How to connect to ground zero
THIS PAGE IS A WORK IN PROGRESS.
You got XIA running on your laptop, desktop, virtual machine, Raspberry Pi, or whatever other form of computing you have access to, and would like to connect it to "the XIA Internet". At this point in time, the XIA Internet is a single server in our lab that runs a Linux XIA kernel and an echo server (see page Testing XIA with an echo server for details); we expect to grow the number of servers and applications as the project matures. Ground zero, as we call this mini Linux XIA island, accepts tunnels from other XIA deployments through the principals U4ID and United4ID, and through OpenVPN tunnels.
The preferred connection method is U4ID. United4ID is only meant to help Click XIA users join ground zero. Users that do not have a routable IP address, or a way to forward UDP port 0x41D (decimal 1053), can still join ground zero through an OpenVPN tunnel. Please note that OpenVPN tunnels carry IP only, so you will still need principal U4ID or United4ID to interoperate with XIA.
Please be respectful and only use this facility for tests, demos, and general experimentation. We do not have personnel to maintain our infrastructure, so if ground zero becomes the target of abuse and/or goes down, we will turn it off until we need it back.
The current IP address used to connect to ground zero is 128.197.41.209.
In order to access the echo service on ground zero, you will need to have at least the principals XDP and U4ID running on your deployment. In case you do not have a routable IP address, make sure that your firewall is forwarding UDP port 0x41D to the proper address of your host. With all that set up, all you need is to use the following server address:
xdp-1234567890123456789012345678901234567890-1: u4id-80c529d1041d0000000000000000000000000000-0
See page Testing XIA with an echo server to learn how to use the echo client.
Can a Click-XIA person write this section?
Client configuration is simpler than its server counterpart. Install the OpenVPN package with
# apt-get install openvpn
just as it was done for the server. Once again, the configuration file can be named arbitrarily, as long as it has a .conf extension. We'll refer to it as client.conf in this documentation. The contents of client.conf are as follows.
remote MY_SERVER_IP_ADDRESS
client
dev tun
proto tcp-client
port 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
comp-lzo
verb 4
ns-cert-type server
auth-user-pass passwd
The only value to be edited in client.conf is MY_SERVER_IP_ADDRESS, which must match the server's address in server.conf, although here you can use its DNS name too. Note that ns-cert-type (here) and client-cert-not-required (in server.conf) were deprecated in OpenVPN 2.4 and removed in 2.5; on those releases use remote-cert-tls server on the client and verify-client-cert none on the server instead.
Two extra files are required in addition to client.conf in /etc/openvpn. The ca.crt file is the same as the one used for the server configuration. The passwd file must contain two lines, the first being the username and the second being the password. Since our authentication script in the server always returns successfully, the content of these lines is arbitrary. The file can therefore be generated with the command below.
# echo -ne "a\nb\n" > /etc/openvpn/passwd
Once all configuration files are in place, the OpenVPN daemon can be started:
service openvpn start
This article documents the steps needed to configure an OpenVPN gateway and its clients. The configuration described here is geared towards simplicity, and therefore ignores security measures that would complicate client configuration (e.g. client certificate generation).
To install OpenVPN on the server, install the openvpn package:
# apt-get install openvpn
The configuration below sets up an OpenVPN server listening on TCP port 443. This port was chosen because many public networks block outgoing traffic to non-HTTP(S) ports, so using the HTTPS port for the server ensures that most clients will be able to connect to it.
The OpenVPN initialization script will load any *.conf files found in /etc/openvpn as VPN configurations, so the name of this file does not matter, as long as it has the correct extension. For our purposes, we'll refer to this file as /etc/openvpn/server.conf or simply server.conf.
local MY_SERVER_IP_ADDRESS
server MY_VPN_NETWORK MY_VPN_NETMASK
push "route MY_NETWORK MY_NETMASK"
push "dhcp-option DNS MY_DNS_SERVER_ADDRESS"
port 443
dev tun
proto tcp-server
script-security 3
persist-key
persist-tun
ca ca.crt
cert server.crt
key server.key
comp-lzo
verb 4
dh dh2048.pem
status openvpn-status.log
mute 20
keepalive 10 120
auth-user-pass-verify auth.sh via-env
client-cert-not-required
username-as-common-name
The four topmost directives contain placeholders that must be adapted before the server can work. Replace each MY_* value as follows:
- MY_SERVER_IP_ADDRESS: the IP address of the OpenVPN server.
- MY_VPN_NETWORK: the network to be used for the VPN. The server will use the first address of the network, while the remaining ones will be allocated to connected clients.
- MY_VPN_NETMASK: the netmask of the VPN network, in dotted quad notation.
- MY_NETWORK: the network that connected clients will be given access to via the VPN tunnel.
- MY_NETMASK: the netmask of that network, in dotted quad notation.
- MY_DNS_SERVER_ADDRESS: the IP address of your network's DNS server. This is optional and is only really necessary if you're tunneling to an internal network whose node names cannot be resolved from the internet (e.g. an RFC 1918 network).
The auth.sh script named by the auth-user-pass-verify directive is stored alongside server.conf in /etc/openvpn and must be executable. In this setup it accepts any username and password, since it always exits successfully:
#!/bin/sh
exit 0
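The accept-all auth.sh above is what keeps this setup simple, but it also means anyone who can reach TCP port 443 on the gateway gets a tunnel. The script below is an added example, not part of the XIA wiki or of the OpenVPN setup it describes: a drop-in replacement for auth.sh that uses the same "via-env" hook (OpenVPN exports script_type, username and password into the script's environment and treats exit status 0 as "accept") but checks the pair against a credentials file. The file path /etc/openvpn/users.db is a hypothetical choice, and the example assumes sha256sum from coreutils is available.

```shell
#!/bin/sh
# Added example (not part of the XIA wiki): an auth.sh for
# "auth-user-pass-verify auth.sh via-env" that verifies the username and
# password OpenVPN passes in the environment, instead of "exit 0" for all.
# Credentials file format (hypothetical /etc/openvpn/users.db):
#   user:salt:sha256(salt:password)   one line per account
CRED_FILE="${CRED_FILE:-/etc/openvpn/users.db}"

# hash_password SALT PASSWORD -> hex digest as stored in the credentials file.
hash_password() {
    printf '%s:%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# add_user FILE USER PASSWORD -> appends a record with a fresh random salt.
add_user() {
    salt=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
    printf '%s:%s:%s\n' "$2" "$salt" "$(hash_password "$salt" "$3")" >>"$1"
}

# verify_user FILE USER PASSWORD -> status 0 if the pair matches a record,
# 1 otherwise (unknown user, wrong password, or a name that cannot be a record key).
verify_user() {
    file="$1"; user="$2"; pass="$3"
    case "$user" in ''|*:*) return 1 ;; esac
    while IFS=: read -r u s h; do
        if [ "$u" = "$user" ]; then
            if [ "$(hash_password "$s" "$pass")" = "$h" ]; then return 0; else return 1; fi
        fi
    done <"$file"
    return 1
}

# When OpenVPN invokes this file as the user-pass-verify hook, script_type is
# set; the exit status decides whether the client is accepted.
if [ "${script_type:-}" = "user-pass-verify" ]; then
    if verify_user "$CRED_FILE" "${username:-}" "${password:-}"; then exit 0; else exit 1; fi
fi

# demo -> status 0 when, on a constructed temporary credentials file, the
# right passwords are accepted and wrong passwords / unknown users rejected.
demo() {
    tmp=$(mktemp)
    add_user "$tmp" alice 'correct horse'
    add_user "$tmp" bob 'battery staple'
    ok=1
    verify_user "$tmp" alice 'correct horse' || ok=0
    verify_user "$tmp" bob 'battery staple' || ok=0
    if verify_user "$tmp" alice 'battery staple'; then ok=0; fi
    if verify_user "$tmp" mallory 'correct horse'; then ok=0; fi
    rm -f "$tmp"
    [ "$ok" -eq 1 ]
}

# Stand-alone run outside OpenVPN: exercise the demo.
[ "${1:-}" = "--demo" ] && demo && echo "demo: ok"
```

Install it as /etc/openvpn/auth.sh with mode 700 and keep users.db readable only by the user OpenVPN runs as; the existing script-security 3 line in server.conf is what allows the password to be handed over through the environment. Accounts are added with add_user, e.g. by sourcing the file and calling add_user /etc/openvpn/users.db alice 'her password'.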
Once all configuration files are in place, the OpenVPN daemon can be started:
service openvpn start
The public key infrastructure is generated by a set of helper scripts called "easy-rsa", provided in a separate package. This package creates scripts in /usr/share/easy-rsa. It is recommended that a copy of them is made, where the PKI building procedure will be executed.
# apt-get install easy-rsa
$ cp -a /usr/share/easy-rsa .
In the directory where the copy of "easy-rsa" was created, execute the following steps. The first task is to edit the easy-rsa/vars file. Open it with a text editor and replace the following variables: KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL. Next, initialize the PKI running the commands below.
cd easy-rsa
. ./vars
./clean-all
./build-ca
The build-ca script will run OpenSSL in interactive mode, which will require the user to input data to complete the process. Most of the required information will be set to default values fetched from the variables edited in the vars file above. Only the Common Name parameter must be explicitly filled in.
Next, generate the server certificate and key:
./build-key-server server
As above, most parameters can be set to their default values. Only the Common Name must be typed. When it is queried, type server. Next, two other questions require positive responses so that the process can be finished. Simply type y to both.
The final step is to generate the Diffie-Hellman parameters:
./build-dh
At the end of this procedure the following files will have been generated in the keys directory:
- ca.crt: the root CA certificate (server + client)
- ca.key: the root CA key (only needed to generate client certificates, not used in this setup)
- dh2048.pem: Diffie-Hellman parameters (server)
- server.crt: server certificate (server)
- server.key: server key (server)
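Before copying these files into /etc/openvpn it is worth confirming that they fit together: that server.crt was really issued by the CA in ca.crt, that server.key is the private key for that certificate, and that the DH parameters parse. The script below is an added example, not part of the XIA wiki or of easy-rsa; it assumes only the openssl command-line tool. Its demo builds a throwaway CA, server certificate and toy-sized DH parameters standing in for the easy-rsa keys directory (these are constructed on the fly, not the project's files).

```shell
#!/bin/sh
# Added example (not part of the XIA wiki or easy-rsa): consistency checks on
# the server material easy-rsa leaves in its keys directory.

# check_openvpn_pki DIR -> status 0 if the server material is consistent,
# 1 otherwise; the first problem found is reported on stderr.
check_openvpn_pki() {
    dir="$1"
    for f in ca.crt server.crt server.key dh2048.pem; do
        if [ ! -f "$dir/$f" ]; then echo "missing $dir/$f" >&2; return 1; fi
    done
    # server.crt must chain to the CA certificate the clients will trust.
    if ! openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1; then
        echo "server.crt does not chain to ca.crt" >&2; return 1
    fi
    # The private key must correspond to the certificate's public key.
    crt_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "server.key does not match server.crt" >&2; return 1
    fi
    # The Diffie-Hellman parameters must parse and pass OpenSSL's checks.
    if ! openssl dhparam -in "$dir/dh2048.pem" -noout -check >/dev/null 2>&1; then
        echo "dh2048.pem is not a valid DH parameter file" >&2; return 1
    fi
    # ca.key only signs certificates; it should stay off the VPN gateway.
    if [ -f "$dir/ca.key" ]; then echo "note: ca.key present, do not copy it to the server" >&2; fi
    return 0
}

# make_demo_pki DIR -> constructed stand-in for easy-rsa's keys directory.
make_demo_pki() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/server.crt" 2>/dev/null
    # 512 bits keeps the demo fast; build-dh generates 2048-bit parameters.
    openssl dhparam -out "$dir/dh2048.pem" 512 2>/dev/null
}

# demo -> status 0 when a consistent PKI passes and a swapped server key fails.
demo() {
    d=$(mktemp -d)
    make_demo_pki "$d"
    check_openvpn_pki "$d" || { rm -rf "$d"; return 1; }
    # Replace the server key with an unrelated one: the check must now fail.
    openssl genpkey -algorithm RSA -out "$d/server.key" 2>/dev/null
    if check_openvpn_pki "$d" 2>/dev/null; then rm -rf "$d"; return 1; fi
    rm -rf "$d"
    return 0
}

# Usage: sh check-pki.sh keys     (check the real easy-rsa keys directory)
#        sh check-pki.sh --demo   (run the self-contained demo)
case "${1:-}" in
    --demo) demo && echo "demo: ok" ;;
    ?*) check_openvpn_pki "$1" && echo "$1: ok" ;;
esac
```

Run it against the keys directory produced by the procedure above; a mismatch usually means build-key-server was re-run after build-ca, so that the certificate and key no longer belong to the same CA or to each other.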
We would like to thank Andre Nathan for having developed and tested the OpenVPN setup used here.
All grants that have generously supported the development of Linux XIA are listed on our Funding page.