OpenNIC DNS Server Now Online

I’ve recently configured a public DNS server in Amsterdam that resolves domains within the OpenNIC root, as well as the traditional ICANN registry. This means you can resolve domains using free OpenNIC TLDs (such as .geek, .null, and .pirate) as well as all of your old favorites (you know, those sites on .com, .net, and all the others).

My DNS server is available on the clearnet via IPv4 (at 146.185.176.36) and IPv6 (at 2a03:b0c0:0:1010::1a7:c001) on port 53. Additionally, you can also access the server via Hyperboria with the address fc16:b44c:2bf9:467:8098:51c6:5849:7b4f, also on port 53.

I have also added DNSCrypt support on port 5353 for all of the addresses above, which allows for authentication between client and server using cryptographic signatures. To connect using DNSCrypt, you will have to install the client and authenticate with the DNSCrypt-Name2.dnscrypt-cert.opennic.peer3.famicoman.phillymesh.net, and the DNSCrypt-KeyB88F:4860:5517:3696:A3D2:BFE0:ECC7:6175:198F:E012:E101:B4FE:869C:1E9C:4C35:E74F.

I perform no logging on the server, so you don’t have to worry about your queries being cached!

Feel free to try it out, or check the health of the server here.

 

Node Page Now Live

I’ve put together a page on the site to keep track of nodes within the Philly Mesh network. Not all nodes are in, or even around Philadelphia, but they are all managed by the group. Check out the new page, here!

All nodes currently listed minimally display a name, a location, contact information, and a status indicator that is refreshed at every page load. Additionally, all of these nodes are available to peer with, just send a message to the email address listed under the respective node(s)!

Where applicable, each node also lists its hosting provider, along with a referral link if you wish to sign up for any of the hosting services. Nodes may also list both Hyperboria and clearnet services that are publicly available. These can be updated periodically, and announcements will be made for anything new.

Happy meshing!

 

Matrix, Wekan, & Map Online!

For the past week I’ve been heavily investing time into the Philly Mesh infrastructure by setting up new resources for the group. I’ve spun up a new VPS through Vultr, located in New Jersey, to host some of the more intensive applications. Information for peering with this box will be available shortly, as it is already up and running on the Hyperboria network!

The new VPS hosts three main services for the time being:

First is a Matrix server (matrix.phillymesh.net) for group communication. All existing addresses and bridges (like IRC) will continue to work and this new server just supplies another federated endpoint to get on the network. Please don’t hesitate to say hi (we also host our own webchat for Matrix (chat.phillymesh.net) though Riot is available for many platforms)!

Second, we are hosting a Wekan installation (wekan.phillymesh.net). This kanban-style application will help organize and keep track of current projects and map out needs for future ones. The Wekan has open registrations at this time, though it may be a bit empty at first!

Third, in collaboration with Toronto Mesh I am working on a new node map (map.phillymesh.net) based off of NYC Mesh’s map source. This is a work in progress and will ultimately have a GitHub repository available for anyone to use for node submission. I am also looking at other meshnet mapping solutions such as NodeShot, but they are proving to be unusable for the time being.

Rough notes for the installations are currently available through our documentation repo on GitHub and will be cleaned up and expanded upon in the future!

 

Set Your Hyperboria Node’s Domain Name on the fc00 Map

fc00, a project aimed to make the Hyperboria network more accessible, has been hosting a network map of Hyperboria peers for a few years. The map, updated throughout the day, is available to view here. Unlike geographic maps, the fc00 map shows the network topology. While I won’t be able to see if my node in Seattle neighbors any other nodes I’m not connected to, I can see the edges between nodes and view the centrality of the network.

The node map at the time of writing.

The fc00 map also has a handy search feature where you are able to look up nodes based on their IP address or domain name to view cjdns version, connected peers, and centrality. However, domain names are not discovered automatically and need to be added manually via a GitHub repository.

Adding your node’s domain name to the GitHub repo is a relatively simple process, and serves as a good introduction to creating pull requests for any git project. This guide assumes you have a web browser, a GitHub account, a DNS AAAA record pointed to the IPv6 address of your Hyperboria node (subdomains work too!), and a non-root, sudo user on a Linux machine. Commands for a Linux-based workstation will be shown, but should translate easily to a workstation running OSX or BSD.

