2010-05-03 UPDATE: VPN can also be implemented directly on a node and this complements the support in GNUnet, especially useful when are an a metered connection and need to control your costs.
Since 0.7.0e vpn is now maintained in the SVN of GNUnet by me, so you can obtain the most up-to-date released source from there. Nodes wanting to participate in development of GNUnet VPN can copy the following to a script called install in GNUnet/src/applications/vpn/. This will overwrite the existing vpn module with the very latest code for the VPN module fresh from SVN.
#!/bin/sh wget -O vpn.c https://www.gnunet.org/svn/GNUnet/src/applications/vpn/vpn.c wget -O gnunet-vpn.c https://www.gnunet.org/svn/GNUnet/src/applications/vpn/gnunet-vpn.c make cp .libs/libgnunetmodule_vpn.la /usr/lib/GNUnet/libgnunetmodule_vpn.la cp .libs/libgnunetmodule_vpn.so /usr/lib/GNUnet/libgnunetmodule_vpn.so sudo /etc/init.d/gnunet stop sudo /etc/init.d/gnunet start
Update: As of linux 2.6.26 there appears to exist filesystem support for capabilities, so hopefully it will be no longer necessary to use a pipe to negotiate with a program running as root to get raw socket access, needed for TUN/TAP. Just install libcap2-bin and invoke setcap cap_net_raw=+ep /usr/bin/gnunetd and raw permission will be saved in the filesystem, then the code in the program will at last be redundant ☺
You will need IPv6, TUN/TAP and default capabilities modules in your linux, and capabilities does need patching to make it functional.. The linux module "capability" should also be loaded.
VPN does require net_admin capability, so that we can modify the OS routing table. Unfortunately this can only be set by root on the gnunetd process, after forking (libcaps loves to drop privileges) and before we try to get the admin_fd. To ensure this is done reliably, VPN uses a FIFO to tell the init script /etc/init.d/gnunet the right moment to apply the privilege change, and avoids the need for gnunet to have sudo access any more, therefore being considerably more secure.
The script causes the init script to block until GNUnet is ready for net_admin, then GNUnet blocks until the change has been applied. You′ll need to put this in the startup portion of your /etc/init.d/gnunet around the start-stop-daemon or equivalent command as shown.
# ln --symbolic /var/lib/gnunet /var/lib/GNUnet mkfifo /var/lib/gnunet/gnunet.vpn chown gnunet:gnunet /var/lib/gnunet/gnunet.vpn start-stop-daemon ... # wait for it to fork cat /var/lib/GNUnet/gnunet.vpn /sbin/setpcaps -q $(ps -u gnunet -o pid=|while read;do \ echo -ne " cap_net_admin+eip "$REPLY; done) echo "DO" > /var/lib/gnunet/gnunet.vpn
VPN requires IPv6 setup. If you have native IPv6 or service from another box, then just adapt this accordingly, otherwise for 6to4 you setup the sit0 interface in /etc/network/interfaces to only allow allocated addresses out via IPv4.
iface sit0 inet6 static address `printf "2002:%02x%02x:%02x%02x::1" \`echo ipv4-address | tr "." " "\`` netmask 16 #gateway ::192.88.99.1 up /usr/local/sbin/6routes add sit0 down up /usr/local/sbin/6routes del sit0
Instead of directing at 192.88.99.1 here(commented out), we do it in a 6routes script as follows. This prevents GNUnet anonymised addresses leaking out onto the Internet, and you don′t want that. ☺
#!/bin/sh if [ ! -f /var/local/routes/ipv6.txt ]; then wget http://www.iana.org/assignments/ipv6-unicast-address-assignments -O /var/local/routes/ipv6.txt fi cat /var/local/routes/ipv6.txt | grep -v ^2002 | grep ^....\: | cut -f1 -d" " | while read do route -A inet6 $1 $REPLY gw ::192.88.99.1 dev $2 done
Also consider adding the following exclusion to /etc/bind/zones.rfc1918 if running BIND or similar, as VPN uses RFC4193 addresses. It prevents Reverse DNS leaking info about what IP addresses you are requesting, to the non-anonymous Internet. You can setup reverse dns for your 6to4 addresses
zone "d.f.ip6.arpa" { type master; file "/etc/bind/db.empty"; };
These are the more interesting commands available in ./gnunet-vpn. For normal operation you would invoke "reset", and "realise", alternately every hour or so. To give you something to access, you may do "add " so long as you have this node′s hello files in your cache, that can be found in my hosts area. Then try ping6 vpn1.wensley.org.uk, if address unreachable comes back, ping6 that instead. I do have an ftp and gopher server accessible here.