Dieses Wiki ist ein Archiv bis 2023. Das aktuelle Wiki findet sich unter https://wiki.hamburg.ccc.de/

ChaosVPN:NetBSDHowto

From CCCHHWiki
Revision as of 04:21, 24 October 2013 by Othtim (talk | contribs) (Create working directories)
Jump to: navigation, search



Install software

The following is written assuming a fresh install of NetBSD 5.2 using the GENERIC kernel, with a pkgsrc repository and networking already configured.

Install necessary programs from pkgsrc

# pkg_add  zlib
# pkg_add  bison (will install m4 as a dependancy)
# pkg_add  flex
# pkg_add  openssl
# pkg_add  gmake

we will also need to install git. Installing git from pkgsrc brings in a long list of other packages (mostly related to Perl) which I list below. If you know a netbsd git client in main that has fewer dependancies, please let me know...

# pkg_add  scmgit

adds the following packages as dependancies:

scmgit-base
scmgit-docs
tcl
tk
scmgit-gitk
perl-5
p5-Error
p5-MIME-Base64
p5-TimeDate
p5-MailTools
p5-Digest-SHA
p5-Digest-MD5
p5-Digest-HMAC
p5-Net-IP
p5-Sockets
p5-Net-DNS
p5-IO-Socket-INET6
p5-Email-Valid
p5-Net-LibIDN
p5-Net-SSLeay
p5-IO-Socket-SSL
p5-Net-SMTP
p5-GSSAPI
p5-Authen-SASL
libffi
python27
curl


Create working directories

Create a directory that will story the chaosvpn application.

# mkdir -p /usr/local/etc/tinc/chaos



Download and Install Tinc

Create a directory to store your tinc source code. This is the directory you will compile tinc from.

# mkdir -p /root/tinc

Download and extract the tinc source. As of this writing the latest stable version available is 1.0.23. It is available here:

http://tinc-vpn.org/download/
http://tinc-vpn.org/packages/tinc-1.0.23.tar.gz

Extract the file in your /root/tinc directory. You can the move into the newly extracted directory containing the tinc source. You can run the following command to configure, build, and install tinc in the appropriate directories under /usr/local :

# ./configure --disable-lzo ; make ; make install

Install ChaosVPN

Security concerns

It’s best to create a new, non-root user specifically for running ChaosVPN. This user will need to be listed in the sudoers file, and will need to be a member of the wheel group, so you can run the sudo and su commands, respectively. In the file /usr/local/etc/tinc/chaosvpn.conf, change the option $tincd_user to that new user.

Get the ChaosVPN source from the git repository

Always needed to compile:

$ git clone git://github.com/ryd/chaosvpn.git
$ cd chaosvpn


The supplied /etc/rc.d/chaosvpn file won't work on netbsd. You'll have to edit it.


Build and Install the application

After editing the makefile, we need to make and install the application.

$ gmake
$ su -
# gmake bsdinstall


Editing the Configuration Files

Open up /usr/pkg/etc/tinc/chaosvpn.conf using your favorite text editor. Change the following lines:

line 48
$tincd_bin =    "/usr/local/sbin/tincd";
needs to change to:
$tincd_bin =    "/usr/pkg/sbin/tincd";
line 51
$routeadd = "/sbin/route add -net %s $my_vpn_ip -interface \$INTERFACE"
needs to change to:
$routeadd = "/sbin/route add %s $my_vpn_ip -iface \$INTERFACE"
line 52
$routedel = "/sbin/route delete -net %s $my_vpn_ip -interface \$INTERFACE"
needs to change to:
$routedel = "/sbin/route delete %s $my_vpn_ip -iface \$INTERFACE"
line 80
$base =    "/usr/local/etc/tinc/$networkname";
needs to change to:
$base =    "/usr/pkg/etc/tinc/$networkname";


You may or may not have to edit the path to the PID file to get that to work correctly as well.



And now you're good to go!

Get your new node added to the central configuration

Devise a network-nick and a unique IP range you will be using

This network-nick or sometimes called nodename is the name of the network endpoint/gateway where the vpn software will be running,
not necessarily the name of the user, there may even be more than one gateway per user.

Used below where <nodename> is.

Please use only characters a-z, 0-9 and _ in it. Note that only lowercase letters are supported.

Second please select an unused IPv4 range out of IP Range, and write yourself down in that wiki page to mark your future range as in-use.
Please select from the correct ranges, 172.31.*.* for Europe, and 10.100.*.* for North America and elsewhere.

Repeat: Please do not forget to add yourself to the list at IP Range to mark your range as used.