Forking the Repository

The node list lives in a GitHub repository, https://github.com/zielmicha/nodedb. Obviously, this is not our own personal repository, so we will first need to fork the repository to our own GitHub account. This will duplicate the repository’s current state so we can perform edits. Navigate to the repository’s page and press the Fork button on the right side of the page, near the top.

Press the fork button.

If prompted for a location to fork the repository to, choose your profile. You will now have a complete copy of the repo within your account. Now, on the right side of the page, press the button labeled Clone or download. In the small popup that appears, copy the URL from the field with ctrl-c to get it on our clipboard.

Press the Clone or download button and copy the URL.

Cloning the Repo

On the Linux machine, let’s do a little housekeeping and install git so we can get to work:

$ sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get install git

Now we will clone the repository to our local machine, pasting the link we copied earlier:

$ git clone https://github.com/Famicoman/nodedb.git
]Cloning into 'nodedb'...
remote: Counting objects: 578, done.
remote: Compressing objects: 100% (10/10), done.
remote: Total 578 (delta 4), reused 0 (delta 0), pack-reused 568
Receiving objects: 100% (578/578), 163.20 KiB | 91.00 KiB/s, done.
Resolving deltas: 100% (256/256), done.
Checking connectivity... done.

Next, we can change into the directory and start making updates:

$ cd nodedb

We will only be running a script in the repo to automatically add the node to the proper location in the file (sorted by address). We will be running addnode.sh and pass in our node’s IPv6 Hyperboria address and the domain with an AAAA record pointing to it. Note: this domain should be a fully qualified domain name (FQDN). Here is an example with domain h.peer0.famicoman.phillymesh.net which points to fc9f:990d:2b0f:75ad:8783:5d59:7c84:520b:

$ ./addnode.sh fc9f:990d:2b0f:75ad:8783:5d59:7c84:520b h.peer0.famicoman.phillymesh.net

If we happen to have two or more domain names pointing to the node, we can add them all via one command (though currently on the first in the list is searchable on the fc00 map):

$ ./addnode.sh fc9f:990d:2b0f:75ad:8783:5d59:7c84:520b "h.peer0.famicoman.phillymesh.net h.peer0.famicoman.com"

The changes are now made, so we can commit them to our local, working copy of the repo with a message describing our changes:

git commit -am "Added famicoman's node0"
[master 125b493] Added famicoman's node0
 1 file changed, 1 insertion(+), 1 deletion(-)

Finally, we will push the changes back to our repo on GitHub:

$ git push origin master
Username for 'https://github.com': Famicoman
Password for 'https://Famicoman@github.com':
Counting objects: 3, done.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 292 bytes | 0 bytes/s, done.
Total 3 (delta 2), reused 0 (delta 0)
remote: Resolving deltas: 100% (2/2), completed with 2 local objects.
To https://github.com/Famicoman/nodedb.git
   3f94d16..125b493  master -> master

Creating the Pull Request

Back on Github, we can view the changes to our repository by clicking the link labeled Compare on the right side of our fork’s page.

Click the Compare link.

This will show the changes between our fork’s repository and the official repository at zielmicha/nodedb. From here, all we have to do is press the button labeled Create pull request. This will automatically create a request for a change at the official zielmicha/nodedb repository which the author can then approve and merge into the main branch.

Press the button for Create Pull Request.

Making Updates

Later on, we may want to go back and add more nodes to the list or otherwise edit nodes we have already added. We already know the commands to run to get our changes into our fork, but by this time it may be out of date! Luckily we can force an update to our fork from the main zielmicha/nodedb branch so we can perform our edits on the most up-to-date version of the repository.

Back on the Linux machine, simply run the following set of commands:

$ git remote add upstream https://github.com/zielmicha/nodedb
$ git fetch upstream
$ git checkout master
$ git reset --hard upstream/master
$ git push origin master --force

Now we are free to add nodes, commit, push changes to our fork,and create a new pull request!

Conclusion

Creating pull requests through GitHub is a simple task, and adding a node to the fc00 map is a perfect introduction to the process. After your pull request gets successfully merged, be sure to check out your node on the map!

My (small) node.

