Dieses Wiki ist ein Archiv bis 2023. Das aktuelle Wiki findet sich unter https://wiki.hamburg.ccc.de/

Difference between revisions of "ChaosVPN:Fonera"

From CCCHHWiki
Jump to: navigation, search
(Step 1 - Flash to Official Dev Image)
(Upgrading ChaosVPN / Tinc)
 
(25 intermediate revisions by 5 users not shown)
Line 19: Line 19:
 
== Instructions ==
 
== Instructions ==
  
=== Step 1 - Flash to Official Dev Image ===
+
=== Step 1 ===
  
Before you can install our image, or any custom image for that matter, you will need to reflash your stock fonera with a DEV image.<br>
+
Been able to access your Fonera 2.0n router over ssh.
 +
skip step 2.
  
I've included a link to a tested DEV image in the [[http://wiki.hamburg.ccc.de/ChaosVPN::Fonera#Software Software section]].  <br>
+
=== Step 2 - Flash to Official Dev Image go get SSH working ===
 +
 
 +
you will need to reflash your stock fonera with a DEV image.<br>
 +
 
 +
I've included a link to a tested DEV image in the [[ChaosVPN:Fonera#Software | Software section]].  <br>
 
You download the .tgz of the image. <br>
 
You download the .tgz of the image. <br>
 
'''Do not untar or ungzip it. ''' <br>
 
'''Do not untar or ungzip it. ''' <br>
Line 40: Line 45:
 
This can also address browser issues.
 
This can also address browser issues.
  
=== Step 2 - SCP the ChaosVPN image ===
+
=== Step 3 - upload the ChaosVPN image to your Fonera ===
  
Now that you have an official DEV image on your fonera you can access ssh on the device. <br>
+
Now you can access ssh on the device. <br>
 
<br>
 
<br>
 
'''Login:''' <br>
 
'''Login:''' <br>
Line 49: Line 54:
 
<br>
 
<br>
 
Verify you can login correctly. <br>
 
Verify you can login correctly. <br>
 +
 +
==== Without Internet ====
 
Once you have done so, scp (Secure CoPy) the ChaosVPN image tarball to the device. <br>
 
Once you have done so, scp (Secure CoPy) the ChaosVPN image tarball to the device. <br>
 
Exampel code
 
scp SourceFile user@host:directory/TargetFile
 
  
 
Programs:<br>
 
Programs:<br>
 
you can use simply scp in Linux. <br>
 
you can use simply scp in Linux. <br>
 
you can use winscp or putty in Windows. <br>
 
you can use winscp or putty in Windows. <br>
 +
 +
Exampel code
 +
scp fonera2n-chaosvpn.img admin@fonera:tmp/fonera2n-chaosvpn.img
  
 
Confirm that everything uploads nicely.<br>
 
Confirm that everything uploads nicely.<br>
 +
More about [https://secure.wikimedia.org/wikipedia/en/wiki/Secure_copy Secure CoPy]
  
More about [[https://secure.wikimedia.org/wikipedia/en/wiki/Secure_copy Secure CoPy]]
+
==== With Internet: ====
  
=== Step 3 - Setting up for reflash ===
+
cd /tmp
 +
wget http://www.music-piracy.com/fonera2n-chaosvpn.img
  
 +
 +
=== Step 4 - The flashing of the device with Backup  ===
 +
If you do not want to backup. (case: new Device / clean install) skip this step<br>
 
The tarball as included is laid out to demonstrate how you can upgrade your device properly. <br>
 
The tarball as included is laid out to demonstrate how you can upgrade your device properly. <br>
Since you won't be "upgrading" from a previous chaosvpn instance some things are slightly different. <br>
+
Since you won't be "upgrading" from a previous ChaosVPN instance some things are slightly different. <br>
 
Let's look at what is in the tarball.
 
Let's look at what is in the tarball.
  
  20100417_FON2303_2.3.5.0_DEV.img
+
  20100824_FON2303_2.3.6.1_r1730_DEV.img
  fonera20n.img
+
  fonera2n-chaosvpn.img
 
  upgrade
 
  upgrade
 
  upgrade_developer
 
  upgrade_developer
  
fonera20n.img, and upgrade are symlinks to the image and upgrade script respectively.   
+
fonera2n-chaosvpn.img, and upgrade are symlinks to the image and upgrade script respectively.   
  
