[lxc-users] LAN for LXD containers (with multiple LXD servers)?

brian mullan bmullan.mail at gmail.com
Tue Sep 20 21:47:29 UTC 2016


I got a response back from Tobias Volk (the PeerVPN author).

He changed the bullet on the main web page to help clarify that there is no
automatic tunnel through firewalls.

text was...
*Automatically builds tunnels through firewalls and NATs without any
further setup (for example, port forwarding).*

text changed to...
*No NAT reconfiguration necessary, only one node with a public address is
required*



On Tue, Sep 20, 2016 at 9:10 AM, brian mullan <bmullan.mail at gmail.com>
wrote:

> Serge,
>
>> > Automatically builds tunnels through firewalls and NATs without any
>> > further setup (for example, port forwarding).
>>
>> I would not appreciate something which "automatically" (whatever it
>> means) traverses my firewalls, to be honest. We should treat our data
>> seriously, Brian.
>
> First, a sysadmin person has to install/setup/configure PeerVPN on each
> server so I guess like installing/configuring TINC or any other VPN
> solution there is some assumption of some sort of "trust" in that person's
> work.
>
> Second, in PeerVPN's configuration file
> <https://github.com/peervpn/peervpn/blob/master/peervpn.conf> on each
> server you (i.e. the sysadmin) have to
> specify 2 security-related items:
>
> port xxxxx    # the UDP port to be opened/used by PeerVPN
>
> But you point out a good question
> regarding that bullet by the author on the PeerVPN web page. Tobias Volk
> may be referring to something else, as *it CLEARLY states in the short
> PeerVPN tutorial <https://peervpn.net/tutorial/> that you MUST port-forward the
> "port" configured for PeerVPN to use if nodes are behind a NAT.*
>
> *I know from my own use that PeerVPN doesn't work if you have not done that:*
>
>
> *Configuration of node A*
>
>> Create the peervpn.conf of Node A with the following content:
>>
>> port 7000
>> networkname ExampleNet
>> psk mysecretpassword
>> enabletunneling yes
>> interface peervpn0
>> ifconfig4 10.8.0.1/24
>>
>> This will open UDP port 7000 and create a virtual ethernet interface with
>> the name peervpn0 and the IP address 10.8.0.1.
>>
>> Please note that Node A needs to be directly reachable from Node B.
>> *If Node A is behind a NAT device, you will have to forward port 7000.*
>
> *Configuration of node B*
>
>> Create the peervpn.conf of Node B with the following content:
>>
>> port 7000
>> networkname ExampleNet
>> psk mysecretpassword
>> enabletunneling yes
>> interface peervpn0
>> ifconfig4 10.8.0.2/24
>> initpeers node-a.example.com 7000
>>
>> Replace node-a.example.com with the real address of Node A.
>
> Further, there is the shared PSK crypto key generation, which also limits
> connections to "peers" sharing the "same" PSK "seed" in the configuration
> file.
>
> In a PeerVPN mesh, different servers/hosts can have multiple PSK "seeds"
> configured to allow any one host to "peer" with different specific systems in
> the "mesh" that have a matching PSK "seed" configured.
> I can email Tobias and ask for clarification as to what that bullet means.
>
> Brian
>
>
>
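Added example (not from this thread or from the PeerVPN project): a small Python checker for the peervpn.conf keys quoted above. It flags the two settings the thread treats as security-relevant, the UDP port that must be reachable (forwarded if the node sits behind NAT, as the tutorial says for a node without initpeers) and the shared PSK that gates who may join the mesh. The sample config is constructed from the quoted tutorial, and the 20-character PSK threshold is an assumed local policy, not a PeerVPN rule.

```python
# Added checker for peervpn.conf (not PeerVPN project code). The sample config
# below is constructed from the tutorial excerpt quoted in the thread.
NODE_B_CONF = """\
port 7000
networkname ExampleNet
psk mysecretpassword
enabletunneling yes
interface peervpn0
ifconfig4 10.8.0.2/24
initpeers node-a.example.com 7000
"""

def parse_peervpn_conf(text):
    """Return {key: value} for 'key value' lines; '#' comments and blanks ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf

def parse_initpeers(value):
    """'host port host port ...' -> [(host, port), ...]; odd token count is an error."""
    tokens = value.split()
    if len(tokens) % 2:
        raise ValueError("initpeers needs host/port pairs: %r" % value)
    return [(tokens[i], int(tokens[i + 1])) for i in range(0, len(tokens), 2)]

def review_peervpn_conf(conf, min_psk_len=20):
    """Map security-relevant keys to findings (min_psk_len is an assumed local policy)."""
    findings = {}
    port = conf.get("port", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        findings["port"] = "missing or invalid UDP listen port"
    psk = conf.get("psk", "")
    if not psk:
        findings["psk"] = "no psk set; any node reaching the port can try to join"
    elif len(psk) < min_psk_len:
        findings["psk"] = ("psk is %d chars; every node with this seed joins the "
                           "mesh, use a long random secret" % len(psk))
    if not parse_initpeers(conf.get("initpeers", "")):
        # Node A case from the tutorial: nothing to dial out to, so others must reach us.
        findings["initpeers"] = ("no initpeers; this node must be directly reachable on "
                                 "port %s/udp (forward it if behind NAT)" % port)
    return findings

# Findings for the sample Node B config: only the short tutorial PSK is flagged.
FINDINGS = review_peervpn_conf(parse_peervpn_conf(NODE_B_CONF))
```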