Dieses Wiki ist ein Archiv bis 2023. Das aktuelle Wiki findet sich unter https://wiki.hamburg.ccc.de/
Difference between revisions of "ChaosVPN:Fonera"
(→Step 1 - Flash to Official Dev Image: add some breaks for a better reading) |
(→Upgrading ChaosVPN / Tinc) |
||
(34 intermediate revisions by 5 users not shown) | |||
Line 7: | Line 7: | ||
== Software == | == Software == | ||
− | [http://download.fonosfera.org/LATEST/fonera2.0n-FON2300/ | + | [http://download.fonosfera.org/LATEST/fonera2.0n-FON2300/ Signed Official Foneros DEV Images in this Dir (check there for Updates)] |
− | [http://www. | + | [http://www.music-piracy.com/fonera2n-chaosvpn.img Latest ChaosVPN Fonera Image] - openfly's build |
− | * Foneros 2.3. | + | * Foneros 2.3.7.0 beta 2 |
− | * ChaosVPN 2. | + | * ChaosVPN 2.12 |
− | * Tinc 1.0. | + | * Tinc 1.0.18 |
[http://www.aculei.net/~mjoyce/chaosvpn/ Source Available here] at your own peril. | [http://www.aculei.net/~mjoyce/chaosvpn/ Source Available here] at your own peril. | ||
Line 19: | Line 19: | ||
== Instructions == | == Instructions == | ||
− | === Step 1 | + | === Step 1 === |
− | + | Been able to access your Fonera 2.0n router over ssh. | |
+ | skip step 2. | ||
− | I've included a link to a tested DEV image in the [[ | + | === Step 2 - Flash to Official Dev Image go get SSH working === |
+ | |||
+ | you will need to reflash your stock fonera with a DEV image.<br> | ||
+ | |||
+ | I've included a link to a tested DEV image in the [[ChaosVPN:Fonera#Software | Software section]]. <br> | ||
You download the .tgz of the image. <br> | You download the .tgz of the image. <br> | ||
'''Do not untar or ungzip it. ''' <br> | '''Do not untar or ungzip it. ''' <br> | ||
Line 30: | Line 35: | ||
Upload the tarball to the device to start the reflash. <br> | Upload the tarball to the device to start the reflash. <br> | ||
A progress bar should appear to indicate the device is being flashed. <br> | A progress bar should appear to indicate the device is being flashed. <br> | ||
− | '''Do not unpower the device until the flash has completed.''' <br> | + | '''Do not unpower the device until the flash has completed.''' <br> |
+ | [[File:800px-2.0n_2.3.0.0_Settings_System.png]]<br> | ||
+ | '''Do not unpower the device until the flash has completed.''' <br><br> | ||
+ | |||
Upon the completion of a flash, the system should automatically reboot itself. <br> | Upon the completion of a flash, the system should automatically reboot itself. <br> | ||
Please give it time to do so. <br> | Please give it time to do so. <br> | ||
Line 37: | Line 45: | ||
This can also address browser issues. | This can also address browser issues. | ||
− | === Step | + | === Step 3 - upload the ChaosVPN image to your Fonera === |
+ | |||
+ | Now you can access ssh on the device. <br> | ||
+ | <br> | ||
+ | '''Login:''' <br> | ||
+ | User: Root<br> | ||
+ | Password: the same as your administrative password used on the web UI.<br> | ||
+ | <br> | ||
+ | Verify you can login correctly. <br> | ||
+ | |||
+ | ==== Without Internet ==== | ||
+ | Once you have done so, scp (Secure CoPy) the ChaosVPN image tarball to the device. <br> | ||
+ | |||
+ | Programs:<br> | ||
+ | you can use simply scp in Linux. <br> | ||
+ | you can use winscp or putty in Windows. <br> | ||
− | + | Exampel code | |
+ | scp fonera2n-chaosvpn.img admin@fonera:tmp/fonera2n-chaosvpn.img | ||
− | + | Confirm that everything uploads nicely.<br> | |
+ | More about [https://secure.wikimedia.org/wikipedia/en/wiki/Secure_copy Secure CoPy] | ||
