Run cjdns on Google Compute Engine

Google recently announced the Google Cloud Platform Free Tier, which includes an f1-micro instance on the Google Compute Engine. Compute Engine instances are essentially virtual private servers, with full customization available for disk size, number of processors and amount of memory. The f1-micro instance supplied free to each user boasts modest specifications: 1x shared virtual CPU (quantified as 0.2 of a CPU before bursting as available), 600MB of RAM, 5GB of snapshot storage, and 30GB of HDD persistent disk. As with all cloud providers, Compute Engine offers beefier machines priced accordingly. Luckily, Google is currently offering a (US only for the time being) free trial of the Google Cloud Platform for 12 months /$300. At around $4-$5 per f1-instance, a user could run several of these lower-tier machines for a year under their trial period.

Getting started with Google Compute Engine is relatively simple. This guide assumes you have a web browser, and a machine to make SSH connections from to access your Compute Engine instance. Commands for a Linux-based workstation will be shown, but should translate easily to a workstation running OSX or BSD.

Compute Engine Instance Setup

Start by signing up for the free trial here (If you have already completed a trial, the same link should log you in to your account). This will ask for some personal information (if it is not already in your Google account) and credit card information to validate the account. Afterwards, we will be automatically logged into the Google Cloud Platform console. From here, we can create a new project by clicking the Create project link in the console’s banner near the top left of the screen.

Create a new project.

Give the project a name and click on the Create button. Now we will be in the project’s dashboard. Back in the console’s banner, press the Products & services menu button on the left and select Compute Engine from the menu.

Select Compute Engine from the menu.

A pop-up will now appear regarding VM instances. We will want to press the blue Create button when prompted, this will launch the instance creation wizard. Give the instance a Name (if desired) and pick a Zone from the drop-down menu. There are many zones available, and their features are listed here. It is important to note that the free f1-micro instances are limited to US regions, so select one of those if interested in completing the always-free offer. If using  free trial credit or otherwise paying for an instance, feel free to select any zone desired. Under Machine Type, click the Customize link to show our specification options.

Moving the slider for Cores all the way to the left will adjust the specs to an f1-micro instance.

Select the number of cores for the target virtual machine we are creating. Moving the slider all the way to the left will give us 1 shared vCPU and 600MB of RAM. Note of the monthly rate on the right side of the screen changes based on the modifications. As shown under Machine type, Compute Engine offers a wide array of options for your instance, including GPU selection and even the option to run with 64 cores. We could pick a better instance for now and scale it down before the 12-month period is over to retain under the free tier, but for the sake of testing the f1-micro instance, the rest of this tutorial will proceed with settings as shown.

Lower in the page, we will leave the Boot Disk selection alone as Debian Jessie on 10GB is more than enough for cjdns. Click the link for Management, disk, networking, SSH keys to expand a few more options, and click on the Networking tab.

The Networking tab for our instance.

Click on the drop-down menu under External IP and select New static IP address. When prompted, give this IP address a name (anything will do) and press the Reserve button to complete the action. This will make sure our external IP address does not change unexpectedly.

Now, we want to add an SSH key for remote access to our instance. On our Linux workstation, bring up a new console. To create the new SSH key-pair we will run ssh-keygen, specifying a file and our username. Make sure to create a passphrase when prompted!

$ ssh-keygen -t rsa -f ~/.ssh/google-compute-ssh -C famicoman
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/famicoman/.ssh/google-compute-ssh.
Your public key has been saved in /home/famicoman/.ssh/google-compute-ssh.pub.
The key fingerprint is:
d3:f1:63:ab:5a:f9:e8:54:87:92:e1:95:de:3c:58:27 famicoman
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|             .   |
|          o o E .|
|         o B * o |
|        S = O =  |
|         . = + . |
|          + .    |
|         o +     |
|        .o+ .    |
+-----------------+

Now we will modify the permissions of our private key to ensure only our user can access it:

$ chmod 400 ~/.ssh/google-compute-ssh

Finally, read the contents of our public key file, which we will be using to complete the Compute instance setup.

 $ cat ~/.ssh/google-compute-ssh.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDbEKVCbgDus+hno+GKtsuYgrWSgarOH3/2R1q5IA1SWZXn9OJZQ1LAWn7QsM01tg7TTrrAo57wAlemC+eJgLLVsAnayvA/WZjlvjEdcX3TvQqzNnWGNf4VK7g/PvIOvyX4gj8uaHc/zWdz28KIgz2cUP/2bNWJox/p9M3vssxttpuTIL2knFIOKYphxaBWvfXu92a5kB60gso/0pcyZ7O+Kt2evfjtyByJRvypeM0YyMHM+xZ7b0gooWk9rSkpkGRJMBtHQOVVWqIQ2rjnEMPWNpEyqqC3KZmgolRP4a8TpXEDyP6N/2pc53zuVqCrgL7M8jYcIEmcLYASvTqWJlh5 famicoman

Back in our Compute instance setup, click on the SSH Keys tab, directly to the right of the Networking tab we are currently on. In the Enter entire key data textbox, paste the contents of the google-compute-ssh.pub file we just printed with cat and press the Add item button.

Instance configuration after adding the SSH key.

Finally, press the Create button to make our instance and boot it up for the first time.

After a few seconds, the virtual machine will appear on our screen and be ready to access.

