Improve VPN Setup for Production Use #4

Open
opened 2024-10-02 18:56:40 +02:00 by fabianhauser · 0 comments
Owner

headscale

  • Add Web-UI to manage?
  • Different exit nodes dependent on who is connecting (i.e. chur, winti)
  • DNS is currently not working properly if client has IPv6 (server doesn't currently)
  • Backup stateful configuration on clients (exit nodes) and servers (incl. database)
  • Refactor tailscale client nix config to module
  • NAT loopback breaks indirect service access (direct VPN IPs are currently used for cloud.qo.is etc.)
    • Currently, as a workaround, magicDNS entries for these services were created.

wgautomesh

  • Migrate proxy backend raphiz to use the backbone network
  • Refactor nix config to module

Future considerations

headscale

  • DNS should be handled more gracefully
    • Currently, headscale's magicdns allows in-between-vpn-hosts connectivity
    • Internal wgautomesh hosts are (still) in public dns
    • Search domains in VPN are not working somehow (see headscale warnings - bug in headscale?)

Docs

See defaults/vpn/README.md

Exit nodes

# Secret to put into `/secrets/wireguard/tailscale-key`
headscale --user srv preauthkeys create --reusable --expiration 24h
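As an added example (not part of the issue or of the qo.is infrastructure repository), a small POSIX shell script that wraps the preauth key command quoted under "Exit nodes" and writes the result to the secrets path the issue names with owner-only permissions, refusing to silently overwrite an existing key. The function names, the `HEADSCALE_CMD` override and the `FORCE` rotation switch are assumptions made for this example; the `headscale` invocation, the `srv` user and the `/secrets/wireguard/tailscale-key` path are the ones from the issue.

```shell
#!/usr/bin/env sh
# Added example, not the repository's own code. Creates the reusable,
# 24h-limited headscale preauth key from the issue and stores it in the
# secrets file with mode 0600. HEADSCALE_CMD (assumed) lets the headscale
# binary be swapped out, e.g. when exercising the functions without it.

KEY_FILE="${KEY_FILE:-/secrets/wireguard/tailscale-key}"

# Exactly the command from the issue: a reusable key for user "srv"
# that expires after 24h, so a leaked file has a bounded lifetime.
create_preauth_key() {
    ${HEADSCALE_CMD:-headscale} --user srv preauthkeys create --reusable --expiration 24h
}

# Write key $2 to path $1 so that only the owner can read it (umask 077
# applies to both the file and any directory created on the way).
# An existing key is only replaced when FORCE=1, making rotation explicit.
store_preauth_key() {
    dest="$1"
    key="$2"
    if [ -z "$key" ]; then
        echo "empty key, refusing to write" >&2
        return 1
    fi
    if [ -e "$dest" ] && [ "${FORCE:-0}" != "1" ]; then
        echo "$dest already exists; set FORCE=1 to rotate" >&2
        return 2
    fi
    (
        umask 077
        mkdir -p "$(dirname "$dest")"
        printf '%s\n' "$key" > "$dest"
    )
}

# Verify that a stored key file is not readable by group or others.
# Works with GNU stat (-c) and BSD/macOS stat (-f).
check_key_perms() {
    perms=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$perms" in
        600|400) return 0 ;;
        *) echo "$1 has mode $perms, expected 600" >&2; return 1 ;;
    esac
}

# Usage on the exit node: KEY_FILE=/secrets/wireguard/tailscale-key ./rotate-key.sh
# The guard keeps the file sourceable so the functions can be reused.
if [ "${0##*/}" = "rotate-key.sh" ]; then
    key=$(create_preauth_key)
    store_preauth_key "$KEY_FILE" "$key"
    check_key_perms "$KEY_FILE"
fi
```

The subshell with `umask 077` is what guarantees the secrets file never exists world-readable, even for an instant; the explicit `FORCE=1` step means a rotation shows up as a deliberate action in shell history and in any config management run rather than as a side effect of re-running the script.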
fabianhauser added the
enhancement
help wanted
labels 2024-10-02 18:56:40 +02:00

Reference: qo.is/infrastructure#4