Dieses Wiki ist ein Archiv bis 2023. Das aktuelle Wiki findet sich unter https://wiki.hamburg.ccc.de/
Difference between revisions of "ChaosVPN:DebianHowto"
m |
Souterrain (talk | contribs) (Translated to English) |
||
| Line 146: | Line 146: | ||
vor allem testen, anpassen und anleitung schreiben mit anderen | vor allem testen, anpassen und anleitung schreiben mit anderen | ||
linux-varianten, und vielleicht sogar mit *bsd | linux-varianten, und vielleicht sogar mit *bsd | ||
| + | |||
| + | = QUICK HOWTO FOR DEBIAN USER (English) = | ||
| + | |||
| + | == 0. Install necessary perl modules and helper programs == | ||
| + | |||
| + | # apt-get install libwww-perl | ||
| + | # apt-get install libcrypt-ssleay-perl | ||
| + | |||
| + | Alternatively these may be installed via CPAN, but of course these each have many prerequisite modules. | ||
| + | |||
| + | # apt-get install iproute | ||
| + | |||
| + | == 1. tinc instalieren == | ||
| + | |||
| + | # apt-get install tinc | ||
| + | |||
| + | Either the package from Debian unstable, or my sarge backport of [http://debian.sdinet.de/sarge/sdinet/tinc/ http://debian.sdinet.de/sarge/sdinet/tinc/] | ||
| + | |||
| + | This should be at least version 1.0.4, but to reach some subnets (due to an error) tincd SVN r1450 or 1.0.5 (when released) | ||
| + | |||
| + | Or visit [http://tinc.nl.linux.org/ http://tinc.nl.linux.org/], download and build yourself - | ||
| + | at a minimum ./configure, specify the parameter --sysconfdir=/etc, and check the binary in the script | ||
| + | |||
| + | If the tinc installation gives the following error: | ||
| + | |||
| + | > ./MAKEDEV: don't know how to make device "tun" | ||
| + | |||
| + | Then create the device by hand: | ||
| + | |||
| + | # mkdir -p /dev/net | ||
| + | # mknod /dev/net/tun c 10 200 | ||
| + | # chown root:root /dev/net/tun | ||
| + | # chmod 600 /dev/net/tun | ||
| + | |||
| + | == 2. Create config directory == | ||
| + | |||
| + | # mkdir -p /etc/tinc/chaos | ||
| + | |||
| + | == 3. Generate keys == | ||
| + | |||
| + | # tincd -n chaos --generate-keys=2048 | ||
| + | |||
| + | and press return a few times... | ||
| + | |||
| + | == 4. Devise a network-nick == | ||
| + | |||
| + | This is the name of the network endpoints/gatewways, not necessarily the users, | ||
| + | it may even be more gateways per user. | ||
| + | |||
| + | Used below where <nodename> is. | ||
| + | |||
| + | == 5. Hostname == | ||
| + | |||
| + | The gateway may have a DynDNS (or similar) hostname pointing to a dynamic IP, or a static hostname/fixed IP. | ||
| + | |||
| + | Used below where <clienthost> is. | ||
| + | |||
| + | == 6. Mail haegar@ccc.de the info == | ||
| + | |||
| + | I need the following info: | ||
| + | |||
| + | nodename=<nodename> | ||
| + | gatewayhost=<clienthost> | ||
| + | network=<ipv4 subnet in the vpn> | ||
| + | network6=<ipv6 subnet in the vpn> | ||
| + | this may be more than one, IPv4 or IPv6 | ||
| + | |||
| + | These subnets must be unique in our vpn, | ||
| + | simply renumber your home network with a network block that is still free. | ||
| + | |||
| + | *.23.*, *.42.*, *.0.* and *.1.* are bad candidates ;) | ||
| + | |||
| + | Currently, there is no searchable list of assigned subnets. | ||
| + | |||
| + | owner= | ||
| + | Admin of the VPN gateway, with email address. | ||
| + | |||
| + | key | ||
| + | rsa-public-key - contents of /etc/tinc/chaos/rsa_key.pub | ||
| + | |||
| + | optional the following details: | ||
| + | |||
| + | use-tcp-only=1 | ||
| + | "I don't do udp, we only use suboptimal tcp" | ||
| + | |||
| + | hidden=1 | ||