− | + | ==== With Internet: ==== | |
− | + | cd /tmp | |
− | + | wget http://www.music-piracy.com/fonera2n-chaosvpn.img | |
+ | |||
+ | |||
+ | === Step 4 - The flashing of the device with Backup === | ||
+ | If you do not want to backup. (case: new Device / clean install) skip this step<br> | ||
+ | The tarball as included is laid out to demonstrate how you can upgrade your device properly. <br> | ||
+ | Since you won't be "upgrading" from a previous ChaosVPN instance some things are slightly different. <br> | ||
+ | Let's look at what is in the tarball. | ||
+ | |||
+ | 20100824_FON2303_2.3.6.1_r1730_DEV.img | ||
+ | fonera2n-chaosvpn.img | ||
upgrade | upgrade | ||
upgrade_developer | upgrade_developer | ||
− | + | fonera2n-chaosvpn.img, and upgrade are symlinks to the image and upgrade script respectively. | |
− | + | fonera2n-chaosvpn.img is the image you will be upgrading to. (check the [[ChaosVPN:Fonera#Software | Software Seccion]] for newer images) | |
Let's look at upgrade_developer: | Let's look at upgrade_developer: | ||
Line 68: | Line 103: | ||
uci commit | uci commit | ||
tar cvzf /tmp/sysupgrade.tgz /etc/passwd /etc/group /etc/dropbear /etc/samba/smbpasswd /etc/samba/secrets.tdb /etc/config/firewall /etc/config/upnpd /etc/config/umtsd /etc/config/registered /etc/config/gdata /etc/config/facebook /etc/config/flickr /etc/config/mountd /etc/config/fon /etc/config/ddns /etc/config/wizard /etc/pureftpd.pdb /etc/pureftpd.passwd /etc/config/luci_dlmanager /etc/config/twitter /etc/config /firewall /etc/tinc /etc/init.d/firewall | tar cvzf /tmp/sysupgrade.tgz /etc/passwd /etc/group /etc/dropbear /etc/samba/smbpasswd /etc/samba/secrets.tdb /etc/config/firewall /etc/config/upnpd /etc/config/umtsd /etc/config/registered /etc/config/gdata /etc/config/facebook /etc/config/flickr /etc/config/mountd /etc/config/fon /etc/config/ddns /etc/config/wizard /etc/pureftpd.pdb /etc/pureftpd.passwd /etc/config/luci_dlmanager /etc/config/twitter /etc/config /firewall /etc/tinc /etc/init.d/firewall | ||
− | mtd -j /tmp/sysupgrade.tgz -r write | + | mtd -j /tmp/sysupgrade.tgz -r write fonera2n-chaosvpn.img image > /dev/null 2>&1 |
return 0 | return 0 | ||
else | else | ||
Line 75: | Line 110: | ||
</nowiki> | </nowiki> | ||
− | Okay so there's only 2 important lines in the script. The tar creation call, and the call to mtd. | + | Okay so there's '''only 2 important lines''' in the script. <br> |
+ | The '''tar''' creation call, <br> | ||
+ | and the call to '''mtd'''. <br> | ||
− | What the tar creation call does, is it creates a tarball in /tmp of the fonera called "sysupgrade.tgz". Everything you tar up into it ( using an absolute directory path ), will be saved there and deployed after the firmware is upgraded. | + | What the tar creation call does, is it creates a tarball in /tmp of the fonera called "sysupgrade.tgz". <br> |
+ | Everything you tar up into it ( using an absolute directory path ), will be saved there and deployed after the firmware is upgraded.<br> | ||
+ | What this allows you to do is save settings of your device.<br> | ||
+ | You will need to specify the paths of areas of the file structure you want preserved manually.<br> | ||
− | + | The mtd call is the upgrade call. | |
− | + | mtd -j /tmp/sysupgrade.tgz -r write fonera2n-chaosvpn.img image | |
− | + | === Step 5 - The flashing of the device without Backup === | |
− | + | ||
+ | The flashing of the device without Backup. <br> | ||
+ | for New Device / clean install | ||