20100824_FON2303_2.3.6.1_r1730_DEV.img is the image you will be upgrading to. (check the [[http://wiki.hamburg.ccc.de/ChaosVPN::Fonera#Software Software Seccion]] for newer images)
+
fonera2n-chaosvpn.img is the image you will be upgrading to. (check the [[ChaosVPN:Fonera#Software | Software Seccion]] for newer images)
  
 
Let's look at upgrade_developer:
 
Let's look at upgrade_developer:
Line 91: Line 103:
 
  uci commit
 
  uci commit
 
  tar cvzf /tmp/sysupgrade.tgz /etc/passwd /etc/group /etc/dropbear /etc/samba/smbpasswd /etc/samba/secrets.tdb /etc/config/firewall /etc/config/upnpd /etc/config/umtsd /etc/config/registered /etc/config/gdata /etc/config/facebook /etc/config/flickr /etc/config/mountd /etc/config/fon /etc/config/ddns /etc/config/wizard /etc/pureftpd.pdb /etc/pureftpd.passwd /etc/config/luci_dlmanager /etc/config/twitter /etc/config /firewall /etc/tinc /etc/init.d/firewall
 
  tar cvzf /tmp/sysupgrade.tgz /etc/passwd /etc/group /etc/dropbear /etc/samba/smbpasswd /etc/samba/secrets.tdb /etc/config/firewall /etc/config/upnpd /etc/config/umtsd /etc/config/registered /etc/config/gdata /etc/config/facebook /etc/config/flickr /etc/config/mountd /etc/config/fon /etc/config/ddns /etc/config/wizard /etc/pureftpd.pdb /etc/pureftpd.passwd /etc/config/luci_dlmanager /etc/config/twitter /etc/config /firewall /etc/tinc /etc/init.d/firewall
  mtd -j /tmp/sysupgrade.tgz -r write fonera20n.img image > /dev/null 2>&1  
+
  mtd -j /tmp/sysupgrade.tgz -r write fonera2n-chaosvpn.img image > /dev/null 2>&1  
 
  return 0
 
  return 0
 
  else
 
  else
Line 99: Line 111:
  
 
Okay so there's '''only 2 important lines''' in the script.  <br>
 
Okay so there's '''only 2 important lines''' in the script.  <br>
The '''tar creation call''', <br>
+
The '''tar''' creation call, <br>
and the '''call to mtd'''.  <br>
+
and the call to '''mtd'''.  <br>
 
 
Depending on what you need to do with your device the tar creation call may not be needed. <br>
 
  
 
What the tar creation call does, is it creates a tarball in /tmp of the fonera called "sysupgrade.tgz".  <br>
 
What the tar creation call does, is it creates a tarball in /tmp of the fonera called "sysupgrade.tgz".  <br>
 
Everything you tar up into it ( using an absolute directory path ), will be saved there and deployed after the firmware is upgraded.<br>
 
Everything you tar up into it ( using an absolute directory path ), will be saved there and deployed after the firmware is upgraded.<br>
 
What this allows you to do is save settings of your device.<br>
 
What this allows you to do is save settings of your device.<br>
'''Importen''' Do it befor and save lots of rage<br>
 
 
You will need to specify the paths of areas of the file structure you want preserved manually.<br>
 
You will need to specify the paths of areas of the file structure you want preserved manually.<br>
''Please don't use my command as written, it will not work most likely.''
 
  
Assuming you don't want to preserve any settings on your device, <br>
+
The mtd call is the upgrade call.
or you have already created the sysupgrade.tgz file in /tmp, we can just get started on the firmware installation.<br>
 
  
The mtd call in the upgrade script is the upgrade call.
+
mtd -j /tmp/sysupgrade.tgz -r write fonera2n-chaosvpn.img image
  
==== Case 1 ( '''with sysupgrade.tgz''' ) ====
+
=== Step 5 - The flashing of the device without Backup ===
  
mtd -j /tmp/sysupgrade.tgz -r write fonera20n.img image
+
The flashing of the device without Backup. <br>
 +
for New Device / clean install
  
==== Case 2 ( '''without sysupgrade.tgz''' ) ====
+
mtd -r write fonera2n-chaosvpn.img image
  
  mtd -r write 20100824_FON2303_2.3.6.1_r1730_DEV.img image
+
=== Step 6 - The long waiting ===
  
Now you should see some dialogue that says the firmware is flashing with an oscillating w / e thing going.<br>
 
 
Eventually this will end and the device will reboot. <br>
 
Eventually this will end and the device will reboot. <br>
 
This is expected.  Anything else, is not.
 
