From: Rob Date: Fri, 4 May 2018 17:55:01 +0000 (+0800) Subject: fastd tutorial + minor changes X-Git-Url: https://robinkrens.nl/gitweb/?a=commitdiff_plain;h=851aadd07146e96a5e6611b386f5ff210b753e6d;p=robinkrens.nl fastd tutorial + minor changes --- diff --git a/chinese.html b/chinese.html new file mode 100644 index 0000000..134e4ed --- /dev/null +++ b/chinese.html @@ -0,0 +1,58 @@ + + + +Chinese Learning + + + + +

Chinese Learning

+ +

Here are some resources for the more advanced learners. Instead of using books, you might want to pick a podcast, tv show or radio program that Chinese listen to themselves. Still have to parse the Chinese correctly... +

+
+ +

原来æ~&hibar;è¿TM样!- http://www.ximalaya.com/7200706/album/246622/ +Podcast about some interesting scientific (useless?) facts. It's a two host show, with basically the girl 装ç–&hibar;卖傻. Recordings are quite long, but well eloborated and not too technical. +

+

Difficulty: 3 +

+

上班脱口秀 - http://www.ximalaya.com/6534662/album/336435/ +Short broadcast about current events. Supposed to be funny, but that might be a matter of taste. Great way to stay up to date. Pace is fast, a lot of slang. +

+

Difficulty: 4 +

+

新闻今日谈 https://www.youtube.com/playlist?list=PLvXvMUSstINcZQzOoZifThjUr-rNp3ENm +Analysis of political events. A guest speaker is invited and does usually discuss two news items in 20 minutes. Hosts are from mainland, taiwan and hongkong, might have some dialect issues. +

+

Difficulty: 4.5 +

+

圓桌派
+The continuation of 锵锵三人行, that for some reason dissapeared. Four people discussing current events, pace is slow, use a lot of trendy words. Has subtitles in Chinese +https://www.youtube.com/playlist?list=PLvXvMUSstINcZQzOoZifThjUr-rNp3ENm +

+

Diffuculty: 3.5 +

+

凤凰财知道
+Although the name says finance, it basically discusses anyting that is even remotely related to money. Short, but quite intense. You can find subtitles somewhere in cyberspace if you search on the title. +

+

http://diantai.ifeng.com/#!/category/1/92395 +

+

Difficulty: 5 +

+

一èTMŽä¸€å¸­è°ˆ
+Discussion panel with many speakers (including the audience). An excited and composed host. Often has non-native speakers on the show. About societal issues, often a 'Yes' front and 'No' front. Quite long, but has subtitles. + https://www.youtube.com/playlist?list=PLvXvMUSstINfmrcFH0LFBBYW9OcEuA3yx +

+

Difficulty 4.5 +

+

公开è&hibar;¾
+These are some free courses you can download (most are on university level) +谈判学 - series of classes about negotiation +物流学 - series of classes about transportation +

+

Difficulty: 4

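Review bot: the 圓桌派 entry links to the same YouTube playlist as 新闻今日谈 (`PLvXvMUSstINcZQzOoZifThjUr-rNp3ENm`), which looks like a copy-paste slip; the playlist for 圓桌派 should be its own. Several headings and phrases in this hunk (`原来æ~&hibar;è¿TM样`, `装ç–&hibar;卖傻`, `一èTMŽä¸€å¸­è°ˆ`, `公开è&hibar;¾`) contain mis-encoded characters while the other Chinese titles (上班脱口秀, 新闻今日谈, 凤凰财知道) render correctly, so the file appears to mix encodings; re-save it consistently as UTF-8 and check the page's charset declaration. Spelling: eloborated, dissapeared, anyting, Diffuculty.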
+ + + diff --git a/fastd.html b/fastd.html new file mode 100644 index 0000000..3f859f0 --- /dev/null +++ b/fastd.html @@ -0,0 +1,276 @@ + + + +robinkrens.nl - Redirecting traffic using FastD + + + + +

robinkrens.nl - Redirecting traffic using FastD

+ +

FastD is a VPN daemon that has many features of OpenVPN and Tinc and is optimized for small code size and small number of dependencies. Fastd became popular on small devices like routers. In this tutorial we will configure a listening peer (alpha) and a connecting peer (anyremote). On a side note, with fastD you can setup mesh networks (n:n), as opposed to classical clients server networks (1:n). This configuration can be seen as a simple (1:1) setup between the listening alpha peer and our connecting client anyremote. All traffic from anyremote is redirected to alpha, making alpha the default gateway. This configuration has a lot of similarities with the tinc tutorial (that you can find here: http://www.robinkrens.nl/tutorials/tinc.html). Documentation and manual pages of fastd can be found here http://fastd.readthedocs.io +

+
+ +

Alpha peer

+ +

To run the daemon you only need one configuration file. You can place it in fastd's defualt directory /etc/fastd/fastd.conf. Here we show a standard configuration of fastd.conf with some minor changes: +

+
+        # Log warnings and errors to stderr
+        log level warn;
+
+        # Log everything to syslog
+        log to syslog level debug;
+
+        # tunnel mode (default is tap). 
+        # We use tunneling mode, since we are dealing with routing
+        mode tun;
+
+        # Set the interface name
+        # you can use any name you like
+        # this is the name to configure your interface wit
+        interface "vpngateway";
+
+        # encryption method to use
+        falls back to null if salsa is not chosen.
+        method "salsa2012+umac";
+        method "null";
+
+        # Bind to a fixed port, IPv4 only
+        # If your remote ip is 1.2.3.4, make sure 1.2.3.4:10000 is accesible
+        bind 0.0.0.0:10000;
+
+        # Secret key generated by `fastd --generate-key`
+        # --generate-key outputs a file with a secret and public key
+        # secret key goes in here. Public keys is distributed amongst other peers
+        # read about PKI infrastructures if you don't know about this.
+        secret "supersecretkey";
+
+        # (see MTU selection documentation)
+        # base MTU is 1500 and you want to use TUN mode over IPv4 with any 
+        # crypto method: Choose 1500 - 52 = 1448 bytes.
+        mtu 1448;
+
+        # on up: shell script to configure the tun interface on daemon start
+        on up "./interface-up";
+
+        # on down: shell script when daemon is terminated
+        on down "./interface-down"; 
+
+        # Include peers from the directory 'peers'
+        # anyremote is a peer trying to connect to alpha
+        include peer "peers/anyremote";
+
+

Keys can be generate by running --generate-key (written to stdout): + +

+        root@alpha:~$ fastd --generate-key > keys
+        root@alpha:~$ cat keys
+        2018-04-30 19:25:57 +0800 --- Info: Reading 32 bytes from /dev/random...
+        Secret: 5035de5b4ea448b74e9a373765207095057a9485fd9dca5fadb9c1b86347bd75
+        Public: 8cb5e8d70d34f52716b6c4de518af2edfd6794e68ef1b3f0608cf05dd6a2ef42
+
+

The secret key needs to be added to the above fastd.conf file. The public needs to be spread amongst peers (as we explain later). +on up "./interface-up" will run a simple shell script and configures our network interface vpngateway (make sure this script is executable). +This is our interface.up script: We create a virtual IP: 172.16.16.1. +

+
+        #!/bin/bash
+        ip link set $INTERFACE up
+        ip addr add 172.16.16.1/24 dev $INTERFACE
+
+

If we terminate fastd, we run a similar script as defined in interface-down + +

+        #!/bin/sh
+        ip addr del 172.16.16.1/24 dev $INTERFACE
+        ip link set $INTERFACE down
+
+

We will create the peer/anyremote file after we finished configuring anyremote and its public key +

+

Anyremote peer

+ +

Similar to alpha, we create /etc/fastd/fastd.conf. Since we only need to connect to alpha we don't need to bind to a fixed port. +

+
+        # log arnings and errors to stderr
+        log level warn;
+
+        # Log everything to syslog
+        log to syslog level debug;
+
+        # tunnel mode (default is tap)
+        mode tun;
+
+        # Set the interface name
+        interface "vpngateway";
+
+        # Support salsa2012+umac and null methods, prefer salsa2012+umac
+        method "salsa2012+umac";
+        method "null";
+
+        # Secret key generated by `fastd --generate-key`
+        secret "supersecretkey";
+
+        # (see MTU selection documentation)
+        mtu 1448;
+
+        # daemon start
+        on up "./interface-up";
+
+        # daemon terminated
+        on down "./interface-down";
+
+        # if a connection is established set up the gateway
+        on establish "./set-gateway";
+
+        # if the connection is lost restore the default gateway
+        on disestablish "./restore-gateway";
+
+        # Include peers from the directory 'peers'
+        include peer "peers/alpha";
+
+

For anyremote we also need to generate a key pair and replace the "supersecretkey" with the secret key value. The public key will be given to alpha (explained in a little while) +

+
+        root@anyremote~ $ fastd --generate-keys > anyremote-keypair
+        root@anyremote~ $ cat anyremote-keypair
+        2018-05-01 19:48:49 +0800 --- Info: Reading 32 bytes from /dev/random...
+        Secret: c0a611e0d4f3075b45cf172d3221c8427008e2c6f541b5b6adda0368cb79f271
+        Public: 2598c5d7e72f171731658ce35734ff7599e1840367422e1a9c5943c327ab5ea9
+
+ +

on up and on down are similar to alpha (except the ip address). interface-up: + +

+        #!/bin/bash
+        ip link set $INTERFACE up
+        ip addr add 172.16.16.2/24 dev $INTERFACE
+
+ +

interface-down: +

+
+        #!/bin/sh
+        ip addr del 172.16.16.1/24 dev $INTERFACE
+        ip link set $INTERFACE down
+
+

We need to include some information about how to connect to alpha. We define in a file (/etc/fastd/peers/alpha): +

+
+        root@anyremote:/etc/fastd/peers/ $ cat alpha
+        # alpha 
+        key "8cb5e8d70d34f52716b6c4de518af2edfd6794e68ef1b3f0608cf05dd6a2ef42";
+        remote 1.2.3.4:10000;
+
+

key means the public key we just created with --generate-keys the alpha section. Here we add a remote ip to which anyremote tries to connect to. Make sure port numbers are the same. +Don't forget to also add our our just created public key to our alpha server: +

+
+        root@alpha:/etc/fastd/peers/ $ cat anyremote
+        # anyremote
+        key "2598c5d7e72f171731658ce35734ff7599e1840367422e1a9c5943c327ab5ea9";
+
+

This will allow alpha to accept connections from anyremote. Note: you don't need to specify a remote address, this will make it more dynamic and you can connect with anyremote from anywhere as long as you have the private key. +

+

After these steps you should be able to run both alpha and anyremote. You can run the daemon as follows: + +

+        root@alpha:~ $ fastd -c /etc/fastd/fastd.conf &
+        root@anyremote:~ $ fastd -c /etc/fastd/fastd.conf &
+
+

The interface vpngateway should show up and you should be able to ping to both hosts us. + +

Now, in our config file of anyremote we see two additionals values: on establish and on disestablish. Once the connection is (dis)established, fastd will execute these scripts. This brings us two the last step: setting the default gateway of anyremote to point to alpha +

+

Alpha as gateway for anyremote

+ +

Have a look at the tinc tutorial (gateway section) about the theory of routing and gateways. +We add the following scripts in /etc/fastd of anyremote if a connection with alpha is established: (set-gateway) + +

+        #!/bin/bash
+        #ip link set $INTERFACE up
+        #ip addr add 172.16.16.2/24 dev $INTERFACE
+
+        VPN_GATEWAY=172.16.16.1
+        ORIGINAL_GATEWAY=`ip route show | grep ^default | cut -d ' ' -f 2-5`
+        REMOTEADDRESS=1.2.3.4
+
+        ip route add $REMOTEADDRESS $ORIGINAL_GATEWAY
+        ip route add $VPN_GATEWAY dev $INTERFACE
+        ip route add 0.0.0.0/1 via $VPN_GATEWAY dev $INTERFACE
+        ip route add 128.0.0.0/1 via $VPN_GATEWAY dev $INTERFACE
+
+ +

And, similar, if the connecting is lost: (restore-gateway): +

+
+        #!/bin/sh
+        #ip addr del 172.16.16.2/24 dev $INTERFACE
+        #ip link set $INTERFACE down
+
+        ORIGINAL_GATEWAY=`ip route show | grep ^default | cut -d ' ' -f 2-5`
+        REMOTEADDRESS=45.76.159.1
+
+        ip route del $REMOTEADDRESS $ORIGINAL_GATEWAY
+        ip route del $VPN_GATEWAY dev $INTERFACE
+        ip route del 0.0.0.0/1 dev $INTERFACE
+        ip route del 128.0.0.0/1 dev $INTERFACE
+
+

Setup firewall

+ +

Make sure forwarding is enabled on alpha. Make sure you have masquerading or another form of routing set up on alpha. If you don't masquerade outgoing (forwarded anyremote) packets, the source address in in the TCP/UDP package will still remain 172.16.16.2. Please have a look here: http://www.tldp.org/LDP/nag2/x-087-2-ipmasq.html if you don't know about NAT and masquerading. +

+
+        #!/bin/sh
+        # iptables config line to masquerade
+        
+        echo "Enabling IPv4 forwarding"
+        echo 1 >/proc/sys/net/ipv4/ip_forward
+        
+        echo "Appending Masquerade rule to iptables"
+        iptables -t nat -A POSTROUTING -s 172.16.16.0/255.255.255.0 -o eth0 -j MASQUERADE
+
+

I use iptables to masquerade the (-s) source address on the (-o) interface eth0. +

+

Test the gateway

+ +

Restart the daemon on alpha and anyremote. Use route -n to see check your routing tables. Ping both 172.16.16.1 and 1.2.3.4 (external address). In case of problems, trace the connections or analyze the data with tools like wireshark. +

+

Troubleshooting help

+ + +
+        root@anyremote:~$ cat /etc/resolv.conf  
+        # resolv.conf file
+        nameserver 127.0.1.0
+
+ +
+        IP ROUTING TABLE
+        link-local      *               255.255.0.0     U     1000   0        0 wlp7s0
+
+ +
+        --log-level error|warn|info|verbose|debug|debug2
+        Sets the stderr log level; default is info if no alternative log
+        destination is configured.
+
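Review bot: in alpha's fastd.conf the line `falls back to null if salsa is not chosen.` has no leading `#`, so it is not valid fastd configuration syntax and the daemon will refuse to load the file; make it a comment like the lines around it. Related: `method "null";` on both peers offers an unencrypted, unauthenticated method as a fallback, which defeats the purpose of a gateway tunnel; drop it on alpha and anyremote unless a plaintext fallback is deliberately wanted, and since `secret` lives in fastd.conf the tutorial should tell readers to restrict that file to root (mode 0600). Further defects in this hunk: anyremote's interface-down deletes `172.16.16.1/24` although its interface-up added `172.16.16.2/24`; restore-gateway sets `REMOTEADDRESS=45.76.159.1` while set-gateway uses `1.2.3.4`, and it never defines `VPN_GATEWAY`, so `ip route del $VPN_GATEWAY dev $INTERFACE` runs with an empty argument and fails; the anyremote transcript uses `--generate-keys` where alpha correctly uses `--generate-key`. Finally, the Troubleshooting section here is three bare code blocks (resolv.conf, routing table, --log-level) with none of the explanatory bullets that the fastd.txt version carries, so it reads as unfinished.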
+ + + + diff --git a/fastd.txt b/fastd.txt new file mode 100644 index 0000000..6db9bd6 --- /dev/null +++ b/fastd.txt 
@@ -0,0 +1,248 @@ +robinkrens.nl - Redirecting traffic using FastD +===== + +FastD is a VPN daemon that has many features of OpenVPN and Tinc and is optimized for small code size and small number of dependencies. Fastd became popular on small devices like routers. In this tutorial we will configure a listening peer (alpha) and a connecting peer (anyremote). On a side note, with fastD you can setup mesh networks (n:n), as opposed to classical clients server networks (1:n). This configuration can be seen as a simple (1:1) setup between the listening *alpha* peer and our connecting client *anyremote*. All traffic from anyremote is redirected to alpha, making alpha the default gateway. This configuration has a lot of similarities with the tinc tutorial (that you can find here: http://www.robinkrens.nl/tutorials/tinc.html). Documentation and manual pages of fastd can be found here http://fastd.readthedocs.io + +-------------- + +Alpha peer +********** + +To run the daemon you only need one configuration file. You can place it in fastd's defualt directory _/etc/fastd/fastd.conf_. Here we show a standard configuration of _fastd.conf_ with some minor changes: + + # Log warnings and errors to stderr + log level warn; + + # Log everything to syslog + log to syslog level debug; + + # tunnel mode (default is tap). + # We use tunneling mode, since we are dealing with routing + mode tun; + + # Set the interface name + # you can use any name you like + # this is the name to configure your interface wit + interface "vpngateway"; + + # encryption method to use + falls back to null if salsa is not chosen. + method "salsa2012+umac"; + method "null"; + + # Bind to a fixed port, IPv4 only + # If your remote ip is 1.2.3.4, make sure 1.2.3.4:10000 is accesible + bind 0.0.0.0:10000; + + # Secret key generated by `fastd --generate-key` + # --generate-key outputs a file with a secret and public key + # secret key goes in here. 
Public keys is distributed amongst other peers + # read about PKI infrastructures if you don't know about this. + secret "supersecretkey"; + + # (see MTU selection documentation) + # base MTU is 1500 and you want to use TUN mode over IPv4 with any + # crypto method: Choose 1500 - 52 = 1448 bytes. + mtu 1448; + + # on up: shell script to configure the tun interface on daemon start + on up "./interface-up"; + + # on down: shell script when daemon is terminated + on down "./interface-down"; + + # Include peers from the directory 'peers' + # anyremote is a peer trying to connect to alpha + include peer "peers/anyremote"; + +Keys can be generate by running --generate-key (written to stdout): + + root@alpha:~$ fastd --generate-key > keys + root@alpha:~$ cat keys + 2018-04-30 19:25:57 +0800 --- Info: Reading 32 bytes from /dev/random... + Secret: 5035de5b4ea448b74e9a373765207095057a9485fd9dca5fadb9c1b86347bd75 + Public: 8cb5e8d70d34f52716b6c4de518af2edfd6794e68ef1b3f0608cf05dd6a2ef42 + +The secret key needs to be added to the above _fastd.conf_ file. The public needs to be spread amongst peers (as we explain later). +on up "./interface-up" will run a simple shell script and configures our network interface vpngateway (make sure this script is executable). +This is our _interface.up_ script: We create a virtual IP: 172.16.16.1. + + #!/bin/bash + ip link set $INTERFACE up + ip addr add 172.16.16.1/24 dev $INTERFACE + +If we terminate fastd, we run a similar script as defined in interface-down + + #!/bin/sh + ip addr del 172.16.16.1/24 dev $INTERFACE + ip link set $INTERFACE down + +We will create the _peer/anyremote_ file after we finished configuring anyremote and its public key + +Anyremote peer +********* + +Similar to alpha, we create _/etc/fastd/fastd.conf_. Since we only need to connect to alpha we don't need to bind to a fixed port. 
+ + # log arnings and errors to stderr + log level warn; + + # Log everything to syslog + log to syslog level debug; + + # tunnel mode (default is tap) + mode tun; + + # Set the interface name + interface "vpngateway"; + + # Support salsa2012+umac and null methods, prefer salsa2012+umac + method "salsa2012+umac"; + method "null"; + + # Secret key generated by `fastd --generate-key` + secret "supersecretkey"; + + # (see MTU selection documentation) + mtu 1448; + + # daemon start + on up "./interface-up"; + + # daemon terminated + on down "./interface-down"; + + # if a connection is established set up the gateway + on establish "./set-gateway"; + + # if the connection is lost restore the default gateway + on disestablish "./restore-gateway"; + + # Include peers from the directory 'peers' + include peer "peers/alpha"; + +For anyremote we also need to generate a key pair and replace the "supersecretkey" with the secret key value. The public key will be given to alpha (explained in a little while) + + root@anyremote~ $ fastd --generate-keys > anyremote-keypair + root@anyremote~ $ cat anyremote-keypair + 2018-05-01 19:48:49 +0800 --- Info: Reading 32 bytes from /dev/random... + Secret: c0a611e0d4f3075b45cf172d3221c8427008e2c6f541b5b6adda0368cb79f271 + Public: 2598c5d7e72f171731658ce35734ff7599e1840367422e1a9c5943c327ab5ea9 + + +*on up* and *on down* are similar to alpha (except the ip address). interface-up: + + #!/bin/bash + ip link set $INTERFACE up + ip addr add 172.16.16.2/24 dev $INTERFACE + +interface-down: + + #!/bin/sh + ip addr del 172.16.16.1/24 dev $INTERFACE + ip link set $INTERFACE down + +We need to include some information about how to connect to alpha. We define in a file (_/etc/fastd/peers/alpha_): + + root@anyremote:/etc/fastd/peers/ $ cat alpha + # alpha + key "8cb5e8d70d34f52716b6c4de518af2edfd6794e68ef1b3f0608cf05dd6a2ef42"; + remote 1.2.3.4:10000; + +*key* means the public key we just created with --generate-keys the alpha section. 
Here we add a remote ip to which anyremote tries to connect to. Make sure port numbers are the same. +Don't forget to also add our our just created public key to our alpha server: + + root@alpha:/etc/fastd/peers/ $ cat anyremote + # anyremote + key "2598c5d7e72f171731658ce35734ff7599e1840367422e1a9c5943c327ab5ea9"; + +This will allow alpha to accept connections from anyremote. Note: you don't need to specify a remote address, this will make it more dynamic and you can connect with anyremote from anywhere as long as you have the private key. + +After these steps you should be able to run both alpha and anyremote. You can run the daemon as follows: + + root@alpha:~ $ fastd -c /etc/fastd/fastd.conf & + root@anyremote:~ $ fastd -c /etc/fastd/fastd.conf & + +The interface *vpngateway* should show up and you should be able to ping to both hosts us. + +Now, in our config file of anyremote we see two additionals values: *on establish* and *on disestablish*. Once the connection is (dis)established, fastd will execute these scripts. This brings us two the last step: setting the default gateway of anyremote to point to alpha + +Alpha as gateway for anyremote +********** + +Have a look at the tinc tutorial (gateway section) about the theory of routing and gateways. 
+We add the following scripts in _/etc/fastd_ of anyremote if a connection with alpha is established: (set-gateway) + + #!/bin/bash + #ip link set $INTERFACE up + #ip addr add 172.16.16.2/24 dev $INTERFACE + + VPN_GATEWAY=172.16.16.1 + ORIGINAL_GATEWAY=`ip route show | grep ^default | cut -d ' ' -f 2-5` + REMOTEADDRESS=1.2.3.4 + + ip route add $REMOTEADDRESS $ORIGINAL_GATEWAY + ip route add $VPN_GATEWAY dev $INTERFACE + ip route add 0.0.0.0/1 via $VPN_GATEWAY dev $INTERFACE + ip route add 128.0.0.0/1 via $VPN_GATEWAY dev $INTERFACE + +And, similar, if the connecting is lost: (restore-gateway): + + #!/bin/sh + #ip addr del 172.16.16.2/24 dev $INTERFACE + #ip link set $INTERFACE down + + ORIGINAL_GATEWAY=`ip route show | grep ^default | cut -d ' ' -f 2-5` + REMOTEADDRESS=45.76.159.1 + + ip route del $REMOTEADDRESS $ORIGINAL_GATEWAY + ip route del $VPN_GATEWAY dev $INTERFACE + ip route del 0.0.0.0/1 dev $INTERFACE + ip route del 128.0.0.0/1 dev $INTERFACE + + +Setup firewall +******* + +Make sure forwarding is enabled on alpha. Make sure you have masquerading or another form of routing set up on alpha. If you don't masquerade outgoing (forwarded anyremote) packets, the source address in in the TCP/UDP package will still remain 172.16.16.2. Please have a look here: http://www.tldp.org/LDP/nag2/x-087-2-ipmasq.html if you don't know about NAT and masquerading. + + #!/bin/sh + # iptables config line to masquerade + + echo "Enabling IPv4 forwarding" + echo 1 >/proc/sys/net/ipv4/ip_forward + + echo "Appending Masquerade rule to iptables" + iptables -t nat -A POSTROUTING -s 172.16.16.0/255.255.255.0 -o eth0 -j MASQUERADE + +I use iptables to masquerade the (-s) source address on the (-o) interface eth0. + + +Test the gateway +******** + +Restart the daemon on alpha and anyremote. Use route -n to see check your routing tables. Ping both 172.16.16.1 and 1.2.3.4 (external address). In case of problems, trace the connections or analyze the data with tools like wireshark. 
+ +Troubleshooting help +******* + +* DNS request are not forwarded through the gateway. Check your resolver config files (/etc/resolv.conf). Debian-based systems might have the following configuration + + root@anyremote:~$ cat /etc/resolv.conf + # resolv.conf file + nameserver 127.0.1.0 + +* and in your routing table you might have the following entry. A local / caching DNS server might still send packages to your router. Use wireshark to see if there are any DNS queries, not going to the VPN gateway + + IP ROUTING TABLE + link-local * 255.255.0.0 U 1000 0 0 wlp7s0 + +* A simple fix would to change your resolv.conf and point it to nameserver 8.8.8.8 + +* Fastd's log to _/var/log/syslog_ You can define these locations in your fast.conf file. You can also change the log level, in case you need more information: + + --log-level error|warn|info|verbose|debug|debug2 + Sets the stderr log level; default is info if no alternative log + destination is configured. + +* Use tcpdump or wireshark to analyze your network devices diff --git a/files/git.pdf b/files/git.pdf new file mode 100644 index 0000000..feb83ba Binary files /dev/null and b/files/git.pdf differ
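Review bot: fastd.txt is a second hand-maintained copy of fastd.html and already diverges from it: the Troubleshooting bullets (resolv.conf, the link-local route, the `--log-level` option, tcpdump/wireshark) exist only in this text version while the HTML version has only the code blocks; keeping one source and generating the other would avoid this drift. The copy also reproduces the defects of fastd.html, which need fixing in both places: the uncommented line `falls back to null if salsa is not chosen.` in alpha's fastd.conf, `method "null";` offered as a fallback on both peers, anyremote's interface-down removing `172.16.16.1/24` instead of `172.16.16.2/24`, restore-gateway referring to an undefined `VPN_GATEWAY` and a different `REMOTEADDRESS` than set-gateway, and `--generate-keys` in the anyremote transcript. In the text-only bullet, `A simple fix would to change your resolv.conf` is missing `be`, and `Fastd's log to _/var/log/syslog_` is missing a verb.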