mirror of
https://git.dn42.dev/wiki/wiki.git
synced 2024-11-23 07:43:29 +01:00
Fix Headers, Spaces
This commit is contained in:
parent
570bc4abde
commit
c10f15e424
4
FAQ.md
@ -1,5 +1,5 @@
|
||||
|
||||
### How do I connect to DN42?
|
||||
## How do I connect to DN42?
|
||||
|
||||
We have a [page](/howto/Getting-started) for that!
|
||||
|
||||
@ -58,4 +58,4 @@ Prior to using ASNs in the new private ASN range 4200000000-4294967294 ([RFC6996
|
||||
|
||||
### Can I update the wiki?
|
||||
|
||||
Yes, the wiki can be edited when browsing to [wiki.dn42](https://wiki.dn42).
|
||||
Yes, the wiki can be edited when browsing to [wiki.dn42](https://wiki.dn42).
|
||||
|
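Review bot: `### Can I update the wiki?` keeps its heading level while the sibling question `### How do I connect to DN42?` in the hunk above was promoted to `##`; if the FAQ questions are meant to be siblings, this one should become `##` too. The only visible change in this hunk is whitespace on the `Yes, the wiki can be edited ...` line, so the heading is easy to miss.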
2
Home.md
@ -77,6 +77,6 @@ The [Getting started](/howto/Getting-Started) page helps you to get your first n
|
||||
|
||||
This wiki is the main reference about dn42. It is available in read-only mode from the Internet [here](https://wiki.dn42.us) or [here](https://dn42.dev) or [here](https://dn42.tk) or [here](https://dn42.eu), [tor](http://jsptropkiix3ki5u.onion) and [i2p](http://beb6v2i4jevo72vvnx6segsk4zv3pu3prbwcfuta3bzrcv7boy2q.b32.i2p/) and for editing from within dn42, at [https://wiki.dn42](https://wiki.dn42) - [https](services/Certificate-Authority) required for editing.
|
||||
|
||||
#### DN42 Logo
|
||||
### DN42 Logo
|
||||
|
||||
An svg of the DN42 Logo is available [here](/dn42.svg).
|
||||
|
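Review bot: the `[https](services/Certificate-Authority)` link is relative to the current page while the other wiki links in this hunk are root-relative (`/howto/Getting-Started`, `/dn42.svg`); use `/services/Certificate-Authority` so it resolves from any page. The four read-only mirrors are listed as four consecutive `[here]` links, which is hard to scan; naming each by host would help.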
2
Other.md
@ -82,7 +82,7 @@ second tinc cloud
|
||||
|
||||
ipv4: 172.22.255.160/28
|
||||
ipv6: fd04:de02:7af9::/64
|
||||
|
||||
|
||||
IP IPv6 User Host ASN
|
||||
-------------- ------------------- --------- ----------- -----
|
||||
172.22.255.161 fd04:de02:7af9::161 uves spline 64733
|
||||
|
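Review bot: the `IP IPv6 User Host ASN` header with a dashed underline renders as plain text rather than a table in most markdown renderers; since this hunk only touches whitespace, consider converting it to a pipe table (`| IP | IPv6 | User | Host | ASN |` with a `|---|` separator row) while here.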
@ -1 +1 @@
|
||||
Hosted by: [xuu](mailto:xuu@sour.is), [nurtic-vibe](mailto:nurtic-vibe@grmml.net), [toBee](mailto:tom@xcv.vc), [burble](mailto:dn42@burble.com) | Accessible via: [dn42](http://wiki.dn42), [tor](http://jsptropkiix3ki5u.onion), [i2p](http://beb6v2i4jevo72vvnx6segsk4zv3pu3prbwcfuta3bzrcv7boy2q.b32.i2p/)
|
||||
Hosted by: [xuu](mailto:xuu@sour.is), [nurtic-vibe](mailto:nurtic-vibe@grmml.net), [toBee](mailto:tom@xcv.vc), [burble](mailto:dn42@burble.com) | Accessible via: [dn42](http://wiki.dn42), [tor](http://jsptropkiix3ki5u.onion), [i2p](http://beb6v2i4jevo72vvnx6segsk4zv3pu3prbwcfuta3bzrcv7boy2q.b32.i2p/)
|
||||
|
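Review bot: the `[dn42](http://wiki.dn42)` footer link is plain http, whereas Home.md in this same commit states that https is required for editing; linking `https://wiki.dn42` here would be consistent. The whitespace change itself is fine.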
@ -1 +1 @@
|
||||
[![dn42](/dn42.png)](/)
|
||||
[![dn42](/dn42.png)](/)
|
||||
|
@ -1,66 +0,0 @@
|
||||
# DN42 peering on Extreme Summit 1i
|
||||
Here i'll show how to configure DN42 peering via BGP on an old Extreme Networks [Summit 1i](http://docs.google.com/viewer?url=https://www.mtmnet.com/PDF_FILES/summit1i.pdf) routing switch. This how-to should be also applicable to any other 'i'-series switch.
|
||||
|
||||
## Caveats
|
||||
Looks like ExtremeWare doesn't support any tunneling mechanism in contrast to ExtremeWare IPv6 or ExtremeXOS operating systems. So you need either put your switch behind the router which will do tunneling with DN42 participant or directly connect the switch to our network, if that possible.
|
||||
|
||||
## Snipplet
|
||||
This configuration was tested on latest EW of 7.8.4.1 patch1-r4 version. But it should work on most of older releases as well.
|
||||
|
||||
## DN42 should go both in internal (for clients) and external VLANs
|
||||
create vlan svlan
|
||||
configure vlan svlan ipaddress 192.168.1.100/24
|
||||
# Adding an alias
|
||||
enable multinetting standard
|
||||
configure vlan svlan add secondary-ip 172.22.251.2/23
|
||||
...
|
||||
|
||||
enable ipforwarding
|
||||
|
||||
configure vlan svlan add subvlan ext
|
||||
...
|
||||
|
||||
# It is worth to filter alien nets
|
||||
create access-list deny_int ip destination any source 192.168.1.0/24 deny ports 2-16
|
||||
...
|
||||
##
|
||||
|
||||
# Adding route to a neighbor
|
||||
configure iproute add 172.22.151.1/32 172.22.251.1
|
||||
|
||||
configure bgp soft-reconfiguration
|
||||
configure bgp AS-number 65534
|
||||
configure bgp routerid 172.22.251.2
|
||||
enable bgp
|
||||
|
||||
Now, if you're trying EBGP with your peer:
|
||||
|
||||
# Announce our network
|
||||
configure bgp add network 172.22.151.0/23
|
||||
|
||||
create bgp neighbor 172.22.151.1 remote-AS-number 65535
|
||||
# Point to a proper outgoing interface, useless in case when Super VLAN is used
|
||||
#configure bgp neighbor 172.22.151.1 source-interface vlan ext
|
||||
|
||||
enable bgp neighbor 172.22.151.1
|
||||
|
||||
Or IBGP (local router does the EBGP in following example):
|
||||
|
||||
# Don't wait for an EBGP
|
||||
disable bgp synchronization
|
||||
|
||||
create bgp neighbor 192.168.1.1 remote-AS-number 65534
|
||||
enable bgp neighbor 192.168.1.1
|
||||
|
||||
Next, you may diagnose the things doing:
|
||||
|
||||
show bgp
|
||||
show bgp neighbor
|
||||
show bgp neighbor 172.22.151.1 received-routes all
|
||||
show bgp neighbor 172.22.151.1 transmitted-routes all
|
||||
|
||||
After that ping and traceroute are your mates. It is worth to point switch to the DNS which knows .dn42 zone:
|
||||
|
||||
`configure dns-client add name-server 192.168.1.1`
|
||||
|
||||
And use names.
|
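Review bot: this hunk removes the entire `DN42 peering on Extreme Summit 1i` page, which a commit titled `Fix Headers, Spaces` does not account for; split the deletion into its own commit with a message stating why (obsolete hardware, moved elsewhere), or leave a stub pointing to the replacement. If the removal stands, note that this page was the only place documenting the `create access-list deny_int ... source 192.168.1.0/24 deny` step under `# It is worth to filter alien nets`, i.e. keeping the RFC1918 client VLAN from leaking into DN42, which is worth preserving in a general how-to.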
@ -22,7 +22,7 @@ To properly assign the right community to your peer, please reference the table
|
||||
(64511, 8) :: latency \in (1097ms, 2981ms]
|
||||
(64511, 9) :: latency > 2981ms
|
||||
(64511, x) :: latency \in [exp(x-1), exp(x)] ms (for x < 10)
|
||||
|
||||
|
||||
(64511, 21) :: bw >= 0.1mbit
|
||||
(64511, 22) :: bw >= 1mbit
|
||||
(64511, 23) :: bw >= 10mbit
|
||||
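Review bot: the general rule `(64511, x) :: latency \in [exp(x-1), exp(x)] ms` is closed at both ends, but the enumerated rows above it use half-open intervals such as `(1097ms, 2981ms]`, so a latency of exactly exp(x) ms matches two rows under the formula and one under the table. Write the rule as `(exp(x-1), exp(x)]` to match.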
@ -30,7 +30,7 @@ To properly assign the right community to your peer, please reference the table
|
||||
(64511, 25) :: bw >= 1000mbit
|
||||
(64511, 2x) :: bw >= 10^(x-2) mbit
|
||||
bw = min(up,down) for asymmetric connections
|
||||
|
||||
|
||||
(64511, 31) :: not encrypted
|
||||
(64511, 32) :: encrypted with unsafe vpn solution
|
||||
(64511, 33) :: encrypted with safe vpn solution (but no PFS - the usual OpenVPN p2p configuration falls in this category)
|
||||
@ -126,7 +126,7 @@ function update_crypto(int link_crypto) {
|
||||
else if (64511, 33) ~ bgp_community then { bgp_community.delete([(64511, 34..34)]); return 33; }
|
||||
else return 34;
|
||||
}
|
||||
|
||||
|
||||
function update_flags(int link_latency; int link_bandwidth; int link_crypto)
|
||||
int dn42_latency;
|
||||
int dn42_bandwidth;
|
||||
|
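Review bot: `else return 34;` at the end of `update_crypto` reports a route carrying none of the (64511,31..33) crypto communities as level 34, the strongest; a peer that simply omits the communities therefore gets the most trusted rating until the caller compares it with `link_crypto`, which at best reflects the local link only and hides weaker upstream hops. A fail-safe default would be to return the weakest level, or a sentinel meaning "unknown" that `update_flags` handles explicitly.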
@ -26,7 +26,7 @@ Note: This file covers the configuration of Bird 1.x. For an example configurati
|
||||
* Replace `<PEER_AS>` the Autonomous System Number of your peer (only the digits)
|
||||
* Replace `<PEER_NAME>` a self chosen name for your peer
|
||||
|
||||
### IPv6
|
||||
## IPv6
|
||||
|
||||
```
|
||||
#/etc/bird/bird6.conf
|
||||
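Review bot: `Replace `<PEER_AS>` the Autonomous System Number of your peer` and `Replace `<PEER_NAME>` a self chosen name for your peer` are both missing `with` after the placeholder; worth fixing while the heading below is being demoted.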
@ -51,7 +51,7 @@ include "/etc/bird/local6.conf";
|
||||
/*
|
||||
krt_prefsrc defines the source address for outgoing connections.
|
||||
On Linux, this causes the "src" attribute of a route to be set.
|
||||
|
||||
|
||||
Without this option outgoing connections would use the peering IP which
|
||||
would cause packet loss if some peering disconnects but the interface
|
||||
is still available. (The route would still exist and thus route through
|
||||
@ -160,7 +160,7 @@ include "/etc/bird/local4.conf";
|
||||
/*
|
||||
krt_prefsrc defines the source address for outgoing connections.
|
||||
On Linux, this causes the "src" attribute of a route to be set.
|
||||
|
||||
|
||||
Without this option outgoing connections would use the peering IP which
|
||||
would cause packet loss if some peering disconnects but the interface
|
||||
is still available. (The route would still exist and thus route through
|
||||
@ -393,4 +393,4 @@ bird> show route export <somepeer> # shows the route you export to someone
|
||||
|
||||
# External Links
|
||||
* detailed bird configuration from Mic92: https://github.com/Mic92/bird-dn42
|
||||
* more bird commands: https://bird.network.cz/?get_doc&v=20&f=bird-4.html
|
||||
* more bird commands: https://bird.network.cz/?get_doc&v=20&f=bird-4.html
|
||||
|
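Review bot: `https://bird.network.cz/?get_doc&v=20&f=bird-4.html` is the BIRD 2.0 manual, but this page documents Bird 1.x (see the `Note: This file covers the configuration of Bird 1.x` context line); link the 1.6 manual on the same site, or state that the 2.0 docs are intentional. The list entry only appears twice because of the whitespace change; the link text itself is fine.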
@ -89,7 +89,7 @@ function is_valid_network_v6() {
|
||||
|
||||
protocol kernel {
|
||||
scan time 20;
|
||||
|
||||
|
||||
ipv6 {
|
||||
import none;
|
||||
export filter {
|
||||
@ -134,7 +134,7 @@ protocol static {
|
||||
template bgp dnpeers {
|
||||
local as OWNAS;
|
||||
path metric 1;
|
||||
|
||||
|
||||
ipv4 {
|
||||
import filter {
|
||||
if is_valid_network() && !is_self_net() then {
|
||||
@ -195,4 +195,4 @@ protocol bgp <NEIGHBOR_NAME>_v6 from dnpeers {
|
||||
}
|
||||
```
|
||||
|
||||
Due to the special link local addresses of IPv6, an interface has to be specified using the %<if> syntax if a link local address is used (Which is recommended)
|
||||
Due to the special link local addresses of IPv6, an interface has to be specified using the %<if> syntax if a link local address is used (Which is recommended)
|
||||
|
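Review bot: `%<if>` in a plain markdown paragraph is treated as an HTML tag by the wiki renderer, so `<if>` disappears and only `%` remains; put it in backticks or write `%<interface-name>`. Minor: `(Which is recommended)` should be lowercase `which`.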
@ -7,7 +7,7 @@ Running email in dn42 is not very complicated. Your SMTP daemon probably alread
|
||||
## Redirect
|
||||
~~There are forwarding rules for _PERSON_ @ dn42.org to the mail addresses which have been given in the registry. Please note that the trailing `-DN42` is stripped from the local part.~~
|
||||
|
||||
####Example####
|
||||
### Example
|
||||
|
||||
| Handle | Alias | Redirection |
|
||||
|:------------ |:-------------- |:--------------------- |
|
||||
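Review bot: striking through the `There are forwarding rules for _PERSON_ @ dn42.org ...` paragraph without a replacement leaves readers guessing whether the redirect was discontinued or is merely broken; add one line stating that the dn42.org forwarding no longer exists, or drop the paragraph together with the `### Example` table that illustrates it.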
@ -97,4 +97,4 @@ Email Address Internationalization (EAI) as defined in [RFC 6531](http://tools.i
|
||||
Introduced with Postfix version 3.0, this fully supports UTF-8 email addresses and UTF-8 message header values.
|
||||
more at the [SMTPUTF8_README](http://www.postfix.org/SMTPUTF8_README.html).
|
||||
### Exim
|
||||
Watch Exims EAI Tracker [Bug 1177](http://bugs.exim.org/show_bug.cgi?id=1177)
|
||||
Watch Exims EAI Tracker [Bug 1177](http://bugs.exim.org/show_bug.cgi?id=1177)
|
||||
|
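Review bot: `Watch Exims EAI Tracker` needs the possessive `Exim's`, and `more at the [SMTPUTF8_README]` is a lowercase fragment; fold it into the preceding Postfix sentence. The whitespace fix itself is fine.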
@ -376,4 +376,4 @@ traffic-policy {
|
||||
/* Warning: Do not remove the following line. */
|
||||
/* === vyatta-config-version: "config-management@1:dhcp-relay@1:dhcp-server@4:firewall@4:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
|
||||
/* Release version: v1.3.0.4605130.131011.1754 */
|
||||
```
|
||||
```
|
||||
|
@ -42,7 +42,7 @@ Using the below as examples:
|
||||
#### Copy OpenVPN key to the EdgeRouter
|
||||
|
||||
Copy the VPN key to `/config/auth/SomeSharedKey.key`:
|
||||
|
||||
|
||||
sudo cat > /config/auth/SomeSharedKey.key
|
||||
|
||||
Paste the key in the terminal window, hit return once and kill `cat` with CTRL+C. Then type `exit`.
|
||||
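Review bot: `sudo cat > /config/auth/SomeSharedKey.key` creates the file with root's default umask, which on most systems leaves the OpenVPN shared secret world-readable; add `sudo chmod 600 /config/auth/SomeSharedKey.key` after the paste step, and state in the text that the key must stay private.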
@ -108,7 +108,7 @@ so bgp can announce the route
|
||||
save
|
||||
|
||||
#### Announce Route to BGP
|
||||
|
||||
|
||||
set protocols bgp 111111 network 172.A.A.64/27
|
||||
commit
|
||||
save
|
||||
|
@ -498,4 +498,4 @@ If your peer sends you a key in PEM format (starts with `-----BEGIN PUBLIC KEY--
|
||||
}
|
||||
interface eth0
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -1,148 +0,0 @@
|
||||
#EdgeRouterPro-8 config example with v1.9.0
|
||||
|
||||
After a lot of searching and trying I [Phil/ALS7] finnaly got a working config
|
||||
Also thanx to drathir for his patience and support
|
||||
|
||||
##Features
|
||||
|
||||
* IPv4/IPv6 Tunnel via OpenVPN
|
||||
* dn42 DNS
|
||||
|
||||
##How-To
|
||||
|
||||
--> still work in Progress
|
||||
|
||||
* Basic EdgeOS knowledge is required
|
||||
|
||||
1) you need to create all required fields in the registry --> look at [Getting Started](/Getting-Started) page
|
||||
|
||||
2) get a peer --> ask nice @ [IRC](/IRC)
|
||||
|
||||
3) You need following data from the peer
|
||||
|
||||
--tunnel options, secret key --ASN from the peer --ip's
|
||||
|
||||
...
|
||||
|
||||
The data i used are the following:
|
||||
|
||||
Own ASN: AS111111
|
||||
Own IPv4: 172.AA.AA.64/27
|
||||
Own IPv6: fdBB:BBBB:CCCC::/48
|
||||
|
||||
Peer OpenVPN Remote Address: X.X.X.X
|
||||
Peer OpenVPN Remote Host: X.X.X.Y
|
||||
Peer OpenVPN IP for you: fdAA::BBB/64
|
||||
Peer OpenVPN IP: fdAA::CC
|
||||
Peer OpenVPN Port: 1194
|
||||
Peer OpenVPN encryption: aes256
|
||||
Peer ASN: AS222222
|
||||
Peer BGP Neighbour IPv4: Z.Z.Z.Z
|
||||
Peer BGP Neighbour IPv6: fdAA::CC
|
||||
|
||||
###Copy OpenVPN key to the ErPro
|
||||
|
||||
copy vpn key to /config/auth/giveITaName
|
||||
|
||||
sudo su
|
||||
cd /config
|
||||
mkdir auth
|
||||
cd auth
|
||||
cat > giveITaName
|
||||
|
||||
now paste the key in the terminal window, hit return once and kill cat with CTRL+C
|
||||
last thing to do is type exit
|
||||
|
||||
###Create IPv4 OpenVPN Interface
|
||||
|
||||
Set up Interface vtunX -- i used vtun0
|
||||
|
||||
configure
|
||||
set interface openssh vtun0
|
||||
set interfaces openvpn vtun0 mode site-to-site
|
||||
set interfaces openvpn vtun0 local-port 1194
|
||||
set interfaces openvpn vtun0 remote-port 1194
|
||||
set interfaces openvpn vtun0 local-address 172.AA.AA.64
|
||||
set interfaces openvpn vtun0 remote-address X.X.X.X
|
||||
set interfaces openvpn vtun0 remote-host X.X.X.Y
|
||||
set interfaces openvpn vtun0 shared-secret-key-file /config/auth/giveITaName
|
||||
set interfaces openvpn vtun0 encryption aes256
|
||||
|
||||
set interfaces openvpn vtun0 openvpn-option "--comp-lzo" //if your peer support compression
|
||||
|
||||
commit
|
||||
save
|
||||
exit
|
||||
|
||||
Now the ipv4 tunnel should be up&running
|
||||
|
||||
Check it with:
|
||||
|
||||
show interfaces openvpn
|
||||
show interfaces openvpn detail
|
||||
show openvpn status site-to-site
|
||||
|
||||
###Create IPv4 BGP Session
|
||||
|
||||
####Open Firewall
|
||||
|
||||
* You need to open the firewall to local for the tunnel Interface on port 179/tcp
|
||||
|
||||
####Configure the BGP Neighbor
|
||||
|
||||
* You must not use AS before the as numbers !!
|
||||
|
||||
With this step you create the basic bgp session
|
||||
|
||||
configure
|
||||
set protocols bgp 111111 neighbor Z.Z.Z.Z remote-as 222222
|
||||
set protocols bgp 111111 neighbor Z.Z.Z.Z soft-reconfiguration inbound
|
||||
set protocols bgp 111111 neighbor update-source 172.AA.AA.64
|
||||
commit
|
||||
save
|
||||
|
||||
When commit this configuration you should be able to see a BGP neighbor session start and come up.
|
||||
You can check this with:
|
||||
|
||||
show ip bgp summary
|
||||
|
||||
####Set route to blackhole
|
||||
|
||||
so bgp can announce the route
|
||||
|
||||
set protocols static route 172.AA.AA.64/27 blackhole
|
||||
commit
|
||||
save
|
||||
|
||||
####Announce prefix to BGP
|
||||
|
||||
set protocols bgp 111111 network 172.A.A.64/27
|
||||
commit
|
||||
save
|
||||
exit
|
||||
|
||||
You should now be able to see networks being advertised via
|
||||
|
||||
show ip bgp neighbors Z.Z.Z.Z advertised-routes
|
||||
|
||||
###Define Nameservers
|
||||
|
||||
Now ping to 172.23.0.53 ... thats the nameserver we are using
|
||||
If everything is allright it should work
|
||||
|
||||
####NS Config
|
||||
|
||||
Enter the configure mode
|
||||
|
||||
configure
|
||||
set service dns forwarding name-server 8.8.8.8
|
||||
set service dns forwarding name-server 8.8.4.4
|
||||
set service dns forwarding options rebind-domain-ok=/dn42/
|
||||
set service dns forwarding options server=/23.172.in-addr.arpa/172.23.0.53
|
||||
set service dns forwarding options server=/22.172.in-addr.arpa/172.23.0.53
|
||||
set service dns forwarding options server=/dn42/172.23.0.53
|
||||
commit
|
||||
save
|
||||
exit
|
||||
|
||||
Now try to access any .dn42 tld
|
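Review bot: this hunk deletes the whole `EdgeRouterPro-8 config example with v1.9.0` page under a `Fix Headers, Spaces` commit message; move it to a separate commit that states the reason, or replace it with a redirect to the EdgeRouter page edited earlier in this commit (`Copy OpenVPN key to the EdgeRouter`, `Announce Route to BGP`), which covers the same steps. If the page is kept instead, it needs fixes: `set interface openssh vtun0` should read `set interfaces openvpn vtun0`, and the prefix placeholder switches between `172.AA.AA.64/27` and `172.A.A.64/27`.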
@ -68,4 +68,4 @@ destination: fd42::1
|
||||
```
|
||||
|
||||
# Security
|
||||
GRE may be protected with IPsec to encrypt and authenticate traffic, [OpenIKED](http://www.openiked.org/) can be used to establish an IKEv2 session between *A* and *D*.
|
||||
GRE may be protected with IPsec to encrypt and authenticate traffic, [OpenIKED](http://www.openiked.org/) can be used to establish an IKEv2 session between *A* and *D*.
|
||||
|
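Review bot: comma splice in `GRE may be protected with IPsec to encrypt and authenticate traffic, [OpenIKED](...) can be used ...`; split into two sentences or use a semicolon.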
@ -31,4 +31,4 @@ See [GRE on FreeBSD](gre-on-freebsd).
|
||||
See [IPsec on FreeBSD](ipsec-on-freebsd).
|
||||
|
||||
## How to configure GRE + IPsec on Debian
|
||||
See [GRE + IPsec on Debian](gre-plus-ipsec-debian).
|
||||
See [GRE + IPsec on Debian](gre-plus-ipsec-debian).
|
||||
|
@ -69,4 +69,4 @@ sainfo (address a.b.c.d gre address b.c.d.e gre) {
|
||||
authentication_algorithm hmac_sha1;
|
||||
}
|
||||
|
||||
```
|
||||
```
|
||||
|
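Review bot: `authentication_algorithm hmac_sha1;` in the phase 2 `sainfo` block, while the phase 1 proposal in the racoon page edited later in this commit uses `hash_algorithm sha256;`; unless the peer cannot do better, prefer `hmac_sha256` for ESP integrity as well and say so in the text, since readers copy these blocks verbatim.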
@ -56,4 +56,4 @@ https://git.dn42.us/ryan/pubkey-converter/raw/master/pubkey-converter.pl
|
||||
1. Best practice is to generate the private key on the router itself, and not transfer it to another machine. This part should be kept secret!
|
||||
2. Generate a key of at least 2048 bits, preferably 4096 if both ends support it.
|
||||
3. Some implementations support more than one key format. The examples here only show how to use one of them (usually PEM) for brevity.
|
||||
4. RFC 3110 format is the same as that described in RFC 2537. The former obsoletes the latter.
|
||||
4. RFC 3110 format is the same as that described in RFC 2537. The former obsoletes the latter.
|
||||
|
@ -62,7 +62,7 @@ In this example, we'll use the following settings:
|
||||
foo(config-pubkey-chain)#addressed-key 192.0.2.2
|
||||
foo(config-pubkey-key)#key-string
|
||||
Enter a public key as a hexidecimal number ....
|
||||
|
||||
|
||||
foo(config-pubkey)#30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
|
||||
foo(config-pubkey)#00F3E0AA 8924E512 C08BA87C 73820A15 E5180DDC EF827221 2B3864BF B2D2A5E0
|
||||
foo(config-pubkey)#33D04C1D 43A0CAF8 617EEEBA 7DB5BD38 429660CC 3144618E 4F386201 52483DA7
|
||||
@ -128,4 +128,4 @@ In this example, we'll use the following settings:
|
||||
interface FastEthernet0/0
|
||||
description WAN
|
||||
ip address 192.0.2.1 255.255.255.0
|
||||
duplex full
|
||||
duplex full
|
||||
|
@ -55,7 +55,7 @@ remote 5.6.7.8 [500] {
|
||||
verify_cert on;
|
||||
send_cert off;
|
||||
send_cr off;
|
||||
|
||||
|
||||
proposal {
|
||||
encryption_algorithm aes 256;
|
||||
hash_algorithm sha256;
|
||||
|
@ -46,7 +46,7 @@ Load the configuration file into isakmpd: `ipsecctl -f /etc/ipsec.conf`. Once th
|
||||
FLOWS:
|
||||
flow esp in proto gre from 1.3.3.7 to 3.4.5.6 peer 1.3.3.7 srcid 3.4.5.6/32 dstid 1.3.3.7/32 type use
|
||||
flow esp out proto gre from 3.4.5.6 to 1.3.3.7 peer 1.3.3.7 srcid 3.4.5.6/32 dstid 1.3.3.7/32 type require
|
||||
|
||||
|
||||
SAD:
|
||||
esp transport from 1.3.3.7 to 3.4.5.6 spi 0xdeadbeef auth hmac-sha1 enc aes
|
||||
esp transport from 3.4.5.6 to 1.3.3.7 spi 0xf00df00d auth hmac-sha1 enc aes
|
||||
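Review bot: the printed flows are asymmetric: `flow esp in ... type use` versus `flow esp out ... type require`. `use` on the inbound flow means unprotected GRE from 1.3.3.7 is still accepted when no SA matches, so ESP is only enforced in the outbound direction; if both ends should require ESP, the `ipsec.conf` rule needs `type require` on the inbound flow too, or the text should explain why the default is acceptable here.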
@ -62,4 +62,4 @@ These settings should also be added to [`/etc/hostname.gre0`](http://man.openbsd
|
||||
|
||||
tunnel 3.4.5.6 1.3.3.7
|
||||
inet 10.20.30.0 10.20.30.1
|
||||
inet6 eui64
|
||||
inet6 eui64
|
||||
|
@ -40,4 +40,4 @@ remote 192.168.255.2 {
|
||||
|
||||
## Se also
|
||||
|
||||
[debian specific configuration](IPsecWithPublicKeys/GRE plus IPsec Debian)
|
||||
[debian specific configuration](IPsecWithPublicKeys/GRE plus IPsec Debian)
|
||||
|
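Review bot: `## Se also` is a typo for `## See also`, and the link target `IPsecWithPublicKeys/GRE plus IPsec Debian` contains unencoded spaces, which most markdown renderers cut off at the first space; wrap it in angle brackets or use the slug used elsewhere in this commit, `gre-plus-ipsec-debian`.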
@ -10,11 +10,11 @@
|
||||
# NAME KEY-SIZE
|
||||
0 PR mykey 4096-bit
|
||||
|
||||
### Exchange public keys with your peer
|
||||
## Exchange public keys with your peer
|
||||
1. Export the public key to a file.
|
||||
|
||||
[admin@mtk1] /ip ipsec key> export-pub-key mykey file-name=mykey.pub
|
||||
|
||||
|
||||
[admin@mtk1] /ip ipsec key> /file print where name=mykey.pub
|
||||
# NAME TYPE SIZE CREATION-TIME
|
||||
2 mykey.pub ssh key 451 jul/20/2014 12:35:33
|
||||
@ -52,7 +52,7 @@ In this example, we'll use the following settings:
|
||||
|
||||
[admin@mtk1] /ip ipsec key> import peer-key.pub name=peer-key
|
||||
passphrase:
|
||||
|
||||
|
||||
[admin@mtk1] /ip ipsec key> print
|
||||
Flags: P - private-key, R - rsa
|
||||
# NAME KEY-SIZE
|
||||
@ -89,4 +89,4 @@ In this example, we'll use the following settings:
|
||||
lifetime=8h local-address=192.0.2.1 remote-key=peer-key
|
||||
/ip ipsec policy
|
||||
add dst-address=192.0.2.2/32 protocol=gre sa-dst-address=192.0.2.2 \
|
||||
sa-src-address=192.0.2.1 src-address=192.0.2.1/32
|
||||
sa-src-address=192.0.2.1 src-address=192.0.2.1/32
|
||||
|
@ -4,19 +4,19 @@
|
||||
|
||||
ubnt@ubnt:~$ generate vpn rsa-key bits 4096 random /dev/urandom
|
||||
Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key
|
||||
|
||||
|
||||
Your new local RSA key has been generated
|
||||
The public portion of the key is:
|
||||
|
||||
|
||||
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
|
||||
|
||||
### Exchange public keys with your peer
|
||||
1. Display the public key. Send the key data portion to your peer.
|
||||
|
||||
ubnt@ubnt:~$ show vpn ike rsa-keys
|
||||
|
||||
|
||||
Local public key (/config/ipsec.d/rsa-keys/localhost.key):
|
||||
|
||||
|
||||
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
|
||||
|
||||
2. Convert your peer's public key to the Base64 RFC 3110 format using the [pubkey-converter][pubkey-converter] script, if necessary.
|
||||
@ -132,4 +132,4 @@ In this example, we'll use the following settings:
|
||||
rsa-key 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
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -73,13 +73,13 @@ _Note: strongSwan < 5.0.0 will read PEM-formatted **private** keys, but requires
|
||||
valid_lft forever preferred_lft forever
|
||||
root@debian:~# more /etc/ipsec.conf
|
||||
# ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
|
||||
config setup
|
||||
|
||||
|
||||
conn %default
|
||||
keyexchange=ikev1
|
||||
dpdaction=restart
|
||||
|
||||
|
||||
conn MYPEER
|
||||
# peer IPs
|
||||
left=192.0.2.1
|
||||
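Review bot: `keyexchange=ikev1` is chosen without explanation; since the page already discusses strongSwan < 5.0.0 quirks, state whether IKEv1 is required for interop with the racoon and Cisco peers documented elsewhere in this commit, and otherwise recommend `keyexchange=ikev2`. `dpdaction=restart` without a `dpddelay` line in the shown context relies on the default interval; set it explicitly or say so.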
@ -101,4 +101,4 @@ _Note: strongSwan < 5.0.0 will read PEM-formatted **private** keys, but requires
|
||||
rightprotoport=gre
|
||||
# startup
|
||||
auto=route
|
||||
keyingtries=%forever
|
||||
keyingtries=%forever
|
||||
|
@ -94,13 +94,13 @@ In this example, we'll use the following settings:
|
||||
valid_lft forever preferred_lft forever
|
||||
root@debian:~# more /etc/ipsec.conf
|
||||
# ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
|
||||
config setup
|
||||
|
||||
|
||||
conn %default
|
||||
keyexchange=ikev1
|
||||
dpdaction=restart
|
||||
|
||||
|
||||
conn MYPEER
|
||||
# peer IPs
|
||||
left=192.0.2.1
|
||||
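Review bot: this `ipsec.conf` block (`conn %default` through `conn MYPEER`, `left=192.0.2.1`) is a verbatim copy of the one in the other strongSwan page touched by this commit; keep one canonical copy and link to it from the other page, otherwise the two will drift.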
@ -127,4 +127,4 @@ If your peer is using a Cisco router and is behind NAT, then you might need to a
|
||||
rightid=NATIP
|
||||
|
||||
# See also
|
||||
* [Network settings](https://internal.dn42/howto/networksettings)
|
||||
* [Network settings](https://internal.dn42/howto/networksettings)
|
||||
|
@ -42,20 +42,20 @@ The following guide illustrates how to set up an IPv6 multicast router using [PI
|
||||
# /etc/pim6sd.conf
|
||||
# disable all interfaces by default
|
||||
default_phyint_status disable;
|
||||
|
||||
|
||||
# enable the pim-router-id interface first to acquire the correct primary address
|
||||
phyint pim-router-id enable;
|
||||
|
||||
|
||||
# add multicast-capable peer interfaces below
|
||||
phyint dn42-peer1 enable;
|
||||
|
||||
|
||||
# configure rendezvous point for the personal multicast prefix
|
||||
cand_rp pim-router-id;
|
||||
group_prefix ff7e:230:fd00:2001:db8::/96;
|
||||
```
|
||||
|
||||
The `phyint` statement enables [PIM](https://tools.ietf.org/html/rfc7761) and [MLD](https://tools.ietf.org/html/rfc2710) on the target interface - by default all interfaces are in the disable state. Enable an interface if it is directed towards a multicast-capable peer or other multicast-capable routers in your autonomous system. Also enable it for downstream network segments with multicast listeners and senders, like for example your home (W)LAN segments.
|
||||
|
||||
|
||||
With `cand_rp` and `group_prefix` statements you can configure this router as a Rendezvous Point (RP) for your personal multicast group prefix. The address on the interface given as `cand_rp` will be used as the primary address for your RP, it therefore *must* be routable.
|
||||
|
||||
---
|
||||
@ -165,4 +165,4 @@ If you want to offer an RP candidate for a shared multicast address, please read
|
||||
|
||||
ToDo:
|
||||
* We have a solution for personal multicast prefixes tied to the network prefix of an AS owner. But what to do with multicast addresses that not only have listeners but also senders globally? We could have everyone add an additional "group_prefix ff00::/8" and then multicast router with the lowest address would win and become the central RP for all these addresses... not really scalable, robust or decentral though :-/. Should we use PIM-DM for some of these addresses instead (e.g. ones which generally have a low throughput, for instance Bittorrent Local Peer Discovery)? Or maybe those global addresses should be managed and configured as /128 and people who are interested in managing a specific, global multicast address will coordinate with each other?
|
||||
* bootstrap router coordination; according to RFCs a bootstrap router can alter/filter the multicast prefixes it received from candidate RPs. Should a bootstrap router check and filter any multicast prefix that was generated from a network prefix which does not match the network prefix used by the PR?
|
||||
* bootstrap router coordination; according to RFCs a bootstrap router can alter/filter the multicast prefixes it received from candidate RPs. Should a bootstrap router check and filter any multicast prefix that was generated from a network prefix which does not match the network prefix used by the PR?
|
||||
|
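Review bot: `the network prefix used by the PR?` looks like a typo for `RP` (Rendezvous Point), the term used in the rest of the page (`cand_rp`, `offer an RP candidate`).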
@ -74,4 +74,4 @@ ip6tables -t nat -A PREROUTING -s 2000::/3 -d <PUBLIC-PREFIX>:<SUBNET>::/56 -j N
|
||||
### With Multiple Prefixes
|
||||
|
||||
## More Info
|
||||
This page is a work in progress. Please contact Fira if you feel like more information should be added here! Also see ASN 4242423218 for an example of IPv6-only AS on DN42.
|
||||
This page is a work in progress. Please contact Fira if you feel like more information should be added here! Also see ASN 4242423218 for an example of IPv6-only AS on DN42.
|
||||
|
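Review bot: `### With Multiple Prefixes` is an empty heading immediately followed by `## More Info`; either add the content or drop the heading until there is something to say, otherwise the work-in-progress note below reads as if the multiple-prefix case were covered.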
@ -54,4 +54,4 @@ graph_title $name routes
|
||||
```
|
||||
|
||||
Example installation:
|
||||
http://stats.tbspace.de/munin-cgi/munin-cgi-graph/tbspace.de/server.tbspace.de/dn42_crest_routes-day.png
|
||||
http://stats.tbspace.de/munin-cgi/munin-cgi-graph/tbspace.de/server.tbspace.de/dn42_crest_routes-day.png
|
||||
|
@ -132,4 +132,4 @@ include "/etc/dn42.roa-set"
|
||||
This is mostly OpenBSD specific since [bgplg(8)](http://man.openbsd.org/bgplg.8) and [httpd(8)](http://man.openbsd.org/httpd.8) ship as part of the operating system.
|
||||
The **bgplg** manual contains the few steps and example [httpd.conf(5)](http://man.openbsd.org/httpd.conf.5) required to enable the looking glass.
|
||||
|
||||
See https://t4-2.high5.nl/bgplg for a running instance operating within DN42.
|
||||
See https://t4-2.high5.nl/bgplg for a running instance operating within DN42.
|
||||
|
@ -80,4 +80,4 @@ You have to use this patch: https://dev.openwrt.org/changeset/35484 (monkeypatch
|
||||
|
||||
## DNS
|
||||
|
||||
See [DNS Configuration](/services/dns/Configuration). This will use the anycast dn42 DNS server to resolve `dn42` and relevant reverse domains.
|
||||
See [DNS Configuration](/services/dns/Configuration). This will use the anycast dn42 DNS server to resolve `dn42` and relevant reverse domains.
|
||||
|
@ -43,7 +43,7 @@ for IPv6 do something like
|
||||
vtysh(config-router-af)> exit
|
||||
vtysh(config-router)> exit
|
||||
vtysh(config)> exit
|
||||
|
||||
|
||||
### peer groups, prefix lists and such
|
||||
If you want to use 'prefix-list' to filter some of the prefixes quagga is receiving, you can use a 'peer-group' instead of apply the prefix list to every neighbor.
|
||||
|
||||
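Review bot: `instead of apply the prefix list to every neighbor` should read `instead of applying the prefix list to every neighbor`.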
@ -66,7 +66,7 @@ Apply a prefix list for incoming prefixes to your peer group:
|
||||
ip prefix-list vpn-in seq 5 permit 172.22.0.0/15 ge 22 le 28
|
||||
!new dn42 allocation:
|
||||
ip prefix-list vpn-in seq 10 permit 172.20.0.0/16 ge 22 le 28
|
||||
|
||||
|
||||
! Anycast /32s for Whois and DNS:
|
||||
ip prefix-list vpn-in seq 11 permit 172.22.0.43/32
|
||||
ip prefix-list vpn-in seq 12 permit 172.22.0.53/32
|
||||
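Review bot: the `vpn-in` list permits `172.22.0.0/15` and `172.20.0.0/16` (plus the two anycast /32s), which leaves `172.21.0.0/16` unlisted; if the dn42 IPv4 space is the whole `172.20.0.0/14`, routes from that /16 are dropped by this filter. Either add a `seq` entry for it or replace the two entries with a single `172.20.0.0/14 ge 22 le 28`. The `!new dn42 allocation:` comment also lacks the space after `!` that `! Anycast /32s` uses.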
@ -132,4 +132,4 @@ Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
|
||||
....
|
||||
172.23.64.1 4 4242421375 0 0 0 0 0 never Active
|
||||
fe80::deca:fbad 4 64699 902 694 0 0 0 01:23:57 486
|
||||
```
|
||||
```
|
||||
|
@ -19,7 +19,7 @@ It provides the router with validity information regarding prefix origination:
|
||||
The route announcement is covered by a ROA and the announcing AS is invalid (possibly hijacking)
|
||||
* UNKNOWN
|
||||
There exists no ROA for the route announcement
|
||||
|
||||
|
||||
## How can I implement ROA on dn42?
|
||||
|
||||
On dn42 we generate ROA information from the dn42 registry.
|
||||
@ -31,14 +31,14 @@ It is also possible to integrate this with a RTR cache server such as [gortr](ht
|
||||
You can find a hosted example of dn42regsrv at https://explorer.burble.com/
|
||||
|
||||
Instructions on how to host dn42regsrv yourself can be found on the git repo of [dn42regsrv](https://git.dn42.us/burble/dn42regsrv).
|
||||
|
||||
|
||||
You can also run dn42regsrv via docker (then available at 127.0.0.1:8042):
|
||||
|
||||
git checkout https://git.dn42.us/burble/dn42regsrv.git .
|
||||
cd contrib/docker
|
||||
./build.sh
|
||||
docker-compose up -d
|
||||
|
||||
|
||||
Documentation for the api endpoints can be found here: https://git.dn42.us/burble/dn42regsrv/src/master/API.md
|
||||
|
||||
### gortr
|
||||
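Review bot: `git checkout https://git.dn42.us/burble/dn42regsrv.git .` is not a valid way to fetch a repository (`checkout` takes a ref or path, not a URL); it should be `git clone https://git.dn42.us/burble/dn42regsrv.git` followed by `cd dn42regsrv/contrib/docker` before `./build.sh`.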
@ -57,4 +57,4 @@ TODO: Publish docker-compose-yml to git for gortr+dn42regsrv
|
||||
|
||||
### How do I integrate RTR with my BGP implementation
|
||||
|
||||
You have to consult the documentation of your implementation for that. We will provide configuration examples on the specific pages.
|
||||
You have to consult the documentation of your implementation for that. We will provide configuration examples on the specific pages.
|
||||
|
@ -16,7 +16,7 @@ The signature and verification process varies depending on the type of public ke
|
||||
|
||||
---
|
||||
|
||||
#### Finding the commit hash
|
||||
## Finding the commit hash
|
||||
|
||||
`git log` will list all the recent commits and show the commit hash:
|
||||
```
|
||||
@ -31,7 +31,7 @@ Date: Mon Jan 01 01:01:01 2020 +0000
|
||||
|
||||
PGP keys may be uploaded to a public keyserver for verification, or added in the registry.
|
||||
|
||||
#### Using a public keyserver
|
||||
### Using a public keyserver
|
||||
|
||||
- Use the following `auth` attribute in your `mntner` object:
|
||||
```
|
||||
@ -72,7 +72,7 @@ auth: ssh-<keytype> <pubkey>
|
||||
```
|
||||
There are examples below for each specific key type.
|
||||
|
||||
#### Generic process for signing with an SSH key
|
||||
### Generic process for signing with an SSH key
|
||||
|
||||
OpenSSH v8 introduced new functionality for creating signatures using SSH keys. If you have an older version, you can compile the latest version of ssh-keygen from the [openssh-portable repo](https://github.com/openssh/openssh-portable).
|
||||
|
||||
|
@ -60,4 +60,4 @@ ping %gateway4%
|
||||
pause
|
||||
ping %gateway6%
|
||||
pause
|
||||
```
|
||||
```
|
||||
|
@ -153,4 +153,4 @@ Since version 6.47 have added functionality that can redirect DNS queries accord
|
||||
```
|
||||
/ip dns static
|
||||
add comment=DN42 forward-to=172.23.0.53 regexp=".*\\.dn42" type=FWD
|
||||
```
|
||||
```
|
||||
|
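Review bot: `regexp=".*\\.dn42"` is not anchored to the end of the name, so any query whose name merely contains `.dn42` (for example `host.dn42.example.com`) is also forwarded to `172.23.0.53`; use `regexp="\\.dn42$"` (the leading `.*` is redundant) so only names ending in `.dn42` are redirected.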
@ -67,4 +67,4 @@ Check the routes with:
|
||||
There should an attribute like:
|
||||
```
|
||||
gateway=gre-dn42-peer gateway-status=gre-dn42-peer reachable
|
||||
```
|
||||
```
|
||||
|
@ -32,7 +32,7 @@ Check that ALL your vpn interfaces allow ip forwarding for ipv6/ipv4.
|
||||
$ sysctl -a | grep forwarding
|
||||
```
|
||||
|
||||
### Note on firewalls, conntrack and asymmetric routing
|
||||
## Note on firewalls, conntrack and asymmetric routing
|
||||
|
||||
Do not configure iptables/nftables to drop packets with invalid conntrack state in forward chain.
|
||||
|
||||
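Review bot: `Do not configure iptables/nftables to drop packets with invalid conntrack state in forward chain.` is broader than the problem it solves: dropping INVALID in FORWARD is a common hardening rule for the rest of the host, and only the dn42 interfaces see the asymmetric routing described. Suggest scoping the advice: exempt the dn42 tunnel interfaces (or the dn42 prefixes) from the INVALID drop rule rather than removing it globally.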
@ -41,4 +41,4 @@ but responses are fowarded via your network. This will prevent conntrack from as
|
||||
and your firewall will drop it if it is configured to drop packets with invalid state.
|
||||
|
||||
|
||||
Happy Routing!
|
||||
Happy Routing!
|
||||
|
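Review bot: "fowarded" in the hunk header context should be "forwarded"; the duplicated "Happy Routing!" line shows this hunk only adds the trailing newline, so the typo fix belongs in the same change.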
@ -200,4 +200,4 @@ Then, for each client, generate a private key and a certificate: ```./build-key
|
||||
* [IPv4 - multicast](https://en.wikipedia.org/wiki/Multicast_address#GLOP_addressing)
|
||||
* [IPv4 - GLOB calculator](http://labs.spritelink.net/glop)
|
||||
* [RFC3108 GLOP Addressing in 233/8](http://tools.ietf.org/html/rfc3180)
|
||||
* [RFC3138 Extended Assignments in 233/8](https://tools.ietf.org/html/rfc3138)
|
||||
* [RFC3138 Extended Assignments in 233/8](https://tools.ietf.org/html/rfc3138)
|
||||
|
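Review bot: the link text "[RFC3108 GLOP Addressing in 233/8]" does not match its URL, which points at rfc3180, so the number in the text should read RFC3180. "GLOB calculator" on the line above also looks like a typo for "GLOP calculator", matching the other entries.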
@ -43,4 +43,4 @@ Peer = <peer tunnel linklocal address>/128
|
||||
Address = <your DN42 ipv4>/32
|
||||
Peer = <peer DN42 ipv4>/32
|
||||
|
||||
```
|
||||
```
|
||||
|
@ -92,4 +92,4 @@ $ tinc join <invitation-url>
|
||||
|
||||
This node will then automatically generate configuration, private/public keys and will exchange this key with the other node on connection.
|
||||
|
||||
Remember to still set up your **tinc-up** script.
|
||||
Remember to still set up your **tinc-up** script.
|
||||
|
@ -1,4 +1,4 @@
|
||||
#VyOS
|
||||
# VyOS
|
||||
VyOS is an open source software router. It is feature rich and supports multiple deployment options such as physical hardware (Old PC's) or a VPC/VM. The developers have a nightly rolling release that includes all the latest features such as Wireguard.
|
||||
|
||||
It can be downloaded here https://www.vyos.io/rolling-release/.
|
||||
@ -98,41 +98,41 @@ set protocols static interface-route 172.20.50.1/32 next-hop-interface wg92
|
||||
|
||||
|
||||
|
||||
##BGP
|
||||
## BGP
|
||||
Now that we have a tunnel to our peer and theoretically can ping them, we can setup BGP.
|
||||
###Initial Router Setup
|
||||
### Initial Router Setup
|
||||
`set protocols bgp 424242XXXX address-family ipv4-unicast network 172.x.x.x\x`
|
||||
_Insert your ASN and your assigned network block. Note that this should match your exact prefix as listed in the registry; if you try to advertise a subnet of your assigned block it could get filtered by some peers._
|
||||
`set protocols bgp 424242XXX parameters router-id 172.x.x.x`
|
||||
_To keep it simple just make your router ID match your lower IP within the DN42 registered space._
|
||||
###Neighbor Up With Peers
|
||||
### Neighbor Up With Peers
|
||||
`set protocols bgp 424242XXXX neighbor 172.x.x.x address-family ipv4-unicast`
|
||||
_This is likely the same IP as the one used in your static route earlier when creating the Wireguard tunnel._
|
||||
`set protocols bgp 424242XXXX neighbor 172.x.x.x ebgp-multihop 20`
|
||||
_This setting may need to be adjusted depending on circumstances_
|
||||
`set protocols bgp 424242XXXX neighbor 172.x.x.x remote-as 424242XXXX`
|
||||
_Your peers ASN_
|
||||
|
||||
|
||||
`show ip bgp summary`
|
||||
|
||||
##RPKI/ROA Checking
|
||||
###Setup RPKI Caching Server
|
||||
## RPKI/ROA Checking
|
||||
### Setup RPKI Caching Server
|
||||
Burble has made this super easy. More info can be found [here](https://wiki.dn42/howto/ROA-slash-RPKI) on this wiki. Get started by running the below command on a Linux server with Docker installed.
|
||||
|
||||
```
|
||||
sudo docker run -ti -p 8082:8082 cloudflare/gortr -cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082
|
||||
```
|
||||
|
||||
|
||||
This will start a docker container that listens on the host server's IP at port 8082. This setup is using Cloudflare's GoRTR and automatically reaching out and downloading a custom JSON file generated by Burble just for the DN42 network.
|
||||
|
||||
###Point VyOS Router at RPKI Caching Server
|
||||
### Point VyOS Router at RPKI Caching Server
|
||||
`set protocols rpki cache GoRTR address x.x.x.x`
|
||||
|
||||
|
||||
`set protocols rpki cache GoRTR port 8082`
|
||||
|
||||
|
||||
You can check the connection with `show rpki cache-connection` and the received prefix-table with `show rpki prefix-table`.
|
||||
|
||||
###Create Route Map
|
||||
### Create Route Map
|
||||
```
|
||||
set policy route-map DN42-ROA rule 10 action 'permit'
|
||||
set policy route-map DN42-ROA rule 10 match rpki 'valid'
|
||||
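Review bot: `network 172.x.x.x\x` uses a backslash where the prefix length needs a slash (`172.x.x.x/x`), and the router-id line uses `424242XXX` while every other command in the section uses `424242XXXX`; both will trip readers who paste the commands. The GoRTR command also passes `-verify=false -checktime=false`, which turns off signature and validity-time checking of the ROA JSON, so the text should say that the HTTPS fetch from dn42.burble.com is then the only integrity protection and that these flags are specific to this unsigned file.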
@ -142,12 +142,12 @@ set policy route-map DN42-ROA rule 30 action 'deny'
|
||||
set policy route-map DN42-ROA rule 30 match rpki 'invalid'
|
||||
```
|
||||
This example allows all routes in unless they are marked invalid or in other words possibly been a victim of BGP hijacking.
|
||||
###Assign Route Map to Neighbor
|
||||
### Assign Route Map to Neighbor
|
||||
```
|
||||
set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map import DN42-ROA
|
||||
set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map export DN42-ROA
|
||||
```
|
||||
|
||||
|
||||
## Example Route Map
|
||||
### No RPKI/ROA and Internal Network Falls Into DN42 Range
|
||||
```
|
||||
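Review bot: "unless they are marked invalid or in other words possibly been a victim of BGP hijacking" is ungrammatical; suggest "unless they are marked invalid, i.e. routes that may be the result of a BGP hijack". Applying DN42-ROA as the export route-map as well is largely redundant with the import policy shown above, since invalid routes are already dropped on import; either remove the export line or say what it is meant to catch.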
@ -210,4 +210,4 @@ set protocols bgp 4242421099 neighbor x.x.x.x address-family ipv6-unicast route-
|
||||
```
|
||||
|
||||
|
||||
This page is a work-in-progress by Owens Research. If you have any suggestions or questions please reach out.
|
||||
This page is a work-in-progress by Owens Research. If you have any suggestions or questions please reach out.
|
||||
|
@ -47,7 +47,7 @@ $ ip addr add fe80::<some_random_suffix>/64 dev <interface_name>
|
||||
$ ip addr add 172.xx.xx.xx/32 peer 172.xx.xx.xx/32 dev <interface_name>
|
||||
$ ip link set <interface_name> up
|
||||
```
|
||||
|
||||
|
||||
<!-- Nurtic-Vibe has another [script](https://git.dn42.us/Nurtic-Vibe/grmml-helper/src/master/create_wg.sh) to interactively automate the peering process. -->
|
||||
|
||||
Maybe you should check the MTU to your peer with e.g. `ping -s 1472 <end_point_hostname_or_ip>`. If your output looks like `From gateway.local (192.168.0.1) icmp_seq=1 Frag needed and DF set (mtu = 1440)` substract `80` from the MTU and set it via `ip link set dev <interface_name> mtu <calculated_mtu>`
|
||||
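Review bot: "substract" should be "subtract", and the 80 bytes to subtract only holds when the WireGuard endpoint is reached over IPv6 (40-byte IPv6 header + 8 UDP + 32 WireGuard); over an IPv4 endpoint the overhead is 60 bytes, so the sentence should state which case it assumes.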
@ -101,7 +101,7 @@ Address = <your link-local address, if any>
|
||||
PostUp = /sbin/ip addr add dev %i <MyIPv4>/32 peer <PeerIPv4>/32
|
||||
PostUp = /sbin/ip addr add dev %i <MyIPv6>/128 peer <PeerIPv6>/128
|
||||
Table = off
|
||||
|
||||
|
||||
[Peer]
|
||||
Endpoint = <your peer's wireguard endpoint>
|
||||
PublicKey = <your peer's public key>
|
||||
|
@ -1,12 +1,12 @@
|
||||
#Application Programming Interfaces (APIs)
|
||||
# Application Programming Interfaces (APIs)
|
||||
This page can be useful if you are trying to automate something or if you are trying to retrieve data programmatically.
|
||||
|
||||
##ASN Authentication Solution
|
||||
## ASN Authentication Solution
|
||||
Authenticate your users by having them verify their ASN ownership with KIOUBIT-MNT using their registry-provided methods in an automated way.
|
||||
More Information in the setup tutorial: https://dn42.g-load.eu/auth/documentation/tutorial.html
|
||||
To use the service, please message Kioubit on IRC to have your domain activated.
|
||||
|
||||
##Registry REST API
|
||||
## Registry REST API
|
||||
|
||||
[dn42regsrv](https://git.dn42.us/burble/dn42regsrv) is a REST API for the DN42 registry that provides a bridge between interactive applications and the registry.
|
||||
|
||||
|
@ -68,7 +68,7 @@ wieistmeineip.dn42 also provides a telnet service that returns the address you c
|
||||
|:------------------------------------------------- |:--------------------------------------------------------------- |
|
||||
| http://stream.media.dn42/ | icecast-relay, contact toBee for more streams (DOWN 2020-11-02) |
|
||||
| http://radio.hex.dn42/ | Ambient musics |
|
||||
|
||||
|
||||
|
||||
## File Sharing
|
||||
|
||||
@ -181,4 +181,4 @@ There is a page for email Providers [here](/services/E-Mail-Providers)
|
||||
### Augsburg
|
||||
|
||||
We have a plugin that enables us to announce services in the mesh. So instead of listing them here again just have a look at http://10.11.0.8/cgi-bin/luci/freifunk/services to see what we have to offer.
|
||||
(Upload is not fast, most probably DSL speed only)
|
||||
(Upload is not fast, most probably DSL speed only)
|
||||
|
@ -2,7 +2,7 @@
|
||||
|
||||
… or the service that would make dn42 truly interesting for people (for non-technical reasons).
|
||||
|
||||
#### Criterias
|
||||
## Criterias
|
||||
|
||||
- it should be difficult to setup on the Internet (for technical or legal reasons)
|
||||
- it should interest people that are likely to know dn42 (hackerspaces, etc)
|
||||
|
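Review bot: while retitling the section, "Criterias" should be "Criteria" (already plural), and "difficult to setup" should be "difficult to set up".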
@ -54,7 +54,7 @@ To use the service, please message Kioubit on IRC to have your domain activated.
|
||||
| irc.hackint.hack/dn42 | Yes | ChaosVPN |
|
||||
| irc.dn42 | Yes | Internal IRC |
|
||||
|
||||
#### Clients
|
||||
### Clients
|
||||
|
||||
| Hostname / IP | Remarks |
|
||||
|:--------------|:--------|
|
||||
|
@ -35,4 +35,4 @@ _Note that the same warnings above also apply to the following proxies._
|
||||
|
||||
| Offline | | |
|
||||
|---------------------------------------|-------------|-------------|
|
||||
| socks5://172.20.11.33:9050 | 100 Mbit/s | twink0r |
|
||||
| socks5://172.20.11.33:9050 | 100 Mbit/s | twink0r |
|
||||
|
@ -218,7 +218,7 @@ Type=oneshot
|
||||
WorkingDirectory=/etc/ssl/dn42
|
||||
ExecStart=/etc/ssl/dn42/ca.dn42 tls-sign wiki.dn42 MIC92-MNT
|
||||
# accept multiple ExecStart lines for other certificates
|
||||
#ExecStart=/etc/ssl/dn42/ca.dn42 tls-sign foobar.dn42 MIC92-MNT
|
||||
# ExecStart=/etc/ssl/dn42/ca.dn42 tls-sign foobar.dn42 MIC92-MNT
|
||||
ExecStart=/usr/bin/nginx -s reload
|
||||
```
|
||||
|
||||
@ -239,4 +239,4 @@ OK
|
||||
```
|
||||
|
||||
## Certificate transparency
|
||||
All issued certificates will be logged to [xuu's mattermost instance](https://teams.dn42/dn42/channels/tls-certificates).
|
||||
All issued certificates will be logged to [xuu's mattermost instance](https://teams.dn42/dn42/channels/tls-certificates).
|
||||
|
@ -168,4 +168,4 @@ $ update-ca-certificates
|
||||
|
||||
## PKI Store
|
||||
|
||||
All issued keys and crl information are posted at: https://ca.dn42/
|
||||
All issued keys and crl information are posted at: https://ca.dn42/
|
||||
|
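Review bot: "All issued keys and crl information are posted at" should say "issued certificates and CRL information"; a PKI store publishes certificates and revocation lists, never private keys, and a reader could take "keys" literally.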
@ -1 +1 @@
|
||||
tba
|
||||
tba
|
||||
|
@ -36,7 +36,7 @@ Since gollum is built on top of Git, it is not overly complicated to keep the lo
|
||||
|
||||
- Contact [XUU-DN42](https://io.nixnodes.net?t=person&l=XUU-DN42) and ask for write access to the repo
|
||||
- Setup cron for periodic pull/push jobs for the repo (simple example):
|
||||
|
||||
|
||||
+ **wiki-sync.sh**:
|
||||
|
||||
```sh
|
||||
@ -62,7 +62,7 @@ exit 0
|
||||
|
||||
- Install [gollum](https://github.com/gollum/gollum)
|
||||
- Start two gollum instances, read-only and read/write on `127.0.0.1`:
|
||||
|
||||
|
||||
Read/write (SSL only):
|
||||
```
|
||||
RACK_ENV=production gollum --css --host 127.0.0.1 --port 4568 <path>
|
||||
@ -76,7 +76,7 @@ RACK_ENV=production gollum --css --host 127.0.0.1 --port 4567 --no-edit <path>
|
||||
|
||||
## Nginx reverse proxy
|
||||
|
||||
#### SSL
|
||||
### SSL
|
||||
|
||||
- Setup your maintainer object according to [Automatic CA](/services/Automatic-CA)
|
||||
- Generate a [CSR](/services/Certificate-Authority) and send DNS Key Pin to [xuu@sour.is](mailto:xuu@sour.is):
|
||||
@ -138,7 +138,7 @@ Nginx should listen on a unicast address as well, so your site can be reached ex
|
||||
```
|
||||
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
|
||||
ssl_session_cache shared:SSL:2m;
|
||||
|
||||
|
||||
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
|
||||
|
||||
ssl_prefer_server_ciphers on;
|
||||
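Review bot: the nginx snippet this blank-line change sits in still carries `ssl_protocols TLSv1.2 TLSv1.1 TLSv1;` and a cipher list that ends in `AES:CAMELLIA:DES-CBC3-SHA`, which re-admits 3DES and non-forward-secret suites; since the wiki is editable only over HTTPS, suggest `ssl_protocols TLSv1.2 TLSv1.3;` (TLSv1.3 where the OpenSSL build supports it) and trimming the list to the ECDHE/DHE AES-GCM entries at its head.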
@ -188,7 +188,7 @@ server {
|
||||
|
||||
## ExaBGP
|
||||
|
||||
#### Announcing
|
||||
### Announcing
|
||||
|
||||
The prefix AS-PATH should show the announcement is originating from your AS. After peering ExaBGP to the nearest speaker(s), check if the prefix is routing properly inside your network. Try not to blackhole the passing traffic (e.g. no static routes to `172.23.0.80/32`). Test the whole thing by shutting down nginx/gollum and watch what happens.
|
||||
|
||||
@ -247,7 +247,7 @@ URL=("http://172.23.0.80" "https://172.23.0.80" "http://[fd42:d42:d42:80::1]" "h
|
||||
ROUTE='172.23.0.80/32'
|
||||
## the anycast v6 route (/64 due to prefix size limits)
|
||||
ROUTE6='fd42:d42:d42:80::/64'
|
||||
|
||||
|
||||
## the next-hop we'll be advertising to neighbor(s)
|
||||
NEXTHOP='<source-address>'
|
||||
NEXTHOP6='<source-address-v6>'
|
||||
@ -258,15 +258,15 @@ VALIDATE_KEYWORD='gollum'
|
||||
INTERVAL=60
|
||||
|
||||
###########################
|
||||
|
||||
|
||||
RUN_STATE=0
|
||||
|
||||
|
||||
check_urls() {
|
||||
for url in "${URL[@]}"; do
|
||||
|
||||
|
||||
## workaround curl errno 23 when piping
|
||||
http_response=`${CURL} --insecure -g -s -L -o - "${url}"`
|
||||
|
||||
|
||||
echo "${http_response}" | egrep -q "${VALIDATE_KEYWORD}" || {
|
||||
return 1
|
||||
}
|
||||
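Review bot: `check_urls` fetches with `--insecure`, so a listener presenting any certificate at all passes the health check that decides whether the anycast route is announced; either state that this is deliberate or pass `--cacert` with the dn42 CA certificate. Style: the backtick command substitution should be `$(...)` and `egrep` should be `grep -E`.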
@ -293,7 +293,7 @@ while [ 1 ]; do
|
||||
fi
|
||||
|
||||
sleep ${INTERVAL}
|
||||
|
||||
|
||||
done
|
||||
|
||||
exit 0
|
||||
@ -325,7 +325,7 @@ start() {
|
||||
cpid=$!
|
||||
[ ${cpid} -eq 0 ] && {
|
||||
echo "ERROR: could not start process"; return 1
|
||||
|
||||
|
||||
}
|
||||
echo ${cpid} > ${PID_FILE}
|
||||
}
|
||||
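Review bot: the `[ ${cpid} -eq 0 ] && { ... }` check in `start()` never fires: `$!` holds the PID of the backgrounded job and is never 0, and if no job was started it is empty and `[` errors out. Suggest a short sleep followed by `kill -0 "${cpid}" 2>/dev/null || { echo "ERROR: could not start process"; return 1; }`, and quote `${PID_FILE}` on the echo line.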
@ -356,4 +356,4 @@ exit 0
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -3,4 +3,4 @@ If you have an E-Mail service and would like to test it's functionality, send an
|
||||
**Free E-Mail Addresses for DN42 Users.**
|
||||
* DN42 Mail, https://dmail.dn42
|
||||
* Free, easy to sign up, unlimited internal emailing. Hosted by zane_reick
|
||||
* Register at https://dmail.dn42/register/register.php
|
||||
* Register at https://dmail.dn42/register/register.php
|
||||
|
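Review bot: "test it's functionality" in the hunk header context should be "test its functionality".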
@ -15,4 +15,4 @@ points of failure and are no longer operating
|
||||
|
||||
The NL-Zuid website is also available from the public internet: https://nl-zuid.nl
|
||||
|
||||
Its generally recommended to only announce prefixes from your own network and that of your transit customers.
|
||||
Its generally recommended to only announce prefixes from your own network and that of your transit customers.
|
||||
|
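Review bot: "Its generally recommended" should be "It's generally recommended"; the duplicated line shows this hunk only adds the trailing newline, so the fix fits here.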
@ -48,4 +48,4 @@ If someone is willing to experiment we could try allowing reinvites. This way al
|
||||
* Phone #: +493727/959023
|
||||
* Sipgate: 5884293
|
||||
* SIP: maxx(at)maxx.spaceboyz.net
|
||||
* Transcoding from/into G.729 works fine now, thanks to some precompiled versions for asterisk.
|
||||
* Transcoding from/into G.729 works fine now, thanks to some precompiled versions for asterisk.
|
||||
|
@ -23,4 +23,4 @@ Remember, if you announce an anycast /64, then you need to provide **all** servi
|
||||
### Future services
|
||||
|
||||
- streaming
|
||||
- other kind of DNS (authoritative-only, recursive for `dn42` only)
|
||||
- other kind of DNS (authoritative-only, recursive for `dn42` only)
|
||||
|
@ -49,4 +49,4 @@ The set of valid KSKs can be found in the registry.
|
||||
|
||||
* [DNS Quick Start](/DNS)
|
||||
* [Old Hierarchical DNS](/Old-Hierarchical-DNS)
|
||||
* [Original DNS (deprecated)](/Original-DNS-(deprecated))
|
||||
* [Original DNS (deprecated)](/Original-DNS-(deprecated))
|
||||
|
@ -10,4 +10,4 @@
|
||||
|----|----|----|----|----|----|
|
||||
| cronix | _down_ | news.crystalnet.dn42 | _yes_ | as requested | _no_ |
|
||||
| UFO | _down_ | [UCIS.ano news](http://cgiproxy.ucis.dn42/nph-proxy.cgi/00/http/www.ucis.ano/news/) | _no_ | anonet, dn42 | _limited_ |
|
||||
| SeekingFor | _down_ | [AnoNet News](http://cgiproxy.ucis.dn42/nph-proxy.cgi/00/http/news.sfor.ano/) | _yes_ | anonet, dn42 | _no_ |
|
||||
| SeekingFor | _down_ | [AnoNet News](http://cgiproxy.ucis.dn42/nph-proxy.cgi/00/http/news.sfor.ano/) | _yes_ | anonet, dn42 | _no_ |
|
||||
|
@ -46,4 +46,4 @@ Contact one of the root-servers.dn42 operators if you wish to set up a root/zone
|
||||
|
||||
You may want to set up a resolver, see link below or use 172.23.0.53 directly.
|
||||
|
||||
Techical information available [here](https://nixnodes.net/wiki/n/DN42_DNS)
|
||||
Techical information available [here](https://nixnodes.net/wiki/n/DN42_DNS)
|
||||
|
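Review bot: "Techical information" should be "Technical information".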
@ -43,4 +43,4 @@ See [Providing Anycast DNS](/Providing Anycast DNS).
|
||||
|
||||
## [Old Hierarchical DNS](/Old Hierarchical DNS)
|
||||
|
||||
This is a new effort to build a DNS system that mirrors how DNS was designed to work in clearnet.
|
||||
This is a new effort to build a DNS system that mirrors how DNS was designed to work in clearnet.
|
||||
|
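Review bot: the heading says "Old Hierarchical DNS" while the paragraph under it calls it "a new effort"; one of them is stale, and the paragraph should say which design this is (for instance that it is the older design now superseded).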
@ -37,7 +37,7 @@ protocol bgp ROUTE_COLLECTOR
|
||||
ipv4 {
|
||||
# export all available paths to the collector
|
||||
add paths tx;
|
||||
|
||||
|
||||
# import/export filters
|
||||
import none;
|
||||
export filter {
|
||||
|
@ -112,4 +112,4 @@ user root
|
||||
fi
|
||||
# Measure Section ##########
|
||||
```
|
||||
* restart munin-node
|
||||
* restart munin-node
|
||||
|
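Review bot: the hunk header context shows the plugin configured with `user root`; the doc should say why root is required, since a munin plugin that parses network-derived data is better run as a dedicated user or with group access to whatever socket or file it needs.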
@ -30,4 +30,4 @@ With `bin/tahoe start` you start your local node.
|
||||
You can reach the local node via web browser at [http://localhost:3456](http://localhost:3456).
|
||||
|
||||
## Further informations
|
||||
Look at https://tahoe-lafs.org for further information.
|
||||
Look at https://tahoe-lafs.org for further information.
|
||||
|
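Review bot: "Further informations" should be "Further information".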
@ -2,7 +2,7 @@
|
||||
|
||||
Previously, some DN42 users had provided VMs to the community, but it is not known if any of these are currently active any more. The list of old providers is below the break.
|
||||
|
||||
#### burble.dn42
|
||||
## burble.dn42
|
||||
|
||||
If you have a DN42 project but do not have the resources to host it yourself, the burble.dn42 network may be able to provide hosting for you. Contact burble on IRC or via email to discuss.
|
||||
|
||||
@ -13,7 +13,7 @@ If you have a DN42 project but do not have the resources to host it yourself, th
|
||||
|
||||
---
|
||||
|
||||
#### Old Providers:
|
||||
### Old Providers:
|
||||
|
||||
| Person | RAM | HDD | Net | CPU | Description | No. Available
|
||||
|:------------- |:------ |:--------- |:---------- |:---------- |:-------------------------- |:--------------------------|
|
||||
@ -21,4 +21,4 @@ If you have a DN42 project but do not have the resources to host it yourself, th
|
||||
| florianb | 384 MB | 5 GB | dn42 only | 1x 2.2Ghz | OpenVZ in Germany, good peers | always enough
|
||||
| nellicus | 384 MB | 5 - 10 GB | dn42 only | 1x 2.6Ghz | Xen/KVM Washington, DC USA | 0
|
||||
|Basil | 256 MB | 20 GB | dn42, NAT v4, /64 v6 | 1x 3.4Ghz | KVM, Gravelines, France | Always enough
|
||||
| KaiRaphixx (AS4242422506) | 512 MB - 4096 MB | 20 GB SSD / 50 GB HDD | dn42, NAT v4 (only Internet-Connection, No Port-Forwarding) | 1x - 2x 3.5 Ghz | KVM, Falkenstein, Germany | Always enough
|
||||
| KaiRaphixx (AS4242422506) | 512 MB - 4096 MB | 20 GB SSD / 50 GB HDD | dn42, NAT v4 (only Internet-Connection, No Port-Forwarding) | 1x - 2x 3.5 Ghz | KVM, Falkenstein, Germany | Always enough
|
||||
|
@ -90,7 +90,7 @@ We have anycast IPv4 and IPv6, both reachable under whois.dn42. IPs are 172.22.0
|
||||
| burble | whois.burble.dn42 | 172.20.129.8 / fd42:4242:2601:ac43::1 |
|
||||
| taavi | whois.svc.as4242423270.dn42 | 172.22.130.143 / fd96:70f6:b174:<span>ac</span>::43 |
|
||||
|
||||
### Down?
|
||||
## Down?
|
||||
|
||||
| **person** | **dns** | **ip** |
|
||||
|------------|---------------------------|-----------------|
|
||||
|
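Review bot: the taavi row contains `fd96:70f6:b174:<span>ac</span>::43`; the `<span>` tags look like an escaping leftover and make the address wrong when copied. If they exist to stop the renderer from mangling `:ac:`, say so in a comment; otherwise the cell should read `fd96:70f6:b174:ac::43`.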
@ -74,7 +74,7 @@ To disable DNSSEC validation only for certain TLDs include the following in the
|
||||
```
|
||||
options {
|
||||
# [...]
|
||||
|
||||
|
||||
validate-except {
|
||||
"dn42";
|
||||
"20.172.in-addr.arpa";
|
||||
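Review bot: the `validate-except` list visible here stops at `"20.172.in-addr.arpa"`, while the MS DNS section touched in this same commit forwards `20.172`, `21.172`, `22.172`, `23.172` and `10.in-addr.arpa`; check that the BIND list covers the same reverse zones, otherwise the omitted ones keep full DNSSEC validation while the forward zone does not.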
@ -254,4 +254,4 @@ system {
|
||||
```
|
||||
|
||||
## MS DNS
|
||||
Add a "Conditional Forward" (de: "Bedingte Weiterleitung") for each of "dn42", "20.172.in-addr.arpa", "21.172.in-addr.arpa", "22.172.in-addr.arpa", "23.172.in-addr.arpa", "10.in-addr.arpa" using 172.20.0.53 as forwarder. Ignore the error message that the server is not authoritative.
|
||||
Add a "Conditional Forward" (de: "Bedingte Weiterleitung") for each of "dn42", "20.172.in-addr.arpa", "21.172.in-addr.arpa", "22.172.in-addr.arpa", "23.172.in-addr.arpa", "10.in-addr.arpa" using 172.20.0.53 as forwarder. Ignore the error message that the server is not authoritative.
|
||||
|
@ -31,4 +31,4 @@ NeoNetwork zone files can be found here: https://github.com/NeoCloud/NeoNetwork/
|
||||
|
||||
## Configuration
|
||||
|
||||
See [DNS forwarding configuration](/services/dns/Configuration).
|
||||
See [DNS forwarding configuration](/services/dns/Configuration).
|
||||
|
@ -1,4 +1,4 @@
|
||||
#DEPRECATED - Please have a look at [Hierarchical DNS](https://internal.dn42/Hierarchical-DNS) instead
|
||||
# DEPRECATED - Please have a look at [Hierarchical DNS](https://internal.dn42/Hierarchical-DNS) instead
|
||||
|
||||
You may want to participate in the anycast DNS cloud.
|
||||
|
||||
@ -63,4 +63,4 @@ There are a few different scripts for generating zone files. They have been writ
|
||||
| xuu |ON,CA| 64737 | souris.root.dn42 (fdea:a15a:77b9:53::1) | |
|
||||
| Nurtic-Vibe |EU |4242420123 | ns1.grmml.dn42 (fd42:23:149:cccc::53) ||
|
||||
| hax404 | DE | 76114 | chero.hax404.dn42 (fd58:eb75:347d:101::1) ||
|
||||
| florianb | AT | 4242423955 | resolver.flo.dn42 (fd42:d42:d42:53::1) | advertisted in BGP |
|
||||
| florianb | AT | 4242423955 | resolver.flo.dn42 (fd42:d42:d42:53::1) | advertisted in BGP |
|
||||
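Review bot: "advertisted in BGP" should be "advertised in BGP"; the duplicated florianb row shows this hunk only adds the trailing newline, so the typo fix fits here.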