summaryrefslogtreecommitdiff
path: root/src/_posts/2016-10-25-setup-a-vpn-with-cjdns.md
diff options
context:
space:
mode:
Diffstat (limited to 'src/_posts/2016-10-25-setup-a-vpn-with-cjdns.md')
-rw-r--r--src/_posts/2016-10-25-setup-a-vpn-with-cjdns.md211
1 files changed, 211 insertions, 0 deletions
diff --git a/src/_posts/2016-10-25-setup-a-vpn-with-cjdns.md b/src/_posts/2016-10-25-setup-a-vpn-with-cjdns.md
new file mode 100644
index 0000000..74446b0
--- /dev/null
+++ b/src/_posts/2016-10-25-setup-a-vpn-with-cjdns.md
@@ -0,0 +1,211 @@
+---
+title: Setup a VPN with cjdns
+date: 2016-10-25 08:00:34
+tags: Tutorial VPN cjdns GNU+Linux FreeBSD
+layout: post
+authors:
+ - ["Patrick Spek", "http://tyil.work"]
+---
+
+In this tutorial I will outline a simple setup for a [VPN][vpn] using
+[`cjdns`][cjdns]. Cjdns will allow you to setup a secure mesh vpn which uses
+IPv6 internally.
+
+## Requirements
+For this tutorial, I have used two client machines, both running Funtoo. A
+FreeBSD 11 server is used as a global connection point.
+
+You are ofcourse able to use any other OS or distro supported by cjdns, but you
+may have to update some steps to work on your environment in that case.
+
+## Installation of the server
+### Dependencies
+Before you can begin, we need some dependencies. There's only two of those, and
+they are available via `pkg` to make it even easier. Install them as follows:
+
+{% highlight sh %}
+pkg install gmake node
+{% endhighlight %}
+
+### Compiling
+Next up is getting the cjdns sources and compile these, as cjdns is not
+available as a prebuilt package:
+
+{% highlight sh %}
+mkdir -p ~/.local/src
+cd $_
+git clone https://github.com/cjdelisle/cjdns.git cjdns
+cd $_
+./do
+{% endhighlight %}
+
+To make the compiled binary available system-wide so we can use it with a
+system service, copy it to `/usr/local/bin` and rehash to make it available as
+a direct command:
+
+{% highlight sh %}
+cp cjdroute /usr/local/bin/.
+hash -r
+{% endhighlight %}
+
+### Configuring
+Cjdns provides a flag to generate the initial configuration. This will provide
+you with some sane defaults where only a couple of small changes are needed to
+make it work properly. Generate these defaults with `--genconf`:
+
+{% highlight sh %}
+(umask 177 && cjdroute --genconf > /usr/local/etc/cjdroute.conf)
+{% endhighlight %}
+
+The umask will make all following commands write files using `600` permissions.
+This makes sure the config file is not readable by people who shouldn't be able
+to read it. Be sure to check wether the owner of the file is `root`!
+
+Now you can start actually configuring the node to allow incoming connections.
+You have to find the `authorizedPasswords` array in the `cjdroute.conf` file
+and remove the contents of it. Then you can add your own machines in it. This
+guide follows the assumption of two clients, so the config for two clients will
+be shown here. You can add more clients if you wish, ofcourse.
+
+{% highlight json %}
+"authorizedPasswords":
+[
+ {"password": "aeQu6pa4Vuecai3iebah7ogeiShaeDaepha6Mae1yooThoF0oa0Eetha9oox", "user": "client_1"},
+ {"password": "aiweequuthohkahx4tahLohPiezee9OhweiShoNeephe0iekai2jo9Toorah", "user": "client_2"},
+]
+{% endhighlight %}
+
+If you need to generate a password, you can make use of the tool `pwgen`,
+available at your local package manager. You can then generate new passwords by
+running `pwgen 60 -1`. Change the `60` around if you want passwords of a
+different size.
+
+### Adding a startup service
+rcinit has deceptively easy scripts to make applications available as services.
