The GNUnet Handbook (gnunet-handbook): vpn.rst

.. _Using-the-Virtual-Public-Network:

Virtual Public Network
----------------------

Using the GNUnet Virtual Public Network (VPN) application you can tunnel
IP traffic over GNUnet. Moreover, the VPN comes with built-in protocol
translation and DNS-ALG support, enabling IPv4-to-IPv6 protocol
translation (in both directions). This chapter documents how to use the
GNUnet VPN.

The first thing to note about the GNUnet VPN is that it is a public
network. All peers can participate and there is no secret key to control
access. So unlike common virtual private networks, the GNUnet VPN is not
useful as a means to provide a "private" network abstraction over the
Internet. The GNUnet VPN is a virtual network in the sense that it is an
overlay over the Internet, using its own routing mechanisms, and it can
also use an internal addressing scheme. The GNUnet VPN is an Internet
underlay --- TCP/IP applications run on top of it.

The VPN is currently only supported on GNU/Linux systems. Support for
operating systems that support TUN (such as FreeBSD) should be easy to
add (or might not even require any coding at all --- we just did not
test this so far). Support for other operating systems would require
re-writing the code to create virtual network interfaces and to
intercept DNS requests.

The VPN does not provide good anonymity. While requests are routed over
the GNUnet network, other peers can directly see the source and
destination of each (encapsulated) IP packet. Finally, if you use the
VPN to access Internet services, the peer sending the request to the
Internet will be able to observe and even alter the IP traffic. We will
discuss additional security implications of using the VPN later in this
chapter.

.. _Setting-up-an-Exit-node:

Setting up an Exit node
~~~~~~~~~~~~~~~~~~~~~~~

Any useful operation with the VPN requires the existence of an exit node
in the GNUnet Peer-to-Peer network. Exit functionality can only be
enabled on peers that have regular Internet access. If you want to play
around with the VPN or support the network, we encourage you to set up
exit nodes. This chapter documents how to set up an exit node.

There are four types of exit functions an exit node can provide, and
using the GNUnet VPN to access the Internet will only work nicely if the
first three types are provided somewhere in the network. The four exit
functions are:

-  DNS: allow other peers to use your DNS resolver

-  IPv4: allow other peers to access your IPv4 Internet connection

-  IPv6: allow other peers to access your IPv6 Internet connection

-  Local service: allow other peers to access a specific TCP or UDP
   service your peer is providing

By enabling "exit" in gnunet-setup and checking the respective boxes
in the "exit" tab, you can easily choose which of the above exit
functions you want to support.

Note, however, that by supporting the first three functions you will
allow arbitrary other GNUnet users to access the Internet via your
system. This is somewhat similar to running a Tor exit node. The
Tor Project has a nice article about what to consider if you want to do
this. We believe that generally running a DNS exit node is completely
harmless.

The exit node configuration does not currently allow you to restrict the
Internet traffic that leaves your system. In particular, you cannot
exclude SMTP traffic (or block port 25) or limit it to HTTP traffic using
the GNUnet configuration. However, you can use your host firewall to
restrict outbound connections from the virtual tunnel interface. This is
highly recommended. In the future, we plan to offer a wider range of
configuration options for exit nodes.

Note that by running an exit node GNUnet will configure your kernel to
perform IP forwarding (for IPv6) and NAT (for IPv4) so that the traffic
from the virtual interface can be routed to the Internet. In order to
provide an IPv6 exit, you need to have a subnet routed to your host's
external network interface and assign a subrange of that subnet to the
GNUnet exit's TUN interface.

When running a local service, you should make sure that the local
service is (also) bound to the IP address of your EXIT interface (e.g.
169.254.86.1). It will NOT work if your local service is just bound to
loopback. You may also want to create a "VPN" record in your zone of
the GNU Name System to make it easy for others to access your service
via a name instead of just the full service descriptor. Note that the
identifier you assign the service can serve as a passphrase or shared
secret: clients connecting to the service must somehow learn the
service's name. VPN records in the GNU Name System can make this easier.

The config file configuration to offer a service `http` on port 80 which
is forwarded to port 8080 on IP `169.254.86.1` is as follows:

::

  [http.gnunet.]
  TCP_REDIRECTS = 80:169.254.86.1:8080

You can then add a GNS record to this service:

::

  $ gnunet-namestore -z myzone -a -e "1 d" -p -t VPN -n www -V "6 <ZKEY> http"

Here `myzone` is the name of your GNS zone. We are adding a record of
type `VPN`, and the value is a string containing three values: the first
indicates the use of TCP (`6`) or UDP (`17`), the second is your peer
identity, and the third is the identifier of the service used in the
configuration section above, i.e. the part before `.gnunet.`.

When using the `dns2gns` DNS server, it will automatically synthesize
`A`/`AAAA` records from encountered `VPN` records using the `VPN`
service. Otherwise, this must be done by the client that resolved the
`VPN` record.

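As an added example that is not part of the handbook or of the GNUnet code base, the following POSIX shell script generates the service section and the GNS record value described above and refuses the two misconfigurations this section warns about: a protocol other than TCP or UDP, and a redirect target on loopback (which other peers cannot reach). The peer identity is a constructed placeholder, the function names are the example's own, and the `UDP_REDIRECTS` key for UDP services is an assumption by analogy with the `TCP_REDIRECTS` key shown above.

```shell
#!/bin/sh
# Added example, not from the GNUnet handbook or code base.
# Generates the exit-side service section and the matching GNS VPN record,
# refusing the misconfigurations the handbook warns about.
# Assumptions: UDP services use a UDP_REDIRECTS key analogous to
# TCP_REDIRECTS; the peer identity below is a constructed placeholder.

# Protocol name -> number used in the VPN record value (6 = TCP, 17 = UDP).
proto_number() {
    case "$1" in
        tcp|TCP) echo 6 ;;
        udp|UDP) echo 17 ;;
        *) echo "unsupported protocol: $1 (use tcp or udp)" >&2; return 1 ;;
    esac
}

# The redirect target must be the exit interface address (e.g. 169.254.86.1);
# a service bound only to loopback is not reachable from other peers.
check_target_ip() {
    case "$1" in
        127.*|::1|localhost)
            echo "target $1 is loopback; bind the service to the exit interface address" >&2
            return 1 ;;
        *) return 0 ;;
    esac
}

# Usage: service_section <service> <tcp|udp> <exposed-port> <target-ip> <target-port>
service_section() {
    num=$(proto_number "$2") || return 1
    check_target_ip "$4" || return 1
    if [ "$num" = 6 ]; then key=TCP_REDIRECTS; else key=UDP_REDIRECTS; fi
    printf '[%s.gnunet.]\n%s = %s:%s:%s\n' "$1" "$key" "$3" "$4" "$5"
}

# Record value: "<protocol-number> <peer-identity> <service-identifier>".
vpn_record_value() {
    num=$(proto_number "$2") || return 1
    printf '%s %s %s\n' "$num" "$1" "$3"
}

# The gnunet-namestore command that publishes the record as <name> in <zone>.
# Usage: namestore_command <zone> <name> <peer-identity> <tcp|udp> <service>
namestore_command() {
    value=$(vpn_record_value "$3" "$4" "$5") || return 1
    printf 'gnunet-namestore -z %s -a -e "1 d" -p -t VPN -n %s -V "%s"\n' "$1" "$2" "$value"
}

PEER="PEER_IDENTITY_PLACEHOLDER"   # constructed; substitute your peer identity
service_section http tcp 80 169.254.86.1 8080
namestore_command myzone www "$PEER" tcp http
```

Running the script prints the `[http.gnunet.]` section and the namestore command for it; the loopback check is what turns the handbook's "it will NOT work" remark into an error at configuration time rather than a silent failure for connecting peers.
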
.. _Fedora-and-the-Firewall:

Fedora and the Firewall
~~~~~~~~~~~~~~~~~~~~~~~

When using an exit node on Fedora 15, the standard firewall can create
trouble even when not really exiting the local system! For IPv4, the
standard rules seem fine. However, for IPv6 the standard rules prohibit
traffic from the network range of the virtual interface created by the
exit daemon to the local IPv6 address of the same interface (which is
essentially loopback traffic, so you might suspect that a standard
firewall would leave this traffic alone). However, as somehow for IPv6
the traffic is not recognized as originating from the local system (and
as the connection is not already "established"), the firewall drops
the traffic. You should still get ICMPv6 packets back, but that's
obviously not very useful.

Possible ways to fix this include disabling the firewall (do you have a
good reason for having it on?) or disabling the firewall at least for
the GNUnet exit interface (or the respective IPv4/IPv6 address range).
The best way to diagnose these kinds of problems in general involves
setting the firewall to REJECT instead of DROP and watching the traffic
using wireshark (or tcpdump) to see if ICMP messages are generated when
running some tests that should work.

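As an added example that is not from the handbook or from GNUnet, the following shell script writes an nftables policy for an exit node that addresses both the egress restriction recommended in the exit-node section (the GNUnet configuration itself cannot block port 25 or limit exits to HTTP) and the diagnosis advice above: every verdict is a REJECT, never a DROP, so a blocked connection shows up as an ICMP error in tcpdump. The interface name `exit-gnunet`, the local service port 8080, the table name `gnunet_exit` and the function names are assumptions; adjust them to your configuration (the exit interface name is the `IFNAME` setting of your `[exit]` section).

```shell
#!/bin/sh
# Added example, not from the GNUnet handbook or code base.
# Host-firewall policy for a GNUnet exit node using nftables.
# Assumptions: the exit TUN interface is named "exit-gnunet" (check IFNAME in
# the [exit] section of your configuration), and one local service is
# reachable on port 8080 of the exit interface address.
EXIT_IF=${EXIT_IF:-exit-gnunet}
LOCAL_SERVICE_PORT=${LOCAL_SERVICE_PORT:-8080}

# Print the ruleset. Every final verdict is "reject", never "drop", so a
# blocked connection produces an ICMP or TCP-RST error that tcpdump can show.
exit_ruleset() {
    cat <<EOF
table inet gnunet_exit {
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        # traffic to the host itself: neighbour discovery / ping, and only
        # the one service that is deliberately bound to the exit address
        iifname "$EXIT_IF" meta l4proto { icmp, ipv6-icmp } accept
        iifname "$EXIT_IF" tcp dport $LOCAL_SERVICE_PORT accept
        iifname "$EXIT_IF" counter reject
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        ct state established,related accept
        # traffic from other peers leaving through this host's uplink:
        # no SMTP, only DNS and HTTP/HTTPS, everything else rejected
        iifname "$EXIT_IF" tcp dport 25 counter reject with tcp reset
        iifname "$EXIT_IF" tcp dport { 53, 80, 443 } counter accept
        iifname "$EXIT_IF" udp dport 53 counter accept
        iifname "$EXIT_IF" counter reject
    }
}
EOF
}

# Number of silent "drop" verdicts in the ruleset; expected to be zero.
count_drop_rules() {
    exit_ruleset | grep -c ' drop' || true
}

# Load the ruleset atomically (needs root and the nft binary).
apply_exit_ruleset() {
    exit_ruleset | nft -f -
}

# While running a test that should work, watch for the ICMP errors a
# REJECT rule generates; a DROP rule would show nothing here.
watch_exit_rejects() {
    tcpdump -ni "$EXIT_IF" 'icmp or icmp6'
}

exit_ruleset
```

The `inet` family covers IPv4 and IPv6 in one table, so the same rules apply to NATed IPv4 and forwarded IPv6 exits; the `counter` keyword on each rule lets `nft list table inet gnunet_exit` show which verdict a failing test is hitting.
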
.. _Setting-up-VPN-node-for-protocol-translation-and-tunneling:

Setting up VPN node for protocol translation and tunneling
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The GNUnet VPN/PT subsystem enables you to tunnel IP traffic over the
VPN to an exit node, from where it can then be forwarded to the
Internet. This section documents how to set up VPN/PT on a node. Note
that you can enable both the VPN and an exit on the same peer. In this
case, IP traffic from your system may enter your peer's VPN and leave
your peer's exit. This can be useful as a means to do protocol
translation. For example, you might have an application that supports
only IPv4 but needs to access an IPv6-only site. In this case, GNUnet
would perform 4to6 protocol translation between the VPN (IPv4) and the
Exit (IPv6). Similarly, 6to4 protocol translation is also possible.
However, the primary use for GNUnet would be to access an Internet
service running with an IP version that is not supported by your ISP. In
this case, your IP traffic would be routed via GNUnet to a peer that has
access to the Internet with the desired IP version.

Setting up an entry node into the GNUnet VPN primarily requires you to
enable the "VPN/PT" option in "gnunet-setup". This will launch the
"gnunet-service-vpn", "gnunet-service-dns" and "gnunet-daemon-pt"
processes. The "gnunet-service-vpn" will create a virtual interface
which will be used as the target for your IP traffic that enters the
VPN. Additionally, a second virtual interface will be created by the
"gnunet-service-dns" for your DNS traffic. You will then need to
specify which traffic you want to tunnel over GNUnet. If your ISP only
provides you with IPv4 or IPv6 access, you may choose to tunnel the
other IP protocol over the GNUnet VPN. If you do not have an ISP (and
are connected to other GNUnet peers via WLAN), you can also choose to
tunnel all IP traffic over GNUnet. This might also provide you with some
anonymity. After you enable the respective options and restart your
peer, your Internet traffic should be tunneled over the GNUnet VPN.

The GNUnet VPN uses DNS-ALG to hijack your IP traffic. Whenever an
application resolves a hostname (like 'gnunet.org'), the
"gnunet-daemon-pt" will instruct the "gnunet-service-dns" to
intercept the request (possibly route it over GNUnet as well) and
replace the normal answer with an IP in the range of the VPN's
interface. "gnunet-daemon-pt" will then tell "gnunet-service-vpn" to
forward all traffic it receives on the TUN interface via the VPN to the
original destination.

For applications that do not use DNS, you can also manually create such
a mapping using the gnunet-vpn command-line tool. Here, you specify the
desired address family of the result (e.g. "-4") and the intended
target IP on the Internet (e.g. "-i 131.159.74.67"), and "gnunet-vpn"
will tell you which IP address in the range of your VPN tunnel was
mapped.

``gnunet-vpn`` can also be used to access "internal" services offered
by GNUnet nodes. So if you happen to know a peer and a service offered
by that peer, you can create an IP tunnel to that peer by specifying the
peer's identity, service name and protocol (--tcp or --udp), and you will
again receive an IP address that will terminate at the respective peer's
service.
    196 
    197 ``gnunet-vpn`` can also be used to access \"internal\" services offered
    198 by GNUnet nodes. So if you happen to know a peer and a service offered
    199 by that peer, you can create an IP tunnel to that peer by specifying the
    200 peer's identity, service name and protocol (--tcp or --udp) and you will
    201 again receive an IP address that will terminate at the respective peer's
    202 service.
    203