re6stnet:12ba2ee40fe7e94a60e6c4ac71d2884ddbabc51b commits
https://lab.nexedi.com/nexedi/re6stnet/-/commits/12ba2ee40fe7e94a60e6c4ac71d2884ddbabc51b
2019-06-19T11:41:50+02:00

https://lab.nexedi.com/nexedi/re6stnet/-/commit/12ba2ee40fe7e94a60e6c4ac71d2884ddbabc51b
Implement HMAC for babel
2019-06-19T11:41:50+02:00
Killian Lufau <killian.lufau@nexedi.com>
HMAC is added to the babel call to prevent babel communication between nodes of different re6st networks.
This solves the problem of machines in different re6st networks but on the same LAN that exchange routes through babel.
The key used to authenticate packets is 16 bytes randomly generated by the registry and sent to nodes when they fetch network parameters.
This uses the WIP hmac branch of jech/babeld with Nexedi patches and the added possibility to not check HMAC in incoming packets, for better HMAC integration on an HMAC-less network.
/reviewed-on https://lab.nexedi.com/nexedi/re6stnet/merge_requests/18

https://lab.nexedi.com/nexedi/re6stnet/-/commit/63b5c4c2d81667072cb5b904c1983b2df7bae415
Fix attribute deletion when updating config
2019-06-18T17:31:26+02:00
Killian Lufau <killian.lufau@nexedi.com>
The received network parameter name can have a ':json' suffix that
is not present in the class attribute of this parameter.
This suffix was not removed and could cause attribute deletion to fail.
/reviewed-on https://lab.nexedi.com/nexedi/re6stnet/merge_requests/20

https://lab.nexedi.com/nexedi/re6stnet/-/commit/85045501add59ef13953066c5445dac5e453d1ad
Fix missing GEOIP2_MMDB environment variable if the DB is in /etc/re6stnet
2019-06-12T15:55:25+02:00
Julien Muchembled <jm@nexedi.com>
In commit d7a4d73f739cf7372a7766ea35f29c9aa4a8061c (New option to prevent tunnelling across borders of listed countries),
this was done only for the init.d script.

https://lab.nexedi.com/nexedi/re6stnet/-/commit/73314e4da934f9518ccc81db97245ccb0c08802f
Fix automatic restart on network parameter change for some parameters
2019-06-04T15:27:03+02:00
Julien Muchembled <jm@jmuchemb.eu>

https://lab.nexedi.com/nexedi/re6stnet/-/commit/b5b52dc8dc4744cf5f3f8ff83575a38385863ddb
demo: add testing of UDP
2019-05-15T16:46:48+02:00
Killian Lufau <killian.lufau@nexedi.com>
/reviewed-on https://lab.nexedi.com/nexedi/re6stnet/merge_requests/11

https://lab.nexedi.com/nexedi/re6stnet/-/commit/120fff13be12489893d072be3d9b847564252754
Fix --disable-proto
2019-05-15T16:16:09+02:00
Killian Lufau <killian.lufau@nexedi.com>
argparse is error-prone in that `action='append'` starts from (a copy of) the
given default when it adds values from the command line, rather than restarting
from an empty list. For example, simply passing `--disable-proto udp` resulted
in ['udp', 'udp6', 'udp'], which caused 'udp6' to remain disabled.
/reviewed-on https://lab.nexedi.com/nexedi/re6stnet/merge_requests/17

https://lab.nexedi.com/nexedi/re6stnet/-/commit/d398aa9326e4e588db33a906c42f358c1740f1bd
OpenVPN 2.4.7 workaround to revert to previous MTU settings
2019-05-09T15:46:53+02:00
Killian Lufau <killian.lufau@nexedi.com>
In commit 0697478817bd5b2f4a52fec5591a285ee16a5b01 (Switch to OpenVPN 2.4),
we increased the --link-mtu value as a temporary way to compensate for the
unexplained behaviour change of recent OpenVPN.
This was partly due to encryption, which was enabled despite
`--cipher none`. And it happens that the behaviour of --link-mtu only
changed for the server, with a mysterious difference of 93 bytes.
Hence the workaround to get identical tunnel MTU on both sides.
/reviewed-on https://lab.nexedi.com/nexedi/re6stnet/merge_requests/13

