[tahoe-dev] questions about a public grid

Vladimir Arseniev vladimira at aport.ru
Mon Jan 9 21:08:47 UTC 2012


I'd like to create public Tahoe-LAFS grids where nodes are mutually
pseudoanonymous, and all internode traffic is disguised. I've used the
I2P grid, and it's far too slow. I gather that a Tor hidden service grid
might be somewhat faster, but I'm sure that it would still be too slow
for my needs.

I've tested a VPN-connected grid, and it's obviously much faster. On the
other hand, it obviously provides less anonymity than the I2P or Tor
implementations. There are also some failover issues that need to be
addressed. But at the moment, I would appreciate comment about the
security vulnerabilities of the grid that I'm proposing.

All of the nodes have Internet connectivity through nested OpenVPN
tunnels (typically using two two-hop VPN services, one tunneled through
the other). There are no open ports. Each node connects individually
(using a third VPN tunnel, which is tunneled through its nested VPN
tunnels) to an OpenVPN Access Server (currently an AWS instance) which
is configured to allow "client-to-client" connectivity through the
server's openvpn process. The OpenVPN Access Server has no private LAN.
Each node/client has its own access credentials, and gets a fixed IP
address (e.g., 10.10.10.10 for the introducer). The nodes/clients have
Internet connectivity only through the OpenVPN server's WAN interface.

The nodes can only see each other through the OpenVPN Access Server.
They know each other's IP addresses on that server's VPN, but don't know
any true IP addresses, except for that of the access server. Also, the
access server doesn't know the true IP addresses of the nodes (unless
the VPN providers collude for traffic analysis).

A few questions occur to me. The OpenVPN Access Server sees internode
traffic. Is that problematic? While some of the nodes may be untrusted,
I believe that's common for Tahoe-LAFS grids. Right? What am I missing?

Has something like this been implemented and documented?

Thank you.
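As an added illustration of the topology described in the message above (this is not the poster's configuration, which runs on OpenVPN Access Server and is managed through its admin interface), here is the equivalent community-edition OpenVPN server file: client-to-client forwarding through the server process, no LAN routes pushed, every node routed to the Internet only via the server's WAN side, and a fixed 10.10.10.10 address pinned to the introducer through a per-client config file. File names, the certificate CN `introducer`, and the 10.10.10.0/24 subnet are assumptions.

```conf
# Example community-edition server config approximating the grid setup
# above. Not the poster's Access Server config; names are assumptions.
port 1194
proto udp
dev tun
topology subnet            # one address per client, so ifconfig-push takes addr+mask

# Server identity; every node has its own client cert (no duplicate-cn),
# matching "each node/client has its own access credentials".
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0          # drop packets that are not HMAC-signed before the TLS handshake

server 10.10.10.0 255.255.255.0
client-to-client           # nodes reach each other only through this openvpn process
client-config-dir ccd      # per-client overrides keyed by certificate CN

# No "push route ..." lines: the server has no private LAN to expose.
# All node traffic leaves through the server's WAN interface.
push "redirect-gateway def1"

keepalive 10 60
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

# Contents of ccd/introducer (hypothetical CN "introducer"), pinning the
# introducer to the fixed address used in the message:
#   ifconfig-push 10.10.10.10 255.255.255.0
```

One Tahoe-side check that belongs with this setup: each node announces its own address to the introducer inside its furl, and when `tub.location` in `tahoe.cfg` is left to auto-detection the node includes all of its local interface addresses in that announcement, not only the 10.10.10.x VPN one. Setting `tub.location` explicitly to the node's VPN address keeps the announced location inside the grid.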