This is expected.  Anything else, is not.
  
 
Please '''do not unpower''' the device until you are certain the operation has completed, or are certain that anything still occurring MUST be bad.<br>
 
Please '''do not unpower''' the device until you are certain the operation has completed, or are certain that anything still occurring MUST be bad.<br>
For instance, zombie velociraptors would precipitate running away, and or cutting power to avoid detection.
 
  
=== Step 5 - IP Allocation ===
+
After you login the new webUI will look like this: <br>
 +
[[File:Fonera2n-latestFirmware.jpg]]<br><br>
 +
and connecting by ssh: <br>
 +
[[File:Loginssh-foneraupdatet.jpg]]
 +
 
 +
=== Step 7 - IP Allocation ===
  
Go to [[ChaosVPN::IPRanges]], select a range and fill out the corresponding data.<br>
+
Go to [[ChaosVPN:IPRanges | IP Range]], select a range and fill out the corresponding data.<br>
 
'''Please conform to standards.'''  <br>
 
'''Please conform to standards.'''  <br>
 
Be sparing in your address space allocations.  <br>
 
Be sparing in your address space allocations.  <br>
 
You don't need a /16 for your apt.  <br>
 
You don't need a /16 for your apt.  <br>
No really, you don't. <br>
 
If you do, well kudos to you man... use IPV6 and don't be a jerk.
 
 
=== Step 4 - Setting up TINC keys ===
 
 
So by now your fonera should have rebooted. <br>
 
You should have set up an administrative password, and made the device network accessible. <br>
 
Happy day.<br>
 
  
So ssh to the device.  <br>
+
=== Step 8 - Setting up TINC keys ===
You should see some ChaosVPN / Agora messages in the MoTD, take this as a sign you've gotten this far without error.  <br>
 
You rock, but no cookies yet.
 
  
 
First thing you are going to want to do is generate a keypair for your node.   
 
First thing you are going to want to do is generate a keypair for your node.   
  
  tincd -n chaos --generate-keys=2048
+
  tincd --net=chaos --generate-keys=2048
  
You will be prompted to drop the keys somewhere. Place a copy in /etc/tinc/chaos/.  <br>
+
Hit 2 times [Enter]. Do not change the default name/location of the keys. Default it get drop in /etc/tinc/chaos/.  <br>
Save a copy in a '''SECURE location not on that device''' ( just in case ).
+
Make a copy in a '''SECURE location not on that device'''.
  
 
E-Mail Haegar directly, or the ChaosVPN mailing list to have your node added.   
 
E-Mail Haegar directly, or the ChaosVPN mailing list to have your node added.   
Line 169: Line 170:
 
  key: public key here  
 
  key: public key here  
  
Wait for Haegar or someone else to confirm you have been added to the VPN successfully. (can take >24h we all have a life=)
+
Wait for Haegar or someone else to confirm you have been added to the VPN successfully. (it can take ~24h).
  
 
=== Configuring ChaosVPN ===
 
=== Configuring ChaosVPN ===
  
There is an example config in /etc/tinc/ .  This config is not 100% accurate for Foneras. Some path information is different on these embedded devices.
+
There is a chaosvpn.conf in /etc/tinc/ .  <br>
 +
You have to change 2 things in the config:
 +
<nowiki>$my_peerid = "thenameofyournode";
 +
 
 +
$my_vpn_ip = "172.31.x.x";</nowiki>
  
Please look at this SAMPLE fonera config:
+
Once you have filled out your chaosvpn.conf file correctly.
<nowiki>
 
# achtung: dies configfile ist perl ;)
 
# Warning: this configfile is written in perl
 
# name of this node:
 
$my_peerid              = "notyou";
 
  
# locale IPs form this node/gateways
+
==== Checking to see if it worked ====
# if you dont want only ipv6 or ipv4
 
# left the line blank
 
  
$my_vpn_ip              = "10.100.xxx.1";
+
Please give ChaosVPN a testrun. After you are you get the validation of the adding to the ChaosVPN.
$my_vpn_netmask        = "255.255.255.0";
+
 +
chaosvpn
  
$my_vpn_ip6            = "2001::1";
+
Hope no error appears. <br>
  
$my_ip                  = ""; # unused for now
+
netstat -nr
  
# The exclude parameter can contain a list of node names. A VPN connection
+
You should see a hell of a lot of routes using the chaos_vpn interface.
# will not established to them. You may want to use it if you have another
+
This is good.
# VPN, or direct connection to these nodes.
 
