dn42/wiki
1
Fork 0
mirror of https://git.dn42.dev/wiki/wiki.git synced 2024-11-19 04:07:25 +01:00
Code Releases Activity

Revert "Ungollum #2"

Browse Source 
This reverts commit ed1acbed
This commit is contained in:
KIOUBIT-MNT 2021-05-31 22:20:54 +03:00
parent 4af78f0286
commit 570bc4abde
40 changed files with 440 additions and 440 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Other.md
View File

@ -44,7 +44,7 @@ A wiki page dedicated to the AnoNet Network: http://wiki.qontrol.nl/Anonet
> This information is a caryover from the original dn42 wiki. most is unsubstantiated and probably invalid now. Included here for historical reasons. Keys and other parameters can be found in the registry under `tinc-key` and `tinc-keyset`
````
```
first tinc cloud
================
@ -88,6 +88,6 @@ IP IPv6 User Host ASN
172.22.255.161 fd04:de02:7af9::161 uves spline 64733
172.22.255.162 fd04:de02:7af9::162 petrus beta 64751
-------------- ------------------- --------- ----------- -----
````
```

4
howto/Address-Space.md
View File

@ -9,9 +9,9 @@ The [DN42 registry](https://git.dn42.dev/dn42/registry) is the authoritative sou
A simple way to see all the active policies in the registry is to search the registry content for policy attributes:
````sh
```sh
grep -r ^policy data/inet{,6}num/
````
```
The [filter.txt](https://git.dn42.dev/dn42/registry/src/master/data/filter.txt) and [filter6.txt](https://git.dn42.dev/dn42/registry/src/master/data/filter6.txt) files within the registry detail the network wide constraints on what address ranges are in use together with the global limits on what can be announced.

24
howto/Bird-communities.md
View File

@ -11,7 +11,7 @@ Below, you will see an example config for peers4 based on the original filter im
To properly assign the right community to your peer, please reference the table below. If you are running your own network and peering internally, please also apply the communities inside your network.
## BGP community criteria
````
```
(64511, 1) :: latency \in (0, 2.7ms]
(64511, 2) :: latency \in (2.7ms, 7.3ms]
(64511, 3) :: latency \in (7.3ms, 20ms]
@ -39,12 +39,12 @@ bw = min(up,down) for asymmetric connections
Propagation:
- - for latency pick max(received_route.latency, link_latency)
- - for encryption and bandwidth pick min between received BGP community and peer link
````
```
For example, if your peer is 12ms away and the link speed between you is 250Mbit/s and you are peering using OpenVPN P2P, then the community string would be (3, 24, 33).
Two utilites which measure round trip time and calculate community values automatically are provided, written in [ruby](https://github.com/Mic92/bird-dn42/blob/master/bgp-community.rb) and [C](https://github.com/nixnodes/bird/blob/master/misc/dn42-comgen.c).
````
```
$ ruby bgp-community.rb --help
USAGE: bgp-community.rb host mbit_speed unencrypted|unsafe|encrypted|pfs
-6, --ipv6 Assume ipv6 for ping
@ -56,11 +56,11 @@ $ ruby bgp-community.rb -6 dn42-2.higgsboson.tk 1000 pfs
# 11 ms, 1000 mbit/s, pfs tunnel (updated: 2016-02-11)
import where dn42_import_filter(3,25,34);
export where dn42_export_filter(3,25,34);
````
```
### Route Origin
According to [this mail](https://lists.nox.tf/pipermail/dn42/2015-December/001259.html) these are the communities for route origin:
````
```
(64511, 41) :: Europe
(64511, 42) :: North America-E
(64511, 43) :: North America-C
@ -74,7 +74,7 @@ According to [this mail](https://lists.nox.tf/pipermail/dn42/2015-December/00125
(64511, 51) :: Asia-SE (TH,SG,PH,ID,MY)
(64511, 52) :: Asia-E (JP,CN,KR)
(64511, 53) :: Pacific
````
```
You need to add following lines to your config(s):
- `define DN42_REGION = $VALUE_FROM_ABOVE` to your node's config (where OWNAS and OWNIP are set)
@ -83,15 +83,15 @@ just above `update_flags` in `dn42_export_filter` function
## Example configurations
````
```
# /etc/bird/peers4/tombii.conf
protocol bgp tombii from dnpeers {
neighbor 172.23.102.x as 4242420321;
import where dn42_import_filter(3,24,33);
export where dn42_export_filter(3,24,33);
};
````
````
```
```
#/etc/bird/community_filters.conf
function update_latency(int link_latency) {
bgp_community.add((64511, link_latency));
@ -159,9 +159,9 @@ function dn42_export_filter(int link_latency; int link_bandwidth; int link_crypt
reject;
}
````
```
Please remember to include /etc/bird/community_filters.conf in your bird.conf/birdc6.conf
````
```
# local configuration
######################
@ -172,7 +172,7 @@ include "bird/local4.conf";
include "/etc/bird/filter4.conf";
include "/etc/bird/community_filters.conf";
````
```
***

64
howto/Bird.md
View File

@ -7,13 +7,13 @@ In the Debian release cycle the bird packages may become outdated at times, if t
This is not necessary for Debian Stretch, which currently ships the most recent version (1.6.3) in this repositories.
````sh
```sh
wget -O - http://bird.network.cz/debian/apt.key | apt-key add -
apt-get install lsb-release
echo "deb http://bird.network.cz/debian/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/bird.list
apt-get update
apt-get install bird
````
```
# Example configuration
@ -28,7 +28,7 @@ Note: This file covers the configuration of Bird 1.x. For an example configurati
### IPv6
````
```
#/etc/bird/bird6.conf
protocol device {
scan time 10;
@ -96,9 +96,9 @@ template bgp dnpeers {
}
include "/etc/bird/peers6/*";
````
```
````
```
# /etc/bird/local6.conf
# should be a unique identifier, use same id as for ipv4
router id <GATEWAY_IP>;
@ -115,20 +115,20 @@ function is_valid_network() {
fd00::/8{44,64} # ULA address space as per RFC 4193
];
}
````
```
````
```
# /etc/bird/peers6/<PEER_NAME>
protocol bgp <PEER_NAME> from dnpeers {
neighbor <PEERING_IP> as <PEER_AS>;
# if you use link-local ipv6 addresses for peering using the following
# neighbor <PEERING_IP> % '<INTERFACE_NAME>' as <PEER_AS>;
};
````
```
### IPv4
````
```
# /etc/bird/bird.conf
# Device status
protocol device {
@ -205,9 +205,9 @@ template bgp dnpeers {
};
include "/etc/bird/peers4/*";
````
```
````
```
#/etc/bird/local4.conf
# should be a unique identifier, <GATEWAY_IP> is what most people use.
router id <GATEWAY_IP>;
@ -232,14 +232,14 @@ function is_valid_network() {
10.0.0.0/8{15,24} # Freifunk.net
];
}
````
```
````
```
# /etc/bird/peers4/<PEER_NAME>
protocol bgp <PEER_NAME> from dnpeers {
neighbor <PEERING_IP> as <PEER_AS>;
};
````
```
# Bird communities
@ -270,23 +270,23 @@ ROA files generated by [dn42regsrv](https://git.dn42.dev/burble/dn42regsrv) are
You can add cron entries to periodically update the tables:
````
```
*/15 * * * * curl -sfSLR {-o,-z}/var/lib/bird/bird6_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_6.conf && chronic birdc6 configure
*/15 * * * * curl -sfSLR {-o,-z}/var/lib/bird/bird_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_4.conf && chronic birdc configure
````
```
Debian version:
````
```
*/15 * * * * curl -sfSLR -o/var/lib/bird/bird6_roa_dn42.conf -z/var/lib/bird/bird6_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_6.conf && /usr/sbin/birdc6 configure
*/15 * * * * curl -sfSLR -o/var/lib/bird/bird_roa_dn42.conf -z/var/lib/bird/bird_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_4.conf && /usr/sbin/birdc configure
````
```
then create the directory to make sure curls can save the files:
````
```
mkdir -p /var/lib/bird/
````
```
### Use RPKI ROA for bird2
* Download gortr
@ -295,22 +295,22 @@ mkdir -p /var/lib/bird/
* Running gortr,need golang environment.
````
```
./gortr -verify=false -checktime=false -cache=https://dn42.burble.com/roa/dn42_roa_46.json
````
```
* run with docker
`docker pull cloudflare/gortr`
````
```
docker run --name dn42rpki -p 8282:8282 --restart=always -d cloudflare/gortr -verify=false -checktime=false -cache=https://dn42.burble.com/roa/dn42_roa_46.json
````
```
* Add this to your bird configure file,other ROA protocol must removed.
````
```
protocol rpki rpki_dn42{
roa4 { table dn42_roa; };
roa6 { table dn42_roa_v6; };
@ -321,26 +321,26 @@ protocol rpki rpki_dn42{
refresh keep 900;
expire keep 172800;
}
````
```
## Filter configuration
In your import filter add the following to reject invalid routes:
````
```
if (roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID) then {
print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
reject;
}
````
```
Also, define your ROA table with:
````
```
roa table dn42_roa {
include "/var/lib/bird/bird_roa_dn42.conf";
};
````
```
**NOTE**: Make sure you setup ROA checks for both bird and bird6 (for IPv6).
@ -349,7 +349,7 @@ roa table dn42_roa {
bird can be remote controlled via the `birdc` command. Here is a list of useful bird commands:
````
```
$ birdc
BIRD 1.4.5 ready.
bird> configure # reload configuration
@ -389,7 +389,7 @@ bird> show route filtered # shows routed filtered out by rules
bird> show route protocol <somepeer> # shows the route they export to you
bird> show route export <somepeer> # shows the route you export to someone
...
````
```
# External Links
* detailed bird configuration from Mic92: https://github.com/Mic92/bird-dn42

12
howto/Bird2.md
View File

@ -19,7 +19,7 @@ When copying the configuration below onto your system, you will have to enter th
* The same goes for `<OWNNETv6>`, but it takes an IPv6 subnet (Who'd have thought).
* Keep in mind that you'll have to enter both networks in the OWNNET{,v6} and OWNNETSET{,v6}, the two variables are required due to set parsing difficulties with variables.
````
```
################################################
# Variable header #
################################################
@ -165,7 +165,7 @@ template bgp dnpeers {
include "/etc/bird/peers/*";
````
```
# Route Origin Authorization
@ -177,15 +177,15 @@ Please note: This section assumes that you've already got a tunnel to your peeri
First, make sure the /etc/bird/peers directory exists:
````
```
# mkdir -p /etc/bird/peers
````
```
Then for each peer, create a configuration file similar to this one:
`/etc/bird/peers/<NEIGHBOR_NAME>.conf`:
````
```
protocol bgp <NEIGHBOR_NAME> from dnpeers {
neighbor <NEIGHBOR_IP> as <NEIGHBOR_ASN>;
}
@ -193,6 +193,6 @@ protocol bgp <NEIGHBOR_NAME> from dnpeers {
protocol bgp <NEIGHBOR_NAME>_v6 from dnpeers {
neighbor <NEIGHBOR_IPv6>%<NEIGHBOR_INTERFACE> as <NEIGHBOR_ASN>;
}
````
```
Due to the special link local addresses of IPv6, an interface has to be specified using the %<if> syntax if a link local address is used (Which is recommended)