 

Run cjdns on Google Compute Engine

Google recently announced the Google Cloud Platform Free Tier, which includes an f1-micro instance on the Google Compute Engine. Compute Engine instances are essentially virtual private servers, with full customization available for disk size, number of processors and amount of memory. The f1-micro instance supplied free to each user boasts modest specifications: 1x shared virtual CPU (quantified as 0.2 of a CPU before bursting as available), 600MB of RAM, 5GB of snapshot storage, and 30GB of HDD persistent disk. As with all cloud providers, Compute Engine offers beefier machines priced accordingly. Luckily, Google is currently offering a (US only for the time being) free trial of the Google Cloud Platform for 12 months /$300. At around $4-$5 per f1-instance, a user could run several of these lower-tier machines for a year under their trial period.

Getting started with Google Compute Engine is relatively simple. This guide assumes you have a web browser, and a machine to make SSH connections from to access your Compute Engine instance. Commands for a Linux-based workstation will be shown, but should translate easily to a workstation running OSX or BSD.

Compute Engine Instance Setup

Start by signing up for the free trial here (If you have already completed a trial, the same link should log you in to your account). This will ask for some personal information (if it is not already in your Google account) and credit card information to validate the account. Afterwards, we will be automatically logged into the Google Cloud Platform console. From here, we can create a new project by clicking the Create project link in the console’s banner near the top left of the screen.

Create a new project.

Give the project a name and click on the Create button. Now we will be in the project’s dashboard. Back in the console’s banner, press the Products & services menu button on the left and select Compute Engine from the menu.

Select Compute Engine from the menu.

A pop-up will now appear regarding VM instances. We will want to press the blue Create button when prompted, this will launch the instance creation wizard. Give the instance a Name (if desired) and pick a Zone from the drop-down menu. There are many zones available, and their features are listed here. It is important to note that the free f1-micro instances are limited to US regions, so select one of those if interested in completing the always-free offer. If using  free trial credit or otherwise paying for an instance, feel free to select any zone desired. Under Machine Type, click the Customize link to show our specification options.

Moving the slider for Cores all the way to the left will adjust the specs to an f1-micro instance.

Select the number of cores for the target virtual machine we are creating. Moving the slider all the way to the left will give us 1 shared vCPU and 600MB of RAM. Note of the monthly rate on the right side of the screen changes based on the modifications. As shown under Machine type, Compute Engine offers a wide array of options for your instance, including GPU selection and even the option to run with 64 cores. We could pick a better instance for now and scale it down before the 12-month period is over to retain under the free tier, but for the sake of testing the f1-micro instance, the rest of this tutorial will proceed with settings as shown.

Lower in the page, we will leave the Boot Disk selection alone as Debian Jessie on 10GB is more than enough for cjdns. Click the link for Management, disk, networking, SSH keys to expand a few more options, and click on the Networking tab.

The Networking tab for our instance.

Click on the drop-down menu under External IP and select New static IP address. When prompted, give this IP address a name (anything will do) and press the Reserve button to complete the action. This will make sure our external IP address does not change unexpectedly.

Now, we want to add an SSH key for remote access to our instance. On our Linux workstation, bring up a new console. To create the new SSH key-pair we will run ssh-keygen, specifying a file and our username. Make sure to create a passphrase when prompted!

$ ssh-keygen -t rsa -f ~/.ssh/google-compute-ssh -C famicoman
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/famicoman/.ssh/google-compute-ssh.
Your public key has been saved in /home/famicoman/.ssh/google-compute-ssh.pub.
The key fingerprint is:
d3:f1:63:ab:5a:f9:e8:54:87:92:e1:95:de:3c:58:27 famicoman
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|             .   |
|          o o E .|
|         o B * o |
|        S = O =  |
|         . = + . |
|          + .    |
|         o +     |
|        .o+ .    |
+-----------------+

Now we will modify the permissions of our private key to ensure only our user can access it:

$ chmod 400 ~/.ssh/google-compute-ssh

Finally, read the contents of our public key file, which we will be using to complete the Compute instance setup.

