diff --git a/content/u/blog/ipv6-vpn-dns-entries/contents.lr b/content/u/blog/ipv6-vpn-dns-entries/contents.lr new file mode 100644 index 0000000..7ef5ae6 --- /dev/null +++ b/content/u/blog/ipv6-vpn-dns-entries/contents.lr 
@@ -0,0 +1,200 @@ +title: IPv6, VPN and DNS entries +--- +pub_date: 2021-10-13 +--- +author: Nico Schottelius +--- +twitter_handle: NicoSchottelius +--- +_hidden: no +--- +_discoverable: yes +--- +abstract: +Looking at how the patterns of VPN and DNS names changes with IPv6 +--- +body: + +## TL; DR + +With IPv6, DNS management of protected networks can be +simplified. IPv6 VPNs can use simplified DNS configurations to +simplify the network configurations by just using public, restricted +DNS entries. + +## VPN and DNS in the IPv4 world + +VPNs in the IPv4 world are often used to create site-to-site tunnels, +allowing different networks to talk to each other. A typical case is +that organisation A needs to access protected resources of +organisation B and maybe even vice-versa. So a typical VPN looks like +this: + +``` +Organisation A +-------------- + +Protected Host A ---------- Router/VPN gateway +(10.0.0.42/24) | + | + | +Organisation B (Internet) +-------------- | + | + | +Protected Host B ---------- Router/VPN gateway +(10.20.0.42/24) +Host name: lakeside.int.org-b.example.com +``` + +Now if the Protected Host A and Protected Host B want to communicate +with each other on IP basis, this is no problem (I am not elaborating +on the problems of IP collisions in this article, a follow up article +will follow soon). + +However if Protected Host A wants to reach the Protected Host B via +its internal DNS name **lakeside.int.org-b.example.com**, this is +usually a problem, for multiple reasons: + +* Protected Host A might not know the right internal DNS server to + query for int.org-b.example.com. 
+* Protected Host A might know the right internal DNS server to + query for int.org-b.example.com, but might not have access to it via + the VPN +* The DNS records for int.org-b.example.com often are intentionally + not published to public DNS for multiple reasons: privacy related or + because administrators don't like to publish RFC1918 records into + public DNS records + + +## VPN and DNS in the IPv6 world + +There are multiple ways of how VPNs can be built in the IPv6 world, +including usage of the private IPv4 addresses equivalent named Unique +Local Address (ULA). However instead of using ULA, I will today show +an approach that is more "IPv6 native", using Global Unique Addresses +(GUA), or what is simply known as "public IPv6 address". + +While you might have heard it, I will repeat nonetheless: there are +enough IPv6 addresses for every practical use case that we imagine at +the moment. This is important, because we can use **globally unique +IPv6 addresses** inside the VPN. + +Isn't that a problem? Publicly reachable IPv6 addresses inside a VPN? +It would, if the addresses were **globally reachable**. In the IPv6 +world nothing speaks against having **globally unique, but non-routed +IPv6 addresses**. This is actually a perfect match and much better +than we can do in the IPv4 world: + +* Both organisations A and B can acquire globally unique + addresses. Let's say they organisation A acquires 2001:db8:0::/48 and + organisation B acquires 2001:db8:1::/48. +* Both organisations have two options: they can announce their IPv6 + range to the Internet and block access to their internal network or +* both they can even consider not to announce their network at all + (there is not route in the Internet for it) + +In either case, both organisations will usually select a sub network +of size /64 for the resources they want to expose via the VPN. Let's +say organisation A chooses 2001:db8:0:cafe::/64 and organisation B +chooses 2001:db8:1:7ea::/64. 
Putting this in context, their VPN now +looks like this: + +``` +Organisation A +-------------- + +Protected Host A ---------- Router/VPN gateway +(2001:db8:0:cafe::42/64) | + | + | +Organisation B (Internet) +-------------- | + | + | +Protected Host B ---------- Router/VPN gateway +(2001:db8:1:7ea::42/64) | +Host name: lakeside.int.org-b.example.com +``` + +Now, how does this change the DNS server situation? Because we are +using IPv6, we have many more options: + +* a) We can publish the DNS records of the domain + int.org-b.example.com globally. While access to the network + 2001:db8:1:7ea::/64 is only possible via VPN, nothing speaks against + having the records in a public DNS server. However, some + administrators advocate to not publish them publicly for privacy + reasons. That is the same logic as publishing or not publish the + RFC1918 (10.x.y.z) addresses in the IPv4 world. +* b) We can publicly/globally delegate the domain + int.org-b.example.com to a nameserver that is only reachable via the + VPN. +* c) We can proceed the same as in the IPv4 world and have a + disconnect, internal DNS server that is responsible for + int.org-b.example.com. + +Option (a) is often seen as a security risk and it can be debated +whether someone who can already guess the correct hostname and +retrieve it's IP address is really a significant higher security +thread than anybody just guessing IP addresses. + +Option (c) is the typical case for IPv4 based VPNs and is causing +above illustrated issues. + +Option (b) is the one that makes IPv6 VPNs much more interesting than +IPv4 based VPNs: + +* The world can know that there is an internal domain + **int.org-b.example.com** and find out which DNS servers are + responsible for it. +* However an attacker easily guesses that internal networks exist + anyway. + +Let's have a look at sample nameserver entries in detail: + +``` +int.org-b.example.com. NS ns-int1.org-b.example.com. +int.org-b.example.com. 
NS ns-int2.org-b.example.com. +``` + +What does that mean? Anyone in the world can retrieve the information +that int.org-b.example.com has two DNS servers. However the DNS +servers responsible for org-b.example.com can hide the IP addresses of +ns-int1.org-b.example.com and ns-int2.org-b.example.com for everyone, +but hosts coming from organisation A. Or even if the IP addressses of +ns-int1.org-b.example.com and ns-int2.org-b.example.com are world +known, access to them can easily be prevented. + +The measures for this can for instance be DNS views or firewall +entries. In practice this means for VPNs in the IPv6 world: + + +``` +Organisation A +-------------- + +Protected Host A: what is the IP address of lakeside.int.org-b.example.com? +DNS Server of Organisation B: 2001:db8:1:7ea::42 + + +Outside party +------------- +Outside Hosts: what is the IP address of lakeside.int.org-b.example.com? + +a) DNS Server of Organisation B: there is no domain + int.org-b.example.com (DNS view restriction) +b) DNS Server of Organisation B: these are the nameserver for + int.org-b.example.com, but you cannot reach them (firewall protection) +``` + +## Summary + +For IPv6 based VPNs you can get away without reconfiguring your source +networks for DNS servers of the destination party. The target party +always needs to ensure proper access control to internal resources, so +there is no additional overhead. + +DNS, correctly used in the IPv6 VPN world, is a really smooth +operation. This is why we recommend to use +[IPv6 as a basis for VPNs](https://ipv6vpn.ch). diff --git a/content/u/blog/testtesttest/contents.lr b/content/u/blog/testtesttest/contents.lr deleted file mode 100644 index c0e930b..0000000 --- a/content/u/blog/testtesttest/contents.lr +++ /dev/null 
@@ -1,18 +0,0 @@ -title: something i want to talk about ---- -pub_date: 2020-04-11 ---- -author: Sanghee Kim ---- -twitter_handle: ungleich ---- -_hidden: yes ---- -_discoverable: no ---- -abstract: -this is test post ---- -body: - -This is test post \ No newline at end of file diff --git a/content/u/offers/dedicated-december-2021/contents.lr b/content/u/offers/dedicated-december-2021/contents.lr new file mode 100644 index 0000000..42e327b --- /dev/null +++ b/content/u/offers/dedicated-december-2021/contents.lr 
@@ -0,0 +1,82 @@ +_model: product +--- +_discoverable: yes +--- +_hidden: no +--- +title: Dedicated December 2021 +--- +subtitle: Access to dedicated servers +--- +headline1: Dedicated Servers +--- +headline2: Exclusive Access +--- +header_background_color: #211C1E +--- +header_text_color: text-light +--- +nav_classes: navbar-dark +--- +description1: + +## Dedicated December Highlights + +This December you have the chance to get 1 out of 10 +dedicated servers hosted in Data Center Light: + +* Real, dedicated hardware +* 24 logical cores +* 48 GB RAM +* 2x 2TB SSD +* Remove access via IPMIView +* Dedicated, routed /48 IPv6 network +* Dedicated layer 2 network +* (optional, add on) IPv4 addresses (mapped via NAT64) +* **No setup fee** +* Minimum contract duration: 3 months +* Powered by 100% hydro power + +## The offer in detail + +The offer is valid for all orders received between 2021-12-01 to +2021-12-31. The monthly price is 250 CHF. The price + +On order, you get access to an empty server without operating system +or Alpine Linux installed on the first SSD (your choice). + +You have remote access (keyboard/mouse/video) via IPMIview (access +protected using Wireguard VPN). + +It has power efficient Intel Xeon L5640 CPUs running at 2.27GHz. + +You can configure the SSDs in as one operating system disk or in a +software raid. + +The supplied power is 100% renewable hydro power. + +The server includes 15TB traffic per month. Additional 30TB traffic +can be added for 75 CHF/month. + +The offer is limited to 10 dedicated servers on a first come, first +serve basis. + +## What can you do with it? + +You can use this server to host your own services, virtual machines or +even Kubernetes clusters on it. + +You can host your photos and data (f.i. via Nextcloud), run a +community chat (f.i. via Matrix) or host your company website +(f.i. via wordpress) on it. + + +## What if it hardware breaks? 
+ +As this is real hardware, hardware failures can occur and they will be +repaired without any extra cost. It is however your responsibility to +inform the Data Center Light team about issues. + +## How can I order? + +The order link will be placed here when the offer starts. diff --git a/content/u/products/vigir/contents.lr b/content/u/products/vigir/contents.lr index 80cc561..41c6979 100644 --- a/content/u/products/vigir/contents.lr +++ b/content/u/products/vigir/contents.lr @@ -140,9 +140,9 @@ Let us know if you want tracked or untracked shipping. ### Price -**Update 2021-09-14: we are sold out!** +**Update 2021-11-01: Back in stock!** -Thanks to your love, we ran out of our stock of VIGIR. You can preorder now and we will start shipping our next batch of VIGIR from 2021-10-21 again. +Thank you for waiting, VIIRB is back in stock again! **The price of the VIGIR is 250 CHF**, including the LTE modem, 6 antennas and the power supply. diff --git a/content/u/products/viirb-ipv6-box/contents.lr b/content/u/products/viirb-ipv6-box/contents.lr index ec24b9c..5d94ce3 100644 --- a/content/u/products/viirb-ipv6-box/contents.lr +++ b/content/u/products/viirb-ipv6-box/contents.lr @@ -270,9 +270,9 @@ for **145 CHF** (203 CHF including the VIIRB). ### Price -**Update 2021-09-14: we are sold out!** +**Update 2021-11-01: Back in stock!** -Thanks to your love, we ran out of our stock of VIIRB. You can preorder now and we will start shipping our next batch of VIIRB from 2021-10-21 again. +Thank you for waiting, VIIRB is back in stock again! **The price of the VIIRB is 58 CHF**. diff --git a/content/u/products/viwib-wifi-ipv6-box/contents.lr b/content/u/products/viwib-wifi-ipv6-box/contents.lr index c6e012a..667fda6 100644 --- a/content/u/products/viwib-wifi-ipv6-box/contents.lr +++ b/content/u/products/viwib-wifi-ipv6-box/contents.lr 
@@ -94,9 +94,9 @@ the VIWIB and just get started with IPv6. ### Price -**Update 2021-09-14: we are sold out!** +**Update 2021-11-01: Back in stock!** -Thanks to your love, we ran out of our stock of VIWIB. You can preorder now and we will start shipping our next batch of VIWIB from 2021-10-21 again. +Thank you for waiting, VIWIB is back in stock again! **The price of the VIWIB is 68 CHF**. diff --git a/content/u/products/zero-carbon-cloud/contents.lr b/content/u/products/zero-carbon-cloud/contents.lr index ffa4231..c593498 100644 --- a/content/u/products/zero-carbon-cloud/contents.lr +++ b/content/u/products/zero-carbon-cloud/contents.lr @@ -76,7 +76,7 @@ offer1_text: * **One free IPv6 VPN** included for increased security * Datacenter location: Glarus, Switzerland * Enhanced security by limiting access to only your devices -* Suitable for 1-5 ppeople with no additioal appps +* Suitable for 1-5 people with no additioal appps * The cloud will run on a virtual machine with 1 Core, 2 GB RAM, 10 GB SSD, 100 GB HDD * [1 time initial setup fee 35 CHF](https://ungleich.ch/product/0carboncloud-setup/) @@ -92,11 +92,11 @@ offer2_text: * **One free IPv6 VPN** included for increased security * Datacenter location: Glarus, Switzerland * Enhanced security by limiting access to only your devices -* Suitable for 1-5 ppeople with no additioal appps +* Suitable for 1-5 people with no additioal appps * The cloud will run on a virtual machine with 1 Core, 2 GB RAM, 10 GB SSD, 500 GB HDD * [1 time initial setup fee 35 CHF](https://ungleich.ch/product/0carboncloud-setup/) -Recommended for your private use or for a smaller project. +Recommended for your private use or for a smaller project. --- offer2_link: https://ungleich.ch/product/0carboncloud-s-500GB/ 
@@ -108,7 +108,7 @@ offer3_text: * **One free IPv6 VPNs** included for increased security * Datacenter location: Glarus, Switzerland * Enhanced security by limiting access to only your devices -* Suitable for 5-10 ppeople with 1-2 enable appps +* Suitable for 5-10 people with 1-2 enable appps * The cloud will run on a virtual machine with 2 Core, 4 GB RAM, 10 GB SSD, 500 GB HDD * [1 time initial setup fee 35 CHF](https://ungleich.ch/product/0carboncloud-setup/) @@ -124,7 +124,7 @@ offer4_text: * **Two free IPv6 VPNs** included for increased security * Datacenter location: Glarus, Switzerland * Enhanced security by limiting access to only your devices -* Suitable for 5-10 ppeople with 1-2 enable appps +* Suitable for 5-10 people with 1-2 enable appps * The cloud will run on a virtual machine with 2 Core, 4 GB RAM, 10 GB SSD, 5 TB HDD * [1 time initial setup fee 35 CHF](https://ungleich.ch/product/0carboncloud-setup/) @@ -137,10 +137,10 @@ offer5_title: Cloud L-1 TB @ 76 CHF/month --- offer5_text: -* **One free IPv6 VPNs** included for increased security +* **Two free IPv6 VPNs** included for increased security * Datacenter location: Glarus, Switzerland * Enhanced security by limiting access to only your devices -* Suitable for 10-20 ppeople with 3-4 enable appps +* Suitable for 10-20 people with 3-4 enable appps * The cloud will run on a virtual machine with 4 Core, 8 GB RAM, 10 GB SSD, 1 TB HDD * [1 time initial setup fee 35 CHF](https://ungleich.ch/product/0carboncloud-setup/) 
@@ -153,10 +153,10 @@ offer6_title: Cloud L-10 TB @ 256 CHF/month --- offer6_text: -* **Three free IPv6 VPNs** included for increased security +* **Five free IPv6 VPNs** included for increased security * Datacenter location: Glarus, Switzerland * Enhanced security by limiting access to only your devices -* Suitable for 10-20 ppeople with 3-4 enable appps +* Suitable for 10-20 people with 3-4 enable appps * The cloud will run on a virtual machine with 4 Core, 8 GB RAM, 10 GB SSD, 10 TB HDD * [1 time initial setup fee 35 CHF](https://ungleich.ch/product/0carboncloud-setup/) diff --git a/content/u/projects/privacy-policy/contents.lr b/content/u/projects/privacy-policy/contents.lr new file mode 100644 index 0000000..4c9ec6d --- /dev/null +++ b/content/u/projects/privacy-policy/contents.lr 
@@ -0,0 +1,41 @@ +title: Privacy Policy +--- +subtitle: ungleich's policy on your privacy +--- +description1: + +## Introduction + +This is version 0.1 of our privacy policy from 2021-10-04. + +## Privacy by default + +At ungleich we are strong believers of **privacy by default**. That +means: you don't need to opt-in for privacy and you don't need to +opt-out for newsletters or marketing information. Privacy is a big +concern for us and our customers. + +## Logging and data submission + +By default all our services are configured to a minimum amount of +logging. We cannot claim a **zero log policy**, because for +operational measures (spammers, denial of service attacks, for +billing) we need to log some data. + +We however **do not sell your data**. Our business is providing +services, not making money of your information. + +## Third party access + +We minimise the amount of data that is seen by third parties. At the +moment some of our websites use google analytics (for historic +reasons). We plan to remove this by the beginning of 2022. + +Services like our [data storage](/u/products/data-storage/), +[the hosted matrix chat](/u/products/hosted-matrix-chat/), +[zero carbon VPS hosting](/u/products/virtual-machine-hosting/), +[zero carbon chat](/u/products/zero-carbon-chat/) and +[zero carbon cloud](/u/products/zero-carbon-cloud/) do not send any +data to third parties by default. There might be plugins or settings +that allow you to enable communication with third parties, but we do +not configure them by default. Above list is not exhaustive.
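Review bot: In the new ipv6-vpn-dns-entries post (hunk @@ -0,0 +1,200), the Summary's claim that you "get away without reconfiguring your source networks for DNS servers" only holds when Protected Host A resolves through a recursive resolver that itself sits inside organisation A and forwards the query to ns-int1/ns-int2 across the VPN; a host pointed at a third-party public resolver lands in the "Outside party" branch of the last diagram (NXDOMAIN from the view, or a firewalled nameserver). Worth one sentence in the Summary. Option (b) also works as described only because ns-int1.org-b.example.com and ns-int2.org-b.example.com are names in the parent zone org-b.example.com, not under int.org-b.example.com, so the delegation needs no glue records and their addresses can be withheld from the public view; stating that makes the "hide the IP addresses" step reproducible. Wording fixes in the same hunk: "Let's say they organisation A acquires" → "Let's say organisation A acquires"; "there is not route in the Internet" → "there is no route in the Internet"; "a disconnect, internal DNS server" → "a disconnected, internal DNS server"; "retrieve it's IP address is really a significant higher security thread" → "retrieve its IP address is really a significantly higher security threat"; "IP addressses" → "IP addresses"; "these are the nameserver for" → "these are the nameservers for"; "is causing above illustrated issues" → "causes the issues illustrated above"; the TL;DR uses "simplified"/"simplify" three times in two sentences.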
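Review bot: In the new dedicated-december-2021 page (hunk @@ -0,0 +1,82), the sentence "The monthly price is 250 CHF. The price" under "The offer in detail" is cut off mid-sentence; finish it or drop the dangling "The price". Since IPMI is the one remote-management path into the box, the highlights list should say it is reachable only through the WireGuard VPN, as the detail section already does, rather than just "Remove access via IPMIView", which should read "Remote access via IPMIView" (and "IPMIview" later should match that spelling). Also: "What if it hardware breaks?" → "What if the hardware breaks?", "first come, first serve" → "first come, first served", "wordpress" → "WordPress", "valid for all orders received between 2021-12-01 to 2021-12-31" → "between 2021-12-01 and 2021-12-31".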
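Review bot: The replacement line in content/u/products/vigir/contents.lr, "+Thank you for waiting, VIIRB is back in stock again!", names the wrong product: this is the VIGIR page (the next unchanged line prices "the VIGIR"), so it looks copy-pasted from the VIIRB hunk and should say VIGIR.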
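Review bot: The fix in hunk @@ -76 of zero-carbon-cloud only repairs "ppeople"; the same line still carries "additioal appps", presumably "additional apps", and the identical residue ("additioal appps", "enable appps" where "enabled apps" seems meant) survives in every later hunk of this file, so the typo sweep is incomplete.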
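Review bot: The second change in hunk @@ -92, "-Recommended for your private use or for a smaller project." / "+Recommended for your private use or for a smaller project.", shows no visible difference and is presumably a trailing-whitespace edit; fine to keep, but say so somewhere so it is not mistaken for an unintended content change.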
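Review bot: Hunk @@ -137 changes offer5 from "One free IPv6 VPNs" to "Two free IPv6 VPNs", a feature change bundled into what otherwise reads as a typo sweep; please confirm it is intended. Offer3 in @@ -108 keeps the same singular/plural mismatch ("One free IPv6 VPNs") that this line used to have.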
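Review bot: Same question for hunk @@ -153: "Three free IPv6 VPNs" becomes "Five free IPv6 VPNs" for offer6 with no other context in the diff; if the VPN counts per tier were deliberately revised, a separate commit would make that clear and keep the typo fixes reviewable on their own.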
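Review bot: The new privacy-policy page's "Logging and data submission" section concedes that some data is logged for operational and billing reasons but states neither what is logged nor how long it is retained; a policy that explicitly is not zero-log should give at least a retention period. Smaller fixes: "making money of your information" → "making money off your information", "google analytics" → "Google Analytics", "Above list is not exhaustive" → "The above list is not exhaustive", and "opt-out for newsletters" → "opt out of newsletters".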