Dieses Wiki ist ein Archiv bis 2023. Das aktuelle Wiki findet sich unter https://wiki.hamburg.ccc.de/
Difference between revisions of "ChaosVPN"
(→short term) |
(→long term) |
||
Line 59: | Line 59: | ||
That will be [http://wiki.hamburg.ccc.de/index.php/ChaosVPN#ChaosVPN_3.0 ChaosVPN 3.0] | That will be [http://wiki.hamburg.ccc.de/index.php/ChaosVPN#ChaosVPN_3.0 ChaosVPN 3.0] | ||
− | * Participants can fake network ranges my intention or mistake. (control informations inside tinc are not proper authentificated) | + | * Participants can fake network ranges my intention or mistake. (control informations inside tinc are not proper authentificated) (not true anymore with latest chaosvpn.git where we do not import infos from the tinc-network anymore (TunnelServer=yes)) |
* http://www.cs.auckland.ac.nz/~pgut001/pubs/linux_vpn.txt | * http://www.cs.auckland.ac.nz/~pgut001/pubs/linux_vpn.txt | ||
Revision as of 21:57, 18 January 2010
the big picture
What is this all about?
mc.fly will write some stuff about it. In case you have awesome ideas just add them.
A view on the connected nodes inside the ChaosVPN. Refreshed every minute: http://comyn.ainex.net/chaosvpn.png
ChaosVPN 2.0
redesign
The Rebuild of the ChaosVPN became nessesary at some point, as the vermittlung is blackholed. Furthermore we would like to put live back to the ChaosVPN and use it to interconnect the hackerspaces.
So we thought its a good time to redesign stuff. We will climb up to tinc 1.0.10.
software
An unfinshed Howto for Debian systems is available at Debian - users of other systems need to adapt it likewise, more documentation will hopefully follow in the future.
Config builder
Currently we are porting haegars script from perl to c and strip off curl and openssl, so it fits in a OpenWRT box.
OpenWRT Packages
Blogic will build a special OpenWRT package, which is called chaosvpn at the moment and a recent tinc 1.0.10 for that.
See also http://0x1.net/openwrt Packages may be in flux for awhile, if you have trouble with any of the binaries, email cjp.
Debian Packages
Haegar updated (backported) tinc 1.0.11 packages for debian. They are availible at:
- Debian Etch: http://debian.sdinet.de/etch/sdinet/tinc/
- Debian Lenny: http://debian.sdinet.de/lenny/sdinet/tinc/
I will also create Debian packages of the config builder once it is in a usable state.
ArchLinux
helios maintains an AUR-package: http://aur.archlinux.org/packages.php?ID=33307
sources
The source code repository is available at: http://github.com/ryd/chaosvpn
You can download the source with git
git clone git://github.com/ryd/chaosvpn.git
IP Ranges and Participants:
Please see IPRanges for more Infos.
wanted changes
short term
- clients don't have to authentificate themself - everybody can see the config.
- if admins are lazy and don't rebuild the config file properly we will have old routes in the network that don't dissapear (at least until the tinc is reconfigured and restarted) (not a problem anymore with a current .git snapshot, the problem will only affect the non-updating participant with it)
long term
tinc does have some problems. That is the reason why we want to replace that in the forseable future. That will be ChaosVPN 3.0
- Participants can fake network ranges my intention or mistake. (control informations inside tinc are not proper authentificated) (not true anymore with latest chaosvpn.git where we do not import infos from the tinc-network anymore (TunnelServer=yes))
- http://www.cs.auckland.ac.nz/~pgut001/pubs/linux_vpn.txt
ChaosVPN 3.0
ChaosVPN 1.0 (historic)
ChaosVPN 1.0 is obsolete, please see above for the next implementation.
TINC SETUP
At the moment the Hamburg ccc Erfa uses TINC together with some dirty perl-scripts, which are used to read the routes and peers.
For this Setup we have howtos for
Debian and Gentoo (in german).
Beginninig in 2003
(haegar:)
For me the whole setup with Openvpn was to complicated. It would take some time till its done and the scaling problems were forseable.
Therefore i took time today to get a working mini-solution with tinc running real quick.
The bigger issues with ip-submission and database are able to be added later without any big effort.
Most importand design goals were:
- data traffic between participants must not rely on the ccc infrastructure.
- failure of any parts of the infrastructure must not shut down the network completely
- no work needed for participants just because a new participant is joining or a old one quitting.
system requirements
- linux only first
- tinc is availible for nearly all unix variants and windows, but my perl script is only working on linux so far.
- perl with LWP and https support
- working dyndns hostname that conains the actual router-ip or static ip
Update 2006
Today (2006) i would implement things different than i did before, but when this happens is completely up in the stars.
Until there is a better setup we will use the old setup.