At work we run tinc as a quasi-VPC clone in production and it’s been good to us so far.
The only complaint I have is that under a lot of network load it’ll eat up a good amount of processing power on a DO droplet.
It took some time getting a lot of the infrastructure in place to manage and hand out keys and configs – FWIW I think had we started with something more zeroconf like this might have been easier on us.
I am usually recommending ipsec as VPC between hosts. Do you have performance numbers? The only downside I saw with these setups was that they add some latency. I did not see unreasonably huge CPU usage even when under heavy load. How is tinc performing? Sparing one core for tinc will usually be ok, if latency is improved.
In our testing across datacenters tinc did not add any noticeable latency. In our tests with iperf, bandwidth capped out at about 150Mb/s whereas without it we’d hit line speed (1 Gb/s). We’re not network constrained, so that wasn’t a deal killer for us – You’re right about it eating up a core, but that’s still a core you’re paying for.
Prior to selecting tinc we looked at using ipsec but the management burden of it seemed really high. There’s a good talk by Fran Garcia from hostedgraphite who went into their problems with it https://www.usenix.org/sites/default/files/conference/protected-files/srecon16europe_slides_garcia.pdf That presentation and doing some reading pretty much steered us away from ipsec
In the end I think we’ll probably end up switching to a provider who provides a VPC like service and then we’ll do site to site vpns across providers if only to relieve us from the management and overhead burdens of tinc.
Prior to selecting tinc we looked at using ipsec but the management burden of it seemed really high. There’s a good talk by Fran Garcia from hostedgraphite who went into their problems with it https://www.usenix.org/sites/default/files/conference/protected-files/srecon16europe_slides_garcia.pdf
Decent write-up. TL;DR: Don’t use Racoon.
For hosts you control yourself, ipsec with strongswan and libreswan using ikev2 has always been a great experience for me. Connecting with roadwarriors, running old software versions on odd OSs, has never been the best part though.
I really enjoy tinc, probably one of the easiest to set up and maintain VPNs for the devices + vps setup. Used it for a long time.
Only big problem I have with it, is their mobile support is still predicated on having a rooted phone (see: https://github.com/Vilbrekin/tinc_gui/issues/5 ). This ended up making it useless for a big subset of hopes I had for my VPN, so I’ve moved on to much sadder configurations so all my devices can connect to the VPN.
Yes, that is a problem for mobile devices. I solved that in my own use case by using OpenBSD with npppd for L2TP over IPSec from iOS devices. The L2TP over IPSec VPN allows access into my larger tinc mesh which I am now looking at running in switch mode instead of router and using OpenOSPFD for the routing. It is really nice to turn on my OpenBSD machines and connect right into tinc wherever I am.
How did I not think of that! Great solution! Just run tinc for any device that can manage it, and then run openvpn alongside it for “legacy vpn” devices. New weekend project!
I’ve also done the same with OpenVPN but I prefer not to have to install a separate client on iOS or macOS since they both have built-in support for L2TP over IPSec.
I love this. Often we don’t get a glimpse of how one gets started doing what they do. Some might assume people are naturally born with certain skills. Turns out we all start at the bottom.
This type of encouragement from within the community goes a long way in helping drive those who feel less likely to contribute because of self doubt.
You win. This adequately trolls me enough to join lobste.rs
My primary BSDs are FreeBSD-related and OpenBSD, resulting in a small arsenal of aging ThinkPads and as of this week, a ThinkCentre. Brain dump:
Preferred architectures: Sandy Bridge “2’s” and Ivy Bridge “3’s”, i.e. T420 and x230. SB: Classic keyboard layout. I can operate them in the dark: console switching, scrolling, huge ESC for vi… IB: Fixed IOMMU for Xen and VT-d, fixed GPT support for FreeBSD (later fixed in FreeBSD and SOME derivatives) Lesson: Lenovo BIOS can be crap and I hope to try coreboot and friends, given that the x220, plus probably others are supported.
The CPUs also have the “2” in the name, i.e. i5-2540M for a Sandy Bridge one. They share the same “barrel” power connector as quite a few models back and the “T” models have UltraBay drives, allowing for additional disks, albeit at 3Gbps and some weird boot delays. I have seen hacks to fit “SB” keyboards into “IB” models but some keys do not map correctly with the factory BIOS. No surprise given that the “IB” “chiclet” ones removed… 7 keys.
I have been working with a certain hypervisor and the VT-x/EPT features in the “Core” processors are needed. I have one first generation Core i7 (Rusty Bridge?) that I could not pass up. Note that the first generation do not have UEFI.
Models: T’s and x’s all the way. The T’s have UltraBay bays and all have mSATA slots. Yes, you could run a 3-disk RaidZ array on one with the penalty of the slower UltraBay interface, for those running OpenZFS.
Price: DAMN CHEAP. ThinkPads generally exist in two conditions: Trashed and mint. Most for sale on eBay are in fact close to new, being lease spares and perhaps former property of the CEO who always used a desktop. I have seen double digit HD hours on “used” models plus all the original stickers, zero space bar gloss etc. (!)
Average price: $180 to $225 USD, $400 for fancy models like a quad-core 1920x1080 15"
RAM: I use 16GB Corsair “Mac” RAM on all models or left over RAM from upgraded models. I still cannot tell if they will take 2X16GB modules but I have one unit I would like to truly max out.
Models: x220i, x220, x230, T510, T420, T530 and T400, T61 just because and the majority around $200 in near-new condition.
Note that the “T4” and “T5” indicate 14" and 15" screens. I guess “x2*” is 12"?
The “i” models like the x220i are “Celeron” models but support VT-x/EPT (!). For some reason, I think Lenovo punishes Europeans with things like T530i’s with Celeron or i3 processors. Beefy machine, anemic processor. Kinda pointless on the used market given that you can have an i7 for a few <currency> more.
Note that the x2n0’s and all IB’s appear to need low-profile HDs or SSDs. Generally not a problem with SSDs.
I avoid the x*20T “Tablet” models and “s” models which are “slim” T series ones. I have heard of overheating issues with them and they would take a slimmer UltraBay caddy. They may have USB3 for those who must have it.
UltraBay caddies: http://www.newmodeus.com/
As for the ThinkCentre. It was $100 with no RAM or HD. It’s louder than I expected and the odd-ball power supply is quite big. It’s a quad-core i5 but will probably perform some network serving task. Maybe as a PXE server with a low-profile network card…
I finally have a dock (looks new, $10) and am mostly happy with the “travel” keyboard that has both the NavNub and a trackpad. These are reportedly fragile and for some reason have ESC above F1, rather than left of it. To its credit, it does not ghost-tap like crazy like the other models. (Sees if the trackpad can be disabled in BIOS…) It can! Not sure why I didn’t do that long ago. So. I love trackpads but have muscle memory for MacBook ones (and the command key for that matter). FreeBSD specifically enables trackpad touch/clicking by default and let’s just say the butterfly effect is in full effect. Everyone says to disable something in xorg.conf but recent FreeBSD tags seem to just work out of the box with an empty /etc/X11/ (Anyone know the fix? If I fixed it however, I would then want to know how to get two-finger scrolling working, which seems to work quite well in OpenBSD… out of the box.)
Pros: Sturdy, interchangeable parts, three mouse buttons!, affordable. I thought I would add a used MacBook Air as I get off of Mac: $650 min? Cons: I want my function keys back, plus the classic layout. Sandy Bridge BIOS bugs. 3Gbps UltraBay bays. HEAVY by today’s standards, especially if you travel with a few of them.
Either way, I have not used a desktop since about 2000. I want the computer to follow me, rather than me follow it. Nor can I stand the noise of most desktops. Nor can I give a presentation from a desktop. This does however make NAS software developers think I’m crazy given that most of my NAS use is on a ThinkPad for support, testing, documentation, training etc. Portable bare metal is really, really useful.
What was the question?
Update: Many T models include NVidia graphics. This was critical to use on FreeBSD but now might even be less-supported than the on-board Intel. You can choose in BIOS and with one I didn’t realize for some time that it also had NVidia. FreeBSD suspend and resume (formerly reboot) works quite well. I’m sure OpenBSD’s has worked a long time.
Lenovo BIOS can be crap and I hope to try coreboot and friends, given that the x220, plus probably others are supported.
You should give Libreboot a shot on an x200! Unfortunately it doesn’t support models newer than that – Intel’s/Lenovo’s BIOS is locked down pretty hard.
Well, I am only interested in SB/IB so it may not be a problem! https://www.ericholzbach.net/blog/x230_coreboot/
Oh, I didn’t realize there was partial support! You still can’t extirpate the dreaded Management Engine, but it does look like SeaBIOS ought to work.
I like ThinkPad build quality and keyboards (I hear the new ones aren’t as bad as people let on) but the screens and batteries are terrible. The modern high-end IPS panels and the old FlexView panels were good, but anything other than those are dim, low res, and have poor viewing angles. The batteries might be OK when new, but they deteriorate rapidly and you’re often lucky to get an hour or two. If you have a secondary battery, it will suck the battery dry; a fast way to kill LiIon ones.
My dream laptop would be some kind of MacBook in a ThinkPad chassis, as long as Apple provides the battery and screen. (I’d like the retina MacBook in a slightly slimmed X-series body. Jam it full of batteries, no fan, and all-day life. I’d carry that around.)
Good point about the IPS screens. They are tricky to find used and I have never bought one. The 1920x1080 is the best I’ve had while yes, the other screens are kinda crappy. The biggest shock was the T510 which is shockingly low res for its size. The VGA does however interface with about 90% of the projectors/displays I have used and a crazy 42" touchscreen I have looks great.
The batteries have treated me well and I have made a point of having slim and extended ones. I don’t have the massive ones that work like a base or the UltraBay ones. What one SHOULD take a minute to note is the 70++ or whatever versioning numbers they use. They seem to be backwards-compatible but not forward-compatible. That is, a T420 battery will not work with a T430. But, the reverse should work.
As for MacBook-like. I am hearing good things about the X1 Carbons from the TrueOS folks. I confess I love UltraBay drives… pull out your data in seconds and run like hell…
No, the X1C is more like a ThinkPad in a MacBook chassis, which is basically the opposite. In addition, I’m over full performance in mobile, and would really enjoy something that doesn’t need a fan and gets good battery life.
Update 2: brycv and I reminded ourselves of the W530… the Workstation that will take 32GB RAM using four modules. They will cost more than a similar T530 but may even take multiple hard drives.
Others made good points about the IPS screens. Do try to get one unless of course you work mostly from a docking station and only need the built-in display periodically.
If anyone at Lenovo is listening… I think my dream ThinkPad is “X” sized with a decent display and FOUR easily-accessible mSATA devices for file systems work.
Capital “X”! My bad.
Update 3: The battery numbering: Within reach I see:
T510: 55+ Low-profile battery - Doesn’t extend past back surface - Maybe from a Sandy Bridge model?
T420: 55++ Extended battery - Extends on cell width (guessing that’s ++)
X220: 29+ Low-profile battery
X220: 29++ Extended battery
X230: 44++ Extended battery
Somewhere: 70+ (T series 1, 2 and 3)
Somewhat helpful: https://support.lenovo.com/us/en/documents/pd012165
N = 4 cell; N+ = 6 cell; N++ = 9 cell
But, the chart does not have the 55++ in my hand which it seems is for T series 1 and 2.
RAM: I use 16GB Corsair “Mac” RAM on all models or left over RAM from upgraded models. I still cannot tell if they will take 2X16GB modules but I have one unit I would like to truly max out.
Let me save you some time & money with the short answer: No, 2x16GB modules will not work.
Long answer: Intel Core series prior to Skylake only supports up to 4Gb DRAM packages (don’t confuse that with the actual SoDIMM capacity). Take a look at this picture on this Newegg product:
www.newegg.com/Product/Product.aspx?Item=N82E16820148679
That’s the SoDIMM for a single 8GB laptop RAM stick, front and back; there are a total of 16 DRAM packages, each one is 4Gb in size.
For a single 16GB SoDIMM stick, there will still only be 16 packages, but each DRAM package must be 8Gb in size. However, as per the Intel spec sheet (page 19), the maximum supported DRAM package is 4Gb for Intel Core Generation 5 (Broadwell).
It is only with Skylake that support for 8Gb DRAM packages was added (Intel spec sheet, pages 20-21).
Apparently AMD CPUs don’t have this limitation and have been able to address 8Gb DRAM packages for quite a few generations now (I’ve seen this chalked up to a “bug” with the Core architecture that was resolved in Skylake, but I can no longer find the source where I originally read this).
EDIT: Found the source for the claim that Intel CPUs are “buggy” and AMD CPUs support this fine:
http://www.anandtech.com/show/7742/im-intelligent-memory-to-release-16gb-unregistered-ddr3-modules
I think some Broadwell chips (like with some NUC models) will support 2x16GB DDR3L modules but that’s mostly based on Amazon reviews of a Crucial 2x16GB DDR3L set of SODIMMs that I have been considering buying to test, but it’s $330 or so for the memory. Not worth it when a 2x16GB DDR4 set of SODIMMs is $130.
Thank you! Every conversation I have read on the matter to date had come before the modules were available, making for pointless analysis.
I have many, many desktop and server machines that are running OpenBSD. On the laptop side of things, I used to run OpenBSD on the most recent and one before MacBook Air machines. That’s always a little bit of a mixed bag but now that (U)EFI support is in OpenBSD, things are much better. I have a lot of Apple hardware for other reasons and it was logical to test but I wouldn’t necessarily recommend Apple hardware specifically for OpenBSD (wireless doesn’t work, etc.). I can also identify with the frustrations of OS X and now macOS. I have used OS X since it was released but this recent “Core Rot” problem is very frustrating. I have been particularly frustrated with memory leaks in Safari that only seem to show up on my late 2013 Mac Pro with 64GB of memory. It’s a sad problem when the most expensive Apple machine has problems that don’t manifest on cheaper machines. Running out of memory frequently in Safari is not acceptable on a $5000+ machine. I can’t get rid of macOS completely for various reasons but I do a large part of my work on OpenBSD systems these days. I would not shy away from trying an OpenBSD install on your MacBook Pro though. Even installing on a USB flash drive works fine (although suspend and resume will never work in that scenario) but having a system with only Intel graphics is better since NVIDIA isn’t supported by OpenBSD.
I have a ThinkPad X230, ThinkPad X1 Carbon (1st generation with Ivy Bridge), and ThinkPad X260. All are the fastest Core i7 CPU available at that time and the X230 and X260 have the IPS screens (huge advantage in my opinion). The X260 also has the 1920x1080 option which is fantastic. Unfortunately, there is no inteldrm(4) for the Skylake chips yet so Ivy Bridge, Haswell, or to some extent Broadwell are better choices right now. Hopefully we will see that support before too long. (As a side note, running a 4K display with OpenBSD works great with Haswell inteldrm(4). I’m using a Xeon E3 1275 v3 system to drive a Dell P4317Q 43-inch 4K display which works great. I haven’t tried Broadwell inteldrm(4) for a 4K display yet but have been looking around at the Core i5 5675C and Core i7 5775C for testing.)
The X230 is what Theo uses with OpenBSD and many other developers have similar machines. Everything works great including suspend and resume. On the X260, it is still too new for everything to work perfectly but, once inteldrm(4) support arrives, things should work as well as with the X230. As michaeldexter pointed out, the X230 and older machines use that common “barrel” connector which is very convenient. I’m not thrilled with the rectangular plug that the X1 Carbon and X260 use but it’s not that bad. Fortunately, the power supplies are quite inexpensive ($12-$18 on Amazon). In order to use Xorg on the X260, I use wsfb(4) which works well enough to get by just fine.
I am using the X260 along with a 12-inch Retina MacBook (can’t get away from macOS completely due to work) as my main portable machines these days. (I also do lots of work on my iPad Pro 9.7-inch with the Smart Keyboard which is mostly web stuff and logging into my FreeBSD storage boxes and OpenBSD boxes via ssh.) If I could, I would run OpenBSD on the Retina MacBook but it is pretty limited with only that single USB-C port and a non-standard flash storage interface. Not having any wireless without a very annoying dongle would not be great.
I don’t do that much custom configuration. I use cwm which is part of OpenBSD as my window manager. Firefox, Iridium, Chromium, mutt, msmtp, offlineimap, vim, Adobe Source Code Pro font, and a few other things round out most of my installs. I tend to prefer a minimalist environment but Gnome 3.x and XFCE4 work really well if you’re so inclined. I know KDE is around but I haven’t tried that recently.
Also, jcs has a lot of dotfiles available on GitHub which are helpful for some configuration stuff too. I have been meaning to put up some of my dotfiles as well but have not gotten around to it yet. Lots of other OpenBSD users have configuration details up as well.
Edit: and apparently anyone can run apps on their iOS devices without needing a developer account
Apparently slide over apps will work on iPad mini 2, iPad mini 3, iPad Air, and iPad Air 2 but the fullscreen side-by-side apps will only work on the iPad Air 2.
I’ve considered using an iPod touch rather than an iPhone before and using Bria with encrypted VoIP for calls but the problem then is needing WiFi everywhere. We’re just not quite there yet but it’s close. I would pay a lot for an iPhone with a data only plan that could do this. Basically exactly what an iPad with cellular has but in the iPhone form factor.
There’s some interesting discussion about this article following this tweet from the author.
That would be great! I’m attempting to work it out in my schedule right now as well. Maybe I’ll see you there.
As a former owner of an ISP that provided broadband, it is a very tough market unless you are in a very unique area where the telcos and cable companies don’t want to invest. Even then, it’s hard to compete unless you can achieve sufficient scale. I don’t like where the market is going with more and more centralized control. There wasn’t much point in the anti-monopoly telephone company breakup now that pretty much everything is back to AT&T and Verizon now.
I hate this so much. Yeah, sure… the government is totally regulating this market well. It totally promotes and cultivates innovation. TOTALLY.
More conclusively, the article itself is tagged ‘Satire’ – it’s written right under the article title.
It has some errors on OpenBSD including the -s option for which. I’ll open an issue about it if you’d like.
One of these days I’m hoping a diff turns up to enable encryption support in boot. I didn’t want to use a keydisk (100% chance the keydisk would be in the machine when it was stolen), so I only encrypted /home.
That was on an X200s, with a lowly 1.8 Core 2, and using an SSD made it way faster than the encryption overhead. If you only have a 24G drive, you don’t have enough space for files big enough to notice the performance hit. :) I’ve noticed hardware AES making a difference when writing out files ~1G in size, but below a 100M, never. Also, the buffer cache is kept decrypted, so it’s not like you have to decrypt /bin/ls every time you run it.
On the whole, good article. I’ve also been looking at the Seagate Momentus XT drives. 16GB of cache NAND would be more than enough to cache my entire OpenBSD working set, but still let me carry a media collection around on the same drive.
I have two machines, one with keydisk and one with encrypted home. Using the keydisk has turned into a huge PITA.
The next time I rebuild my boxes, I will use only home encryption and a yubikey with both profiles set to static.
I need to look at the boot source code and see what could be done. Since boot now supports softraid RAID 1 without a separate partition for kernels, maybe that could be extended to add encryption support at boot as well as not needing a separate kernel partition.
I would love to have encryption support in boot. I never take my keydisk out either which defeats the purpose. That’s good to know on the performance for files less than 1GB in size. That makes a lot of sense on the buffer cache as well.
I installed a 750GB Momentus XT for a relative and the difference from a regular 5400RPM laptop drive was staggering. It’s still not as good as an SSD but you get lots of storage for nothing compared to what an SSD would be. I bought the XT for ~$150 where my Crucial M4 512GB SSD was ~$400. Now the XT is as inexpensive as ~$130.
I’ll add some updates to the article to reflect the additional details. Thank you.
Not personally, but that’s why the code was added. There’s more CPU overhead just moving network packets back and forth, so you have less headroom. And tiny delays affect network traffic. Then again, are we talking about a home router on DSL or a gigabit corporate gateway?
Don’t get me wrong, AES-NI is wicked fast. I should clarify it’s not really file size, just amount of disk traffic that matters, but it’s rare (for me) to have a desktop need 100MB of uncached data read yesterday.
I see. I was basically thinking about the comparison between something like a Xeon E3 1220 (quad core 3.1GHz w/o HT but with AES-NI) and a Pentium G630 (dual core 2.7GHz w/HT but without AES-NI) for a firewall with a dozen IPSEC tunnels. There won’t be more than 50Mb/s of traffic initially but later there will be more.
The answer is always benchmark it. :) Depends on who’s paying, but if you anticipate growing, I’d say the Xeon is justified.
Makes sense. I’ll have to start doing some benchmarking and see what happens. In this case, I’m paying and already have both sets of hardware. I’m just debating adding a second of which set. Thanks for your thoughts.
In my comment on that post, I specifically mentioned that I thought it was news because he handles Twitter bootstrap, which is used by basically everyone. Things that would affect its future are relevant to everyone here.
I think that’s fair, Steve; and, I wasn’t intending to single you out or attack you in some passive-aggressive way. That said, I disagree that “basically everyone” uses Twitter Bootstrap; aside from when it was the subject of the “Great Semicolon Debate of 2012,” I didn’t know anyone who knew or cared anything about it.
While I do understand your motivations, I’d have been much happier seeing a link to a blog post from Fat talking about why he left and what he’s going to do or, even better, a post directly about the future of Bootstrap, than a link to a Tweet saying that he left the building for the last time.
No worries, no bad juju here. I considered this exact topic, but decided it was worth posting in the end. We’re all still figuring out what goes here. For example, I had another post get voted down to -1 that I thought was very, very relevant here; I think people just read the title and not the article.
I don’t think that Twitter will want to blog about ‘the future of Bootstrap now that a creator is gone,’ especially given their new marketing-focused culture. Fat doesn’t blog about this kind of thing at all, he blogs about sweet literature stuff. So I don’t think either of those scenarios are going to come about.
And I’m surprised you don’t know anyone using Bootstrap or any site that uses it; every time there’s a post about ‘my new project’ on HN or Reddit, there’s a whole thread of ‘omg stop it with all the Bootstrap sites already!’
I think my lack of exposure comes from revolving in different circles than the typical HN reader; I’m not involved in the startup scene at present; so, I end up with an entirely different perspective on what’s big / important at any given time.
While I don’t think every single person of any possible interest who leaves a company is interesting news, this certainly was for exactly what you stated, which is that he handles Twitter Bootstrap. I’m very interested to see what happens with that project.
Thanks for spreading the word. USB 3 has been out for a while, but I’ve never read anything about back compat and had to discover it for myself.
I appreciate you bringing up the subject to begin with. It’s very confusing for those buying boards that have both native USB 3.0 and ASMedia USB 3.0 or similar. I would rather boards not have any third party controllers but that isn’t too common except for genuine Intel boards like the DQ77KB. The situation is potentially much more complicated for laptop users though.
I think you’re right. Looking at the latest BIOS release for the S1200KP, the release notes say E3 v2 only on the S1200KPR.
http://downloadmirror.intel.com/20826/eng/ReleaseNotes.txt
It’s too bad it requires a separate board for that. Other C206-based boards such as the Asus P8B WS can use Ivy Bridge chips with only a simple BIOS update.
There are enough VPN solutions in the OpenBSD base system for my needs:
I consider the various VPN solutions in ports only where interop with a specific VPN software is needed. They all lack proper privilege separation and sandboxing, so why use them in favour of base VPN tools?
Years ago I used OpenVPN a lot but I found that ssh’s VPN is a good enough replacement (TCP only, no UDP, but if you need stateless VPN connections that much why not just use IPsec).
It looks like privsep does not even exist as a faint idea in tinc. At best you can expose your tun/tap device to the entire tinc process and let any RCE in tinc inject packets. The only alternative is to make any arbitrary RCE in tinc run with root privileges to begin with.
https://www.tinc-vpn.org/documentation/Interface-configuration.html
This kind of software design would never be accepted into OpenBSD base.
Even better, OpenBSD’s VPN stuff is based on actual standards! OpenIKED works with Windows’ built in VPN client, which does IKEv2. (Because you know, PPTP won’t cut the mustard.)
OpenVPN always smelled like jank, but sadly it got popular over IPSec based VPNs.
Besides OpenBSD and FreeBSD, I also use macOS a fair amount for work reasons. I have not tried using IKEv2 with macOS or iOS but there have been some bugs that came across the OpenBSD mailing lists but hopefully those have been ironed out. I used to use PPTP and tried to get L2TP over IPSec working before npppd but never got it working on OpenBSD. Once npppd arrived, everything just worked.
I had forgotten about SSH-based VPNs. That’s a good idea. Thank you.
My experience in the past with IPSec has been that it is not very tolerant of any sort of changing network conditions. Do you use IPSec (either isakmpd or iked) with NAT on laptops running OpenBSD or only from servers with fixed addresses?
The way tinc works reminds me somewhat of PepVPN/SpeedFusion by Peplink. I also use Peplink routers frequently for out of band management because of their embedded cellular modems and so forth. I would love to have an ISC licensed alternative to tinc that worked in a somewhat similar way and very nicely through NAT as tinc does. The two big advantages to tinc as I see it are that it can work in a mesh and also that it automatically reconnects if anything goes wrong with the connection. Is there a way to get the automatic, quick, and reliable reconnect with IPSec that I am overlooking?
I use SSH for the road-warrior use case (laptop connects home), isakmpd+npppd for my android phone, and plain IPsec (with gif(4) for routing) for permanent tunnels, e.g. I provide public wifi where all traffic is tunneled to a dedicated server’s IP before it hits the internet.
For the IPSec case, are you using tunnel or transport mode? I had not considered using gif(4) with IPSec. That would make routing easier.
ESP (tunnel) mode.
Configure ipsec.conf as usual. The IPs used in ipsec.conf are the ones that ‘ifconfig gif’ shows on the ‘tunnel:’ line (i.e. the outer layer of IP-IP encapsulation).
Use the ‘inner’ (tunnelled) IPs on the gif interface for routing purposes. E.g. hosts on the LAN behind the VPN box may refer to these IPs.
It does not work well if any of the IPs involved ever changes (road warrior), but in a fully static setup it works well (even with NAT).
Very interesting. I will give that a shot. I never thought about setting up IPSec that way. Are you using route-to in pf.conf to tunnel the public WiFi traffic somewhere else? Thank you for the suggestions!
Yes, incoming traffic over wifi is tagged, followed by some exceptions that override with a different and otherwise unused tag. Tagged connections are then routed with route-to.
The relevant pf rules look something like:
pass in on $wifi_if tag tunnel
pass in on $wifi_if proto tcp to self port {http, ssh} tag notunnel
pass out tagged tunnel route-to $tunnel_if
Oh, and by the way, you can set the MTU of a gif interface to 1500 (append the line “mtu 1500” to /etc/hostname.gif0).
The default gif MTU is smaller than 1500 which avoids fragmentation of encapsulating packets. However, with the default MTU setting I saw path MTU discovery issues on machines that aren’t aware of the VPN. I have seen no apparent problems after bumping the MTU. Large encapsulating packets will now be fragmented, but that is the lesser of the two evils and is handled automatically (definitely works for UDP encap packets to port 4500 which is your only option if behind NAT; plain ESP might work just as well but I have not tried it).
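The static gif(4)-over-IPsec tunnel, the pf tagging rules and the MTU tweak described in the comments above, collected into one set of OpenBSD config fragments as an added example (these are not the commenter’s own files). The addresses, interface names and the pre-shared key are constructed placeholders; the ipsec.conf rule assumes the isakmpd/ipsecctl flavour the comment refers to.

```conf
# /etc/hostname.gif0  (constructed example)
# Outer endpoints: 203.0.113.1 is this VPN box, 198.51.100.1 the remote one.
# These two addresses are what 'ifconfig gif0' prints on its 'tunnel:' line,
# and they are the ones the ipsec.conf flow below has to match.
tunnel 203.0.113.1 198.51.100.1
# Inner (tunnelled) point-to-point addresses; LAN hosts and routes refer to these.
inet 10.9.0.1 255.255.255.252 10.9.0.2
# Raise the MTU from the smaller gif default to 1500 so hosts unaware of the
# tunnel do not run into path MTU discovery trouble; oversized outer packets
# (ESP, or UDP/4500 when behind NAT) get fragmented instead.
mtu 1500
# Example route to a LAN behind the remote box, via the inner peer address.
!route add -inet 192.0.2.0/24 10.9.0.2
up

# /etc/ipsec.conf  (constructed example)
# ESP in tunnel mode between the two outer addresses protects every IP-IP
# packet gif0 emits. A PSK is shown for brevity; certificates work the same way.
ike esp from 203.0.113.1 to 198.51.100.1 \
    local 203.0.113.1 peer 198.51.100.1 \
    psk "REPLACE-WITH-A-LONG-RANDOM-SECRET"

# /etc/pf.conf  (excerpt, constructed example)
# Guest wifi is tagged 'tunnel'; the later rule re-tags local http/ssh so it
# is excepted (last matching rule wins), then tagged traffic is sent out gif0.
wifi_if   = "athn0"
tunnel_if = "gif0"
pass in on $wifi_if tag tunnel
pass in on $wifi_if proto tcp to self port { http, ssh } tag notunnel
pass out tagged tunnel route-to $tunnel_if
# Not shown: pass rules for isakmp (udp 500/4500) and esp to the peer, and for
# traffic on enc0; with a default-block ruleset the tunnel never comes up
# without them. net.inet.ip.forwarding=1 in sysctl.conf is needed for routing.
```

The route-to argument form changed in later OpenBSD releases, so check pf.conf(5) for the release in use before copying the last pass rule.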
Thanks for all that info! I was wondering about MTU. That makes things simpler if 1500 will work fine.