dn42/wiki
1
Fork 0
mirror of https://git.dn42.dev/wiki/wiki.git synced 2024-11-23 07:43:29 +01:00
Code Releases Activity

Revert "Ungollum #2"

Browse Source 
This reverts commit ed1acbed
This commit is contained in:
KIOUBIT-MNT 2021-05-31 22:20:54 +03:00
parent 4af78f0286
commit 570bc4abde
40 changed files with 440 additions and 440 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Other.md
View File

@ -44,7 +44,7 @@ A wiki page dedicated to the AnoNet Network: http://wiki.qontrol.nl/Anonet
> This information is a caryover from the original dn42 wiki. most is unsubstantiated and probably invalid now. Included here for historical reasons. Keys and other parameters can be found in the registry under `tinc-key` and `tinc-keyset` > This information is a caryover from the original dn42 wiki. most is unsubstantiated and probably invalid now. Included here for historical reasons. Keys and other parameters can be found in the registry under `tinc-key` and `tinc-keyset`
```` ```
first tinc cloud first tinc cloud
================ ================
@ -88,6 +88,6 @@ IP IPv6 User Host ASN
172.22.255.161 fd04:de02:7af9::161 uves spline 64733 172.22.255.161 fd04:de02:7af9::161 uves spline 64733
172.22.255.162 fd04:de02:7af9::162 petrus beta 64751 172.22.255.162 fd04:de02:7af9::162 petrus beta 64751
-------------- ------------------- --------- ----------- ----- -------------- ------------------- --------- ----------- -----
```` ```

4
howto/Address-Space.md
View File

@ -9,9 +9,9 @@ The [DN42 registry](https://git.dn42.dev/dn42/registry) is the authoritative sou
A simple way to see all the active policies in the registry is to search the registry content for policy attributes: A simple way to see all the active policies in the registry is to search the registry content for policy attributes:
````sh ```sh
grep -r ^policy data/inet{,6}num/ grep -r ^policy data/inet{,6}num/
```` ```
The [filter.txt](https://git.dn42.dev/dn42/registry/src/master/data/filter.txt) and [filter6.txt](https://git.dn42.dev/dn42/registry/src/master/data/filter6.txt) files within the registry detail the network wide constraints on what address ranges are in use together with the global limits on what can be announced. The [filter.txt](https://git.dn42.dev/dn42/registry/src/master/data/filter.txt) and [filter6.txt](https://git.dn42.dev/dn42/registry/src/master/data/filter6.txt) files within the registry detail the network wide constraints on what address ranges are in use together with the global limits on what can be announced.

24
howto/Bird-communities.md
View File

@ -11,7 +11,7 @@ Below, you will see an example config for peers4 based on the original filter im
To properly assign the right community to your peer, please reference the table below. If you are running your own network and peering internally, please also apply the communities inside your network. To properly assign the right community to your peer, please reference the table below. If you are running your own network and peering internally, please also apply the communities inside your network.
## BGP community criteria ## BGP community criteria
```` ```
(64511, 1) :: latency \in (0, 2.7ms] (64511, 1) :: latency \in (0, 2.7ms]
(64511, 2) :: latency \in (2.7ms, 7.3ms] (64511, 2) :: latency \in (2.7ms, 7.3ms]
(64511, 3) :: latency \in (7.3ms, 20ms] (64511, 3) :: latency \in (7.3ms, 20ms]
@ -39,12 +39,12 @@ bw = min(up,down) for asymmetric connections
Propagation: Propagation:
- - for latency pick max(received_route.latency, link_latency) - - for latency pick max(received_route.latency, link_latency)
- - for encryption and bandwidth pick min between received BGP community and peer link - - for encryption and bandwidth pick min between received BGP community and peer link
```` ```
For example, if your peer is 12ms away and the link speed between you is 250Mbit/s and you are peering using OpenVPN P2P, then the community string would be (3, 24, 33). For example, if your peer is 12ms away and the link speed between you is 250Mbit/s and you are peering using OpenVPN P2P, then the community string would be (3, 24, 33).
Two utilites which measure round trip time and calculate community values automatically are provided, written in [ruby](https://github.com/Mic92/bird-dn42/blob/master/bgp-community.rb) and [C](https://github.com/nixnodes/bird/blob/master/misc/dn42-comgen.c). Two utilites which measure round trip time and calculate community values automatically are provided, written in [ruby](https://github.com/Mic92/bird-dn42/blob/master/bgp-community.rb) and [C](https://github.com/nixnodes/bird/blob/master/misc/dn42-comgen.c).
```` ```
$ ruby bgp-community.rb --help $ ruby bgp-community.rb --help
USAGE: bgp-community.rb host mbit_speed unencrypted|unsafe|encrypted|pfs USAGE: bgp-community.rb host mbit_speed unencrypted|unsafe|encrypted|pfs
-6, --ipv6 Assume ipv6 for ping -6, --ipv6 Assume ipv6 for ping
@ -56,11 +56,11 @@ $ ruby bgp-community.rb -6 dn42-2.higgsboson.tk 1000 pfs
# 11 ms, 1000 mbit/s, pfs tunnel (updated: 2016-02-11) # 11 ms, 1000 mbit/s, pfs tunnel (updated: 2016-02-11)
import where dn42_import_filter(3,25,34); import where dn42_import_filter(3,25,34);
export where dn42_export_filter(3,25,34); export where dn42_export_filter(3,25,34);
```` ```
### Route Origin ### Route Origin
According to [this mail](https://lists.nox.tf/pipermail/dn42/2015-December/001259.html) these are the communities for route origin: According to [this mail](https://lists.nox.tf/pipermail/dn42/2015-December/001259.html) these are the communities for route origin:
```` ```
(64511, 41) :: Europe (64511, 41) :: Europe
(64511, 42) :: North America-E (64511, 42) :: North America-E
(64511, 43) :: North America-C (64511, 43) :: North America-C
@ -74,7 +74,7 @@ According to [this mail](https://lists.nox.tf/pipermail/dn42/2015-December/00125
(64511, 51) :: Asia-SE (TH,SG,PH,ID,MY) (64511, 51) :: Asia-SE (TH,SG,PH,ID,MY)
(64511, 52) :: Asia-E (JP,CN,KR) (64511, 52) :: Asia-E (JP,CN,KR)
(64511, 53) :: Pacific (64511, 53) :: Pacific
```` ```
You need to add following lines to your config(s): You need to add following lines to your config(s):
- `define DN42_REGION = $VALUE_FROM_ABOVE` to your node's config (where OWNAS and OWNIP are set) - `define DN42_REGION = $VALUE_FROM_ABOVE` to your node's config (where OWNAS and OWNIP are set)
@ -83,15 +83,15 @@ just above `update_flags` in `dn42_export_filter` function
## Example configurations ## Example configurations
```` ```
# /etc/bird/peers4/tombii.conf # /etc/bird/peers4/tombii.conf
protocol bgp tombii from dnpeers { protocol bgp tombii from dnpeers {
neighbor 172.23.102.x as 4242420321; neighbor 172.23.102.x as 4242420321;
import where dn42_import_filter(3,24,33); import where dn42_import_filter(3,24,33);
export where dn42_export_filter(3,24,33); export where dn42_export_filter(3,24,33);
}; };
```` ```
```` ```
#/etc/bird/community_filters.conf #/etc/bird/community_filters.conf
function update_latency(int link_latency) { function update_latency(int link_latency) {
bgp_community.add((64511, link_latency)); bgp_community.add((64511, link_latency));
@ -159,9 +159,9 @@ function dn42_export_filter(int link_latency; int link_bandwidth; int link_crypt
reject; reject;
} }
```` ```
Please remember to include /etc/bird/community_filters.conf in your bird.conf/birdc6.conf Please remember to include /etc/bird/community_filters.conf in your bird.conf/birdc6.conf
```` ```
# local configuration # local configuration
###################### ######################
@ -172,7 +172,7 @@ include "bird/local4.conf";
include "/etc/bird/filter4.conf"; include "/etc/bird/filter4.conf";
include "/etc/bird/community_filters.conf"; include "/etc/bird/community_filters.conf";
```` ```
*** ***

64
howto/Bird.md
View File

@ -7,13 +7,13 @@ In the Debian release cycle the bird packages may become outdated at times, if t
This is not necessary for Debian Stretch, which currently ships the most recent version (1.6.3) in this repositories. This is not necessary for Debian Stretch, which currently ships the most recent version (1.6.3) in this repositories.
````sh ```sh
wget -O - http://bird.network.cz/debian/apt.key | apt-key add - wget -O - http://bird.network.cz/debian/apt.key | apt-key add -
apt-get install lsb-release apt-get install lsb-release
echo "deb http://bird.network.cz/debian/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/bird.list echo "deb http://bird.network.cz/debian/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/bird.list
apt-get update apt-get update
apt-get install bird apt-get install bird
```` ```
# Example configuration # Example configuration
@ -28,7 +28,7 @@ Note: This file covers the configuration of Bird 1.x. For an example configurati
### IPv6 ### IPv6
```` ```
#/etc/bird/bird6.conf #/etc/bird/bird6.conf
protocol device { protocol device {
scan time 10; scan time 10;
@ -96,9 +96,9 @@ template bgp dnpeers {
} }
include "/etc/bird/peers6/*"; include "/etc/bird/peers6/*";
```` ```
```` ```
# /etc/bird/local6.conf # /etc/bird/local6.conf
# should be a unique identifier, use same id as for ipv4 # should be a unique identifier, use same id as for ipv4
router id <GATEWAY_IP>; router id <GATEWAY_IP>;
@ -115,20 +115,20 @@ function is_valid_network() {
fd00::/8{44,64} # ULA address space as per RFC 4193 fd00::/8{44,64} # ULA address space as per RFC 4193
]; ];
} }
```` ```
```` ```
# /etc/bird/peers6/<PEER_NAME> # /etc/bird/peers6/<PEER_NAME>
protocol bgp <PEER_NAME> from dnpeers { protocol bgp <PEER_NAME> from dnpeers {
neighbor <PEERING_IP> as <PEER_AS>; neighbor <PEERING_IP> as <PEER_AS>;
# if you use link-local ipv6 addresses for peering using the following # if you use link-local ipv6 addresses for peering using the following
# neighbor <PEERING_IP> % '<INTERFACE_NAME>' as <PEER_AS>; # neighbor <PEERING_IP> % '<INTERFACE_NAME>' as <PEER_AS>;
}; };
```` ```
### IPv4 ### IPv4
```` ```
# /etc/bird/bird.conf # /etc/bird/bird.conf
# Device status # Device status
protocol device { protocol device {
@ -205,9 +205,9 @@ template bgp dnpeers {
}; };
include "/etc/bird/peers4/*"; include "/etc/bird/peers4/*";
```` ```
```` ```
#/etc/bird/local4.conf #/etc/bird/local4.conf
# should be a unique identifier, <GATEWAY_IP> is what most people use. # should be a unique identifier, <GATEWAY_IP> is what most people use.
router id <GATEWAY_IP>; router id <GATEWAY_IP>;
@ -232,14 +232,14 @@ function is_valid_network() {
10.0.0.0/8{15,24} # Freifunk.net 10.0.0.0/8{15,24} # Freifunk.net
]; ];
} }
```` ```
```` ```
# /etc/bird/peers4/<PEER_NAME> # /etc/bird/peers4/<PEER_NAME>
protocol bgp <PEER_NAME> from dnpeers { protocol bgp <PEER_NAME> from dnpeers {
neighbor <PEERING_IP> as <PEER_AS>; neighbor <PEERING_IP> as <PEER_AS>;
}; };
```` ```
# Bird communities # Bird communities
@ -270,23 +270,23 @@ ROA files generated by [dn42regsrv](https://git.dn42.dev/burble/dn42regsrv) are
You can add cron entries to periodically update the tables: You can add cron entries to periodically update the tables:
```` ```
*/15 * * * * curl -sfSLR {-o,-z}/var/lib/bird/bird6_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_6.conf && chronic birdc6 configure */15 * * * * curl -sfSLR {-o,-z}/var/lib/bird/bird6_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_6.conf && chronic birdc6 configure
*/15 * * * * curl -sfSLR {-o,-z}/var/lib/bird/bird_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_4.conf && chronic birdc configure */15 * * * * curl -sfSLR {-o,-z}/var/lib/bird/bird_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_4.conf && chronic birdc configure
```` ```
Debian version: Debian version:
```` ```
*/15 * * * * curl -sfSLR -o/var/lib/bird/bird6_roa_dn42.conf -z/var/lib/bird/bird6_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_6.conf && /usr/sbin/birdc6 configure */15 * * * * curl -sfSLR -o/var/lib/bird/bird6_roa_dn42.conf -z/var/lib/bird/bird6_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_6.conf && /usr/sbin/birdc6 configure
*/15 * * * * curl -sfSLR -o/var/lib/bird/bird_roa_dn42.conf -z/var/lib/bird/bird_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_4.conf && /usr/sbin/birdc configure */15 * * * * curl -sfSLR -o/var/lib/bird/bird_roa_dn42.conf -z/var/lib/bird/bird_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_4.conf && /usr/sbin/birdc configure
```` ```
then create the directory to make sure curls can save the files: then create the directory to make sure curls can save the files:
```` ```
mkdir -p /var/lib/bird/ mkdir -p /var/lib/bird/
```` ```
### Use RPKI ROA for bird2 ### Use RPKI ROA for bird2
* Download gortr * Download gortr
@ -295,22 +295,22 @@ mkdir -p /var/lib/bird/
* Running gortr,need golang environment. * Running gortr,need golang environment.
```` ```
./gortr -verify=false -checktime=false -cache=https://dn42.burble.com/roa/dn42_roa_46.json ./gortr -verify=false -checktime=false -cache=https://dn42.burble.com/roa/dn42_roa_46.json
```` ```
* run with docker * run with docker
`docker pull cloudflare/gortr` `docker pull cloudflare/gortr`
```` ```
docker run --name dn42rpki -p 8282:8282 --restart=always -d cloudflare/gortr -verify=false -checktime=false -cache=https://dn42.burble.com/roa/dn42_roa_46.json docker run --name dn42rpki -p 8282:8282 --restart=always -d cloudflare/gortr -verify=false -checktime=false -cache=https://dn42.burble.com/roa/dn42_roa_46.json
```` ```
* Add this to your bird configure file,other ROA protocol must removed. * Add this to your bird configure file,other ROA protocol must removed.
```` ```
protocol rpki rpki_dn42{ protocol rpki rpki_dn42{
roa4 { table dn42_roa; }; roa4 { table dn42_roa; };
roa6 { table dn42_roa_v6; }; roa6 { table dn42_roa_v6; };
@ -321,26 +321,26 @@ protocol rpki rpki_dn42{
refresh keep 900; refresh keep 900;
expire keep 172800; expire keep 172800;
} }
```` ```
## Filter configuration ## Filter configuration
In your import filter add the following to reject invalid routes: In your import filter add the following to reject invalid routes:
```` ```
if (roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID) then { if (roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID) then {
print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last; print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
reject; reject;
} }
```` ```
Also, define your ROA table with: Also, define your ROA table with:
```` ```
roa table dn42_roa { roa table dn42_roa {
include "/var/lib/bird/bird_roa_dn42.conf"; include "/var/lib/bird/bird_roa_dn42.conf";
}; };
```` ```
**NOTE**: Make sure you setup ROA checks for both bird and bird6 (for IPv6). **NOTE**: Make sure you setup ROA checks for both bird and bird6 (for IPv6).
@ -349,7 +349,7 @@ roa table dn42_roa {
bird can be remote controlled via the `birdc` command. Here is a list of useful bird commands: bird can be remote controlled via the `birdc` command. Here is a list of useful bird commands:
```` ```
$ birdc $ birdc
BIRD 1.4.5 ready. BIRD 1.4.5 ready.
bird> configure # reload configuration bird> configure # reload configuration
@ -389,7 +389,7 @@ bird> show route filtered # shows routed filtered out by rules
bird> show route protocol <somepeer> # shows the route they export to you bird> show route protocol <somepeer> # shows the route they export to you
bird> show route export <somepeer> # shows the route you export to someone bird> show route export <somepeer> # shows the route you export to someone
... ...
```` ```
# External Links # External Links
* detailed bird configuration from Mic92: https://github.com/Mic92/bird-dn42 * detailed bird configuration from Mic92: https://github.com/Mic92/bird-dn42

12
howto/Bird2.md
View File

@ -19,7 +19,7 @@ When copying the configuration below onto your system, you will have to enter th
* The same goes for `<OWNNETv6>`, but it takes an IPv6 subnet (Who'd have thought). * The same goes for `<OWNNETv6>`, but it takes an IPv6 subnet (Who'd have thought).
* Keep in mind that you'll have to enter both networks in the OWNNET{,v6} and OWNNETSET{,v6}, the two variables are required due to set parsing difficulties with variables. * Keep in mind that you'll have to enter both networks in the OWNNET{,v6} and OWNNETSET{,v6}, the two variables are required due to set parsing difficulties with variables.
```` ```
################################################ ################################################
# Variable header # # Variable header #
################################################ ################################################
@ -165,7 +165,7 @@ template bgp dnpeers {
include "/etc/bird/peers/*"; include "/etc/bird/peers/*";
```` ```
# Route Origin Authorization # Route Origin Authorization
@ -177,15 +177,15 @@ Please note: This section assumes that you've already got a tunnel to your peeri
First, make sure the /etc/bird/peers directory exists: First, make sure the /etc/bird/peers directory exists:
```` ```
# mkdir -p /etc/bird/peers # mkdir -p /etc/bird/peers
```` ```
Then for each peer, create a configuration file similar to this one: Then for each peer, create a configuration file similar to this one:
`/etc/bird/peers/<NEIGHBOR_NAME>.conf`: `/etc/bird/peers/<NEIGHBOR_NAME>.conf`:
```` ```
protocol bgp <NEIGHBOR_NAME> from dnpeers { protocol bgp <NEIGHBOR_NAME> from dnpeers {
neighbor <NEIGHBOR_IP> as <NEIGHBOR_ASN>; neighbor <NEIGHBOR_IP> as <NEIGHBOR_ASN>;
} }
@ -193,6 +193,6 @@ protocol bgp <NEIGHBOR_NAME> from dnpeers {
protocol bgp <NEIGHBOR_NAME>_v6 from dnpeers { protocol bgp <NEIGHBOR_NAME>_v6 from dnpeers {
neighbor <NEIGHBOR_IPv6>%<NEIGHBOR_INTERFACE> as <NEIGHBOR_ASN>; neighbor <NEIGHBOR_IPv6>%<NEIGHBOR_INTERFACE> as <NEIGHBOR_ASN>;
} }
```` ```
Due to the special link local addresses of IPv6, an interface has to be specified using the %<if> syntax if a link local address is used (Which is recommended) Due to the special link local addresses of IPv6, an interface has to be specified using the %<if> syntax if a link local address is used (Which is recommended)

