers are required for you to find me - implying if they turned them off you couldn't. That's not true however, since I can define a personal root server (called a moon, and more for redundancy), which you configure to find me without ZeroTier's involvement.

    I recall reading at some point that ZeroTier were going to enable you to advertise your own "root servers" (since the root server's address is hard coded in the client - in much the same way that DNS servers (the DNS analogy) have a standard root server configuration). If and when they do that, then ZeroTier could turn off their root servers and you would still be able to find me (and no moons required).

    ...лоеп
    --- SBBSecho 3.14-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)