N2n
Aus wiki.freifunk.net
Zur Navigation springenZur Suche springen| L2gvpn | ||
| L2gvpn | ||
| Developer | Richard Andrews, Luca Deri | |
| First released | ||
| Latest preview version | ||
| Release date and age | ||
| Frequently updated | yes | |
| Programming language | C | |
| Platform | Gnu/Linux, Windows | |
| Language | English | |
| Status | active | |
| Genre | VPN Software | |
| License | GNU General Public License v3 | |
| Website | http://www.ntop.org/products/n2n/ | |
| Download | http://www.ntop.org/get-started/download/ | |
n2n
n2n is a small layer 2 vpn based on the ideas of modern p2p systems. It creates only shared key security, which should be enough for freifunk purposes and has a very small flash footprint. Currently we use n2n Protocolversion 2.
kamikaze
pre-compiled v1 package for kamikaze (trunk 11600) can be installed via: ipkg install http://downloads.leo34.net/fonera/packages/n2n_svn3561-1_mips.ipk
fritjoff built a small kamikaze trunk package, to be improved: http://builder.frithjof-hammer.de/n2n/
packet b0rken, use:
Index: openwrt/kamikaze/Makefile =================================================================== --- openwrt/kamikaze/Makefile (revision 3558) +++ openwrt/kamikaze/Makefile (working copy) @@ -1,9 +1,3 @@ -# -# Copyright (C) 2008 OpenWrt.org -# -# This is free software, licensed under the GNU General Public License v2. - - include $(TOPDIR)/rules.mk PKG_BRANCH:=trunk @@ -42,7 +36,7 @@ endef define Build/Compile - $(MAKE) -C$(PKG_BUILD_DIR) + $(MAKE) CC="$(TARGET_CC)" -C $(PKG_BUILD_DIR) endef
To have proper integration for uci, please use these fragments
/etc/config/n2n
config "n2n" "edge"
option ifname 'n2n'
option ip4address '77.87.48.x'
option ip4netmask '255.255.255.192'
# option ip6address 'fec0:babe:x/48'
option community 'bbb'
option key 'pass'
option supernode 'vpn.berlin.freifunk.net:8718'
option httptunnel '0'
option routing '1'
option verbose '0'
/etc/init.d/n2n
#!/bin/sh /etc/rc.common
START=45
EDGE=/usr/sbin/edge
SUPERNODE=/usr/sbin/supernode
do_edge () {
config_load n2n
config_get dev edge ifname
config_get ip4addr edge ip4address
config_get ip4mask edge ip4netmask
config_get community edge community
config_get key edge key
config_get supernode edge supernode
config_get_bool httptunnel edge httptunnel
config_get_bool routing edge routing
config_get_bool verbose edge verbose
}
start() {
include /lib/network
scan_interfaces
config_load /var/state/network
do_edge
$EDGE -f -d $dev -a $ipv4 -c $community -k $key -l $supernode -t $httptunnel -r $routing -v $verbose
#hack for n2n ticket #48
ifconfig $dev $ip4addr netmask $ip4mask
}
stop () {
killall edge
}
add the following to /etc/config/network
config interface n2n
option ifname n2n
deb based systems (debian, ubuntu)
/etc/init.d/edge
#!/bin/bash
# /etc/init.d/edge: start and stop the n2n edge
EDGE="/usr/local/bin/edge"
IFNAME=n2n
IP4ADDRESS=0.0.0.0
IP4NETMASK=255.255.255.255
COMMUNITY=bbb
KEY=pass
SUPERNODE=vpn.berlin.freifunk.net:8718
HTTPTUNNEL=0
ROUTING=1
VERBOSE=0
if test -f /etc/default/edge; then
. /etc/default/edge
fi
. /lib/lsb/init-functions
compile_opts() {
EDGE_OPTS="-d $IFNAME -a $IP4ADDRESS -s $IP4NETMASK -c $COMMUNITY -k $KEY -l $SUPERNODE -f"
if [ $HTTPTUNNEL = 1 ]; then EDGE_OPTS+=" -t"; fi
if [ $ROUTING = 1 ]; then EDGE_OPTS+=" -r"; fi
if [ $VERBOSE = 1 ]; then EDGE_OPTS+=" -v"; fi
}
case "$1" in
start)
compile_opts
echo -n "Starting n2n VPN daemon: edge"
# echo $EDGE $EDGE_OPTS
start-stop-daemon --start --quiet --exec $EDGE -- $EDGE_OPTS
echo "."
