Other.md
... ...
@@ -44,7 +44,7 @@ A wiki page dedicated to the AnoNet Network: http://wiki.qontrol.nl/Anonet
44 44
45 45
> This information is a caryover from the original dn42 wiki. most is unsubstantiated and probably invalid now. Included here for historical reasons. Keys and other parameters can be found in the registry under `tinc-key` and `tinc-keyset`
46 46
47
-````
47
+```
48 48
first tinc cloud
49 49
================
50 50
... ...
@@ -88,6 +88,6 @@ IP IPv6 User Host ASN
88 88
172.22.255.161 fd04:de02:7af9::161 uves spline 64733
89 89
172.22.255.162 fd04:de02:7af9::162 petrus beta 64751
90 90
-------------- ------------------- --------- ----------- -----
91
-````
91
+```
92 92
93 93
howto/Address-Space.md
... ...
@@ -9,9 +9,9 @@ The [DN42 registry](https://git.dn42.dev/dn42/registry) is the authoritative sou
9 9
10 10
A simple way to see all the active policies in the registry is to search the registry content for policy attributes:
11 11
12
-````sh
12
+```sh
13 13
grep -r ^policy data/inet{,6}num/
14
-````
14
+```
15 15
16 16
The [filter.txt](https://git.dn42.dev/dn42/registry/src/master/data/filter.txt) and [filter6.txt](https://git.dn42.dev/dn42/registry/src/master/data/filter6.txt) files within the registry detail the network wide constraints on what address ranges are in use together with the global limits on what can be announced.
17 17
howto/Bird-communities.md
... ...
@@ -11,7 +11,7 @@ Below, you will see an example config for peers4 based on the original filter im
11 11
To properly assign the right community to your peer, please reference the table below. If you are running your own network and peering internally, please also apply the communities inside your network.
12 12
13 13
## BGP community criteria
14
-````
14
+```
15 15
(64511, 1) :: latency \in (0, 2.7ms]
16 16
(64511, 2) :: latency \in (2.7ms, 7.3ms]
17 17
(64511, 3) :: latency \in (7.3ms, 20ms]
... ...
@@ -39,12 +39,12 @@ bw = min(up,down) for asymmetric connections
39 39
Propagation:
40 40
- - for latency pick max(received_route.latency, link_latency)
41 41
- - for encryption and bandwidth pick min between received BGP community and peer link
42
-````
42
+```
43 43
For example, if your peer is 12ms away and the link speed between you is 250Mbit/s and you are peering using OpenVPN P2P, then the community string would be (3, 24, 33).
44 44
45 45
Two utilites which measure round trip time and calculate community values automatically are provided, written in [ruby](https://github.com/Mic92/bird-dn42/blob/master/bgp-community.rb) and [C](https://github.com/nixnodes/bird/blob/master/misc/dn42-comgen.c).
46 46
47
-````
47
+```
48 48
$ ruby bgp-community.rb --help
49 49
USAGE: bgp-community.rb host mbit_speed unencrypted|unsafe|encrypted|pfs
50 50
-6, --ipv6 Assume ipv6 for ping
... ...
@@ -56,11 +56,11 @@ $ ruby bgp-community.rb -6 dn42-2.higgsboson.tk 1000 pfs
56 56
# 11 ms, 1000 mbit/s, pfs tunnel (updated: 2016-02-11)
57 57
import where dn42_import_filter(3,25,34);
58 58
export where dn42_export_filter(3,25,34);
59
-````
59
+```
60 60
61 61
### Route Origin
62 62
According to [this mail](https://lists.nox.tf/pipermail/dn42/2015-December/001259.html) these are the communities for route origin:
63
-````
63
+```
64 64
(64511, 41) :: Europe
65 65
(64511, 42) :: North America-E
66 66
(64511, 43) :: North America-C
... ...
@@ -74,7 +74,7 @@ According to [this mail](https://lists.nox.tf/pipermail/dn42/2015-December/00125
74 74
(64511, 51) :: Asia-SE (TH,SG,PH,ID,MY)
75 75
(64511, 52) :: Asia-E (JP,CN,KR)
76 76
(64511, 53) :: Pacific
77
-````
77
+```
78 78
79 79
You need to add following lines to your config(s):
80 80
- `define DN42_REGION = $VALUE_FROM_ABOVE` to your node's config (where OWNAS and OWNIP are set)
... ...
@@ -83,15 +83,15 @@ just above `update_flags` in `dn42_export_filter` function
83 83
84 84
85 85
## Example configurations
86
-````
86
+```
87 87
# /etc/bird/peers4/tombii.conf
88 88
protocol bgp tombii from dnpeers {
89 89
neighbor 172.23.102.x as 4242420321;
90 90
import where dn42_import_filter(3,24,33);
91 91
export where dn42_export_filter(3,24,33);
92 92
};
93
-````
94
-````
93
+```
94
+```
95 95
#/etc/bird/community_filters.conf
96 96
function update_latency(int link_latency) {
97 97
bgp_community.add((64511, link_latency));
... ...
@@ -159,9 +159,9 @@ function dn42_export_filter(int link_latency; int link_bandwidth; int link_crypt
159 159
reject;
160 160
}
161 161
162
-````
162
+```
163 163
Please remember to include /etc/bird/community_filters.conf in your bird.conf/birdc6.conf
164
-````
164
+```
165 165
166 166
# local configuration
167 167
######################
... ...
@@ -172,7 +172,7 @@ include "bird/local4.conf";
172 172
173 173
include "/etc/bird/filter4.conf";
174 174
include "/etc/bird/community_filters.conf";
175
-````
175
+```
176 176
177 177
178 178
***
howto/Bird.md
... ...
@@ -7,13 +7,13 @@ In the Debian release cycle the bird packages may become outdated at times, if t
7 7
8 8
This is not necessary for Debian Stretch, which currently ships the most recent version (1.6.3) in this repositories.
9 9
10
-````sh
10
+```sh
11 11
wget -O - http://bird.network.cz/debian/apt.key | apt-key add -
12 12
apt-get install lsb-release
13 13
echo "deb http://bird.network.cz/debian/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/bird.list
14 14
apt-get update
15 15
apt-get install bird
16
-````
16
+```
17 17
18 18
# Example configuration
19 19
... ...
@@ -28,7 +28,7 @@ Note: This file covers the configuration of Bird 1.x. For an example configurati
28 28
29 29
### IPv6
30 30
31
-````
31
+```
32 32
#/etc/bird/bird6.conf
33 33
protocol device {
34 34
scan time 10;
... ...
@@ -96,9 +96,9 @@ template bgp dnpeers {
96 96
}
97 97
98 98
include "/etc/bird/peers6/*";
99
-````
99
+```
100 100
101
-````
101
+```
102 102
# /etc/bird/local6.conf
103 103
# should be a unique identifier, use same id as for ipv4
104 104
router id <GATEWAY_IP>;
... ...
@@ -115,20 +115,20 @@ function is_valid_network() {
115 115
fd00::/8{44,64} # ULA address space as per RFC 4193
116 116
];
117 117
}
118
-````
118
+```
119 119
120
-````
120
+```
121 121
# /etc/bird/peers6/<PEER_NAME>
122 122
protocol bgp <PEER_NAME> from dnpeers {
123 123
neighbor <PEERING_IP> as <PEER_AS>;
124 124
# if you use link-local ipv6 addresses for peering using the following
125 125
# neighbor <PEERING_IP> % '<INTERFACE_NAME>' as <PEER_AS>;
126 126
};
127
-````
127
+```
128 128
129 129
### IPv4
130 130
131
-````
131
+```
132 132
# /etc/bird/bird.conf
133 133
# Device status
134 134
protocol device {
... ...
@@ -205,9 +205,9 @@ template bgp dnpeers {
205 205
};
206 206
207 207
include "/etc/bird/peers4/*";
208
-````
208
+```
209 209
210
-````
210
+```
211 211
#/etc/bird/local4.conf
212 212
# should be a unique identifier, <GATEWAY_IP> is what most people use.
213 213
router id <GATEWAY_IP>;
... ...
@@ -232,14 +232,14 @@ function is_valid_network() {
232 232
10.0.0.0/8{15,24} # Freifunk.net
233 233
];
234 234
}
235
-````
235
+```
236 236
237
-````
237
+```
238 238
# /etc/bird/peers4/<PEER_NAME>
239 239
protocol bgp <PEER_NAME> from dnpeers {
240 240
neighbor <PEERING_IP> as <PEER_AS>;
241 241
};
242
-````
242
+```
243 243
244 244
# Bird communities
245 245
... ...
@@ -270,23 +270,23 @@ ROA files generated by [dn42regsrv](https://git.dn42.dev/burble/dn42regsrv) are
270 270
271 271
You can add cron entries to periodically update the tables:
272 272
273
-````
273
+```
274 274
*/15 * * * * curl -sfSLR {-o,-z}/var/lib/bird/bird6_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_6.conf && chronic birdc6 configure
275 275
*/15 * * * * curl -sfSLR {-o,-z}/var/lib/bird/bird_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_4.conf && chronic birdc configure
276
-````
276
+```
277 277
278 278
Debian version:
279 279
280
-````
280
+```
281 281
*/15 * * * * curl -sfSLR -o/var/lib/bird/bird6_roa_dn42.conf -z/var/lib/bird/bird6_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_6.conf && /usr/sbin/birdc6 configure
282 282
*/15 * * * * curl -sfSLR -o/var/lib/bird/bird_roa_dn42.conf -z/var/lib/bird/bird_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_4.conf && /usr/sbin/birdc configure
283
-````
283
+```
284 284
285 285
then create the directory to make sure curls can save the files:
286 286
287
-````
287
+```
288 288
mkdir -p /var/lib/bird/
289
-````
289
+```
290 290
291 291
### Use RPKI ROA for bird2
292 292
* Download gortr
... ...
@@ -295,22 +295,22 @@ mkdir -p /var/lib/bird/
295 295
296 296
* Running gortr,need golang environment.
297 297
298
-````
298
+```
299 299
./gortr -verify=false -checktime=false -cache=https://dn42.burble.com/roa/dn42_roa_46.json
300
-````
300
+```
301 301
302 302
303 303
* run with docker
304 304
305 305
`docker pull cloudflare/gortr`
306 306
307
-````
307
+```
308 308
docker run --name dn42rpki -p 8282:8282 --restart=always -d cloudflare/gortr -verify=false -checktime=false -cache=https://dn42.burble.com/roa/dn42_roa_46.json
309
-````
309
+```
310 310
311 311
* Add this to your bird configure file,other ROA protocol must removed.
312 312
313
-````
313
+```
314 314
protocol rpki rpki_dn42{
315 315
roa4 { table dn42_roa; };
316 316
roa6 { table dn42_roa_v6; };
... ...
@@ -321,26 +321,26 @@ protocol rpki rpki_dn42{
321 321
refresh keep 900;
322 322
expire keep 172800;
323 323
}
324
-````
324
+```
325 325
326 326
## Filter configuration
327 327
328 328
In your import filter add the following to reject invalid routes:
329 329
330
-````
330
+```
331 331
if (roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID) then {
332 332
print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
333 333
reject;
334 334
}
335
-````
335
+```
336 336
337 337
Also, define your ROA table with:
338 338
339
-````
339
+```
340 340
roa table dn42_roa {
341 341
include "/var/lib/bird/bird_roa_dn42.conf";
342 342
};
343
-````
343
+```
344 344
345 345
346 346
**NOTE**: Make sure you setup ROA checks for both bird and bird6 (for IPv6).
... ...
@@ -349,7 +349,7 @@ roa table dn42_roa {
349 349
350 350
bird can be remote controlled via the `birdc` command. Here is a list of useful bird commands:
351 351
352
-````
352
+```
353 353
$ birdc
354 354
BIRD 1.4.5 ready.
355 355
bird> configure # reload configuration
... ...
@@ -389,7 +389,7 @@ bird> show route filtered # shows routed filtered out by rules
389 389
bird> show route protocol <somepeer> # shows the route they export to you
390 390
bird> show route export <somepeer> # shows the route you export to someone
391 391
...
392
-````
392
+```
393 393
394 394
# External Links
395 395
* detailed bird configuration from Mic92: https://github.com/Mic92/bird-dn42
howto/Bird2.md
... ...
@@ -19,7 +19,7 @@ When copying the configuration below onto your system, you will have to enter th
19 19
* The same goes for `<OWNNETv6>`, but it takes an IPv6 subnet (Who'd have thought).
20 20
* Keep in mind that you'll have to enter both networks in the OWNNET{,v6} and OWNNETSET{,v6}, the two variables are required due to set parsing difficulties with variables.
21 21
22
-````
22
+```
23 23
################################################
24 24
# Variable header #
25 25
################################################
... ...
@@ -165,7 +165,7 @@ template bgp dnpeers {
165 165
166 166
167 167
include "/etc/bird/peers/*";
168
-````
168
+```
169 169
170 170
# Route Origin Authorization
171 171
... ...
@@ -177,15 +177,15 @@ Please note: This section assumes that you've already got a tunnel to your peeri
177 177
178 178
First, make sure the /etc/bird/peers directory exists:
179 179
180
-````
180
+```
181 181
# mkdir -p /etc/bird/peers
182
-````
182
+```
183 183
184 184
Then for each peer, create a configuration file similar to this one:
185 185
186 186
`/etc/bird/peers/<NEIGHBOR_NAME>.conf`:
187 187
188
-````
188
+```
189 189
protocol bgp <NEIGHBOR_NAME> from dnpeers {
190 190
neighbor <NEIGHBOR_IP> as <NEIGHBOR_ASN>;
191 191
}
... ...
@@ -193,6 +193,6 @@ protocol bgp <NEIGHBOR_NAME> from dnpeers {
193 193
protocol bgp <NEIGHBOR_NAME>_v6 from dnpeers {
194 194
neighbor <NEIGHBOR_IPv6>%<NEIGHBOR_INTERFACE> as <NEIGHBOR_ASN>;
195 195
}
196
-````
196
+```
197 197
198 198
Due to the special link local addresses of IPv6, an interface has to be specified using the %<if> syntax if a link local address is used (Which is recommended)
... ...
\ No newline at end of file
howto/EMail.md
... ...
@@ -18,7 +18,7 @@ Running email in dn42 is not very complicated. Your SMTP daemon probably alread
18 18
~~Send an email to `test@evenet.dn42` to check if your mail setup is correct.~~ This host will reply using the following
19 19
sieve filter:
20 20
21
-````
21
+```
22 22
require ["regex", "variables", "vacation-seconds"];
23 23
if header :contains "To" ["test@evenet.dn42"] {
24 24
if header :matches "Subject" "*" {
... ...
