This wiki is an archive up to 2023. The current wiki can be found at https://wiki.hamburg.ccc.de/
ChaosVPN:geekend1
what?
Let's do a geekend and get things done on the ChaosVPN.
where
Hamburg. In the new Hackerspace of attraktor and CCC Hamburg.
when
The Geekend will be on January 28th - 30th.
participants
- arrived: mc.fly, guus, crest
- still missing: Jens, hc, nomaam, wopot, zocker
Issues
monitoring
User:mc.fly wants to build a munin / nagios server for chaosvpn.
- the server itself is up and running.
- munin running, but no chaosvpn node configured so far
- nagios installed but not configured.
- Haegar recommends icinga
dns
Improve dns usage in ChaosVPN.
- which dnsd (pros and cons, discussion)
- anycast
connect people
connect the router at some spaces
packages
build debian and openwrt packages
- debian
  - build Packages
  - get in squeeze?
- OpenWRT
  - package
  - image with tinc and config for fonera 2.0n
Goals
- Set up warzone properly
- Get dns in the default images and improve dns use by adding nodes to the zonefile
- rework the documentation
infrastructure
lodging
- best western queens hotel hamburg around the corner
- limited sleeping in the hackerspace is possible
attendees
suggested topics
- a) maintaining the chaosvpn.net content
- b) making chaosvpn more secure - hc's nonroot changes alone are not enough
- c) (re)define a joining policy/policies
- d) getting rid of the spof vpn.hamburg.ccc.de by allowing multiple urls to be specified in chaosvpn.conf and by replicating the info on vpn.hamburg... to other nodes
- e) getting a very reliable dns that works with chaosvpn up and with chaosvpn temporarily down
Update Policy for the client
I would like to suggest the following policy:
- The central configuration is signed and encrypted
- The Signature and/or the signed configuration contains the signing timestamp
- The configuration is signed automatically at least once within 24 hours
- The signed configuration is pushed to multiple servers
When a client downloads the configuration, he executes the following steps:
- Get a list l of (IP addresses) of servers via the local configuration and/or DNS
- Sort l randomly
- c = local config
- t = age of local config
- for (i = 0; i < l.length; i++)
  - d = get config from server l[i]
  - check signature of d
  - if signature is correct:
    - u = now - timestamp of d
    - if u < t
      - c = d
      - t = u
  - if t < 24h + delta, then break for-loop
- if t > 24h + delta
  - Warn the user
In short: get a configuration from a random mirror; if it is older than 24 hours, try all other mirrors until you have found a configuration not older than 24 hours. If all mirrors have been tried, use the newest available configuration with a correct signature, and warn the user.
Suggestion by hc: warning the user won't help; if the configuration is older than, say, 7 weeks, disconnect from chaosvpn till situation resolved.
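The client steps above, combined with hc's cutoff, as an added Python example (not ChaosVPN's own code). HMAC-SHA256 stands in for the real signature scheme and encryption is left out; the `fetch` callable, the JSON `signed_at` field, the 1-hour delta and the 5-minute clock-skew allowance are assumptions. Rejecting timestamps from the future is an added check that the policy does not spell out.

```python
import hashlib, hmac, json, random

DAY = 24 * 3600
FRESH = DAY + 3600        # "24h + delta"; delta = 1h is an assumed value
HARD_LIMIT = 7 * 7 * DAY  # hc's 7-week cutoff

def sign(key, body):
    # Stand-in for the real signature scheme (assumption): HMAC-SHA256.
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def verified_timestamp(key, blob, now):
    """Return the signing timestamp if blob verifies, else None."""
    try:
        body = blob["body"].encode()
        if not hmac.compare_digest(sign(key, body), blob["sig"]):
            return None
        ts = json.loads(body)["signed_at"]  # timestamp lives inside the signed data
    except (KeyError, TypeError, ValueError, AttributeError):
        return None
    # A timestamp from the future (beyond 5 min clock skew) is treated as invalid.
    return ts if isinstance(ts, int) and ts <= now + 300 else None

def select_config(mirrors, fetch, key, local, local_ts, now, rng=random):
    """Return (config, age_seconds, state); state is ok, warn or disconnect."""
    order = list(mirrors)
    rng.shuffle(order)                       # "sort l randomly"
    best, best_ts = local, local_ts
    for url in order:
        try:
            blob = fetch(url)
        except OSError:
            continue                         # mirror unreachable, try the next
        ts = verified_timestamp(key, blob, now)
        if ts is not None and ts > best_ts:  # strictly newer only, so no rollback
            best, best_ts = blob, ts
        if now - best_ts < FRESH:
            break
    age = now - best_ts
    state = "ok" if age < FRESH else "disconnect" if age > HARD_LIMIT else "warn"
    return best, age, state

def demo():
    # Constructed sample data: three mirrors serving stale, forged and fresh configs.
    key, now = b"constructed-demo-key", 1_000_000_000
    def make(ts):
        body = json.dumps({"signed_at": ts, "nodes": []})
        return {"body": body, "sig": sign(key, body.encode())}
    stale, fresh = make(now - 3 * DAY), make(now - 3600)
    mirrors = {"m1": stale, "m2": {"body": fresh["body"], "sig": "00" * 32}, "m3": fresh}
    return select_config(list(mirrors), mirrors.__getitem__, key, stale, now - 3 * DAY, now)
```

Because the timestamp is read only from the verified body, a mirror cannot make an old configuration look fresh by changing unsigned metadata.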
questions? answers!
join the irc #chaosvpn @ spaceboyz.net