This is a real world example explaining how we actually connect our own office branches with RBridge. Of course we wanted to go with a maximum of security and confidentiality, therefore we generated true random key material for each pair of RBridges.
Not changing the default cipher we are implicitly using ChaCha20, which is faster, has a very good reputation and is more uncommon (for the case that AES-256 becomes too weak or is getting broken – if it isn’t already, who really knows …).
Here’s the link to the method and the true random number generator we use: Generating True Random Key Material with the Quantis USB Device.
The remaining part is very easy:
The configuration file on each device is the same except the information for licensing purposes. Implicitly we are using our default registry (absolutely no security related information is revealed towards the registry).
The configuration file /etc/rbridge.conf looks as follows (only the licence key is different):
serial= RPI-FREE
lickey= 84846058e4654ee11cb350xxxxxxxxxx
interface= eth0
true_random_keymaterial= /home/rbridge/keymaterialCD.bin
machash= CD
key= CD
registry_linkname= CD
The final step is to start RBridge automatically with cron as explained here: Installation and Deinstallation of RBridge.
Just moving the devices, restarting and – voilà – the two Ethernet LANs are securely connected through NAT on both sides (IPv4 or IPv6 is automatically chosen).
The licensing for the Raspberry Pi platform is free of charge, you find the needed credentials directly on the RBridge License Keyfactory Page.