Networks, subnets, port, and corresponding access rules and rights are already complex and get more complex, the more servers and services are added. :doc:`/server/wireguard` add another layer on top of all that and changes all of these already hard to grasp parts. Therefore a clear design concept is needed for reference as we go one.
Note
All IP addresses in this document have been reserved for documentation and testing in RFC 5737 and RFC 4849 or for use in private networks according to RFC 1918. They will not work in the real world.
Make a list of all providers (hosting companies, co-location data-centers, friends, family members, employers or other companies who agreed to host a device on there premises for you). Decide on a abbreviation for each to use throughout the design.
You can find out the provider by using the :file:`whois` command of any public IP address:
$ whois 203.0.113.54
Or for a host name:
$ whois $(dig +short roll.urown.net)
Some examples:
| Provider | Short Name |
|---|---|
| Hetzner Online AG | heztner |
| OVH | ovh |
| Digital Ocean | do |
| Linode | linode |
| Rackspace | rack |
| Your Home | home |
| Your Office | office |
| Mothers House | mama |
Make a list of all geographical or physical remote locations that have one or more servers running. Most providers have their own naming.
Some examples:
| Location | Short Name |
|---|---|
| San Francisco | SFO |
| New York City | NYC |
| Toronto | TOR |
| Berlin | BER |
| London | LON |
| Amsterdam | AMS |
| Frankfurt | FRA |
| Singapore | SGP |
| Bangalore | BLR |
You get these normally from your provider and they are location based. Nowadays you should get an IPv6 as well or change your provider otherwise.
In the best case you get a subnet, maybe you get additional IPs for a price.
List the subnet with their net-mask, which tells you the size and number of IPs. A single IPv4 host has a net-mask of /32. A single IPv6 address has a net-mask of /128
Some examples:
| Provider | Location | IPv4 Subnet | IPv6 Subnet |
|---|---|---|---|
| hetzner | SFO | 203.0.113.54/32 | n/a |
| rack | LON | 198.51.100.7/32 | 2001:db8:48d1::/64 |
| roller | PHO | 192.0.2.14/32 | 2001:db8:2d07:5b57::/128 |
| home | FRA | dynamic | 2001:db8:3414::/48 |
| office | FRA | dynamic | dynamic |
| mama | BER | dynamic | n/a |
Some locations need a private subnet, if there are multiple hosts behind a NAT router. Define one from the range private network address spaces set by by RFC 1918.
See Private Network on Wikipedia:
| Network Address | Net Mask | Prefix |
|---|---|---|
| 10.0.0.0 | 255.0.0.0 | 10/8 |
| 172.16.0.0 | 255.240.0.0 | 172.16/12 |
| 192.168.0.0 | 255.255.0.0 | 192.168/16 |
| fd00::/48 | n/a | fd00::/48 |
First we define a global private subnet out of one of the private address spaces:
$ echo 172.$((RANDOM%16+16)).0.0/24 172.27.0.0/24
| Global IPv4 Subnet | Netmask | Prefix |
|---|---|---|
| 172.27.0.0 | 255.255.0.0 | 172.27.0.0/16 |
Next we define /24 subnets out of our global private subnets for locations who need that:
$ echo home 172.27.$((RANDOM%255+16)).0/24 $ echo office 172.27.$((RANDOM%255+16)).0/24 $ echo mama 172.27.$((RANDOM%255+16)).0/24
| Provider | Location | Local IPv4 Subnet | Netmask | Prefix |
|---|---|---|---|---|
| home | FRA | 172.27.88.0 | 255.255.255.0 | 172.27.88.0/24 |
| office | FRA | 172.27.126.0 | 255.255.255.0 | 172.27.126.0/24 |
| mama | BER | 172.27.74.0 | 255.255.255.0 | 172.27.74.0/24 |
For IPv6 subnets we can use the on-line tool IPv6 private address range generator.
It will create a random global ID and subnet IDs out of the unique local address (ULA) block :file:`fd00::/8`.
| Global ID | c1d89eb128 |
| Global IPv6 Subnet | Prefix |
|---|---|
| fdc1:d89e:b128::/48 | fdc1:d89e:b128::/48 |
Repeat for every location, by providing the same global ID to generate a /64 subnet for each.
https://www.ultratools.com/tools/rangeGeneratorResult?globalId=c1d89eb128&subnetId=
| Provider | Location | Subnet ID | Local IPv6 Subnet |
|---|---|---|---|
| home | FRA | 13a6 | fdc1:d89e:b128:13a6::/64 |
| office | FRA | 2615 | fdc1:d89e:b128:2615::/64 |
| mama | BER | 41c5 | fdc1:d89e:b128:41c5::/64 |
To glue all our locations subnets together we need another one. The tunnel subnet connects all the VPN hosts and gateways together.
For IPV4 Telco's traditionally choose something out of the private 10/8 block.