https://lab.nexedi.com/nexedi/re6stnet/-/commit/24fea8cd6a9078c99c8c3c6eadf6d7a817891351
Remove old fix in ovpn-client
2019-05-06T11:20:10+02:00
Killian Lufau <killian.lufau@nexedi.com>
The fix to mark an interface as "up" and indicate its MTU was
useful for machines with a single client, because OpenVPN would fail
to configure them this way in OpenVPN 2.3. It has been fixed in 2.4
so the fix has been removed.
/reviewed-on https://lab.nexedi.com/nexedi/re6stnet/merge_requests/14

https://lab.nexedi.com/nexedi/re6stnet/-/commit/114a1763a7b9c575f04051da1d7eae863a6181c3
Fix deactivation of encryption with recent OpenVPN
2019-05-03T18:49:43+02:00
Killian Lufau <killian.lufau@nexedi.com>
Passing `--cipher none` to OpenVPN is not enough anymore because
clients and servers can still negotiate the algorithm to use for
encryption (by default not empty). We pass the option `--ncp-disable`
to disable cipher negotiation.
/reviewed-on https://lab.nexedi.com/nexedi/re6stnet/merge_requests/12

https://lab.nexedi.com/nexedi/re6stnet/-/commit/0697478817bd5b2f4a52fec5591a285ee16a5b01
Switch to OpenVPN 2.4
2019-04-29T18:19:33+02:00
Killian Lufau <killian.lufau@nexedi.com>
The behaviour of --link-mtu has changed and we increase the values so that
the interface MTU is at least greater than the IPv6 minimum.
We'll see later whether to use even greater values in ovpn_link_mtu_dict
(so that the resulting MTU is closer to what we had with 2.3)
or to review the whole MTU part completely.

https://lab.nexedi.com/nexedi/re6stnet/-/commit/96ab35a98cb2f7e0c06002164fd5957216a03abc
add OS identification of nodes
2019-04-10T16:39:13+02:00
Killian Lufau <killian.lufau@nexedi.com>
The main goal of this is to check if we should keep supporting
older distributions.
/reviewed-on https://lab.nexedi.com/nexedi/re6stnet/merge_requests/9

https://lab.nexedi.com/nexedi/re6stnet/-/commit/8401ce4ee8b6779cb786f842035f9ca9298d6b7f
demo: new ping monitoring script and option to stop demo after some time
2019-03-12T14:25:33+01:00
Killian Lufau <killian.lufau@nexedi.com>
See "./demo --help" for more information.
/reviewed-on https://lab.nexedi.com/nexedi/re6stnet/merge_requests/8

https://lab.nexedi.com/nexedi/re6stnet/-/commit/8c4cc9b620693ba7af2f81e69b42d1d935adb52c
Replace --tls-remote with --verify-x509-name for OpenVPN 2.4+
2019-02-21T15:48:35+01:00
Killian Lufau <killian.lufau@nexedi.com>
/reviewed-on https://lab.nexedi.com/nexedi/re6stnet/merge_requests/7

https://lab.nexedi.com/nexedi/re6stnet/-/commit/f8da64c61862a4b60bb3e63426a7ac956ff5c9a4
README: more information on installation process
2019-02-05T18:24:30+01:00
Thomas Gambier <thomas.gambier@nexedi.com>