Used below where <ipv4 subnet in the vpn> is.

The usage of IPv6 networks is also possible, but we do not have a central range for this (yet),
you may specify an IPv6 range you received from your (tunnel) provider to be reachable over the VPN,
or a private IPv6 ULA (Unique Local Address) network described in RFC4193.
For more info about ULA and a network-range generator please also see http://www.sixxs.net/tools/grh/ula/ .

Used below where <ipv6 subnet in the vpn> is.

Hostname

The gateway may have a DynDNS (or similar) hostname pointing to a dynamic IP, or a static hostname/fixed IP.

Better supply a hostname than a raw IP address even if it is static, so you can change it youself and do not need to contact us when needed. (Perhaps something like chaosvpn.yourdomain.example)

Used below where <clienthost> is.

Generate keys

Generate keys with tinc 1.1+

# tinc --net=chaos init <nodename>

Replace <nodename> with the name your new node should get.

**FIXME** need some way that "tinc init" puts the public key into the seperate files and not only into the generated hosts file, which our chaosvpn daemon overwrites.

generate public/private RSA and ECDSA keypairs with

# tinc --net=chaos generate-keys 2048

press Enter 4 times and backup the files /etc/tinc/chaos/ecdsa_key.priv, ecdsa_key.pub, rsa_key.priv and rsa_key.pub on an external device.

Generate keys with tinc 1.0.xx

create chaos config folder with

# mkdir /etc/tinc/chaos/

generate public/private keypairs with

# tincd --net=chaos --generate-keys=2048

press Enter 2 times and backup the files /etc/tinc/chaos/rsa_key.priv and rsa_key.pub on an external device.

Mail us your Infos

  • send via email to chaosvpn-join@hamburg.ccc.de

We need the following info - but please be so kind and also add a short description of you/your space and your motivation to join chaosvpn - or at least make us laugh. :)

(Please remove all lines starting with # from the email, they are just descriptions)

[<nodename>]

sponsor=
# Name a person/nickname/nodename or organisation/hackerspace already on ChaosVPN that will
# vouch for you getting access.

gatewayhost=<clienthost>
# This should be the external hostname or ip address of the client host, not a VPN address.
# If the client is not reachable over the internet leave it out and set hidden=1 below.
# If possible supply a hostname (even dyndns) and not an ip address for easier changing
# from your side without touching the central config.

network=<ipv4 subnet in the vpn>
network6=<ipv6 subnet in the vpn>
# (mandatory, must include)
# this may be more than one, IPv4 or IPv6, network6 with  IPv6 is optional
#
# These subnets must be unique in our vpn,
# simply renumber your home network (or use something like NETMAP) with a network block that is still free.
#
# Please use the list of assigned networks on ChaosVPN:IPRanges, and add yourself there.

owner=
# (mandatory, must include)
# Admin of the VPN gateway, with email address - a way to contact the responsible
# person in case of problems with your network link.

port=4712
# (optional)
# if not specified tinc works on tcp+udp port 655
# it is better if everyone chooses a random port for this.
# either this specified port or port 655 should accept TCP and UDP traffic from internet.

hidden=0
# (optional)
# "I cannot accept inbound tunnel connections, I can only connect out."
# (e.g. behind a NAT)
silent=0
# (optional)
# "I cannot connect out, but you can connect to me."
# Only ONE of hidden=1 or silent=1 is possible. 

Ed25519PublicKey=<something>
# (optional)
# tinc 1.1pre11+ only, contents of your /etc/tinc/chaos/ed25519_key.pub

-----BEGIN RSA PUBLIC KEY-----
....
-----END RSA PUBLIC KEY-----
# (mandatory)
# rsa-public-key - contents of your /etc/tinc/chaos/rsa_key.pub


Awaiting Response, give us some days, your request is processed manually

Retry until $success or $reject - but do not spam us.



Enable Starting of ChaosVPN

You will have to run the following at least one time to update the /usr/pkg/etc/tinc/chaos/tinc-up and /usr/pkg/etc/tinc/chaos/tinc-down files with the new structure.

# chaosvpn -o 


Start the daemon however you want. The /etc/rc.d/chaosvpn that comes by default is not right for a default install of NetBSD. I would recommend removing it.

You may want to use the following in your /etc/rc.d:

Sample chaosvpn rc.d

Dont forget to run # chmod +x /etc/rc.d/chaosvpn

Uninstall

But why would you want to? :)

rm /etc/rc.d/chaosvpn
rm /usr/pkg/sbin/chaosvpn
rm -rf /usr/pkg/etc/tinc/*