#fix IP Address
#ifconfig $IFNAME $IP4ADDRESS
;;
stop)
echo -n "Stopping n2n VPN daemon: edge"
start-stop-daemon --stop --quiet --exec $EDGE -- $EDGE_OPTS
echo "."
;;
restart)
$0 stop
$0 start
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0
Debian packages for n2n v1 with netmask patch:
Note: This package is not tested because I had no machine running Debian.
Seems to work properly on Debian Etch.
FreeBSD
I've created a Port of n2n v1 for FreeBSD.
It already includes my subnet patch.
It's not merged with the official FreeBSD Ports repository but this will be done soon.
You can check out the latest revision at
Send your feedback to <syso-n2n(at)no-route.org> or create a new ticket if you've found a bug.
Testbed
Supernode at vpn.berlin.freifunk.net, very secret password is "pass", community is bbb (case sensitive). We use this for connecting our CityMesh by VPN.
We use IP addresses of the range 77.87.48.64/26. (host going from .65 - .126)
example startup line:
sudo ./edge -d bbb -c bbb -k pass -a static:77.87.48.77 -s 255.255.255.192 -l vpn.berlin.freifunk.net:8718 -f -vvv
IP config
IPv4 addresses
Hosts from 77.87.48.65 to 77.87.48.126
| hostname | IPv4-Address | Admin email | Comment |
|---|---|---|---|
| bbb1 | 77.87.48.65 | dpaufler at leo34 dot net | Main VPN Server BBB1 |
| weimarnetz | 77.87.48.66 | bittorf at bluebottle dot com | http://weimarnetz.de/freifunk/vpn/ |
| kel1 | 77.87.48.67 | syso-ff at no-route dot org | Temporaer fuer testzwecke. |
| c-base GW | 77.87.48.68 | dpaufler at leo34 dot net, cven at cbase dot org | GW @cbase (WCW2009) |
| gate | 77.87.48.69 | dpaufler at leo34 dot net | router @home |
| tetzlav-vhost | 77.87.48.70 | tetzlav ät leipzig.freifunk.net | qemu-openwrt @inet |
| tetzlav-ff-web | 77.87.48.71 | tetzlav ät leipzig.freifunk.net | server @home |
| berlin.freifunk.net | 77.87.48.72 | nosy ät c-base.org | berlin web/dns |
| Kortikalknoten | 77.87.48.73 | pirat ät ralfgerlich dot de | Viktoriastadt Titanic e.V. |
| J.A.S. | 77.87.48.74 | pirat ät ralfgerlich dot de | Viktoriastadt Kaskelstr. |
| Canapé | 77.87.48.75 | pirat ät ralfgerlich dot de | Südliche Pfarrstraße Berlin |
| bgp.ff.dd19.de | 77.87.48.76 | dpaufler at leo34 dot net, alx at dd19 dot de | BGP routing FistColo |
| carma | 77.87.48.77 | dpaufler at leo34 dot net | mobile notebook |
| alx | 77.87.48.78 | alx at dd19 de | FOKUS vpn gate |
| alx-eh2009 | 77.87.48.79 | alx at dd19 de | eh2009 vpn gate |
| morpheus | 77.87.48.80 | simon.frerichs gmail com | siit, ipv6, ipv4 :) |
| kifuse02 | 77.87.48.81 | patrick lunatiki de | pberg build & vpn server |
| druschba | 77.87.48.82 | patrick lunatiki de | Berlin Weißensee uplink (Umbenannt von "lachman" zu "druschba") |
| pitoresque | 77.87.48.83 | joli64 web de | pberg |