 $ cat ~/.ssh/google-compute-ssh.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDbEKVCbgDus+hno+GKtsuYgrWSgarOH3/2R1q5IA1SWZXn9OJZQ1LAWn7QsM01tg7TTrrAo57wAlemC+eJgLLVsAnayvA/WZjlvjEdcX3TvQqzNnWGNf4VK7g/PvIOvyX4gj8uaHc/zWdz28KIgz2cUP/2bNWJox/p9M3vssxttpuTIL2knFIOKYphxaBWvfXu92a5kB60gso/0pcyZ7O+Kt2evfjtyByJRvypeM0YyMHM+xZ7b0gooWk9rSkpkGRJMBtHQOVVWqIQ2rjnEMPWNpEyqqC3KZmgolRP4a8TpXEDyP6N/2pc53zuVqCrgL7M8jYcIEmcLYASvTqWJlh5 famicoman

Back in our Compute instance setup, click on the SSH Keys tab, directly to the right of the Networking tab we are currently on. In the Enter entire key data textbox, paste the contents of the google-compute-ssh.pub file we just printed with cat and press the Add item button.

Instance configuration after adding the SSH key.

Finally, press the Create button to make our instance and boot it up for the first time.

After a few seconds, the virtual machine will appear on our screen and be ready to access.

A fresh Compute instance!

Cjdns Installation

Now back on our Linux workstation, we will SSH to the instance using the External IP displayed for our instance:

$ ssh -i .ssh/google-compute-ssh famicoman@146.148.43.98

When prompted, accept the key for the host and enter the passphrase for the SSH key.

Now on our instance, let’s change over to root, run an update and then upgrade all of the packages:

famicoman@instance-1:~$ sudo -i
root@instance-1:~$ apt-get update && apt-get upgrade -y

Now, we will install the packages we need to retrieve and install cjdns:

root@instance-1:~# apt-get install -y git build-essential

IPv6 is disabled on all Compute Engine instances by default, so we will want to override this by adding a few lines the sysctl.conf file to enable IPv6 and then reboot the instance:

root@instance-1:~$ { echo "net.ipv6.conf.all.disable_ipv6 = 0"; echo "net.ipv6.conf.default.disable_ipv6 = 0"; echo "net.ipv6.conf.tun0.disable_ipv6 = 0 = 0";} >> /etc/sysctl.conf && reboot

After a few moments, the machine should become unresponsive and the SSH session should terminate. Afterwards, SSH back into the machine from the workstation and change over to root again:

$ ssh -i .ssh/google-compute-ssh famicoman@146.148.43.98

famicoman@instance-1:~$ sudo -i
root@instance-1:~$ apt-get update && apt-get upgrade -y

Now we will change over to the /opt directory and clone the cjdns repo, checking out the latest version:

root@instance-1:~$ cd /opt
root@instance-1:/opt$ git clone https://github.com/cjdelisle/cjdns.git
root@instance-1:/opt$ cd cjdns && git checkout cjdns-v19.1

Now that the latest version is checked out, we can perform an optimized build:

root@instance-1:/opt/cjdns$ CFLAGS="-O2 -s -static -Wall -march=native" ./do

After a few minutes the build will be done. Next, we will link cjdroute into /usr/local/bin and generate a configuration file.

root@instance-1:/opt/cjdns$ cd /usr/local/bin/ && ln -s /opt/cjdns/cjdroute cjdroute
root@instance-1:/usr/local/bin$ cjdroute --genconf > /usr/local/etc/cjdroute.conf

Finally, we can start cjdns:

