12/1/2018 ChaosVPN:Howto - CCCHHWiki

ChaosVPN:Howto
From CCCHHWiki

Back

Note:
ChaosVPN is a VPN to connect Hackers and Hackerspaces - it does
NOT provide anonymous internet access!
For this look at tor or other similar services.

It will also not help you to reach domains like .rdos, .lll, .clos or any
other strange things supposed to be available on the "dark web".

Alternative: If you prefer BGP, you can also connect via https://dn42.net/, we are
interconnected.

QUICK HOWTO

Written for by a debian user. If you use a different OS just make the steps accordingly. If you just want an easy
Debian way look at our ChaosVPN:DebianHowto

Contents
1 Install software
1.1 Install necessary helper programs
1.2 Install tinc
1.3 Create config directory
1.4 Install our ChaosVPN software
1.4.1 Compile for yourself from our git repository
1.4.1.1 way 1: create a git snapshot debian package
1.4.1.2 way 2: create debian package and install this
1.4.1.3 way 3: just compile and install the raw binary
2 Get your new node added to the central configuration
2.1 Devise a network-nick and a unique IP range you will be using
2.2 Hostname
2.3 Generate keys
2.3.1 Generate keys with tinc 1.1+

https://wiki.hamburg.ccc.de/ChaosVPN:Howto 1/6
12/1/2018 ChaosVPN:Howto - CCCHHWiki

2.3.2 Generate keys with tinc 1.0.xx

2.4 Mail us your Infos
3 Customize configfile
4 Enable Starting of ChaosVPN
5 script in /etc/ppp/ip-up to autostart, or to restart from time to time via cron

Install software
Install necessary helper programs
needed to use the chaosvpn client:

# apt-get install tinc iproute libssl0.9.8 zlib1g

needed to compile the chaosvpn-client if not using a precreated debian package for it:

# apt-get install build-essential git-core bison flex libssl-dev zlib1g-dev

Install tinc

# apt-get install tinc

You need either the package from Debian squeeze/unstable, or a lenny backport like from
http://debian.sdinet.de/lenny/sdinet/tinc/

This should be at least tinc version 1.0.13, but may work with 1.0.10 or later.

Or visit http://tinc-vpn.org/, download and build yourself - at a minimum ./configure, specify the parameter --
sysconfdir=/etc, and check the binary in the script

If the tinc installation gives the following error:

> ./MAKEDEV: don't know how to make device "tun"

Then create the device by hand:

# mkdir -p /dev/net
# mknod /dev/net/tun c 10 200
# chown root:root /dev/net/tun
# chmod 600 /dev/net/tun

Create config directory

# mkdir -p /etc/tinc/chaos

https://wiki.hamburg.ccc.de/ChaosVPN:Howto 2/6
12/1/2018 ChaosVPN:Howto - CCCHHWiki

Install our ChaosVPN software

Compile for yourself from our git repository

Always needed to compile:

# git clone git://github.com/ryd/chaosvpn.git

# cd chaosvpn

way 1: create a git snapshot debian package

# apt-get install devscripts

# make deb
perhaps it throws an error about missing build dependencies, install these and retry.
# sudo dpkg -i ../chaosvpn_2.0*.deb
install the generated package file, replace filename above with real name.
it is also possible to copy the generated .deb package to a different machine of the same
architecture and install it there - no need to have a full compile environment
on your router/firewall.

way 2: create debian package and install this

# debuild
Answer the "This package has a Debian revision number but there does not seem to be
an appropriate original tar file or .orig directory in the parent directory" with "y"
# sudo dpkg -i ../chaosvpn_2.0*.deb
install the generated package file, replace filename above with real name.

way 3: just compile and install the raw binary

# make
# sudo make install

Get your new node added to the central configuration

Devise a network-nick and a unique IP range you will be using

This network-nick or sometimes called nodename is the name of the network endpoint/gateway where the vpn
software will be running,
not necessarily the name of the user, there may even be more than one gateway per user.

Used below where <nodename> is.

Please use only characters a-z, 0-9 and _ in it. Note that only lowercase letters are supported.

Second please select an unused IPv4 range out of IP Range, and write yourself down in that wiki page to mark
your future range as in-use.
Please select from the correct ranges, 172.31.*.* for Europe, and 10.100.*.* for North America and elsewhere.

Repeat: Please do not forget to add yourself to the list at IP Range to mark your range as used.
https://wiki.hamburg.ccc.de/ChaosVPN:Howto 3/6
12/1/2018 ChaosVPN:Howto - CCCHHWiki

Used below where <ipv4 subnet in the vpn> is.

The usage of IPv6 networks is also possible, but we do not have a central range for this (yet),
you may specify an IPv6 range you received from your (tunnel) provider to be reachable over the VPN,
or a private IPv6 ULA (Unique Local Address) network described in RFC4193 (http://www.rfc-
editor.org/rfc/rfc4193.txt) .
For more info about ULA and a network-range generator please also see http://www.sixxs.net/tools/grh/ula/ .

Used below where <ipv6 subnet in the vpn> is.

