This wiki is an archive up to 2023. The current wiki can be found at https://wiki.hamburg.ccc.de/

ChaosVPN:DebianHowto

From CCCHHWiki
Revision as of 00:22, 12 April 2010 by Haegar (talk | contribs) (6. Mail us your Infos)

and AgoraLink::DebianHowto


THIS DOCUMENTATION IS ONLY PARTIALLY FINISHED FOR CHAOSVPN 2.0!

QUICK HOWTO FOR DEBIAN USERS

0. Install necessary helper programs

needed to use the chaosvpn client:

# apt-get install tinc iproute libssl0.9.8 zlib1g

needed to compile the chaosvpn client if you are not using a pre-built Debian package for it:

# apt-get install build-essential git-core bison flex libssl-dev zlib1g-dev

(see below for downloadable pre-built packages)

additionally needed to build the Debian packages yourself:

# apt-get install debhelper devscripts

1. Install tinc

# apt-get install tinc

You need either the package from Debian squeeze/unstable, or a lenny backport such as the one from http://debian.sdinet.de/lenny/sdinet/tinc/

This should be at least tinc version 1.0.13, but it may work with 1.0.10 or later.

Alternatively visit http://tinc.nl.linux.org/, download the source and build it yourself. At a minimum run ./configure with the parameter --sysconfdir=/etc (so tinc looks for its configuration in /etc/tinc), and check that the chaosvpn script points at the tincd binary you installed.

If the tinc installation gives the following error:

> ./MAKEDEV: don't know how to make device "tun"

Then create the device by hand:

# mkdir -p /dev/net
# mknod /dev/net/tun c 10 200
# chown root:root /dev/net/tun
# chmod 600 /dev/net/tun

2. Create config directory

# mkdir -p /etc/tinc/chaos

3. Generate keys

# tincd -n chaos --generate-keys=2048

and press return a few times to accept the default file names. This writes the private key to /etc/tinc/chaos/rsa_key.priv (keep it on the gateway, readable only by root, and never send it to anyone) and the public key to /etc/tinc/chaos/rsa_key.pub, which is the only key file you hand over in step 6.

4. Devise a network-nick and a unique IP range you will be using

This network nick, sometimes called the nodename, is the name of the network endpoint/gateway on which the VPN software runs. It is not necessarily the name of the user; one user may even run more than one gateway, each with its own nodename.

Used below where <nodename> is.

Please use only characters a-z, 0-9 and _ in it.

 

Second, select an unused IPv4 range from the IPRanges wiki page and add yourself to that page to mark your future range as in use. Select from the block for your region: 172.31.0.0/16 (172.31.*.*) for Europe, and 10.100.0.0/16 (10.100.*.*) for North America and elsewhere.

Repeat: Please do not forget to add yourself to the list at IPRanges to mark your range as used.

Used below where <ipv4 subnet in the vpn> is.

 

IPv6 networks can be used as well, but we do not have a central range for them (yet). You may announce an IPv6 range you received from your (tunnel) provider to make it reachable over the VPN, or a private IPv6 ULA (Unique Local Address) network as described in RFC 4193. For more information about ULAs and a prefix generator see http://www.sixxs.net/tools/grh/ula/ .

Used below where <ipv6 subnet in the vpn> is.

5. Hostname

The gateway may have a DynDNS (or similar) hostname pointing to a dynamic IP, or a static hostname/fixed IP.

Used below where <clienthost> is.

6. Mail us your Infos

  • send to haegar@ccc.de for a connection in Europe.
  • send to join@agoralink.org for a connection outside of Europe, i.e. North America et al.

We need the following info:

[<nodename>]
# replace <nodename> with the network nick from step 4
gatewayhost=<clienthost>
# This should be the external name or ip address of the client host, not a VPN address.
# If the client is not reachable over the internet leave it out and set hidden=1 below.
network=<ipv4 subnet in the vpn>
network6=<ipv6 subnet in the vpn>
# (mandatory, must include)
# this may be more than one, IPv4 or IPv6
#
# These subnets must be unique in our vpn,
# simply renumber your home network (or use something like NETMAP) with a network block that is still free.
#
# Please use the list of assigned networks on IPRanges, and add yourself there.
owner=
# (mandatory, must include)
# Admin of the VPN gateway, with email address - a way to contact the responsible
# person in case of problems with your network link.
port=655
# (optional)
# if not specified tinc works on tcp+udp port 655
# it is better if everyone chooses a random port for this.
# either this specified port or port 655 needs to accept TCP and UDP traffic from outside.
use-tcp-only=1
# (optional)
# "I don't do udp, we only use suboptimal tcp"
hidden=1
# (optional)
# "I cannot accept inbound tunnel connections, I can only connect out."
# (e.g. behind a NAT)
indirectdata=1
# (optional)
# "I cannot accept inbound udp data packets, I can only send out."
# (e.g. behind a NAT)
silent=1
# (optional)
# "I cannot connect out, but you can connect to me."
key
# (mandatory, must include)
# rsa-public-key - contents of /etc/tinc/chaos/rsa_key.pub
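The checks behind steps 4 and 6 (the node-name alphabet, a range that lies inside the right region block and does not overlap an already assigned one, an RFC 4193 ULA prefix, a random port instead of 655, and assembling the block above without accidentally pasting the private key) as an added Python example. This is not ChaosVPN project code; the function names, the SAMPLE_ASSIGNED list (constructed, not the real IPRanges page) and the way the PEM is appended under the `key` line are assumptions.

```python
"""Checks for steps 4 and 6 of the howto (added example, not ChaosVPN code).
Region blocks and node-name alphabet are from the howto; everything else
(function names, SAMPLE_ASSIGNED, key attachment format) is an assumption."""
import hashlib
import ipaddress
import re
import secrets
import time
import uuid
from typing import Optional

# Step 4: region blocks named in the howto.
REGION_BLOCKS = {
    "europe": ipaddress.ip_network("172.31.0.0/16"),
    "other": ipaddress.ip_network("10.100.0.0/16"),
}
NODENAME_RE = re.compile(r"^[a-z0-9_]+$")
# Constructed sample of an IPRanges assignment list (not real data).
SAMPLE_ASSIGNED = ["172.31.1.0/24", "172.31.2.0/23", "10.100.7.0/24"]


def valid_nodename(name: str) -> bool:
    """Step 4: only a-z, 0-9 and _ are allowed in the network nick."""
    return bool(NODENAME_RE.match(name))


def check_ipv4_range(region: str, cidr: str, assigned) -> Optional[str]:
    """None if cidr is usable, otherwise the reason it is not.  strict=True
    rejects host bits set (172.31.9.1/24); the range must sit inside its
    region block and must not overlap anything already assigned."""
    try:
        net = ipaddress.IPv4Network(cidr, strict=True)
    except ValueError as e:
        return f"not a valid IPv4 network: {e}"
    block = REGION_BLOCKS[region]
    if not net.subnet_of(block):
        return f"{net} is outside the {region} block {block}"
    for a in assigned:
        other = ipaddress.IPv4Network(a)
        if net.overlaps(other):
            return f"{net} overlaps already assigned {other}"
    return None


def generate_ula_prefix(eui64: Optional[bytes] = None,
                        now: Optional[float] = None) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: SHA-1 over (64-bit NTP time || EUI-64); the
    low 40 bits are the Global ID behind fd00::/8, giving a /48 prefix."""
    if now is None:
        now = time.time()
    if eui64 is None:  # derive an EUI-64 from the host MAC (uuid.getnode())
        mac = uuid.getnode().to_bytes(6, "big")
        eui64 = mac[:3] + b"\xff\xfe" + mac[3:]
    secs = (int(now) + 2208988800) & 0xFFFFFFFF          # NTP epoch is 1900
    frac = int((now - int(now)) * (1 << 32)) & 0xFFFFFFFF
    key = secs.to_bytes(4, "big") + frac.to_bytes(4, "big") + eui64
    global_id = int.from_bytes(hashlib.sha1(key).digest()[-5:], "big")
    addr = ((0xFD << 40) | global_id) << 80   # fd | global id | subnet | iid
    return ipaddress.IPv6Network((addr, 48))


def pick_random_port() -> int:
    """Step 6 recommends a random port rather than the default 655."""
    return 1024 + secrets.randbelow(65535 - 1024 + 1)


def render_node_info(nodename, owner, networks, pubkey, gatewayhost=None,
                     port=None, hidden=False, use_tcp_only=False,
                     indirectdata=False, silent=False) -> str:
    """Assemble the step 6 block.  Refuses anything that looks like a private
    key: only the contents of /etc/tinc/chaos/rsa_key.pub may be sent."""
    if not valid_nodename(nodename):
        raise ValueError(f"bad nodename {nodename!r}: use only a-z, 0-9 and _")
    if "PRIVATE KEY" in pubkey or "PUBLIC KEY" not in pubkey:
        raise ValueError("key must be rsa_key.pub, never rsa_key.priv")
    if hidden and gatewayhost:
        raise ValueError("hidden=1 means not reachable: leave gatewayhost out")
    if not hidden and not gatewayhost:
        raise ValueError("give gatewayhost, or set hidden=1 if unreachable")
    if not networks:
        raise ValueError("at least one network/network6 range is mandatory")
    lines = [f"[{nodename}]"]
    if gatewayhost:
        lines.append(f"gatewayhost={gatewayhost}")
    for n in networks:
        net = ipaddress.ip_network(n, strict=True)
        lines.append(f"network{'6' if net.version == 6 else ''}={net}")
    lines.append(f"owner={owner}")
    if port is not None:
        lines.append(f"port={port}")
    for flag, on in (("use-tcp-only", use_tcp_only), ("hidden", hidden),
                     ("indirectdata", indirectdata), ("silent", silent)):
        if on:
            lines.append(f"{flag}=1")
    # Assumption: the PEM is appended after the "key" line as in the template.
    lines.append("key")
    lines.append(pubkey.strip())
    return "\n".join(lines) + "\n"
```

Run check_ipv4_range against the current contents of the IPRanges page before you write yourself down there; the SAMPLE_ASSIGNED list only stands in for it here. The private-key check is the one that matters most: rsa_key.priv and rsa_key.pub sit side by side in /etc/tinc/chaos, and pasting the wrong one into a mail cannot be undone.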

7. Awaiting Response

8. goto 6 unless $success

9. chaosvpn-client download and/or compile

The easy way: use a pre-built Debian package.

Download the pre-built Debian package from

For Debian Unstable:         http://debian.sdinet.de/sid/sdinet/chaosvpn/
For Debian Stable / Lenny:   http://debian.sdinet.de/lenny/sdinet/chaosvpn/
For Debian Oldstable / Etch: http://debian.sdinet.de/etch/sdinet/chaosvpn/

Fetch the newest *.deb file for your architecture from the matching directory above. Files ending in _i386.deb are for 32-bit installs, files ending in _amd64.deb are for 64-bit installs (both Intel and AMD).

If there is no file for your Debian release and/or architecture, skip to the self-compiling alternative below.

# wget http://debian.sdinet.de/lenny/sdinet/chaosvpn/chaosvpn_2.0~rc9-0.0~deb50_i386.deb

Make sure the dependencies are already installed (most likely they are):

# apt-get install tinc libssl0.9.8 zlib1g perl-base

Install the newly downloaded package. Note that dpkg -i performs no signature check and the download above is plain HTTP, so fetch the file only from the directories listed above and check that the version and architecture in the file name are what you expect:

# dpkg -i chaosvpn_2*.deb

The software should now be installed, continue with step 10 below.

Alternative: compile yourself from our git repository

Always needed to compile:

# git clone git://github.com/ryd/chaosvpn.git
# cd chaosvpn

way 1: create a git snapshot Debian package

# make deb
 If this fails with an error about missing build dependencies, install them and retry.
# sudo dpkg -i ../chaosvpn_2.0*.deb
 Install the generated package file; replace the filename above with the real name.
 It is also possible to copy the generated .deb package to a different machine of the same
 architecture and install it there, so there is no need for a full compile environment
 on your router/firewall.
 

way 2: create a Debian package from the packaged sources and install it

# debuild
 Answer the question "This package has a Debian revision number but there does not seem to be
 an appropriate original tar file or .orig directory in the parent directory" with "y".
# sudo dpkg -i ../chaosvpn_2.0*.deb
 Install the generated package file; replace the filename above with the real name.

way 3: just compile and install the raw binary

# make
# sudo make install

10. Customize configfile

FIXME to be expanded

/etc/tinc/chaosvpn.conf

The variables are in the top part of the file.

Change

$my_peerid to the network nick (nodename) from step 4
$my_vpn_ip to an IP address inside your network range from step 4, like 172.31.x.1

After all changes (re-)start the chaosvpn client:

# /etc/init.d/chaosvpn start

If everything is correct there should now be a tinc daemon running, and the output of 'route -n' should show many routes pointing to the new 'chaos_vpn' network interface.

11. Script in /etc/ppp/ip-up to autostart, or to restart from time to time via cron

If you built a Debian package and installed it, the cron and ip-up parts are already set up. If you installed manually with make install you have to set them up yourself.


And with luck, it will function beautifully! ;)


todo: tons ;) testing in particular, adjusting the docs for other Linux distributions, and perhaps even for *BSD