Italiano English
Edit History Actions

IsoleVPN

OBSOLETE: see: Connessione VPN tra isole ninux in città diverse

Disclaimer

This VPN is mainly used to connect network islands when it is very difficult to build a wired/wireless link ( for example two community networks in very distant city ). It is not intended to connect single persons that wants access internal services via VPN. It is recommended to avoid data traffic over the VPN because it will slow down troubleshooting operation that is one of main use of the VPN itself.

Connect to the VPN between islands with Tinc

1) Install tinc on your Linux Distro ( Debian based: apt-get install tinc, Gentoo based: emerge tinc ) MAKE SURE YOU HAVE AT LEAST TINC 1.0.13

2) Create config dir

mkdir /etc/tinc/isole

3) Create config file

/etc/tinc/isole/tinc.conf

Name = yournickname
ConnectTo = coppermine
ConnectTo = zefiro
ConnectTo = RomaVpnIsole
ConnectTo = BitArno
ConnectTo = heimdall
Mode = switch

Mode switch is required because tinc will operate with a tap interface, needed to run babeld on it.

4) Download hosts keys from our git repository

cd /etc/tinc/isole/
git clone git://github.com/ninuxorg/HostsVpnIsole.git hosts

Optionally to ensure your hosts keys are always updated you can add the following line or something similar to your crontab

0 * * * *       root    cd /etc/tinc/isole/hosts && git pull &> /dev/null

5) Generate a Keypair

tincd -n isole -K

6) Look for a free IP address in the subnet 10.0.5.0/24 and add your self in the table on the GestioneIndirizzi wiki page.

7) Create the file

/etc/tinc/isole/tinc-up

# If your distro supports flexible init networking scripts like Gentoo, you can do it in more elegant way

ip link set dev $INTERFACE up
ip address add dev $INTERFACE HEREYOURIPADDRESS/24
#Adjust MTU
ip link set mtu 1350 dev $INTERFACE
iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Where in place of HEREYOURIPADDRESS you must put the IP address choosen at point 6 of this guide

Make the file executable

chmod +x /etc/tinc/isole/tinc-up

8) Send an email to contatti@ninux.org and info@eigenlab.org with your Nickname chosen at point 3 and your generated public key that may look something like.

cat /etc/tinc/isole/hosts/YourHostNickName

Address = Public_Host_Address(not_the_10.0.5.x_one)_If_Available

-----BEGIN RSA PUBLIC KEY-----
TXKAJun1ffoORTQTqhfop1Bfn8BZjKF4efagDCNdQanl8vVMRIqrFb3anXzbUI2O
QVL1lIBom8KgsviE6VywVrF5thYzotqWVKH1K2hwgpZXGVsmimIiFr9hz3pBsOfZ
dL2mmLuZXKx1JujdLq2zVYf1peh7ctcqXuXQfJRJIFGhvPndO9dluQUxtZz8StdY
sVhQcmiyCnmvKNcbyIHQXCA+5zZYNNmu9wIDAQAB
-----END RSA PUBLIC KEY-----

This file has the address ( if available ) and the public key of the VPN node

9) Once you received notification that your public key is authorized you can try to connect

tincd -n isole

If everything worked out you can ping 10.0.5.103. Now configure babeld to use the interface "isole"

It is FUNDAMENTAL to use latest babeld version

11) Configure babeld ( depending on your distro default babeld config file path can be different we will refer to Debian in the example )

edit

/etc/babeld.conf

After editing it should look like this but may vary depending on your setup

## Add interface isole as wired with a fixed cost of 300
interface isole wired true rxcost 300

# Suggested
in le 14 ip 0.0.0.0/0 deny
in ge 23 ip 10.0.0.0/23 deny
in ge 23 ip 10.255.254.0/23 deny
in ge 10 ip 100.64.0.0/10 deny
in ge 23 ip 172.16.0.0/23 deny
in ge 23 ip 172.31.254.0/23 deny
in ge 23 ip 192.168.0.0/23 deny
in ge 23 ip 192.168.254.0/24 deny


# example
## Refuse 131.114.0.0/16 route
#in ip 131.114.0.0/16 deny

# example ( this is useful if your adsl router have a subnet like this )
## Refuse route with a prefix lenght great or equal 24 matching with 192.168.2.0/24
# in ge 24 ip 192.168.2.0/24 deny

# example ( this is useful if you are using another routing protocol on your island )
## Redistribute route in the 10/8 subnet from another routing protocol that have proto 157
# redistribute ip 10.0.0.0/8 proto 157

# Mandatory
## Allow announcing route 10.0.5.0/24
redistribute ip 10.0.5.0/24 allow

## Allow here the sharing of route you want share
## for example
# redistribute ip 10.0.0.0/8 allow

## Deny announcing all other local route 
redistribute local deny

OLSRd configuration for Babeld

1) Install git, build-essentials, flex and bison for compile the olsrd version with ad-hoc plugin that permit intercomunication between olsrd and babeld.

2) download ninux.org gihub repository:

git clone git://github.com/ninuxorg/olsrd.git

3) when enter olsrd folder and switch to new plugin branch:

git checkout proto_plugin_rc3

4) compile olsrd and his plugins:

make
make libs

5) install olsrd and plugins:

make install
make install_libs

6) now go to /etc/olsrd.conf and insert  RtProto 157  inside the config on top, before hna4 entries. (this mark all routes learned from olsr network with proto 157, in this way babeld can recognize olsr routes)

CAUTION AT THIS POINT

7) If you want that olsrd redistribute routes from babeld you need to insert this configuration inside the file:

LoadPlugin "olsrd_proto.so.0.2"
{
        PlParam "proto_no" "42"
}

IF BABELD IS IMPROPERLY CONFIGURED THIS OPTION CAN CREATE A BLACKHOLE! WATCH OUT!

8) now you only need to configure olsrd to start on boot with babeld and tincd.