Difference between revisions of "ChaosVPN"

From CCCHHWiki
Jump to: navigation, search
m (ChasoVPN 3.0)
m (long term)
Line 125: Line 125:
  
 
=== long term ===
 
=== long term ===
 
==== tinc based ====
 
 
tinc does have some problems. That is the reason why we want to replace that in the forseable future.
 
tinc does have some problems. That is the reason why we want to replace that in the forseable future.
That will be ChaosVPN 3.0
+
That will be [http://wiki.hamburg.ccc.de/index.php/ChaosVPN#ChaosVPN_3.0 ChaosVPN 3.0]
  
 
* Participants can fake network ranges my intention or mistake. (control informations inside tinc are not proper authentificated)
 
* Participants can fake network ranges my intention or mistake. (control informations inside tinc are not proper authentificated)

Revision as of 23:35, 27 October 2009

ChaosVPN 1.0

TINC SETUP

At the moment the Hamburg ccc Erfa uses TINC together with some dirty perl-scripts, which are used to read the routes and peers.

For this Setup we have howtos for Debian and Gentoo (in german).

Beginninig in 2003

(haegar:) For me the whole setup with Openvpn was to complicated. It would take some time till its done and the scaling problems were forseable.

Therefore i took time today to get a working mini-solution with tinc running real quick.

The bigger issues with ip-submission and database are able to be added later without any big effort.

Most importand design goals were:

  • data traffic between participants must not rely on the ccc infrastructure.
  • failure of any parts of the infrastructure must not shut down the network completely
  • no work needed for participants just because a new participant is joining or a old one quitting.

system requirements

  • linux only first
    • tinc is availible for nearly all unix variants and windows, but my perl script is only working on linux so far.
  • perl with LWP and https support
  • working dyndns hostname that conains the actual router-ip or static ip

Update 2006

Today (2006) i would implement things different than i did before, but when this happens is completely up in the stars. Until there is a better setup we will use the old setup.

ChaosVPN 2.0

redesign

The Rebuild of the ChaosVPN became nessesary at some point, as the vermittlung is blackholed. Furthermore we would like to put live back to the ChaosVPN and use it to interconnect the hackerspaces.

So we thought its a good time to redesign stuff. We will climb up to tinc 1.0.10.

software

Config builder

Currently we are porting haegars script from perl to c and strip off curl and openssl, so it fits in a OpenWRT box.

OpenWRT Packages

Blogic will build a special OpenWRT package, which is called chaosvpn at the moment and a recent tinc 1.0.10 for that.

Debian Packages

Haegar updated (backported) tinc 1.0.10 packages for debian. They are availible at:

I will also create Debian packages of the config builder once it is in a usable state.

sources

The scripts are availible at: http://github.com/ryd/chaosvpn

IP Ranges and Participants:

IP-subnets Node unique name Remarks
your subnet your url / description your unique name your remarks
172.31.16.0/23 *planned* CCC Hamburg. Chaos Computer Club Hansestadt Hamburg

ccchh - Hamburg

nycresistor - New York

noisebridge - San Francisco

PS:one - Chicago

what about:

ccc hannover

ccc berlin

  • (in chaosvpn 1.0)

ccc cologne

  • (in chaosvpn 1.0)

IP Ranges

We need to have non colliding ip ranges and therefore we need some coordination of the used ip ranges.

First of all we would like to be compilant to the used ip ranges of freifunk and dn42.

The IP ranges overall are defined in the freifunk wiki ip-net page as root source.

So we use 172.31.0.0/16 for the europeans and 10.100.0.0/13 for the americans. That should leave enough space for everone untill ipv6 is not the future but the present.

However we will not support 192.168.0.0/16 ip ranges as they are used for various other reasons. This rfc1918 ip range will stay as private to use for internal use (and in fact its used in the dn42 for routing uses.)


wanted changes

short term

  • The config file itself is not validated. We need a signing and validating structure. (.sig)
  • clients don't have to authentificate themself - everybody can see the config.
  • if admins are lazy and don't rebuild the config file properly we will have old routes in the network that don't dissapear (at least until the tinc is reconfigured and restarted)


long term

tinc does have some problems. That is the reason why we want to replace that in the forseable future. That will be ChaosVPN 3.0

ChaosVPN 3.0