@@ -26,7 +26,7 @@ if header :contains "To" ["test@evenet.dn42"] {
26 26
}
27 27
vacation :addresses ["test@evenet.dn42"] :seconds 60 :subject "Re: ${subject_was}" "Your dn42 email setup works!";
28 28
}
29
-````
29
+```
30 30
31 31
## Exim tips
32 32
... ...
@@ -65,25 +65,25 @@ This should to the trick for sending mails via your DN42-IP
65 65
If you use `smtpd_recipient_restrictions` you can use the following rule to white-list dn42 as sender.
66 66
This can circumvent certain rdns configuration failure or in case you use rbl lists:
67 67
68
-````
68
+```
69 69
smtpd_recipient_restrictions = permit_mynetworks,
70 70
permit_sasl_authenticated,
71 71
check_client_access cidr:/etc/postfix/dn42.cidr,
72 72
reject_non_fqdn_sender,
73 73
# ...
74 74
permit
75
-````
75
+```
76 76
77
-````
77
+```
78 78
#/etc/postfix/dn42.cidr
79 79
172.16.0.0/12 OK
80 80
10.0.0.0/8 OK
81 81
fc00::/7 OK
82
-````
82
+```
83 83
84
-````
84
+```
85 85
$ postmap /etc/postfix/dn42.cidr
86
-````
86
+```
87 87
88 88
89 89
### Receiving emails
howto/EdgeOS-Config-Example.md
... ...
@@ -12,7 +12,7 @@ This is the config I (Felicitus) am running on an Ubiquiti EdgeRouter Lite (AS76
12 12
13 13
## Upcoming
14 14
15
-* AICCU integration (SIXXS), probably not possible with the config, so ````apt-get install aiccu```` should do the trick
15
+* AICCU integration (SIXXS), probably not possible with the config, so ```apt-get install aiccu``` should do the trick
16 16
* dn42 IPv6 routing (probably)
17 17
18 18
Ask me if you want to know if I have implemented those items already.
... ...
@@ -20,7 +20,7 @@ Ask me if you want to know if I have implemented those items already.
20 20
21 21
# Configuration
22 22
23
-````
23
+```
24 24
firewall {
25 25
all-ping enable
26 26
broadcast-ping disable
... ...
@@ -376,4 +376,4 @@ traffic-policy {
376 376
/* Warning: Do not remove the following line. */
377 377
/* === vyatta-config-version: "config-management@1:dhcp-relay@1:dhcp-server@4:firewall@4:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
378 378
/* Release version: v1.3.0.4605130.131011.1754 */
379
-````
... ...
\ No newline at end of file
0
+```
... ...
\ No newline at end of file
howto/GRE-on-FreeBSD.md
... ...
@@ -10,18 +10,18 @@ This page describes how to configure GRE tunnels on FreeBSD.
10 10
11 11
## Create a temporary gre tunnel
12 12
13
-````bash
13
+```bash
14 14
ifconfig gre$INDEX create
15 15
ifconfig gre$INDEX tunnel $TUNNEL_SRC $TUNNEL_DST
16 16
ifconfig gre$INDEX inet $LOCAL $REMOTE netmask 0xffffffff
17 17
ifconfig gre$INDEX descr $DESCR
18
-````
18
+```
19 19
20 20
## Create a persistent gre tunnel
21 21
22 22
Add this to your `rc.conf`.
23 23
24
-````
24
+```
25 25
cloned_interfaces="$cloned_interfaces gre0"
26 26
ifconfig_gre0="10.0.0.1 10.0.0.2 netmask 0xffffffff tunnel 1.2.3.4 5.6.7.8 descr foo"
27
-````
27
+```
howto/GRE-on-OpenBSD.md
... ...
@@ -9,10 +9,10 @@ Let `fd42::` and `fd42::1` be the IPs of *A* and *D* respectively where both are
9 9
10 10
## pseudo interface
11 11
Populate [`/etc/hostname.gre0`](https://man.openbsd.org/hostname.if.5) with:
12
-````
12
+```
13 13
tunnel A.example.com D.example.net
14 14
inet6 fd42::/127
15
-````
15
+```
16 16
This will resolve FQDNs at parse time, set *A*'s and *D*'s IPs as source and destination tunnel address and set *A*'s assigned IP as point-to-point address on the interface.
17 17
18 18
Replace hostnames in the `tunnel` line with literal IPs if DNS is not available (at system boot).
... ...
@@ -21,14 +21,14 @@ Reboot or run [`sh /etc/netstart gre0`](https://man.openbsd.org/netstart.8) to b
21 21
22 22
## miscellaneous
23 23
Populate `/etc/sysctl.conf` with:
24
-````
24
+```
25 25
net.inet.gre.allow=1
26
-````
26
+```
27 27
Reboot or run `sysctl net.inet.gre.allow=1` to allow GRE packet processing.
28 28
29 29
-
30 30
At this point, `gre0` will be administratively *UP*:
31
-````
31
+```
32 32
$ ifconfig gre0
33 33
gre0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1476
34 34
index 22 priority 0 llprio 6
... ...
@@ -37,10 +37,10 @@ gre0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1476
37 37
tunnel: inet6 2001:db8::a --> 2001:db9::d ttl 64 nodf ecn
38 38
inet6 fe80::221:28ff:fef9:c1d8%gre0 --> prefixlen 64 scopeid 0x16
39 39
inet6 fd42:: --> prefixlen 127
40
-````
40
+```
41 41
42 42
All traffic destined to `fd42::1/127` will be encapsulated and routed to *D*:
43
-````
43
+```
44 44
$ route show
45 45
[...]
46 46
Internet6:
... ...
@@ -53,8 +53,8 @@ fe80::221:28ff:fef9:c1d8%gre0 fe80::221:28ff:fef9:c1d8%gre0 UHl 0
53 53
ff01::%gre0/32 fe80::221:28ff:fef9:c1d8%gre0 Um 0 1 - 4 gre0
54 54
ff02::%gre0/32 fe80::221:28ff:fef9:c1d8%gre0 Um 0 1 - 4 gre0
55 55
[...]
56
-````
57
-````
56
+```
57
+```
58 58
$ route -n get fd42::1
59 59
route to: fd42::1
60 60
destination: fd42::1
... ...
@@ -65,7 +65,7 @@ destination: fd42::1
65 65
flags: <UP,HOST,DONE,CLONED>
66 66
use mtu expire
67 67
3181 0 0
68
-````
68
+```
69 69
70 70
# Security
71 71
GRE may be protected with IPsec to encrypt and authenticate traffic, [OpenIKED](http://www.openiked.org/) can be used to establish an IKEv2 session between *A* and *D*.
... ...
\ No newline at end of file
howto/Getting-Started.md
... ...
@@ -65,14 +65,14 @@ Common authentication methods are:
65 65
- SSH Key: `auth: ssh-{rsa,ed25519} <key>`
66 66
67 67
Example: data/mntner/FOO-MNT
68
-````
68
+```
69 69
mntner: FOO-MNT
70 70
admin-c: FOO-DN42
71 71
tech-c: FOO-DN42
72 72
mnt-by: FOO-MNT
73 73
auth: pgp-fingerprint 0123456789ABCDEF0123456789ABCDEF01234567
74 74
source: DN42
75
-````
75
+```
76 76
77 77
### Create person objects
78 78
... ...
@@ -91,13 +91,13 @@ Contact attributes are optional but DN42 is a dynamic network and being able to
91 91
92 92
93 93
Example: data/person/FOO-DN42
94
-````
94
+```
95 95
person: John Doe
96 96
e-mail: john.doe@example.com
97 97
nic-hdl: FOO-DN42
98 98
mnt-by: FOO-MNT
99 99
source: DN42
100
-````
100
+```
101 101
102 102
---
103 103
... ...
@@ -114,14 +114,14 @@ If you intend to register resources for an organisation (e.g. your hackerspace),
114 114
- don't forget to set `mnt-by` to `<FOO>-MNT`, since you're managing this object on behalf of your organisation.
115 115
116 116
Example: data/organisation/ORG-EXAMPLE
117
-````
117
+```
118 118
organisation: ORG-FOO
119 119
org-name: Foo Organisation
120 120
admin-c: FOO-DN42
121 121
tech-c: FOO-DN42
122 122
mnt-by: FOO-MNT
123 123
source: DN42
124
-````
124
+```
125 125
126 126
### Guidelines for resource objects
127 127
... ...
@@ -151,14 +151,14 @@ Internet ASNs may be used, but you must take care to clearly separate Internet a
151 151
If unsure, ask on the mailing list or IRC.
152 152
153 153
Example: data/aut-num/AS4242423999
154
-````
154
+```
155 155
aut-num: AS4242423999
156 156
as-name: AS-FOO-DN42
157 157
admin-c: FOO-DN42
158 158
tech-c: FOO-DN42
159 159
mnt-by: FOO-MNT
160 160
source: DN42
161
-````
161
+```
162 162
163 163
### Register a network prefix
164 164
... ...
@@ -177,7 +177,7 @@ A few websites can generate random ULA prefixes for you:
177 177
or a small script is available: [ulagen.py](https://git.dn42.dev/netravnen/dn42-repo-utils/src/master/ulagen.py)
178 178
179 179
example: data/inet6num/fd35:4992:6a6d::_48
180
-````
180
+```
181 181
inet6num: fd35:4992:6a6d:0000:0000:0000:0000:0000 - fd35:4992:6a6d:ffff:ffff:ffff:ffff:ffff
182 182
cidr: fd35:4992:6a6d::/48
183 183
netname: FOO-NETWORK
... ...
@@ -188,7 +188,7 @@ tech-c: FOO-DN42
188 188
mnt-by: FOO-MNT
189 189
status: ASSIGNED
190 190
source: DN42
191
-````
191
+```
192 192
193 193
#### IPv4 (Legacy)
194 194
... ...
@@ -219,7 +219,7 @@ If you need a /24 or larger, please ask in the IRC chan or on the mailing list a
219 219
**Note:** Reverse DNS works with _any_ prefix length, as long as your [recursive nameserver](/services/DNS) supports [RFC 2317](https://www.ietf.org/rfc/rfc2317.txt). Don't go for a /24 _just to have RDNS_.
220 220
221 221
example: data/inetnum/172.20.150.0_27
222
-````
222
+```
223 223
inetnum: 172.20.150.0 - 172.20.150.31
224 224
cidr: 172.20.150.0/27
225 225
netname: FOO-NETWORK
... ...
@@ -228,28 +228,28 @@ tech-c: FOO-DN42
228 228
mnt-by: FOO-MNT
229 229
status: ASSIGNED
230 230
source: DN42
231
-````
231
+```
232 232
233 233
#### Create route objects
234 234
235 235
If you plan to announce your prefixes in dn42, which you probably want in most cases, you will also need to create a `route6` object for ipv6 prefixes and a `route` object for ipv4 prefixes. This information is used for Route Origin Authorization (ROA) checks. If you skip this step, your network will probably get filtered by most major peers. Checking ROA will prevent (accidental) hijacking of other people's prefixes.
236 236
237 237
example: data/route6/fd35:4992:6a6d::_48
238
-````
238
+```
239 239
route6: fd35:4992:6a6d::/48
240 240
origin: AS4242423999
241 241
max-length: 48
242 242
mnt-by: FOO-MNT
243 243
source: DN42
244
-````
244
+```
245 245
246 246
example data/route/172.20.150.0_27:
247
-````
247
+```
248 248
route: 172.20.150.0/27
249 249
origin: AS4242423999
250 250
mnt-by: FOO-MNT
251 251
source: DN42
252
-````
252
+```
253 253
254 254
#### DNS and Domain Registration
255 255
... ...
@@ -258,7 +258,7 @@ To register a domain name, create a `dns` object in the data/dns directory.
258 258
Domain names and nserver attributes must be lowercase.
259 259
260 260
example: data/dns/foo.dn42
261
-````
261
+```
262 262
domain: foo.dn42
263 263
admin-c: FOO-DN42
264 264
tech-c: FOO-DN42
... ...
@@ -268,17 +268,17 @@ nserver: ns1.foo.dn42 fd35:4992:6a6d:53::1
268 268
nserver: ns2.foo.dn42 172.20.150.2
269 269
nserver: ns2.foo.dn42 fd35:4992:6a6d:53::2
270 270
source: DN42
271
-````
271
+```
272 272
273 273
You can also add DNSSEC delegations using `ds-rdata` attributes to your domain:
274 274
275
-````
275
+```
276 276
ds-rdata: 61857 13 2 bd35e3efe3325d2029fb652e01604a48b677cc2f44226eeabee54b456c67680c
277
-````
277
+```
278 278
279 279
For reverse DNS, add `nserver` attributes to you inet{,6}num objects:
280 280
281
-````
281
+```
282 282
inet6num: fd35:4992:6a6d:0000:0000:0000:0000:0000 - fd35:4992:6a6d:ffff:ffff:ffff:ffff:ffff
283 283
cidr: fd35:4992:6a6d::/48
284 284
netname: FOO-NETWORK
... ...
@@ -291,7 +291,7 @@ status: ASSIGNED
291 291
nserver: ns1.foo.dn42
292 292
nserver: ns2.foo.dn42
293 293
source: DN42
294
-````
294
+```
295 295
296 296
# Get some peers
297 297
howto/IPsec-on-FreeBSD.md
... ...
@@ -10,17 +10,17 @@ These instructions are for IPsec in transport mode not IPsec in tunnel mode. IPs
10 10
## Kernel configuration
11 11
The FreeBSD GENERIC kernel lacks support for in-kernel IPsec processing. Add this two lines to your kernel config and (re-)build your own kernel.
12 12
If you're new to FreeBSD check Chapters [15.9.1](http://www.freebsd.org/doc/handbook/ipsec.html) and [9](http://www.freebsd.org/doc/handbook/kernelconfig.html) of the FreeBSD handbook.
13
-````
13
+```
14 14
options IPSEC #IP security
15 15
device crypto
16
-````
16
+```
17 17
Reboot into your new kernel.
18 18
19 19
## Userland configuration
20 20
21 21
Install the racoon daemon. It's included in the [security/ipsec-tools](http://www.freshports.org/security/ipsec-tools/) port.
22 22
Racoon is pain in the ass to configure the first time because it's error messages aren't helping and the complexity of IPsec. Don't let this stop you.
23
-````
23
+```
24 24
path pre_shared_key "/usr/local/etc/racoon/psk";
25 25
path certificate "/usr/local/etc/racoon/certs";
26 26
log info;
... ...
@@ -69,4 +69,4 @@ sainfo (address a.b.c.d gre address b.c.d.e gre) {
69 69
authentication_algorithm hmac_sha1;
70 70
}
71 71
72
-````
... ...
\ No newline at end of file
0
+```
... ...
