From 5a7841a3d5e7e4d34730071e5a9f603861668fe2 Mon Sep 17 00:00:00 2001 From: Florian Maurer Date: Thu, 30 May 2024 01:34:33 +0200 Subject: [PATCH] Add documentation for evaluation of mesh protocols T-X created a pretty cool table to evaluate mesh protocols on this hedgedoc: https://md.chaotikum.org/zRkW6JXXQs-8WCnwdtig5w?view To give it more visibility, I would like to add it to the docs as suggested somewhere --- docs/features/vpn.rst | 63 ++++++++++++++++++++++++++++++++++++++++--- docs/user/mtu.rst | 1 + 2 files changed, 60 insertions(+), 4 deletions(-) diff --git a/docs/features/vpn.rst b/docs/features/vpn.rst index 29be9624471..a8dc3d91a1d 100644 --- a/docs/features/vpn.rst +++ b/docs/features/vpn.rst @@ -1,14 +1,69 @@ +.. _mesh-vpn: + Mesh VPN ======== Gluon integrates several layer 2 tunneling protocols to allow connections between local meshes through the internet. -Protocol handlers -^^^^^^^^^^^^^^^^^ +Protocols overview +^^^^^^^^^^^^^^^^^^ + +For a comprehensive comparison and evaluation of the supported and formerly supported VPN methods that best suit your needs, refer to the following table (Be sure to scroll to the right): + + ++---------------------------------------+------+----------+----------------+----------------------------+------------------------+------------------+----------------+--------------------------+ +| Gluon VPN method | IPv4 | IPv6 | Authentication | Encryption | Kernelspace forwarding | MTU overhead | Multithreading | Single interface for all | +| | | | | (no→faster,insecure [1]_) | (yes→faster) | (bytes @v4) [7]_ | | peers | ++=======================================+======+==========+================+============================+========================+==================+================+==========================+ +| fastd, encrypted | yes | yes | optional [2]_ | yes | no | low (98) | no | optional | ++---------------------------------------+------+----------+----------------+----------------------------+------------------------+------------------+----------------+--------------------------+ +| fastd, null | yes | yes | optional [2]_, | no | no | low (98) | no | optional | +| | | | partial [3]_ | | | | | | ++---------------------------------------+------+----------+----------------+----------------------------+------------------------+------------------+----------------+--------------------------+ +| fastd, ``null@l2tp``, with offloading | yes | yes | optional [2]_, | no | yes | low (82) | | optional | +| | | | partial [3]_ | | | | | | ++---------------------------------------+------+----------+----------------+----------------------------+------------------------+------------------+----------------+--------------------------+ +| fastd, ``null@l2tp``, no offloading | yes | yes | optional [2]_, | no | no | low (82) | no | optional | +| | | | partial [3]_ | | | | | | ++---------------------------------------+------+----------+----------------+----------------------------+------------------------+------------------+----------------+--------------------------+ +| Tunneldigger (L2TP - deprecated) [6]_ | yes | no [4]_ | no | no | yes | low (82) | | no | ++---------------------------------------+------+----------+----------------+----------------------------+------------------------+------------------+----------------+--------------------------+ +| WireGuard + VXLAN | yes | yes | yes | yes | yes | high (162) | yes [5]_ | yes | ++---------------------------------------+------+----------+----------------+----------------------------+------------------------+------------------+----------------+--------------------------+ + + + + + + + + + + +.. [1] No encryption allows internet providers to read and alter mesh traffic. +.. [2] The Gateway can ignore authentication for the initial connection request, via ``"on verify 'true'"``. However, a node→gateway handshake authentication with valid fastd keys in the site.conf is still required. +.. [3] Initial connection request can be authenticated, however payload data is not authenticated afterward. + + +.. [4] https://github.com/wlanslovenija/tunneldigger/issues/75 +.. [5] https://www.wireguard.com/performance/ +.. [6] https://github.com/ffac/community-packages/tree/master/ff-mesh-vpn-tunneldigger +.. [7] :ref:`mtu` + +Additional, notable compatibility features +"""""""""""""""""""""""""""""""""""""""""" + +* fastd: multiple encrypted and unencrypted methods can be handled by one daemon +* fastd: a ``null@l2tp`` peer with offloading is fully compatible with a peer with ``null@l2tp`` without offloading +* fastd+WireGuard: a single secret can be used for both fastd and WireGuard via :ref:`gluon-mesh-vpn-key-translate `, so no need for a node owner switching to (or from) Wireguard from (or to) fastd to submit a new key + + +Core Protocol handlers +^^^^^^^^^^^^^^^^^^^^^^ -There are currently two protocol handlers which can be selected -as a feature: +There are currently two supported protocol handlers which +can be selected as a feature: mesh-vpn-fastd """""""""""""" diff --git a/docs/user/mtu.rst b/docs/user/mtu.rst index 33cf0a8ee80..5b39c145625 100644 --- a/docs/user/mtu.rst +++ b/docs/user/mtu.rst @@ -1,3 +1,4 @@ +.. _mtu: MTU for Mesh-VPN ================