
How to fix the infrastructure after the tsunami


While some people are launching paper planes out of windows, others are fiddling with proxy server settings or even installing dante on a VPS, medium-sized businesses are facing the real consequences of the mass blocking on their processes.


You can have different attitudes to what is happening, but when G Suite stops working or the cloud infrastructure goes down, it looks like a natural disaster. And it is ordinary system administrators who have to clean up the consequences, and promptly. So in this article I share options for surviving and rethinking business processes: a kind of chronicle from the field.


There are many possible solutions to the problem, up to renting an apartment in Svetogorsk and installing a 4G modem with a Finnish SIM card there, or bribing a friendly provider to install in its data center a server connected so as to bypass the “Revizor” system. But I will focus on a couple of reasonable and legitimate options.


Virtual private network


When monitoring reports that your servers are unavailable and, while clarifying the situation, you find that the subnet of a foreign data center has been blocked, the first thought will be to deploy a VPN. $5 virtual droplets save the day, although their addresses may also end up on the blocklist.


Let me remind you that you can check whether an IP address is blocked on the official Roskomnadzor website. You can also use bots; a search turns up plenty of them.

If you suddenly have to “hop” between the data centers of some network capacity provider (while a proper solution is being looked for), here is a small tip to simplify the process: create a snapshot of the virtual machine, make it available for the desired region, and create a new virtual machine in the target region from the old snapshot.
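The check in the two paragraphs above (is a given address inside a blocked subnet, and has the replacement droplet landed on a clean one) is easy to automate against your own server inventory. The Python script below is an added example, not code from the article or from Roskomnadzor: it uses a constructed blocklist of documentation-range prefixes in place of the real registry dump, and the hostnames and addresses in the inventory are made up as well. It handles both IPv4 and IPv6 prefixes, which the article does not show. Feed it the actual prefixes you obtain from the registry or a bot and it tells you which of your hosts are affected and which candidate address is usable.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed sample blocklist: these prefixes are made up for the example
# (RFC 5737 / RFC 3849 documentation ranges), not real registry entries.
SAMPLE_BLOCKLIST = [
    "# one prefix per line, comments allowed",
    "198.51.100.0/24",
    "203.0.113.64/26",
    "2001:db8:dead::/48",
    "this line is malformed and must be skipped",
]

# Constructed inventory: hostname -> address of our own servers/droplets.
SAMPLE_INVENTORY = {
    "vpn-ams3": "203.0.113.70",
    "vpn-fra1": "203.0.113.10",
    "mail-v6": "2001:db8:dead:beef::25",
    "monitoring": "192.0.2.40",
}


def parse_blocklist(entries: Iterable[str]):
    """Parse prefixes (or bare addresses, treated as /32 or /128) into networks.
    Blank lines, comments and malformed entries are skipped so that one bad
    line in a registry dump does not abort the whole check."""
    nets = []
    for raw in entries:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        try:
            nets.append(ipaddress.ip_network(raw, strict=False))
        except ValueError:
            continue
    return nets


def blocking_prefix(address: str, networks) -> Optional[ipaddress._BaseNetwork]:
    """Return the blocklist prefix that covers `address`, or None if it is clean."""
    addr = ipaddress.ip_address(address)
    for net in networks:
        if addr.version == net.version and addr in net:
            return net
    return None


def audit_inventory(inventory: dict, blocklist: Iterable[str]) -> dict:
    """Map each host to the prefix that blocks it (None means reachable)."""
    nets = parse_blocklist(blocklist)
    return {host: blocking_prefix(ip, nets) for host, ip in inventory.items()}


def pick_clean_address(candidates: Iterable[str], blocklist: Iterable[str]) -> Optional[str]:
    """From a pool of addresses (e.g. droplets freshly created in other regions)
    return the first one not covered by the blocklist, or None if all are hit."""
    nets = parse_blocklist(blocklist)
    for ip in candidates:
        if blocking_prefix(ip, nets) is None:
            return ip
    return None


if __name__ == "__main__":
    for host, net in audit_inventory(SAMPLE_INVENTORY, SAMPLE_BLOCKLIST).items():
        print(f"{host:12} {'BLOCKED by ' + str(net) if net else 'ok'}")
    print("usable:", pick_clean_address(["203.0.113.70", "198.51.100.9", "192.0.2.7"],
                                        SAMPLE_BLOCKLIST))
```

Run it from a cron job against the current registry dump and alert when a previously clean host turns up as blocked; that gives you the same signal as the monitoring outage, but before users notice.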



Selecting the regions in which the virtual machine image is available.


I was lucky, and an unblocked address turned up only on the third attempt.


Anything can be used as a VPN solution. OpenVPN is configured quickly and easily but may require installing additional software. L2TP/IPsec is more complicated, but it is supported on recent versions of iOS and Android.


Below is a list of ready-made solutions for when you need to act quickly and there is no time to dig into the details:



Now that the organization has regained some kind of access to its services, we need to think about what to do next, because at any moment our VPN virtual machine can itself get caught in the blocking.


IP version six


One of the options for restoring functionality was moving to IPv6; fortunately, modern data centers provide this protocol. Besides access to cloud servers, IPv6 helps restore the Google services, such as G Suite, that are tied into the business processes of many organizations.


If you are lucky and your provider supports the new protocol, half the work is done. If you are less lucky, one of the options is to set up a 6to4/6in4 tunnel.


A list of providers that support IPv6 can be found on the wiki portal version6.ru.

Most routers support such tunnels. In particular, setting up IPv6 on MikroTik equipment is described in the article “MikroTik - 6in4 or IPv6 without provider support”. The general principle is extremely simple: register with a broker, create a tunnel, assign addressing, set up routes, use it. You can check that it works on one of the IPv6 test sites.



Checking that IPv6 works: now Google services will work again.


An important point to keep in mind when setting up IPv6 is that the protocol works without NAT, so all devices on the local network are on the “big internet”. If you turned off the firewall on workstations, now is the time to turn it on and configure it. Configuring the firewall on the router will give a bit more protection. For example, on MikroTik I used the following settings:


/ipv6 firewall filter
# ICMPv6 addressed to the router: accept up to 100 packets/s (burst 5), drop the rest
add chain=input limit=100,5 protocol=icmpv6
add action=drop chain=input protocol=icmpv6
# ICMPv6 passing through the router: the same rate limit
add chain=forward limit=100,5 protocol=icmpv6
add action=drop chain=forward protocol=icmpv6
# accept established and related connections to the router
add chain=input connection-state=established,related
# rules allowing SSH\etc from the outside would go here if needed
# drop everything else arriving from the tunnel
add action=drop chain=input in-interface=StF
# accept established and related connections passing through the router
add chain=forward connection-state=established,related
# rules publishing internal services would go here if needed
# drop everything else coming from the tunnel towards the LAN
add action=drop chain=forward in-interface=StF

Here StF is the name of the 6to4 tunnel interface.


An alternative to setting up IPv6 on the router is setting up a tunnel on the workstation, since Windows supports the Teredo protocol. The configuration is described in the material “IPv6 / Teredo configuration in Windows 7”. The distinctive feature of this protocol is that it can work from behind NAT.



IPv6 in operation.
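The "assign addressing" step of the tunnel recipe above and the Teredo option both follow fixed address layouts, and knowing them is what lets you read IPv6 tunnel peers in your logs back to the IPv4 endpoints behind them. The Python script below is an added example, not code from the article, MikroTik or Windows: it derives the RFC 3056 6to4 /48 from a public IPv4 address, carves /64 LAN segments out of it (every host on such a segment gets a globally routable address, which is why the firewall rules above matter), and decodes 6to4 and RFC 4380 Teredo addresses back to the embedded IPv4 endpoints. All addresses are constructed from documentation ranges.

```python
import ipaddress
from typing import Optional

# Constructed sample values from documentation ranges (RFC 5737); they stand in
# for the router's real public IPv4 address and for a tunneled peer seen in logs.
SITE_PUBLIC_IPV4 = "192.0.2.1"
SAMPLE_TEREDO_PEER = "2001:0:c000:201:8000:63bf:39cc:9bf8"

RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def six_to_four_prefix(public_ipv4: str) -> ipaddress.IPv6Network:
    """RFC 3056: the site's /48 is 2002:WWXX:YYZZ::/48, where WW.XX.YY.ZZ is the
    public IPv4 address of the tunnel endpoint. Private or special addresses are
    rejected, because 6to4 relays would have nowhere to send the replies."""
    v4 = ipaddress.IPv4Address(public_ipv4)
    if v4.is_loopback or v4.is_link_local or v4.is_multicast or any(v4 in n for n in RFC1918):
        raise ValueError(f"{public_ipv4} is not usable as a 6to4 endpoint")
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def lan_subnet(public_ipv4: str, subnet_id: int) -> ipaddress.IPv6Network:
    """Carve one of the 65536 /64s out of the site's /48 for a LAN segment."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet id must fit in 16 bits")
    site = six_to_four_prefix(public_ipv4)
    return ipaddress.IPv6Network((int(site.network_address) | (subnet_id << 64), 64))


def decode_6to4(ipv6: str) -> Optional[str]:
    """Reverse mapping: the IPv4 endpoint embedded in a 6to4 address, else None."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in ipaddress.IPv6Network("2002::/16"):
        return None
    return str(ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF))


def decode_teredo(ipv6: str) -> Optional[dict]:
    """RFC 4380 layout of a 2001:0::/32 address: Teredo server IPv4 in bits
    32-63, flags in bits 64-79, then the client's external UDP port and public
    IPv4 (as seen by the server), both stored XORed with all-ones bits."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in ipaddress.IPv6Network("2001::/32"):
        return None
    n = int(v6)
    return {
        "server": str(ipaddress.IPv4Address((n >> 64) & 0xFFFFFFFF)),
        "flags": (n >> 48) & 0xFFFF,
        "client_port": ((n >> 32) & 0xFFFF) ^ 0xFFFF,
        "client": str(ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
    }


def decode_tunnel_peer(ipv6: str) -> Optional[dict]:
    """Helper for log review: which IPv4 endpoint an IPv6 peer really came from.
    Returns None for native (non-tunneled) IPv6 addresses."""
    v4 = decode_6to4(ipv6)
    if v4 is not None:
        return {"kind": "6to4", "endpoint": v4}
    teredo = decode_teredo(ipv6)
    if teredo is not None:
        return {"kind": "teredo", "endpoint": teredo["client"], **teredo}
    return None


if __name__ == "__main__":
    print("site prefix :", six_to_four_prefix(SITE_PUBLIC_IPV4))
    print("LAN subnet 1:", lan_subnet(SITE_PUBLIC_IPV4, 1))
    print("teredo peer :", decode_tunnel_peer(SAMPLE_TEREDO_PEER))
```

When you review the router's firewall log, running the source addresses through `decode_tunnel_peer` shows which connections arrive over 6to4 or Teredo rather than native IPv6; the client's real IPv4 and port are right there in the address, so NAT on the IPv4 side hides nothing from the IPv6 side.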


Unfortunately, the drawback of tunnels remains the possibility that the tunnel brokers themselves get blocked, and constantly changing servers is not the most elegant solution.


Reorganization of business processes


When everything works, it is time to think about building an infrastructure that will not be afraid of all these disasters. Of course, if a company has enough funds to organize a geo-distributed cluster with one, or even several, nodes in the Russian Federation, that will be a good solution.


But if there are no funds, you have to look for analogues of G Suite. Mail.ru and Yandex, for instance, offer services like collaborative document editing and mail for a domain.


Other organizations are increasingly thinking about taking a step back, towards their own infrastructure. Clouds are good, but in today's realities availability costs more. So leasing a dedicated server, or renting colocation in domestic data centers, seems a good option.


By the way, share your own reports from the field; they may come in handy in the bright future.



Source: https://habr.com/ru/post/354506/

