I don't know about you, but I've got a fair number of little linux boxes sitting around. Several are VPSes that sit on the public facing Internet, but a bunch are also behind various firewalls. Some are public because they run public-facing apps. Others are public because they run things I want access to when I'm out and about.
Keeping track of all of these boxes, making sure they can talk to each other as needed and keeping things secure has gotten a bit out of hand. The first project was to get them all to talk to each other through some sort of private network. This would allow me to back them up to a centralized destination over a secure channel. Sure, I could've thrown a PPTP or IPsec concentrator somewhere and called it a day, but that's kind of complex and requires all the traffic to hairpin through someplace it doesn't necessarily need to go.
Enter Tinc. Tinc is a full-mesh VPN solution that provides encryption and tamper resistance and is simple to implement and maintain. By nature of being full-mesh it's quite fault tolerant, which is great. It also traverses NAT firewalls trivially, so I don't have to do anything special for the Linux boxes on my LAN.
The documentation for Tinc is pretty good, so I won't explain the details of how I have it set up, but the important thing is that all of the boxes running Tinc are connected to the network I refer to as "darknet" (10.1.0.0/24).
This has been up and running for probably a year, and other than having to look up the documentation every time I want to add a node, it's been rock solid. I have one server that knows about all of the other servers and serves to "bootstrap" everyone else, but you can also mesh the configuration. If you need a multi-datacenter private network in the cloud I can't recommend Tinc enough.
But, Tinc isn't a great fit for desktop workstations (unless they run Linux). There's no GUI to control it and it sort of violates my design goals for the "darknet" to have my laptop connected directly to it. This brings about today's project.
Today, I have added a Supernode to the Darknet that will serve as an OpenVPN gateway to the Darknet, as well as a place to tunnel traffic out of untrusted networks. It's running on an inexpensive VPS in a datacenter in Chicago, and I'm running the OpenVPN AS software package, which gives me simple client configuration on Windows, Android and other platforms. Installation was as easy as adding the official OpenVPN repository to my machine and running apt-get install openvpn-as. As my VPS is an OpenVZ instance, I also needed to enable tun/tap. I installed an SSL certificate, set my IP address ranges, enabled routing to the Darknet subnet, installed and configured Tinc, configured a BIND resolver, set up my users, and am now ready to rock and roll. It only took me about 20 minutes.
I'm getting great performance on the new system, which in addition to providing access to Darknet also allows me to protect my traffic on public hotspots and untrusted networks. Once OpenVPN's reliability is proven, I'll look into revoking public-facing access to many of these servers and moving things that make sense into my home virtualization cluster.
Later this weekend I'll also spend some time creating a DNS zone for the servers in Darknet to further simplify things.
Next project? A cloud development environment. Or, the real reason I did this project.
Codatory's Musings
Friday, April 26, 2013
Thursday, April 25, 2013
IP Info Now Supports Direct Linking
You can now directly link to the IP Info for a given search by simply providing it as a hash option. For example: http://ip.coda.to/#www.codatory.com
It also automatically updates your address bar to include whatever IP address you've looked up for easy sharing.
IP Info Now Supports Hostnames
Because IP Info hands user input to commands executed in a shell, it has some pretty strict validation. Previously, if you entered anything other than an IP address it would simply return "Invalid IP." Now, if you enter something other than an IP address it will attempt to resolve it to an IP before failing.
Keep in mind that this will resolve the hostname at the server, so you may see a different IP than you get locally with host / dig / nslookup.
Try it out: http://ip.coda.to
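As an added example (not the IP Info code, which the post does not show), here is the validation I would put in front of any lookup that hands user input to an external command: accept only a syntactically valid IP literal or an RFC 1123 hostname, resolve hostnames server-side as the post describes, and pass the result to the tool as a single argv element rather than through a shell. The function names and the lookup tool (tool_argv) are assumptions.

```python
import ipaddress
import re
import socket
import subprocess

# One RFC 1123 hostname label: alphanumerics and hyphens, 1-63 chars, no leading or
# trailing hyphen. No shell metacharacter (; | & $ ` space, quotes) can get through.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def classify_target(value: str):
    """Return ("ip", canonical_literal) or ("hostname", lowercase_fqdn);
    raise ValueError("Invalid IP") for anything else, as the site's old behaviour did."""
    value = value.strip()
    try:
        # IPv4 or IPv6; str() re-emits a canonical form rather than the raw input.
        return "ip", str(ipaddress.ip_address(value))
    except ValueError:
        pass
    name = value.rstrip(".").lower()  # tolerate an absolute name's trailing dot
    labels = name.split(".")
    # Also reject an all-numeric last label: "123" is not a hostname to look up.
    if len(name) > 253 or labels[-1].isdigit() or not all(_LABEL.match(lab) for lab in labels):
        raise ValueError("Invalid IP")
    return "hostname", name

def is_valid_target(value: str) -> bool:
    """Validation step alone (no network), handy for unit tests and form checks."""
    try:
        classify_target(value)
        return True
    except ValueError:
        return False

def resolve_target(value: str) -> str:
    """Validate, then resolve hostnames on the server side, as the post describes."""
    kind, target = classify_target(value)
    if kind == "ip":
        return target
    try:
        infos = socket.getaddrinfo(target, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        raise ValueError("Invalid IP") from exc
    return infos[0][4][0]  # first answer's address, whichever family the resolver chose

def run_lookup(tool_argv, value: str) -> subprocess.CompletedProcess:
    """Run an external lookup tool (tool_argv is assumed, e.g. ["whois"]) with the
    address as one argv element. No shell=True, so /bin/sh never parses user input."""
    return subprocess.run([*tool_argv, resolve_target(value)],
                          capture_output=True, text=True, check=False)
```

Because the resolver runs on the server, a hostname can still map to a different address than host / dig / nslookup show locally, exactly as the post warns.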
