diff options
Diffstat (limited to '_posts/2016-10-25-setup-a-vpn-with-cjdns.md')
| -rw-r--r-- | _posts/2016-10-25-setup-a-vpn-with-cjdns.md | 211 |
1 files changed, 0 insertions, 211 deletions
diff --git a/_posts/2016-10-25-setup-a-vpn-with-cjdns.md b/_posts/2016-10-25-setup-a-vpn-with-cjdns.md deleted file mode 100644 index 74446b0..0000000 --- a/_posts/2016-10-25-setup-a-vpn-with-cjdns.md +++ /dev/null @@ -1,211 +0,0 @@ ---- -title: Setup a VPN with cjdns -date: 2016-10-25 08:00:34 -tags: Tutorial VPN cjdns GNU+Linux FreeBSD -layout: post -authors: - - ["Patrick Spek", "http://tyil.work"] ---- - -In this tutorial I will outline a simple setup for a [VPN][vpn] using -[`cjdns`][cjdns]. Cjdns will allow you to setup a secure mesh vpn which uses -IPv6 internally. - -## Requirements -For this tutorial, I have used two client machines, both running Funtoo. A -FreeBSD 11 server is used as a global connection point. - -You are ofcourse able to use any other OS or distro supported by cjdns, but you -may have to update some steps to work on your environment in that case. - -## Installation of the server -### Dependencies -Before you can begin, we need some dependencies. There's only two of those, and -they are available via `pkg` to make it even easier. Install them as follows: - -{% highlight sh %} -pkg install gmake node -{% endhighlight %} - -### Compiling -Next up is getting the cjdns sources and compile these, as cjdns is not -available as a prebuilt package: - -{% highlight sh %} -mkdir -p ~/.local/src -cd $_ -git clone https://github.com/cjdelisle/cjdns.git cjdns -cd $_ -./do -{% endhighlight %} - -To make the compiled binary available system-wide so we can use it with a -system service, copy it to `/usr/local/bin` and rehash to make it available as -a direct command: - -{% highlight sh %} -cp cjdroute /usr/local/bin/. -hash -r -{% endhighlight %} - -### Configuring -Cjdns provides a flag to generate the initial configuration. This will provide -you with some sane defaults where only a couple of small changes are needed to -make it work properly. Generate these defaults with `--genconf`: - -{% highlight sh %} -(umask 177 && cjdroute --genconf > /usr/local/etc/cjdroute.conf) -{% endhighlight %} - -The umask will make all following commands write files using `600` permissions. -This makes sure the config file is not readable by people who shouldn't be able -to read it. Be sure to check wether the owner of the file is `root`! - -Now you can start actually configuring the node to allow incoming connections. -You have to find the `authorizedPasswords` array in the `cjdroute.conf` file -and remove the contents of it. Then you can add your own machines in it. This -guide follows the assumption of two clients, so the config for two clients will -be shown here. You can add more clients if you wish, ofcourse. - -{% highlight json %} -"authorizedPasswords": -[ - {"password": "aeQu6pa4Vuecai3iebah7ogeiShaeDaepha6Mae1yooThoF0oa0Eetha9oox", "user": "client_1"}, - {"password": "aiweequuthohkahx4tahLohPiezee9OhweiShoNeephe0iekai2jo9Toorah", "user": "client_2"}, -] -{% endhighlight %} - -If you need to generate a password, you can make use of the tool `pwgen`, -available at your local package manager. You can then generate new passwords by -running `pwgen 60 -1`. Change the `60` around if you want passwords of a -different size. - -### Adding a startup service -rcinit has deceptively easy scripts to make applications available as services. -This in turn allows you to enable a service at startup. This way you can make -sure cjdns starts whenever the server boots. You can copy the following -contents directly into `/usr/local/etc/rc.d/cjdroute`: - -{% highlight sh %} -#! /bin/sh - -# PROVIDE: cjdroute -# KEYWORD: shutdown - -# -# Add the following lines to /etc/rc.conf to enable cjdroute: -# -#cjdroute_enable="YES" - -. /etc/rc.subr - -name="cjdroute" -rcvar="cjdroute_enable" - -load_rc_config $name - -: ${cjdroute_config:=/usr/local/etc/cjdroute.conf} - -command="/usr/local/bin/cjdroute" -command_args=" < ${cjdroute_config}" - -run_rc_command "$1" -{% endhighlight %} - -Afterwards, you must enable the service in `/etc/rc.conf.local` like follows: - -{% highlight sh %} -echo 'cjdroute_enable="YES"' >> /etc/rc.conf.local -{% endhighlight %} - -## Installation of the clients -### Dependencies -The dependencies are still on `gmake` and `node`, so simply install those on -your clients. This guide assumes using Funtoo for the clients, so installation -would go as follows: - -{% highlight sh %} -emerge gmake nodejs -{% endhighlight %} - -### Compiling -Compilation is the same as for the server, so check back there for more -information if you have already forgotten. - -### Configuring -Generating the base configuration is again done using `cjdroute --genconf`, -just like on the server. On Funtoo, config files generally reside in `/etc` -instead of `/usr/local/etc`, so you should set the filepath you write the -configuration to accordingly: - -{% highlight sh %} -cjdroute --genconf > /etc/cjdroute.conf -{% endhighlight %} - -Setting up the connections differs as well, as the clients are going to make an -outbound connection to the server, which is configured to accept inbound -connections. - -You should still clean the `authorizedPasswords` array, as it comes with a -default entry that is uncommented. - -Now you can setup outbound connections on the clients. You set these up in the -`connectTo` block of `cjdroute.conf`. For this example, the IP 192.168.1.1 is -used to denote the server IP. Unsurprisingly, you should change this to your -server's actual IP. You can find the `publicKey` value at the top of your -server's `cjdroute.conf` file. - -On client 1, put the following in your `cjdroute.conf`: - -{% highlight json %} -"connectTo": -{ - "192.168.1.1:9416": - { - "login": "client_1", - "password": "aeQu6pa4Vuecai3iebah7ogeiShaeDaepha6Mae1yooThoF0oa0Eetha9oox", - "publicKey": "thisIsJustForAnExampleDoNotUseThisInYourConfFile_1.k" - } -} -{% endhighlight %} - -On client 2: - -{% highlight json %} -"connectTo": -{ - "192.168.1.1:9416": - { - "login": "client_2", - "password": "aiweequuthohkahx4tahLohPiezee9OhweiShoNeephe0iekai2jo9Toorah", - "publicKey": "thisIsJustForAnExampleDoNotUseThisInYourConfFile_1.k" - } -} -{% endhighlight %} - -That is all for configuring the nodes. - -### Adding a startup service -You probably want cjdroute to run at system startup so you can immediatly use -your VPN. For openrc based systems, such as Funtoo, cjdns comes with a ready to -use service script. To make this available to your system, copy it over to the -right directory: - -{% highlight sh %} -cp ~/.local/src/cjdns/contrib/openrc/cjdns /etc/init.d/cjdroute -{% endhighlight %} - -Now add the service to system startup and start the service: - -{% highlight sh %} -rc-update add cjdroute default -rc-service cjdroute start -{% endhighlight %} - -That should be sufficient to get cjdns up and running for an encrypted VPN. You -can find the IPs of each of your systems at the top of your `cjdroute.conf` -files, in the `ipv6` attribute. - -[cjdns]: https://github.com/cjdelisle/cjdns -[vpn]: https://en.wikipedia.org/wiki/Virtual_private_network - |