| rinocelot | 77.87.48.84 | kinoletti gmail com | pberg / kiezfunk ;) |
| blackhole | 77.87.48.85 | freifunk at animatedpictures de | |
| karow | 77.87.48.86 | mercurix at wlankarow dot de | server in karow |
| nuremberg | 77.87.48.87 | mercurix at wlankarow dot de | server in nürnberg |
| moabit | 77.87.48.88 | mercurix at wlankarow dot de | WRT54G in der Kruppstr. 13 |
| gw-floh-1 | 77.87.48.89 | onlinefloh dot freifunk at web dot de | router @home |
| leipzig-l2gvpn-main | 77.87.48.90 | freifunk wwsnet net | F²x (Kopplung HauptVPN - Berlin) |
| jow | 77.87.48.91 | freifunk wwsnet net | F²x #2 |
| gw-floh-2 | 77.87.48.92 | onlinefloh dot freifunk at web dot de | server @Tempelhof |
| schaeuble | 77.87.48.93 | patrick lunatiki de | pberg vpn gate |
| inorouter | 77.87.48.94 | patrick lunatiki de | xberg Zossener uplink |
| zeratul | 77.87.48.95 | andreas dot pittrich web de | |
| caminetto-2 | 77.87.48.96 | Prometheus | |
| 23-5 | 77.87.48.97 | freifunk@23-5.eu | |
| 77.87.48.98 | |||
| 77.87.48.99 | |||
| chi.cyranjo.org | 77.87.48.100 | steven midlink org | Freifunk Halle VPN #1 |
| bno_test | 77.87.48.101 | dennis_bartsch hotmail com | |
| 77.87.48.102 | |||
| hannover | 77.87.48.103 | toxxic freifunk-hannover de | Freifunk Hannover Testing |
| 77.87.48.104 | |||
| joti | 77.87.48.105 | johannes soziologiker org | Hostname ändert sich noch, update ich dann |
| 56.3 | 77.87.48.106 | freifunkbs gmx-topmail de | Test |
| 77.87.48.107 | |||
| 77.87.48.108 | |||
| 77.87.48.109 | |||
| wien | 77.87.48.110 | aaron dot lo-res dotdotdot org | via tunnel.wien.funkfeuer.at |
| hamburg | 77.87.48.111 | ds at ainex net | bgp vpn router |
| charon.fh.ff.jpod.cc | 77.87.48.112 | freifunk at jpod.cc | fhain vpn gate0 |
| wrt0.fh.ff.jpod.cc | 77.87.48.113 | freifunk at jpod.cc | fhain vpn gate1 |
| houston | 77.87.48.114 | freifunk at jpod.cc | FOKUS vpn gate |
| vpn4.ff.jpod.cc | 77.87.48.115 | freifunk at jpod.cc | vpn gate |
| cronus.ff.jpod.cc | 77.87.48.116 | freifunk at jpod.cc | vpn gate |
| erfurt | 77.87.48.117 | sb at ilmbeat net | http://erfurt.freifunk.net |
| rhea.ff.jpod.cc | 77.87.48.118 | freifunk at jpod.cc | vpn gate |
| 77.87.48.119 | |||
| pberg.freifunk.net | 77.87.48.120 | admin at pberg dot freifunk dot net | http://pberg.freifunk.net |
| chinchilla | 77.87.48.121 | robin pt pberg dot freifunk dot net | |
| 77.87.48.122 | |||
| wonka | 77.87.48.123 | w-l2gvpn near chaos dot in-kiel dot de | test test test :) |
| StefanoGSoC | 77.87.48.124 | pillastefano at gmail dot com | Tunnel for GSoC Project |
| jwyzer1 | 77.87.48.125 | john dot wyzer at gmx dot de | lonely node in x-berg |
| bubble | 77.87.48.126 | andre dot riehl at web dot de | lonely node in Lichtenberg |
Ipv6 addresses
