Dieses Wiki ist ein Archiv bis 2023. Das aktuelle Wiki findet sich unter https://wiki.hamburg.ccc.de/
ChaosVPN:DebianHowto
and AgoraLink::DebianHowto
Contents
- 1 QUICK HOWTO FOR DEBIAN USER
- 1.1 0. Install necessary helper programs
- 1.2 1. Install tinc
- 1.3 2. Create config directory
- 1.4 3. Generate keys
- 1.5 4. Devise a network-nick and a unique IP range you will be using
- 1.6 5. Hostname
- 1.7 6. Mail us your Infos
- 1.8 7. Awaiting Response
- 1.9 8. goto 6 unless $success
- 1.10 9. chaosvpn-client download and compile
- 1.11 10. Customize configfile
- 1.12 11. script in /etc/ppp/ip-up to autostart, or to restart from time to time via cron
QUICK HOWTO FOR DEBIAN USER
0. Install necessary helper programs
needed to use the chaosvpn client:
# apt-get install tinc iproute libssl0.9.8 zlib1g
needed to compile the chaosvpn-client if not using a precreated debian package for it:
# apt-get install build-essential git-core bison flex libssl-dev zlib1g-dev
aditionally needed to build the debian packages:
# apt-get install debhelper devscripts
1. Install tinc
# apt-get install tinc
You need either the package from Debian squeeze/unstable, or a lenny backport like from http://debian.sdinet.de/lenny/sdinet/tinc/
This has to be at least version 1.0.10, better 1.0.11 or later.
Or visit http://tinc.nl.linux.org/, download and build yourself - at a minimum ./configure, specify the parameter --sysconfdir=/etc, and check the binary in the script
If the tinc installation gives the following error:
> ./MAKEDEV: don't know how to make device "tun"
Then create the device by hand:
# mkdir -p /dev/net # mknod /dev/net/tun c 10 200 # chown root:root /dev/net/tun # chmod 600 /dev/net/tun
2. Create config directory
# mkdir -p /etc/tinc/chaos
3. Generate keys
# tincd -n chaos --generate-keys=2048
and press return a few times...
4. Devise a network-nick and a unique IP range you will be using
This network-nick or sometimes called nodename is the name of the network endpoint/gateway where the vpn software will be running, not necessarily the name of the user, there may even be more than one gateway per user.
Used below where <nodename> is.
Please use only characters a-z, 0-9 and _ in it.
Second please select an unused IPv4 range out of IPRanges, and write yourself down in that wiki page to mark your future range as in-use. Please select from the correct ranges, 172.31.*.* for Europe, and 10.100.*.* for North America and elsewhere.
Used below where <ipv4 subnet in the vpn> is.
The usage of IPv6 networks is also possible, but we do not have a central range for this (yet), you may specify an IPv6 range you received from your (tunnel) provider to be reachable over the VPN, or a private IPv6 ULA (Unique Local Address) network described in RFC4193. For more info about ULA and a network-range generator please also see http://www.sixxs.net/tools/grh/ula/ .
Used below where <ipv6 subnet in the vpn> is.
5. Hostname
The gateway may have a DynDNS (or similar) hostname pointing to a dynamic IP, or a static hostname/fixed IP.
Used below where <clienthost> is.
6. Mail us your Infos
- send to haegar@ccc.de for a connection in Europe.
- send to join@agoralink.org for a connection outside of Europe ie North America, et al.
We need the following info:
[<nodename>] replace <nodename> with the network nick from step 4 . gatewayhost=<clienthost> This should be the external name or ip address of the client host, not a VPN address. If the client is not reachable over the internet leave it out and set hidden=1 below. . network=<ipv4 subnet in the vpn> network6=<ipv6 subnet in the vpn> this may be more than one, IPv4 or IPv6 . These subnets must be unique in our vpn, simply renumber your home network (or use something like NETMAP) with a network block that is still free. . Please use the list of assigned networks on IPRanges, and add yourself there.
owner= Admin of the VPN gateway, with email address - a way to contact the responsible person in case of problems with your network link.
key rsa-public-key - contents of /etc/tinc/chaos/rsa_key.pub
optional the following details:
port=655 if not specified tinc works on tcp+udp port 655 it is better if everyone chooses a random port for this. either this specified port or port 655 needs to accept TCP and UDP traffic from outside.
use-tcp-only=1 "I don't do udp, we only use suboptimal tcp"
hidden=1 "I cannot accept inbound tunnel connections, I can only connect out." (e.g. behind a NAT)
indirectdata=1 "I cannot accept inbound udp data packets, I can only send out." (e.g. behind a NAT)
silent=1 "I cannot connect out, but you can connect to me."
7. Awaiting Response
8. goto 6 unless $success
9. chaosvpn-client download and compile
Always needed to compile:
# git clone git://github.com/ryd/chaosvpn.git # cd chaosvpn
way 1: create a git snapshot debian package
# make deb perhaps it throws an error about missing build dependencies, install these and retry. # sudo dpkg -i ../chaosvpn_2.0*.deb install the generated package file, replace filename above with real name. it is also possible to copy the generated .deb package to a different machine of the same architecture and install it there - no need to have a full compile environment on your router/firewall.
way 2: create debian package and install this
# debuild Answer the "This package has a Debian revision number but there does not seem to be an appropriate original tar file or .orig directory in the parent directory" with "y" # sudo dpkg -i ../chaosvpn_2.0*.deb install the generated package file, replace filename above with real name.
way 3: just compile and install the raw binary
# make # sudo make install
10. Customize configfile
FIXME to be expanded
/etc/tinc/chaosvpn.conf
In the top part are the variables.
change
$my_peerid to the network nick from step 4 $my_vpn_ip to an ip address in your network range, like 172.31.x.1
11. script in /etc/ppp/ip-up to autostart, or to restart from time to time via cron
if you built a debian package and installed it the cron and ip-up parts are already setup, if you installed it manually with make install you have to do it yourself.
and with luck, it will function beautifully! ;)
todo:
tons ;)
test in particular, and adjust docs for other linux distros, and perhaps even with *bsd