From CCCHHWiki
Revision as of 23:40, 18 April 2012 by Kleinerelefant (talk | contribs) (Step 1 - Flash to Official Dev Image)
Jump to: navigation, search

ChaosVPN: Fonera Instructions

Supported Hardware

 * Fonera 2.0n


Signed Official Foneros DEV Images in this Dir (check there for Updates)

Latest ChaosVPN Fonera Image - openfly's build

 * Foneros beta 2
 * ChaosVPN 2.12
 * Tinc 1.0.18

Source Available here at your own peril.


Step 1 - Flash to Official Dev Image

Before you can install our image, or any custom image for that matter, you will need to reflash your stock fonera with a DEV image.

I've included a link to a tested DEV image in the Using "" as property chain is not permitted during the annotation process..
You download the .tgz of the image.
Do not untar or ungzip it.
Simply access the administrative web interface on the device.
Head to the system / settings section.
Upload the tarball to the device to start the reflash.
A progress bar should appear to indicate the device is being flashed.
Do not unpower the device until the flash has completed.
800px-2.0n Settings System.png
Do not unpower the device until the flash has completed.

Upon the completion of a flash, the system should automatically reboot itself.
Please give it time to do so.
There have been instances where it has hung just after a reflash, or simply acted oddly.
I've simply waited until I was certain no more was going on on the device and then gave it a quick reboot.
This can also address browser issues.

Step 2 - SCP the ChaosVPN image

Now that you have an official DEV image on your fonera you can access ssh on the device.

User: Root
Password: the same as your administrative password used on the web UI.

Verify you can login correctly.
Once you have done so, scp (Secure CoPy) the ChaosVPN image tarball to the device.

Exampel code

scp SourceFile user@host:directory/TargetFile

you can use simply scp in Linux.
you can use winscp or putty in Windows.

Confirm that everything uploads nicely.

More about [Secure CoPy]

Step 3 - Setting up for reflash

The tarball as included is laid out to demonstrate how you can upgrade your device properly.
Since you won't be "upgrading" from a previous chaosvpn instance some things are slightly different.
Let's look at what is in the tarball.


fonera20n.img, and upgrade are symlinks to the image and upgrade script respectively.

20100824_FON2303_2.3.6.1_r1730_DEV.img is the image you will be upgrading to. (check the Using "" as property chain is not permitted during the annotation process. for newer images)

Let's look at upgrade_developer:


 VERSION=$(cat /etc/fon_version)
 # FAILSAFE=$(cat /etc/failsafe)
 DEVICE=$(cat /etc/fon_device)

 if [ "$DEVICE" = "fonera20n" ]
 uci set
 uci commit
 tar cvzf /tmp/sysupgrade.tgz /etc/passwd /etc/group /etc/dropbear /etc/samba/smbpasswd /etc/samba/secrets.tdb /etc/config/firewall /etc/config/upnpd /etc/config/umtsd /etc/config/registered /etc/config/gdata /etc/config/facebook /etc/config/flickr /etc/config/mountd /etc/config/fon /etc/config/ddns /etc/config/wizard /etc/pureftpd.pdb /etc/pureftpd.passwd /etc/config/luci_dlmanager /etc/config/twitter /etc/config /firewall /etc/tinc /etc/init.d/firewall
 mtd -j /tmp/sysupgrade.tgz -r write fonera20n.img image > /dev/null 2>&1 
 return 0
 return 1

Okay so there's only 2 important lines in the script.
The tar creation call,
and the call to mtd.

Depending on what you need to do with your device the tar creation call may not be needed.

What the tar creation call does, is it creates a tarball in /tmp of the fonera called "sysupgrade.tgz".
Everything you tar up into it ( using an absolute directory path ), will be saved there and deployed after the firmware is upgraded.
What this allows you to do is save settings of your device.
Importen Do it befor and save lots of rage
You will need to specify the paths of areas of the file structure you want preserved manually.
Please don't use my command as written, it will not work most likely.

Assuming you don't want to preserve any settings on your device,
or you have already created the sysupgrade.tgz file in /tmp, we can just get started on the firmware installation.

The mtd call in the upgrade script is the upgrade call.

Case 1 ( with sysupgrade.tgz )

mtd -j /tmp/sysupgrade.tgz -r write fonera20n.img image

Case 2 ( without sysupgrade.tgz )

mtd -r write 20100824_FON2303_2.3.6.1_r1730_DEV.img image

Now you should see some dialogue that says the firmware is flashing with an oscillating w / e thing going.
Eventually this will end and the device will reboot.
This is expected. Anything else, is not.

Please do not unpower the device until you are certain the operation has completed, or are certain that anything still occurring MUST be bad.
For instance, zombie velociraptors would precipitate running away, and or cutting power to avoid detection.