A fresh Compute instance!

Cjdns Installation

Now back on our Linux workstation, we will SSH to the instance using the External IP displayed for our instance:

$ ssh -i .ssh/google-compute-ssh famicoman@146.148.43.98

When prompted, accept the key for the host and enter the passphrase for the SSH key.

Now on our instance, let’s change over to root, run an update and then upgrade all of the packages:

famicoman@instance-1:~$ sudo -i
root@instance-1:~$ apt-get update && apt-get upgrade -y

Now, we will install the packages we need to retrieve and install cjdns:

root@instance-1:~# apt-get install -y git build-essential

IPv6 is disabled on all Compute Engine instances by default, so we will want to override this by adding a few lines the sysctl.conf file to enable IPv6 and then reboot the instance:

root@instance-1:~$ { echo "net.ipv6.conf.all.disable_ipv6 = 0"; echo "net.ipv6.conf.default.disable_ipv6 = 0"; echo "net.ipv6.conf.tun0.disable_ipv6 = 0 = 0";} >> /etc/sysctl.conf && reboot

After a few moments, the machine should become unresponsive and the SSH session should terminate. Afterwards, SSH back into the machine from the workstation and change over to root again:

$ ssh -i .ssh/google-compute-ssh famicoman@146.148.43.98

famicoman@instance-1:~$ sudo -i
root@instance-1:~$ apt-get update && apt-get upgrade -y

Now we will change over to the /opt directory and clone the cjdns repo, checking out the latest version:

root@instance-1:~$ cd /opt
root@instance-1:/opt$ git clone https://github.com/cjdelisle/cjdns.git
root@instance-1:/opt$ cd cjdns && git checkout cjdns-v19.1

Now that the latest version is checked out, we can perform an optimized build:

root@instance-1:/opt/cjdns$ CFLAGS="-O2 -s -static -Wall -march=native" ./do

After a few minutes the build will be done. Next, we will link cjdroute into /usr/local/bin and generate a configuration file.

root@instance-1:/opt/cjdns$ cd /usr/local/bin/ && ln -s /opt/cjdns/cjdroute cjdroute
root@instance-1:/usr/local/bin$ cjdroute --genconf > /usr/local/etc/cjdroute.conf

Finally, we can start cjdns:

root@instance-1:/usr/local/bin$ cjdroute < /usr/local/etc/cjdroute.conf
1489881689 INFO cjdroute2.c:642 Cjdns amd64 linux +seccomp
1489881689 INFO cjdroute2.c:646 Checking for running instance...
1489881689 DEBUG UDPAddrIface.c:293 Bound to address [0.0.0.0:34199]
1489881689 DEBUG AdminClient.c:333 Connecting to [127.0.0.1:11234]
1489881690 DEBUG Pipe.c:134 Buffering a message
1489881690 DEBUG cjdroute2.c:699 Sent [144] bytes to core
1489881690 INFO RandomSeed.c:42 Attempting to seed random number generator
1489881690 INFO RandomSeed.c:50 Trying random seed [/dev/urandom] Success
1489881690 INFO RandomSeed.c:56 Trying random seed [sysctl(RANDOM_UUID) (Linux)] Failed
1489881690 INFO RandomSeed.c:50 Trying random seed [/proc/sys/kernel/random/uuid (Linux)] Success
1489881690 INFO RandomSeed.c:64 Seeding random number generator succeeded with [2] sources
1489881690 INFO LibuvEntropyProvider.c:59 Taking clock samples every [1000]ms for random generator
1489881690 DEBUG Pipe.c:231 Pipe [/tmp/cjdns_pipe_client-core-ycdqw9fs9m75mv3vqv16x7pvg0mcw5] established connection
1489881690 DEBUG Pipe.c:253 Sending buffered message
1489881690 DEBUG Core.c:354 Getting pre-configuration from client
1489881690 DEBUG Pipe.c:231 Pipe [/tmp/cjdns_pipe_client-core-ycdqw9fs9m75mv3vqv16x7pvg0mcw5] established connection
1489881690 DEBUG Core.c:357 Finished getting pre-configuration from client
1489881690 DEBUG UDPAddrIface.c:254 Binding to address [127.0.0.1:11234]
1489881690 DEBUG UDPAddrIface.c:293 Bound to address [127.0.0.1:11234]
1489881690 DEBUG UDPAddrIface.c:293 Bound to address [0.0.0.0:37092]
1489881690 DEBUG AdminClient.c:333 Connecting to [127.0.0.1:11234]
1489881690 INFO Configurator.c:135 Checking authorized password 0.
1489881690 INFO Configurator.c:159 Adding authorized password #[0] for user [default-login].
1489881690 INFO Configurator.c:411 Setting up all ETHInterfaces...
1489881690 INFO Configurator.c:427 Creating new ETHInterface [eth0]
1489881690 INFO Configurator.c:388 Setting beacon mode on ETHInterface to [2].
1489881690 DEBUG Configurator.c:531 Security_chroot(/var/run/)
1489881690 DEBUG Configurator.c:576 Security_noforks()
1489881690 DEBUG Configurator.c:581 Security_setUser(uid:65534, keepNetAdmin:1)
1489881690 DEBUG Configurator.c:596 Security_seccomp()
1489881690 DEBUG Configurator.c:601 Security_setupComplete()
1489881690 DEBUG Configurator.c:685 Cjdns started in the background

Now that cjdns is running, let’s verify this by checking out the interface with ifconfig:

root@instance-1:/usr/local/bin# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet6 addr: fcab:62fc:cd8b:36f0:7837:4361:9aa3:946d/8 Scope:Global
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1304  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Conclusion

We are now free to add peers to our cjdroute.conf file or generate our own peering credentials for other installations! Be sure to keep in mind Google Compute Engine’s rates for egress bandwidth as noted here. Nobody wants to make up with a $500 bill for bandwidth. And, as always, consider locking down your node with proper firewall rules, etc. now that it is live and Internet-facing.

