[Freedombox-discuss] Request for Comment: FreedomBuddy-VPN Setup

Nick M. Daly nick.m.daly at gmail.com
Tue Jun 26 01:44:48 UTC 2012

Hi FreedomBoxers,

I'd appreciate your review and comments on the following, so I can
improve it and take any holes out before the hackfest rolls around.

I believe this pretty effectively solves the magic routing problem, at
least between friends.  This system should allow friends to organize
VPNs over dynamic IPs, without relying on the existing DNS system.
There's some hand-waving here, because a lot of the underlying system is
documented elsewhere [0].  Let me know if things are unclear or
insufficiently described.

Alice and Bob mutually know and trust one another.  Bob has previously
agreed to host a SSH VPN service for Alice.  Alice now wants to connect
to Bob's VPN host.

Alice, as the client, will run:

    $ freedombuddy-ssh-client (Bob's Key Id)

This will:

1. Attmept to connect to all of Bob's ssh servers that Alice has locally
   cached and trusts.

2. If none of those connect, Alice will iterate through each of Bob's
   known FreedomBuddies, doing the following, and stopping when a
   connection is successfully made:

   A. Connect to the FreedomBuddy, querying for the "ssh-vpn" service.

   B. Bob replies to Alice's requesting FreedomBuddy with zero or more
      "ssh-vpn" service locations.

   C. Alice attempts to connect to each of the locations she's learned.

Note: Alice doesn't need to carry out step 2 sequentially.  She could
complete step 2 in a single burst, querying all of Bob's FreedomBuddies
at once, or sequentially, in any defined (or random) order.  The current
structure doesn't support that, though, we'd need to include a random
request ID with each request (with a request-specific timeout) to
support that.  Not difficult, just needs to be documented as a different
protocol version, because it's an incompatible protocol change.

I don't believe there are any holes in that system, but I'd appreciate
your review.

In summary:

1. If Alice has a list of still valid locations that start hosting for
   her (through necessary heartbeat testing), we're done, she's just
   connected to a working location.

2. If none of Alice's known locations reply, she'll query Bob's
   FreedomBuddy service for new ssh locations, and then connect to

Thanks for your time,

0: https://github.com/NickDaly/Plinth/tree/santiago/ugly_hacks/santiago
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20120625/10f5da93/attachment.pgp>

More information about the Freedombox-discuss mailing list