Transition to bare metal - Ansible scripts for OS install, Docker, WireGuard
Set up WireGuard in a MicroVM (FireCracker)
Make the WireGuard MicroVM boot on demand (a la wake-on-LAN) and shut down on idle
Protecting user's identity
Upon payment we issue a voucher. The voucher contains no PII. The client uses the voucher to pay for CloudPal. To keep it simple, the voucher QR code should include the WireGuard config QR code data.
A payment voucher pays for a time period (month, 6 months, year). See below about IP leasing, which is directly related to payments.
Make sure WireGuard logging is disabled or goes to a RAM disk (see the initrd_path field of the /boot-source API).
Examine any other type of Linux logging and disable it.
Release V2
Mobility: move to a server in another data center or country. The WireGuard config should be dynamically modified to point to a different server (with a different IP; a different public key too?).
WireGuard is said to dynamically adjust to IP changes on both servers and clients. How can we leverage that?
WireGuard is said to support routing when the interface was defined in one namespace but moved to another. How can we leverage that?
Optional WireGuard config to preserve the client's IP (this is the default option in Cloudflare's 1.1.1.1 Warp). Pro: avoids blocking by sites. Con: de-anonymization. Is there any other alternative to avoid Google captchas, being blocked from logging in to Apple with an Apple ID, etc.?
Dynamic IP assignment to clients, like DHCP (but not using DHCP, as it is not supported by WireGuard). We can implement an HTTPS server that leases an IP address from a subnet range in exchange for a payment (maybe the client pays with the voucher and the server issues a new voucher for the smaller remaining amount?). The problem is that Algo VPN creates 3 static configs (phone, laptop, desktop). It is easy for the user to screw up and end up with the same IP on 2 different machines. This becomes unmanageable as we extend to families and teams. See discussion 1, discussion 2.
Option for IP anonymization: two-hop VPN, SOCKS5 proxy, etc.
See the list of extra features.
Add freemium mode: add metering so that the voucher pays for consumed resources.
Optimizations
Configure split tunneling so that some traffic does not go through the VPN.
One candidate is push notifications. iOS and Android use long polling from the device, and if that goes through the VPN it will make the VPN MicroVM activate every 30-90 seconds. E.g. iOS uses long polling on http://oscp.apple.com. For more context on this, see this. We need to provide a disclaimer for this. How can this problem be solved differently?
Shall we use PersistentKeepalive = 25? This may cause the MicroVM to be constantly re-launched. Any workaround?
(Clear how to do.) Do not route LAN traffic via the VPN. Open the config in the WireGuard app, check the "Exclude private IPs" checkbox and copy the resulting list of IPs into AllowedIPs. Then add 10.64.0.0/10 to the end of AllowedIPs. Search for AllowedIPs in https://mullvad.net/en/help/wireguard-macos-app/
Modify the WireGuard MicroVM for a smaller size, so it boots and runs faster (use a unikernel?).
Modify the WireGuard MicroVM: use a FireCracker snapshot to boot faster. Restoring from snapshots was added as a developer preview in October. Research what the new dirty-pages snapshot option is.
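The "Exclude private IPs" step above is just CIDR arithmetic: carve the private ranges out of 0.0.0.0/0, then append the VPN's own 10.64.0.0/10 so it is still tunnelled. This added example (not part of the original issue or of any WireGuard app) computes that AllowedIPs list with Python's ipaddress module; the set of excluded ranges is an assumption and may differ from what the app uses.

```python
import ipaddress

# Ranges to keep off the tunnel. Assumed set for this example (RFC 1918 plus
# link-local); the WireGuard app's "Exclude private IPs" list may differ.
PRIVATE_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16"]

# Subnet the issue says to append afterwards: the VPN's internal network must
# still be routed through the tunnel even though it sits inside 10.0.0.0/8.
VPN_INTERNAL = "10.64.0.0/10"


def allowed_ips_excluding(exclude, readd=()):
    """Return the AllowedIPs entries: 0.0.0.0/0 minus `exclude`, plus `readd`.

    Carving the excluded prefixes out of 0.0.0.0/0 yields the minimal set of
    CIDRs that covers every other address; `readd` entries are appended as-is.
    """
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for ex in map(ipaddress.ip_network, exclude):
        carved = []
        for net in remaining:
            if not net.overlaps(ex):
                carved.append(net)                       # untouched by this exclusion
            elif ex.subnet_of(net):
                carved.extend(net.address_exclude(ex))   # split net around ex
            # else: ex covers net entirely, so net is dropped
        remaining = carved
    nets = list(ipaddress.collapse_addresses(remaining))
    return [str(n) for n in nets] + list(readd)


def routed_via_tunnel(ip, allowed_ips):
    """True if WireGuard would send `ip` to the peer given this AllowedIPs list.

    WireGuard's cryptokey routing matches the destination against AllowedIPs by
    longest prefix, so an address is tunnelled exactly when a listed prefix
    contains it. Excluded ranges are simply absent from the list.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in allowed_ips)


def main():
    allowed = allowed_ips_excluding(PRIVATE_NETS, readd=[VPN_INTERNAL])
    print("AllowedIPs = " + ", ".join(allowed))
    for ip in ("8.8.8.8", "192.168.1.1", "10.1.2.3", "10.70.0.1"):
        where = "tunnel" if routed_via_tunnel(ip, allowed) else "LAN/direct"
        print(f"{ip:>12} -> {where}")


if __name__ == "__main__":
    main()
```

Running it shows that 10.1.2.3 on the LAN stays local while 10.70.0.1 (inside the re-added 10.64.0.0/10) is still sent through the tunnel, which is the check to make before trusting a hand-edited AllowedIPs line.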
MVP (Release V1)
/32 CIDR
Release V2
Additional capabilities: see the list of extra features.
Optimizations
https://www.reddit.com/r/WireGuard/comments/k3ic7i/how_config_client_file_to_use_internet_without/
Resources
PiVPN is like AlgoVPN with extra goodies: DNS, ad blocking, IP allocation?
https://github.com/pivpn/pivpn