In Information Technology it can often be fun to solve problems at work or accomplish a task you've done before. The same goes for me and the things in my personal lab. A group of friends and I took what we know from work and learning to the next level: a site-to-site VPN between our houses using GRE and IPsec, with BGP for routing.
The Architecture
My friend had already put parts of his personal lab and environment together in a classic hub-and-spoke topology, with his house as the hub and my house as a spoke. This keeps the architecture simple, and when someone new joins 'the network', like another friend who came on later, only one person needs to handle the change.
Building the Tunnel
Tunnel
Setting up the GRE/IPsec tunnel was not too complex as far as the tunnel configuration went. In MikroTik you start by creating a GRE tunnel interface and setting its MTU, the remote address and the IPsec secret. Entering the IPsec secret in the GRE interface window lets MikroTik take care of the IPsec part itself. Our endpoints were public DNS names that pointed to our houses' public IPs via MikroTik's built-in DDNS, so if our IPs ever change the tunnels stay up.
Following this setup I also had to assign an IP address to the GRE tunnel interface, so that once the tunnel came up the two sides could communicate over those IPs. I adopted an IP scheme provided by my friend, since he is the hub.
Routing
After the tunnels came up we had to set up routing, otherwise our traffic wouldn't know how to reach the other side. For this we decided on BGP, using route filters to control which routes are sent and received.
When setting up BGP, my friends and I used a shared document to record a specific ASN for each of us, making sure to use the private-use numbers defined in the spec. To set up a peer you need to specify the Router ID and the remote address. The remote address is the IP on the other end of the GRE tunnel I addressed earlier, and the Router ID was the IP address of my router. The role we selected was "ebgp".
The Filter
if (dst in 10.0.0.0/8) { accept }
else { reject }
MikroTik allows if/else statements in the filters for both advertised and received routes. In my case I did not separate the two, since I want all routes from my friends and they can have all of my routes as well.
DNS Integration
Once the setup was done and the IPs were talking to each other, the next step was to get DNS working. How else would I reach my friends' services by hostname? I don't want to type IPs all the time. So we added a forwarder for each person's domain pointing at their respective router or DNS server. Now if I try to go to a URL such as friend.internal.com, the query goes to that friend's internal DNS resolver.
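To tie the steps above together (tunnel, addressing, route filters, the BGP peer and DNS forwarding), here is an added RouterOS v7 configuration for the spoke side. It is my own illustration, not the author's config; the hub public IP, the tunnel /30, the site prefixes, the ASNs, the resolver address and the secret are placeholders I made up.

```routeros
# Spoke-side RouterOS v7 configuration (constructed example, not the author's).
# All addresses, ASNs and the secret below are placeholders for illustration.

# 1. GRE tunnel. Setting ipsec-secret makes RouterOS create the IPsec
#    peer, identity and policy for the GRE traffic automatically.
#    (The post used DDNS names; an IP placeholder is shown here.)
/interface gre add name=gre-hub remote-address=203.0.113.10 mtu=1400 \
    ipsec-secret="ChangeMeToALongRandomSecret" comment="tunnel to hub"

# 2. Tunnel endpoint address from the hub-provided scheme (hub .1, spoke .2).
/ip address add address=10.255.0.2/30 interface=gre-hub

# 3. Route filters: only exchange 10/8 space. Anything else a peer sends
#    (a default route, public prefixes, a typo) is rejected before it can
#    pull this site's traffic across the tunnel.
/routing filter rule add chain=bgp-in  rule="if (dst in 10.0.0.0/8) { accept } else { reject }"
/routing filter rule add chain=bgp-out rule="if (dst in 10.0.0.0/8) { accept } else { reject }"

# 4. Prefix this site announces to the hub (address-list referenced by BGP).
/ip firewall address-list add list=bgp-networks address=10.20.0.0/16

# 5. eBGP session to the hub over the tunnel, private-use ASNs.
/routing bgp connection add name=hub as=64513 router-id=10.255.0.2 \
    local.role=ebgp remote.address=10.255.0.1 remote.as=64512 \
    input.filter=bgp-in output.filter=bgp-out output.network=bgp-networks

# 6. Conditional DNS forwarding: queries for the friend's internal zone go
#    to their resolver across the tunnel instead of the public internet.
/ip dns static add type=FWD name=friend.internal.com match-subdomain=yes \
    forward-to=10.30.0.53

# 7. Keep DDNS on so the hub can follow this site's changing public IP.
/ip cloud set ddns-enabled=yes
```

After applying it, /routing bgp session print should show the session established and /ip route print should list only 10/8 prefixes learned from the hub.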
The Result
This was a couple of hours of work on a weekend for us, and a chance to bond and talk over Discord while getting it set up. It had no impact on my internet connection, and it shows how we learned to implement near enterprise-level architecture at home. But the question might be WHY? For FUN! This is the fun of the hobby and tinkering around with friends: being able to show off a cool app in your home lab and have them access it directly from their home network, without exposing it to the public!