This makes it easy to distinguish the virtual space from the physical locations within the 172.16/12 space:
$ echo 10.$((RANDOM%255+16)).$((RANDOM%255+16)).0/24 10.195.171.0/24
The IPv6 address of the tunnel subnet we define an additional subnet ID.
| Global ID | c1d89eb128 |
|---|---|
| Subnet ID | 6a04 |
Combined IPv4 and IPv6 together it may look like the following:
| Provider | Location | IPv4 Subnet | IPv6 Subnet |
|---|---|---|---|
| n/a | Global | 172.27.0.0/16 | fdc1:d89e:b128::/48 |
| home | FRA | 172.27.88.0/24 | fdc1:d89e:b128:13a6::/64 |
| office | FRA | 172.27.126.0/24 | fdc1:d89e:b128:2615::/64 |
| mama | BER | 172.27.74.0/24 | fdc1:d89e:b128:41c5::/64 |
| VPN | Virtual | 10.195.171.0/24 | fdc1:d89e:b128:6a04::/64 |
Register a domain for where all your networks and hosts reside in.
It doesn't matter if it is the same domain where our public services are hosted or a different one. The important thing is, that all subnets, sub- domains and host-names reside under one domain-name which we fully control.
That way we can establish trust between all entities based on DNS information secured by DNSSEC. This will simplify things in many areas (e.g. trusting SSH servers keys).
| Domain | Registrar |
|---|---|
| example.net | name.com |
Locations with multiple hosts and IP subnets, get their own sub-domain. Standalone rented servers in data-centers don't need sub-domains.
| Subdomain | Location | IPv4 Subnet | IPv6 Subnet |
|---|---|---|---|
| . | Global | 172.27.0.0/16 | fdc1:d89e:b128::/48 |
| home | FRA | 172.27.88.0/24 | fdc1:d89e:b128:13a6::/64 |
| office | FRA | 172.27.126.0/24 | fdc1:d89e:b128:2615::/64 |
| mama | BER | 172.27.74.0/24 | fdc1:d89e:b128:41c5::/64 |
The VPN sub-domain allows us to make sure, that a connection is authenticated and encrypted at a glance, without memorizing IP addresses. Since the VPN stretches throughout the planet, only is needed.
Let's call this vpn.
| Subdomain | Location | IPv4 Subnet | IPv6 Subnet |
|---|---|---|---|
| vpn | Virtual | 10.195.171.0/24 | fdc1:d89e:b128:6a04::/64 |
Over time you will iterate trough many physical and virtual devices, providing similar services and devices changing their roles and locations, its best to avoid service names, role names, company names, real peoples (e.g. owners) names or household names for devices.
Just take a list, any list, of names or words, preferably a long one and iterate over it.
Here is a good starting point.
I leave it up to you, the reader, to guess from which list the following host names are coming from ...
| Host | Location | Provider | Role |
|---|---|---|---|
| dolores | SFO | hetzner | Server |
| maeve | LON | rack | Server |
| bernard | PHO | roller | Server |
| arnold | FRA | home | Router |
| hector | FRA | home | NAS |
| kiki | FRA | home | Wi-Fi |
| charlotte | FRA | home | Server |
| teddy | FRA | office | Router |
| logan | FRA | office | NAS |
| armistice | BER | mama | Router |
We now have all the information needed to document our network design in DNS under the example.net domain.
E.g. example.net (public hosts):
Here we only register the hosts who need to be accessible from the global public Internet (read: from the outside) for some reason, like servers routers and VPN gateways.
Some of these won't get a fixed IP address, due to the providers policy. For these we need a DynDNS solution not discussed here.
| Domain Name | IPv4 Address | IPv6 Address |
|---|---|---|
| dolores.example.net | 203.0.113.54 | N/A |
| maeve.example.net | 198.51.100.7 | 2001:db8:48d1::1 |
| bernard.example.net | 192.0.2.14 | 2001:db8:2d07:5b57::0 |
| arnold.example.net | dynamic | 2001:db8:3414:6b1d::1 |
| charlotte.example.net | dynamic | 2001:db8:3414:6b1d::10 |
| teddy.example.net | dynamic | dynamic |
vpn.example.net:
| Domain Name | IPv4 Address | IPv6 Address |
|---|---|---|
| dolores.vpn.example.net | 10.195.171.142 | fdc1:d89e:b128:6a04::7de4 |
| maeve.vpn.example.net | 10.195.171.47 | fdc1:d89e:b128:6a04::961 |
| bernard.vpn.example.net | 10.195.171.174 | fdc1:d89e:b128:6a04::3354 |
| charlotte.vpn.example.net | 10.195.171.241 | fdc1:d89e:b128:6a04::29ab |
home.example.net:
| Domain Name | IPv4 Address | IPv6 Address |
|---|---|---|
| arnold.home.example.net | 172.27.88.1 | fdc1:d89e:b128:13a6::1 |
| charlotte.home.example.net | 172.27.88.10 | fdc1:d89e:b128:13a6::10 |
| kiki.home.example.net | 172.27.88.3 | fdc1:d89e:b128:13a6::3 |
Sub-domain office.example.net:
| Domain Name | IPv4 Address | IPv6 Address |
|---|---|---|
| teddy.office.example.net | 172.27.126.1 | fdc1:d89e:b128:2615::1 |
| logan.office.example.net | 172.27.126.10 | fdc1:d89e:b128:2615::10 |
Sub-domain mama.example.net:
| Domain Name | IPv4 Address | IPv6 Address |
|---|---|---|
| armistice.mama.example.net | 172.27.74.1 | fdc1:d89e:b128:41c5::1 |
TBD.