Hostname

The gateway may have a DynDNS (or similar) hostname pointing to a dynamic IP, or a static hostname/fixed IP.

Better supply a hostname than a raw IP address even if it is static, so you can change it youself and do not need to
contact us when needed. (Perhaps something like chaosvpn.yourdomain.example)

Used below where <clienthost> is.

Generate keys

Generate keys with tinc 1.1+

# tinc --net=chaos init <nodename>

Replace <nodename> with the name your new node should get.

**FIXME** need some way that "tinc init" puts the public key into the seperate files and not only into the
generated hosts file, which our chaosvpn daemon overwrites.

generate public/private RSA and ECDSA keypairs with

# tinc --net=chaos generate-keys 2048

press Enter 4 times and backup the files /etc/tinc/chaos/ecdsa_key.priv, ecdsa_key.pub, rsa_key.priv and
rsa_key.pub on an external device.

Generate keys with tinc 1.0.xx

create chaos config folder with

# mkdir /etc/tinc/chaos/

generate public/private keypairs with

# tincd --net=chaos --generate-keys=2048

press Enter 2 times and backup the files /etc/tinc/chaos/rsa_key.priv and rsa_key.pub on an external device.
https://wiki.hamburg.ccc.de/ChaosVPN:Howto 4/6
12/1/2018 ChaosVPN:Howto - CCCHHWiki

Mail us your Infos

send via email to chaosvpn-join@hamburg.ccc.de

We need the following info - but please be so kind and also add a short description of you/your space and your
motivation to join chaosvpn - or at least make us laugh. :)

(Please remove all lines starting with # from the email, they are just descriptions)

[<nodename>]

sponsor=
# Name a person/nickname/nodename or organisation/hackerspace already on ChaosVPN that will
# vouch for you getting access.

gatewayhost=<clienthost>
# This should be the external hostname or ip address of the client host, not a VPN address.
# If the client is not reachable over the internet leave it out and set hidden=1 below.
# If possible supply a hostname (even dyndns) and not an ip address for easier changing
# from your side without touching the central config.

network=<ipv4 subnet in the vpn>

network6=<ipv6 subnet in the vpn>
# (mandatory, must include)
# this may be more than one, IPv4 or IPv6, network6 with IPv6 is optional
#
# These subnets must be unique in our vpn,
# simply renumber your home network (or use something like NETMAP) with a network block that is still free.
#
# Please use the list of assigned networks on ChaosVPN:IPRanges, and add yourself there.

owner=
# (mandatory, must include)
# Admin of the VPN gateway, with email address - a way to contact the responsible
# person in case of problems with your network link.

port=4712
# (optional)
# if not specified tinc works on tcp+udp port 655
# it is better if everyone chooses a random port for this.
# either this specified port or port 655 should accept TCP and UDP traffic from internet.

hidden=0
# (optional)
# "I cannot accept inbound tunnel connections, I can only connect out."
# (e.g. behind a NAT)
silent=0
# (optional)
# "I cannot connect out, but you can connect to me."
# Only ONE of hidden=1 or silent=1 is possible.

Ed25519PublicKey=<something>
# (optional)
# tinc 1.1pre11+ only, contents of your /etc/tinc/chaos/ed25519_key.pub

-----BEGIN RSA PUBLIC KEY-----

....
-----END RSA PUBLIC KEY-----
# (mandatory)
# rsa-public-key - contents of your /etc/tinc/chaos/rsa_key.pub

Awaiting Response, give us some days, your request is processed manually

Retry until $success or $reject - but do not spam us.

https://wiki.hamburg.ccc.de/ChaosVPN:Howto 5/6
12/1/2018 ChaosVPN:Howto - CCCHHWiki

Customize configfile
edit the chaosvpn.conf in /etc/tinc/

$my_peerid = <nodename>

$my_vpn_ip = 172.31.<your Subnet>.[1-255]

Enable Starting of ChaosVPN

If you installed ChaosVPN through our Debian packages it is not started by default.

To enable this edit the file /etc/default/chaosvpn and change the RUN= line to RUN="yes"

After all changes (re-)start the chaosvpn client:

# /etc/init.d/chaosvpn start

If you made everything correct there should now be a tinc daemon running, and the output of 'route -n' should
show lots of routes pointing to the new 'chaos_vpn' network interface.

On other systems you have to take a look at our debian/init.d example script and adapt it for your environment.

script in /etc/ppp/ip-up to autostart, or to restart from

time to time via cron
if you built a debian package and installed it the cron and ip-up parts are already setup, if you installed it manually
with make install you have to do it yourself.

and with luck, it will function beautifully! ;)

todo: tons ;) test in particular, and adjust docs for other linux distros, and perhaps even with *bsd

Retrieved from "https://wiki.hamburg.ccc.de/index.php?title=ChaosVPN:Howto&oldid=10521"

Category: ChaosVPN

This page was last modified on 24 May 2016, at 20:32.

This page has been accessed 40,703 times.

https://wiki.hamburg.ccc.de/ChaosVPN:Howto 6/6