16
howto/EMail.md
View File

@ -18,7 +18,7 @@ Running email in dn42 is not very complicated. Your SMTP daemon probably alread
~~Send an email to `test@evenet.dn42` to check if your mail setup is correct.~~ This host will reply using the following ~~Send an email to `test@evenet.dn42` to check if your mail setup is correct.~~ This host will reply using the following
sieve filter: sieve filter:
```` ```
require ["regex", "variables", "vacation-seconds"]; require ["regex", "variables", "vacation-seconds"];
if header :contains "To" ["test@evenet.dn42"] { if header :contains "To" ["test@evenet.dn42"] {
if header :matches "Subject" "*" { if header :matches "Subject" "*" {
@ -26,7 +26,7 @@ if header :contains "To" ["test@evenet.dn42"] {
} }
vacation :addresses ["test@evenet.dn42"] :seconds 60 :subject "Re: ${subject_was}" "Your dn42 email setup works!"; vacation :addresses ["test@evenet.dn42"] :seconds 60 :subject "Re: ${subject_was}" "Your dn42 email setup works!";
} }
```` ```
## Exim tips ## Exim tips
@ -65,25 +65,25 @@ This should to the trick for sending mails via your DN42-IP
If you use `smtpd_recipient_restrictions` you can use the following rule to white-list dn42 as sender. If you use `smtpd_recipient_restrictions` you can use the following rule to white-list dn42 as sender.
This can circumvent certain rdns configuration failure or in case you use rbl lists: This can circumvent certain rdns configuration failure or in case you use rbl lists:
```` ```
smtpd_recipient_restrictions = permit_mynetworks, smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, permit_sasl_authenticated,
check_client_access cidr:/etc/postfix/dn42.cidr, check_client_access cidr:/etc/postfix/dn42.cidr,
reject_non_fqdn_sender, reject_non_fqdn_sender,
# ... # ...
permit permit
```` ```
```` ```
#/etc/postfix/dn42.cidr #/etc/postfix/dn42.cidr
172.16.0.0/12 OK 172.16.0.0/12 OK
10.0.0.0/8 OK 10.0.0.0/8 OK
fc00::/7 OK fc00::/7 OK
```` ```
```` ```
$ postmap /etc/postfix/dn42.cidr $ postmap /etc/postfix/dn42.cidr
```` ```
### Receiving emails ### Receiving emails

6
howto/EdgeOS-Config-Example.md
View File

@ -12,7 +12,7 @@ This is the config I (Felicitus) am running on an Ubiquiti EdgeRouter Lite (AS76
## Upcoming ## Upcoming
* AICCU integration (SIXXS), probably not possible with the config, so ````apt-get install aiccu```` should do the trick * AICCU integration (SIXXS), probably not possible with the config, so ```apt-get install aiccu``` should do the trick
* dn42 IPv6 routing (probably) * dn42 IPv6 routing (probably)
Ask me if you want to know if I have implemented those items already. Ask me if you want to know if I have implemented those items already.
@ -20,7 +20,7 @@ Ask me if you want to know if I have implemented those items already.
# Configuration # Configuration
```` ```
firewall { firewall {
all-ping enable all-ping enable
broadcast-ping disable broadcast-ping disable
@ -376,4 +376,4 @@ traffic-policy {
/* Warning: Do not remove the following line. */ /* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:dhcp-relay@1:dhcp-server@4:firewall@4:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */ /* === vyatta-config-version: "config-management@1:dhcp-relay@1:dhcp-server@4:firewall@4:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.3.0.4605130.131011.1754 */ /* Release version: v1.3.0.4605130.131011.1754 */
```` ```

8
howto/GRE-on-FreeBSD.md
View File

@ -10,18 +10,18 @@ This page describes how to configure GRE tunnels on FreeBSD.
## Create a temporary gre tunnel ## Create a temporary gre tunnel
````bash ```bash
ifconfig gre$INDEX create ifconfig gre$INDEX create
ifconfig gre$INDEX tunnel $TUNNEL_SRC $TUNNEL_DST ifconfig gre$INDEX tunnel $TUNNEL_SRC $TUNNEL_DST
ifconfig gre$INDEX inet $LOCAL $REMOTE netmask 0xffffffff ifconfig gre$INDEX inet $LOCAL $REMOTE netmask 0xffffffff
ifconfig gre$INDEX descr $DESCR ifconfig gre$INDEX descr $DESCR
```` ```
## Create a persistent gre tunnel ## Create a persistent gre tunnel
Add this to your `rc.conf`. Add this to your `rc.conf`.
```` ```
cloned_interfaces="$cloned_interfaces gre0" cloned_interfaces="$cloned_interfaces gre0"
ifconfig_gre0="10.0.0.1 10.0.0.2 netmask 0xffffffff tunnel 1.2.3.4 5.6.7.8 descr foo" ifconfig_gre0="10.0.0.1 10.0.0.2 netmask 0xffffffff tunnel 1.2.3.4 5.6.7.8 descr foo"
```` ```

20
howto/GRE-on-OpenBSD.md
View File

@ -9,10 +9,10 @@ Let `fd42::` and `fd42::1` be the IPs of *A* and *D* respectively where both are
## pseudo interface ## pseudo interface
Populate [`/etc/hostname.gre0`](https://man.openbsd.org/hostname.if.5) with: Populate [`/etc/hostname.gre0`](https://man.openbsd.org/hostname.if.5) with:
```` ```
tunnel A.example.com D.example.net tunnel A.example.com D.example.net
inet6 fd42::/127 inet6 fd42::/127
```` ```
This will resolve FQDNs at parse time, set *A*'s and *D*'s IPs as source and destination tunnel address and set *A*'s assigned IP as point-to-point address on the interface. This will resolve FQDNs at parse time, set *A*'s and *D*'s IPs as source and destination tunnel address and set *A*'s assigned IP as point-to-point address on the interface.
Replace hostnames in the `tunnel` line with literal IPs if DNS is not available (at system boot). Replace hostnames in the `tunnel` line with literal IPs if DNS is not available (at system boot).
@ -21,14 +21,14 @@ Reboot or run [`sh /etc/netstart gre0`](https://man.openbsd.org/netstart.8) to b
## miscellaneous ## miscellaneous
Populate `/etc/sysctl.conf` with: Populate `/etc/sysctl.conf` with:
```` ```
net.inet.gre.allow=1 net.inet.gre.allow=1
```` ```
Reboot or run `sysctl net.inet.gre.allow=1` to allow GRE packet processing. Reboot or run `sysctl net.inet.gre.allow=1` to allow GRE packet processing.
- -
At this point, `gre0` will be administratively *UP*: At this point, `gre0` will be administratively *UP*:
```` ```
$ ifconfig gre0 $ ifconfig gre0
gre0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1476 gre0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1476
index 22 priority 0 llprio 6 index 22 priority 0 llprio 6
@ -37,10 +37,10 @@ gre0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1476
tunnel: inet6 2001:db8::a --> 2001:db9::d ttl 64 nodf ecn tunnel: inet6 2001:db8::a --> 2001:db9::d ttl 64 nodf ecn
inet6 fe80::221:28ff:fef9:c1d8%gre0 --> prefixlen 64 scopeid 0x16 inet6 fe80::221:28ff:fef9:c1d8%gre0 --> prefixlen 64 scopeid 0x16
inet6 fd42:: --> prefixlen 127 inet6 fd42:: --> prefixlen 127
```` ```
All traffic destined to `fd42::1/127` will be encapsulated and routed to *D*: All traffic destined to `fd42::1/127` will be encapsulated and routed to *D*:
```` ```
$ route show $ route show
[...] [...]
Internet6: Internet6:
@ -53,8 +53,8 @@ fe80::221:28ff:fef9:c1d8%gre0 fe80::221:28ff:fef9:c1d8%gre0 UHl 0
ff01::%gre0/32 fe80::221:28ff:fef9:c1d8%gre0 Um 0 1 - 4 gre0 ff01::%gre0/32 fe80::221:28ff:fef9:c1d8%gre0 Um 0 1 - 4 gre0
ff02::%gre0/32 fe80::221:28ff:fef9:c1d8%gre0 Um 0 1 - 4 gre0 ff02::%gre0/32 fe80::221:28ff:fef9:c1d8%gre0 Um 0 1 - 4 gre0
[...] [...]
```` ```
```` ```
$ route -n get fd42::1 $ route -n get fd42::1
route to: fd42::1 route to: fd42::1
destination: fd42::1 destination: fd42::1
@ -65,7 +65,7 @@ destination: fd42::1
flags: <UP,HOST,DONE,CLONED> flags: <UP,HOST,DONE,CLONED>
use mtu expire use mtu expire
3181 0 0 3181 0 0
```` ```
# Security # Security
GRE may be protected with IPsec to encrypt and authenticate traffic, [OpenIKED](http://www.openiked.org/) can be used to establish an IKEv2 session between *A* and *D*. GRE may be protected with IPsec to encrypt and authenticate traffic, [OpenIKED](http://www.openiked.org/) can be used to establish an IKEv2 session between *A* and *D*.

44
howto/Getting-Started.md
View File

@ -65,14 +65,14 @@ Common authentication methods are:
- SSH Key: `auth: ssh-{rsa,ed25519} <key>` - SSH Key: `auth: ssh-{rsa,ed25519} <key>`
Example: data/mntner/FOO-MNT Example: data/mntner/FOO-MNT
```` ```
mntner: FOO-MNT mntner: FOO-MNT
admin-c: FOO-DN42 admin-c: FOO-DN42
tech-c: FOO-DN42 tech-c: FOO-DN42
mnt-by: FOO-MNT mnt-by: FOO-MNT
auth: pgp-fingerprint 0123456789ABCDEF0123456789ABCDEF01234567 auth: pgp-fingerprint 0123456789ABCDEF0123456789ABCDEF01234567
source: DN42 source: DN42
```` ```
### Create person objects ### Create person objects
@ -91,13 +91,13 @@ Contact attributes are optional but DN42 is a dynamic network and being able to
Example: data/person/FOO-DN42 Example: data/person/FOO-DN42
```` ```
person: John Doe person: John Doe
e-mail: john.doe@example.com e-mail: john.doe@example.com
nic-hdl: FOO-DN42 nic-hdl: FOO-DN42
mnt-by: FOO-MNT mnt-by: FOO-MNT
source: DN42 source: DN42
```` ```
--- ---
@ -114,14 +114,14 @@ If you intend to register resources for an organisation (e.g. your hackerspace),
- don't forget to set `mnt-by` to `<FOO>-MNT`, since you're managing this object on behalf of your organisation. - don't forget to set `mnt-by` to `<FOO>-MNT`, since you're managing this object on behalf of your organisation.
Example: data/organisation/ORG-EXAMPLE Example: data/organisation/ORG-EXAMPLE
```` ```
organisation: ORG-FOO organisation: ORG-FOO
org-name: Foo Organisation org-name: Foo Organisation
admin-c: FOO-DN42 admin-c: FOO-DN42
tech-c: FOO-DN42 tech-c: FOO-DN42
mnt-by: FOO-MNT mnt-by: FOO-MNT
source: DN42 source: DN42
```` ```
### Guidelines for resource objects ### Guidelines for resource objects
@ -151,14 +151,14 @@ Internet ASNs may be used, but you must take care to clearly separate Internet a
If unsure, ask on the mailing list or IRC. If unsure, ask on the mailing list or IRC.
Example: data/aut-num/AS4242423999 Example: data/aut-num/AS4242423999
```` ```
aut-num: AS4242423999 aut-num: AS4242423999
as-name: AS-FOO-DN42 as-name: AS-FOO-DN42
admin-c: FOO-DN42 admin-c: FOO-DN42
tech-c: FOO-DN42 tech-c: FOO-DN42
mnt-by: FOO-MNT mnt-by: FOO-MNT
source: DN42 source: DN42
```` ```
### Register a network prefix ### Register a network prefix
@ -177,7 +177,7 @@ A few websites can generate random ULA prefixes for you:
or a small script is available: [ulagen.py](https://git.dn42.dev/netravnen/dn42-repo-utils/src/master/ulagen.py) or a small script is available: [ulagen.py](https://git.dn42.dev/netravnen/dn42-repo-utils/src/master/ulagen.py)
example: data/inet6num/fd35:4992:6a6d::_48 example: data/inet6num/fd35:4992:6a6d::_48
```` ```
inet6num: fd35:4992:6a6d:0000:0000:0000:0000:0000 - fd35:4992:6a6d:ffff:ffff:ffff:ffff:ffff inet6num: fd35:4992:6a6d:0000:0000:0000:0000:0000 - fd35:4992:6a6d:ffff:ffff:ffff:ffff:ffff
cidr: fd35:4992:6a6d::/48 cidr: fd35:4992:6a6d::/48
netname: FOO-NETWORK netname: FOO-NETWORK
@ -188,7 +188,7 @@ tech-c: FOO-DN42
mnt-by: FOO-MNT mnt-by: FOO-MNT
status: ASSIGNED status: ASSIGNED
source: DN42 source: DN42
```` ```
#### IPv4 (Legacy) #### IPv4 (Legacy)
@ -219,7 +219,7 @@ If you need a /24 or larger, please ask in the IRC chan or on the mailing list a
**Note:** Reverse DNS works with _any_ prefix length, as long as your [recursive nameserver](/services/DNS) supports [RFC 2317](https://www.ietf.org/rfc/rfc2317.txt). Don't go for a /24 _just to have RDNS_. **Note:** Reverse DNS works with _any_ prefix length, as long as your [recursive nameserver](/services/DNS) supports [RFC 2317](https://www.ietf.org/rfc/rfc2317.txt). Don't go for a /24 _just to have RDNS_.
example: data/inetnum/172.20.150.0_27 example: data/inetnum/172.20.150.0_27
```` ```
inetnum: 172.20.150.0 - 172.20.150.31 inetnum: 172.20.150.0 - 172.20.150.31
cidr: 172.20.150.0/27 cidr: 172.20.150.0/27
netname: FOO-NETWORK netname: FOO-NETWORK
@ -228,28 +228,28 @@ tech-c: FOO-DN42
mnt-by: FOO-MNT mnt-by: FOO-MNT
status: ASSIGNED status: ASSIGNED
source: DN42 source: DN42
```` ```
#### Create route objects #### Create route objects
If you plan to announce your prefixes in dn42, which you probably want in most cases, you will also need to create a `route6` object for ipv6 prefixes and a `route` object for ipv4 prefixes. This information is used for Route Origin Authorization (ROA) checks. If you skip this step, your network will probably get filtered by most major peers. Checking ROA will prevent (accidental) hijacking of other people's prefixes. If you plan to announce your prefixes in dn42, which you probably want in most cases, you will also need to create a `route6` object for ipv6 prefixes and a `route` object for ipv4 prefixes. This information is used for Route Origin Authorization (ROA) checks. If you skip this step, your network will probably get filtered by most major peers. Checking ROA will prevent (accidental) hijacking of other people's prefixes.
example: data/route6/fd35:4992:6a6d::_48 example: data/route6/fd35:4992:6a6d::_48
```` ```
route6: fd35:4992:6a6d::/48 route6: fd35:4992:6a6d::/48
origin: AS4242423999 origin: AS4242423999
max-length: 48 max-length: 48
mnt-by: FOO-MNT mnt-by: FOO-MNT
source: DN42 source: DN42
```` ```
example data/route/172.20.150.0_27: example data/route/172.20.150.0_27:
```` ```
route: 172.20.150.0/27 route: 172.20.150.0/27
origin: AS4242423999 origin: AS4242423999
mnt-by: FOO-MNT mnt-by: FOO-MNT
source: DN42 source: DN42
```` ```
#### DNS and Domain Registration #### DNS and Domain Registration
@ -258,7 +258,7 @@ To register a domain name, create a `dns` object in the data/dns directory.
Domain names and nserver attributes must be lowercase. Domain names and nserver attributes must be lowercase.
example: data/dns/foo.dn42 example: data/dns/foo.dn42
```` ```
domain: foo.dn42 domain: foo.dn42
admin-c: FOO-DN42 admin-c: FOO-DN42
tech-c: FOO-DN42 tech-c: FOO-DN42
@ -268,17 +268,17 @@ nserver: ns1.foo.dn42 fd35:4992:6a6d:53::1
nserver: ns2.foo.dn42 172.20.150.2 nserver: ns2.foo.dn42 172.20.150.2
nserver: ns2.foo.dn42 fd35:4992:6a6d:53::2 nserver: ns2.foo.dn42 fd35:4992:6a6d:53::2
source: DN42 source: DN42
```` ```
You can also add DNSSEC delegations using `ds-rdata` attributes to your domain: You can also add DNSSEC delegations using `ds-rdata` attributes to your domain:
```` ```
ds-rdata: 61857 13 2 bd35e3efe3325d2029fb652e01604a48b677cc2f44226eeabee54b456c67680c ds-rdata: 61857 13 2 bd35e3efe3325d2029fb652e01604a48b677cc2f44226eeabee54b456c67680c
```` ```
For reverse DNS, add `nserver` attributes to you inet{,6}num objects: For reverse DNS, add `nserver` attributes to you inet{,6}num objects:
```` ```
inet6num: fd35:4992:6a6d:0000:0000:0000:0000:0000 - fd35:4992:6a6d:ffff:ffff:ffff:ffff:ffff inet6num: fd35:4992:6a6d:0000:0000:0000:0000:0000 - fd35:4992:6a6d:ffff:ffff:ffff:ffff:ffff
cidr: fd35:4992:6a6d::/48 cidr: fd35:4992:6a6d::/48
netname: FOO-NETWORK netname: FOO-NETWORK
@ -291,7 +291,7 @@ status: ASSIGNED
nserver: ns1.foo.dn42 nserver: ns1.foo.dn42
nserver: ns2.foo.dn42 nserver: ns2.foo.dn42
source: DN42 source: DN42
```` ```
# Get some peers # Get some peers

8
howto/IPsec-on-FreeBSD.md
View File

@ -10,17 +10,17 @@ These instructions are for IPsec in transport mode not IPsec in tunnel mode. IPs
## Kernel configuration ## Kernel configuration
The FreeBSD GENERIC kernel lacks support for in-kernel IPsec processing. Add this two lines to your kernel config and (re-)build your own kernel. The FreeBSD GENERIC kernel lacks support for in-kernel IPsec processing. Add this two lines to your kernel config and (re-)build your own kernel.
If you're new to FreeBSD check Chapters [15.9.1](http://www.freebsd.org/doc/handbook/ipsec.html) and [9](http://www.freebsd.org/doc/handbook/kernelconfig.html) of the FreeBSD handbook. If you're new to FreeBSD check Chapters [15.9.1](http://www.freebsd.org/doc/handbook/ipsec.html) and [9](http://www.freebsd.org/doc/handbook/kernelconfig.html) of the FreeBSD handbook.
```` ```
options IPSEC #IP security options IPSEC #IP security
device crypto device crypto
```` ```
Reboot into your new kernel. Reboot into your new kernel.
## Userland configuration ## Userland configuration
Install the racoon daemon. It's included in the [security/ipsec-tools](http://www.freshports.org/security/ipsec-tools/) port. Install the racoon daemon. It's included in the [security/ipsec-tools](http://www.freshports.org/security/ipsec-tools/) port.
Racoon is pain in the ass to configure the first time because it's error messages aren't helping and the complexity of IPsec. Don't let this stop you. Racoon is pain in the ass to configure the first time because it's error messages aren't helping and the complexity of IPsec. Don't let this stop you.
```` ```
path pre_shared_key "/usr/local/etc/racoon/psk"; path pre_shared_key "/usr/local/etc/racoon/psk";
path certificate "/usr/local/etc/racoon/certs"; path certificate "/usr/local/etc/racoon/certs";
log info; log info;
@ -69,4 +69,4 @@ sainfo (address a.b.c.d gre address b.c.d.e gre) {
authentication_algorithm hmac_sha1; authentication_algorithm hmac_sha1;
} }
```` ```