\ No newline at end of file
howto/IPsecWithPublicKeys/GRE-plus-IPsec-Debian.md
... ...
@@ -12,26 +12,26 @@
12 12
13 13
## Define an IPsec security policy
14 14
Example policy on 1.2.3.4:
15
-````bash
15
+```bash
16 16
#!/usr/sbin/setkey -f
17 17
spdadd 1.2.3.4 5.6.7.8 gre -P out ipsec esp/transport//require;
18 18
spdadd 5.6.7.8 1.2.3.4 gre -P in ipsec esp/transport//require;
19
-````
19
+```
20 20
Change the direction on 5.6.7.8.
21 21
22 22
## Load the IPsec security policy into the IPsec security policy database
23 23
Load the policy with the setkey command.
24
-````
24
+```
25 25
setkey -f /etc/ipsec-tools.conf
26
-````
26
+```
27 27
Afterward check the policy database with:
28
-````
28
+```
29 29
setkey -DP
30
-````
30
+```
31 31
32 32
## Configure the racoon daemon
33 33
An example /etc/racoon/racoon.conf.
34
-````
34
+```
35 35
path pre_shared_key "/etc/racoon/psk.txt";
36 36
path certificate "/etc/racoon/certs";
37 37
log info;
... ...
@@ -72,11 +72,11 @@ sainfo address 1.2.3.4 47 address 5.6.7.8 47 {
72 72
authentication_algorithm hmac_sha1;
73 73
compression_algorithm deflate;
74 74
}
75
-````
75
+```
76 76
77 77
## Configure a GRE tunnel
78 78
Add this to /etc/network/interfaces:
79
-````
79
+```
80 80
auto gre1
81 81
iface gre1 inet tunnel
82 82
mode gre
... ...
@@ -86,4 +86,4 @@ iface gre1 inet tunnel
86 86
endpoint 5.6.7.8
87 87
local 1.2.3.4
88 88
ttl 255
89
-````
89
+```
howto/IPsecWithPublicKeys/RacoonExample.md
... ...
@@ -4,7 +4,7 @@ See also [strongswan](howto/IPsecWithPublicKeys/strongSwan5Example)
4 4
5 5
The keys are generated with plainrsa-gen.
6 6
7
-````
7
+```
8 8
Usage: plainrsa-gen [options]
9 9
10 10
-b bits Generate <bits> long RSA key (default=1024)
... ...
@@ -12,12 +12,12 @@ Usage: plainrsa-gen [options]
12 12
-f filename Filename to store the key to (default=stdout)
13 13
-i filename Input source for format conversion
14 14
-h Help
15
-````
15
+```
16 16
I'd probably go with 4096 bits.
17 17
18 18
19 19
in your racoon.conf:
20
-````
20
+```
21 21
path certificate "/etc/racoon/keys";
22 22
23 23
listen {
... ...
@@ -36,7 +36,7 @@ remote 192.168.255.2 {
36 36
dh_group modp1024;
37 37
}
38 38
}
39
-````
39
+```
40 40
41 41
## Se also
42 42
howto/IPv6-Multicast.md
... ...
@@ -5,14 +5,14 @@ The following guide illustrates how to set up an IPv6 multicast router using [PI
5 5
## Quickstart
6 6
7 7
* Install pim6sd from here: https://github.com/troglobit/pim6sd/
8
- ````sh
8
+ ```sh
9 9
cd /usr/src
10 10
git clone https://github.com/troglobit/pim6sd.git
11 11
cd pim6sd
12 12
./autogen.sh
13 13
./configure
14 14
make
15
- ````
15
+ ```
16 16
* Find a peer who is already connected to the dn42 multicast backbone
17 17
* Calculate your personal, embedded-RP multicast prefix matching your network prefix via [RFC3956](https://tools.ietf.org/html/rfc3956)
18 18
* Example:
... ...
@@ -26,7 +26,7 @@ The following guide illustrates how to set up an IPv6 multicast router using [PI
26 26
27 27
* Create a dummy interface to hold your calculated unicast Rendezvous Point address. This one needs to be reachable from within dn42. Also set "multicast on" on this dummy interface. Example:
28 28
29
- ````
29
+ ```
30 30
# /etc/network/interfaces.d/pim6sd
31 31
auto pim-router-id
32 32
iface pim-router-id inet manual
... ...
@@ -34,11 +34,11 @@ The following guide illustrates how to set up an IPv6 multicast router using [PI
34 34
post-up ip link set multicast on dev $IFACE
35 35
post-up ip -6 a a fd00:2001:db8::2/128 dev $IFACE
36 36
post-down ip link del $IFACE
37
- ````
37
+ ```
38 38
39 39
* Create the configuration file:
40 40
41
- ````sh
41
+ ```sh
42 42
# /etc/pim6sd.conf
43 43
# disable all interfaces by default
44 44
default_phyint_status disable;
... ...
@@ -52,7 +52,7 @@ The following guide illustrates how to set up an IPv6 multicast router using [PI
52 52
# configure rendezvous point for the personal multicast prefix
53 53
cand_rp pim-router-id;
54 54
group_prefix ff7e:230:fd00:2001:db8::/96;
55
- ````
55
+ ```
56 56
57 57
The `phyint` statement enables [PIM](https://tools.ietf.org/html/rfc7761) and [MLD](https://tools.ietf.org/html/rfc2710) on the target interface - by default all interfaces are in the disable state. Enable an interface if it is directed towards a multicast-capable peer or other multicast-capable routers in your autonomous system. Also enable it for downstream network segments with multicast listeners and senders, like for example your home (W)LAN segments.
58 58
... ...
@@ -66,7 +66,7 @@ The following guide illustrates how to set up an IPv6 multicast router using [PI
66 66
67 67
On your router:
68 68
69
-````sh
69
+```sh
70 70
allow-hotplug pim-ns0
71 71
iface pim-ns0 inet manual
72 72
pre-up ip link add pim-ns0 type veth peer name pim-ns1
... ...
@@ -78,24 +78,24 @@ iface pim-ns0 inet manual
78 78
post-up ip netns exec pim-ns0 ip -6 r a default via fdd5:69d5:c530:1::1
79 79
post-down ip link del pim-ns0
80 80
post-down ip netns del pim-ns0
81
-````
81
+```
82 82
83 83
You can now switch into this test network namespace via "ip netns exec /bin/bash". Inside this network namespace you can try:
84 84
85 85
### Creating a test multicast listener
86 86
87
-````
87
+```
88 88
$ socat -u UDP6-RECV:1234,reuseaddr,ipv6-join-group="[ff7e:230:fdd5:69d5:c530::123]:eth0" -
89
-````
89
+```
90 90
91 91
### Creating a test multicast sender
92 92
93 93
First select which interface should be the default one for your multicast traffic. Then send multicast packets via ICMPv6:
94 94
95
-````
95
+```
96 96
$ ip -6 route add ff7e:230:fdd5:69d5:c530::/96 dev eth0 table local
97 97
$ ping6 -t 16 ff7e:230:fdd5:69d5:c530::123
98
-````
98
+```
99 99
100 100
The "-t 16", a hop-limit of 16, is important here as **by default all multicast traffic is usually send with a hop-limit of just 1**.
101 101
howto/IPv6.md
... ...
@@ -65,10 +65,10 @@ Enter NPT. Address your services using a reserved private block, and map that bl
65 65
For example, if you've been assigned a public /48 prefix, and want to be reachable on DN42 aswell, you can use only ULA addresses from DN42 internally (or your own!), then map them to outside prefixes. Note that they'll need to all use the same prefix size to maintain the one-to-one mapping, so you may have to subnet the public prefix.
66 66
67 67
In Linux's netfilter, this can be implemented through the use of the NETMAP target, for the example above:
68
-````
68
+```
69 69
ip6tables -t nat -A POSTROUTING -d 2000::/3 -s <DN42-PREFIX>:<SUBNET>::/56 -j NETMAP --to <PUBLIC-PREFIX>:<SUBNET>::/56; # Map ULA to the public prefix for outgoing packets
70 70
ip6tables -t nat -A PREROUTING -s 2000::/3 -d <PUBLIC-PREFIX>:<SUBNET>::/56 -j NETMAP --to <DN42-PREFIX>:<SUBNET>::/56; # Map public prefix to ULA for incoming packets
71
-````
71
+```
72 72
73 73
74 74
### With Multiple Prefixes
howto/Munin.md
... ...
@@ -1,7 +1,7 @@
1 1
## Number of routes by AS
2 2
3 3
IPv4:
4
-````bash
4
+```bash
5 5
#!/bin/bash
6 6
if [ "$1" = "config" ];then
7 7
echo graph_title Number of routes
... ...
@@ -14,10 +14,10 @@ if [ "$1" = "config" ];then
14 14
else
15 15
ip r|sed 's/.* dev //;s/ .*//'|sort|uniq -c|grep as|awk '{print $2".value "$1}'
16 16
fi
17
-````
17
+```
18 18
19 19
IPv6:
20
-````bash
20
+```bash
21 21
#!/bin/bash
22 22
if [ "$1" = "config" ];then
23 23
echo graph_title Number of routes
... ...
@@ -30,7 +30,7 @@ if [ "$1" = "config" ];then
30 30
else
31 31
ip -6 r|sed 's/.* dev //;s/ .*//'|sort|uniq -c|grep as|awk '{print $2".value "$1}'
32 32
fi
33
-````
33
+```
34 34
(hint: The difference just the -6 on the ip command)
35 35
36 36
## Graph routes and activity for every neighbour
... ...
@@ -39,19 +39,19 @@ This munin-plugin makes it very easy to graph the announced routes and activity
39 39
https://github.com/luben/bird-multigraph-plugin
40 40
41 41
It's also possible to get notified by Munin when a problem with the peering persists. You have to define a critical value in line 138:
42
-````
42
+```
43 43
imported.critical 1:
44
-````
44
+```
45 45
This will send execute the command (set in munin-node.conf) to alert you, if the imported route count falls under 1.
46 46
47 47
You might also want to change line 125 from
48
-````
48
+```
49 49
graph_title $proto->{title} routes
50
-````
50
+```
51 51
to
52
-````
52
+```
53 53
graph_title $name routes
54
-````
54
+```
55 55
56 56
Example installation:
57 57
http://stats.tbspace.de/munin-cgi/munin-cgi-graph/tbspace.de/server.tbspace.de/dn42_crest_routes-day.png
... ...
\ No newline at end of file
howto/OpenBGPD.md
... ...
@@ -16,7 +16,7 @@ By default, [bgpd(8)](http://man.openbsd.org/bgpd.8) listens on all local addres
16 16
17 17
## local host
18 18
Information such as ASN, router ID and allocated networks are required:
19
-````
19
+```
20 20
# macros
21 21
ASN="4242421234"
22 22
... ...
@@ -27,21 +27,21 @@ router-id 1.2.3.4
27 27
prefix-set mynetworks {
28 28
fd00:12:34::/48
29 29
}
30
-````
30
+```
31 31
32 32
These can be used in subsequent filter rules.
33 33
The local peer's announcements is then defined as follows:
34
-````
34
+```
35 35
# Generate routes for the networks our ASN will originate.
36 36
# The communities (read 'tags') are later used to match on what
37 37
# is announced to EBGP neighbors
38 38
network prefix-set mynetworks set large-community $ASN:1:1
39
-````
39
+```
40 40
41 41
## neighbors
42 42
For each neighbor its ASN and transfer ULA is required.
43 43
An optional description is provided such that [bgpctl(8)](http://man.openbsd.org/bgpctl.8) for example can be used with mnemonic names instead of AS numbers:
44
-````
44
+```
45 45
# peer A, transport over IPSec/GRE
46 46
$A_local="fd00:12:34:A::1"
47 47
$A_remote="fd00:12:34:A::2"
... ...
@@ -53,7 +53,7 @@ neighbor $A_remote {
53 53
remote-as $A_ASN
54 54
descr "A"
55 55
}
56
-````
56
+```
57 57
58 58
## filter rules
59 59
**bgpd** blocks all BGP __UPDATE__ messages by default.
... ...
@@ -61,35 +61,35 @@ The filter rules are evaluated in sequential order, form first to last.
61 61
The last matching allow or deny rule decides what action is taken.
62 62
63 63
Start off with basic protection and sanity rules:
64
-````
64
+```
65 65
# deny more-specifics of our own originated prefixes
66 66
deny quick from ebgp prefix-set mynetworks or-longer
67 67
68 68
# filter out too long paths, establish more peerings instead
69 69
deny quick from any max-as-len 8
70
-````
70
+```
71 71
72 72
`quick` rules are considered the last matching rule, and evaluation of subsequent rules is skipped.
73 73
74 74
Allow own announcements:
75
-````
75
+```
76 76
# Outbound EBGP: only allow self originated networks to ebgp peers
77 77
# Don't leak any routes from upstream or peering sessions. This is done
78 78
# by checking for routes that are tagged with the large-community $ASN:1:1
79 79
allow to ebgp prefix-set kn large-community $ASN:1:1
80
-````
80
+```
81 81
82 82
Allow all remaining UPDATES based on **O**rigin **V**alidation **S**tates:
83
-````
83
+```
84 84
# enforce ROA
85 85
allow from ebgp ovs valid
86
-````
86
+```
87 87
88 88
Note how the `ovs` filter requires the `roa-set {...}` to be defined; see the `ROA` section below.
89 89
90 90
### path attributes
91 91
Besides `allow` and `deny` statements, filter rules can modify UPDATE messages, e.g.
92
-````
92
+```
93 93
# Scrub normal and large communities relevant to our ASN from EBGP neighbors
94 94
# https://tools.ietf.org/html/rfc7454#section-11
95 95
match from ebgp set { large-community delete $ASN:*:* }
... ...
@@ -97,7 +97,7 @@ match from ebgp set { large-community delete $ASN:*:* }
97 97
# Honor requests to gracefully shutdown BGP sessions
98 98
# https://tools.ietf.org/html/rfc8326
99 99
match from any community GRACEFUL_SHUTDOWN set { localpref 0 }
100
-````
100
+```
101 101
102 102
# ROA
103 103
... ...
@@ -114,19 +114,19 @@ ROA files generated by [dn42regsrv](https://git.dn42.dev/burble/dn42regsrv) are
114 114
|[https://dn42.burble.com/roa/dn42_roa_obgpd_6.conf](https://dn42.burble.com/roa/dn42_roa_obgpd_6.conf) &nbsp; | &nbsp;IPv6 Only&nbsp; |
115 115
116 116
`/etc/dn42.roa-set` is the generated set:
117
-````
117
+```
118 118
roa-set {
119 119
fd00:12:34::/48 source-as 4242421234
120 120
fd00:ab:cd::/44 maxlen 64 source-as 4242427890
121 121
...