Compute instances should perform relatively well, even the f1-micro instances. Below are sample cjdns bench results for the f1-micro:

root@instance-1:/usr/local/bin# cjdroute --bench | grep "per second"
1489881851 INFO Benchmark.c:62 Benchmark salsa20/poly1305 in 653ms. 1837672 kilobits per second
1489881851 INFO Benchmark.c:62 Benchmark Switching in 342ms. 598830 packets per second
root@instance-1:/usr/local/bin# cjdroute --bench | grep "per second"
1489881854 INFO Benchmark.c:62 Benchmark salsa20/poly1305 in 635ms. 1889763 kilobits per second
1489881854 INFO Benchmark.c:62 Benchmark Switching in 335ms. 611343 packets per second
root@instance-1:/usr/local/bin# cjdroute --bench | grep "per second"
1489881858 INFO Benchmark.c:62 Benchmark salsa20/poly1305 in 664ms. 1807228 kilobits per second
1489881858 INFO Benchmark.c:62 Benchmark Switching in 355ms. 576901 packets per second
 

Browse the Philly Mesh Site from Hyperboria

The Philly Mesh website is now available from Hyperboria. The new subdomain h.phillymesh.net will resolve to [fc4a:cb93:88dc:32e1:43ec:e1b8:2b45:dd46] and is available via both HTTP and HTTPS:

As cjdns encrypts traffic end-to-end, standard HTTP should be acceptable in most configurations. You will want to use the HTTPS link if you connect to Hyperboria via a cjdns gateway on a different machine or if you share the machine running cjdroute.

If you do use HTTPS, you will likely get a warning from the browser that the cerificate is invalid as it is issued for an IP in a private address space (as all Hyperboria addresses are). Be aware, there should be no issue with this certificate. In the future, I may go through the process of configuring a CA for phillymesh.net (self-signing a cert for h.phillymesh.net and distributing the root cert, signed with my GPG key, but don’t find it necessary right now. The current certificate is issued by Let’s Encrypt.

 

New Site Online!

As you can see, I have officially put the phillymesh.net domain to full use as the new public-facing site for Philly Mesh. I’ve finished importing all of the old site content into this new site, and added permanant redirects on all the old permalinks to their respective pages here. This means any existing link for a page on http://mesh.philly2600.net should seamlessly redirect to the proper content on https://phillymesh.net. If you happen to find any broken links, please let me know! The previous site was suffering from several issues before the move and I was unable to import a database backup; all content was reentered by hand.

This new site has some updated content, but all of the previous posts are accounted for. I have temporarily removed the node map page as it was not maintained well and I hope to replace it with a self-hosted solution coming up.

You may also notice that https is now forced, all insecure http connections will be automatically redirected to use TLS.

The GitHub organization is also live, which you can find at https://github.com/phillymesh.

Next on the list of to-dos:

  • Setup a Wekan kanban board (to better track to-do lists).
  • Setup phillymesh.net for Hyperboria access
  • Setup a Matrix server for communication
  • Setup a Nodeshot map for nodes (or some other mapping solution)
  • Setup cjdns on more servers and create a nodes/services page for nodes Philly Mesh has on the network and what they offer.
 

Building DIY Community Mesh Networks (2600 Article)

Now that the article has been printed in 2600 magazine, Volume 33, Issue 3 (2016-10-10), I’m able to republish it on the web. The article below is my submission to 2600 with some slight formatting changes for hyperlinks.

Building DIY Community Mesh Networks
By Mike Dank
Famicoman@gmail.com

Today, we are faced with issues regarding our access to the Internet, as well as our freedoms on it. As governmental bodies fight to gain more control and influence over the flow of our information, some choose to look for alternatives to the traditional Internet and build their own networks as they see fit. These community networks can pop up in dense urban areas, remote locations with limited Internet access, and everywhere in between.Whether you are politically fueled by issues of net neutrality, privacy, and censorship, fed up with an oligarchy of Internet service providers, or just like tinkering with hardware, a wireless mesh network (or “meshnet”) can be an invaluable project to work on. Numerous groups and organizations have popped up all over the world, creating robust mesh networks and refining the technologies that make them possible. While the overall task of building a wireless mesh network for your community may seem daunting, it is easy to get started and scale up as needed.

What Are Mesh Networks?

Think about your existing home network. Most people have a centralized router with several devices hooked up to it. Each device communicates directly with the central router and relies on it to relay traffic to and from other devices. This is called a hub/spoke topology, and you’ll notice that it has a single point of failure. With a mesh topology, many different routers (referred to as nodes) relay traffic to one another on the path to the target machine. Nodes in this network can be set up ad-hoc; if one node goes down, traffic can easily be rerouted to another node. If new nodes come online, they can be seamlessly integrated into the network. In the wireless space, distant users can be connected together with the help of directional antennas and share network access. As more nodes join a network, service only improves as various gaps are filled in and connections are made more redundant. Ultimately, a network is created that is both decentralized and distributed. There is no single point of failure, making it difficult to shut down.