20
howto/IPsecWithPublicKeys/GRE-plus-IPsec-Debian.md
View File

@ -12,26 +12,26 @@
## Define an IPsec security policy ## Define an IPsec security policy
Example policy on 1.2.3.4: Example policy on 1.2.3.4:
````bash ```bash
#!/usr/sbin/setkey -f #!/usr/sbin/setkey -f
spdadd 1.2.3.4 5.6.7.8 gre -P out ipsec esp/transport//require; spdadd 1.2.3.4 5.6.7.8 gre -P out ipsec esp/transport//require;
spdadd 5.6.7.8 1.2.3.4 gre -P in ipsec esp/transport//require; spdadd 5.6.7.8 1.2.3.4 gre -P in ipsec esp/transport//require;
```` ```
Change the direction on 5.6.7.8. Change the direction on 5.6.7.8.
## Load the IPsec security policy into the IPsec security policy database ## Load the IPsec security policy into the IPsec security policy database
Load the policy with the setkey command. Load the policy with the setkey command.
```` ```
setkey -f /etc/ipsec-tools.conf setkey -f /etc/ipsec-tools.conf
```` ```
Afterward check the policy database with: Afterward check the policy database with:
```` ```
setkey -DP setkey -DP
```` ```
## Configure the racoon daemon ## Configure the racoon daemon
An example /etc/racoon/racoon.conf. An example /etc/racoon/racoon.conf.
```` ```
path pre_shared_key "/etc/racoon/psk.txt"; path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs"; path certificate "/etc/racoon/certs";
log info; log info;
@ -72,11 +72,11 @@ sainfo address 1.2.3.4 47 address 5.6.7.8 47 {
authentication_algorithm hmac_sha1; authentication_algorithm hmac_sha1;
compression_algorithm deflate; compression_algorithm deflate;
} }
```` ```
## Configure a GRE tunnel ## Configure a GRE tunnel
Add this to /etc/network/interfaces: Add this to /etc/network/interfaces:
```` ```
auto gre1 auto gre1
iface gre1 inet tunnel iface gre1 inet tunnel
mode gre mode gre
@ -86,4 +86,4 @@ iface gre1 inet tunnel
endpoint 5.6.7.8 endpoint 5.6.7.8
local 1.2.3.4 local 1.2.3.4
ttl 255 ttl 255
```` ```

8
howto/IPsecWithPublicKeys/RacoonExample.md
View File

@ -4,7 +4,7 @@ See also [strongswan](howto/IPsecWithPublicKeys/strongSwan5Example)
The keys are generated with plainrsa-gen. The keys are generated with plainrsa-gen.
```` ```
Usage: plainrsa-gen [options] Usage: plainrsa-gen [options]
-b bits Generate <bits> long RSA key (default=1024) -b bits Generate <bits> long RSA key (default=1024)
@ -12,12 +12,12 @@ Usage: plainrsa-gen [options]
-f filename Filename to store the key to (default=stdout) -f filename Filename to store the key to (default=stdout)
-i filename Input source for format conversion -i filename Input source for format conversion
-h Help -h Help
```` ```
I'd probably go with 4096 bits. I'd probably go with 4096 bits.
in your racoon.conf: in your racoon.conf:
```` ```
path certificate "/etc/racoon/keys"; path certificate "/etc/racoon/keys";
listen { listen {
@ -36,7 +36,7 @@ remote 192.168.255.2 {
dh_group modp1024; dh_group modp1024;
} }
} }
```` ```
## Se also ## Se also

24
howto/IPv6-Multicast.md
View File

@ -5,14 +5,14 @@ The following guide illustrates how to set up an IPv6 multicast router using [PI
## Quickstart ## Quickstart
* Install pim6sd from here: https://github.com/troglobit/pim6sd/ * Install pim6sd from here: https://github.com/troglobit/pim6sd/
````sh ```sh
cd /usr/src cd /usr/src
git clone https://github.com/troglobit/pim6sd.git git clone https://github.com/troglobit/pim6sd.git
cd pim6sd cd pim6sd
./autogen.sh ./autogen.sh
./configure ./configure
make make
```` ```
* Find a peer who is already connected to the dn42 multicast backbone * Find a peer who is already connected to the dn42 multicast backbone
* Calculate your personal, embedded-RP multicast prefix matching your network prefix via [RFC3956](https://tools.ietf.org/html/rfc3956) * Calculate your personal, embedded-RP multicast prefix matching your network prefix via [RFC3956](https://tools.ietf.org/html/rfc3956)
* Example: * Example:
@ -26,7 +26,7 @@ The following guide illustrates how to set up an IPv6 multicast router using [PI
* Create a dummy interface to hold your calculated unicast Rendezvous Point address. This one needs to be reachable from within dn42. Also set "multicast on" on this dummy interface. Example: * Create a dummy interface to hold your calculated unicast Rendezvous Point address. This one needs to be reachable from within dn42. Also set "multicast on" on this dummy interface. Example:
```` ```
# /etc/network/interfaces.d/pim6sd # /etc/network/interfaces.d/pim6sd
auto pim-router-id auto pim-router-id
iface pim-router-id inet manual iface pim-router-id inet manual
@ -34,11 +34,11 @@ The following guide illustrates how to set up an IPv6 multicast router using [PI
post-up ip link set multicast on dev $IFACE post-up ip link set multicast on dev $IFACE
post-up ip -6 a a fd00:2001:db8::2/128 dev $IFACE post-up ip -6 a a fd00:2001:db8::2/128 dev $IFACE
post-down ip link del $IFACE post-down ip link del $IFACE
```` ```
* Create the configuration file: * Create the configuration file:
````sh ```sh
# /etc/pim6sd.conf # /etc/pim6sd.conf
# disable all interfaces by default # disable all interfaces by default
default_phyint_status disable; default_phyint_status disable;
@ -52,7 +52,7 @@ The following guide illustrates how to set up an IPv6 multicast router using [PI
# configure rendezvous point for the personal multicast prefix # configure rendezvous point for the personal multicast prefix
cand_rp pim-router-id; cand_rp pim-router-id;
group_prefix ff7e:230:fd00:2001:db8::/96; group_prefix ff7e:230:fd00:2001:db8::/96;
```` ```
The `phyint` statement enables [PIM](https://tools.ietf.org/html/rfc7761) and [MLD](https://tools.ietf.org/html/rfc2710) on the target interface - by default all interfaces are in the disable state. Enable an interface if it is directed towards a multicast-capable peer or other multicast-capable routers in your autonomous system. Also enable it for downstream network segments with multicast listeners and senders, like for example your home (W)LAN segments. The `phyint` statement enables [PIM](https://tools.ietf.org/html/rfc7761) and [MLD](https://tools.ietf.org/html/rfc2710) on the target interface - by default all interfaces are in the disable state. Enable an interface if it is directed towards a multicast-capable peer or other multicast-capable routers in your autonomous system. Also enable it for downstream network segments with multicast listeners and senders, like for example your home (W)LAN segments.
@ -66,7 +66,7 @@ The following guide illustrates how to set up an IPv6 multicast router using [PI
On your router: On your router:
````sh ```sh
allow-hotplug pim-ns0 allow-hotplug pim-ns0
iface pim-ns0 inet manual iface pim-ns0 inet manual
pre-up ip link add pim-ns0 type veth peer name pim-ns1 pre-up ip link add pim-ns0 type veth peer name pim-ns1
@ -78,24 +78,24 @@ iface pim-ns0 inet manual
post-up ip netns exec pim-ns0 ip -6 r a default via fdd5:69d5:c530:1::1 post-up ip netns exec pim-ns0 ip -6 r a default via fdd5:69d5:c530:1::1
post-down ip link del pim-ns0 post-down ip link del pim-ns0
post-down ip netns del pim-ns0 post-down ip netns del pim-ns0
```` ```
You can now switch into this test network namespace via "ip netns exec /bin/bash". Inside this network namespace you can try: You can now switch into this test network namespace via "ip netns exec /bin/bash". Inside this network namespace you can try:
### Creating a test multicast listener ### Creating a test multicast listener
```` ```
$ socat -u UDP6-RECV:1234,reuseaddr,ipv6-join-group="[ff7e:230:fdd5:69d5:c530::123]:eth0" - $ socat -u UDP6-RECV:1234,reuseaddr,ipv6-join-group="[ff7e:230:fdd5:69d5:c530::123]:eth0" -
```` ```
### Creating a test multicast sender ### Creating a test multicast sender
First select which interface should be the default one for your multicast traffic. Then send multicast packets via ICMPv6: First select which interface should be the default one for your multicast traffic. Then send multicast packets via ICMPv6:
```` ```
$ ip -6 route add ff7e:230:fdd5:69d5:c530::/96 dev eth0 table local $ ip -6 route add ff7e:230:fdd5:69d5:c530::/96 dev eth0 table local
$ ping6 -t 16 ff7e:230:fdd5:69d5:c530::123 $ ping6 -t 16 ff7e:230:fdd5:69d5:c530::123
```` ```
The "-t 16", a hop-limit of 16, is important here as **by default all multicast traffic is usually send with a hop-limit of just 1**. The "-t 16", a hop-limit of 16, is important here as **by default all multicast traffic is usually send with a hop-limit of just 1**.

4
howto/IPv6.md
View File

@ -65,10 +65,10 @@ Enter NPT. Address your services using a reserved private block, and map that bl
For example, if you've been assigned a public /48 prefix, and want to be reachable on DN42 aswell, you can use only ULA addresses from DN42 internally (or your own!), then map them to outside prefixes. Note that they'll need to all use the same prefix size to maintain the one-to-one mapping, so you may have to subnet the public prefix. For example, if you've been assigned a public /48 prefix, and want to be reachable on DN42 aswell, you can use only ULA addresses from DN42 internally (or your own!), then map them to outside prefixes. Note that they'll need to all use the same prefix size to maintain the one-to-one mapping, so you may have to subnet the public prefix.
In Linux's netfilter, this can be implemented through the use of the NETMAP target, for the example above: In Linux's netfilter, this can be implemented through the use of the NETMAP target, for the example above:
```` ```
ip6tables -t nat -A POSTROUTING -d 2000::/3 -s <DN42-PREFIX>:<SUBNET>::/56 -j NETMAP --to <PUBLIC-PREFIX>:<SUBNET>::/56; # Map ULA to the public prefix for outgoing packets ip6tables -t nat -A POSTROUTING -d 2000::/3 -s <DN42-PREFIX>:<SUBNET>::/56 -j NETMAP --to <PUBLIC-PREFIX>:<SUBNET>::/56; # Map ULA to the public prefix for outgoing packets
ip6tables -t nat -A PREROUTING -s 2000::/3 -d <PUBLIC-PREFIX>:<SUBNET>::/56 -j NETMAP --to <DN42-PREFIX>:<SUBNET>::/56; # Map public prefix to ULA for incoming packets ip6tables -t nat -A PREROUTING -s 2000::/3 -d <PUBLIC-PREFIX>:<SUBNET>::/56 -j NETMAP --to <DN42-PREFIX>:<SUBNET>::/56; # Map public prefix to ULA for incoming packets
```` ```
### With Multiple Prefixes ### With Multiple Prefixes

20
howto/Munin.md
View File

@ -1,7 +1,7 @@
## Number of routes by AS ## Number of routes by AS
IPv4: IPv4:
````bash ```bash
#!/bin/bash #!/bin/bash
if [ "$1" = "config" ];then if [ "$1" = "config" ];then
echo graph_title Number of routes echo graph_title Number of routes
@ -14,10 +14,10 @@ if [ "$1" = "config" ];then
else else
ip r|sed 's/.* dev //;s/ .*//'|sort|uniq -c|grep as|awk '{print $2".value "$1}' ip r|sed 's/.* dev //;s/ .*//'|sort|uniq -c|grep as|awk '{print $2".value "$1}'
fi fi
```` ```
IPv6: IPv6:
````bash ```bash
#!/bin/bash #!/bin/bash
if [ "$1" = "config" ];then if [ "$1" = "config" ];then
echo graph_title Number of routes echo graph_title Number of routes
@ -30,7 +30,7 @@ if [ "$1" = "config" ];then
else else
ip -6 r|sed 's/.* dev //;s/ .*//'|sort|uniq -c|grep as|awk '{print $2".value "$1}' ip -6 r|sed 's/.* dev //;s/ .*//'|sort|uniq -c|grep as|awk '{print $2".value "$1}'
fi fi
```` ```
(hint: The difference just the -6 on the ip command) (hint: The difference just the -6 on the ip command)
## Graph routes and activity for every neighbour ## Graph routes and activity for every neighbour
@ -39,19 +39,19 @@ This munin-plugin makes it very easy to graph the announced routes and activity
https://github.com/luben/bird-multigraph-plugin https://github.com/luben/bird-multigraph-plugin
It's also possible to get notified by Munin when a problem with the peering persists. You have to define a critical value in line 138: It's also possible to get notified by Munin when a problem with the peering persists. You have to define a critical value in line 138:
```` ```
imported.critical 1: imported.critical 1:
```` ```
This will send execute the command (set in munin-node.conf) to alert you, if the imported route count falls under 1. This will send execute the command (set in munin-node.conf) to alert you, if the imported route count falls under 1.
You might also want to change line 125 from You might also want to change line 125 from
```` ```
graph_title $proto->{title} routes graph_title $proto->{title} routes
```` ```
to to
```` ```
graph_title $name routes graph_title $name routes
```` ```
Example installation: Example installation:
http://stats.tbspace.de/munin-cgi/munin-cgi-graph/tbspace.de/server.tbspace.de/dn42_crest_routes-day.png http://stats.tbspace.de/munin-cgi/munin-cgi-graph/tbspace.de/server.tbspace.de/dn42_crest_routes-day.png

36
howto/OpenBGPD.md
View File

@ -16,7 +16,7 @@ By default, [bgpd(8)](http://man.openbsd.org/bgpd.8) listens on all local addres
## local host ## local host
Information such as ASN, router ID and allocated networks are required: Information such as ASN, router ID and allocated networks are required:
```` ```
# macros # macros
ASN="4242421234" ASN="4242421234"
@ -27,21 +27,21 @@ router-id 1.2.3.4
prefix-set mynetworks { prefix-set mynetworks {
fd00:12:34::/48 fd00:12:34::/48
} }
```` ```
These can be used in subsequent filter rules. These can be used in subsequent filter rules.
The local peer's announcements is then defined as follows: The local peer's announcements is then defined as follows:
```` ```
# Generate routes for the networks our ASN will originate. # Generate routes for the networks our ASN will originate.
# The communities (read 'tags') are later used to match on what # The communities (read 'tags') are later used to match on what
# is announced to EBGP neighbors # is announced to EBGP neighbors
network prefix-set mynetworks set large-community $ASN:1:1 network prefix-set mynetworks set large-community $ASN:1:1
```` ```
## neighbors ## neighbors
For each neighbor its ASN and transfer ULA is required. For each neighbor its ASN and transfer ULA is required.
An optional description is provided such that [bgpctl(8)](http://man.openbsd.org/bgpctl.8) for example can be used with mnemonic names instead of AS numbers: An optional description is provided such that [bgpctl(8)](http://man.openbsd.org/bgpctl.8) for example can be used with mnemonic names instead of AS numbers:
```` ```
# peer A, transport over IPSec/GRE # peer A, transport over IPSec/GRE
$A_local="fd00:12:34:A::1" $A_local="fd00:12:34:A::1"
$A_remote="fd00:12:34:A::2" $A_remote="fd00:12:34:A::2"
@ -53,7 +53,7 @@ neighbor $A_remote {
remote-as $A_ASN remote-as $A_ASN
descr "A" descr "A"
} }
```` ```
## filter rules ## filter rules
**bgpd** blocks all BGP __UPDATE__ messages by default. **bgpd** blocks all BGP __UPDATE__ messages by default.
@ -61,35 +61,35 @@ The filter rules are evaluated in sequential order, form first to last.
The last matching allow or deny rule decides what action is taken. The last matching allow or deny rule decides what action is taken.
Start off with basic protection and sanity rules: Start off with basic protection and sanity rules:
```` ```
# deny more-specifics of our own originated prefixes # deny more-specifics of our own originated prefixes
deny quick from ebgp prefix-set mynetworks or-longer deny quick from ebgp prefix-set mynetworks or-longer
# filter out too long paths, establish more peerings instead # filter out too long paths, establish more peerings instead
deny quick from any max-as-len 8 deny quick from any max-as-len 8
```` ```
`quick` rules are considered the last matching rule, and evaluation of subsequent rules is skipped. `quick` rules are considered the last matching rule, and evaluation of subsequent rules is skipped.
Allow own announcements: Allow own announcements:
```` ```
# Outbound EBGP: only allow self originated networks to ebgp peers # Outbound EBGP: only allow self originated networks to ebgp peers
# Don't leak any routes from upstream or peering sessions. This is done # Don't leak any routes from upstream or peering sessions. This is done
# by checking for routes that are tagged with the large-community $ASN:1:1 # by checking for routes that are tagged with the large-community $ASN:1:1
allow to ebgp prefix-set kn large-community $ASN:1:1 allow to ebgp prefix-set kn large-community $ASN:1:1
```` ```
Allow all remaining UPDATES based on **O**rigin **V**alidation **S**tates: Allow all remaining UPDATES based on **O**rigin **V**alidation **S**tates:
```` ```
# enforce ROA # enforce ROA
allow from ebgp ovs valid allow from ebgp ovs valid
```` ```
Note how the `ovs` filter requires the `roa-set {...}` to be defined; see the `ROA` section below. Note how the `ovs` filter requires the `roa-set {...}` to be defined; see the `ROA` section below.
### path attributes ### path attributes
Besides `allow` and `deny` statements, filter rules can modify UPDATE messages, e.g. Besides `allow` and `deny` statements, filter rules can modify UPDATE messages, e.g.
```` ```
# Scrub normal and large communities relevant to our ASN from EBGP neighbors # Scrub normal and large communities relevant to our ASN from EBGP neighbors
# https://tools.ietf.org/html/rfc7454#section-11 # https://tools.ietf.org/html/rfc7454#section-11
match from ebgp set { large-community delete $ASN:*:* } match from ebgp set { large-community delete $ASN:*:* }
@ -97,7 +97,7 @@ match from ebgp set { large-community delete $ASN:*:* }
# Honor requests to gracefully shutdown BGP sessions # Honor requests to gracefully shutdown BGP sessions
# https://tools.ietf.org/html/rfc8326 # https://tools.ietf.org/html/rfc8326
match from any community GRACEFUL_SHUTDOWN set { localpref 0 } match from any community GRACEFUL_SHUTDOWN set { localpref 0 }
```` ```
# ROA # ROA
@ -114,19 +114,19 @@ ROA files generated by [dn42regsrv](https://git.dn42.dev/burble/dn42regsrv) are
|[https://dn42.burble.com/roa/dn42_roa_obgpd_6.conf](https://dn42.burble.com/roa/dn42_roa_obgpd_6.conf) &nbsp; | &nbsp;IPv6 Only&nbsp; | |[https://dn42.burble.com/roa/dn42_roa_obgpd_6.conf](https://dn42.burble.com/roa/dn42_roa_obgpd_6.conf) &nbsp; | &nbsp;IPv6 Only&nbsp; |
`/etc/dn42.roa-set` is the generated set: `/etc/dn42.roa-set` is the generated set:
```` ```
roa-set { roa-set {
fd00:12:34::/48 source-as 4242421234 fd00:12:34::/48 source-as 4242421234
fd00:ab:cd::/44 maxlen 64 source-as 4242427890 fd00:ab:cd::/44 maxlen 64 source-as 4242427890
... ...
} }
```` ```
Include it in `/etc/bgpd.conf`: Include it in `/etc/bgpd.conf`:
```` ```
# defines roat-set, see _rpki-client crontab # defines roat-set, see _rpki-client crontab
include "/etc/dn42.roa-set" include "/etc/dn42.roa-set"
```` ```
# Looking glass # Looking glass
This is mostly OpenBSD specific since [bgplg(8)](http://man.openbsd.org/bgplg.8) and [httpd(8)](http://man.openbsd.org/httpd.8) ship as part of the operating system. This is mostly OpenBSD specific since [bgplg(8)](http://man.openbsd.org/bgplg.8) and [httpd(8)](http://man.openbsd.org/httpd.8) ship as part of the operating system.

