[How to] DIY P2P VPN

I am interested in a tutorial on how to build an independent, decentralized P2P VPN (with open-source software on GNU/Linux) similar to ChaosVPN or dn42. The purpose is to link a couple of hackerspaces/communities in the region and have our own services inside our network.

And if this could be done with WireGuard, but TincVPN/OpenVPN are welcome too.

Or should I have posted this question on /r/VPN?

Thanks!

This is probably one of the closest subreddits you’ll get to help you out with this.

Why do you want to use wireguard, openvpn, and tinc? Do you want people to be able to connect with more than one piece of vpn software? How many locations or machines are you targeting?

ChaosVPN already sort of does this in mission on a large scale but requires you to use tinc. dn42 lets node operators choose their vpn software in order to spread the network, and then handles routing with bgp over the whole thing, but the vpn software can differ from node to node based on what the operator can or will run.

I could easily see you having suboptimal routing if no geographically close nodes run the software you want to use. Also, bgp is a fun technology to play with, but is a bit overkill and possibly a headache to maintain over your use-case.

I’m biased, but I would really see this as a situation that you could just throw cjdns at and use to create a private net.

Disclaimer: I don't know shit.

This sounds like a standard networking question. “How do I protect sensitive information from A to B?”

From my perspective /r/darknetplan tries to solve that problem by physically building networks for highly controllable environments.

You mention being in a region and there being multiple users on the network.

How complex is this system?
What distance does it need to cover?
Are servers hosting public infrastructure that need to be accessible inside the VPN system?
What protocols will it be using (is this just code hosting over ssh)?
What volume of traffic does it need to support?

Every problem can be solved, you just need to break it down more. :slight_smile: Thank you for posting! There’s a good knowledge base here that loves a good puzzle.

It’s reasonably simple to set up IPsec tunnels using libreswan and iptables (possibly with some openvswitch thrown in, but it may not be necessary; can’t really remember right now). Don’t really have time to get into it fully right now, but you can poke around on libreswan.org and find a lot. That should get you a good bit of the way. Network configuration (e.g. adding/discovering nodes) could be a challenge if you don’t want to do it manually though, so that could be an opportunity for development…

Disclaimer, I wouldn’t run this with more than 5 points. It does not scale well, as overhead at a management/setup level is annoying.

If you have access to the routers at each point, a simple IPsec tunnel between each location will sort this out, with each location handling its own DNS for the internal services.

You will have to handle your own IP space to make sure your local subnets do not overlap. So the local DHCP is 10.y.x.x, where y is incremented per IPsec tunnel.

Then, once you have picked a domain name, hackerspace.local (for example), for real failover / easy routing you need to set up the DNS entries on the routers to use each other's routers. E.g. router 10.1.1.1 uses 10.2.1.1 and 10.3.1.1 as secondary name servers.
Then each router (or subnet) will have a name server that is linked to each other DNS server.

P2P VPN complete.

Problems:

  • any new node (hackerspace) requires a new IPsec tunnel both ways, and an update to the DNS pool.
  • if space 1 chooses name.hackerspace.local and space 2 chooses name.hackerspace.local as well and both enter in different IPs for the DNS entries you might get issues with connections.

Then I would suggest you use I2Pd, the C++ implementation of I2P. So far, seen as a VPN for internal services, it is the best thing I've seen.

Thanks, that was very helpful.
WireGuard as new modern VPN software – that is basically why.
Yes, it would be cool to be like our own dn42, and let people choose the software to connect with, but I do not want to maintain it on a weekly level. I was thinking of 5+ spaces, probably later some in neighbouring countries.

A physical connection simply cannot be the final solution. For a start, inside the city there are a couple of locations, but the air distance is a couple of miles. And then there is the idea to connect with hackerspaces/makerspaces from other cities in my country, and maybe neighbouring countries.
I think of it more like A,B and C simultaneously communicating to each other.

Thanks, I heard of LibreSwan a while ago, didn’t remember it while thinking of this idea though. Yes, network discovery could be challenging, but if every node knew all the rest and could simply gossip that to any newly connected node, or something like that, then new nodes joining the network would only need to know any existing node, and would immediately become friends with everyone already inside.
I don’t know this actually :slight_smile:

Thanks. Tried it year ago. It is nice indeed.

It might be worth it to just start with wireguard for now and force everyone to use it. Maintaining bgp on top of several vpn suites would drive me insane.

Keep in mind that wireguard seems to be the easiest to use software by far from the perspective of all the VPN software I’ve seen, but setup can be a bitch when it comes to hosting on VPS providers because of the kernel-space stuff wireguard does. Wireguard does however look to be easy to configure after that. It looks like it also handles its own routing, so in theory you could peer to several nodes from one node and it works out the routing for you, but I haven’t seen config examples for that specifically. It might be worthwhile to test with 3 nodes, connecting a to b to c and trying to communicate from a to c, and then add peerings with multiple nodes in each config file and throw a random node offline to see if it self-heals.

After that, you’d probably be fine to start running your own network services like DNS and really build things out.

EDIT: From some anecdata, it looks like it doesn’t do ad hoc meshing like tinc or openvpn, or failover, so it probably is just a lot of one-to-one tunnels.
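The "one-to-one tunnels" point above, together with the earlier 10.y.x.x subnet-per-site plan, can be turned into configs mechanically. The following is an added example (not code from this thread or from the WireGuard project) that assigns each site router a LAN of 10.y.0.0/16 and a tunnel address in an assumed 10.255.0.0/24 range, refuses overlapping site numbers, and renders a full-mesh wg-quick style config per router; the endpoints and keys in the inventory are constructed placeholders (real keys come from `wg genkey` / `wg pubkey`).

```python
"""Full-mesh WireGuard configs for a few hackerspace routers (added example).

Assumptions (not from the thread): site number y is 1..254, site LAN is
10.y.0.0/16, and tunnel addresses live in 10.255.0.0/24 as 10.255.0.y.
"""
import ipaddress

TUNNEL_NET = ipaddress.ip_network("10.255.0.0/24")

# Constructed sample inventory: endpoints and keys are placeholders only.
SITES = [
    {"name": "alpha", "y": 1, "endpoint": "alpha.example.net:51820", "pubkey": "<PUBKEY_ALPHA>"},
    {"name": "beta",  "y": 2, "endpoint": "beta.example.net:51820",  "pubkey": "<PUBKEY_BETA>"},
    {"name": "gamma", "y": 3, "endpoint": "gamma.example.net:51820", "pubkey": "<PUBKEY_GAMMA>"},
]

def plan_sites(sites):
    """Map site name -> {lan, tun}; raise on a reused y or a clash with the tunnel net."""
    plan, seen = {}, set()
    for s in sites:
        lan = ipaddress.ip_network(f"10.{s['y']}.0.0/16")
        if not 1 <= s["y"] <= 254 or s["y"] in seen or lan.overlaps(TUNNEL_NET):
            raise ValueError(f"site {s['name']}: y={s['y']} is invalid or already used")
        seen.add(s["y"])
        plan[s["name"]] = {"lan": lan, "tun": ipaddress.ip_address(f"10.255.0.{s['y']}")}
    return plan

def render_config(me, sites, plan):
    """Config for router `me`: one [Peer] stanza per other site (a full mesh)."""
    lines = ["[Interface]",
             f"Address = {plan[me]['tun']}/{TUNNEL_NET.prefixlen}",
             "ListenPort = 51820",
             "PrivateKey = <PRIVATE_KEY_FROM_wg_genkey>", ""]
    for s in sites:
        if s["name"] == me:
            continue
        p = plan[s["name"]]
        lines += ["[Peer]", f"# {s['name']}",
                  f"PublicKey = {s['pubkey']}",
                  f"Endpoint = {s['endpoint']}",
                  # AllowedIPs doubles as the routing table: only this peer's
                  # tunnel address and its LAN are sent through this tunnel.
                  f"AllowedIPs = {p['tun']}/32, {p['lan']}",
                  "PersistentKeepalive = 25", ""]
    return "\n".join(lines)

def render_all(sites):
    plan = plan_sites(sites)
    return {s["name"]: render_config(s["name"], sites, plan) for s in sites}

if __name__ == "__main__":
    for name, cfg in render_all(SITES).items():
        print(f"# ---- /etc/wireguard/wg0.conf on {name} ----\n{cfg}")
```

Adding a fourth space means appending one inventory entry and redistributing every router's config, which is exactly the "new tunnel both ways" maintenance cost the IPsec answer warned about.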

Yes. You’ve got it. You just need some endpoints to actually send and receive those gossip messages and perform the configuration. Most likely that’s something to develop rather than find whole-cloth, but it should be fairly simple.