From dc51f3d392e1f3c76647eaaf2fd7247a6ac4a124 Mon Sep 17 00:00:00 2001 From: Florian Maurer <f.maurer@outlook.de> Date: Wed, 10 Jul 2024 15:45:33 +0200 Subject: [PATCH] Add documentation for evaluation of mesh-vpn protocols (#3267) T-X created a pretty cool table to evaluate mesh-vpn protocols on this hedgedoc: https://md.chaotikum.org/zRkW6JXXQs-8WCnwdtig5w?view To give it more visibility, I would like to add it to the docs as suggested somewhere --- docs/features/vpn.rst | 55 +++++++++++++++++++++++++++++++++++++++---- docs/user/mtu.rst | 2 ++ 2 files changed, 52 insertions(+), 5 deletions(-) diff --git a/docs/features/vpn.rst b/docs/features/vpn.rst index 2eca048b9..1d599276b 100644 --- a/docs/features/vpn.rst +++ b/docs/features/vpn.rst @@ -1,14 +1,59 @@ +.. _mesh-vpn: + Mesh VPN ======== Gluon integrates several layer 2 tunneling protocols to allow connections between local meshes through the internet. -Protocol handlers -^^^^^^^^^^^^^^^^^ - -There are currently two protocol handlers which can be selected -as a feature: +Protocols overview +^^^^^^^^^^^^^^^^^^ + +For a comprehensive comparison and evaluation of the supported and formerly supported VPN methods that best suit your needs, refer to the following table (Be sure to scroll to the right): + ++---------------------------------------+------+----------+----------------+----------------------------+------------------------+------------------+----------------+--------------------------+ +| Gluon VPN method | IPv4 | IPv6 | Authentication | Encryption | Kernelspace forwarding | MTU overhead | Multithreading | Single interface for all | +| | | | | (no→faster,insecure [1]_) | (yes→faster) | (bytes @v4) [7]_ | | peers | ++=======================================+======+==========+================+============================+========================+==================+================+==========================+ +| fastd, encrypted | yes | yes | optional [2]_ | yes | no | low (98) | no | optional | ++---------------------------------------+------+----------+----------------+----------------------------+------------------------+------------------+----------------+--------------------------+ +| fastd, null | yes | yes | optional [2]_, | no | no | low (98) | no | optional | +| | | | partial [3]_ | | | | | | ++---------------------------------------+------+----------+----------------+----------------------------+------------------------+------------------+----------------+--------------------------+ +| fastd, ``null@l2tp``, with offloading | yes | yes | optional [2]_, | no | yes | low (82) | | optional | +| | | | partial [3]_ | | | | | | ++---------------------------------------+------+----------+----------------+----------------------------+------------------------+------------------+----------------+--------------------------+ +| fastd, ``null@l2tp``, no offloading | yes | yes | optional [2]_, | no | no | low (82) | no | optional | +| | | | partial [3]_ | | | | | | ++---------------------------------------+------+----------+----------------+----------------------------+------------------------+------------------+----------------+--------------------------+ +| Tunneldigger (L2TP - deprecated) [6]_ | yes | no [4]_ | no | no | yes | low (82) | | no | ++---------------------------------------+------+----------+----------------+----------------------------+------------------------+------------------+----------------+--------------------------+ +| WireGuard + VXLAN | yes | yes | yes | yes | yes | high (162) | yes [5]_ | yes | ++---------------------------------------+------+----------+----------------+----------------------------+------------------------+------------------+----------------+--------------------------+ + +.. [1] No encryption allows internet providers to read and alter mesh traffic. +.. [2] The Gateway can ignore authentication for the initial connection request, via ``"on verify 'true'"``. However, a node→gateway handshake authentication with valid fastd keys in the site.conf is still required. +.. [3] Initial connection request can be authenticated, however, payload data is not authenticated afterward. + + +.. [4] https://github.com/wlanslovenija/tunneldigger/issues/75 +.. [5] https://www.wireguard.com/performance/ +.. [6] https://github.com/ffac/community-packages/tree/master/ff-mesh-vpn-tunneldigger +.. [7] :ref:`mtu` + +Additional, notable compatibility features +"""""""""""""""""""""""""""""""""""""""""" + +* fastd: multiple encrypted and unencrypted methods can be handled by one daemon +* fastd: a ``null@l2tp`` peer with offloading is fully compatible with a peer with ``null@l2tp`` without offloading +* fastd+WireGuard: a single secret can be used for both fastd and WireGuard via :ref:`gluon-mesh-vpn-key-translate <gluon-mesh-vpn-key-translate>`, so no need for a node owner switching to (or from) Wireguard from (or to) fastd to submit a new key + + +Core Protocol handlers +^^^^^^^^^^^^^^^^^^^^^^ + +There are currently two supported protocol handlers which +can be selected as a feature: mesh-vpn-fastd """""""""""""" diff --git a/docs/user/mtu.rst b/docs/user/mtu.rst index 33cf0a8ee..d5bfec96b 100644 --- a/docs/user/mtu.rst +++ b/docs/user/mtu.rst @@ -1,3 +1,5 @@ +.. _mtu: + MTU for Mesh-VPN ================ -- GitLab