This wiki is an archive up to 2023. The current wiki can be found at https://wiki.hamburg.ccc.de/
Difference between revisions of "Template:ChaosVPNMailit"
m (→Mail us your Infos) |
(adding documentation for using tinc 1.1) |
||
Line 1: | Line 1: | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
=== Devise a network-nick and a unique IP range you will be using === | === Devise a network-nick and a unique IP range you will be using === | ||
Line 28: | Line 21: | ||
Used below where <ipv6 subnet in the vpn> is. | Used below where <ipv6 subnet in the vpn> is. | ||
+ | |||
+ | === Generate keys === | ||
+ | |||
+ | ==== Generate keys with tinc 1.1+ ==== | ||
+ | |||
+ | <s> | ||
+ | # tinc --net=chaos init <nodename> | ||
+ | |||
+ | Replace <nodename> with the name your new node should get. | ||
+ | </s> | ||
+ | |||
+ | **FIXME** need some way that "tinc init" puts the public key into the seperate files and not only into the generated hosts file, which our chaosvpn daemon overwrites. | ||
+ | |||
+ | generate public/private RSA and ECDSA keypairs with | ||
+ | |||
+ | # tinc --net=chaos generate-keys 2048 | ||
+ | |||
+ | press Enter 4 times and backup the files on an external device. | ||
+ | |||
+ | ==== Generate keys with tinc 1.0.xx ==== | ||
+ | |||
+ | generate public/private keypairs with | ||
+ | |||
+ | # tincd --net=chaos --generate-keys=2048 | ||
+ | |||
+ | press Enter 2 times and backup the files on an external device. | ||
=== Hostname === | === Hostname === | ||
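Review bot: the tinc 1.1 section keeps the struck-through `tinc --net=chaos init <nodename>` step in the text right next to the FIXME that explains why it must not be used (init writes the public key only into the generated hosts file, which the chaosvpn daemon overwrites), so a reader who skims past the strike-out will run it and lose the key on the next daemon run; move the FIXME above the struck text or drop the step until init writes the separate key files. Minor: "seperate" should be "separate", and since the mail template at the end of the page asks for the contents of /etc/tinc/chaos/ecdsa_key.pub and /etc/tinc/chaos/rsa_key.pub, the 1.1 instructions should name those two files as the output of `generate-keys`.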
Line 81: | Line 100: | ||
# "I cannot connect out, but you can connect to me." | # "I cannot connect out, but you can connect to me." | ||
# Only ONE of hidden=1 or silent=1 is possible. | # Only ONE of hidden=1 or silent=1 is possible. | ||
− | + | ||
+ | ECDSAPublicKey = <something> | ||
+ | # (optional) | ||
+ | # tinc 1.1+ only, contents of your /etc/tinc/chaos/ecdsa_key.pub | ||
+ | |||
-----BEGIN RSA PUBLIC KEY----- | -----BEGIN RSA PUBLIC KEY----- | ||
.... | .... |
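Review bot: the new `ECDSAPublicKey = <something>` entry is marked optional and "tinc 1.1+ only", but the template never says that 1.0.xx users should delete the whole line (the instruction to strip lines starting with `#` does not cover it, and a 1.0 node has no ecdsa_key.pub), so a 1.0 user will send the literal `<something>`; add "leave this line out on tinc 1.0" to the comment. Style: this is the only key written as `Key = value` with spaces, while the rest of the template uses `key=value`; keep one form so the receiving side does not have to accept both.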
Revision as of 14:03, 2 August 2013
Devise a network-nick and a unique IP range you will be using
This network-nick, sometimes called the nodename, is the name of the network endpoint/gateway where the VPN software will be running;
it is not necessarily the name of the user, and there may even be more than one gateway per user.
Used below where <nodename> is.
Please use only characters a-z, 0-9 and _ in it.
Second, please select an unused IPv4 range from the IP Range page, and add yourself to that wiki page to mark your future range as in use.
Please select from the correct ranges, 172.31.*.* for Europe, and 10.100.*.* for North America and elsewhere.
Repeat: Please do not forget to add yourself to the list at IP Range to mark your range as used.
Used below where <ipv4 subnet in the vpn> is.
The usage of IPv6 networks is also possible, but we do not have a central range for this (yet);
you may specify an IPv6 range you received from your (tunnel) provider to be reachable over the VPN,
or a private IPv6 ULA (Unique Local Address) network as described in RFC 4193.
For more info about ULA and a network-range generator please also see http://www.sixxs.net/tools/grh/ula/ .
Used below where <ipv6 subnet in the vpn> is.
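For the ULA option, an added example (not from the wiki page) of how RFC 4193 derives such a prefix: the /48 is fd00::/8 followed by the low 40 bits of SHA-1 over an NTP timestamp and the gateway's modified EUI-64. The MAC address and timestamp in the test are constructed, and is_ula() is an added helper for checking that a network6 value really falls inside fc00::/7 before it goes into the mail.

```python
import hashlib
import ipaddress
import struct
import time
from typing import Optional

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)


def modified_eui64(mac: str) -> bytes:
    """Expand a 48-bit MAC into the modified EUI-64 RFC 4193 hashes (U/L bit flipped, ff:fe inserted)."""
    m = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(m) != 6:
        raise ValueError("MAC address must be 48 bits")
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]


def ula_prefix(mac: str, ntp_time: Optional[float] = None) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: fd00::/8 plus the low 40 bits of SHA-1(NTP time || EUI-64), as a /48."""
    if ntp_time is None:
        ntp_time = time.time() + NTP_EPOCH_OFFSET  # current time in the NTP epoch
    seconds = int(ntp_time)
    fraction = int((ntp_time - seconds) * (1 << 32)) & 0xFFFFFFFF
    key = struct.pack("!II", seconds & 0xFFFFFFFF, fraction) + modified_eui64(mac)
    global_id = hashlib.sha1(key).digest()[-5:]       # least significant 40 bits of the digest
    prefix = bytes([0xFD]) + global_id + bytes(10)   # fd | Global ID | zero subnet and interface ID
    return ipaddress.IPv6Network((prefix, 48))


def is_ula(net: str) -> bool:
    """True if the network lies inside the ULA block fc00::/7, i.e. it is not a globally routed prefix."""
    n = ipaddress.ip_network(net, strict=False)
    return n.version == 6 and n.subnet_of(ipaddress.ip_network("fc00::/7"))
```

The Global ID is pseudo-random by design, so two gateways hashing different MACs or times get different /48s and the chance of a clash inside the VPN is negligible.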
Generate keys
Generate keys with tinc 1.1+
(The following step is struck out in the original:)
# tinc --net=chaos init <nodename>
Replace <nodename> with the name your new node should get.
FIXME: we need some way for "tinc init" to put the public key into the separate files and not only into the generated hosts file, which our chaosvpn daemon overwrites.
generate public/private RSA and ECDSA keypairs with
# tinc --net=chaos generate-keys 2048
press Enter 4 times and back up the files on an external device.
Generate keys with tinc 1.0.xx
generate public/private keypairs with
# tincd --net=chaos --generate-keys=2048
press Enter 2 times and back up the files on an external device.
Hostname
The gateway may have a DynDNS (or similar) hostname pointing to a dynamic IP, or a static hostname/fixed IP.
Better supply a hostname than a raw IP address even if it is static, so you can change it yourself and do not need to contact us when needed. (Perhaps something like chaosvpn.yourdomain.example)
Used below where <clienthost> is.
Mail us your Infos
- send via email to chaosvpn-join@hamburg.ccc.de
We need the following info - but please be so kind and also add a short description of you/your space and your motivation to join chaosvpn - or at least make us laugh. :)
(Please remove all lines starting with # from the email, they are just descriptions)
[<nodename>]
gatewayhost=<clienthost>
# This should be the external hostname or ip address of the client host, not a VPN address.
# If the client is not reachable over the internet leave it out and set hidden=1 below.
# If possible supply a hostname (even dyndns) and not an ip address for easier changing
# from your side without touching the central config.
network=<ipv4 subnet in the vpn>
network6=<ipv6 subnet in the vpn>
# (mandatory, must include)
# this may be more than one, IPv4 or IPv6, network6 with IPv6 is optional
#
# These subnets must be unique in our vpn,
# simply renumber your home network (or use something like NETMAP) with a network block that is still free.
#
# Please use the list of assigned networks on ChaosVPN:IPRanges, and add yourself there.
owner=
# (mandatory, must include)
# Admin of the VPN gateway, with email address - a way to contact the responsible
# person in case of problems with your network link.
port=4712
# (optional)
# if not specified tinc works on tcp+udp port 655
# it is better if everyone chooses a random port for this.
# either this specified port or port 655 needs to accept TCP and UDP traffic from outside.
hidden=0
# (optional)
# "I cannot accept inbound tunnel connections, I can only connect out."
# (e.g. behind a NAT)
silent=0
# (optional)
# "I cannot connect out, but you can connect to me."
# Only ONE of hidden=1 or silent=1 is possible.
ECDSAPublicKey = <something>
# (optional)
# tinc 1.1+ only, contents of your /etc/tinc/chaos/ecdsa_key.pub
-----BEGIN RSA PUBLIC KEY-----
....
-----END RSA PUBLIC KEY-----
# rsa-public-key - contents of your /etc/tinc/chaos/rsa_key.pub
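As an added example (not part of the wiki page or of the chaosvpn tooling), a small Python checker for a join mail in the format above: it ignores the '#' description lines as the page asks, parses the [<nodename>] header and the key=value lines, and reports which of the stated rules are broken (nodename character set, mandatory network and owner, the 172.31/10.100 IPv4 ranges, hidden/silent exclusivity, gatewayhost unless hidden=1, and a complete RSA public key block). SAMPLE_MAIL is a constructed mail with made-up values.

```python
import ipaddress
import re
# Constructed join mail in the format described above ('#' lines already removed); all values are made up.
SAMPLE_MAIL = """\
[example_node]
gatewayhost=chaosvpn.yourdomain.example
network=172.31.200.0/24
owner=Jane Doe <jane@example.invalid>
-----BEGIN RSA PUBLIC KEY-----
(constructed placeholder, not a real key)
-----END RSA PUBLIC KEY-----
"""
PEM_BEGIN, PEM_END = "-----BEGIN RSA PUBLIC KEY-----", "-----END RSA PUBLIC KEY-----"
RANGES = (ipaddress.ip_network("172.31.0.0/16"),  # Europe
          ipaddress.ip_network("10.100.0.0/16"))  # North America and elsewhere


def parse_join_mail(text):
    """Return (nodename, {key: [values]}, pem_text); '#' description lines are ignored."""
    head, _, pem = text.partition(PEM_BEGIN)
    nodename, settings = None, {}
    for line in head.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            nodename = m.group(1)
        else:
            key, _, value = line.partition("=")
            settings.setdefault(key.strip(), []).append(value.strip())
    return nodename, settings, pem


def check_join_mail(text):
    """List the template rules the mail violates; an empty list means it follows them."""
    nodename, s, pem = parse_join_mail(text)
    problems = []
    if not nodename or not re.fullmatch(r"[a-z0-9_]+", nodename):
        problems.append("nodename must use only a-z, 0-9 and _")
    problems += [f"{k} is mandatory" for k in ("network", "owner") if k not in s]
    for net in s.get("network", []) + s.get("network6", []):
        n = ipaddress.ip_network(net, strict=False)
        if n.version == 4 and not any(n.subnet_of(r) for r in RANGES):
            problems.append(f"{net} is outside 172.31.0.0/16 and 10.100.0.0/16")
    if s.get("hidden", ["0"])[0] == "1" and s.get("silent", ["0"])[0] == "1":
        problems.append("only one of hidden=1 or silent=1 is possible")
    if s.get("hidden", ["0"])[0] != "1" and "gatewayhost" not in s:
        problems.append("gatewayhost is required unless hidden=1")
    if PEM_END not in pem:
        problems.append("RSA public key block missing or unterminated")
    return problems
```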
Awaiting Response
Retry until $success