16
howto/EMail.md
View File

@ -18,7 +18,7 @@ Running email in dn42 is not very complicated. Your SMTP daemon probably alread
~~Send an email to `test@evenet.dn42` to check if your mail setup is correct.~~ This host will reply using the following
sieve filter:
````
```
require ["regex", "variables", "vacation-seconds"];
if header :contains "To" ["test@evenet.dn42"] {
if header :matches "Subject" "*" {
@ -26,7 +26,7 @@ if header :contains "To" ["test@evenet.dn42"] {
}
vacation :addresses ["test@evenet.dn42"] :seconds 60 :subject "Re: ${subject_was}" "Your dn42 email setup works!";
}
````
```
## Exim tips
@ -65,25 +65,25 @@ This should to the trick for sending mails via your DN42-IP
If you use `smtpd_recipient_restrictions` you can use the following rule to white-list dn42 as sender.
This can circumvent certain rdns configuration failure or in case you use rbl lists:
````
```
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,
check_client_access cidr:/etc/postfix/dn42.cidr,
reject_non_fqdn_sender,
# ...
permit
````
```
````
```
#/etc/postfix/dn42.cidr
172.16.0.0/12 OK
10.0.0.0/8 OK
fc00::/7 OK
````
```
````
```
$ postmap /etc/postfix/dn42.cidr
````
```
### Receiving emails

6
howto/EdgeOS-Config-Example.md
View File

@ -12,7 +12,7 @@ This is the config I (Felicitus) am running on an Ubiquiti EdgeRouter Lite (AS76
## Upcoming
* AICCU integration (SIXXS), probably not possible with the config, so ````apt-get install aiccu```` should do the trick
* AICCU integration (SIXXS), probably not possible with the config, so ```apt-get install aiccu``` should do the trick
* dn42 IPv6 routing (probably)
Ask me if you want to know if I have implemented those items already.
@ -20,7 +20,7 @@ Ask me if you want to know if I have implemented those items already.
# Configuration
````
```
firewall {
all-ping enable
broadcast-ping disable
@ -376,4 +376,4 @@ traffic-policy {
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:dhcp-relay@1:dhcp-server@4:firewall@4:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.3.0.4605130.131011.1754 */
````
```

8
howto/GRE-on-FreeBSD.md
View File

@ -10,18 +10,18 @@ This page describes how to configure GRE tunnels on FreeBSD.
## Create a temporary gre tunnel
````bash
```bash
ifconfig gre$INDEX create
ifconfig gre$INDEX tunnel $TUNNEL_SRC $TUNNEL_DST
ifconfig gre$INDEX inet $LOCAL $REMOTE netmask 0xffffffff
ifconfig gre$INDEX descr $DESCR
````
```
## Create a persistent gre tunnel
Add this to your `rc.conf`.
````
```
cloned_interfaces="$cloned_interfaces gre0"
ifconfig_gre0="10.0.0.1 10.0.0.2 netmask 0xffffffff tunnel 1.2.3.4 5.6.7.8 descr foo"
````
```

20
howto/GRE-on-OpenBSD.md
View File

@ -9,10 +9,10 @@ Let `fd42::` and `fd42::1` be the IPs of *A* and *D* respectively where both are
## pseudo interface
Populate [`/etc/hostname.gre0`](https://man.openbsd.org/hostname.if.5) with:
````
```
tunnel A.example.com D.example.net
inet6 fd42::/127
````
```
This will resolve FQDNs at parse time, set *A*'s and *D*'s IPs as source and destination tunnel address and set *A*'s assigned IP as point-to-point address on the interface.
Replace hostnames in the `tunnel` line with literal IPs if DNS is not available (at system boot).
@ -21,14 +21,14 @@ Reboot or run [`sh /etc/netstart gre0`](https://man.openbsd.org/netstart.8) to b
## miscellaneous
Populate `/etc/sysctl.conf` with:
````
```
net.inet.gre.allow=1
````
```
Reboot or run `sysctl net.inet.gre.allow=1` to allow GRE packet processing.
-
At this point, `gre0` will be administratively *UP*:
````
```
$ ifconfig gre0
gre0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1476
index 22 priority 0 llprio 6
@ -37,10 +37,10 @@ gre0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1476
tunnel: inet6 2001:db8::a --> 2001:db9::d ttl 64 nodf ecn
inet6 fe80::221:28ff:fef9:c1d8%gre0 --> prefixlen 64 scopeid 0x16
inet6 fd42:: --> prefixlen 127
````
```
All traffic destined to `fd42::1/127` will be encapsulated and routed to *D*:
````
```
$ route show
[...]
Internet6:
@ -53,8 +53,8 @@ fe80::221:28ff:fef9:c1d8%gre0 fe80::221:28ff:fef9:c1d8%gre0 UHl 0
ff01::%gre0/32 fe80::221:28ff:fef9:c1d8%gre0 Um 0 1 - 4 gre0
ff02::%gre0/32 fe80::221:28ff:fef9:c1d8%gre0 Um 0 1 - 4 gre0
[...]
````
````
```
```
$ route -n get fd42::1
route to: fd42::1
destination: fd42::1
@ -65,7 +65,7 @@ destination: fd42::1
flags: <UP,HOST,DONE,CLONED>
use mtu expire
3181 0 0
````
```
# Security
GRE may be protected with IPsec to encrypt and authenticate traffic, [OpenIKED](http://www.openiked.org/) can be used to establish an IKEv2 session between *A* and *D*.

44
howto/Getting-Started.md
View File

@ -65,14 +65,14 @@ Common authentication methods are:
- SSH Key: `auth: ssh-{rsa,ed25519} <key>`
Example: data/mntner/FOO-MNT
````
```
mntner: FOO-MNT
admin-c: FOO-DN42
tech-c: FOO-DN42
mnt-by: FOO-MNT
auth: pgp-fingerprint 0123456789ABCDEF0123456789ABCDEF01234567
source: DN42
````
```
### Create person objects
@ -91,13 +91,13 @@ Contact attributes are optional but DN42 is a dynamic network and being able to
Example: data/person/FOO-DN42
````
```
person: John Doe
e-mail: john.doe@example.com
nic-hdl: FOO-DN42
mnt-by: FOO-MNT
source: DN42
````
```
---
@ -114,14 +114,14 @@ If you intend to register resources for an organisation (e.g. your hackerspace),
- don't forget to set `mnt-by` to `<FOO>-MNT`, since you're managing this object on behalf of your organisation.
Example: data/organisation/ORG-EXAMPLE
````
```
organisation: ORG-FOO
org-name: Foo Organisation
admin-c: FOO-DN42
tech-c: FOO-DN42
mnt-by: FOO-MNT
source: DN42
````
```
### Guidelines for resource objects
@ -151,14 +151,14 @@ Internet ASNs may be used, but you must take care to clearly separate Internet a
If unsure, ask on the mailing list or IRC.
Example: data/aut-num/AS4242423999
````
```
aut-num: AS4242423999
as-name: AS-FOO-DN42
admin-c: FOO-DN42
tech-c: FOO-DN42
mnt-by: FOO-MNT
source: DN42
````
```
### Register a network prefix
@ -177,7 +177,7 @@ A few websites can generate random ULA prefixes for you:
or a small script is available: [ulagen.py](https://git.dn42.dev/netravnen/dn42-repo-utils/src/master/ulagen.py)
example: data/inet6num/fd35:4992:6a6d::_48
````
```
inet6num: fd35:4992:6a6d:0000:0000:0000:0000:0000 - fd35:4992:6a6d:ffff:ffff:ffff:ffff:ffff
cidr: fd35:4992:6a6d::/48
netname: FOO-NETWORK
@ -188,7 +188,7 @@ tech-c: FOO-DN42
mnt-by: FOO-MNT
status: ASSIGNED
source: DN42
````
```
#### IPv4 (Legacy)
@ -219,7 +219,7 @@ If you need a /24 or larger, please ask in the IRC chan or on the mailing list a
**Note:** Reverse DNS works with _any_ prefix length, as long as your [recursive nameserver](/services/DNS) supports [RFC 2317](https://www.ietf.org/rfc/rfc2317.txt). Don't go for a /24 _just to have RDNS_.
example: data/inetnum/172.20.150.0_27
````
```
inetnum: 172.20.150.0 - 172.20.150.31
cidr: 172.20.150.0/27
netname: FOO-NETWORK
@ -228,28 +228,28 @@ tech-c: FOO-DN42
mnt-by: FOO-MNT
status: ASSIGNED
source: DN42
````
```
#### Create route objects
If you plan to announce your prefixes in dn42, which you probably want in most cases, you will also need to create a `route6` object for ipv6 prefixes and a `route` object for ipv4 prefixes. This information is used for Route Origin Authorization (ROA) checks. If you skip this step, your network will probably get filtered by most major peers. Checking ROA will prevent (accidental) hijacking of other people's prefixes.
example: data/route6/fd35:4992:6a6d::_48
````
```
route6: fd35:4992:6a6d::/48
origin: AS4242423999
max-length: 48
mnt-by: FOO-MNT
source: DN42
````
```
example data/route/172.20.150.0_27:
````
```
route: 172.20.150.0/27
origin: AS4242423999
mnt-by: FOO-MNT
source: DN42
````
```
#### DNS and Domain Registration
@ -258,7 +258,7 @@ To register a domain name, create a `dns` object in the data/dns directory.
Domain names and nserver attributes must be lowercase.
example: data/dns/foo.dn42
````
```
domain: foo.dn42
admin-c: FOO-DN42
tech-c: FOO-DN42
@ -268,17 +268,17 @@ nserver: ns1.foo.dn42 fd35:4992:6a6d:53::1
nserver: ns2.foo.dn42 172.20.150.2
nserver: ns2.foo.dn42 fd35:4992:6a6d:53::2
source: DN42
````
```
You can also add DNSSEC delegations using `ds-rdata` attributes to your domain:
````
```
ds-rdata: 61857 13 2 bd35e3efe3325d2029fb652e01604a48b677cc2f44226eeabee54b456c67680c
````
```
For reverse DNS, add `nserver` attributes to you inet{,6}num objects:
````
```
inet6num: fd35:4992:6a6d:0000:0000:0000:0000:0000 - fd35:4992:6a6d:ffff:ffff:ffff:ffff:ffff
cidr: fd35:4992:6a6d::/48
netname: FOO-NETWORK
@ -291,7 +291,7 @@ status: ASSIGNED
nserver: ns1.foo.dn42
nserver: ns2.foo.dn42
source: DN42
````
```
# Get some peers

8
howto/IPsec-on-FreeBSD.md
View File

@ -10,17 +10,17 @@ These instructions are for IPsec in transport mode not IPsec in tunnel mode. IPs
## Kernel configuration
The FreeBSD GENERIC kernel lacks support for in-kernel IPsec processing. Add this two lines to your kernel config and (re-)build your own kernel.
If you're new to FreeBSD check Chapters [15.9.1](http://www.freebsd.org/doc/handbook/ipsec.html) and [9](http://www.freebsd.org/doc/handbook/kernelconfig.html) of the FreeBSD handbook.
````
```
options IPSEC #IP security
device crypto
````
```
Reboot into your new kernel.
## Userland configuration
Install the racoon daemon. It's included in the [security/ipsec-tools](http://www.freshports.org/security/ipsec-tools/) port.
Racoon is pain in the ass to configure the first time because it's error messages aren't helping and the complexity of IPsec. Don't let this stop you.
````
```
path pre_shared_key "/usr/local/etc/racoon/psk";
path certificate "/usr/local/etc/racoon/certs";
log info;
@ -69,4 +69,4 @@ sainfo (address a.b.c.d gre address b.c.d.e gre) {
authentication_algorithm hmac_sha1;
}
````
```

