Create a 4-node peer-to-peer VPN

Congelli501 asked:

Is there a way to create a peer to peer virtual private network between a small number of nodes (4) where every packet goes directly to its destination?

Every node would have a public address and will be hosting some VMs with addresses on the private network. Every node will be able to connect directly to the other nodes through their public address.

The needs would be:

  1. Uncentered network (no single point of failure)
  2. A packet goes directly to its destination (node to node)
  3. It should be a single network (no routing)

I can think of some solutions, but they don’t check those three points:

The first solution (S1 in the image) would be to create a bridged VPN on a node and connect the other nodes to it.
The two points are not respected. Indeed, there is a single point of failure (the VPN server), and a packet that goes from a VPN client to another will have to go through the VPN server (point 2).

Another solution (S2 in the image) would be to make a bridge between each node (with a VPN client – server), and enable the spanning tree to clear the loops.
Here, we respect the first rule as STP will reshape the network in case of a node failure, but we still don’t respect point 2 as the spanning tree protocol will cut some links.

For the third solution (S3 in the image), it would be possible to create 3 different private networks (for example, 10.1.0.0/16 for node 1, 10.2.0.0/16 for node 2…) and route packets between the servers using node to node links.
This solution will satisfy needs 1 and 2, but, of course, not 3.

In fact, I would like all nodes to act as a distributed switch, by sending packets only to the node that holds the destination IP.

Is there a solution that would match those three points?

Representation of the solutions

My answer:


IPsec in transport mode would do this, but this really isn’t scalable. Four nodes is about the most at which I would even think about it.

I’m currently using strongSwan for IPsec on Linux, which is easy enough to set up this way.


Since you edited your question and changed the requirements a bit, I’m going to recommend you take a look at Open vSwitch instead.
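
As an added illustration (not part of the original answer or of strongSwan's documentation), the following Python sketch generates the full mesh of transport-mode connections the answer mentions, in strongSwan's legacy `ipsec.conf` syntax, and shows how the number of peer pairs grows with the node count. The node names, the addresses (RFC 5737 documentation range) and the use of pre-shared keys (`authby=secret`) are assumptions.

```python
from itertools import combinations

# Constructed sample input: node names and public addresses (RFC 5737
# documentation range); replace with the real public addresses.
NODES = {
    "node1": "203.0.113.1",
    "node2": "203.0.113.2",
    "node3": "203.0.113.3",
    "node4": "203.0.113.4",
}


def mesh_pairs(nodes):
    """Every unordered pair of nodes: n*(n-1)/2 host-to-host associations."""
    return list(combinations(sorted(nodes), 2))


def ipsec_conf_for(local, nodes):
    """Render a legacy strongSwan ipsec.conf for one node.

    One transport-mode conn per peer, so traffic between two public
    addresses is protected directly, with no hub in between.
    authby=secret (pre-shared keys kept in ipsec.secrets) is an assumption
    made for brevity.
    """
    lines = ["conn %default", "    keyexchange=ikev2", "    type=transport",
             "    authby=secret", "    auto=start", ""]
    for peer in sorted(nodes):
        if peer == local:
            continue
        lines += [f"conn {local}-{peer}",
                  f"    left={nodes[local]}",
                  f"    right={nodes[peer]}",
                  ""]
    return "\n".join(lines)


if __name__ == "__main__":
    print(f"# {len(mesh_pairs(NODES))} peer pairs for {len(NODES)} nodes")
    for name in sorted(NODES):
        print(f"# ---- ipsec.conf on {name} ----")
        print(ipsec_conf_for(name, NODES))
```

Four nodes need 6 peer pairs and 3 connections per node; ten nodes would already need 45 pairs, which is the scaling limit the answer refers to.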


View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.