Network Design

Networks, subnets, ports and the corresponding access rules and rights are already complex, and they get more complex the more servers and services are added. A Virtual Private Network adds another layer on top of all that and changes all these already hard-to-grasp parts. Therefore a clear design concept is needed for reference as we go on.


All IP addresses in this document have been reserved for documentation and testing in RFC 5737 and RFC 3849, or for use in private networks according to RFC 1918. They will not work in the real world.


Make a list of all providers (hosting companies, co-location data centers, friends, family members, employers or other companies who agreed to host a device on their premises for you). Decide on an abbreviation for each to use throughout the design.

You can find out the provider of any public IP address with the whois command:

$ whois <public IP address>

Or for a host name:

$ whois $(dig +short <host name>)

Some examples:

Provider           Short Name
Hetzner Online AG  hetzner
OVH                ovh
Digital Ocean      do
Linode             linode
Rackspace          rack
Your Home          home
Your Office        office
Mothers House      mama


Make a list of all geographical or physical remote locations that have one or more servers running. Most providers have their own naming.

Some examples:

Location        Short Name
San Francisco   SFO
New York City   NYC
Toronto         TOR
Berlin          BER
London          LON
Amsterdam       AMS
Frankfurt       FRA
Singapore       SGP
Bangalore       BLR

Public IPs and Subnets

You normally get these from your provider, and they are location based. Nowadays you should get IPv6 as well; otherwise change your provider.

In the best case you get a subnet; maybe you get additional IPs for a price.

List the subnets with their net-masks, which tell you the size and number of IPs. A single IPv4 host has a net-mask of /32. A single IPv6 address has a net-mask of /128.

Some examples:

Provider  Location  IPv4 Subnet  IPv6 Subnet
hetzner   SFO                    n/a
rack      LON                    2001:db8:48d1::/64
roller    PHO                    2001:db8:2d07:5b57::/128
home      FRA       dynamic      2001:db8:3414::/48
office    FRA       dynamic      dynamic
mama      BER       dynamic      n/a

Private Subnets

Some locations need a private subnet if there are multiple hosts behind a NAT router. Define one from the private network address ranges set by RFC 1918.

See Private Network on Wikipedia:

Private IPv4 Addresses

Network Address  Net Mask     Prefix
10.0.0.0         255.0.0.0    10/8
172.16.0.0       255.240.0.0  172.16/12
192.168.0.0      255.255.0.0  192.168/16
fd00::/48 n/a fd00::/48

First we define a global private subnet out of one of the private address spaces. The second octet is drawn from 16 to 31, so the result stays inside 172.16/12, and a /16 leaves room for the /24 location subnets defined next:

$ echo 172.$((RANDOM%16+16)).0.0/16
Global IPv4 Subnet Netmask Prefix

Next we define /24 subnets out of our global private subnet for the locations that need one. The third octet is drawn from 16 to 255 (RANDOM%240+16; a modulus of 255 would allow values above 255, which are not valid octets):

$ echo home 172.27.$((RANDOM%240+16)).0/24
$ echo office 172.27.$((RANDOM%240+16)).0/24
$ echo mama 172.27.$((RANDOM%240+16)).0/24
Provider Location Local IPv4 Subnet Netmask Prefix
home FRA
office FRA
mama BER

Private IPv6 Addresses

For IPv6 subnets we can use the on-line tool IPv6 private address range generator.

It will create a random global ID and subnet IDs out of the unique local address (ULA) block fd00::/8.

Global ID  c1d89eb128

Global IPv6 Subnet   Prefix
fdc1:d89e:b128::/48  fdc1:d89e:b128::/48

Repeat this for every location, providing the same global ID, to generate a /64 subnet for each.

Provider  Location  Subnet ID  Local IPv6 Subnet
home      FRA       13a6       fdc1:d89e:b128:13a6::/64
office    FRA       2615       fdc1:d89e:b128:2615::/64
mama      BER       41c5       fdc1:d89e:b128:41c5::/64

The VPN Subnet

To glue all our locations' subnets together we need one more subnet. The tunnel subnet connects all the VPN hosts and gateways together.

IPv4 VPN Addresses

For IPv4, telcos traditionally choose something out of the private 10/8 block.

This makes it easy to distinguish the virtual space from the physical locations within the 172.16/12 space (again RANDOM%240+16 keeps each octet between 16 and 255):

$ echo 10.$((RANDOM%240+16)).$((RANDOM%240+16)).0/24

IPv6 VPN Addresses

For the IPv6 address of the tunnel subnet we define an additional subnet ID under the same global ID.

Global ID c1d89eb128
Subnet ID 6a04

Combining IPv4 and IPv6, the result may look like the following:

Provider  Location  IPv4 Subnet  IPv6 Subnet
n/a       Global                 fdc1:d89e:b128::/48
home      FRA                    fdc1:d89e:b128:13a6::/64
office    FRA                    fdc1:d89e:b128:2615::/64
mama      BER                    fdc1:d89e:b128:41c5::/64
VPN       Virtual                fdc1:d89e:b128:6a04::/64
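The address plan built above (a global /16 out of 172.16/12, a /24 per location, a /24 out of 10/8 for the tunnel, and a ULA /48 from a random 40-bit global ID with /64 subnet IDs), as an added Python example that is not part of the original page. All function names are this example's own; random draws use secrets.randbelow instead of the shell's $RANDOM, and check_plan additionally flags overlaps and subnets that landed outside their intended block, which the echo commands alone cannot do.

```python
import ipaddress
import secrets
# Example code, not from the page: helper names and the rng hook are assumptions.

def ipv4_global_private(rng=secrets.randbelow):
    """Random /16 out of 172.16/12 (second octet 16..31), like the page's echo."""
    return ipaddress.IPv4Network(f"172.{rng(16) + 16}.0.0/16")

def ipv4_location_subnet(global_net, rng=secrets.randbelow):
    """Random /24 inside the global /16; the third octet is drawn from 16..255
    (RANDOM%255+16 in the shell could reach 270, which is not a valid octet)."""
    return list(global_net.subnets(new_prefix=24))[rng(240) + 16]

def ipv4_vpn_subnet(rng=secrets.randbelow):
    """Random /24 out of 10/8 for the tunnel, clearly separate from 172.16/12."""
    return ipaddress.IPv4Network(f"10.{rng(240) + 16}.{rng(240) + 16}.0/24")

def random_global_id():
    """40-bit ULA global ID as 10 hex digits, e.g. c1d89eb128 on the page."""
    return secrets.token_hex(5)

def ula_prefix(global_id):
    """fd00::/8 followed by the 40-bit global ID gives the /48 (RFC 4193 layout)."""
    return ipaddress.IPv6Network((int("fd" + global_id, 16) << 80, 48))

def ula_subnet(global_id, subnet_id):
    """A /64 inside the /48, selected by a 16-bit subnet ID such as 0x13a6."""
    base = int(ula_prefix(global_id).network_address)
    return ipaddress.IPv6Network((base | (subnet_id << 64), 64))

def check_plan(global4, locations4, vpn4, global6, locations6, vpn6):
    """Return a list of problems with the plan; an empty list means it is consistent."""
    problems = []
    if not vpn4.subnet_of(ipaddress.IPv4Network("10.0.0.0/8")):
        problems.append("VPN IPv4 subnet not in 10/8")
    if not vpn6.subnet_of(global6):
        problems.append("VPN IPv6 subnet outside the global /48")
    for name, net in locations4.items():
        if not net.subnet_of(global4):
            problems.append(f"{name}: IPv4 subnet outside the global /16")
    for name, net in locations6.items():
        if not net.subnet_of(global6):
            problems.append(f"{name}: IPv6 subnet outside the global /48")
    # Location and tunnel subnets of one address family must never overlap.
    for nets in (list(locations4.values()) + [vpn4], list(locations6.values()) + [vpn6]):
        for i, a in enumerate(nets):
            for b in nets[i + 1:]:
                if a.overlaps(b):
                    problems.append(f"overlap: {a} and {b}")
    return problems
```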

Register a Domain

Register a domain under which all your networks and hosts reside.

It doesn't matter if it is the same domain where our public services are hosted or a different one. The important thing is that all subnets, sub-domains and host names reside under one domain name which we fully control.

That way we can establish trust between all entities based on DNS information secured by DNSSEC. This will simplify things in many areas (e.g. trusting SSH server keys).

Domain Registrar

Sub-Domains for Sub-Nets

Locations with multiple hosts and IP subnets get their own sub-domain. Standalone rented servers in data centers don't need sub-domains.

Subdomain  Location  IPv4 Subnet  IPv6 Subnet
.          Global                 fdc1:d89e:b128::/48
home       FRA                    fdc1:d89e:b128:13a6::/64
office     FRA                    fdc1:d89e:b128:2615::/64
mama       BER                    fdc1:d89e:b128:41c5::/64

VPN Sub-domain

The VPN sub-domain lets us see at a glance that a connection is authenticated and encrypted, without memorizing IP addresses. Since the VPN stretches throughout the planet, only is needed.

Let’s call this vpn.

Subdomain  Location  IPv4 Subnet  IPv6 Subnet
vpn        Virtual                fdc1:d89e:b128:6a04::/64

Host Names

Over time you will iterate through many physical and virtual devices that provide similar services, and devices will change their roles and locations. It is therefore best to avoid service names, role names, company names, real people's (e.g. owners') names or household names for devices.

Just take a list, any list, of names or words, preferably a long one, and iterate over it.

Here is a good starting point.

I leave it up to you, the reader, to guess which list the following host names come from …

Host       Location  Provider  Role
dolores    SFO       hetzner   Server
maeve      LON       rack      Server
bernard    PHO       roller    Server
arnold     FRA       home      Router
hector     FRA       home      NAS
kiki       FRA       home      Wi-Fi
charlotte  FRA       home      Server
teddy      FRA       office    Router
logan      FRA       office    NAS
armistice  BER       mama      Router

DNS Records

We now have all the information needed to document our network design in DNS under the domain.

Top-Level Domain

E.g. (public hosts):

Here we only register the hosts that need to be reachable from the global public Internet (read: from the outside) for some reason, like servers, routers and VPN gateways.

Some of these won't get a fixed IP address, due to the provider's policy. For these we need a DynDNS solution, which is not discussed here.

Domain Name  IPv4 Address  IPv6 Address
                           N/A
                           2001:db8:48d1::1
                           2001:db8:2d07:5b57::0
             dynamic       2001:db8:3414:6b1d::1
             dynamic       2001:db8:3414:6b1d::10
             dynamic       dynamic

VPN Sub-Domain

Domain Name  IPv4 Address  IPv6 Address
                           fdc1:d89e:b128:6a04::7de4
                           fdc1:d89e:b128:6a04::961
                           fdc1:d89e:b128:6a04::3354
                           fdc1:d89e:b128:6a04::29ab

Location Sub-Domains

Domain Name  IPv4 Address  IPv6 Address
                           fdc1:d89e:b128:13a6::1
                           fdc1:d89e:b128:13a6::10
                           fdc1:d89e:b128:13a6::3


Domain Name  IPv4 Address  IPv6 Address
                           fdc1:d89e:b128:2615::1
                           fdc1:d89e:b128:2615::10


Domain Name  IPv4 Address  IPv6 Address
                           fdc1:d89e:b128:41c5::1