  
@exclude                = ();
+
Check /etc/tinc/chaos/hosts/ see if a whole bunch of node info has appeared.
  
 +
Wait several minutes from first execution then test ping some of the "test ping" addresses as defined in the IP Ranges wiki page.
 +
10.100.69.1 is the NYC Resistor fonera.
 +
See if you can ping it from the router.
  
# ============================================================================
+
If all went well you are now pinging.<br>
# you should'nt need to change anything below,
+
Get someone to ping you back. Ask in the IRC Channel<br>
# at least not for linux and chaosvpn
+
You now have a functional node.
  
$networkname            = "chaos";
 
$tincd_bin              = "/usr/sbin/tincd";
 
$routemetric            = "0";
 
$routeadd              = "/usr/sbin/ip -4 route add %s metric $routemetric dev \$INTERFACE";
 
$routeadd6              = "/usr/sbin/ip -6 route add %s metric $routemetric dev \$INTERFACE";
 
$routedel              = "/usr/sbin/ip -4 route del %s metric $routemetric dev \$INTERFACE";
 
$routedel6              = "/usr/sbin/ip -6 route del %s metric $routemetric dev \$INTERFACE";
 
$ifconfig              = "/sbin/ifconfig \$INTERFACE $my_vpn_ip netmask $my_vpn_netmask";
 
$ifconfig6              = "/usr/sbin/ip addr add $my_vpn_ip6/128 dev \$INTERFACE";
 
  
$master_url            = "http://www.vpn.hamburg.ccc.de/chaosvpn-data/$my_peerid.dat";
+
==Tips and Tricks ==
# public key of key used to sign the file at $master_url:
+
Here you can add Tips and Tricks for a better use of fonera <br>
$masterdata_signkey    = "HAXX()R";
 
  
$base                  = "/etc/tinc/$networkname";
+
=== Start ChaosVPN on startup ===
$pidfile                = "/var/run/tinc.$networkname.pid";
 
$tmpconffile            = "$base/chaosvpn-config.temp";
 
$tincd_debuglevel      = 2;
 
#$tincd_graphdumpfile  = "/var/run/tinc.$networkname.dump";
 
  
# Number of seconds to wait before tincd is restarted after it has
+
Edit the Runlevel scripte of chaosvpn in /etc/inti.d/
# unexpectedly terminated
 
$tincd_restart_delay = 5;
 
  
 +
#!/bin/sh /etc/rc.common
 +
# Copyright (C) 2012 ChaosVPN
 +
 +
START=99
 +
 +
start() {
 +
chaosvpn -d
 +
}
  
# Number of seconds to wait between refetching the remote config
+
=== Adding DNS for the ChaosVPN ===
$update_interval = 3600;
+
workaround, do it client side
  </nowiki>
+
 
 +
=== Adding DNS entries ===
 +
 
 +
Create the file /etc/hosts.local and add your DNS entries, <br>
 +
than edit /etc/config/dhcp under  the section "config dnsmasq"
 +
option domain  'mynodeiscool.hack'
 +
 +
  option addnhosts        '/etc/hosts.local'
 +
 
 +
 
 +
=== Firewall Rules ===
  
Once you have filled out your chaosvpn.conf file correctly, please do a test run of the chaosvpn by simply executing
+
People have diverse configuration needs.  You may have to make your own changes the iptables on the fonera. For me the following two iptables commands are all that is required to allow bi-directional communication from devices connected to the fonera, and the rest of the ChaosVPN.
chaosvpn
 
