N2n

From wiki.freifunk.net

(Redirected from N2n:testcases)
We have finished testing n2n for now, and it seems we are not going to use it further. Out of that testing the new VPN variant L2gvpn was created, which we now use, develop and test.

n2n

n2n is a small layer-2 VPN based on the ideas of modern p2p systems. It provides only shared-key security, which should be enough for Freifunk purposes, and it has a very small flash footprint.

kamikaze

A pre-compiled package for Kamikaze (trunk 11600) can be installed via:

ipkg install http://downloads.leo34.net/fonera/packages/n2n_svn3561-1_mips.ipk

Frithjof built a small Kamikaze trunk package (still to be improved): http://builder.frithjof-hammer.de/n2n/

The package is broken; use this patch:

Index: openwrt/kamikaze/Makefile
===================================================================
--- openwrt/kamikaze/Makefile   (revision 3558)
+++ openwrt/kamikaze/Makefile   (working copy)
@@ -1,9 +1,3 @@
-#
-# Copyright (C) 2008 OpenWrt.org
-#
-# This is free software, licensed under the GNU General Public License v2.
-
-
  include $(TOPDIR)/rules.mk

  PKG_BRANCH:=trunk
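Review bot: this hunk deletes the OpenWrt.org copyright and GPLv2 license header, which has nothing to do with the build fix in the next hunk and drops the license attribution; keep the header and restrict the patch to the Build/Compile change.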
@@ -42,7 +36,7 @@
  endef

  define Build/Compile
-       $(MAKE) -C$(PKG_BUILD_DIR)
+       $(MAKE) CC="$(TARGET_CC)" -C $(PKG_BUILD_DIR)
  endef
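Review bot: passing `CC="$(TARGET_CC)"` makes the package build with the cross compiler, but the compiler flags are still left to the package's own Makefile; if that Makefile sets CFLAGS itself, also pass `CFLAGS="$(TARGET_CFLAGS)"` on the same `$(MAKE)` line so the target flags are used. The added space in `-C $(PKG_BUILD_DIR)` is harmless either way for GNU make.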

For proper UCI integration, use these fragments:

/etc/config/n2n

config "n2n" "edge"
        option ifname           'n2n'
        option ip4address       '77.87.48.x'
        option ip4netmask       '255.255.255.192'
#       option ip6address       'fec0:babe:x/48'
        option community        'bbb'
        option key              'pass'
        option supernode        'vpn.berlin.freifunk.net:8718'
        option httptunnel       '0'
        option routing          '1'
        option verbose          '0'

/etc/init.d/n2n

#!/bin/sh /etc/rc.common
START=45

EDGE=/usr/sbin/edge
SUPERNODE=/usr/sbin/supernode

do_edge () {
        config_load n2n

        config_get dev edge ifname
        config_get ip4addr edge ip4address
        config_get ip4mask edge ip4netmask
        config_get community edge community
        config_get key edge key
        config_get supernode edge supernode
        config_get_bool httptunnel edge httptunnel 0
        config_get_bool routing edge routing 0
        config_get_bool verbose edge verbose 0

        # -t, -r and -v are plain flags for edge (they take no argument),
        # so append them only when the corresponding option is enabled;
        # passing "-t 0" would switch the tunnel on regardless of the value
        EDGE_OPTS="-f -d $dev -a $ip4addr -c $community -k $key -l $supernode"
        [ "$httptunnel" = 1 ] && EDGE_OPTS="$EDGE_OPTS -t"
        [ "$routing" = 1 ] && EDGE_OPTS="$EDGE_OPTS -r"
        [ "$verbose" = 1 ] && EDGE_OPTS="$EDGE_OPTS -v"
}

start() {
        include /lib/network
        scan_interfaces
        config_load /var/state/network

        do_edge
        # edge also accepts the key via N2N_KEY=... instead of -k, which keeps
        # it out of the process list
        $EDGE $EDGE_OPTS

        #hack for n2n ticket #48: edge does not apply the netmask itself
        ifconfig $dev $ip4addr netmask $ip4mask
}

stop () {
        killall edge
}

Add the following to /etc/config/network:

config interface n2n
        option ifname   n2n

deb-based systems (Debian, Ubuntu)

/etc/init.d/edge

#!/bin/bash

# /etc/init.d/edge: start and stop the n2n edge

EDGE="/usr/local/bin/edge"

# defaults; override them in /etc/default/edge
IFNAME=n2n
IP4ADDRESS=0.0.0.0
IP4NETMASK=255.255.255.255
COMMUNITY=bbb
KEY=pass
SUPERNODE=vpn.berlin.freifunk.net:8718
HTTPTUNNEL=0
ROUTING=1
VERBOSE=0

if test -f /etc/default/edge; then
    . /etc/default/edge
fi

. /lib/lsb/init-functions

compile_opts() {
        # -s requires the netmask patch from the "fixes" section;
        # -t, -r and -v are flags without arguments
        EDGE_OPTS="-d $IFNAME -a $IP4ADDRESS -s $IP4NETMASK -c $COMMUNITY -k $KEY -l $SUPERNODE -f"
        if [ "$HTTPTUNNEL" = 1 ]; then EDGE_OPTS+=" -t"; fi
        if [ "$ROUTING" = 1 ]; then EDGE_OPTS+=" -r"; fi
        if [ "$VERBOSE" = 1 ]; then EDGE_OPTS+=" -v"; fi
}

case "$1" in
  start)
        compile_opts
        echo -n "Starting n2n VPN daemon: edge"
#        echo $EDGE $EDGE_OPTS
        start-stop-daemon --start --quiet --exec "$EDGE" -- $EDGE_OPTS
        echo "."
        #fix IP Address
        #ifconfig $IFNAME $IP4ADDRESS
        ;;
  stop)
        echo -n "Stopping n2n VPN daemon: edge"
        # --stop matches on the executable; no daemon options are needed here
        start-stop-daemon --stop --quiet --exec "$EDGE"
        echo "."
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac

exit 0

Debian packages for n2n with netmask patch:


Note: This package is not tested because I had no machine running Debian.
Seems to work properly on Debian Etch.

FreeBSD

I've created a port of n2n for FreeBSD.
It already includes my subnet patch.
It's not merged into the official FreeBSD Ports repository, but this will be done soon.

You can check out the latest revision at


Send your feedback to <syso-n2n(at)no-route.org> or create a new ticket if you've found a bug.

fixes

set netmask via command line argument

Already done in the no-route.org SVN repo.

Here is a (somewhat) cleaner solution for supplying the subnet mask via a command-line argument:

--- edge.c	2008-12-11 16:54:00.000000000 +0100
+++ edge.c	2008-12-11 21:40:15.000000000 +0100
@@ -17,6 +17,7 @@
  * Code contributions courtesy of:
  * Richard Andrews <bbmaj7@yahoo.com.au>
  * Don Bindner <don.bindner@gmail.com>
+ * Sylwester Sosnowski <syso-n2n@no-route.org>
  *
  */
 
@@ -252,6 +253,7 @@
 	 "-a <tun IP address> "
 	 "-c <community> "
 	 "-k <encrypt key> "
+	 "-s <subnet mask> "
 #ifndef WIN32
 	 "[-u <uid> -g <gid>]"
 	 "[-f]"
@@ -271,6 +273,7 @@
   printf("-k <encrypt key>         | Encryption key (ASCII) - also N2N_KEY=<encrypt key>\n");
   printf("-l <supernode host:port> | Supernode IP:port\n");
   printf("-p <local port>          | Local port used for connecting to supernode\n");
+  printf("-s <subnet mask>         | n2n Subnet mask (Default: 255.255.255.0)\n");
 #ifndef WIN32
   printf("-u <UID>                 | User ID (numeric) to use when privileges are dropped\n");
   printf("-g <GID>                 | Group ID (numeric) to use when privileges are dropped\n");
@@ -1125,7 +1128,9 @@
   int opt, local_port = 0 /* any port */;
   char *tuntap_dev_name = "edge0";
   char *ip_addr = NULL;
+  char *subnet_mask = "255.255.255.0";
   ipstr_t ip_buf;
+  int got_s = 0;
 
 #ifndef WIN32
   uid_t userid=0; /* root is the only guaranteed ID */
@@ -1196,7 +1201,7 @@
   /* {int k;for(k=0;k<effectiveargc;++k)  printf("%s\n",effectiveargv[k]);} */
 
   optarg = NULL;
-  while((opt = getopt_long(effectiveargc, effectiveargv, "k:a:c:u:g:m:d:l:p:fvhrt", long_options, NULL)) != EOF) {
+  while((opt = getopt_long(effectiveargc, effectiveargv, "k:a:c:u:g:m:s:d:l:p:fvhrt", long_options, NULL)) != EOF) {
     switch (opt) {
     case 'a':
       ip_addr = strdup(optarg);
@@ -1249,6 +1254,14 @@
     case 'p':
       local_port = atoi(optarg);
       break;
+    case 's': /* Subnet Mask */
+      if (got_s == 1) {
+          traceEvent(TRACE_WARNING, "Multiple subnet masks supplied.");
+          free(subnet_mask);
+      }
+      subnet_mask = strdup(optarg);
+      got_s = 1;
+      break;
     case 'h': /* help */
       help();
       break;
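Review bot: `case 's'` stores optarg without validating it, so a typo such as `-s 255.255.0.255` or a non-address string is handed to tuntap_open as the netmask; parse it with inet_aton() or inet_pton() and check that the mask bits are contiguous before accepting it, reporting a TRACE_ERROR otherwise. The `got_s` guard around free() is correct, since the default value is a string literal that must not be freed.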
@@ -1274,7 +1287,7 @@
   /* setgid( 0 ); */
 #endif
 
-  if(tuntap_open(&(eee.device), tuntap_dev_name, ip_addr, "255.255.255.0", device_mac ) < 0)
+  if(tuntap_open(&(eee.device), tuntap_dev_name, ip_addr, subnet_mask, device_mac ) < 0)
     return(-1);
 
 #ifndef WIN32

allow broadcast packets to every address (modify the packet_check to allow all packets)

ugly

To allow broadcast packets to every address (e.g. the OLSR broadcast to 255.255.255.255), modify the packet check so that it accepts all packets.

Index: edge.c
===================================================================
--- edge.c      (revision 3626)
+++ edge.c      (working copy)
@@ -865,6 +865,10 @@
          traceEvent(TRACE_INFO, "Discarding routed packet [rcvd=%s][expected=%s]",
                     intoa(ntohl(the_ip->ip_dst.s_addr), ip_buf, sizeof(ip_buf)),
                     intoa(ntohl(eee->device.ip_addr), ip_buf2, sizeof(ip_buf2)));
+
+       /* dpa */
+       return(0);
+
        } else {
        /* This packet is for us */
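Review bot: the inserted `return(0)` is meant, per the section title, to let the packet through, yet the TRACE_INFO call just above it still logs "Discarding routed packet" for every such packet, and the `/* dpa */` comment explains nothing; update or drop the message and say in the comment why the early return is there. Note also that this accepts any non-local destination, not only 255.255.255.255 as the "less ugly" variant below does.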

less ugly (by wonka)

Index: edge.c
===================================================================
--- edge.c	(revision 3593)
+++ edge.c	(working copy)
@@ -725,9 +725,12 @@
 
       /* Note: all elements of the_ip are in network order */
       struct ip *the_ip = (struct ip*)(pkt+sizeof(struct ether_header));
+      
+      struct in_addr bcast = { 0xffffffff };
 
       if((the_ip->ip_dst.s_addr != eee->device.ip_addr)
-	 && ((the_ip->ip_dst.s_addr & eee->device.device_mask) != (eee->device.ip_addr & eee->device.device_mask))) /* Not a broadcast */
+	 && ((the_ip->ip_dst.s_addr & eee->device.device_mask) != (eee->device.ip_addr & eee->device.device_mask)) /* Not a broadcast */
+	 && ((the_ip->ip_dst.s_addr) != (bcast.s_addr))) /* really not a broadcast */
 	{
           ipstr_t ip_buf;
           ipstr_t ip_buf2;
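Review bot: `struct in_addr bcast = { 0xffffffff }` hand-codes the constant and relies on s_addr being the first member; comparing against `htonl(INADDR_BROADCAST)` from <netinet/in.h> says the same thing without the temporary (the value is byte-order symmetric, so the htonl is documentary). The added `+      ` line also carries trailing whitespace.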

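To make the effect of the "less ugly" patch visible, here is an added example (not code from edge.c or from this wiki) that reduces the unpatched and the patched destination check to standalone functions and runs them against a few constructed destinations; `struct dev_cfg`, `accept_original`, `accept_patched` and `ip4` are hypothetical names, and the 77.87.48.70/26 edge is a constructed address from the testbed range.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the two eee->device fields the check uses; both are kept
   in network byte order, exactly as edge.c does. */
struct dev_cfg {
    uint32_t ip_addr;     /* this edge's n2n address */
    uint32_t device_mask; /* its netmask */
};

/* Unpatched n2n check: accept only packets addressed to us or to our own
   subnet (which covers the subnet-directed broadcast). 1 = accept, 0 = discard. */
int accept_original(const struct dev_cfg *d, uint32_t dst)
{
    if (dst != d->ip_addr &&
        (dst & d->device_mask) != (d->ip_addr & d->device_mask))
        return 0; /* the "Discarding routed packet" branch */
    return 1;
}

/* The "less ugly" patch: additionally accept the limited broadcast
   255.255.255.255 that OLSR uses (INADDR_BROADCAST is byte-order symmetric). */
int accept_patched(const struct dev_cfg *d, uint32_t dst)
{
    if (dst == htonl(INADDR_BROADCAST))
        return 1; /* "really a broadcast" */
    return accept_original(d, dst);
}

/* Parse a dotted quad into a network-order address (0 if it does not parse). */
uint32_t ip4(const char *s)
{
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1 ? a.s_addr : 0;
}

int main(void)
{
    /* constructed edge from the testbed range: 77.87.48.70/26 */
    struct dev_cfg d = { ip4("77.87.48.70"), ip4("255.255.255.192") };
    const char *dsts[] = { "77.87.48.70", "77.87.48.127", "255.255.255.255", "10.0.0.1" };
    for (int i = 0; i < 4; i++)
        printf("%-16s original=%d patched=%d\n", dsts[i],
               accept_original(&d, ip4(dsts[i])), accept_patched(&d, ip4(dsts[i])));
    return 0;
}
```

The unpatched check drops the 255.255.255.255 destination while still accepting the subnet-directed broadcast 77.87.48.127; the patched check accepts both and still discards 10.0.0.1.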
Testbed

The testbed is finished now. Have a look at our testbed at L2gvpn. The IPs have been moved over and will be used for L2gvpn.

The supernode runs at vpn.berlin.freifunk.net; the very secret password is "pass" and the community is bbb (case sensitive). We use this to connect our CityMesh via VPN.

We use IP addresses from the range 77.87.48.64/26 (hosts from .65 to .126).

Example startup line (first with the netmask patch, then without it):

sudo ./edge -d n2n -a  77.87.48.X -s 255.255.255.192 -c bbb -l vpn.berlin.freifunk.net:8718 -k pass -v

sudo ./edge -d n2n -a  77.87.48.X -c bbb -l vpn.berlin.freifunk.net:8718 -k pass -v

Don't forget to set the right netmask via the ifconfig command, or use the patch above.

ifconfig n2n netmask 255.255.255.192

test cases

gvpn test cases

  • ipv6
    • RA (is an address obtained from the neighbouring radvd?)
    • neighbour reachability via link-local address (test NDP) (ping6 the link-local neighbour)
    • olsr (does multicast arrive? olsr neighbours?) uniform olsr version
    • routing (from 1 hop behind the VPN to 1 hop behind the VPN)
  • ipv4
    • olsr (neighbours?)
      • standard broadcast (does it arrive?)
      • full broadcast (does it arrive?)
      • link-local multicast (does it arrive?)
    • routing (from 1 hop behind the VPN to 1 hop behind the VPN)
    • arp (ping the link-local neighbour)
    • dhcp (dhclient)
  • layer-2
    • bridging (do all these tests also pass when the test node is attached to the tap device via a bridge?)
    • STP? (good question)
  • MTU
    • Path MTU discovery (ping?) (tcp?) (tools?)
      • linux: tracepath
      • BSD:
  • general administrativia
    • synchronous revisions (nightly builds)
      • automatic generation of packages
        • debian (link libuci statically)
        • openwrt
    • scripted updates, ssh keys
  • jitter measurement?
  • periodic bandwidth comparisons with and without VPN (tcp)


see also
