Mesh router is easy
From the moment cjdns were added to the official OpenWRT repository, the process of preparing the mesh router has become simply trivial. I don’t see the point of describing the installation of OpenWRT on routers in detail. This is a popular topic. On many officially supported routers, the task of installing free firmware comes down to simply downloading the Factory archive and feeding it to the standard form of updating the firmware on the factory system. The main thing is that there is no lock on installing third-party firmware, but in this case, I believe, there will be many workarounds.
Before the official support of cjdns packages, it was necessary to mess around a bit more. It was possible to build the packages yourself or search for the packages collected by someone and install them. There were also firmware from enthusiasts with already installed the necessary software. In any case, it was necessary to tinker a little more than now.
')
So, we have a router on OpenWRT that performs the usual functions of a home router. We will administer this whole thing with the left mouse button in LuCY.
Installation
As written above, OpenWrt Chaos Calmer 15.05 has the necessary packages in the official repository. Go to the menu System -> Software. Update the list and install the packages luci-app-cjdns and cjdns. The latter is a dependency of the first and should be automatically installed.
Mesh mode
After installation, cjdns will start working immediately. Those. normal installation takes place in one step. But we want the router not only to connect to the cjdns nodes in our local network, but also to become an active participant in the mesh network. The Services section -> cjdns appears in the menu. The Overview tab displays all current connections. If cjdns is running on your home computers, the router will most likely establish a connection with them in mesh mode. We need to add an 802.11s WiFi network. This is done in the same simple way:
go to the Network -> WiFi,
on the desired physical interface, click Add,
According to the current agreement on the cjdroute.net forum, choose channel 11 at 2.4 GHz,
Mode field will be 802.11s - WiFi mesh,
Network she will be separate, because we do not need these participants to get into the internal Lan network (I created a new one with the name Mesh),
SSID: hyperboria_mesh,
There is no need to protect this network.
In the Network -> Interfaces section, we will have a new network. I chose unmanaged protocol - we don’t have to assign participants regular IP addresses.
You can also add a simple, unprotected access point with a name, for example, cjdroute.net, which connects devices to this network. This will allow connecting devices that cannot 802.11s, but can cjdns, to hyperboria.
Now we go to Services -> cjdns -> Settings, go down to the Ethernet Interfaces item and add our new network there (if you forget the name, you can look in the Network -> Interfaces list). I chose Beacon Mode 2 so that it not only waited for special Ethernet frames there with which it would set up mesh connections, but also sent such ones. It is also worth making sure that we are also connecting in the home LAN. If the provider provides your lokalka, you can try and connect to other provider clients via the WAN interface.
Overlay UDP connections (also known as UDP transport)
Naturally, it is foolish to expect that these boxes are scattered throughout the city, and there is a full-fledged network throughout the country. Moreover, between the cities is extremely low population density. For additional communication, we will need to add connections via UDP transport. This is the usual overlay mode on top of other networks such as the Internet. This is how TOR works. Only in this case, connections will be established directly without anonymization attempts and loss of speed.
It is also worth mentioning that there is a misunderstood here, but a very important point - the need to add such connections manually and establish communication with those with whom you have exchanged keys and passwords. At first glance, this procedure is idiotic and creates unnecessary complexity in the installation: after all, in overlay networks like Tor and I2P, this is not necessary - there are bootstrap nodes that give you a list of all the addresses of other participants. However, this convenience is a vulnerability - in the same China, attackers connect to these nodes, get a list of all participants and block connections to these addresses and the node itself. Those. Convenience adds a single point of failure to the system and jeopardizes overall performance.
You can exchange keys and addresses on the same forum cjdroute.net in a special section. Probably later, your friends and colleagues will also join the network and exchange the necessary data with you.
Adding connections is just as easy in Services -> cjdns -> Peers. There you can add passwords for incoming connections (remember that for this you need the router to have a white IP address and open the UPD port) and information about outgoing connections. Each new compound increases stability. And thanks to the simplicity of the interface, it will be possible to add new ones in between a couple of minutes.
At this point, the configuration of a full-fledged mesh router can be considered complete. Now your router will perform its normal functions as a home router, but when the same conscious neighbors appear, it will create new connections with them, independent of your provider.
Bonus point: secure Internet access
Cjdns is essentially a solution that allows you to create a distributed virtual private network. Thanks to its distributed architecture, this VPN grows into a huge Semi-meh (overlay + mesh) network and builds a new Internet of the future (Hyperboria).
If CJDNS is installed and properly configured on your computers, it means they will “see” each other, even if both are thousands of kilometers from each other behind provider NATs. CJDNS provides IPv6, and all its supporting programs will work fine. A sort of hamachi healthy person. But apart from actually accessing hyperboria and connecting personal devices to a single network, I would like to make a secure tunnel to the usual Internet in a couple of clicks.
Settings on the server that will release us to the Internet.