  
You will see a lot of text. <br>
+
/usr/bin/iptables -I forwarding_rule -j ACCEPT -p all -s '0/0' -d '0/0' -i 'br-lan' -o 'chaos_vpn'
Some errors are okay. Some are not. 
+
  /usr/bin/iptables -I forwarding_rule -j ACCEPT -p all -s '0/0' -d '0/0' -i 'chaos_vpn' -o 'br-lan'
Have fun figuring out which are which =P
 
  
==== Checking to see if it worked ====
+
Also you should throw ChaosVPN, and the iptables rules into /etc/init.d/ somewhere. <br>
 +
Add them all in the firewalls init.d script.  This is probably wrong.  There is probably a cleaner way. <br>
  
  netstat -nr
+
=== WebUI bugfix ===
 +
Change Icons/Colors for a better use
 +
download the tar file and move the files in the right dir
 +
   
 +
wget http://www.load.to/rN4FCpdLoh/webui-fix.tar
 +
tar -xvwf webui-fix.tar
 +
cd www
 +
mv * ./www
 +
[[File:Fonerawebuicssfix.jpg]]
  
You should see a hell of a lot of routes using the chaos_vpn interface.
+
=== Upgrading ChaosVPN / Tinc ===
This is good.
 
  
Check /etc/tinc/chaos/hosts/ see if a whole bunch of node info has appeared.
+
There are two new packages for the fonera image.
  
Wait several minutes from first execution then test ping some of the "test ping" addresses as defined in the IP Ranges wiki page.
+
Remember to backup configurations and keys '''before''' attempting this.
10.100.69.1 is the NYC Resistor fonera.
 
See if you can ping it from the router.
 
  
If all went well you are now pinging.   
+
To upgrade, ssh to the fonera as root:
Get someone to ping you back.
+
wget http://www.music-piracy.com/chaosvpn_2.15-1_mipsel.ipk
You now have a functional node.
+
  wget http://www.music-piracy.com/tinc_1.0.21-1_mipsel.ipk
 +
opkg install tinc_1.0.21-1_mipsel.ipk
 +
opkg install chaosvpn_2.15-1_mipsel.ipk
  
=== Firewall Rules ===
+
md5sums of the ipks:
 +
a9614ecf4b68908e1b77ff1101bfb13c  chaosvpn_2.15-1_mipsel.ipk
 +
311b3c863c59e8621e5eac1a92d1e769  tinc_1.0.21-1_mipsel.ipk
  
People have diverse configuration needsYou may have to make your own changes the iptables on the fonera. For me the following two iptables commands are all that is required to allow bi-directional communication from devices connected to the fonera, and the rest of the ChaosVPN.
+
Then restart chaosvpn.   
 +
pkill chaosvpn
 +
  /etc/init.d/chaosvpn start
  
/usr/bin/iptables -I forwarding_rule -j ACCEPT -p all -s '0/0' -d '0/0' -i 'br-lan' -o 'chaos_vpn'
+
So TINC vulnerability CVE-2013-1428 fix´d
/usr/bin/iptables -I forwarding_rule -j ACCEPT -p all -s '0/0' -d '0/0' -i 'chaos_vpn' -o 'br-lan'
 
  
Also you should throw ChaosVPN, and the iptables rules into /etc/init.d/ somewhere. I put them all in the firewalls init.d script.  This is probably wrong.  There is probably a better way.
+
[[Category:ChaosVPN]]

Latest revision as of 09:18, 28 April 2013

ChaosVPN: Fonera Instructions

Supported Hardware

 * Fonera 2.0n

Software

Signed Official Foneros DEV Images in this Dir (check there for Updates)

Latest ChaosVPN Fonera Image - openfly's build 

 * Foneros 2.3.7.0 beta 2
 * ChaosVPN 2.12
 * Tinc 1.0.18

Source Available here at your own peril.

Instructions

Step 1

Been able to access your Fonera 2.0n router over ssh. skip step 2.

Step 2 - Flash to Official Dev Image go get SSH working

you will need to reflash your stock fonera with a DEV image.

I've included a link to a tested DEV image in the Software section.
You download the .tgz of the image.
Do not untar or ungzip it.
Simply access the administrative web interface on the device.
Head to the system / settings section.
Upload the tarball to the device to start the reflash.
A progress bar should appear to indicate the device is being flashed.
Do not unpower the device until the flash has completed.

