lixonet-ee/README.md
2020-05-21 20:39:55 +00:00

6.1 KiB

Lixonet Enterprise Edition (LIXONET 3)

This is the semi-official, testing Lixonet EE repository.

Custom configurations should be supplied in a lixonet.conf file in the name=value format, such as your subnet. Additionally, a tinc keypair is also be required.

Generating keypairs for tinc (tinc.key):

Source: https://www.tinc-vpn.org/documentation/Generating-keypairs.html

Run: tincd -n lixonet -K

Configuration options

Location

A lixonet.conf file should be under each network directory you'd like to create. Create one directory for each mesh you'll be joining, under /etc/lixonet. If you want to join the teamlixo mesh for example, do this:

  1. Create /etc/lixonet/teamlixo/lixonet.conf and specify at least all required options in this file.
  2. Create or save /etc/lixonet/teamlixo/tinc.key

Available networks

Official networks:

Name Git clone URL(s) Subnet ASN format Administsration
teamlixo http://git.team.lixo/lixonet/teamlixo.mesh.git 172.31.0.0/16 4206969XXXX Manevolent, Nurd
colorado http://git.team.lixo/lixonet/colorado.mesh.git 172.29.0.0/16 4206970XXXX Manevolent

Format

All options are supplied in the name=value format on individual lines, i.e. name=test_name_lixo

Required options

You MUST specify these options, or Lixonet will not work.

Network options

  • git - The Git clone repository URL, used for peer configurations.
  • tinc_peer_name - The global neighbor name. Tinc and Bird use this to identify a peer in the network, and to exclude your own pre-packed config automagically from Tinc and BIRD dialing out so you don't connect to yourself over and over again.
  • tinc_peer_address - The router address to use. This is your Lixonet routing layer address: 172.xxx.0.xxx
  • network_address - The network address to use. This is your Lixonet routing layer address: 172.xxx.0.0 (especially take note of the last two 0's: 0.0 -- it MUST end with zeros corresponding to the network size)
  • bgp_asn - The BGP ASN to use. We usually follow the format 4206969XXX where XXX is the last octet of your address, zero-padded (i.e. 008 or 212)

Non-required options:

General network options

  • global_prefix: global network prefix: defaults to 16.
  • router_prefix: router network prefix: defaults to 24. If you change this you SHOULD change netmask too.
  • netmask: router netmask: defaults to 255.255.255.0 (/24); SHOULD be the bitmask that corresponds to the router_prefix

Tinc options

  • tinc_interface_name - The name of the interface that Tinc should create when it's started. Defaults to lixonet. Set this for multiple networks.
  • tinc_bind_address - The address that Tinc should bind to to listen for incoming WAN-sided connections (i.e. 10.0.0.1). This is not the Lixonet router IP (i.e. 172.31.0.8). Use this if you have an eth1 that you don't want to use for binding tinc to, and would prefer to bind tinc exclusivley to eth0 instead.
  • tinc_connect_to - A comma-separated list of well-known/pre-defined hosts to connect to (i.e. denco_mane_lixo). If not supplied, this is automatically set to all core routers that aren't yourself (name).

BGP options

For options we expose here, for information see: https://bird.network.cz/?get_doc&v=20&f=bird-6.html#ss6.3

  • bgp_path_metric: Enable comparison of path lengths when deciding which BGP route is the best one (0 or 1): defaults to 1
  • bgp_aigp: BGP AIGP state (enable, disable, or originate): defaults to originate (see BIRD documentation)
  • bgp_rpki_retry: If RPKI cache data cannot be obtained, the time period in seconds between a failed query the next attempt. Defaults to 90.
  • bgp_rpki_refresh: How long to wait in seconds before attempting to poll RPKI cache data after the last successful poll. Defaults to 900.
  • bgp_rpki_expire: How long to keep any records locally cached before they are deleted. Defaults to 172800 (2 days).
  • bgp_rpki_known_hosts: The file path for the SSH key known_hosts file to use when validating remote RPKI hosts. Defaults to /etc/bird/rpki/known_hosts (provided by Lixonet; don't change this unless you need to!).
  • bgp_passwd_*: The password for a specific BGP peer (i.e. bgp_passwd_denco_mane_lixo). If not specified, no password is used for the host.
  • bgp_routes: A comma-delimited list of routes to advertise over BGP. If not specified, no routes are propagated.

Setup

Prerequisites:

  1. docker and docker-compose (Alpine: community repository; https://docs.genesys.com/Documentation/System/8.5.x/DDG/InstallationofDockeronAlpineLinux), git, and curl are installed (Alpine: apk add). You may also want to make docker run at boot: rc-update add docker boot.
  2. eth0 is the LAN or WAN interface supporting external routing, DNS, etc., and is the bridged interface to a router that will statically route the entire desired network subnet (i.e. x.x.0.0/21) through it. You may also have an eth1 (and so on, so forth) that you statically configure for your entire, wide subnet (i.e. x.x.0.0/21) if you want to use two physical adapters.
  3. tun and tap are in /etc/modules to load at boot (https://www.cyberciti.biz/faq/linux-how-to-load-a-kernel-module-automatically-at-boot-time/) and the system has been rebooted afterwards.
  4. sigil is installed (curl -L "https://github.com/gliderlabs/sigil/releases/download/v0.5.0/sigil_0.5.0_$(uname -sm|tr ' ' '_').tgz" | tar -zxC /usr/local/bin)
  5. IPv4 forwarding is on: sysctl -w net.ipv4.ip_forward=1 and iptables -P FORWARD ACCEPT are run (and persisted) to allow IP forwarding. To persist these changes, see: https://wiki.alpinelinux.org/wiki/Configure_Networking, refer to "Save Firewall Rules".

Install:

  1. Clone this repository: git clone
  2. mkdir /etc/lixonet/(mesh)/
  3. Fill out /etc/lixonet/(mesh)lixonet.conf (see: Configuration options)
  4. Supply /etc/lixonet/(mesh)/tinc.key
  5. Run chmod +x build.sh && ./build.sh to deploy the stack on Docker.