I’m curious, if we have a hub-and-spoke VPN, could we have peer-to-peer end-to-end encryption, with the exchange between them facilitated by an untrusted hub on a cloud instance?
So, the phone wants to connect to a media server at home. In a hub-and-spoke VPN, both connect to a VPN server. The problem is, the traffic is decrypted on the VPS. I want the packets from the phone to go to the VPS then to home, with end-to-end encryption. The VPS acts as a relay.
The connection between peers need not be direct (peer to peer). The traffic could go through the central hub if needed. I just don’t want the hub to access the decrypted traffic.
Mesh VPN is one way. The VPS node will be the coordination server.
Tor is another, onion layers of tunnels.
But maybe there is an easy networking solution, like creating a route table on the VPS implementing a relay or STUN server, that says traffic coming from a peer's public key is exchanged on the VPS server.
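One way to get exactly this with plain WireGuard is a nested tunnel: an outer tunnel from each device to the VPS (which only forwards), and an inner tunnel between phone and home whose keys the VPS never holds. This is an added example, not from the original thread; the key placeholders, hostnames and address ranges (10.8.0.0/24 outer, 10.9.0.0/24 inner, 192.168.1.0/24 home LAN) are assumed, and the home side mirrors the phone side with addresses swapped.

```ini
# ---- VPS (untrusted relay): /etc/wireguard/wg0.conf ----
# Needs net.ipv4.ip_forward=1. It decrypts only the OUTER layer; the
# payload it forwards is itself a WireGuard packet of the inner tunnel,
# so it sees who talks to whom, sizes and timing, but never the media traffic.
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <VPS_OUTER_PRIVATE_KEY>   # placeholder

[Peer]   # phone, outer identity
PublicKey = <PHONE_OUTER_PUBLIC_KEY>   # placeholder
AllowedIPs = 10.8.0.2/32

[Peer]   # home, outer identity
PublicKey = <HOME_OUTER_PUBLIC_KEY>    # placeholder
AllowedIPs = 10.8.0.3/32

# ---- Phone, outer tunnel: wg0.conf (reaches the relay only) ----
[Interface]
Address = 10.8.0.2/24
PrivateKey = <PHONE_OUTER_PRIVATE_KEY> # placeholder

[Peer]
PublicKey = <VPS_OUTER_PUBLIC_KEY>     # placeholder
Endpoint = vps.example.com:51820       # assumed hostname
AllowedIPs = 10.8.0.0/24               # only the relay overlay, not the LAN
PersistentKeepalive = 25

# ---- Phone, inner tunnel: wg1.conf (end-to-end with home) ----
# Inner keys are generated on phone and home; the VPS config above
# never contains them. Lower MTU to absorb the extra WireGuard header.
[Interface]
Address = 10.9.0.2/24
PrivateKey = <PHONE_INNER_PRIVATE_KEY> # placeholder
MTU = 1340

[Peer]
PublicKey = <HOME_INNER_PUBLIC_KEY>    # placeholder
Endpoint = 10.8.0.3:51821              # home's OUTER address, routed via wg0 through the relay
AllowedIPs = 10.9.0.0/24, 192.168.1.0/24   # home LAN with the media server
PersistentKeepalive = 25

# Home runs the same two files with 10.8.0.3 / 10.9.0.3, a ListenPort = 51821
# on its wg1, and the phone's inner public key as its wg1 peer.
```

Bring the outer tunnel up first on both ends (`wg-quick up wg0`, then `wg1`); a `wg show wg1` on the phone with a recent handshake, while `wg show wg0` on the VPS lists only outer keys, confirms the relay holds no inner key material.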
So, is this basically a service which simulates a managed VPN, but establishes secure P2P connections between devices to maximize throughput? If so, I'm very curious about pricing.
While that would partially help, I think there are better use cases for this type of setup. It is less about discovering endpoint addresses of peers (you could set up a statically configured mesh network too) and more about moving packets efficiently between peers. It can reduce load, latency and bandwidth requirements all while being more resilient to outages... a full mesh network should still work after any other node/peer fails, making only itself unreachable to others. A mesh network could even be able to reroute packets avoiding the failing paths if possible at all. For example your phone could be connected to your home network and your mobile ISP network, so when your home network loses internet connection peers could still route traffic through your phone's mobile ISP network to other peers in your home network. If you use your VPN to connect home from abroad it is pretty useless though. A mesh network between two computers makes no sense and probably should not be called that. However, just connecting a few sites and some road warriors makes this option quite attractive already.
I feel like you are answering your own question though... while a VPN hub and spoke can be faster than standard internet (by having peering relationships which are better than the users local telco - i.e., effectively circumvent and improve their standard BGP), you can do this on steroids with a mesh VPN by being able to deploy the relays into many diverse locations so that any user anywhere gets these benefits, even if they change location and access different resources.
It's basically the same but more dynamic and distributed.
Yes, you can have VPN endpoints to your VPC, where the other end is in whatever external network you want.
And if you don't want any external communication at all (barring your VPN), just remove the 'IGW' from your VPC (or make a new VPC without one). Or modify the VPC's routing tables. Or don't assign any public IPs to anything in the VPC. Or probably a few other methods :)
How about the old solution of devices connecting to an access VPN running on a nearby AWS VPS?
I have my private network right now. As a plus, devices can make direct connection when they are in restrictive corporate networks (allowing only 443/tcp). Less third parties involved. Seems more secure for personal use.
Sure, it’s not a mesh network, but that doesn’t matter if VPS and devices are in the same region.
But I get that mesh VPN products can be valuable to small businesses: ease of use, ACLs, SSO, central management.
I wonder if it's feasible to make a VPN network where you peer with only _one_ other individual but that individual is selected somewhat randomly. As in, you offer your residential IP to one other person and one other person offers their residential IP to you.
The only services I've seen involve a few people offering their servers as n-ary client exit nodes which obviously ends up with saturation problems like the tor network. Obviously the legal concerns are a big deal but if companies like Mullvad aren't liable for illegal web traffic, one might be able to get similar protections for people that install this VPN.
A hub-and-spoke VPN is slower and it can be more expensive. It's easier if you're configuring each tunnel by hand, but now that mesh VPNs are easy to use you might as well use mesh.
If the traffic is encrypted how do you guarantee that the device doesn't spy on user and doesn't have backdoors preinstalled?
And why would a device need full Internet access? Shouldn't it be only accessible in home network with maybe some (user selected) servers from Internet it is allowed to connect to?
We could use some sort of VPN (from device to other owner's devices) so that even if it is connected to Internet directly it doesn't accept any packets coming not from its owner. VPN also provides encryption while allowing user to examine traffic in clear text.
I think we need some type of easily deployed, ubiquitous, simple, standardised VPN-type protocol so that the users can build protected networks over public insecure infrastructure.
Today if you connect your device to the Internet you connect it directly to the NSA and Chinese hackers.
And if your device is disconnected from public network hackers cannot break into it even if they have exploits.
I think mesh VPNs and VPS-based solutions are the same in terms of privacy. They all involve third parties that you have to trust. Mesh VPNs might even be slightly better because they use P2P connections whenever they can.
The best solution IMHO would be to use mesh VPNs and secure inter-node connections with an additional layer of encryption. SSH and TLS should cover most use cases here, and both are widely supported and easy to set up.
I've been thinking about the same thing. There are actually a lot of benefits to routing all of your traffic through a VPN to a gateway you control. You can work around your last-mile ISP snooping, censoring, or manipulating your traffic. You can obfuscate your meatspace location. You can get as many static or dynamic IPv4 and IPv6 addresses as you want. You can transition between landline and cellular connections without changing IP address(es) or breaking your open connections. You can bond together multiple connections. The only problem is actually getting IP addresses that haven't already been blacklisted by half of the internet for spam/fraud.
I think the killer app would be to combine this with a mesh networking protocol like CJDNS and some kind of cryptocurrency based micropayments for bandwidth. We could build the data equivalent of a microgrid, a p2p internet operating in parallel with but connected to the hierarchical one.
No, but it requires you to either have some kind of peering, Client VPN Endpoint or a bastion host. I prefer a VPN or bastion host, since you add another layer of authentication in between. With Client VPN Endpoint you can also limit network access on a per-user basis to further lock down things.