root@instance-1:/usr/local/bin$ cjdroute < /usr/local/etc/cjdroute.conf
1489881689 INFO cjdroute2.c:642 Cjdns amd64 linux +seccomp
1489881689 INFO cjdroute2.c:646 Checking for running instance...
1489881689 DEBUG UDPAddrIface.c:293 Bound to address [0.0.0.0:34199]
1489881689 DEBUG AdminClient.c:333 Connecting to [127.0.0.1:11234]
1489881690 DEBUG Pipe.c:134 Buffering a message
1489881690 DEBUG cjdroute2.c:699 Sent [144] bytes to core
1489881690 INFO RandomSeed.c:42 Attempting to seed random number generator
1489881690 INFO RandomSeed.c:50 Trying random seed [/dev/urandom] Success
1489881690 INFO RandomSeed.c:56 Trying random seed [sysctl(RANDOM_UUID) (Linux)] Failed
1489881690 INFO RandomSeed.c:50 Trying random seed [/proc/sys/kernel/random/uuid (Linux)] Success
1489881690 INFO RandomSeed.c:64 Seeding random number generator succeeded with [2] sources
1489881690 INFO LibuvEntropyProvider.c:59 Taking clock samples every [1000]ms for random generator
1489881690 DEBUG Pipe.c:231 Pipe [/tmp/cjdns_pipe_client-core-ycdqw9fs9m75mv3vqv16x7pvg0mcw5] established connection
1489881690 DEBUG Pipe.c:253 Sending buffered message
1489881690 DEBUG Core.c:354 Getting pre-configuration from client
1489881690 DEBUG Pipe.c:231 Pipe [/tmp/cjdns_pipe_client-core-ycdqw9fs9m75mv3vqv16x7pvg0mcw5] established connection
1489881690 DEBUG Core.c:357 Finished getting pre-configuration from client
1489881690 DEBUG UDPAddrIface.c:254 Binding to address [127.0.0.1:11234]
1489881690 DEBUG UDPAddrIface.c:293 Bound to address [127.0.0.1:11234]
1489881690 DEBUG UDPAddrIface.c:293 Bound to address [0.0.0.0:37092]
1489881690 DEBUG AdminClient.c:333 Connecting to [127.0.0.1:11234]
1489881690 INFO Configurator.c:135 Checking authorized password 0.
1489881690 INFO Configurator.c:159 Adding authorized password #[0] for user [default-login].
1489881690 INFO Configurator.c:411 Setting up all ETHInterfaces...
1489881690 INFO Configurator.c:427 Creating new ETHInterface [eth0]
1489881690 INFO Configurator.c:388 Setting beacon mode on ETHInterface to [2].
1489881690 DEBUG Configurator.c:531 Security_chroot(/var/run/)
1489881690 DEBUG Configurator.c:576 Security_noforks()
1489881690 DEBUG Configurator.c:581 Security_setUser(uid:65534, keepNetAdmin:1)
1489881690 DEBUG Configurator.c:596 Security_seccomp()
1489881690 DEBUG Configurator.c:601 Security_setupComplete()
1489881690 DEBUG Configurator.c:685 Cjdns started in the background

Now that cjdns is running, let’s verify this by checking out the interface with ifconfig:

root@instance-1:/usr/local/bin# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet6 addr: fcab:62fc:cd8b:36f0:7837:4361:9aa3:946d/8 Scope:Global
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1304  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Conclusion

We are now free to add peers to our cjdroute.conf file or generate our own peering credentials for other installations! Be sure to keep in mind Google Compute Engine’s rates for egress bandwidth as noted here. Nobody wants to make up with a $500 bill for bandwidth. And, as always, consider locking down your node with proper firewall rules, etc. now that it is live and Internet-facing.

Compute instances should perform relatively well, even the f1-micro instances. Below are sample cjdns bench results for the f1-micro:

root@instance-1:/usr/local/bin# cjdroute --bench | grep "per second"
1489881851 INFO Benchmark.c:62 Benchmark salsa20/poly1305 in 653ms. 1837672 kilobits per second
1489881851 INFO Benchmark.c:62 Benchmark Switching in 342ms. 598830 packets per second
root@instance-1:/usr/local/bin# cjdroute --bench | grep "per second"
1489881854 INFO Benchmark.c:62 Benchmark salsa20/poly1305 in 635ms. 1889763 kilobits per second
1489881854 INFO Benchmark.c:62 Benchmark Switching in 335ms. 611343 packets per second
root@instance-1:/usr/local/bin# cjdroute --bench | grep "per second"
1489881858 INFO Benchmark.c:62 Benchmark salsa20/poly1305 in 664ms. 1807228 kilobits per second
1489881858 INFO Benchmark.c:62 Benchmark Switching in 355ms. 576901 packets per second
 

Browse the Philly Mesh Site from Hyperboria

The Philly Mesh website is now available from Hyperboria. The new subdomain h.phillymesh.net will resolve to [fc4a:cb93:88dc:32e1:43ec:e1b8:2b45:dd46] and is available via both HTTP and HTTPS:

As cjdns encrypts traffic end-to-end, standard HTTP should be acceptable in most configurations. You will want to use the HTTPS link if you connect to Hyperboria via a cjdns gateway on a different machine or if you share the machine running cjdroute.