20
howto/IPsecWithPublicKeys/GRE-plus-IPsec-Debian.md
View File

@ -12,26 +12,26 @@
## Define an IPsec security policy
Example policy on 1.2.3.4:
````bash
```bash
#!/usr/sbin/setkey -f
spdadd 1.2.3.4 5.6.7.8 gre -P out ipsec esp/transport//require;
spdadd 5.6.7.8 1.2.3.4 gre -P in ipsec esp/transport//require;
````
```
Change the direction on 5.6.7.8.
## Load the IPsec security policy into the IPsec security policy database
Load the policy with the setkey command.
````
```
setkey -f /etc/ipsec-tools.conf
````
```
Afterward check the policy database with:
````
```
setkey -DP
````
```
## Configure the racoon daemon
An example /etc/racoon/racoon.conf.
````
```
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
log info;
@ -72,11 +72,11 @@ sainfo address 1.2.3.4 47 address 5.6.7.8 47 {
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
````
```
## Configure a GRE tunnel
Add this to /etc/network/interfaces:
````
```
auto gre1
iface gre1 inet tunnel
mode gre
@ -86,4 +86,4 @@ iface gre1 inet tunnel
endpoint 5.6.7.8
local 1.2.3.4
ttl 255
````
```

8
howto/IPsecWithPublicKeys/RacoonExample.md
View File

@ -4,7 +4,7 @@ See also [strongswan](howto/IPsecWithPublicKeys/strongSwan5Example)
The keys are generated with plainrsa-gen.
````
```
Usage: plainrsa-gen [options]
-b bits Generate <bits> long RSA key (default=1024)
@ -12,12 +12,12 @@ Usage: plainrsa-gen [options]
-f filename Filename to store the key to (default=stdout)
-i filename Input source for format conversion
-h Help
````
```
I'd probably go with 4096 bits.
in your racoon.conf:
````
```
path certificate "/etc/racoon/keys";
listen {
@ -36,7 +36,7 @@ remote 192.168.255.2 {
dh_group modp1024;
}
}
````
```
## Se also

24
howto/IPv6-Multicast.md
View File

@ -5,14 +5,14 @@ The following guide illustrates how to set up an IPv6 multicast router using [PI
## Quickstart
* Install pim6sd from here: https://github.com/troglobit/pim6sd/
````sh
```sh
cd /usr/src
git clone https://github.com/troglobit/pim6sd.git
cd pim6sd
./autogen.sh
./configure
make
````
```
* Find a peer who is already connected to the dn42 multicast backbone
* Calculate your personal, embedded-RP multicast prefix matching your network prefix via [RFC3956](https://tools.ietf.org/html/rfc3956)
* Example:
@ -26,7 +26,7 @@ The following guide illustrates how to set up an IPv6 multicast router using [PI
* Create a dummy interface to hold your calculated unicast Rendezvous Point address. This one needs to be reachable from within dn42. Also set "multicast on" on this dummy interface. Example:
````
```
# /etc/network/interfaces.d/pim6sd
auto pim-router-id
iface pim-router-id inet manual
@ -34,11 +34,11 @@ The following guide illustrates how to set up an IPv6 multicast router using [PI
post-up ip link set multicast on dev $IFACE
post-up ip -6 a a fd00:2001:db8::2/128 dev $IFACE
post-down ip link del $IFACE
````
```
* Create the configuration file:
````sh
```sh
# /etc/pim6sd.conf
# disable all interfaces by default
default_phyint_status disable;
@ -52,7 +52,7 @@ The following guide illustrates how to set up an IPv6 multicast router using [PI
# configure rendezvous point for the personal multicast prefix
cand_rp pim-router-id;
group_prefix ff7e:230:fd00:2001:db8::/96;
````
```
The `phyint` statement enables [PIM](https://tools.ietf.org/html/rfc7761) and [MLD](https://tools.ietf.org/html/rfc2710) on the target interface - by default all interfaces are in the disable state. Enable an interface if it is directed towards a multicast-capable peer or other multicast-capable routers in your autonomous system. Also enable it for downstream network segments with multicast listeners and senders, like for example your home (W)LAN segments.
@ -66,7 +66,7 @@ The following guide illustrates how to set up an IPv6 multicast router using [PI
On your router:
````sh
```sh
allow-hotplug pim-ns0
iface pim-ns0 inet manual
pre-up ip link add pim-ns0 type veth peer name pim-ns1
@ -78,24 +78,24 @@ iface pim-ns0 inet manual
post-up ip netns exec pim-ns0 ip -6 r a default via fdd5:69d5:c530:1::1
post-down ip link del pim-ns0
post-down ip netns del pim-ns0
````
```
You can now switch into this test network namespace via "ip netns exec /bin/bash". Inside this network namespace you can try:
### Creating a test multicast listener
````
```
$ socat -u UDP6-RECV:1234,reuseaddr,ipv6-join-group="[ff7e:230:fdd5:69d5:c530::123]:eth0" -
````
```
### Creating a test multicast sender
First select which interface should be the default one for your multicast traffic. Then send multicast packets via ICMPv6:
````
```
$ ip -6 route add ff7e:230:fdd5:69d5:c530::/96 dev eth0 table local
$ ping6 -t 16 ff7e:230:fdd5:69d5:c530::123
````
```
The "-t 16", a hop-limit of 16, is important here as **by default all multicast traffic is usually send with a hop-limit of just 1**.

4
howto/IPv6.md
View File

@ -65,10 +65,10 @@ Enter NPT. Address your services using a reserved private block, and map that bl
For example, if you've been assigned a public /48 prefix, and want to be reachable on DN42 aswell, you can use only ULA addresses from DN42 internally (or your own!), then map them to outside prefixes. Note that they'll need to all use the same prefix size to maintain the one-to-one mapping, so you may have to subnet the public prefix.
In Linux's netfilter, this can be implemented through the use of the NETMAP target, for the example above:
````
```
ip6tables -t nat -A POSTROUTING -d 2000::/3 -s <DN42-PREFIX>:<SUBNET>::/56 -j NETMAP --to <PUBLIC-PREFIX>:<SUBNET>::/56; # Map ULA to the public prefix for outgoing packets
ip6tables -t nat -A PREROUTING -s 2000::/3 -d <PUBLIC-PREFIX>:<SUBNET>::/56 -j NETMAP --to <DN42-PREFIX>:<SUBNET>::/56; # Map public prefix to ULA for incoming packets
````
```
### With Multiple Prefixes

20
howto/Munin.md
View File

@ -1,7 +1,7 @@
## Number of routes by AS
IPv4:
````bash
```bash
#!/bin/bash
if [ "$1" = "config" ];then
echo graph_title Number of routes
@ -14,10 +14,10 @@ if [ "$1" = "config" ];then
else
ip r|sed 's/.* dev //;s/ .*//'|sort|uniq -c|grep as|awk '{print $2".value "$1}'
fi
````
```
IPv6:
````bash
```bash
#!/bin/bash
if [ "$1" = "config" ];then
echo graph_title Number of routes
@ -30,7 +30,7 @@ if [ "$1" = "config" ];then
else
ip -6 r|sed 's/.* dev //;s/ .*//'|sort|uniq -c|grep as|awk '{print $2".value "$1}'
fi
````
```
(hint: The difference just the -6 on the ip command)
## Graph routes and activity for every neighbour
@ -39,19 +39,19 @@ This munin-plugin makes it very easy to graph the announced routes and activity
https://github.com/luben/bird-multigraph-plugin
It's also possible to get notified by Munin when a problem with the peering persists. You have to define a critical value in line 138:
````
```
imported.critical 1:
````
```
This will send execute the command (set in munin-node.conf) to alert you, if the imported route count falls under 1.
You might also want to change line 125 from
````
```
graph_title $proto->{title} routes
````
```
to
````
```
graph_title $name routes
````
```
Example installation:
http://stats.tbspace.de/munin-cgi/munin-cgi-graph/tbspace.de/server.tbspace.de/dn42_crest_routes-day.png

36
howto/OpenBGPD.md
View File

@ -16,7 +16,7 @@ By default, [bgpd(8)](http://man.openbsd.org/bgpd.8) listens on all local addres
## local host
Information such as ASN, router ID and allocated networks are required:
````
```
# macros
ASN="4242421234"
@ -27,21 +27,21 @@ router-id 1.2.3.4
prefix-set mynetworks {
fd00:12:34::/48
}
````
```
These can be used in subsequent filter rules.
The local peer's announcements is then defined as follows:
````
```
# Generate routes for the networks our ASN will originate.
# The communities (read 'tags') are later used to match on what
# is announced to EBGP neighbors
network prefix-set mynetworks set large-community $ASN:1:1
````
```
## neighbors
For each neighbor its ASN and transfer ULA is required.
An optional description is provided such that [bgpctl(8)](http://man.openbsd.org/bgpctl.8) for example can be used with mnemonic names instead of AS numbers:
````
```
# peer A, transport over IPSec/GRE
$A_local="fd00:12:34:A::1"
$A_remote="fd00:12:34:A::2"
@ -53,7 +53,7 @@ neighbor $A_remote {
remote-as $A_ASN
descr "A"
}
````
```
## filter rules
**bgpd** blocks all BGP __UPDATE__ messages by default.
@ -61,35 +61,35 @@ The filter rules are evaluated in sequential order, form first to last.
The last matching allow or deny rule decides what action is taken.
Start off with basic protection and sanity rules:
````
```
# deny more-specifics of our own originated prefixes
deny quick from ebgp prefix-set mynetworks or-longer
# filter out too long paths, establish more peerings instead
deny quick from any max-as-len 8
````
```
`quick` rules are considered the last matching rule, and evaluation of subsequent rules is skipped.
Allow own announcements:
````
```
# Outbound EBGP: only allow self originated networks to ebgp peers
# Don't leak any routes from upstream or peering sessions. This is done
# by checking for routes that are tagged with the large-community $ASN:1:1
allow to ebgp prefix-set kn large-community $ASN:1:1
````
```
Allow all remaining UPDATES based on **O**rigin **V**alidation **S**tates:
````
```
# enforce ROA
allow from ebgp ovs valid
````
```
Note how the `ovs` filter requires the `roa-set {...}` to be defined; see the `ROA` section below.
### path attributes
Besides `allow` and `deny` statements, filter rules can modify UPDATE messages, e.g.
````
```
# Scrub normal and large communities relevant to our ASN from EBGP neighbors
# https://tools.ietf.org/html/rfc7454#section-11
match from ebgp set { large-community delete $ASN:*:* }
@ -97,7 +97,7 @@ match from ebgp set { large-community delete $ASN:*:* }
# Honor requests to gracefully shutdown BGP sessions
# https://tools.ietf.org/html/rfc8326
match from any community GRACEFUL_SHUTDOWN set { localpref 0 }
````
```
# ROA
@ -114,19 +114,19 @@ ROA files generated by [dn42regsrv](https://git.dn42.dev/burble/dn42regsrv) are
|[https://dn42.burble.com/roa/dn42_roa_obgpd_6.conf](https://dn42.burble.com/roa/dn42_roa_obgpd_6.conf) &nbsp; | &nbsp;IPv6 Only&nbsp; |
`/etc/dn42.roa-set` is the generated set:
````
```
roa-set {
fd00:12:34::/48 source-as 4242421234
fd00:ab:cd::/44 maxlen 64 source-as 4242427890
...
}
````
```
Include it in `/etc/bgpd.conf`:
````
```
# defines roat-set, see _rpki-client crontab
include "/etc/dn42.roa-set"
````
```
# Looking glass
This is mostly OpenBSD specific since [bgplg(8)](http://man.openbsd.org/bgplg.8) and [httpd(8)](http://man.openbsd.org/httpd.8) ship as part of the operating system.

