Difference between revisions of "ChaosVPN:FreeBSDHowto"

From CCCHHWiki
Jump to: navigation, search
m
(Adapted, and removed steps that should not be needed anymore.)
Line 6: Line 6:
  
 
There is only one port you need to install: '''tinc'''. Any dependencies ought to be automatically installed when this port is installed. You can find the port in the following directory: <code>/usr/ports/security/tinc</code>.
 
There is only one port you need to install: '''tinc'''. Any dependencies ought to be automatically installed when this port is installed. You can find the port in the following directory: <code>/usr/ports/security/tinc</code>.
 
<blockquote>'''Note:''' There will be a configuration directory made called <code>/usr/local/etc/tinc</code>, but ChaosVPN expects the directory to be <code>/etc/tinc</code>. Create both directories if they aren’t both automatically created.</blockquote>
 
  
 
= Download the ChaosVPN source =
 
= Download the ChaosVPN source =
Line 15: Line 13:
 
  git clone git://github.com/ryd/chaosvpn.git
 
  git clone git://github.com/ryd/chaosvpn.git
 
  cd chaosvpn
 
  cd chaosvpn
 
== Modify source for BSD ==
 
 
Unfortunately, the ChaosVPN source is mostly written for Linux (specifically, GNU) machines. Therefore, there are several modifications that must be made before the project can be compiled on a BSD system.
 
 
=== Makefile ===
 
 
Change the following line:
 
 
CFLAGS?=-std=c99 -D_POSIX_C_SOURCE=2 -D_BSD_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -Wall -g $(INCLUDES)
 
 
…to say:
 
 
CFLAGS?=-std=c99 -D_FILE_OFFSET_BITS=64 -O2 -Wall -g $(INCLUDES)
 
 
Also, change the following line:
 
 
        $(LEX) --yylineno cvconf.l
 
 
…to say:
 
 
        $(LEX) -l cvconf.l
 
 
=== addrmask.c ===
 
 
Change the following line:
 
 
#include <string.h>
 
 
…to say:
 
 
#include <string.h>
 
#include <sys/socket.h>
 
 
=== config.c ===
 
 
Change the following line:
 
 
#include <sys/types.h>
 
 
…to say:
 
 
#include <sys/types.h>
 
#include <sys/socket.h>
 
 
=== cvconf.l ===
 
 
Change the following line:
 
 
%option noyywrap
 
 
…to say:
 
 
%option noyywrap
 
%option yylineno
 
 
=== parser.c ===
 
 
Change the following line:
 
 
#include <stdbool.h>
 
 
…to say:
 
 
#include <stdbool.h>
 
#include <sys/socket.h>
 
 
=== tinc.c ===
 
 
Change the following line:
 
 
#include <sys/param.h>
 
 
…to say:
 
 
#include <sys/param.h>
 
#include <sys/socket.h>
 
  
 
== Build ChaosVPN ==
 
== Build ChaosVPN ==
Line 99: Line 20:
 
  $ gmake
 
  $ gmake
 
  $ su -
 
  $ su -
  # gmake install
+
  # gmake bsdinstall
  
 
= Additional information =
 
= Additional information =
  
Configuring ChaosVPN on FreeBSD is very similar to configuring it on Linux, but here are some FreeBSD-specific options to set in the file <code>/etc/tinc/chaosvpn.conf</code>:
+
Configuring ChaosVPN on FreeBSD is very similar to configuring it on Linux, but here are some FreeBSD-specific options to set in the file <code>/usr/local/etc/tinc/chaosvpn.conf</code>:
 
 
$tincd_device = "/dev/tun0";
 
$tincd_interface = "tun0";
 
 
 
== Post-startup commands ==
 
 
 
The necessary IP routes may not be put into place when ChaosVPN starts up. Here’s a shell script to run to add these routes manually:
 
  
#!/bin/sh
+
The "gmake bsdinstall" installs a FreeBSD specific default config that should cover most of the specialities.
# Replace this variable with the location of your "route" command.
 
# (This shouldn’t need to be changed.)
 
ROUTE="/sbin/route"
 
 
# Replace this variable with the IP address assigned to your end of the VPN.
 
# (You will need to change this.)
 
MYIP="10.103.0.0"
 
 
$ROUTE add -net 10.4.0.0/16 $MYIP
 
$ROUTE add -net 10.32.0.0/16 $MYIP
 
$ROUTE add -net 10.100.0.0/14 $MYIP
 
$ROUTE add -net 10.104.0.0/14 $MYIP
 
$ROUTE add -net 10.112.0.0/16 $MYIP
 
$ROUTE add -net 172.31.0.0/16 $MYIP
 
  
 
== Post-shutdown commands ==
 
== Post-shutdown commands ==
Line 138: Line 38:
 
== Security concerns ==
 
== Security concerns ==
  
It’s best to create a new, non-root user specifically for running ChaosVPN. This user will need to be listed in the '''sudoers''' file, and will need to be a member of the '''wheel''' group, so you can run the <code>sudo</code> and <code>su</code> commands, respectively. In the file <code>/etc/tinc/chaosvpn.conf</code>, change the option '''$tincd_user''' to that new user.
+
It’s best to create a new, non-root user specifically for running ChaosVPN. This user will need to be listed in the '''sudoers''' file, and will need to be a member of the '''wheel''' group, so you can run the <code>sudo</code> and <code>su</code> commands, respectively. In the file <code>/usr/local/etc/tinc/chaosvpn.conf</code>, change the option '''$tincd_user''' to that new user.

Revision as of 23:56, 17 July 2012

The following is a quick tutorial on setting up ChaosVPN on a FreeBSD machine.

These instructions ought to work on any BSD machine, including Mac OS X, but this article is specifically for FreeBSD.

Install tinc

There is only one port you need to install: tinc. Any dependencies ought to be automatically installed when this port is installed. You can find the port in the following directory: /usr/ports/security/tinc.

Download the ChaosVPN source

Fetch the latest version of ChaosVPN by running the following command:

git clone git://github.com/ryd/chaosvpn.git
cd chaosvpn

Build ChaosVPN

Compiling and installing ChaosVPN is a fairly straightforward process:

$ gmake
$ su -
# gmake bsdinstall

Additional information

Configuring ChaosVPN on FreeBSD is very similar to configuring it on Linux, but here are some FreeBSD-specific options to set in the file /usr/local/etc/tinc/chaosvpn.conf:

The "gmake bsdinstall" installs a FreeBSD specific default config that should cover most of the specialities.

Post-shutdown commands

ChaosVPN may not automatically remove the tunnel interface once it shuts down. If you notice that a tunX interface with no IP address remains after killing the ChaosVPN process, run the following command:

/sbin/ifconfig tunX destroy

(Replace “tunX” with the actual tunnel name.)

Security concerns

It’s best to create a new, non-root user specifically for running ChaosVPN. This user will need to be listed in the sudoers file, and will need to be a member of the wheel group, so you can run the sudo and su commands, respectively. In the file /usr/local/etc/tinc/chaosvpn.conf, change the option $tincd_user to that new user.