lixonet-ee/README.md

# Lixonet Enterprise Edition (LIXONET 3)

This is the semi-official, testing Lixonet EE repository.

Custom configurations should be supplied in a `lixonet.conf` file in the `name=value` format, such as your subnet.  Additionally, a tinc keypair is also be required.

**Generating keypairs for tinc (`tinc.key`)**:

Source: https://www.tinc-vpn.org/documentation/Generating-keypairs.html

Run: `tincd -n lixonet -K`

# Configuration options

#### Location

A `lixonet.conf` file should be under each **network** directory you'd like to create.  Create one directory for each mesh you'll be joining, under `/etc/lixonet`.  If you want to join the `teamlixo` mesh for example, do this:

1. Create `/etc/lixonet/teamlixo/lixonet.conf` and specify at least all **required** options in this file.
2. Create or save `/etc/lixonet/teamlixo/tinc.key`

#### Available networks

Official networks:

| Name | Git clone URL(s) | Subnet | ASN format | Administsration |
| ------ | ------ | ------ | ------ | ------ |
| teamlixo | http://git.team.lixo/lixonet/teamlixo.mesh.git | 172.31.0.0/16 | 4206969XXXX | Manevolent, Nurd |
| colorado | http://git.team.lixo/lixonet/colorado.mesh.git | 172.29.0.0/16 | 4206970XXXX | Manevolent |


#### Format

All options are supplied in the `name=value` format on individual lines, i.e. `name=test_name_lixo`

## Required options

You **MUST** specify these options, or Lixonet will not work.

 * `git` - The Git clone repository URL, used for peer configurations.
 * `tinc_peer_name` - The global neighbor name.  Tinc and Bird use this to identify a peer in the network, and to exclude your own pre-packed config automagically from Tinc and BIRD dialing out so you don't connect to yourself over and over again.
 * `tinc_peer_address` - The *router* address to use.  This is your Lixonet routing layer address: 172.xxx.0.xxx
 * `network_address` - The *network* address to use.  This is your Lixonet routing layer address: 172.xxx.0.0 (especially take note of the last two 0's: `0.0` -- it _MUST_ end with zeros corresponding to the network size)
 * `bgp_asn` - The BGP ASN to use.  We usually follow the format `4206969XXX` where _XXX_ is the last octet of your `address`, zero-padded (i.e. 008 or 212)
 * `internal_gateway` - The internal gateway to use.  This is the IP address, directly upstream from the Lixonet EE router, that can be used as a next hop to reach your own subnets.

#### Configuration example

A copy of the live configuration (`/etc/lixonet/teamlixo/lixonet.conf`) used by `denco_mane_lixo`:

```
git=http://git.team.lixo/lixonet/teamlixo.mesh.git
tinc_peer_name=denco_mane_lixo
tinc_peer_address=172.31.0.8
tinc_bind_address=172.31.8.2
bgp_asn=4206969008
bgp_routes=172.31.8.0/21,172.31.254.0/24
network_address=172.31.0.0
netmask=255.255.255.0
internal_gateway=172.31.8.1
```

(A key exists at `/etc/lixonet/teamlixo/tinc.key`)

`cat /etc/network/interfaces`:
```
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
        hostname lixonet
```

`ifconfig eth0`:
```
lixonet:/home/manevolent# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:172.31.8.2  Bcast:0.0.0.0  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:313268 errors:0 dropped:0 overruns:0 frame:0
          TX packets:266835 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:223824994 (213.4 MiB)  TX bytes:145971829 (139.2 MiB)
```

`docker ps -a | grep teamlixo` (built by `./build.sh`):
```
646e3b6b5456        teamlixo_tinc       "sh -c '/usr/sbin/ti…"   17 minutes ago      Up 15 minutes                                 teamlixo_tinc_1
84fda16f829b        teamlixo_bird       "/bin/sh -c 'bird -c…"   17 minutes ago      Up 9 minutes                                  teamlixo_bird_1
```

`route`
```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         172.31.8.1      0.0.0.0         UG    202    0        0 eth0
172.17.0.0      *               255.255.0.0     U     0      0        0 docker0
172.18.0.0      *               255.255.0.0     U     0      0        0 br-b91440553ab5
172.31.0.0      *               255.255.255.0   U     0      0        0 teamlixo
172.31.0.0      *               255.255.0.0     !     32     0        0 *
172.31.8.0      *               255.255.255.0   U     0      0        0 eth0
172.31.8.0      172.31.8.1      255.255.248.0   UG    32     0        0 eth0
172.31.16.0     172.31.0.16     255.255.248.0   UG    32     0        0 teamlixo
172.31.200.0    172.31.0.200    255.255.248.0   UG    32     0        0 teamlixo
172.31.208.0    172.31.0.208    255.255.252.0   UG    32     0        0 teamlixo
172.31.212.0    172.31.0.212    255.255.252.0   UG    32     0        0 teamlixo
172.31.254.0    172.31.8.1      255.255.255.0   UG    32     0        0 eth0
```

(Note the use of the `internal_gateway` variable to set the local `172.31.8.0      172.31.8.1      255.255.248.0   UG    32     0        0 eth0` route!)