8
howto/Quagga.md
View File

@ -98,7 +98,7 @@ Apply a prefix list for incoming prefixes to your peer group:
ipv6 prefix-list vpn-in seq 15 deny any
#### Example filter list script
````
```
#!/bin/bash
vtysh -c 'conf t' -c "no ip prefix-list dn42"; #drop old prefix list
@ -109,7 +109,7 @@ do
done < <(curl -s https://ca.dn42.us/reg/filter.txt | grep -e ^[0-9] | awk '{ print "ip prefix-list dn42 seq " $1 " " $2 " " $3 " ge " $4 " le " $5}' | sed "s_/\([0-9]\+\) ge \1_/\1_g;s_/\([0-9]\+\) le \1_/\1_g");
vtysh -c "wr" #write new prefix list
````
```
## show bpg session status
@ -118,7 +118,7 @@ in this example:
* no (vpn) connection at all exists with peer 64692
* a (vpn) connection with 4242421375 exists, but no bgp session
````
```
vtysh> show ip bgp summary
BGP router identifier 172.22.100.254, local AS number 64698
RIB entries 938, using 103 KiB of memory
@ -132,4 +132,4 @@ Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
....
172.23.64.1 4 4242421375 0 0 0 0 0 never Active
fe80::deca:fbad 4 64699 902 694 0 0 0 01:23:57 486
````
```

84
howto/Registry-Authentication.md
View File

@ -19,13 +19,13 @@ The signature and verification process varies depending on the type of public ke
#### Finding the commit hash
`git log` will list all the recent commits and show the commit hash:
````
```
commit 6e2e9ac540e2e4e3c3a135ad90c8575bb8fa1784 (HEAD -> master)
Author: foo <foo@baz.com>
Date: Mon Jan 01 01:01:01 2020 +0000
Change some stuff
````
```
## Authentication with PGP Key
@ -34,9 +34,9 @@ PGP keys may be uploaded to a public keyserver for verification, or added in the
#### Using a public keyserver
- Use the following `auth` attribute in your `mntner` object:
````
```
auth: pgp-fingerprint <fingerprint>
````
```
Where `<fingerprint>` is your full 40-digit key fingerprint, without spaces.
- Ensure that your public key has been uploaded to a public keyserver, e.g. [SKS](https://sks-keyservers.net/), [OpenPGP](https://keys.openpgp.org/), [keybase](https://keybase.io/).
@ -44,9 +44,9 @@ Where `<fingerprint>` is your full 40-digit key fingerprint, without spaces.
#### Adding to the registry
- Use the following `auth` attribute in your `mntner` object:
````
```
auth: PGPKEY-<fprint>
````
```
Where `<fprint>` is the last 8 digits from your key fingerprint.
- Create a `key-cert` object for your public key, using `PGPKEY-<fprint>` for the filename. Do browse the registry and check the existing objects for examples.
@ -56,9 +56,9 @@ Where `<fprint>` is the last 8 digits from your key fingerprint.
- Use `git commit -S` to commit and sign your change. See the [github guide](https://help.github.com/en/github/authenticating-to-github/signing-commits).
- If you have already committed your change, you can sign it using.
````
```
git commit --amend --no-edit -S
````
```
#### Verifying the signature
@ -67,9 +67,9 @@ git commit --amend --no-edit -S
## Authentication using an SSH key
The generic format for authentication using an SSH key is as follows:
````
```
auth: ssh-<keytype> <pubkey>
````
```
There are examples below for each specific key type.
#### Generic process for signing with an SSH key
@ -77,9 +77,9 @@ There are examples below for each specific key type.
OpenSSH v8 introduced new functionality for creating signatures using SSH keys. If you have an older version, you can compile the latest version of ssh-keygen from the [openssh-portable repo](https://github.com/openssh/openssh-portable).
Use the following to sign the latest `<commit hash>` (that you found using `git log`)
````sh
```sh
echo "<commit hash>" | ssh-keygen -Y sign -f <private key file> -n dn42
````
```
Post the signature in to the 'Conversation' section of your pull request to allow the registry maintainers to verify it. It can help to also include the commit hash that you have signed, to avoid any confusion.
@ -88,25 +88,25 @@ Post the signature in to the 'Conversation' section of your pull request to allo
The following procedure will verify the signature (using the `<commit hash>`, your `<pubkey>` and the `<signature>` generated in the previous step.
Create a temporary file containing the signature
````sh
```sh
echo "<signature>" > sig.tmp
````
```
Create a temporary 'allowed users' file
````sh
```sh
echo "YOU-MNT ssh-<keytype> <pubkey>" > allowed.tmp
````
```
Verify the signature
````sh
```sh
echo "<commit hash>" | \
ssh-keygen -Y verify -f allowed.tmp -n dn42 -I YOU-MNT -s sig.tmp
````
```
### Authentication with an SSH RSA key
- Use the following `auth` attribute in your `mntner` object:
````
```
auth: ssh-rsa <pubkey>
````
```
Where `<pubkey>` is the ssh public key copied from your id_rsa.pub file.
#### Signing your commits
@ -114,19 +114,19 @@ Where `<pubkey>` is the ssh public key copied from your id_rsa.pub file.
If you cannot use the generic SSH process described above then RSA signatures can also be created using openssl.
Use the following to sign your `<commit hash>` (that you found using `git log`)
````sh
```sh
openssl pkeyutl \
-sign \
-inkey ~/.ssh/id_rsa \
-in <(echo "<commit hash>") | base64
````
```
Post the signature in to the 'Conversation' section of your pull request to allow the registry maintainers to verify it. It can help to also include the commit hash that you have signed, to avoid any confusion.
#### Verifying the signature
The following script will verify the signature (using the `<commit hash>`, your rsa `<pubkey>` and the `<signature>` generated in the previous step.
````sh
```sh
openssl pkeyutl \
-verify \
-pubin \
@ -137,14 +137,14 @@ openssl pkeyutl \
-f <(echo "ssh-rsa <pubkey>")\
) \
-sigfile <(echo "<signature>" | base64 -d)
````
```
### Authentication with an SSH ed25519 key
- Use the following `auth` attribute in your `mntner` object:
````
```
auth: ssh-ed25519 <pubkey>
````
```
Where `<pubkey>` is the ssh public key copied from your id_ed25519.pub file.
#### Signing your commits
@ -152,9 +152,9 @@ Where `<pubkey>` is the ssh public key copied from your id_ed25519.pub file.
There is no alternative process for signing using ed25519 keys, you must use the generic process described above. The process only works with ssh-keygen versions >= v8.
Use the following to sign your `<commit hash>` (that you found using `git log`)
````sh
```sh
echo "<commit hash>" | ssh-keygen -Y sign -f ~/.ssh/id_ed25519 -n dn42
````
```
Post the signature in to the 'Conversation' section of your pull request to allow the registry maintainers to verify it. It can help to also include the commit hash that you have signed, to avoid any confusion.
@ -163,25 +163,25 @@ Post the signature in to the 'Conversation' section of your pull request to allo
The following procedure will verify the signature (using the `<commit hash>`, your ed25519 `<pubkey>` and the `<signature>` generated in the previous step.
Create a temporary file containing the signature
````sh
```sh
echo "<signature>" > sig.tmp
````
```
Create a temporary 'allowed users' file
````sh
```sh
echo "YOU-MNT ssh-ed25519 <pubkey>" > allowed.tmp
````
```
Verify the signature
````sh
```sh
echo "<commit hash>" | \
ssh-keygen -Y verify -f allowed.tmp -n dn42 -I YOU-MNT -s sig.tmp
````
```
### Authentication with an SSH ecdsa key
- Use the following `auth` attribute in your `mntner` object:
````
```
auth: ecdsa-sha2-nistp256 <pubkey>
````
```
Where `<pubkey>` is the ssh public key copied from your id_ecdsa.pub file.
#### Signing your commits
@ -193,23 +193,23 @@ Make a copy and use the copy as the ssh-keygen command below will overwrite the
Convert your private ssh key to a file that openssl can read:
**DO THIS ON A COPY OF YOUR SSH KEY**
````sh
```sh
ssh-keygen -p -m pem -f <private key file copy>
````
```
Sign the commit hash using your ecdsa key, using openssl:
````sh
```sh
openssl pkeyutl -sign \
-inkey <converted key file> \
-in <(echo "<commit hash>") | base64
````
```
Post the signature in to the 'Conversation' section of your pull request to allow the registry maintainers to verify it. It can help to also include the commit hash that you have signed, to avoid any confusion.
#### Verifying the signature
The following script will verify the signature (using the `<commit hash>`, your ecdsa `<pubkey>` and the `<signature>` generated in the previous step.
````sh
```sh
openssl pkeyutl \
-verify \
-pubin \
@ -220,4 +220,4 @@ openssl pkeyutl \
-f <(echo "ecdsa-sha2-nistp256 <pubkey>")\
) \
-sigfile <(echo "<signature>" | base64 -d)
````
```

4
howto/Static-routes-on-Windows.md
View File

@ -1,6 +1,6 @@
Modern versions of Windows do not support OSPF and manually adding static routes every time after a reboot is annoying. Below is a batch script you can edit and run to help make adding routes easier. This script assumes that your BGP router and Windows computer are on the same LAN.
````
```
@echo off
REM fill in YOUR network information
REM right click and RUN AS ADMIN
@ -60,4 +60,4 @@ ping %gateway4%
pause
ping %gateway6%
pause
````
```