When creating mesh networks, we are mostly concerned with how devices are routing to and linking with one another. This means that most services you are used to running like HTTP or IRC daemons should be able to operate without a hitch. Additionally, you are presented with the choice of whether or not to create a darknet (completely separated from the Internet) or host exit nodes to allow your traffic out of the mesh.

Existing Community Mesh Networking Projects

One of the most well-known grassroots community mesh networks is Freifunk, based out of Germany, encompassing over 150 local communities with over 25,000 access points. Guifi.net based in Spain, boasts over 27,000 nodes spanning over 36,000 km. In North America we see projects like Hyperboria which connect smaller mesh networking communities together such as Seattle Meshnet, NYC Mesh, and Toronto Mesh. We also see standalone projects like PittMesh in Pittsburgh, WasabiNet in St. Louis, and People’s Open Network in Oakland, California.

While each of these mesh networks may run different software and have a different base of users, they all serve an important purpose within their communities. Additionally, many of these networks consistently give back to the greater mesh networking community and choose to share information about their hardware configurations, software stacks, and infrastructure. This only benefits those who want to start their own networks or improve existing ones.

Picking Your Hardware & OS

When I was first starting out with Philly Mesh, I was faced with the issue of acquiring hardware on a shoestring budget. Many will tell you that the best hardware is low-power computers with dedicated wireless cards. This however can incur a cost of several hundred dollars per node. Alternatively, many groups make use of SOHO routers purchased off-the-shelf, flashed with custom firmware. The most popular firmware used here is OpenWRT, an open source alternative that supports a large majority of consumer routers. If you have a relatively modern router in your house, there is a good chance it is already supported (if you are buying specifically for meshing, consider consulting OpenWRT’s wiki for compatibility. Based on Linux, OpenWRT really shines with its packaging system, allowing you to easily install and configure packages of networking software across several routers regardless of most hardware differences between nodes. With only a few commands, you can have mesh packages installed and ready for production.

Other groups are turning towards credit-card-sized computers like the BeagleBone Black and Raspberry Pi, using multiple USB WiFi dongles to perform over-the-air communication. Here, we have many more options for an operating system as many prefer to use a flavor of Linux or BSD, though most of these platforms also have OpenWRT support.

There are no specific wrong answers here when choosing your hardware. Some platforms may be better suited to different scenarios. For the sake of getting started, spec’ing out some inexpensive routers (aim for something with at least two radios, 8MB of flash) or repurposing some Raspberry Pis is perfectly adequate and will help you learn the fundamental concepts of mesh networking as well develop a working prototype that can be upgraded or expanded as needed (hooray for portable configurations). Make sure you consider options like indoor vs outdoor use, 2.4 GHz vs. 5 GHz band, etc.

Meshing Software

You have OpenWRT or another operating system installed, but how can you mesh your router with others wirelessly? Now, you have to pick out some software that will allow you to facilitate a mesh network. The first packages that you need to look at are for what is called the data link layer of the OSI model of computer networking (or OSI layer 2). Software here establishes the protocol that controls how your packets get transferred from node A to node B. Common software in this space is batman-adv (not to be confused with the layer 3 B.A.T.M.A.N. daemon), and open80211s, which are available for most operating systems. Each of these pieces of software have their own strengths and weaknesses; it might be best to install each package on a pair of routers and see which one works best for you. There is currently a lot of praise for batman-adv as it has been integrated into the mainline Linux tree and was developed by Freifunk to use within their own mesh network.

Revisiting the OSI model again, you will also need some software to work at the network layer (OSI layer 3). This will control your IP routing, allowing for each node to compute where to send traffic next on its forwarding path to the final destination on the network. There are many software packages here such as OLSR (Optimized Link State Routing), B.A.T.M.A.N (Better Approach To Mobile Adhoc Networking), Babel, BMX6, and CJDNS (Caleb James Delisle’s Networking Suite). Each of these addresses the task in its own way, making use of a proactive, reactive, or hybrid approach to determine routing. B.A.T.M.A.N. and OLSR are popular here, both developed by Freifunk. Though B.A.T.M.A.N. was designed as a replacement for OLSR, each is actively used and OLSR is highly utilized in the Commotion mesh networking firmware (a router firmware based off of OpenWRT).

For my needs, I settled on CJDNS which boasts IPv6 addressing, secure communications, and some flexibility in auto-peering with local nodes. Additionally, CJDNS is agnostic to how its host connects to peers. It will work whether you want to connect to another access point over batman-adv, or even tunnel over the existing Internet (similar to Tor or a VPN)! This is useful for mesh networks starting out that may have nodes too distant to connect wirelessly until more nodes are set up in-between. This gives you a chance to lay infrastructure sooner rather than later, and simply swap-out for wireless linking when possible. You also get the interesting ability to link multiple meshnets together that may not be geographically close.