122 122
}
123
-````
123
+```
124 124
125 125
Include it in `/etc/bgpd.conf`:
126
-````
126
+```
127 127
# defines roat-set, see _rpki-client crontab
128 128
include "/etc/dn42.roa-set"
129
-````
129
+```
130 130
131 131
# Looking glass
132 132
This is mostly OpenBSD specific since [bgplg(8)](http://man.openbsd.org/bgplg.8) and [httpd(8)](http://man.openbsd.org/httpd.8) ship as part of the operating system.
howto/Quagga.md
... ...
@@ -98,7 +98,7 @@ Apply a prefix list for incoming prefixes to your peer group:
98 98
ipv6 prefix-list vpn-in seq 15 deny any
99 99
100 100
#### Example filter list script
101
-````
101
+```
102 102
#!/bin/bash
103 103
104 104
vtysh -c 'conf t' -c "no ip prefix-list dn42"; #drop old prefix list
... ...
@@ -109,7 +109,7 @@ do
109 109
done < <(curl -s https://ca.dn42.us/reg/filter.txt | grep -e ^[0-9] | awk '{ print "ip prefix-list dn42 seq " $1 " " $2 " " $3 " ge " $4 " le " $5}' | sed "s_/\([0-9]\+\) ge \1_/\1_g;s_/\([0-9]\+\) le \1_/\1_g");
110 110
vtysh -c "wr" #write new prefix list
111 111
112
-````
112
+```
113 113
114 114
## show bpg session status
115 115
... ...
@@ -118,7 +118,7 @@ in this example:
118 118
* no (vpn) connection at all exists with peer 64692
119 119
* a (vpn) connection with 4242421375 exists, but no bgp session
120 120
121
-````
121
+```
122 122
vtysh> show ip bgp summary
123 123
BGP router identifier 172.22.100.254, local AS number 64698
124 124
RIB entries 938, using 103 KiB of memory
... ...
@@ -132,4 +132,4 @@ Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
132 132
....
133 133
172.23.64.1 4 4242421375 0 0 0 0 0 never Active
134 134
fe80::deca:fbad 4 64699 902 694 0 0 0 01:23:57 486
135
-````
... ...
\ No newline at end of file
0
+```
... ...
\ No newline at end of file
howto/Registry-Authentication.md
... ...
@@ -19,13 +19,13 @@ The signature and verification process varies depending on the type of public ke
19 19
#### Finding the commit hash
20 20
21 21
`git log` will list all the recent commits and show the commit hash:
22
-````
22
+```
23 23
commit 6e2e9ac540e2e4e3c3a135ad90c8575bb8fa1784 (HEAD -> master)
24 24
Author: foo <foo@baz.com>
25 25
Date: Mon Jan 01 01:01:01 2020 +0000
26 26
27 27
Change some stuff
28
-````
28
+```
29 29
30 30
## Authentication with PGP Key
31 31
... ...
@@ -34,9 +34,9 @@ PGP keys may be uploaded to a public keyserver for verification, or added in the
34 34
#### Using a public keyserver
35 35
36 36
- Use the following `auth` attribute in your `mntner` object:
37
-````
37
+```
38 38
auth: pgp-fingerprint <fingerprint>
39
-````
39
+```
40 40
Where `<fingerprint>` is your full 40-digit key fingerprint, without spaces.
41 41
42 42
- Ensure that your public key has been uploaded to a public keyserver, e.g. [SKS](https://sks-keyservers.net/), [OpenPGP](https://keys.openpgp.org/), [keybase](https://keybase.io/).
... ...
@@ -44,9 +44,9 @@ Where `<fingerprint>` is your full 40-digit key fingerprint, without spaces.
44 44
#### Adding to the registry
45 45
46 46
- Use the following `auth` attribute in your `mntner` object:
47
-````
47
+```
48 48
auth: PGPKEY-<fprint>
49
-````
49
+```
50 50
Where `<fprint>` is the last 8 digits from your key fingerprint.
51 51
52 52
- Create a `key-cert` object for your public key, using `PGPKEY-<fprint>` for the filename. Do browse the registry and check the existing objects for examples.
... ...
@@ -56,9 +56,9 @@ Where `<fprint>` is the last 8 digits from your key fingerprint.
56 56
- Use `git commit -S` to commit and sign your change. See the [github guide](https://help.github.com/en/github/authenticating-to-github/signing-commits).
57 57
58 58
- If you have already committed your change, you can sign it using.
59
-````
59
+```
60 60
git commit --amend --no-edit -S
61
-````
61
+```
62 62
63 63
#### Verifying the signature
64 64
... ...
@@ -67,9 +67,9 @@ git commit --amend --no-edit -S
67 67
## Authentication using an SSH key
68 68
69 69
The generic format for authentication using an SSH key is as follows:
70
-````
70
+```
71 71
auth: ssh-<keytype> <pubkey>
72
-````
72
+```
73 73
There are examples below for each specific key type.
74 74
75 75
#### Generic process for signing with an SSH key
... ...
@@ -77,9 +77,9 @@ There are examples below for each specific key type.
77 77
OpenSSH v8 introduced new functionality for creating signatures using SSH keys. If you have an older version, you can compile the latest version of ssh-keygen from the [openssh-portable repo](https://github.com/openssh/openssh-portable).
78 78
79 79
Use the following to sign the latest `<commit hash>` (that you found using `git log`)
80
-````sh
80
+```sh
81 81
echo "<commit hash>" | ssh-keygen -Y sign -f <private key file> -n dn42
82
-````
82
+```
83 83
84 84
Post the signature in to the 'Conversation' section of your pull request to allow the registry maintainers to verify it. It can help to also include the commit hash that you have signed, to avoid any confusion.
85 85
... ...
@@ -88,25 +88,25 @@ Post the signature in to the 'Conversation' section of your pull request to allo
88 88
The following procedure will verify the signature (using the `<commit hash>`, your `<pubkey>` and the `<signature>` generated in the previous step.
89 89
90 90
Create a temporary file containing the signature
91
-````sh
91
+```sh
92 92
echo "<signature>" > sig.tmp
93
-````
93
+```
94 94
Create a temporary 'allowed users' file
95
-````sh
95
+```sh
96 96
echo "YOU-MNT ssh-<keytype> <pubkey>" > allowed.tmp
97
-````
97
+```
98 98
Verify the signature
99
-````sh
99
+```sh
100 100
echo "<commit hash>" | \
101 101
ssh-keygen -Y verify -f allowed.tmp -n dn42 -I YOU-MNT -s sig.tmp
102
-````
102
+```
103 103
104 104
### Authentication with an SSH RSA key
105 105
106 106
- Use the following `auth` attribute in your `mntner` object:
107
-````
107
+```
108 108
auth: ssh-rsa <pubkey>
109
-````
109
+```
110 110
Where `<pubkey>` is the ssh public key copied from your id_rsa.pub file.
111 111
112 112
#### Signing your commits
... ...
@@ -114,19 +114,19 @@ Where `<pubkey>` is the ssh public key copied from your id_rsa.pub file.
114 114
If you cannot use the generic SSH process described above then RSA signatures can also be created using openssl.
115 115
116 116
Use the following to sign your `<commit hash>` (that you found using `git log`)
117
-````sh
117
+```sh
118 118
openssl pkeyutl \
119 119
-sign \
120 120
-inkey ~/.ssh/id_rsa \
121 121
-in <(echo "<commit hash>") | base64
122
-````
122
+```
123 123
124 124
Post the signature in to the 'Conversation' section of your pull request to allow the registry maintainers to verify it. It can help to also include the commit hash that you have signed, to avoid any confusion.
125 125
126 126
#### Verifying the signature
127 127
128 128
The following script will verify the signature (using the `<commit hash>`, your rsa `<pubkey>` and the `<signature>` generated in the previous step.
129
-````sh
129
+```sh
130 130
openssl pkeyutl \
131 131
-verify \
132 132
-pubin \
... ...
@@ -137,14 +137,14 @@ openssl pkeyutl \
137 137
-f <(echo "ssh-rsa <pubkey>")\
138 138
) \
139 139
-sigfile <(echo "<signature>" | base64 -d)
140
-````
140
+```
141 141
142 142
### Authentication with an SSH ed25519 key
143 143
144 144
- Use the following `auth` attribute in your `mntner` object:
145
-````
145
+```
146 146
auth: ssh-ed25519 <pubkey>
147
-````
147
+```
148 148
Where `<pubkey>` is the ssh public key copied from your id_ed25519.pub file.
149 149
150 150
#### Signing your commits
... ...
@@ -152,9 +152,9 @@ Where `<pubkey>` is the ssh public key copied from your id_ed25519.pub file.
152 152
There is no alternative process for signing using ed25519 keys, you must use the generic process described above. The process only works with ssh-keygen versions >= v8.
153 153
154 154
Use the following to sign your `<commit hash>` (that you found using `git log`)
155
-````sh
155
+```sh
156 156
echo "<commit hash>" | ssh-keygen -Y sign -f ~/.ssh/id_ed25519 -n dn42
157
-````
157
+```
158 158
159 159
Post the signature in to the 'Conversation' section of your pull request to allow the registry maintainers to verify it. It can help to also include the commit hash that you have signed, to avoid any confusion.
160 160
... ...
@@ -163,25 +163,25 @@ Post the signature in to the 'Conversation' section of your pull request to allo
163 163
The following procedure will verify the signature (using the `<commit hash>`, your ed25519 `<pubkey>` and the `<signature>` generated in the previous step.
164 164
165 165
Create a temporary file containing the signature
166
-````sh
166
+```sh
167 167
echo "<signature>" > sig.tmp
168
-````
168
+```
169 169
Create a temporary 'allowed users' file
170
-````sh
170
+```sh
171 171
echo "YOU-MNT ssh-ed25519 <pubkey>" > allowed.tmp
172
-````
172
+```
173 173
Verify the signature
174
-````sh
174
+```sh
175 175
echo "<commit hash>" | \
176 176
ssh-keygen -Y verify -f allowed.tmp -n dn42 -I YOU-MNT -s sig.tmp
177
-````
177
+```
178 178
179 179
### Authentication with an SSH ecdsa key
180 180
181 181
- Use the following `auth` attribute in your `mntner` object:
182
-````
182
+```
183 183
auth: ecdsa-sha2-nistp256 <pubkey>
184
-````
184
+```
185 185
Where `<pubkey>` is the ssh public key copied from your id_ecdsa.pub file.
186 186
187 187
#### Signing your commits
... ...
@@ -193,23 +193,23 @@ Make a copy and use the copy as the ssh-keygen command below will overwrite the
193 193
194 194
Convert your private ssh key to a file that openssl can read:
195 195
**DO THIS ON A COPY OF YOUR SSH KEY**
196
-````sh
196
+```sh
197 197
ssh-keygen -p -m pem -f <private key file copy>
198
-````
198
+```
199 199
200 200
Sign the commit hash using your ecdsa key, using openssl:
201
-````sh
201
+```sh
202 202
openssl pkeyutl -sign \
203 203
-inkey <converted key file> \
204 204
-in <(echo "<commit hash>") | base64
205
-````
205
+```
206 206
207 207
Post the signature in to the 'Conversation' section of your pull request to allow the registry maintainers to verify it. It can help to also include the commit hash that you have signed, to avoid any confusion.
208 208
209 209
#### Verifying the signature
210 210
211 211
The following script will verify the signature (using the `<commit hash>`, your ecdsa `<pubkey>` and the `<signature>` generated in the previous step.
212
-````sh
212
+```sh
213 213
openssl pkeyutl \
214 214
-verify \
215 215
-pubin \
... ...
@@ -220,4 +220,4 @@ openssl pkeyutl \
220 220
-f <(echo "ecdsa-sha2-nistp256 <pubkey>")\
221 221
) \
222 222
-sigfile <(echo "<signature>" | base64 -d)
223
-````
223
+```
howto/Static-routes-on-Windows.md
... ...
@@ -1,6 +1,6 @@
1 1
Modern versions of Windows do not support OSPF and manually adding static routes every time after a reboot is annoying. Below is a batch script you can edit and run to help make adding routes easier. This script assumes that your BGP router and Windows computer are on the same LAN.
2 2
3
-````
3
+```
4 4
@echo off
5 5
REM fill in YOUR network information
6 6
REM right click and RUN AS ADMIN
... ...
@@ -60,4 +60,4 @@ ping %gateway4%
60 60
pause
61 61
ping %gateway6%
62 62
pause
63
-````
... ...
\ No newline at end of file
0
+```
... ...
\ No newline at end of file
howto/mikrotik.md
... ...
@@ -30,26 +30,26 @@ Peer most likely provided you with encryption details.
30 30
If not, ask them about it.
31 31
Here we're gonna use aes256-sha256-modp1536
32 32
33
-````
33
+```
34 34
/ip ipsec peer
35 35
add address=1.1.1.1 comment=gre-dn42-peer dh-group=modp1536 \
36 36
enc-algorithm=aes-256 hash-algorithm=sha256 local-address=2.2.2.2 secret=PASSWORD
37 37
38
-````
39
-````
38
+```
39
+```
40 40
/ip ipsec policy
41 41
add comment=gre-dn42-peer dst-address=1.1.1.1/32 proposal=dn42 protocol=gre \
42 42
sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=2.2.2.2/32
43
-````
43
+```
44 44
45 45
### GRE
46 46
Pretty straightforward here
47 47
48
-````
48
+```
49 49
/interface gre
50 50
add allow-fast-path=no comment="DN42 somepeer" local-address=2.2.2.2 name=gre-dn42-peer \
51 51
remote-address=1.1.1.1
52
-````
52
+```
53 53
54 54
### IPs inside the GRE tunnel
55 55
Your peer most likely provided you with IP adresses for GRE tunnel.
... ...
@@ -60,18 +60,18 @@ Add the IP your peer provided you:
60 60
61 61
#### IPv4
62 62
63
-````
63
+```
64 64
/ip address
65 65
add address=192.168.200.130/30 interface=gre-dn42-peer network=192.168.200.128
66
-````
66
+```
67 67
68 68
#### IPv6
69 69
Here we can use /127, so it's simple:
70 70
71
-````
71
+```
72 72
/ipv6 address
73 73
add address=fdc8:c633:5319:3300::41/127 advertise=no interface=gre-dn42-peer
74
-````
74
+```
75 75
76 76
If you configured everything correctly, you should be able to ping
77 77
... ...
@@ -83,74 +83,74 @@ In this example, we will be filtering IN: 192.168.0.0/16 and 169.254.0.0/16
83 83
OUT: 192.168.0.0/16 and 169.254.0.0/16, you really don't want to advertise this networks.
84 84
This filter will not only catch /8 or /16 networks, but smaller networks inside this subnets as well.