Step 5 - IP Allocation

Go to IPRanges, select a range and fill out the corresponding data.
Please conform to standards.
Be sparing in your address space allocations.
You don't need a /16 for your apt.
No really, you don't.
If you do, well kudos to you man... use IPV6 and don't be a jerk.

Step 4 - Setting up TINC keys

So by now your fonera should have rebooted.
You should have set up an administrative password, and made the device network accessible.
Happy day.

So ssh to the device.
You should see some ChaosVPN / Agora messages in the MoTD, take this as a sign you've gotten this far without error.
You rock, but no cookies yet.

First thing you are going to want to do is generate a keypair for your node.

tincd -n chaos --generate-keys=2048

You will be prompted to drop the keys somewhere. Place a copy in /etc/tinc/chaos/.
Save a copy in a SECURE location not on that device ( just in case ).

E-Mail Haegar directly, or the ChaosVPN mailing list to have your node added.

Send info such as the following:

nodename: hackerspace  ( short, no spaces, no non chars, descriptive )
network: ( use the address space you allocated in the IP ranges wiki )
owner: ( make this legitimate )
gatewayhost: your external address if you have a static one
network6: same as network, but for ipv6.
key: public key here 

Wait for Haegar or someone else to confirm you have been added to the VPN successfully. (can take >24h we all have a life=)

Configuring ChaosVPN

There is an example config in /etc/tinc/ . This config is not 100% accurate for Foneras. Some path information is different on these embedded devices.

Please look at this SAMPLE fonera config:

 # achtung: dies configfile ist perl ;)
 # Warning: this configfile is written in perl
# name of this node:
$my_peerid              = "notyou";

# locale IPs form this node/gateways
# if you dont want only ipv6 or ipv4 
# left the line blank

$my_vpn_ip              = "";
$my_vpn_netmask         = "";

$my_vpn_ip6             = "2001::1";

$my_ip                  = ""; # unused for now

# The exclude parameter can contain a list of node names. A VPN connection
# will not established to them. You may want to use it if you have another
# VPN, or direct connection to these nodes.

@exclude                = ();

# ============================================================================
# you should'nt need to change anything below,
# at least not for linux and chaosvpn

$networkname            = "chaos";
$tincd_bin              = "/usr/sbin/tincd";
$routemetric            = "0";
$routeadd               = "/usr/sbin/ip -4 route add %s metric $routemetric dev \$INTERFACE";
$routeadd6              = "/usr/sbin/ip -6 route add %s metric $routemetric dev \$INTERFACE";
$routedel               = "/usr/sbin/ip -4 route del %s metric $routemetric dev \$INTERFACE";
$routedel6              = "/usr/sbin/ip -6 route del %s metric $routemetric dev \$INTERFACE";
$ifconfig               = "/sbin/ifconfig \$INTERFACE $my_vpn_ip netmask $my_vpn_netmask";
$ifconfig6              = "/usr/sbin/ip addr add $my_vpn_ip6/128 dev \$INTERFACE";

$master_url             = "$my_peerid.dat";
# public key of key used to sign the file at $master_url:
$masterdata_signkey     = "HAXX()R";

$base                   = "/etc/tinc/$networkname";
$pidfile                = "/var/run/tinc.$";
$tmpconffile            = "$base/chaosvpn-config.temp";
$tincd_debuglevel       = 2;
#$tincd_graphdumpfile   = "/var/run/tinc.$networkname.dump";

# Number of seconds to wait before tincd is restarted after it has
# unexpectedly terminated
$tincd_restart_delay = 5;

# Number of seconds to wait between refetching the remote config
$update_interval = 3600;

Once you have filled out your chaosvpn.conf file correctly, please do a test run of the chaosvpn by simply executing


You will see a lot of text.
Some errors are okay. Some are not. Have fun figuring out which are which =P

Checking to see if it worked

netstat -nr

You should see a hell of a lot of routes using the chaos_vpn interface. This is good.

Check /etc/tinc/chaos/hosts/ see if a whole bunch of node info has appeared.

Wait several minutes from first execution then test ping some of the "test ping" addresses as defined in the IP Ranges wiki page. is the NYC Resistor fonera. See if you can ping it from the router.

If all went well you are now pinging. Get someone to ping you back. You now have a functional node.

Firewall Rules

People have diverse configuration needs. You may have to make your own changes the iptables on the fonera. For me the following two iptables commands are all that is required to allow bi-directional communication from devices connected to the fonera, and the rest of the ChaosVPN.

/usr/bin/iptables -I forwarding_rule -j ACCEPT -p all -s '0/0' -d '0/0' -i 'br-lan' -o 'chaos_vpn'
/usr/bin/iptables -I forwarding_rule -j ACCEPT -p all -s '0/0' -d '0/0' -i 'chaos_vpn' -o 'br-lan'

Also you should throw ChaosVPN, and the iptables rules into /etc/init.d/ somewhere. I put them all in the firewalls init.d script. This is probably wrong. There is probably a better way.