## Non-required options:

#### General network options
 * `global_prefix`: global network prefix: defaults to `16`.
 * `router_prefix`: router network prefix: defaults to `24`. If you change this you _SHOULD_ change `netmask` too.
 * `netmask`: router netmask: defaults to `255.255.255.0` (`/24`); _SHOULD_ be the bitmask that corresponds to the `router_prefix`
 * `internal_interface`: the interface to route your _OWN_ networks to.  This should be the interface where your personal Lixonet subnets are reachable at, or in other words the interface at which the Lixonet EE router can send packets destined to networks you own.  Defaults to `eth0`.
 * `vip`: virtual IP: a virtual IP address to assign to the Lixonet EE router directly, aside from 172.31.0.8.

#### Tinc options
 * `network_name` - The name of the interface that Tinc should create when it's started.  Defaults to `lixonet`.  Set this for multiple networks.
 * `tinc_bind_address` - The address that Tinc should bind to to _listen_ for incoming WAN-sided connections (i.e. 10.0.0.1).  This is _not_ the Lixonet router IP (i.e. 172.31.0.8).  Use this if you have an `eth1` that you _don't_ want to use for binding tinc to, and would prefer to bind tinc exclusivley to `eth0` instead.
 * `tinc_bind_port` - The Tinc server port to listen on.  Defaults to `9994`.
 * `tinc_connect_to` - A comma-separated list of well-known/pre-defined hosts to connect to (i.e. `denco_mane_lixo`).  If not supplied, this is automatically set to all core routers that aren't yourself (`name`).

#### BGP options

For options we expose here, for information see: https://bird.network.cz/?get_doc&v=20&f=bird-6.html#ss6.3

 * `bgp_path_metric`: Enable comparison of path lengths when deciding which BGP route is the best one (`0` or `1`): defaults to `1`
 * `bgp_aigp`: BGP AIGP state (`enable`, `disable`, or `originate`): defaults to `originate` (see BIRD documentation)
 * `bgp_rpki_retry`: If RPKI cache data cannot be obtained, the time period in seconds between a failed query the next attempt.  Defaults to `90`.
 * `bgp_rpki_refresh`: How long to wait in seconds before attempting to poll RPKI cache data after the last successful poll.  Defaults to `900`.
 * `bgp_rpki_expire`: How long to keep any records locally cached before they are deleted.  Defaults to `172800` (2 days).
 * `bgp_rpki_known_hosts`: The file path for the SSH key `known_hosts` file to use when validating remote RPKI hosts.  Defaults to `/etc/bird/rpki/known_hosts` (provided by Lixonet; don't change this unless you need to!).
 * `bgp_passwd_*`: The password for a specific BGP peer (i.e. `bgp_passwd_denco_mane_lixo`).  If not specified, no password is used for the host.
 * `bgp_routes`: A comma-delimited list of routes to advertise over BGP.  If not specified, no routes are propagated.

#### BIND options

These settings are optional, and are already defaulted to general network common practices.

 * `bind_forward_address`: The overridden DNS server IP address to forward all requests for your own domain to.  Defaults to the value of `internal_gateway`, which is proper in most if not all cases.  Your BIND zone is automatically converted from your `tinc_peer_name` (i.e. `lkwco_mane_lixo` becomes `lkwco.mane.lixo`).
 * `tld`: The network-wide TLD to use.  Defaults to `lixo`.

# Setup, Installation, and Updating

#### Prerequisites/Setup:

1. `eth0` is the **LAN** or **WAN** interface supporting external routing, DNS, etc., and is the **bridged** interface to a router that will statically route the entire desired network subnet (i.e. x.x.0.0/21) through it.  You may also have an `eth1` (and so on, so forth) that you statically configure for your entire, wide subnet (i.e. x.x.0.0/21) if you want to use two physical adapters.  If you do have more than one interface, make sure that `internal_gateway` is set to the router IP address that can route your personal Lixonet subnets, and not your WAN gateway (unless they're the same).
2. `tun` and `tap` are in `/etc/modules` to load at boot (https://www.cyberciti.biz/faq/linux-how-to-load-a-kernel-module-automatically-at-boot-time/) and the system has been rebooted afterwards.
3. IPv4 forwarding is on: `sysctl -w net.ipv4.ip_forward=1`
4. Clone this repository: `git clone <url>`
5. `mkdir /etc/lixonet/(mesh)/`
6. Fill out `/etc/lixonet/(mesh)lixonet.conf` (see: **Configuration options**)
7. Supply `/etc/lixonet/(mesh)/tinc.key`

#### Install/Update:

You should **no longer** need to run `build.sh` directly.  Instead, use a "self-configuring" Docker container to make your life easier.

1. Clone or navigate to a cloned repository folder you already have.
2. Run `git clean -f -d && git reset --hard && git pull origin master && docker build -t lixonet-ee . && docker run --rm -it -v /etc/bird:/etc/bird/ -v /etc/tinc:/etc/tinc -v /etc/bind:/etc/bind -v /etc/lixonet:/etc/lixonet -v /var/run/docker.sock:/var/run/docker.sock lixonet-ee`