uses fdca:ffee:babe:dad0::/64 - http://www.sixxs.net/tools/grh/ula/list/
OLSR config
IPv4
For olsrd v4 status look at http://vpn.berlin.freifunk.net:8080/nodes
to use the tunnel, add l2gvpn interface to olsr configuration at /etc/config/olsr
config 'Interface'
option 'Interface' 'bbb'
option 'HelloInterval' '10.0'
option 'HelloValidityTime' '900.0'
option 'TcInterval' '30.0'
option 'TcValidityTime' '2700.0'
option 'MidInterval' '150.0'
option 'MidValidityTime' '2700.0'
option 'HnaInterval' '150.0'
option 'HnaValidityTime' '900.0'
option 'Ip4Broadcast' '255.255.255.255'
option 'LinkQualityMult' 'default 0.1'
option 'LinkQualityMult' '77.87.48.65 0.5'
IPv6
For olsrd v6 status look at http://vpn.berlin.freifunk.net:8080/nodes
More Info for our 6Mesh Tests at 6mesh.freifunk.net
config 'Interface'
option 'Interface' 'bbb'
option 'HelloInterval' '10.0'
option 'HelloValidityTime' '900.0'
option 'TcInterval' '30.0'
option 'TcValidityTime' '2700.0'
option 'MidInterval' '150.0'
option 'MidValidityTime' '2700.0'
option 'HnaInterval' '150.0'
option 'HnaValidityTime' '900.0'
option 'Ip6AddrType' 'global'
option 'LinkQualityMult' 'default 0.1'
option 'LinkQualityMult' '77.87.48.65 0.5'
OSPF config
/etc/quagga/daemons
zebra=yes bgpd=no ospfd=yes
/etc/quagga/vtysh.conf
! ! Sample configuration file for vtysh. ! service integrated-vtysh-config !hostname quagga-router username root nopassword !
/etc/quagga/Quagga.conf
log file /var/log/quagga/bgpd.log log syslog informational ! password freifunk2009 enable password freifunk2009 ! interface bbb ip ospf authentication-key freifunk ipv6 nd suppress-ra ! router ospf ospf router-id 77.87.48.XX network 77.87.48.64/26 area 0.0.0.0 network 77.87.<your net>/xx area 0.0.0.0 ! ip forwarding ipv6 forwarding ! line vty !
test cases
gvpn test cases
- ipv6
- RA (gibs ne adresse vom benachbarten radvd)
- neighbour rechability via ll-addr. (ndp testen) (ping6 ll-nachbar)
- olsr (kommt multicast an? olsr nachbarn?) einheitliche olsr version
- routing (von 1 hop hinter vpn zu 1 hop hinter vpn)
- ipv4
- olsr (nachbarn?)
- std broadcast (kommt er an?)
- full broadcast (kommt er an?)
- link local multicast (komm er an?)
- routing (von 1 hop hinter vpn zu 1 hop hinter vpn)
- arp (ping ll-nachbar)
- dhcp (dhclient)
- olsr (nachbarn?)
- layer-2
- bridging (gehen all diese tests auch, wenn der testnode per bridge am tap device hängt?)
- STP? (gute frage)
- MTU
- Path MTU discovery (ping?) (tcp?) (tools?)
linux: tracepath BSD:
- generelly administrativia
- syncrone revisionen (nighly builds)
- automatische generierung von packages
- debian (libuci statisch linken.)
- openwrt
- automatische generierung von packages
- geskriptete updates, ssh keys
- syncrone revisionen (nighly builds)
- jitter messung?