If you do use HTTPS, you will likely get a warning from the browser that the cerificate is invalid as it is issued for an IP in a private address space (as all Hyperboria addresses are). Be aware, there should be no issue with this certificate. In the future, I may go through the process of configuring a CA for phillymesh.net (self-signing a cert for h.phillymesh.net and distributing the root cert, signed with my GPG key, but don’t find it necessary right now. The current certificate is issued by Let’s Encrypt.

 

New Site Online!

As you can see, I have officially put the phillymesh.net domain to full use as the new public-facing site for Philly Mesh. I’ve finished importing all of the old site content into this new site, and added permanant redirects on all the old permalinks to their respective pages here. This means any existing link for a page on http://mesh.philly2600.net should seamlessly redirect to the proper content on https://phillymesh.net. If you happen to find any broken links, please let me know! The previous site was suffering from several issues before the move and I was unable to import a database backup; all content was reentered by hand.

This new site has some updated content, but all of the previous posts are accounted for. I have temporarily removed the node map page as it was not maintained well and I hope to replace it with a self-hosted solution coming up.

You may also notice that https is now forced, all insecure http connections will be automatically redirected to use TLS.

The GitHub organization is also live, which you can find at https://github.com/phillymesh.

Next on the list of to-dos:

  • Setup a Wekan kanban board (to better track to-do lists).
  • Setup phillymesh.net for Hyperboria access
  • Setup a Matrix server for communication
  • Setup a Nodeshot map for nodes (or some other mapping solution)
  • Setup cjdns on more servers and create a nodes/services page for nodes Philly Mesh has on the network and what they offer.
 

Building DIY Community Mesh Networks (2600 Article)

Now that the article has been printed in 2600 magazine, Volume 33, Issue 3 (2016-10-10), I’m able to republish it on the web. The article below is my submission to 2600 with some slight formatting changes for hyperlinks.

Building DIY Community Mesh Networks
By Mike Dank
Famicoman@gmail.com

Today, we are faced with issues regarding our access to the Internet, as well as our freedoms on it. As governmental bodies fight to gain more control and influence over the flow of our information, some choose to look for alternatives to the traditional Internet and build their own networks as they see fit. These community networks can pop up in dense urban areas, remote locations with limited Internet access, and everywhere in between.Whether you are politically fueled by issues of net neutrality, privacy, and censorship, fed up with an oligarchy of Internet service providers, or just like tinkering with hardware, a wireless mesh network (or “meshnet”) can be an invaluable project to work on. Numerous groups and organizations have popped up all over the world, creating robust mesh networks and refining the technologies that make them possible. While the overall task of building a wireless mesh network for your community may seem daunting, it is easy to get started and scale up as needed.

What Are Mesh Networks?

Think about your existing home network. Most people have a centralized router with several devices hooked up to it. Each device communicates directly with the central router and relies on it to relay traffic to and from other devices. This is called a hub/spoke topology, and you’ll notice that it has a single point of failure. With a mesh topology, many different routers (referred to as nodes) relay traffic to one another on the path to the target machine. Nodes in this network can be set up ad-hoc; if one node goes down, traffic can easily be rerouted to another node. If new nodes come online, they can be seamlessly integrated into the network. In the wireless space, distant users can be connected together with the help of directional antennas and share network access. As more nodes join a network, service only improves as various gaps are filled in and connections are made more redundant. Ultimately, a network is created that is both decentralized and distributed. There is no single point of failure, making it difficult to shut down.

When creating mesh networks, we are mostly concerned with how devices are routing to and linking with one another. This means that most services you are used to running like HTTP or IRC daemons should be able to operate without a hitch. Additionally, you are presented with the choice of whether or not to create a darknet (completely separated from the Internet) or host exit nodes to allow your traffic out of the mesh.

Existing Community Mesh Networking Projects

One of the most well-known grassroots community mesh networks is Freifunk, based out of Germany, encompassing over 150 local communities with over 25,000 access points. Guifi.net based in Spain, boasts over 27,000 nodes spanning over 36,000 km. In North America we see projects like Hyperboria which connect smaller mesh networking communities together such as Seattle Meshnet, NYC Mesh, and Toronto Mesh. We also see standalone projects like PittMesh in Pittsburgh, WasabiNet in St. Louis, and People’s Open Network in Oakland, California.

While each of these mesh networks may run different software and have a different base of users, they all serve an important purpose within their communities. Additionally, many of these networks consistently give back to the greater mesh networking community and choose to share information about their hardware configurations, software stacks, and infrastructure. This only benefits those who want to start their own networks or improve existing ones.