− | + | mtd -r write fonera2n-chaosvpn.img image | |
− | + | === Step 6 - The long waiting === | |
− | |||
− | + | Eventually this will end and the device will reboot. <br> | |
− | + | This is expected. Anything else, is not. | |
− | + | Please '''do not unpower''' the device until you are certain the operation has completed, or are certain that anything still occurring MUST be bad.<br> | |
− | + | After you login the new webUI will look like this: <br> | |
+ | [[File:Fonera2n-latestFirmware.jpg]]<br><br> | ||
+ | and connecting by ssh: <br> | ||
+ | [[File:Loginssh-foneraupdatet.jpg]] | ||
− | === Step | + | === Step 7 - IP Allocation === |
− | + | Go to [[ChaosVPN:IPRanges | IP Range]], select a range and fill out the corresponding data.<br> | |
+ | '''Please conform to standards.''' <br> | ||
+ | Be sparing in your address space allocations. <br> | ||
+ | You don't need a /16 for your apt. <br> | ||
− | + | === Step 8 - Setting up TINC keys === | |
First thing you are going to want to do is generate a keypair for your node. | First thing you are going to want to do is generate a keypair for your node. | ||
− | + | tincd --net=chaos --generate-keys=2048 | |
− | tincd - | ||
− | + | Hit 2 times [Enter]. Do not change the default name/location of the keys. Default it get drop in /etc/tinc/chaos/. <br> | |
+ | Make a copy in a '''SECURE location not on that device'''. | ||
E-Mail Haegar directly, or the ChaosVPN mailing list to have your node added. | E-Mail Haegar directly, or the ChaosVPN mailing list to have your node added. | ||
Line 123: | Line 170: | ||
key: public key here | key: public key here | ||
− | Wait for Haegar or someone else to confirm you have been added to the VPN successfully. | + | Wait for Haegar or someone else to confirm you have been added to the VPN successfully. (it can take ~24h). |
=== Configuring ChaosVPN === | === Configuring ChaosVPN === | ||
− | There is | + | There is a chaosvpn.conf in /etc/tinc/ . <br> |
+ | You have to change 2 things in the config: | ||
+ | <nowiki>$my_peerid = "thenameofyournode"; | ||
+ | |||
+ | $my_vpn_ip = "172.31.x.x";</nowiki> | ||
+ | |||
+ | Once you have filled out your chaosvpn.conf file correctly. | ||
+ | |||
+ | ==== Checking to see if it worked ==== | ||
+ | |||
+ | Please give ChaosVPN a testrun. After you are you get the validation of the adding to the ChaosVPN. | ||
+ | |||
+ | chaosvpn | ||
+ | |||
+ | Hope no error appears. <br> | ||
− | + | netstat -nr | |
− | |||
− | |||
− | + | You should see a hell of a lot of routes using the chaos_vpn interface. | |
− | + | This is good. | |
− | + | Check /etc/tinc/chaos/hosts/ see if a whole bunch of node info has appeared. | |
− | |||
− | |||
− | |||
− | |||
− | + | Wait several minutes from first execution then test ping some of the "test ping" addresses as defined in the IP Ranges wiki page. | |
+ | 10.100.69.1 is the NYC Resistor fonera. | ||
+ | See if you can ping it from the router. | ||
− | + | If all went well you are now pinging.<br> | |
+ | Get someone to ping you back. Ask in the IRC Channel<br> | ||
+ | You now have a functional node. | ||
− | |||
− | |||
− | |||
− | + | ==Tips and Tricks == | |
+ | Here you can add Tips and Tricks for a better use of fonera <br> | ||
+ | === Start ChaosVPN on startup === | ||
− | + | Edit the Runlevel scripte of chaosvpn in /etc/inti.d/ | |
− | |||
− | |||
− | + | #!/bin/sh /etc/rc.common | |
− | + | # Copyright (C) 2012 ChaosVPN | |
− | + | ||
− | + | START=99 | |
− | + | ||
− | + | start() { | |
