IPv6 VPN Application 0.7for GNUnet

Quick Install - I.e. How to connect to the GNUbone

2010-05-03 UPDATE: VPN can also be implemented directly on a node and this complements the support in GNUnet, especially useful when are an a metered connection and need to control your costs.

Since 0.7.0e vpn is now maintained in the SVN of GNUnet by me, so you can obtain the most up-to-date released source from there. Nodes wanting to participate in development of GNUnet VPN can copy the following to a script called install in GNUnet/src/applications/vpn/. This will overwrite the existing vpn module with the very latest code for the VPN module fresh from SVN.

#!/bin/sh
wget -O vpn.c https://www.gnunet.org/svn/GNUnet/src/applications/vpn/vpn.c
wget -O gnunet-vpn.c https://www.gnunet.org/svn/GNUnet/src/applications/vpn/gnunet-vpn.c

make
cp .libs/libgnunetmodule_vpn.la /usr/lib/GNUnet/libgnunetmodule_vpn.la
cp .libs/libgnunetmodule_vpn.so /usr/lib/GNUnet/libgnunetmodule_vpn.so
sudo /etc/init.d/gnunet stop
sudo /etc/init.d/gnunet start

Requirements

Update: As of linux 2.6.26 there appears to exist filesystem support for capabilities, so hopefully it will be no longer necessary to use a pipe to negotiate with a program running as root to get raw socket access, needed for TUN/TAP. Just install libcap2-bin and invoke setcap cap_net_raw=+ep /usr/bin/gnunetd and raw permission will be saved in the filesystem, then the code in the program will at last be redundant ☺

You will need IPv6, TUN/TAP and default capabilities modules in your linux, and capabilities does need patching to make it functional.. The linux module "capability" should also be loaded.

VPN does require net_admin capability, so that we can modify the OS routing table. Unfortunately this can only be set by root on the gnunetd process, after forking (libcaps loves to drop privileges) and before we try to get the admin_fd. To ensure this is done reliably, VPN uses a FIFO to tell the init script /etc/init.d/gnunet the right moment to apply the privilege change, and avoids the need for gnunet to have sudo access any more, therefore being considerably more secure.

The script causes the init script to block until GNUnet is ready for net_admin, then GNUnet blocks until the change has been applied. You′ll need to put this in the startup portion of your /etc/init.d/gnunet around the start-stop-daemon or equivalent command as shown.

# ln --symbolic /var/lib/gnunet /var/lib/GNUnet
mkfifo /var/lib/gnunet/gnunet.vpn
chown gnunet:gnunet /var/lib/gnunet/gnunet.vpn
start-stop-daemon ...
# wait for it to fork
cat /var/lib/GNUnet/gnunet.vpn
/sbin/setpcaps -q $(ps -u gnunet -o pid=|while read;do \
	echo -ne " cap_net_admin+eip "$REPLY; done)

echo "DO" > /var/lib/gnunet/gnunet.vpn

VPN requires IPv6 setup. If you have native IPv6 or service from another box, then just adapt this accordingly, otherwise for 6to4 you setup the sit0 interface in /etc/network/interfaces to only allow allocated addresses out via IPv4.

iface sit0 inet6 static
	address `printf "2002:%02x%02x:%02x%02x::1" \`echo ipv4-address | tr "." " "\``
	netmask 16
	#gateway ::192.88.99.1
	up /usr/local/sbin/6routes add sit0
	down up /usr/local/sbin/6routes del sit0

Instead of directing at 192.88.99.1 here(commented out), we do it in a 6routes script as follows. This prevents GNUnet anonymised addresses leaking out onto the Internet, and you don′t want that. ☺

#!/bin/sh
if [ ! -f /var/local/routes/ipv6.txt ]; then
 wget http://www.iana.org/assignments/ipv6-unicast-address-assignments -O /var/local/routes/ipv6.txt
fi

cat /var/local/routes/ipv6.txt | grep -v ^2002 | grep ^....\: | cut -f1 -d" " | while read
do
 route -A inet6 $1 $REPLY gw ::192.88.99.1 dev $2
done

Also consider adding the following exclusion to /etc/bind/zones.rfc1918 if running BIND or similar, as VPN uses RFC4193 addresses. It prevents Reverse DNS leaking info about what IP addresses you are requesting, to the non-anonymous Internet. You can setup reverse dns for your 6to4 addresses

zone "d.f.ip6.arpa" { type master; file "/etc/bind/db.empty"; };

Usage

These are the more interesting commands available in ./gnunet-vpn. For normal operation you would invoke "reset", and "realise", alternately every hour or so. To give you something to access, you may do "add " so long as you have this node′s hello files in your cache, that can be found in my hosts area. Then try ping6 vpn1.wensley.org.uk, if address unreachable comes back, ping6 that instead. I do have an ftp and gopher server accessible here.

reset
Clears prototype routing table and start requesting routes from peers to rebuild it
realise
Realise prototype table into the real routing table, and adds and pulls IPv6 routes to match it. You use this when you think your prototype table is complete. I.e. peers have stopped giving you more routes.
tunnel
Show tunnels to peers
routes
Show prototype routing table contents
realised
Show real routing table contents
add <hash>
Persuade GNUnet to connect to the peer with the given hash.
debug0
Hide activity output.
debug1
Show activity output.