Merge branch 'master' of code.ungleich.ch:ungleich-public/ungleich-staticcms

This commit is contained in:
sanghee 2021-11-22 15:34:17 +01:00
commit 0b9d60e6d4
8 changed files with 338 additions and 33 deletions

View file

@ -0,0 +1,200 @@
title: IPv6, VPN and DNS entries
---
pub_date: 2021-10-13
---
author: Nico Schottelius
---
twitter_handle: NicoSchottelius
---
_hidden: no
---
_discoverable: yes
---
abstract:
Looking at how the patterns of VPN and DNS names changes with IPv6
---
body:
## TL; DR
With IPv6, DNS management of protected networks can be
simplified. IPv6 VPNs can use simplified DNS configurations to
simplify the network configurations by just using public, restricted
DNS entries.
## VPN and DNS in the IPv4 world
VPNs in the IPv4 world are often used to create site-to-site tunnels,
allowing different networks to talk to each other. A typical case is
that organisation A needs to access protected resources of
organisation B and maybe even vice-versa. So a typical VPN looks like
this:
```
Organisation A
--------------
Protected Host A ---------- Router/VPN gateway
(10.0.0.42/24) |
|
|
Organisation B (Internet)
-------------- |
|
|
Protected Host B ---------- Router/VPN gateway
(10.20.0.42/24)
Host name: lakeside.int.org-b.example.com
```
Now if the Protected Host A and Protected Host B want to communicate
with each other on IP basis, this is no problem (I am not elaborating
on the problems of IP collisions in this article, a follow up article
will follow soon).
However if Protected Host A wants to reach the Protected Host B via
its internal DNS name **lakeside.int.org-b.example.com**, this is
usually a problem, for multiple reasons:
* Protected Host A might not know the right internal DNS server to
query for int.org-b.example.com.
* Protected Host A might know the right internal DNS server to
query for int.org-b.example.com, but might not have access to it via
the VPN
* The DNS records for int.org-b.example.com often are intentionally
not published to public DNS for multiple reasons: privacy related or
because administrators don't like to publish RFC1918 records into
public DNS records
## VPN and DNS in the IPv6 world
There are multiple ways of how VPNs can be built in the IPv6 world,
including usage of the private IPv4 addresses equivalent named Unique
Local Address (ULA). However instead of using ULA, I will today show
an approach that is more "IPv6 native", using Global Unique Addresses
(GUA), or what is simply known as "public IPv6 address".
While you might have heard it, I will repeat nonetheless: there are
enough IPv6 addresses for every practical use case that we imagine at
the moment. This is important, because we can use **globally unique
IPv6 addresses** inside the VPN.
Isn't that a problem? Publicly reachable IPv6 addresses inside a VPN?
It would, if the addresses were **globally reachable**. In the IPv6
world nothing speaks against having **globally unique, but non-routed
IPv6 addresses**. This is actually a perfect match and much better
than we can do in the IPv4 world:
* Both organisations A and B can acquire globally unique
addresses. Let's say they organisation A acquires 2001:db8:0::/48 and
organisation B acquires 2001:db8:1::/48.
* Both organisations have two options: they can announce their IPv6
range to the Internet and block access to their internal network or
* both they can even consider not to announce their network at all
(there is not route in the Internet for it)
In either case, both organisations will usually select a sub network
of size /64 for the resources they want to expose via the VPN. Let's
say organisation A chooses 2001:db8:0:cafe::/64 and organisation B
chooses 2001:db8:1:7ea::/64. Putting this in context, their VPN now
looks like this:
```
Organisation A
--------------
Protected Host A ---------- Router/VPN gateway
(2001:db8:0:cafe::42/64) |
|
|
Organisation B (Internet)
-------------- |
|
|
Protected Host B ---------- Router/VPN gateway
(2001:db8:1:7ea::42/64) |
Host name: lakeside.int.org-b.example.com
```
Now, how does this change the DNS server situation? Because we are
using IPv6, we have many more options:
* a) We can publish the DNS records of the domain
int.org-b.example.com globally. While access to the network
2001:db8:1:7ea::/64 is only possible via VPN, nothing speaks against
having the records in a public DNS server. However, some
administrators advocate to not publish them publicly for privacy
reasons. That is the same logic as publishing or not publish the
RFC1918 (10.x.y.z) addresses in the IPv4 world.
* b) We can publicly/globally delegate the domain
int.org-b.example.com to a nameserver that is only reachable via the
VPN.
* c) We can proceed the same as in the IPv4 world and have a
disconnect, internal DNS server that is responsible for
int.org-b.example.com.
Option (a) is often seen as a security risk and it can be debated
whether someone who can already guess the correct hostname and
retrieve it's IP address is really a significant higher security
thread than anybody just guessing IP addresses.
Option (c) is the typical case for IPv4 based VPNs and is causing
above illustrated issues.
Option (b) is the one that makes IPv6 VPNs much more interesting than
IPv4 based VPNs:
* The world can know that there is an internal domain
**int.org-b.example.com** and find out which DNS servers are
responsible for it.
* However an attacker easily guesses that internal networks exist
anyway.
Let's have a look at sample nameserver entries in detail:
```
int.org-b.example.com. NS ns-int1.org-b.example.com.
int.org-b.example.com. NS ns-int2.org-b.example.com.
```
What does that mean? Anyone in the world can retrieve the information
that int.org-b.example.com has two DNS servers. However the DNS
servers responsible for org-b.example.com can hide the IP addresses of
ns-int1.org-b.example.com and ns-int2.org-b.example.com for everyone,
but hosts coming from organisation A. Or even if the IP addressses of
ns-int1.org-b.example.com and ns-int2.org-b.example.com are world
known, access to them can easily be prevented.
The measures for this can for instance be DNS views or firewall
entries. In practice this means for VPNs in the IPv6 world:
```
Organisation A
--------------
Protected Host A: what is the IP address of lakeside.int.org-b.example.com?
DNS Server of Organisation B: 2001:db8:1:7ea::42
Outside party
-------------
Outside Hosts: what is the IP address of lakeside.int.org-b.example.com?
a) DNS Server of Organisation B: there is no domain
int.org-b.example.com (DNS view restriction)
b) DNS Server of Organisation B: these are the nameserver for
int.org-b.example.com, but you cannot reach them (firewall protection)
```
## Summary
For IPv6 based VPNs you can get away without reconfiguring your source
networks for DNS servers of the destination party. The target party
always needs to ensure proper access control to internal resources, so
there is no additional overhead.
DNS, correctly used in the IPv6 VPN world, is a really smooth
operation. This is why we recommend to use
[IPv6 as a basis for VPNs](https://ipv6vpn.ch).
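Review bot: In the closing exchange (Protected Host A asks for lakeside.int.org-b.example.com and the DNS server of organisation B answers 2001:db8:1:7ea::42) the text says the nameservers "can hide the IP addresses ... for everyone, but hosts coming from organisation A", yet it never states what identifies organisation A to the DNS view or firewall rule; since the access control of option (b) rests entirely on that, say it explicitly (for example that queries arriving over the VPN from 2001:db8:0:cafe::/64 are what the view or firewall matches, so a shared or loosely filtered source range widens who can resolve the internal names). Two smaller points in the same hunk: the second diagram has a stray "|" after "(2001:db8:1:7ea::42/64)" that the IPv4 diagram does not have, and the two announcement options under "This is actually a perfect match" are split across three bullets ("* both they can even consider not to announce"). Typos to fix before publishing: "Let's say they organisation A", "there is not route", "disconnect, internal DNS server" (disconnected), "retrieve it's IP address" (its), "security thread" (threat), "IP addressses", "these are the nameserver for" (nameservers).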

View file

@ -1,18 +0,0 @@
title: something i want to talk about
---
pub_date: 2020-04-11
---
author: Sanghee Kim
---
twitter_handle: ungleich
---
_hidden: yes
---
_discoverable: no
---
abstract:
this is test post
---
body:
This is test post

View file

@ -0,0 +1,82 @@
_model: product
---
_discoverable: yes
---
_hidden: no
---
title: Dedicated December 2021
---
subtitle: Access to dedicated servers
---
headline1: Dedicated Servers
---
headline2: Exclusive Access
---
header_background_color: #211C1E
---
header_text_color: text-light
---
nav_classes: navbar-dark
---
description1:
## Dedicated December Highlights
This December you have the chance to get 1 out of 10
dedicated servers hosted in Data Center Light:
* Real, dedicated hardware
* 24 logical cores
* 48 GB RAM
* 2x 2TB SSD
* Remove access via IPMIView
* Dedicated, routed /48 IPv6 network
* Dedicated layer 2 network
* (optional, add on) IPv4 addresses (mapped via NAT64)
* **No setup fee**
* Minimum contract duration: 3 months
* Powered by 100% hydro power
## The offer in detail
The offer is valid for all orders received between 2021-12-01 to
2021-12-31. The monthly price is 250 CHF. The price
On order, you get access to an empty server without operating system
or Alpine Linux installed on the first SSD (your choice).
You have remote access (keyboard/mouse/video) via IPMIview (access
protected using Wireguard VPN).
It has power efficient Intel Xeon L5640 CPUs running at 2.27GHz.
You can configure the SSDs in as one operating system disk or in a
software raid.
The supplied power is 100% renewable hydro power.
The server includes 15TB traffic per month. Additional 30TB traffic
can be added for 75 CHF/month.
The offer is limited to 10 dedicated servers on a first come, first
serve basis.
## What can you do with it?
You can use this server to host your own services, virtual machines or
even Kubernetes clusters on it.
You can host your photos and data (f.i. via Nextcloud), run a
community chat (f.i. via Matrix) or host your company website
(f.i. via wordpress) on it.
## What if it hardware breaks?
As this is real hardware, hardware failures can occur and they will be
repaired without any extra cost. It is however your responsibility to
inform the Data Center Light team about issues.
## How can I order?
The order link will be placed here when the offer starts.
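Review bot: The sentence "The monthly price is 250 CHF. The price" under "The offer in detail" is cut off mid-sentence; either finish it or drop the dangling "The price". Also "Remove access via IPMIView" in the highlights should read "Remote access", and the product names should be spelled consistently with the detail section ("IPMIview", "Wireguard" vs. IPMIView, WireGuard). Smaller: "What if it hardware breaks?" (the hardware), "software raid" (RAID), "first come, first serve" (first served), and "Powered by 100% hydro power" duplicates "The supplied power is 100% renewable hydro power".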

View file

@ -140,9 +140,9 @@ Let us know if you want tracked or untracked shipping.
### Price
**Update 2021-09-14: we are sold out!**
**Update 2021-11-01: Back in stock!**
Thanks to your love, we ran out of our stock of VIGIR. You can preorder now and we will start shipping our next batch of VIGIR from 2021-10-21 again.
Thank you for waiting, VIIRB is back in stock again!
**The price of the VIGIR is 250 CHF**, including the LTE modem,
6 antennas and the power supply.
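Review bot: The added line "Thank you for waiting, VIIRB is back in stock again!" is on the VIGIR page (the removed line and the price line both say VIGIR); this looks like a copy-paste from the VIIRB page and should say VIGIR.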

View file

@ -270,9 +270,9 @@ for **145 CHF** (203 CHF including the VIIRB).
### Price
**Update 2021-09-14: we are sold out!**
**Update 2021-11-01: Back in stock!**
Thanks to your love, we ran out of our stock of VIIRB. You can preorder now and we will start shipping our next batch of VIIRB from 2021-10-21 again.
Thank you for waiting, VIIRB is back in stock again!
**The price of the VIIRB is 58 CHF**.

View file

@ -94,9 +94,9 @@ the VIWIB and just get started with IPv6.
### Price
**Update 2021-09-14: we are sold out!**
**Update 2021-11-01: Back in stock!**
Thanks to your love, we ran out of our stock of VIWIB. You can preorder now and we will start shipping our next batch of VIWIB from 2021-10-21 again.
Thank you for waiting, VIWIB is back in stock again!
**The price of the VIWIB is 68 CHF**.
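Review bot: The added line says "VIIRB is back in stock again!" on the VIWIB page, while the removed line and the price line both refer to the VIWIB; change it to VIWIB so the stock notice matches the product.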

View file

@ -76,7 +76,7 @@ offer1_text:
* **One free IPv6 VPN** included for increased security
* Datacenter location: Glarus, Switzerland
* Enhanced security by limiting access to only your devices
* Suitable for 1-5 ppeople with no additioal appps
* Suitable for 1-5 people with no additioal appps
* The cloud will run on a virtual machine with 1 Core, 2 GB RAM, 10 GB SSD, 100 GB HDD
* [1 time initial setup fee 35 CHF](https://ungleich.ch/product/0carboncloud-setup/)
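Review bot: The replacement line fixes "ppeople" but keeps "additioal appps" on the same line; correct it to "additional apps" in the same change rather than leaving a second typo pass for later.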
@ -92,11 +92,11 @@ offer2_text:
* **One free IPv6 VPN** included for increased security
* Datacenter location: Glarus, Switzerland
* Enhanced security by limiting access to only your devices
* Suitable for 1-5 ppeople with no additioal appps
* Suitable for 1-5 people with no additioal appps
* The cloud will run on a virtual machine with 1 Core, 2 GB RAM, 10 GB SSD, 500 GB HDD
* [1 time initial setup fee 35 CHF](https://ungleich.ch/product/0carboncloud-setup/)
Recommended for your private use or for a smaller project.
Recommended for your private use or for a smaller project.
---
offer2_link: https://ungleich.ch/product/0carboncloud-s-500GB/
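Review bot: The removed and added "Recommended for your private use or for a smaller project." lines are identical as rendered, so the change is presumably whitespace only; if so it is noise in the diff and worth dropping (or mention the whitespace fix in the commit message). The "additioal appps" typo also survives on the "Suitable for 1-5 people" line.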
@ -108,7 +108,7 @@ offer3_text:
* **One free IPv6 VPNs** included for increased security
* Datacenter location: Glarus, Switzerland
* Enhanced security by limiting access to only your devices
* Suitable for 5-10 ppeople with 1-2 enable appps
* Suitable for 5-10 people with 1-2 enable appps
* The cloud will run on a virtual machine with 2 Core, 4 GB RAM, 10 GB SSD, 500 GB HDD
* [1 time initial setup fee 35 CHF](https://ungleich.ch/product/0carboncloud-setup/)
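Review bot: "1-2 enable appps" on the changed line still carries two typos; it should presumably read "1-2 enabled apps" (or "additional apps", matching the wording of the smaller offers). The same phrase recurs in the offer4, offer5 and offer6 hunks below.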
@ -124,7 +124,7 @@ offer4_text:
* **Two free IPv6 VPNs** included for increased security
* Datacenter location: Glarus, Switzerland
* Enhanced security by limiting access to only your devices
* Suitable for 5-10 ppeople with 1-2 enable appps
* Suitable for 5-10 people with 1-2 enable appps
* The cloud will run on a virtual machine with 2 Core, 4 GB RAM, 10 GB SSD, 5 TB HDD
* [1 time initial setup fee 35 CHF](https://ungleich.ch/product/0carboncloud-setup/)
@ -137,10 +137,10 @@ offer5_title: Cloud L-1 TB @ 76 CHF/month
---
offer5_text:
* **One free IPv6 VPNs** included for increased security
* **Two free IPv6 VPNs** included for increased security
* Datacenter location: Glarus, Switzerland
* Enhanced security by limiting access to only your devices
* Suitable for 10-20 ppeople with 3-4 enable appps
* Suitable for 10-20 people with 3-4 enable appps
* The cloud will run on a virtual machine with 4 Core, 8 GB RAM, 10 GB SSD, 1 TB HDD
* [1 time initial setup fee 35 CHF](https://ungleich.ch/product/0carboncloud-setup/)
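Review bot: Besides the "ppeople" fix, this hunk changes the number of included VPNs for Cloud L-1 TB from "One" to "Two" (and so also fixes the plural in "One free IPv6 VPNs"); since that alters the product description, the commit message should state it rather than burying it in a typo fix. "3-4 enable appps" still needs correcting.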
@ -153,10 +153,10 @@ offer6_title: Cloud L-10 TB @ 256 CHF/month
---
offer6_text:
* **Three free IPv6 VPNs** included for increased security
* **Five free IPv6 VPNs** included for increased security
* Datacenter location: Glarus, Switzerland
* Enhanced security by limiting access to only your devices
* Suitable for 10-20 ppeople with 3-4 enable appps
* Suitable for 10-20 people with 3-4 enable appps
* The cloud will run on a virtual machine with 4 Core, 8 GB RAM, 10 GB SSD, 10 TB HDD
* [1 time initial setup fee 35 CHF](https://ungleich.ch/product/0carboncloud-setup/)
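Review bot: The included VPN count for Cloud L-10 TB goes from "Three" to "Five" alongside the "ppeople" fix; confirm the new count is intended and record the change in the commit message. "3-4 enable appps" remains uncorrected on the changed line.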

View file

@ -0,0 +1,41 @@
title: Privacy Policy
---
subtitle: ungleich's policy on your privacy
---
description1:
## Introduction
This is version 0.1 of our privacy policy from 2021-10-04.
## Privacy by default
At ungleich we are strong believers of **privacy by default**. That
means: you don't need to opt-in for privacy and you don't need to
opt-out for newsletters or marketing information. Privacy is a big
concern for us and our customers.
## Logging and data submission
By default all our services are configured to a minimum amount of
logging. We cannot claim a **zero log policy**, because for
operational measures (spammers, denial of service attacks, for
billing) we need to log some data.
We however **do not sell your data**. Our business is providing
services, not making money of your information.
## Third party access
We minimise the amount of data that is seen by third parties. At the
moment some of our websites use google analytics (for historic
reasons). We plan to remove this by the beginning of 2022.
Services like our [data storage](/u/products/data-storage/),
[the hosted matrix chat](/u/products/hosted-matrix-chat/),
[zero carbon VPS hosting](/u/products/virtual-machine-hosting/),
[zero carbon chat](/u/products/zero-carbon-chat/) and
[zero carbon cloud](/u/products/zero-carbon-cloud/) do not send any
data to third parties by default. There might be plugins or settings
that allow you to enable communication with third parties, but we do
not configure them by default. Above list is not exhaustive.
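Review bot: Under "Third party access" the policy says Google Analytics is still used on "some of our websites" for historic reasons; naming which sites (or linking a list) would let readers check the "privacy by default" claim against the sites they actually use. Wording fixes in the same hunk: "making money of your information" (off), "Above list is not exhaustive" (The list above), "google analytics" (Google Analytics), "configured to a minimum amount of logging" (configured for a minimum amount of logging).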