SYSRETURN.NET
SYSRETURN.NET is a closed, membership-only network of friends operating a virtual LAN between their homes. This arrangement re-discovers the original wonder of the inter-net, allowing easy direct communications between peers without corporate intermediaries. Whether it be for LAN parties, smol internet experiments, media sharing, collaborative development, or self-hosting, SYSRETURN.NET provides a way for members to have fun on the inter-net without the rest of the Internet.
This site serves as a public document about how SYSRETURN.NET is put together and how it works, and gives members and friends an idea of what's going on under the hood.
Background and Inspiration
Our approach to the virtual LAN structure is based on the published work by The Promised LAN. Their setup is what inspired us to get our own "Promised LAN" in place. While they did inspire the initial development, we chose a different setup and management approach due to differences in expertise and available resources, which we will document here.
Like The Promised LAN, SYSRETURN.NET only runs in a high-trust environment where all the core maintainers have known each other for a decade or more. Membership may be extended in the future, but only by unanimous agreement.
Another important background element to our approach is that all original core maintainers had attempted to build this kind of network using services from Tailscale. Tailscale is a great service, but has a core monetary responsibility that limits it to being suitable only to single-household deployments or corporate networks. Because someone has to hold the credit card, even if you are on a free-tier, it's not suitable for a true peer-responsibility deployment without some sort of incorporated entity getting involved.
The Name
The name comes from a portmanteau of the founding maintainer's preferred online usernames. It was registered as a domain name for shared projects long ago, but only recently does the .net top-level domain finally carry literal meaning.
Overlay Network
Membership to the SYSRETURN network is accomplished by being a peer on a site-to-site WireGuard VPN. Each site hosts a home network with a gateway device dedicated to packaging and routing traffic into and out of the WireGuard VPN.
This has advantages and disadvantages. Directly connecting LANs is simpler to start, as there are fewer layers to set up to get connectivity. WireGuard abstracts a lot of the configuration details, so there is not much choice in cryptographic or network configuration to maintain between peers. WireGuard can maintain connectivity as IPs change, so a set of dedicated IPs is not required to maintain the network.
While more scalable than traditional IPsec, directly connecting multiple LANs like this can grow too large to be easily maintained. However, we have a pretty small number of network segments in operation, and we can bring in a backbone layer if and when we need to while still using the same site-to-site technology.
Network Address Allocations
To allow all the peer networks to address each other, a /16 IPv4 prefix space has been chosen to hold all SYSRETURN network nodes. The x.y.0.0/24 space is reserved for gateways to each peer. Each peer gateway gets one address, like x.y.0.1 and x.y.0.2. Each physical network behind each gateway is assigned one or more /24 address spaces under x.y.z.0. By default the local network is assigned the network corresponding to their gateway, e.g. x.y.0.1 routes to addresses ranging over x.y.1.0/24.
The prefix is chosen to be one that is unlikely to be pre-allocated by a home-router to avoid conflicts with existing networks. If a member is setting up a new network, they can just set their router to use their assigned address space and be on the shared network with no further setup. For existing networks, however, that can be a major chore to re-allocate all their devices to a new address space. A member may also want some opt-in control for adding services or devices into the network. All this can be accomplished using the VLAN features of the member's network routers and switches.
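The allocation rule above maps directly onto WireGuard's AllowedIPs, which double as its cryptokey routing table: each peer's entry must cover exactly its gateway /32 and the /24s assigned to its site, and no two peers may overlap or one site's traffic is steered into the other's tunnel. The following is an added example, not SYSRETURN.NET's own tooling; the /16 value, site names and public keys are constructed placeholders.

```python
import ipaddress
from typing import Dict, List, Sequence, Tuple

# Constructed stand-in for the real x.y.0.0/16; the page does not publish the value.
PREFIX = ipaddress.ip_network("10.77.0.0/16")
SITE24 = list(PREFIX.subnets(new_prefix=24))  # SITE24[z] is x.y.z.0/24
GATEWAY_NET = SITE24[0]                       # x.y.0.0/24 is reserved for gateways

def default_site_net(gateway: str) -> ipaddress.IPv4Network:
    """Gateway x.y.0.N routes x.y.N.0/24 unless the site is assigned more /24s."""
    gw = ipaddress.ip_address(gateway)
    if gw not in GATEWAY_NET or gw == GATEWAY_NET.network_address:
        raise ValueError(f"{gateway} is not a gateway address in {GATEWAY_NET}")
    return SITE24[int(gw) - int(GATEWAY_NET.network_address)]

def allowed_ips(gateway: str, extra: Sequence[str] = ()) -> List[ipaddress.IPv4Network]:
    """AllowedIPs for one peer: its gateway /32 plus every /24 assigned to its site.
    WireGuard also only accepts packets from that peer's key with these sources."""
    nets = [ipaddress.ip_network(gateway + "/32"), default_site_net(gateway)]
    for e in extra:
        net = ipaddress.ip_network(e)
        if net.prefixlen != 24 or not net.subnet_of(PREFIX) or net == GATEWAY_NET:
            raise ValueError(f"{e} is not a site /24 inside {PREFIX}")
        nets.append(net)
    return nets

def find_conflicts(sites: Dict[str, Tuple[str, Sequence[str]]]) -> List[Tuple[str, str, str, str]]:
    """Pairs of peers whose AllowedIPs overlap: WireGuard would route one site's
    traffic into the other's tunnel, so this list must be empty before deploying."""
    owned = [(name, net) for name, (gw, extra) in sites.items()
             for net in allowed_ips(gw, extra)]
    return [(a, b, str(x), str(y)) for i, (a, x) in enumerate(owned)
            for b, y in owned[i + 1:] if a != b and x.overlaps(y)]

def render_peer(name: str, pubkey: str, gateway: str, extra: Sequence[str] = ()) -> str:
    """One [Peer] block for a gateway's wg config; Endpoint is left to the site."""
    ips = ", ".join(str(n) for n in allowed_ips(gateway, extra))
    return f"# {name}\n[Peer]\nPublicKey = {pubkey}\nAllowedIPs = {ips}\n"

if __name__ == "__main__":
    # Constructed sites: the second one also owns an extra VLAN /24 (x.y.20.0/24).
    sites = {"site-a": ("10.77.0.1", []), "site-b": ("10.77.0.2", ["10.77.20.0/24"])}
    for name, (gw, extra) in sites.items():
        print(render_peer(name, f"<{name}-public-key>", gw, extra))
    print("conflicts:", find_conflicts(sites))
```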
DNS
DNS is maintained on a public DNS service. This means that we are allowing private names and addresses to be visible on a public service. This choice is made to avoid maintaining private nameservers and names, at the cost of having to be slightly more careful about what names we put where. Split-horizon DNS is still possible per site, but won't have the same over-arching effect that publishing to the public zone does. If and when backbone nodes enter the network, split-horizon becomes more viable to maintain as a major feature of the network.
The zone file is maintained using an OctoDNS automation in a private, intra-network git repository. Members can update the configuration there and the public DNS host service is updated to match.