mirror of https://git.dn42.dev/wiki/wiki.git synced 2024-11-23 07:43:29 +01:00

Fix Headers, Spaces

This commit is contained in:
KIOUBIT-MNT 2021-06-01 00:48:53 +03:00
parent 570bc4abde
commit c10f15e424
68 changed files with 138 additions and 352 deletions

FAQ.md
View File

@ -1,5 +1,5 @@
### How do I connect to DN42?
## How do I connect to DN42?
We have a [page](/howto/Getting-started) for that!

View File

@ -77,6 +77,6 @@ The [Getting started](/howto/Getting-Started) page helps you to get your first n
This wiki is the main reference about dn42. It is available in read-only mode from the Internet [here](https://wiki.dn42.us) or [here](https://dn42.dev) or [here](https://dn42.tk) or [here](https://dn42.eu), [tor](http://jsptropkiix3ki5u.onion) and [i2p](http://beb6v2i4jevo72vvnx6segsk4zv3pu3prbwcfuta3bzrcv7boy2q.b32.i2p/) and for editing from within dn42, at [https://wiki.dn42](https://wiki.dn42) - [https](services/Certificate-Authority) required for editing.
#### DN42 Logo
### DN42 Logo
An svg of the DN42 Logo is available [here](/dn42.svg).

View File

@ -1,66 +0,0 @@
# DN42 peering on Extreme Summit 1i
Here i'll show how to configure DN42 peering via BGP on an old Extreme Networks [Summit 1i](http://docs.google.com/viewer?url=https://www.mtmnet.com/PDF_FILES/summit1i.pdf) routing switch. This how-to should be also applicable to any other 'i'-series switch.
## Caveats
Looks like ExtremeWare doesn't support any tunneling mechanism in contrast to ExtremeWare IPv6 or ExtremeXOS operating systems. So you need either put your switch behind the router which will do tunneling with DN42 participant or directly connect the switch to our network, if that possible.
## Snipplet
This configuration was tested on latest EW of 7.8.4.1 patch1-r4 version. But it should work on most of older releases as well.
## DN42 should go both in internal (for clients) and external VLANs
create vlan svlan
configure vlan svlan ipaddress 192.168.1.100/24
# Adding an alias
enable multinetting standard
configure vlan svlan add secondary-ip 172.22.251.2/23
...
enable ipforwarding
configure vlan svlan add subvlan ext
...
# It is worth to filter alien nets
create access-list deny_int ip destination any source 192.168.1.0/24 deny ports 2-16
...
##
# Adding route to a neighbor
configure iproute add 172.22.151.1/32 172.22.251.1
configure bgp soft-reconfiguration
configure bgp AS-number 65534
configure bgp routerid 172.22.251.2
enable bgp
Now, if you're trying EBGP with your peer:
# Announce our network
configure bgp add network 172.22.151.0/23
create bgp neighbor 172.22.151.1 remote-AS-number 65535
# Point to a proper outgoing interface, useless in case when Super VLAN is used
#configure bgp neighbor 172.22.151.1 source-interface vlan ext
enable bgp neighbor 172.22.151.1
Or IBGP (local router does the EBGP in following example):
# Don't wait for an EBGP
disable bgp synchronization
create bgp neighbor 192.168.1.1 remote-AS-number 65534
enable bgp neighbor 192.168.1.1
Next, you may diagnose the things doing:
show bgp
show bgp neighbor
show bgp neighbor 172.22.151.1 received-routes all
show bgp neighbor 172.22.151.1 transmitted-routes all
After that ping and traceroute are your mates. It is worth to point switch to the DNS which knows .dn42 zone:
`configure dns-client add name-server 192.168.1.1`
And use names.
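Review bot: deleting the entire Extreme Summit 1i how-to (66 lines) goes well beyond what a commit titled "Fix Headers, Spaces" leads a reader to expect. Either move the removal into its own commit whose message states why the page is going (its own Caveats section already notes that ExtremeWare lacks tunnelling support, which may be the reason), or keep the page and mark it deprecated in the style this wiki already uses (`# DEPRECATED - Please have a look at ... instead`). In either case, check the wiki for links pointing at this page so the deletion does not leave them dangling.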

View File

@ -26,7 +26,7 @@ Note: This file covers the configuration of Bird 1.x. For an example configurati
* Replace `<PEER_AS>` the Autonomous System Number of your peer (only the digits)
* Replace `<PEER_NAME>` a self chosen name for your peer
### IPv6
## IPv6
```
#/etc/bird/bird6.conf

View File

@ -7,7 +7,7 @@ Running email in dn42 is not very complicated. Your SMTP daemon probably alread
## Redirect
~~There are forwarding rules for _PERSON_ @ dn42.org to the mail addresses which have been given in the registry. Please note that the trailing `-DN42` is stripped from the local part.~~
####Example####
### Example
| Handle | Alias | Redirection |
|:------------ |:-------------- |:--------------------- |

View File

@ -1,148 +0,0 @@
#EdgeRouterPro-8 config example with v1.9.0
After a lot of searching and trying I [Phil/ALS7] finnaly got a working config
Also thanx to drathir for his patience and support
##Features
* IPv4/IPv6 Tunnel via OpenVPN
* dn42 DNS
##How-To
--> still work in Progress
* Basic EdgeOS knowledge is required
1) you need to create all required fields in the registry --> look at [Getting Started](/Getting-Started) page
2) get a peer --> ask nice @ [IRC](/IRC)
3) You need following data from the peer
--tunnel options, secret key --ASN from the peer --ip's
...
The data i used are the following:
Own ASN: AS111111
Own IPv4: 172.AA.AA.64/27
Own IPv6: fdBB:BBBB:CCCC::/48
Peer OpenVPN Remote Address: X.X.X.X
Peer OpenVPN Remote Host: X.X.X.Y
Peer OpenVPN IP for you: fdAA::BBB/64
Peer OpenVPN IP: fdAA::CC
Peer OpenVPN Port: 1194
Peer OpenVPN encryption: aes256
Peer ASN: AS222222
Peer BGP Neighbour IPv4: Z.Z.Z.Z
Peer BGP Neighbour IPv6: fdAA::CC
###Copy OpenVPN key to the ErPro
copy vpn key to /config/auth/giveITaName
sudo su
cd /config
mkdir auth
cd auth
cat > giveITaName
now paste the key in the terminal window, hit return once and kill cat with CTRL+C
last thing to do is type exit
###Create IPv4 OpenVPN Interface
Set up Interface vtunX -- i used vtun0
configure
set interface openssh vtun0
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 local-port 1194
set interfaces openvpn vtun0 remote-port 1194
set interfaces openvpn vtun0 local-address 172.AA.AA.64
set interfaces openvpn vtun0 remote-address X.X.X.X
set interfaces openvpn vtun0 remote-host X.X.X.Y
set interfaces openvpn vtun0 shared-secret-key-file /config/auth/giveITaName
set interfaces openvpn vtun0 encryption aes256
set interfaces openvpn vtun0 openvpn-option "--comp-lzo" //if your peer support compression
commit
save
exit
Now the ipv4 tunnel should be up&running
Check it with:
show interfaces openvpn
show interfaces openvpn detail
show openvpn status site-to-site
###Create IPv4 BGP Session
####Open Firewall
* You need to open the firewall to local for the tunnel Interface on port 179/tcp
####Configure the BGP Neighbor
* You must not use AS before the as numbers !!
With this step you create the basic bgp session
configure
set protocols bgp 111111 neighbor Z.Z.Z.Z remote-as 222222
set protocols bgp 111111 neighbor Z.Z.Z.Z soft-reconfiguration inbound
set protocols bgp 111111 neighbor update-source 172.AA.AA.64
commit
save
When commit this configuration you should be able to see a BGP neighbor session start and come up.
You can check this with:
show ip bgp summary
####Set route to blackhole
so bgp can announce the route
set protocols static route 172.AA.AA.64/27 blackhole
commit
save
####Announce prefix to BGP
set protocols bgp 111111 network 172.A.A.64/27
commit
save
exit
You should now be able to see networks being advertised via
show ip bgp neighbors Z.Z.Z.Z advertised-routes
###Define Nameservers
Now ping to 172.23.0.53 ... thats the nameserver we are using
If everything is allright it should work
####NS Config
Enter the configure mode
configure
set service dns forwarding name-server 8.8.8.8
set service dns forwarding name-server 8.8.4.4
set service dns forwarding options rebind-domain-ok=/dn42/
set service dns forwarding options server=/23.172.in-addr.arpa/172.23.0.53
set service dns forwarding options server=/22.172.in-addr.arpa/172.23.0.53
set service dns forwarding options server=/dn42/172.23.0.53
commit
save
exit
Now try to access any .dn42 tld
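Review bot: same scope concern as the other full-page deletion: 148 lines of EdgeRouter configuration disappear under a header/whitespace commit message with no replacement linked. The page called itself "still work in Progress" and carries visible mistakes (`set interface openssh vtun0` where the following lines use `set interfaces openvpn`, and `172.A.A.64/27` on the network line versus `172.AA.AA.64/27` everywhere else), so removing it may well be the right call, but the commit message should say so and any pages that link here should be updated in the same change.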

View File

@ -10,7 +10,7 @@
# NAME KEY-SIZE
0 PR mykey 4096-bit
### Exchange public keys with your peer
## Exchange public keys with your peer
1. Export the public key to a file.
[admin@mtk1] /ip ipsec key> export-pub-key mykey file-name=mykey.pub

View File

@ -16,7 +16,7 @@ The signature and verification process varies depending on the type of public ke
---
#### Finding the commit hash
## Finding the commit hash
`git log` will list all the recent commits and show the commit hash:
```
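Review bot: the three hunks in this file promote headings by different amounts: `#### Finding the commit hash` becomes `##` here, while `#### Using a public keyserver` and `#### Generic process for signing with an SSH key` further down become `###`. That is consistent only if "Finding the commit hash" is meant to be a top-level section of its own and the other two remain subsections of their PGP and SSH sections; please confirm against the rendered table of contents, because a stray `##` would split the per-key-type material.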
@ -31,7 +31,7 @@ Date: Mon Jan 01 01:01:01 2020 +0000
PGP keys may be uploaded to a public keyserver for verification, or added in the registry.
#### Using a public keyserver
### Using a public keyserver
- Use the following `auth` attribute in your `mntner` object:
```
@ -72,7 +72,7 @@ auth: ssh-<keytype> <pubkey>
```
There are examples below for each specific key type.
#### Generic process for signing with an SSH key
### Generic process for signing with an SSH key
OpenSSH v8 introduced new functionality for creating signatures using SSH keys. If you have an older version, you can compile the latest version of ssh-keygen from the [openssh-portable repo](https://github.com/openssh/openssh-portable).

View File

@ -32,7 +32,7 @@ Check that ALL your vpn interfaces allow ip forwarding for ipv6/ipv4.
$ sysctl -a | grep forwarding
```
### Note on firewalls, conntrack and asymmetric routing
## Note on firewalls, conntrack and asymmetric routing
Do not configure iptables/nftables to drop packets with invalid conntrack state in forward chain.

View File

@ -1,4 +1,4 @@
#VyOS
# VyOS
VyOS is an open source software router. It is feature rich and supports multiple deployment options such as physical hardware (Old PC's) or a VPC/VM. The developers have a nightly rolling release that includes all the latest features such as Wireguard.
It can be downloaded here https://www.vyos.io/rolling-release/.
@ -98,14 +98,14 @@ set protocols static interface-route 172.20.50.1/32 next-hop-interface wg92
##BGP
## BGP
Now that we have a tunnel to our peer and theoretically can ping them, we can setup BGP.
###Initial Router Setup
### Initial Router Setup
`set protocols bgp 424242XXXX address-family ipv4-unicast network 172.x.x.x\x`
_Insert your ASN and your assigned network block. Note that this should match your exact prefix as listed in the registry; if you try to advertise a subnet of your assigned block it could get filtered by some peers._
`set protocols bgp 424242XXX parameters router-id 172.x.x.x`
_To keep it simple just make your router ID match your lower IP within the DN42 registered space._
###Neighbor Up With Peers
### Neighbor Up With Peers
`set protocols bgp 424242XXXX neighbor 172.x.x.x address-family ipv4-unicast`
_This is likely the same IP as the one used in your static route earlier when creating the Wireguard tunnel._
`set protocols bgp 424242XXXX neighbor 172.x.x.x ebgp-multihop 20`
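Review bot: while this file is being touched, two placeholder typos in the unchanged context lines are worth fixing in the same pass: `network 172.x.x.x\x` uses a backslash where the prefix-length separator should be `/`, and `424242XXX` on the `router-id` line has one fewer X than the `424242XXXX` placeholder used on every other command, which reads as if the ASN were a different length.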
@ -115,8 +115,8 @@ _Your peers ASN_
`show ip bgp summary`
##RPKI/ROA Checking
###Setup RPKI Caching Server
## RPKI/ROA Checking
### Setup RPKI Caching Server
Burble has made this super easy. More info can be found [here](https://wiki.dn42/howto/ROA-slash-RPKI) on this wiki. Get started by running the below command on a Linux server with Docker installed.
```
@ -125,14 +125,14 @@ sudo docker run -ti -p 8082:8082 cloudflare/gortr -cache https://dn42.burble.com
This will start a docker container that listens on the host server's IP at port 8082. This setup is using Cloudflare's GoRTR and automatically reaching out and downloading a custom JSON file generated by Burble just for the DN42 network.
###Point VyOS Router at RPKI Caching Server
### Point VyOS Router at RPKI Caching Server
`set protocols rpki cache GoRTR address x.x.x.x`
`set protocols rpki cache GoRTR port 8082`
You can check the connection with `show rpki cache-connection` and the received prefix-table with `show rpki prefix-table`.
###Create Route Map
### Create Route Map
```
set policy route-map DN42-ROA rule 10 action 'permit'
set policy route-map DN42-ROA rule 10 match rpki 'valid'
@ -142,7 +142,7 @@ set policy route-map DN42-ROA rule 30 action 'deny'
set policy route-map DN42-ROA rule 30 match rpki 'invalid'
```
This example allows all routes in unless they are marked invalid or in other words possibly been a victim of BGP hijacking.
###Assign Route Map to Neighbor
### Assign Route Map to Neighbor
```
set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map import DN42-ROA
set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map export DN42-ROA

View File

@ -1,12 +1,12 @@
#Application Programming Interfaces (APIs)
# Application Programming Interfaces (APIs)
This page can be useful if you are trying to automate something or if you are trying to retrieve data programmatically.
##ASN Authentication Solution
## ASN Authentication Solution
Authenticate your users by having them verify their ASN ownership with KIOUBIT-MNT using their registry-provided methods in an automated way.
More Information in the setup tutorial: https://dn42.g-load.eu/auth/documentation/tutorial.html
To use the service, please message Kioubit on IRC to have your domain activated.
##Registry REST API
## Registry REST API
[dn42regsrv](https://git.dn42.us/burble/dn42regsrv) is a REST API for the DN42 registry that provides a bridge between interactive applications and the registry.

View File

@ -2,7 +2,7 @@
… or the service that would make dn42 truly interesting for people (for non-technical reasons).
#### Criterias
## Criterias
- it should be difficult to setup on the Internet (for technical or legal reasons)
- it should interest people that are likely to know dn42 (hackerspaces, etc)
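Review bot: the rewritten heading `## Criterias` keeps a misspelling from the old line; since the line is being changed anyway, `## Criteria` (already the plural) would be the correct form.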

View File

@ -54,7 +54,7 @@ To use the service, please message Kioubit on IRC to have your domain activated.
| irc.hackint.hack/dn42 | Yes | ChaosVPN |
| irc.dn42 | Yes | Internal IRC |
#### Clients
### Clients
| Hostname / IP | Remarks |
|:--------------|:--------|

View File

@ -218,7 +218,7 @@ Type=oneshot
WorkingDirectory=/etc/ssl/dn42
ExecStart=/etc/ssl/dn42/ca.dn42 tls-sign wiki.dn42 MIC92-MNT
# accept multiple ExecStart lines for other certificates
#ExecStart=/etc/ssl/dn42/ca.dn42 tls-sign foobar.dn42 MIC92-MNT
# ExecStart=/etc/ssl/dn42/ca.dn42 tls-sign foobar.dn42 MIC92-MNT
ExecStart=/usr/bin/nginx -s reload
```

View File

@ -76,7 +76,7 @@ RACK_ENV=production gollum --css --host 127.0.0.1 --port 4567 --no-edit <path>
## Nginx reverse proxy
#### SSL
### SSL
- Setup your maintainer object according to [Automatic CA](/services/Automatic-CA)
- Generate a [CSR](/services/Certificate-Authority) and send DNS Key Pin to [xuu@sour.is](mailto:xuu@sour.is):
@ -188,7 +188,7 @@ server {
## ExaBGP
#### Announcing
### Announcing
The prefix AS-PATH should show the announcement is originating from your AS. After peering ExaBGP to the nearest speaker(s), check if the prefix is routing properly inside your network. Try not to blackhole the passing traffic (e.g. no static routes to `172.23.0.80/32`). Test the whole thing by shutting down nginx/gollum and watch what happens.

View File

@ -2,7 +2,7 @@
Previously, some DN42 users had provided VMs to the community, but it is not known if any of these are currently active any more. The list of old providers is below the break.
#### burble.dn42
## burble.dn42
If you have a DN42 project but do not have the resources to host it yourself, the burble.dn42 network may be able to provide hosting for you. Contact burble on IRC or via email to discuss.
@ -13,7 +13,7 @@ If you have a DN42 project but do not have the resources to host it yourself, th
---
#### Old Providers:
### Old Providers:
| Person | RAM | HDD | Net | CPU | Description | No. Available
|:------------- |:------ |:--------- |:---------- |:---------- |:-------------------------- |:--------------------------|

View File

@ -90,7 +90,7 @@ We have anycast IPv4 and IPv6, both reachable under whois.dn42. IPs are 172.22.0
| burble | whois.burble.dn42 | 172.20.129.8 / fd42:4242:2601:ac43::1 |
| taavi | whois.svc.as4242423270.dn42 | 172.22.130.143 / fd96:70f6:b174:<span>ac</span>::43 |
### Down?
## Down?
| **person** | **dns** | **ip** |
|------------|---------------------------|-----------------|
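Review bot: the unchanged context line for the `taavi` whois server contains a stray `<span>ac</span>` wrapping part of the IPv6 address (`fd96:70f6:b174:<span>ac</span>::43`); it renders oddly and will break copy-and-paste of the address, so it should be reduced to `fd96:70f6:b174:ac::43` while this table is being edited.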

View File

@ -1,4 +1,4 @@
#DEPRECATED - Please have a look at [Hierarchical DNS](https://internal.dn42/Hierarchical-DNS) instead
# DEPRECATED - Please have a look at [Hierarchical DNS](https://internal.dn42/Hierarchical-DNS) instead
You may want to participate in the anycast DNS cloud.