52
howto/mikrotik.md
View File

@ -30,26 +30,26 @@ Peer most likely provided you with encryption details.
If not, ask them about it.
Here we're gonna use aes256-sha256-modp1536
````
```
/ip ipsec peer
add address=1.1.1.1 comment=gre-dn42-peer dh-group=modp1536 \
enc-algorithm=aes-256 hash-algorithm=sha256 local-address=2.2.2.2 secret=PASSWORD
````
````
```
```
/ip ipsec policy
add comment=gre-dn42-peer dst-address=1.1.1.1/32 proposal=dn42 protocol=gre \
sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=2.2.2.2/32
````
```
### GRE
Pretty straightforward here
````
```
/interface gre
add allow-fast-path=no comment="DN42 somepeer" local-address=2.2.2.2 name=gre-dn42-peer \
remote-address=1.1.1.1
````
```
### IPs inside the GRE tunnel
Your peer most likely provided you with IP adresses for GRE tunnel.
@ -60,18 +60,18 @@ Add the IP your peer provided you:
#### IPv4
````
```
/ip address
add address=192.168.200.130/30 interface=gre-dn42-peer network=192.168.200.128
````
```
#### IPv6
Here we can use /127, so it's simple:
````
```
/ipv6 address
add address=fdc8:c633:5319:3300::41/127 advertise=no interface=gre-dn42-peer
````
```
If you configured everything correctly, you should be able to ping
@ -83,74 +83,74 @@ In this example, we will be filtering IN: 192.168.0.0/16 and 169.254.0.0/16
OUT: 192.168.0.0/16 and 169.254.0.0/16, you really don't want to advertise this networks.
This filter will not only catch /8 or /16 networks, but smaller networks inside this subnets as well.
````
```
/routing filter
add action=discard address-family=ip chain=dn42-in prefix=192.168.0.0/16 prefix-length=16-32 protocol=bgp
add action=discard address-family=ip chain=dn42-in prefix=169.254.0.0/16 prefix-length=16-32 protocol=bgp
add action=discard address-family=ip chain=dn42-out prefix=192.168.0.0/16 prefix-length=16-32 protocol=bgp
add action=discard address-family=ip chain=dn42-out prefix=169.254.0.0/16 prefix-length=16-32 protocol=bgp
````
```
Now, if you want only DN42 connection, you can filter IN 10.0.0.0/8 (ChaosVPN / freifunk networks):
````
```
/routing filter
add action=discard address-family=ip chain=dn42-in prefix=10.0.0.0/8 prefix-length=8-32 protocol=bgp
````
```
### BGP
Now, for actual BGP configuration.
````
```
/routing bgp instance
set default disabled=yes
add as=YOUR_AS client-to-client-reflection=no name=bgp-dn42-somename out-filter=dn42-in \
router-id=1.1.1.1
````
```
Let's add some peers. Right now we have just one, but we still need two connections - to IPv4 and IPv6
IPv4:
````
```
/routing bgp peer
add comment="DN42: somepeer IPv4" in-filter=dn42-in instance=bgp-dn42-somename multihop=yes \
name=dn42-somepeer-ipv4 out-filter=dn42-out remote-address=192.168.200.129 remote-as=PEER_AS \
route-reflect=yes ttl=default
````
```
IPv6 (if needed):
````
```
/routing bgp peer
add address-families=ipv6 comment="DN42: somepeer IPv6" in-filter=dn42-in \
instance=bgp-dn42-somename multihop=yes name=dn42-somepeer-ipv6 out-filter=dn42-out \
remote-address=fd42:c644:5222:3222::40 remote-as=PEER_AS route-reflect=yes ttl=default
````
```
Also, as a note, Mikrotik doesn't deal well with BGP running over link-local addresses (the address starting with fe80). You need to use a fd42:: address in your BGP session, otherwise, BGP will not install any received route.
### BGP Advertisements
You want to advertise your allocated network (most likely), it's very simple:
````
```
/routing bgp network
add network=YOUR_ALLOCATED_SUBNET synchronize=no
````
```
You can repeat that with as much IPv4 and IPv6 networks which you own.
## Split DNS
Separate dns requests for dn42 tld from your default dns traffic with L7 filter in Mikrotik.
Change network and LAN GW to mach your network configuration.
````
```
/ip firewall layer7-protocol
add name=DN42-DNS regexp="\\x04dn42.\\x01"
/ip firewall nat
add action=src-nat chain=srcnat comment="NAT to DN42 DNS" dst-address=172.23.0.53 dst-port=53 protocol=udp src-address=192.168.0.0/24 to-addresses=192.168.0.1
add action=dst-nat chain=dstnat dst-address-type=local dst-port=53 layer7-protocol=DN42-DNS protocol=udp src-address=192.168.0.0/24 to-addresses=172.23.0.53 to-ports=53
````
```
Since version 6.47 have added functionality that can redirect DNS queries according to special rules. If you used to do Layer-7 rules in the firewall, now it's simple and elegant:
````
```
/ip dns static
add comment=DN42 forward-to=172.23.0.53 regexp=".*\\.dn42" type=FWD
````
```

32
howto/mikrotik/ptp32.md
View File

@ -22,49 +22,49 @@ How can we workaround these issues? Simple. We setup a /32 on the Point-to-Point
You create the GRE interface in the same way the [Mikrotik Guide](/howto/mikrotik) does.
````
```
/interface gre
add allow-fast-path=no comment="DN42 somepeer" local-address=2.2.2.2 name=gre-dn42-peer \
remote-address=1.1.1.1
````
```
Next you add the /32 address on the interface. You can install this address on a loop interface (on RouterOS this means an empty bridge) if you plan to use the same address over several GRE tunnels or other OpenVPN interfaces.
````
```
/ip address add address=172.24.0.1/32 interface=gre-dn42-peer
````
```
Next, we add the direct route as next-hop using the interface
````
```
/ip route add distance=1 dst-address=172.26.2.2/32 gateway=gre-dn42-peer pref-src=172.24.0.1
````
```
At this point, the ping with the peer should work. Also, the bgp session can be established, but the routes will not work. We need a input filter to fix the next-hop routes.
````
```
/routing filter add chain=bgp-dn42-peer-in protocol=bgp set-in-nexthop-direct=gre-dn42-peer
````
```
if you have other global input chain filters, you should add a jump in the same chain, like this:
````
```
/routing filter add action=jump chain=bgp-dn42-peer-in protocol=bgp jump-target=bgp-global-dn42-input
````
```
If you haven't created the BGP session, create it now from the [Mikrotik guide](/howto/mikrotik#how-to-connect-to-dn42-using-mikrotik-routeros_bgp). Change the peer input filter to use the chain we've just created:
````
```
/routing bgp peer set bgp-dn42-somename in-filter=bgp-dn42-peer-in
````
```
With this fix, all the routes will have set next-hop the GRE interface and there will be no need to use RouterOS' recursive route resolve.
Check the routes with:
````
```
/ip routes print detail where received-from=bgp-dn42-somename
````
```
There should an attribute like:
````
```
gateway=gre-dn42-peer gateway-status=gre-dn42-peer reachable
````
```

16
howto/networksettings.md
View File

@ -13,24 +13,24 @@ That is why `rp_filter` needs to be disabled.
**Note** using sysctl is not persistent. Depending on your linux distribution put it into `/etc/sysctl.conf` or `/etc/sysctl.d`
````
```
sysctl -w net.ipv4.conf.all.rp_filter=0 net.ipv4.conf.default.rp_filter=0
````
```
Check that its really disabled:
````
```
sysctl -a | grep rp_filter
````
```
Also the following options must be set.
````
```
$ sysctl -w net.ipv4.conf.all.forwarding=1 net.ipv6.conf.all.forwarding=1
````
```
Check that ALL your vpn interfaces allow ip forwarding for ipv6/ipv4.
````
```
$ sysctl -a | grep forwarding
````
```
### Note on firewalls, conntrack and asymmetric routing

26
howto/openvpn.md
View File

@ -10,7 +10,7 @@
* Replace `<REMOTE_GATEWAY_IP>` with dn42 ip address of your peer
* `<LOCAL_GATEWAY_IPV6> <REMOTE_GATEWAY_IPV6>` same as ipv4, but both ip addresses needs to be in the same subnet. For simplicity you can always use an address from link-local ipv6 range (fe80::/64)
````
```
#/etc/openvpn/<PEER_NAME>
proto <PROTO>
mode p2p
@ -35,19 +35,19 @@ secret /etc/openvpn/<PEER_NAME>.key
# <secret>
# ... Key File contents go here ...
# </secret>
````
```
then create a new key and share it with your peer
````
```
$ openvpn --genkey --secret /etc/openvpn/<PEER_NAME>.key
````
```
# Example Configuration if one peer has a floating ip
## peer with fixed ip
````
```
proto <PROTO>
mode p2p
dev-type tun
@ -63,7 +63,7 @@ port <LOCAL_PORT>
ifconfig-ipv6 <LOCAL_GATEWAY_IPV6> <REMOTE_GATEWAY_IPV6>
ifconfig <LOCAL_GATEWAY_IP> <REMOTE_GATEWAY_IP>
secret /etc/openvpn/<PEER_NAME>.key
````
```
## peer with floating ip
@ -72,7 +72,7 @@ secret /etc/openvpn/<PEER_NAME>.key
* `<REMOTE_HOST>` is the ip address of your peer
* `<REMOTE_PORT>` is openvpn port, where your peer listen for traffic
````
```
proto <PROTO>
mode p2p
remote <REMOTE_HOST>
@ -89,7 +89,7 @@ resolv-retry infinite
ifconfig <LOCAL_GATEWAY_IP> <REMOTE_GATEWAY_IP>
ifconfig-ipv6 <LOCAL_GATEWAY_IPV6> <LOCAL_GATEWAY_IPV6>
secret /etc/openvpn/<PEER_NAME>.key
````
```
# Example configuration for connecting roaming clients to dn42
@ -99,7 +99,7 @@ Clients connect using certificates, and simply get attributed dn42 IPs in the or
Replace `<PORT>` with the UDP port you want OpenVPN to listen to, and change the IP ranges (`ifconfig` and `route-gateway` options).
````
```
mode server
tls-server
@ -146,13 +146,13 @@ push "route-gateway 172.22.X.145"
push "route 172.22.0.0 255.254.0.0"
###push "route 172.31.0.0 255.255.0.0"
###push "route 10.0.0.0 255.0.0.0"
````
```
## Client configuration
Change `<SERVER>` and `<PORT>`.
````
```
client
ca ca.crt
@ -176,7 +176,7 @@ persist-tun
resolv-retry infinite
verb 3
````
```
## Certificate management
@ -184,7 +184,7 @@ Use easy-rsa, it's easy to use. Below is a very short description, find a real
Build the CA: `. vars`, `./build-ca`, then generate the server key: `./build-key-server roaming-dn42`.
Then, for each client, generate a private key and a certificate: ````./build-key myclient````. The Common Name is the only important information (it will be used to identify the client, for instance in the logs).
Then, for each client, generate a private key and a certificate: ```./build-key myclient```. The Common Name is the only important information (it will be used to identify the client, for instance in the logs).
# See also
* [Network settings](https://internal.dn42/howto/networksettings)

12
howto/systemd-networkd-configuration-example.md
View File

@ -5,16 +5,16 @@ This is the config that is used on ZOTAN Networks (AS4242422341). Full network c
# Configuration
## loopback device (lo.network)
````
```
[Match]
Name=lo
[Network]
Address=fdff:b02d:2ef7::2/128
````
```
## wireguard netdev (dn42p1.netdev)
````
```
[NetDev]
Name = dn42p1
Kind = wireguard
@ -28,10 +28,10 @@ PrivateKeyFile = /etc/wireguard/private.key
PublicKey = <peer wg pubkey>
Endpoint = <peer wg endpoint>:<peer wg port>
AllowedIPs = 172.16.0.0/12,10.0.0.0/8,fd00::/8,fe80::/10,ff00::/8
````
```
## wireguard network (dn42p1.network)
````
```
[Match]
Name = dn42p1
@ -43,4 +43,4 @@ Peer = <peer tunnel linklocal address>/128
Address = <your DN42 ipv4>/32
Peer = <peer DN42 ipv4>/32
````
```

