[lxc-users] LAN for LXD containers (with multiple LXD servers)?

brian mullan bmullan.mail at gmail.com
Tue Sep 20 13:10:57 UTC 2016


Serge,


> > Automatically builds tunnels through firewalls and NATs without any
> > further setup (for example, port forwarding).
>
> I would not appreciate something which "automatically" (whatever it
> means) traverses my firewalls, to be honest. We should treat our data
> seriously, Brian.


First, a sysadmin has to install/setup/configure PeerVPN on each
server, so I guess that, like installing/configuring TINC or any other VPN
solution, there is some assumption of some sort of "trust" in that person's
work.

Second, in PeerVPN's configuration file
<https://github.com/peervpn/peervpn/blob/master/peervpn.conf> on each
server you (i.e. the sysadmin) have to
specify 2 security-related items:

port xxxxx    # the port to be opened/used by PeerVPN

But you point out a good question
regarding that bullet by the author on the PeerVPN web page. Tobias Volk
may be referring to something else, as it CLEARLY states in the short
PeerVPN tutorial <https://peervpn.net/tutorial/> that you MUST port-forward
the "port" configured for PeerVPN if nodes are behind a NAT.

From my own use, I know PeerVPN doesn't work if you have not done that:


> Configuration of node A
>
> Create the peervpn.conf of Node A with the following content:
>
>     port 7000
>     networkname ExampleNet
>     psk mysecretpassword
>     enabletunneling yes
>     interface peervpn0
>     ifconfig4 10.8.0.1/24
>
> This will open UDP port 7000 and create a virtual ethernet interface with
> the name peervpn0 and the IP address 10.8.0.1.
>
> Please note that Node A needs to be directly reachable from Node B.
> If Node A is behind a NAT device, you will have to forward port 7000.
>
> Configuration of node B
>
> Create the peervpn.conf of Node B with the following content:
>
>     port 7000
>     networkname ExampleNet
>     psk mysecretpassword
>     enabletunneling yes
>     interface peervpn0
>     ifconfig4 10.8.0.2/24
>     initpeers node-a.example.com 7000
>
> Replace node-a.example.com with the real address of Node A.

Further, there is the shared PSK crypto key, which also limits
connections to "peers" sharing the "same" PSK "seed" in the configuration
file.

In a PeerVPN mesh, different servers/hosts can have multiple PSK "seeds"
configured to allow any one host to "peer" with different specific systems in
the "mesh" that have a matching PSK "seed" configured.
I can email Tobias and ask for clarification as to what that "bullet" means.

Brian
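The two settings Brian calls security-relevant (the UDP port and the PSK) plus the "no initpeers means it must be reachable directly" rule from the quoted tutorial are easy to lint before a config is copied to a server. The following is an added example, not code from this thread or from the PeerVPN project. It assumes the peervpn.conf layout shown in the tutorial (one "key value" directive per line, lines starting with "#" are comments, keys compared case-insensitively); the 32-character minimum PSK length and the list of placeholder PSKs it refuses are this example's own choices, not PeerVPN defaults. The two node configs embedded below are the tutorial's, reproduced as constructed test input.

```python
"""Lint a peervpn.conf before deploying it (added example; not PeerVPN code).

Checks the UDP port and the PSK, and warns when a node has no initpeers,
because then other nodes must reach it directly and, behind NAT, the port
has to be forwarded to it.
"""
import secrets
import string

# Assumptions, not PeerVPN defaults: the minimum PSK length enforced here and
# the placeholder values that must never ship.
MIN_PSK_LEN = 32
PLACEHOLDER_PSKS = {"mysecretpassword", "changeme", "password", "secret"}


def parse_peervpn_conf(text):
    """Parse 'key value' lines into a dict.

    Assumes one directive per line, lines starting with '#' are comments,
    and keys are case-insensitive (stored lower-cased).
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def lint_peervpn_conf(conf, behind_nat=False):
    """Return a list of findings; an empty list means the config passed."""
    findings = []
    port = conf.get("port", "")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append("port: missing or not a valid UDP port number")
    psk = conf.get("psk", "")
    if not psk:
        findings.append("psk: missing, so any node that learns the port can join the mesh")
    elif psk.lower() in PLACEHOLDER_PSKS:
        findings.append("psk: tutorial placeholder value, replace it with a random key")
    elif len(psk) < MIN_PSK_LEN:
        findings.append("psk: shorter than %d characters" % MIN_PSK_LEN)
    if not conf.get("networkname"):
        findings.append("networkname: missing")
    if "initpeers" not in conf:
        msg = "initpeers: none, so other nodes must reach this one directly"
        if behind_nat:
            msg += "; node is behind NAT, forward UDP port %s to it" % (port or "?")
        findings.append(msg)
    return findings


def generate_psk(length=48):
    """Random alphanumeric PSK from the OS CSPRNG (no shell-unsafe characters)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed inputs: the two configs from the tutorial quoted above.
NODE_A_CONF = """\
port 7000
networkname ExampleNet
psk mysecretpassword
enabletunneling yes
interface peervpn0
ifconfig4 10.8.0.1/24
"""

NODE_B_CONF = NODE_A_CONF.replace("10.8.0.1/24", "10.8.0.2/24") + \
    "initpeers node-a.example.com 7000\n"


def harden(conf_text, psk):
    """Swap the placeholder PSK for a real one; every node needs the same value."""
    return conf_text.replace("psk mysecretpassword", "psk " + psk)


if __name__ == "__main__":
    for name, text in (("node A (behind NAT)", NODE_A_CONF), ("node B", NODE_B_CONF)):
        print(name, lint_peervpn_conf(parse_peervpn_conf(text), behind_nat="NAT" in name))
    shared = generate_psk()
    print("hardened node B",
          lint_peervpn_conf(parse_peervpn_conf(harden(NODE_B_CONF, shared))))
```

Run as a script it reports the placeholder PSK on both tutorial nodes and the port-forward requirement on node A, and nothing on a node B that carries a generated key; the same key has to be written into every node's peervpn.conf, and since that file holds the key it should be readable by root only.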