This wiki is an archive up to 2023. The current wiki can be found at https://wiki.hamburg.ccc.de/

Difference between revisions of "ChaosVPN:DebianHowto"

From CCCHHWiki
Edit summaries: older revision "6. Mail us your Infos", newer revision "4. Devise a network-nick". Changed region starting at line 56 of both revisions:

  and press return a few times...

- == 4. Devise a network-nick ==
+ == 4. Devise a network-nick and a unique IP Range you will be using ==

- This is the name of the network endpoints/gatewways, not necessarily the users,
- it may even be more gateways per user.
+ This network-nick or sometimes called nodename is the name of the network endpoint/gateway where the vpn software will be running, not necessarily the name of the user, there may even be more than one gateway per user.

  Used below where <nodename> is.

  Please use only characters a-z, 0-9 and _ in it.
+
+ Second please select an unused IP range out of [[ChaosVPN::IPRanges]], and write yourself down in that wiki page to mark your future range as in-use. Please select from the correct ranges, 172.31.*.* for Europe, and 10.100.*.* for the US and elsewhere.

  == 5. Hostname ==
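Review bot: the added wiki link `[[ChaosVPN::IPRanges]]` uses a double colon, while this page's own title, "ChaosVPN:DebianHowto", uses a single colon as the namespace separator; please confirm the link target resolves (a single-colon form such as `[[ChaosVPN:IPRanges]]` would match the title convention), since the rendered text of this revision shows only "IPRanges".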

Revision as of 23:04, 18 January 2010

and AgoraLink::DebianHowto


THIS DOCUMENTATION IS ONLY PARTIALLY FINISHED FOR CHAOSVPN 2.0!

QUICK HOWTO FOR DEBIAN USERS

0. Install necessary helper programs

needed to use the chaosvpn client:

# apt-get install iproute

needed to compile the chaosvpn-client if not using a precreated debian package for it:

# apt-get install build-essential git-core bison flex libcurl4-openssl-dev

additionally needed to build the debian packages:

# apt-get install debhelper devscripts quilt

The quilt version in Debian lenny is too old; you need quilt (>= 0.46-7), which is available in Debian squeeze or from backports.org.

1. Install tinc

# apt-get install tinc

Either the package from Debian unstable, or my lenny backport of http://debian.sdinet.de/lenny/sdinet/tinc/

This should be at least version 1.0.10.

Or visit http://tinc.nl.linux.org/, download and build it yourself: at a minimum run ./configure with the parameter --sysconfdir=/etc, and check the binary path used in the script.

If the tinc installation gives the following error:

> ./MAKEDEV: don't know how to make device "tun"

Then create the device by hand:

# mkdir -p /dev/net
# mknod /dev/net/tun c 10 200
# chown root:root /dev/net/tun
# chmod 600 /dev/net/tun
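The two things step 1 and the MAKEDEV workaround above are supposed to leave behind (a tinc of at least 1.0.10 and a root-owned, mode 600 tun device with major 10 and minor 200) are easy to verify before going further. The following preflight script is an added example, not part of the wiki page; it assumes GNU stat and that the first line of `tincd --version` carries the version number.

```shell
#!/bin/sh
# Added preflight check (not from the ChaosVPN wiki page): confirms a tinc
# version >= 1.0.10 and a correct /dev/net/tun (char device 10:200, mode 600,
# root:root). Assumes GNU stat for the %t/%T/%a/%U/%G format fields.

# version_ge A B -> exit 0 when dotted version A is >= B (numeric fields only)
version_ge() {
    v1="$1." v2="$2."
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        x=${v1%%.*}; v1=${v1#*.}
        y=${v2%%.*}; v2=${v2#*.}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# installed_tinc_version -> prints the version tincd reports, fails if absent
# (assumption: the first line of `tincd --version` contains the version)
installed_tinc_version() {
    command -v tincd >/dev/null 2>&1 || return 1
    tincd --version 2>/dev/null | head -n 1 | grep -o '[0-9][0-9.]*' | head -n 1
}

# tun_device_ok [PATH] -> 0 when PATH is a char device 10:200, mode 600, root:root
tun_device_ok() {
    dev=${1:-/dev/net/tun}
    [ -c "$dev" ] || { echo "$dev is not a character device" >&2; return 1; }
    # %t/%T are major/minor in hex: 10 -> a, 200 -> c8
    info=$(stat -c '%t:%T %a %U:%G' "$dev" 2>/dev/null) || return 1
    [ "$info" = "a:c8 600 root:root" ] ||
        { echo "$dev: got '$info', want 'a:c8 600 root:root'" >&2; return 1; }
}

# run_checks -> prints a summary; exit status 0 only if both checks pass
run_checks() {
    rc=0
    ver=$(installed_tinc_version) || ver=""
    if [ -n "$ver" ] && version_ge "$ver" 1.0.10; then
        echo "tinc $ver: ok"
    else
        echo "tinc '${ver:-not found}': need tincd version 1.0.10 or newer"; rc=1
    fi
    if tun_device_ok /dev/net/tun; then echo "/dev/net/tun: ok"; else rc=1; fi
    return $rc
}

# Usage: sh preflight.sh run
case "${1:-}" in run) run_checks ;; esac
```

The version comparison is field-by-field on purpose: a plain string comparison would rank 1.0.9 above 1.0.10, which is exactly the boundary this page cares about.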

2. Create config directory

# mkdir -p /etc/tinc/chaos

3. Generate keys

# tincd -n chaos --generate-keys=2048

and press return a few times...

4. Devise a network-nick and a unique IP Range you will be using

This network-nick, sometimes called nodename, is the name of the network endpoint/gateway where the VPN software will be running, not necessarily the name of the user; there may even be more than one gateway per user.

Used below where <nodename> is.

Please use only characters a-z, 0-9 and _ in it.

Second, please select an unused IP range from IPRanges and add yourself to that wiki page to mark your future range as in use. Please select from the correct ranges: 172.31.*.* for Europe, and 10.100.*.* for the US and elsewhere.

5. Hostname

The gateway may have a DynDNS (or similar) hostname pointing to a dynamic IP, or a static hostname/fixed IP.

Used below where <clienthost> is.

6. Mail us your info

  • send to haegar@ccc.de for a connection in Europe.
  • send to join@agoralink.org for a connection outside of Europe, i.e. North America et al.

We need the following info:

[<nodename>]
 replace <nodename> with the network nick from step 4

gatewayhost=<clienthost>
 This should be the external name or IP address of the client host, not a VPN address.
 If the client is not reachable over the internet, leave it out and set hidden=1 below.

network=<ipv4 subnet in the vpn>
network6=<ipv6 subnet in the vpn>
 There may be more than one of these, IPv4 or IPv6.

 These subnets must be unique in our VPN:
 simply renumber your home network (or use something like NETMAP) with a network block that is still free.

 Please use the list of assigned networks on IPRanges, and add yourself there.
owner=
 Admin of the VPN gateway, with email address: a way to contact the responsible
 person in case of problems with your network link.
key
 rsa-public-key: the contents of /etc/tinc/chaos/rsa_key.pub

Optionally, the following details:

port=655
 If not specified, tinc works on TCP+UDP port 655.
 It is better if everyone chooses a random port for this.
 Either this specified port or port 655 needs to accept TCP and UDP traffic from outside.
use-tcp-only=1
 "I don't do udp, we only use suboptimal tcp"
hidden=1
 "I cannot accept inbound tunnel connections, I can only connect out."
 (e.g. behind a NAT)
indirectdata=1
 "I cannot accept inbound udp data packets, I can only send out."
 (e.g. behind a NAT)
silent=1
 "I cannot connect out, but you can connect to me."

7. Awaiting Response

8. goto 6 unless $success

9. chaosvpn-client download and compile

TODO: THIS PART NEEDS TO BE EXPANDED

If you are on Debian Lenny, you currently (to be fixed) need two backports from unstable to compile:

# wget -nd http://debian.sdinet.de/lenny/sdinet/debhelper/debhelper_7.4.10~sdinetD1_all.deb
# wget -nd http://debian.sdinet.de/lenny/sdinet/quilt/quilt_0.46-8~bpo50+1_all.deb
# dpkg -i debhelper_7.4.10~sdinetD1_all.deb
# dpkg -i quilt_0.46-8~bpo50+1_all.deb
# git clone git://github.com/ryd/chaosvpn.git
# cd chaosvpn

way 1: create a git snapshot debian package

# make deb
 It may throw an error about missing build dependencies; install these and retry.
# sudo dpkg -i ../chaosvpn_2.0*.deb
 install the generated package file, replace filename above with real name.

way 2: create debian package and install this

# debuild
 Answer the "This package has a Debian revision number but there does not seem to be
 an appropriate original tar file or .orig directory in the parent directory" with "y"
# sudo dpkg -i ../chaosvpn_2.0*.deb
 install the generated package file, replace filename above with real name.

way 3: just compile and install the raw binary

# make
# sudo make install

10. Customize configfile

FIXME to be expanded

/etc/tinc/chaosvpn.conf

In the top part are the variables.

change

$my_peerid to the network nick from step 4
$my_vpn_ip to an ip address in your network range, like 172.31.x.1

11. script in /etc/ppp/ip-up to autostart, or to restart from time to time via cron

If you built a Debian package and installed it, the cron and ip-up parts are already set up; if you installed it manually with make install, you have to do it yourself.


and with luck, it will function beautifully! ;)


todo: tons ;) test in particular, and adjust docs for other linux distros, and perhaps even with *bsd