Putting It Together

At this point, you should have at least one node (though you will probably want two for testing) running the software stack that you have settled on. With wireless communications, you can generally say that the higher you place the antenna, the better. Many community mesh groups try to establish nodes on top of buildings with roof access, making use of both directional antennas (to connect to distant nodes within the line of sight) as well as omnidirectional antennas to connect to nearby nodes and/or peers. By arranging several distant nodes to connect to one another via line of sight, you can establish a networking backbone for your meshnet that other nodes in the city can easily connect to and branch off of.

Gathering Interest

Mesh networks can only grow so much when you are working by yourself. At some point, you are going to need help finding homes for more nodes and expanding the network. You can easily start with friends and family – see if they are willing to host a node (they probably wouldn’t even notice it after a while). Otherwise, you will want to meet with like-minded people who can help configure hardware and software, or plan out the infrastructure. You can start small online by setting up a website with a mission statement and making a post or two on Reddit (/r/darknetplan in particular) or Twitter. Do you have hackerspaces in your area? Linux or amateur radio groups? A 2600 meeting you frequent? All of these are great resources to meet people face-to-face and grow your network one node at a time.

Conclusion

Starting a mesh network is easier than many think, and is an incredible way to learn about networking, Linux, micro platforms, embedded systems, and wireless communication. With only a few off-the-shelf devices, one can get their own working network set up and scale it to accommodate more users. Community-run mesh networks not only aid in helping those fed up with or persecuted by traditional network providers, but also those who want to construct, experiment, and tinker. With mesh networks, we can build our own future of communication and free the network for everyone.

 

Welcome 2600 Readers!

I have been informed that my article, “Building DIY Community Mesh Networks,” has been published in the Autumn 2016 issue of 2600: The Hacker Quarterly.

2600 Volume 33, issue 3 – Autumn 2016

Please feel free to reach out for any additional information.

 

CJDNS on OpenWRT – Part 3: Installing & Configuring CJDNS

Now that we have OpenWRT installed and ensured that we have enough space to experiment and install packages, we can proceed to install and configure cjdns.

I have opted to install a GUI package to allow for easier configuration (though I also wanted to see what it had to offer over editing configuration files). The package used here is luci-app-cjdns, relying on the LuCI interface that comes default in most OpenWRT images. If you want to install cjdns without the GUI or do not use LuCI, you can install the regular cjdns package. Note: The standard cjdns package was left out of OpenWRT 15.05.1, but should be in the older 15.05 image. The luci-app-cjdns package should be available in both versions, so you won’t have any issue with the remainder of this guide.

Now we are ready to install cjdns for LuCI. SSH into the access point and run the following command to update and install luci-app-cjdns.

opkg update && opkg install luci-app-cjdns

After this finishes, leave the SSH session open and then load up the OpenWRT web console in a browser and log in. By default, this interface can be reached via http://192.168.1.1. Now that we’re in the console, select cjdns from the Services dropdown on the top menu. An Overview page for cjdns will load (and look rather empty). Now, click the Peers sub-tab link near the top of this page.

Now, we can enter in the peering information for any number of peers to connect to. You will likely want to populate the Authorized Passwords and Outgoing UDP Peers sections as I have below.

CJDNS Peers Tab

When finished, press the Save & Apply button to commit any changes and restart cjdns. These steps can be repeated to add as many peers as needed.

Now, navigate back to the Overview page by clicking on the Overview sub-tab link.

After loading, we should now have connection information about the configured peers as shown below.

CJDNS Overview Page

That’s all there is to it! Back in our SSH session, we can try pinging a machine on Hyperboria to confirm a connection:

 ping6 h.peer0.famicoman.com
PING h.peer0.famicoman.com (fc9f:990d:2b0f:75ad:8783:5d59:7c84:520b): 56 data bytes
64 bytes from fc9f:990d:2b0f:75ad:8783:5d59:7c84:520b: seq=0 ttl=42 time=4072.631 ms
64 bytes from fc9f:990d:2b0f:75ad:8783:5d59:7c84:520b: seq=1 ttl=42 time=3800.924 ms
64 bytes from fc9f:990d:2b0f:75ad:8783:5d59:7c84:520b: seq=2 ttl=42 time=4594.193 ms
64 bytes from fc9f:990d:2b0f:75ad:8783:5d59:7c84:520b: seq=3 ttl=42 time=4329.846 ms
^C
--- h.peer0.famicoman.com ping statistics ---
9 packets transmitted, 4 packets received, 55% packet loss
round-trip min/avg/max = 3800.924/4199.398/4594.193 ms

If all went as expected, you now have cjdns running on your OpenWRT router! This can be expanded in the future by copying an OpwnWRT configuration onto several routers, and then linking them together wirelessly.

 

CJDNS on OpenWRT – Part 2: Configuring Extroot for More Storage

If you have any low-memory OpenWRT device (4MB of flash) you will probably fill up any free space quickly after the initial OpenWRT install and need more room to grow. Luckily, you can transfer your root file system to a flash drive and boot off of it as long as your access point has a USB port.

If you are following along with our Western Digital N600, you probably don’t need to do this. The N600 comes equipped with 12MB of built-in flash, more than enough to accommodate the software packages we will install in the future. If you have less than this or want to have a nice learning exercise, read on!

You are going to need a Linux machine and a flash drive. The flash drive size shouldn’t matter too much. A lot of people run OpenWRT off of 8MB of internal flash, so any small drive should have plenty of room.