− | + | chaosvpn -d | |
− | + | } | |
− | |||
− | + | === Adding DNS for the ChaosVPN === | |
− | + | workaround, do it client side | |
− | |||
− | + | === Adding DNS entries === | |
− | |||
− | |||
− | |||
− | |||
− | + | Create the file /etc/hosts.local and add your DNS entries, <br> | |
− | + | than edit /etc/config/dhcp under the section "config dnsmasq" | |
− | + | option domain 'mynodeiscool.hack' | |
+ | |||
+ | option addnhosts '/etc/hosts.local' | ||
− | + | === Firewall Rules === | |
− | |||
− | |||
− | + | People have diverse configuration needs. You may have to make your own changes the iptables on the fonera. For me the following two iptables commands are all that is required to allow bi-directional communication from devices connected to the fonera, and the rest of the ChaosVPN. | |
− | |||
− | + | /usr/bin/iptables -I forwarding_rule -j ACCEPT -p all -s '0/0' -d '0/0' -i 'br-lan' -o 'chaos_vpn' | |
+ | /usr/bin/iptables -I forwarding_rule -j ACCEPT -p all -s '0/0' -d '0/0' -i 'chaos_vpn' -o 'br-lan' | ||
− | + | Also you should throw ChaosVPN, and the iptables rules into /etc/init.d/ somewhere. <br> | |
+ | Add them all in the firewalls init.d script. This is probably wrong. There is probably a cleaner way. <br> | ||
− | + | === WebUI bugfix === | |
+ | Change Icons/Colors for a better use | ||
+ | download the tar file and move the files in the right dir | ||
+ | |||
+ | wget http://www.load.to/rN4FCpdLoh/webui-fix.tar | ||
+ | tar -xvwf webui-fix.tar | ||
+ | cd www | ||
+ | mv * ./www | ||
+ | [[File:Fonerawebuicssfix.jpg]] | ||
− | + | === Upgrading ChaosVPN / Tinc === | |
− | + | There are two new packages for the fonera image. | |
− | + | Remember to backup configurations and keys '''before''' attempting this. | |
− | |||
− | + | To upgrade, ssh to the fonera as root: | |
+ | wget http://www.music-piracy.com/chaosvpn_2.15-1_mipsel.ipk | ||
+ | wget http://www.music-piracy.com/tinc_1.0.21-1_mipsel.ipk | ||
+ | opkg install tinc_1.0.21-1_mipsel.ipk | ||
+ | opkg install chaosvpn_2.15-1_mipsel.ipk | ||
− | + | md5sums of the ipks: | |
+ | a9614ecf4b68908e1b77ff1101bfb13c chaosvpn_2.15-1_mipsel.ipk | ||
+ | 311b3c863c59e8621e5eac1a92d1e769 tinc_1.0.21-1_mipsel.ipk | ||
− | + | Then restart chaosvpn. | |
+ | pkill chaosvpn | ||
+ | /etc/init.d/chaosvpn start | ||
− | + | So TINC vulnerability CVE-2013-1428 fix´d | |
− | |||
− | + | [[Category:ChaosVPN]] |
Latest revision as of 08:18, 28 April 2013
Contents
- 1 ChaosVPN: Fonera Instructions
- 1.1 Supported Hardware
- 1.2 Software
- 1.3 Instructions
- 1.3.1 Step 1
- 1.3.2 Step 2 - Flash to Official Dev Image go get SSH working
- 1.3.3 Step 3 - upload the ChaosVPN image to your Fonera
- 1.3.4 Step 4 - The flashing of the device with Backup
- 1.3.5 Step 5 - The flashing of the device without Backup
- 1.3.6 Step 6 - The long waiting
- 1.3.7 Step 7 - IP Allocation
- 1.3.8 Step 8 - Setting up TINC keys
- 1.3.9 Configuring ChaosVPN
- 1.4 Tips and Tricks
ChaosVPN: Fonera Instructions
Supported Hardware
* Fonera 2.0n
Software
Signed Official Foneros DEV Images in this Dir (check there for Updates)
Latest ChaosVPN Fonera Image - openfly's build
* Foneros 2.3.7.0 beta 2 * ChaosVPN 2.12 * Tinc 1.0.18
Source Available here at your own peril.
Instructions
Step 1
Been able to access your Fonera 2.0n router over ssh. skip step 2.
Step 2 - Flash to Official Dev Image go get SSH working
you will need to reflash your stock fonera with a DEV image.
I've included a link to a tested DEV image in the Software section.