8
howto/Quagga.md
View File

@ -98,7 +98,7 @@ Apply a prefix list for incoming prefixes to your peer group:
ipv6 prefix-list vpn-in seq 15 deny any ipv6 prefix-list vpn-in seq 15 deny any
#### Example filter list script #### Example filter list script
```` ```
#!/bin/bash #!/bin/bash
vtysh -c 'conf t' -c "no ip prefix-list dn42"; #drop old prefix list vtysh -c 'conf t' -c "no ip prefix-list dn42"; #drop old prefix list
@ -109,7 +109,7 @@ do
done < <(curl -s https://ca.dn42.us/reg/filter.txt | grep -e ^[0-9] | awk '{ print "ip prefix-list dn42 seq " $1 " " $2 " " $3 " ge " $4 " le " $5}' | sed "s_/\([0-9]\+\) ge \1_/\1_g;s_/\([0-9]\+\) le \1_/\1_g"); done < <(curl -s https://ca.dn42.us/reg/filter.txt | grep -e ^[0-9] | awk '{ print "ip prefix-list dn42 seq " $1 " " $2 " " $3 " ge " $4 " le " $5}' | sed "s_/\([0-9]\+\) ge \1_/\1_g;s_/\([0-9]\+\) le \1_/\1_g");
vtysh -c "wr" #write new prefix list vtysh -c "wr" #write new prefix list
```` ```
## show bpg session status ## show bpg session status
@ -118,7 +118,7 @@ in this example:
* no (vpn) connection at all exists with peer 64692 * no (vpn) connection at all exists with peer 64692
* a (vpn) connection with 4242421375 exists, but no bgp session * a (vpn) connection with 4242421375 exists, but no bgp session
```` ```
vtysh> show ip bgp summary vtysh> show ip bgp summary
BGP router identifier 172.22.100.254, local AS number 64698 BGP router identifier 172.22.100.254, local AS number 64698
RIB entries 938, using 103 KiB of memory RIB entries 938, using 103 KiB of memory
@ -132,4 +132,4 @@ Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
.... ....
172.23.64.1 4 4242421375 0 0 0 0 0 never Active 172.23.64.1 4 4242421375 0 0 0 0 0 never Active
fe80::deca:fbad 4 64699 902 694 0 0 0 01:23:57 486 fe80::deca:fbad 4 64699 902 694 0 0 0 01:23:57 486
```` ```

84
howto/Registry-Authentication.md
View File

@ -19,13 +19,13 @@ The signature and verification process varies depending on the type of public ke
#### Finding the commit hash #### Finding the commit hash
`git log` will list all the recent commits and show the commit hash: `git log` will list all the recent commits and show the commit hash:
```` ```
commit 6e2e9ac540e2e4e3c3a135ad90c8575bb8fa1784 (HEAD -> master) commit 6e2e9ac540e2e4e3c3a135ad90c8575bb8fa1784 (HEAD -> master)
Author: foo <foo@baz.com> Author: foo <foo@baz.com>
Date: Mon Jan 01 01:01:01 2020 +0000 Date: Mon Jan 01 01:01:01 2020 +0000
Change some stuff Change some stuff
```` ```
## Authentication with PGP Key ## Authentication with PGP Key
@ -34,9 +34,9 @@ PGP keys may be uploaded to a public keyserver for verification, or added in the
#### Using a public keyserver #### Using a public keyserver
- Use the following `auth` attribute in your `mntner` object: - Use the following `auth` attribute in your `mntner` object:
```` ```
auth: pgp-fingerprint <fingerprint> auth: pgp-fingerprint <fingerprint>
```` ```
Where `<fingerprint>` is your full 40-digit key fingerprint, without spaces. Where `<fingerprint>` is your full 40-digit key fingerprint, without spaces.
- Ensure that your public key has been uploaded to a public keyserver, e.g. [SKS](https://sks-keyservers.net/), [OpenPGP](https://keys.openpgp.org/), [keybase](https://keybase.io/). - Ensure that your public key has been uploaded to a public keyserver, e.g. [SKS](https://sks-keyservers.net/), [OpenPGP](https://keys.openpgp.org/), [keybase](https://keybase.io/).
@ -44,9 +44,9 @@ Where `<fingerprint>` is your full 40-digit key fingerprint, without spaces.
#### Adding to the registry #### Adding to the registry
- Use the following `auth` attribute in your `mntner` object: - Use the following `auth` attribute in your `mntner` object:
```` ```
auth: PGPKEY-<fprint> auth: PGPKEY-<fprint>
```` ```
Where `<fprint>` is the last 8 digits from your key fingerprint. Where `<fprint>` is the last 8 digits from your key fingerprint.
- Create a `key-cert` object for your public key, using `PGPKEY-<fprint>` for the filename. Do browse the registry and check the existing objects for examples. - Create a `key-cert` object for your public key, using `PGPKEY-<fprint>` for the filename. Do browse the registry and check the existing objects for examples.
@ -56,9 +56,9 @@ Where `<fprint>` is the last 8 digits from your key fingerprint.
- Use `git commit -S` to commit and sign your change. See the [github guide](https://help.github.com/en/github/authenticating-to-github/signing-commits). - Use `git commit -S` to commit and sign your change. See the [github guide](https://help.github.com/en/github/authenticating-to-github/signing-commits).
- If you have already committed your change, you can sign it using. - If you have already committed your change, you can sign it using.
```` ```
git commit --amend --no-edit -S git commit --amend --no-edit -S
```` ```
#### Verifying the signature #### Verifying the signature
@ -67,9 +67,9 @@ git commit --amend --no-edit -S
## Authentication using an SSH key ## Authentication using an SSH key
The generic format for authentication using an SSH key is as follows: The generic format for authentication using an SSH key is as follows:
```` ```
auth: ssh-<keytype> <pubkey> auth: ssh-<keytype> <pubkey>
```` ```
There are examples below for each specific key type. There are examples below for each specific key type.
#### Generic process for signing with an SSH key #### Generic process for signing with an SSH key
@ -77,9 +77,9 @@ There are examples below for each specific key type.
OpenSSH v8 introduced new functionality for creating signatures using SSH keys. If you have an older version, you can compile the latest version of ssh-keygen from the [openssh-portable repo](https://github.com/openssh/openssh-portable). OpenSSH v8 introduced new functionality for creating signatures using SSH keys. If you have an older version, you can compile the latest version of ssh-keygen from the [openssh-portable repo](https://github.com/openssh/openssh-portable).
Use the following to sign the latest `<commit hash>` (that you found using `git log`) Use the following to sign the latest `<commit hash>` (that you found using `git log`)
````sh ```sh
echo "<commit hash>" | ssh-keygen -Y sign -f <private key file> -n dn42 echo "<commit hash>" | ssh-keygen -Y sign -f <private key file> -n dn42
```` ```
Post the signature in to the 'Conversation' section of your pull request to allow the registry maintainers to verify it. It can help to also include the commit hash that you have signed, to avoid any confusion. Post the signature in to the 'Conversation' section of your pull request to allow the registry maintainers to verify it. It can help to also include the commit hash that you have signed, to avoid any confusion.
@ -88,25 +88,25 @@ Post the signature in to the 'Conversation' section of your pull request to allo
The following procedure will verify the signature (using the `<commit hash>`, your `<pubkey>` and the `<signature>` generated in the previous step. The following procedure will verify the signature (using the `<commit hash>`, your `<pubkey>` and the `<signature>` generated in the previous step.
Create a temporary file containing the signature Create a temporary file containing the signature
````sh ```sh
echo "<signature>" > sig.tmp echo "<signature>" > sig.tmp
```` ```
Create a temporary 'allowed users' file Create a temporary 'allowed users' file
````sh ```sh
echo "YOU-MNT ssh-<keytype> <pubkey>" > allowed.tmp echo "YOU-MNT ssh-<keytype> <pubkey>" > allowed.tmp
```` ```
Verify the signature Verify the signature
````sh ```sh
echo "<commit hash>" | \ echo "<commit hash>" | \
ssh-keygen -Y verify -f allowed.tmp -n dn42 -I YOU-MNT -s sig.tmp ssh-keygen -Y verify -f allowed.tmp -n dn42 -I YOU-MNT -s sig.tmp
```` ```
### Authentication with an SSH RSA key ### Authentication with an SSH RSA key
- Use the following `auth` attribute in your `mntner` object: - Use the following `auth` attribute in your `mntner` object:
```` ```
auth: ssh-rsa <pubkey> auth: ssh-rsa <pubkey>
```` ```
Where `<pubkey>` is the ssh public key copied from your id_rsa.pub file. Where `<pubkey>` is the ssh public key copied from your id_rsa.pub file.
#### Signing your commits #### Signing your commits
@ -114,19 +114,19 @@ Where `<pubkey>` is the ssh public key copied from your id_rsa.pub file.
If you cannot use the generic SSH process described above then RSA signatures can also be created using openssl. If you cannot use the generic SSH process described above then RSA signatures can also be created using openssl.
Use the following to sign your `<commit hash>` (that you found using `git log`) Use the following to sign your `<commit hash>` (that you found using `git log`)
````sh ```sh
openssl pkeyutl \ openssl pkeyutl \
-sign \ -sign \
-inkey ~/.ssh/id_rsa \ -inkey ~/.ssh/id_rsa \
-in <(echo "<commit hash>") | base64 -in <(echo "<commit hash>") | base64
```` ```
Post the signature in to the 'Conversation' section of your pull request to allow the registry maintainers to verify it. It can help to also include the commit hash that you have signed, to avoid any confusion. Post the signature in to the 'Conversation' section of your pull request to allow the registry maintainers to verify it. It can help to also include the commit hash that you have signed, to avoid any confusion.
#### Verifying the signature #### Verifying the signature
The following script will verify the signature (using the `<commit hash>`, your rsa `<pubkey>` and the `<signature>` generated in the previous step. The following script will verify the signature (using the `<commit hash>`, your rsa `<pubkey>` and the `<signature>` generated in the previous step.
````sh ```sh
openssl pkeyutl \ openssl pkeyutl \
-verify \ -verify \
-pubin \ -pubin \
@ -137,14 +137,14 @@ openssl pkeyutl \
-f <(echo "ssh-rsa <pubkey>")\ -f <(echo "ssh-rsa <pubkey>")\
) \ ) \
-sigfile <(echo "<signature>" | base64 -d) -sigfile <(echo "<signature>" | base64 -d)
```` ```
### Authentication with an SSH ed25519 key ### Authentication with an SSH ed25519 key
- Use the following `auth` attribute in your `mntner` object: - Use the following `auth` attribute in your `mntner` object:
```` ```
auth: ssh-ed25519 <pubkey> auth: ssh-ed25519 <pubkey>
```` ```
Where `<pubkey>` is the ssh public key copied from your id_ed25519.pub file. Where `<pubkey>` is the ssh public key copied from your id_ed25519.pub file.
#### Signing your commits #### Signing your commits
@ -152,9 +152,9 @@ Where `<pubkey>` is the ssh public key copied from your id_ed25519.pub file.
There is no alternative process for signing using ed25519 keys, you must use the generic process described above. The process only works with ssh-keygen versions >= v8. There is no alternative process for signing using ed25519 keys, you must use the generic process described above. The process only works with ssh-keygen versions >= v8.
Use the following to sign your `<commit hash>` (that you found using `git log`) Use the following to sign your `<commit hash>` (that you found using `git log`)
````sh ```sh
echo "<commit hash>" | ssh-keygen -Y sign -f ~/.ssh/id_ed25519 -n dn42 echo "<commit hash>" | ssh-keygen -Y sign -f ~/.ssh/id_ed25519 -n dn42
```` ```
Post the signature in to the 'Conversation' section of your pull request to allow the registry maintainers to verify it. It can help to also include the commit hash that you have signed, to avoid any confusion. Post the signature in to the 'Conversation' section of your pull request to allow the registry maintainers to verify it. It can help to also include the commit hash that you have signed, to avoid any confusion.
@ -163,25 +163,25 @@ Post the signature in to the 'Conversation' section of your pull request to allo
The following procedure will verify the signature (using the `<commit hash>`, your ed25519 `<pubkey>` and the `<signature>` generated in the previous step. The following procedure will verify the signature (using the `<commit hash>`, your ed25519 `<pubkey>` and the `<signature>` generated in the previous step.
Create a temporary file containing the signature Create a temporary file containing the signature
````sh ```sh
echo "<signature>" > sig.tmp echo "<signature>" > sig.tmp
```` ```
Create a temporary 'allowed users' file Create a temporary 'allowed users' file
````sh ```sh
echo "YOU-MNT ssh-ed25519 <pubkey>" > allowed.tmp echo "YOU-MNT ssh-ed25519 <pubkey>" > allowed.tmp
```` ```
Verify the signature Verify the signature
````sh ```sh
echo "<commit hash>" | \ echo "<commit hash>" | \
ssh-keygen -Y verify -f allowed.tmp -n dn42 -I YOU-MNT -s sig.tmp ssh-keygen -Y verify -f allowed.tmp -n dn42 -I YOU-MNT -s sig.tmp
```` ```
### Authentication with an SSH ecdsa key ### Authentication with an SSH ecdsa key
- Use the following `auth` attribute in your `mntner` object: - Use the following `auth` attribute in your `mntner` object:
```` ```
auth: ecdsa-sha2-nistp256 <pubkey> auth: ecdsa-sha2-nistp256 <pubkey>
```` ```
Where `<pubkey>` is the ssh public key copied from your id_ecdsa.pub file. Where `<pubkey>` is the ssh public key copied from your id_ecdsa.pub file.
#### Signing your commits #### Signing your commits
@ -193,23 +193,23 @@ Make a copy and use the copy as the ssh-keygen command below will overwrite the
Convert your private ssh key to a file that openssl can read: Convert your private ssh key to a file that openssl can read:
**DO THIS ON A COPY OF YOUR SSH KEY** **DO THIS ON A COPY OF YOUR SSH KEY**
````sh ```sh
ssh-keygen -p -m pem -f <private key file copy> ssh-keygen -p -m pem -f <private key file copy>
```` ```
Sign the commit hash using your ecdsa key, using openssl: Sign the commit hash using your ecdsa key, using openssl:
````sh ```sh
openssl pkeyutl -sign \ openssl pkeyutl -sign \
-inkey <converted key file> \ -inkey <converted key file> \
-in <(echo "<commit hash>") | base64 -in <(echo "<commit hash>") | base64
```` ```
Post the signature in to the 'Conversation' section of your pull request to allow the registry maintainers to verify it. It can help to also include the commit hash that you have signed, to avoid any confusion. Post the signature in to the 'Conversation' section of your pull request to allow the registry maintainers to verify it. It can help to also include the commit hash that you have signed, to avoid any confusion.
#### Verifying the signature #### Verifying the signature
The following script will verify the signature (using the `<commit hash>`, your ecdsa `<pubkey>` and the `<signature>` generated in the previous step. The following script will verify the signature (using the `<commit hash>`, your ecdsa `<pubkey>` and the `<signature>` generated in the previous step.
````sh ```sh
openssl pkeyutl \ openssl pkeyutl \
-verify \ -verify \
-pubin \ -pubin \
@ -220,4 +220,4 @@ openssl pkeyutl \
-f <(echo "ecdsa-sha2-nistp256 <pubkey>")\ -f <(echo "ecdsa-sha2-nistp256 <pubkey>")\
) \ ) \
-sigfile <(echo "<signature>" | base64 -d) -sigfile <(echo "<signature>" | base64 -d)
```` ```

4
howto/Static-routes-on-Windows.md
View File

@ -1,6 +1,6 @@
Modern versions of Windows do not support OSPF and manually adding static routes every time after a reboot is annoying. Below is a batch script you can edit and run to help make adding routes easier. This script assumes that your BGP router and Windows computer are on the same LAN. Modern versions of Windows do not support OSPF and manually adding static routes every time after a reboot is annoying. Below is a batch script you can edit and run to help make adding routes easier. This script assumes that your BGP router and Windows computer are on the same LAN.
```` ```
@echo off @echo off
REM fill in YOUR network information REM fill in YOUR network information
REM right click and RUN AS ADMIN REM right click and RUN AS ADMIN
@ -60,4 +60,4 @@ ping %gateway4%
pause pause
ping %gateway6% ping %gateway6%
pause pause
```` ```

