Broadband-Hamnet™ Forum :: General

Subject :Re:Re:Virtual Tunnels..
2014-10-10- 12:30:29

k5dlq
Member
Joined: 2012-05-11- 08:05:13
Posts: 233
Location: Magnolia, TX USA
Yes, I understand. This is just one step in my testing. Next is to get a remote (across the internet/beyond my home router) client to connect. I would not expect to run in this (M2 to WRT) architecture in a normal situation. ;-)
D.
Also, the Bullet M2 is the client, so no tunneling "into" the M2. The server is on the 54GS.
Last Edited On: 2014-10-10- 12:32:50 By k5dlq
Darryl - K5DLQ
www.aredn.org

Subject :Re:Virtual Tunnels..
2014-10-10- 14:26:05

KG6JEI
Member
Joined: 2013-12-02- 19:52:05
Posts: 516
Re Encryption: This is actually still an issue that needs to be looked at. vtund either needs to be run without encryption OR be configured/bound to only be able to connect over the WAN port. At the moment everything I heard has it unbound and not caring, so it's possible it may choose to go over the mesh. Needs to be looked into deeper to be sure that cannot happen.
Note: Most posts submitted from iPhone

Subject :Re:Virtual Tunnels..
2014-10-10- 21:20:26

kc2zqo
Member
Joined: 2013-11-25- 18:52:22
Posts: 6
AE6XE, I feel any traffic routed via the internet, regardless of the content, needs to be encrypted. It is entirely possible that users will log into a remote node to modify the config while tunneling through the real internet. This info should not travel as clear text on the internet, where marketers and hackers are analyzing traffic regularly.
Since these tunnels begin and end where the real internet connects, the encryption will never hit the RF.
Asterisk

Subject :Re:Re:Re:Virtual Tunnels..
2014-10-10- 21:39:03

SM7I
Member
Joined: 2012-04-30- 14:56:55
Posts: 79
Location: JO65mo
This poses a delicate problem if the connection to the internet itself is delivered through RF...
In Sweden, at least, we have several smaller cities that have local operators delivering internet by means of wireless networking throughout the city.
One can also choose to see this for what it is: the VPN solution is not really the way to move BBHN forward in terms of being independent from the regular internet. It should only be seen as a temporary solution to bridge gaps between nodes until it is possible to have the density of nodes that allows for a direct RF path. This is and has always been the foundation for our solution in Sweden.
IT infrastructure and security professional

Subject :Re:Virtual Tunnels..
2014-10-10- 22:11:47

Subject :Re:Virtual Tunnels..
2014-10-11- 03:30:47

kd5aeq
Member
Joined: 2014-08-16- 22:03:25
Posts: 6
Location: Las Cruces, NM, USA
I think there is a security risk in running GRE over the internet. However, given the non-authenticated, non-encrypted nature of BBHN, the same risks exist for the mesh itself. I try to keep logging in to remote nodes to a minimum, as you never know who could be sniffing. As with all things, it's a risk analysis tradeoff. I think there's a spot for both GRE and vtun methods. Like everyone has already stated, the tunneling is great for users who can't directly reach a mesh. I think there is great potential in tunneling for interconnecting meshes. It's a way to bring together everyone and create a worldwide mesh network.
Network Systems Engineer by day, BBHN by night

Subject :Re:Re:Re:Virtual Tunnels..
2014-10-11- 13:36:24

kc2zqo
Member
Joined: 2013-11-25- 18:52:22
Posts: 6
Like it or not, tunnels are a necessity for some connections and they need to be secure. vtun seems to be the way to go, so that is where I will start testing.
It would be nice if eventually the tunnel functions were built into the GUI.
Asterisk

Subject :Re:Re:Re:Virtual Tunnels..
2014-10-12- 11:58:28

k5dlq
Member
Joined: 2012-05-11- 08:05:13
Posts: 233
Location: Magnolia, TX USA
Wow. Friday, I ordered a switch (GS105E) on Amazon for $45 and it arrived today... Sunday... via USPS.
Color me impressed, Amazon Prime.
Darryl - K5DLQ
www.aredn.org

Subject :Re:Virtual Tunnels..
2014-10-13- 11:19:31

Subject :Re:Virtual Tunnels..
2014-10-13- 12:21:58

KG6JEI
Member
Joined: 2013-12-02- 19:52:05
Posts: 516
Joe: Quickly glanced at your tar file. I don't see any handling of the routing table entries in your setup files. Might have missed it, but important to look into; otherwise routes will likely not work correctly except for one-hop nodes if it isn't there.
Note: Most posts submitted from iPhone

Subject :Re:Re:Re:Virtual Tunnels..
2014-10-13- 13:02:56

AE6XE
Member
Joined: 2013-11-05- 00:09:51
Posts: 116
Conrad, I didn't have any further routing defined beyond the 2 nodes at both ends of the tunnel able to ping each other on the 172.31.x.x address. Relying on olsrd to handle all the route table entries to get to the multi-hop nodes across both meshes (from each node's perspective). The olsr status page in my test showed all the appropriate routing to all nodes on both sides of the tunnel. Tested with streaming video across the tunnel and 2 hops in. This is not a multiple client setup--would need more firewall settings and maybe a 172.x.x.x route entry for multiple client connections.

Subject :Re:Virtual Tunnels..
2014-10-13- 13:07:43

KG6JEI
Member
Joined: 2013-12-02- 19:52:05
Posts: 516
Take a look at /etc/hotplug.d/iface/11-meshrouting. I'm actually surprised you're getting across 2 hops at the moment; that should not be the case on quick thought, as the right table should not be being consulted. This was part of securing the network from inadvertent routing done in the 1.1.0 release (and is the biggest reason why the document needs to be re-written from 1.0.0/1.0.1).
Note: Most posts submitted from iPhone

Subject :Re:Virtual Tunnels..
2014-10-13- 18:21:09

KG6JEI
Member
Joined: 2013-12-02- 19:52:05
Posts: 516
Ah, I see why it works: rules 30200-30299 that I set to all interfaces when the loopback comes up allow it to traverse the node. So not so surprising it works.
A new 12-vpnrouting policy should still be created, however, following similar to the dtdlink policy, to ensure we don't have a regression and introduce the security flaw previously seen in 1.0.x.
Note: Most posts submitted from iPhone

Subject :Re:Re:Re:Virtual Tunnels..
2014-10-13- 18:28:34

AE6XE
Member
Joined: 2013-11-05- 00:09:51
Posts: 116
re: /etc/hotplug.d/iface/11-meshrouting
Conrad, looks like it is still catching default rules to see the olsrd routes for these new interfaces, DEVICE=tun0:
30210:from all lookup 29
30220: from all lookup 30
30290: from all lookup main
30299: from all lookup 31
32766: from all lookup main
32767: from all lookup default
Last Edited On: 2014-10-13- 18:29:38 By AE6XE

Subject :Re:Virtual Tunnels..
2014-10-13- 18:34:41

KG6JEI
Member
Joined: 2013-12-02- 19:52:05
Posts: 516
Yes it is, but as done it would be a regression of BBHN->ticket:35 (a tunnel link could force its way to use your internet because of rules 30290, 32766). It also leaks the nodes when in NAT mode too. The 30200+ rules are meant to be used by the node itself for finding everything it may need to connect to, not to be used by traffic actually traversing the mesh itself (which a vpnlink side would be).
Note: Most posts submitted from iPhone

Subject :Re:Re:Re:Virtual Tunnels..
2014-10-14- 01:25:16

AE6XE
Member
Joined: 2013-11-05- 00:09:51
Posts: 116
I'll create the new 12-vpnrouting rules--to sustain/reduce the security vulnerability level for tun* interfaces.

Subject :Re:Virtual Tunnels..
2014-10-14- 11:31:09

k5dlq
Member
Joined: 2012-05-11- 08:05:13
Posts: 233
Location: Magnolia, TX USA
Will your routing rules be in the firewall.users file?
I'm working on a script to do the client installation and it does include firewall rules.
Darryl - K5DLQ
www.aredn.org

Subject :Re:Re:Re:Virtual Tunnels..
2014-10-14- 12:20:09

AE6XE
Member
Joined: 2013-11-05- 00:09:51
Posts: 116
This is a bit different--there are essentially many routing tables in Linux. These are rules in an overarching policy table that basically says which route tables apply to the traffic. Right now all the route tables apply to our tunnel traffic (specifically the routes maintained by olsr). We need to undefine usage of route tables when they don't apply to our tunnel traffic to prevent avenues of attack/exploitation (call us paranoid :) ). This is not something that prevents 'development/testing' of tunnels now, rather something that we need to begin including from a security perspective for permanent or production usage.
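The policy-routing point AE6XE makes above, and KG6JEI's earlier warning that the "from all lookup main" rules at 30290/32766 let a tunnel link reach the node's internet uplink, as a small simulation of how the kernel walks ip rules in priority order. This is an added example, not code from the thread or from BBHN: the route table contents, the tun0-specific rule priorities and the trailing "unreachable" rule are assumptions made for illustration, not the contents of 11-meshrouting or the planned 12-vpnrouting file.

```python
# Simulation of Linux policy routing (ip rule + per-table ip route lookup).
# Shows why "from all lookup main" at 30290/32766 gives traffic arriving on
# tun0 a path to the WAN default route, and how an interface-scoped policy
# confines tun* traffic to the mesh table. Added example with constructed data.
import ipaddress

# Constructed route tables. ASSUMPTION: table 30 holds olsrd-learned mesh
# routes; 'main' holds the node's own routes including its WAN default route.
TABLES = {
    30: [("10.0.0.0/8", "mesh via wlan0"), ("172.31.0.0/16", "mesh via tun0")],
    "main": [("192.168.1.0/24", "lan"), ("0.0.0.0/0", "internet via wan")],
}


def lookup(table, dst):
    """Longest-prefix match inside one table; None when the table has no route."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, via in TABLES.get(table, []):
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, via)
    return best[1] if best else None


def route(rules, iif, dst):
    """Walk (priority, selector, action) rules lowest priority first, as the
    kernel does. selector is 'all' or an incoming interface name; action is a
    table to consult or 'unreachable'. The first rule that yields a result wins."""
    for _prio, sel, action in sorted(rules):
        if sel not in ("all", iif):
            continue
        if action == "unreachable":
            return "unreachable"
        via = lookup(action, dst)
        if via is not None:
            return via
    return "no route"


# Rules as listed in the thread (priority, selector, table), limited to the
# tables modelled here: 30220 lookup 30, 30290 lookup main, 32766 lookup main.
LEAKY_RULES = [(30220, "all", 30), (30290, "all", "main"), (32766, "all", "main")]

# ASSUMED hardened policy: packets entering on tun0 may only use the mesh table
# and are rejected before the node's own 30200+/32766 rules are consulted.
HARDENED_RULES = [(20220, "tun0", 30), (20299, "tun0", "unreachable")] + LEAKY_RULES

if __name__ == "__main__":
    for name, rules in (("leaky", LEAKY_RULES), ("hardened", HARDENED_RULES)):
        print(name, route(rules, "tun0", "10.1.2.3"), route(rules, "tun0", "8.8.8.8"))
```

With the leaky rule set a packet from the tunnel to 8.8.8.8 falls through to the main table and leaves via the WAN; with the hardened set it is rejected, while the node's own traffic (other interfaces) still reaches the internet.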

Subject :Re:Re:Re:Virtual Tunnels..
2014-10-14- 13:27:13

k5dlq
Member
Joined: 2012-05-11- 08:05:13
Posts: 233
Location: Magnolia, TX USA
Excellent. Security should always be on our minds. At the onset, not an afterthought.
Thx.
Darryl - K5DLQ
www.aredn.org

Subject :Re:Re:Re:Virtual Tunnels..
2014-10-15- 09:34:15

k5dlq
Member
Joined: 2012-05-11- 08:05:13
Posts: 233
Location: Magnolia, TX USA
Question: when defining multiple vtun clients, what do I need to do to my /etc/config/network file regarding the mtmlink sections...
i.e.
Currently, I have: ...
#### mesh to mesh configuration
config interface mtmlink
    option ifname "tun0"
    option proto none
...
However, I have 4 different tun* interfaces (i.e. tun0, tun1, tun2, tun3).
Do I need to change the network file to:
#### mesh to mesh configuration
config interface mtmlink
    option ifname "tun0,tun1,tun2,tun3"
    option proto none
Any guidance from those who have multiple client connection abilities?
Last Edited On: 2014-10-15- 09:36:01 By k5dlq
Darryl - K5DLQ
www.aredn.org