You download the .tgz of the image.
Do not untar or ungzip it.
Simply access the administrative web interface on the device.
Head to the system / settings section.
Upload the tarball to the device to start the reflash.
A progress bar should appear to indicate the device is being flashed.
Do not unpower the device until the flash has completed.
Do not unpower the device until the flash has completed.
Upon the completion of a flash, the system should automatically reboot itself.
Please give it time to do so.
There have been instances where it has hung just after a reflash, or simply acted oddly.
I've simply waited until I was certain no more was going on on the device and then gave it a quick reboot.
This can also address browser issues.
Step 3 - upload the ChaosVPN image to your Fonera
Now you can access ssh on the device.
Login:
User: Root
Password: the same as your administrative password used on the web UI.
Verify you can login correctly.
Without Internet
Once you have done so, scp (Secure CoPy) the ChaosVPN image tarball to the device.
Programs:
you can use simply scp in Linux.
you can use winscp or putty in Windows.
Exampel code
scp fonera2n-chaosvpn.img admin@fonera:tmp/fonera2n-chaosvpn.img
Confirm that everything uploads nicely.
More about Secure CoPy
With Internet:
cd /tmp wget http://www.music-piracy.com/fonera2n-chaosvpn.img
Step 4 - The flashing of the device with Backup
If you do not want to backup. (case: new Device / clean install) skip this step
The tarball as included is laid out to demonstrate how you can upgrade your device properly.
Since you won't be "upgrading" from a previous ChaosVPN instance some things are slightly different.
Let's look at what is in the tarball.
20100824_FON2303_2.3.6.1_r1730_DEV.img fonera2n-chaosvpn.img upgrade upgrade_developer
fonera2n-chaosvpn.img, and upgrade are symlinks to the image and upgrade script respectively.
fonera2n-chaosvpn.img is the image you will be upgrading to. (check the Software Seccion for newer images)
Let's look at upgrade_developer:
#!/bin/ash VERSION=$(cat /etc/fon_version) # FAILSAFE=$(cat /etc/failsafe) DEVICE=$(cat /etc/fon_device) if [ "$DEVICE" = "fonera20n" ] then uci set registered.fonreg.dev=1 uci commit tar cvzf /tmp/sysupgrade.tgz /etc/passwd /etc/group /etc/dropbear /etc/samba/smbpasswd /etc/samba/secrets.tdb /etc/config/firewall /etc/config/upnpd /etc/config/umtsd /etc/config/registered /etc/config/gdata /etc/config/facebook /etc/config/flickr /etc/config/mountd /etc/config/fon /etc/config/ddns /etc/config/wizard /etc/pureftpd.pdb /etc/pureftpd.passwd /etc/config/luci_dlmanager /etc/config/twitter /etc/config /firewall /etc/tinc /etc/init.d/firewall mtd -j /tmp/sysupgrade.tgz -r write fonera2n-chaosvpn.img image > /dev/null 2>&1 return 0 else return 1 fi
Okay so there's only 2 important lines in the script.
The tar creation call,
and the call to mtd.
What the tar creation call does, is it creates a tarball in /tmp of the fonera called "sysupgrade.tgz".
Everything you tar up into it ( using an absolute directory path ), will be saved there and deployed after the firmware is upgraded.
What this allows you to do is save settings of your device.
You will need to specify the paths of areas of the file structure you want preserved manually.
The mtd call is the upgrade call.
mtd -j /tmp/sysupgrade.tgz -r write fonera2n-chaosvpn.img image
Step 5 - The flashing of the device without Backup
The flashing of the device without Backup.
for New Device / clean install
mtd -r write fonera2n-chaosvpn.img image
Step 6 - The long waiting
Eventually this will end and the device will reboot.
This is expected. Anything else, is not.
Please do not unpower the device until you are certain the operation has completed, or are certain that anything still occurring MUST be bad.
After you login the new webUI will look like this:
and connecting by ssh:
Step 7 - IP Allocation
Go to IP Range, select a range and fill out the corresponding data.
Please conform to standards.
Be sparing in your address space allocations.
You don't need a /16 for your apt.
