Difference between revisions of "Manual Configuration"

Line 29: Line 29:
 
== Gateway Config ==
 
== Gateway Config ==
  
=== DIAG ===
+
=== Diagnostics Commands ===
  
 
  tcpdump -nqi any net 4.2.2.1
 
  tcpdump -nqi any net 4.2.2.1
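Review bot: the heading rename from DIAG to Diagnostics Commands is the only change in this hunk, but the commands beneath it still carry no explanation of what each one is for; a lead sentence saying what a healthy result looks like (for example, that `tcpdump -nqi any net 4.2.2.1` on the gateway should show a client's test traffic arriving once tunnel routing works) would make the section usable by someone who did not write it.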
Line 41: Line 41:
 
  ./yggdrasilctl -v getself
 
  ./yggdrasilctl -v getself
  
=== DO ===
+
=== Gateway Config ===
 +
 
 +
Add <code>0.0.0.0/0</code> to <code>IPv4LocalSubnets</code> and enable <code>TunnelRouting</code> in <code>/etc/yggdrasil.conf</code>
 +
 
 +
TunnelRouting:
 +
{
 +
  # Enable or disable tunnel routing.
 +
  Enable: true
 +
  # IPv4 subnets belonging to this node's end of the tunnels. Only traffic 
 +
  # from these ranges will be tunnelled.
 +
  IPv4LocalSubnets:
 +
  [
 +
    0.0.0.0/0
 +
  ]
 +
}
 +
 
 +
Restart yggdrasil with <code>systemctl restart yggdrasil.service</code> or <code>service yggdrasil restart</code>
 +
 
 +
Assign an IP/subnet to the yggdrasil interface (<code>tun0</code> or <code>ygg0</code>)
 +
 
 +
ip addr add 10.42.0.1/16 dev tun0
 +
 
 +
For every node using the gateway, pick an IP address in the previous subnet and inform yggdrasil of the public key of the node to be associated with the chosen IP
 +
 
 +
yggdrasilctl addremotesubnet subnet=10.42.0.10/16 box_pub_key=<client_public_key>
 +
 
 +
Finally, add iptables rules to route / forward traffic to the internet. Replace eth0 with the WAN interface of the gateway
  
yggdrasilctl addlocalsubnet subnet=0.0.0.0/0
 
yggdrasilctl addremotesubnet subnet=192.168.69.10/24 box_pub_key=c34739a55e013d5fbccd1741658bea2885e418e0c100cffa5f286d1c41c93817 #DO pubkey!
 
yggdrasilctl addremotesubnet subnet=192.168.69.30/32 box_pub_key=33da15e48ac664defab0dedca3e91c26e759452ce0ea8f4387925557ca4eb653 #laptop pubkey!
 
ip addr add 192.168.69.1/24 dev tun0
 
yggdrasilctl settunnelrouting enabled
 
 
 
  iptables -A FORWARD -i eth0 -j ACCEPT
 
  iptables -A FORWARD -i eth0 -j ACCEPT
 
  iptables -A FORWARD -o eth0 -j ACCEPT                                                       
 
  iptables -A FORWARD -o eth0 -j ACCEPT                                                       
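Review bot: `yggdrasilctl addremotesubnet subnet=10.42.0.10/16 box_pub_key=<client_public_key>` hands the whole 10.42.0.0/16 tunnel range to one client key, and the text says to repeat the line for every client, so each entry overlaps the previous one and the gateway's own 10.42.0.1. The removed lines used a /32 for the laptop entry; keep that here: `yggdrasilctl addremotesubnet subnet=10.42.0.10/32 box_pub_key=<client_public_key>`. Separately, `iptables -A FORWARD -i eth0 -j ACCEPT` forwards anything arriving on the WAN side towards the tunnel clients; limiting that rule to `-m conntrack --ctstate RELATED,ESTABLISHED` and pairing both FORWARD rules with the tunnel interface (`-i tun0 -o eth0` / `-i eth0 -o tun0`) keeps the gateway from exposing clients to unsolicited inbound traffic. Replacing the real public keys with the `<client_public_key>` placeholder is the right call.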
Line 54: Line 74:
 
  echo 1 | tee /proc/sys/net/ipv4/ip_forward
 
  echo 1 | tee /proc/sys/net/ipv4/ip_forward
  
=== RPI ===
+
=== Client Config ===
 +
 
 +
Add <code>0.0.0.0/0</code> to <code>IPv4LocalSubnets</code> and enable <code>TunnelRouting</code> in <code>/etc/yggdrasil.conf</code>
 +
 
 +
TunnelRouting:
 +
{
 +
  # Enable or disable tunnel routing.
 +
  Enable: true
 +
  # IPv4 subnets belonging to this node's end of the tunnels. Only traffic 
 +
  # from these ranges will be tunnelled.
 +
  IPv4LocalSubnets:
 +
  [
 +
    0.0.0.0/0
 +
  ]
 +
}
 +
 
 +
Restart yggdrasil with <code>systemctl restart yggdrasil.service</code> or <code>service yggdrasil restart</code>
 +
 
 +
Add the IP address allocated on the gateway for this node to the yggdrasil interface
 +
 
 +
ip addr add 10.42.0.10/16 dev ygg0
 +
 
 +
Inform yggdrasil of the gateway node's public key
 +
 
 +
yggdrasilctl addremotesubnet subnet=0.0.0.0/0 box_pub_key=<gateway_public_key>
 +
 
 +
If the client device is connected to WAN, add routes to each yggdrasil peer's IP address to override the default route. Replace <code><peer_ip></code> with the IP address of the yggdrasil peer (likely found in yggdrasil.conf), replace <code><wan_gw></code> with the IP address of the router or gateway the client device is connected to (likely 192.168.1.1), and replace <code><wan_dev></code> with the interface name of the WAN port on the client device. Do this for every peer yggdrasil is configured to use.
  
yggdrasilctl addlocalsubnet subnet=0.0.0.0/0
+
  ip ro add <peer_ip> via <wan_gw> dev <wan_dev>
yggdrasilctl  addremotesubnet subnet=0.0.0.0/0 box_pub_key=cb240d63c9d69f2d6b133a77a341f035c2d62507c22f0302e40ace7e0245184e
 
ip addr add 192.168.69.10/24 dev ygg0
 
yggdrasilctl settunnelrouting enabled
 
  ip ro add 167.71.82.204 via 192.168.1.1 dev eth1
 
ip ro replace default via 192.168.69.1
 
yggdrasilctl addpeer yggdrasil addpeer uri=tcp://167.71.82.204:2617
 
  
=== LAPTOP ===
+
Finally, replace the default route with one pointing to the gateway node's tunnel IP
  
./yggdrasilctl addpeer yggdrasil addpeer uri=tcp://167.71.82.204:2617
+
  ip ro replace default via 10.42.0.1
./yggdrasilctl addlocalsubnet subnet=0.0.0.0/0
 
./yggdrasilctl  addremotesubnet subnet=0.0.0.0/0 box_pub_key=cb240d63c9d69f2d6b133a77a341f035c2d62507c22f0302e40ace7e0245184e
 
ip addr add 192.168.69.30/24 dev tun0
 
./yggdrasilctl settunnelrouting enabled
 
ip ro add 167.71.82.204 via 192.168.1.1 dev wlp4s0
 
  ip ro replace default via 192.168.69.1
 
 
# yggdrasilctl setconfig to set runtime configureation
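Review bot: the `echo 1 | tee /proc/sys/net/ipv4/ip_forward` context line and every new `ip ro` command in the client section are runtime-only and are lost at reboot; the text should say so, or point at /etc/sysctl.d and the distribution's persistent route configuration. The ordering also matters more than the prose lets on: `ip ro add <peer_ip> via <wan_gw> dev <wan_dev>` must exist for every peer before `ip ro replace default via 10.42.0.1`, otherwise the peer connection itself is routed into the tunnel it carries and the client loses the tunnel; one sentence stating that dependency would prevent the lockout.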
 

Revision as of 00:19, 20 November 2019

Configuring your Mesh Node

Once your device has been flashed, the meshing software needs to be set up. Follow these steps to complete the set-up:

  1. Plug your node's WAN port into a network that provides internet access. If your device has multiple ports, check the device page for which one to use.
  2. Navigate to the OpenWrt configuration page at http://192.168.1.1/
  3. Log in with an empty password and press "Go to password configuration..." to set an administrator password
  4. Optional: Add an ssh key to the SSH-Keys section to allow secure access to the node via ssh.
  5. Enter a new password, uncheck "Password authentication" and "Allow root logins with password". Press "Save & Apply".
  6. Navigate to Network > DHCP and DNS and add 2 values for DNS Forwardings: 200:c493:950a:d576:a413:faef:990b:fb76 and 1.1.1.1, click "Save & Apply" at the bottom
  7. Use scp to send the Yggdrasil package to the node, e.g. scp -o StrictHostKeyChecking=no ~/Downloads/yggdrasil_0.3.5-4_aarch64_cortex-a53.ipk root@192.168.1.1:/tmp
  8. Use ssh and your node's password to access the node's command line, e.g. ssh root@192.168.1.1
  9. Run opkg update && opkg install kmod-tun nano to prepare the node for Yggdrasil
  10. Run opkg install /tmp/yggdrasil_0.3.5-4_aarch64_cortex-a53.ipk to install Yggdrasil
  11. Use the command nano /etc/yggdrasil.conf to edit the Yggdrasil configuration. Change the Peers section to include a few public nodes:
  12. { "Peers": [ "tcp://50.236.201.218:56088", "tcp://45.76.166.128:12345", "tcp://45.77.107.150:34660", "tcp://108.175.10.127:61216", "tcp://198.58.100.240:44478" ],...
  13. Press Ctrl + O, Enter, Ctrl + X to save and exit the text editor
  14. Run yggdrasilctl getSelf and take note of the "IPv6 subnet", for example IPv6 subnet: 300:f86f:fcf9:8479::/64
  15. Run reboot to fully initialize Yggdrasil
  16. Navigate to Network > Interfaces in the OpenWrt web configuration and find "ULA Prefix" near the bottom. Replace the value with the IPv6 subnet value from before (starting from 3xx and ending with /64) and click "Save & Apply"
  17. On the same page, click "Edit" next to "LAN" and set "IPv6 assignment length" to 64. Under the DHCP Server section in the "IPv6 Settings" tab, check "Always announce default router". Click Save & Apply
  18. Navigate to Network > Firewall, and find "LAN" in the "Zones" section. Press the Edit button for this zone.
  19. Under the "Inter-Zone Forwarding" section, add "yggdrasil" to both "Allow forward to destination zones:" and "Allow forward from source zones:". Press "Save & Apply".
  20. Optional: To disallow unencrypted usage of the shared internet connection, remove "WAN" from "Allow forward to destination zones:"
  21. Optional: Under Network > Firewall > Traffic Rules, check enable on "Allow-SSH-yggdrasil" to allow ssh access using the node's mesh IP. Click "Save & Apply".

Once these steps are completed, your node will be capable of meshing with any other similarly configured node, as well as relaying encrypted mesh traffic to nodes over the internet if an internet connection is supplied to the node. Clients of the node will also be able to access in-mesh services using mesh IPs that the node assigns to connected devices. You can test this out by visiting the in-mesh wiki while connected to a LAN port of the node.
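The node steps above as a script, added here as an example and not part of the wiki: it parses the IPv6 subnet line of yggdrasilctl getSelf (step 14) and prints the UCI commands behind the LuCI clicks of steps 6, 16, 17 and 19, refusing a prefix that is not a 3xx::/64. The mapping from LuCI labels to UCI option names (network.globals.ula_prefix, network.lan.ip6assign, dhcp.lan.ra_default, the dnsmasq server list, firewall forwarding sections) is my assumption, and the getSelf output is constructed.

```shell
#!/bin/sh
# Added example, not from the wiki: the LuCI clicks of steps 6, 14, 16, 17 and
# 19 as UCI commands. The UCI option names are assumptions about how the LuCI
# labels map to /etc/config/*; commands are printed for review, not executed.

# Pull the /64 out of `yggdrasilctl getSelf` output read from stdin (step 14).
ygg_subnet_from_getself() {
    sed -n 's/^[[:space:]]*IPv6 subnet:[[:space:]]*\([0-9a-f:]*\/64\).*/\1/p' | head -n 1
}

# Print the UCI commands for a given Yggdrasil /64 (steps 6, 16, 17 and 19).
uci_cmds() {
    prefix="$1"
    case "$prefix" in
        3[0-9a-f][0-9a-f]:*::/64) ;;   # a node's /64 always starts with 3xx
        *) echo "refusing '$prefix': not a 3xx:...::/64 Yggdrasil subnet" >&2; return 1 ;;
    esac
    cat <<EOF
uci add_list dhcp.@dnsmasq[0].server='200:c493:950a:d576:a413:faef:990b:fb76'
uci add_list dhcp.@dnsmasq[0].server='1.1.1.1'
uci set network.globals.ula_prefix='$prefix'
uci set network.lan.ip6assign='64'
uci set dhcp.lan.ra_default='1'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='yggdrasil'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='yggdrasil'
uci set firewall.@forwarding[-1].dest='lan'
uci commit
EOF
}

# Constructed sample of getSelf output; the subnet is the wiki's own example.
SAMPLE_GETSELF='Build name:    yggdrasil
Build version: 0.3.5
IPv6 subnet:   300:f86f:fcf9:8479::/64'

prefix=$(printf '%s\n' "$SAMPLE_GETSELF" | ygg_subnet_from_getself)
uci_cmds "$prefix"
```

On a real node, pipe the live output instead: yggdrasilctl getSelf | ygg_subnet_from_getself, then review the printed commands before running them and reloading network, dhcp and firewall.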

Gateway Config

Diagnostics Commands

tcpdump -nqi any net 4.2.2.1
ip a | grep 200
# think metric as in "cost" -> higher is lower priority
ip route del default via 192.168.42.1 dev enp0s25
ip route del default via 192.168.42.1 dev enp0s25 metric 700
./build -d # build w/ debug flag
env PPROFLISTEN=localhost:6060 ./yggdrasil -useconffile /etc/yggdrasil/yggdrasil.conf
http://localhost:6060/debug/pprof/
./yggdrasilctl -v getself

Gateway Config

Add 0.0.0.0/0 to IPv4LocalSubnets and enable TunnelRouting in /etc/yggdrasil.conf

TunnelRouting:
{
  # Enable or disable tunnel routing.
  Enable: true
  # IPv4 subnets belonging to this node's end of the tunnels. Only traffic
  # from these ranges will be tunnelled.
  IPv4LocalSubnets:
  [
    0.0.0.0/0
  ]
}

Restart yggdrasil with systemctl restart yggdrasil.service or service yggdrasil restart

Assign an IP/subnet to the yggdrasil interface (tun0 or ygg0)

ip addr add 10.42.0.1/16 dev tun0

For every node using the gateway, pick an IP address in the previous subnet and inform yggdrasil of the public key of the node to be associated with the chosen IP

yggdrasilctl addremotesubnet subnet=10.42.0.10/32 box_pub_key=<client_public_key>

Finally, add iptables rules to route / forward traffic to the internet. Replace eth0 with the WAN interface of the gateway

iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 | tee /proc/sys/net/ipv4/ip_forward
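The gateway steps above as a generator script, added here as an example and not the wiki's own commands: it takes a constructed client table, emits one /32 addremotesubnet line per client after checking that the address sits in the tunnel range and the key is well-formed, and prints a narrower set of forwarding rules than the three above (tun0 to eth0 only, replies-only inbound). The client table, the placeholder keys and the interface names are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki: generate the gateway's per-client
# addremotesubnet lines and forwarding rules from a small client table instead
# of typing them by hand. Output is printed for review, not executed.

TUN_NET=10.42      # first two octets of the page's 10.42.0.0/16 tunnel range
GW_IP=10.42.0.1    # the address given to tun0 on the gateway

# Validate one client and print its addremotesubnet command. Each client gets a
# /32: a /16 here would claim the whole tunnel range for a single key.
client_route_cmd() {
    ip="$1"; key="$2"
    case "$ip" in
        "$TUN_NET".*.*) ;;
        *) echo "skip $ip: not inside $TUN_NET.0.0/16" >&2; return 1 ;;
    esac
    [ "$ip" != "$GW_IP" ] || { echo "skip $ip: that is the gateway itself" >&2; return 1; }
    # box_pub_key is a 32-byte key, i.e. exactly 64 lowercase hex characters
    printf '%s' "$key" | grep -Eqx '[0-9a-f]{64}' || { echo "skip $ip: malformed key" >&2; return 1; }
    echo "yggdrasilctl addremotesubnet subnet=$ip/32 box_pub_key=$key"
}

# Forwarding limited to the tunnel<->WAN pair. Replies from the WAN side are
# let back in; unsolicited inbound traffic to tunnel clients is not. The DROP
# policy assumes this box forwards nothing else.
forward_rules() {
    wan="$1"; tun="$2"
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -i $tun -o $wan -j ACCEPT
iptables -A FORWARD -i $wan -o $tun -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
echo 1 | tee /proc/sys/net/ipv4/ip_forward
EOF
}

# Constructed client table, "ip key" per line; the keys are placeholders.
CLIENTS='10.42.0.10 0000000000000000000000000000000000000000000000000000000000000001
10.42.0.11 0000000000000000000000000000000000000000000000000000000000000002
192.168.1.5 0000000000000000000000000000000000000000000000000000000000000003'

gateway_commands() {
    printf '%s\n' "$CLIENTS" | while read -r ip key; do
        client_route_cmd "$ip" "$key" || true   # report and skip bad entries
    done
    forward_rules eth0 tun0
}

gateway_commands
```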

Client Config

Add 0.0.0.0/0 to IPv4LocalSubnets and enable TunnelRouting in /etc/yggdrasil.conf

TunnelRouting:
{
  # Enable or disable tunnel routing.
  Enable: true
  # IPv4 subnets belonging to this node's end of the tunnels. Only traffic
  # from these ranges will be tunnelled.
  IPv4LocalSubnets:
  [
    0.0.0.0/0
  ]
}

Restart yggdrasil with systemctl restart yggdrasil.service or service yggdrasil restart

Add the IP address allocated on the gateway for this node to the yggdrasil interface

ip addr add 10.42.0.10/16 dev ygg0

Inform yggdrasil of the gateway node's public key

yggdrasilctl addremotesubnet subnet=0.0.0.0/0 box_pub_key=<gateway_public_key>

If the client device is connected to WAN, add routes to each yggdrasil peer's IP address to override the default route. Replace <peer_ip> with the IP address of the yggdrasil peer (likely found in yggdrasil.conf), replace <wan_gw> with the IP address of the router or gateway the client device is connected to (likely 192.168.1.1), and replace <wan_dev> with the interface name of the WAN port on the client device. Do this for every peer yggdrasil is configured to use.

ip ro add <peer_ip> via <wan_gw> dev <wan_dev>

Finally, replace the default route with one pointing to the gateway node's tunnel IP

ip ro replace default via 10.42.0.1
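The per-peer route step as a script, added here as an example and not the wiki's own: it reads the Peers list out of yggdrasil.conf, prints ip ro add <peer_ip> via <wan_gw> dev <wan_dev> for every IPv4 peer, flags hostnames and IPv6 peers that the command cannot take as written, and only then prints the default-route replacement. The sample config and its peers are constructed; the gateway value passed in is the page's 192.168.1.1 example and eth1 is an assumed WAN interface.

```shell
#!/bin/sh
# Added example, not from the wiki: derive the client step's per-peer pin routes
# from the Peers list in yggdrasil.conf. Commands are printed for review, not
# executed; InterfacePeers entries are ignored.

# Host part of every tcp:// URI inside the Peers block, HJSON or quoted JSON style.
peer_hosts() {
    awk '
        /^[ \t]*"?Peers"?[ \t]*:/ { inpeers = 1 }
        inpeers {
            rest = $0
            while (match(rest, /tcp:\/\/[^" ,]+/)) {
                host = substr(rest, RSTART + 6, RLENGTH - 6)
                sub(/:[0-9]+$/, "", host)          # drop the port
                print host
                rest = substr(rest, RSTART + RLENGTH)
            }
            if (index(rest, "]")) inpeers = 0      # end of the list
        }' "$1"
}

# Route commands from the page for each IPv4 peer; hostnames and IPv6 literals
# are reported instead, since `ip ro add <peer_ip> via` needs an IPv4 address.
pin_routes() {
    conf="$1"; wan_gw="$2"; wan_dev="$3"; gw_tun_ip="$4"
    peer_hosts "$conf" | awk '!seen[$0]++' | while read -r host; do
        case "$host" in
            \[*\])     echo "# $host: IPv6 peer, needs an 'ip -6 route add' instead" ;;
            *[!0-9.]*) echo "# $host: resolve to an IPv4 address first" ;;
            *)         echo "ip ro add $host via $wan_gw dev $wan_dev" ;;
        esac
    done
    # Pin every peer before moving the default route, or the peer connection
    # itself gets sent into the tunnel it carries.
    echo "ip ro replace default via $gw_tun_ip"
}

# Constructed sample config with placeholder peers (not the wiki's public nodes).
SAMPLE_CONF=$(mktemp); trap 'rm -f "$SAMPLE_CONF"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
  Peers:
  [
    tcp://192.0.2.10:56088
    "tcp://198.51.100.7:12345",
    tcp://[2001:db8::1]:443
    tcp://peer.example.net:9001
  ]
  Listen: [ tcp://[::]:0 ]
EOF
pin_routes "$SAMPLE_CONF" 192.168.1.1 eth1 10.42.0.1
```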