Size: 2194
Comment:
|
Size: 3900
Comment:
|
Line 1: | Line 1: |
= Disclaimer = |
|
Line 2: | Line 4: |
It is not aimed to connect single persons that wants access internal services via VPN. |
It is not intended to connect single persons that wants access internal services via VPN. |
Line 8: | Line 9: |
1) Install tinc on your Linux (e.g. apt-get install tinc) '''MAKE SURE YOU HAVE AT LEAST TINC 1.0.13''' | 1) Install tinc on your Linux Distro ( Debian based: apt-get install tinc, Gentoo based: emerge tinc ) '''MAKE SURE YOU HAVE AT LEAST TINC 1.0.13''' |
Line 10: | Line 11: |
2) {{{mkdir /etc/tinc/isole}}} | 2) Create config dir {{{ mkdir /etc/tinc/isole }}} |
Line 12: | Line 16: |
3) Create {{{/etc/tinc/isole/tinc.conf}}} | 3) Create config file {{{ /etc/tinc/isole/tinc.conf }}} |
Line 25: | Line 32: |
4) Create the hosts folder {{{mkdir /etc/tinc/isole/hosts/}}} | 4) Download hosts keys from our git repository {{{ git clone git://github.com/ninuxorg/HostsVpnIsole.git hosts }}} |
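Review bot: the hosts repository that step 4 now clones is the trust anchor for every peer this node will accept, yet it is fetched over git://, a transport with no authentication or integrity protection, so whatever arrives in the clone becomes an authorized host file without any check. Clone it over https:// (or ssh) instead, and tell the reader to compare the received key files with the owners out of band before the first tincd start.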
Line 27: | Line 37: |
5) Generate a Keypair {{{tincd -n isole -K}}} | 5) Generate a Keypair {{{ tincd -n isole -K }}} |
Line 29: | Line 42: |
6) Add only keys you trust ( at least the ones you specified as ConnectTo ) as authorized hosts files from [[ChiaviTincVPNIsole]] (each file you add should appear like this): | 6) Look for a free IP address in the subnet 10.0.1.0/24 and add your self in the table on the [[GestioneIndirizzi]] wiki page. |
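Review bot: this hunk removes the old advice "add only keys you trust (at least the ones you specified as ConnectTo)" without carrying it anywhere else, so combined with the new step 4 every key present in the repository is silently treated as an authorized peer. Either state who reviews additions to that repository and how, or keep a sentence telling the operator to install only the ConnectTo hosts plus peers they have verified.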
Line 31: | Line 44: |
{{YourPreferredEditor /etc/tinc/isole/hosts/HostNickName}} | 7) Create the file {{{ /etc/tinc/ninux/tinc-up }}} |
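Review bot: the path /etc/tinc/ninux/tinc-up does not match the network name used in every other step (config dir /etc/tinc/isole, "tincd -n isole"). tinc executes the tinc-up script of the network it was started for, i.e. /etc/tinc/isole/tinc-up, so a script placed under ninux/ is never run and the interface stays without an address. The path here, and the chmod line added a few hunks later, should read /etc/tinc/isole/tinc-up.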
Line 33: | Line 49: |
{{ | {{{ # If your distro supports flexible init networking scripts like Gentoo, you can do it in more elegant way |
Line 35: | Line 52: |
Address = Host_Address_If_Available | ip link set dev $INTERFACE up ip address add dev $INTERFACE HEREYOURIPADDRESS/24 #Adjust MTU ip link set mtu 1350 dev $INTERFACE iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu }}} |
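Review bot: the iptables rule is appended with -A on every tinc-up run and the guide adds no tinc-down that removes it, so each restart of tincd leaves one more duplicate TCPMSS rule in the FORWARD chain. Guard the insertion ("iptables -C FORWARD ... || iptables -A FORWARD ...") or add a tinc-down that deletes it with -D. Also consider restricting the clamp to traffic leaving the VPN interface ("-o $INTERFACE"); as written it rewrites the MSS of every forwarded TCP connection on the host, not only VPN traffic.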
Line 37: | Line 59: |
-----BEGIN RSA PUBLIC KEY----- MIIBCgKCAQEAz3Tmd+1gK0rhLuNw2x3ueT7Fel0+PuBg6EU1bWIhIH5VM9WzCOC7 sWPVZn0Dgk+y2NdKokUEUF2J3BdNS/wPzCCu2shGGM/DvsLoZ/aV1+2R0F3/gInK |
Where in place of HEREYOURIPADDRESS you must put the IP address choosen at point 6 of this guide Make the file executable {{{ chmod +x /etc/tinc/ninux/tinc-up }}} 8) Send an email to contatti@ninux.org and info@eigenlab.org with your Nickname chosen at point 3 and your generated public key that may look something like. {{{ cat /etc/tinc/isole/hosts/YourHostNickName }}} {{{ Address = Public_Host_Address(not_the_10.0.1.x_one)_If_Available -----BEGIN RSA PUBLIC KEY----- |
Line 46: | Line 83: |
}} | }}} |
Line 51: | Line 88: |
9) Once you received notification that your public key is authorized you can try to connect {{{tincd -n isole}}} If everything worked out you can ping 10.0.1.1. Now configure babeld to use the interface "isole" It is FUNDAMENTAL to use latest [[http://www.pps.univ-paris-diderot.fr/~jch/software/babel/|babeld]] version 11) Configure babeld ( depending on your distro default babeld config file path can be different we will refer to Debian in the example ) edit {{{ /etc/babeld.conf }}} After editing it should look like this but may vary depending on your setup {{{ ## Add interface isole as wired with a fixed cost of 300 interface isole wired true rxcost 300 # Suggested ## Refuse every ipv4 route with a prefix lenght less or equal to 14 in le 14 ip 0.0.0.0/0 deny # example ## Refuse 131.114.0.0/16 route #in ip 131.114.0.0/16 deny # example ( this is useful if your adsl router have a subnet like this ) ## Refuse route with a prefix lenght great or equal 24 matching with 192.168.2.0/24 # in ge 24 ip 192.168.2.0/24 deny # Mandatory ## Allow announcing route 10.0.1.0/24 redistribute ip 10.0.1.0/24 allow ## Allow here the sharing of route you want share ## for example # redistribute ip 10.0.0.0/8 allow ## Deny announcing all other local route redistribute local deny }}} |
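Review bot: the step numbering jumps from 9) to 11), so either a step was lost in this revision or the label should be 10). In the babeld.conf block, the order of the two redistribute lines is what makes the config work: babeld applies the first matching filter rule, so "redistribute ip 10.0.1.0/24 allow" must stay above "redistribute local deny" or the node stops announcing the VPN subnet; worth saying in the "# Mandatory" comment. Minor: "lenght" appears twice in the comments and should be "length".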
Disclaimer
This VPN is mainly used to connect network islands when it is very difficult to build a wired/wireless link (for example two community networks in very distant cities). It is not intended to connect single persons who want to access internal services via VPN. It is recommended to avoid data traffic over the VPN because it will slow down troubleshooting operations, which are one of the main uses of the VPN itself.
Connect to the VPN between islands with Tinc
1) Install tinc on your Linux distro (Debian based: apt-get install tinc, Gentoo based: emerge tinc). MAKE SURE YOU HAVE AT LEAST TINC 1.0.13
2) Create config dir
mkdir /etc/tinc/isole
3) Create config file
/etc/tinc/isole/tinc.conf
Name = yournickname
ConnectTo = coppermine
ConnectTo = zefiro
ConnectTo = RomaVpnIsole
ConnectTo = BitArno
Mode = switch
Mode = switch is required because tinc will then operate with a tap interface, which is needed to run babeld on it.
4) Download hosts keys from our git repository
git clone git://github.com/ninuxorg/HostsVpnIsole.git hosts
5) Generate a Keypair
tincd -n isole -K
6) Look for a free IP address in the subnet 10.0.1.0/24 and add yourself to the table on the GestioneIndirizzi wiki page.
7) Create the file
/etc/tinc/ninux/tinc-up
#!/bin/sh
# If your distro supports flexible init networking scripts like Gentoo, you can do it in a more elegant way
ip link set dev $INTERFACE up
ip address add dev $INTERFACE HEREYOURIPADDRESS/24
# Adjust MTU
ip link set mtu 1350 dev $INTERFACE
iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Where in place of HEREYOURIPADDRESS you must put the IP address chosen at point 6 of this guide.
Make the file executable
chmod +x /etc/tinc/ninux/tinc-up
8) Send an email to contatti@ninux.org and info@eigenlab.org with the nickname chosen at point 3 and your generated public key, which may look something like this:
cat /etc/tinc/isole/hosts/YourHostNickName
Address = Public_Host_Address(not_the_10.0.1.x_one)_If_Available
-----BEGIN RSA PUBLIC KEY-----
TXKAJun1ffoORTQTqhfop1Bfn8BZjKF4efagDCNdQanl8vVMRIqrFb3anXzbUI2O
QVL1lIBom8KgsviE6VywVrF5thYzotqWVKH1K2hwgpZXGVsmimIiFr9hz3pBsOfZ
dL2mmLuZXKx1JujdLq2zVYf1peh7ctcqXuXQfJRJIFGhvPndO9dluQUxtZz8StdY
sVhQcmiyCnmvKNcbyIHQXCA+5zZYNNmu9wIDAQAB
-----END RSA PUBLIC KEY-----
This file has the address (if available) and the public key of the VPN node.
9) Once you received notification that your public key is authorized you can try to connect
tincd -n isole
If everything worked out you can ping 10.0.1.1. Now configure babeld to use the interface "isole".
It is FUNDAMENTAL to use the latest babeld version (http://www.pps.univ-paris-diderot.fr/~jch/software/babel/).
11) Configure babeld (depending on your distro the default babeld config file path can differ; we will refer to Debian in the example). Edit
/etc/babeld.conf
After editing it should look like this, but it may vary depending on your setup:
## Add interface isole as wired with a fixed cost of 300
interface isole wired true rxcost 300

# Suggested
## Refuse every ipv4 route with a prefix length less than or equal to 14
in le 14 ip 0.0.0.0/0 deny

# example
## Refuse the 131.114.0.0/16 route
#in ip 131.114.0.0/16 deny

# example (this is useful if your adsl router has a subnet like this)
## Refuse routes with a prefix length greater than or equal to 24 matching 192.168.2.0/24
# in ge 24 ip 192.168.2.0/24 deny

# Mandatory
## Allow announcing route 10.0.1.0/24
redistribute ip 10.0.1.0/24 allow

## Allow here the sharing of the routes you want to share
## for example
# redistribute ip 10.0.0.0/8 allow

## Deny announcing all other local routes
redistribute local deny
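As an added illustration, not part of the original guide or of babeld itself, the following Python models how babeld applies the filter rules above: rules are tried in file order and the first matching one decides, which is why the 10.0.1.0/24 allow must precede the local deny. The model assumes that "ip" matches any route contained in the given prefix and that "le"/"ge" bound the prefix length, and it only understands the selectors this page uses.

```python
import ipaddress

# Constructed copy of the babeld.conf filter rules shown on this page.
BABELD_CONF = """
interface isole wired true rxcost 300
in le 14 ip 0.0.0.0/0 deny
#in ip 131.114.0.0/16 deny
# in ge 24 ip 192.168.2.0/24 deny
redistribute ip 10.0.1.0/24 allow
redistribute local deny
"""
FILTER_KINDS = ("in", "out", "redistribute")

def parse_filters(conf):
    """Return the filter rules as (kind, selectors, action) tuples, in file order."""
    rules = []
    for raw in conf.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if not tokens or tokens[0] not in FILTER_KINDS:
            continue                            # blank, comment, or e.g. "interface ..."
        kind, action, sel, i = tokens[0], tokens[-1], {}, 1
        while i < len(tokens) - 1:              # selectors sit between kind and action
            if tokens[i] == "local":
                sel["local"] = True
                i += 1
            elif tokens[i] in ("ip", "le", "ge"):
                sel[tokens[i]] = tokens[i + 1]
                i += 2
            else:
                raise ValueError("unsupported selector: " + tokens[i])
        rules.append((kind, sel, action))
    return rules

def matches(sel, route, local):
    """Model assumption: 'ip' matches routes contained in the prefix; le/ge bound its length."""
    plen = route.prefixlen
    if "local" in sel and not local:
        return False
    if "ip" in sel and not route.subnet_of(ipaddress.ip_network(sel["ip"])):
        return False
    return not ("le" in sel and plen > int(sel["le"])) and not ("ge" in sel and plen < int(sel["ge"]))

def filter_route(rules, kind, prefix, local=False):
    """First matching rule of the given kind decides; None means no rule matched."""
    route = ipaddress.ip_network(prefix)
    for rule_kind, sel, action in rules:
        if rule_kind == kind and matches(sel, route, local):
            return action
    return None

RULES = parse_filters(BABELD_CONF)
```

With these rules a received 10.0.0.0/8 is refused (prefix length 8 is at most 14), the VPN subnet is redistributed even though it is local, and any other local route is kept private; routes that match no rule fall through to babeld's own defaults.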