Subj : fsxNet Feedback (ZeroTier
To : deon
From : N1uro
Date : Sun May 16 2021 07:36 am

Hello deon;

-=> deon wrote to N1uro <=-

de> So things weren't adding up for me with your explanation of what you
de> were doing. I think we were coming from 2 different contexts.

Not really. I think you're just over thinking the whole process.

de> I was led to believe that "the network" as 44/9 and that the OpenVPN
de> server served that subnet to clients. So as a client on the network,
de> your address would have been a /9. (I should have picked that up when
de> you gave your ping output.)

The /9 is part of the overall network, but we're also broken down into smaller subnets with point-to-point routing between each subnet.

de> But in your message, you shared this:

N1> it like OpenVPN would do. So in the policy route table I have for 44/9 this
de> is one of hundreds of routes:

N1> 44.64.10.32/27 via 24.0.91.254 dev tunl0 proto 44 onlink window 840

de> So it's not really a single /9 vpn network, it's multiple networks, and
de> you have a /27 vpn network and you route 44/9 over it.

It's both.

de> And given that 44.0.0.1 goes "offline" without loss of connectivity to
de> you to 44.88.0.9 that means that the other end of your OpenVPN link
de> also has an alternative link to 44.88.0.9 (directly or indirectly).

It's a point to multipoint mesh network.

de> Anyway, OpenVPN is a viable "vpn" alternative - I agree, but I think it
de> requires too many management points, sets of servers running OpenVPN
de> and configuration to multiple parts of the network to provide
de> redundancy. (Too much for a simple BBS network.)

Not really -if- it's done correctly and that's the key, however for most who aren't European BBS, it's not an issue. I believe the necessity is to protect the user in and through Europe no?

de> In contrast (which is how this thread started), ZeroTier is peer to
de> peer and just requires you to run a client and me. Since I'm managing
de> "my" network, I'm using a personal "controller" (not ZeroTier's) - and
de> you find me by requesting the controller's network address. Once I
de> authorise you on the network, you don't route your traffic through my
de> controller, you connect direct to me point to point.

As we do with 44-net.

de> Where the concern also was, is that ZeroTier's root servers are
de> required for you to find me - implying if they turned them off you
de> couldn't. That's not true however, since I can define a personal root
de> server (called a moon and more for redundancy), which you configure to
de> find me without ZeroTier's involvement.

That sounds like a lot more management on the part of the sysop though. We've simplified this and we've also made accommodations for those who are on ISPs that dish out dynamic IPs.

de> I recall reading at some point that ZeroTier were going to enable you
de> to advertise your own "root servers" (since the root server's address
de> is hard coded in the client - in much the same way that DNS servers
de> (the DNS analogy) have a standard root server configuration). If and
de> when they do that, then ZeroTier could turn off their root servers and
de> you would still be able to find me (and no moons required).

What we did was as I mentioned (you may have passed it by) have a server in the U.K. that we call the portal. Those on dynamic IPs create a dyndns host and instead of entering in an IP they enter in their dyndns address. Hourly the portal does DNS queries to see if there's any changes in IPs and if so it does 2 things:

- it creates a route file with the new changes so those who wish to manually download it may do so
- it sends that file to amprgate which then sends out a broadcast in RIP that we slightly rewrote.

The client runs a tiny daemon that picks up the route broadcasts and makes its changes to the local node's route table in their policy routing. I don't think Windows has the ability to use this daemon but in the command to load it, you specify which route table you're using. The lower the table number the higher the priority... as standard. The broadcasts if no changes are made are done hourly. If a node's IP changes then it's done fairly quickly. Unfortunately I don't think OpenVPN by itself has the ability to change routes on the fly... the newer version may, I haven't looked. I do know in Germany they're doing this 100% on OpenVPN and it's quite successful since Germany is BGP hosted and doesn't use amprgate at all - there's no need - but they are using OpenVPN for the clients and they're all point to multipoint. If the main hub/server goes down, they will lose routing to the rest of 44-net BUT they still maintain connectivity to each other.

I know it sounds a bit complicated, but it really isn't and it's quite slick. We've been doing things this way now for almost 10 years with almost no issues.

- N1URO

.... AD&D Famous Last Words: Am I seeing things or is that a dragon?
--- MultiMail/Linux v0.52
 * Origin: Carnage - risen from the dead now on SBBS (21:4/107)
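The portal/daemon workflow N1uro describes (hourly DNS lookups of each node's dyndns host, a route file in the same line format as the quoted `44.64.10.32/27 via 24.0.91.254 ...` entry, and a client daemon that rewrites its policy route table from the broadcast) is easy to misread as a single VPN, so here is an added, self-contained illustration of it. This is example code written for this page; it is not the portal's, amprgate's or the daemon's actual code. The registry, the dyndns hostnames and the replacement addresses are constructed, the DNS step is replaced by a dictionary lookup, and the route table number 44 is an assumption (the message only says the table is chosen when the daemon is loaded). The sanity check in `route_is_sane` is the part a practitioner would want on the receiving end: a daemon that installs routes from a network broadcast should refuse prefixes outside 44/9 and gateways that are themselves inside 44/9 (which would send the tunnel through itself), loopback, multicast or link-local.

```python
"""Added example (not the thread's, the portal's or amprgate's own code):
turn a dyndns registry into route-file lines, then compute and sanity-check
the delta a client daemon would apply to its policy route table."""
import ipaddress

# Address block discussed in the thread; every announced prefix must lie inside it.
NET44 = ipaddress.ip_network("44.0.0.0/9")

# Route-file line format as quoted in the message.
ROUTE_FMT = "{prefix} via {gw} dev tunl0 proto 44 onlink window 840"

# Constructed registry: subnet a node announces -> dyndns host of its tunnel endpoint.
REGISTRY = {
    "44.64.10.32/27": "node-a.dyndns.example",
    "44.88.0.0/24": "node-b.dyndns.example",
}


def parse_route_line(line):
    """Split one route-file line into (prefix, gateway) ipaddress objects."""
    fields = line.split()
    if len(fields) < 3 or fields[1] != "via":
        raise ValueError("malformed route line: %r" % line)
    return ipaddress.ip_network(fields[0]), ipaddress.ip_address(fields[2])


def route_is_sane(prefix, gw):
    """Checks a daemon should run before installing a broadcast route: the prefix
    must be inside 44/9 and the endpoint must be an ordinary unicast IPv4 address
    outside 44/9 (an endpoint inside 44/9 would be reached through the very tunnel
    it is meant to carry, i.e. a routing loop)."""
    if prefix.version != 4 or gw.version != 4:
        return False
    if not prefix.subnet_of(NET44) or gw in NET44:
        return False
    if gw.is_loopback or gw.is_multicast or gw.is_unspecified or gw.is_link_local:
        return False
    return True


def build_route_file(registry, resolve):
    """The portal's hourly pass: resolve each dyndns host and emit sorted route lines.
    `resolve` maps hostname -> IP string (or None); the real portal does DNS here."""
    lines = []
    for prefix, host in registry.items():
        gw = resolve(host)
        if gw is not None:
            lines.append(ROUTE_FMT.format(prefix=prefix, gw=gw))
    return sorted(lines)


def route_delta(old_lines, new_lines, table=44):
    """Commands a client daemon would run to move its policy table (assumed number
    44) from the previous route file to the new one. Entries failing the sanity
    check are returned separately instead of being applied."""
    old = dict(parse_route_line(l) for l in old_lines)
    new = dict(parse_route_line(l) for l in new_lines)
    commands, rejected = [], []
    for prefix, gw in new.items():
        if not route_is_sane(prefix, gw):
            rejected.append("%s via %s" % (prefix, gw))
            continue
        if old.get(prefix) != gw:  # new prefix, or the endpoint's IP changed
            commands.append("ip route replace %s via %s dev tunl0 onlink table %d"
                            % (prefix, gw, table))
    for prefix in old:
        if prefix not in new:
            commands.append("ip route del %s table %d" % (prefix, table))
    return commands, rejected


if __name__ == "__main__":
    # Two constructed hourly passes; node-b's ISP hands it a new address in between.
    before = build_route_file(REGISTRY, {"node-a.dyndns.example": "24.0.91.254",
                                         "node-b.dyndns.example": "198.51.100.7"}.get)
    after = build_route_file(REGISTRY, {"node-a.dyndns.example": "24.0.91.254",
                                        "node-b.dyndns.example": "203.0.113.9"}.get)
    for cmd in route_delta(before, after)[0]:
        print(cmd)
```

Only the changed node produces a command, which matches the message's point that a stable hourly broadcast is a no-op and an IP change is applied quickly; the `ip route` strings are built as text rather than executed so the example runs without privileges.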