52
howto/mikrotik.md
View File

@ -30,26 +30,26 @@ Peer most likely provided you with encryption details.
If not, ask them about it. If not, ask them about it.
Here we're gonna use aes256-sha256-modp1536 Here we're gonna use aes256-sha256-modp1536
```` ```
/ip ipsec peer /ip ipsec peer
add address=1.1.1.1 comment=gre-dn42-peer dh-group=modp1536 \ add address=1.1.1.1 comment=gre-dn42-peer dh-group=modp1536 \
enc-algorithm=aes-256 hash-algorithm=sha256 local-address=2.2.2.2 secret=PASSWORD enc-algorithm=aes-256 hash-algorithm=sha256 local-address=2.2.2.2 secret=PASSWORD
```` ```
```` ```
/ip ipsec policy /ip ipsec policy
add comment=gre-dn42-peer dst-address=1.1.1.1/32 proposal=dn42 protocol=gre \ add comment=gre-dn42-peer dst-address=1.1.1.1/32 proposal=dn42 protocol=gre \
sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=2.2.2.2/32 sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=2.2.2.2/32
```` ```
### GRE ### GRE
Pretty straightforward here Pretty straightforward here
```` ```
/interface gre /interface gre
add allow-fast-path=no comment="DN42 somepeer" local-address=2.2.2.2 name=gre-dn42-peer \ add allow-fast-path=no comment="DN42 somepeer" local-address=2.2.2.2 name=gre-dn42-peer \
remote-address=1.1.1.1 remote-address=1.1.1.1
```` ```
### IPs inside the GRE tunnel ### IPs inside the GRE tunnel
Your peer most likely provided you with IP adresses for GRE tunnel. Your peer most likely provided you with IP adresses for GRE tunnel.
@ -60,18 +60,18 @@ Add the IP your peer provided you:
#### IPv4 #### IPv4
```` ```
/ip address /ip address
add address=192.168.200.130/30 interface=gre-dn42-peer network=192.168.200.128 add address=192.168.200.130/30 interface=gre-dn42-peer network=192.168.200.128
```` ```
#### IPv6 #### IPv6
Here we can use /127, so it's simple: Here we can use /127, so it's simple:
```` ```
/ipv6 address /ipv6 address
add address=fdc8:c633:5319:3300::41/127 advertise=no interface=gre-dn42-peer add address=fdc8:c633:5319:3300::41/127 advertise=no interface=gre-dn42-peer
```` ```
If you configured everything correctly, you should be able to ping If you configured everything correctly, you should be able to ping
@ -83,74 +83,74 @@ In this example, we will be filtering IN: 192.168.0.0/16 and 169.254.0.0/16
OUT: 192.168.0.0/16 and 169.254.0.0/16, you really don't want to advertise this networks. OUT: 192.168.0.0/16 and 169.254.0.0/16, you really don't want to advertise this networks.
This filter will not only catch /8 or /16 networks, but smaller networks inside this subnets as well. This filter will not only catch /8 or /16 networks, but smaller networks inside this subnets as well.
```` ```
/routing filter /routing filter
add action=discard address-family=ip chain=dn42-in prefix=192.168.0.0/16 prefix-length=16-32 protocol=bgp add action=discard address-family=ip chain=dn42-in prefix=192.168.0.0/16 prefix-length=16-32 protocol=bgp
add action=discard address-family=ip chain=dn42-in prefix=169.254.0.0/16 prefix-length=16-32 protocol=bgp add action=discard address-family=ip chain=dn42-in prefix=169.254.0.0/16 prefix-length=16-32 protocol=bgp
add action=discard address-family=ip chain=dn42-out prefix=192.168.0.0/16 prefix-length=16-32 protocol=bgp add action=discard address-family=ip chain=dn42-out prefix=192.168.0.0/16 prefix-length=16-32 protocol=bgp
add action=discard address-family=ip chain=dn42-out prefix=169.254.0.0/16 prefix-length=16-32 protocol=bgp add action=discard address-family=ip chain=dn42-out prefix=169.254.0.0/16 prefix-length=16-32 protocol=bgp
```` ```
Now, if you want only DN42 connection, you can filter IN 10.0.0.0/8 (ChaosVPN / freifunk networks): Now, if you want only DN42 connection, you can filter IN 10.0.0.0/8 (ChaosVPN / freifunk networks):
```` ```
/routing filter /routing filter
add action=discard address-family=ip chain=dn42-in prefix=10.0.0.0/8 prefix-length=8-32 protocol=bgp add action=discard address-family=ip chain=dn42-in prefix=10.0.0.0/8 prefix-length=8-32 protocol=bgp
```` ```
### BGP ### BGP
Now, for actual BGP configuration. Now, for actual BGP configuration.
```` ```
/routing bgp instance /routing bgp instance
set default disabled=yes set default disabled=yes
add as=YOUR_AS client-to-client-reflection=no name=bgp-dn42-somename out-filter=dn42-in \ add as=YOUR_AS client-to-client-reflection=no name=bgp-dn42-somename out-filter=dn42-in \
router-id=1.1.1.1 router-id=1.1.1.1
```` ```
Let's add some peers. Right now we have just one, but we still need two connections - to IPv4 and IPv6 Let's add some peers. Right now we have just one, but we still need two connections - to IPv4 and IPv6
IPv4: IPv4:
```` ```
/routing bgp peer /routing bgp peer
add comment="DN42: somepeer IPv4" in-filter=dn42-in instance=bgp-dn42-somename multihop=yes \ add comment="DN42: somepeer IPv4" in-filter=dn42-in instance=bgp-dn42-somename multihop=yes \
name=dn42-somepeer-ipv4 out-filter=dn42-out remote-address=192.168.200.129 remote-as=PEER_AS \ name=dn42-somepeer-ipv4 out-filter=dn42-out remote-address=192.168.200.129 remote-as=PEER_AS \
route-reflect=yes ttl=default route-reflect=yes ttl=default
```` ```
IPv6 (if needed): IPv6 (if needed):
```` ```
/routing bgp peer /routing bgp peer
add address-families=ipv6 comment="DN42: somepeer IPv6" in-filter=dn42-in \ add address-families=ipv6 comment="DN42: somepeer IPv6" in-filter=dn42-in \
instance=bgp-dn42-somename multihop=yes name=dn42-somepeer-ipv6 out-filter=dn42-out \ instance=bgp-dn42-somename multihop=yes name=dn42-somepeer-ipv6 out-filter=dn42-out \
remote-address=fd42:c644:5222:3222::40 remote-as=PEER_AS route-reflect=yes ttl=default remote-address=fd42:c644:5222:3222::40 remote-as=PEER_AS route-reflect=yes ttl=default
```` ```
Also, as a note, Mikrotik doesn't deal well with BGP running over link-local addresses (the address starting with fe80). You need to use a fd42:: address in your BGP session, otherwise, BGP will not install any received route. Also, as a note, Mikrotik doesn't deal well with BGP running over link-local addresses (the address starting with fe80). You need to use a fd42:: address in your BGP session, otherwise, BGP will not install any received route.
### BGP Advertisements ### BGP Advertisements
You want to advertise your allocated network (most likely), it's very simple: You want to advertise your allocated network (most likely), it's very simple:
```` ```
/routing bgp network /routing bgp network
add network=YOUR_ALLOCATED_SUBNET synchronize=no add network=YOUR_ALLOCATED_SUBNET synchronize=no
```` ```
You can repeat that with as much IPv4 and IPv6 networks which you own. You can repeat that with as much IPv4 and IPv6 networks which you own.
## Split DNS ## Split DNS
Separate dns requests for dn42 tld from your default dns traffic with L7 filter in Mikrotik. Separate dns requests for dn42 tld from your default dns traffic with L7 filter in Mikrotik.
Change network and LAN GW to mach your network configuration. Change network and LAN GW to mach your network configuration.
```` ```
/ip firewall layer7-protocol /ip firewall layer7-protocol
add name=DN42-DNS regexp="\\x04dn42.\\x01" add name=DN42-DNS regexp="\\x04dn42.\\x01"
/ip firewall nat /ip firewall nat
add action=src-nat chain=srcnat comment="NAT to DN42 DNS" dst-address=172.23.0.53 dst-port=53 protocol=udp src-address=192.168.0.0/24 to-addresses=192.168.0.1 add action=src-nat chain=srcnat comment="NAT to DN42 DNS" dst-address=172.23.0.53 dst-port=53 protocol=udp src-address=192.168.0.0/24 to-addresses=192.168.0.1
add action=dst-nat chain=dstnat dst-address-type=local dst-port=53 layer7-protocol=DN42-DNS protocol=udp src-address=192.168.0.0/24 to-addresses=172.23.0.53 to-ports=53 add action=dst-nat chain=dstnat dst-address-type=local dst-port=53 layer7-protocol=DN42-DNS protocol=udp src-address=192.168.0.0/24 to-addresses=172.23.0.53 to-ports=53
```` ```
Since version 6.47 have added functionality that can redirect DNS queries according to special rules. If you used to do Layer-7 rules in the firewall, now it's simple and elegant: Since version 6.47 have added functionality that can redirect DNS queries according to special rules. If you used to do Layer-7 rules in the firewall, now it's simple and elegant:
```` ```
/ip dns static /ip dns static
add comment=DN42 forward-to=172.23.0.53 regexp=".*\\.dn42" type=FWD add comment=DN42 forward-to=172.23.0.53 regexp=".*\\.dn42" type=FWD
```` ```

32
howto/mikrotik/ptp32.md
View File

@ -22,49 +22,49 @@ How can we workaround these issues? Simple. We setup a /32 on the Point-to-Point
You create the GRE interface in the same way the [Mikrotik Guide](/howto/mikrotik) does. You create the GRE interface in the same way the [Mikrotik Guide](/howto/mikrotik) does.
```` ```
/interface gre /interface gre
add allow-fast-path=no comment="DN42 somepeer" local-address=2.2.2.2 name=gre-dn42-peer \ add allow-fast-path=no comment="DN42 somepeer" local-address=2.2.2.2 name=gre-dn42-peer \
remote-address=1.1.1.1 remote-address=1.1.1.1
```` ```
Next you add the /32 address on the interface. You can install this address on a loop interface (on RouterOS this means an empty bridge) if you plan to use the same address over several GRE tunnels or other OpenVPN interfaces. Next you add the /32 address on the interface. You can install this address on a loop interface (on RouterOS this means an empty bridge) if you plan to use the same address over several GRE tunnels or other OpenVPN interfaces.
```` ```
/ip address add address=172.24.0.1/32 interface=gre-dn42-peer /ip address add address=172.24.0.1/32 interface=gre-dn42-peer
```` ```
Next, we add the direct route as next-hop using the interface Next, we add the direct route as next-hop using the interface
```` ```
/ip route add distance=1 dst-address=172.26.2.2/32 gateway=gre-dn42-peer pref-src=172.24.0.1 /ip route add distance=1 dst-address=172.26.2.2/32 gateway=gre-dn42-peer pref-src=172.24.0.1
```` ```
At this point, the ping with the peer should work. Also, the bgp session can be established, but the routes will not work. We need a input filter to fix the next-hop routes. At this point, the ping with the peer should work. Also, the bgp session can be established, but the routes will not work. We need a input filter to fix the next-hop routes.
```` ```
/routing filter add chain=bgp-dn42-peer-in protocol=bgp set-in-nexthop-direct=gre-dn42-peer /routing filter add chain=bgp-dn42-peer-in protocol=bgp set-in-nexthop-direct=gre-dn42-peer
```` ```
if you have other global input chain filters, you should add a jump in the same chain, like this: if you have other global input chain filters, you should add a jump in the same chain, like this:
```` ```
/routing filter add action=jump chain=bgp-dn42-peer-in protocol=bgp jump-target=bgp-global-dn42-input /routing filter add action=jump chain=bgp-dn42-peer-in protocol=bgp jump-target=bgp-global-dn42-input
```` ```
If you haven't created the BGP session, create it now from the [Mikrotik guide](/howto/mikrotik#how-to-connect-to-dn42-using-mikrotik-routeros_bgp). Change the peer input filter to use the chain we've just created: If you haven't created the BGP session, create it now from the [Mikrotik guide](/howto/mikrotik#how-to-connect-to-dn42-using-mikrotik-routeros_bgp). Change the peer input filter to use the chain we've just created:
```` ```
/routing bgp peer set bgp-dn42-somename in-filter=bgp-dn42-peer-in /routing bgp peer set bgp-dn42-somename in-filter=bgp-dn42-peer-in
```` ```
With this fix, all the routes will have set next-hop the GRE interface and there will be no need to use RouterOS' recursive route resolve. With this fix, all the routes will have set next-hop the GRE interface and there will be no need to use RouterOS' recursive route resolve.
Check the routes with: Check the routes with:
```` ```
/ip routes print detail where received-from=bgp-dn42-somename /ip routes print detail where received-from=bgp-dn42-somename
```` ```
There should an attribute like: There should an attribute like:
```` ```
gateway=gre-dn42-peer gateway-status=gre-dn42-peer reachable gateway=gre-dn42-peer gateway-status=gre-dn42-peer reachable
```` ```

16
howto/networksettings.md
View File

@ -13,24 +13,24 @@ That is why `rp_filter` needs to be disabled.
**Note** using sysctl is not persistent. Depending on your linux distribution put it into `/etc/sysctl.conf` or `/etc/sysctl.d` **Note** using sysctl is not persistent. Depending on your linux distribution put it into `/etc/sysctl.conf` or `/etc/sysctl.d`
```` ```
sysctl -w net.ipv4.conf.all.rp_filter=0 net.ipv4.conf.default.rp_filter=0 sysctl -w net.ipv4.conf.all.rp_filter=0 net.ipv4.conf.default.rp_filter=0
```` ```
Check that its really disabled: Check that its really disabled:
```` ```
sysctl -a | grep rp_filter sysctl -a | grep rp_filter
```` ```
Also the following options must be set. Also the following options must be set.
```` ```
$ sysctl -w net.ipv4.conf.all.forwarding=1 net.ipv6.conf.all.forwarding=1 $ sysctl -w net.ipv4.conf.all.forwarding=1 net.ipv6.conf.all.forwarding=1
```` ```
Check that ALL your vpn interfaces allow ip forwarding for ipv6/ipv4. Check that ALL your vpn interfaces allow ip forwarding for ipv6/ipv4.
```` ```
$ sysctl -a | grep forwarding $ sysctl -a | grep forwarding
```` ```
### Note on firewalls, conntrack and asymmetric routing ### Note on firewalls, conntrack and asymmetric routing

26
howto/openvpn.md
View File

@ -10,7 +10,7 @@
* Replace `<REMOTE_GATEWAY_IP>` with dn42 ip address of your peer * Replace `<REMOTE_GATEWAY_IP>` with dn42 ip address of your peer
* `<LOCAL_GATEWAY_IPV6> <REMOTE_GATEWAY_IPV6>` same as ipv4, but both ip addresses needs to be in the same subnet. For simplicity you can always use an address from link-local ipv6 range (fe80::/64) * `<LOCAL_GATEWAY_IPV6> <REMOTE_GATEWAY_IPV6>` same as ipv4, but both ip addresses needs to be in the same subnet. For simplicity you can always use an address from link-local ipv6 range (fe80::/64)
```` ```
#/etc/openvpn/<PEER_NAME> #/etc/openvpn/<PEER_NAME>
proto <PROTO> proto <PROTO>
mode p2p mode p2p
@ -35,19 +35,19 @@ secret /etc/openvpn/<PEER_NAME>.key
# <secret> # <secret>
# ... Key File contents go here ... # ... Key File contents go here ...
# </secret> # </secret>
```` ```
then create a new key and share it with your peer then create a new key and share it with your peer
```` ```
$ openvpn --genkey --secret /etc/openvpn/<PEER_NAME>.key $ openvpn --genkey --secret /etc/openvpn/<PEER_NAME>.key
```` ```
# Example Configuration if one peer has a floating ip # Example Configuration if one peer has a floating ip
## peer with fixed ip ## peer with fixed ip
```` ```
proto <PROTO> proto <PROTO>
mode p2p mode p2p
dev-type tun dev-type tun
@ -63,7 +63,7 @@ port <LOCAL_PORT>
ifconfig-ipv6 <LOCAL_GATEWAY_IPV6> <REMOTE_GATEWAY_IPV6> ifconfig-ipv6 <LOCAL_GATEWAY_IPV6> <REMOTE_GATEWAY_IPV6>
ifconfig <LOCAL_GATEWAY_IP> <REMOTE_GATEWAY_IP> ifconfig <LOCAL_GATEWAY_IP> <REMOTE_GATEWAY_IP>
secret /etc/openvpn/<PEER_NAME>.key secret /etc/openvpn/<PEER_NAME>.key
```` ```
## peer with floating ip ## peer with floating ip
@ -72,7 +72,7 @@ secret /etc/openvpn/<PEER_NAME>.key
* `<REMOTE_HOST>` is the ip address of your peer * `<REMOTE_HOST>` is the ip address of your peer
* `<REMOTE_PORT>` is openvpn port, where your peer listen for traffic * `<REMOTE_PORT>` is openvpn port, where your peer listen for traffic
```` ```
proto <PROTO> proto <PROTO>
mode p2p mode p2p
remote <REMOTE_HOST> remote <REMOTE_HOST>
@ -89,7 +89,7 @@ resolv-retry infinite
ifconfig <LOCAL_GATEWAY_IP> <REMOTE_GATEWAY_IP> ifconfig <LOCAL_GATEWAY_IP> <REMOTE_GATEWAY_IP>
ifconfig-ipv6 <LOCAL_GATEWAY_IPV6> <LOCAL_GATEWAY_IPV6> ifconfig-ipv6 <LOCAL_GATEWAY_IPV6> <LOCAL_GATEWAY_IPV6>
secret /etc/openvpn/<PEER_NAME>.key secret /etc/openvpn/<PEER_NAME>.key
```` ```
# Example configuration for connecting roaming clients to dn42 # Example configuration for connecting roaming clients to dn42
@ -99,7 +99,7 @@ Clients connect using certificates, and simply get attributed dn42 IPs in the or
Replace `<PORT>` with the UDP port you want OpenVPN to listen to, and change the IP ranges (`ifconfig` and `route-gateway` options). Replace `<PORT>` with the UDP port you want OpenVPN to listen to, and change the IP ranges (`ifconfig` and `route-gateway` options).
```` ```
mode server mode server
tls-server tls-server
@ -146,13 +146,13 @@ push "route-gateway 172.22.X.145"
push "route 172.22.0.0 255.254.0.0" push "route 172.22.0.0 255.254.0.0"
###push "route 172.31.0.0 255.255.0.0" ###push "route 172.31.0.0 255.255.0.0"
###push "route 10.0.0.0 255.0.0.0" ###push "route 10.0.0.0 255.0.0.0"
```` ```
## Client configuration ## Client configuration
Change `<SERVER>` and `<PORT>`. Change `<SERVER>` and `<PORT>`.
```` ```
client client
ca ca.crt ca ca.crt
@ -176,7 +176,7 @@ persist-tun
resolv-retry infinite resolv-retry infinite
verb 3 verb 3
```` ```
## Certificate management ## Certificate management
@ -184,7 +184,7 @@ Use easy-rsa, it's easy to use. Below is a very short description, find a real
Build the CA: `. vars`, `./build-ca`, then generate the server key: `./build-key-server roaming-dn42`. Build the CA: `. vars`, `./build-ca`, then generate the server key: `./build-key-server roaming-dn42`.
Then, for each client, generate a private key and a certificate: ````./build-key myclient````. The Common Name is the only important information (it will be used to identify the client, for instance in the logs). Then, for each client, generate a private key and a certificate: ```./build-key myclient```. The Common Name is the only important information (it will be used to identify the client, for instance in the logs).
# See also # See also
* [Network settings](https://internal.dn42/howto/networksettings) * [Network settings](https://internal.dn42/howto/networksettings)

12
howto/systemd-networkd-configuration-example.md
View File

@ -5,16 +5,16 @@ This is the config that is used on ZOTAN Networks (AS4242422341). Full network c
# Configuration # Configuration
## loopback device (lo.network) ## loopback device (lo.network)
```` ```
[Match] [Match]
Name=lo Name=lo
[Network] [Network]
Address=fdff:b02d:2ef7::2/128 Address=fdff:b02d:2ef7::2/128
```` ```
## wireguard netdev (dn42p1.netdev) ## wireguard netdev (dn42p1.netdev)
```` ```
[NetDev] [NetDev]
Name = dn42p1 Name = dn42p1
Kind = wireguard Kind = wireguard
@ -28,10 +28,10 @@ PrivateKeyFile = /etc/wireguard/private.key
PublicKey = <peer wg pubkey> PublicKey = <peer wg pubkey>
Endpoint = <peer wg endpoint>:<peer wg port> Endpoint = <peer wg endpoint>:<peer wg port>
AllowedIPs = 172.16.0.0/12,10.0.0.0/8,fd00::/8,fe80::/10,ff00::/8 AllowedIPs = 172.16.0.0/12,10.0.0.0/8,fd00::/8,fe80::/10,ff00::/8
```` ```
## wireguard network (dn42p1.network) ## wireguard network (dn42p1.network)
```` ```
[Match] [Match]
Name = dn42p1 Name = dn42p1
@ -43,4 +43,4 @@ Peer = <peer tunnel linklocal address>/128
Address = <your DN42 ipv4>/32 Address = <your DN42 ipv4>/32
Peer = <peer DN42 ipv4>/32 Peer = <peer DN42 ipv4>/32
```` ```