85 85
86
-````
86
+```
87 87
/routing filter
88 88
add action=discard address-family=ip chain=dn42-in prefix=192.168.0.0/16 prefix-length=16-32 protocol=bgp
89 89
add action=discard address-family=ip chain=dn42-in prefix=169.254.0.0/16 prefix-length=16-32 protocol=bgp
90 90
add action=discard address-family=ip chain=dn42-out prefix=192.168.0.0/16 prefix-length=16-32 protocol=bgp
91 91
add action=discard address-family=ip chain=dn42-out prefix=169.254.0.0/16 prefix-length=16-32 protocol=bgp
92
-````
92
+```
93 93
94 94
Now, if you want only DN42 connection, you can filter IN 10.0.0.0/8 (ChaosVPN / freifunk networks):
95 95
96
-````
96
+```
97 97
/routing filter
98 98
add action=discard address-family=ip chain=dn42-in prefix=10.0.0.0/8 prefix-length=8-32 protocol=bgp
99
-````
99
+```
100 100
101 101
### BGP
102 102
Now, for actual BGP configuration.
103 103
104
-````
104
+```
105 105
/routing bgp instance
106 106
set default disabled=yes
107 107
add as=YOUR_AS client-to-client-reflection=no name=bgp-dn42-somename out-filter=dn42-in \
108 108
router-id=1.1.1.1
109
-````
109
+```
110 110
Let's add some peers. Right now we have just one, but we still need two connections - to IPv4 and IPv6
111 111
112 112
IPv4:
113 113
114
-````
114
+```
115 115
/routing bgp peer
116 116
add comment="DN42: somepeer IPv4" in-filter=dn42-in instance=bgp-dn42-somename multihop=yes \
117 117
name=dn42-somepeer-ipv4 out-filter=dn42-out remote-address=192.168.200.129 remote-as=PEER_AS \
118 118
route-reflect=yes ttl=default
119
-````
119
+```
120 120
IPv6 (if needed):
121 121
122
-````
122
+```
123 123
/routing bgp peer
124 124
add address-families=ipv6 comment="DN42: somepeer IPv6" in-filter=dn42-in \
125 125
instance=bgp-dn42-somename multihop=yes name=dn42-somepeer-ipv6 out-filter=dn42-out \
126 126
remote-address=fd42:c644:5222:3222::40 remote-as=PEER_AS route-reflect=yes ttl=default
127
-````
127
+```
128 128
129 129
Also, as a note, Mikrotik doesn't deal well with BGP running over link-local addresses (the address starting with fe80). You need to use a fd42:: address in your BGP session, otherwise, BGP will not install any received route.
130 130
131 131
### BGP Advertisements
132 132
You want to advertise your allocated network (most likely), it's very simple:
133 133
134
-````
134
+```
135 135
/routing bgp network
136 136
add network=YOUR_ALLOCATED_SUBNET synchronize=no
137
-````
137
+```
138 138
You can repeat that with as much IPv4 and IPv6 networks which you own.
139 139
140 140
## Split DNS
141 141
Separate dns requests for dn42 tld from your default dns traffic with L7 filter in Mikrotik.
142 142
Change network and LAN GW to mach your network configuration.
143 143
144
-````
144
+```
145 145
/ip firewall layer7-protocol
146 146
add name=DN42-DNS regexp="\\x04dn42.\\x01"
147 147
/ip firewall nat
148 148
add action=src-nat chain=srcnat comment="NAT to DN42 DNS" dst-address=172.23.0.53 dst-port=53 protocol=udp src-address=192.168.0.0/24 to-addresses=192.168.0.1
149 149
add action=dst-nat chain=dstnat dst-address-type=local dst-port=53 layer7-protocol=DN42-DNS protocol=udp src-address=192.168.0.0/24 to-addresses=172.23.0.53 to-ports=53
150 150
151
-````
151
+```
152 152
Since version 6.47 have added functionality that can redirect DNS queries according to special rules. If you used to do Layer-7 rules in the firewall, now it's simple and elegant:
153
-````
153
+```
154 154
/ip dns static
155 155
add comment=DN42 forward-to=172.23.0.53 regexp=".*\\.dn42" type=FWD
156
-````
... ...
\ No newline at end of file
0
+```
... ...
\ No newline at end of file
howto/mikrotik/ptp32.md
... ...
@@ -22,49 +22,49 @@ How can we workaround these issues? Simple. We setup a /32 on the Point-to-Point
22 22
23 23
You create the GRE interface in the same way the [Mikrotik Guide](/howto/mikrotik) does.
24 24
25
-````
25
+```
26 26
/interface gre
27 27
add allow-fast-path=no comment="DN42 somepeer" local-address=2.2.2.2 name=gre-dn42-peer \
28 28
remote-address=1.1.1.1
29
-````
29
+```
30 30
31 31
Next you add the /32 address on the interface. You can install this address on a loop interface (on RouterOS this means an empty bridge) if you plan to use the same address over several GRE tunnels or other OpenVPN interfaces.
32 32
33
-````
33
+```
34 34
/ip address add address=172.24.0.1/32 interface=gre-dn42-peer
35
-````
35
+```
36 36
37 37
Next, we add the direct route as next-hop using the interface
38 38
39
-````
39
+```
40 40
/ip route add distance=1 dst-address=172.26.2.2/32 gateway=gre-dn42-peer pref-src=172.24.0.1
41
-````
41
+```
42 42
43 43
At this point, the ping with the peer should work. Also, the bgp session can be established, but the routes will not work. We need a input filter to fix the next-hop routes.
44 44
45
-````
45
+```
46 46
/routing filter add chain=bgp-dn42-peer-in protocol=bgp set-in-nexthop-direct=gre-dn42-peer
47
-````
47
+```
48 48
49 49
if you have other global input chain filters, you should add a jump in the same chain, like this:
50
-````
50
+```
51 51
/routing filter add action=jump chain=bgp-dn42-peer-in protocol=bgp jump-target=bgp-global-dn42-input
52
-````
52
+```
53 53
54 54
If you haven't created the BGP session, create it now from the [Mikrotik guide](/howto/mikrotik#how-to-connect-to-dn42-using-mikrotik-routeros_bgp). Change the peer input filter to use the chain we've just created:
55 55
56
-````
56
+```
57 57
/routing bgp peer set bgp-dn42-somename in-filter=bgp-dn42-peer-in
58
-````
58
+```
59 59
60 60
With this fix, all the routes will have set next-hop the GRE interface and there will be no need to use RouterOS' recursive route resolve.
61 61
62 62
Check the routes with:
63
-````
63
+```
64 64
/ip routes print detail where received-from=bgp-dn42-somename
65
-````
65
+```
66 66
67 67
There should an attribute like:
68
-````
68
+```
69 69
gateway=gre-dn42-peer gateway-status=gre-dn42-peer reachable
70
-````
... ...
\ No newline at end of file
0
+```
... ...
\ No newline at end of file
howto/networksettings.md
... ...
@@ -13,24 +13,24 @@ That is why `rp_filter` needs to be disabled.
13 13
14 14
**Note** using sysctl is not persistent. Depending on your linux distribution put it into `/etc/sysctl.conf` or `/etc/sysctl.d`
15 15
16
-````
16
+```
17 17
sysctl -w net.ipv4.conf.all.rp_filter=0 net.ipv4.conf.default.rp_filter=0
18
-````
18
+```
19 19
20 20
Check that its really disabled:
21
-````
21
+```
22 22
sysctl -a | grep rp_filter
23
-````
23
+```
24 24
25 25
Also the following options must be set.
26
-````
26
+```
27 27
$ sysctl -w net.ipv4.conf.all.forwarding=1 net.ipv6.conf.all.forwarding=1
28
-````
28
+```
29 29
30 30
Check that ALL your vpn interfaces allow ip forwarding for ipv6/ipv4.
31
-````
31
+```
32 32
$ sysctl -a | grep forwarding
33
-````
33
+```
34 34
35 35
### Note on firewalls, conntrack and asymmetric routing
36 36
howto/openvpn.md
... ...
@@ -10,7 +10,7 @@
10 10
* Replace `<REMOTE_GATEWAY_IP>` with dn42 ip address of your peer
11 11
* `<LOCAL_GATEWAY_IPV6> <REMOTE_GATEWAY_IPV6>` same as ipv4, but both ip addresses needs to be in the same subnet. For simplicity you can always use an address from link-local ipv6 range (fe80::/64)
12 12
13
-````
13
+```
14 14
#/etc/openvpn/<PEER_NAME>
15 15
proto <PROTO>
16 16
mode p2p
... ...
@@ -35,19 +35,19 @@ secret /etc/openvpn/<PEER_NAME>.key
35 35
# <secret>
36 36
# ... Key File contents go here ...
37 37
# </secret>
38
-````
38
+```
39 39
40 40
then create a new key and share it with your peer
41 41
42
-````
42
+```
43 43
$ openvpn --genkey --secret /etc/openvpn/<PEER_NAME>.key
44
-````
44
+```
45 45
46 46
# Example Configuration if one peer has a floating ip
47 47
48 48
## peer with fixed ip
49 49
50
-````
50
+```
51 51
proto <PROTO>
52 52
mode p2p
53 53
dev-type tun
... ...
@@ -63,7 +63,7 @@ port <LOCAL_PORT>
63 63
ifconfig-ipv6 <LOCAL_GATEWAY_IPV6> <REMOTE_GATEWAY_IPV6>
64 64
ifconfig <LOCAL_GATEWAY_IP> <REMOTE_GATEWAY_IP>
65 65
secret /etc/openvpn/<PEER_NAME>.key
66
-````
66
+```
67 67
68 68
## peer with floating ip
69 69
... ...
@@ -72,7 +72,7 @@ secret /etc/openvpn/<PEER_NAME>.key
72 72
* `<REMOTE_HOST>` is the ip address of your peer
73 73
* `<REMOTE_PORT>` is openvpn port, where your peer listen for traffic
74 74
75
-````
75
+```
76 76
proto <PROTO>
77 77
mode p2p
78 78
remote <REMOTE_HOST>
... ...
@@ -89,7 +89,7 @@ resolv-retry infinite
89 89
ifconfig <LOCAL_GATEWAY_IP> <REMOTE_GATEWAY_IP>
90 90
ifconfig-ipv6 <LOCAL_GATEWAY_IPV6> <LOCAL_GATEWAY_IPV6>
91 91
secret /etc/openvpn/<PEER_NAME>.key
92
-````
92
+```
93 93
94 94
# Example configuration for connecting roaming clients to dn42
95 95
... ...
@@ -99,7 +99,7 @@ Clients connect using certificates, and simply get attributed dn42 IPs in the or
99 99
100 100
Replace `<PORT>` with the UDP port you want OpenVPN to listen to, and change the IP ranges (`ifconfig` and `route-gateway` options).
101 101
102
-````
102
+```
103 103
mode server
104 104
tls-server
105 105
... ...
@@ -146,13 +146,13 @@ push "route-gateway 172.22.X.145"
146 146
push "route 172.22.0.0 255.254.0.0"
147 147
###push "route 172.31.0.0 255.255.0.0"
148 148
###push "route 10.0.0.0 255.0.0.0"
149
-````
149
+```
150 150
151 151
## Client configuration
152 152
153 153
Change `<SERVER>` and `<PORT>`.
154 154
155
-````
155
+```
156 156
client
157 157
158 158
ca ca.crt
... ...
@@ -176,7 +176,7 @@ persist-tun
176 176
resolv-retry infinite
177 177
178 178
verb 3
179
-````
179
+```
180 180
181 181
## Certificate management
182 182
... ...
@@ -184,7 +184,7 @@ Use easy-rsa, it's easy to use. Below is a very short description, find a real
184 184
185 185
Build the CA: `. vars`, `./build-ca`, then generate the server key: `./build-key-server roaming-dn42`.
186 186
187
-Then, for each client, generate a private key and a certificate: ````./build-key myclient````. The Common Name is the only important information (it will be used to identify the client, for instance in the logs).
187
+Then, for each client, generate a private key and a certificate: ```./build-key myclient```. The Common Name is the only important information (it will be used to identify the client, for instance in the logs).
188 188
189 189
# See also
190 190
* [Network settings](https://internal.dn42/howto/networksettings)
howto/systemd-networkd-configuration-example.md
... ...
@@ -5,16 +5,16 @@ This is the config that is used on ZOTAN Networks (AS4242422341). Full network c
5 5
# Configuration
6 6
7 7
## loopback device (lo.network)
8
-````
8
+```
9 9
[Match]
10 10
Name=lo
11 11
12 12
[Network]
13 13
Address=fdff:b02d:2ef7::2/128
14
-````
14
+```
15 15
16 16
## wireguard netdev (dn42p1.netdev)
17
-````
17
+```
18 18
[NetDev]
19 19
Name = dn42p1
20 20
Kind = wireguard
... ...
@@ -28,10 +28,10 @@ PrivateKeyFile = /etc/wireguard/private.key
28 28
PublicKey = <peer wg pubkey>
29 29
Endpoint = <peer wg endpoint>:<peer wg port>
30 30
AllowedIPs = 172.16.0.0/12,10.0.0.0/8,fd00::/8,fe80::/10,ff00::/8
31
-````
31
+```
32 32
33 33
## wireguard network (dn42p1.network)
34
-````
34
+```
35 35
[Match]
36 36
Name = dn42p1
37 37
... ...
@@ -43,4 +43,4 @@ Peer = <peer tunnel linklocal address>/128
43 43
Address = <your DN42 ipv4>/32
44 44
Peer = <peer DN42 ipv4>/32
45 45
46
-````
... ...
\ No newline at end of file
0
+```
... ...
\ No newline at end of file
howto/tinc.md
... ...
@@ -10,7 +10,7 @@ One advantage of tinc is that you can have multiple peering over the same VPN co
10 10
11 11
Example `/etc/tinc/dn42_yourpeer/tinc.conf`:
12 12
13
-````
13
+```
14 14
Interface = dn42_yourpeer
15 15
Name = your_host
16 16
# Only switch mode is feasible for dn42 peerings, since in router mode tinc takes care of routing decisions on its own
... ...
@@ -19,14 +19,14 @@ Mode = switch
19 19
ConnectTo = remote_host
20 20
# In newer versions (>= 1.1) you can use AutoConnect instead
21 21
#AutoConnect = yes
22
-````
22
+```
23 23
24 24
Tinc requires to add manually ip addresses and routes to the tap/tun interfaces. On startup it will execute `/etc/tinc/dn42_yourpeer/tinc-up` if it exists **and** is executable:
25 25
26 26
Example `/etc/tinc/dn42_yourpeer/tinc-up`:
27 27
28 28
**Linux/iproute2**
29
-````
29
+```
30 30
#!/bin/sh
31 31
32 32
# set the interface up
... ...
