Just wanted to share some information about a small project I'm building with my friends. Its core idea is simple: sharing among a selected few.
The main point of the exercise is to build a mesh network out of VPNs. No single point connects everything, since we all have friends who don't know each other (when they do get to know each other, they can simply build the connection between themselves :) ), so the mesh design limits how far any one node can reach.
Since I happen to have knowledge of and access to certain firewall hardware/software, the mesh itself is built on just that, with IPsec as the main tunnels.
Then comes the second part: letting your friends access their own network via VPN. Earlier we based that on PPTP, simply because it is supported on more or less every kind of device.
A key aspect is also building a catalogue (directory) service that enables centralized authentication and authorization. The problem is this: most NAS devices support AD/LDAP, but getting something sufficient running in this department has proven hard. Since we also use a centralized RADIUS server (for the shared wifi ;) ), we want (or I want, since it looks like I'm the lead designer at the moment :S) something that lets the 'always on' NASes use LDAP auth and the captive portals / host-to-network endpoints use RADIUS, hopefully both fed from the same source.
And here's the kicker: it looks like we'll have to construct this ourselves (I will have to...), because I'd like a tie-in with Google Authenticator. Why? Because all of us in this case have smartphones, and it adds a nice extra layer. This means that mappings and such can be used with accounts that are not tied to Google Authenticator for their local storage, but anything that goes across the 'mesh' needs to be re-authenticated when the timeout hits (possibly, since that would fsck up data in motion from point to point). It would also let the user keep the same account and abilities with the host-to-network solution.
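As an added example (not code from this post or its project), here is a Python sketch of how one user catalogue could feed both paths: password only for the LDAP-bound NAS, password plus a Google Authenticator code (TOTP, RFC 6238, which is the HMAC-SHA1 algorithm the app implements) for the RADIUS-facing portals and for anything crossing the mesh, and sessions that expire so the endpoint has to re-authenticate the user when the timeout hits. The endpoint class names, the `SessionBroker` class and the sample user are assumptions; the base32 secret is the RFC test key, used here as a constructed sample.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# Constructed sample secret: the RFC 4226 / RFC 6238 test key "12345678901234567890"
# in base32, the form Google Authenticator imports. Real users enrol their own.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time divided by the step."""
    return hotp(secret_b32, int(at // step), digits)


def verify_totp(secret_b32, code, at, step=30, window=1):
    """Accept the code for the current step or one step either side, to tolerate phone clock drift."""
    counter = int(at // step)
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + d), code)
        for d in range(-window, window + 1)
    )


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256; returns (salt, digest) for storage in the user catalogue."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Hypothetical endpoint classes taken from the post: an always-on NAS bound to
# LDAP checks only the password; captive portal / host-to-network access and
# anything that crosses the mesh go through RADIUS and also need the TOTP.
OTP_REQUIRED = {"nas_ldap": False, "portal_radius": True, "mesh_radius": True}


class SessionBroker:
    """One user catalogue serving both auth paths, with sessions that expire and force re-auth."""

    def __init__(self, lifetime=3600):
        self.users = {}     # username -> {"salt", "pw", "totp"}
        self.sessions = {}  # (username, endpoint) -> expiry time
        self.lifetime = lifetime

    def enrol(self, username, password, totp_secret_b32):
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "pw": digest, "totp": totp_secret_b32}

    def login(self, username, password, endpoint, otp=None, now=None):
        now = time.time() if now is None else now
        rec = self.users.get(username)
        if rec is None:
            return False
        _, digest = hash_password(password, rec["salt"])
        if not hmac.compare_digest(digest, rec["pw"]):
            return False
        # Unknown endpoint classes fail closed: they are treated as needing the OTP.
        if OTP_REQUIRED.get(endpoint, True) and (otp is None or not verify_totp(rec["totp"], otp, now)):
            return False
        self.sessions[(username, endpoint)] = now + self.lifetime
        return True

    def is_active(self, username, endpoint, now=None):
        """False once the timeout hits; the endpoint must then re-authenticate the user."""
        now = time.time() if now is None else now
        expiry = self.sessions.get((username, endpoint))
        if expiry is None or now >= expiry:
            self.sessions.pop((username, endpoint), None)
            return False
        return True


if __name__ == "__main__":
    broker = SessionBroker(lifetime=600)
    broker.enrol("alice", "correct horse", SAMPLE_SECRET_B32)
    t = 1111111109  # RFC 6238 reference time; the 6-digit code at this instant is 081804
    print("NAS, password only:", broker.login("alice", "correct horse", "nas_ldap", now=t))
    print("Mesh, no OTP:", broker.login("alice", "correct horse", "mesh_radius", now=t))
    code = totp(SAMPLE_SECRET_B32, t)
    print("Mesh, with OTP:", broker.login("alice", "correct horse", "mesh_radius", otp=code, now=t))
    print("Still active 10 min later?", broker.is_active("alice", "mesh_radius", now=t + 600))
```

The drift window of one step either side is what most RADIUS OTP plugins default to; widening it makes a captured code usable for longer, so keep it small and make sure the firewalls and the RADIUS host sync their clocks. The session lifetime is the "timeout" from the post: when `is_active` flips to false, the portal or tunnel endpoint has to push the user back through `login`.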