28
howto/tinc.md
View File

@ -10,7 +10,7 @@ One advantage of tinc is that you can have multiple peering over the same VPN co
Example `/etc/tinc/dn42_yourpeer/tinc.conf`: Example `/etc/tinc/dn42_yourpeer/tinc.conf`:
```` ```
Interface = dn42_yourpeer Interface = dn42_yourpeer
Name = your_host Name = your_host
# Only switch mode is feasible for dn42 peerings, since in router mode tinc takes care of routing decisions on its own # Only switch mode is feasible for dn42 peerings, since in router mode tinc takes care of routing decisions on its own
@ -19,14 +19,14 @@ Mode = switch
ConnectTo = remote_host ConnectTo = remote_host
# In newer versions (>= 1.1) you can use AutoConnect instead # In newer versions (>= 1.1) you can use AutoConnect instead
#AutoConnect = yes #AutoConnect = yes
```` ```
Tinc requires to add manually ip addresses and routes to the tap/tun interfaces. On startup it will execute `/etc/tinc/dn42_yourpeer/tinc-up` if it exists **and** is executable: Tinc requires to add manually ip addresses and routes to the tap/tun interfaces. On startup it will execute `/etc/tinc/dn42_yourpeer/tinc-up` if it exists **and** is executable:
Example `/etc/tinc/dn42_yourpeer/tinc-up`: Example `/etc/tinc/dn42_yourpeer/tinc-up`:
**Linux/iproute2** **Linux/iproute2**
```` ```
#!/bin/sh #!/bin/sh
# set the interface up # set the interface up
@ -38,19 +38,19 @@ ip addr add fe80::1/64 dev $INTERFACE
# add routes # add routes
ip route add 172.16.0.1/30 dev $INTERFACE table peers ip route add 172.16.0.1/30 dev $INTERFACE table peers
```` ```
For authentication tinc uses public key authentication instead of certificates or pre-shared keys. For authentication tinc uses public key authentication instead of certificates or pre-shared keys.
For each key tinc should connect to or allow to connect, a file with the name of the peer in tincd -n twwh -K For each key tinc should connect to or allow to connect, a file with the name of the peer in tincd -n twwh -K
is required. To generate a public/private key pair use: is required. To generate a public/private key pair use:
```` ```
$ tincd -K $ tincd -K
```` ```
Import for each other party the key like this `/etc/tinc/dn42_yourpeer/hosts/<peername>`: Import for each other party the key like this `/etc/tinc/dn42_yourpeer/hosts/<peername>`:
```` ```
# address/port are optional, in case they're missing you only expect connections from that host # address/port are optional, in case they're missing you only expect connections from that host
Address = <fqdn/ip_addr> Address = <fqdn/ip_addr>
Port = <port|655> Port = <port|655>
@ -62,7 +62,7 @@ tcJpbgbYRzBTUPdSL3OB8k0qlmFI2ZYTnCzOSpgxRQARIB1ecoqOYVxQISK2pzxi
MHQQlVbquwldaKiVoj7tD7PFW4oQxpiMHZnHIA6dnZCsT3ktTOzCjhf2XMi8o8u5 MHQQlVbquwldaKiVoj7tD7PFW4oQxpiMHZnHIA6dnZCsT3ktTOzCjhf2XMi8o8u5
P9C5dYrmVWrVAWQznlbuq/w1z+PrTYquoQIDAQAB P9C5dYrmVWrVAWQznlbuq/w1z+PrTYquoQIDAQAB
-----END RSA PUBLIC KEY----- -----END RSA PUBLIC KEY-----
```` ```
## Fun with tinc-pre ## Fun with tinc-pre
@ -74,21 +74,21 @@ Installation:
* Freebsd: Use this [port repo](https://github.com/Mic92/ports/tree/master/security/tinc) * Freebsd: Use this [port repo](https://github.com/Mic92/ports/tree/master/security/tinc)
Set up a new tinc network Set up a new tinc network
```` ```
# tinc -n dn42_yourpeer init dn42_yourself # tinc -n dn42_yourpeer init dn42_yourself
```` ```
Invite your peering partner. Tinc will print the invitaion which you need to copy to your peering partner. Invite your peering partner. Tinc will print the invitaion which you need to copy to your peering partner.
```` ```
$ tinc invite yourpeer $ tinc invite yourpeer
<ip-or-address>/nIRp5pJCnfnhuV13JUomscGs1q5HqEbz3AydZer7wRaMcpUB <ip-or-address>/nIRp5pJCnfnhuV13JUomscGs1q5HqEbz3AydZer7wRaMcpUB
```` ```
On the other node you can join by using: On the other node you can join by using:
```` ```
$ tinc join <invitation-url> $ tinc join <invitation-url>
```` ```
This node will then automatically generate configuration, private/public keys and will exchange this key with the other node on connection. This node will then automatically generate configuration, private/public keys and will exchange this key with the other node on connection.

36
howto/vyos.md
View File

@ -7,18 +7,18 @@ It can be downloaded here https://www.vyos.io/rolling-release/.
We will configure firewall access lists for inbound connections on our peer Wireguard interfaces as well as block all inbound connections to our router with the exception of BGP. This should be a good baseline firewall ruleset to filter inbound traffic on your networks edge. Modifications may be needed depending on your specific goals. If your router has an uplink back to a larger internal network (outside of DN42), an outbound firewall ruleset will need to be applied to that interface. The examples here only cover **IPv4**, but the same concepts can be applied to **IPv6** rulesets. We will configure firewall access lists for inbound connections on our peer Wireguard interfaces as well as block all inbound connections to our router with the exception of BGP. This should be a good baseline firewall ruleset to filter inbound traffic on your networks edge. Modifications may be needed depending on your specific goals. If your router has an uplink back to a larger internal network (outside of DN42), an outbound firewall ruleset will need to be applied to that interface. The examples here only cover **IPv4**, but the same concepts can be applied to **IPv6** rulesets.
By default, VyOS is a **stateless** firewall. To enable **stateful** packet inspection globally enter the following commands. By default, VyOS is a **stateless** firewall. To enable **stateful** packet inspection globally enter the following commands.
```` ```
set firewall state-policy established action 'accept' set firewall state-policy established action 'accept'
set firewall state-policy related action 'accept' set firewall state-policy related action 'accept'
```` ```
We also need to accept invalids on our networks edge. However, this should not become common practice elsewhere. We also need to accept invalids on our networks edge. However, this should not become common practice elsewhere.
```` ```
set firewall state-policy invalid action 'accept' set firewall state-policy invalid action 'accept'
```` ```
The below commands create **in** and **local** baseline templates to be applied to all Wireguard interfaces that are facing peers. In this example, **172.20.20.0/24** is your assigned address space. The below commands create **in** and **local** baseline templates to be applied to all Wireguard interfaces that are facing peers. In this example, **172.20.20.0/24** is your assigned address space.
```` ```
#Create Groups #Create Groups
set firewall group network-group Allowed-Transit-v4 network '10.0.0.0/8' set firewall group network-group Allowed-Transit-v4 network '10.0.0.0/8'
set firewall group network-group Allowed-Transit-v4 network '172.20.0.0/14' set firewall group network-group Allowed-Transit-v4 network '172.20.0.0/14'
@ -59,17 +59,17 @@ set firewall name Tunnels_Local_v4 rule 98 state invalid 'enable'
set firewall name Tunnels_Local_v4 rule 99 action 'drop' set firewall name Tunnels_Local_v4 rule 99 action 'drop'
set firewall name Tunnels_Local_v4 rule 99 description 'Black Hole' set firewall name Tunnels_Local_v4 rule 99 description 'Black Hole'
set firewall name Tunnels_Local_v4 rule 99 log 'enable' set firewall name Tunnels_Local_v4 rule 99 log 'enable'
```` ```
## Wireguard ## Wireguard
### Setup Keys ### Setup Keys
```` ```
generate wireguard default-keypair generate wireguard default-keypair
show wireguard keypairs pubkey default show wireguard keypairs pubkey default
```` ```
_Grab your public key and save it for later. This will be shared with peers._ _Grab your public key and save it for later. This will be shared with peers._
### Configure First Peer ### Configure First Peer
```` ```
#Your DN42 Address #Your DN42 Address
set interfaces wireguard wg92 address '172.20.20.1/32' set interfaces wireguard wg92 address '172.20.20.1/32'
@ -93,7 +93,7 @@ set interfaces wireguard wg92 port '12345'
#Set static interface route to first peers /32 DN42 IPv4 on their tunnel endpoint #Set static interface route to first peers /32 DN42 IPv4 on their tunnel endpoint
set protocols static interface-route 172.20.50.1/32 next-hop-interface wg92 set protocols static interface-route 172.20.50.1/32 next-hop-interface wg92
```` ```
@ -119,9 +119,9 @@ _Your peers ASN_
###Setup RPKI Caching Server ###Setup RPKI Caching Server
Burble has made this super easy. More info can be found [here](https://wiki.dn42/howto/ROA-slash-RPKI) on this wiki. Get started by running the below command on a Linux server with Docker installed. Burble has made this super easy. More info can be found [here](https://wiki.dn42/howto/ROA-slash-RPKI) on this wiki. Get started by running the below command on a Linux server with Docker installed.
```` ```
sudo docker run -ti -p 8082:8082 cloudflare/gortr -cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082 sudo docker run -ti -p 8082:8082 cloudflare/gortr -cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082
```` ```
This will start a docker container that listens on the host server's IP at port 8082. This setup is using Cloudflare's GoRTR and automatically reaching out and downloading a custom JSON file generated by Burble just for the DN42 network. This will start a docker container that listens on the host server's IP at port 8082. This setup is using Cloudflare's GoRTR and automatically reaching out and downloading a custom JSON file generated by Burble just for the DN42 network.
@ -133,24 +133,24 @@ This will start a docker container that listens on the host server's IP at port
You can check the connection with `show rpki cache-connection` and the received prefix-table with `show rpki prefix-table`. You can check the connection with `show rpki cache-connection` and the received prefix-table with `show rpki prefix-table`.
###Create Route Map ###Create Route Map
```` ```
set policy route-map DN42-ROA rule 10 action 'permit' set policy route-map DN42-ROA rule 10 action 'permit'
set policy route-map DN42-ROA rule 10 match rpki 'valid' set policy route-map DN42-ROA rule 10 match rpki 'valid'
set policy route-map DN42-ROA rule 20 action 'permit' set policy route-map DN42-ROA rule 20 action 'permit'
set policy route-map DN42-ROA rule 20 match rpki 'notfound' set policy route-map DN42-ROA rule 20 match rpki 'notfound'
set policy route-map DN42-ROA rule 30 action 'deny' set policy route-map DN42-ROA rule 30 action 'deny'
set policy route-map DN42-ROA rule 30 match rpki 'invalid' set policy route-map DN42-ROA rule 30 match rpki 'invalid'
```` ```
This example allows all routes in unless they are marked invalid or in other words possibly been a victim of BGP hijacking. This example allows all routes in unless they are marked invalid or in other words possibly been a victim of BGP hijacking.
###Assign Route Map to Neighbor ###Assign Route Map to Neighbor
```` ```
set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map import DN42-ROA set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map import DN42-ROA
set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map export DN42-ROA set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map export DN42-ROA
```` ```
## Example Route Map ## Example Route Map
### No RPKI/ROA and Internal Network Falls Into DN42 Range ### No RPKI/ROA and Internal Network Falls Into DN42 Range
```` ```
##Build prefix list to match personal internal network ##Build prefix list to match personal internal network
set policy prefix-list BlockIPConflicts description 'Prevent Conflicting Routes' set policy prefix-list BlockIPConflicts description 'Prevent Conflicting Routes'
set policy prefix-list BlockIPConflicts rule 10 action 'permit' set policy prefix-list BlockIPConflicts rule 10 action 'permit'
@ -207,7 +207,7 @@ set protocols bgp 4242421099 neighbor x.x.x.x address-family ipv4-unicast route-
set protocols bgp 4242421099 neighbor x.x.x.x address-family ipv4-unicast route-map import 'Default-Peering' set protocols bgp 4242421099 neighbor x.x.x.x address-family ipv4-unicast route-map import 'Default-Peering'
set protocols bgp 4242421099 neighbor x.x.x.x address-family ipv6-unicast route-map export 'Default-Peering' set protocols bgp 4242421099 neighbor x.x.x.x address-family ipv6-unicast route-map export 'Default-Peering'
set protocols bgp 4242421099 neighbor x.x.x.x address-family ipv6-unicast route-map import 'Default-Peering' set protocols bgp 4242421099 neighbor x.x.x.x address-family ipv6-unicast route-map import 'Default-Peering'
```` ```
This page is a work-in-progress by Owens Research. If you have any suggestions or questions please reach out. This page is a work-in-progress by Owens Research. If you have any suggestions or questions please reach out.

36
howto/wireguard.md
View File

@ -9,13 +9,13 @@ to allow your BGP daemon instead to do routing. This approach is comparable to [
First generate on each peer public and private keys. First generate on each peer public and private keys.
```` ```
$ wg genkey | tee privatekey | wg pubkey > publickey $ wg genkey | tee privatekey | wg pubkey > publickey
```` ```
## Configuration ## Configuration
```` ```
# tunnel.conf # tunnel.conf
[Interface] [Interface]
PrivateKey = <private_key> PrivateKey = <private_key>
@ -31,14 +31,14 @@ Endpoint = <end_point_hostname_or_ip:port>
# however it is easier to do this with iptables/bgp filters/routing table # however it is easier to do this with iptables/bgp filters/routing table
# instead just like for openvpn-based peerings # instead just like for openvpn-based peerings
AllowedIPs = 0.0.0.0/0,::/0 AllowedIPs = 0.0.0.0/0,::/0
```` ```
## Configure tunnel: ## Configure tunnel:
Wireguard comes with its own interface type. Wireguard comes with its own interface type.
It supports link-local addresses for IPv6 and single /32 addresses for IPv4, which can be used for peering. It supports link-local addresses for IPv6 and single /32 addresses for IPv4, which can be used for peering.
```` ```
$ ip link add dev <interface_name> type wireguard $ ip link add dev <interface_name> type wireguard
$ wg setconf <interface_name> tunnel.conf $ wg setconf <interface_name> tunnel.conf
# both side pick a different link-local ipv6 address # both side pick a different link-local ipv6 address
@ -46,7 +46,7 @@ $ ip addr add fe80::<some_random_suffix>/64 dev <interface_name>
# choose the first ip from your subnet and the second one from the peer # choose the first ip from your subnet and the second one from the peer
$ ip addr add 172.xx.xx.xx/32 peer 172.xx.xx.xx/32 dev <interface_name> $ ip addr add 172.xx.xx.xx/32 peer 172.xx.xx.xx/32 dev <interface_name>
$ ip link set <interface_name> up $ ip link set <interface_name> up
```` ```
<!-- Nurtic-Vibe has another [script](https://git.dn42.us/Nurtic-Vibe/grmml-helper/src/master/create_wg.sh) to interactively automate the peering process. --> <!-- Nurtic-Vibe has another [script](https://git.dn42.us/Nurtic-Vibe/grmml-helper/src/master/create_wg.sh) to interactively automate the peering process. -->
@ -54,9 +54,9 @@ Maybe you should check the MTU to your peer with e.g. `ping -s 1472 <end_point_h
## Testing ## Testing
```` ```
ping fe80::<your_peers_suffix>%<interface_name> ping fe80::<your_peers_suffix>%<interface_name>
```` ```
(For older iputils, use `ping6`.) (For older iputils, use `ping6`.)
@ -68,15 +68,15 @@ The wireguard kernel module on linux has support for enabling dynamic debugging.
Debug messages are logged via dmesg and can be enabled using: Debug messages are logged via dmesg and can be enabled using:
````sh ```sh
$ echo 'module wireguard +p' > /sys/kernel/debug/dynamic_debug/control $ echo 'module wireguard +p' > /sys/kernel/debug/dynamic_debug/control
```` ```
To disable debug: To disable debug:
````sh ```sh
$ echo 'module wireguard -p' > /sys/kernel/debug/dynamic_debug/control $ echo 'module wireguard -p' > /sys/kernel/debug/dynamic_debug/control
```` ```
## wg-quick ## wg-quick
@ -94,7 +94,7 @@ The script makes some changes that are not valid when used for DN42 tunnels, and
An example wg-quick script that incorporates the above two workarounds is below, where `<MyIPv[46]>` are the DN42 IP addresses of your node and `<PeerIPv[46]>` are the IP addresses for your peer. An example wg-quick script that incorporates the above two workarounds is below, where `<MyIPv[46]>` are the DN42 IP addresses of your node and `<PeerIPv[46]>` are the IP addresses for your peer.
```` ```
[Interface] [Interface]
PrivateKey = <your private key> PrivateKey = <your private key>
Address = <your link-local address, if any> Address = <your link-local address, if any>
@ -106,7 +106,7 @@ Table = off
Endpoint = <your peer's wireguard endpoint> Endpoint = <your peer's wireguard endpoint>
PublicKey = <your peer's public key> PublicKey = <your peer's public key>
AllowedIPs = 172.16.0.0/12, 10.0.0.0/8, fd00::/8, fe80::/10 AllowedIPs = 172.16.0.0/12, 10.0.0.0/8, fd00::/8, fe80::/10
```` ```
Use `which ip` to get the full path to your ip binary. Use `which ip` to get the full path to your ip binary.
## systemd-networkd ## systemd-networkd
@ -114,7 +114,7 @@ Use `which ip` to get the full path to your ip binary.
Example configuration for systemd-networkd. Example configuration for systemd-networkd.
peer.netdev peer.netdev
````text ```text
[NetDev] [NetDev]
Name=<ifname> Name=<ifname>
Kind=wireguard Kind=wireguard
@ -131,10 +131,10 @@ Endpoint=<peer host and port, e.g. 1.2.3.4:9876>
AllowedIPs=fe80::/64 AllowedIPs=fe80::/64
AllowedIPs=fd00::/8 AllowedIPs=fd00::/8
AllowedIPs=0.0.0.0/0 AllowedIPs=0.0.0.0/0
```` ```
peer.network peer.network
````text ```text
[Match] [Match]
Name=<ifname> Name=<ifname>
@ -165,5 +165,5 @@ Peer=<your peer's IPv6 address>/128
[Address] [Address]
Address=<your IPv4 address>/32 Address=<your IPv4 address>/32
Peer=<your peer's IPv4 address>/32 Peer=<your peer's IPv4 address>/32
```` ```

16
internal/Historical-Services.md
View File

@ -84,23 +84,23 @@ Some people runs [Tahoe LAFS](/services/Tahoe-LAFS) nodes to provide a secure de
### ipfs ### ipfs
bootstrap peers bootstrap peers
```` ```
/ip4/172.20.161.135/tcp/4001/ipfs/QmYgD1wdPjx5oWzYJ195K84PqAXRnw9mcqbyZYAdXfaYkD /ip4/172.20.161.135/tcp/4001/ipfs/QmYgD1wdPjx5oWzYJ195K84PqAXRnw9mcqbyZYAdXfaYkD
/ip4/172.20.52.220/tcp/4001/ipfs/QmW5ZhZFav8MZLJyvKuK6pKaR4vnQ5MVHfXY3LuMXqa4kc /ip4/172.20.52.220/tcp/4001/ipfs/QmW5ZhZFav8MZLJyvKuK6pKaR4vnQ5MVHfXY3LuMXqa4kc
```` ```
test hashes test hashes
```` ```
/ipfs/QmQ7psrGrXS3GFNC4BtU6pJXq6G7ps5NbYrhS2VYFufj9T /ipfs/QmQ7psrGrXS3GFNC4BtU6pJXq6G7ps5NbYrhS2VYFufj9T
/ipfs/QmYLapmcSU7q93Ta4eHMh8fq9ios2HTSdbpHDRQwGG6ocJ /ipfs/QmYLapmcSU7q93Ta4eHMh8fq9ios2HTSdbpHDRQwGG6ocJ
```` ```
cdn (currently only jquery cdn (currently only jquery
```` ```
/ipns/QmW5ZhZFav8MZLJyvKuK6pKaR4vnQ5MVHfXY3LuMXqa4kc/cdn/jquery /ipns/QmW5ZhZFav8MZLJyvKuK6pKaR4vnQ5MVHfXY3LuMXqa4kc/cdn/jquery
```` ```
Until browsers have ipfs access (either through native support or js), one can use the http gateway Until browsers have ipfs access (either through native support or js), one can use the http gateway
```` ```
https://rest.dn42/ https://rest.dn42/
```` ```
### Torrent Search Engine ### Torrent Search Engine