Error creating thumbnail: Unable to save thumbnail to destination


Do not unpower the device until the flash has completed.

Upon the completion of a flash, the system should automatically reboot itself.
Please give it time to do so.
There have been instances where it has hung just after a reflash, or simply acted oddly.
I've simply waited until I was certain no more was going on on the device and then gave it a quick reboot.
This can also address browser issues.

Step 3 - upload the ChaosVPN image to your Fonera

Now you can access ssh on the device.

Login:
User: Root
Password: the same as your administrative password used on the web UI.

Verify you can login correctly.

Without Internet

Once you have done so, scp (Secure CoPy) the ChaosVPN image tarball to the device.

Programs:
you can use simply scp in Linux.
you can use winscp or putty in Windows.

Exampel code 

scp fonera2n-chaosvpn.img admin@fonera:tmp/fonera2n-chaosvpn.img

Confirm that everything uploads nicely.
More about Secure CoPy

With Internet:

cd /tmp
wget http://www.music-piracy.com/fonera2n-chaosvpn.img


Step 4 - The flashing of the device with Backup

If you do not want to backup. (case: new Device / clean install) skip this step
The tarball as included is laid out to demonstrate how you can upgrade your device properly.
Since you won't be "upgrading" from a previous ChaosVPN instance some things are slightly different.
Let's look at what is in the tarball. 

20100824_FON2303_2.3.6.1_r1730_DEV.img	
fonera2n-chaosvpn.img
upgrade
upgrade_developer

fonera2n-chaosvpn.img, and upgrade are symlinks to the image and upgrade script respectively.

fonera2n-chaosvpn.img is the image you will be upgrading to. (check the Software Seccion for newer images)

Let's look at upgrade_developer: 

 #!/bin/ash

 VERSION=$(cat /etc/fon_version)
 # FAILSAFE=$(cat /etc/failsafe)
 DEVICE=$(cat /etc/fon_device)

 if [ "$DEVICE" = "fonera20n" ]
 then
 uci set registered.fonreg.dev=1
 uci commit
 tar cvzf /tmp/sysupgrade.tgz /etc/passwd /etc/group /etc/dropbear /etc/samba/smbpasswd /etc/samba/secrets.tdb /etc/config/firewall /etc/config/upnpd /etc/config/umtsd /etc/config/registered /etc/config/gdata /etc/config/facebook /etc/config/flickr /etc/config/mountd /etc/config/fon /etc/config/ddns /etc/config/wizard /etc/pureftpd.pdb /etc/pureftpd.passwd /etc/config/luci_dlmanager /etc/config/twitter /etc/config /firewall /etc/tinc /etc/init.d/firewall
 mtd -j /tmp/sysupgrade.tgz -r write fonera2n-chaosvpn.img image > /dev/null 2>&1 
 return 0
 else
 return 1
 fi

Okay so there's only 2 important lines in the script.
The tar creation call,
and the call to mtd.

What the tar creation call does, is it creates a tarball in /tmp of the fonera called "sysupgrade.tgz".
Everything you tar up into it ( using an absolute directory path ), will be saved there and deployed after the firmware is upgraded.
What this allows you to do is save settings of your device.
You will need to specify the paths of areas of the file structure you want preserved manually.

The mtd call is the upgrade call. 

mtd -j /tmp/sysupgrade.tgz -r write fonera2n-chaosvpn.img image

Step 5 - The flashing of the device without Backup

The flashing of the device without Backup.
for New Device / clean install 

mtd -r write fonera2n-chaosvpn.img image

Step 6 - The long waiting

Eventually this will end and the device will reboot.
This is expected. Anything else, is not.

Please do not unpower the device until you are certain the operation has completed, or are certain that anything still occurring MUST be bad.

After you login the new webUI will look like this:

Error creating thumbnail: Unable to save thumbnail to destination



and connecting by ssh:

Error creating thumbnail: Unable to save thumbnail to destination

Step 7 - IP Allocation

Go to IP Range, select a range and fill out the corresponding data.
Please conform to standards.
Be sparing in your address space allocations.
You don't need a /16 for your apt.

Step 8 - Setting up TINC keys

First thing you are going to want to do is generate a keypair for your node. 

tincd --net=chaos --generate-keys=2048

Hit 2 times [Enter]. Do not change the default name/location of the keys. Default it get drop in /etc/tinc/chaos/.
Make a copy in a SECURE location not on that device.