28
howto/tinc.md
View File

@ -10,7 +10,7 @@ One advantage of tinc is that you can have multiple peering over the same VPN co
Example `/etc/tinc/dn42_yourpeer/tinc.conf`:
````
```
Interface = dn42_yourpeer
Name = your_host
# Only switch mode is feasible for dn42 peerings, since in router mode tinc takes care of routing decisions on its own
@ -19,14 +19,14 @@ Mode = switch
ConnectTo = remote_host
# In newer versions (>= 1.1) you can use AutoConnect instead
#AutoConnect = yes
````
```
Tinc requires to add manually ip addresses and routes to the tap/tun interfaces. On startup it will execute `/etc/tinc/dn42_yourpeer/tinc-up` if it exists **and** is executable:
Example `/etc/tinc/dn42_yourpeer/tinc-up`:
**Linux/iproute2**
````
```
#!/bin/sh
# set the interface up
@ -38,19 +38,19 @@ ip addr add fe80::1/64 dev $INTERFACE
# add routes
ip route add 172.16.0.1/30 dev $INTERFACE table peers
````
```
For authentication tinc uses public key authentication instead of certificates or pre-shared keys.
For each key tinc should connect to or allow to connect, a file with the name of the peer in tincd -n twwh -K
is required. To generate a public/private key pair use:
````
```
$ tincd -K
````
```
Import for each other party the key like this `/etc/tinc/dn42_yourpeer/hosts/<peername>`:
````
```
# address/port are optional, in case they're missing you only expect connections from that host
Address = <fqdn/ip_addr>
Port = <port|655>
@ -62,7 +62,7 @@ tcJpbgbYRzBTUPdSL3OB8k0qlmFI2ZYTnCzOSpgxRQARIB1ecoqOYVxQISK2pzxi
MHQQlVbquwldaKiVoj7tD7PFW4oQxpiMHZnHIA6dnZCsT3ktTOzCjhf2XMi8o8u5
P9C5dYrmVWrVAWQznlbuq/w1z+PrTYquoQIDAQAB
-----END RSA PUBLIC KEY-----
````
```
## Fun with tinc-pre
@ -74,21 +74,21 @@ Installation:
* Freebsd: Use this [port repo](https://github.com/Mic92/ports/tree/master/security/tinc)
Set up a new tinc network
````
```
# tinc -n dn42_yourpeer init dn42_yourself
````
```
Invite your peering partner. Tinc will print the invitaion which you need to copy to your peering partner.
````
```
$ tinc invite yourpeer
<ip-or-address>/nIRp5pJCnfnhuV13JUomscGs1q5HqEbz3AydZer7wRaMcpUB
````
```
On the other node you can join by using:
````
```
$ tinc join <invitation-url>
````
```
This node will then automatically generate configuration, private/public keys and will exchange this key with the other node on connection.

36
howto/vyos.md
View File

@ -7,18 +7,18 @@ It can be downloaded here https://www.vyos.io/rolling-release/.
We will configure firewall access lists for inbound connections on our peer Wireguard interfaces as well as block all inbound connections to our router with the exception of BGP. This should be a good baseline firewall ruleset to filter inbound traffic on your networks edge. Modifications may be needed depending on your specific goals. If your router has an uplink back to a larger internal network (outside of DN42), an outbound firewall ruleset will need to be applied to that interface. The examples here only cover **IPv4**, but the same concepts can be applied to **IPv6** rulesets.
By default, VyOS is a **stateless** firewall. To enable **stateful** packet inspection globally enter the following commands.
````
```
set firewall state-policy established action 'accept'
set firewall state-policy related action 'accept'
````
```
We also need to accept invalids on our networks edge. However, this should not become common practice elsewhere.
````
```
set firewall state-policy invalid action 'accept'
````
```
The below commands create **in** and **local** baseline templates to be applied to all Wireguard interfaces that are facing peers. In this example, **172.20.20.0/24** is your assigned address space.
````
```
#Create Groups
set firewall group network-group Allowed-Transit-v4 network '10.0.0.0/8'
set firewall group network-group Allowed-Transit-v4 network '172.20.0.0/14'
@ -59,17 +59,17 @@ set firewall name Tunnels_Local_v4 rule 98 state invalid 'enable'
set firewall name Tunnels_Local_v4 rule 99 action 'drop'
set firewall name Tunnels_Local_v4 rule 99 description 'Black Hole'
set firewall name Tunnels_Local_v4 rule 99 log 'enable'
````
```
## Wireguard
### Setup Keys
````
```
generate wireguard default-keypair
show wireguard keypairs pubkey default
````
```
_Grab your public key and save it for later. This will be shared with peers._
### Configure First Peer
````
```
#Your DN42 Address
set interfaces wireguard wg92 address '172.20.20.1/32'
@ -93,7 +93,7 @@ set interfaces wireguard wg92 port '12345'
#Set static interface route to first peers /32 DN42 IPv4 on their tunnel endpoint
set protocols static interface-route 172.20.50.1/32 next-hop-interface wg92
````
```
@ -119,9 +119,9 @@ _Your peers ASN_
###Setup RPKI Caching Server
Burble has made this super easy. More info can be found [here](https://wiki.dn42/howto/ROA-slash-RPKI) on this wiki. Get started by running the below command on a Linux server with Docker installed.
````
```
sudo docker run -ti -p 8082:8082 cloudflare/gortr -cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082
````
```
This will start a docker container that listens on the host server's IP at port 8082. This setup is using Cloudflare's GoRTR and automatically reaching out and downloading a custom JSON file generated by Burble just for the DN42 network.
@ -133,24 +133,24 @@ This will start a docker container that listens on the host server's IP at port
You can check the connection with `show rpki cache-connection` and the received prefix-table with `show rpki prefix-table`.
###Create Route Map
````
```
set policy route-map DN42-ROA rule 10 action 'permit'
set policy route-map DN42-ROA rule 10 match rpki 'valid'
set policy route-map DN42-ROA rule 20 action 'permit'
set policy route-map DN42-ROA rule 20 match rpki 'notfound'
set policy route-map DN42-ROA rule 30 action 'deny'
set policy route-map DN42-ROA rule 30 match rpki 'invalid'
````
```
This example allows all routes in unless they are marked invalid or in other words possibly been a victim of BGP hijacking.
###Assign Route Map to Neighbor
````
```
set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map import DN42-ROA
set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map export DN42-ROA
````
```
## Example Route Map
### No RPKI/ROA and Internal Network Falls Into DN42 Range
````
```
##Build prefix list to match personal internal network
set policy prefix-list BlockIPConflicts description 'Prevent Conflicting Routes'
set policy prefix-list BlockIPConflicts rule 10 action 'permit'
@ -207,7 +207,7 @@ set protocols bgp 4242421099 neighbor x.x.x.x address-family ipv4-unicast route-
set protocols bgp 4242421099 neighbor x.x.x.x address-family ipv4-unicast route-map import 'Default-Peering'
set protocols bgp 4242421099 neighbor x.x.x.x address-family ipv6-unicast route-map export 'Default-Peering'
set protocols bgp 4242421099 neighbor x.x.x.x address-family ipv6-unicast route-map import 'Default-Peering'
````
```
This page is a work-in-progress by Owens Research. If you have any suggestions or questions please reach out.

36
howto/wireguard.md
View File

@ -9,13 +9,13 @@ to allow your BGP daemon instead to do routing. This approach is comparable to [
First generate on each peer public and private keys.
````
```
$ wg genkey | tee privatekey | wg pubkey > publickey
````
```
## Configuration
````
```
# tunnel.conf
[Interface]
PrivateKey = <private_key>
@ -31,14 +31,14 @@ Endpoint = <end_point_hostname_or_ip:port>
# however it is easier to do this with iptables/bgp filters/routing table
# instead just like for openvpn-based peerings
AllowedIPs = 0.0.0.0/0,::/0
````
```
## Configure tunnel:
Wireguard comes with its own interface type.
It supports link-local addresses for IPv6 and single /32 addresses for IPv4, which can be used for peering.
````
```
$ ip link add dev <interface_name> type wireguard
$ wg setconf <interface_name> tunnel.conf
# both side pick a different link-local ipv6 address
@ -46,7 +46,7 @@ $ ip addr add fe80::<some_random_suffix>/64 dev <interface_name>
# choose the first ip from your subnet and the second one from the peer
$ ip addr add 172.xx.xx.xx/32 peer 172.xx.xx.xx/32 dev <interface_name>
$ ip link set <interface_name> up
````
```
<!-- Nurtic-Vibe has another [script](https://git.dn42.us/Nurtic-Vibe/grmml-helper/src/master/create_wg.sh) to interactively automate the peering process. -->
@ -54,9 +54,9 @@ Maybe you should check the MTU to your peer with e.g. `ping -s 1472 <end_point_h
## Testing
````
```
ping fe80::<your_peers_suffix>%<interface_name>
````
```
(For older iputils, use `ping6`.)
@ -68,15 +68,15 @@ The wireguard kernel module on linux has support for enabling dynamic debugging.
Debug messages are logged via dmesg and can be enabled using:
````sh
```sh
$ echo 'module wireguard +p' > /sys/kernel/debug/dynamic_debug/control
````
```
To disable debug:
````sh
```sh
$ echo 'module wireguard -p' > /sys/kernel/debug/dynamic_debug/control
````
```
## wg-quick
@ -94,7 +94,7 @@ The script makes some changes that are not valid when used for DN42 tunnels, and
An example wg-quick script that incorporates the above two workarounds is below, where `<MyIPv[46]>` are the DN42 IP addresses of your node and `<PeerIPv[46]>` are the IP addresses for your peer.
````
```
[Interface]
PrivateKey = <your private key>
Address = <your link-local address, if any>
@ -106,7 +106,7 @@ Table = off
Endpoint = <your peer's wireguard endpoint>
PublicKey = <your peer's public key>
AllowedIPs = 172.16.0.0/12, 10.0.0.0/8, fd00::/8, fe80::/10
````
```
Use `which ip` to get the full path to your ip binary.
## systemd-networkd
@ -114,7 +114,7 @@ Use `which ip` to get the full path to your ip binary.
Example configuration for systemd-networkd.
peer.netdev
````text
```text
[NetDev]
Name=<ifname>
Kind=wireguard
@ -131,10 +131,10 @@ Endpoint=<peer host and port, e.g. 1.2.3.4:9876>
AllowedIPs=fe80::/64
AllowedIPs=fd00::/8
AllowedIPs=0.0.0.0/0
````
```
peer.network
````text
```text
[Match]
Name=<ifname>
@ -165,5 +165,5 @@ Peer=<your peer's IPv6 address>/128
[Address]
Address=<your IPv4 address>/32
Peer=<your peer's IPv4 address>/32
````
```

16
internal/Historical-Services.md
View File

@ -84,23 +84,23 @@ Some people runs [Tahoe LAFS](/services/Tahoe-LAFS) nodes to provide a secure de
### ipfs
bootstrap peers
````
```
/ip4/172.20.161.135/tcp/4001/ipfs/QmYgD1wdPjx5oWzYJ195K84PqAXRnw9mcqbyZYAdXfaYkD
/ip4/172.20.52.220/tcp/4001/ipfs/QmW5ZhZFav8MZLJyvKuK6pKaR4vnQ5MVHfXY3LuMXqa4kc
````
```
test hashes
````
```
/ipfs/QmQ7psrGrXS3GFNC4BtU6pJXq6G7ps5NbYrhS2VYFufj9T
/ipfs/QmYLapmcSU7q93Ta4eHMh8fq9ios2HTSdbpHDRQwGG6ocJ
````
```
cdn (currently only jquery
````
```
/ipns/QmW5ZhZFav8MZLJyvKuK6pKaR4vnQ5MVHfXY3LuMXqa4kc/cdn/jquery
````
```
Until browsers have ipfs access (either through native support or js), one can use the http gateway
````
```
https://rest.dn42/
````
```
### Torrent Search Engine