+This in turn allows you to enable a service at startup. This way you can make
+sure cjdns starts whenever the server boots. You can copy the following
+contents directly into `/usr/local/etc/rc.d/cjdroute`:
+
+{% highlight sh %}
+#! /bin/sh
+
+# PROVIDE: cjdroute
+# KEYWORD: shutdown
+
+#
+# Add the following lines to /etc/rc.conf to enable cjdroute:
+#
+#cjdroute_enable="YES"
+
+. /etc/rc.subr
+
+name="cjdroute"
+rcvar="cjdroute_enable"
+
+load_rc_config $name
+
+: ${cjdroute_config:=/usr/local/etc/cjdroute.conf}
+
+command="/usr/local/bin/cjdroute"
+command_args=" < ${cjdroute_config}"
+
+run_rc_command "$1"
+{% endhighlight %}
+
+Afterwards, you must enable the service in `/etc/rc.conf.local` like follows:
+
+{% highlight sh %}
+echo 'cjdroute_enable="YES"' >> /etc/rc.conf.local
+{% endhighlight %}
+
+## Installation of the clients
+### Dependencies
+The dependencies are still on `gmake` and `node`, so simply install those on
+your clients. This guide assumes using Funtoo for the clients, so installation
+would go as follows:
+
+{% highlight sh %}
+emerge gmake nodejs
+{% endhighlight %}
+
+### Compiling
+Compilation is the same as for the server, so check back there for more
+information if you have already forgotten.
+
+### Configuring
+Generating the base configuration is again done using `cjdroute --genconf`,
+just like on the server. On Funtoo, config files generally reside in `/etc`
+instead of `/usr/local/etc`, so you should set the filepath you write the
+configuration to accordingly:
+
+{% highlight sh %}
+cjdroute --genconf > /etc/cjdroute.conf
+{% endhighlight %}
+
+Setting up the connections differs as well, as the clients are going to make an
+outbound connection to the server, which is configured to accept inbound
+connections.
+
+You should still clean the `authorizedPasswords` array, as it comes with a
+default entry that is uncommented.
+
+Now you can setup outbound connections on the clients. You set these up in the
+`connectTo` block of `cjdroute.conf`. For this example, the IP 192.168.1.1 is
+used to denote the server IP. Unsurprisingly, you should change this to your
+server's actual IP. You can find the `publicKey` value at the top of your
+server's `cjdroute.conf` file.
+
+On client 1, put the following in your `cjdroute.conf`:
+
+{% highlight json %}
+"connectTo":
+{
+ "192.168.1.1:9416":
+ {
+ "login": "client_1",
+ "password": "aeQu6pa4Vuecai3iebah7ogeiShaeDaepha6Mae1yooThoF0oa0Eetha9oox",
+ "publicKey": "thisIsJustForAnExampleDoNotUseThisInYourConfFile_1.k"
+ }
+}
+{% endhighlight %}
+
+On client 2:
+
+{% highlight json %}
+"connectTo":
+{
+ "192.168.1.1:9416":
+ {
+ "login": "client_2",
+ "password": "aiweequuthohkahx4tahLohPiezee9OhweiShoNeephe0iekai2jo9Toorah",
+ "publicKey": "thisIsJustForAnExampleDoNotUseThisInYourConfFile_1.k"
+ }
+}
+{% endhighlight %}
+
+That is all for configuring the nodes.
+
+### Adding a startup service
+You probably want cjdroute to run at system startup so you can immediatly use
+your VPN. For openrc based systems, such as Funtoo, cjdns comes with a ready to
+use service script. To make this available to your system, copy it over to the
+right directory:
+
+{% highlight sh %}
+cp ~/.local/src/cjdns/contrib/openrc/cjdns /etc/init.d/cjdroute
+{% endhighlight %}
+
+Now add the service to system startup and start the service:
+
+{% highlight sh %}
+rc-update add cjdroute default
+rc-service cjdroute start
+{% endhighlight %}
+
+That should be sufficient to get cjdns up and running for an encrypted VPN. You
+can find the IPs of each of your systems at the top of your `cjdroute.conf`
+files, in the `ipv6` attribute.
+
+[cjdns]: https://github.com/cjdelisle/cjdns
+[vpn]: https://en.wikipedia.org/wiki/Virtual_private_network
+
generated by cgit v1.1 at 2024-04-19 12:59:56 +0000