| + | "I cannot accept inbound tunnel connections, I can only connect out." | ||
| + | (e.g. behind a NAT) | ||
| + | |||
| + | silent=1 | ||
| + | "I cannot connect out, but you can connect to me." | ||
| + | |||
| + | == 7. Awaiting Response == | ||
| + | |||
| + | == 8. goto 6 unless $success == | ||
| + | |||
| + | == 9. chaos-client download: == | ||
| + | |||
| + | # cd /usr/local/bin | ||
| + | # wget -nd [https://www.vpn.hamburg.ccc.de/chaosvpn-client.pl https://www.vpn.hamburg.ccc.de/chaosvpn-client.pl] | ||
| + | |||
| + | Newer wget versions may require: | ||
| + | |||
| + | # cd /usr/local/bin | ||
| + | # wget -nd --no-check-certificate [https://www.vpn.hamburg.ccc.de/chaosvpn-client.pl https://www.vpn.hamburg.ccc.de/chaosvpn-client.pl] | ||
| + | |||
| + | Make executable, set ownership: | ||
| + | |||
| + | # chmod 700 /usr/local/bin/chaosvpn-client.pl | ||
| + | # chown root.root /usr/local/bin/chaosvpn-client.pl | ||
| + | |||
| + | == 10. config-template download: == | ||
| + | |||
| + | # cd /etc/tinc | ||
| + | # wget -nd [https://www.vpn.hamburg.ccc.de/chaosvpn.conf https://www.vpn.hamburg.ccc.de/chaosvpn.conf] | ||
| + | |||
| + | Newer wget versions may require: | ||
| + | |||
| + | # cd /etc/tinc | ||
| + | # wget -nd --no-check-certificate [https://www.vpn.hamburg.ccc.de/chaosvpn.conf https://www.vpn.hamburg.ccc.de/chaosvpn.conf] | ||
| + | |||
| + | == 11. Customize configfile == | ||
| + | |||
| + | In the top part are the variables. | ||
| + | |||
| + | == 12. script in /etc/ppp/ip-up to autostart, or to restart from time to time via cron == | ||
| + | |||
| + | and with luck, it will function beautifully! ;) | ||
| + | |||
| + | |||
| + | todo: | ||
| + | tons ;) | ||
| + | test in particular, and adjust docs for other linux distros, and perhaps even with *bsd | ||
Revision as of 23:09, 9 December 2009
Contents
- 1 QUICK HOWTO FUER DEBIAN USER
- 1.1 0. noetige perl module und helper-programme installieren
- 1.2 1. tinc instalieren
- 1.3 2. config verzeichnis anlegen
- 1.4 3. keys erzeugen
- 1.5 4. netz-nick ausdenken
- 1.6 5. gateway-rechner mit dyndns-hostname versehen
- 1.7 6. infos an haegar@ccc.de mailen
- 1.8 7. auf reaktion warten
- 1.9 8. goto 6 unless $success
- 1.10 9. chaos-client downloaden:
- 1.11 10. config-template downloaden:
- 1.12 11. configfile anpassen
- 1.13 12. script in /etc/ppp/ip-up o.ae. integrieren, oder von zeit-zu-zeit per cron restarten
- 2 QUICK HOWTO FOR DEBIAN USER (English)
- 2.1 0. Install necessary perl modules and helper programs
- 2.2 1. tinc instalieren
- 2.3 2. Create config directory
- 2.4 3. Generate keys
- 2.5 4. Devise a network-nick
- 2.6 5. Hostname
- 2.7 6. Mail haegar@ccc.de the info
- 2.8 7. Awaiting Response
- 2.9 8. goto 6 unless $success
- 2.10 9. chaos-client download:
- 2.11 10. config-template download:
- 2.12 11. Customize configfile
- 2.13 12. script in /etc/ppp/ip-up to autostart, or to restart from time to time via cron
QUICK HOWTO FUER DEBIAN USER
0. noetige perl module und helper-programme installieren
# apt-get install libwww-perl # apt-get install libcrypt-ssleay-perl
geht natuerlich auch von hand oder per CPAN, aber die beiden obigen module brauchen noch selbst weiter diverse andere
# apt-get install iproute
1. tinc instalieren
# apt-get install tinc
entweder das Packet aus Debian Unstable, oder meinen Sarge Backport von http://debian.sdinet.de/sarge/sdinet/tinc/
es sollte mindestens Version 1.0.4 sein, zum Erreichen einiger der verwendeten Subnetze ist wegen eines Tinc-Fehlers mindestens SVN Rev 1450 nötig, oder 1.0.5 wenn es denn mal released ist.