On your Linux machine, plug in the flash drive (mine is a ~10 year old 64MB), and run dmesg to get the kernel message buffer.

dmesg

You should get a lot of output, but importantly at the end, we should see our flash drive being recognized.

[26913.782811] usb 1-1.4: new high-speed USB device number 4 using dwc_otg
[26913.883754] usb 1-1.4: New USB device found, idVendor=0457, idProduct=0151[26913.883779] usb 1-1.4: New USB device strings: Mfr=0, Product=2, SerialNumber=3
[26913.883796] usb 1-1.4: Product: USB Mass Storage Device
[26913.883812] usb 1-1.4: SerialNumber: 00000000004FDE
[26913.884913] usb-storage 1-1.4:1.0: USB Mass Storage device detected
[26913.887282] usb-storage 1-1.4:1.0: Quirks match for vid 0457 pid 0151: 80
[26913.887450] scsi host0: usb-storage 1-1.4:1.0
[26914.884185] scsi 0:0:0:0: Direct-Access     Staples                   0.00 PQ: 0 ANSI: 2
[26914.886688] sd 0:0:0:0: [sda] 124000 512-byte logical blocks: (63.4 MB/60.5 MiB)
[26914.887210] sd 0:0:0:0: [sda] Write Protect is off
[26914.887235] sd 0:0:0:0: [sda] Mode Sense: 00 00 00 00
[26914.887748] sd 0:0:0:0: [sda] Asking for cache data failed
[26914.887771] sd 0:0:0:0: [sda] Assuming drive cache: write through
[26914.916959]  sda: sda1
[26914.920057] sd 0:0:0:0: [sda] Attached SCSI removable disk
[26914.922645] sd 0:0:0:0: Attached scsi generic sg0 type 0

We see that our physical device is sda, with one partition sda1. Your drive/partition may be labeled differently depending on how many drives you have installed or plugged into your machine, and how many partitions your flash drive has. We can verify we are looking at our flash drive by listing via fdisk.

fdisk -l /dev/sda

You will get a lot of informative output about the device:

Disk /dev/sda: 63 MB, 63488000 bytes
16 heads, 32 sectors/track, 242 cylinders, total 124000 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x91f72d24

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *          32      123999       61984    b  W95 FAT32

Now we will go ahead and format the drive as ext4. First however, we need to create a partition by running the fdisk command on the drive (without the -l option).

fdisk /dev/sda

This is an interactive utility, so when prompted, enter d to delete the current partition on the drive. Then enter n for a new partition (taking the defaults by pressing the return key). Finally, enter w to apply the changes to the disk and exit.

Now, we can make a file system on the partition we just created, formatting it as ext4:

mkfs.ext4 /dev/sda1

Afterwards we can list with fdisk again to see our changes:

fdisk -l /dev/sda

Disk /dev/sda: 63 MB, 63488000 bytes
3 heads, 32 sectors/track, 1291 cylinders, total 124000 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x91f72d24

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1            2048      123999       60976   83  Linux

You can now remove your USB drive from your Linux machine and plug it into your OpenWRT device.

Next, we ssh into our OpenWRT device and login as root. We need to install a few utilities with opkg before we can switch over the root filesystem.

opkg update && opkg install block-mount kmod-fs-ext4 kmod-usb-storage fdisk nano

Now we will run fdisk to see that our drive is recognized:

root@OpenWrt:~# fdisk -l

Disk /dev/mtdblock0: 256 KiB, 262144 bytes, 512 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk /dev/mtdblock1: 64 KiB, 65536 bytes, 128 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk /dev/mtdblock2: 64 KiB, 65536 bytes, 128 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk /dev/mtdblock3: 64 KiB, 65536 bytes, 128 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk /dev/mtdblock4: 15.5 MiB, 16252928 bytes, 31744 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk /dev/mtdblock5: 1.3 MiB, 1310720 bytes, 2560 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk /dev/mtdblock6: 14.3 MiB, 14942208 bytes, 29184 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk /dev/mtdblock7: 12.1 MiB, 12648448 bytes, 24704 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk /dev/mtdblock8: 64 KiB, 65536 bytes, 128 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk /dev/sda: 60.6 MiB, 63488000 bytes, 124000 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x91f72d24

Device     Boot Start    End Sectors  Size Id Type
/dev/sda1        2048 123999  121952 59.6M 83 Linux

My drive registers as /dev/sda1, and this is used through the commands below. Make sure you take note of yours and make the necessary changes when running additional commands.

Next, we will copy our filesystem over and set the device to boot from the flash drive. If you are squeamish about making this change via a terminal, scroll down and view the sources referenced at the end of this tutorial. There is a way to perform this configuration using OpenWRT’s default graphical interface: LuCI. If you prefer to issue commands over ssh, read on.

Now, we will actually mount the drive, and copy the root filesystem to it:

mkdir /mnt/sda1
mount /dev/sda1 /mnt/sda1
mkdir -p /tmp/cproot
mount --bind / /tmp/cproot
tar -C /tmp/cproot -cvf - . | tar -C /mnt/sda1 -xf -
umount /tmp/cproot

After we have moved the filesystem over, we can modify the fstab with our editor of choice.

nano /etc/config/fstab

Paste the following at the top the file and save it. This will use the flash drive as the primary filesystem and preserve this configuration even after reboot.

config mount
        option device '/dev/sda1'
        option target '/'
        option fstype 'ext4'
        option enabled '1'

Finally, we reboot the device by issuing the reboot command:

reboot

After the system comes back up, ssh into it once more and run the df command.

df -h

In the output, pay attention to the Size column to make sure it matches up closely to your flash drive’s capacity to verify that you are actually running off of the flash drive.

