Difference between revisions of "Mesh/Exit setup"

From Sudo Room
Jump to navigation Jump to search
 
(2 intermediate revisions by 2 users not shown)
Line 1: Line 1:
An exit node is like a [[Mesh/Relay setup|relay node]] but with a connection out to the Internet. Exit nodes are run by sudo mesh and have the sudo mesh organization listed as the whois abuse complaint contact. This ensures that legal inquires for Internet-bound traffic from the mesh are sent to sudo mesh so node-operators don't have to deal with e.g. DMCA complaints and other legal issues unless absolutely necessary. We encourage anyone and everyone to run relay nodes, but we do not expect anyone else to run public exit nodes. If you're still interested in running an exit node, come talk to us!
An exit node is like a [[Mesh/Relay setup|relay node]] but with a connection out to the Internet. Exit nodes are run by sudo mesh and have the sudo mesh organization listed as the whois abuse complaint contact. This ensures that legal inquires for Internet-bound traffic from the mesh are sent to sudo mesh so node-operators don't have to deal with e.g. DMCA complaints and other legal issues unless absolutely necessary. We encourage anyone and everyone to run relay nodes, but we do not expect anyone else to run public exit nodes. If you're still interested in running an exit node, come talk to us!
This page below is outdated and is kept for our communal scrapbook. Please use https://github.com/sudomesh/exitnode for a more up-to-date info.
-----


Exit nodes do everything relay nodes do and adds the following:
Exit nodes do everything relay nodes do and adds the following:
Line 21: Line 25:
case "$1" in
case "$1" in
   start)
   start)
         echo "Starting mesh NAT"
         if [ "`iptables -t nat -L|grep MASQUERADE`" = '' ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
                echo "Starting mesh NAT"
        iptables -t nat -A POSTROUTING -o $PUBIF -j MASQUERADE
                echo 1 > /proc/sys/net/ipv4/ip_forward
        iptables -A FORWARD -i $PUBIF -o $BATIF -m state --state RELATED,ESTABLISHED $
                iptables -t nat -A POSTROUTING -o $PUBIF -j MASQUERADE
        iptables -A FORWARD -i $PUBIF -o $BATIF -j DROP
                iptables -A FORWARD -i $PUBIF -o $BATIF -m state --state RELATED,ESTABLISHED -j ACCEPT
                iptables -A FORWARD -i $PUBIF -o $BATIF -j DROP
        else
                echo "Mesh NAT already started"
        fi
         ;;
         ;;
   stop)
   stop)
Line 38: Line 46:
         ;;
         ;;
esac
esac
</pre>
</pre>


Line 44: Line 53:
  chmod 755 /etc/init.d/meshnat
  chmod 755 /etc/init.d/meshnat


Now modify the tunneldigger broker session.up hook script to start the meshnat script. Change the section:
Now modify the tunneldigger broker/up_hook.sh hook script to start the meshnat script. Change the section:


  if [ `cat /sys/class/net/bat0/operstate` != "up" ]; then
  if [ `cat /sys/class/net/bat0/operstate` != "up" ]; then
        ifup bat0
        ifconfig bat0 <relay_mesh_ip> netmask 255.0.0.0 up
  fi
  fi


Line 53: Line 62:


  if [ `cat /sys/class/net/bat0/operstate` != "up" ]; then
  if [ `cat /sys/class/net/bat0/operstate` != "up" ]; then
        ifup bat0 && /etc/init.d/meshnat start
        ifconfig bat0 <exit_mesh_ip> netmask 255.0.0.0 up
        /etc/init.d/meshnat start
  fi
  fi
Where <exit_mesh_ip> is the assigned mesh IP address for your exit node. E.g: 10.42.0.1.


Now NAT should be set up correctly.
Now NAT should be set up correctly.

Latest revision as of 12:27, 8 February 2018

An exit node is like a relay node but with a connection out to the Internet. Exit nodes are run by sudo mesh and have the sudo mesh organization listed as the whois abuse complaint contact. This ensures that legal inquires for Internet-bound traffic from the mesh are sent to sudo mesh so node-operators don't have to deal with e.g. DMCA complaints and other legal issues unless absolutely necessary. We encourage anyone and everyone to run relay nodes, but we do not expect anyone else to run public exit nodes. If you're still interested in running an exit node, come talk to us!

This page below is outdated and is kept for our communal scrapbook. Please use https://github.com/sudomesh/exitnode for a more up-to-date info.


Exit nodes do everything relay nodes do and adds the following:

This guide builds on top of the relay node guide, so follow that first and them come back here!

NATed internet access

Create the script /etc/init.d/meshnat containing the following:

#!/bin/sh

PUBIF="eth0"
BATIF="bat0"

case "$1" in
  start)
        if [ "`iptables -t nat -L|grep MASQUERADE`" = '' ]; then
                echo "Starting mesh NAT"
                echo 1 > /proc/sys/net/ipv4/ip_forward
                iptables -t nat -A POSTROUTING -o $PUBIF -j MASQUERADE
                iptables -A FORWARD -i $PUBIF -o $BATIF -m state --state RELATED,ESTABLISHED -j ACCEPT
                iptables -A FORWARD -i $PUBIF -o $BATIF -j DROP
        else
                echo "Mesh NAT already started"
        fi
        ;;
  stop)
        echo "Stopping mesh NAT"
        echo 0 > /proc/sys/net/ipv4/ip_forward
        iptables -F FORWARD
        iptables -t nat -F POSTROUTING
        ;;
  *)
        echo "Usage: $0 start|stop" >&2
        exit 3
        ;;
esac

Make it executable:

chmod 755 /etc/init.d/meshnat

Now modify the tunneldigger broker/up_hook.sh hook script to start the meshnat script. Change the section:

if [ `cat /sys/class/net/bat0/operstate` != "up" ]; then
       ifconfig bat0 <relay_mesh_ip> netmask 255.0.0.0 up
fi

To:

if [ `cat /sys/class/net/bat0/operstate` != "up" ]; then
       ifconfig bat0 <exit_mesh_ip> netmask 255.0.0.0 up
       /etc/init.d/meshnat start
fi

Where <exit_mesh_ip> is the assigned mesh IP address for your exit node. E.g: 10.42.0.1.

Now NAT should be set up correctly.

Setting up DNS

First, ensure that tunneldigger broker is not running on port 53 by removing port 53 from the "ports=" entry in /opt/tunneldigger/broker/l2tp_broker.cfg

Now, install dnsmasq:

sudo aptitude install dnsmasq

Ensure that you have one or more domain name server IPs in /etc/resolv.conf

Make sure that ENABLED=1 is set in /etc/default/dnsmasq

Restart dnsmasq if you changed anything:

sudo /etc/init.d/dnsmasq restart

Fake captive portal

TODO write this section