@@ -38,19 +38,19 @@ ip addr add fe80::1/64 dev $INTERFACE
38 38
39 39
# add routes
40 40
ip route add 172.16.0.1/30 dev $INTERFACE table peers
41
-````
41
+```
42 42
43 43
For authentication tinc uses public key authentication instead of certificates or pre-shared keys.
44 44
For each key tinc should connect to or allow to connect, a file with the name of the peer in tincd -n twwh -K
45 45
is required. To generate a public/private key pair use:
46 46
47
-````
47
+```
48 48
$ tincd -K
49
-````
49
+```
50 50
51 51
Import for each other party the key like this `/etc/tinc/dn42_yourpeer/hosts/<peername>`:
52 52
53
-````
53
+```
54 54
# address/port are optional, in case they're missing you only expect connections from that host
55 55
Address = <fqdn/ip_addr>
56 56
Port = <port|655>
... ...
@@ -62,7 +62,7 @@ tcJpbgbYRzBTUPdSL3OB8k0qlmFI2ZYTnCzOSpgxRQARIB1ecoqOYVxQISK2pzxi
62 62
MHQQlVbquwldaKiVoj7tD7PFW4oQxpiMHZnHIA6dnZCsT3ktTOzCjhf2XMi8o8u5
63 63
P9C5dYrmVWrVAWQznlbuq/w1z+PrTYquoQIDAQAB
64 64
-----END RSA PUBLIC KEY-----
65
-````
65
+```
66 66
67 67
## Fun with tinc-pre
68 68
... ...
@@ -74,21 +74,21 @@ Installation:
74 74
* Freebsd: Use this [port repo](https://github.com/Mic92/ports/tree/master/security/tinc)
75 75
76 76
Set up a new tinc network
77
-````
77
+```
78 78
# tinc -n dn42_yourpeer init dn42_yourself
79
-````
79
+```
80 80
81 81
Invite your peering partner. Tinc will print the invitaion which you need to copy to your peering partner.
82
-````
82
+```
83 83
$ tinc invite yourpeer
84 84
<ip-or-address>/nIRp5pJCnfnhuV13JUomscGs1q5HqEbz3AydZer7wRaMcpUB
85
-````
85
+```
86 86
87 87
On the other node you can join by using:
88 88
89
-````
89
+```
90 90
$ tinc join <invitation-url>
91
-````
91
+```
92 92
93 93
This node will then automatically generate configuration, private/public keys and will exchange this key with the other node on connection.
94 94
howto/vyos.md
... ...
@@ -7,18 +7,18 @@ It can be downloaded here https://www.vyos.io/rolling-release/.
7 7
We will configure firewall access lists for inbound connections on our peer Wireguard interfaces as well as block all inbound connections to our router with the exception of BGP. This should be a good baseline firewall ruleset to filter inbound traffic on your network’s edge. Modifications may be needed depending on your specific goals. If your router has an uplink back to a larger internal network (outside of DN42), an outbound firewall ruleset will need to be applied to that interface. The examples here only cover **IPv4**, but the same concepts can be applied to **IPv6** rulesets.
8 8
9 9
By default, VyOS is a **stateless** firewall. To enable **stateful** packet inspection globally enter the following commands.
10
-````
10
+```
11 11
set firewall state-policy established action 'accept'
12 12
set firewall state-policy related action 'accept'
13
-````
13
+```
14 14
15 15
We also need to accept invalids on our network’s edge. However, this should not become common practice elsewhere.
16
-````
16
+```
17 17
set firewall state-policy invalid action 'accept'
18
-````
18
+```
19 19
20 20
The below commands create **in** and **local** baseline templates to be applied to all Wireguard interfaces that are facing peers. In this example, **172.20.20.0/24** is your assigned address space.
21
-````
21
+```
22 22
#Create Groups
23 23
set firewall group network-group Allowed-Transit-v4 network '10.0.0.0/8'
24 24
set firewall group network-group Allowed-Transit-v4 network '172.20.0.0/14'
... ...
@@ -59,17 +59,17 @@ set firewall name Tunnels_Local_v4 rule 98 state invalid 'enable'
59 59
set firewall name Tunnels_Local_v4 rule 99 action 'drop'
60 60
set firewall name Tunnels_Local_v4 rule 99 description 'Black Hole'
61 61
set firewall name Tunnels_Local_v4 rule 99 log 'enable'
62
-````
62
+```
63 63
64 64
## Wireguard
65 65
### Setup Keys
66
-````
66
+```
67 67
generate wireguard default-keypair
68 68
show wireguard keypairs pubkey default
69
-````
69
+```
70 70
_Grab your public key and save it for later. This will be shared with peers._
71 71
### Configure First Peer
72
-````
72
+```
73 73
#Your DN42 Address
74 74
set interfaces wireguard wg92 address '172.20.20.1/32'
75 75
... ...
@@ -93,7 +93,7 @@ set interfaces wireguard wg92 port '12345'
93 93
94 94
#Set static interface route to first peers /32 DN42 IPv4 on their tunnel endpoint
95 95
set protocols static interface-route 172.20.50.1/32 next-hop-interface wg92
96
-````
96
+```
97 97
98 98
99 99
... ...
@@ -119,9 +119,9 @@ _Your peers ASN_
119 119
###Setup RPKI Caching Server
120 120
Burble has made this super easy. More info can be found [here](https://wiki.dn42/howto/ROA-slash-RPKI) on this wiki. Get started by running the below command on a Linux server with Docker installed.
121 121
122
-````
122
+```
123 123
sudo docker run -ti -p 8082:8082 cloudflare/gortr -cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082
124
-````
124
+```
125 125
126 126
This will start a docker container that listens on the host server's IP at port 8082. This setup is using Cloudflare's GoRTR and automatically reaching out and downloading a custom JSON file generated by Burble just for the DN42 network.
127 127
... ...
@@ -133,24 +133,24 @@ This will start a docker container that listens on the host server's IP at port
133 133
You can check the connection with `show rpki cache-connection` and the received prefix-table with `show rpki prefix-table`.
134 134
135 135
###Create Route Map
136
-````
136
+```
137 137
set policy route-map DN42-ROA rule 10 action 'permit'
138 138
set policy route-map DN42-ROA rule 10 match rpki 'valid'
139 139
set policy route-map DN42-ROA rule 20 action 'permit'
140 140
set policy route-map DN42-ROA rule 20 match rpki 'notfound'
141 141
set policy route-map DN42-ROA rule 30 action 'deny'
142 142
set policy route-map DN42-ROA rule 30 match rpki 'invalid'
143
-````
143
+```
144 144
This example allows all routes in unless they are marked invalid or in other words possibly been a victim of BGP hijacking.
145 145
###Assign Route Map to Neighbor
146
-````
146
+```
147 147
set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map import DN42-ROA
148 148
set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map export DN42-ROA
149
-````
149
+```
150 150
151 151
## Example Route Map
152 152
### No RPKI/ROA and Internal Network Falls Into DN42 Range
153
-````
153
+```
154 154
##Build prefix list to match personal internal network
155 155
set policy prefix-list BlockIPConflicts description 'Prevent Conflicting Routes'
156 156
set policy prefix-list BlockIPConflicts rule 10 action 'permit'
... ...
@@ -207,7 +207,7 @@ set protocols bgp 4242421099 neighbor x.x.x.x address-family ipv4-unicast route-
207 207
set protocols bgp 4242421099 neighbor x.x.x.x address-family ipv4-unicast route-map import 'Default-Peering'
208 208
set protocols bgp 4242421099 neighbor x.x.x.x address-family ipv6-unicast route-map export 'Default-Peering'
209 209
set protocols bgp 4242421099 neighbor x.x.x.x address-family ipv6-unicast route-map import 'Default-Peering'
210
-````
210
+```
211 211
212 212
213 213
This page is a work-in-progress by Owens Research. If you have any suggestions or questions please reach out.
... ...
\ No newline at end of file
howto/wireguard.md
... ...
@@ -9,13 +9,13 @@ to allow your BGP daemon instead to do routing. This approach is comparable to [
9 9
10 10
First generate on each peer public and private keys.
11 11
12
-````
12
+```
13 13
$ wg genkey | tee privatekey | wg pubkey > publickey
14
-````
14
+```
15 15
16 16
## Configuration
17 17
18
-````
18
+```
19 19
# tunnel.conf
20 20
[Interface]
21 21
PrivateKey = <private_key>
... ...
@@ -31,14 +31,14 @@ Endpoint = <end_point_hostname_or_ip:port>
31 31
# however it is easier to do this with iptables/bgp filters/routing table
32 32
# instead just like for openvpn-based peerings
33 33
AllowedIPs = 0.0.0.0/0,::/0
34
-````
34
+```
35 35
36 36
## Configure tunnel:
37 37
38 38
Wireguard comes with its own interface type.
39 39
It supports link-local addresses for IPv6 and single /32 addresses for IPv4, which can be used for peering.
40 40
41
-````
41
+```
42 42
$ ip link add dev <interface_name> type wireguard
43 43
$ wg setconf <interface_name> tunnel.conf
44 44
# both side pick a different link-local ipv6 address
... ...
@@ -46,7 +46,7 @@ $ ip addr add fe80::<some_random_suffix>/64 dev <interface_name>
46 46
# choose the first ip from your subnet and the second one from the peer
47 47
$ ip addr add 172.xx.xx.xx/32 peer 172.xx.xx.xx/32 dev <interface_name>
48 48
$ ip link set <interface_name> up
49
-````
49
+```
50 50
51 51
<!-- Nurtic-Vibe has another [script](https://git.dn42.us/Nurtic-Vibe/grmml-helper/src/master/create_wg.sh) to interactively automate the peering process. -->
52 52
... ...
@@ -54,9 +54,9 @@ Maybe you should check the MTU to your peer with e.g. `ping -s 1472 <end_point_h
54 54
55 55
## Testing
56 56
57
-````
57
+```
58 58
ping fe80::<your_peers_suffix>%<interface_name>
59
-````
59
+```
60 60
61 61
(For older iputils, use `ping6`.)
62 62
... ...
@@ -68,15 +68,15 @@ The wireguard kernel module on linux has support for enabling dynamic debugging.
68 68
69 69
Debug messages are logged via dmesg and can be enabled using:
70 70
71
-````sh
71
+```sh
72 72
$ echo 'module wireguard +p' > /sys/kernel/debug/dynamic_debug/control
73
-````
73
+```
74 74
75 75
To disable debug:
76 76
77
-````sh
77
+```sh
78 78
$ echo 'module wireguard -p' > /sys/kernel/debug/dynamic_debug/control
79
-````
79
+```
80 80
81 81
## wg-quick
82 82
... ...
@@ -94,7 +94,7 @@ The script makes some changes that are not valid when used for DN42 tunnels, and
94 94
95 95
An example wg-quick script that incorporates the above two workarounds is below, where `<MyIPv[46]>` are the DN42 IP addresses of your node and `<PeerIPv[46]>` are the IP addresses for your peer.
96 96
97
-````
97
+```
98 98
[Interface]
99 99
PrivateKey = <your private key>
100 100
Address = <your link-local address, if any>
... ...
@@ -106,7 +106,7 @@ Table = off
106 106
Endpoint = <your peer's wireguard endpoint>
107 107
PublicKey = <your peer's public key>
108 108
AllowedIPs = 172.16.0.0/12, 10.0.0.0/8, fd00::/8, fe80::/10
109
-````
109
+```
110 110
Use `which ip` to get the full path to your ip binary.
111 111
112 112
## systemd-networkd
... ...
@@ -114,7 +114,7 @@ Use `which ip` to get the full path to your ip binary.
114 114
Example configuration for systemd-networkd.
115 115
116 116
peer.netdev
117
-````text
117
+```text
118 118
[NetDev]
119 119
Name=<ifname>
120 120
Kind=wireguard
... ...
@@ -131,10 +131,10 @@ Endpoint=<peer host and port, e.g. 1.2.3.4:9876>
131 131
AllowedIPs=fe80::/64
132 132
AllowedIPs=fd00::/8
133 133
AllowedIPs=0.0.0.0/0
134
-````
134
+```
135 135
136 136
peer.network
137
-````text
137
+```text
138 138
[Match]
139 139
Name=<ifname>
140 140
... ...
@@ -165,5 +165,5 @@ Peer=<your peer's IPv6 address>/128
165 165
[Address]
166 166
Address=<your IPv4 address>/32
167 167
Peer=<your peer's IPv4 address>/32
168
-````
168
+```
169 169
internal/Historical-Services.md
... ...
@@ -84,23 +84,23 @@ Some people runs [Tahoe LAFS](/services/Tahoe-LAFS) nodes to provide a secure de
84 84
85 85
### ipfs
86 86
bootstrap peers
87
-````
87
+```
88 88
/ip4/172.20.161.135/tcp/4001/ipfs/QmYgD1wdPjx5oWzYJ195K84PqAXRnw9mcqbyZYAdXfaYkD
89 89
/ip4/172.20.52.220/tcp/4001/ipfs/QmW5ZhZFav8MZLJyvKuK6pKaR4vnQ5MVHfXY3LuMXqa4kc
90
-````
90
+```
91 91
test hashes
92
-````
92
+```
93 93
/ipfs/QmQ7psrGrXS3GFNC4BtU6pJXq6G7ps5NbYrhS2VYFufj9T
94 94
/ipfs/QmYLapmcSU7q93Ta4eHMh8fq9ios2HTSdbpHDRQwGG6ocJ
95
-````
95
+```
96 96
cdn (currently only jquery
97
-````
97
+```
98 98
/ipns/QmW5ZhZFav8MZLJyvKuK6pKaR4vnQ5MVHfXY3LuMXqa4kc/cdn/jquery
99
-````
99
+```
100 100
Until browsers have ipfs access (either through native support or js), one can use the http gateway
101
-````
101
+```
102 102
https://rest.dn42/
103
-````
103
+```
104 104
105 105
### Torrent Search Engine
106 106
services/Automatic-CA.md
... ...
@@ -90,7 +90,7 @@ Read more on this [stack exchange post][osx-2]
90 90
How to Run
91 91
==========
92 92
93
-````
93
+```
94 94
Usage: # OWNER is your MNT handle.
95 95
./ca.dn42 user-gen OWNER EMAIL # Output to OWNER.csr and OWNER.key
96 96
./ca.dn42 user-sig OWNER # Output to OWNER.crt and OWNER.p12
... ...
@@ -104,14 +104,14 @@ Revoke Reasons: unspecified, keyCompromise, affiliationChanged,
104 104
105 105
Environtment Options:
106 106
DN42CA_PKCS12 = 1 # Generate pkcs12 file for certificate.
