Please make an issue on this repo for any questions. PRs are welcome for suggestions of changes.

# IP Schema

## Definitions

todo

- VPN
- WireGuard
- routable
- LAN
- Site: A physical location with its own standalone Internet connection that is part of the VPN.
- Site id: An integer from 0-255 that represents the routable octet for a site.
## WireGuard VPN network

| Field | Value |
|---|---|
| CIDR Range | 172.24.0.0/13 |
| Netmask | 255.248.0.0 |
| Wildcard Bits | 0.7.255.255 |
| First IP | 172.24.0.0 |
| Last IP | 172.31.255.255 |
| First IP (Decimal) | 2887254016 |
| Last IP (Decimal) | 2887778303 |
| Total Hosts | 524,288 |

This network range carries the WireGuard network and does not need to be routable on site. The last octet matches the site id. For the moment, all sites will be in 172.24.0.{site id}, with the third octet reserved.
## Global site network

| Field | Value |
|---|---|
| CIDR Range | 10.{site id}.0.0/16 |
| Netmask | 255.255.0.0 |
| Wildcard Bits | 0.0.255.255 |
| First IP | 10.{site id}.0.0 |
| Last IP | 10.{site id}.255.255 |
| First IP (Decimal) | 170524672 |
| Last IP (Decimal) | 170590207 |
| Total Hosts | 65,536 |

The decimal values above are those of 10.42.0.0/16, i.e. site id 42.

The site id used by the local WireGuard node must match the site id assigned to that site. A loose schema for how a site subdivides this range should eventually be written. At the moment, if and how 10.{site id}.0.0/16 is broken up is up to the local site admin.
## Private site network

| Field | Value |
|---|---|
| CIDR Range | 172.16.0.0/13 |
| Netmask | 255.248.0.0 |
| Wildcard Bits | 0.7.255.255 |
| First IP | 172.16.0.0 |
| Last IP | 172.23.255.255 |
| First IP (Decimal) | 2886729728 |
| Last IP (Decimal) | 2887254015 |
| Total Hosts | 524,288 |

and

| Field | Value |
|---|---|
| CIDR Range | 192.168.0.0/16 |
| Netmask | 255.255.0.0 |
| Wildcard Bits | 0.0.255.255 |
| First IP | 192.168.0.0 |
| Last IP | 192.168.255.255 |
| First IP (Decimal) | 3232235520 |
| Last IP (Decimal) | 3232301055 |
| Total Hosts | 65,536 |

These network ranges are for private LAN nodes and should NOT be routable via the WireGuard VPN. The site admin is fully responsible for the management of these networks. The rest of this document assumes you have a private site network of 192.168.1.0/24. Any time you see 192.168.1.0/24, swap in your chosen private site network.
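To make the three ranges above concrete, here is a small Python helper (an added example, not part of the original document) that derives everything the schema reserves for a given site id, reproduces the decimal values from the tables, and checks a site admin's chosen private LAN range against the rule that it must live in 172.16.0.0/13 or 192.168.0.0/16 and must not collide with the WireGuard network or the global site networks. The function names are my own; the ".10" helper implements the recommendation given in the Site Configuration section below.

```python
"""Derive a site's addresses from its site id and validate a private LAN
range against the IP schema. Added example; helper names are assumptions."""
import ipaddress

WIREGUARD_NET = ipaddress.ip_network("172.24.0.0/13")   # WireGuard VPN network
GLOBAL_SUPERNET = ipaddress.ip_network("10.0.0.0/8")     # all 10.{site id}.0.0/16 ranges
PRIVATE_RANGES = (                                        # allowed private site networks
    ipaddress.ip_network("172.16.0.0/13"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def site_plan(site_id):
    """Return the addresses the schema reserves for one site id (0-255)."""
    if not 0 <= site_id <= 255:
        raise ValueError("site id must be an integer from 0 to 255")
    wg_addr = ipaddress.ip_address(f"172.24.0.{site_id}")          # last octet = site id
    global_net = ipaddress.ip_network(f"10.{site_id}.0.0/16")      # second octet = site id
    node_addr = global_net[1]                                      # 10.{site id}.0.1, the node
    return {
        "wireguard_address": wg_addr,
        "global_site_network": global_net,
        "wireguard_node_global": node_addr,
        "global_first_decimal": int(global_net[0]),
        "global_last_decimal": int(global_net[-1]),
    }


def check_private_network(cidr):
    """Validate a site admin's private LAN range.

    Returns a list of problems; an empty list means the range is acceptable.
    Host bits are tolerated (strict=False) so "192.168.1.1/24" is still checked.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    problems = []
    if not any(net.subnet_of(allowed) for allowed in PRIVATE_RANGES):
        problems.append("not inside 172.16.0.0/13 or 192.168.0.0/16")
    if net.overlaps(WIREGUARD_NET):
        problems.append("overlaps the WireGuard network 172.24.0.0/13")
    if net.overlaps(GLOBAL_SUPERNET):
        problems.append("overlaps the global site networks in 10.0.0.0/8")
    return problems


def recommended_node_address(gateway):
    """Recommended WireGuard node address on the private LAN: the gateway's
    address with the last octet replaced by 10 (e.g. 192.168.1.1 -> 192.168.1.10)."""
    packed = bytearray(ipaddress.ip_address(gateway).packed)
    packed[3] = 10
    return ipaddress.ip_address(bytes(packed))


if __name__ == "__main__":
    plan = site_plan(42)
    for key, value in plan.items():
        print(f"{key:24} {value}")
    print("192.168.1.0/24 problems:", check_private_network("192.168.1.0/24"))
    print("172.24.5.0/24 problems:", check_private_network("172.24.5.0/24"))
    print("node on LAN:", recommended_node_address("192.168.1.1"))
```

Running it for site id 42 prints the same decimal bounds as the Global site network table, and the second check shows how a LAN range carved out of the WireGuard block is rejected.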
## Site Configuration

### WireGuard Node

The WireGuard node needs a static IP and must be reachable on both the global VPN network and the site private network. The IP 10.{site id}.0.1 is reserved for the WireGuard node.

If you want the global VPN network to be accessible from the site private network, the container needs to be addressable on the site private network as well. The recommended IP is .10. For example, if your default gateway is 192.168.1.1, the WireGuard node should be 192.168.1.10; if the gateway is 172.16.0.1, the WireGuard node should be 172.16.0.10.

```sh
ip link add dev wg0 type wireguard
wg setconf wg0 myconfig.conf
ip link set up dev wg0
```

### Default Gateway

A route entry for 10.0.0.0/8 -> 192.168.1.10 needs to be added if you wish for the global VPN network to be accessible from the private site network.
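The following Python script is an added example (not the project's own tooling) that turns the node and gateway steps above into checkable artefacts: it renders a `myconfig.conf` in the format `wg setconf` reads, restricts each peer's AllowedIPs to that site's WireGuard address and global site network so that private LAN ranges are never routed over the VPN, and emits the `ip` commands for the node and the gateway. Keys and endpoints are placeholders; it assumes the interface is `wg0` as in the document, that the gateway is a Linux host using iproute2, and, since `wg setconf` does not assign addresses itself, that the node's 172.24.0.{site id} address is added with `ip address add` before the interface is brought up.

```python
"""Render a `wg setconf` file and the matching `ip` commands for a site's
WireGuard node. Added example; keys, endpoints and names are placeholders."""
import ipaddress

# Ranges the schema says must NOT be reachable through the VPN.
PRIVATE_RANGES = (
    ipaddress.ip_network("172.16.0.0/13"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def site_allowed_ips(site_id):
    """Prefixes reachable through a peer site: its WireGuard address and its
    global site network. The site's private LAN is deliberately absent."""
    if not 0 <= site_id <= 255:
        raise ValueError("site id must be an integer from 0 to 255")
    return [f"172.24.0.{site_id}/32", f"10.{site_id}.0.0/16"]


def leaked_private_prefixes(allowed_ips):
    """Return the AllowedIPs entries that would route a private LAN range
    over the VPN; an empty list means the peer definition is clean."""
    leaks = []
    for cidr in allowed_ips:
        net = ipaddress.ip_network(cidr, strict=False)
        if any(net.overlaps(private) for private in PRIVATE_RANGES):
            leaks.append(cidr)
    return leaks


def render_setconf(private_key, listen_port, peers):
    """Build the text that `wg setconf wg0 myconfig.conf` expects.

    peers: iterable of dicts with 'site_id', 'public_key', optional
    'endpoint' ('host:port') and optional explicit 'allowed_ips'.
    Raises ValueError if a peer would route a private range over the VPN.
    """
    lines = ["[Interface]",
             f"PrivateKey = {private_key}",
             f"ListenPort = {listen_port}",
             ""]
    for peer in peers:
        allowed = peer.get("allowed_ips") or site_allowed_ips(peer["site_id"])
        leaks = leaked_private_prefixes(allowed)
        if leaks:
            raise ValueError(f"site {peer['site_id']} would route private ranges: {leaks}")
        lines += ["[Peer]",
                  f"PublicKey = {peer['public_key']}",
                  f"AllowedIPs = {', '.join(allowed)}"]
        if peer.get("endpoint"):
            lines.append(f"Endpoint = {peer['endpoint']}")
        lines += ["PersistentKeepalive = 25", ""]
    return "\n".join(lines)


def node_commands(site_id, conf_path="myconfig.conf"):
    """The commands from the document plus the address assignment that
    `wg setconf` does not perform (assumed: wg0, /13 = WireGuard network)."""
    return [
        "ip link add dev wg0 type wireguard",
        f"ip address add 172.24.0.{site_id}/13 dev wg0",
        f"wg setconf wg0 {conf_path}",
        "ip link set up dev wg0",
    ]


def gateway_route_command(node_private_ip):
    """Route the whole global VPN range (10.0.0.0/8) to the WireGuard node
    from the site's default gateway (assumed to be a Linux host)."""
    return f"ip route add 10.0.0.0/8 via {node_private_ip}"


if __name__ == "__main__":
    # Constructed sample: this node is site 3, peering with site 7.
    peers = [{"site_id": 7,
              "public_key": "PEER_PUBLIC_KEY_PLACEHOLDER",
              "endpoint": "site7.example.net:51820"}]
    print(render_setconf("PRIVATE_KEY_PLACEHOLDER", 51820, peers))
    print("\n".join(node_commands(3)))
    print(gateway_route_command("192.168.1.10"))
```

The leak check is the point of the example: if someone adds a peer whose AllowedIPs contains a 192.168.x.0/24 or 172.16-23.x.0/24 prefix, `render_setconf` refuses to produce the file instead of silently making a private site network routable across the VPN.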
## Useful links

- https://en.wikipedia.org/wiki/Reserved_IP_addresses
- https://www.ipaddressguide.com/cidr

## VPS providers

- https://www.vpscheap.net/pricing.aspx