OBSOLETE: see Connessione VPN tra isole ninux in città diverse (VPN connection between ninux islands in different cities): http://wiki.ninux.org/IsoleVPNBGP
This VPN is mainly used to connect network islands when it is very difficult to build a wired/wireless link (for example two community networks in very distant cities). It is not intended to connect individual users who want to reach internal services via VPN. It is recommended to avoid data traffic over the VPN, because it slows down troubleshooting, which is one of the main uses of the VPN itself.
Connect to the VPN between islands with Tinc
1) Install tinc on your Linux distro (Debian based: apt-get install tinc, Gentoo based: emerge tinc). MAKE SURE YOU HAVE AT LEAST TINC 1.0.13
2) Create the config dir
mkdir /etc/tinc/isole
3) Create the config file /etc/tinc/isole/tinc.conf
Name = yournickname
ConnectTo = coppermine
ConnectTo = zefiro
ConnectTo = RomaVpnIsole
ConnectTo = BitArno
ConnectTo = heimdall
Mode = switch
Mode = switch is required because tinc will then operate on a tap interface, which is needed to run babeld on it.
4) Download the hosts keys from our git repository
cd /etc/tinc/isole/
git clone git://github.com/ninuxorg/HostsVpnIsole.git hosts
Optionally, to ensure your hosts keys are always up to date, you can add the following line (or something similar) to the system crontab; note the user field, which belongs to the /etc/crontab format
# cron runs jobs with /bin/sh, where "&>" is not a redirection, so both streams are redirected explicitly
0 * * * * root cd /etc/tinc/isole/hosts && git pull > /dev/null 2>&1
5) Generate a Keypair
tincd -n isole -K
6) Look for a free IP address in the subnet and add yourself to the table on the GestioneIndirizzi wiki page.
7) Create the file /etc/tinc/isole/tinc-up
#!/bin/sh
# tinc runs this script when the "isole" network comes up and exports the tap interface name as $INTERFACE
# If your distro supports flexible init networking scripts like Gentoo, you can do it in a more elegant way
ip link set dev $INTERFACE up
ip address add dev $INTERFACE HEREYOURIPADDRESS/24
# Adjust MTU
ip link set mtu 1350 dev $INTERFACE
iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Where in place of HEREYOURIPADDRESS you must put the IP address chosen at point 6 of this guide
Make the file executable
chmod +x /etc/tinc/isole/tinc-up
8) Send an email to contatti@ninux.org and info@eigenlab.org with the nickname you chose at point 3 and your generated public key, which may look something like this:
cat /etc/tinc/isole/hosts/YourHostNickName
Address = Public_Host_Address(not_the_10.0.5.x_one)_If_Available
-----BEGIN RSA PUBLIC KEY-----
TXKAJun1ffoORTQTqhfop1Bfn8BZjKF4efagDCNdQanl8vVMRIqrFb3anXzbUI2O
QVL1lIBom8KgsviE6VywVrF5thYzotqWVKH1K2hwgpZXGVsmimIiFr9hz3pBsOfZ
dL2mmLuZXKx1JujdLq2zVYf1peh7ctcqXuXQfJRJIFGhvPndO9dluQUxtZz8StdY
sVhQcmiyCnmvKNcbyIHQXCA+5zZYNNmu9wIDAQAB
-----END RSA PUBLIC KEY-----
This file holds the address (if available) and the public key of the VPN node.
9) Once you have received notification that your public key is authorized, you can try to connect
tincd -n isole
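A pre-flight check for the directory layout built in steps 3 to 8, as an added example that is not from the ninux wiki or from tinc itself: it parses tinc.conf and the hosts/ directory and reports the usual reasons a first `tincd -n isole` fails (a ConnectTo peer whose host file is missing, a host file without a public key block, Mode not set to switch, tinc-up not executable). The key text, the peer names and the 203.0.113.10 address in demo() are constructed sample data, not real keys or nodes.

```python
import os, re, tempfile
from pathlib import Path
PEM_RE = re.compile(r"-----BEGIN (RSA )?PUBLIC KEY-----.*?-----END (RSA )?PUBLIC KEY-----", re.S)

def parse_tinc_conf(text):
    """Return {lowercased key: [values]} from tinc.conf text; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            conf.setdefault(key.lower(), []).append(value)
    return conf

def check_net(netdir):
    """Return the problems found in /etc/tinc/<net>; an empty list means tincd should start."""
    conf = parse_tinc_conf(Path(netdir, "tinc.conf").read_text())
    name = conf.get("name", [None])[0]
    mode = conf.get("mode", [""])[0].lower()
    findings = []
    if not name or not re.fullmatch(r"[A-Za-z0-9_]+", name):
        findings.append("Name missing or uses characters tinc rejects")
    if mode != "switch":
        findings.append("Mode must be switch so babeld can run on the tap interface")
    # tinc needs a host file (with the public key) for ourselves and for every ConnectTo peer
    for peer in ([name] if name else []) + conf.get("connectto", []):
        path = Path(netdir, "hosts", peer)
        if not path.is_file():
            findings.append(f"hosts/{peer} missing")
        elif not PEM_RE.search(path.read_text()):
            findings.append(f"hosts/{peer} has no public key block")
    if not os.access(Path(netdir, "tinc-up"), os.X_OK):
        findings.append("tinc-up missing or not executable")
    return findings

def demo():
    """Constructed sample (fake key, documentation address): check it broken, then fixed."""
    base = Path(tempfile.mkdtemp())
    (base / "hosts").mkdir()
    fake_key = "-----BEGIN RSA PUBLIC KEY-----\nAAAA\n-----END RSA PUBLIC KEY-----\n"
    files = {"tinc.conf": "Name = mynode\nConnectTo = coppermine\nConnectTo = zefiro\nMode = switch\n",
             "hosts/mynode": "Address = 203.0.113.10\n" + fake_key, "hosts/coppermine": fake_key}
    for rel, body in files.items():  # zefiro's host file and tinc-up are deliberately left out
        (base / rel).write_text(body)
    before = check_net(base)
    (base / "hosts" / "zefiro").write_text(fake_key)
    (base / "tinc-up").write_text("#!/bin/sh\n")
    os.chmod(base / "tinc-up", 0o755)
    return before, check_net(base)
```

Run `check_net("/etc/tinc/isole")` on a real node before step 9; every finding is something tincd would otherwise report only at connection time.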
If everything worked out you can ping. Now configure babeld to use the interface "isole".
It is FUNDAMENTAL to use the latest babeld version (http://www.pps.univ-paris-diderot.fr/~jch/software/babel/)
11) Configure babeld (depending on your distro the default babeld config file path can be different; we will refer to Debian in the example). Edit /etc/babeld.conf
After editing it should look like this, but it may vary depending on your setup
## Add interface isole as wired with a fixed cost of 300
interface isole wired true rxcost 300

# Suggested
in le 14 ip deny
in ge 23 ip deny
in ge 23 ip deny
in ge 10 ip deny
in ge 23 ip deny
in ge 23 ip deny
in ge 23 ip deny
in ge 23 ip deny

# example
## Refuse route
#in ip deny

# example (this is useful if your ADSL router has a subnet like this)
## Refuse routes with a prefix length greater than or equal to 24 matching with
# in ge 24 ip deny

# example (this is useful if you are using another routing protocol on your island)
## Redistribute routes in the 10/8 subnet from another routing protocol that has proto 157
# redistribute ip proto 157

# Mandatory
## Allow announcing route
redistribute ip allow

## Allow here the sharing of the routes you want to share
## for example
# redistribute ip allow

## Deny announcing all other local routes
redistribute local deny
OLSRd configuration for Babeld
1) Install git, build-essential, flex and bison to compile the olsrd version with the ad-hoc plugin that permits intercommunication between olsrd and babeld.
2) Download the ninux.org GitHub repository:
git clone git://github.com/ninuxorg/olsrd.git
3) Then enter the olsrd folder and switch to the new plugin branch:
git checkout proto_plugin_rc3
4) Compile olsrd and its plugins:
make
make libs
5) Install olsrd and plugins:
make install
make install_libs
6) Now edit /etc/olsrd.conf and insert RtProto 157 at the top of the config, before the Hna4 entries. (This marks all routes learned from the OLSR network with proto 157, so babeld can recognize OLSR routes.)
7) If you want olsrd to redistribute routes from babeld you need to insert this configuration inside the file:
LoadPlugin "olsrd_proto.so.0.2"
{
    PlParam "proto_no" "42"
}
CAUTION AT THIS POINT: IF BABELD IS IMPROPERLY CONFIGURED THIS OPTION CAN CREATE A BLACKHOLE! WATCH OUT!
8) Now you only need to configure olsrd to start on boot together with babeld and tincd.