[Battlemesh] TincVPN with routing protocols for WBMv13?

Bernd Naumann bernd at kr217.de
Fri Oct 16 11:31:43 CEST 2020

On 16.10.20 09:35, Benjamin Henrion wrote:
> On Fri, Oct 16, 2020 at 12:43 AM Vincent Wiemann
> <vincent.wiemann at ironai.com> wrote:
>> Hi,
>> tinc's performance is bad on devices with little resources. That's why we
>> use fastd. We have experimentally implemented io_uring support. With that fastd is
>> the fastest userspace VPN and we run it seamlessly with Babel as it supports
>> TAP (you lose some MTU bytes because of the ethernet header).
>> There is a pull-request on Github in freifunk-gluon for a WireGuard broker.
>> WireGuard is the preferred way in my eyes because of its unmatchable performance,
>> but the broker needs some security measures to be implemented for large-scale deployment.
>> I'd love to see you find a solution we can all profit from.
> Can the encryption be disabled in Wireguard?
> In Fastd I see that there is a mode "Methods without security":
> https://fastd.readthedocs.io/en/stable/manual/methods.html

No, wireguard has fixed encryption and no knobs.

But the biggest issue with wireguard remains: no multicast :/ 
and no auto-generation of link-local v6 addresses. /* The LLA can be 
fixed with
`# ipv6calc --quiet --in prefix+mac fe80:: ${mac}` */

Babel and OSPF are using multicast by default for a good reason. 
Otherwise you need a lot of p2p configuration or rely on the 
implementation to auto-detect. `bird` for example can decide to either 
use multicast or, if for instance a `/30` or `/31` || `/127` is 
configured, to use unicast.

GRE is not an option? Yes, you have to set up each link with every peer, 
but no extra daemon and config is required and you get a layer-2 and can 
use it as you like.

Also how would you/we ensure that nobody screws up the routing table? 
I'm only aware of `bird` which can set up filters to specify what to accept 
via a protocol and what is actually exported to the kernel RT.
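The `ipv6calc --in prefix+mac fe80:: ${mac}` command mentioned in the mail derives the link-local address with the modified EUI-64 rule from RFC 4291, Appendix A. The following is an added example, not code from the thread or from the ipv6calc project, that carries out the same derivation (and its inverse) in plain Python so the rule is visible: the 48-bit MAC is split in two, `ff:fe` is inserted in the middle and the universal/local bit of the first octet is inverted. The MAC addresses used below are constructed for illustration.

```python
"""
Derive an IPv6 link-local address from an interface MAC using the
modified EUI-64 rule (RFC 4291, Appendix A) for the fe80::/64 prefix,
which is what the ipv6calc invocation in the mail produces.
Added example; the MAC values used are constructed, not from the thread.
"""
import ipaddress
import re

LINK_LOCAL_PREFIX = ipaddress.IPv6Network("fe80::/64")


def mac_to_eui64_lla(mac: str,
                     prefix: ipaddress.IPv6Network = LINK_LOCAL_PREFIX
                     ) -> ipaddress.IPv6Address:
    """Return <prefix>:<modified EUI-64 of mac>, e.g. fe80::211:22ff:fe33:4455."""
    # Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455.
    digits = re.sub(r"[:\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    if prefix.prefixlen != 64:
        raise ValueError("an EUI-64 interface identifier needs a /64 prefix")
    octets = bytes.fromhex(digits)
    # Modified EUI-64: OUI (3 bytes) + ff:fe + NIC part (3 bytes), with the
    # universal/local bit (bit 1 of the first octet) inverted.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(
        int(prefix.network_address) | int.from_bytes(iid, "big"))


def lla_to_mac(addr: str) -> str:
    """Inverse operation: recover the MAC from an EUI-64 based address."""
    a = ipaddress.IPv6Address(addr)
    iid = int(a).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        raise ValueError(f"{addr} does not carry a modified EUI-64 identifier")
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    for mac in ("00:11:22:33:44:55", "52:54:00:ab:cd:ef"):   # constructed MACs
        lla = mac_to_eui64_lla(mac)
        print(f"{mac} -> {lla} -> {lla_to_mac(str(lla))}")
```

The resulting address is what one would then assign to the tunnel interface by hand (for instance with `ip -6 addr add <lla>/64 dev <iface>`) so that a multicast-capable routing daemon has a link-local peer address to work with. Note that a locally administered MAC (bit 1 of the first octet set, as in the second sample) ends up with that bit cleared in the interface identifier, which is the rule working as intended rather than a bug.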

