Anonet/Peering: Difference between revisions

From Qontrol.nl Wiki

Revision as of 14:19, 2 June 2013

This page will guide you through the process of setting up your first peering on Anonet. It may also serve as a reference for later, when something needs to be changed or peerings need to be added.

This article assumes you're using a Debian-style operating system (Debian, Linux Mint, Ubuntu) and will use Debian-style configuration. There are other ways to implement the same configuration, but those are not discussed here.

What is peering?

Peering is the process of adding peers. "Peer" usually refers to a BGP peer. The first time you do so, you will probably have to configure a lot to set up a framework for other peerings. BGP peering implies that your system will become a router, routing traffic for your own subnetwork and possibly also routing transit traffic for others.

To start peering, you will have to find a peer: a person with a system that is already connected to Anonet, to which you will connect. Usually, you can just ask on IRC in #anonet.

Claiming resources

VPN tunnel

You will need to set up a VPN tunnel with your peer to safely route packets. The most common one on Anonet is QuickTun, although other options like OpenVPN and Tinc are possible too. This article shows how to set up QuickTun.

You can install QuickTun from the "official" apt.ucis.nl Debian repository, or build it from source.

Installing QuickTun from the Debian repository

Run the following commands as root (log in as root or run "sudo bash"):

wget -q http://apt.ucis.nl/IvoSmits.asc -O- | apt-key add -
echo "deb http://apt.ucis.nl/ current ucis" >> /etc/apt/sources.list
apt-get update
apt-get install quicktun

Installing QuickTun from source

sudo apt-get install gcc fakeroot dpkg
wget http://oss.ucis.nl/quicktun/src/quicktun.tgz -O- | tar -xvz
cd quicktun*
./build.sh
sudo dpkg -i out/quicktun*.deb

Configuring QuickTun

You will have to select an IP address to use on your router. It is recommended to use one IP address from the subnet you claimed earlier; we will assume 1.2.3.1. You will also have to decide on a local port number to use for the VPN tunnel. This can be any number between 1024 and roughly 64000; some people prefer to derive the port number from the AS number of the peer, while others just number sequentially. We will use 41112 in this example. It's up to you, as long as it's not in use by anything else (including other peerings). When you have that, you can create a key pair using the following command:

/usr/sbin/quicktun.keypair < /dev/urandom

You can now tell your peer the following information, preferably over a secure channel, so that your peer can begin setting up his end:

- Your internet IP address or dynamic DNS name (only if the IP is more or less static)
- The port number you chose (e.g. 41112)
- The PUBLIC key generated earlier (the SECRET key is SECRET! Do not give it to anyone!)
- The internal IP address of your router (e.g. 1.2.3.1)

Your peer should provide you with the same information about his end.

You can now configure the tunnel. Open /etc/network/interfaces in your favorite text editor, as root. Then add the following lines at the end:

auto tun.<PEERNAME>
iface tun.<PEERNAME> inet static
       address <INTERNAL-IP-ADDRESS-OF-LOCAL-ROUTER>
       pointopoint <INTERNAL-IP-ADDRESS-OF-PEER-ROUTER>
       netmask 255.255.255.255
       qt_tun_mode 1
       qt_protocol nacltai
       qt_remote_address <INTERNET-IP-ADDRESS-OR-HOSTNAME-OF-PEER>
       qt_remote_port <VPN-PORT-OF-PEER>
       qt_local_address <LOCAL-IP-ADDRESS>
       qt_local_port <LOCAL-VPN-PORT>
       qt_private_key <SECRET-KEY>
       qt_public_key <PEER-PUBLIC-KEY>

- <PEERNAME> is a simple name for the connection. It should be short and contain only alphanumeric characters (a-z, A-Z, 0-9). Some people use the peer's AS number here, e.g. as1112.
- <INTERNAL-IP-ADDRESS-OF-LOCAL-ROUTER> is the internal IP address you chose for your router; in this example it would be 1.2.3.1.
- <INTERNET-IP-ADDRESS-OR-HOSTNAME-OF-PEER> is the public internet IP address or dynamic DNS name of your peer; set to 0.0.0.0 if unknown or dynamic.
- <LOCAL-IP-ADDRESS> is the local IP address for outside of the VPN tunnel; set to 0.0.0.0 if unknown or dynamic.
- <SECRET-KEY> is the SECRET key generated by quicktun.keypair.
- <PEER-PUBLIC-KEY> is the public key provided by your peer.

Save the file. Now run the command "ifup tun.<PEERNAME>". When your peer has also started his tunnel, you should be able to "ping <INTERNAL-IP-ADDRESS-OF-PEER-ROUTER>". If this does not work, you can check syslog ("tail /var/log/syslog") for QuickTun errors.
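As an added example (not code from the original page or from QuickTun itself), the following POSIX shell helper checks the values chosen in the steps above (alphanumeric peer name, ports within 1024..64000, both keys present, local port not already used by another stanza) and prints the matching /etc/network/interfaces stanza. The peer name, addresses, port and key strings used with it are constructed placeholders.

```shell
#!/bin/sh
# Added helper, not part of the original page: validate the values chosen for a
# QuickTun peering and emit the /etc/network/interfaces stanza shown above.
# Arguments: PEERNAME LOCAL-INT-IP PEER-INT-IP PEER-HOST PEER-PORT LOCAL-IP LOCAL-PORT SECRET-KEY PEER-PUBKEY

# PEERNAME must be non-empty and purely alphanumeric (a-z, A-Z, 0-9).
qt_valid_name() {
    case "$1" in
        '' | *[!a-zA-Z0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Ports must be numeric and within the range the page recommends (1024 .. 64000).
qt_valid_port() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 64000 ]
}

# Returns 0 if some stanza in FILE ($1) already uses local port PORT ($2);
# every peering needs its own local port.
qt_port_in_use() {
    grep -qE "^[[:space:]]*qt_local_port[[:space:]]+$2\$" "$1" 2>/dev/null
}

# Print the stanza on stdout, or fail with a message on stderr.
qt_stanza() {
    name=$1 local_int=$2 peer_int=$3 peer_host=$4 peer_port=$5
    local_ip=$6 local_port=$7 secret=$8 pubkey=$9
    qt_valid_name "$name" || { echo "bad PEERNAME: $name" >&2; return 1; }
    qt_valid_port "$peer_port" || { echo "bad peer port: $peer_port" >&2; return 1; }
    qt_valid_port "$local_port" || { echo "bad local port: $local_port" >&2; return 1; }
    [ -n "$secret" ] && [ -n "$pubkey" ] || { echo "both keys are required" >&2; return 1; }
    printf 'auto tun.%s\niface tun.%s inet static\n' "$name" "$name"
    printf '        address %s\n        pointopoint %s\n' "$local_int" "$peer_int"
    printf '        netmask 255.255.255.255\n        qt_tun_mode 1\n        qt_protocol nacltai\n'
    printf '        qt_remote_address %s\n        qt_remote_port %s\n' "$peer_host" "$peer_port"
    printf '        qt_local_address %s\n        qt_local_port %s\n' "$local_ip" "$local_port"
    printf '        qt_private_key %s\n        qt_public_key %s\n' "$secret" "$pubkey"
}
```

Because the stanza embeds your SECRET key, keep the resulting /etc/network/interfaces readable by root only.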

BGP routing

sudo apt-get install bird
sudo nano /etc/bird.conf
/etc/init.d/bird restart
birdc show protocols

DNS setup

Firewall

Enable IP forwarding

Get more peers!