This wiki is an archive up to 2023. The current wiki can be found at https://wiki.hamburg.ccc.de/

Difference between revisions of "ChaosVPN:OpenWRTHowto"

From CCCHHWiki
(5. Lift off)
Line 24: Line 24:
 
{{Template:ChaosVPNMailit}}
 
{{Template:ChaosVPNMailit}}
  
= 1. Preparations =
+
= Preparations =
In five steps. Really.
+
so get ready. Read the full Howto befor you start!
 +
 
 
== 1. Get Started ==
 
== 1. Get Started ==
* Unpack your Router and power on
+
Unpack your Router and power on <br>
* Connect wired or wireless (use information provided with your router: manual/quick install guide)  
+
Connect wired or wireless (use information provided with your router: manual/quick install guide) <br>
* Go directly to your routers Webinterface (192.168.1.1 or 192.168.178.1) and search for something like ''System -> Firmware Upgrade''
+
Go directly to your routers Webinterface (192.168.1.1 or 192.168.178.1) and search for something like ''System -> Firmware Upgrade'' <br>
* (There is no need to change any of the configuration)
+
(There is no need to change any of the configuration)
  
 
== 2. Install OpenWRT ==
 
== 2. Install OpenWRT ==
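Review bot: the new '= Preparations =' heading drops the '1.' prefix while '= 2. Configure a Moonlander =' further down in this revision keeps its number, so the top-level numbering becomes inconsistent; either keep '= 1. Preparations =' or renumber the Moonlander heading as well. The added line 'so get ready. Read the full Howto befor you start!' should read 'before' and start with a capital letter. Converting the '*' bullets of the Get Started steps into '<br>'-separated sentences loses the list structure that made them readable as discrete steps.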
Line 36: Line 37:
  
 
== 3. Start and Setup OpenWRT ==
 
== 3. Start and Setup OpenWRT ==
* Restart the network connection between PC <-> Router
+
Restart the network connection between PC <-> Router <br>
* <pre>telnet 192.168.1.1</pre>
+
Connect via telnet and change your root password
* <pre>passwd #set a root password </pre>
+
 
* REMEMBER IT
+
telnet 192.168.1.1  
* Connect the yellow (WAN) port on your router to current infrastructure
+
passwd #set a root password  
  
* Go to Webinterface at 192.168.1.1
+
Connect the (WAN) port on your router to current infrastructure <br>
* Go to ''Network -> Interfaces'' and activate WAN Connection with DHCP or your custom internet configuration
+
Go to the Webinterface via Browser ''Network -> Interfaces'' and activate WAN Connection with DHCP or your custom internet configuration <br>
* Navigate to ''System -> Software'' and press ''Update Lists''
+
Navigate to ''System -> Software'' and press ''Update Lists'' Press ''Available Software'' Search for ChaosVPN and press ''install'' <br>
* Press ''Available Software'' tab and select ''C''
 
* Search for ChaosVPN and press ''install''
 
 
(I did also install ''screen'' at this point)
 
(I did also install ''screen'' at this point)
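Review bot: the added line 'Navigate to System -> Software and press Update Lists Press Available Software Search for ChaosVPN and press install' runs three steps together with no punctuation; keep them as separate sentences or list items. Dropping '* REMEMBER IT' removes the only reminder to keep the root password set with 'passwd', which the next section needs for 'ssh root@192.168.1.1' once telnet is gone. The step order itself, setting the root password over telnet before the WAN port is connected to the existing infrastructure, is right and should stay as it is.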
  
Line 60: Line 59:
 
  $my_vpn_ip = 172.31.<your Subnet>.[1-255]
 
  $my_vpn_ip = 172.31.<your Subnet>.[1-255]
  
Copy over your public/private keypairs to your OpenWRT Box /etc/tinc/chaos/
+
Copy over your public/private keypairs to your router /etc/tinc/chaos/
  
 
== 5. Lift off ==
 
== 5. Lift off ==
start chaosvpn
+
start chaosvpn with:
 +
 
 
  /etc/init.de/chaosvpn start
 
  /etc/init.de/chaosvpn start
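Review bot: '/etc/init.de/chaosvpn start' is left unchanged here but is a typo in both the old and the new text: OpenWRT init scripts live under /etc/init.d/, so the command should read '/etc/init.d/chaosvpn start'. The wording change from 'OpenWRT Box' to 'router' is fine.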
  
Line 75: Line 75:
 
Check /etc/tinc/chaos/hosts/ see if a whole bunch of node info has appeared.
 
Check /etc/tinc/chaos/hosts/ see if a whole bunch of node info has appeared.
  
Wait several minutes from first execution then test ping some of the "test ping" addresses as defined in the IP Ranges wiki page.
+
Wait several minutes from first execution then test ping some of the "test ping" addresses as defined in the IP Ranges wiki page. <br>
10.100.69.1 is the NYC Resistor fonera.
+
10.100.69.1 is the NYC Resistor fonera. See if you can ping it from the router.
See if you can ping it from the router.
 
  
 
If all went well you are now pinging.<br>  
 
If all went well you are now pinging.<br>  
Line 85: Line 84:
 
= 2. Configure a Moonlander =
 
= 2. Configure a Moonlander =
 
While building a ChaosVPN-only access node, use either Webclient or [[http://wiki.openwrt.org/doc/howto/generic.backup | Console Backup]] continously
 
While building a ChaosVPN-only access node, use either Webclient or [[http://wiki.openwrt.org/doc/howto/generic.backup | Console Backup]] continously
 +
 
== 1. Add Interface for [[ChaosVPN]] ==
 
== 1. Add Interface for [[ChaosVPN]] ==
* Go to ''Network -> Interfaces''
+
* go to ''Network -> Interfaces''
* Klick ''Add new interface..'' Button at the bottom of the page
+
* click ''Add new interface..'' Button at the bottom of the page
* Type ''ChaosVPN'' into name field  
+
* enter ''ChaosVPN'' into name field  
* Select ''Unmanaged''
+
* select ''Unmanaged''
* Select ''Ethernet Adapter: "chaos_vpn"''
+
* select ''Ethernet Adapter: "chaos_vpn"''
* Save
+
* save
  
 
== 2. Add Zone for [[ChaosVPN]] ==
 
== 2. Add Zone for [[ChaosVPN]] ==
* Go to ''Network -> Firewall''
+
* go to ''Network -> Firewall''
* In the ''Zones'' Tab, klick ''Add''
+
* in the ''Zones'' Tab, klick ''Add''
* Type ''ChaosVPN'' into name field
+
* enter ''ChaosVPN'' into name field
* At ''Covered Networks'' select ''ChaosVPN''
+
* for ''Covered Networks'' select ''ChaosVPN''
  
  
 
== 3. Make WLAN an [[ChaosVPN]] only AP ==
 
== 3. Make WLAN an [[ChaosVPN]] only AP ==
=== Caution! Pozor! ===
+
 
 
# '''The following is varies with your persional use case - please post your configuration with an short description if you like'''
 
# '''The following is varies with your persional use case - please post your configuration with an short description if you like'''
 
# The default WAN will be still reachable via wired network.
 
# The default WAN will be still reachable via wired network.
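Review bot: the edit lowercases 'Klick' to 'click' in the 'Add new interface..' step but leaves 'klick' in the Zones step of the same hunk ('* in the ''Zones'' Tab, klick ''Add'''); make it 'click' there too. Unchanged lines still carry 'continously' (continuously), 'The following is varies' (varies), 'persional' (personal) and 'an short' (a short). The link '[[http://wiki.openwrt.org/doc/howto/generic.backup | Console Backup]]' uses double brackets for an external URL, which is why the rendered page shows '[| Console Backup]'; an external link needs single brackets.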
Line 108: Line 108:
 
# '''Pressing save will only cache the setting - press ''apply'' to make sure settings are set'''
 
# '''Pressing save will only cache the setting - press ''apply'' to make sure settings are set'''
  
 +
=== Setup ===
 +
* go to ''Network -> Interfaces''
 +
* click ''Add new interface''
 +
* enter ''wlan'' into name field
 +
* select ''Static address''
 +
* check ''Create a bridge'' if you like to bridge 2.4GhZ and 5GhZ
 +
* select (both) wlan devices
  
* Go to ''Network -> Interfaces''
+
* In the Edit mask
* Klick ''Add new interface''
+
IPv4 Address: 172.31.<your subnet>.[1-255] //this have to not be the ip of chaosvpn device!
* Type ''wlan'' into name field
+
Netmask: 255.255.255.0
* Select ''Static address''
 
* Check ''Create a bridge'' if you like to bridge 2.4GhZ and 5GhZ
 
* Select (both) wlan devices
 
 
 
 
 
* In Edit mask
 
*<pre> IPv4 Address: 172.31.<your subnet>.[1-255] //this must not be the ip of chaosvpn device!</pre>
 
 
 
* <pre>Netmask: 255.255.255.0</pre>
 
  
  
* Add a DHCP Server to server some addresses in range 100-150
+
Add a DHCP Server to server some addresses in range 100-150 ''Advanced Settings'' to propagate internal nameservers <br>
* ''Advanced Settings'' to propagate internal nameservers
+
DHCP Options: 6,172.31.116.1,195.24.78.86,172.22.228.6
*<pre>DHCP Options: 6,172.31.116.1,195.24.78.86,172.22.228.6</pre>
 
  
* Go to ''Network -> Firewall''
+
* go to ''Network -> Firewall''
* In the ''Zones'' Tab, klick ''Add''
+
* in the ''Zones'' Tab, klick ''Add''
* Type ''wlan'' into name field
+
* enter ''wlan'' into name field
* At ''Covered Networks'' select ''wlan'' device
+
* at ''Covered Networks'' select ''wlan'' device
* Check ''Allow forward to destination zones: ChaosVPN''
+
* check ''Allow forward to destination zones: ChaosVPN''
 +
ping irc.hackint.hack
  
== 4. Save & Apply & ReConnect & ReBoot | ReTry ==
 
* <pre>ping irc.hackint.hack</pre>
 
 
* tests your successful landing with stable communication uplink
 
* tests your successful landing with stable communication uplink
  
 
... to be continued
 
... to be continued
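Review bot: the added 'IPv4 Address: 172.31.<your subnet>.[1-255] //this have to not be the ip of chaosvpn device!' replaces the old 'this must not be the ip', which was the correct wording; restore 'must not be'. The 'DHCP Options: 6,172.31.116.1,195.24.78.86,172.22.228.6' line hard-codes nameserver addresses from the author's own setup without saying so; label them as the author's example resolvers so readers substitute their own. The added 'ping irc.hackint.hack' line lands above the '== 4. Save & Apply & ReConnect & ReBoot | ReTry ==' heading, so the test command now sits at the end of the firewall steps rather than under the test step it belongs to.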

Revision as of 15:39, 25 April 2012

This is a Howto for setting up an independent box providing ChaosVPN.


-1. Introduction

If someone knows about OpenWRT compiling/packages and is interested in ChaosVPN - contact User:Waldmeister.

As of 2012-04-14

The only problem is that the ChaosVPN version in OpenWRT is almost 2 years
old, and quite a lot has happened since then.
(OpenWRT trunk has v2.0, current is v2.0.12)

c'ya
haegar

0. Fulfil Requirements

  • Buy hardware from this list
  • You have to read the basic Howto precisely
  • generate your keys, choose nodename and subnet and send pubkey to ChaosVPN team

Get your new node added to the central configuration

Devise a network-nick and a unique IP range you will be using

This network-nick (sometimes called nodename) is the name of the network endpoint/gateway where the VPN software will be running,
not necessarily the name of the user; there may even be more than one gateway per user.

Used below where <nodename> is.

Please use only characters a-z, 0-9 and _ in it. Note that only lowercase letters are supported.

Second please select an unused IPv4 range out of IP Range, and write yourself down in that wiki page to mark your future range as in-use.
Please select from the correct ranges, 172.31.*.* for Europe, and 10.100.*.* for North America and elsewhere.

Repeat: Please do not forget to add yourself to the list at IP Range to mark your range as used.

Used below where <ipv4 subnet in the vpn> is.

The usage of IPv6 networks is also possible, but we do not have a central range for this (yet),
you may specify an IPv6 range you received from your (tunnel) provider to be reachable over the VPN,
or a private IPv6 ULA (Unique Local Address) network described in RFC4193.
For more info about ULA and a network-range generator please also see http://www.sixxs.net/tools/grh/ula/ .

Used below where <ipv6 subnet in the vpn> is.

Hostname

The gateway may have a DynDNS (or similar) hostname pointing to a dynamic IP, or a static hostname/fixed IP.

Better supply a hostname than a raw IP address even if it is static, so you can change it yourself and do not need to contact us when needed. (Perhaps something like chaosvpn.yourdomain.example)

Used below where <clienthost> is.

Generate keys

Generate keys with tinc 1.1+

# tinc --net=chaos init <nodename>

Replace <nodename> with the name your new node should get.

**FIXME** need some way that "tinc init" puts the public key into the separate files and not only into the generated hosts file, which our chaosvpn daemon overwrites.

generate public/private RSA and ECDSA keypairs with

# tinc --net=chaos generate-keys 2048

press Enter 4 times and backup the files /etc/tinc/chaos/ecdsa_key.priv, ecdsa_key.pub, rsa_key.priv and rsa_key.pub on an external device.

Generate keys with tinc 1.0.xx

create chaos config folder with

# mkdir /etc/tinc/chaos/

generate public/private keypairs with

# tincd --net=chaos --generate-keys=2048

press Enter 2 times and backup the files /etc/tinc/chaos/rsa_key.priv and rsa_key.pub on an external device.

Mail us your Infos

  • send via email to chaosvpn-join@hamburg.ccc.de

We need the following info - but please be so kind and also add a short description of you/your space and your motivation to join chaosvpn - or at least make us laugh. :)

(Please remove all lines starting with # from the email, they are just descriptions)

[<nodename>]

sponsor=
# Name a person/nickname/nodename or organisation/hackerspace already on ChaosVPN that will
# vouch for you getting access.

gatewayhost=<clienthost>
# This should be the external hostname or ip address of the client host, not a VPN address.
# If the client is not reachable over the internet leave it out and set hidden=1 below.
# If possible supply a hostname (even dyndns) and not an ip address for easier changing
# from your side without touching the central config.

network=<ipv4 subnet in the vpn>
network6=<ipv6 subnet in the vpn>
# (mandatory, must include)
# this may be more than one, IPv4 or IPv6, network6 with  IPv6 is optional
#
# These subnets must be unique in our vpn,
# simply renumber your home network (or use something like NETMAP) with a network block that is still free.
#
# Please use the list of assigned networks on ChaosVPN:IPRanges, and add yourself there.

owner=
# (mandatory, must include)
# Admin of the VPN gateway, with email address - a way to contact the responsible
# person in case of problems with your network link.

port=4712
# (optional)
# if not specified tinc works on tcp+udp port 655
# it is better if everyone chooses a random port for this.
# either this specified port or port 655 should accept TCP and UDP traffic from internet.

hidden=0
# (optional)
# "I cannot accept inbound tunnel connections, I can only connect out."
# (e.g. behind a NAT)
silent=0
# (optional)
# "I cannot connect out, but you can connect to me."
# Only ONE of hidden=1 or silent=1 is possible. 

Ed25519PublicKey=<something>
# (optional)
# tinc 1.1pre11+ only, contents of your /etc/tinc/chaos/ed25519_key.pub

-----BEGIN RSA PUBLIC KEY-----
....
-----END RSA PUBLIC KEY-----
# (mandatory)
# rsa-public-key - contents of your /etc/tinc/chaos/rsa_key.pub


Await the response and give us some days; your request is processed manually.

Retry until $success or $reject - but do not spam us.
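The request block above is a small key=value format with '#' description lines and an RSA public key block at the end. The following checker is an added example and is not part of the wiki page or of the chaosvpn tooling; it parses such a request and tests the rules the page states (lowercase nodename of a-z, 0-9 and _, IPv4 range inside 172.31.0.0/16 or 10.100.0.0/16, mandatory network= and owner=, at most one of hidden=1/silent=1, a delimited RSA key block). The sample request, its nodename, addresses and key text are constructed placeholders.

```python
"""Parser and sanity checker for a ChaosVPN join request (added example)."""
import ipaddress
import re

NODENAME_RE = re.compile(r"^[a-z0-9_]+$")
# Ranges the page assigns: 172.31.*.* for Europe, 10.100.*.* for North America and elsewhere
ALLOWED_V4 = (ipaddress.ip_network("172.31.0.0/16"), ipaddress.ip_network("10.100.0.0/16"))

# Constructed sample request; nodename, addresses and key text are placeholders.
SAMPLE_REQUEST = """\
[examplespace]
sponsor=someone_already_on_chaosvpn
# lines starting with # are descriptions and must be removed from the mail
gatewayhost=chaosvpn.yourdomain.example
network=172.31.200.0/24
owner=Example Admin <admin@yourdomain.example>
port=4712
hidden=0
silent=0
-----BEGIN RSA PUBLIC KEY-----
placeholder_base64_not_a_real_key
-----END RSA PUBLIC KEY-----
"""


def parse_request(text):
    """Return (nodename, {key: [values]}, key_lines); '#' lines and blanks are ignored."""
    nodename, settings, key_lines, in_key = None, {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if in_key:  # copy the key block verbatim up to its END marker
            key_lines.append(line)
            if line == "-----END RSA PUBLIC KEY-----":
                in_key = False
            continue
        if not line or line.startswith("#"):
            continue
        if line == "-----BEGIN RSA PUBLIC KEY-----":
            in_key = True
            key_lines.append(line)
            continue
        section = re.fullmatch(r"\[(.*)\]", line)
        if section:
            nodename = section.group(1)
            continue
        if "=" in line:  # keys such as network= may repeat, so collect lists
            key, value = line.split("=", 1)
            settings.setdefault(key.strip(), []).append(value.strip())
    return nodename, settings, key_lines


def check_request(text):
    """Return a list of problems; an empty list means the request passes the page's rules."""
    nodename, settings, key_lines = parse_request(text)
    problems = []
    if not nodename or not NODENAME_RE.match(nodename):
        problems.append("nodename must use only a-z, 0-9 and _ (lowercase)")
    for required in ("network", "owner"):
        if required not in settings:
            problems.append(f"{required}= is mandatory")
    for net in settings.get("network", []):
        try:
            block = ipaddress.ip_network(net, strict=True)  # rejects host bits set
        except ValueError:
            problems.append(f"network={net} is not a valid CIDR block")
            continue
        if block.version == 4 and not any(block.subnet_of(a) for a in ALLOWED_V4):
            problems.append(f"network={net} is outside 172.31.0.0/16 and 10.100.0.0/16")
    for net in settings.get("network6", []):
        try:
            if ipaddress.ip_network(net, strict=True).version != 6:
                problems.append(f"network6={net} is not an IPv6 block")
        except ValueError:
            problems.append(f"network6={net} is not a valid CIDR block")
    hidden = settings.get("hidden", ["0"])[-1]
    silent = settings.get("silent", ["0"])[-1]
    if hidden == "1" and silent == "1":
        problems.append("only one of hidden=1 or silent=1 is possible")
    if hidden != "1" and "gatewayhost" not in settings:
        problems.append("gatewayhost= is needed unless hidden=1")
    port = settings.get("port", ["655"])[-1]  # tinc default port when unspecified
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append(f"port={port} is not a valid TCP/UDP port")
    if (len(key_lines) < 3 or key_lines[0] != "-----BEGIN RSA PUBLIC KEY-----"
            or key_lines[-1] != "-----END RSA PUBLIC KEY-----"):
        problems.append("RSA public key block is missing or not properly delimited")
    return problems


if __name__ == "__main__":
    print(check_request(SAMPLE_REQUEST) or "request looks fine")
```

Running the checker before sending the mail catches the errors the page warns about (uppercase letters in the nodename, a range outside the assigned blocks, both hidden=1 and silent=1) without waiting days for a manual reply.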

Preparations

So get ready. Read the full Howto before you start!

1. Get Started

Unpack your Router and power on
Connect wired or wireless (use information provided with your router: manual/quick install guide)
Go directly to your router's web interface (192.168.1.1 or 192.168.178.1) and search for something like System -> Firmware Upgrade
(There is no need to change any of the configuration)

2. Install OpenWRT

Follow the install guide on the OpenWRT Wiki

3. Start and Setup OpenWRT

Restart the network connection between PC <-> Router
Connect via telnet and change your root password

telnet 192.168.1.1 
passwd #set a root password 

Connect the (WAN) port on your router to current infrastructure
Go to the Webinterface via Browser Network -> Interfaces and activate WAN Connection with DHCP or your custom internet configuration
Navigate to System -> Software and press Update Lists. Press Available Software, search for ChaosVPN and press install
(I did also install screen at this point)

4. Prepare for launch

Connect to your device with SSH

ssh root@192.168.1.1 

telnet won't work anymore.

Edit chaosvpn.conf in /etc/tinc/:

$my_peerid = <nodename>

$my_vpn_ip = 172.31.<your Subnet>.[1-255]

Copy over your public/private keypairs to your router /etc/tinc/chaos/

5. Lift off

Start chaosvpn with:

/etc/init.d/chaosvpn start

Hope no error appears.

netstat -nr

You should see a hell of a lot of routes using the chaos_vpn interface. This is good.

Check /etc/tinc/chaos/hosts/ and see if a whole bunch of node info has appeared.

Wait several minutes after the first execution, then test-ping some of the "test ping" addresses as defined in the IP Ranges wiki page.
10.100.69.1 is the NYC Resistor fonera. See if you can ping it from the router.

If all went well you are now pinging.
Get someone to ping you back. Ask in the IRC Channel
You now have a functional node.

2. Configure a Moonlander

While building a ChaosVPN-only access node, back up continuously using either the web client or the console backup (http://wiki.openwrt.org/doc/howto/generic.backup)

1. Add Interface for ChaosVPN

  • go to Network -> Interfaces
  • click Add new interface.. Button at the bottom of the page
  • enter ChaosVPN into name field
  • select Unmanaged
  • select Ethernet Adapter: "chaos_vpn"
  • save

2. Add Zone for ChaosVPN

  • go to Network -> Firewall
  • in the Zones Tab, click Add
  • enter ChaosVPN into name field
  • for Covered Networks select ChaosVPN


3. Make WLAN a ChaosVPN-only AP

  1. The following varies with your personal use case - please post your configuration with a short description if you like
  2. The default WAN will still be reachable via the wired network.
  3. The wireless network will have no access to WAN - ChaosVPN only.
  4. At any state you can use the IP 192.168.1.1 to reach your router.
  5. Pressing save will only cache the setting - press apply to make sure settings are set

Setup

  • go to Network -> Interfaces
  • click Add new interface
  • enter wlan into name field
  • select Static address
  • check Create a bridge if you like to bridge 2.4 GHz and 5 GHz
  • select (both) wlan devices
  • In the Edit mask:
IPv4 Address: 172.31.<your subnet>.[1-255] //this must not be the IP of the chaosvpn device!
Netmask: 255.255.255.0


Add a DHCP server to serve some addresses in the range 100-150; use Advanced Settings to propagate internal nameservers:

DHCP Options: 6,172.31.116.1,195.24.78.86,172.22.228.6
  • go to Network -> Firewall
  • in the Zones Tab, click Add
  • enter wlan into name field
  • at Covered Networks select wlan device
  • check Allow forward to destination zones: ChaosVPN
ping irc.hackint.hack
  • tests your successful landing with a stable communication uplink
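The Moonlander steps above end up as two properties of the router's UCI configuration: the wlan interface carries a static address inside your ChaosVPN subnet that is not the chaos_vpn device's own address, and the wlan firewall zone forwards to the ChaosVPN zone only, never to wan. The checker below is an added example, not part of the wiki page or of OpenWRT; it parses the text form of /etc/config/network and /etc/config/firewall and verifies both properties, so a mistake in the web interface (a stray wlan -> wan forwarding, or the wlan address colliding with the VPN address) shows up before the router goes into service. The sample configs are constructed; the interface and zone names ("chaosvpn", "wlan", "wan") and the 172.31.200.0/24 subnet are assumptions matching the page's steps.

```python
"""Verify the ChaosVPN-only AP properties on OpenWRT UCI config text (added example)."""
import ipaddress

# Constructed sample of /etc/config/network after the steps above.
SAMPLE_NETWORK = """\
config interface 'chaosvpn'
    option proto 'none'
    option ifname 'chaos_vpn'

config interface 'wlan'
    option proto 'static'
    option type 'bridge'
    option ipaddr '172.31.200.2'
    option netmask '255.255.255.0'
"""

# Constructed sample of /etc/config/firewall: wlan may forward to chaosvpn only.
SAMPLE_FIREWALL = """\
config zone
    option name 'wan'
    option network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'chaosvpn'
    option network 'chaosvpn'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'wlan'
    option network 'wlan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config forwarding
    option src 'wlan'
    option dest 'chaosvpn'
"""


def parse_uci(text):
    """Parse UCI text into [(section_type, section_name, {option: value or [list values]})].

    Values are unquoted by stripping single quotes; values containing spaces are
    joined back, which is enough for the network and firewall files used here.
    """
    sections = []
    for raw in text.splitlines():
        parts = raw.strip().replace("'", "").split()
        if not parts:
            continue
        if parts[0] == "config":
            name = parts[2] if len(parts) > 2 else None  # zones/forwardings are anonymous
            sections.append((parts[1], name, {}))
        elif parts[0] == "option" and sections:
            sections[-1][2][parts[1]] = " ".join(parts[2:])
        elif parts[0] == "list" and sections:
            sections[-1][2].setdefault(parts[1], []).append(" ".join(parts[2:]))
    return sections


def wlan_forwards_only_to_chaosvpn(firewall_text, wlan_zone="wlan", vpn_zone="chaosvpn"):
    """True if both zones exist and the only forwarding from wlan_zone goes to vpn_zone."""
    sections = parse_uci(firewall_text)
    zones = {opts.get("name") for typ, _, opts in sections if typ == "zone"}
    if wlan_zone not in zones or vpn_zone not in zones:
        return False
    dests = {opts.get("dest") for typ, _, opts in sections
             if typ == "forwarding" and opts.get("src") == wlan_zone}
    return dests == {vpn_zone}


def wlan_address_ok(network_text, vpn_subnet, vpn_ip, iface="wlan"):
    """True if iface has a static address inside vpn_subnet that differs from vpn_ip."""
    for typ, name, opts in parse_uci(network_text):
        if typ == "interface" and name == iface:
            if opts.get("proto") != "static" or "ipaddr" not in opts:
                return False
            addr = ipaddress.ip_address(opts["ipaddr"])
            return addr in ipaddress.ip_network(vpn_subnet) and addr != ipaddress.ip_address(vpn_ip)
    return False  # interface not configured at all


if __name__ == "__main__":
    print("wlan forwarding ok:", wlan_forwards_only_to_chaosvpn(SAMPLE_FIREWALL))
    print("wlan address ok:", wlan_address_ok(SAMPLE_NETWORK, "172.31.200.0/24", "172.31.200.1"))
```

On the router itself the two files can be read with cat /etc/config/network and cat /etc/config/firewall and fed to these functions; the forwarding check is the one that matters for "the wireless network will have no access to WAN", since a single extra forwarding section with dest 'wan' silently undoes that goal.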

... to be continued