Step 8 - Setting up TINC keys
First thing you are going to want to do is generate a keypair for your node.
tincd --net=chaos --generate-keys=2048
Hit 2 times [Enter]. Do not change the default name/location of the keys. Default it get drop in /etc/tinc/chaos/.
Make a copy in a SECURE location not on that device.
E-Mail Haegar directly, or the ChaosVPN mailing list to have your node added.
Send info such as the following:
nodename: hackerspace ( short, no spaces, no non chars, descriptive ) network: 10.100.xxx.xxx/24 ( use the address space you allocated in the IP ranges wiki ) owner: you@youremail.com ( make this legitimate ) gatewayhost: your external address if you have a static one network6: same as network, but for ipv6.
key: public key here
Wait for Haegar or someone else to confirm you have been added to the VPN successfully. (it can take ~24h).
Configuring ChaosVPN
There is a chaosvpn.conf in /etc/tinc/ .
You have to change 2 things in the config:
$my_peerid = "thenameofyournode"; $my_vpn_ip = "172.31.x.x";
Once you have filled out your chaosvpn.conf file correctly.
Checking to see if it worked
Please give ChaosVPN a testrun. After you are you get the validation of the adding to the ChaosVPN.
chaosvpn
Hope no error appears.
netstat -nr
You should see a hell of a lot of routes using the chaos_vpn interface. This is good.
Check /etc/tinc/chaos/hosts/ see if a whole bunch of node info has appeared.
Wait several minutes from first execution then test ping some of the "test ping" addresses as defined in the IP Ranges wiki page. 10.100.69.1 is the NYC Resistor fonera. See if you can ping it from the router.
If all went well you are now pinging.
Get someone to ping you back. Ask in the IRC Channel
You now have a functional node.
Tips and Tricks
Here you can add Tips and Tricks for a better use of fonera
Start ChaosVPN on startup
Edit the Runlevel scripte of chaosvpn in /etc/inti.d/
#!/bin/sh /etc/rc.common # Copyright (C) 2012 ChaosVPN START=99 start() { chaosvpn -d }
Adding DNS for the ChaosVPN
workaround, do it client side
Adding DNS entries
Create the file /etc/hosts.local and add your DNS entries,
than edit /etc/config/dhcp under the section "config dnsmasq"
option domain 'mynodeiscool.hack' option addnhosts '/etc/hosts.local'
Firewall Rules
People have diverse configuration needs. You may have to make your own changes the iptables on the fonera. For me the following two iptables commands are all that is required to allow bi-directional communication from devices connected to the fonera, and the rest of the ChaosVPN.
/usr/bin/iptables -I forwarding_rule -j ACCEPT -p all -s '0/0' -d '0/0' -i 'br-lan' -o 'chaos_vpn' /usr/bin/iptables -I forwarding_rule -j ACCEPT -p all -s '0/0' -d '0/0' -i 'chaos_vpn' -o 'br-lan'
Also you should throw ChaosVPN, and the iptables rules into /etc/init.d/ somewhere.
Add them all in the firewalls init.d script. This is probably wrong. There is probably a cleaner way.
WebUI bugfix
Change Icons/Colors for a better use download the tar file and move the files in the right dir
wget http://www.load.to/rN4FCpdLoh/webui-fix.tar tar -xvwf webui-fix.tar cd www mv * ./www
Upgrading ChaosVPN / Tinc
There are two new packages for the fonera image.
Remember to backup configurations and keys before attempting this.
To upgrade, ssh to the fonera as root:
wget http://www.music-piracy.com/chaosvpn_2.15-1_mipsel.ipk wget http://www.music-piracy.com/tinc_1.0.21-1_mipsel.ipk opkg install tinc_1.0.21-1_mipsel.ipk opkg install chaosvpn_2.15-1_mipsel.ipk
md5sums of the ipks:
a9614ecf4b68908e1b77ff1101bfb13c chaosvpn_2.15-1_mipsel.ipk 311b3c863c59e8621e5eac1a92d1e769 tinc_1.0.21-1_mipsel.ipk
Then restart chaosvpn.
pkill chaosvpn /etc/init.d/chaosvpn start
So TINC vulnerability CVE-2013-1428 fix´d