107
-````
107
+```
108 108
109 109
Example
110 110
=======
111 111
112 112
Generate the user key
113 113
114
-````
114
+```
115 115
$ ./ca.dn42 user-gen XUU-MNT xuu@sour.is
116 116
Generating a 2048 bit RSA private key
117 117
...............................+++
... ...
@@ -122,11 +122,11 @@ writing new private key to 'XUU-MNT.key'
122 122
= You need to have this pin added to your mnt object before proceeding to the next step.
123 123
=
124 124
|MNT Key Pin| remarks: pin-sha256:HdqCid0sedWXX3Q0uG98rYjJyTNOzaT13WfWpr1GvIw=
125
-````
125
+```
126 126
127 127
## Sign the user key
128 128
129
-`````
129
+````
130 130
$ ./ca.dn42 user-sign XUU-MNT xuu@sour.is
131 131
== USER CERT ==
132 132
C:XD
... ...
@@ -139,11 +139,11 @@ $ ./ca.dn42 user-sign XUU-MNT xuu@sour.is
139 139
OK https://ca.dn42/crt/XUU-MNT.crt
140 140
Enter Export Password:
141 141
Verifying - Enter Export Password:
142
-````
142
+```
143 143
144 144
## Generate the server key
145 145
146
-````
146
+```
147 147
$ ./ca.dn42 tls-gen ca.dn42 XUU-MNT xuu@sour.is DNS:ca.dn42
148 148
149 149
Generating a 2048 bit RSA private key
... ...
@@ -156,18 +156,18 @@ writing RSA key
156 156
= |DNS Key Pin| You need to have this pin added to your dns records before proceeding to the next step.
157 157
=
158 158
_dn42_tlsverify.ca.dn42. IN TXT XUU-MNT:pin-sha256:Qu/X5GNqOo05TdL7oexkamE34OUuDE60T+f0xc60UPQ=
159
-````
159
+```
160 160
161 161
After you set this TXT-Record for your domain, you can verify it with the following command (by replacing the domain with your own):
162 162
163
-````
163
+```
164 164
$ dig +short TXT _dn42_tlsverify.ca.dn42.
165 165
"XUU-MNT:pin-sha256:Qu/X5GNqOo05TdL7oexkamE34OUuDE60T+f0xc60UPQ="
166
-````
166
+```
167 167
168 168
## Sign the server key
169 169
170
-````
170
+```
171 171
$ ./ca.dn42 tls-sign ca.dn42 XUU-MNT
172 172
== USER CERT ==
173 173
C:XD
... ...
@@ -191,17 +191,17 @@ $ ./ca.dn42 tls-sign ca.dn42 XUU-MNT
191 191
OK https://ca.dn42/crt/XUU-MNT_ca.dn42.crt
192 192
Enter Export Password: ****
193 193
Verifying - Enter Export Password: ****
194
-````
194
+```
195 195
196
-The generated certificate will be valid for 3 months, to renew it simply run ````./ca.dn42 tls-sign ca.dn42 XUU-MNT```` again. This could be also automated in cron:
196
+The generated certificate will be valid for 3 months, to renew it simply run ```./ca.dn42 tls-sign ca.dn42 XUU-MNT``` again. This could be also automated in cron:
197 197
198
-````
198
+```
199 199
0 0 1 * * /etc/ssl/dn42/ca.dn42 tls-sign wiki.dn42 MIC92-MNT
200
-````
200
+```
201 201
202 202
or with a systemd timer:
203 203
204
-````
204
+```
205 205
# update-dn42-ca.timer
206 206
[Timer]
207 207
OnBootSec=1h
... ...
@@ -210,9 +210,9 @@ Persistent=yes
210 210
211 211
[Install]
212 212
WantedBy=timers.target
213
-````
213
+```
214 214
215
-````
215
+```
216 216
[Service]
217 217
Type=oneshot
218 218
WorkingDirectory=/etc/ssl/dn42
... ...
@@ -220,11 +220,11 @@ ExecStart=/etc/ssl/dn42/ca.dn42 tls-sign wiki.dn42 MIC92-MNT
220 220
# accept multiple ExecStart lines for other certificates
221 221
#ExecStart=/etc/ssl/dn42/ca.dn42 tls-sign foobar.dn42 MIC92-MNT
222 222
ExecStart=/usr/bin/nginx -s reload
223
-````
223
+```
224 224
225 225
## Revoke a certificate.
226 226
227
-````
227
+```
228 228
$ ./ca.dn42 revoke XUU-MNT XUU-MNT.crt
229 229
== USER CERT ==
230 230
C:XD
... ...
@@ -236,7 +236,7 @@ $ ./ca.dn42 revoke XUU-MNT XUU-MNT.crt
236 236
pin-sha256:HdqCid0sedWXX3Q0uG98rYjJyTNOzaT13WfWpr1GvIw=
237 237
== REVOKE CERT ==
238 238
OK
239
-````
239
+```
240 240
241 241
## Certificate transparency
242 242
All issued certificates will be logged to [xuu's mattermost instance](https://teams.dn42/dn42/channels/tls-certificates).
... ...
\ No newline at end of file
services/Certificate-Authority.md
... ...
@@ -5,7 +5,7 @@ If you would like to have a certificate signed by this CA there is [an automated
5 5
6 6
The CA certificate ([dn42](https://ca.dn42/crt/root-ca.crt), [iana](https://ca.dn42.us/crt/root-ca.crt)):
7 7
8
-````
8
+```
9 9
Certificate:
10 10
Data:
11 11
Version: 3 (0x2)
... ...
@@ -95,21 +95,21 @@ P6v/P0WrfgdFTk0LGEA9OwKcTqkPpcI/SjB3rmZcs42yQWvimAF94GtScE09uKlI
95 95
1zAi8vbktPY7OMprTOc8pHDL3q8KFP8jJcoEzZ5Jw0vkCrULhLXvtFtjB0djzVxQ
96 96
C0IKqQ==
97 97
-----END CERTIFICATE-----
98
-````
98
+```
99 99
100 100
101 101
## Testing constraints
102 102
103 103
The name constraints can be verified for example by using openssl:
104
-````
104
+```
105 105
openssl x509 -in dn42.crt -text -noout
106
-````
106
+```
107 107
which will show among other things:
108
-````
108
+```
109 109
X509v3 Name Constraints:
110 110
Permitted:
111 111
DNS:.dn42
112
-````
112
+```
113 113
114 114
## Importing the certificate
115 115
... ...
@@ -123,19 +123,19 @@ Install `ca-certificates-dn42` from [AUR](https://aur.archlinux.org/packages/ca-
123 123
124 124
#### Unofficial Debian Package
125 125
126
-````bash
126
+```bash
127 127
wget https://ca.dn42.us/ca-dn42_20161122.0_all.deb
128 128
# If you're on a dn42-only network:
129 129
# wget --no-check-certificate https://ca.dn42/ca-dn42_20161122.0_all.deb
130 130
sudo dpkg -i ca-dn42_20161122.0_all.deb
131 131
sudo dpkg-reconfigure ca-certificates
132
-````
132
+```
133 133
134 134
You will be asked which certificates you would like to enabled. By default, the dn42 root certifcate (dn42/root-ca.crt) is not enable, be sure to enable it. This package is waiting for inclusion in Debian (Debian bug [#845351](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845351)).
135 135
136 136
#### Manual Installation
137 137
138
-````bash
138
+```bash
139 139
$ mkdir /usr/share/ca-certificates/extra
140 140
$ cat > /usr/share/ca-certificates/extra/dn42.crt <<EOF
141 141
-----BEGIN CERTIFICATE-----
... ...
@@ -164,7 +164,7 @@ C0IKqQ==
164 164
-----END CERTIFICATE-----
165 165
EOF
166 166
$ update-ca-certificates
167
-````
167
+```
168 168
169 169
## PKI Store
170 170
services/DNS.md
... ...
@@ -24,17 +24,17 @@ service and configure the other service as the secondary or backup nameserver.
24 24
25 25
Example resolv.conf, preferring a0.recursive-servers.dn42 and IPv4:
26 26
27
-````text
27
+```text
28 28
nameserver 172.20.0.53
29 29
nameserver 172.23.0.53
30 30
nameserver fd42:d42:d42:54::1
31 31
nameserver fd42:d42:d42:53::1
32 32
search dn42
33
-````
33
+```
34 34
35 35
Example resolv.conf, preferring a3.recursive-servers.dn42 and IPv6:
36 36
37
-````text
37
+```text
38 38
nameserver fd42:d42:d42:53::1
39 39
nameserver fd42:d42:d42:54::1
40 40
nameserver 172.23.0.53
... ...
@@ -42,7 +42,7 @@ nameserver 172.20.0.53
42 42
option inet6 # Linux/glibc
43 43
family inet6 inet4 # BSD
44 44
search dn42
45
-````
45
+```
46 46
47 47
## Advanced Configuration
48 48
services/Distributed-Wiki.md
... ...
@@ -39,7 +39,7 @@ Since gollum is built on top of Git, it is not overly complicated to keep the lo
39 39
40 40
+ **wiki-sync.sh**:
41 41
42
- ````sh
42
+ ```sh
43 43
#!/bin/bash
44 44
45 45
WIKI_PATH=<repo path>
... ...
@@ -50,7 +50,7 @@ ${GIT} push
50 50
${GIT} pull
51 51
52 52
exit 0
53
- ````
53
+ ```
54 54
55 55
+ **Cron entry**:
56 56
... ...
@@ -64,13 +64,13 @@ exit 0
64 64
- Start two gollum instances, read-only and read/write on `127.0.0.1`:
65 65
66 66
Read/write (SSL only):
67
- ````
67
+ ```
68 68
RACK_ENV=production gollum --css --host 127.0.0.1 --port 4568 <path>
69
- ````
69
+ ```
70 70
Read-only:
71
- ````
71
+ ```
72 72
RACK_ENV=production gollum --css --host 127.0.0.1 --port 4567 --no-edit <path>
73
- ````
73
+ ```
74 74
75 75
Set `<path>` to the location where wiki Git repo was cloned.
76 76
... ...
@@ -82,13 +82,13 @@ RACK_ENV=production gollum --css --host 127.0.0.1 --port 4567 --no-edit <path>
82 82
- Generate a [CSR](/services/Certificate-Authority) and send DNS Key Pin to [xuu@sour.is](mailto:xuu@sour.is):
83 83
- \<AS> is the as number with the prefix `as` like `as64737-ca.wiki.dn42`
84 84
85
-````
85
+```
86 86
./ca.dn42 tls-gen \
87 87
<AS>-<CC>(-<UID>).wiki.dn42 \
88 88
EXAMPLE-MNT \
89 89
mail@example.com \
90 90
DNS:<AS>-<CC>(-<ID>).wiki.dn42,DNS:wiki.dn42,DNS:www.wiki.dn42,DNS:internal.dn42,DNS:www.internal.dn42
91
-````
91
+```
92 92
93 93
Wait for a reply and then sign the certificate:
94 94
... ...
@@ -107,15 +107,15 @@ A custom header `X-SiteID` identifies the site you're connecting to:
107 107
108 108
- Extract base64 encoded SPKI fingerprint from private key `wiki.key`:
109 109
110
- ````
110
+ ```
111 111
openssl rsa -in wiki.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
112
- ````
112
+ ```
113 113
114 114
- Configure Nginx to send the fingerprint in header (SSL block):
115 115
116
- ````
116
+ ```
117 117
add_header Public-Key-Pins pin-sha256="<primary>"; pin-sha256="<backup>"; max-age=5184000; includeSubDomains';
118
- ````
118
+ ```
119 119
120 120
+ `<primary>` - the fingerprint extracted from `wiki.key`
121 121
+ `<backup>` - the CA fingerprint: `of00RDinhPeVRNnXm1jXQDagktOL75qQo1pT+xc7VIE=`
... ...
@@ -135,7 +135,7 @@ Nginx should listen on a unicast address as well, so your site can be reached ex
135 135
136 136
#### Config example
137 137
138
-````
138
+```
139 139
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
140 140
ssl_session_cache shared:SSL:2m;
141 141
... ...
@@ -184,7 +184,7 @@ server {
184 184
}
185 185
}
186 186
187
-````
187
+```
188 188
189 189
## ExaBGP
190 190
... ...
@@ -194,7 +194,7 @@ The prefix AS-PATH should show the announcement is originating from your AS. Aft
194 194
195 195
#### Configuration
196 196
197
-````
197
+```
198 198
# exabgp.conf
199 199
200 200
group gollum-watchdog {
... ...
@@ -228,7 +228,7 @@ group gollum-watchdog {
228 228
}
229 229
}
230 230
231
-````
231
+```
232 232
233 233
#### Watchdog script
234 234
... ...
@@ -236,7 +236,7 @@ Watchdog runs in an infinite loop, sending the appropriate commands to stdout. [
236 236
237 237
Run `gollum-watchdog.sh` in a shell first to validate it's working:
238 238
239
-````sh
239
+```sh
240 240
#!/bin/bash
241 241
242 242
CURL=curl
... ...
@@ -297,7 +297,7 @@ while [ 1 ]; do
297 297
done
298 298
299 299
exit 0
300
-````
300
+```
301 301
302 302
#### Run
303 303
... ...
@@ -305,7 +305,7 @@ exit 0
305 305
306 306
`USAGE: /etc/exabgp/run.sh [start|stop|restart]`
307 307
308
-````sh
308
+```sh
309 309
#!/bin/bash
310 310
311 311
PID_FILE=/var/run/exaBGP/exabgp_PID
... ...
@@ -352,7 +352,7 @@ case ${1} in
352 352
esac
353 353
354 354
exit 0
355
-````
355
+```
356 356
357 357
358 358
services/Route-Collector.md
... ...
@@ -25,7 +25,7 @@ The collector uses the dynamic peering capability in Bird2 to allow anyone to pe
25 25
26 26
Example bird2 config:
27 27
28
-````text
28
+```text
29 29
protocol bgp ROUTE_COLLECTOR
30 30
{
31 31
local as ***YOUR_ASN***;
... ...
@@ -66,7 +66,7 @@ protocol bgp ROUTE_COLLECTOR
66 66
};
67 67
};
68 68
}
69
-````
69
+```
70 70
71 71
72 72
## Querying the collector
... ...
@@ -106,7 +106,7 @@ The collector bird instance can be queried directly using a birdc shell.
106 106
107 107
- ssh shell@collector.dn42
108 108
109
-````sh
109
+```sh
110 110
$ ssh shell@collector.dn42
111 111
------------------------------------
112 112
* DN42 Global Route Collector *
... ...
@@ -129,5 +129,5 @@ bird> 297441 of 297441 routes for 502 networks in table master4
129 129
Total: 586116 of 586116 routes for 3597 networks in 4 tables
130 130
bird>
131 131
132
-````
132
+```
133 133
services/Statistics.md
... ...