oder halt von http://tinc.nl.linux.org/ downloaden und selber compilieren - dort solltet ihr beim ./configure nur mindestens den parameter --sysconfdir=/etc mit angeben, und im script (unten) muss der pfad zum binary gecheckt werden
wenn bei der tinc-installation folgende Fehlermeldung kommt:
> ./MAKEDEV: don't know how to make device "tun"
dann das Device von Hand anlegen
# mkdir -p /dev/net # mknod /dev/net/tun c 10 200 # chown root:root /dev/net/tun # chmod 600 /dev/net/tun
2. config verzeichnis anlegen
# mkdir -p /etc/tinc/chaos
3. keys erzeugen
# tincd -n chaos --generate-keys=2048
und ein paar mal return druecken
4. netz-nick ausdenken
dies ist der name des netz-teils/gateways, nicht unbedingt der name des users - es kann ja mehr gateways pro user geben
immer dort einsetzen wo im foldenden text <nodename> steht
5. gateway-rechner mit dyndns-hostname versehen
oder halt bei statischer ip den festen hostname/die feste ip verwenden
immer dort einsetzen wo im foldenden text <clienthost> steht
6. infos an haegar@ccc.de mailen
ich brauche folgende infos:
nodename=<nodename> gatewayhost=<clienthost> network=<ipv4 subnetzrange im vpn> network6=<ipv6 subnetzrange im vpn> kann auch mehr als eins sein, ipv4 und/oder ipv6
dieses subnetz muss in unserem vpn eindeutig sein, schlagt einfach euer wunsch-netz/das bisher zuhause verwendete netz vor, und mit glueck ists noch frei
*.23.*, *.42.*, *.0.* und *.1.* sind schlechte kanditaten ;)
bisher gibts noch keine abfragbare liste der schon zugeordneten subnetze
owner= admin des vpn-teils, mit email-adresse
key rsa-public-key - inhalt von /etc/tinc/chaos/rsa_key.pub
optional sind noch folgende angaben moeglich:
use-tcp-only=1 "ich kann kein udp machen, beschraenken wir uns auf das fuer tunnel suboptimale tcp"
hidden=1 "zu mir koennen keine verbindungen aufgemacht werden, ich kann nur rausconnecten" (z.b. hinter nat)
silent=1 "ich kann nicht rausconnecten, aber ihr koennt zu mir connections aufbauen"
7. auf reaktion warten
8. goto 6 unless $success
9. chaos-client downloaden:
# cd /usr/local/bin # wget -nd https://www.vpn.hamburg.ccc.de/chaosvpn-client.pl
mit neueren wget Versionen ist evtl auch folgendes noetig:
# cd /usr/local/bin # wget -nd --no-check-certificate https://www.vpn.hamburg.ccc.de/chaosvpn-client.pl
Datei executable machen und Permissions setzen:
# chmod 700 /usr/local/bin/chaosvpn-client.pl # chown root.root /usr/local/bin/chaosvpn-client.pl
10. config-template downloaden:
# cd /etc/tinc # wget -nd https://www.vpn.hamburg.ccc.de/chaosvpn.conf
mit neueren wget Versionen ist evtl auch folgendes noetig:
# cd /etc/tinc # wget -nd --no-check-certificate https://www.vpn.hamburg.ccc.de/chaosvpn.conf
11. configfile anpassen
im oberen teil befinden sich die configurations-variablen
12. script in /etc/ppp/ip-up o.ae. integrieren, oder von zeit-zu-zeit per cron restarten
und mit glueck funktioniert das dann sogar schon ;)
todo:
massig ;)
vor allem testen, anpassen und anleitung schreiben mit anderen
linux-varianten, und vielleicht sogar mit *bsd
QUICK HOWTO FOR DEBIAN USER (English)
0. Install necessary perl modules and helper programs
# apt-get install libwww-perl # apt-get install libcrypt-ssleay-perl
Alternatively these may be installed via CPAN, but of course these each have many prerequisite modules.