42
services/Automatic-CA.md
View File

@ -90,7 +90,7 @@ Read more on this [stack exchange post][osx-2]
How to Run
==========
````
```
Usage: # OWNER is your MNT handle.
./ca.dn42 user-gen OWNER EMAIL # Output to OWNER.csr and OWNER.key
./ca.dn42 user-sig OWNER # Output to OWNER.crt and OWNER.p12
@ -104,14 +104,14 @@ Revoke Reasons: unspecified, keyCompromise, affiliationChanged,
Environtment Options:
DN42CA_PKCS12 = 1 # Generate pkcs12 file for certificate.
````
```
Example
=======
Generate the user key
````
```
$ ./ca.dn42 user-gen XUU-MNT xuu@sour.is
Generating a 2048 bit RSA private key
...............................+++
@ -122,11 +122,11 @@ writing new private key to 'XUU-MNT.key'
= You need to have this pin added to your mnt object before proceeding to the next step.
=
|MNT Key Pin| remarks: pin-sha256:HdqCid0sedWXX3Q0uG98rYjJyTNOzaT13WfWpr1GvIw=
````
```
## Sign the user key
`````
````
$ ./ca.dn42 user-sign XUU-MNT xuu@sour.is
== USER CERT ==
C:XD
@ -139,11 +139,11 @@ $ ./ca.dn42 user-sign XUU-MNT xuu@sour.is
OK https://ca.dn42/crt/XUU-MNT.crt
Enter Export Password:
Verifying - Enter Export Password:
````
```
## Generate the server key
````
```
$ ./ca.dn42 tls-gen ca.dn42 XUU-MNT xuu@sour.is DNS:ca.dn42
Generating a 2048 bit RSA private key
@ -156,18 +156,18 @@ writing RSA key
= |DNS Key Pin| You need to have this pin added to your dns records before proceeding to the next step.
=
_dn42_tlsverify.ca.dn42. IN TXT XUU-MNT:pin-sha256:Qu/X5GNqOo05TdL7oexkamE34OUuDE60T+f0xc60UPQ=
````
```
After you set this TXT-Record for your domain, you can verify it with the following command (by replacing the domain with your own):
````
```
$ dig +short TXT _dn42_tlsverify.ca.dn42.
"XUU-MNT:pin-sha256:Qu/X5GNqOo05TdL7oexkamE34OUuDE60T+f0xc60UPQ="
````
```
## Sign the server key
````
```
$ ./ca.dn42 tls-sign ca.dn42 XUU-MNT
== USER CERT ==
C:XD
@ -191,17 +191,17 @@ $ ./ca.dn42 tls-sign ca.dn42 XUU-MNT
OK https://ca.dn42/crt/XUU-MNT_ca.dn42.crt
Enter Export Password: ****
Verifying - Enter Export Password: ****
````
```
The generated certificate will be valid for 3 months, to renew it simply run ````./ca.dn42 tls-sign ca.dn42 XUU-MNT```` again. This could be also automated in cron:
The generated certificate will be valid for 3 months, to renew it simply run ```./ca.dn42 tls-sign ca.dn42 XUU-MNT``` again. This could be also automated in cron:
````
```
0 0 1 * * /etc/ssl/dn42/ca.dn42 tls-sign wiki.dn42 MIC92-MNT
````
```
or with a systemd timer:
````
```
# update-dn42-ca.timer
[Timer]
OnBootSec=1h
@ -210,9 +210,9 @@ Persistent=yes
[Install]
WantedBy=timers.target
````
```
````
```
[Service]
Type=oneshot
WorkingDirectory=/etc/ssl/dn42
@ -220,11 +220,11 @@ ExecStart=/etc/ssl/dn42/ca.dn42 tls-sign wiki.dn42 MIC92-MNT
# accept multiple ExecStart lines for other certificates
#ExecStart=/etc/ssl/dn42/ca.dn42 tls-sign foobar.dn42 MIC92-MNT
ExecStart=/usr/bin/nginx -s reload
````
```
## Revoke a certificate.
````
```
$ ./ca.dn42 revoke XUU-MNT XUU-MNT.crt
== USER CERT ==
C:XD
@ -236,7 +236,7 @@ $ ./ca.dn42 revoke XUU-MNT XUU-MNT.crt
pin-sha256:HdqCid0sedWXX3Q0uG98rYjJyTNOzaT13WfWpr1GvIw=
== REVOKE CERT ==
OK
````
```
## Certificate transparency
All issued certificates will be logged to [xuu's mattermost instance](https://teams.dn42/dn42/channels/tls-certificates).

20
services/Certificate-Authority.md
View File

@ -5,7 +5,7 @@ If you would like to have a certificate signed by this CA there is [an automated
The CA certificate ([dn42](https://ca.dn42/crt/root-ca.crt), [iana](https://ca.dn42.us/crt/root-ca.crt)):
````
```
Certificate:
Data:
Version: 3 (0x2)
@ -95,21 +95,21 @@ P6v/P0WrfgdFTk0LGEA9OwKcTqkPpcI/SjB3rmZcs42yQWvimAF94GtScE09uKlI
1zAi8vbktPY7OMprTOc8pHDL3q8KFP8jJcoEzZ5Jw0vkCrULhLXvtFtjB0djzVxQ
C0IKqQ==
-----END CERTIFICATE-----
````
```
## Testing constraints
The name constraints can be verified for example by using openssl:
````
```
openssl x509 -in dn42.crt -text -noout
````
```
which will show among other things:
````
```
X509v3 Name Constraints:
Permitted:
DNS:.dn42
````
```
## Importing the certificate
@ -123,19 +123,19 @@ Install `ca-certificates-dn42` from [AUR](https://aur.archlinux.org/packages/ca-
#### Unofficial Debian Package
````bash
```bash
wget https://ca.dn42.us/ca-dn42_20161122.0_all.deb
# If you're on a dn42-only network:
# wget --no-check-certificate https://ca.dn42/ca-dn42_20161122.0_all.deb
sudo dpkg -i ca-dn42_20161122.0_all.deb
sudo dpkg-reconfigure ca-certificates
````
```
You will be asked which certificates you would like to enabled. By default, the dn42 root certifcate (dn42/root-ca.crt) is not enable, be sure to enable it. This package is waiting for inclusion in Debian (Debian bug [#845351](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845351)).
#### Manual Installation
````bash
```bash
$ mkdir /usr/share/ca-certificates/extra
$ cat > /usr/share/ca-certificates/extra/dn42.crt <<EOF
-----BEGIN CERTIFICATE-----
@ -164,7 +164,7 @@ C0IKqQ==
-----END CERTIFICATE-----
EOF
$ update-ca-certificates
````
```
## PKI Store

8
services/DNS.md
View File

@ -24,17 +24,17 @@ service and configure the other service as the secondary or backup nameserver.
Example resolv.conf, preferring a0.recursive-servers.dn42 and IPv4:
````text
```text
nameserver 172.20.0.53
nameserver 172.23.0.53
nameserver fd42:d42:d42:54::1
nameserver fd42:d42:d42:53::1
search dn42
````
```
Example resolv.conf, preferring a3.recursive-servers.dn42 and IPv6:
````text
```text
nameserver fd42:d42:d42:53::1
nameserver fd42:d42:d42:54::1
nameserver 172.23.0.53
@ -42,7 +42,7 @@ nameserver 172.20.0.53
option inet6 # Linux/glibc
family inet6 inet4 # BSD
search dn42
````
```
## Advanced Configuration

40
services/Distributed-Wiki.md
View File

@ -39,7 +39,7 @@ Since gollum is built on top of Git, it is not overly complicated to keep the lo
+ **wiki-sync.sh**:
````sh
```sh
#!/bin/bash
WIKI_PATH=<repo path>
@ -50,7 +50,7 @@ ${GIT} push
${GIT} pull
exit 0
````
```
+ **Cron entry**:
@ -64,13 +64,13 @@ exit 0
- Start two gollum instances, read-only and read/write on `127.0.0.1`:
Read/write (SSL only):
````
```
RACK_ENV=production gollum --css --host 127.0.0.1 --port 4568 <path>
````
```
Read-only:
````
```
RACK_ENV=production gollum --css --host 127.0.0.1 --port 4567 --no-edit <path>
````
```
Set `<path>` to the location where wiki Git repo was cloned.
@ -82,13 +82,13 @@ RACK_ENV=production gollum --css --host 127.0.0.1 --port 4567 --no-edit <path>
- Generate a [CSR](/services/Certificate-Authority) and send DNS Key Pin to [xuu@sour.is](mailto:xuu@sour.is):
- \<AS> is the as number with the prefix `as` like `as64737-ca.wiki.dn42`
````
```
./ca.dn42 tls-gen \
<AS>-<CC>(-<UID>).wiki.dn42 \
EXAMPLE-MNT \
mail@example.com \
DNS:<AS>-<CC>(-<ID>).wiki.dn42,DNS:wiki.dn42,DNS:www.wiki.dn42,DNS:internal.dn42,DNS:www.internal.dn42
````
```
Wait for a reply and then sign the certificate:
@ -107,15 +107,15 @@ A custom header `X-SiteID` identifies the site you're connecting to:
- Extract base64 encoded SPKI fingerprint from private key `wiki.key`:
````
```
openssl rsa -in wiki.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
````
```
- Configure Nginx to send the fingerprint in header (SSL block):
````
```
add_header Public-Key-Pins pin-sha256="<primary>"; pin-sha256="<backup>"; max-age=5184000; includeSubDomains';
````
```
+ `<primary>` - the fingerprint extracted from `wiki.key`
+ `<backup>` - the CA fingerprint: `of00RDinhPeVRNnXm1jXQDagktOL75qQo1pT+xc7VIE=`
@ -135,7 +135,7 @@ Nginx should listen on a unicast address as well, so your site can be reached ex
#### Config example
````
```
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_session_cache shared:SSL:2m;
@ -184,7 +184,7 @@ server {
}
}
````
```
## ExaBGP
@ -194,7 +194,7 @@ The prefix AS-PATH should show the announcement is originating from your AS. Aft
#### Configuration
````
```
# exabgp.conf
group gollum-watchdog {
@ -228,7 +228,7 @@ group gollum-watchdog {
}
}
````
```
#### Watchdog script
@ -236,7 +236,7 @@ Watchdog runs in an infinite loop, sending the appropriate commands to stdout. [
Run `gollum-watchdog.sh` in a shell first to validate it's working:
````sh
```sh
#!/bin/bash
CURL=curl
@ -297,7 +297,7 @@ while [ 1 ]; do
done
exit 0
````
```
#### Run
@ -305,7 +305,7 @@ exit 0
`USAGE: /etc/exabgp/run.sh [start|stop|restart]`
````sh
```sh
#!/bin/bash
PID_FILE=/var/run/exaBGP/exabgp_PID
@ -352,7 +352,7 @@ case ${1} in
esac
exit 0
````
```

8
services/Route-Collector.md
View File

@ -25,7 +25,7 @@ The collector uses the dynamic peering capability in Bird2 to allow anyone to pe
Example bird2 config:
````text
```text
protocol bgp ROUTE_COLLECTOR
{
local as ***YOUR_ASN***;
@ -66,7 +66,7 @@ protocol bgp ROUTE_COLLECTOR
};
};
}
````
```
## Querying the collector
@ -106,7 +106,7 @@ The collector bird instance can be queried directly using a birdc shell.
- ssh shell@collector.dn42
````sh
```sh
$ ssh shell@collector.dn42
------------------------------------
* DN42 Global Route Collector *
@ -129,5 +129,5 @@ bird> 297441 of 297441 routes for 502 networks in table master4
Total: 586116 of 586116 routes for 3597 networks in 4 tables
bird>
````
```