Picking Your Hardware & OS

When I was first starting out with Philly Mesh, I was faced with the issue of acquiring hardware on a shoestring budget. Many will tell you that the best hardware is low-power computers with dedicated wireless cards. This however can incur a cost of several hundred dollars per node. Alternatively, many groups make use of SOHO routers purchased off-the-shelf, flashed with custom firmware. The most popular firmware used here is OpenWRT, an open source alternative that supports a large majority of consumer routers. If you have a relatively modern router in your house, there is a good chance it is already supported (if you are buying specifically for meshing, consider consulting OpenWRT’s wiki for compatibility. Based on Linux, OpenWRT really shines with its packaging system, allowing you to easily install and configure packages of networking software across several routers regardless of most hardware differences between nodes. With only a few commands, you can have mesh packages installed and ready for production.

Other groups are turning towards credit-card-sized computers like the BeagleBone Black and Raspberry Pi, using multiple USB WiFi dongles to perform over-the-air communication. Here, we have many more options for an operating system as many prefer to use a flavor of Linux or BSD, though most of these platforms also have OpenWRT support.

There are no specific wrong answers here when choosing your hardware. Some platforms may be better suited to different scenarios. For the sake of getting started, spec’ing out some inexpensive routers (aim for something with at least two radios, 8MB of flash) or repurposing some Raspberry Pis is perfectly adequate and will help you learn the fundamental concepts of mesh networking as well develop a working prototype that can be upgraded or expanded as needed (hooray for portable configurations). Make sure you consider options like indoor vs outdoor use, 2.4 GHz vs. 5 GHz band, etc.

Meshing Software

You have OpenWRT or another operating system installed, but how can you mesh your router with others wirelessly? Now, you have to pick out some software that will allow you to facilitate a mesh network. The first packages that you need to look at are for what is called the data link layer of the OSI model of computer networking (or OSI layer 2). Software here establishes the protocol that controls how your packets get transferred from node A to node B. Common software in this space is batman-adv (not to be confused with the layer 3 B.A.T.M.A.N. daemon), and open80211s, which are available for most operating systems. Each of these pieces of software have their own strengths and weaknesses; it might be best to install each package on a pair of routers and see which one works best for you. There is currently a lot of praise for batman-adv as it has been integrated into the mainline Linux tree and was developed by Freifunk to use within their own mesh network.

Revisiting the OSI model again, you will also need some software to work at the network layer (OSI layer 3). This will control your IP routing, allowing for each node to compute where to send traffic next on its forwarding path to the final destination on the network. There are many software packages here such as OLSR (Optimized Link State Routing), B.A.T.M.A.N (Better Approach To Mobile Adhoc Networking), Babel, BMX6, and CJDNS (Caleb James Delisle’s Networking Suite). Each of these addresses the task in its own way, making use of a proactive, reactive, or hybrid approach to determine routing. B.A.T.M.A.N. and OLSR are popular here, both developed by Freifunk. Though B.A.T.M.A.N. was designed as a replacement for OLSR, each is actively used and OLSR is highly utilized in the Commotion mesh networking firmware (a router firmware based off of OpenWRT).

For my needs, I settled on CJDNS which boasts IPv6 addressing, secure communications, and some flexibility in auto-peering with local nodes. Additionally, CJDNS is agnostic to how its host connects to peers. It will work whether you want to connect to another access point over batman-adv, or even tunnel over the existing Internet (similar to Tor or a VPN)! This is useful for mesh networks starting out that may have nodes too distant to connect wirelessly until more nodes are set up in-between. This gives you a chance to lay infrastructure sooner rather than later, and simply swap-out for wireless linking when possible. You also get the interesting ability to link multiple meshnets together that may not be geographically close.

Putting It Together

At this point, you should have at least one node (though you will probably want two for testing) running the software stack that you have settled on. With wireless communications, you can generally say that the higher you place the antenna, the better. Many community mesh groups try to establish nodes on top of buildings with roof access, making use of both directional antennas (to connect to distant nodes within the line of sight) as well as omnidirectional antennas to connect to nearby nodes and/or peers. By arranging several distant nodes to connect to one another via line of sight, you can establish a networking backbone for your meshnet that other nodes in the city can easily connect to and branch off of.

