[TriLUG] Wanted to share about Hyprspace - an IPFS-based, extremely secure P2P or Mesh "VPN"

brian mullan via TriLUG trilug at trilug.org
Tue Aug 23 13:16:08 EDT 2022


I wanted to share something with you all regarding Hyprspace
<https://github.com/hyprspace/hyprspace>, which uses IPFS
<https://docs.ipfs.tech/concepts/what-is-ipfs/> to create a fully
encrypted full-mesh private network that allows connection at L2 to any
LXD/Docker etc. container on any Host, anywhere. Or you can use Hyprspace
to interconnect Servers only.

Hyprspace is not a traditional VPN but does support L2 and L3 fully
encrypted communication among "peers".

Over the past couple of years I have worked with a lot of Mesh VPNs (WireGuard,
Nebula, etc.)... NONE of them are as easy/simple to set up/configure
as Hyprspace <https://github.com/hyprspace/hyprspace>, primarily because of
its use of DHT & IPFS.

https://github.com/hyprspace/hyprspace

I just followed the above steps and immediately got my Mesh VPN up between
containers at my home, Digital Ocean, and Hetzner Cloud in Germany.

It's probably obvious: you would install IPFS on all your servers or
containers (it's small & lightweight), initialize each IPFS, and edit each
container's IPFS YAML file to identify "Peers".

At the bottom of each YAML you will see:

> Change:
> peers: {}
> to
> peers:
>    10.1.1.2:
>      id: <ID> from YAML of that Peer
>    10.1.1.3:
>      id: <ID> from YAML of that Peer
>
> etc... for rest of the MESH
>
> For IP addresses just use a Non-Routable Address Space:

Ranges of IP addresses defined by RFC1918 are –

   - 10.0.0.0/8 ( Range: 10.0.0.0 – 10.255.255.255 )
   - 172.16.0.0/12 ( Range: 172.16.0.0 – 172.31.255.255 )
   - 192.168.0.0/16 ( Range: 192.168.0.0 – 192.168.255.255 )


After that you just bring UP the Hyprspace interface on each Node and you
are good to go.

My Ping times between my Home machine containers, Digital Ocean containers,
and Hetzner container are around 32-33 msec.

Anyway, I think this is the absolute simplest Mesh system I've seen to
implement; it gives good performance and extreme security.


If you are connecting container(s) on each Host directly to any
other Host's container(s) in a Mesh or just P2P:

You do not have to configure anything on the Hosts (unless you want to)!

============================================================

> A Bit of Backstory
>
> Libp2p is a networking library created by Protocol Labs that allows nodes
> to discover each other using a Distributed Hash Table. Paired with NAT hole
> punching this
> allows Hyprspace to create a direct encrypted tunnel between two nodes
> even if they're both behind firewalls.
>
> Moreover! Each node doesn't even need to know the other's ip address
> prior to starting up the connection.
> This makes Hyprspace perfect for devices that frequently migrate between
> locations but still require a constant virtual ip address.
> So How Does Hyprspace Compare to Something Like Wireguard?
>
> WireGuard is an amazing VPN written by Jason A. Donenfeld. If you haven't
> already, definitely go check it out! WireGuard actually inspired me to
> write Hyprspace.
>
> That said, although WireGuard is in a class of its own as a great VPN, it
> requires at least one of your nodes to have a public IP address. In this
> mode, as long as one of your nodes is publicly accessible, it can be used
> as a central relay to reach the other nodes in the network.
>
> However, this means that all of the traffic for your entire system is
> going through that one system which can slow down your network and make it
> fragile in the case that node goes down and you lose the whole network.
>
> So instead say that you want each node to be able to directly connect to
> each other as they do in Hyprspace.
>
> Unfortunately through WireGuard this would require every node to be
> publicly addressable which means manual port forwarding and no travelling
> nodes.
>
>
> By contrast Hyprspace allows all of your nodes to connect directly to
> each other creating a strong reliable network even if they're all behind
> their own NATs/firewalls.
>
> No manual port forwarding required!
>
============================================================
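A worked check for the peers block described in the post above, added here as an example; it is not part of the original message and not Hyprspace's own code. It assumes the config shape the post shows (a top-level "peers:" mapping from virtual IP to a mapping with an "id" key). The peer IDs and the two sample configs are constructed placeholders, and the small parser handles only that nested-mapping subset so the script runs offline without a YAML library. It flags the mistakes a practitioner would want caught before bringing the interface up: a virtual address outside the RFC1918 ranges listed above, an id still left as the <ID> placeholder, and two peers sharing one id.

```python
"""Sanity-check a Hyprspace-style ``peers:`` block before bringing the interface up.

Constructed example (not Hyprspace's own code). Assumed config shape, taken
from the post: ``peers:`` -> virtual IP -> ``id: <peer id>``. Real configs
should be loaded with a YAML library; the parser below covers only the
nested-mapping subset shown in the post.
"""
import ipaddress

# The three RFC1918 ranges the post lists as "Non-Routable Address Space".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_simple_yaml(text):
    """Parse indentation-nested mappings of the form 'key:' / 'key: value'.

    Supports only what the peers block needs: no lists, no quoting, no IPv6
    keys (a colon inside the key would be split). Blank and '#' lines are skipped.
    """
    root = {}
    stack = [(-1, root)]  # (indent level, mapping being filled)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        # Pop back to the mapping that owns this indentation level.
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if value in ("", "{}"):
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def check_peers(config):
    """Return a list of problems found in config['peers']; an empty list means OK."""
    problems = []
    peers = config.get("peers")
    if not peers:
        problems.append("peers: is empty; the node will have no mesh members")
        return problems
    seen_ids = {}  # peer id -> virtual IP that first claimed it
    for ip_text, entry in peers.items():
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            problems.append(f"{ip_text}: not a valid IP address")
            continue
        if not any(ip in net for net in RFC1918):
            problems.append(f"{ip_text}: outside RFC1918 private space")
        peer_id = entry.get("id", "") if isinstance(entry, dict) else ""
        if peer_id == "" or peer_id.startswith("<"):
            problems.append(f"{ip_text}: id is missing or still the <ID> placeholder")
            continue
        if peer_id in seen_ids:
            problems.append(f"{ip_text}: id duplicates peer {seen_ids[peer_id]}")
        seen_ids[peer_id] = ip_text
    return problems


# Constructed sample configs; the ids are made-up placeholders, not real peer ids.
GOOD = """\
peers:
  10.1.1.2:
    id: 12D3KooWExampleIdOfPeerTwo
  10.1.1.3:
    id: 12D3KooWExampleIdOfPeerThree
"""

BAD = """\
peers:
  8.8.8.8:
    id: 12D3KooWExampleIdOfPeerTwo
  10.1.1.3:
    id: <ID>
  10.1.1.4:
    id: 12D3KooWExampleIdOfPeerTwo
"""

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        found = check_peers(parse_simple_yaml(text))
        print(f"{name}: {'OK' if not found else ''}")
        for line in found:
            print("  -", line)
```

Run it as a script to see the two sample configs evaluated; the BAD config produces three findings (public address, placeholder id, duplicated id), the GOOD one none.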

