To facilitate cross-datacenter relplication of your Couchbase buckets we add a requirement that a site-to-site VPN must connect the two sites. The reason is that the cluster operates in an overlay network with RFC1918 addresses, these are encoded into the cluster map thus a cluster in site A must have L3 connectivity to these addresses in site B.

This is a pure L3 routed solution, and daemon set containers must be installed on the Couchbase nodes which add a static route for the remote prefix or prefixes whose next hop is the VPN gateway. While we could just use SNAT within the VPN gateway to mitigate the requirement for static routes, we avoid this as it would add state to the system, and connection tracking tables are only a finite size. Therefore we sacrifice simplicity for reliability in that connections won't randomly get dropped.

make

STRONGSWAN_LEFTID

The local gateway's identity

STRONGSWAN_LEFTSUBNET

The local gateway's subnet(s) e.g. 10.0.0.0/16

STRONGSWAN_RIGHT

The remote gateway's public IP address

STRONGSWAN_RIGHTID

The remote gateway's identity

STRONGSWAN_RIGHTSUBNET

The remote gateways subnet(s) e.g. 10.10.0.0/16,10.16.0.0/24

STRONGSWAN_PSK

The pre-shared key to authenticate with

docker run \
  -p 500:500/udp \
  -p 4500:4500/udp \
  -e STRONGSWAN_LEFTID=aws-us-west \
  -e STRONGSWAN_LEFTSUBNET=10.0.0.0/16 \
  -e STRONGSWAN_RIGHT=85.254.56.102 \
  -e STRONGSWAN_RIGHTID=aws-us-east \
  -e STRONGSWAN_RIGHTSUBNET=10.1.0.0/16 \
  -e STRONGSWAN_PSK=supersecret \
  --cap-add NET_ADMIN \
  couchbase/strongswan:1.0.0