Filesystem                Size      Used Available Use% Mounted on
rootfs                   53.7M      9.7M     39.8M  20% /
/dev/root                 2.3M      2.3M         0 100% /rom
tmpfs                    61.6M    628.0K     61.0M   1% /tmp
/dev/sda1                53.7M      9.7M     39.8M  20% /
tmpfs                   512.0K         0    512.0K   0% /dev

That’s all there is to it! Now, you are booting directly off of the flash drive and have more room to install packages. Additionally, you may want to save an image of your drive for future use. You never know when you will be trying something out and need to restore from a backup!

Sources

 

CJDNS on OpenWRT – Part 1: Installing OpenWRT on the WD N600

I was lucky enough to snag a Western Digital N600 router recently for $10 via Woot and have been working through the process of getting it configured with OpenWRT and cjdns.

For $10, I didn’t think I was getting a whole lot, but these devices sport a popular Atheros chipset and are perfectly compatible with OpenWRT’s latest version (Chaos Calmer 15.05 at the time of writing). For the uninitiated, OpenWRT is an alternative firmware for routers that allows for an advanced set of features and more customization.

My N600, happily chugging away.

The first (and sometimes daunting) task in this process is to flash the firmware on to the device, but this is easy to accomplish with the help of the OpenWRT Wiki page for the N600.

One issue I’ve found is that the page states that the web updater doesn’t work on most N600 devices and that it is preferable to use telnet. Being the console junkie I am, I tried the telnet method first but had no way to configure or enable it! I found I couldn’t use telnet but ultimately was able to flash via the web interface.

Adapted from the wiki, here are the steps I took to flash my device. Any additions/modifications by me are in bold:

0) Turn on and configure the device. I couldnt do anything until i completed the initial setup.
1)Download the file openwrt-ar71xx-generic-mynet-n600-squashfs-factory.bin. I pulled it down from
https://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/openwrt-15.05-ar71xx-generic-mynet-n600-squashfs-factory.bin

2) Configure your computers IP address to 192.168.1.10 and connect to a LAN port in the router.
3) Turn the router off.
4) Using a paperclip, press and hold the reset button on the bottom of the router and turn it on. Hold the reset button for at least 15 seconds. Wait until the power light on the front is slowly flashing on and off.
5) On your computer, visit http://192.168.1.1 NOTE: You will not be able to ping this address.
6) Upload the file openwrt-ar71xx-generic-mynet-n600-squashfs-factory.bin as downloaded earlier.
7) The router will now flash OpenWRT. This will take a couple of minutes to achieve. You can ping 192.168.1.1 and watch for ping replies to see when your router has rebooted into OpenWRT.

That’s all there is to it. After OpenWRT boots for the first time, youll be able to configure it to work on your local network. At most,I suggest setting a root password!

This process is pretty adaptable to other hardware, and the OpenWRT wiki is invaluable when it comes to specific steps to flash OpenWRT on any device you may have around. Dont feel like you have to get an N600 because I did, a lot of hardware is supported (I would recommend something with two radios and 8MB of flash for maximum hackery)!

This tutorial is just the first in a series where we will get cjdns configured on your OpenWRT router. The more meshing, the merrier!

 

Router Lockdowns

If you have not heard yet, Adam Longwill of Meta Mesh has discovered that TP-Link, a prominent wireless access point vendor, has started to lock down firmware on some of their routers resulting in routers that are difficult or impossible to flash with open firmware such as OpenWRT. Ubiquiti, another popular vendor, is also on track to follow suit.

You can find a full write-up from Meta Mesh, titled The Lockdown is Here, on their website. It is an important read.

Currently on the BattleMesh mailing list, there are discussions of alternative hardware that can still be used, and even potential plans for small orders of “unlocked” hardware to benefit the community as a whole.

As I was planning on getting a low-tier TP-Link device to experiment with, this delays my plans. However, I am looking at hardware from other vendors to continue my work, and hope to provide updates and create new tutorials as soon as I have the ability.

Hopefully this issue is only a small speed bump on the road to more accessible wireless mesh networking.

 

Setting Up Dynamic DNS for Your Registered Domain through CloudFlare

Note: As of cjdns version 18, cjdns peering credentials will not be valid if they use domain names as opposed to IP addresses. If you are reading this in the year 2017 or later, the below guide is essentially obsolete from a peering perspective but may still be useful for automatically updating DNS records for other purposes.

If you host a node at a residential location, you probably do not have the comfort of a static IP address, one which does not change. Residential Internet accounts usually have the unfortunate side effect of occasional public-facing IP address changes, meaning you have a dynamic IP address. If you give out your peering information to others with your IP address and it changes, these credentials will fail until you are able to supply all of your peers with an updated IP address. Even after you discover the issue, it could take a while for all of your peers to adopt the new information, causing plenty of broken connections.