Suppose we have a VPS in some normal country where the Internet is not subject to aggressive attacks. We have configured the same CJDNS node on this VPS and want to be able to access it via the Internet. To do this, in the cjdns config of our VPS, you need to add an incoming tunnel in the ipTunnel -> allowedConnections section. For example:
In the console, add an IPv4 address to the tunnel interface and enable Forwarding to allow clients to access the Internet.
ip addr add dev tun0 192.168.45.1/24
echo 1> / proc / sys / net / ipv4 / conf / all / forwarding
Add Routing and Firewall Rules
ip route add dev tun0 192.168.45.0/24
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED, ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
Now our VPS server can replace us with ordinary paid VPN services. By the way, according to my feelings, the setting is much faster and easier than the same OpenVPN.
I got into an interesting trap at this point. I wanted to connect both the router and the laptop right away, giving them different IPv4 addresses, but on the same subnet. As it turned out, it is not intended for this, the first client entered normally routed, and the second simply received the address, but could not even ping the server. If you want to cut several devices, you need to make different subnets. This can be useful, for example, to provide secure access to the Internet over an unauthorized Internet connection.
Settings on the router
It's simple. Go to Services -> cjdns -> IP Tunnel and add the public key cjdns from the config of our VPS node to Outgoing connections. Prescribed IP is assigned automatically. Routing router clients to the Internet through this VPN is configured by adding the appropriate rules on the firewall.
You can register the address of our server 192.168.45.1 as a gateway for all connections, or you can simply add static routes and redirect requests only for specific sites: Network -> Static routes
In this case, I made secure and stable connections for all devices in my home network on root-tracker and btc-e.com. For some strange reason, I wanted to make connections to these sites more secure.
In this bonus point, there is a reverse option: make the router such a server. For example, you are somewhere visiting or using public WiFi and you want to make connections more secure. In the same tab of the settings of the router we add incoming connections, and on the laptop outgoing ones. There are a few other rules for routing - and here you have a more secure connection from anywhere.
Thus, we left and right mouse buttons have achieved the tasks. On writing, perhaps banal for a habr article, this map of cjdroute.net/map led me . Many have added their location with a comment that they are ready to join, if they can help them all set up. In the days of the first articles on CJDNS, the setup procedure was sometimes confusing, and most manuals involved the manual building of OpenWRT and picking configs. Of course, there are a number of settings that would be good to add later in the console, but for the start, the described items are enough. Hopefully this can turn many of your wishes into intent. If there are any questions, we gladly answer on the forum cjdroute.net
Before the official support of cjdns packages, it was necessary to mess around a bit more. It was possible to build the packages yourself or search for the packages collected by someone and install them. There were also firmware from enthusiasts with already installed the necessary software. In any case, it was necessary to tinker a little more than now.
')
So, we have a router on OpenWRT that performs the usual functions of a home router. We will administer this whole thing with the left mouse button in LuCY.
Installation
As written above, OpenWrt Chaos Calmer 15.05 has the necessary packages in the official repository. Go to the menu System -> Software. Update the list and install the packages luci-app-cjdns and cjdns. The latter is a dependency of the first and should be automatically installed.
Mesh mode
After installation, cjdns will start working immediately. Those. normal installation takes place in one step. But we want the router not only to connect to the cjdns nodes in our local network, but also to become an active participant in the mesh network. The Services section -> cjdns appears in the menu. The Overview tab displays all current connections. If cjdns is running on your home computers, the router will most likely establish a connection with them in mesh mode. We need to add an 802.11s WiFi network. This is done in the same simple way:
go to the Network -> WiFi,
on the desired physical interface, click Add,
According to the current agreement on the cjdroute.net forum, choose channel 11 at 2.4 GHz,
Mode field will be 802.11s - WiFi mesh,
Network she will be separate, because we do not need these participants to get into the internal Lan network (I created a new one with the name Mesh),
SSID: hyperboria_mesh,
There is no need to protect this network.
In the Network -> Interfaces section, we will have a new network. I chose unmanaged protocol - we don’t have to assign participants regular IP addresses.
You can also add a simple, unprotected access point with a name, for example, cjdroute.net, which connects devices to this network. This will allow connecting devices that cannot 802.11s, but can cjdns, to hyperboria.
Now we go to Services -> cjdns -> Settings, go down to the Ethernet Interfaces item and add our new network there (if you forget the name, you can look in the Network -> Interfaces list). I chose Beacon Mode 2 so that it not only waited for special Ethernet frames there with which it would set up mesh connections, but also sent such ones. It is also worth making sure that we are also connecting in the home LAN. If the provider provides your lokalka, you can try and connect to other provider clients via the WAN interface.
Overlay UDP connections (also known as UDP transport)
Naturally, it is foolish to expect that these boxes are scattered throughout the city, and there is a full-fledged network throughout the country. Moreover, between the cities is extremely low population density. For additional communication, we will need to add connections via UDP transport. This is the usual overlay mode on top of other networks such as the Internet. This is how TOR works. Only in this case, connections will be established directly without anonymization attempts and loss of speed.
