[Babel-users] tunnels

Justin Kilpatrick justin at altheamesh.com
Sat Oct 13 14:40:05 BST 2018


Althea makes heavy use of WireGuard tunnels and Babel.

For those who aren't familiar, Althea bills per kb of traffic using payments between devices. While most of the time the L2 network between any two peers is secure and isolated, there are situations where it is not (802.11s as a connectivity layer, for example), so we use WireGuard tunnels between peers and run Babel on top of that in order to ensure that traffic billing can't be spoofed easily.

Then we need to secure user traffic as it traverses the network; for that we use a second WireGuard tunnel to a VPN server.

Some tricks to note with WireGuard:

* Unless you want to set up unicast Babel, you need an individual port and tunnel for every Babel connection.

WireGuard's secure IPs feature won't allow you to use the peer discovery broadcast address twice on the same tunnel.

* To dramatically reduce convergence time, configure endpoints on both ends of the tunnel and enable the keepalive feature at an aggressive sub-10-second interval.

WireGuard can deal with just one endpoint being configured, but if you're running Babel over WireGuard a lot you'll want your setup daemon to be more aggressive than that, or peer discovery will be quite slow.

You can find the firmware builder and images to play with here:

https://github.com/althea-mesh/althea-firmware 

And the daemon that manages the tunnels here:

https://github.com/althea-mesh/althea_rs

I even took some flame graphs of performance:

https://forum.altheamesh.com/t/althea-performance/44/6

The end conclusion there is that MIPS devices struggle a bit with the encryption, but modern ARM devices are very well optimized and would see very little performance hit if you could get the forwarding offloads interacting gracefully with WireGuard. See my progress on that here:

https://github.com/althea-mesh/althea-firmware/pull/54


-- 
  Justin Kilpatrick
  justin at altheamesh.com

On Sat, Oct 13, 2018, at 8:00 AM, Juliusz Chroboczek wrote:
> > I keep seeing people talk about running tunnels via babel. Is there a howto
> > about how to do it? With wireguard? ipsec ? ssh? Or ?
> 
> We've had good success with both GRE (insecure) and OpenVPN over UDP.
> In both cases, it's pretty trivial:
> 
>   - start the tunnel;
>   - make sure the tunnel endpoints have link-local IPv6 addresses;
>   - assign IPv4 addresses to the tunnel endpoints;
>   - run babeld with
> 
>        interface tun0 type tunnel
> 
> -- Juliusz
> 
> _______________________________________________
> Babel-users mailing list
> Babel-users at alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/babel-users
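The two pieces of advice in this thread, Juliusz's recipe (bring the tunnel up, give the endpoints link-local IPv6 addresses, run babeld with `interface X type tunnel`) and Justin's WireGuard tricks (one tunnel and port per Babel neighbour, an Endpoint on both ends, keepalive under 10 seconds), put together as an added shell example. This is not code from the post, the Althea firmware, althea_rs or babeld; the key strings, addresses, ports and interface names are constructed placeholders, and `check_tunnel_conf` is an added sanity check, not a tool either project ships.

```shell
# Added example, not from the list post or the Althea/babeld projects.
# Generates per-neighbour WireGuard configs plus a babeld config for two
# routers A and B. All keys, addresses and ports are constructed placeholders.

set -u

BABEL_MCAST="ff02::1:6/128"   # Babel's IPv6 multicast group (RFC 8966)
LINK_LOCAL="fe80::/64"        # babeld speaks from link-local addresses
KEEPALIVE=5                   # seconds; the post wants sub-10-second keepalives

# wg_conf NAME LISTEN_PORT PRIVKEY LL_ADDR PEER_PUBKEY PEER_ENDPOINT
# Print a wg-quick style config for ONE tunnel to ONE Babel neighbour.
# Each neighbour needs its own interface and ListenPort: in WireGuard an
# AllowedIPs prefix (here the Babel multicast group) belongs to exactly one
# peer per interface, so two neighbours cannot share a tunnel for multicast
# hellos. Endpoint is set on BOTH sides and keepalive is short so either end
# can (re)initiate quickly and babeld sees the neighbour without waiting.
wg_conf() {
  name=$1 port=$2 privkey=$3 lladdr=$4 peerkey=$5 endpoint=$6
  cat <<EOF
[Interface]
# ${name}
ListenPort = ${port}
PrivateKey = ${privkey}
Address = ${lladdr}/64

[Peer]
PublicKey = ${peerkey}
Endpoint = ${endpoint}
AllowedIPs = ${LINK_LOCAL}, ${BABEL_MCAST}
PersistentKeepalive = ${KEEPALIVE}
EOF
}

# babeld_conf IFACE...
# One "interface X type tunnel" line per WireGuard interface; "type tunnel"
# is babeld's built-in interface profile for tunnels.
babeld_conf() {
  for ifc in "$@"; do
    printf 'interface %s type tunnel\n' "$ifc"
  done
}

# check_tunnel_conf FILE
# Added sanity check (not a babeld/WireGuard tool): fail if the config lacks
# an Endpoint or a PersistentKeepalive under 10 s, the two settings the post
# says keep Babel convergence over WireGuard fast.
check_tunnel_conf() {
  f=$1
  grep -q '^Endpoint = ' "$f" || {
    echo "$f: no Endpoint (only the other side will be able to initiate)"
    return 1
  }
  ka=$(sed -n 's/^PersistentKeepalive = //p' "$f")
  [ -n "$ka" ] && [ "$ka" -lt 10 ] || {
    echo "$f: PersistentKeepalive missing or >= 10 s (slow peer discovery)"
    return 1
  }
  return 0
}

# --- demo: constructed placeholder keys; real ones come from `wg genkey` and
# --- `wg pubkey`. Public IPs are from the documentation range 203.0.113.0/24.
A_PRIV="aPRIVATEKEYPLACEHOLDER00000000000000000000="
A_PUB="aPUBLICKEYPLACEHOLDER000000000000000000000="
B_PRIV="bPRIVATEKEYPLACEHOLDER00000000000000000000="
B_PUB="bPUBLICKEYPLACEHOLDER000000000000000000000="
DEMO=$(mktemp -d)

# Router A: interface "wgb" towards B, which listens on 203.0.113.2:51822.
wg_conf "router-A -> router-B" 51821 "$A_PRIV" fe80::1 "$B_PUB" \
  "203.0.113.2:51821" > "$DEMO/wgb.conf"
# Router B: interface "wga" towards A; B also sets an Endpoint for A.
wg_conf "router-B -> router-A" 51821 "$B_PRIV" fe80::2 "$A_PUB" \
  "203.0.113.1:51821" > "$DEMO/wga.conf"
# A third neighbour C would get another wg_conf call with a new port (51822)
# and a new interface name, plus one more line in babeld_conf.
babeld_conf wgb > "$DEMO/babeld-A.conf"
babeld_conf wga > "$DEMO/babeld-B.conf"

check_tunnel_conf "$DEMO/wgb.conf" && check_tunnel_conf "$DEMO/wga.conf" \
  && echo "configs written to $DEMO"

# To bring it up on router A (root and wireguard-tools/babeld required):
#   wg-quick up "$DEMO/wgb.conf" && babeld -c "$DEMO/babeld-A.conf" -D
```

The same `ListenPort` is reused on the two routers only because each router has a single tunnel in this demo; on a router with several Babel neighbours every `wg_conf` call needs a distinct port and interface name, which is exactly the "individual port and tunnel for every Babel connection" point above.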


