Have you considered trying Host Identity Protocol (HIP)? It's described in detail in RFC4423 and RFC5201, but I'll explain it in a nutshell and try to motivate why it might be interesting for the Amahi community.
In brief, HIP is a VPN alternative that supports IP address mobility and offers very nice support for NAT traversal. Thus, I believe it could be used to simplify access control and privacy for Amahi-based services (VNC, backup, etc.). HIP is implemented by three open-source software packages:
- OpenHIP: OS X, Windows, Linux
- HIP for inter.net: BSD platforms, Linux
- HIP for Linux: Fedora, CentOS, Debian, Ubuntu, Maemo and OpenWRT binary images
In more detail, HIP could be described as a hybrid of VPN and SSH. To compare it with VPN, HIP has the following characteristics:
Similarities with VPNs:
- Uses IPsec tunnels
- Uses virtual addresses
- The gateway is optional (people typically run HIP directly between the client and server)
- Supports IP address changes both at the client and server side
Similarities with SSH:
- Public-key based authentication
- Uses fingerprints (e.g. hashes of public keys)
- Public keys can optionally be published in DNS
- SSH tunnels are usually created manually, HIP tunnels are automatic (policy or DNS based)
- For IPv6 applications, the fingerprint represents the virtual IPv6 address (secure access control lists)
- As mentioned earlier, supports IP address changes both at the client and server side
HIP supports both IPv4 and IPv6 connectivity - both at the application and network level. With HIP, IPv4 applications can talk with IPv6 apps and vice versa. At the network level, HIP supports handovers between IPv4 and IPv6 addresses.
All implementations offer varying levels of DNS support. The HIPL implementation has integrated support for a DynDNS-like service for human-friendly hostnames and readdressing. An unpatched Bind nameserver supports HIP records as "binary blobs" (try "dig -t any crossroads.infrahip.net").
If this seems interesting, I can give you further information on the topic. We have also been experimenting with bridging UPnP networks on Linux, but that probably requires another discussion thread.
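To make the "fingerprint as a virtual IPv6 address" and "public keys published in DNS" points above concrete, here is an added example (not from the post above and not code from OpenHIP, HIP for inter.net or HIPL). It computes a Host Identity Tag from a Host Identity the way RFC 4843 and RFC 5201 describe (SHA-1 over the RFC 5201 context ID and the HI in DNS KEY RDATA form, middle 100 bits behind the 2001:10::/28 ORCHID prefix), builds and parses a HIP DNS resource record in the RFC 5205 wire format (the "binary blob" that an unpatched Bind serves as TYPE55 in RFC 3597 `\# len hex` notation), and refuses a record whose HIT does not match the key it carries. The RSA modulus, exponent and the rendezvous-server name are constructed for the demo and are not a real key or host.

```python
"""Added HIP example: HIT derivation (RFC 4843/5201) and HIP RR handling (RFC 5205).
Key material and host names below are constructed for the demo only."""
import hashlib
import ipaddress
import struct

ORCHID_NET = ipaddress.IPv6Network("2001:10::/28")   # ORCHID prefix used by HIP (RFC 5201)
ORCHID_PREFIX = 0x2001001                           # the same 28 prefix bits as an integer
HIP_CONTEXT_ID = bytes.fromhex("F0EFF02FBFF43D0FE7930C3C6E6174EA")  # RFC 5201 context ID
PK_ALG_DSA, PK_ALG_RSA = 1, 2                       # PK algorithm values in the HIP RR

# Constructed dummy RSA public key (NOT a real key): exponent 65537, 64-byte "modulus".
DEMO_MODULUS = bytes(range(1, 65))


def rsa_hi_rdata(exponent: int, modulus: bytes) -> bytes:
    """Encode an RSA public key as DNS KEY/IPSECKEY RDATA (RFC 3110): explen, exp, modulus."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    length = bytes([len(exp)]) if len(exp) < 256 else b"\x00" + struct.pack("!H", len(exp))
    return length + exp + modulus


DEMO_HI = rsa_hi_rdata(65537, DEMO_MODULUS)


def hit_from_hi(hi_rdata: bytes) -> ipaddress.IPv6Address:
    """ORCHID: prefix | middle 100 bits of SHA-1(context ID | HI). Same key => same HIT."""
    h = int.from_bytes(hashlib.sha1(HIP_CONTEXT_ID + hi_rdata).digest(), "big")  # 160 bits
    middle100 = (h >> 30) & ((1 << 100) - 1)       # discard 30 high and 30 low bits
    return ipaddress.IPv6Address((ORCHID_PREFIX << 100) | middle100)


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format domain name (RFC 5205 forbids compression pointers)."""
    out = b""
    for label in name.rstrip(".").split("."):
        lab = label.encode("ascii")
        if not 0 < len(lab) < 64:
            raise ValueError("bad label length")
        out += bytes([len(lab)]) + lab
    return out + b"\x00"


def decode_names(buf: bytes) -> list:
    """Parse a sequence of uncompressed names with bounds checks on every label."""
    names, pos = [], 0
    while pos < len(buf):
        labels = []
        while True:
            if pos >= len(buf):
                raise ValueError("truncated rendezvous server name")
            n = buf[pos]
            pos += 1
            if n == 0:
                break
            if n > 63 or pos + n > len(buf):
                raise ValueError("bad label in rendezvous server name")
            labels.append(buf[pos:pos + n].decode("ascii"))
            pos += n
        names.append(".".join(labels) + ".")
    return names


def build_hip_rr(hit: ipaddress.IPv6Address, alg: int, pubkey: bytes, rvs=()) -> bytes:
    """RFC 5205 RDATA: HIT length (1) | PK algorithm (1) | PK length (2) | HIT | key | RVS names."""
    if len(pubkey) > 0xFFFF:
        raise ValueError("public key too long for a 16-bit length field")
    head = struct.pack("!BBH", len(hit.packed), alg, len(pubkey))
    return head + hit.packed + pubkey + b"".join(encode_name(n) for n in rvs)


def parse_hip_rr(rdata: bytes) -> dict:
    if len(rdata) < 4:
        raise ValueError("truncated HIP RR")
    hit_len, alg, pk_len = struct.unpack("!BBH", rdata[:4])
    end = 4 + hit_len + pk_len
    if hit_len != 16 or len(rdata) < end:
        raise ValueError("HIT/PK length fields inconsistent with RDATA")
    return {"hit": ipaddress.IPv6Address(rdata[4:20]), "alg": alg,
            "pubkey": rdata[20:end], "rvs": decode_names(rdata[end:])}


def rdata_to_rfc3597(rdata: bytes) -> str:
    """The generic presentation form dig prints for an unknown type such as TYPE55."""
    return r"\# %d %s" % (len(rdata), rdata.hex().upper())


def rdata_from_rfc3597(text: str) -> bytes:
    parts = text.split()
    if len(parts) < 2 or parts[0] != r"\#":
        raise ValueError("not RFC 3597 generic RDATA")
    data = bytes.fromhex("".join(parts[2:]))
    if len(data) != int(parts[1]):
        raise ValueError("RFC 3597 length does not match data")
    return data


def verify_hip_rr(rdata: bytes) -> dict:
    """The check that makes the DNS record usable as a secure ACL entry: the HIT must be
    an ORCHID and must be the fingerprint of the key published next to it."""
    rec = parse_hip_rr(rdata)
    if rec["alg"] not in (PK_ALG_DSA, PK_ALG_RSA):
        raise ValueError("unknown PK algorithm %d" % rec["alg"])
    if rec["hit"] not in ORCHID_NET:
        raise ValueError("HIT is not in the ORCHID prefix")
    if hit_from_hi(rec["pubkey"]) != rec["hit"]:
        raise ValueError("HIT does not match the published Host Identity")
    return rec


def demo() -> dict:
    hit = hit_from_hi(DEMO_HI)
    rr = build_hip_rr(hit, PK_ALG_RSA, DEMO_HI, ["rvs.example.net."])  # constructed RVS name
    text = rdata_to_rfc3597(rr)
    rec = verify_hip_rr(rdata_from_rfc3597(text))
    swapped = build_hip_rr(hit, PK_ALG_RSA, rsa_hi_rdata(65537, bytes(range(2, 66))))
    try:
        verify_hip_rr(swapped)
        rejected = False
    except ValueError:
        rejected = True                                  # key swapped under a fixed HIT
    return {"hit": str(hit), "rr": text, "rvs": rec["rvs"], "tampered_rejected": rejected}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The `verify_hip_rr` step is the part worth copying: a HIP record fetched without DNSSEC proves nothing by itself, but because the HIT is a hash of the key, an ACL that lists HITs only admits a peer that can prove possession of the matching key in the base exchange, and a record whose key and HIT disagree can be discarded before any traffic flows.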