20
services/Statistics.md
View File

@ -11,18 +11,18 @@ Channel statistics for #dn42@hackint are available at: https://dev.0l.dn42/stats
#### collectd.conf
````
```
LoadPlugin exec
<Plugin exec>
Exec nobody "/etc/collectd/bgp_prefixes-quagga.sh"
</Plugin>
````
```
collectd refuses to exec scripts as root. On Debian vtysh is compiled with PAM support: adding nobody to the quaggavty group suffices.
#### bgp_prefixes-quagga.sh
````sh
```sh
#!/bin/bash
INTERVAL=10
@ -37,11 +37,11 @@ echo "PUTVAL $HOSTNAME/quagga-bgpd/routes-IPv6 interval=$INTERVAL N:$n6"
sleep $INTERVAL
done
````
```
#### Number of prefixes per neighbour for bird
````sh
```sh
#!/bin/sh
#
# Collectd script for collecting the number of routes going through each
@ -65,19 +65,19 @@ do
echo "PUTVAL $HOSTNAME/bird-bgpd/routes-all interval=$INTERVAL N:$totalroutes"
sleep $INTERVAL
done
````
```
### munin plugin
* add the following to /etc/munin/plugin-conf.d/munin-node
````
```
[quagga_bgp]
user root
````
```
* place the script as quagga_bgp in /etc/munin/plugins
````sh
```sh
#!/bin/sh
#
#
@ -111,5 +111,5 @@ user root
echo bgproutes.value $data
fi
# Measure Section ##########
````
```
* restart munin-node

4
services/Tahoe-LAFS.md
View File

@ -19,10 +19,10 @@ To run a node you have to install tahoe-lafs at least in version 1.10.2. You can
Before the first start you have to create a node with `bin/tahoe create-node` or a client (doesn't provide storage) with `bin/tahoe create-client`. This will create the folder .tahoe in your home dir. In the file .tahoe/tahoe.cfg you have to enter on `introducer.furl` the link to our introducer node (UPDATED):
````
```
introducer.furl = pb://shvdnad4bqey27ff7ngtschexamvdmmr@tahoe-lafs.e-utp.dn42:44412/kmvmrcforeeet7isgq7ftuymywqp3obb
helper.furl = pb://ru7miwm74bfkd6ytchfoq4wgvo3vikq3@fido.e-utp.dn42:44412/iiiopiclr2gszw2fmckbx3eob6krxk7x
````
```
With `bin/tahoe start` you start your local node.

12
services/Whois.md
View File

@ -102,13 +102,13 @@ We have anycast IPv4 and IPv6, both reachable under whois.dn42. IPs are 172.22.0
| weiti | whois.weiti.dn42 | 172.20.175.253 / fdf7:17d5:de49::43 |
## Usage
````sh
```sh
whois -h $host $query
````
```
## Using a whois config
````sh
```sh
$ cat /etc/whois.conf
\.dn42$ whois.dn42
\-DN42$ whois.dn42
@ -124,18 +124,18 @@ $ cat /etc/whois.conf
# dn42 ula ipv6 address space
^fd**:****:****:****:****:****:****:**** whois.dn42
````
```
You can then use whois without specifying the server. Works at least with Marco d'Itri's whois client.
## Running your own whoisd
````sh
```sh
cd /home/some/path/to/store/branch
sudo aptitude install ruby rubygems
sudo gem install netaddr
cd whoisd/ruby
sudo ruby whoisd.rb nobody
````
```
## Whois restful API
Note: this service is in beta testing, use at your own risk.
https://whois.rest.dn42/

40
services/dns/Configuration.md
View File

@ -4,9 +4,9 @@ Configuration of common resolver softwares to forward DNS queries for `.dn42` (a
You can use any *.recursive-servers.dn42 (where * is a letter) for resolving .dn42 domains. The current list is available at the [DN42 registry](https://git.dn42.dev/dn42/registry/src/master/data/dns/recursive-servers.dn42) or through querying SRV records of recursive-servers.dn42:
````sh
```sh
drill -D SRV _dns._udp.recursive-servers.dn42. @172.20.0.53
````
```
Two independent anycast services are also provided:
@ -27,7 +27,7 @@ DN42 is [interconnected](/internal/Interconnections) with the Inter City VPN or
If you already run a local DNS server, you can tell it to query the dn42 anycast servers for the relevant domains
by adding the following to /etc/bind/named.conf.local
````
```
zone "dn42" {
type forward;
forwarders { 172.20.0.53; fd42:d42:d42:54::1; };
@ -66,12 +66,12 @@ options {
# [...]
};
````
```
**Note**: With DNSSEC enabled, bind might refuse to accept query results from the dn42 zone: `validating dn42/SOA: got insecure response; parent indicates it should be secure`.
To disable DNSSEC validation only for certain TLDs include the following in the options section:
````
```
options {
# [...]
@ -87,13 +87,13 @@ options {
# [...]
};
````
```
## dnsmasq
If you are running dnsmasq under openwrt, you just have to add
````
```
config dnsmasq
option boguspriv '0'
option rebind_protection '1'
@ -106,7 +106,7 @@ config dnsmasq
list server '/10.in-addr.arpa/172.20.0.53'
list server '/d.f.ip6.arpa/fd42:d42:d42:54::1'
````
```
to `/etc/config/dhcp` and run `/etc/init.d/dnsmasq restart`. After that you are able to resolve `.dn42`
with the anycast DNS-Server, while your normal requests go to your standard DNS-resolver.
@ -115,7 +115,7 @@ Attention: If you go with the default config you'll have to disable "boguspriv"
For normal dnsmasq use
````
```
server=/dn42/172.20.0.53
server=/20.172.in-addr.arpa/172.20.0.53
server=/21.172.in-addr.arpa/172.20.0.53
@ -123,21 +123,21 @@ server=/22.172.in-addr.arpa/172.20.0.53
server=/23.172.in-addr.arpa/172.20.0.53
server=/10.in-addr.arpa/172.20.0.53
server=/d.f.ip6.arpa/fd42:d42:d42:54::1
````
```
in `dnsmasq.conf`.
## PowerDNS recursor
Add this to /etc/powerdns/recursor.conf (at least in Debian and CentOS), the **forward-zone-recurse** is _**one line**_.
````
```
dont-query=127.0.0.0/8, 192.168.0.0/16, ::1/128, fe80::/10
forward-zones-recurse=dn42=172.20.0.53,hack=172.20.0.53,ffhh=172.20.0.53,ffac=172.20.0.53,020=172.20.0.53,adm=172.20.0.53,ffa=172.20.0.53,ffhb=172.20.0.53,ffc=172.20.0.53,ffda=172.20.0.53,ffdh=172.20.0.53,ff3l=172.20.0.53,fffl=172.20.0.53,ffffm=172.20.0.53,fffr=172.20.0.53,fffd=172.20.0.53,ffgl=172.20.0.53,fflln=172.20.0.53,ffbcd=172.20.0.53,ffbgl=172.20.0.53,ffgoe=172.20.0.53,ffgt=172.20.0.53,ffh=172.20.0.53,helgo=172.20.0.53,ffhef=172.20.0.53,ffj=172.20.0.53,ffka=172.20.0.53,ffki=172.20.0.53,ffhl=172.20.0.53,fflux=172.20.0.53,ffms=172.20.0.53,mueritz=172.20.0.53,ffnord=172.20.0.53,ffnw=172.20.0.53,ffoh=172.20.0.53,ffpb=172.20.0.53,ffpi=172.20.0.53,ffrade=172.20.0.53,ffrgb=172.20.0.53,ffrg=172.20.0.53,rzl=172.20.0.53,ffsaar=172.20.0.53,fftr=172.20.0.53,fftdf=172.20.0.53,ffwk=172.20.0.53,ffgro=172.20.0.53,ffwk=172.20.0.53,ffwp=172.20.0.53,ffw=172.20.0.53,20.172.in-addr.arpa=172.20.0.53,21.172.in-addr.arpa=172.20.0.53,22.172.in-addr.arpa=172.20.0.53,23.172.in-addr.arpa=172.20.0.53,31.172.in-addr.arpa=172.20.0.53,10.in-addr.arpa=172.20.0.53,c.f.ip6.arpa=172.20.0.53
````
```
## MaraDNS
Put this in your mararc:
````
```
ipv4_alias["dn42_root"] = "172.20.0.53"
root_servers["dn42."] = "dn42_root"
root_servers["20.172.in-addr.arpa."] = "dn42_root"
@ -145,14 +145,14 @@ root_servers["21.172.in-addr.arpa."] = "dn42_root"
root_servers["22.172.in-addr.arpa."] = "dn42_root"
root_servers["23.172.in-addr.arpa."] = "dn42_root"
root_servers["10.in-addr.arpa."] = "dn42_root"
````
```
## Unbound
Make sure to disable `auto-trust-anchor-file` and manually configure `trust-anchor-file` to
point to a file with DNSKEY records for dn42.
````
```
server:
local-zone: "20.172.in-addr.arpa." nodefault
local-zone: "21.172.in-addr.arpa." nodefault
@ -195,15 +195,15 @@ forward-zone:
name: "d.f.ip6.arpa"
forward-addr: fd42:d42:d42:54::1
forward-addr: 172.20.0.53
````
```
## JunOS (SRX 12.1X46)
Should also work in 12.1X44 and 12.1X45. After making the changes below you may need to run:
````
```
restart named-service
````
```
Config (vlan.0 is presumed to be your LAN/Trust interface)
````
```
system {
services {
dns {
@ -251,7 +251,7 @@ system {
}
}
}
````
```
## MS DNS
Add a "Conditional Forward" (de: "Bedingte Weiterleitung") for each of "dn42", "20.172.in-addr.arpa", "21.172.in-addr.arpa", "22.172.in-addr.arpa", "23.172.in-addr.arpa", "10.in-addr.arpa" using 172.20.0.53 as forwarder. Ignore the error message that the server is not authoritative.

2
services/dns/Providing-Anycast-DNS.md
View File

@ -8,7 +8,7 @@ Configuration requirements for all members of the anycast group are:
* maintain your own zones based on whois database (scripts included in monotone repository)
* allow recursion (including `.`)
* listen on a unicast IP too for testing/debugging reasons
* with bind, please use ````minimal-responses yes;```` (goes into ````options````/````view````)
* with bind, please use ```minimal-responses yes;``` (goes into ```options```/```view```)
It is _really_ good to hang around in [IRC](/IRC) to get things sorted out, if something doesn't work. Letting some people test your DNS behavior before joining the anycast-group is considered best practice - better safe than sorry.

12
services/dns/Recursive-DNS-resolver.md
View File

@ -8,7 +8,7 @@ You may use some servers listed in the [table of anycast servers](/Providing-Any
Configuration for `unbound.conf`
````
```
server:
local-zone: "22.172.in-addr.arpa." nodefault
local-zone: "23.172.in-addr.arpa." nodefault
@ -30,12 +30,12 @@ stub-zone:
stub-prime: yes
stub-addr: 172.22.119.160
stub-addr: 172.22.119.163
````
```
### Unbound with root-hints
Alternatively you can put dn42 root servers in the root-hints file for recursive resolving.
````
```
# /etc/unbound/unbound.conf.d/dn42.conf
server:
# DNSSEC validation will fail
@ -52,10 +52,10 @@ server:
remote-control:
control-enable: no
````
```
The `/etc/unbound/dn42.hints` file:
````
```
. NS a.root-servers.dn42.
a.root-servers.dn42. 3600000 A 172.22.177.6
. NS m.root-servers.dn42.
@ -64,4 +64,4 @@ m.root-servers.dn42. 3600000 A 172.23.67.67
t.root-servers.dn42. 3600000 A 172.22.102.141
. NS x.root-servers.dn42.
x.root-servers.dn42. 3600000 A 172.22.141.1
````
```