# apt-get install iproute
1. tinc instalieren
# apt-get install tinc
Either the package from Debian unstable, or my sarge backport of http://debian.sdinet.de/sarge/sdinet/tinc/
This should be at least version 1.0.4, but to reach some subnets (due to an error) tincd SVN r1450 or 1.0.5 (when released)
Or visit http://tinc.nl.linux.org/, download and build yourself - at a minimum ./configure, specify the parameter --sysconfdir=/etc, and check the binary in the script
If the tinc installation gives the following error:
> ./MAKEDEV: don't know how to make device "tun"
Then create the device by hand:
# mkdir -p /dev/net # mknod /dev/net/tun c 10 200 # chown root:root /dev/net/tun # chmod 600 /dev/net/tun
2. Create config directory
# mkdir -p /etc/tinc/chaos
3. Generate keys
# tincd -n chaos --generate-keys=2048
and press return a few times...
4. Devise a network-nick
This is the name of the network endpoints/gatewways, not necessarily the users, it may even be more gateways per user.
Used below where <nodename> is.
5. Hostname
The gateway may have a DynDNS (or similar) hostname pointing to a dynamic IP, or a static hostname/fixed IP.
Used below where <clienthost> is.
6. Mail haegar@ccc.de the info
I need the following info:
nodename=<nodename> gatewayhost=<clienthost> network=<ipv4 subnet in the vpn> network6=<ipv6 subnet in the vpn> this may be more than one, IPv4 or IPv6
These subnets must be unique in our vpn, simply renumber your home network with a network block that is still free.
*.23.*, *.42.*, *.0.* and *.1.* are bad candidates ;)
Currently, there is no searchable list of assigned subnets.
owner= Admin of the VPN gateway, with email address.
key rsa-public-key - contents of /etc/tinc/chaos/rsa_key.pub
optional the following details:
use-tcp-only=1 "I don't do udp, we only use suboptimal tcp"
hidden=1 "I cannot accept inbound tunnel connections, I can only connect out." (e.g. behind a NAT)
silent=1 "I cannot connect out, but you can connect to me."
7. Awaiting Response
8. goto 6 unless $success
9. chaos-client download:
# cd /usr/local/bin # wget -nd https://www.vpn.hamburg.ccc.de/chaosvpn-client.pl
Newer wget versions may require:
# cd /usr/local/bin # wget -nd --no-check-certificate https://www.vpn.hamburg.ccc.de/chaosvpn-client.pl
Make executable, set ownership:
# chmod 700 /usr/local/bin/chaosvpn-client.pl # chown root.root /usr/local/bin/chaosvpn-client.pl
10. config-template download:
# cd /etc/tinc # wget -nd https://www.vpn.hamburg.ccc.de/chaosvpn.conf
Newer wget versions may require:
# cd /etc/tinc # wget -nd --no-check-certificate https://www.vpn.hamburg.ccc.de/chaosvpn.conf
11. Customize configfile
In the top part are the variables.
12. script in /etc/ppp/ip-up to autostart, or to restart from time to time via cron
and with luck, it will function beautifully! ;)
todo:
tons ;)
test in particular, and adjust docs for other linux distros, and perhaps even with *bsd
