mirror of https://git.dn42.dev/wiki/wiki.git synced 2024-11-23 07:43:29 +01:00

Fix Headers, Spaces

KIOUBIT-MNT 2021-06-01 00:48:53 +03:00
parent 570bc4abde
commit c10f15e424
68 changed files with 138 additions and 352 deletions

FAQ.md

@ -1,5 +1,5 @@
### How do I connect to DN42?
## How do I connect to DN42?
We have a [page](/howto/Getting-started) for that!
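
Review bot: The first line moves `### How do I connect to DN42?` up to `##`, but the next hunk's context still shows `### Can I update the wiki?` at level three, so the FAQ questions end up on mixed heading levels. Either promote every question heading in this file or leave this one at `###`.
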
@ -58,4 +58,4 @@ Prior to using ASNs in the new private ASN range 4200000000-4294967294 ([RFC6996
### Can I update the wiki?
Yes, the wiki can be edited when browsing to [wiki.dn42](https://wiki.dn42).
Yes, the wiki can be edited when browsing to [wiki.dn42](https://wiki.dn42).


@ -77,6 +77,6 @@ The [Getting started](/howto/Getting-Started) page helps you to get your first n
This wiki is the main reference about dn42. It is available in read-only mode from the Internet [here](https://wiki.dn42.us) or [here](https://dn42.dev) or [here](https://dn42.tk) or [here](https://dn42.eu), [tor](http://jsptropkiix3ki5u.onion) and [i2p](http://beb6v2i4jevo72vvnx6segsk4zv3pu3prbwcfuta3bzrcv7boy2q.b32.i2p/) and for editing from within dn42, at [https://wiki.dn42](https://wiki.dn42) - [https](services/Certificate-Authority) required for editing.
#### DN42 Logo
### DN42 Logo
An svg of the DN42 Logo is available [here](/dn42.svg).


@ -82,7 +82,7 @@ second tinc cloud
ipv4: 172.22.255.160/28
ipv6: fd04:de02:7af9::/64
IP IPv6 User Host ASN
-------------- ------------------- --------- ----------- -----
172.22.255.161 fd04:de02:7af9::161 uves spline 64733


@ -1 +1 @@
Hosted by: [xuu](mailto:xuu@sour.is), [nurtic-vibe](mailto:nurtic-vibe@grmml.net), [toBee](mailto:tom@xcv.vc), [burble](mailto:dn42@burble.com) | Accessible via: [dn42](http://wiki.dn42), [tor](http://jsptropkiix3ki5u.onion), [i2p](http://beb6v2i4jevo72vvnx6segsk4zv3pu3prbwcfuta3bzrcv7boy2q.b32.i2p/)
Hosted by: [xuu](mailto:xuu@sour.is), [nurtic-vibe](mailto:nurtic-vibe@grmml.net), [toBee](mailto:tom@xcv.vc), [burble](mailto:dn42@burble.com) | Accessible via: [dn42](http://wiki.dn42), [tor](http://jsptropkiix3ki5u.onion), [i2p](http://beb6v2i4jevo72vvnx6segsk4zv3pu3prbwcfuta3bzrcv7boy2q.b32.i2p/)
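
Review bot: The `dn42` link on this footer line points at `http://wiki.dn42`, while the wiki index changed in this same commit gives `https://wiki.dn42` as the editing address and states that https is required for editing. Point the footer at the https URL so readers inside dn42 land on the TLS-protected site.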


@ -1 +1 @@
[![dn42](/dn42.png)](/)
[![dn42](/dn42.png)](/)


@ -1,66 +0,0 @@
# DN42 peering on Extreme Summit 1i
Here i'll show how to configure DN42 peering via BGP on an old Extreme Networks [Summit 1i](http://docs.google.com/viewer?url=https://www.mtmnet.com/PDF_FILES/summit1i.pdf) routing switch. This how-to should be also applicable to any other 'i'-series switch.
## Caveats
Looks like ExtremeWare doesn't support any tunneling mechanism in contrast to ExtremeWare IPv6 or ExtremeXOS operating systems. So you need either put your switch behind the router which will do tunneling with DN42 participant or directly connect the switch to our network, if that possible.
## Snipplet
This configuration was tested on latest EW of 7.8.4.1 patch1-r4 version. But it should work on most of older releases as well.
## DN42 should go both in internal (for clients) and external VLANs
create vlan svlan
configure vlan svlan ipaddress 192.168.1.100/24
# Adding an alias
enable multinetting standard
configure vlan svlan add secondary-ip 172.22.251.2/23
...
enable ipforwarding
configure vlan svlan add subvlan ext
...
# It is worth to filter alien nets
create access-list deny_int ip destination any source 192.168.1.0/24 deny ports 2-16
...
##
# Adding route to a neighbor
configure iproute add 172.22.151.1/32 172.22.251.1
configure bgp soft-reconfiguration
configure bgp AS-number 65534
configure bgp routerid 172.22.251.2
enable bgp
Now, if you're trying EBGP with your peer:
# Announce our network
configure bgp add network 172.22.151.0/23
create bgp neighbor 172.22.151.1 remote-AS-number 65535
# Point to a proper outgoing interface, useless in case when Super VLAN is used
#configure bgp neighbor 172.22.151.1 source-interface vlan ext
enable bgp neighbor 172.22.151.1
Or IBGP (local router does the EBGP in following example):
# Don't wait for an EBGP
disable bgp synchronization
create bgp neighbor 192.168.1.1 remote-AS-number 65534
enable bgp neighbor 192.168.1.1
Next, you may diagnose the things doing:
show bgp
show bgp neighbor
show bgp neighbor 172.22.151.1 received-routes all
show bgp neighbor 172.22.151.1 transmitted-routes all
After that ping and traceroute are your mates. It is worth to point switch to the DNS which knows .dn42 zone:
`configure dns-client add name-server 192.168.1.1`
And use names.
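
Review bot: This hunk (`-1,66 +0,0`) deletes the whole Extreme Summit 1i how-to, which the commit title "Fix Headers, Spaces" does not cover. Move the removal into its own commit, or name the page and the reason in the message, so the deletion can be found and reverted separately from the whitespace changes.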


@ -22,7 +22,7 @@ To properly assign the right community to your peer, please reference the table
(64511, 8) :: latency \in (1097ms, 2981ms]
(64511, 9) :: latency > 2981ms
(64511, x) :: latency \in [exp(x-1), exp(x)] ms (for x < 10)
(64511, 21) :: bw >= 0.1mbit
(64511, 22) :: bw >= 1mbit
(64511, 23) :: bw >= 10mbit
@ -30,7 +30,7 @@ To properly assign the right community to your peer, please reference the table
(64511, 25) :: bw >= 1000mbit
(64511, 2x) :: bw >= 10^(x-2) mbit
bw = min(up,down) for asymmetric connections
(64511, 31) :: not encrypted
(64511, 32) :: encrypted with unsafe vpn solution
(64511, 33) :: encrypted with safe vpn solution (but no PFS - the usual OpenVPN p2p configuration falls in this category)
@ -126,7 +126,7 @@ function update_crypto(int link_crypto) {
else if (64511, 33) ~ bgp_community then { bgp_community.delete([(64511, 34..34)]); return 33; }
else return 34;
}
function update_flags(int link_latency; int link_bandwidth; int link_crypto)
int dn42_latency;
int dn42_bandwidth;


@ -26,7 +26,7 @@ Note: This file covers the configuration of Bird 1.x. For an example configurati
* Replace `<PEER_AS>` the Autonomous System Number of your peer (only the digits)
* Replace `<PEER_NAME>` a self chosen name for your peer
### IPv6
## IPv6
```
#/etc/bird/bird6.conf
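
Review bot: `### IPv6` becomes `## IPv6` here, but none of this file's hunks touches the heading above the IPv4 configuration that the `@ -160,7` context (`/etc/bird/local4.conf`) belongs to. Check that the IPv4 section sits at `##` as well, otherwise the two sibling sections render at different levels.
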
@ -51,7 +51,7 @@ include "/etc/bird/local6.conf";
/*
krt_prefsrc defines the source address for outgoing connections.
On Linux, this causes the "src" attribute of a route to be set.
Without this option outgoing connections would use the peering IP which
would cause packet loss if some peering disconnects but the interface
is still available. (The route would still exist and thus route through
@ -160,7 +160,7 @@ include "/etc/bird/local4.conf";
/*
krt_prefsrc defines the source address for outgoing connections.
On Linux, this causes the "src" attribute of a route to be set.
Without this option outgoing connections would use the peering IP which
would cause packet loss if some peering disconnects but the interface
is still available. (The route would still exist and thus route through
@ -393,4 +393,4 @@ bird> show route export <somepeer> # shows the route you export to someone
# External Links
* detailed bird configuration from Mic92: https://github.com/Mic92/bird-dn42
* more bird commands: https://bird.network.cz/?get_doc&v=20&f=bird-4.html
* more bird commands: https://bird.network.cz/?get_doc&v=20&f=bird-4.html


@ -89,7 +89,7 @@ function is_valid_network_v6() {
protocol kernel {
scan time 20;
ipv6 {
import none;
export filter {
@ -134,7 +134,7 @@ protocol static {
template bgp dnpeers {
local as OWNAS;
path metric 1;
ipv4 {
import filter {
if is_valid_network() && !is_self_net() then {
@ -195,4 +195,4 @@ protocol bgp <NEIGHBOR_NAME>_v6 from dnpeers {
}
```
Due to the special link local addresses of IPv6, an interface has to be specified using the %<if> syntax if a link local address is used (Which is recommended)
Due to the special link local addresses of IPv6, an interface has to be specified using the %<if> syntax if a link local address is used (Which is recommended)


@ -7,7 +7,7 @@ Running email in dn42 is not very complicated. Your SMTP daemon probably alread
## Redirect
~~There are forwarding rules for _PERSON_ @ dn42.org to the mail addresses which have been given in the registry. Please note that the trailing `-DN42` is stripped from the local part.~~
####Example####
### Example
| Handle | Alias | Redirection |
|:------------ |:-------------- |:--------------------- |
@ -97,4 +97,4 @@ Email Address Internationalization (EAI) as defined in [RFC 6531](http://tools.i
Introduced with Postfix version 3.0, this fully supports UTF-8 email addresses and UTF-8 message header values.
more at the [SMTPUTF8_README](http://www.postfix.org/SMTPUTF8_README.html).
### Exim
Watch Exims EAI Tracker [Bug 1177](http://bugs.exim.org/show_bug.cgi?id=1177)
Watch Exims EAI Tracker [Bug 1177](http://bugs.exim.org/show_bug.cgi?id=1177)


@ -376,4 +376,4 @@ traffic-policy {
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:dhcp-relay@1:dhcp-server@4:firewall@4:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.3.0.4605130.131011.1754 */
```
```


@ -42,7 +42,7 @@ Using the below as examples:
#### Copy OpenVPN key to the EdgeRouter
Copy the VPN key to `/config/auth/SomeSharedKey.key`:
sudo cat > /config/auth/SomeSharedKey.key
Paste the key in the terminal window, hit return once and kill `cat` with CTRL+C. Then type `exit`.
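
Review bot: In the line `sudo cat > /config/auth/SomeSharedKey.key`, the redirection is opened by the calling shell before `sudo` runs, so `sudo` has no effect on who writes the key file and the command fails when the user cannot write to `/config/auth`. Since this block is being touched anyway, suggest `sudo tee /config/auth/SomeSharedKey.key > /dev/null` (ended with CTRL+D), followed by `sudo chmod 600` on the file, as it holds the OpenVPN key.
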
@ -108,7 +108,7 @@ so bgp can announce the route
save
#### Announce Route to BGP
set protocols bgp 111111 network 172.A.A.64/27
commit
save


@ -498,4 +498,4 @@ If your peer sends you a key in PEM format (starts with `-----BEGIN PUBLIC KEY--
}
interface eth0
}
}
}


@ -1,148 +0,0 @@
#EdgeRouterPro-8 config example with v1.9.0
After a lot of searching and trying I [Phil/ALS7] finnaly got a working config
Also thanx to drathir for his patience and support
##Features
* IPv4/IPv6 Tunnel via OpenVPN
* dn42 DNS
##How-To
--> still work in Progress
* Basic EdgeOS knowledge is required
1) you need to create all required fields in the registry --> look at [Getting Started](/Getting-Started) page
2) get a peer --> ask nice @ [IRC](/IRC)
3) You need following data from the peer
--tunnel options, secret key --ASN from the peer --ip's
...
The data i used are the following:
Own ASN: AS111111
Own IPv4: 172.AA.AA.64/27
Own IPv6: fdBB:BBBB:CCCC::/48
Peer OpenVPN Remote Address: X.X.X.X
Peer OpenVPN Remote Host: X.X.X.Y
Peer OpenVPN IP for you: fdAA::BBB/64
Peer OpenVPN IP: fdAA::CC
Peer OpenVPN Port: 1194
Peer OpenVPN encryption: aes256
Peer ASN: AS222222
Peer BGP Neighbour IPv4: Z.Z.Z.Z
Peer BGP Neighbour IPv6: fdAA::CC
###Copy OpenVPN key to the ErPro
copy vpn key to /config/auth/giveITaName
sudo su
cd /config
mkdir auth
cd auth
cat > giveITaName
now paste the key in the terminal window, hit return once and kill cat with CTRL+C
last thing to do is type exit
###Create IPv4 OpenVPN Interface
Set up Interface vtunX -- i used vtun0
configure
set interface openssh vtun0
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 local-port 1194
set interfaces openvpn vtun0 remote-port 1194
set interfaces openvpn vtun0 local-address 172.AA.AA.64
set interfaces openvpn vtun0 remote-address X.X.X.X
set interfaces openvpn vtun0 remote-host X.X.X.Y
set interfaces openvpn vtun0 shared-secret-key-file /config/auth/giveITaName
set interfaces openvpn vtun0 encryption aes256
set interfaces openvpn vtun0 openvpn-option "--comp-lzo" //if your peer support compression
commit
save
exit
Now the ipv4 tunnel should be up&running
Check it with:
show interfaces openvpn
show interfaces openvpn detail
show openvpn status site-to-site
###Create IPv4 BGP Session
####Open Firewall
* You need to open the firewall to local for the tunnel Interface on port 179/tcp
####Configure the BGP Neighbor
* You must not use AS before the as numbers !!
With this step you create the basic bgp session
configure
set protocols bgp 111111 neighbor Z.Z.Z.Z remote-as 222222
set protocols bgp 111111 neighbor Z.Z.Z.Z soft-reconfiguration inbound
set protocols bgp 111111 neighbor update-source 172.AA.AA.64
commit
save
When commit this configuration you should be able to see a BGP neighbor session start and come up.
You can check this with:
show ip bgp summary
####Set route to blackhole
so bgp can announce the route
set protocols static route 172.AA.AA.64/27 blackhole
commit
save
####Announce prefix to BGP
set protocols bgp 111111 network 172.A.A.64/27
commit
save
exit
You should now be able to see networks being advertised via
show ip bgp neighbors Z.Z.Z.Z advertised-routes
###Define Nameservers
Now ping to 172.23.0.53 ... thats the nameserver we are using
If everything is allright it should work
####NS Config
Enter the configure mode
configure
set service dns forwarding name-server 8.8.8.8
set service dns forwarding name-server 8.8.4.4
set service dns forwarding options rebind-domain-ok=/dn42/
set service dns forwarding options server=/23.172.in-addr.arpa/172.23.0.53
set service dns forwarding options server=/22.172.in-addr.arpa/172.23.0.53
set service dns forwarding options server=/dn42/172.23.0.53
commit
save
exit
Now try to access any .dn42 tld
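
Review bot: The deleted EdgeRouterPro-8 page (`-1,148 +0,0`) repeats steps that the EdgeRouter page changed earlier in this commit still carries, for example `set protocols bgp 111111 network 172.A.A.64/27`, but the commit message does not say that a duplicate is being dropped. State that in the message, and confirm that the "Define Nameservers" settings (`server=/dn42/172.23.0.53` and the `rebind-domain-ok` option) exist on the surviving page, since none of its visible hunks show them.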


@ -68,4 +68,4 @@ destination: fd42::1
```
# Security
GRE may be protected with IPsec to encrypt and authenticate traffic, [OpenIKED](http://www.openiked.org/) can be used to establish an IKEv2 session between *A* and *D*.
GRE may be protected with IPsec to encrypt and authenticate traffic, [OpenIKED](http://www.openiked.org/) can be used to establish an IKEv2 session between *A* and *D*.


@ -31,4 +31,4 @@ See [GRE on FreeBSD](gre-on-freebsd).
See [IPsec on FreeBSD](ipsec-on-freebsd).
## How to configure GRE + IPsec on Debian
See [GRE + IPsec on Debian](gre-plus-ipsec-debian).
See [GRE + IPsec on Debian](gre-plus-ipsec-debian).


@ -69,4 +69,4 @@ sainfo (address a.b.c.d gre address b.c.d.e gre) {
authentication_algorithm hmac_sha1;
}
```
```


@ -56,4 +56,4 @@ https://git.dn42.us/ryan/pubkey-converter/raw/master/pubkey-converter.pl
1. Best practice is to generate the private key on the router itself, and not transfer it to another machine. This part should be kept secret!
2. Generate a key of at least 2048 bits, preferably 4096 if both ends support it.
3. Some implementations support more than one key format. The examples here only show how to use one of them (usually PEM) for brevity.
4. RFC 3110 format is the same as that described in RFC 2537. The former obsoletes the latter.
4. RFC 3110 format is the same as that described in RFC 2537. The former obsoletes the latter.


@ -62,7 +62,7 @@ In this example, we'll use the following settings:
foo(config-pubkey-chain)#addressed-key 192.0.2.2
foo(config-pubkey-key)#key-string
Enter a public key as a hexidecimal number ....
foo(config-pubkey)#30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
foo(config-pubkey)#00F3E0AA 8924E512 C08BA87C 73820A15 E5180DDC EF827221 2B3864BF B2D2A5E0
foo(config-pubkey)#33D04C1D 43A0CAF8 617EEEBA 7DB5BD38 429660CC 3144618E 4F386201 52483DA7
@ -128,4 +128,4 @@ In this example, we'll use the following settings:
interface FastEthernet0/0
description WAN
ip address 192.0.2.1 255.255.255.0
duplex full
duplex full


@ -55,7 +55,7 @@ remote 5.6.7.8 [500] {
verify_cert on;
send_cert off;
send_cr off;
proposal {
encryption_algorithm aes 256;
hash_algorithm sha256;


@ -46,7 +46,7 @@ Load the configuration file into isakmpd: `ipsecctl -f /etc/ipsec.conf`. Once th
FLOWS:
flow esp in proto gre from 1.3.3.7 to 3.4.5.6 peer 1.3.3.7 srcid 3.4.5.6/32 dstid 1.3.3.7/32 type use
flow esp out proto gre from 3.4.5.6 to 1.3.3.7 peer 1.3.3.7 srcid 3.4.5.6/32 dstid 1.3.3.7/32 type require
SAD:
esp transport from 1.3.3.7 to 3.4.5.6 spi 0xdeadbeef auth hmac-sha1 enc aes
esp transport from 3.4.5.6 to 1.3.3.7 spi 0xf00df00d auth hmac-sha1 enc aes
@ -62,4 +62,4 @@ These settings should also be added to [`/etc/hostname.gre0`](http://man.openbsd
tunnel 3.4.5.6 1.3.3.7
inet 10.20.30.0 10.20.30.1
inet6 eui64
inet6 eui64


@ -40,4 +40,4 @@ remote 192.168.255.2 {
## Se also
[debian specific configuration](IPsecWithPublicKeys/GRE plus IPsec Debian)
[debian specific configuration](IPsecWithPublicKeys/GRE plus IPsec Debian)
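
Review bot: The context heading `## Se also` is misspelled, and a commit that fixes headers is the place to correct it to `## See also`. The link target on the changed line, `IPsecWithPublicKeys/GRE plus IPsec Debian`, also contains spaces, which CommonMark does not accept in an unbracketed link destination; another page in this commit links to the same how-to as `gre-plus-ipsec-debian`.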


@ -10,11 +10,11 @@
# NAME KEY-SIZE
0 PR mykey 4096-bit
### Exchange public keys with your peer
## Exchange public keys with your peer
1. Export the public key to a file.
[admin@mtk1] /ip ipsec key> export-pub-key mykey file-name=mykey.pub
[admin@mtk1] /ip ipsec key> /file print where name=mykey.pub
# NAME TYPE SIZE CREATION-TIME
2 mykey.pub ssh key 451 jul/20/2014 12:35:33
@ -52,7 +52,7 @@ In this example, we'll use the following settings:
[admin@mtk1] /ip ipsec key> import peer-key.pub name=peer-key
passphrase:
[admin@mtk1] /ip ipsec key> print
Flags: P - private-key, R - rsa
# NAME KEY-SIZE
@ -89,4 +89,4 @@ In this example, we'll use the following settings:
lifetime=8h local-address=192.0.2.1 remote-key=peer-key
/ip ipsec policy
add dst-address=192.0.2.2/32 protocol=gre sa-dst-address=192.0.2.2 \
sa-src-address=192.0.2.1 src-address=192.0.2.1/32
sa-src-address=192.0.2.1 src-address=192.0.2.1/32


@ -4,19 +4,19 @@
ubnt@ubnt:~$ generate vpn rsa-key bits 4096 random /dev/urandom
Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key
Your new local RSA key has been generated
The public portion of the key is:
0sAQPNdF370ZEbN+kZUJQ10qnBlZujrg39ujfk20ILTjELksOIdJw/4jiU1MfpqFDKuB/XxERwJQp2POsFyV/n76jAgxIYBfFYfuaBcIH1rdNQtDhCnkmWzlueRXGEsz0Af79n8TKyQ9otzNhJ2cPE1CWCJbKqbIUN3piviLgGlItWNeya+Tl3Oj3ZfEVwr1QOvUAw32+m4L8T9jf1vqSlOTHpRpxxPWBrLEzstk0FOcZISji2JBpDOCU8Kpyyf74JM+LxsOIHwmS15b6iFZR3U9KZLqbbd0dSy/cM8P4XjrwM5UMyRDjrLqvuA/K/33BgtnxdQR3e9DJoYH3Qr8eRgSkR+jHyq06LvgHkHbMvrEjUnc3n8bg+YfR4oyJpIWsKjfIXmN1Q51KzxAPIAww+YSYUYtamSsQsspVAtMIQqR4e0r1In1qyoSn8VCPlksNMWpqYHbSjDo5HJYoSwxf2epzMtCvhenn0OuiH0xlgzziA+wBi6txksTMvJYcPJYnBVR2NIBjkWftOfmkY+rKMozViGjyd6kB7C8lqd8W7Ha5Ds2WxIY22DM3HcYH/zTp9z2xbuMOsbIgib/Y12Kh0wHyCz0lzFvs+d6CZwinyIXNKB/Vo4iiwT5luL5mGqf3pZx4zB+30GYSs/6MaELRF9BxD7tfqYCkOLXUtxyZ4Pdl2sw==
### Exchange public keys with your peer
1. Display the public key. Send the key data portion to your peer.
ubnt@ubnt:~$ show vpn ike rsa-keys
Local public key (/config/ipsec.d/rsa-keys/localhost.key):
0sAQPNdF370ZEbN+kZUJQ10qnBlZujrg39ujfk20ILTjELksOIdJw/4jiU1MfpqFDKuB/XxERwJQp2POsFyV/n76jAgxIYBfFYfuaBcIH1rdNQtDhCnkmWzlueRXGEsz0Af79n8TKyQ9otzNhJ2cPE1CWCJbKqbIUN3piviLgGlItWNeya+Tl3Oj3ZfEVwr1QOvUAw32+m4L8T9jf1vqSlOTHpRpxxPWBrLEzstk0FOcZISji2JBpDOCU8Kpyyf74JM+LxsOIHwmS15b6iFZR3U9KZLqbbd0dSy/cM8P4XjrwM5UMyRDjrLqvuA/K/33BgtnxdQR3e9DJoYH3Qr8eRgSkR+jHyq06LvgHkHbMvrEjUnc3n8bg+YfR4oyJpIWsKjfIXmN1Q51KzxAPIAww+YSYUYtamSsQsspVAtMIQqR4e0r1In1qyoSn8VCPlksNMWpqYHbSjDo5HJYoSwxf2epzMtCvhenn0OuiH0xlgzziA+wBi6txksTMvJYcPJYnBVR2NIBjkWftOfmkY+rKMozViGjyd6kB7C8lqd8W7Ha5Ds2WxIY22DM3HcYH/zTp9z2xbuMOsbIgib/Y12Kh0wHyCz0lzFvs+d6CZwinyIXNKB/Vo4iiwT5luL5mGqf3pZx4zB+30GYSs/6MaELRF9BxD7tfqYCkOLXUtxyZ4Pdl2sw==
2. Convert your peer's public key to the Base64 RFC 3110 format using the [pubkey-converter][pubkey-converter] script, if necessary.
@ -132,4 +132,4 @@ In this example, we'll use the following settings:
rsa-key 0sAwEAAbsbRoUcgdm4A4Nm+PLxWcW+zFis7pkaJ0MkGVzM7VC8nmngkM+W2zqZyQ4NUTBKKfGOUc4Ogi6gyhlzUnHdag9tDERIX+BwlDO6G4arod9z9KqmJuX4AOYVjH5QlAPz7NDMAezVekGoVLPGdOAMPD6NN54ihLRH6V3if8AGoJRpiajhcgQipjeQnhH4QhsYK4XSjayGT1onQwA8nhy5kt4ofyqSale4Fl4166S9tCn4RKwtlJDjR6VIrg6op6Ip8+ke2vjEHPJHj6qVsxfRgOk2d8pY8oPVt8ayc5F1z+lqJ7R0fADfN+AQSaBqOMmg5dHDFYWwgYkU5egdVKS7Oko6uNuUWsZ0VEnRoPZ4syJEUbiF5wGfaVBaaVLZYUlRLQCffB4JKzp+JesVToCX6JYRfb4JYQWFCDeQfrqRZHM4r13h8MOWPn9cqXcP47RKJjzNp6595biUotmCbMHyy/uveMWxK6vDzPQRkywqMMJE2qOyACmbMnSce9KlYhvma82Vd+z/9/U9NEy0s5MaYNDn+q+KYT5My3NSv52F6sLVGrKxTk79tzUejZcoukJv+gf51Epam4kVHzPIal/khsfjZn6YCU2j5+qcdRmzF+SG5c2WicvEU2Gc4ratfYNEPxU5oArzHIhIz6x2nAF+szcx/x8GEyXPNHnxEboJB7ox
}
}
}
}


@ -73,13 +73,13 @@ _Note: strongSwan < 5.0.0 will read PEM-formatted **private** keys, but requires
valid_lft forever preferred_lft forever
root@debian:~# more /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
config setup
conn %default
keyexchange=ikev1
dpdaction=restart
conn MYPEER
# peer IPs
left=192.0.2.1
@ -101,4 +101,4 @@ _Note: strongSwan < 5.0.0 will read PEM-formatted **private** keys, but requires
rightprotoport=gre
# startup
auto=route
keyingtries=%forever
keyingtries=%forever


@ -94,13 +94,13 @@ In this example, we'll use the following settings:
valid_lft forever preferred_lft forever
root@debian:~# more /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
config setup
conn %default
keyexchange=ikev1
dpdaction=restart
conn MYPEER
# peer IPs
left=192.0.2.1
@ -127,4 +127,4 @@ If your peer is using a Cisco router and is behind NAT, then you might need to a
rightid=NATIP
# See also
* [Network settings](https://internal.dn42/howto/networksettings)
* [Network settings](https://internal.dn42/howto/networksettings)


@ -42,20 +42,20 @@ The following guide illustrates how to set up an IPv6 multicast router using [PI
# /etc/pim6sd.conf
# disable all interfaces by default
default_phyint_status disable;
# enable the pim-router-id interface first to acquire the correct primary address
phyint pim-router-id enable;
# add multicast-capable peer interfaces below
phyint dn42-peer1 enable;
# configure rendezvous point for the personal multicast prefix
cand_rp pim-router-id;
group_prefix ff7e:230:fd00:2001:db8::/96;
```
The `phyint` statement enables [PIM](https://tools.ietf.org/html/rfc7761) and [MLD](https://tools.ietf.org/html/rfc2710) on the target interface - by default all interfaces are in the disable state. Enable an interface if it is directed towards a multicast-capable peer or other multicast-capable routers in your autonomous system. Also enable it for downstream network segments with multicast listeners and senders, like for example your home (W)LAN segments.
With `cand_rp` and `group_prefix` statements you can configure this router as a Rendezvous Point (RP) for your personal multicast group prefix. The address on the interface given as `cand_rp` will be used as the primary address for your RP, it therefore *must* be routable.
---
@ -165,4 +165,4 @@ If you want to offer an RP candidate for a shared multicast address, please read
ToDo:
* We have a solution for personal multicast prefixes tied to the network prefix of an AS owner. But what to do with multicast addresses that not only have listeners but also senders globally? We could have everyone add an additional "group_prefix ff00::/8" and then multicast router with the lowest address would win and become the central RP for all these addresses... not really scalable, robust or decentral though :-/. Should we use PIM-DM for some of these addresses instead (e.g. ones which generally have a low throughput, for instance Bittorrent Local Peer Discovery)? Or maybe those global addresses should be managed and configured as /128 and people who are interested in managing a specific, global multicast address will coordinate with each other?
* bootstrap router coordination; according to RFCs a bootstrap router can alter/filter the multicast prefixes it received from candidate RPs. Should a bootstrap router check and filter any multicast prefix that was generated from a network prefix which does not match the network prefix used by the PR?
* bootstrap router coordination; according to RFCs a bootstrap router can alter/filter the multicast prefixes it received from candidate RPs. Should a bootstrap router check and filter any multicast prefix that was generated from a network prefix which does not match the network prefix used by the PR?


@ -74,4 +74,4 @@ ip6tables -t nat -A PREROUTING -s 2000::/3 -d <PUBLIC-PREFIX>:<SUBNET>::/56 -j N
### With Multiple Prefixes
## More Info
This page is a work in progress. Please contact Fira if you feel like more information should be added here! Also see ASN 4242423218 for an example of IPv6-only AS on DN42.
This page is a work in progress. Please contact Fira if you feel like more information should be added here! Also see ASN 4242423218 for an example of IPv6-only AS on DN42.


@ -54,4 +54,4 @@ graph_title $name routes
```
Example installation:
http://stats.tbspace.de/munin-cgi/munin-cgi-graph/tbspace.de/server.tbspace.de/dn42_crest_routes-day.png
http://stats.tbspace.de/munin-cgi/munin-cgi-graph/tbspace.de/server.tbspace.de/dn42_crest_routes-day.png


@ -132,4 +132,4 @@ include "/etc/dn42.roa-set"
This is mostly OpenBSD specific since [bgplg(8)](http://man.openbsd.org/bgplg.8) and [httpd(8)](http://man.openbsd.org/httpd.8) ship as part of the operating system.
The **bgplg** manual contains the few steps and example [httpd.conf(5)](http://man.openbsd.org/httpd.conf.5) required to enable the looking glass.
See https://t4-2.high5.nl/bgplg for a running instance operating within DN42.
See https://t4-2.high5.nl/bgplg for a running instance operating within DN42.


@ -80,4 +80,4 @@ You have to use this patch: https://dev.openwrt.org/changeset/35484 (monkeypatch
## DNS
See [DNS Configuration](/services/dns/Configuration). This will use the anycast dn42 DNS server to resolve `dn42` and relevant reverse domains.
See [DNS Configuration](/services/dns/Configuration). This will use the anycast dn42 DNS server to resolve `dn42` and relevant reverse domains.


@ -43,7 +43,7 @@ for IPv6 do something like
vtysh(config-router-af)> exit
vtysh(config-router)> exit
vtysh(config)> exit
### peer groups, prefix lists and such
If you want to use 'prefix-list' to filter some of the prefixes quagga is receiving, you can use a 'peer-group' instead of apply the prefix list to every neighbor.
@ -66,7 +66,7 @@ Apply a prefix list for incoming prefixes to your peer group:
ip prefix-list vpn-in seq 5 permit 172.22.0.0/15 ge 22 le 28
!new dn42 allocation:
ip prefix-list vpn-in seq 10 permit 172.20.0.0/16 ge 22 le 28
! Anycast /32s for Whois and DNS:
ip prefix-list vpn-in seq 11 permit 172.22.0.43/32
ip prefix-list vpn-in seq 12 permit 172.22.0.53/32
@ -132,4 +132,4 @@ Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
....
172.23.64.1 4 4242421375 0 0 0 0 0 never Active
fe80::deca:fbad 4 64699 902 694 0 0 0 01:23:57 486
```
```


@ -19,7 +19,7 @@ It provides the router with validity information regarding prefix origination:
The route announcement is covered by a ROA and the announcing AS is invalid (possibly hijacking)
* UNKNOWN
There exists no ROA for the route announcement
## How can I implement ROA on dn42?
On dn42 we generate ROA information from the dn42 registry.
@ -31,14 +31,14 @@ It is also possible to integrate this with a RTR cache server such as [gortr](ht
You can find a hosted example of dn42regsrv at https://explorer.burble.com/
Instructions on how to host dn42regsrv yourself can be found on the git repo of [dn42regsrv](https://git.dn42.us/burble/dn42regsrv).
You can also run dn42regsrv via docker (then available at 127.0.0.1:8042):
git checkout https://git.dn42.us/burble/dn42regsrv.git .
cd contrib/docker
./build.sh
docker-compose up -d
Documentation for the api endpoints can be found here: https://git.dn42.us/burble/dn42regsrv/src/master/API.md
### gortr
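
Review bot: In the Docker instructions, `git checkout https://git.dn42.us/burble/dn42regsrv.git .` cannot work, because `git checkout` operates on an existing repository and does not take a URL. The line should read `git clone https://git.dn42.us/burble/dn42regsrv.git .`, and it is worth fixing while the whitespace in this block is being changed.
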
@ -57,4 +57,4 @@ TODO: Publish docker-compose-yml to git for gortr+dn42regsrv
### How do I integrate RTR with my BGP implementation
You have to consult the documentation of your implementation for that. We will provide configuration examples on the specific pages.
You have to consult the documentation of your implementation for that. We will provide configuration examples on the specific pages.


@ -16,7 +16,7 @@ The signature and verification process varies depending on the type of public ke
---
#### Finding the commit hash
## Finding the commit hash
`git log` will list all the recent commits and show the commit hash:
```
@ -31,7 +31,7 @@ Date: Mon Jan 01 01:01:01 2020 +0000
PGP keys may be uploaded to a public keyserver for verification, or added in the registry.
#### Using a public keyserver
### Using a public keyserver
- Use the following `auth` attribute in your `mntner` object:
```
@ -72,7 +72,7 @@ auth: ssh-<keytype> <pubkey>
```
There are examples below for each specific key type.
#### Generic process for signing with an SSH key
### Generic process for signing with an SSH key
OpenSSH v8 introduced new functionality for creating signatures using SSH keys. If you have an older version, you can compile the latest version of ssh-keygen from the [openssh-portable repo](https://github.com/openssh/openssh-portable).


@ -60,4 +60,4 @@ ping %gateway4%
pause
ping %gateway6%
pause
```
```


@ -153,4 +153,4 @@ Since version 6.47 have added functionality that can redirect DNS queries accord
```
/ip dns static
add comment=DN42 forward-to=172.23.0.53 regexp=".*\\.dn42" type=FWD
```
```


@ -67,4 +67,4 @@ Check the routes with:
There should an attribute like:
```
gateway=gre-dn42-peer gateway-status=gre-dn42-peer reachable
```
```


@ -32,7 +32,7 @@ Check that ALL your vpn interfaces allow ip forwarding for ipv6/ipv4.
$ sysctl -a | grep forwarding
```
### Note on firewalls, conntrack and asymmetric routing
## Note on firewalls, conntrack and asymmetric routing
Do not configure iptables/nftables to drop packets with invalid conntrack state in forward chain.
@ -41,4 +41,4 @@ but responses are fowarded via your network. This will prevent conntrack from as
and your firewall will drop it if it is configured to drop packets with invalid state.
Happy Routing!
Happy Routing!


@ -200,4 +200,4 @@ Then, for each client, generate a private key and a certificate: ```./build-key
* [IPv4 - multicast](https://en.wikipedia.org/wiki/Multicast_address#GLOP_addressing)
* [IPv4 - GLOB calculator](http://labs.spritelink.net/glop)
* [RFC3108 GLOP Addressing in 233/8](http://tools.ietf.org/html/rfc3180)
* [RFC3138 Extended Assignments in 233/8](https://tools.ietf.org/html/rfc3138)
* [RFC3138 Extended Assignments in 233/8](https://tools.ietf.org/html/rfc3138)
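
Review bot: The link text `RFC3108 GLOP Addressing in 233/8` does not match its target `rfc3180`; GLOP addressing is RFC 3180, so the label is the part to correct. The entry above it reads `GLOB calculator` while linking to `/glop`, which looks like the same kind of slip.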


@ -43,4 +43,4 @@ Peer = <peer tunnel linklocal address>/128
Address = <your DN42 ipv4>/32
Peer = <peer DN42 ipv4>/32
```
```


@ -92,4 +92,4 @@ $ tinc join <invitation-url>
This node will then automatically generate configuration, private/public keys and will exchange this key with the other node on connection.
Remember to still set up your **tinc-up** script.
Remember to still set up your **tinc-up** script.


@ -1,4 +1,4 @@
#VyOS
# VyOS
VyOS is an open source software router. It is feature rich and supports multiple deployment options such as physical hardware (Old PC's) or a VPC/VM. The developers have a nightly rolling release that includes all the latest features such as Wireguard.
It can be downloaded here https://www.vyos.io/rolling-release/.
@ -98,41 +98,41 @@ set protocols static interface-route 172.20.50.1/32 next-hop-interface wg92
##BGP
## BGP
Now that we have a tunnel to our peer and theoretically can ping them, we can setup BGP.
###Initial Router Setup
### Initial Router Setup
`set protocols bgp 424242XXXX address-family ipv4-unicast network 172.x.x.x\x`
_Insert your ASN and your assigned network block. Note that this should match your exact prefix as listed in the registry; if you try to advertise a subnet of your assigned block it could get filtered by some peers._
`set protocols bgp 424242XXX parameters router-id 172.x.x.x`
_To keep it simple just make your router ID match your lower IP within the DN42 registered space._
###Neighbor Up With Peers
### Neighbor Up With Peers
`set protocols bgp 424242XXXX neighbor 172.x.x.x address-family ipv4-unicast`
_This is likely the same IP as the one used in your static route earlier when creating the Wireguard tunnel._
`set protocols bgp 424242XXXX neighbor 172.x.x.x ebgp-multihop 20`
_This setting may need to be adjusted depending on circumstances_
`set protocols bgp 424242XXXX neighbor 172.x.x.x remote-as 424242XXXX`
_Your peers ASN_
`show ip bgp summary`
##RPKI/ROA Checking
###Setup RPKI Caching Server
## RPKI/ROA Checking
### Setup RPKI Caching Server
Burble has made this super easy. More info can be found [here](https://wiki.dn42/howto/ROA-slash-RPKI) on this wiki. Get started by running the below command on a Linux server with Docker installed.
```
sudo docker run -ti -p 8082:8082 cloudflare/gortr -cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082
```
This will start a docker container that listens on the host server's IP at port 8082. This setup is using Cloudflare's GoRTR and automatically reaching out and downloading a custom JSON file generated by Burble just for the DN42 network.
###Point VyOS Router at RPKI Caching Server
### Point VyOS Router at RPKI Caching Server
`set protocols rpki cache GoRTR address x.x.x.x`
`set protocols rpki cache GoRTR port 8082`
You can check the connection with `show rpki cache-connection` and the received prefix-table with `show rpki prefix-table`.
###Create Route Map
### Create Route Map
```
set policy route-map DN42-ROA rule 10 action 'permit'
set policy route-map DN42-ROA rule 10 match rpki 'valid'
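Review bot: The GoRTR command under "Setup RPKI Caching Server" runs with `-verify=false -checktime=false`, and the surrounding text never says what that turns off. Because the DN42-ROA route map depends entirely on this cache, add a sentence stating that the ROA JSON is then accepted without signature or freshness checks, so its integrity rests on the HTTPS fetch from dn42.burble.com alone. Two smaller things in the same hunk while the headings are being touched: the prefix placeholder `172.x.x.x\x` uses a backslash where a `/` is meant, and the router-id line uses `424242XXX` where every other command uses `424242XXXX`.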
@ -142,12 +142,12 @@ set policy route-map DN42-ROA rule 30 action 'deny'
set policy route-map DN42-ROA rule 30 match rpki 'invalid'
```
This example allows all routes in unless they are marked invalid or in other words possibly been a victim of BGP hijacking.
###Assign Route Map to Neighbor
### Assign Route Map to Neighbor
```
set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map import DN42-ROA
set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map export DN42-ROA
```
## Example Route Map
### No RPKI/ROA and Internal Network Falls Into DN42 Range
```
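Review bot: The sentence after the route map ("allows all routes in unless they are marked invalid or in other words possibly been a victim of BGP hijacking") is ungrammatical and reads as if every RPKI-invalid route were a hijack, when an invalid can equally come from a wrong or stale ROA. Suggested wording: "This example accepts all routes except those marked RPKI invalid, which may indicate a hijack or a misconfigured ROA." Under "Assign Route Map to Neighbor" it would also help to say why DN42-ROA is applied on `export` as well as `import`, since as described the map only drops invalids and does not limit what is announced to the peer.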
@ -210,4 +210,4 @@ set protocols bgp 4242421099 neighbor x.x.x.x address-family ipv6-unicast route-
```
This page is a work-in-progress by Owens Research. If you have any suggestions or questions please reach out.
This page is a work-in-progress by Owens Research. If you have any suggestions or questions please reach out.

View File

@ -47,7 +47,7 @@ $ ip addr add fe80::<some_random_suffix>/64 dev <interface_name>
$ ip addr add 172.xx.xx.xx/32 peer 172.xx.xx.xx/32 dev <interface_name>
$ ip link set <interface_name> up
```
<!-- Nurtic-Vibe has another [script](https://git.dn42.us/Nurtic-Vibe/grmml-helper/src/master/create_wg.sh) to interactively automate the peering process. -->
Maybe you should check the MTU to your peer with e.g. `ping -s 1472 <end_point_hostname_or_ip>`. If your output looks like `From gateway.local (192.168.0.1) icmp_seq=1 Frag needed and DF set (mtu = 1440)` substract `80` from the MTU and set it via `ip link set dev <interface_name> mtu <calculated_mtu>`
@ -101,7 +101,7 @@ Address = <your link-local address, if any>
PostUp = /sbin/ip addr add dev %i <MyIPv4>/32 peer <PeerIPv4>/32
PostUp = /sbin/ip addr add dev %i <MyIPv6>/128 peer <PeerIPv6>/128
Table = off
[Peer]
Endpoint = <your peer's wireguard endpoint>
PublicKey = <your peer's public key>

View File

@ -1,12 +1,12 @@
#Application Programming Interfaces (APIs)
# Application Programming Interfaces (APIs)
This page can be useful if you are trying to automate something or if you are trying to retrieve data programmatically.
##ASN Authentication Solution
## ASN Authentication Solution
Authenticate your users by having them verify their ASN ownership with KIOUBIT-MNT using their registry-provided methods in an automated way.
More Information in the setup tutorial: https://dn42.g-load.eu/auth/documentation/tutorial.html
To use the service, please message Kioubit on IRC to have your domain activated.
##Registry REST API
## Registry REST API
[dn42regsrv](https://git.dn42.us/burble/dn42regsrv) is a REST API for the DN42 registry that provides a bridge between interactive applications and the registry.

View File

@ -68,7 +68,7 @@ wieistmeineip.dn42 also provides a telnet service that returns the address you c
|:------------------------------------------------- |:--------------------------------------------------------------- |
| http://stream.media.dn42/ | icecast-relay, contact toBee for more streams (DOWN 2020-11-02) |
| http://radio.hex.dn42/ | Ambient musics |
## File Sharing
@ -181,4 +181,4 @@ There is a page for email Providers [here](/services/E-Mail-Providers)
### Augsburg
We have a plugin that enables us to announce services in the mesh. So instead of listing them here again just have a look at http://10.11.0.8/cgi-bin/luci/freifunk/services to see what we have to offer.
(Upload is not fast, most probably DSL speed only)
(Upload is not fast, most probably DSL speed only)

View File

@ -2,7 +2,7 @@
… or the service that would make dn42 truly interesting for people (for non-technical reasons).
#### Criterias
## Criterias
- it should be difficult to setup on the Internet (for technical or legal reasons)
- it should interest people that are likely to know dn42 (hackerspaces, etc)
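Review bot: The heading moves from `####` to `##`, a two-level promotion rather than only a spacing fix, so confirm the page outline still nests correctly under its title. "Criterias" is also a double plural; the heading text should be "Criteria".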

View File

@ -54,7 +54,7 @@ To use the service, please message Kioubit on IRC to have your domain activated.
| irc.hackint.hack/dn42 | Yes | ChaosVPN |
| irc.dn42 | Yes | Internal IRC |
#### Clients
### Clients
| Hostname / IP | Remarks |
|:--------------|:--------|

View File

@ -35,4 +35,4 @@ _Note that the same warnings above also apply to the following proxies._
| Offline | | |
|---------------------------------------|-------------|-------------|
| socks5://172.20.11.33:9050 | 100 Mbit/s | twink0r |
| socks5://172.20.11.33:9050 | 100 Mbit/s | twink0r |

View File

@ -218,7 +218,7 @@ Type=oneshot
WorkingDirectory=/etc/ssl/dn42
ExecStart=/etc/ssl/dn42/ca.dn42 tls-sign wiki.dn42 MIC92-MNT
# accept multiple ExecStart lines for other certificates
#ExecStart=/etc/ssl/dn42/ca.dn42 tls-sign foobar.dn42 MIC92-MNT
# ExecStart=/etc/ssl/dn42/ca.dn42 tls-sign foobar.dn42 MIC92-MNT
ExecStart=/usr/bin/nginx -s reload
```
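Review bot: `#ExecStart=...` becoming `# ExecStart=...` is a change inside the fenced systemd unit, not a Markdown heading, so the heading-space replacement was evidently applied to code blocks as well. It is harmless on this line because both forms are comments, but the same rule applied to other fenced blocks across the 68 changed files could alter shell or config content that readers copy. Restrict the replacement to lines outside code fences and re-check the fenced blocks this commit touched.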
@ -239,4 +239,4 @@ OK
```
## Certificate transparency
All issued certificates will be logged to [xuu's mattermost instance](https://teams.dn42/dn42/channels/tls-certificates).
All issued certificates will be logged to [xuu's mattermost instance](https://teams.dn42/dn42/channels/tls-certificates).

View File

@ -168,4 +168,4 @@ $ update-ca-certificates
## PKI Store
All issued keys and crl information are posted at: https://ca.dn42/
All issued keys and crl information are posted at: https://ca.dn42/

View File

@ -36,7 +36,7 @@ Since gollum is built on top of Git, it is not overly complicated to keep the lo
- Contact [XUU-DN42](https://io.nixnodes.net?t=person&l=XUU-DN42) and ask for write access to the repo
- Setup cron for periodic pull/push jobs for the repo (simple example):
+ **wiki-sync.sh**:
```sh
@ -62,7 +62,7 @@ exit 0
- Install [gollum](https://github.com/gollum/gollum)
- Start two gollum instances, read-only and read/write on `127.0.0.1`:
Read/write (SSL only):
```
RACK_ENV=production gollum --css --host 127.0.0.1 --port 4568 <path>
@ -76,7 +76,7 @@ RACK_ENV=production gollum --css --host 127.0.0.1 --port 4567 --no-edit <path>
## Nginx reverse proxy
#### SSL
### SSL
- Setup your maintainer object according to [Automatic CA](/services/Automatic-CA)
- Generate a [CSR](/services/Certificate-Authority) and send DNS Key Pin to [xuu@sour.is](mailto:xuu@sour.is):
@ -138,7 +138,7 @@ Nginx should listen on a unicast address as well, so your site can be reached ex
```
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_session_cache shared:SSL:2m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
ssl_prefer_server_ciphers on;
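Review bot: Not introduced by this commit, but the context lines still recommend `ssl_protocols TLSv1.2 TLSv1.1 TLSv1;` and a cipher list that falls back to CBC-mode, static-RSA and `DES-CBC3-SHA` suites. Since this is the config readers copy for a mirror whose read/write instance is "SSL only", a follow-up should drop TLS 1.0/1.1 and trim the list to the ECDHE GCM suites at its start, unless old clients inside dn42 are known to need the rest.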
@ -188,7 +188,7 @@ server {
## ExaBGP
#### Announcing
### Announcing
The prefix AS-PATH should show the announcement is originating from your AS. After peering ExaBGP to the nearest speaker(s), check if the prefix is routing properly inside your network. Try not to blackhole the passing traffic (e.g. no static routes to `172.23.0.80/32`). Test the whole thing by shutting down nginx/gollum and watch what happens.
@ -247,7 +247,7 @@ URL=("http://172.23.0.80" "https://172.23.0.80" "http://[fd42:d42:d42:80::1]" "h
ROUTE='172.23.0.80/32'
## the anycast v6 route (/64 due to prefix size limits)
ROUTE6='fd42:d42:d42:80::/64'
## the next-hop we'll be advertising to neighbor(s)
NEXTHOP='<source-address>'
NEXTHOP6='<source-address-v6>'
@ -258,15 +258,15 @@ VALIDATE_KEYWORD='gollum'
INTERVAL=60
###########################
RUN_STATE=0
check_urls() {
for url in "${URL[@]}"; do
## workaround curl errno 23 when piping
http_response=`${CURL} --insecure -g -s -L -o - "${url}"`
echo "${http_response}" | egrep -q "${VALIDATE_KEYWORD}" || {
return 1
}
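Review bot: In `check_urls`, the keyword match is the only health signal and the fetch uses `--insecure`, so an expired or wrong certificate on the HTTPS URLs never fails the check. If that is intentional because the URLs are bare addresses, say so in a comment next to the `curl` line; otherwise validate the certificate in a separate step. While this block is being edited, `egrep` and the backticks could become `grep -E` and `$(...)`.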
@ -293,7 +293,7 @@ while [ 1 ]; do
fi
sleep ${INTERVAL}
done
exit 0
@ -325,7 +325,7 @@ start() {
cpid=$!
[ ${cpid} -eq 0 ] && {
echo "ERROR: could not start process"; return 1
}
echo ${cpid} > ${PID_FILE}
}
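Review bot: In `start()`, the test `[ ${cpid} -eq 0 ]` cannot detect a failed launch: `$!` is the PID of the last background job and is never 0, so "ERROR: could not start process" is unreachable and the PID of a process that already exited can be written to `${PID_FILE}`. Check liveness instead, for example `kill -0 "${cpid}" 2>/dev/null || { echo "ERROR: could not start process"; return 1; }` after a short delay, and quote `"${PID_FILE}"` in the redirect.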
@ -356,4 +356,4 @@ exit 0

View File

@ -3,4 +3,4 @@ If you have an E-Mail service and would like to test it's functionality, send an
**Free E-Mail Addresses for DN42 Users.**
* DN42 Mail, https://dmail.dn42
* Free, easy to sign up, unlimited internal emailing. Hosted by zane_reick
* Register at https://dmail.dn42/register/register.php
* Register at https://dmail.dn42/register/register.php

View File

@ -15,4 +15,4 @@ points of failure and are no longer operating
The NL-Zuid website is also available from the public internet: https://nl-zuid.nl
Its generally recommended to only announce prefixes from your own network and that of your transit customers.
Its generally recommended to only announce prefixes from your own network and that of your transit customers.

View File

@ -48,4 +48,4 @@ If someone is willing to experiment we could try allowing reinvites. This way al
* Phone #: +493727/959023
* Sipgate: 5884293
* SIP: maxx(at)maxx.spaceboyz.net
* Transcoding from/into G.729 works fine now, thanks to some precompiled versions for asterisk.
* Transcoding from/into G.729 works fine now, thanks to some precompiled versions for asterisk.

View File

@ -23,4 +23,4 @@ Remember, if you announce an anycast /64, then you need to provide **all** servi
### Future services
- streaming
- other kind of DNS (authoritative-only, recursive for `dn42` only)
- other kind of DNS (authoritative-only, recursive for `dn42` only)

View File

@ -49,4 +49,4 @@ The set of valid KSKs can be found in the registry.
* [DNS Quick Start](/DNS)
* [Old Hierarchical DNS](/Old-Hierarchical-DNS)
* [Original DNS (deprecated)](/Original-DNS-(deprecated))
* [Original DNS (deprecated)](/Original-DNS-(deprecated))

View File

@ -10,4 +10,4 @@
|----|----|----|----|----|----|
| cronix | _down_ | news.crystalnet.dn42 | _yes_ | as requested | _no_ |
| UFO | _down_ | [UCIS.ano news](http://cgiproxy.ucis.dn42/nph-proxy.cgi/00/http/www.ucis.ano/news/) | _no_ | anonet, dn42 | _limited_ |
| SeekingFor | _down_ | [AnoNet News](http://cgiproxy.ucis.dn42/nph-proxy.cgi/00/http/news.sfor.ano/) | _yes_ | anonet, dn42 | _no_ |
| SeekingFor | _down_ | [AnoNet News](http://cgiproxy.ucis.dn42/nph-proxy.cgi/00/http/news.sfor.ano/) | _yes_ | anonet, dn42 | _no_ |

View File

@ -46,4 +46,4 @@ Contact one of the root-servers.dn42 operators if you wish to set up a root/zone
You may want to set up a resolver, see link below or use 172.23.0.53 directly.
Techical information available [here](https://nixnodes.net/wiki/n/DN42_DNS)
Techical information available [here](https://nixnodes.net/wiki/n/DN42_DNS)

View File

@ -43,4 +43,4 @@ See [Providing Anycast DNS](/Providing Anycast DNS).
## [Old Hierarchical DNS](/Old Hierarchical DNS)
This is a new effort to build a DNS system that mirrors how DNS was designed to work in clearnet.
This is a new effort to build a DNS system that mirrors how DNS was designed to work in clearnet.

View File

@ -37,7 +37,7 @@ protocol bgp ROUTE_COLLECTOR
ipv4 {
# export all available paths to the collector
add paths tx;
# import/export filters
import none;
export filter {

View File

@ -112,4 +112,4 @@ user root
fi
# Measure Section ##########
```
* restart munin-node
* restart munin-node

View File

@ -30,4 +30,4 @@ With `bin/tahoe start` you start your local node.
You can reach the local node via web browser at [http://localhost:3456](http://localhost:3456).
## Further informations
Look at https://tahoe-lafs.org for further information.
Look at https://tahoe-lafs.org for further information.

View File

@ -2,7 +2,7 @@
Previously, some DN42 users had provided VMs to the community, but it is not known if any of these are currently active any more. The list of old providers is below the break.
#### burble.dn42
## burble.dn42
If you have a DN42 project but do not have the resources to host it yourself, the burble.dn42 network may be able to provide hosting for you. Contact burble on IRC or via email to discuss.
@ -13,7 +13,7 @@ If you have a DN42 project but do not have the resources to host it yourself, th
---
#### Old Providers:
### Old Providers:
| Person | RAM | HDD | Net | CPU | Description | No. Available
|:------------- |:------ |:--------- |:---------- |:---------- |:-------------------------- |:--------------------------|
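Review bot: "Old Providers:" is now `###` while "burble.dn42" in the previous hunk became `##`, so the old-provider table renders as a subsection of burble.dn42 even though the `---` rule above it and the intro text ("The list of old providers is below the break") treat it as a separate part of the page. Use `##` for both headings, and drop the trailing colon from "Old Providers:".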
@ -21,4 +21,4 @@ If you have a DN42 project but do not have the resources to host it yourself, th
| florianb | 384 MB | 5 GB | dn42 only | 1x 2.2Ghz | OpenVZ in Germany, good peers | always enough
| nellicus | 384 MB | 5 - 10 GB | dn42 only | 1x 2.6Ghz | Xen/KVM Washington, DC USA | 0
|Basil | 256 MB | 20 GB | dn42, NAT v4, /64 v6 | 1x 3.4Ghz | KVM, Gravelines, France | Always enough
| KaiRaphixx (AS4242422506) | 512 MB - 4096 MB | 20 GB SSD / 50 GB HDD | dn42, NAT v4 (only Internet-Connection, No Port-Forwarding) | 1x - 2x 3.5 Ghz | KVM, Falkenstein, Germany | Always enough
| KaiRaphixx (AS4242422506) | 512 MB - 4096 MB | 20 GB SSD / 50 GB HDD | dn42, NAT v4 (only Internet-Connection, No Port-Forwarding) | 1x - 2x 3.5 Ghz | KVM, Falkenstein, Germany | Always enough

View File

@ -90,7 +90,7 @@ We have anycast IPv4 and IPv6, both reachable under whois.dn42. IPs are 172.22.0
| burble | whois.burble.dn42 | 172.20.129.8 / fd42:4242:2601:ac43::1 |
| taavi | whois.svc.as4242423270.dn42 | 172.22.130.143 / fd96:70f6:b174:<span>ac</span>::43 |
### Down?
## Down?
| **person** | **dns** | **ip** |
|------------|---------------------------|-----------------|

View File

@ -74,7 +74,7 @@ To disable DNSSEC validation only for certain TLDs include the following in the
```
options {
# [...]
validate-except {
"dn42";
"20.172.in-addr.arpa";
@ -254,4 +254,4 @@ system {
```
## MS DNS
Add a "Conditional Forward" (de: "Bedingte Weiterleitung") for each of "dn42", "20.172.in-addr.arpa", "21.172.in-addr.arpa", "22.172.in-addr.arpa", "23.172.in-addr.arpa", "10.in-addr.arpa" using 172.20.0.53 as forwarder. Ignore the error message that the server is not authoritative.
Add a "Conditional Forward" (de: "Bedingte Weiterleitung") for each of "dn42", "20.172.in-addr.arpa", "21.172.in-addr.arpa", "22.172.in-addr.arpa", "23.172.in-addr.arpa", "10.in-addr.arpa" using 172.20.0.53 as forwarder. Ignore the error message that the server is not authoritative.

View File

@ -31,4 +31,4 @@ NeoNetwork zone files can be found here: https://github.com/NeoCloud/NeoNetwork/
## Configuration
See [DNS forwarding configuration](/services/dns/Configuration).
See [DNS forwarding configuration](/services/dns/Configuration).

View File

@ -1,4 +1,4 @@
#DEPRECATED - Please have a look at [Hierarchical DNS](https://internal.dn42/Hierarchical-DNS) instead
# DEPRECATED - Please have a look at [Hierarchical DNS](https://internal.dn42/Hierarchical-DNS) instead
You may want to participate in the anycast DNS cloud.
@ -63,4 +63,4 @@ There are a few different scripts for generating zone files. They have been writ
| xuu |ON,CA| 64737 | souris.root.dn42 (fdea:a15a:77b9:53::1) | |
| Nurtic-Vibe |EU |4242420123 | ns1.grmml.dn42 (fd42:23:149:cccc::53) ||
| hax404 | DE | 76114 | chero.hax404.dn42 (fd58:eb75:347d:101::1) ||
| florianb | AT | 4242423955 | resolver.flo.dn42 (fd42:d42:d42:53::1) | advertisted in BGP |
| florianb | AT | 4242423955 | resolver.flo.dn42 (fd42:d42:d42:53::1) | advertisted in BGP |