Dieses Wiki ist ein Archiv bis 2023. Das aktuelle Wiki findet sich unter https://wiki.hamburg.ccc.de/

Difference between revisions of "ChaosVPN:DebianHowto"

From CCCHHWiki
Jump to: navigation, search
(The easiest way: Using our ChaosVPN Debian-Repository)
(copy-paste friendly)
Line 90: Line 90:
 
We need the following info:
 
We need the following info:
  
[<nodename>]
+
<pre>
# replace <nodename> with the network nick from step 4
+
[<nodename>]
 +
# replace <nodename> with the network nick from step 4
 +
gatewayhost=<clienthost>
 +
# This should be the external name or ip address of the client host, not a VPN address.
 +
# If the client is not reachable over the internet leave it out and set hidden=1 below.
 +
network=<ipv4 subnet in the vpn>
 +
network6=<ipv6 subnet in the vpn>
 +
# (mandatory, must include)
 +
# this may be more than one, IPv4 or IPv6
 +
#
 +
# These subnets must be unique in our vpn,
 +
# simply renumber your home network (or use something like NETMAP) with a network block that is still free.
 +
#
 +
# Please use the list of assigned networks on [[ChaosVPN::IPRanges]], and add yourself there.
  
gatewayhost=<clienthost>
+
owner=
# This should be the external name or ip address of the client host, not a VPN address.
+
# (mandatory, must include)
# If the client is not reachable over the internet leave it out and set hidden=1 below.
+
# Admin of the VPN gateway, with email address - a way to contact the responsible
 +
# person in case of problems with your network link.
  
network=<ipv4 subnet in the vpn>
+
port=655
network6=<ipv6 subnet in the vpn>
+
# (optional)
# (mandatory, must include)
+
# if not specified tinc works on tcp+udp port 655
# this may be more than one, IPv4 or IPv6
+
# it is better if everyone chooses a random port for this.
#
+
# either this specified port or port 655 needs to accept TCP and UDP traffic from outside.
# These subnets must be unique in our vpn,
 
# simply renumber your home network (or use something like NETMAP) with a network block that is still free.
 
#
 
# Please use the list of assigned networks on [[ChaosVPN::IPRanges]], and add yourself there.
 
  
owner=
+
use-tcp-only=1
# (mandatory, must include)
+
# (optional)
# Admin of the VPN gateway, with email address - a way to contact the responsible
+
# "I don't do udp, we only use suboptimal tcp"
# person in case of problems with your network link.
 
  
port=655
+
hidden=1
# (optional)
+
# (optional)
# if not specified tinc works on tcp+udp port 655
+
# "I cannot accept inbound tunnel connections, I can only connect out."
# it is better if everyone chooses a random port for this.
+
# (e.g. behind a NAT)
# either this specified port or port 655 needs to accept TCP and UDP traffic from outside.
+
indirectdata=1
 +
# (optional)
 +
# "I cannot accept inbound udp data packets, I can only send out."
 +
# (e.g. behind a NAT)
  
use-tcp-only=1
+
silent=1
# (optional)
+
# (optional)
# "I don't do udp, we only use suboptimal tcp"
+
# "I cannot connect out, but you can connect to me."
 
 
hidden=1
 
# (optional)
 
# "I cannot accept inbound tunnel connections, I can only connect out."
 
# (e.g. behind a NAT)
 
 
 
indirectdata=1
 
# (optional)
 
# "I cannot accept inbound udp data packets, I can only send out."
 
# (e.g. behind a NAT)
 
 
 
silent=1
 
# (optional)
 
# "I cannot connect out, but you can connect to me."
 
 
 
key
 
# (mandatory, must include)
 
# rsa-public-key - contents of /etc/tinc/chaos/rsa_key.pub
 
  
 +
key
 +
# (mandatory, must include)
 +
# rsa-public-key - contents of /etc/tinc/chaos/rsa_key.pub
 +
</pre>
 
== 7. Awaiting Response ==
 
== 7. Awaiting Response ==
  

Revision as of 15:46, 17 February 2011

and AgoraLink::DebianHowto

Back


QUICK HOWTO FOR DEBIAN USER

0. Install necessary helper programs

needed to use the chaosvpn client:

# apt-get install tinc iproute libssl0.9.8 zlib1g

needed to compile the chaosvpn-client if not using a precreated debian package for it:

# apt-get install build-essential git-core bison flex libssl-dev zlib1g-dev

(see below for downloadable pre-created packages)

aditionally needed to build the debian packages:

# apt-get install debhelper devscripts

1. Install tinc

# apt-get install tinc

You need either the package from Debian squeeze/unstable, or a lenny backport like from http://debian.sdinet.de/lenny/sdinet/tinc/

This should be at least tinc version 1.0.13, but may work with 1.0.10 or later.