- periodische bandbreitenvergleiche zwischen mit vpn und ohne vpn (tcp)
fixes n2n_v1
set netmask via command line argument
|
Wichtig: Already done at no-route.org SVN repo. |
Here is a more clean (kind of) solution to supply the subnet mask via command line argument:
--- edge.c 2008-12-11 16:54:00.000000000 +0100
+++ edge.c 2008-12-11 21:40:15.000000000 +0100
@@ -17,6 +17,7 @@
* Code contributions courtesy of:
* Richard Andrews <bbmaj7@yahoo.com.au>
* Don Bindner <don.bindner@gmail.com>
+ * Sylwester Sosnowski <syso-n2n@no-route.org>
*
*/
@@ -252,6 +253,7 @@
"-a <tun IP address> "
"-c <community> "
"-k <encrypt key> "
+ "-s <subnet mask> "
#ifndef WIN32
"[-u <uid> -g <gid>]"
"[-f]"
@@ -271,6 +273,7 @@
printf("-k <encrypt key> | Encryption key (ASCII) - also N2N_KEY=<encrypt key>\n");
printf("-l <supernode host:port> | Supernode IP:port\n");
printf("-p <local port> | Local port used for connecting to supernode\n");
+ printf("-s <subnet mask> | n2n Subnet mask (Default: 255.255.255.0)\n");
#ifndef WIN32
printf("-u <UID> | User ID (numeric) to use when privileges are dropped\n");
printf("-g <GID> | Group ID (numeric) to use when privileges are dropped\n");
@@ -1125,7 +1128,9 @@
int opt, local_port = 0 /* any port */;
char *tuntap_dev_name = "edge0";
char *ip_addr = NULL;
+ char *subnet_mask = "255.255.255.0";
ipstr_t ip_buf;
+ int got_s = 0;
#ifndef WIN32
uid_t userid=0; /* root is the only guaranteed ID */
@@ -1196,7 +1201,7 @@
/* {int k;for(k=0;k<effectiveargc;++k) printf("%s\n",effectiveargv[k]);} */
optarg = NULL;
- while((opt = getopt_long(effectiveargc, effectiveargv, "k:a:c:u:g:m:d:l:p:fvhrt", long_options, NULL)) != EOF) {
+ while((opt = getopt_long(effectiveargc, effectiveargv, "k:a:c:u:g:m:s:d:l:p:fvhrt", long_options, NULL)) != EOF) {
switch (opt) {
case 'a':
ip_addr = strdup(optarg);
@@ -1249,6 +1254,14 @@
case 'p':
local_port = atoi(optarg);
break;
+ case 's': /* Subnet Mask */
+ if (got_s == 1) {
+ traceEvent(TRACE_WARNING, "Multiple subnet masks supplied.");
+ free(subnet_mask);
+ }
+ subnet_mask = strdup(optarg);
+ got_s = 1;
+ break;
case 'h': /* help */
help();
break;
@@ -1274,7 +1287,7 @@
/* setgid( 0 ); */
#endif
- if(tuntap_open(&(eee.device), tuntap_dev_name, ip_addr, "255.255.255.0", device_mac ) < 0)
+ if(tuntap_open(&(eee.device), tuntap_dev_name, ip_addr, subnet_mask, device_mac ) < 0)
return(-1);
#ifndef WIN32
allow broadcast packets to every address, modify the packet_check to allow all packets
ugly
to allow broadcast packets to every address (i.e. OLSR bcast 255.255.255.255) modify the packet_check to allow all packets.
Index: edge.c
===================================================================
--- edge.c (revision 3626)
+++ edge.c (working copy)
@@ -865,6 +865,10 @@
traceEvent(TRACE_INFO, "Discarding routed packet [rcvd=%s][expected=%s]",
intoa(ntohl(the_ip->ip_dst.s_addr), ip_buf, sizeof(ip_buf)),
intoa(ntohl(eee->device.ip_addr), ip_buf2, sizeof(ip_buf2)));
+
+ /* dpa */
+ return(0);
+
} else {
/* This packet is for us */
less ugly (by wonka)
Index: edge.c
===================================================================
--- edge.c (revision 3593)
+++ edge.c (working copy)
@@ -725,9 +725,12 @@
/* Note: all elements of the_ip are in network order */
struct ip *the_ip = (struct ip*)(pkt+sizeof(struct ether_header));
+
+ struct in_addr bcast = { 0xffffffff };
if((the_ip->ip_dst.s_addr != eee->device.ip_addr)
- && ((the_ip->ip_dst.s_addr & eee->device.device_mask) != (eee->device.ip_addr & eee->device.device_mask))) /* Not a broadcast */
+ && ((the_ip->ip_dst.s_addr & eee->device.device_mask) != (eee->device.ip_addr & eee->device.device_mask)) /* Not a broadcast */
+ && ((the_ip->ip_dst.s_addr) != (bcast.s_addr))) /* really not a broadcast */
{
ipstr_t ip_buf;
ipstr_t ip_buf2;
