FAQ.md
... ...
@@ -1,5 +1,5 @@
1 1
2
-### How do I connect to DN42?
2
+## How do I connect to DN42?
3 3
4 4
We have a [page](/howto/Getting-started) for that!
5 5
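Review bot: Promoting `How do I connect to DN42?` from `###` to `##` leaves the FAQ's question headings at mixed levels: the second hunk of this file still shows `### Can I update the wiki?` at `###`. Unless this first question is meant to open a section the remaining questions nest under, promote all the question headings in FAQ.md in the same commit, or leave this one at `###`.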
... ...
@@ -58,4 +58,4 @@ Prior to using ASNs in the new private ASN range 4200000000-4294967294 ([RFC6996
58 58
59 59
### Can I update the wiki?
60 60
61
-Yes, the wiki can be edited when browsing to [wiki.dn42](https://wiki.dn42).
... ...
\ No newline at end of file
0
+Yes, the wiki can be edited when browsing to [wiki.dn42](https://wiki.dn42).
Home.md
... ...
@@ -77,6 +77,6 @@ The [Getting started](/howto/Getting-Started) page helps you to get your first n
77 77
78 78
This wiki is the main reference about dn42. It is available in read-only mode from the Internet [here](https://wiki.dn42.us) or [here](https://dn42.dev) or [here](https://dn42.tk) or [here](https://dn42.eu), [tor](http://jsptropkiix3ki5u.onion) and [i2p](http://beb6v2i4jevo72vvnx6segsk4zv3pu3prbwcfuta3bzrcv7boy2q.b32.i2p/) and for editing from within dn42, at [https://wiki.dn42](https://wiki.dn42) - [https](services/Certificate-Authority) required for editing.
79 79
80
-#### DN42 Logo
80
+### DN42 Logo
81 81
82 82
An svg of the DN42 Logo is available [here](/dn42.svg).
Other.md
... ...
@@ -82,7 +82,7 @@ second tinc cloud
82 82
83 83
ipv4: 172.22.255.160/28
84 84
ipv6: fd04:de02:7af9::/64
85
-
85
+
86 86
IP IPv6 User Host ASN
87 87
-------------- ------------------- --------- ----------- -----
88 88
172.22.255.161 fd04:de02:7af9::161 uves spline 64733
_Footer.md
... ...
@@ -1 +1 @@
1
-Hosted by: [xuu](mailto:[email protected]), [nurtic-vibe](mailto:[email protected]), [toBee](mailto:[email protected]), [burble](mailto:[email protected]) | Accessible via: [dn42](http://wiki.dn42), [tor](http://jsptropkiix3ki5u.onion), [i2p](http://beb6v2i4jevo72vvnx6segsk4zv3pu3prbwcfuta3bzrcv7boy2q.b32.i2p/)
... ...
\ No newline at end of file
0
+Hosted by: [xuu](mailto:[email protected]), [nurtic-vibe](mailto:[email protected]), [toBee](mailto:[email protected]), [burble](mailto:[email protected]) | Accessible via: [dn42](http://wiki.dn42), [tor](http://jsptropkiix3ki5u.onion), [i2p](http://beb6v2i4jevo72vvnx6segsk4zv3pu3prbwcfuta3bzrcv7boy2q.b32.i2p/)
_Header.md
... ...
@@ -1 +1 @@
1
-[![dn42](/dn42.png)](/)
... ...
\ No newline at end of file
0
+[![dn42](/dn42.png)](/)
howto/BGP-on-Extreme-Summit1i.md
... ...
@@ -1,66 +0,0 @@
1
-# DN42 peering on Extreme Summit 1i
2
-Here i'll show how to configure DN42 peering via BGP on an old Extreme Networks [Summit 1i](http://docs.google.com/viewer?url=https://www.mtmnet.com/PDF_FILES/summit1i.pdf) routing switch. This how-to should be also applicable to any other 'i'-series switch.
3
-
4
-## Caveats
5
-Looks like ExtremeWare doesn't support any tunneling mechanism in contrast to ExtremeWare IPv6 or ExtremeXOS operating systems. So you need either put your switch behind the router which will do tunneling with DN42 participant or directly connect the switch to our network, if that possible.
6
-
7
-## Snipplet
8
-This configuration was tested on latest EW of 7.8.4.1 patch1-r4 version. But it should work on most of older releases as well.
9
-
10
- ## DN42 should go both in internal (for clients) and external VLANs
11
- create vlan svlan
12
- configure vlan svlan ipaddress 192.168.1.100/24
13
- # Adding an alias
14
- enable multinetting standard
15
- configure vlan svlan add secondary-ip 172.22.251.2/23
16
- ...
17
-
18
- enable ipforwarding
19
-
20
- configure vlan svlan add subvlan ext
21
- ...
22
-
23
- # It is worth to filter alien nets
24
- create access-list deny_int ip destination any source 192.168.1.0/24 deny ports 2-16
25
- ...
26
- ##
27
-
28
- # Adding route to a neighbor
29
- configure iproute add 172.22.151.1/32 172.22.251.1
30
-
31
- configure bgp soft-reconfiguration
32
- configure bgp AS-number 65534
33
- configure bgp routerid 172.22.251.2
34
- enable bgp
35
-
36
-Now, if you're trying EBGP with your peer:
37
-
38
- # Announce our network
39
- configure bgp add network 172.22.151.0/23
40
-
41
- create bgp neighbor 172.22.151.1 remote-AS-number 65535
42
- # Point to a proper outgoing interface, useless in case when Super VLAN is used
43
- #configure bgp neighbor 172.22.151.1 source-interface vlan ext
44
-
45
- enable bgp neighbor 172.22.151.1
46
-
47
-Or IBGP (local router does the EBGP in following example):
48
-
49
- # Don't wait for an EBGP
50
- disable bgp synchronization
51
-
52
- create bgp neighbor 192.168.1.1 remote-AS-number 65534
53
- enable bgp neighbor 192.168.1.1
54
-
55
-Next, you may diagnose the things doing:
56
-
57
- show bgp
58
- show bgp neighbor
59
- show bgp neighbor 172.22.151.1 received-routes all
60
- show bgp neighbor 172.22.151.1 transmitted-routes all
61
-
62
-After that ping and traceroute are your mates. It is worth to point switch to the DNS which knows .dn42 zone:
63
-
64
-`configure dns-client add name-server 192.168.1.1`
65
-
66
-And use names.
... ...
\ No newline at end of file
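Review bot: The whole page is removed with nothing in the diff recording why, and no stub or redirect is left behind, so existing links to howto/BGP-on-Extreme-Summit1i become dead. If the reason is staleness (the page hard-codes the 65534/65535 example ASNs and 172.22.x addressing, which predate the newer private ASN range referenced in the FAQ.md hunk header and the `new dn42 allocation` shown in the Quagga.md hunk), say so in the commit message; if the content is being consolidated elsewhere, link the destination. Should any of it survive, the parts worth keeping are the `create access-list deny_int ... source 192.168.1.0/24 deny` line (the only leak protection for the internal LAN the page had) and the `show bgp neighbor ... received-routes` / `transmitted-routes` diagnostics.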
howto/Bird-communities.md
... ...
@@ -22,7 +22,7 @@ To properly assign the right community to your peer, please reference the table
22 22
(64511, 8) :: latency \in (1097ms, 2981ms]
23 23
(64511, 9) :: latency > 2981ms
24 24
(64511, x) :: latency \in [exp(x-1), exp(x)] ms (for x < 10)
25
-
25
+
26 26
(64511, 21) :: bw >= 0.1mbit
27 27
(64511, 22) :: bw >= 1mbit
28 28
(64511, 23) :: bw >= 10mbit
... ...
@@ -30,7 +30,7 @@ To properly assign the right community to your peer, please reference the table
30 30
(64511, 25) :: bw >= 1000mbit
31 31
(64511, 2x) :: bw >= 10^(x-2) mbit
32 32
bw = min(up,down) for asymmetric connections
33
-
33
+
34 34
(64511, 31) :: not encrypted
35 35
(64511, 32) :: encrypted with unsafe vpn solution
36 36
(64511, 33) :: encrypted with safe vpn solution (but no PFS - the usual OpenVPN p2p configuration falls in this category)
... ...
@@ -126,7 +126,7 @@ function update_crypto(int link_crypto) {
126 126
else if (64511, 33) ~ bgp_community then { bgp_community.delete([(64511, 34..34)]); return 33; }
127 127
else return 34;
128 128
}
129
-
129
+
130 130
function update_flags(int link_latency; int link_bandwidth; int link_crypto)
131 131
int dn42_latency;
132 132
int dn42_bandwidth;
howto/Bird.md
... ...
@@ -26,7 +26,7 @@ Note: This file covers the configuration of Bird 1.x. For an example configurati
26 26
* Replace `<PEER_AS>` the Autonomous System Number of your peer (only the digits)
27 27
* Replace `<PEER_NAME>` a self chosen name for your peer
28 28
29
-### IPv6
29
+## IPv6
30 30
31 31
```
32 32
#/etc/bird/bird6.conf
... ...
@@ -51,7 +51,7 @@ include "/etc/bird/local6.conf";
51 51
/*
52 52
krt_prefsrc defines the source address for outgoing connections.
53 53
On Linux, this causes the "src" attribute of a route to be set.
54
-
54
+
55 55
Without this option outgoing connections would use the peering IP which
56 56
would cause packet loss if some peering disconnects but the interface
57 57
is still available. (The route would still exist and thus route through
... ...
@@ -160,7 +160,7 @@ include "/etc/bird/local4.conf";
160 160
/*
161 161
krt_prefsrc defines the source address for outgoing connections.
162 162
On Linux, this causes the "src" attribute of a route to be set.
163
-
163
+
164 164
Without this option outgoing connections would use the peering IP which
165 165
would cause packet loss if some peering disconnects but the interface
166 166
is still available. (The route would still exist and thus route through
... ...
@@ -393,4 +393,4 @@ bird> show route export <somepeer> # shows the route you export to someone
393 393
394 394
# External Links
395 395
* detailed bird configuration from Mic92: https://github.com/Mic92/bird-dn42
396
-* more bird commands: https://bird.network.cz/?get_doc&v=20&f=bird-4.html
... ...
\ No newline at end of file
0
+* more bird commands: https://bird.network.cz/?get_doc&v=20&f=bird-4.html
howto/Bird2.md
... ...
@@ -89,7 +89,7 @@ function is_valid_network_v6() {
89 89
90 90
protocol kernel {
91 91
scan time 20;
92
-
92
+
93 93
ipv6 {
94 94
import none;
95 95
export filter {
... ...
@@ -134,7 +134,7 @@ protocol static {
134 134
template bgp dnpeers {
135 135
local as OWNAS;
136 136
path metric 1;
137
-
137
+
138 138
ipv4 {
139 139
import filter {
140 140
if is_valid_network() && !is_self_net() then {
... ...
@@ -195,4 +195,4 @@ protocol bgp <NEIGHBOR_NAME>_v6 from dnpeers {
195 195
}
196 196
```
197 197
198
-Due to the special link local addresses of IPv6, an interface has to be specified using the %<if> syntax if a link local address is used (Which is recommended)
... ...
\ No newline at end of file
0
+Due to the special link local addresses of IPv6, an interface has to be specified using the %<if> syntax if a link local address is used (Which is recommended)
howto/EMail.md
... ...
@@ -7,7 +7,7 @@ Running email in dn42 is not very complicated. Your SMTP daemon probably alread
7 7
## Redirect
8 8
~~There are forwarding rules for _PERSON_ @ dn42.org to the mail addresses which have been given in the registry. Please note that the trailing `-DN42` is stripped from the local part.~~
9 9
10
-####Example####
10
+### Example
11 11
12 12
| Handle | Alias | Redirection |
13 13
|:------------ |:-------------- |:--------------------- |
... ...
@@ -97,4 +97,4 @@ Email Address Internationalization (EAI) as defined in [RFC 6531](http://tools.i
97 97
Introduced with Postfix version 3.0, this fully supports UTF-8 email addresses and UTF-8 message header values.
98 98
more at the [SMTPUTF8_README](http://www.postfix.org/SMTPUTF8_README.html).
99 99
### Exim
100
-Watch Exims EAI Tracker [Bug 1177](http://bugs.exim.org/show_bug.cgi?id=1177)
... ...
\ No newline at end of file
0
+Watch Exims EAI Tracker [Bug 1177](http://bugs.exim.org/show_bug.cgi?id=1177)
howto/EdgeOS-Config-Example.md
... ...
@@ -376,4 +376,4 @@ traffic-policy {
376 376
/* Warning: Do not remove the following line. */
377 377
/* === vyatta-config-version: "config-management@1:dhcp-relay@1:dhcp-server@4:firewall@4:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
378 378
/* Release version: v1.3.0.4605130.131011.1754 */
379
-```
... ...
\ No newline at end of file
0
+```
howto/EdgeOS-Config.md
... ...
@@ -42,7 +42,7 @@ Using the below as examples:
42 42
#### Copy OpenVPN key to the EdgeRouter
43 43
44 44
Copy the VPN key to `/config/auth/SomeSharedKey.key`:
45
-
45
+
46 46
sudo cat > /config/auth/SomeSharedKey.key
47 47
48 48
Paste the key in the terminal window, hit return once and kill `cat` with CTRL+C. Then type `exit`.
... ...
@@ -108,7 +108,7 @@ so bgp can announce the route
108 108
save
109 109
110 110
#### Announce Route to BGP
111
-
111
+
112 112
set protocols bgp 111111 network 172.A.A.64/27
113 113
commit
114 114
save
howto/EdgeOS-GRE-IPsec-Example.md
... ...
@@ -498,4 +498,4 @@ If your peer sends you a key in PEM format (starts with `-----BEGIN PUBLIC KEY--
498 498
}
499 499
interface eth0
500 500
}
501
- }
... ...
\ No newline at end of file
0
+ }
howto/Edgeos-Config-Example-number-2.md
... ...
@@ -1,148 +0,0 @@
1
-#EdgeRouterPro-8 config example with v1.9.0
2
-
3
-After a lot of searching and trying I [Phil/ALS7] finnaly got a working config
4
-Also thanx to drathir for his patience and support
5
-
6
-##Features
7
-
8
-* IPv4/IPv6 Tunnel via OpenVPN
9
-* dn42 DNS
10
-
11
-##How-To
12
-
13
---> still work in Progress
14
-
15
-* Basic EdgeOS knowledge is required
16
-
17
-1) you need to create all required fields in the registry --> look at [Getting Started](/Getting-Started) page
18
-
19
-2) get a peer --> ask nice @ [IRC](/IRC)
20
-
21
-3) You need following data from the peer
22
-
23
---tunnel options, secret key --ASN from the peer --ip's
24
-
25
-...
26
-
27
-The data i used are the following:
28
-
29
-Own ASN: AS111111
30
-Own IPv4: 172.AA.AA.64/27
31
-Own IPv6: fdBB:BBBB:CCCC::/48
32
-
33
-Peer OpenVPN Remote Address: X.X.X.X
34
-Peer OpenVPN Remote Host: X.X.X.Y
35
-Peer OpenVPN IP for you: fdAA::BBB/64
36
-Peer OpenVPN IP: fdAA::CC
37
-Peer OpenVPN Port: 1194
38
-Peer OpenVPN encryption: aes256
39
-Peer ASN: AS222222
40
-Peer BGP Neighbour IPv4: Z.Z.Z.Z
41
-Peer BGP Neighbour IPv6: fdAA::CC
42
-
43
-###Copy OpenVPN key to the ErPro
44
-
45
-copy vpn key to /config/auth/giveITaName
46
-
47
- sudo su
48
- cd /config
49
- mkdir auth
50
- cd auth
51
- cat > giveITaName
52
-
53
-now paste the key in the terminal window, hit return once and kill cat with CTRL+C
54
-last thing to do is type exit
55
-
56
-###Create IPv4 OpenVPN Interface
57
-
58
-Set up Interface vtunX -- i used vtun0
59
-
60
- configure
61
- set interface openssh vtun0
62
- set interfaces openvpn vtun0 mode site-to-site
63
- set interfaces openvpn vtun0 local-port 1194
64
- set interfaces openvpn vtun0 remote-port 1194
65
- set interfaces openvpn vtun0 local-address 172.AA.AA.64
66
- set interfaces openvpn vtun0 remote-address X.X.X.X
67
- set interfaces openvpn vtun0 remote-host X.X.X.Y
68
- set interfaces openvpn vtun0 shared-secret-key-file /config/auth/giveITaName
69
- set interfaces openvpn vtun0 encryption aes256
70
-
71
- set interfaces openvpn vtun0 openvpn-option "--comp-lzo" //if your peer support compression
72
-
73
- commit
74
- save
75
- exit
76
-
77
-Now the ipv4 tunnel should be up&running
78
-
79
-Check it with:
80
-
81
- show interfaces openvpn
82
- show interfaces openvpn detail
83
- show openvpn status site-to-site
84
-
85
-###Create IPv4 BGP Session
86
-
87
-####Open Firewall
88
-
89
-* You need to open the firewall to local for the tunnel Interface on port 179/tcp
90
-
91
-####Configure the BGP Neighbor
92
-
93
-* You must not use AS before the as numbers !!
94
-
95
-With this step you create the basic bgp session
96
-
97
- configure
98
- set protocols bgp 111111 neighbor Z.Z.Z.Z remote-as 222222
99
- set protocols bgp 111111 neighbor Z.Z.Z.Z soft-reconfiguration inbound
100
- set protocols bgp 111111 neighbor update-source 172.AA.AA.64
101
- commit
102
- save
103
-
104
-When commit this configuration you should be able to see a BGP neighbor session start and come up.
105
-You can check this with:
106
-
107
- show ip bgp summary
108
-
109
-####Set route to blackhole
110
-
111
-so bgp can announce the route
112
-
113
- set protocols static route 172.AA.AA.64/27 blackhole
114
- commit
115
- save
116
-
117
-####Announce prefix to BGP
118
-
119
- set protocols bgp 111111 network 172.A.A.64/27
120
- commit
121
- save
122
- exit
123
-
124
-You should now be able to see networks being advertised via
125
-
126
- show ip bgp neighbors Z.Z.Z.Z advertised-routes
127
-
128
-###Define Nameservers
129
-
130
-Now ping to 172.23.0.53 ... thats the nameserver we are using
131
-If everything is allright it should work
132
-
133
-####NS Config
134
-
135
-Enter the configure mode
136
-
137
- configure
138
- set service dns forwarding name-server 8.8.8.8
139
- set service dns forwarding name-server 8.8.4.4
140
- set service dns forwarding options rebind-domain-ok=/dn42/
141
- set service dns forwarding options server=/23.172.in-addr.arpa/172.23.0.53
142
- set service dns forwarding options server=/22.172.in-addr.arpa/172.23.0.53
143
- set service dns forwarding options server=/dn42/172.23.0.53
144
- commit
145
- save
146
- exit
147
-
148
-Now try to access any .dn42 tld
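Review bot: This deletion reads as a de-duplication against howto/EdgeOS-Config.md (the `Set route to blackhole` and `Announce prefix to BGP` steps and the line `set protocols bgp 111111 network 172.A.A.64/27` reappear as context in that file's second hunk in this same commit), but the commit does not say so; note the merge in the commit message. Two items that only this page carried should be confirmed present in the surviving page before it goes: the DNS forwarding block (`rebind-domain-ok=/dn42/` together with the `server=/dn42/172.23.0.53` and the two `in-addr.arpa` reverse-zone entries) and the instruction to open the firewall to local on the tunnel interface for 179/tcp. Do not carry over the typo `set interface openssh vtun0` (the following lines show it should be `set interfaces openvpn vtun0`), and note that the placeholder mismatch between `172.AA.AA.64/27` and `172.A.A.64/27` in this file persists in EdgeOS-Config.md, so fix it there while merging.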
howto/GRE-on-OpenBSD.md
... ...
@@ -68,4 +68,4 @@ destination: fd42::1
68 68
```
69 69
70 70
# Security
71
-GRE may be protected with IPsec to encrypt and authenticate traffic, [OpenIKED](http://www.openiked.org/) can be used to establish an IKEv2 session between *A* and *D*.
... ...
\ No newline at end of file
0
+GRE may be protected with IPsec to encrypt and authenticate traffic, [OpenIKED](http://www.openiked.org/) can be used to establish an IKEv2 session between *A* and *D*.
howto/GRE-plus-IPsec.md
... ...
@@ -31,4 +31,4 @@ See [GRE on FreeBSD](gre-on-freebsd).
31 31
See [IPsec on FreeBSD](ipsec-on-freebsd).
32 32
33 33
## How to configure GRE + IPsec on Debian
34
-See [GRE + IPsec on Debian](gre-plus-ipsec-debian).
... ...
\ No newline at end of file
0
+See [GRE + IPsec on Debian](gre-plus-ipsec-debian).
howto/IPsec-on-FreeBSD.md
... ...
@@ -69,4 +69,4 @@ sainfo (address a.b.c.d gre address b.c.d.e gre) {
69 69
authentication_algorithm hmac_sha1;
70 70
}
71 71
72
-```
... ...
\ No newline at end of file
0
+```
howto/IPsec-with-PublicKeys.md
... ...
@@ -56,4 +56,4 @@ https://git.dn42.us/ryan/pubkey-converter/raw/master/pubkey-converter.pl
56 56
1. Best practice is to generate the private key on the router itself, and not transfer it to another machine. This part should be kept secret!
57 57
2. Generate a key of at least 2048 bits, preferably 4096 if both ends support it.
58 58
3. Some implementations support more than one key format. The examples here only show how to use one of them (usually PEM) for brevity.
59
-4. RFC 3110 format is the same as that described in RFC 2537. The former obsoletes the latter.
... ...
\ No newline at end of file
0
+4. RFC 3110 format is the same as that described in RFC 2537. The former obsoletes the latter.
howto/IPsecWithPublicKeys/CiscoIOSExample.md
... ...
@@ -62,7 +62,7 @@ In this example, we'll use the following settings:
62 62
foo(config-pubkey-chain)#addressed-key 192.0.2.2
63 63
foo(config-pubkey-key)#key-string
64 64
Enter a public key as a hexidecimal number ....
65
-
65
+
66 66
foo(config-pubkey)#30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
67 67
foo(config-pubkey)#00F3E0AA 8924E512 C08BA87C 73820A15 E5180DDC EF827221 2B3864BF B2D2A5E0
68 68
foo(config-pubkey)#33D04C1D 43A0CAF8 617EEEBA 7DB5BD38 429660CC 3144618E 4F386201 52483DA7
... ...
@@ -128,4 +128,4 @@ In this example, we'll use the following settings:
128 128
interface FastEthernet0/0
129 129
description WAN
130 130
ip address 192.0.2.1 255.255.255.0
131
- duplex full
... ...
\ No newline at end of file
0
+ duplex full
howto/IPsecWithPublicKeys/GRE-plus-IPsec-Debian.md
... ...
@@ -55,7 +55,7 @@ remote 5.6.7.8 [500] {
55 55
verify_cert on;
56 56
send_cert off;
57 57
send_cr off;
58
-
58
+
59 59
proposal {
60 60
encryption_algorithm aes 256;
61 61
hash_algorithm sha256;
howto/IPsecWithPublicKeys/OpenBSDExample.md
... ...
@@ -46,7 +46,7 @@ Load the configuration file into isakmpd: `ipsecctl -f /etc/ipsec.conf`. Once th
46 46
FLOWS:
47 47
flow esp in proto gre from 1.3.3.7 to 3.4.5.6 peer 1.3.3.7 srcid 3.4.5.6/32 dstid 1.3.3.7/32 type use
48 48
flow esp out proto gre from 3.4.5.6 to 1.3.3.7 peer 1.3.3.7 srcid 3.4.5.6/32 dstid 1.3.3.7/32 type require
49
-
49
+
50 50
SAD:
51 51
esp transport from 1.3.3.7 to 3.4.5.6 spi 0xdeadbeef auth hmac-sha1 enc aes
52 52
esp transport from 3.4.5.6 to 1.3.3.7 spi 0xf00df00d auth hmac-sha1 enc aes
... ...
@@ -62,4 +62,4 @@ These settings should also be added to [`/etc/hostname.gre0`](http://man.openbsd
62 62
63 63
tunnel 3.4.5.6 1.3.3.7
64 64
inet 10.20.30.0 10.20.30.1
65
- inet6 eui64
... ...
\ No newline at end of file
0
+ inet6 eui64
howto/IPsecWithPublicKeys/RacoonExample.md
... ...
@@ -40,4 +40,4 @@ remote 192.168.255.2 {
40 40
41 41
## Se also
42 42
43
-[debian specific configuration](IPsecWithPublicKeys/GRE plus IPsec Debian)
... ...
\ No newline at end of file
0
+[debian specific configuration](IPsecWithPublicKeys/GRE plus IPsec Debian)
howto/IPsecWithPublicKeys/RouterOSExample.md
... ...
@@ -10,11 +10,11 @@
10 10
# NAME KEY-SIZE
11 11
0 PR mykey 4096-bit
12 12
13
-### Exchange public keys with your peer
13
+## Exchange public keys with your peer
14 14
1. Export the public key to a file.
15 15
16 16
[admin@mtk1] /ip ipsec key> export-pub-key mykey file-name=mykey.pub
17
-
17
+
18 18
[admin@mtk1] /ip ipsec key> /file print where name=mykey.pub
19 19
# NAME TYPE SIZE CREATION-TIME
20 20
2 mykey.pub ssh key 451 jul/20/2014 12:35:33
... ...
@@ -52,7 +52,7 @@ In this example, we'll use the following settings:
52 52
53 53
[admin@mtk1] /ip ipsec key> import peer-key.pub name=peer-key
54 54
passphrase:
55
-
55
+
56 56
[admin@mtk1] /ip ipsec key> print
57 57
Flags: P - private-key, R - rsa
58 58
# NAME KEY-SIZE
... ...
@@ -89,4 +89,4 @@ In this example, we'll use the following settings:
89 89
lifetime=8h local-address=192.0.2.1 remote-key=peer-key
90 90
/ip ipsec policy
91 91
add dst-address=192.0.2.2/32 protocol=gre sa-dst-address=192.0.2.2 \
92
- sa-src-address=192.0.2.1 src-address=192.0.2.1/32
... ...
\ No newline at end of file
0
+ sa-src-address=192.0.2.1 src-address=192.0.2.1/32
howto/IPsecWithPublicKeys/VyOSExample.md
... ...
@@ -4,19 +4,19 @@
4 4
5 5
ubnt@ubnt:~$ generate vpn rsa-key bits 4096 random /dev/urandom
6 6
Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key
7
-
7
+
8 8
Your new local RSA key has been generated
9 9
The public portion of the key is:
10
-
10
+
11 11
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
12 12
13 13
### Exchange public keys with your peer
14 14
1. Display the public key. Send the key data portion to your peer.
15 15
16 16
ubnt@ubnt:~$ show vpn ike rsa-keys
17
-
17
+
18 18
Local public key (/config/ipsec.d/rsa-keys/localhost.key):
19
-
19
+
20 20
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
21 21
22 22
2. Convert your peer's public key to the Base64 RFC 3110 format using the [pubkey-converter][pubkey-converter] script, if necessary.
... ...
@@ -132,4 +132,4 @@ In this example, we'll use the following settings:
132 132
rsa-key 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
133 133
}
134 134
}
135
- }
... ...
\ No newline at end of file
0
+ }
howto/IPsecWithPublicKeys/strongSwan4Example.md
... ...
@@ -73,13 +73,13 @@ _Note: strongSwan < 5.0.0 will read PEM-formatted **private** keys, but requires
73 73
valid_lft forever preferred_lft forever
74 74
root@debian:~# more /etc/ipsec.conf
75 75
# ipsec.conf - strongSwan IPsec configuration file
76
-
76
+
77 77
config setup
78
-
78
+
79 79
conn %default
80 80
keyexchange=ikev1
81 81
dpdaction=restart
82
-
82
+
83 83
conn MYPEER
84 84
# peer IPs
85 85
left=192.0.2.1
... ...
@@ -101,4 +101,4 @@ _Note: strongSwan < 5.0.0 will read PEM-formatted **private** keys, but requires
101 101
rightprotoport=gre
102 102
# startup
103 103
auto=route
104
- keyingtries=%forever
... ...
\ No newline at end of file
0
+ keyingtries=%forever
howto/IPsecWithPublicKeys/strongSwan5Example.md
... ...
@@ -94,13 +94,13 @@ In this example, we'll use the following settings:
94 94
valid_lft forever preferred_lft forever
95 95
root@debian:~# more /etc/ipsec.conf
96 96
# ipsec.conf - strongSwan IPsec configuration file
97
-
97
+
98 98
config setup
99
-
99
+
100 100
conn %default
101 101
keyexchange=ikev1
102 102
dpdaction=restart
103
-
103
+
104 104
conn MYPEER
105 105
# peer IPs
106 106
left=192.0.2.1
... ...
@@ -127,4 +127,4 @@ If your peer is using a Cisco router and is behind NAT, then you might need to a
127 127
rightid=NATIP
128 128
129 129
# See also
130
-* [Network settings](https://internal.dn42/howto/networksettings)
... ...
\ No newline at end of file
0
+* [Network settings](https://internal.dn42/howto/networksettings)
howto/IPv6-Multicast.md
... ...
@@ -42,20 +42,20 @@ The following guide illustrates how to set up an IPv6 multicast router using [PI
42 42
# /etc/pim6sd.conf
43 43
# disable all interfaces by default
44 44
default_phyint_status disable;
45
-
45
+
46 46
# enable the pim-router-id interface first to acquire the correct primary address
47 47
phyint pim-router-id enable;
48
-
48
+
49 49
# add multicast-capable peer interfaces below
50 50
phyint dn42-peer1 enable;
51
-
51
+
52 52
# configure rendezvous point for the personal multicast prefix
53 53
cand_rp pim-router-id;
54 54
group_prefix ff7e:230:fd00:2001:db8::/96;
55 55
```
56 56
57 57
The `phyint` statement enables [PIM](https://tools.ietf.org/html/rfc7761) and [MLD](https://tools.ietf.org/html/rfc2710) on the target interface - by default all interfaces are in the disable state. Enable an interface if it is directed towards a multicast-capable peer or other multicast-capable routers in your autonomous system. Also enable it for downstream network segments with multicast listeners and senders, like for example your home (W)LAN segments.
58
-
58
+
59 59
With `cand_rp` and `group_prefix` statements you can configure this router as a Rendezvous Point (RP) for your personal multicast group prefix. The address on the interface given as `cand_rp` will be used as the primary address for your RP, it therefore *must* be routable.
60 60
61 61
---
... ...
@@ -165,4 +165,4 @@ If you want to offer an RP candidate for a shared multicast address, please read
165 165
166 166
ToDo:
167 167
* We have a solution for personal multicast prefixes tied to the network prefix of an AS owner. But what to do with multicast addresses that not only have listeners but also senders globally? We could have everyone add an additional "group_prefix ff00::/8" and then multicast router with the lowest address would win and become the central RP for all these addresses... not really scalable, robust or decentral though :-/. Should we use PIM-DM for some of these addresses instead (e.g. ones which generally have a low throughput, for instance Bittorrent Local Peer Discovery)? Or maybe those global addresses should be managed and configured as /128 and people who are interested in managing a specific, global multicast address will coordinate with each other?
168
-* bootstrap router coordination; according to RFCs a bootstrap router can alter/filter the multicast prefixes it received from candidate RPs. Should a bootstrap router check and filter any multicast prefix that was generated from a network prefix which does not match the network prefix used by the PR?
... ...
\ No newline at end of file
0
+* bootstrap router coordination; according to RFCs a bootstrap router can alter/filter the multicast prefixes it received from candidate RPs. Should a bootstrap router check and filter any multicast prefix that was generated from a network prefix which does not match the network prefix used by the PR?
howto/IPv6.md
... ...
@@ -74,4 +74,4 @@ ip6tables -t nat -A PREROUTING -s 2000::/3 -d <PUBLIC-PREFIX>:<SUBNET>::/56 -j N
74 74
### With Multiple Prefixes
75 75
76 76
## More Info
77
-This page is a work in progress. Please contact Fira if you feel like more information should be added here! Also see ASN 4242423218 for an example of IPv6-only AS on DN42.
... ...
\ No newline at end of file
0
+This page is a work in progress. Please contact Fira if you feel like more information should be added here! Also see ASN 4242423218 for an example of IPv6-only AS on DN42.
howto/Munin.md
... ...
@@ -54,4 +54,4 @@ graph_title $name routes
54 54
```
55 55
56 56
Example installation:
57
-http://stats.tbspace.de/munin-cgi/munin-cgi-graph/tbspace.de/server.tbspace.de/dn42_crest_routes-day.png
... ...
\ No newline at end of file
0
+http://stats.tbspace.de/munin-cgi/munin-cgi-graph/tbspace.de/server.tbspace.de/dn42_crest_routes-day.png
howto/OpenBGPD.md
... ...
@@ -132,4 +132,4 @@ include "/etc/dn42.roa-set"
132 132
This is mostly OpenBSD specific since [bgplg(8)](http://man.openbsd.org/bgplg.8) and [httpd(8)](http://man.openbsd.org/httpd.8) ship as part of the operating system.
133 133
The **bgplg** manual contains the few steps and example [httpd.conf(5)](http://man.openbsd.org/httpd.conf.5) required to enable the looking glass.
134 134
135
-See https://t4-2.high5.nl/bgplg for a running instance operating within DN42.
... ...
\ No newline at end of file
0
+See https://t4-2.high5.nl/bgplg for a running instance operating within DN42.
howto/OpenWRT.md
... ...
@@ -80,4 +80,4 @@ You have to use this patch: https://dev.openwrt.org/changeset/35484 (monkeypatch
80 80
81 81
## DNS
82 82
83
-See [DNS Configuration](/services/dns/Configuration). This will use the anycast dn42 DNS server to resolve `dn42` and relevant reverse domains.
... ...
\ No newline at end of file
0
+See [DNS Configuration](/services/dns/Configuration). This will use the anycast dn42 DNS server to resolve `dn42` and relevant reverse domains.
howto/Quagga.md
... ...
@@ -43,7 +43,7 @@ for IPv6 do something like
43 43
vtysh(config-router-af)> exit
44 44
vtysh(config-router)> exit
45 45
vtysh(config)> exit
46
-
46
+
47 47
### peer groups, prefix lists and such
48 48
If you want to use 'prefix-list' to filter some of the prefixes quagga is receiving, you can use a 'peer-group' instead of apply the prefix list to every neighbor.
49 49
... ...
@@ -66,7 +66,7 @@ Apply a prefix list for incoming prefixes to your peer group:
66 66
ip prefix-list vpn-in seq 5 permit 172.22.0.0/15 ge 22 le 28
67 67
!new dn42 allocation:
68 68
ip prefix-list vpn-in seq 10 permit 172.20.0.0/16 ge 22 le 28
69
-
69
+
70 70
! Anycast /32s for Whois and DNS:
71 71
ip prefix-list vpn-in seq 11 permit 172.22.0.43/32
72 72
ip prefix-list vpn-in seq 12 permit 172.22.0.53/32
... ...
@@ -132,4 +132,4 @@ Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
132 132
....
133 133
172.23.64.1 4 4242421375 0 0 0 0 0 never Active
134 134
fe80::deca:fbad 4 64699 902 694 0 0 0 01:23:57 486
135
-```
... ...
\ No newline at end of file
0
+```
howto/ROA-slash-RPKI.md
... ...
@@ -19,7 +19,7 @@ It provides the router with validity information regarding prefix origination:
19 19
The route announcement is covered by a ROA and the announcing AS is invalid (possibly hijacking)
20 20
* UNKNOWN
21 21
There exists no ROA for the route announcement
22
-
22
+
23 23
## How can I implement ROA on dn42?
24 24
25 25
On dn42 we generate ROA information from the dn42 registry.
... ...
@@ -31,14 +31,14 @@ It is also possible to integrate this with a RTR cache server such as [gortr](ht
31 31
You can find a hosted example of dn42regsrv at https://explorer.burble.com/
32 32
33 33
Instructions on how to host dn42regsrv yourself can be found on the git repo of [dn42regsrv](https://git.dn42.us/burble/dn42regsrv).
34
-
34
+
35 35
You can also run dn42regsrv via docker (then available at 127.0.0.1:8042):
36 36
37 37
git checkout https://git.dn42.us/burble/dn42regsrv.git .
38 38
cd contrib/docker
39 39
./build.sh
40 40
docker-compose up -d
41
-
41
+
42 42
Documentation for the api endpoints can be found here: https://git.dn42.us/burble/dn42regsrv/src/master/API.md
43 43
44 44
### gortr
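Review bot: The hunk itself only strips trailing whitespace, but the context line `git checkout https://git.dn42.us/burble/dn42regsrv.git .` is wrong and should be corrected in the same pass: `git checkout` only switches branches or restores files inside an existing clone, it does not fetch a repository, so this step fails for anyone following it. It should be `git clone https://git.dn42.us/burble/dn42regsrv.git` followed by `cd dn42regsrv/contrib/docker`, since the next line `cd contrib/docker` assumes the repository root is the current directory.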
... ...
@@ -57,4 +57,4 @@ TODO: Publish docker-compose-yml to git for gortr+dn42regsrv
57 57
58 58
### How do I integrate RTR with my BGP implementation
59 59
60
-You have to consult the documentation of your implementation for that. We will provide configuration examples on the specific pages.
... ...
\ No newline at end of file
0
+You have to consult the documentation of your implementation for that. We will provide configuration examples on the specific pages.
howto/Registry-Authentication.md
... ...
@@ -16,7 +16,7 @@ The signature and verification process varies depending on the type of public ke
16 16
17 17
---
18 18
19
-#### Finding the commit hash
19
+## Finding the commit hash
20 20
21 21
`git log` will list all the recent commits and show the commit hash:
22 22
```
... ...
@@ -31,7 +31,7 @@ Date: Mon Jan 01 01:01:01 2020 +0000
31 31
32 32
PGP keys may be uploaded to a public keyserver for verification, or added in the registry.
33 33
34
-#### Using a public keyserver
34
+### Using a public keyserver
35 35
36 36
- Use the following `auth` attribute in your `mntner` object:
37 37
```
... ...
@@ -72,7 +72,7 @@ auth: ssh-<keytype> <pubkey>
72 72
```
73 73
There are examples below for each specific key type.
74 74
75
-#### Generic process for signing with an SSH key
75
+### Generic process for signing with an SSH key
76 76
77 77
OpenSSH v8 introduced new functionality for creating signatures using SSH keys. If you have an older version, you can compile the latest version of ssh-keygen from the [openssh-portable repo](https://github.com/openssh/openssh-portable).
78 78
howto/Static-routes-on-Windows.md
... ...
@@ -60,4 +60,4 @@ ping %gateway4%
60 60
pause
61 61
ping %gateway6%
62 62
pause
63
-```
... ...
\ No newline at end of file
0
+```
howto/mikrotik.md
... ...
@@ -153,4 +153,4 @@ Since version 6.47 have added functionality that can redirect DNS queries accord
153 153
```
154 154
/ip dns static
155 155
add comment=DN42 forward-to=172.23.0.53 regexp=".*\\.dn42" type=FWD
156
-```
... ...
\ No newline at end of file
0
+```
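Review bot: the regexp on line 155, `regexp=".*\\.dn42"`, has no end anchor. Unless RouterOS anchors the match implicitly, a query for a name such as `host.dn42.example.com` also matches and is forwarded to 172.23.0.53 instead of the normal resolver. Suggest `regexp=".*\\.dn42$"` so that only names ending in `.dn42` are redirected; the anchor costs nothing if the match is already anchored.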
howto/mikrotik/ptp32.md
... ...
@@ -67,4 +67,4 @@ Check the routes with:
67 67
There should an attribute like:
68 68
```
69 69
gateway=gre-dn42-peer gateway-status=gre-dn42-peer reachable
70
-```
... ...
\ No newline at end of file
0
+```
howto/networksettings.md
... ...
@@ -32,7 +32,7 @@ Check that ALL your vpn interfaces allow ip forwarding for ipv6/ipv4.
32 32
$ sysctl -a | grep forwarding
33 33
```
34 34
35
-### Note on firewalls, conntrack and asymmetric routing
35
+## Note on firewalls, conntrack and asymmetric routing
36 36
37 37
Do not configure iptables/nftables to drop packets with invalid conntrack state in forward chain.
38 38
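Review bot: line 37 tells readers not to drop `invalid` conntrack state in the forward chain but offers no safer alternative, and dropping invalid packets is a common hardening default that people will be reluctant to remove wholesale. Suggest stating what to do instead: either exempt the DN42 tunnel interfaces from that rule, or mark forwarded DN42 traffic as `notrack` in the raw table so asymmetric flows never enter conntrack, and keep the invalid-state drop for everything else.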
... ...
@@ -41,4 +41,4 @@ but responses are fowarded via your network. This will prevent conntrack from as
41 41
and your firewall will drop it if it is configured to drop packets with invalid state.
42 42
43 43
44
-Happy Routing!
... ...
\ No newline at end of file
0
+Happy Routing!
howto/openvpn.md
... ...
@@ -200,4 +200,4 @@ Then, for each client, generate a private key and a certificate: ```./build-key
200 200
* [IPv4 - multicast](https://en.wikipedia.org/wiki/Multicast_address#GLOP_addressing)
201 201
* [IPv4 - GLOB calculator](http://labs.spritelink.net/glop)
202 202
* [RFC3108 GLOP Addressing in 233/8](http://tools.ietf.org/html/rfc3180)
203
- * [RFC3138 Extended Assignments in 233/8](https://tools.ietf.org/html/rfc3138)
... ...
\ No newline at end of file
0
+ * [RFC3138 Extended Assignments in 233/8](https://tools.ietf.org/html/rfc3138)
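Review bot: the link text on line 202 says "RFC3108" but the URL points at rfc3180, which is the GLOP addressing RFC, so the text should read RFC3180. Line 201 "GLOB calculator" should be "GLOP calculator", and the `http://tools.ietf.org` link on line 202 can use https like the one on line 203.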
howto/systemd-networkd-configuration-example.md
... ...
@@ -43,4 +43,4 @@ Peer = <peer tunnel linklocal address>/128
43 43
Address = <your DN42 ipv4>/32
44 44
Peer = <peer DN42 ipv4>/32
45 45
46
-```
... ...
\ No newline at end of file
0
+```
howto/tinc.md
... ...
@@ -92,4 +92,4 @@ $ tinc join <invitation-url>
92 92
93 93
This node will then automatically generate configuration, private/public keys and will exchange this key with the other node on connection.
94 94
95
-Remember to still set up your **tinc-up** script.
... ...
\ No newline at end of file
0
+Remember to still set up your **tinc-up** script.
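Review bot: the text around `tinc join <invitation-url>` (lines 92-93) should say that the invitation URL is a bearer credential: whoever receives it obtains a node that the inviting side will accept, so it has to be sent over an authenticated channel and treated as single-use. Also, "will exchange this key" on line 93 is ambiguous after "private/public keys"; it is the public key that is exchanged on connection.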
howto/vyos.md
... ...
@@ -1,4 +1,4 @@
1
-#VyOS
1
+# VyOS
2 2
VyOS is an open source software router. It is feature rich and supports multiple deployment options such as physical hardware (Old PC's) or a VPC/VM. The developers have a nightly rolling release that includes all the latest features such as Wireguard.
3 3
4 4
It can be downloaded here https://www.vyos.io/rolling-release/.
... ...
@@ -98,41 +98,41 @@ set protocols static interface-route 172.20.50.1/32 next-hop-interface wg92
98 98
99 99
100 100
101
-##BGP
101
+## BGP
102 102
Now that we have a tunnel to our peer and theoretically can ping them, we can setup BGP.
103
-###Initial Router Setup
103
+### Initial Router Setup
104 104
`set protocols bgp 424242XXXX address-family ipv4-unicast network 172.x.x.x\x`
105 105
_Insert your ASN and your assigned network block. Note that this should match your exact prefix as listed in the registry; if you try to advertise a subnet of your assigned block it could get filtered by some peers._
106 106
`set protocols bgp 424242XXX parameters router-id 172.x.x.x`
107 107
_To keep it simple just make your router ID match your lower IP within the DN42 registered space._
108
-###Neighbor Up With Peers
108
+### Neighbor Up With Peers
109 109
`set protocols bgp 424242XXXX neighbor 172.x.x.x address-family ipv4-unicast`
110 110
_This is likely the same IP as the one used in your static route earlier when creating the Wireguard tunnel._
111 111
`set protocols bgp 424242XXXX neighbor 172.x.x.x ebgp-multihop 20`
112 112
_This setting may need to be adjusted depending on circumstances_
113 113
`set protocols bgp 424242XXXX neighbor 172.x.x.x remote-as 424242XXXX`
114 114
_Your peers ASN_
115
-
115
+
116 116
`show ip bgp summary`
117 117
118
-##RPKI/ROA Checking
119
-###Setup RPKI Caching Server
118
+## RPKI/ROA Checking
119
+### Setup RPKI Caching Server
120 120
Burble has made this super easy. More info can be found [here](https://wiki.dn42/howto/ROA-slash-RPKI) on this wiki. Get started by running the below command on a Linux server with Docker installed.
121 121
122 122
```
123 123
sudo docker run -ti -p 8082:8082 cloudflare/gortr -cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082
124 124
```
125
-
125
+
126 126
This will start a docker container that listens on the host server's IP at port 8082. This setup is using Cloudflare's GoRTR and automatically reaching out and downloading a custom JSON file generated by Burble just for the DN42 network.
127 127
128
-###Point VyOS Router at RPKI Caching Server
128
+### Point VyOS Router at RPKI Caching Server
129 129
`set protocols rpki cache GoRTR address x.x.x.x`
130
-
130
+
131 131
`set protocols rpki cache GoRTR port 8082`
132
-
132
+
133 133
You can check the connection with `show rpki cache-connection` and the received prefix-table with `show rpki prefix-table`.
134 134
135
-###Create Route Map
135
+### Create Route Map
136 136
```
137 137
set policy route-map DN42-ROA rule 10 action 'permit'
138 138
set policy route-map DN42-ROA rule 10 match rpki 'valid'
... ...
@@ -142,12 +142,12 @@ set policy route-map DN42-ROA rule 30 action 'deny'
142 142
set policy route-map DN42-ROA rule 30 match rpki 'invalid'
143 143
```
144 144
This example allows all routes in unless they are marked invalid or in other words possibly been a victim of BGP hijacking.
145
-###Assign Route Map to Neighbor
145
+### Assign Route Map to Neighbor
146 146
```
147 147
set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map import DN42-ROA
148 148
set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map export DN42-ROA
149 149
```
150
-
150
+
151 151
## Example Route Map
152 152
### No RPKI/ROA and Internal Network Falls Into DN42 Range
153 153
```
... ...
@@ -210,4 +210,4 @@ set protocols bgp 4242421099 neighbor x.x.x.x address-family ipv6-unicast route-
210 210
```
211 211
212 212
213
-This page is a work-in-progress by Owens Research. If you have any suggestions or questions please reach out.
... ...
\ No newline at end of file
0
+This page is a work-in-progress by Owens Research. If you have any suggestions or questions please reach out.
howto/wireguard.md
... ...
@@ -47,7 +47,7 @@ $ ip addr add fe80::<some_random_suffix>/64 dev <interface_name>
47 47
$ ip addr add 172.xx.xx.xx/32 peer 172.xx.xx.xx/32 dev <interface_name>
48 48
$ ip link set <interface_name> up
49 49
```
50
-
50
+
51 51
<!-- Nurtic-Vibe has another [script](https://git.dn42.us/Nurtic-Vibe/grmml-helper/src/master/create_wg.sh) to interactively automate the peering process. -->
52 52
53 53
Maybe you should check the MTU to your peer with e.g. `ping -s 1472 <end_point_hostname_or_ip>`. If your output looks like `From gateway.local (192.168.0.1) icmp_seq=1 Frag needed and DF set (mtu = 1440)` substract `80` from the MTU and set it via `ip link set dev <interface_name> mtu <calculated_mtu>`
... ...
@@ -101,7 +101,7 @@ Address = <your link-local address, if any>
101 101
PostUp = /sbin/ip addr add dev %i <MyIPv4>/32 peer <PeerIPv4>/32
102 102
PostUp = /sbin/ip addr add dev %i <MyIPv6>/128 peer <PeerIPv6>/128
103 103
Table = off
104
-
104
+
105 105
[Peer]
106 106
Endpoint = <your peer's wireguard endpoint>
107 107
PublicKey = <your peer's public key>
internal/APIs.md
... ...
@@ -1,12 +1,12 @@
1
-#Application Programming Interfaces (APIs)
1
+# Application Programming Interfaces (APIs)
2 2
This page can be useful if you are trying to automate something or if you are trying to retrieve data programmatically.
3 3
4
-##ASN Authentication Solution
4
+## ASN Authentication Solution
5 5
Authenticate your users by having them verify their ASN ownership with KIOUBIT-MNT using their registry-provided methods in an automated way.
6 6
More Information in the setup tutorial: https://dn42.g-load.eu/auth/documentation/tutorial.html
7 7
To use the service, please message Kioubit on IRC to have your domain activated.
8 8
9
-##Registry REST API
9
+## Registry REST API
10 10
11 11
[dn42regsrv](https://git.dn42.us/burble/dn42regsrv) is a REST API for the DN42 registry that provides a bridge between interactive applications and the registry.
12 12
internal/Historical-Services.md
... ...
@@ -68,7 +68,7 @@ wieistmeineip.dn42 also provides a telnet service that returns the address you c
68 68
|:------------------------------------------------- |:--------------------------------------------------------------- |
69 69
| http://stream.media.dn42/ | icecast-relay, contact toBee for more streams (DOWN 2020-11-02) |
70 70
| http://radio.hex.dn42/ | Ambient musics |
71
-
71
+
72 72
73 73
## File Sharing
74 74
... ...
@@ -181,4 +181,4 @@ There is a page for email Providers [here](/services/E-Mail-Providers)
181 181
### Augsburg
182 182
183 183
We have a plugin that enables us to announce services in the mesh. So instead of listing them here again just have a look at http://10.11.0.8/cgi-bin/luci/freifunk/services to see what we have to offer.
184
-(Upload is not fast, most probably DSL speed only)
... ...
\ No newline at end of file
0
+(Upload is not fast, most probably DSL speed only)
internal/Ideas.md
... ...
@@ -2,7 +2,7 @@
2 2
3 3
… or the service that would make dn42 truly interesting for people (for non-technical reasons).
4 4
5
-#### Criterias
5
+## Criterias
6 6
7 7
- it should be difficult to setup on the Internet (for technical or legal reasons)
8 8
- it should interest people that are likely to know dn42 (hackerspaces, etc)
internal/Internal-Services.md
... ...
@@ -54,7 +54,7 @@ To use the service, please message Kioubit on IRC to have your domain activated.
54 54
| irc.hackint.hack/dn42 | Yes | ChaosVPN |
55 55
| irc.dn42 | Yes | Internal IRC |
56 56
57
-#### Clients
57
+### Clients
58 58
59 59
| Hostname / IP | Remarks |
60 60
|:--------------|:--------|
internal/services/Tor.md
... ...
@@ -35,4 +35,4 @@ _Note that the same warnings above also apply to the following proxies._
35 35
36 36
| Offline | | |
37 37
|---------------------------------------|-------------|-------------|
38
-| socks5://172.20.11.33:9050 | 100 Mbit/s | twink0r |
... ...
\ No newline at end of file
0
+| socks5://172.20.11.33:9050 | 100 Mbit/s | twink0r |
services/Automatic-CA.md
... ...
@@ -218,7 +218,7 @@ Type=oneshot
218 218
WorkingDirectory=/etc/ssl/dn42
219 219
ExecStart=/etc/ssl/dn42/ca.dn42 tls-sign wiki.dn42 MIC92-MNT
220 220
# accept multiple ExecStart lines for other certificates
221
-#ExecStart=/etc/ssl/dn42/ca.dn42 tls-sign foobar.dn42 MIC92-MNT
221
+# ExecStart=/etc/ssl/dn42/ca.dn42 tls-sign foobar.dn42 MIC92-MNT
222 222
ExecStart=/usr/bin/nginx -s reload
223 223
```
224 224
... ...
@@ -239,4 +239,4 @@ OK
239 239
```
240 240
241 241
## Certificate transparency
242
-All issued certificates will be logged to [xuu's mattermost instance](https://teams.dn42/dn42/channels/tls-certificates).
... ...
\ No newline at end of file
0
+All issued certificates will be logged to [xuu's mattermost instance](https://teams.dn42/dn42/channels/tls-certificates).
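Review bot: line 242 calls a Mattermost channel "certificate transparency". A chat feed is a useful issuance notification but not a transparency log in the RFC 6962 sense (append-only, signed, auditable by third parties); suggest wording it as an issuance feed, or noting that the authoritative record is the PKI store at https://ca.dn42/ referenced from services/Certificate-Authority.md.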
services/Certificate-Authority.md
... ...
@@ -168,4 +168,4 @@ $ update-ca-certificates
168 168
169 169
## PKI Store
170 170
171
-All issued keys and crl information are posted at: https://ca.dn42/
... ...
\ No newline at end of file
0
+All issued keys and crl information are posted at: https://ca.dn42/
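Review bot: line 171 says "All issued keys and crl information are posted"; a CA publishes certificates and CRLs, never private keys, so this should read "All issued certificates and CRL information". As written it can be read as the CA holding subscriber keys.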
services/Certificate-Authority/Automated-Certificate-Management-Environment.md
... ...
@@ -1 +1 @@
1
-tba
... ...
\ No newline at end of file
0
+tba
services/Distributed-Wiki.md
... ...
@@ -36,7 +36,7 @@ Since gollum is built on top of Git, it is not overly complicated to keep the lo
36 36
37 37
- Contact [XUU-DN42](https://io.nixnodes.net?t=person&l=XUU-DN42) and ask for write access to the repo
38 38
- Setup cron for periodic pull/push jobs for the repo (simple example):
39
-
39
+
40 40
+ **wiki-sync.sh**:
41 41
42 42
```sh
... ...
@@ -62,7 +62,7 @@ exit 0
62 62
63 63
- Install [gollum](https://github.com/gollum/gollum)
64 64
- Start two gollum instances, read-only and read/write on `127.0.0.1`:
65
-
65
+
66 66
Read/write (SSL only):
67 67
```
68 68
RACK_ENV=production gollum --css --host 127.0.0.1 --port 4568 <path>
... ...
@@ -76,7 +76,7 @@ RACK_ENV=production gollum --css --host 127.0.0.1 --port 4567 --no-edit <path>
76 76
77 77
## Nginx reverse proxy
78 78
79
-#### SSL
79
+### SSL
80 80
81 81
- Setup your maintainer object according to [Automatic CA](/services/Automatic-CA)
82 82
- Generate a [CSR](/services/Certificate-Authority) and send DNS Key Pin to [[email protected]](mailto:[email protected]):
... ...
@@ -138,7 +138,7 @@ Nginx should listen on a unicast address as well, so your site can be reached ex
138 138
```
139 139
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
140 140
ssl_session_cache shared:SSL:2m;
141
-
141
+
142 142
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
143 143
144 144
ssl_prefer_server_ciphers on;
... ...
@@ -188,7 +188,7 @@ server {
188 188
189 189
## ExaBGP
190 190
191
-#### Announcing
191
+### Announcing
192 192
193 193
The prefix AS-PATH should show the announcement is originating from your AS. After peering ExaBGP to the nearest speaker(s), check if the prefix is routing properly inside your network. Try not to blackhole the passing traffic (e.g. no static routes to `172.23.0.80/32`). Test the whole thing by shutting down nginx/gollum and watch what happens.
194 194
... ...
@@ -247,7 +247,7 @@ URL=("http://172.23.0.80" "https://172.23.0.80" "http://[fd42:d42:d42:80::1]" "h
247 247
ROUTE='172.23.0.80/32'
248 248
## the anycast v6 route (/64 due to prefix size limits)
249 249
ROUTE6='fd42:d42:d42:80::/64'
250
-
250
+
251 251
## the next-hop we'll be advertising to neighbor(s)
252 252
NEXTHOP='<source-address>'
253 253
NEXTHOP6='<source-address-v6>'
... ...
@@ -258,15 +258,15 @@ VALIDATE_KEYWORD='gollum'
258 258
INTERVAL=60
259 259
260 260
###########################
261
-
261
+
262 262
RUN_STATE=0
263
-
263
+
264 264
check_urls() {
265 265
for url in "${URL[@]}"; do
266
-
266
+
267 267
## workaround curl errno 23 when piping
268 268
http_response=`${CURL} --insecure -g -s -L -o - "${url}"`
269
-
269
+
270 270
echo "${http_response}" | egrep -q "${VALIDATE_KEYWORD}" || {
271 271
return 1
272 272
}
... ...
@@ -293,7 +293,7 @@ while [ 1 ]; do
293 293
fi
294 294
295 295
sleep ${INTERVAL}
296
-
296
+
297 297
done
298 298
299 299
exit 0
... ...
@@ -325,7 +325,7 @@ start() {
325 325
cpid=$!
326 326
[ ${cpid} -eq 0 ] && {
327 327
echo "ERROR: could not start process"; return 1
328
-
328
+
329 329
}
330 330
echo ${cpid} > ${PID_FILE}
331 331
}
... ...
@@ -356,4 +356,4 @@ exit 0
356 356
357 357
358 358
359
-
359
+
services/E-Mail-Providers.md
... ...
@@ -3,4 +3,4 @@ If you have an E-Mail service and would like to test it's functionality, send an
3 3
**Free E-Mail Addresses for DN42 Users.**
4 4
* DN42 Mail, https://dmail.dn42
5 5
* Free, easy to sign up, unlimited internal emailing. Hosted by zane_reick
6
- * Register at https://dmail.dn42/register/register.php
... ...
\ No newline at end of file
0
+ * Register at https://dmail.dn42/register/register.php
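Review bot: the hunk header shows context line 3 "test it's functionality"; the possessive is "its".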
services/Exchanges.md
... ...
@@ -15,4 +15,4 @@ points of failure and are no longer operating
15 15
16 16
The NL-Zuid website is also available from the public internet: https://nl-zuid.nl
17 17
18
-Its generally recommended to only announce prefixes from your own network and that of your transit customers.
... ...
\ No newline at end of file
0
+Its generally recommended to only announce prefixes from your own network and that of your transit customers.
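Review bot: line 18 "Its generally recommended" needs the apostrophe: "It's generally recommended".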
services/FreePhone.md
... ...
@@ -48,4 +48,4 @@ If someone is willing to experiment we could try allowing reinvites. This way al
48 48
* Phone #: +493727/959023
49 49
* Sipgate: 5884293
50 50
* SIP: maxx(at)maxx.spaceboyz.net
51
- * Transcoding from/into G.729 works fine now, thanks to some precompiled versions for asterisk.
... ...
\ No newline at end of file
0
+ * Transcoding from/into G.729 works fine now, thanks to some precompiled versions for asterisk.
services/IPv6-Anycast.md
... ...
@@ -23,4 +23,4 @@ Remember, if you announce an anycast /64, then you need to provide **all** servi
23 23
### Future services
24 24
25 25
- streaming
26
-- other kind of DNS (authoritative-only, recursive for `dn42` only)
... ...
\ No newline at end of file
0
+- other kind of DNS (authoritative-only, recursive for `dn42` only)
services/New-DNS.md
... ...
@@ -49,4 +49,4 @@ The set of valid KSKs can be found in the registry.
49 49
50 50
* [DNS Quick Start](/DNS)
51 51
* [Old Hierarchical DNS](/Old-Hierarchical-DNS)
52
-* [Original DNS (deprecated)](/Original-DNS-(deprecated))
... ...
\ No newline at end of file
0
+* [Original DNS (deprecated)](/Original-DNS-(deprecated))
services/News.md
... ...
@@ -10,4 +10,4 @@
10 10
|----|----|----|----|----|----|
11 11
| cronix | _down_ | news.crystalnet.dn42 | _yes_ | as requested | _no_ |
12 12
| UFO | _down_ | [UCIS.ano news](http://cgiproxy.ucis.dn42/nph-proxy.cgi/00/http/www.ucis.ano/news/) | _no_ | anonet, dn42 | _limited_ |
13
-| SeekingFor | _down_ | [AnoNet News](http://cgiproxy.ucis.dn42/nph-proxy.cgi/00/http/news.sfor.ano/) | _yes_ | anonet, dn42 | _no_ |
... ...
\ No newline at end of file
0
+| SeekingFor | _down_ | [AnoNet News](http://cgiproxy.ucis.dn42/nph-proxy.cgi/00/http/news.sfor.ano/) | _yes_ | anonet, dn42 | _no_ |
services/Old-Hierarchical-DNS.md
... ...
@@ -46,4 +46,4 @@ Contact one of the root-servers.dn42 operators if you wish to set up a root/zone
46 46
47 47
You may want to set up a resolver, see link below or use 172.23.0.53 directly.
48 48
49
-Techical information available [here](https://nixnodes.net/wiki/n/DN42_DNS)
... ...
\ No newline at end of file
0
+Techical information available [here](https://nixnodes.net/wiki/n/DN42_DNS)
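Review bot: line 49 "Techical" should be "Technical".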
services/Original-DNS-(deprecated).md
... ...
@@ -43,4 +43,4 @@ See [Providing Anycast DNS](/Providing Anycast DNS).
43 43
44 44
## [Old Hierarchical DNS](/Old Hierarchical DNS)
45 45
46
-This is a new effort to build a DNS system that mirrors how DNS was designed to work in clearnet.
... ...
\ No newline at end of file
0
+This is a new effort to build a DNS system that mirrors how DNS was designed to work in clearnet.
services/Route-Collector.md
... ...
@@ -37,7 +37,7 @@ protocol bgp ROUTE_COLLECTOR
37 37
ipv4 {
38 38
# export all available paths to the collector
39 39
add paths tx;
40
-
40
+
41 41
# import/export filters
42 42
import none;
43 43
export filter {
services/Statistics.md
... ...
@@ -112,4 +112,4 @@ user root
112 112
fi
113 113
# Measure Section ##########
114 114
```
115
-* restart munin-node
... ...
\ No newline at end of file
0
+* restart munin-node
services/Tahoe-LAFS.md
... ...
@@ -30,4 +30,4 @@ With `bin/tahoe start` you start your local node.
30 30
You can reach the local node via web browser at [http://localhost:3456](http://localhost:3456).
31 31
32 32
## Further informations
33
-Look at https://tahoe-lafs.org for further information.
... ...
\ No newline at end of file
0
+Look at https://tahoe-lafs.org for further information.
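Review bot: the heading on context line 32, "Further informations", should be "Further information".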
services/Virtual-Machines.md
... ...
@@ -2,7 +2,7 @@
2 2
3 3
Previously, some DN42 users had provided VMs to the community, but it is not known if any of these are currently active any more. The list of old providers is below the break.
4 4
5
-#### burble.dn42
5
+## burble.dn42
6 6
7 7
If you have a DN42 project but do not have the resources to host it yourself, the burble.dn42 network may be able to provide hosting for you. Contact burble on IRC or via email to discuss.
8 8
... ...
@@ -13,7 +13,7 @@ If you have a DN42 project but do not have the resources to host it yourself, th
13 13
14 14
---
15 15
16
-#### Old Providers:
16
+### Old Providers:
17 17
18 18
| Person | RAM | HDD | Net | CPU | Description | No. Available
19 19
|:------------- |:------ |:--------- |:---------- |:---------- |:-------------------------- |:--------------------------|
... ...
@@ -21,4 +21,4 @@ If you have a DN42 project but do not have the resources to host it yourself, th
21 21
| florianb | 384 MB | 5 GB | dn42 only | 1x 2.2Ghz | OpenVZ in Germany, good peers | always enough
22 22
| nellicus | 384 MB | 5 - 10 GB | dn42 only | 1x 2.6Ghz | Xen/KVM Washington, DC USA | 0
23 23
|Basil | 256 MB | 20 GB | dn42, NAT v4, /64 v6 | 1x 3.4Ghz | KVM, Gravelines, France | Always enough
24
-| KaiRaphixx (AS4242422506) | 512 MB - 4096 MB | 20 GB SSD / 50 GB HDD | dn42, NAT v4 (only Internet-Connection, No Port-Forwarding) | 1x - 2x 3.5 Ghz | KVM, Falkenstein, Germany | Always enough
... ...
\ No newline at end of file
0
+| KaiRaphixx (AS4242422506) | 512 MB - 4096 MB | 20 GB SSD / 50 GB HDD | dn42, NAT v4 (only Internet-Connection, No Port-Forwarding) | 1x - 2x 3.5 Ghz | KVM, Falkenstein, Germany | Always enough
services/Whois.md
... ...
@@ -90,7 +90,7 @@ We have anycast IPv4 and IPv6, both reachable under whois.dn42. IPs are 172.22.0
90 90
| burble | whois.burble.dn42 | 172.20.129.8 / fd42:4242:2601:ac43::1 |
91 91
| taavi | whois.svc.as4242423270.dn42 | 172.22.130.143 / fd96:70f6:b174:<span>ac</span>::43 |
92 92
93
-### Down?
93
+## Down?
94 94
95 95
| **person** | **dns** | **ip** |
96 96
|------------|---------------------------|-----------------|
services/dns/Configuration.md
... ...
@@ -74,7 +74,7 @@ To disable DNSSEC validation only for certain TLDs include the following in the
74 74
```
75 75
options {
76 76
# [...]
77
-
77
+
78 78
validate-except {
79 79
"dn42";
80 80
"20.172.in-addr.arpa";
... ...
@@ -254,4 +254,4 @@ system {
254 254
```
255 255
256 256
## MS DNS
257
-Add a "Conditional Forward" (de: "Bedingte Weiterleitung") for each of "dn42", "20.172.in-addr.arpa", "21.172.in-addr.arpa", "22.172.in-addr.arpa", "23.172.in-addr.arpa", "10.in-addr.arpa" using 172.20.0.53 as forwarder. Ignore the error message that the server is not authoritative.
... ...
\ No newline at end of file
0
+Add a "Conditional Forward" (de: "Bedingte Weiterleitung") for each of "dn42", "20.172.in-addr.arpa", "21.172.in-addr.arpa", "22.172.in-addr.arpa", "23.172.in-addr.arpa", "10.in-addr.arpa" using 172.20.0.53 as forwarder. Ignore the error message that the server is not authoritative.
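Review bot: line 257 forwards the dn42 zones to 172.20.0.53, while howto/mikrotik.md in this same commit forwards `.dn42` to 172.23.0.53. Both addresses appear on the wiki as resolvers, but a reader following the two pages ends up with different forwarders; state here which one is the current anycast recursor, or list both.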
services/dns/External-DNS.md
... ...
@@ -31,4 +31,4 @@ NeoNetwork zone files can be found here: https://github.com/NeoCloud/NeoNetwork/
31 31
32 32
## Configuration
33 33
34
-See [DNS forwarding configuration](/services/dns/Configuration).
... ...
\ No newline at end of file
0
+See [DNS forwarding configuration](/services/dns/Configuration).
services/dns/Providing-Anycast-DNS.md
... ...
@@ -1,4 +1,4 @@
1
-#DEPRECATED - Please have a look at [Hierarchical DNS](https://internal.dn42/Hierarchical-DNS) instead
1
+# DEPRECATED - Please have a look at [Hierarchical DNS](https://internal.dn42/Hierarchical-DNS) instead
2 2
3 3
You may want to participate in the anycast DNS cloud.
4 4
... ...
@@ -63,4 +63,4 @@ There are a few different scripts for generating zone files. They have been writ
63 63
| xuu |ON,CA| 64737 | souris.root.dn42 (fdea:a15a:77b9:53::1) | |
64 64
| Nurtic-Vibe |EU |4242420123 | ns1.grmml.dn42 (fd42:23:149:cccc::53) ||
65 65
| hax404 | DE | 76114 | chero.hax404.dn42 (fd58:eb75:347d:101::1) ||
66
-| florianb | AT | 4242423955 | resolver.flo.dn42 (fd42:d42:d42:53::1) | advertisted in BGP |
... ...
\ No newline at end of file
0
+| florianb | AT | 4242423955 | resolver.flo.dn42 (fd42:d42:d42:53::1) | advertisted in BGP |
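Review bot: line 66 "advertisted in BGP" should be "advertised in BGP".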