
I need to connect several servers on various public IPs together to form a virtual encrypted network, where ports and services on the servers are accessible only to those servers in the network and where all communication is authenticated and encrypted.

One obvious solution is a VPN made of IPs in one of the private ranges, say 10.1.0.0/16. But this requires assigning each server an additional IP address, which I'd like to avoid.

Is it possible to use e.g. OpenVPN or other software to create such a network of public IPs, without assigning new IPs from a private range?

Ján Lalinský
  • The IP assignment would work automatically at the moment you establish the VPN connection. What is the problem you want to avoid by assigning additional IP addresses? – Sven Mar 07 '17 at 11:55
  • @Sven, I'd like to avoid assigning additional IP addresses because one server already has many IP addresses and there is no need for it to have one more. – Ján Lalinský Mar 07 '17 at 12:26
  • @JánLalinský There can be no problem with having any number of IP addresses and there is no such thing as "too much" of them... – Anubioz Mar 07 '17 at 12:29
  • Given that the alternative (if it works at all) is much more complicated, I would say there *is* very good reason to add another IP. – Sven Mar 07 '17 at 12:30
  • But you may go with IPSec VPN, which as @Sven mentioned is much more complicated, but it does seem to avoid adding any additional addresses somehow... – Anubioz Mar 07 '17 at 12:32
  • @JánLalinský If your server has fewer than 4 billion IP addresses, then it is in no danger of having too many. – Mike Scott Mar 07 '17 at 21:26

2 Answers

No, if you use OpenVPN or similar, you will still have to assign other IP addresses for the VPN connections. The only way to do it that technically answers your question would be to assign additional addresses from part of the public IPv4 space that you don't ever expect to have to route to, and just treat that part of the public space as if it were private. But while it would be an answer to your question as written, it would also be silly. Just go ahead and assign additional IP addresses; it's not like you're in danger of exhausting the 10.0.0.0/8 address space.

Mike Scott
  • Thanks, perhaps it would be silly, but you got me curious: how would one go around treating those public IPs as private ones? (I need only the encryption software to treat them + one special port as private; those public IPs still need to accept incoming connections on globally allowed ports from any IP). – Ján Lalinský Mar 07 '17 at 12:33
  • @JánLalinský You can't treat your actual assigned public IP addresses as private ones (well, you _can_, but you'll lose your Internet connection). You can only use a public IP address that's _not yours_ as an additional IP address, as a (bad) alternative to using one from the defined private ranges. – Mike Scott Mar 07 '17 at 21:24

Using IPSEC, it would be possible to set this up. It may also be the case that OpenVPN can do it, but I am not sure how one would go about that.

For IPSEC, this link has a very nice overview: https://libreswan.org/wiki/HOWTO:_Opportunistic_IPsec

I am not sure how portable that setup is to other IPSEC solutions (notably, for Strongswan, this suggests such a setup may not be possible).

That being said, Opportunistic Encryption is not the only solution to your situation: as long as there is a policy applying encryption to packets between your nodes, then you can drop the Opportunistic aspect of things, and you would be using regular IPSEC.

So yes, I suspect you could have traffic between any two nodes you operate encrypted, and leave everything else alone, as well as avoid adding more IPs to your hosts.

iwaseatenbyagrue