ip_schema/README.md

**Please make an issue on this repo for any questions. PR's are welcome for
suggestions of changes.**


# IP Schema

## Definitions

**todo**

* VPN
* WireGuard
* routable
* LAN
* Site: A physical location with its own, standalone Internet that is part of
	the VPN.
* Site id: A integer from 0-255 that represents the routable octet for a site.

## WireGuard VPN network

| -				     | -			  |
| ------------------ | -------------- |
| CIDR Range	     | 172.24.0.0/13  |
| Netmask	         | 255.248.0.0    |
| Wildcard Bits	     | 0.7.255.255    |
| First IP	         | 172.24.0.0     |
| Last IP	         | 172.31.255.255 |
| First IP (Decimal) | 2887254016     |
| Last IP (Decimal)	 | 2887778303     |
| Total Host	     | 524,288        |

This network rage will power the WireGuard network and does not need to routable
on site.

The last octet will match the site id. For the moment, all sites will be in
`172.24.0.{site id}` and the third octet reserved.

## Global site network

| -				     | -			        |
| ------------------ | -------------------- |
| CIDR Range	     | 10.{site id}.0.0/16  |
| Netmask	         | 255.255.0.0          |
| Wildcard Bits	     | 0.0.255.255          |
| First IP	         | 10.{site id}.0.0     |
| Last IP	         | 10.{site id}.255.255 |
| First IP (Decimal) | 170524672            |
| Last IP (Decimal)	 | 170590207            |
| Total Host	     | 65,536               |

Site id has to match for local WireGuard node site id and the sites assigned
site id. A lose Schema of this a site Schema should be created. At the moment,
if and how `10.{site id}.0.0/16` is broken up is up to the local site admin.

## Private site network

| -				     | -    	      |
| ------------------ | -------------- |
| CIDR Range	     | 172.16.0.0/13  |
| Netmask	         | 255.248.0.0    |
| Wildcard Bits	     | 0.7.255.255    |
| First IP	         | 172.16.0.0     |
| Last IP	         | 172.23.255.255 |
| First IP (Decimal) | 2886729728     |
| Last IP (Decimal)  | 2887254015     |
| Total Host	     | 524,288        |

and

| -				     | -	           |
| ------------------ | --------------- |
| CIDR Range	     | 192.168.0.0/16  |
| Netmask	         | 255.255.0.0     |
| Wildcard Bits	     | 0.0.255.255     |
| First IP	         | 192.168.0.0     |
| First IP (Decimal) | 3232235520      |
| Last IP	         | 192.168.255.255 |
| Last IP (Decimal)  | 3232301055      |
| Total Host	     | 65,536          |

This network range(s) are for private LAN nodes and should NOT be routable via
the WireGuard VPN. The site admin is fully responsible for the management of
these networks. The rest of this document will assume you have a private site
network of `192.168.1.0/24`. Any time you see `192.168.1.0/24` swap it for your
chosen private site network.

# Site Configuration

## WireGuard Node

The wireGaurd node needs to get a static IP and be accessible on both the VPN
global network and should be accessible on the site private network.

The IP of `10.{site id}.0.1` is reserved the WireGuard node.

If you want the global VPN network to be accessible from the site private
network, the container needs to be address able on the site private network as
well. The recommended IP is .10. for example, if your default gateway is
`192.168.1.1`, the WireGaurd node should be `192.168.1.10`, if the gateway is
`172.16.0.1`, the WireGuard node should be `172.16.0.10`.


## Default Gateway

A route entry for `10.0.0.0/8` - > `192.168.1.10` needs to be added if you wish
for the global VPN network to be accessible from the private site network.

# Useful links

https://en.wikipedia.org/wiki/Reserved_IP_addresses

https://www.ipaddressguide.com/cidr

https://www.vpscheap.net/pricing.aspx

https://vps.us/openvz-vps-hosting/