Or visit http://tinc.nl.linux.org/, download and build yourself - at a minimum ./configure, specify the parameter --sysconfdir=/etc, and check the binary in the script

If the tinc installation gives the following error:

> ./MAKEDEV: don't know how to make device "tun"

Then create the device by hand:

# mkdir -p /dev/net
# mknod /dev/net/tun c 10 200
# chown root:root /dev/net/tun
# chmod 600 /dev/net/tun

2. Create config directory

# mkdir -p /etc/tinc/chaos

3. Generate keys

# tincd -n chaos --generate-keys=2048

and press return a few times...

4. Devise a network-nick and a unique IP range you will be using

This network-nick or sometimes called nodename is the name of the network endpoint/gateway where the vpn software will be running, not necessarily the name of the user, there may even be more than one gateway per user.

Used below where <nodename> is.

Please use only characters a-z, 0-9 and _ in it.

 

Second please select an unused IPv4 range out of IPRanges, and write yourself down in that wiki page to mark your future range as in-use. Please select from the correct ranges, 172.31.*.* for Europe, and 10.100.*.* for North America and elsewhere.

Repeat: Please do not forget to add yourself to the list at IPRanges to mark your range as used.

Used below where <ipv4 subnet in the vpn> is.

 

The usage of IPv6 networks is also possible, but we do not have a central range for this (yet), you may specify an IPv6 range you received from your (tunnel) provider to be reachable over the VPN, or a private IPv6 ULA (Unique Local Address) network described in RFC4193. For more info about ULA and a network-range generator please also see http://www.sixxs.net/tools/grh/ula/ .

Used below where <ipv6 subnet in the vpn> is.

5. Hostname

The gateway may have a DynDNS (or similar) hostname pointing to a dynamic IP, or a static hostname/fixed IP.

Better supply a hostname than a raw IP address even if it is static, so you can change it youself and do not need to contact us when needed. (Perhaps something linke chaosvpn.yourdomain.example)

Used below where <clienthost> is.

6. Mail us your Infos

  • send to haegar@ccc.de for a connection in Europe.
  • send to join@agoralink.org for a connection outside of Europe ie North America, et al.

We need the following info:

[<nodename>]
# replace <nodename> with the network nick from step 4
gatewayhost=<clienthost>
# This should be the external name or ip address of the client host, not a VPN address.
# If the client is not reachable over the internet leave it out and set hidden=1 below.
network=<ipv4 subnet in the vpn>
network6=<ipv6 subnet in the vpn>
# (mandatory, must include)
# this may be more than one, IPv4 or IPv6
#
# These subnets must be unique in our vpn,
# simply renumber your home network (or use something like NETMAP) with a network block that is still free.
#
# Please use the list of assigned networks on [[ChaosVPN::IPRanges]], and add yourself there.

owner=
# (mandatory, must include)
# Admin of the VPN gateway, with email address - a way to contact the responsible
# person in case of problems with your network link.

port=655
# (optional)
# if not specified tinc works on tcp+udp port 655
# it is better if everyone chooses a random port for this.
# either this specified port or port 655 needs to accept TCP and UDP traffic from outside.

use-tcp-only=1
# (optional)
# "I don't do udp, we only use suboptimal tcp"

hidden=1
# (optional)
# "I cannot accept inbound tunnel connections, I can only connect out."
# (e.g. behind a NAT)
indirectdata=1
# (optional)
# "I cannot accept inbound udp data packets, I can only send out."
# (e.g. behind a NAT)

silent=1
# (optional)
# "I cannot connect out, but you can connect to me."

key
# (mandatory, must include)
# rsa-public-key - contents of /etc/tinc/chaos/rsa_key.pub

7. Awaiting Response

8. goto 6 unless $success

9. chaosvpn-client download and/or compile

The easiest way: Using our ChaosVPN Debian-Repository

Add the following lines to your /etc/apt/sources.list:

