Supernode: difference between revisions
Older revision: Kaleng (talk | contributions) (+ being edited) | Newer revision: Kaleng (talk | contributions) (Fastd)
Revision as of 22 February 2014, 21:31
===== Currently being edited. Please do not change =====
== Prerequisites ==
[https://en.wikipedia.org/wiki/Supernode_%28networking%29 wikipedia-article]
Required software
1) [https://projects.universe-factory.net/projects/fastd fastd] mesh-node-vpn
2) [vpn-key-upload] (todo: remove overhead (apache, ruby, sinatra ...), KISS principle); not documented here (todo)
3) [batman-adv]
4) [tinc] mesh-backbone-vpn
5) OS: debian wheezy (or whatever you like)
You also need:
* a fastd private key
* an IPv4/IPv6 address and a subnet
== fastd ==
=== Installation ===
Add to /etc/apt/sources.list:
<pre>
deb http://repo.universe-factory.net/debian/ sid main
</pre>
Import the GPG key:
<pre>
gpg --keyserver pgpkeys.mit.edu --recv-key AB7A88C5B89033D8
gpg -a --export AB7A88C5B89033D8 | sudo apt-key add -
</pre>
<pre>
apt-get update
apt-get install fastd
</pre>
=== Configuration ===
"[YOUR SECRET KEY HERE]" must be replaced with the fastd secret key (ask for it).
<pre>
mkdir /etc/fastd/mesh-vpn;
cat > /etc/fastd/mesh-vpn/fastd.conf << EOF
# Log warnings and errors to stderr
#log level warn;
log level error;
# Log everything to a log file
#log to "/var/log/fastd-mesh-vpn.log" level debug;
log to "/var/log/fastd-mesh-vpn.log" level warn;
# Set the interface name
interface "mesh-vpn";
# Offer xsalsa20-poly1305 (preferred) and the "null" method, which fastd runs
# without encryption or authentication; aes128-gcm is disabled
method "xsalsa20-poly1305";
method "null";
#method "aes128-gcm";
# Bind to a fixed port, IPv4 only
bind 0.0.0.0:10000;
# Secret key generated by 'fastd --generate-key'
secret "[YOUR SECRET KEY HERE]";
# Set the interface MTU for TAP mode with xsalsa20/aes128 over IPv4 with a base MTU of 1492 (PPPoE)
# (see MTU selection documentation)
mtu 1426;
# Include peers from the directories 'peers' and 'backbone'
include peers from "peers";
include peers from "backbone";
on up "./fastd-up";
EOF
</pre>
Create the directory structure:
<pre>
mkdir /etc/fastd/mesh-vpn/backbone
mkdir /etc/fastd/mesh-vpn/peers
</pre>
Set up the backbone keys:
<pre>
$:/etc/fastd/mesh-vpn# ls backbone/
fastd1  fastd2  fastd3  fastd4
$:/etc/fastd/mesh-vpn# cat backbone/*
key "4f856d95bd596ac7724edca73a19e6e9d142b374df27166bb1a78e58785efc59";
remote ipv4 "fastd1.kbu.freifunk.net" port 10000;
key "e1916b66c4f8a795e217877cf72607d952e796463c7024dd9a6a47ae2929bc10";
remote ipv4 "fastd2.kbu.freifunk.net" port 10000;
key "d56181dfe9b5ac7cfe68a94c0ce406322a9924286a751673da0dcb28ad5218b0";
remote ipv4 "fastd3.kbu.freifunk.net" port 10000;
key "9b3f65f99963343e2785c8c4fad65e70b73ee7e1205d63bd84f3e2decb53e621";
remote ipv4 "fastd1.kbu.freifunk.net" port 10000;
</pre>
See [https://github.com/ff-kbu/fff/tree/v0.3-generic/files/lib/freifunk/mesh-vpn/backbone fastd-backbone] for more.
fastd-up script:
<pre>
cat > /etc/fastd/mesh-vpn/fastd-up << EOF
#!/bin/sh
/sbin/ip link set dev mesh-vpn up
/usr/sbin/batctl if add mesh-vpn
/usr/sbin/batctl gw_mode server
/sbin/ifconfig bat0 [YOUR IPv4 ADDRESS HERE] netmask 255.255.192.0 up
/sbin/ip rule add from 172.27.0.0/18 table ffkbu
/sbin/ip route add 172.27.0.0/18 dev bat0 table ffkbu
/sbin/ip route flush cache
EOF
</pre>
Make fastd-up executable:
<pre>
chmod +x /etc/fastd/mesh-vpn/fastd-up
</pre>
Load the batman-adv kernel module at boot. Add to /etc/modules.conf:
<pre>
batman-adv
</pre>
Disable PMTU discovery. Add to /etc/sysctl.conf:
<pre>
net.ipv4.ip_no_pmtu_disc=1
</pre>
== backbone-net (tinc) ==
<pre>
apt-get install tinc
</pre>
<pre>
root@fastd4:/etc/tinc/backbone# ls
bbkeys  hosts -> bbkeys  tinc.conf  tinc-up
</pre>
The public keys for the tinc backbone can be found [here]; add your public key to that repo.
tinc.conf:
<pre>
/etc/tinc/backbone# cat tinc.conf
Name=fastd4
Device=/dev/net/tun
Mode=router
Compression=9
ConnectTo=paula
ConnectTo=paul
#enough links?
</pre>
tinc-up:
<pre>
#!/bin/sh
ifconfig $INTERFACE 172.27.255.X netmask 255.255.255.0 up
#
#set some backbone related routes
ip route add 172.27.255.0/24 dev backbone table ffkbu
ip route add default dev backbone table ffkbu
ip route flush cache
</pre>
== routing ==
We need to set up policy-based routing:
<pre>
echo "200 ffkbu" >> /etc/iproute2/rt_tables
</pre>
The rules and routes for that table are added by the tinc-up and fastd-up scripts. The result should look like this:
<pre>
ip rule ls
0:      from all lookup local
32765:  from 172.27.0.0/18 lookup ffkbu
32766:  from all lookup main
32767:  from all lookup default
</pre>
<pre>
ip route list table ffkbu
default dev backbone  scope link
172.27.0.0/18 dev bat0  scope link
172.27.255.0/24 dev backbone  scope link
</pre>
== dhcpd.conf ==
<pre>
subnet 172.27.0.0 netmask 255.255.192.0 {
  #if guru talks about subnets,
  #just the range is meant!
  #all nodes, supernodes and clients
  #remain in the net 172.27.0.0/18
  range 172.27.XXX.XXX 172.27.XXX.XXX;
  option domain-name-servers 172.27.XXX.1;
  option domain-name "kbu.freifunk.net";
  option routers 172.27.XXX.1;
  option broadcast-address 172.27.63.255;
  default-lease-time 600;
  max-lease-time 7200;
}
</pre>
You also need to install bind9.
== fastd ==
=== UDP queue size ===
Broadcasts can cause brief but high load peaks on supernodes. In the current batman-adv version every broadcast packet is, in addition, sent three times on every link. The comparatively high data rate of 100 MBit/s between supernodes also means that broadcast packets can arrive at 100 MBit/s while at the same time having to be forwarded to all nodes.
Linux distributions by default provide queue sizes in the region of 128 KB (http://www.cyberciti.biz/faq/linux-tcp-tuning/). Supernodes are therefore unable to buffer such load peaks and send them out during idle times. When the UDP queue overflows, fastd logs:
<pre>
2013-03-30 12:32:01 +0100 --- Warning: sendmsg: Resource temporarily unavailable
2013-03-30 12:32:01 +0100 --- Warning: sendmsg: Resource temporarily unavailable
2013-03-30 12:32:01 +0100 --- Warning: sendmsg: Resource temporarily unavailable
2013-03-30 12:32:01 +0100 --- Warning: sendmsg: Resource temporarily unavailable
2013-03-30 12:32:01 +0100 --- Warning: sendmsg: Resource temporarily unavailable
</pre>
Each log entry corresponds to one packet that could not be enqueued and was therefore dropped. The queue sizes can be adjusted via sysctl (http://wwwx.cs.unc.edu/~sparkst/howto/network_tuning.php). On fastd2 the following is currently used:
<pre>
#/etc/sysctl.conf
net.core.rmem_max=83886080
net.core.wmem_max=83886080
net.core.rmem_default=83886080
net.core.wmem_default=83886080
</pre>
This gives the system 80 MB of memory for queues. By default, 80 MB is likewise available. The configured 80 MB is enough to saturate the 100 MBit/s link for several seconds and to absorb load peaks.
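To put numbers on the queue discussion above, here is an added example (not from the wiki page) that counts dropped packets from a fastd log (one warning line per packet, as stated above), reads net.core.wmem_max from a sysctl.conf-style file and computes how many milliseconds that buffer covers at a given line rate: 83886080 bytes at 100 MBit/s come out at 6710 ms, the 128 KB default (131072 bytes) at 10 ms. Assumed: POSIX sh with 64-bit shell arithmetic, grep, sed and mktemp; the log lines and sysctl snippets it builds are constructed from the page's excerpts.

```shell
#!/bin/sh
# Added example (not part of the wiki page): quantify the UDP send-queue
# sizing discussed above. Assumes POSIX sh with 64-bit arithmetic, grep, sed,
# mktemp; sample data below is constructed from the page's excerpts.

# count_enqueue_drops LOG: packets fastd could not enqueue (one warning line each).
count_enqueue_drops() {
    grep -c 'Warning: sendmsg: Resource temporarily unavailable' "$1" || true
}

# sysctl_value FILE KEY: numeric value of KEY in a sysctl.conf-style file (last one wins).
sysctl_value() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1" | tail -n 1
}

# buffer_ms BYTES MBIT: milliseconds a queue of BYTES holds at MBIT megabit/s,
# i.e. BYTES*8 bit / (MBIT*10^6 bit/s) * 1000 ms/s, truncated to an integer.
buffer_ms() {
    echo $(( $1 * 8 / ($2 * 1000) ))
}

# queue_verdict FILE MBIT MIN_MS: 0 if net.core.wmem_max in FILE buffers at least
# MIN_MS milliseconds at MBIT megabit/s, else 1. Missing key: assume the
# roughly 128 KB default the page cites.
queue_verdict() {
    v=$(sysctl_value "$1" net.core.wmem_max)
    [ -n "$v" ] || v=131072
    ms=$(buffer_ms "$v" "$2")
    echo "net.core.wmem_max=$v buffers $ms ms at $2 MBit/s (need $3 ms)"
    [ "$ms" -ge "$3" ]
}

main() {
    tmp=$(mktemp -d)
    # constructed log: five warnings in the format shown on the page
    i=0; while [ $i -lt 5 ]; do
        echo "2013-03-30 12:32:01 +0100 --- Warning: sendmsg: Resource temporarily unavailable"
        i=$((i + 1))
    done > "$tmp/fastd.log"
    echo "dropped packets in log: $(count_enqueue_drops "$tmp/fastd.log")"
    # distribution default versus the fastd2 setting from the page; require one second of burst
    printf 'net.core.wmem_max=131072\n' > "$tmp/default.conf"
    printf '#/etc/sysctl.conf\nnet.core.rmem_max=83886080\nnet.core.wmem_max=83886080\n' > "$tmp/fastd2.conf"
    queue_verdict "$tmp/default.conf" 100 1000 || echo "  -> too small for a one-second burst"
    queue_verdict "$tmp/fastd2.conf" 100 1000 && echo "  -> ok"
    rm -rf "$tmp"
}
main "$@"
```

The verdict uses the send side (wmem_max) because the warnings above come from sendmsg; the same arithmetic applies to rmem_max for the receiving direction.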