42
services/Automatic-CA.md
View File

@ -90,7 +90,7 @@ Read more on this [stack exchange post][osx-2]
How to Run How to Run
========== ==========
```` ```
Usage: # OWNER is your MNT handle. Usage: # OWNER is your MNT handle.
./ca.dn42 user-gen OWNER EMAIL # Output to OWNER.csr and OWNER.key ./ca.dn42 user-gen OWNER EMAIL # Output to OWNER.csr and OWNER.key
./ca.dn42 user-sig OWNER # Output to OWNER.crt and OWNER.p12 ./ca.dn42 user-sig OWNER # Output to OWNER.crt and OWNER.p12
@ -104,14 +104,14 @@ Revoke Reasons: unspecified, keyCompromise, affiliationChanged,
Environtment Options: Environtment Options:
DN42CA_PKCS12 = 1 # Generate pkcs12 file for certificate. DN42CA_PKCS12 = 1 # Generate pkcs12 file for certificate.
```` ```
Example Example
======= =======
Generate the user key Generate the user key
```` ```
$ ./ca.dn42 user-gen XUU-MNT xuu@sour.is $ ./ca.dn42 user-gen XUU-MNT xuu@sour.is
Generating a 2048 bit RSA private key Generating a 2048 bit RSA private key
...............................+++ ...............................+++
@ -122,11 +122,11 @@ writing new private key to 'XUU-MNT.key'
= You need to have this pin added to your mnt object before proceeding to the next step. = You need to have this pin added to your mnt object before proceeding to the next step.
= =
|MNT Key Pin| remarks: pin-sha256:HdqCid0sedWXX3Q0uG98rYjJyTNOzaT13WfWpr1GvIw= |MNT Key Pin| remarks: pin-sha256:HdqCid0sedWXX3Q0uG98rYjJyTNOzaT13WfWpr1GvIw=
```` ```
## Sign the user key ## Sign the user key
````` ````
$ ./ca.dn42 user-sign XUU-MNT xuu@sour.is $ ./ca.dn42 user-sign XUU-MNT xuu@sour.is
== USER CERT == == USER CERT ==
C:XD C:XD
@ -139,11 +139,11 @@ $ ./ca.dn42 user-sign XUU-MNT xuu@sour.is
OK https://ca.dn42/crt/XUU-MNT.crt OK https://ca.dn42/crt/XUU-MNT.crt
Enter Export Password: Enter Export Password:
Verifying - Enter Export Password: Verifying - Enter Export Password:
```` ```
## Generate the server key ## Generate the server key
```` ```
$ ./ca.dn42 tls-gen ca.dn42 XUU-MNT xuu@sour.is DNS:ca.dn42 $ ./ca.dn42 tls-gen ca.dn42 XUU-MNT xuu@sour.is DNS:ca.dn42
Generating a 2048 bit RSA private key Generating a 2048 bit RSA private key
@ -156,18 +156,18 @@ writing RSA key
= |DNS Key Pin| You need to have this pin added to your dns records before proceeding to the next step. = |DNS Key Pin| You need to have this pin added to your dns records before proceeding to the next step.
= =
_dn42_tlsverify.ca.dn42. IN TXT XUU-MNT:pin-sha256:Qu/X5GNqOo05TdL7oexkamE34OUuDE60T+f0xc60UPQ= _dn42_tlsverify.ca.dn42. IN TXT XUU-MNT:pin-sha256:Qu/X5GNqOo05TdL7oexkamE34OUuDE60T+f0xc60UPQ=
```` ```
After you set this TXT-Record for your domain, you can verify it with the following command (by replacing the domain with your own): After you set this TXT-Record for your domain, you can verify it with the following command (by replacing the domain with your own):
```` ```
$ dig +short TXT _dn42_tlsverify.ca.dn42. $ dig +short TXT _dn42_tlsverify.ca.dn42.
"XUU-MNT:pin-sha256:Qu/X5GNqOo05TdL7oexkamE34OUuDE60T+f0xc60UPQ=" "XUU-MNT:pin-sha256:Qu/X5GNqOo05TdL7oexkamE34OUuDE60T+f0xc60UPQ="
```` ```
## Sign the server key ## Sign the server key
```` ```
$ ./ca.dn42 tls-sign ca.dn42 XUU-MNT $ ./ca.dn42 tls-sign ca.dn42 XUU-MNT
== USER CERT == == USER CERT ==
C:XD C:XD
@ -191,17 +191,17 @@ $ ./ca.dn42 tls-sign ca.dn42 XUU-MNT
OK https://ca.dn42/crt/XUU-MNT_ca.dn42.crt OK https://ca.dn42/crt/XUU-MNT_ca.dn42.crt
Enter Export Password: **** Enter Export Password: ****
Verifying - Enter Export Password: **** Verifying - Enter Export Password: ****
```` ```
The generated certificate will be valid for 3 months, to renew it simply run ````./ca.dn42 tls-sign ca.dn42 XUU-MNT```` again. This could be also automated in cron: The generated certificate will be valid for 3 months, to renew it simply run ```./ca.dn42 tls-sign ca.dn42 XUU-MNT``` again. This could be also automated in cron:
```` ```
0 0 1 * * /etc/ssl/dn42/ca.dn42 tls-sign wiki.dn42 MIC92-MNT 0 0 1 * * /etc/ssl/dn42/ca.dn42 tls-sign wiki.dn42 MIC92-MNT
```` ```
or with a systemd timer: or with a systemd timer:
```` ```
# update-dn42-ca.timer # update-dn42-ca.timer
[Timer] [Timer]
OnBootSec=1h OnBootSec=1h
@ -210,9 +210,9 @@ Persistent=yes
[Install] [Install]
WantedBy=timers.target WantedBy=timers.target
```` ```
```` ```
[Service] [Service]
Type=oneshot Type=oneshot
WorkingDirectory=/etc/ssl/dn42 WorkingDirectory=/etc/ssl/dn42
@ -220,11 +220,11 @@ ExecStart=/etc/ssl/dn42/ca.dn42 tls-sign wiki.dn42 MIC92-MNT
# accept multiple ExecStart lines for other certificates # accept multiple ExecStart lines for other certificates
#ExecStart=/etc/ssl/dn42/ca.dn42 tls-sign foobar.dn42 MIC92-MNT #ExecStart=/etc/ssl/dn42/ca.dn42 tls-sign foobar.dn42 MIC92-MNT
ExecStart=/usr/bin/nginx -s reload ExecStart=/usr/bin/nginx -s reload
```` ```
## Revoke a certificate. ## Revoke a certificate.
```` ```
$ ./ca.dn42 revoke XUU-MNT XUU-MNT.crt $ ./ca.dn42 revoke XUU-MNT XUU-MNT.crt
== USER CERT == == USER CERT ==
C:XD C:XD
@ -236,7 +236,7 @@ $ ./ca.dn42 revoke XUU-MNT XUU-MNT.crt
pin-sha256:HdqCid0sedWXX3Q0uG98rYjJyTNOzaT13WfWpr1GvIw= pin-sha256:HdqCid0sedWXX3Q0uG98rYjJyTNOzaT13WfWpr1GvIw=
== REVOKE CERT == == REVOKE CERT ==
OK OK
```` ```
## Certificate transparency ## Certificate transparency
All issued certificates will be logged to [xuu's mattermost instance](https://teams.dn42/dn42/channels/tls-certificates). All issued certificates will be logged to [xuu's mattermost instance](https://teams.dn42/dn42/channels/tls-certificates).

20
services/Certificate-Authority.md
View File

@ -5,7 +5,7 @@ If you would like to have a certificate signed by this CA there is [an automated
The CA certificate ([dn42](https://ca.dn42/crt/root-ca.crt), [iana](https://ca.dn42.us/crt/root-ca.crt)): The CA certificate ([dn42](https://ca.dn42/crt/root-ca.crt), [iana](https://ca.dn42.us/crt/root-ca.crt)):
```` ```
Certificate: Certificate:
Data: Data:
Version: 3 (0x2) Version: 3 (0x2)
@ -95,21 +95,21 @@ P6v/P0WrfgdFTk0LGEA9OwKcTqkPpcI/SjB3rmZcs42yQWvimAF94GtScE09uKlI
1zAi8vbktPY7OMprTOc8pHDL3q8KFP8jJcoEzZ5Jw0vkCrULhLXvtFtjB0djzVxQ 1zAi8vbktPY7OMprTOc8pHDL3q8KFP8jJcoEzZ5Jw0vkCrULhLXvtFtjB0djzVxQ
C0IKqQ== C0IKqQ==
-----END CERTIFICATE----- -----END CERTIFICATE-----
```` ```
## Testing constraints ## Testing constraints
The name constraints can be verified for example by using openssl: The name constraints can be verified for example by using openssl:
```` ```
openssl x509 -in dn42.crt -text -noout openssl x509 -in dn42.crt -text -noout
```` ```
which will show among other things: which will show among other things:
```` ```
X509v3 Name Constraints: X509v3 Name Constraints:
Permitted: Permitted:
DNS:.dn42 DNS:.dn42
```` ```
## Importing the certificate ## Importing the certificate
@ -123,19 +123,19 @@ Install `ca-certificates-dn42` from [AUR](https://aur.archlinux.org/packages/ca-
#### Unofficial Debian Package #### Unofficial Debian Package
````bash ```bash
wget https://ca.dn42.us/ca-dn42_20161122.0_all.deb wget https://ca.dn42.us/ca-dn42_20161122.0_all.deb
# If you're on a dn42-only network: # If you're on a dn42-only network:
# wget --no-check-certificate https://ca.dn42/ca-dn42_20161122.0_all.deb # wget --no-check-certificate https://ca.dn42/ca-dn42_20161122.0_all.deb
sudo dpkg -i ca-dn42_20161122.0_all.deb sudo dpkg -i ca-dn42_20161122.0_all.deb
sudo dpkg-reconfigure ca-certificates sudo dpkg-reconfigure ca-certificates
```` ```
You will be asked which certificates you would like to enabled. By default, the dn42 root certifcate (dn42/root-ca.crt) is not enable, be sure to enable it. This package is waiting for inclusion in Debian (Debian bug [#845351](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845351)). You will be asked which certificates you would like to enabled. By default, the dn42 root certifcate (dn42/root-ca.crt) is not enable, be sure to enable it. This package is waiting for inclusion in Debian (Debian bug [#845351](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845351)).
#### Manual Installation #### Manual Installation
````bash ```bash
$ mkdir /usr/share/ca-certificates/extra $ mkdir /usr/share/ca-certificates/extra
$ cat > /usr/share/ca-certificates/extra/dn42.crt <<EOF $ cat > /usr/share/ca-certificates/extra/dn42.crt <<EOF
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
@ -164,7 +164,7 @@ C0IKqQ==
-----END CERTIFICATE----- -----END CERTIFICATE-----
EOF EOF
$ update-ca-certificates $ update-ca-certificates
```` ```
## PKI Store ## PKI Store

8
services/DNS.md
View File

@ -24,17 +24,17 @@ service and configure the other service as the secondary or backup nameserver.
Example resolv.conf, preferring a0.recursive-servers.dn42 and IPv4: Example resolv.conf, preferring a0.recursive-servers.dn42 and IPv4:
````text ```text
nameserver 172.20.0.53 nameserver 172.20.0.53
nameserver 172.23.0.53 nameserver 172.23.0.53
nameserver fd42:d42:d42:54::1 nameserver fd42:d42:d42:54::1
nameserver fd42:d42:d42:53::1 nameserver fd42:d42:d42:53::1
search dn42 search dn42
```` ```
Example resolv.conf, preferring a3.recursive-servers.dn42 and IPv6: Example resolv.conf, preferring a3.recursive-servers.dn42 and IPv6:
````text ```text
nameserver fd42:d42:d42:53::1 nameserver fd42:d42:d42:53::1
nameserver fd42:d42:d42:54::1 nameserver fd42:d42:d42:54::1
nameserver 172.23.0.53 nameserver 172.23.0.53
@ -42,7 +42,7 @@ nameserver 172.20.0.53
option inet6 # Linux/glibc option inet6 # Linux/glibc
family inet6 inet4 # BSD family inet6 inet4 # BSD
search dn42 search dn42
```` ```
## Advanced Configuration ## Advanced Configuration

40
services/Distributed-Wiki.md
View File

@ -39,7 +39,7 @@ Since gollum is built on top of Git, it is not overly complicated to keep the lo
+ **wiki-sync.sh**: + **wiki-sync.sh**:
````sh ```sh
#!/bin/bash #!/bin/bash
WIKI_PATH=<repo path> WIKI_PATH=<repo path>
@ -50,7 +50,7 @@ ${GIT} push
${GIT} pull ${GIT} pull
exit 0 exit 0
```` ```
+ **Cron entry**: + **Cron entry**:
@ -64,13 +64,13 @@ exit 0
- Start two gollum instances, read-only and read/write on `127.0.0.1`: - Start two gollum instances, read-only and read/write on `127.0.0.1`:
Read/write (SSL only): Read/write (SSL only):
```` ```
RACK_ENV=production gollum --css --host 127.0.0.1 --port 4568 <path> RACK_ENV=production gollum --css --host 127.0.0.1 --port 4568 <path>
```` ```
Read-only: Read-only:
```` ```
RACK_ENV=production gollum --css --host 127.0.0.1 --port 4567 --no-edit <path> RACK_ENV=production gollum --css --host 127.0.0.1 --port 4567 --no-edit <path>
```` ```
Set `<path>` to the location where wiki Git repo was cloned. Set `<path>` to the location where wiki Git repo was cloned.
@ -82,13 +82,13 @@ RACK_ENV=production gollum --css --host 127.0.0.1 --port 4567 --no-edit <path>
- Generate a [CSR](/services/Certificate-Authority) and send DNS Key Pin to [xuu@sour.is](mailto:xuu@sour.is): - Generate a [CSR](/services/Certificate-Authority) and send DNS Key Pin to [xuu@sour.is](mailto:xuu@sour.is):
- \<AS> is the as number with the prefix `as` like `as64737-ca.wiki.dn42` - \<AS> is the as number with the prefix `as` like `as64737-ca.wiki.dn42`
```` ```
./ca.dn42 tls-gen \ ./ca.dn42 tls-gen \
<AS>-<CC>(-<UID>).wiki.dn42 \ <AS>-<CC>(-<UID>).wiki.dn42 \
EXAMPLE-MNT \ EXAMPLE-MNT \
mail@example.com \ mail@example.com \
DNS:<AS>-<CC>(-<ID>).wiki.dn42,DNS:wiki.dn42,DNS:www.wiki.dn42,DNS:internal.dn42,DNS:www.internal.dn42 DNS:<AS>-<CC>(-<ID>).wiki.dn42,DNS:wiki.dn42,DNS:www.wiki.dn42,DNS:internal.dn42,DNS:www.internal.dn42
```` ```
Wait for a reply and then sign the certificate: Wait for a reply and then sign the certificate:
@ -107,15 +107,15 @@ A custom header `X-SiteID` identifies the site you're connecting to:
- Extract base64 encoded SPKI fingerprint from private key `wiki.key`: - Extract base64 encoded SPKI fingerprint from private key `wiki.key`:
```` ```
openssl rsa -in wiki.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64 openssl rsa -in wiki.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
```` ```
- Configure Nginx to send the fingerprint in header (SSL block): - Configure Nginx to send the fingerprint in header (SSL block):
```` ```
add_header Public-Key-Pins pin-sha256="<primary>"; pin-sha256="<backup>"; max-age=5184000; includeSubDomains'; add_header Public-Key-Pins pin-sha256="<primary>"; pin-sha256="<backup>"; max-age=5184000; includeSubDomains';
```` ```
+ `<primary>` - the fingerprint extracted from `wiki.key` + `<primary>` - the fingerprint extracted from `wiki.key`
+ `<backup>` - the CA fingerprint: `of00RDinhPeVRNnXm1jXQDagktOL75qQo1pT+xc7VIE=` + `<backup>` - the CA fingerprint: `of00RDinhPeVRNnXm1jXQDagktOL75qQo1pT+xc7VIE=`
@ -135,7 +135,7 @@ Nginx should listen on a unicast address as well, so your site can be reached ex
#### Config example #### Config example
```` ```
ssl_protocols TLSv1.2 TLSv1.1 TLSv1; ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_session_cache shared:SSL:2m; ssl_session_cache shared:SSL:2m;
@ -184,7 +184,7 @@ server {
} }
} }
```` ```
## ExaBGP ## ExaBGP
@ -194,7 +194,7 @@ The prefix AS-PATH should show the announcement is originating from your AS. Aft
#### Configuration #### Configuration
```` ```
# exabgp.conf # exabgp.conf
group gollum-watchdog { group gollum-watchdog {
@ -228,7 +228,7 @@ group gollum-watchdog {
} }
} }
```` ```
#### Watchdog script #### Watchdog script
@ -236,7 +236,7 @@ Watchdog runs in an infinite loop, sending the appropriate commands to stdout. [
Run `gollum-watchdog.sh` in a shell first to validate it's working: Run `gollum-watchdog.sh` in a shell first to validate it's working:
````sh ```sh
#!/bin/bash #!/bin/bash
CURL=curl CURL=curl
@ -297,7 +297,7 @@ while [ 1 ]; do
done done
exit 0 exit 0
```` ```
#### Run #### Run
@ -305,7 +305,7 @@ exit 0
`USAGE: /etc/exabgp/run.sh [start|stop|restart]` `USAGE: /etc/exabgp/run.sh [start|stop|restart]`
````sh ```sh
#!/bin/bash #!/bin/bash
PID_FILE=/var/run/exaBGP/exabgp_PID PID_FILE=/var/run/exaBGP/exabgp_PID
@ -352,7 +352,7 @@ case ${1} in
esac esac
exit 0 exit 0
```` ```

8
services/Route-Collector.md
View File

@ -25,7 +25,7 @@ The collector uses the dynamic peering capability in Bird2 to allow anyone to pe
Example bird2 config: Example bird2 config:
````text ```text
protocol bgp ROUTE_COLLECTOR protocol bgp ROUTE_COLLECTOR
{ {
local as ***YOUR_ASN***; local as ***YOUR_ASN***;
@ -66,7 +66,7 @@ protocol bgp ROUTE_COLLECTOR
}; };
}; };
} }
```` ```
## Querying the collector ## Querying the collector
@ -106,7 +106,7 @@ The collector bird instance can be queried directly using a birdc shell.
- ssh shell@collector.dn42 - ssh shell@collector.dn42
````sh ```sh
$ ssh shell@collector.dn42 $ ssh shell@collector.dn42
------------------------------------ ------------------------------------
* DN42 Global Route Collector * * DN42 Global Route Collector *
@ -129,5 +129,5 @@ bird> 297441 of 297441 routes for 502 networks in table master4
Total: 586116 of 586116 routes for 3597 networks in 4 tables Total: 586116 of 586116 routes for 3597 networks in 4 tables
bird> bird>
```` ```