For Debian Lenny (Stable):

 deb http://debian.sdinet.de/ lenny chaosvpn
 deb-src http://debian.sdinet.de/ lenny chaosvpn

For Debian Squeeze (Testing):

 deb http://debian.sdinet.de/ squeeze chaosvpn
 deb-src http://debian.sdinet.de/ squeeze chaosvpn

For Debian Sid (Unstable):

 deb http://debian.sdinet.de/ sid chaosvpn
 deb-src http://debian.sdinet.de/ sid chaosvpn

Make the Repository-Key known:

 apt-get update
 apt-get install debian-sdinet-keyring

Answer "y" to the one warning about unauthenticated content.

Run apt-get update a second time:

 apt-get update

Finally install the ChaosVPN software:

 apt-get install chaosvpn

Install Done, proceed to next step some pages below.

PS: The repositories may also be usable for Ubuntu, but that has not been tested at all.

PPS: The repositories are available for i386 (Intel+AMD x86 32bit) and amd64 (Intel+AMD x86 64bit) - users of other architectures will have to compile the chaosvpn client on their own.

The easy way: Use a pre-compiled Debian package.

Download the pre-compiled Debian package from

For Debian Unstable:         http://debian.sdinet.de/sid/sdinet/chaosvpn/
For Debian Testing:          http://debian.sdinet.de/squeeze/sdinet/chaosvpn/
For Debian Stable / Lenny:   http://debian.sdinet.de/lenny/sdinet/chaosvpn/
For Debian Oldstable / Etch: http://debian.sdinet.de/etch/sdinet/chaosvpn/

Fetch the newest *.deb file for your architecture from the correct directory above. The files ending in _i386.deb are for 32bit installs, the files ending in _amd64.deb are for 64bit installs (both intel and amd).

If there are no pre-existing files for your Debian Release and/or Architecture you need to skip to the alternative of self compiling below.

# wget http://debian.sdinet.de/lenny/sdinet/chaosvpn/chaosvpn_2.0~rc9-0.0~deb50_i386.deb
(Replace link with correct file, the above is outdated and the correct changes from time to time as new packages get released)

Make sure the dependencies are already installed (most likely they are):

# apt-get install tinc libssl0.9.8 zlib1g perl-base

Install the newly downloaded package:

# dpkg -i chaosvpn_2*.deb

The software should now be installed, continue with step 10 below.

Alternative: compile yourself from our git repository

Always needed to compile:

# git clone git://github.com/ryd/chaosvpn.git
# cd chaosvpn

way 1: create a git snapshot debian package

# make deb
 perhaps it throws an error about missing build dependencies, install these and retry.
# sudo dpkg -i ../chaosvpn_2.0*.deb
 install the generated package file, replace filename above with real name.
 it is also possible to copy the generated .deb package to a different machine of the same
 architecture and install it there - no need to have a full compile environment
 on your router/firewall.
 

way 2: create debian package and install this

# debuild
 Answer the "This package has a Debian revision number but there does not seem to be
 an appropriate original tar file or .orig directory in the parent directory" with "y"
# sudo dpkg -i ../chaosvpn_2.0*.deb
 install the generated package file, replace filename above with real name.

way 3: just compile and install the raw binary

# make
# sudo make install

10. Customize configfile

FIXME to be expanded

/etc/tinc/chaosvpn.conf

In the top part are the variables.

change

$my_peerid to the network nick from step 4
$my_vpn_ip to an ip address in your network range, like 172.31.x.1

11. Enable Starting of ChaosVPN

If you installed ChaosVPN through our Debian packages it is not started by default.

To enable this edit the file /etc/default/chaosvpn and change the RUN= line to RUN="yes"

After all changes (re-)start the chaosvpn client:

# /etc/init.d/chaosvpn start

If you made everything correct there should now be a tinc daemon running, and the output of 'route -n' should show lots of routes pointing to the new 'chaos_vpn' network interface.

11. script in /etc/ppp/ip-up to autostart, or to restart from time to time via cron

if you built a debian package and installed it the cron and ip-up parts are already setup, if you installed it manually with make install you have to do it yourself.


and with luck, it will function beautifully! ;)


todo: tons ;) test in particular, and adjust docs for other linux distros, and perhaps even with *bsd