<div dir="ltr">I got a response back from Tobias Volk (the PeerVPN author)<div><br></div><div>He changed the bullet on the main web page to help clarify that there is no automatic tunnel through firewalls..</div><div><br></div><div>text was...</div><div><div class="gmail_quote"><b>Automatically builds tunnels through firewalls and NATs without any further setup (for example, port forwarding).</b></div><div class="gmail_quote"><br></div><div class="gmail_quote">text changed to...</div><div class="gmail_quote"><span style="color:rgb(0,0,0);font-family:verdana,arial"><b>No NAT reconfiguration necessary, only one node with a public address is required</b></span></div></div><div class="gmail_quote"><span style="color:rgb(0,0,0);font-family:verdana,arial;font-size:16px"><br></span></div><div class="gmail_quote"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Sep 20, 2016 at 9:10 AM, brian mullan <span dir="ltr"><<a href="mailto:bmullan.mail@gmail.com" target="_blank">bmullan.mail@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Serge,<div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><i><span><span style="font-size:12.8px">> Automatically builds tunnels through firewalls and NATs without any further<br></span><span style="font-size:12.8px">> setup (for example, port forwarding).</span><br style="font-size:12.8px"></span><span style="font-size:12.8px">I would not appreciate something which "automatically" (whatever it<br></span><span style="font-size:12.8px">means) traverse my firewalls, to be honest. We should treat our data<br></span><span style="font-size:12.8px">seriously, Brian.</span></i></blockquote><div><br></div><div>First, a sysadmin person has to install/setup/configure PeerVPN on each server so I guess like installing/configuring TINC or any other VPN solution there is some assumption of some sort of "trust" in that person's work.</div><div><br></div><div>Second, in <a href="https://github.com/peervpn/peervpn/blob/master/peervpn.conf" target="_blank">PeerVPN's configuration file</a> on each server you (re the sysadmin) have to</div><div>specify 2 security related items:</div><div><br></div><div>PORT xxxxx # the Port to be opened/used by PeerVPN</div><div><br></div><div>But you point out a good question - </div><div>regarding that bullet by the author on the PeerVPN web page. Tobias Volk may be referring to something else as <i><a href="https://peervpn.net/tutorial/" target="_blank">it CLEARLY states in the short PeerVPN tutorial</a> you MUST port-forward the "port" configured for PeerVPN to use if Nodes are behind a NAT. </i></div><div><i><br></i></div><div><i>I know PeerVPN doesn't work if you have not done that from my own use.:</i></div><div><br></div><div><br></div><div><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote"><b>Configuration of node A</b> </blockquote><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote"><br>Create the peervpn.conf of Node A with the following content: </blockquote><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote"> </blockquote><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote"><code>port 7000<br></code><code>networkname ExampleNet<br></code><code>psk mysecretpassword<br></code><code>enabletunneling yes<br></code><code>interface peervpn0<br></code><code>ifconfig4 <a href="http://10.8.0.1/24" target="_blank">10.8.0.1/24</a></code> </blockquote><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote"> </blockquote><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote"><code></code>This will open UDP port 7000 and create a virtual ethernet interface with the name peervpn0 and the IP address 10.8.0.1. </blockquote><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote"> </blockquote><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">Please note that Node A needs to be directly reachable from Node B. <br><u><b><i>If Node A is behind a NAT device, you will have to forward port 7000.</i></b> </u></blockquote><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote"> </blockquote><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote"><b><i></i>Configuration of node B</b> </blockquote><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote"><br>Create the peervpn.conf of Node B with the following content: </blockquote><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote"> </blockquote><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote"><code>port 7000<br></code><code>networkname ExampleNet<br></code><code>psk mysecretpassword<br></code><code>enabletunneling yes<br></code><code>interface peervpn0<br></code><code>ifconfig4 <a href="http://10.8.0.2/24" target="_blank">10.8.0.2/24</a><br></code><code>initpeers <a href="http://node-a.example.com" target="_blank">node-a.example.com</a> 7000</code> </blockquote><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote"> </blockquote><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote"><code></code>Replace <a href="http://node-a.example.com" target="_blank">node-a.example.com</a> with the real address of Node A.</blockquote><p style="color:rgb(0,0,0);font-family:verdana,arial">Further there is the shared PSK crypto key generation that also limits connections to "peers" sharing the "same" PSK "seed" in the configuration file.</p><p style="color:rgb(0,0,0);font-family:verdana,arial">In a PeerVPN mesh different server/hosts can have multiple PSK "seed" configured to allow any 1 host to "peer" with different specific systems in the "mesh" who have a matching PSK "seed" configured.</p></div><div>I can email Tobias and ask for clarification as to what "bullet" means.</div><span><font color="#888888"><div><br></div><div>Brian</div><div><br></div><div><br></div></font></span></div>
</blockquote></div><br></div></div>