20
services/Statistics.md
View File

@ -11,18 +11,18 @@ Channel statistics for #dn42@hackint are available at: https://dev.0l.dn42/stats
#### collectd.conf #### collectd.conf
```` ```
LoadPlugin exec LoadPlugin exec
<Plugin exec> <Plugin exec>
Exec nobody "/etc/collectd/bgp_prefixes-quagga.sh" Exec nobody "/etc/collectd/bgp_prefixes-quagga.sh"
</Plugin> </Plugin>
```` ```
collectd refuses to exec scripts as root. On Debian vtysh is compiled with PAM support: adding nobody to the quaggavty group suffices. collectd refuses to exec scripts as root. On Debian vtysh is compiled with PAM support: adding nobody to the quaggavty group suffices.
#### bgp_prefixes-quagga.sh #### bgp_prefixes-quagga.sh
````sh ```sh
#!/bin/bash #!/bin/bash
INTERVAL=10 INTERVAL=10
@ -37,11 +37,11 @@ echo "PUTVAL $HOSTNAME/quagga-bgpd/routes-IPv6 interval=$INTERVAL N:$n6"
sleep $INTERVAL sleep $INTERVAL
done done
```` ```
#### Number of prefixes per neighbour for bird #### Number of prefixes per neighbour for bird
````sh ```sh
#!/bin/sh #!/bin/sh
# #
# Collectd script for collecting the number of routes going through each # Collectd script for collecting the number of routes going through each
@ -65,19 +65,19 @@ do
echo "PUTVAL $HOSTNAME/bird-bgpd/routes-all interval=$INTERVAL N:$totalroutes" echo "PUTVAL $HOSTNAME/bird-bgpd/routes-all interval=$INTERVAL N:$totalroutes"
sleep $INTERVAL sleep $INTERVAL
done done
```` ```
### munin plugin ### munin plugin
* add the following to /etc/munin/plugin-conf.d/munin-node * add the following to /etc/munin/plugin-conf.d/munin-node
```` ```
[quagga_bgp] [quagga_bgp]
user root user root
```` ```
* place the script as quagga_bgp in /etc/munin/plugins * place the script as quagga_bgp in /etc/munin/plugins
````sh ```sh
#!/bin/sh #!/bin/sh
# #
# #
@ -111,5 +111,5 @@ user root
echo bgproutes.value $data echo bgproutes.value $data
fi fi
# Measure Section ########## # Measure Section ##########
```` ```
* restart munin-node * restart munin-node

4
services/Tahoe-LAFS.md
View File

@ -19,10 +19,10 @@ To run a node you have to install tahoe-lafs at least in version 1.10.2. You can
Before the first start you have to create a node with `bin/tahoe create-node` or a client (doesn't provide storage) with `bin/tahoe create-client`. This will create the folder .tahoe in your home dir. In the file .tahoe/tahoe.cfg you have to enter on `introducer.furl` the link to our introducer node (UPDATED): Before the first start you have to create a node with `bin/tahoe create-node` or a client (doesn't provide storage) with `bin/tahoe create-client`. This will create the folder .tahoe in your home dir. In the file .tahoe/tahoe.cfg you have to enter on `introducer.furl` the link to our introducer node (UPDATED):
```` ```
introducer.furl = pb://shvdnad4bqey27ff7ngtschexamvdmmr@tahoe-lafs.e-utp.dn42:44412/kmvmrcforeeet7isgq7ftuymywqp3obb introducer.furl = pb://shvdnad4bqey27ff7ngtschexamvdmmr@tahoe-lafs.e-utp.dn42:44412/kmvmrcforeeet7isgq7ftuymywqp3obb
helper.furl = pb://ru7miwm74bfkd6ytchfoq4wgvo3vikq3@fido.e-utp.dn42:44412/iiiopiclr2gszw2fmckbx3eob6krxk7x helper.furl = pb://ru7miwm74bfkd6ytchfoq4wgvo3vikq3@fido.e-utp.dn42:44412/iiiopiclr2gszw2fmckbx3eob6krxk7x
```` ```
With `bin/tahoe start` you start your local node. With `bin/tahoe start` you start your local node.

12
services/Whois.md
View File

@ -102,13 +102,13 @@ We have anycast IPv4 and IPv6, both reachable under whois.dn42. IPs are 172.22.0
| weiti | whois.weiti.dn42 | 172.20.175.253 / fdf7:17d5:de49::43 | | weiti | whois.weiti.dn42 | 172.20.175.253 / fdf7:17d5:de49::43 |
## Usage ## Usage
````sh ```sh
whois -h $host $query whois -h $host $query
```` ```
## Using a whois config ## Using a whois config
````sh ```sh
$ cat /etc/whois.conf $ cat /etc/whois.conf
\.dn42$ whois.dn42 \.dn42$ whois.dn42
\-DN42$ whois.dn42 \-DN42$ whois.dn42
@ -124,18 +124,18 @@ $ cat /etc/whois.conf
# dn42 ula ipv6 address space # dn42 ula ipv6 address space
^fd**:****:****:****:****:****:****:**** whois.dn42 ^fd**:****:****:****:****:****:****:**** whois.dn42
```` ```
You can then use whois without specifying the server. Works at least with Marco d'Itri's whois client. You can then use whois without specifying the server. Works at least with Marco d'Itri's whois client.
## Running your own whoisd ## Running your own whoisd
````sh ```sh
cd /home/some/path/to/store/branch cd /home/some/path/to/store/branch
sudo aptitude install ruby rubygems sudo aptitude install ruby rubygems
sudo gem install netaddr sudo gem install netaddr
cd whoisd/ruby cd whoisd/ruby
sudo ruby whoisd.rb nobody sudo ruby whoisd.rb nobody
```` ```
## Whois restful API ## Whois restful API
Note: this service is in beta testing, use at your own risk. Note: this service is in beta testing, use at your own risk.
https://whois.rest.dn42/ https://whois.rest.dn42/

40
services/dns/Configuration.md
View File

@ -4,9 +4,9 @@ Configuration of common resolver softwares to forward DNS queries for `.dn42` (a
You can use any *.recursive-servers.dn42 (where * is a letter) for resolving .dn42 domains. The current list is available at the [DN42 registry](https://git.dn42.dev/dn42/registry/src/master/data/dns/recursive-servers.dn42) or through querying SRV records of recursive-servers.dn42: You can use any *.recursive-servers.dn42 (where * is a letter) for resolving .dn42 domains. The current list is available at the [DN42 registry](https://git.dn42.dev/dn42/registry/src/master/data/dns/recursive-servers.dn42) or through querying SRV records of recursive-servers.dn42:
````sh ```sh
drill -D SRV _dns._udp.recursive-servers.dn42. @172.20.0.53 drill -D SRV _dns._udp.recursive-servers.dn42. @172.20.0.53
```` ```
Two independent anycast services are also provided: Two independent anycast services are also provided:
@ -27,7 +27,7 @@ DN42 is [interconnected](/internal/Interconnections) with the Inter City VPN or
If you already run a local DNS server, you can tell it to query the dn42 anycast servers for the relevant domains If you already run a local DNS server, you can tell it to query the dn42 anycast servers for the relevant domains
by adding the following to /etc/bind/named.conf.local by adding the following to /etc/bind/named.conf.local
```` ```
zone "dn42" { zone "dn42" {
type forward; type forward;
forwarders { 172.20.0.53; fd42:d42:d42:54::1; }; forwarders { 172.20.0.53; fd42:d42:d42:54::1; };
@ -66,12 +66,12 @@ options {
# [...] # [...]
}; };
```` ```
**Note**: With DNSSEC enabled, bind might refuse to accept query results from the dn42 zone: `validating dn42/SOA: got insecure response; parent indicates it should be secure`. **Note**: With DNSSEC enabled, bind might refuse to accept query results from the dn42 zone: `validating dn42/SOA: got insecure response; parent indicates it should be secure`.
To disable DNSSEC validation only for certain TLDs include the following in the options section: To disable DNSSEC validation only for certain TLDs include the following in the options section:
```` ```
options { options {
# [...] # [...]
@ -87,13 +87,13 @@ options {
# [...] # [...]
}; };
```` ```
## dnsmasq ## dnsmasq
If you are running dnsmasq under openwrt, you just have to add If you are running dnsmasq under openwrt, you just have to add
```` ```
config dnsmasq config dnsmasq
option boguspriv '0' option boguspriv '0'
option rebind_protection '1' option rebind_protection '1'
@ -106,7 +106,7 @@ config dnsmasq
list server '/10.in-addr.arpa/172.20.0.53' list server '/10.in-addr.arpa/172.20.0.53'
list server '/d.f.ip6.arpa/fd42:d42:d42:54::1' list server '/d.f.ip6.arpa/fd42:d42:d42:54::1'
```` ```
to `/etc/config/dhcp` and run `/etc/init.d/dnsmasq restart`. After that you are able to resolve `.dn42` to `/etc/config/dhcp` and run `/etc/init.d/dnsmasq restart`. After that you are able to resolve `.dn42`
with the anycast DNS-Server, while your normal requests go to your standard DNS-resolver. with the anycast DNS-Server, while your normal requests go to your standard DNS-resolver.
@ -115,7 +115,7 @@ Attention: If you go with the default config you'll have to disable "boguspriv"
For normal dnsmasq use For normal dnsmasq use
```` ```
server=/dn42/172.20.0.53 server=/dn42/172.20.0.53
server=/20.172.in-addr.arpa/172.20.0.53 server=/20.172.in-addr.arpa/172.20.0.53
server=/21.172.in-addr.arpa/172.20.0.53 server=/21.172.in-addr.arpa/172.20.0.53
@ -123,21 +123,21 @@ server=/22.172.in-addr.arpa/172.20.0.53
server=/23.172.in-addr.arpa/172.20.0.53 server=/23.172.in-addr.arpa/172.20.0.53
server=/10.in-addr.arpa/172.20.0.53 server=/10.in-addr.arpa/172.20.0.53
server=/d.f.ip6.arpa/fd42:d42:d42:54::1 server=/d.f.ip6.arpa/fd42:d42:d42:54::1
```` ```
in `dnsmasq.conf`. in `dnsmasq.conf`.
## PowerDNS recursor ## PowerDNS recursor
Add this to /etc/powerdns/recursor.conf (at least in Debian and CentOS), the **forward-zone-recurse** is _**one line**_. Add this to /etc/powerdns/recursor.conf (at least in Debian and CentOS), the **forward-zone-recurse** is _**one line**_.
```` ```
dont-query=127.0.0.0/8, 192.168.0.0/16, ::1/128, fe80::/10 dont-query=127.0.0.0/8, 192.168.0.0/16, ::1/128, fe80::/10
forward-zones-recurse=dn42=172.20.0.53,hack=172.20.0.53,ffhh=172.20.0.53,ffac=172.20.0.53,020=172.20.0.53,adm=172.20.0.53,ffa=172.20.0.53,ffhb=172.20.0.53,ffc=172.20.0.53,ffda=172.20.0.53,ffdh=172.20.0.53,ff3l=172.20.0.53,fffl=172.20.0.53,ffffm=172.20.0.53,fffr=172.20.0.53,fffd=172.20.0.53,ffgl=172.20.0.53,fflln=172.20.0.53,ffbcd=172.20.0.53,ffbgl=172.20.0.53,ffgoe=172.20.0.53,ffgt=172.20.0.53,ffh=172.20.0.53,helgo=172.20.0.53,ffhef=172.20.0.53,ffj=172.20.0.53,ffka=172.20.0.53,ffki=172.20.0.53,ffhl=172.20.0.53,fflux=172.20.0.53,ffms=172.20.0.53,mueritz=172.20.0.53,ffnord=172.20.0.53,ffnw=172.20.0.53,ffoh=172.20.0.53,ffpb=172.20.0.53,ffpi=172.20.0.53,ffrade=172.20.0.53,ffrgb=172.20.0.53,ffrg=172.20.0.53,rzl=172.20.0.53,ffsaar=172.20.0.53,fftr=172.20.0.53,fftdf=172.20.0.53,ffwk=172.20.0.53,ffgro=172.20.0.53,ffwk=172.20.0.53,ffwp=172.20.0.53,ffw=172.20.0.53,20.172.in-addr.arpa=172.20.0.53,21.172.in-addr.arpa=172.20.0.53,22.172.in-addr.arpa=172.20.0.53,23.172.in-addr.arpa=172.20.0.53,31.172.in-addr.arpa=172.20.0.53,10.in-addr.arpa=172.20.0.53,c.f.ip6.arpa=172.20.0.53 forward-zones-recurse=dn42=172.20.0.53,hack=172.20.0.53,ffhh=172.20.0.53,ffac=172.20.0.53,020=172.20.0.53,adm=172.20.0.53,ffa=172.20.0.53,ffhb=172.20.0.53,ffc=172.20.0.53,ffda=172.20.0.53,ffdh=172.20.0.53,ff3l=172.20.0.53,fffl=172.20.0.53,ffffm=172.20.0.53,fffr=172.20.0.53,fffd=172.20.0.53,ffgl=172.20.0.53,fflln=172.20.0.53,ffbcd=172.20.0.53,ffbgl=172.20.0.53,ffgoe=172.20.0.53,ffgt=172.20.0.53,ffh=172.20.0.53,helgo=172.20.0.53,ffhef=172.20.0.53,ffj=172.20.0.53,ffka=172.20.0.53,ffki=172.20.0.53,ffhl=172.20.0.53,fflux=172.20.0.53,ffms=172.20.0.53,mueritz=172.20.0.53,ffnord=172.20.0.53,ffnw=172.20.0.53,ffoh=172.20.0.53,ffpb=172.20.0.53,ffpi=172.20.0.53,ffrade=172.20.0.53,ffrgb=172.20.0.53,ffrg=172.20.0.53,rzl=172.20.0.53,ffsaar=172.20.0.53,fftr=172.20.0.53,fftdf=172.20.0.53,ffwk=172.20.0.53,ffgro=172.20.0.53,ffwk=172.20.0.53,ffwp=172.20.0.53,ffw=172.20.0.53,20.172.in-addr.arpa=172.20.0.53,21.172.in-addr.arpa=172.20.0.53,22.172.in-addr.arpa=172.20.0.53,23.172.in-addr.arpa=172.20.0.53,31.172.in-addr.arpa=172.20.0.53,10.in-addr.arpa=172.20.0.53,c.f.ip6.arpa=172.20.0.53
```` ```
## MaraDNS ## MaraDNS
Put this in your mararc: Put this in your mararc:
```` ```
ipv4_alias["dn42_root"] = "172.20.0.53" ipv4_alias["dn42_root"] = "172.20.0.53"
root_servers["dn42."] = "dn42_root" root_servers["dn42."] = "dn42_root"
root_servers["20.172.in-addr.arpa."] = "dn42_root" root_servers["20.172.in-addr.arpa."] = "dn42_root"
@ -145,14 +145,14 @@ root_servers["21.172.in-addr.arpa."] = "dn42_root"
root_servers["22.172.in-addr.arpa."] = "dn42_root" root_servers["22.172.in-addr.arpa."] = "dn42_root"
root_servers["23.172.in-addr.arpa."] = "dn42_root" root_servers["23.172.in-addr.arpa."] = "dn42_root"
root_servers["10.in-addr.arpa."] = "dn42_root" root_servers["10.in-addr.arpa."] = "dn42_root"
```` ```
## Unbound ## Unbound
Make sure to disable `auto-trust-anchor-file` and manually configure `trust-anchor-file` to Make sure to disable `auto-trust-anchor-file` and manually configure `trust-anchor-file` to
point to a file with DNSKEY records for dn42. point to a file with DNSKEY records for dn42.
```` ```
server: server:
local-zone: "20.172.in-addr.arpa." nodefault local-zone: "20.172.in-addr.arpa." nodefault
local-zone: "21.172.in-addr.arpa." nodefault local-zone: "21.172.in-addr.arpa." nodefault
@ -195,15 +195,15 @@ forward-zone:
name: "d.f.ip6.arpa" name: "d.f.ip6.arpa"
forward-addr: fd42:d42:d42:54::1 forward-addr: fd42:d42:d42:54::1
forward-addr: 172.20.0.53 forward-addr: 172.20.0.53
```` ```
## JunOS (SRX 12.1X46) ## JunOS (SRX 12.1X46)
Should also work in 12.1X44 and 12.1X45. After making the changes below you may need to run: Should also work in 12.1X44 and 12.1X45. After making the changes below you may need to run:
```` ```
restart named-service restart named-service
```` ```
Config (vlan.0 is presumed to be your LAN/Trust interface) Config (vlan.0 is presumed to be your LAN/Trust interface)
```` ```
system { system {
services { services {
dns { dns {
@ -251,7 +251,7 @@ system {
} }
} }
} }
```` ```
## MS DNS ## MS DNS
Add a "Conditional Forward" (de: "Bedingte Weiterleitung") for each of "dn42", "20.172.in-addr.arpa", "21.172.in-addr.arpa", "22.172.in-addr.arpa", "23.172.in-addr.arpa", "10.in-addr.arpa" using 172.20.0.53 as forwarder. Ignore the error message that the server is not authoritative. Add a "Conditional Forward" (de: "Bedingte Weiterleitung") for each of "dn42", "20.172.in-addr.arpa", "21.172.in-addr.arpa", "22.172.in-addr.arpa", "23.172.in-addr.arpa", "10.in-addr.arpa" using 172.20.0.53 as forwarder. Ignore the error message that the server is not authoritative.

2
services/dns/Providing-Anycast-DNS.md
View File

@ -8,7 +8,7 @@ Configuration requirements for all members of the anycast group are:
* maintain your own zones based on whois database (scripts included in monotone repository) * maintain your own zones based on whois database (scripts included in monotone repository)
* allow recursion (including `.`) * allow recursion (including `.`)
* listen on a unicast IP too for testing/debugging reasons * listen on a unicast IP too for testing/debugging reasons
* with bind, please use ````minimal-responses yes;```` (goes into ````options````/````view````) * with bind, please use ```minimal-responses yes;``` (goes into ```options```/```view```)
It is _really_ good to hang around in [IRC](/IRC) to get things sorted out, if something doesn't work. Letting some people test your DNS behavior before joining the anycast-group is considered best practice - better safe than sorry. It is _really_ good to hang around in [IRC](/IRC) to get things sorted out, if something doesn't work. Letting some people test your DNS behavior before joining the anycast-group is considered best practice - better safe than sorry.

12
services/dns/Recursive-DNS-resolver.md
View File

@ -8,7 +8,7 @@ You may use some servers listed in the [table of anycast servers](/Providing-Any
Configuration for `unbound.conf` Configuration for `unbound.conf`
```` ```
server: server:
local-zone: "22.172.in-addr.arpa." nodefault local-zone: "22.172.in-addr.arpa." nodefault
local-zone: "23.172.in-addr.arpa." nodefault local-zone: "23.172.in-addr.arpa." nodefault
@ -30,12 +30,12 @@ stub-zone:
stub-prime: yes stub-prime: yes
stub-addr: 172.22.119.160 stub-addr: 172.22.119.160
stub-addr: 172.22.119.163 stub-addr: 172.22.119.163
```` ```
### Unbound with root-hints ### Unbound with root-hints
Alternatively you can put dn42 root servers in the root-hints file for recursive resolving. Alternatively you can put dn42 root servers in the root-hints file for recursive resolving.
```` ```
# /etc/unbound/unbound.conf.d/dn42.conf # /etc/unbound/unbound.conf.d/dn42.conf
server: server:
# DNSSEC validation will fail # DNSSEC validation will fail
@ -52,10 +52,10 @@ server:
remote-control: remote-control:
control-enable: no control-enable: no
```` ```
The `/etc/unbound/dn42.hints` file: The `/etc/unbound/dn42.hints` file:
```` ```
. NS a.root-servers.dn42. . NS a.root-servers.dn42.
a.root-servers.dn42. 3600000 A 172.22.177.6 a.root-servers.dn42. 3600000 A 172.22.177.6
. NS m.root-servers.dn42. . NS m.root-servers.dn42.
@ -64,4 +64,4 @@ m.root-servers.dn42. 3600000 A 172.23.67.67
t.root-servers.dn42. 3600000 A 172.22.102.141 t.root-servers.dn42. 3600000 A 172.22.102.141
. NS x.root-servers.dn42. . NS x.root-servers.dn42.
x.root-servers.dn42. 3600000 A 172.22.141.1 x.root-servers.dn42. 3600000 A 172.22.141.1
```` ```