@@ -11,18 +11,18 @@ Channel statistics for #dn42@hackint are available at: https://dev.0l.dn42/stats
11 11
12 12
#### collectd.conf
13 13
14
-````
14
+```
15 15
LoadPlugin exec
16 16
<Plugin exec>
17 17
Exec nobody "/etc/collectd/bgp_prefixes-quagga.sh"
18 18
</Plugin>
19
-````
19
+```
20 20
21 21
collectd refuses to exec scripts as root. On Debian vtysh is compiled with PAM support: adding nobody to the quaggavty group suffices.
22 22
23 23
#### bgp_prefixes-quagga.sh
24 24
25
-````sh
25
+```sh
26 26
#!/bin/bash
27 27
28 28
INTERVAL=10
... ...
@@ -37,11 +37,11 @@ echo "PUTVAL $HOSTNAME/quagga-bgpd/routes-IPv6 interval=$INTERVAL N:$n6"
37 37
38 38
sleep $INTERVAL
39 39
done
40
-````
40
+```
41 41
42 42
#### Number of prefixes per neighbour for bird
43 43
44
-````sh
44
+```sh
45 45
#!/bin/sh
46 46
#
47 47
# Collectd script for collecting the number of routes going through each
... ...
@@ -65,19 +65,19 @@ do
65 65
echo "PUTVAL $HOSTNAME/bird-bgpd/routes-all interval=$INTERVAL N:$totalroutes"
66 66
sleep $INTERVAL
67 67
done
68
-````
68
+```
69 69
70 70
### munin plugin
71 71
* add the following to /etc/munin/plugin-conf.d/munin-node
72 72
73
-````
73
+```
74 74
[quagga_bgp]
75 75
user root
76
-````
76
+```
77 77
78 78
* place the script as quagga_bgp in /etc/munin/plugins
79 79
80
-````sh
80
+```sh
81 81
#!/bin/sh
82 82
#
83 83
#
... ...
@@ -111,5 +111,5 @@ user root
111 111
echo bgproutes.value $data
112 112
fi
113 113
# Measure Section ##########
114
-````
114
+```
115 115
* restart munin-node
... ...
\ No newline at end of file
services/Tahoe-LAFS.md
... ...
@@ -19,10 +19,10 @@ To run a node you have to install tahoe-lafs at least in version 1.10.2. You can
19 19
20 20
Before the first start you have to create a node with `bin/tahoe create-node` or a client (doesn't provide storage) with `bin/tahoe create-client`. This will create the folder .tahoe in your home dir. In the file .tahoe/tahoe.cfg you have to enter on `introducer.furl` the link to our introducer node (UPDATED):
21 21
22
-````
22
+```
23 23
introducer.furl = pb://shvdnad4bqey27ff7ngtschexamvdmmr@tahoe-lafs.e-utp.dn42:44412/kmvmrcforeeet7isgq7ftuymywqp3obb
24 24
helper.furl = pb://ru7miwm74bfkd6ytchfoq4wgvo3vikq3@fido.e-utp.dn42:44412/iiiopiclr2gszw2fmckbx3eob6krxk7x
25
-````
25
+```
26 26
27 27
With `bin/tahoe start` you start your local node.
28 28
services/Whois.md
... ...
@@ -102,13 +102,13 @@ We have anycast IPv4 and IPv6, both reachable under whois.dn42. IPs are 172.22.0
102 102
| weiti | whois.weiti.dn42 | 172.20.175.253 / fdf7:17d5:de49::43 |
103 103
104 104
## Usage
105
-````sh
105
+```sh
106 106
whois -h $host $query
107
-````
107
+```
108 108
109 109
## Using a whois config
110 110
111
-````sh
111
+```sh
112 112
$ cat /etc/whois.conf
113 113
\.dn42$ whois.dn42
114 114
\-DN42$ whois.dn42
... ...
@@ -124,18 +124,18 @@ $ cat /etc/whois.conf
124 124
# dn42 ula ipv6 address space
125 125
^fd**:****:****:****:****:****:****:**** whois.dn42
126 126
127
-````
127
+```
128 128
129 129
You can then use whois without specifying the server. Works at least with Marco d'Itri's whois client.
130 130
131 131
## Running your own whoisd
132
-````sh
132
+```sh
133 133
cd /home/some/path/to/store/branch
134 134
sudo aptitude install ruby rubygems
135 135
sudo gem install netaddr
136 136
cd whoisd/ruby
137 137
sudo ruby whoisd.rb nobody
138
-````
138
+```
139 139
## Whois restful API
140 140
Note: this service is in beta testing, use at your own risk.
141 141
https://whois.rest.dn42/
services/dns/Configuration.md
... ...
@@ -4,9 +4,9 @@ Configuration of common resolver softwares to forward DNS queries for `.dn42` (a
4 4
5 5
You can use any *.recursive-servers.dn42 (where * is a letter) for resolving .dn42 domains. The current list is available at the [DN42 registry](https://git.dn42.dev/dn42/registry/src/master/data/dns/recursive-servers.dn42) or through querying SRV records of recursive-servers.dn42:
6 6
7
-````sh
7
+```sh
8 8
drill -D SRV _dns._udp.recursive-servers.dn42. @172.20.0.53
9
-````
9
+```
10 10
11 11
Two independent anycast services are also provided:
12 12
... ...
@@ -27,7 +27,7 @@ DN42 is [interconnected](/internal/Interconnections) with the Inter City VPN or
27 27
If you already run a local DNS server, you can tell it to query the dn42 anycast servers for the relevant domains
28 28
by adding the following to /etc/bind/named.conf.local
29 29
30
-````
30
+```
31 31
zone "dn42" {
32 32
type forward;
33 33
forwarders { 172.20.0.53; fd42:d42:d42:54::1; };
... ...
@@ -66,12 +66,12 @@ options {
66 66
67 67
# [...]
68 68
};
69
-````
69
+```
70 70
71 71
**Note**: With DNSSEC enabled, bind might refuse to accept query results from the dn42 zone: `validating dn42/SOA: got insecure response; parent indicates it should be secure`.
72 72
73 73
To disable DNSSEC validation only for certain TLDs include the following in the options section:
74
-````
74
+```
75 75
options {
76 76
# [...]
77 77
... ...
@@ -87,13 +87,13 @@ options {
87 87
88 88
# [...]
89 89
};
90
-````
90
+```
91 91
92 92
## dnsmasq
93 93
94 94
If you are running dnsmasq under openwrt, you just have to add
95 95
96
-````
96
+```
97 97
config dnsmasq
98 98
option boguspriv '0'
99 99
option rebind_protection '1'
... ...
@@ -106,7 +106,7 @@ config dnsmasq
106 106
list server '/10.in-addr.arpa/172.20.0.53'
107 107
list server '/d.f.ip6.arpa/fd42:d42:d42:54::1'
108 108
109
-````
109
+```
110 110
111 111
to `/etc/config/dhcp` and run `/etc/init.d/dnsmasq restart`. After that you are able to resolve `.dn42`
112 112
with the anycast DNS-Server, while your normal requests go to your standard DNS-resolver.
... ...
@@ -115,7 +115,7 @@ Attention: If you go with the default config you'll have to disable "boguspriv"
115 115
116 116
For normal dnsmasq use
117 117
118
-````
118
+```
119 119
server=/dn42/172.20.0.53
120 120
server=/20.172.in-addr.arpa/172.20.0.53
121 121
server=/21.172.in-addr.arpa/172.20.0.53
... ...
@@ -123,21 +123,21 @@ server=/22.172.in-addr.arpa/172.20.0.53
123 123
server=/23.172.in-addr.arpa/172.20.0.53
124 124
server=/10.in-addr.arpa/172.20.0.53
125 125
server=/d.f.ip6.arpa/fd42:d42:d42:54::1
126
-````
126
+```
127 127
in `dnsmasq.conf`.
128 128
129 129
## PowerDNS recursor
130 130
Add this to /etc/powerdns/recursor.conf (at least in Debian and CentOS), the **forward-zone-recurse** is _**one line**_.
131 131
132
-````
132
+```
133 133
dont-query=127.0.0.0/8, 192.168.0.0/16, ::1/128, fe80::/10
134 134
forward-zones-recurse=dn42=172.20.0.53,hack=172.20.0.53,ffhh=172.20.0.53,ffac=172.20.0.53,020=172.20.0.53,adm=172.20.0.53,ffa=172.20.0.53,ffhb=172.20.0.53,ffc=172.20.0.53,ffda=172.20.0.53,ffdh=172.20.0.53,ff3l=172.20.0.53,fffl=172.20.0.53,ffffm=172.20.0.53,fffr=172.20.0.53,fffd=172.20.0.53,ffgl=172.20.0.53,fflln=172.20.0.53,ffbcd=172.20.0.53,ffbgl=172.20.0.53,ffgoe=172.20.0.53,ffgt=172.20.0.53,ffh=172.20.0.53,helgo=172.20.0.53,ffhef=172.20.0.53,ffj=172.20.0.53,ffka=172.20.0.53,ffki=172.20.0.53,ffhl=172.20.0.53,fflux=172.20.0.53,ffms=172.20.0.53,mueritz=172.20.0.53,ffnord=172.20.0.53,ffnw=172.20.0.53,ffoh=172.20.0.53,ffpb=172.20.0.53,ffpi=172.20.0.53,ffrade=172.20.0.53,ffrgb=172.20.0.53,ffrg=172.20.0.53,rzl=172.20.0.53,ffsaar=172.20.0.53,fftr=172.20.0.53,fftdf=172.20.0.53,ffwk=172.20.0.53,ffgro=172.20.0.53,ffwk=172.20.0.53,ffwp=172.20.0.53,ffw=172.20.0.53,20.172.in-addr.arpa=172.20.0.53,21.172.in-addr.arpa=172.20.0.53,22.172.in-addr.arpa=172.20.0.53,23.172.in-addr.arpa=172.20.0.53,31.172.in-addr.arpa=172.20.0.53,10.in-addr.arpa=172.20.0.53,c.f.ip6.arpa=172.20.0.53
135
-````
135
+```
136 136
137 137
## MaraDNS
138 138
Put this in your mararc:
139 139
140
-````
140
+```
141 141
ipv4_alias["dn42_root"] = "172.20.0.53"
142 142
root_servers["dn42."] = "dn42_root"
143 143
root_servers["20.172.in-addr.arpa."] = "dn42_root"
... ...
@@ -145,14 +145,14 @@ root_servers["21.172.in-addr.arpa."] = "dn42_root"
145 145
root_servers["22.172.in-addr.arpa."] = "dn42_root"
146 146
root_servers["23.172.in-addr.arpa."] = "dn42_root"
147 147
root_servers["10.in-addr.arpa."] = "dn42_root"
148
-````
148
+```
149 149
150 150
## Unbound
151 151
152 152
Make sure to disable `auto-trust-anchor-file` and manually configure `trust-anchor-file` to
153 153
point to a file with DNSKEY records for dn42.
154 154
155
-````
155
+```
156 156
server:
157 157
local-zone: "20.172.in-addr.arpa." nodefault
158 158
local-zone: "21.172.in-addr.arpa." nodefault
... ...
@@ -195,15 +195,15 @@ forward-zone:
195 195
name: "d.f.ip6.arpa"
196 196
forward-addr: fd42:d42:d42:54::1
197 197
forward-addr: 172.20.0.53
198
-````
198
+```
199 199
200 200
## JunOS (SRX 12.1X46)
201 201
Should also work in 12.1X44 and 12.1X45. After making the changes below you may need to run:
202
-````
202
+```
203 203
restart named-service
204
-````
204
+```
205 205
Config (vlan.0 is presumed to be your LAN/Trust interface)
206
-````
206
+```
207 207
system {
208 208
services {
209 209
dns {
... ...
@@ -251,7 +251,7 @@ system {
251 251
}
252 252
}
253 253
}
254
-````
254
+```
255 255
256 256
## MS DNS
257 257
Add a "Conditional Forward" (de: "Bedingte Weiterleitung") for each of "dn42", "20.172.in-addr.arpa", "21.172.in-addr.arpa", "22.172.in-addr.arpa", "23.172.in-addr.arpa", "10.in-addr.arpa" using 172.20.0.53 as forwarder. Ignore the error message that the server is not authoritative.
... ...
\ No newline at end of file
services/dns/Providing-Anycast-DNS.md
... ...
@@ -8,7 +8,7 @@ Configuration requirements for all members of the anycast group are:
8 8
* maintain your own zones based on whois database (scripts included in monotone repository)
9 9
* allow recursion (including `.`)
10 10
* listen on a unicast IP too for testing/debugging reasons
11
- * with bind, please use ````minimal-responses yes;```` (goes into ````options````/````view````)
11
+ * with bind, please use ```minimal-responses yes;``` (goes into ```options```/```view```)
12 12
13 13
It is _really_ good to hang around in [IRC](/IRC) to get things sorted out, if something doesn't work. Letting some people test your DNS behavior before joining the anycast-group is considered best practice - better safe than sorry.
14 14
services/dns/Recursive-DNS-resolver.md
... ...
@@ -8,7 +8,7 @@ You may use some servers listed in the [table of anycast servers](/Providing-Any
8 8
9 9
Configuration for `unbound.conf`
10 10
11
-````
11
+```
12 12
server:
13 13
local-zone: "22.172.in-addr.arpa." nodefault
14 14
local-zone: "23.172.in-addr.arpa." nodefault
... ...
@@ -30,12 +30,12 @@ stub-zone:
30 30
stub-prime: yes
31 31
stub-addr: 172.22.119.160
32 32
stub-addr: 172.22.119.163
33
-````
33
+```
34 34
35 35
### Unbound with root-hints
36 36
Alternatively you can put dn42 root servers in the root-hints file for recursive resolving.
37 37
38
-````
38
+```
39 39
# /etc/unbound/unbound.conf.d/dn42.conf
40 40
server:
41 41
# DNSSEC validation will fail
... ...
@@ -52,10 +52,10 @@ server:
52 52
53 53
remote-control:
54 54
control-enable: no
55
-````
55
+```
56 56
57 57
The `/etc/unbound/dn42.hints` file:
58
-````
58
+```
59 59
. NS a.root-servers.dn42.
60 60
a.root-servers.dn42. 3600000 A 172.22.177.6
61 61
. NS m.root-servers.dn42.
... ...
@@ -64,4 +64,4 @@ m.root-servers.dn42. 3600000 A 172.23.67.67
64 64
t.root-servers.dn42. 3600000 A 172.22.102.141
65 65
. NS x.root-servers.dn42.
66 66
x.root-servers.dn42. 3600000 A 172.22.141.1
67
-````
67
+```