Gathering Interest

Mesh networks can only grow so much when you are working by yourself. At some point, you are going to need help finding homes for more nodes and expanding the network. You can easily start with friends and family – see if they are willing to host a node (they probably wouldn’t even notice it after a while). Otherwise, you will want to meet with like-minded people who can help configure hardware and software, or plan out the infrastructure. You can start small online by setting up a website with a mission statement and making a post or two on Reddit (/r/darknetplan in particular) or Twitter. Do you have hackerspaces in your area? Linux or amateur radio groups? A 2600 meeting you frequent? All of these are great resources to meet people face-to-face and grow your network one node at a time.

Conclusion

Starting a mesh network is easier than many think, and is an incredible way to learn about networking, Linux, micro platforms, embedded systems, and wireless communication. With only a few off-the-shelf devices, one can get their own working network set up and scale it to accommodate more users. Community-run mesh networks not only aid in helping those fed up with or persecuted by traditional network providers, but also those who want to construct, experiment, and tinker. With mesh networks, we can build our own future of communication and free the network for everyone.

 

Welcome 2600 Readers!

I have been informed that my article, “Building DIY Community Mesh Networks,” has been published in the Autumn 2016 issue of 2600: The Hacker Quarterly.

2600 Volume 33, issue 3 – Autumn 2016

Please feel free to reach out for any additional information.

 

CJDNS on OpenWRT – Part 3: Installing & Configuring CJDNS

Now that we have OpenWRT installed and ensured that we have enough space to experiment and install packages, we can proceed to install and configure cjdns.

I have opted to install a GUI package to allow for easier configuration (though I also wanted to see what it had to offer over editing configuration files). The package used here is luci-app-cjdns, relying on the LuCI interface that comes default in most OpenWRT images. If you want to install cjdns without the GUI or do not use LuCI, you can install the regular cjdns package. Note: The standard cjdns package was left out of OpenWRT 15.05.1, but should be in the older 15.05 image. The luci-app-cjdns package should be available in both versions, so you won’t have any issue with the remainder of this guide.

Now we are ready to install cjdns for LuCI. SSH into the access point and run the following command to update and install luci-app-cjdns.

opkg update && opkg install luci-app-cjdns

After this finishes, leave the SSH session open and then load up the OpenWRT web console in a browser and log in. By default, this interface can be reached via http://192.168.1.1. Now that we’re in the console, select cjdns from the Services dropdown on the top menu. An Overview page for cjdns will load (and look rather empty). Now, click the Peers sub-tab link near the top of this page.

Now, we can enter in the peering information for any number of peers to connect to. You will likely want to populate the Authorized Passwords and Outgoing UDP Peers sections as I have below.

CJDNS Peers Tab

When finished, press the Save & Apply button to commit any changes and restart cjdns. These steps can be repeated to add as many peers as needed.

Now, navigate back to the Overview page by clicking on the Overview sub-tab link.

After loading, we should now have connection information about the configured peers as shown below.

CJDNS Overview Page

That’s all there is to it! Back in our SSH session, we can try pinging a machine on Hyperboria to confirm a connection:

 ping6 h.peer0.famicoman.com
PING h.peer0.famicoman.com (fc9f:990d:2b0f:75ad:8783:5d59:7c84:520b): 56 data bytes
64 bytes from fc9f:990d:2b0f:75ad:8783:5d59:7c84:520b: seq=0 ttl=42 time=4072.631 ms
64 bytes from fc9f:990d:2b0f:75ad:8783:5d59:7c84:520b: seq=1 ttl=42 time=3800.924 ms
64 bytes from fc9f:990d:2b0f:75ad:8783:5d59:7c84:520b: seq=2 ttl=42 time=4594.193 ms
64 bytes from fc9f:990d:2b0f:75ad:8783:5d59:7c84:520b: seq=3 ttl=42 time=4329.846 ms
^C
--- h.peer0.famicoman.com ping statistics ---
9 packets transmitted, 4 packets received, 55% packet loss
round-trip min/avg/max = 3800.924/4199.398/4594.193 ms

If all went as expected, you now have cjdns running on your OpenWRT router! This can be expanded in the future by copying an OpwnWRT configuration onto several routers, and then linking them together wirelessly.