N2n
| | Die Tests mit N2n sind soweit abgeschlossen, dass wir es wahrscheinlich nicht verwenden werden. Aus dem Test ist nun die neue VPN-Variante L2gvpn entstanden, welche wir nun einsetzen.
We finished testing N2n for now and it seems that we are not going to use it further. From our testing experience, we created the VPN software called L2gvpn, which we now develop and test |
n2n
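n2n is a small layer 2 VPN based on the ideas of modern P2P systems. Its only security mechanism is a key shared by the whole community, which should be enough for Freifunk purposes, and it has a very small flash footprint. Keep in mind what a shared key means: every node that holds the community key can read and inject traffic for that community, and individual nodes are not told apart.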
kamikaze
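A pre-compiled package for kamikaze (trunk 11600) can be installed via: ipkg install http://downloads.leo34.net/fonera/packages/n2n_svn3561-1_mips.ipk (the URL is plain HTTP, so nothing protects the package from being altered in transit; compare it against a checksum obtained separately before installing it on a router)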
fritjoff built a small kamikaze trunk package, to be improved: http://builder.frithjof-hammer.de/n2n/
packet b0rken, use:
Index: openwrt/kamikaze/Makefile
===================================================================
--- openwrt/kamikaze/Makefile (revision 3558)
+++ openwrt/kamikaze/Makefile (working copy)
@@ -1,9 +1,3 @@
-#
-# Copyright (C) 2008 OpenWrt.org
-#
-# This is free software, licensed under the GNU General Public License v2.
-
-
 include $(TOPDIR)/rules.mk
 PKG_BRANCH:=trunk
@@ -42,7 +36,7 @@
 endef
 define Build/Compile
- $(MAKE) -C$(PKG_BUILD_DIR)
+ $(MAKE) CC="$(TARGET_CC)" -C $(PKG_BUILD_DIR)
 endef
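Review bot: In `Build/Compile` the new line overrides only `CC`, so the target's compiler and linker flags never reach n2n's Makefile and the cross build uses whatever `CFLAGS` that Makefile sets itself, presumably without the toolchain's optimisation and hardening options. If n2n's Makefile tolerates it, pass them as well: `$(MAKE) CC="$(TARGET_CC)" CFLAGS="$(TARGET_CFLAGS)" LDFLAGS="$(TARGET_LDFLAGS)" -C $(PKG_BUILD_DIR)`. That Makefile is not visible here, so first check that it does not depend on its own `CFLAGS` for include paths or defines. The first hunk also drops the OpenWrt copyright and licence header, which should stay in a Makefile that is redistributed as a package.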
To have proper integration for uci, please use these fragments
/etc/config/n2n
# UCI section "edge" of type "n2n"; the init script reads it with
# config_load n2n / config_get ... edge ...
config "n2n" "edge"
# Name of the tap device; handed to edge as -d.
option ifname 'n2n'
# Address of this node inside the VPN; replace the trailing x with your host part.
option ip4address '77.87.48.x'
# Netmask the init script applies with ifconfig after edge has started.
option ip4netmask '255.255.255.192'
# option ip6address 'fec0:babe:x/48'
# Community name; the testbed notes on this page say it is case sensitive.
option community 'bbb'
# Shared encryption key. 'pass' is the key published for the public testbed;
# use your own key for anything else and keep this file readable by root only.
option key 'pass'
# Supernode as host:port.
option supernode 'vpn.berlin.freifunk.net:8718'
# Boolean switches, read with config_get_bool.
option httptunnel '0'
option routing '1'
option verbose '0'
/etc/init.d/n2n
#!/bin/sh /etc/rc.common
# OpenWrt init script for the n2n edge daemon; it is executed through rc.common.
# Position of this script in the boot order as evaluated by rc.common.
START=45
# Binary that start() launches.
EDGE=/usr/sbin/edge
# Path of the supernode binary; none of the functions shown on this page use it.
SUPERNODE=/usr/sbin/supernode
do_edge() {
	# Copy the "edge" section of /etc/config/n2n into shell variables.
	local pair flag

	config_load n2n

	# String options, written as <shell variable>:<uci option>.
	for pair in dev:ifname ip4addr:ip4address ip4mask:ip4netmask \
		community:community key:key supernode:supernode; do
		config_get "${pair%%:*}" edge "${pair#*:}"
	done

	# Boolean options keep the name of their uci option.
	for flag in httptunnel routing verbose; do
		config_get_bool "$flag" edge "$flag"
	done
}
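start() {
	# Start the n2n edge with the settings from the "edge" section of
	# /etc/config/n2n (loaded into shell variables by do_edge).
	local flags=""

	include /lib/network
	scan_interfaces
	config_load /var/state/network
	do_edge

	# -t, -r and -v are switches without an argument (see the getopt string
	# "...fvhrt" in the edge.c patch on this page). Passing "-t 0" would still
	# enable the switch, so add each one only when its option is turned on.
	# config_get_bool is expected to yield 1 for an enabled option.
	if [ "$httptunnel" = 1 ]; then flags="$flags -t"; fi
	if [ "$routing" = 1 ]; then flags="$flags -r"; fi
	if [ "$verbose" = 1 ]; then flags="$flags -v"; fi

	# The address variable filled by do_edge is ip4addr; the former $ipv4 was
	# never set, which left -a without a value.
	# The key is handed over in N2N_KEY, which edge's help text lists as an
	# alternative to -k, so that it does not appear in the process list.
	N2N_KEY="$key" "$EDGE" -f -d "$dev" -a "$ip4addr" -c "$community" \
		-l "$supernode" $flags

	# hack for n2n ticket #48: set address and netmask once more by hand
	ifconfig "$dev" "$ip4addr" netmask "$ip4mask"
}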
stop() {
	# Ends every running process whose name is "edge".
	killall edge
}
add the following to /etc/config/network
config interface n2n
option ifname n2n
deb based systems (debian, ubuntu)
/etc/init.d/edge
#!/bin/bash
# /etc/init.d/edge: start and stop the n2n edge
#
# The values below are built-in defaults. /etc/default/edge, when present, is
# sourced afterwards and may override any of them.
EDGE=/usr/local/bin/edge
IFNAME="n2n"
IP4ADDRESS="0.0.0.0"
IP4NETMASK="255.255.255.255"
COMMUNITY="bbb"
# Placeholder key of the public testbed. Put the real key into
# /etc/default/edge and keep that file readable by root only.
KEY="pass"
SUPERNODE="vpn.berlin.freifunk.net:8718"
# 0/1 switches, turned into -t, -r and -v by compile_opts.
HTTPTUNNEL="0"
ROUTING="1"
VERBOSE="0"

# Local overrides, if the administrator created the file.
[ -f /etc/default/edge ] && . /etc/default/edge

# LSB helper functions.
. /lib/lsb/init-functions
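compile_opts() {
	# Build the argument string for edge in EDGE_OPTS from the configuration
	# variables and export the shared key for the daemon.
	#
	# The key is exported as N2N_KEY instead of being appended as "-k <key>":
	# edge's help text lists N2N_KEY as an alternative to -k, and command line
	# arguments are visible to every local user in the process list.
	# -s is only understood by an edge built with the netmask patch.
	EDGE_OPTS="-d $IFNAME -a $IP4ADDRESS -s $IP4NETMASK -c $COMMUNITY -l $SUPERNODE -f"
	export N2N_KEY="$KEY"

	# Quoted so that an empty or unset switch counts as "off" rather than
	# making the test fail with a syntax error.
	if [ "$HTTPTUNNEL" = 1 ]; then EDGE_OPTS+=" -t"; fi
	if [ "$ROUTING" = 1 ]; then EDGE_OPTS+=" -r"; fi
	if [ "$VERBOSE" = 1 ]; then EDGE_OPTS+=" -v"; fi
}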
# Dispatch on the action given as first argument.
if [[ "$1" == "start" ]]; then
	# EDGE_OPTS is assembled here, right before the daemon is launched.
	compile_opts
	echo -n "Starting n2n VPN daemon: edge"
	start-stop-daemon --start --quiet --exec $EDGE -- $EDGE_OPTS
	echo "."
	# The original author left an "ifconfig $IFNAME $IP4ADDRESS" fix-up
	# disabled at this point; it stays disabled.
elif [[ "$1" == "stop" ]]; then
	echo -n "Stopping n2n VPN daemon: edge"
	# compile_opts is not called on this path, so EDGE_OPTS is empty unless
	# /etc/default/edge sets it.
	start-stop-daemon --stop --quiet --exec $EDGE -- $EDGE_OPTS
	echo "."
elif [[ "$1" == "restart" ]]; then
	# Re-run this script for both steps.
	$0 stop
	$0 start
else
	echo "Usage: $0 {start|stop|restart}"
	exit 1
fi

exit 0
Debian packages for n2n with netmask patch:
Note: This package is not tested because I had no machine running Debian.
Seems to work properly on Debian Etch.
FreeBSD
I've created a Port of n2n for FreeBSD.
It already includes my subnet patch.
It's not merged with the official FreeBSD Ports repository but this will be done soon.
You can check out the latest revision at
Send your feedback to <syso-n2n(at)no-route.org> or create a new ticket if you've found a bug.
fixes
set netmask via command line argument
| | Already done at no-route.org SVN repo. |
Here is a cleaner (kind of) solution that supplies the subnet mask via a command line argument:
--- edge.c 2008-12-11 16:54:00.000000000 +0100
+++ edge.c 2008-12-11 21:40:15.000000000 +0100
@@ -17,6 +17,7 @@
* Code contributions courtesy of:
* Richard Andrews <bbmaj7@yahoo.com.au>
* Don Bindner <don.bindner@gmail.com>
+ * Sylwester Sosnowski <syso-n2n@no-route.org>
*
*/
@@ -252,6 +253,7 @@
"-a <tun IP address> "
"-c <community> "
"-k <encrypt key> "
+ "-s <subnet mask> "
#ifndef WIN32
"[-u <uid> -g <gid>]"
"[-f]"
@@ -271,6 +273,7 @@
printf("-k <encrypt key> | Encryption key (ASCII) - also N2N_KEY=<encrypt key>\n");
printf("-l <supernode host:port> | Supernode IP:port\n");
printf("-p <local port> | Local port used for connecting to supernode\n");
+ printf("-s <subnet mask> | n2n Subnet mask (Default: 255.255.255.0)\n");
#ifndef WIN32
printf("-u <UID> | User ID (numeric) to use when privileges are dropped\n");
printf("-g <GID> | Group ID (numeric) to use when privileges are dropped\n");
@@ -1125,7 +1128,9 @@
int opt, local_port = 0 /* any port */;
char *tuntap_dev_name = "edge0";
char *ip_addr = NULL;
+ char *subnet_mask = "255.255.255.0";
ipstr_t ip_buf;
+ int got_s = 0;
#ifndef WIN32
uid_t userid=0; /* root is the only guaranteed ID */
@@ -1196,7 +1201,7 @@
/* {int k;for(k=0;k<effectiveargc;++k) printf("%s\n",effectiveargv[k]);} */
optarg = NULL;
- while((opt = getopt_long(effectiveargc, effectiveargv, "k:a:c:u:g:m:d:l:p:fvhrt", long_options, NULL)) != EOF) {
+ while((opt = getopt_long(effectiveargc, effectiveargv, "k:a:c:u:g:m:s:d:l:p:fvhrt", long_options, NULL)) != EOF) {
switch (opt) {
case 'a':
ip_addr = strdup(optarg);
@@ -1249,6 +1254,14 @@
case 'p':
local_port = atoi(optarg);
break;
+ case 's': /* Subnet Mask */
+ if (got_s == 1) {
+ traceEvent(TRACE_WARNING, "Multiple subnet masks supplied.");
+ free(subnet_mask);
+ }
+ subnet_mask = strdup(optarg);
+ got_s = 1;
+ break;
case 'h': /* help */
help();
break;
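Review bot: In the new `case 's'` the mask is taken verbatim from `optarg`: the result of `strdup()` is not checked, and nothing verifies that the string is a dotted-quad netmask before it reaches `tuntap_open()` in the last hunk. `tuntap_open()` is not visible here, so how it consumes the string is unknown, and edge is normally started as root, which makes rejecting bad input at parse time the safe choice. Before the `strdup`, add something like `struct in_addr m; if(inet_aton(optarg, &m) == 0) { traceEvent(TRACE_ERROR, "Invalid subnet mask"); return(-1); }`; the WIN32 build would need an equivalent check. The `-a` case in the context lines has the same unchecked `strdup(optarg)`. The enclosing `switch` starts and ends outside this hunk.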
@@ -1274,7 +1287,7 @@
/* setgid( 0 ); */
#endif
- if(tuntap_open(&(eee.device), tuntap_dev_name, ip_addr, "255.255.255.0", device_mac ) < 0)
+ if(tuntap_open(&(eee.device), tuntap_dev_name, ip_addr, subnet_mask, device_mac ) < 0)
return(-1);
#ifndef WIN32
allow broadcast packets to every address, modify the packet_check to allow all packets
ugly
to allow broadcast packets to every address (i.e. OLSR bcast 255.255.255.255) modify the packet_check to allow all packets.
Index: edge.c
===================================================================
--- edge.c (revision 3626)
+++ edge.c (working copy)
@@ -865,6 +865,10 @@
traceEvent(TRACE_INFO, "Discarding routed packet [rcvd=%s][expected=%s]",
intoa(ntohl(the_ip->ip_dst.s_addr), ip_buf, sizeof(ip_buf)),
intoa(ntohl(eee->device.ip_addr), ip_buf2, sizeof(ip_buf2)));
+
+ /* dpa */
+ return(0);
+
} else {
/* This packet is for us */
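Review bot: The added `return(0)` sits directly after the "Discarding routed packet" trace, so the branch that used to reject packets for foreign destinations now appears to accept them while the log still reports a discard. According to the text above the patch the intent is to allow every packet, which removes this destination filter for all peers in the community rather than only for broadcasts. If only OLSR broadcasts to 255.255.255.255 are needed, keep the rejection and add a narrow exception for that address, as the "less ugly" patch below does. If the filter really is to go, change the trace text too, e.g. `traceEvent(TRACE_INFO, "Accepting routed packet [rcvd=%s][expected=%s]", ...)`. The enclosing function starts and ends outside this hunk, so the meaning of the return value is inferred from the page's description.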
less ugly (by wonka)
Index: edge.c
===================================================================
--- edge.c (revision 3593)
+++ edge.c (working copy)
@@ -725,9 +725,12 @@
/* Note: all elements of the_ip are in network order */
struct ip *the_ip = (struct ip*)(pkt+sizeof(struct ether_header));
+
+ struct in_addr bcast = { 0xffffffff };
if((the_ip->ip_dst.s_addr != eee->device.ip_addr)
- && ((the_ip->ip_dst.s_addr & eee->device.device_mask) != (eee->device.ip_addr & eee->device.device_mask))) /* Not a broadcast */
+ && ((the_ip->ip_dst.s_addr & eee->device.device_mask) != (eee->device.ip_addr & eee->device.device_mask)) /* Not a broadcast */
+ && ((the_ip->ip_dst.s_addr) != (bcast.s_addr))) /* really not a broadcast */
{
ipstr_t ip_buf;
ipstr_t ip_buf2;
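Review bot: `struct in_addr bcast = { 0xffffffff };` relies on `s_addr` being the first member of the struct and hides what the constant stands for; comparing against the named constant is clearer and needs no extra variable: `&& (the_ip->ip_dst.s_addr != htonl(INADDR_BROADCAST)))`. The context line that casts `pkt+sizeof(struct ether_header)` to `struct ip *` is only safe if the packet length was checked earlier; that check is not visible in this hunk and should be confirmed, because the new condition adds one more read through that pointer. The function starts and ends outside the hunk.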
Testbed
| | Testbed is finished now. Have a look at our Testbed at L2gvpn. The IPs are moved over and will used for L2gvpn. |
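The supernode is at vpn.berlin.freifunk.net, the very secret password is "pass", and the community is bbb (case sensitive). We use this for connecting our CityMesh by VPN. Since key and community are published on this page, the tunnel keeps nothing confidential; treat it like the open mesh it connects.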
We use IP addresses of the range 77.87.48.64/26. (host going from .65 - .126)
example startup line:
sudo ./edge -d n2n -a 77.87.48.X -s 255.255.255.192 -c bbb -l vpn.berlin.freifunk.net:8718 -k pass -v
sudo ./edge -d n2n -a 77.87.48.X -c bbb -l vpn.berlin.freifunk.net:8718 -k pass -v
Don't forget to set the right netmask, either via the ifconfig command below or by using the patch above (the -s option in the first example line).
ifconfig n2n netmask 255.255.255.192
see also