To solve this problem, we can use dynamic DNS, and get you a domain name to use in place of your IP address by acting as a pointer to it. There are many providers that do this including Duck DNS and FreeDNS. Almost all of them allow you to create subdomains (like yoursupercoolsub.duckdns.org) which behind the scenes point to your IP address. In DNS lingo, this is called an A record (or AAAA record if you have an IPv6 address). Most of these services also allow you to download a client to automatically update your IP address for the record if it changes, so you can just distribute the subdomain’s name to your peers and not worry about unexpected changes.

This works well, but I (and possibly some of you) have a paid domain set up through CloudFlare’s DNS. Instead of famicomans-node.duckdns.org, I would prefer to use my own domain and configure something like node.famicoman.com to act as a pointer to my IP address. Now, I could make a record with a dynamic DNS provider (like famicomans-node.duckdns.org) and have node.famicoman.com point to it instead of the IP address directly (this is called a C record) but that would require me to sign up for another service and configure the two to work together.

Instead of this, I decided to use CloudFlare directly, working with their API, some scripting, and a cron job.

The following assumes that you have registered at CloudFlare and have already added your domain to its care. We also assume that your cjdns installation is on a Linux machine, or you have access to one on your home network.

Before doing anything else, you need to retrieve your CloudFlare API key. Log into the CloudFlare console and navigate to My Settings. Scroll down until you find the API Key item and press the button labeled View API Key. After your API key displays, record it for use later.

Now, navigate to the DNS tab for your domain name. Create a new A record for your public IP by specifying a name (I chose “node”) and a dummy IP address (I used “8.8.8.8”). It doesn’t matter what IP address you supply as it will be updated later. Afterwards, press the green Add Record button.

The record should now display below with a gray cloud icon next to it. This shows that CloudFlare’s CDN services are not active for the record (which is what we want) and that this sub domain name will resolve the IP address directly.

Now on your cjdns node, we can start to configure automatic updates.

First, we need to set up some directories. Log into a non-root account and execute the following to create and change into our new directory. I like to put each of my scripts in its own folder under a ‘scripts’ folder in my home directory, but feel free to use a different location.

mkdir -p ~/scripts/cloudflare-update-record
cd ~/scripts/cloudflare-update-record

Now, we will download a gist with a CloudFlare update script, saving it as ‘cloudflare-update-record.sh’. As always, it is unwise to blindly execute something from a random script on the Internet, so review the code to check for any funny business. You can see updates to and comments on this script here.

wget https://gist.githubusercontent.com/benkulbertis/fff10759c2391b6618dd/raw/0e365a91a15e15494b312cb5492e40dec2072414/cloudflare-update-record.sh

Now we will edit the script to supply credentials for connecting to and updating our CloudFlare record.

nano cloudflare-update-record.sh

Near the top of the file, there are four fields you need to set with some values. Enter your email as the auth_email, your API key from earlier as the auth_key, your root domain as the zone_name, and your subdomains name as the record_name. Below is an example of what these fields might look like filled out.

auth_email="famicoman@gmail.com"
auth_key="a456a7b68cb9ac65b34c2b43b3c6bc4c2b4" # found in cloudflare account settings
zone_name="famicoman.com"
record_name="node.famicoman.com"

Now we want to change permissions so only you can read, write, and execute the script (we wouldn’t want any other users peeking at your API key), and finally execute the script to test it out.

chmod 700 cloudflare-update-record.sh
./cloudflare-update-record.sh

If all goes to plan, you should receive output similar to the following in your console:

>>> IP changed to: 127.112.6.34

If you don’t get a message that your IP is changed, go back and check the credentials you entered into cloudflare-update-record.sh and make sure they are correct.

Additionally, we can check cloudflare.log to see a time-stamped account of our execution.

cat cloudflare.log
[Tue  9 Feb 22:32:30 UTC 2016] - Check Initiated
[Tue  9 Feb 22:32:33 UTC 2016] - IP changed to: 127.112.6.34

Now, we want to have this script run automatically to reduce downtime. I’ve opted to set this script up to run every 10 minutes and schedule it with cron.

Bring up your crontab with the following command:

crontab -e

Scroll to the bottom of the file in your editor and paste the below command on a new line. Every 10 minutes, every hour, every day of the month, every month, and every day of the week this job will run by changing to your cloudflare-update-record directory and then executing cloudflare-update-record.sh.

*/10 * * * * cd ~/scripts/cloudflare-update-record && /bin/bash ~/scripts/cloudflare-update-record/cloudflare-update-record.sh

After saving (C-x), the new job will become active. We can watch the job go off by tailing the cloudflare.log file.

tail -f cloudflare.log

It will take some time depending on when you first save the crontab, but you should see records written to the log in realtime, every 10 minutes starting on the hour.

[Tue  9 Feb 22:32:30 UTC 2016] - Check Initiated
[Tue  9 Feb 22:32:33 UTC 2016] - IP changed to: 127.112.6.34
[Tue  9 Feb 22:40:02 UTC 2016] - Check Initiated
[Tue  9 Feb 22:50:02 UTC 2016] - Check Initiated
[Tue  9 Feb 23:00:02 UTC 2016] - Check Initiated

That’s all there is to it, you can now distribute your connection details using a subdomain on a registered domain name instead of your IP address. Keep in mind that this can be scaled to multiple nodes by giving them multiple subdomain names (node1, node2, etc.) for easy remember-ability.