It is also worth mentioning that there is a misunderstood here, but a very important point - the need to add such connections manually and establish communication with those with whom you have exchanged keys and passwords. At first glance, this procedure is idiotic and creates unnecessary complexity in the installation: after all, in overlay networks like Tor and I2P, this is not necessary - there are bootstrap nodes that give you a list of all the addresses of other participants. However, this convenience is a vulnerability - in the same China, attackers connect to these nodes, get a list of all participants and block connections to these addresses and the node itself. Those. Convenience adds a single point of failure to the system and jeopardizes overall performance.
You can exchange keys and addresses on the same forum cjdroute.net in a special section. Probably later, your friends and colleagues will also join the network and exchange the necessary data with you.
Adding connections is just as easy in Services -> cjdns -> Peers. There you can add passwords for incoming connections (remember that for this you need the router to have a white IP address and open the UPD port) and information about outgoing connections. Each new compound increases stability. And thanks to the simplicity of the interface, it will be possible to add new ones in between a couple of minutes.
At this point, the configuration of a full-fledged mesh router can be considered complete. Now your router will perform its normal functions as a home router, but when the same conscious neighbors appear, it will create new connections with them, independent of your provider.
Bonus point: secure Internet access
Cjdns is essentially a solution that allows you to create a distributed virtual private network. Thanks to its distributed architecture, this VPN grows into a huge Semi-meh (overlay + mesh) network and builds a new Internet of the future (Hyperboria).
If CJDNS is installed and properly configured on your computers, it means they will “see” each other, even if both are thousands of kilometers from each other behind provider NATs. CJDNS provides IPv6, and all its supporting programs will work fine. A sort of hamachi healthy person. But apart from actually accessing hyperboria and connecting personal devices to a single network, I would like to make a secure tunnel to the usual Internet in a couple of clicks.
Settings on the server that will release us to the Internet.
Suppose we have a VPS in some normal country where the Internet is not subject to aggressive attacks. We have configured the same CJDNS node on this VPS and want to be able to access it via the Internet. To do this, in the cjdns config of our VPS, you need to add an incoming tunnel in the ipTunnel -> allowedConnections section. For example:
{
"publicKey": "kdddddgfgsftrtrtrnrmnmnmgnmdfndmfnmdfnmdnfmdfmdndfdf0.k", // . Services -> cjdns -> Settings
"ip4Address": "192.168.45.10", // IP ,
"ip4Prefix": 24 // . 255.255.255.0
}
In the console, add an IPv4 address to the tunnel interface and enable Forwarding to allow clients to access the Internet.
ip addr add dev tun0 192.168.45.1/24
echo 1> / proc / sys / net / ipv4 / conf / all / forwarding
Add Routing and Firewall Rules
ip route add dev tun0 192.168.45.0/24
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED, ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
Now our VPS server can replace us with ordinary paid VPN services. By the way, according to my feelings, the setting is much faster and easier than the same OpenVPN.
I got into an interesting trap at this point. I wanted to connect both the router and the laptop right away, giving them different IPv4 addresses, but on the same subnet. As it turned out, it is not intended for this, the first client entered normally routed, and the second simply received the address, but could not even ping the server. If you want to cut several devices, you need to make different subnets. This can be useful, for example, to provide secure access to the Internet over an unauthorized Internet connection.
Settings on the router
It's simple. Go to Services -> cjdns -> IP Tunnel and add the public key cjdns from the config of our VPS node to Outgoing connections. Prescribed IP is assigned automatically. Routing router clients to the Internet through this VPN is configured by adding the appropriate rules on the firewall.
You can register the address of our server 192.168.45.1 as a gateway for all connections, or you can simply add static routes and redirect requests only for specific sites: Network -> Static routes
In this case, I made secure and stable connections for all devices in my home network on root-tracker and btc-e.com. For some strange reason, I wanted to make connections to these sites more secure.
In this bonus point, there is a reverse option: make the router such a server. For example, you are somewhere visiting or using public WiFi and you want to make connections more secure. In the same tab of the settings of the router we add incoming connections, and on the laptop outgoing ones. There are a few other rules for routing - and here you have a more secure connection from anywhere.
Thus, we left and right mouse buttons have achieved the tasks. On writing, perhaps banal for a habr article, this map of cjdroute.net/map led me . Many have added their location with a comment that they are ready to join, if they can help them all set up. In the days of the first articles on CJDNS, the setup procedure was sometimes confusing, and most manuals involved the manual building of OpenWRT and picking configs. Of course, there are a number of settings that would be good to add later in the console, but for the start, the described items are enough. Hopefully this can turn many of your wishes into intent. If there are any questions, we gladly answer on the forum cjdroute.net
Source: https://habr.com/ru/post/277721/
All Articles