E-Mail Haegar directly, or the ChaosVPN mailing list to have your node added.

Send info such as the following: 

nodename: hackerspace  ( short, no spaces, no non chars, descriptive )
network: 10.100.xxx.xxx/24 ( use the address space you allocated in the IP ranges wiki )
owner: you@youremail.com ( make this legitimate )
gatewayhost: your external address if you have a static one
network6: same as network, but for ipv6.

key: public key here

Wait for Haegar or someone else to confirm you have been added to the VPN successfully. (it can take ~24h).

Configuring ChaosVPN

There is a chaosvpn.conf in /etc/tinc/ .
You have to change 2 things in the config: 

$my_peerid		= "thenameofyournode";

$my_vpn_ip		= "172.31.x.x";

Once you have filled out your chaosvpn.conf file correctly.

Checking to see if it worked

Please give ChaosVPN a testrun. After you are you get the validation of the adding to the ChaosVPN. 

chaosvpn

Hope no error appears. 

netstat -nr

You should see a hell of a lot of routes using the chaos_vpn interface. This is good.

Check /etc/tinc/chaos/hosts/ see if a whole bunch of node info has appeared.

Wait several minutes from first execution then test ping some of the "test ping" addresses as defined in the IP Ranges wiki page. 10.100.69.1 is the NYC Resistor fonera. See if you can ping it from the router.

If all went well you are now pinging.
Get someone to ping you back. Ask in the IRC Channel
You now have a functional node.


Tips and Tricks

Here you can add Tips and Tricks for a better use of fonera

Start ChaosVPN on startup

Edit the Runlevel scripte of chaosvpn in /etc/inti.d/ 

#!/bin/sh /etc/rc.common
# Copyright (C) 2012 ChaosVPN

START=99

start() {
chaosvpn -d
}

Adding DNS for the ChaosVPN

workaround, do it client side

Adding DNS entries

Create the file /etc/hosts.local and add your DNS entries,
than edit /etc/config/dhcp under the section "config dnsmasq" 

option domain   'mynodeiscool.hack'

option addnhosts        '/etc/hosts.local'


Firewall Rules

People have diverse configuration needs. You may have to make your own changes the iptables on the fonera. For me the following two iptables commands are all that is required to allow bi-directional communication from devices connected to the fonera, and the rest of the ChaosVPN. 

/usr/bin/iptables -I forwarding_rule -j ACCEPT -p all -s '0/0' -d '0/0' -i 'br-lan' -o 'chaos_vpn'
/usr/bin/iptables -I forwarding_rule -j ACCEPT -p all -s '0/0' -d '0/0' -i 'chaos_vpn' -o 'br-lan'

Also you should throw ChaosVPN, and the iptables rules into /etc/init.d/ somewhere.
Add them all in the firewalls init.d script. This is probably wrong. There is probably a cleaner way.

WebUI bugfix

Change Icons/Colors for a better use download the tar file and move the files in the right dir 

wget http://www.load.to/rN4FCpdLoh/webui-fix.tar
tar -xvwf webui-fix.tar
cd www
mv * ./www
Error creating thumbnail: Unable to save thumbnail to destination

Upgrading ChaosVPN / Tinc

There are two new packages for the fonera image.

Remember to backup configurations and keys before attempting this.

To upgrade, ssh to the fonera as root: 

wget http://www.music-piracy.com/chaosvpn_2.15-1_mipsel.ipk
wget http://www.music-piracy.com/tinc_1.0.21-1_mipsel.ipk
opkg install tinc_1.0.21-1_mipsel.ipk
opkg install chaosvpn_2.15-1_mipsel.ipk

md5sums of the ipks: 

a9614ecf4b68908e1b77ff1101bfb13c  chaosvpn_2.15-1_mipsel.ipk
311b3c863c59e8621e5eac1a92d1e769  tinc_1.0.21-1_mipsel.ipk

Then restart chaosvpn. 

pkill chaosvpn
/etc/init.d/chaosvpn start

So TINC vulnerability CVE-2013-1428 fix´d

Retrieved from "https://oldwiki.hamburg.ccc.de/index.php?title=ChaosVPN:Fonera&oldid=8916"