mirror of https://git.dn42.dev/wiki/wiki.git synced 2024-11-23 07:43:29 +01:00

backport (cosmetic) changes from wiki-ng

This commit is contained in:
lare 2023-04-08 22:08:13 +02:00
parent 4c127e7c98
commit 37d7831fd4
46 changed files with 961 additions and 824 deletions

View File

@ -19,7 +19,7 @@
- **RetroShare** can be run as a darknet (friend-to-friend) by default to perform anonymous file transfers if DHT and Discovery features are disabled.
- **GNUnet** is a darknet if the "F2F (network) topology" option is enabled.
- **Syndie** is software used to publish distributed forums over the anonymous networks of I2P, Tor and Freenet.
OneSwarm can be run as a darknet for friend-to-friend file-sharing.
- OneSwarm can be run as a darknet for friend-to-friend file-sharing.
- **Tribler** can be run as a darknet for file-sharing.
## BGP Routed IP
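Review bot: the OneSwarm item in this hunk now carries the list marker its neighbours use, but it is the only entry in the list whose project name is not bolded; for consistency with `- **RetroShare** can be run as a darknet ...` and `- **Tribler** can be run as a darknet for file-sharing.` it should read `- **OneSwarm** can be run as a darknet for friend-to-friend file-sharing.`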

View File

@ -26,7 +26,7 @@ Note: This file covers the configuration of Bird 1.x. For an example configurati
## IPv6
```
```conf
#/etc/bird/bird6.conf
protocol device {
scan time 10;
@ -96,7 +96,7 @@ template bgp dnpeers {
include "/etc/bird/peers6/*";
```
```
```conf
# /etc/bird/local6.conf
# should be a unique identifier, use same id as for ipv4
router id <GATEWAY_IP>;
@ -115,7 +115,7 @@ function is_valid_network() {
}
```
```
```conf
# /etc/bird/peers6/<PEER_NAME>
protocol bgp <PEER_NAME> from dnpeers {
neighbor <PEERING_IP> as <PEER_AS>;
@ -126,7 +126,7 @@ protocol bgp <PEER_NAME> from dnpeers {
### IPv4
```
```conf
# /etc/bird/bird.conf
# Device status
protocol device {
@ -205,7 +205,7 @@ template bgp dnpeers {
include "/etc/bird/peers4/*";
```
```
```conf
#/etc/bird/local4.conf
# should be a unique identifier, <GATEWAY_IP> is what most people use.
router id <GATEWAY_IP>;
@ -232,7 +232,7 @@ function is_valid_network() {
}
```
```
```conf
# /etc/bird/peers4/<PEER_NAME>
protocol bgp <PEER_NAME> from dnpeers {
neighbor <PEERING_IP> as <PEER_AS>;
@ -276,27 +276,27 @@ ROA files generated by [roa_wizard](https://git.dn42.dev/Kioubit/roa_wizard) are
You can add cron entries to periodically update the tables:
```
```conf
*/15 * * * * curl -sfSLR {-o,-z}/var/lib/bird/bird6_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_6.conf && chronic birdc6 configure
*/15 * * * * curl -sfSLR {-o,-z}/var/lib/bird/bird_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_4.conf && chronic birdc configure
```
Debian version:
```
```conf
*/15 * * * * curl -sfSLR -o/var/lib/bird/bird6_roa_dn42.conf -z/var/lib/bird/bird6_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_6.conf && /usr/sbin/birdc6 configure
*/15 * * * * curl -sfSLR -o/var/lib/bird/bird_roa_dn42.conf -z/var/lib/bird/bird_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_4.conf && /usr/sbin/birdc configure
```
then create the directory to make sure curls can save the files:
```
```sh
mkdir -p /var/lib/bird/
```
Or use a systemd timer: (check the commands before copy-pasting)
```
```conf
# /etc/systemd/system/dn42-roa.service
[Unit]
Description=Update DN42 ROA
@ -308,7 +308,7 @@ ExecStart=curl -sfSLR -o /etc/bird/roa_dn42_v6.conf -z /etc/bird/roa_dn42_v6.con
ExecStart=birdc configure
```
```
```conf
# /etc/systemd/system/dn42-roa.timer
[Unit]
Description=Update DN42 ROA periodically
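Review bot: the first crontab entry, `*/15 * * * * curl -sfSLR {-o,-z}/var/lib/bird/bird6_roa_dn42.conf ...`, relies on brace expansion, which the `/bin/sh` that cron runs commands with does not perform unless the crontab sets `SHELL=/bin/bash`; the "Debian version" below already spells the `-o` and `-z` options out, so the text should either explain why the two variants exist or keep only the expanded form. The `&&` chaining is the right shape and worth a sentence: with `-f`, a failed download makes curl exit non-zero, so `birdc configure` is not run against a missing or truncated ROA file. Tagging the crontab and unit-file blocks `conf` and the `mkdir -p /var/lib/bird/` block `sh` is correct.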
@ -328,26 +328,28 @@ then enable and start the timer with `systemctl enable --now dn42-roa.timer`.
* Download gortr
`https://github.com/cloudflare/gortr/releases`
<https://github.com/cloudflare/gortr/releases>
* Run gortr.
```
```sh
./gortr -verify=false -checktime=false -cache=https://dn42.burble.com/roa/dn42_roa_46.json
```
* Run with docker
`docker pull cloudflare/gortr`
```sh
docker pull cloudflare/gortr
```
```sh
docker run --name dn42rpki -p 8282:8282 --restart=always -d cloudflare/gortr -verify=false -checktime=false -cache=https://dn42.burble.com/roa/dn42_roa_46.json
```
* Add this to your bird configure file,other ROA protocol must removed.
```
```conf
protocol rpki rpki_dn42{
roa4 { table dn42_roa; };
roa6 { table dn42_roa_v6; };
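Review bot: the gortr invocations in this hunk (`./gortr -verify=false -checktime=false -cache=https://dn42.burble.com/roa/dn42_roa_46.json` and the `docker run` equivalent) switch off signature verification and validity-time checking of the cache, so the integrity of the ROA data then rests entirely on the TLS connection to dn42.burble.com; the page should state that next to the commands instead of leaving the flags unexplained. The unchanged line `* Add this to your bird configure file,other ROA protocol must removed.` also needs a grammar pass, e.g. "Add this to your bird configuration file; any other ROA protocol must be removed."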
@ -364,7 +366,7 @@ protocol rpki rpki_dn42{
In your import filter add the following to reject invalid routes:
```
```conf
if (roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID) then {
print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
reject;
@ -373,7 +375,7 @@ if (roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID) then {
Also, define your ROA table with:
```
```conf
roa table dn42_roa {
include "/var/lib/bird/bird_roa_dn42.conf";
};
@ -386,7 +388,7 @@ roa table dn42_roa {
bird can be remote controlled via the `birdc` command. Here is a list of useful bird commands:
```
```sh
$ birdc
BIRD 1.4.5 ready.
bird> configure # reload configuration

View File

@ -26,7 +26,7 @@ When copying the configuration below onto your system, you will have to enter th
* The same goes for `<OWNNETv6>`, but it takes an IPv6 subnet (Who'd have thought).
* Keep in mind that you'll have to enter both networks in the OWNNET{,v6} and OWNNETSET{,v6}, the two variables are required due to set parsing difficulties with variables.
```
```conf
################################################
# Variable header #
################################################
@ -182,7 +182,7 @@ The example config above relies on ROA configuration files in `/etc/bird/roa_dn4
To use an RTR server for ROA information, replace this config in your bird2 configuration file:
```
```conf
protocol static {
roa4 { table dn42_roa; };
include "/etc/bird/roa_dn42.conf";
@ -196,7 +196,7 @@ protocol static {
... with this one (by changing address and port so it points to your RTR server)
```
```conf
protocol rpki roa_dn42 {
roa4 { table dn42_roa; };
roa6 { table dn42_roa_v6; };
@ -228,7 +228,7 @@ Please note: This section assumes that you've already got a tunnel to your peeri
First, make sure the /etc/bird/peers directory exists:
```
```sh
# mkdir -p /etc/bird/peers
```
@ -246,4 +246,4 @@ protocol bgp <NEIGHBOR_NAME>_v6 from dnpeers {
}
```
Due to the special link local addresses of IPv6, an interface has to be specified using the %<if> syntax if a link local address is used (Which is recommended)
Due to the special link local addresses of IPv6, an interface has to be specified using the `%<if>` syntax if a link local address is used (Which is recommended)

View File

@ -11,14 +11,14 @@ Running email in dn42 is not very complicated. Your SMTP daemon probably alread
| Handle | Alias | Redirection |
|:------------ |:-------------- |:--------------------- |
| `STV0G-DN42` | stv0g@dn42.org | post@steffenvogel.de` |
| `STV0G-DN42` | stv0g@dn42.org | `post@steffenvogel.de` |
## Test email
~~Send an email to `test@evenet.dn42` to check if your mail setup is correct.~~ This host will reply using the following
sieve filter:
```
```conf
require ["regex", "variables", "vacation-seconds"];
if header :contains "To" ["test@evenet.dn42"] {
if header :matches "Subject" "*" {
@ -41,31 +41,35 @@ This is controlled by the `ignore_target_hosts` variable in the configuration fi
### Receiving emails
Don't forget to add your dn42 domains to the list of local domains, so that you accept incoming emails. On Debian, it is controlled by `dc_other_hostnames` in `update-exim4.conf.conf`. For instance:
```conf
dc_other_hostnames='myself.org;myself.dn42;myserver.myself.dn42'
```
## Postfix
### Sending Mails
If your machine sends/receives Mails in "clearnet" with specific bound IP's you need to create an additional transport in master.cf
```conf
out_dn42 unix - - n - - smtp
-o smtp_bind_address=172.23.67.1
-o smtp_bind_address6=fd70:96c9:ef25::1
-o smtp_helo_name=ns1.mhm.dn42
-o syslog_name=postfix-dn42
```
and add this transport to /etc/postfix/transport for dn42 (and dont forget to postmap)
```
.dn42 out_dn42:
```
This should to the trick for sending mails via your DN42-IP
If you use `smtpd_recipient_restrictions` you can use the following rule to white-list dn42 as sender.
This can circumvent certain rdns configuration failure or in case you use rbl lists:
```
```conf
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,
check_client_access cidr:/etc/postfix/dn42.cidr,
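Review bot: the transport-map fence in this hunk (the bare fence around `.dn42 out_dn42:`) is left untagged while the neighbouring fences are retagged `conf`; it should be tagged as well. The unchanged prose around it has small errors worth fixing in the same pass: "specific bound IP's" should be "specific bound IPs", "dont forget to postmap" should be "don't forget to postmap", and `This should to the trick for sending mails via your DN42-IP` should read "This should do the trick for sending mails via your DN42 IP."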
@ -74,14 +78,14 @@ smtpd_recipient_restrictions = permit_mynetworks,
permit
```
```
```conf
#/etc/postfix/dn42.cidr
172.16.0.0/12 OK
10.0.0.0/8 OK
fc00::/7 OK
```
```
```sh
$ postmap /etc/postfix/dn42.cidr
```

View File

@ -20,7 +20,7 @@ Ask me if you want to know if I have implemented those items already.
# Configuration
```
```conf
firewall {
all-ping enable
broadcast-ping disable

View File

@ -12,16 +12,20 @@ This configuration assumes that both peers have static public IPs.
You'll need to generate a public/private keypair for your router if you intend to use "plainrsa" authentication for your IPsec connections. The local public key listed in the output is what you'll send to your peer.
```sh
ryan@edge1:~$ generate vpn rsa-key bits 4096
ryan@edge1:~$ show vpn ike rsa-keys
Local public key (/config/ipsec.d/rsa-keys/localhost.key):
0sAQPNdF370ZEbN+kZUJQ10qnBlZujrg39ujfk20ILTjELksOIdJw/4jiU1MfpqFDKuB/XxERwJQp2POsFyV/n76jAgxIYBfFYfuaBcIH1rdNQtDhCnkmWzlueRXGEsz0Af79n8TKyQ9otzNhJ2cPE1CWCJbKqbIUN3piviLgGlItWNeya+Tl3Oj3ZfEVwr1QOvUAw32+m4L8T9jf1vqSlOTHpRpxxPWBrLEzstk0FOcZISji2JBpDOCU8Kpyyf74JM+LxsOIHwmS15b6iFZR3U9KZLqbbd0dSy/cM8P4XjrwM5UMyRDjrLqvuA/K/33BgtnxdQR3e9DJoYH3Qr8eRgSkR+jHyq06LvgHkHbMvrEjUnc3n8bg+YfR4oyJpIWsKjfIXmN1Q51KzxAPIAww+YSYUYtamSsQsspVAtMIQqR4e0r1In1qyoSn8VCPlksNMWpqYHbSjDo5HJYoSwxf2epzMtCvhenn0OuiH0xlgzziA+wBi6txksTMvJYcPJYnBVR2NIBjkWftOfmkY+rKMozViGjyd6kB7C8lqd8W7Ha5Ds2WxIY22DM3HcYH/zTp9z2xbuMOsbIgib/Y12Kh0wHyCz0lzFvs+d6CZwinyIXNKB/Vo4iiwT5luL5mGqf3pZx4zB+30GYSs/6MaELRF9BxD7tfqYCkOLXUtxyZ4Pdl2sw==
```
If your peer sends you a key in PEM format (starts with `-----BEGIN PUBLIC KEY-----`), you'll need to convert it to the format used by EdgeOS (begins with `0s`) in order to insert it into the configuration. See [this forum post](http://community.ubnt.com/t5/EdgeMAX/ERL-lt-gt-Mikrotik-IPsec-Connections/m-p/534682#M13015) for a script to convert between the two key formats.
## Configuration
```conf
firewall {
all-ping enable
broadcast-ping disable
@ -499,3 +503,4 @@ If your peer sends you a key in PEM format (starts with `-----BEGIN PUBLIC KEY--
interface eth0
}
}
```

View File

@ -21,7 +21,7 @@ ifconfig gre$INDEX descr $DESCR
Add this to your `rc.conf`.
```
```conf
cloned_interfaces="$cloned_interfaces gre0"
ifconfig_gre0="10.0.0.1 10.0.0.2 netmask 0xffffffff tunnel 1.2.3.4 5.6.7.8 descr foo"
```

View File

@ -9,7 +9,7 @@ Let `fd42::` and `fd42::1` be the IPs of *A* and *D* respectively where both are
## pseudo interface
Populate [`/etc/hostname.gre0`](https://man.openbsd.org/hostname.if.5) with:
```
```conf
tunnel A.example.com D.example.net
inet6 fd42::/127
```
@ -21,7 +21,7 @@ Reboot or run [`sh /etc/netstart gre0`](https://man.openbsd.org/netstart.8) to b
## miscellaneous
Populate `/etc/sysctl.conf` with:
```
```conf
net.inet.gre.allow=1
```
Reboot or run `sysctl net.inet.gre.allow=1` to allow GRE packet processing.

View File

@ -67,7 +67,7 @@ Common authentication methods are:
- SSH Key: `auth: ssh-{rsa,ed25519} <key>`
Example: data/mntner/FOO-MNT
```
```conf
mntner: FOO-MNT
admin-c: FOO-DN42
tech-c: FOO-DN42
@ -93,7 +93,7 @@ Contact attributes are optional but DN42 is a dynamic network and being able to
Example: data/person/FOO-DN42
```
```conf
person: John Doe
e-mail: john.doe@example.com
nic-hdl: FOO-DN42
@ -116,7 +116,7 @@ If you intend to register resources for an organisation (e.g. your hackerspace),
- don't forget to set `mnt-by` to `<FOO>-MNT`, since you're managing this object on behalf of your organisation.
Example: data/organisation/ORG-EXAMPLE
```
```conf
organisation: ORG-FOO
org-name: Foo Organisation
admin-c: FOO-DN42
@ -153,7 +153,7 @@ Internet ASNs may be used, but you must take care to clearly separate Internet a
If unsure, ask on the mailing list or IRC.
Example: data/aut-num/AS4242423999
```
```conf
aut-num: AS4242423999
as-name: AS-FOO-DN42
admin-c: FOO-DN42
@ -179,7 +179,7 @@ A few websites can generate random ULA prefixes for you:
or a small script is available: [ulagen.py](https://git.dn42.dev/netravnen/dn42-repo-utils/src/master/ulagen.py)
example: data/inet6num/fd35:4992:6a6d::_48
```
```conf
inet6num: fd35:4992:6a6d:0000:0000:0000:0000:0000 - fd35:4992:6a6d:ffff:ffff:ffff:ffff:ffff
cidr: fd35:4992:6a6d::/48
netname: FOO-NETWORK
@ -223,7 +223,7 @@ If you need a /24 or larger, please ask in the IRC chan or on the mailing list a
**Note:** Reverse DNS works with _any_ prefix length, as long as your [recursive nameserver](/services/DNS) supports [RFC 2317](https://www.ietf.org/rfc/rfc2317.txt). Don't go for a /24 _just to have RDNS_.
example: data/inetnum/172.20.150.0_27
```
```conf
inetnum: 172.20.150.0 - 172.20.150.31
cidr: 172.20.150.0/27
netname: FOO-NETWORK
@ -241,7 +241,7 @@ source: DN42
If you plan to announce your prefixes in dn42, which you probably want in most cases, you will also need to create a `route6` object for ipv6 prefixes and a `route` object for ipv4 prefixes. This information is used for Route Origin Authorization (ROA) checks. If you skip this step, your network will probably get filtered by most major peers. Checking ROA will prevent (accidental) hijacking of other people's prefixes.
example: data/route6/fd35:4992:6a6d::_48
```
```conf
route6: fd35:4992:6a6d::/48
origin: AS4242423999
max-length: 48
@ -250,7 +250,7 @@ source: DN42
```
example data/route/172.20.150.0_27:
```
```conf
route: 172.20.150.0/27
origin: AS4242423999
max-length: 27
@ -266,7 +266,7 @@ To register a domain name, create a `dns` object in the data/dns directory.
Domain names and nserver attributes must be lowercase.
example: data/dns/foo.dn42
```
```conf
domain: foo.dn42
admin-c: FOO-DN42
tech-c: FOO-DN42
@ -280,13 +280,13 @@ source: DN42
You can also add DNSSEC delegations using `ds-rdata` attributes to your domain:
```
```conf
ds-rdata: 61857 13 2 bd35e3efe3325d2029fb652e01604a48b677cc2f44226eeabee54b456c67680c
```
For reverse DNS, add `nserver` attributes to you inet{,6}num objects:
```
```conf
inet6num: fd35:4992:6a6d:0000:0000:0000:0000:0000 - fd35:4992:6a6d:ffff:ffff:ffff:ffff:ffff
cidr: fd35:4992:6a6d::/48
netname: FOO-NETWORK

View File

@ -10,7 +10,7 @@ These instructions are for IPsec in transport mode not IPsec in tunnel mode. IPs
## Kernel configuration
The FreeBSD GENERIC kernel lacks support for in-kernel IPsec processing. Add this two lines to your kernel config and (re-)build your own kernel.
If you're new to FreeBSD check Chapters [15.9.1](http://www.freebsd.org/doc/handbook/ipsec.html) and [9](http://www.freebsd.org/doc/handbook/kernelconfig.html) of the FreeBSD handbook.
```
```conf
options IPSEC #IP security
device crypto
```
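Review bot: the unchanged line `The FreeBSD GENERIC kernel lacks support for in-kernel IPsec processing. Add this two lines to your kernel config ...` has a grammar slip; it should read "Add these two lines". The `conf` tag added to the kernel-config fragment (`options IPSEC` / `device crypto`) is appropriate.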
@ -20,7 +20,7 @@ Reboot into your new kernel.
Install the racoon daemon. It's included in the [security/ipsec-tools](http://www.freshports.org/security/ipsec-tools/) port.
Racoon is pain in the ass to configure the first time because it's error messages aren't helping and the complexity of IPsec. Don't let this stop you.
```
```conf
path pre_shared_key "/usr/local/etc/racoon/psk";
path certificate "/usr/local/etc/racoon/certs";
log info;
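Review bot: the unchanged sentence `Racoon is pain in the ass to configure the first time because it's error messages aren't helping and the complexity of IPsec.` should use "its" (possessive) rather than "it's", and reads better as "because its error messages are unhelpful and IPsec itself is complex"; since the commit is already touching this hunk, the fix belongs here. Tagging the racoon.conf fragment `conf` is correct.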

View File

@ -5,20 +5,25 @@ _Note: You may already have completed this step, since it's required to enable S
1. Configure a hostname and domain name.
```
Router#conf t
Router(config)#hostname foo
foo(config)#ip domain-name bar
```
2. Generate an RSA key. The maximum length was increased from 2048 to 4096 as of release 15.1(1)T
```
foo(config)#crypto key generate rsa general-keys modulus 2048
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
foo(config)#exit
```
### Exchange public keys with your peer
1. Display the public key. Send the key data portion to your peer.
```
foo#show crypto key mypubkey rsa foo.bar
% Key pair was generated at: 19:24:02 UTC Jul 19 2014
Key name: foo.bar
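Review bot: the fences introduced in this hunk (after `1. Configure a hostname and domain name.` and `2. Generate an RSA key...`) are bare, whereas the rest of this commit tags fences with `conf` or `sh`; these blocks are IOS terminal sessions, so a consistent tag here would serve the wiki-ng renderer as it does on the other pages, and the same applies to the fences added in the remaining hunks of this file.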
@ -36,6 +41,7 @@ _Note: You may already have completed this step, since it's required to enable S
C248D554 D0D68508 3EA53F0F 971DA7A6 203CA186 A79F9D93 0D2E54EF F7E311B2
F7A8B486 D980661D DEB6C0B3 80A82583 4936F131 57C6D204 0AA5ED7F 7749F044
8F020301 0001
```
2. Convert your peer's public key to the hexadecimal DER format using the [pubkey-converter][pubkey-converter] script, if necessary.
@ -56,6 +62,7 @@ In this example, we'll use the following settings:
1. Add your peer's public key
```
foo#conf t
Enter configuration commands, one per line. End with CNTL/Z.
foo(config)#crypto key pubkey-chain rsa
@ -76,9 +83,11 @@ In this example, we'll use the following settings:
foo(config-pubkey)#quit
foo(config-pubkey-key)#exit
foo(config-pubkey-chain)#exit
```
2. Configure an ISAKMP policy
```
foo(config)#crypto isakmp policy 10
foo(config-isakmp)#encryption aes
foo(config-isakmp)#hash sha
@ -86,10 +95,13 @@ In this example, we'll use the following settings:
foo(config-isakmp)#lifetime 28800
foo(config-isakmp)#authentication rsa-sig
foo(config-isakmp)#exit
```
3. All done! Configure the phase 2 parameters as you otherwise would.
## Full GRE/IPsec example
```
crypto key pubkey-chain rsa
addressed-key 192.0.2.2
address 192.0.2.2
@ -129,3 +141,4 @@ In this example, we'll use the following settings:
description WAN
ip address 192.0.2.1 255.255.255.0
duplex full
```

View File

@ -21,17 +21,17 @@ Change the direction on 5.6.7.8.
## Load the IPsec security policy into the IPsec security policy database
Load the policy with the setkey command.
```
```sh
setkey -f /etc/ipsec-tools.conf
```
Afterward check the policy database with:
```
```sh
setkey -DP
```
## Configure the racoon daemon
An example /etc/racoon/racoon.conf.
```
```conf
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
log info;

View File

@ -34,14 +34,17 @@ Next, add the right flow parameters to [`/etc/ipsec.conf`](http://man.openbsd.or
The configuration file should look like this:
```conf
mymachine = "3.4.5.6"
mypeer = "1.3.3.7"
ike esp transport proto gre from $mymachine to $mypeer \
main auth hmac-sha1 enc aes-128 group modp1536 lifetime 28800 \
quick auth hmac-sha1 enc aes-128 group modp1536 lifetime 3600
```
Load the configuration file into isakmpd: `ipsecctl -f /etc/ipsec.conf`. Once the connection is established, the IPSec flows can be listed with `ipsecctl -sa`:
```
# ipsecctl -sa
FLOWS:
flow esp in proto gre from 1.3.3.7 to 3.4.5.6 peer 1.3.3.7 srcid 3.4.5.6/32 dstid 1.3.3.7/32 type use
@ -50,16 +53,21 @@ Load the configuration file into isakmpd: `ipsecctl -f /etc/ipsec.conf`. Once th
SAD:
esp transport from 1.3.3.7 to 3.4.5.6 spi 0xdeadbeef auth hmac-sha1 enc aes
esp transport from 3.4.5.6 to 1.3.3.7 spi 0xf00df00d auth hmac-sha1 enc aes
```
# GRE Setup
Next, we will set up the GRE device. The [gre(4)](http://man.openbsd.org/gre.4) device encapsulates IPv4 and IPv6 traffic, which allows you to speak both address families over one tunnel if you only have native connectivity for one address family. The addresses configured onto the GRE device should come from a private address range that is not used anywhere in DN42, or a registered transfer net. For IPv6, you should use either ULAs or Link-Local addresses. In this example, we assume you are using 10.20.30.0/31 as the IPv4 transfer "net" (it has only two addresses, so calling it a network is a bit of an overstatement) and Link-Local addresses for IPv6.
```sh
# ifconfig gre0 tunnel 3.4.5.6 1.3.3.7
# ifconfig gre0 inet 10.20.30.0 10.20.30.1 # reverse these on your peer's side
# ifconfig gre0 inet6 eui64
```
These settings should also be added to [`/etc/hostname.gre0`](http://man.openbsd.org/hostname.if.5), .i.e.
```conf
tunnel 3.4.5.6 1.3.3.7
inet 10.20.30.0 10.20.30.1
inet6 eui64
```
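Review bot: the unchanged line `These settings should also be added to [\`/etc/hostname.gre0\`](http://man.openbsd.org/hostname.if.5), .i.e.` has a stray punctuation run; it should end ", i.e." (or "for example"). The `sh` tag on the ifconfig session and the `conf` tag on the hostname.if(5) fragment are the right choices, and the `# reverse these on your peer's side` comment is a useful hint that could be echoed in the hostname.gre0 block too.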

View File

@ -17,7 +17,7 @@ I'd probably go with 4096 bits.
in your racoon.conf:
```
```conf
path certificate "/etc/racoon/keys";
listen {
@ -38,6 +38,6 @@ remote 192.168.255.2 {
}
```
## Se also
## See also
[Debian specific configuration](/howto/IPsecWithPublicKeys/GRE-plus-IPsec-Debian)

View File

@ -2,6 +2,7 @@
## Setup
### Generate an RSA keypair
```
[admin@mtk1] > /ip ipsec key
[admin@mtk1] /ip ipsec key> generate-key mykey key-size=4096
For key bigger than 1024bit this may take a while..
@ -9,18 +10,22 @@
Flags: P - private-key, R - rsa
# NAME KEY-SIZE
0 PR mykey 4096-bit
```
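Review bot: the fences added in this hunk around the RouterOS session (`[admin@mtk1] > /ip ipsec key` ...) are bare, unlike the `conf` and `sh` tags this commit adds elsewhere; pick one tag for the RouterOS terminal blocks in this file and apply it to every fence the commit introduces here, including the "Full GRE/IPsec example" block below.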
## Exchange public keys with your peer
1. Export the public key to a file.
```
[admin@mtk1] /ip ipsec key> export-pub-key mykey file-name=mykey.pub
[admin@mtk1] /ip ipsec key> /file print where name=mykey.pub
# NAME TYPE SIZE CREATION-TIME
2 mykey.pub ssh key 451 jul/20/2014 12:35:33
```
2. Copy the file to your workstation and send it to your peer. The contents of the file should look like this:
```
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv4RHohMZP4F5qTJKqoSL
TqefoZZRt1RVI5dOocjV1pJZnqcXMtHfQ/5+O+igUCAX+yBv0hie+U32FWcy5cQO
@ -30,6 +35,7 @@
QOvIM7fvs5s0YWaUdT+vz8F0SHtb6Q/IdWc4JJPH/Q2t4HKTkk7FUnvvub2GxVbs
8QIDAQAB
-----END PUBLIC KEY-----
```
3. Convert your peer's public key to the PEM format using the [pubkey-converter][pubkey-converter] script, if necessary.
@ -50,6 +56,7 @@ In this example, we'll use the following settings:
1. Copy your peer's PEM-encoded public key to the router and import it. (Hit enter when it asks for a passphrase)
```
[admin@mtk1] /ip ipsec key> import peer-key.pub name=peer-key
passphrase:
@ -58,9 +65,11 @@ In this example, we'll use the following settings:
# NAME KEY-SIZE
0 PR mykey 4096-bit
1 R peer-key 4096-bit
```
2. Configure your peer definition to use the public key
```
[admin@mtk1] /ip ipsec peer> add address=192.0.2.2 local-address=192.0.2.1 enc-algorithm=aes-128 hash-algorithm=sha1 dh-group=modp1536 lifetime=28800 key=mykey remote-key=peer-key auth-method=rsa-key
[admin@mtk1] /ip ipsec peer> print
Flags: X - disabled
@ -70,10 +79,12 @@ In this example, we'll use the following settings:
proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128
dh-group=modp1536 lifetime=8h lifebytes=0 dpd-interval=2m
dpd-maximum-failures=5
```
3. All done! Configure the phase 2 parameters as you otherwise would.
## Full GRE/IPsec example
```
# jul/20/2014 13:00:04 by RouterOS 6.15
# software id = HBCA-0B2J
#
@ -90,3 +101,4 @@ In this example, we'll use the following settings:
/ip ipsec policy
add dst-address=192.0.2.2/32 protocol=gre sa-dst-address=192.0.2.2 \
sa-src-address=192.0.2.1 src-address=192.0.2.1/32
```

View File

@ -2,6 +2,7 @@
## Setup
### Generate an RSA keypair
```sh
ubnt@ubnt:~$ generate vpn rsa-key bits 4096 random /dev/urandom
Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key
@ -9,15 +10,18 @@
The public portion of the key is:
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
```
### Exchange public keys with your peer
1. Display the public key. Send the key data portion to your peer.
```sh
ubnt@ubnt:~$ show vpn ike rsa-keys
Local public key (/config/ipsec.d/rsa-keys/localhost.key):
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
```
2. Convert your peer's public key to the Base64 RFC 3110 format using the [pubkey-converter][pubkey-converter] script, if necessary.
@ -38,12 +42,15 @@ In this example, we'll use the following settings:
1. Add your peer's public key
```sh
vyos@vyos:~$ configure
[edit]
vyos@vyos# set vpn rsa-keys rsa-key-name my-peer rsa-key 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
```
2. Configure an ISAKMP policy
```sh
[edit]
vyos@vyos# edit vpn ipsec ike-group FOO
[edit vpn ipsec ike-group FOO]
@ -56,9 +63,11 @@ In this example, we'll use the following settings:
vyos@vyos# set proposal 1 dh-group 5
[edit vpn ipsec ike-group FOO]
vyos@vyos# commit
```
3. Set your peer definition to use the public key
```sh
[edit vpn ipsec ike-group FOO]
vyos@vyos# up
[edit vpn ipsec]
@ -67,10 +76,13 @@ In this example, we'll use the following settings:
vyos@vyos# set authentication mode rsa
[edit vpn ipsec site-to-site peer 192.0.2.2]
vyos@vyos# set authentication rsa-key-name my-peer
```
4. All done! Configure the phase 2 parameters as you otherwise would.
## Full GRE/IPsec example
```conf
interfaces {
ethernet eth0 {
address 192.0.2.1/30
@ -133,3 +145,4 @@ In this example, we'll use the following settings:
}
}
}
```

View File

@ -2,14 +2,17 @@
## Setup
### Generate an RSA keypair
```sh
root@debian:~# mkdir /etc/ipsec.d/public
root@debian:~# ipsec pki --gen --type rsa --outform pem --size 4096 > /etc/ipsec.d/private/mykey.pem
root@debian:~# ipsec pki --pub --in /etc/ipsec.d/private/mykey.pem --outform pem > /etc/ipsec.d/public/mykey.pub
root@debian:~# echo ": RSA mykey.pem" >> /etc/ipsec.secrets
```
### Exchange public keys with your peer
1. Display the public key. Send the key data to your peer.
```sh
root@debian:~# more /etc/ipsec.d/public/mykey.pub
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2/FWIJuVUtfsLovavNp+
@ -25,6 +28,7 @@
PpCkdMfSOJ0SqCUcVze+xD8GlInUQsPgbDGvxT73jT6Ie+wSA94Cgs3mq7FS6cNo
ZAASv7cT9DG+xfQmjrJC9SUCAwEAAQ==
-----END PUBLIC KEY-----
```
2. Convert your peer's public key to the Base64 RFC 3110 format using the [pubkey-converter][pubkey-converter] script, if necessary.
@ -47,6 +51,7 @@ _Note: strongSwan < 5.0.0 will read PEM-formatted **private** keys, but requires
1. Configure a connection policy in ipsec.conf for your peer. The `leftrsasigkey` attribute is your host's public key in Base64 RFC 3110 format enclosed in double quotes, and `rightrsasigkey` is your peer's key.
```sh
root@debian:~# cat << EOF >> /etc/ipsec.conf
conn MYPEER
# peer IPs
@ -60,10 +65,13 @@ _Note: strongSwan < 5.0.0 will read PEM-formatted **private** keys, but requires
leftrsasigkey="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"
rightrsasigkey="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"
EOF
```
2. All done! Configure the phase 2 parameters as you otherwise would.
## Full GRE/IPsec example
```sh
root@debian:~# ip addr show dev gre1
11: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN
link/gre 192.0.2.1 peer 192.0.2.2
@ -102,3 +110,4 @@ _Note: strongSwan < 5.0.0 will read PEM-formatted **private** keys, but requires
# startup
auto=route
keyingtries=%forever
```

View File

@ -6,14 +6,17 @@ For IPsec with Public Keys you'll need the package _strongswan-plugin-pubkey_ in
Don't forget to disable selinux :)
### Generate an RSA keypair
```sh
root@debian:~# mkdir /etc/ipsec.d/public
root@debian:~# ipsec pki --gen --type rsa --outform pem --size 4096 > /etc/ipsec.d/private/mykey.pem
root@debian:~# ipsec pki --pub --in /etc/ipsec.d/private/mykey.pem --outform pem > /etc/ipsec.d/public/mykey.pem
root@debian:~# echo ": RSA mykey.pem" >> /etc/ipsec.secrets
```
### Exchange public keys with your peer
1. Display the public key. Send the key data to your peer.
```sh
root@debian:~# more /etc/ipsec.d/public/mykey.pem
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2/FWIJuVUtfsLovavNp+
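Review bot: the unchanged line `Don't forget to disable selinux :)` is advice the page should not give as written; if a specific denial blocks strongSwan, the page should document that denial and the matching policy adjustment rather than recommend switching off the mandatory access control layer for the whole host. The `sh` tags added for the key-generation and key-display sessions are correct.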
@ -29,6 +32,7 @@ Don't forget to disable selinux :)
PpCkdMfSOJ0SqCUcVze+xD8GlInUQsPgbDGvxT73jT6Ie+wSA94Cgs3mq7FS6cNo
ZAASv7cT9DG+xfQmjrJC9SUCAwEAAQ==
-----END PUBLIC KEY-----
```
2. Convert your peer's public key to the PEM format using the [pubkey-converter][pubkey-converter] script, if necessary.
@ -49,6 +53,7 @@ In this example, we'll use the following settings:
1. Add your peer's public key
```sh
root@debian:~# cat << EOF > /etc/ipsec.d/public/peerkey.pem
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuQ1hX3+AEiLis4p5jvmY
@ -65,9 +70,11 @@ In this example, we'll use the following settings:
mP4HkvHlEmXHP2oAQ4G6PTkCAwEAAQ==
-----END PUBLIC KEY-----
EOF
```
2. Configure a connection policy in ipsec.conf for your peer
```sh
root@debian:~# cat << EOF >> /etc/ipsec.conf
conn MYPEER
# peer IPs
@ -81,10 +88,12 @@ In this example, we'll use the following settings:
leftrsasigkey=/etc/ipsec.d/public/mykey.pem
rightrsasigkey=/etc/ipsec.d/public/peerkey.pem
EOF
```
3. All done! Configure the phase 2 parameters as you otherwise would.
## Full GRE/IPsec example
```sh
root@debian:~# ip addr show dev gre1
11: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN
link/gre 192.0.2.1 peer 192.0.2.2
@ -121,10 +130,13 @@ In this example, we'll use the following settings:
# startup
auto=route
keyingtries=%forever
```
If your peer is using a Cisco router and is behind NAT, then you might need to add the following option:
```
rightid=NATIP
```
# See also
* [Network settings](/howto/networksettings)
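Review bot: the fence around `rightid=NATIP` stays bare in this hunk while the block that closes just above it (ending at `keyingtries=%forever`) is tagged `sh`; this is an ipsec.conf fragment and should be tagged `conf`. `NATIP` also reads like a placeholder; marking it as one (for example `<NAT-IP>`, matching the `<...>` convention used on the other pages in this commit) would stop readers pasting it literally.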

View File

@ -28,7 +28,7 @@ rfc8815 deprecated pim-sm, please take a look at the new multicast page about pi
* Create a dummy interface to hold your calculated unicast Rendezvous Point address. This one needs to be reachable from within dn42. Also set "multicast on" on this dummy interface. Example:
```
```conf
# /etc/network/interfaces.d/pim6sd
auto pim-router-id
iface pim-router-id inet manual
@ -86,7 +86,7 @@ You can now switch into this test network namespace via "ip netns exec /bin/bash
### Creating a test multicast listener
```
```sh
$ socat -u UDP6-RECV:1234,reuseaddr,ipv6-join-group="[ff7e:230:fdd5:69d5:c530::123]:eth0" -
```
@ -94,7 +94,7 @@ $ socat -u UDP6-RECV:1234,reuseaddr,ipv6-join-group="[ff7e:230:fdd5:69d5:c530::1
First select which interface should be the default one for your multicast traffic. Then send multicast packets via ICMPv6:
```
```sh
$ ip -6 route add ff7e:230:fdd5:69d5:c530::/96 dev eth0 table local
$ ping6 -t 16 ff7e:230:fdd5:69d5:c530::123
```
@ -145,18 +145,18 @@ However you can usually just announce and use both RFC3306 and RFC3956 based mul
#### Bootstrap Router
If you want to be participate as a bootstrap router candidate, please read up on how PIM works first. If you join with a bootstrap router candidate add it here below with contact information and join #dn42-multicast on HackInt:
* <BSR-ADDR1> - foo@example.com, foo@HackInt
* <BSR-ADDR2> - ...
* \<BSR-ADDR1> - foo@example.com, foo@HackInt
* \<BSR-ADDR2> - ...
#### Shared multicast addresses
Next to personal multicast prefixes generated by network prefix (RFC3306 or RFC3956) there can also be multicast addresses not owned by a specific AS. In general any one can just set up a multicast sender or listener for those. However to work, they need a reliable RP for coordination.
If you want to offer an RP candidate for a shared multicast address, please read up on how PIM works first. If you join with an RP candidate for a shared multicast address add it here below with contact information and join #dn42-multicast on HackInt:
* <multicast-address1>/128:
- <RP-address1> - foo@example.com, foo@HackInt
- <RP-address2> - bar@example.com, bar@HackInt
* <multicast-address2>/128:
* \<multicast-address1>/128:
- \<RP-address1> - foo@example.com, foo@HackInt
- \<RP-address2> - bar@example.com, bar@HackInt
* \<multicast-address2>/128:
- ...
## Questions?
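Review bot: escaping the angle brackets (`* \<BSR-ADDR1> - foo@example.com, foo@HackInt`) is the right fix so the placeholders are not swallowed as HTML, but two unchanged lines in the same hunk carry grammar errors that should go in with it: "If you want to be participate as a bootstrap router candidate" should read "If you want to participate as a bootstrap router candidate", and "In general any one can just set up" should read "In general anyone can just set up".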

View File

@ -65,7 +65,7 @@ Enter NPT. Address your services using a reserved private block, and map that bl
For example, if you've been assigned a public /48 prefix, and want to be reachable on DN42 aswell, you can use only ULA addresses from DN42 internally (or your own!), then map them to outside prefixes. Note that they'll need to all use the same prefix size to maintain the one-to-one mapping, so you may have to subnet the public prefix.
In Linux's netfilter, this can be implemented through the use of the NETMAP target, for the example above:
```
```sh
ip6tables -t nat -A POSTROUTING -d 2000::/3 -s <DN42-PREFIX>:<SUBNET>::/56 -j NETMAP --to <PUBLIC-PREFIX>:<SUBNET>::/56; # Map ULA to the public prefix for outgoing packets
ip6tables -t nat -A PREROUTING -s 2000::/3 -d <PUBLIC-PREFIX>:<SUBNET>::/56 -j NETMAP --to <DN42-PREFIX>:<SUBNET>::/56; # Map public prefix to ULA for incoming packets
```
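Review bot: the unchanged sentence `... and want to be reachable on DN42 aswell, you can use only ULA addresses ...` should read "as well". The `sh` tag on the two `ip6tables -t nat ... -j NETMAP` rules is appropriate; the trailing `;` on each rule is harmless but unnecessary and could be dropped together with the tag change.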

View File

@ -16,7 +16,7 @@ By default, [bgpd(8)](http://man.openbsd.org/bgpd.8) listens on all local addres
## local host
Information such as ASN, router ID and allocated networks are required:
```
```conf
# macros
ASN="4242421234"
@ -31,7 +31,7 @@ prefix-set mynetworks {
These can be used in subsequent filter rules.
The local peer's announcements is then defined as follows:
```
```conf
# Generate routes for the networks our ASN will originate.
# The communities (read 'tags') are later used to match on what
# is announced to EBGP neighbors
@ -41,7 +41,7 @@ network prefix-set mynetworks set large-community $ASN:1:1
## neighbors
For each neighbor its ASN and transfer ULA is required.
An optional description is provided such that [bgpctl(8)](http://man.openbsd.org/bgpctl.8) for example can be used with mnemonic names instead of AS numbers:
```
```conf
# peer A, transport over IPSec/GRE
$A_local="fd00:12:34:A::1"
$A_remote="fd00:12:34:A::2"
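Review bot: `$A_local="fd00:12:34:A::1"` and `$A_remote="fd00:12:34:A::2"` define macros with a leading `$`, but bgpd.conf(5) defines macros bare (`A_local="fd00:12:34:A::1"`) and only expands them with `$A_local` where they are used, so this block will not parse as written. Retagging the fence as `conf` is fine, but the macro lines need fixing too.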
@ -61,7 +61,7 @@ The filter rules are evaluated in sequential order, form first to last.
The last matching allow or deny rule decides what action is taken.
Start off with basic protection and sanity rules:
```
```conf
# deny more-specifics of our own originated prefixes
deny quick from ebgp prefix-set mynetworks or-longer
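Review bot: the context line reads 'form first to last'; it should be 'from first to last'. The fence tag change itself looks fine.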
@ -72,7 +72,7 @@ deny quick from any max-as-len 8
`quick` rules are considered the last matching rule, and evaluation of subsequent rules is skipped.
Allow own announcements:
```
```conf
# Outbound EBGP: only allow self originated networks to ebgp peers
# Don't leak any routes from upstream or peering sessions. This is done
# by checking for routes that are tagged with the large-community $ASN:1:1
@ -80,7 +80,7 @@ allow to ebgp prefix-set mynetworks large-community $ASN:1:1
```
Allow all remaining UPDATES based on **O**rigin **V**alidation **S**tates:
```
```conf
# enforce ROA
allow from ebgp ovs valid
```
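Review bot: `allow from ebgp ovs valid` admits only prefixes with a matching ROA, and nothing visible here says what happens to `not-found` and `invalid` announcements (they fall through to whichever earlier rule matched, otherwise to the default action). Since silently dropping `not-found` is the stricter choice, the page should state that it is deliberate.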
@ -89,7 +89,7 @@ Note how the `ovs` filter requires the `roa-set {...}` to be defined; see the `
### path attributes
Besides `allow` and `deny` statements, filter rules can modify UPDATE messages, e.g.
```
```conf
# Scrub normal and large communities relevant to our ASN from EBGP neighbors
# https://tools.ietf.org/html/rfc7454#section-11
match from ebgp set { large-community delete $ASN:*:* }
@ -123,7 +123,7 @@ roa-set {
```
Include it in `/etc/bgpd.conf`:
```
```conf
# defines roat-set, see _rpki-client crontab
include "/etc/dn42.roa-set"
```
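Review bot: the comment reads `# defines roat-set`; it should be `roa-set`, matching the `roa-set {...}` block it refers to.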

View File

@ -28,9 +28,11 @@ This is needed so that OpenWRT is aware of the new interfaces (for firewall and
In `/etc/config/network`, add entries for each dn42 interface:
```conf
config interface dn42peer1
option ifname tun-peer1
option proto none
```
## Firewall
@ -43,28 +45,36 @@ Everything is done in `/etc/config/firewall`.
### Zone declaration
```conf
config zone
option name dn42
option network 'dn42peer1 dn42peer2 dn42peer3'
option input REJECT
option output ACCEPT
option forward REJECT
```
If you need to NAT your home network into dn42, you probably just need to add:
```conf
option masq 1
```
### dn42 ↔ LAN forwarding
```conf
config forwarding
option src lan
option dest dn42
```
If you're confident enough, you can also forward dn42 into your LAN:
```conf
config forwarding
option src dn42
option dest lan
```
Or you can forward only certain ports, to certain hosts, etc (standard `config rule` stuff)
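Review bot: with `option input REJECT` on the dn42 zone, inbound BGP connection attempts from peers on the tunnel interfaces are refused, so sessions only come up when this router initiates them; the page should add a `config rule` that accepts TCP 179 (and ICMP/ICMPv6, for path MTU discovery) from the dn42 zone. The `option masq 1` hint also deserves a caveat: NAT into dn42 means LAN hosts are not individually reachable from dn42, and the later 'forward dn42 into your LAN' section only works if the LAN prefix is itself announced into dn42.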
@ -72,7 +82,9 @@ Or you can forward only certain ports, to certain hosts, etc (standard `config r
This is more tricky. In theory, all you have to do is to set
```conf
option forward ACCEPT
```
in the definition of the zone. However, due to a bug in Attitude Adjustment (see <https://dev.openwrt.org/ticket/12945>), this will allow forwarding **everything everywhere**.
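Review bot: this caveat is stale. Attitude Adjustment is a 2012-era OpenWrt release and the project has since moved its bug tracking away from the dev.openwrt.org Trac that the link points to, so the page should either confirm whether `option forward ACCEPT` still over-forwards on current releases or drop the warning together with the dead link.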

View File

@ -6,16 +6,20 @@ Quagga is probably one of the oldest software router around. It still works, of
Use this in your `zebra.conf`:
```conf
route-map RM_SET_SRC permit 10
set src 172.22.XX.XX
ip protocol bgp route-map RM_SET_SRC
```
Unfortunately, this is not possible with IPv6...
## Important bgp commands
To connect to bgpd use:
```sh
$ vtysh
```
Which provides an interactive interface.
In this interface '?' can be used to list the available commands or subcommands.
@ -23,16 +27,19 @@ In this interface '?' can be used to list the available commands or subcommands.
## Configure Quagga
a minimal config would look like this:
```sh
vtysh> configure terminal
vtysh(config)> router bgp <your-asn>
vtysh(config-router)> neighbor <neighbor-ip> remote-as <neighbor-asn>
vtysh(config-router)> neighbor <neighbor-ip> interface <interface>
vtysh(config-router)> exit
vtysh(config)> exit
```
### IPv6
for IPv6 do something like
```sh
vtysh> configure terminal
vtysh(config)> router bgp <your-asn>
vtysh(config-router)> neighbor <neighbor-ip> remote-as <neighbor-asn>
@ -43,24 +50,32 @@ for IPv6 do something like
vtysh(config-router-af)> exit
vtysh(config-router)> exit
vtysh(config)> exit
```
### peer groups, prefix lists and such
If you want to use 'prefix-list' to filter some of the prefixes quagga is receiving, you can use a 'peer-group' instead of apply the prefix list to every neighbor.
Define a peer group:
```sh
vtysh(config-router)> neighbor <peer-group-name> peer-group
```
Apply to a neighbor:
```sh
vtysh(config-router)> neighbor <neighbor-ip> peer-group <name>
```
Apply a prefix list for incoming prefixes to your peer group:
```sh
vtysh(config-router)> neighbor <peer-group-name> prefix-list <prefix-list-name> in
```
#### Example filter list
```sh
ip prefix-list vpn-in description BGP IPv4 import filter
!old network:
ip prefix-list vpn-in seq 5 permit 172.22.0.0/15 ge 22 le 28
@ -96,9 +111,10 @@ Apply a prefix list for incoming prefixes to your peer group:
ipv6 prefix-list vpn-in seq 10 permit fd00::/8 ge 9
ipv6 prefix-list vpn-in seq 15 deny any
```
#### Example filter list script
```
```sh
#!/bin/bash
vtysh -c 'conf t' -c "no ip prefix-list dn42"; #drop old prefix list
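Review bot: the vtysh transcript blocks (`vtysh(config-router)> neighbor ...`) and the prefix-list block are tagged `sh`, but neither is shell: the transcripts are interactive CLI input and the prefix list is Quagga configuration, so `text` for the former and `conf` for the latter would match the convention this commit applies to the Bird and OpenBGPD pages. Also, `ipv6 prefix-list vpn-in seq 10 permit fd00::/8 ge 9` has no `le` bound and therefore accepts everything down to /128 from ULA space; if that is intended the page should say so, since the IPv4 list caps at /28.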

View File

@ -32,11 +32,12 @@ You can find a hosted example of dn42regsrv at <https://explorer.burble.com/>
Instructions on how to host dn42regsrv yourself can be found on the git repo of [dn42regsrv](https://git.burble.com/burble.dn42/dn42regsrv).
You can also run dn42regsrv via docker (then available at 127.0.0.1:8042):
```sh
git checkout https://git.burble.com/burble.dn42/dn42regsrv.git .
cd contrib/docker
./build.sh
docker-compose up -d
```
Documentation for the api endpoints can be found here: <https://git.burble.com/burble.dn42/dn42regsrv/src/master/API.md>
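Review bot: `git checkout https://git.burble.com/burble.dn42/dn42regsrv.git .` is not a valid way to fetch a repository; `git checkout` takes branches or paths, not URLs. This should be `git clone https://git.burble.com/burble.dn42/dn42regsrv.git` followed by `cd dn42regsrv/contrib/docker`.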
@ -48,7 +49,9 @@ burble kindly provides ready-to-use files for gortr here:
You can use these to simply run gortr via docker:
```sh
docker run -ti -p 8082:8082 cloudflare/gortr -cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082
```
### rtrtr
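Review bot: `-verify=false -checktime=false` switch off signature verification and validity-window checks on the ROA JSON, so the only thing binding the RTR server to trusted data is the TLS connection to dn42.burble.com. That is presumably unavoidable because the dn42 file is unsigned, but the page should say so explicitly and warn that these flags must never be copied into a setup that consumes production RPKI data.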
@ -56,10 +59,13 @@ rtrtr is a RTR server from NLNet Labs. It's compatible with the dn42regsrv ROA-J
NLNet Labs provides an official docker image. You just have to bind mount a suitable configuration file:
```sh
docker run -d -v /etc/rtrtr.conf:/etc/rtrtr.conf -p 323:323/tcp nlnetlabs/rtrtr -c /etc/rtrtr.conf
```
This is a working configuration file for dn42. Maybe change the listen addresses:
```conf
log_level = "debug"
log_target = "stderr"
http-listen = []
@ -71,6 +77,7 @@ This is a working configuration file for dn42. Maybe change the listen addresses
type = "rtr"
listen = ["0.0.0.0:323", "[::]:323"]
unit = "dn42-json"
```
For more information cosult the official documentation: <https://rtrtr.docs.nlnetlabs.nl/en/stable/>
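Review bot: `listen = ["0.0.0.0:323", "[::]:323"]` together with `-p 323:323/tcp` exposes the RTR server on every interface. RTR carries no authentication, so clients cannot tell a spoofed server from the real one; the page should recommend binding to a dn42-internal or loopback address and pointing routers at it over a trusted path rather than just 'maybe change the listen addresses'. Also `log_level = "debug"` is noisy for a long-running service, and 'cosult' in the last line should be 'consult'.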

View File

@ -50,7 +50,7 @@ There are three options for doing this. but you only need to do **one** of these
### `auth` attribute format, when your public key is in gitea or a public keyserver
- Use the following `auth` attribute in your `mntner` object:
```
```conf
auth: pgp-fingerprint <fingerprint>
```
Where `<fingerprint>` is your **full 40-digit** key fingerprint, without spaces.
@ -62,7 +62,7 @@ Where `<fingerprint>` is your **full 40-digit** key fingerprint, without spaces.
*Tip: look at the existing key-cert objects for examples of how to add your public key*
- In this case the `auth` attribute must refer to the new key-cert object so use the following in your `mntner` object:
```
```conf
auth: PGPKEY-<short fingerprint>
```
Where `<short fingerprint>` is the last **8** digits from your key fingerprint.
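Review bot: `PGPKEY-<short fingerprint>` binds the mntner to an 8-hex-digit (32-bit) key ID, and 32-bit key IDs are trivially collidable. That is tolerable only because the attribute resolves to a key-cert object that carries the full key; the page should say that, say what happens when two key-cert objects share the suffix, or simply recommend the `pgp-fingerprint` form from the section above.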
@ -76,7 +76,7 @@ Where `<short fingerprint>` is the last **8** digits from your key fingerprint.
- Use `git commit -S` to commit and sign your change.
- If you have already committed your change without signing it, you can sign the existing commit using:
```
```sh
git commit --amend --no-edit -S
```
If you had already pushed your change to gitea, you must also do a force push (`git push --force`) to update the remote copy.
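Review bot: after `git commit --amend --no-edit -S`, the suggested `git push --force` will overwrite whatever is on the remote branch; recommend `git push --force-with-lease` instead, which refuses to push if the remote has moved since the last fetch. The fence tag change is fine.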
@ -105,17 +105,17 @@ If you cannot get the above to work you may also:
### `auth` attribute format when using an ssh key
The generic format for authentication using an SSH key is as follows:
```
```conf
auth: ssh-<keytype> <pubkey>
```
Common examples:
```
```conf
auth: ssh-ed25519 <pubkey>
```
```
```conf
auth: ssh-rsa <pubkey>
```
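Review bot: the generic format `auth: ssh-<keytype> <pubkey>` does not hold for ECDSA keys, whose type string is `ecdsa-sha2-nistp256` (as the later 'Authentication with an SSH ecdsa key' section shows); better to say the attribute is the key type string exactly as it appears in the public key file, followed by the base64 key.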
@ -131,13 +131,13 @@ Brief instructions are below, however there are also more detailed guides availa
- Set your git signature format to be SSH
```
```sh
git config --global gpg.format ssh
```
- Tell git which SSH key to use
```
```sh
git config --global user.signingKey '<ssh public key>'
```
@ -167,13 +167,13 @@ The registry includes a script that uses ssh-keygen signatures to sign your chan
#### How to sign
```
```sh
./sign-my-commit --ssh --key <path to your SSH private key> --push <MNTNER>
```
e.g.
```
```sh
./sign-my-commit --ssh --key /home/foo/.ssh/id_ed25519 --push FOO-MNT
```
@ -181,7 +181,7 @@ e.g.
The script can also verify your signature:
```
```sh
./sign-my-commit --ssh --verify <MNTNER>
```
@ -231,7 +231,7 @@ Please try and upgrade your ssh-keygen version and use the generic ssh-keygen me
### Authentication with an SSH RSA key
- Use the following `auth` attribute in your `mntner` object:
```
```conf
auth: ssh-rsa <pubkey>
```
Where `<pubkey>` is the ssh public key copied from your id_rsa.pub file.
@ -269,7 +269,7 @@ openssl pkeyutl \
### Authentication with an SSH ecdsa key
- Use the following `auth` attribute in your `mntner` object:
```
```conf
auth: ecdsa-sha2-nistp256 <pubkey>
```
Where `<pubkey>` is the ssh public key copied from your id_ecdsa.pub file.

View File

@ -1,6 +1,6 @@
Modern versions of Windows do not support OSPF and manually adding static routes every time after a reboot is annoying. Below is a batch script you can edit and run to help make adding routes easier. This script assumes that your BGP router and Windows computer are on the same LAN.
```
```sh
@echo off
REM fill in YOUR network information
REM right click and RUN AS ADMIN
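Review bot: tagging this block `sh` is wrong; `@echo off` and `REM` are Windows batch, so a `bat` or `batch` tag (or `text`) would highlight correctly and not suggest running it in a POSIX shell.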

View File

@ -1,6 +1,8 @@
lglass is a Python software package designed for Internet Registries like the DN42. You can generate zone files for DNS and rDNS IPv4/v6, and handle the registry. It is available on GitHub as free software:
```sh
$ git clone git://github.com/fritz0705/lglass.git
```
## Links
- [Fritz Gihub repo](https://github.com/fritz0705/lglass)
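Review bot: `git clone git://github.com/fritz0705/lglass.git` uses the unauthenticated git protocol, which GitHub stopped serving in March 2022; the command now fails, and even where the protocol works the transport has no integrity protection. Change it to `https://github.com/fritz0705/lglass.git`, which is already the URL used in the Links list.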
@ -10,13 +12,17 @@ lglass is a Python software package designed for Internet Registries like the DN
lglass provides an event-based whois daemon with internal caching, which was written in Python. It is very simple to run an instance:
```sh
$ ./bin/lglass-whoisd
```
without the configfile:
```sh
$ ./bin/lglass-regtool whoisd -H $HOST -p $PORT
.
```
```
usage: lglass-whoisd [-h] [-4] [-6] [--host HOST] [--port PORT]
[--cidr] [--no-cidr] [--inverse] [--no-inverse]
@ -30,7 +36,7 @@ without the configfile:
--no-cidr Do not perform CIDR matching on queries
--inverse, -i Perform inverse matching on queries
--no-inverse Do not perform inverse matching on queries
```
## Generate zone files
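Review bot: the block after 'without the configfile' contains a stray `.` line and is closed and immediately reopened (two consecutive fences), so the usage text that follows renders as a separate untagged block; drop the `.` and either merge the command and its usage output into one block or tag the second one `text`.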
@ -38,32 +44,42 @@ lglass also provides a script to generate zone files from the registry. It's nam
To generate DNS zones:
```sh
$ ./bin/lglass-zonegen -d $PATH_TO_DATA_DIR -n ns1... -n ns2... -e foo.bar.com dns -z dn42
```
To generate IPv4 rDNS zones:
```sh
$ ./bin/lglass-zonegen -d $PATH_TO_DATA_DIR -n ns1... -n ns2... -e foo.bar.com rdns4 -N 172.22.0.0/16
```
To generate IPv6 rDNS zones:
```sh
$ ./bin/lglass-zonegen -d $PATH_TO_DATA_DIR -n ns1... -n ns2... -e foo.bar.com rdns6 -N fd00::/8
```
## Reformat RPSL files
You can also reformat RPSL files using lglass by using the lglass.rpsl module:
```sh
$ ./bin/lglass-rpsl < $DATA/inetnum/172.22.0.53_32
```
lglass.rpsl also supports in-place operation:
```sh
$ ./bin/lglass-rpsl -i $DATA/inetnum/172.22.0.53_32
```
This opens the file, reads the content into memory, seeks to position 0, writes the formatted object and truncates the file.
Simple web interface
lglass also comes with a simple web interface written in Python3 using Bottle and Jinja2. It also provides a binary to run it using wsgiref:
```sh
$ ./bin/lglass-web
```
Furthermore you can use any WSGI server like Gunicorn by using lglass.web.application:app as WSGI callback. You can provide a path to the configuration file in the environment variable `LGLASS_WEB_CFG`.
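Review bot: 'Simple web interface' is a section title but lacks the `##` marker used by the other sections on this page ('## Generate zone files', '## Reformat RPSL files'), so it renders as plain prose; add the heading marker while this page is being touched.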

View File

@ -13,22 +13,22 @@ That is why `rp_filter` needs to be disabled.
**Note** using sysctl is not persistent. Depending on your linux distribution put it into `/etc/sysctl.conf` or `/etc/sysctl.d`
```
```sh
sysctl -w net.ipv4.conf.all.rp_filter=0 net.ipv4.conf.default.rp_filter=0
```
Check that its really disabled:
```
```sh
sysctl -a | grep rp_filter
```
Also the following options must be set.
```
```sh
$ sysctl -w net.ipv4.conf.all.forwarding=1 net.ipv6.conf.all.forwarding=1
```
Check that ALL your vpn interfaces allow ip forwarding for ipv6/ipv4.
```
```sh
$ sysctl -a | grep forwarding
```
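Review bot: `sysctl -w net.ipv4.conf.all.rp_filter=0 net.ipv4.conf.default.rp_filter=0` is not sufficient on its own: Linux applies the maximum of `conf/all/rp_filter` and `conf/<iface>/rp_filter`, so any interface that already carries its own value of 1 keeps filtering. That is why the `sysctl -a | grep rp_filter` check matters, and the text should say 'every interface must show 0'. The page should also mention loose mode (`rp_filter=2`) as the less drastic option: it still drops packets whose source address is unroutable while tolerating the asymmetric paths BGP produces, whereas 0 removes all source validation on a router reachable from the whole of dn42. Minor: the `$ ` prompt appears on two of the four commands and not on the others.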

View File

@ -176,8 +176,7 @@ Like ferm, Bird2 is configured by ```services.bird2.config``` containing a strin
Sample example to update ROA's :
```nix
{ pkgs, lib, ... }:
let
script = pkgs.writeShellScriptBin "update-roa" ''
let script = pkgs.writeShellScriptBin "update-roa" ''
mkdir -p /etc/bird/
${pkgs.curl}/bin/curl -sfSLR {-o,-z}/etc/bird/roa_dn42_v6.conf https://dn42.burble.com/roa/dn42_roa_bird2_6.conf
${pkgs.curl}/bin/curl -sfSLR {-o,-z}/etc/bird/roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird2_4.conf

View File

@ -10,7 +10,7 @@
* Replace `<REMOTE_GATEWAY_IP>` with dn42 ip address of your peer
* `<LOCAL_GATEWAY_IPV6> <REMOTE_GATEWAY_IPV6>` same as ipv4, but both ip addresses needs to be in the same subnet. For simplicity you can always use an address from link-local ipv6 range (fe80::/64)
```
```conf
#/etc/openvpn/<PEER_NAME>
proto <PROTO>
mode p2p
@ -39,7 +39,7 @@ secret /etc/openvpn/<PEER_NAME>.key
then create a new key and share it with your peer
```
```sh
$ openvpn --genkey --secret /etc/openvpn/<PEER_NAME>.key
```
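Review bot: `openvpn --genkey --secret /etc/openvpn/<PEER_NAME>.key` is the pre-2.5 spelling; OpenVPN 2.5 and later expect `openvpn --genkey secret <file>` and accept the old form only with a deprecation warning. The page should also state that the static key has to reach the peer over an authenticated channel, since anyone holding it can impersonate either end of the tunnel.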
@ -47,7 +47,7 @@ $ openvpn --genkey --secret /etc/openvpn/<PEER_NAME>.key
## peer with fixed ip
```
```conf
proto <PROTO>
mode p2p
dev-type tun
@ -72,7 +72,7 @@ secret /etc/openvpn/<PEER_NAME>.key
* `<REMOTE_HOST>` is the ip address of your peer
* `<REMOTE_PORT>` is openvpn port, where your peer listen for traffic
```
```conf
proto <PROTO>
mode p2p
remote <REMOTE_HOST>
@ -99,7 +99,7 @@ Clients connect using certificates, and simply get attributed dn42 IPs in the or
Replace `<PORT>` with the UDP port you want OpenVPN to listen to, and change the IP ranges (`ifconfig` and `route-gateway` options).
```
```conf
mode server
tls-server
@ -152,7 +152,7 @@ push "route 172.22.0.0 255.254.0.0"
Change `<SERVER>` and `<PORT>`.
```
```conf
client
ca ca.crt

View File

@ -5,7 +5,7 @@ This is the config that is used on ZOTAN Networks (AS4242422341). Full network c
# Configuration
## loopback device (lo.network)
```
```conf
[Match]
Name=lo
@ -14,7 +14,7 @@ Address=fdff:b02d:2ef7::2/128
```
## wireguard netdev (dn42p1.netdev)
```
```conf
[NetDev]
Name = dn42p1
Kind = wireguard
@ -31,7 +31,7 @@ AllowedIPs = 172.16.0.0/12,10.0.0.0/8,fd00::/8,fe80::/10,ff00::/8
```
## wireguard network (dn42p1.network)
```
```conf
[Match]
Name = dn42p1

View File

@ -10,7 +10,7 @@ One advantage of tinc is that you can have multiple peering over the same VPN co
Example `/etc/tinc/dn42_yourpeer/tinc.conf`:
```
```conf
Interface = dn42_yourpeer
Name = your_host
# Only switch mode is feasible for dn42 peerings, since in router mode tinc takes care of routing decisions on its own
@ -26,7 +26,7 @@ Tinc requires to add manually ip addresses and routes to the tap/tun interfaces.
Example `/etc/tinc/dn42_yourpeer/tinc-up`:
**Linux/iproute2**
```
```sh
#!/bin/sh
# set the interface up
@ -44,13 +44,13 @@ For authentication tinc uses public key authentication instead of certificates o
For each key tinc should connect to or allow to connect, a file with the name of the peer in tincd -n twwh -K
is required. To generate a public/private key pair use:
```
```sh
$ tincd -K
```
Import for each other party the key like this `/etc/tinc/dn42_yourpeer/hosts/<peername>`:
```
```conf
# address/port are optional, in case they're missing you only expect connections from that host
Address = <fqdn/ip_addr>
Port = <port|655>
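Review bot: the context line 'a file with the name of the peer in tincd -n twwh -K is required' is garbled (a directory path, presumably `hosts/`, has been replaced by a command fragment) and should be rewritten; and `tincd -K` in the block omits the `-n dn42_yourpeer` that every other tinc command on this page uses, so the generated key lands in the default network directory rather than in the peering network.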
@ -74,19 +74,19 @@ Installation:
* Freebsd: Use this [port repo](https://github.com/Mic92/ports/tree/master/security/tinc)
Set up a new tinc network
```
```sh
# tinc -n dn42_yourpeer init dn42_yourself
```
Invite your peering partner. Tinc will print the invitaion which you need to copy to your peering partner.
```
```sh
$ tinc invite yourpeer
<ip-or-address>/nIRp5pJCnfnhuV13JUomscGs1q5HqEbz3AydZer7wRaMcpUB
```
On the other node you can join by using:
```
```sh
$ tinc join <invitation-url>
```
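Review bot: `tinc invite yourpeer` and `tinc join <invitation-url>` omit `-n dn42_yourpeer`, unlike the `tinc -n dn42_yourpeer init` line just above, so they operate on the default network. The page should also say that the invitation URL is a one-time secret and must be sent over an authenticated channel, because whoever presents it first joins the network.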

View File

@ -9,13 +9,13 @@ to allow your BGP daemon instead to do routing. This approach is comparable to [
First generate on each peer public and private keys.
```
```sh
$ wg genkey | tee privatekey | wg pubkey > publickey
```
## Configuration
```
```conf
# tunnel.conf
[Interface]
PrivateKey = <private_key>
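Review bot: `wg genkey | tee privatekey | wg pubkey > publickey` creates `privatekey` with the caller's default umask, which is typically world-readable; the page should prefix the command with `umask 077` (as the WireGuard quick start does) so the private key is never readable by other users on the host.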
@ -38,7 +38,7 @@ AllowedIPs = 0.0.0.0/0,::/0
Wireguard comes with its own interface type.
It supports link-local addresses for IPv6 and single /32 addresses for IPv4, which can be used for peering.
```
```sh
$ ip link add dev <interface_name> type wireguard
$ wg setconf <interface_name> tunnel.conf
# both side pick a different link-local ipv6 address
@ -54,7 +54,7 @@ Maybe you should check the MTU to your peer with e.g. `ping -s 1472 <end_point_h
## Testing
```
```sh
ping fe80::<your_peers_suffix>%<interface_name>
```
@ -94,7 +94,7 @@ The script makes some changes that are not valid when used for DN42 tunnels, and
An example wg-quick script that incorporates the above two workarounds is below, where `<MyIPv[46]>` are the DN42 IP addresses of your node and `<PeerIPv[46]>` are the IP addresses for your peer.
```
```conf
[Interface]
PrivateKey = <your private key>
Address = <your link-local address, if any>
@ -114,7 +114,7 @@ Use `which ip` to get the full path to your ip binary.
Example configuration for systemd-networkd.
peer.netdev
```text
```conf
[NetDev]
Name=<ifname>
Kind=wireguard
@ -134,7 +134,7 @@ AllowedIPs=0.0.0.0/0
```
peer.network
```text
```conf
[Match]
Name=<ifname>
@ -172,6 +172,6 @@ Peer=<your peer's IPv4 address>/32
As wireguard are only resolving the hostname to IP only on start, dynamics DNS will stop working after a while without further configuration. The Following is a [script](https://github.com/WireGuard/wireguard-tools/blob/master/contrib/reresolve-dns/reresolve-dns.sh) from wireguard which will "re-resolve" the DNS and update the wireguard.
You can add cron entries to periodically "re-resolve" the DNS:
```
```sh
* * * * * /path-to-the-script/reresolve-dns.sh
```

View File

@ -186,9 +186,9 @@ Providers of shell access:
| Person | Hostname | Net | Description | Contact |
|:------------- |:-------------------------------------- |:---------------- |:---------------- |:------------- |
| mc36 | telnet test.nop.dn42 | dn42 only |looking glass | - |
| JerryXiao | ssh lg@lg.jerry.dn42 | dn42 and icvpn |looking glass | - |
| burble | ssh <mntner>@shell.fr-rbx1.burble.dn42 <br/> ssh <mntner>@shell.ca-bhs2.burble.dn42 | dn42 |Full shell account| See below |
| mc36 | `telnet test.nop.dn42` | dn42 only |looking glass | - |
| JerryXiao | `ssh lg@lg.jerry.dn42` | dn42 and icvpn |looking glass | - |
| burble | `ssh <mntner>@shell.fr-rbx1.burble.dn42` <br/> `ssh <mntner>@shell.ca-bhs2.burble.dn42` | dn42 | Full shell account | See below |
### burble.dn42 shell access

View File

@ -55,7 +55,9 @@ Server certificates are signed for 45 days. To renew follow the steps above star
get the script here:
```sh
curl https://ca.dn42/ca.dn42 > ca.dn42; chmod +x ca.dn42
```
available via git: anon@git.dn42:dn42/ca-client
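Review bot: `curl https://ca.dn42/ca.dn42 > ca.dn42; chmod +x ca.dn42` has no `-f`, so an HTTP error page would be saved and marked executable, and nothing checks what was downloaded before it is later run as the CA client. At minimum use `curl -fsSL -o ca.dn42 https://ca.dn42/ca.dn42`, and point readers at the git source mentioned on the next line so they can compare what they fetched.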
@ -106,7 +108,7 @@ Environtment Options:
Generate the user key
```
```sh
$ ./ca.dn42 user-gen XUU-MNT xuu@sour.is
Generating a 2048 bit RSA private key
...............................+++
@ -121,7 +123,7 @@ writing new private key to 'XUU-MNT.key'
### Sign the user key
```
```sh
$ ./ca.dn42 user-sign XUU-MNT xuu@sour.is
== USER CERT ==
C:XD
@ -138,7 +140,7 @@ Verifying - Enter Export Password:
### Generate the server key
```
```sh
$ ./ca.dn42 tls-gen ca.dn42 XUU-MNT xuu@sour.is DNS:ca.dn42
Generating a 2048 bit RSA private key
@ -162,7 +164,7 @@ $ dig +short TXT _dn42_tlsverify.ca.dn42.
### Sign the server key
```
```sh
$ ./ca.dn42 tls-sign ca.dn42 XUU-MNT
== USER CERT ==
C:XD
@ -190,13 +192,13 @@ Verifying - Enter Export Password: ****
The generated certificate will be valid for 3 months, to renew it simply run ```./ca.dn42 tls-sign ca.dn42 XUU-MNT``` again. This could be also automated in cron:
```
```sh
0 0 1 * * /etc/ssl/dn42/ca.dn42 tls-sign wiki.dn42 MIC92-MNT
```
or with a systemd timer:
```
```conf
# update-dn42-ca.timer
[Timer]
OnBootSec=1h
@ -207,7 +209,7 @@ Persistent=yes
WantedBy=timers.target
```
```
```conf
[Service]
Type=oneshot
WorkingDirectory=/etc/ssl/dn42
@ -219,7 +221,7 @@ ExecStart=/usr/bin/nginx -s reload
### Revoke a certificate.
```
```sh
$ ./ca.dn42 revoke XUU-MNT XUU-MNT.crt
== USER CERT ==
C:XD

View File

@ -101,11 +101,11 @@ C0IKqQ==
## Testing constraints
The name constraints can be verified for example by using openssl:
```
```sh
openssl x509 -in dn42.crt -text -noout
```
which will show among other things:
```
```text
X509v3 Name Constraints:
Permitted:
DNS:.dn42

View File

@ -24,7 +24,7 @@ service and configure the other service as the secondary or backup nameserver.
Example resolv.conf, preferring a0.recursive-servers.dn42 and IPv4:
```text
```conf
nameserver 172.20.0.53
nameserver 172.23.0.53
nameserver fd42:d42:d42:54::1
@ -34,7 +34,7 @@ search dn42
Example resolv.conf, preferring a3.recursive-servers.dn42 and IPv6:
```text
```conf
nameserver fd42:d42:d42:53::1
nameserver fd42:d42:d42:54::1
nameserver 172.23.0.53

View File

@ -84,7 +84,7 @@ RACK_ENV=production gollum --css --host 127.0.0.1 --port 4567 --no-edit <path>
- Generate a [CSR](/services/Certificate-Authority) and send DNS Key Pin to [xuu@sour.is](mailto:xuu@sour.is):
- \<AS> is the as number with the prefix `as` like `as64737-ca.wiki.dn42`
```
```sh
./ca.dn42 tls-gen \
<AS>-<CC>(-<UID>).wiki.dn42 \
EXAMPLE-MNT \
@ -109,13 +109,13 @@ A custom header `X-SiteID` identifies the site you're connecting to:
- Extract base64 encoded SPKI fingerprint from private key `wiki.key`:
```
```sh
openssl rsa -in wiki.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
```
- Configure Nginx to send the fingerprint in header (SSL block):
```
```conf
add_header Public-Key-Pins pin-sha256="<primary>"; pin-sha256="<backup>"; max-age=5184000; includeSubDomains';
```
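Review bot: the nginx line is syntactically broken: the header value starts unquoted at `pin-sha256="<primary>"` and ends with a lone `'`, so nginx will reject the configuration; the whole value needs to be wrapped in single quotes. More importantly, HTTP Public Key Pinning has been removed from all major browsers, so this section documents a header that clients no longer act on and should be marked as historical or dropped.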
@ -137,7 +137,7 @@ Nginx should listen on a unicast address as well, so your site can be reached ex
#### Config example
```
```conf
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_session_cache shared:SSL:2m;
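Review bot: `ssl_protocols TLSv1.2 TLSv1.1 TLSv1;` enables TLS 1.0 and 1.1, both deprecated by RFC 8996; the example should read `ssl_protocols TLSv1.2 TLSv1.3;` (TLS 1.3 is available in nginx since 1.13.0 when built against OpenSSL 1.1.1 or later).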
@ -196,7 +196,7 @@ The prefix AS-PATH should show the announcement is originating from your AS. Aft
#### Configuration
```
```conf
# exabgp.conf
group gollum-watchdog {

View File

@ -3,7 +3,6 @@
We have an IRC Chatroom on the [hackint-Network](http://www.hackint.org). It is reachable from within DN42, ChaosVPN and the public internet. A connection is only possible via TLS on port 6697.
| Network | Hostname | SSL | IPv4 | IPv6 |
|:--------|:------------------------------------------|:------ |:-------------------------- |:------------ |
| DN42 | [irc.hackint.dn42](ircs://irc.hackint.dn42:6697) | Yes | 172.20.66.67 | fd42:d42:d42:6667::1 |

View File

@ -48,15 +48,19 @@ A Ruby script to calculate the IPv6 can be found on [ixp\_frnte\_dn42\_prefix.rb
An example configuration for Debian based Linux distributions would be:
```sh
iface ensXX inet6 static
address fde0:93fa:7a0:2:0:fcde:3558:1/64
```
Here `ensXX` is the dn42 VLAN interface. This can be determined by comparing the MAC address of the interface with the MAC address of the dn42 VLAN in Proxmox. The MAC address can be determined on Linux with `ip l`:
```sh
ensXX: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu
1500 qdisc pfifo_fast state UP mode DEFAULT group
default qlen 1000
link/ether MAC brd ff:ff:ff:ff:ff:ff
```
`MAC` would be the MAC address. After that you can activate the interface with ifup or a reboot of the VM.
Of course there are other configuration possibilities. This is only an example for Debian-based Linux distributions.
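Review bot: both blocks are tagged `sh` but neither is shell: `iface ensXX inet6 static` is an interfaces(5) stanza and the `ip l` excerpt is program output, so `conf` and `text` would match what this commit uses elsewhere. The `ip l` excerpt is also wrapped mid-line, which makes it hard to compare against real output; keep each interface line intact.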
@ -71,6 +75,7 @@ You can now enter this configuration into your routing daemon and it will connec
An example configuration for bird2 would be the following:
```conf
protocol bgp ixp_rs from dnpeers {
neighbor fde0:93fa:7a0:2:0:fcde:3559:1 as 4242421081;
@ -82,6 +87,7 @@ An example configuration for bird2 would be the following:
extended next hop;
};
}
```
**What does this configuration do?**
@ -107,8 +113,8 @@ Furthermore, you can display different routes (in case of bird with `birdc show
One can also try to ping the IP of some at the IXP. From the latency you can also see if everything is working:
* Burble's pingable
* 172.20.129.5
* fd42:4242:2601:ac05::1
* `172.20.129.5`
* `fd42:4242:2601:ac05::1`
* Bandura's pingable:
* 172.22.149.224
* fd04:234e:fc31::
* `172.22.149.224`
* `fd04:234e:fc31::`

View File

@ -25,7 +25,7 @@ The collector uses the dynamic peering capability in Bird2 to allow anyone to pe
Example bird2 config:
```text
```conf
protocol bgp ROUTE_COLLECTOR
{
local as ***YOUR_ASN***;

View File

@ -11,7 +11,7 @@ Channel statistics for #dn42@hackint are available at: <https://dev.0l.dn42/stat
#### collectd.conf
```
```conf
LoadPlugin exec
<Plugin exec>
Exec nobody "/etc/collectd/bgp_prefixes-quagga.sh"

View File

@ -66,8 +66,10 @@ Mirrors are hosted at `asn.grmml.dn42` and `asn.lorkep.dn42`.
Example:
```sh
$ dig +short AS4242420000.asn.dn42 TXT
"4242420000 | DN42 | dn42 | | PYROPETER-AS PyroPeters AS"
```
The Python code for generating the zone from the registry is available on the monotone repository.

View File

@ -27,7 +27,7 @@ DN42 is [interconnected](/internal/Interconnections) with the Inter City VPN or
If you already run a local DNS server, you can tell it to query the dn42 anycast servers for the relevant domains
by adding the following to /etc/bind/named.conf.local
```
```conf
zone "dn42" {
type forward;
forwarders { 172.20.0.53; fd42:d42:d42:54::1; };
@ -71,7 +71,7 @@ options {
**Note**: With DNSSEC enabled, bind might refuse to accept query results from the dn42 zone: `validating dn42/SOA: got insecure response; parent indicates it should be secure`.
To disable DNSSEC validation only for certain TLDs include the following in the options section:
```
```conf
options {
# [...]
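Review bot: disabling DNSSEC validation for the dn42 zone is the weakest way out of the 'got insecure response' error. The DS records section further down explains that the dn42 zones are signed and can be trusted through a trust-anchor file, so this note should point there first and present validation-off as the fallback, and it should say that with validation off any forwarder or on-path host can spoof dn42 answers.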
@ -93,7 +93,7 @@ options {
If you are running dnsmasq under openwrt, you just have to add
```
```conf
config dnsmasq
option boguspriv '0'
option rebind_protection '1'
@ -115,7 +115,7 @@ Attention: If you go with the default config you'll have to disable "boguspriv"
For normal dnsmasq use
```
```conf
server=/dn42/172.20.0.53
server=/20.172.in-addr.arpa/172.20.0.53
server=/21.172.in-addr.arpa/172.20.0.53
@ -129,7 +129,7 @@ in `dnsmasq.conf`.
## PowerDNS recursor
Add this to /etc/powerdns/recursor.conf (at least in Debian and CentOS).
```
```conf
dont-query=127.0.0.0/8, 192.168.0.0/16, ::1/128, fe80::/10
forward-zones-recurse=dn42=172.20.0.53
forward-zones-recurse+=20.172.in-addr.arpa=172.20.0.53
@ -143,7 +143,7 @@ forward-zones-recurse+=d.f.ip6.arpa=172.20.0.53
## MaraDNS
Put this in your mararc:
```
```conf
ipv4_alias["dn42_root"] = "172.20.0.53"
root_servers["dn42."] = "dn42_root"
root_servers["20.172.in-addr.arpa."] = "dn42_root"
@ -158,7 +158,7 @@ root_servers["10.in-addr.arpa."] = "dn42_root"
Make sure to disable `auto-trust-anchor-file` and manually configure `trust-anchor-file` to
point to a file with DNSKEY records for dn42.
```
```conf
server:
local-zone: "20.172.in-addr.arpa." nodefault
local-zone: "21.172.in-addr.arpa." nodefault
@ -205,11 +205,11 @@ forward-zone:
## JunOS (SRX 12.1X46)
Should also work in 12.1X44 and 12.1X45. After making the changes below you may need to run:
```
```sh
restart named-service
```
Config (vlan.0 is presumed to be your LAN/Trust interface)
```
```conf
system {
services {
dns {
@ -289,17 +289,17 @@ All delegation servers have DNSSEC support and all record are signed, for more i
Following is a list of links to the DS record for TLD and reverse zone, to configure the key file, extract the value of ds-rdata and format it as follows, you must add all ds-rdata to the key file for dnssec to work. P.S. each ds-rdata or DS record should contain 4 numbers.
This is an example for dn42. and (fake) ds-rdata of 1 2 3 456
```
```conf
dn42. 86400 IN DS 1 2 3 456
```
This is an example for 172.20.0.0/16 and (fake) ds-rdata of 1 2 3 456
```
```conf
20.172.in-addr.arpa. 86400 IN DS 1 2 3 456
```
This is an example for fd00::/8 and (fake) ds-rdata of 1 2 3 456
```
```conf
d.f.ip6.arpa. 86400 IN DS 1 2 3 456
```
@ -323,7 +323,7 @@ d.f.ip6.arpa. 86400 IN DS 1 2 3 456
## Unbound
```
```conf
trust-anchor-file: <path to key file>
server:

View File

@ -8,7 +8,7 @@ You may use some servers listed in the [table of anycast servers](/services/dns/
Configuration for `unbound.conf`
```
```conf
server:
local-zone: "22.172.in-addr.arpa." nodefault
local-zone: "23.172.in-addr.arpa." nodefault
@ -35,7 +35,7 @@ stub-zone:
### Unbound with root-hints
Alternatively you can put dn42 root servers in the root-hints file for recursive resolving.
```
```conf
# /etc/unbound/unbound.conf.d/dn42.conf
server:
# DNSSEC validation will fail
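Review bot: the comment `# DNSSEC validation will fail` should name the reason (the trust anchor for the public `.` root does not sign the dn42 root served from the hints file) and the option that disables or bypasses validation for this instance; otherwise readers who copy the block get SERVFAIL for every dn42 query with no hint why.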
@ -55,7 +55,7 @@ remote-control:
```
The `/etc/unbound/dn42.hints` file:
```
```conf
. NS a.root-servers.dn42.
a.root-servers.dn42. 3600000 A 172.22.177.6
. NS m.root-servers.dn42.