https://lab.nexedi.com/nexedi/re6stnet/-/commit/2b0d5043f97c6c20b5fecb71f714794899b1afcb
x509: gracefully handle ENOMEM when running openssl
2018-12-14T10:08:50+01:00
Jérome Perrin <jerome@nexedi.com>
Prevent this kind of error when running openssl fails:
```
10-12-2018 19:04:02 ERROR AttributeError: 'NoneType' object has no attribute 'splitlines'
Traceback (most recent call last):
  File "/opt/re6st/eggs/re6stnet-0.513-py2.7.egg/re6st/cli/node.py", line 428, in main
    s(*args)
  File "/opt/re6st/eggs/re6stnet-0.513-py2.7.egg/re6st/utils.py", line 191, in select
    R[r]()
  File "/opt/re6st/eggs/re6stnet-0.513-py2.7.egg/re6st/tunnel.py", line 399, in handlePeerEvent
    True, crypto.FILETYPE_ASN1)
  File "/opt/re6st/eggs/re6stnet-0.513-py2.7.egg/re6st/x509.py", line 136, in loadVerify
    for x in err.splitlines():
```
/reviewed-on https://lab.nexedi.com/nexedi/re6stnet/merge_requests/6

https://lab.nexedi.com/nexedi/re6stnet/-/commit/61ca38b59df6333f075aeba741eae0ee58861ca5
re6st-geo: quick'n dirty update to at least in which countries nodes are spread
2018-10-17T18:11:18+02:00
Julien Muchembled <jm@nexedi.com>

https://lab.nexedi.com/nexedi/re6stnet/-/commit/111a5e4d8ced6ec33ac85a95c032cfca412df3b1
fixup! Fix read of own IP from cache
2018-10-17T10:51:36+02:00
Julien Muchembled <jm@nexedi.com>

https://lab.nexedi.com/nexedi/re6stnet/-/commit/f3eb2d4e7c2b27cd95fa319e3db122470085c1c3
conf: clarify comment
2018-10-02T16:25:25+02:00
Julien Muchembled <jm@nexedi.com>

https://lab.nexedi.com/nexedi/re6stnet/-/commit/ac3cb0f5649bff98859e5c2a9a44f108dff41557
Log own ip
2018-09-25T18:05:20+02:00
Julien Muchembled <jm@nexedi.com>

https://lab.nexedi.com/nexedi/re6stnet/-/commit/e23c4782016a408a5a76a7a07ebf0666a7d89be5
fixup! Fix read of own IP from cache
2018-09-25T18:04:26+02:00
Julien Muchembled <jm@nexedi.com>

https://lab.nexedi.com/nexedi/re6stnet/-/commit/eadce3820672463e3c4b81ec65dd8cfd21f0d046
Log exit message
2018-08-30T20:56:25+02:00
Julien Muchembled <jm@nexedi.com>

https://lab.nexedi.com/nexedi/re6stnet/-/commit/d4eb48ceba2ab058f90c7636361754f7bbbb0426
When not using --default, check at startup that IPV6_SUBTREES is enabled
2018-08-30T20:56:20+02:00
Julien Muchembled <jm@nexedi.com>
Ideally, babeld should not keep running when it can't set such routes.
Currently, it only outputs an error message in its log.

https://lab.nexedi.com/nexedi/re6stnet/-/commit/f594fe1fb0b27fca88338a4c32c81dd824ebfc32
Fix read of own IP from cache
2018-08-30T18:26:56+02:00
Julien Muchembled <jm@nexedi.com>
In SQLite, a string that only contains '0' chars evaluates to False.

https://lab.nexedi.com/nexedi/re6stnet/-/commit/26f114286a84365f708125e1b7395c69f02c1f55
fixup! Fix crash caused by buggy UPnP
2018-08-09T11:04:52+02:00
Julien Muchembled <jm@nexedi.com>

https://lab.nexedi.com/nexedi/re6stnet/-/commit/9e6ece7ab7927a597d913381eaa75c9fe156ef74
Log signals that are sent to kill subprocesses and increase default log level
2018-08-07T18:30:11+02:00
Julien Muchembled <jm@nexedi.com>
We currently have issues with OpenVPN hook scripts that aren't always killed
at exit. Such orphan processes prevent re6st from starting again (EADDRINUSE).
We want to know if it's an OpenVPN that does not exit cleanly on TERM,
or if it sometimes does not exit at all after 5s (then re6st sends a KILL
signal and at that point we should indeed make sure that any subprocess is
also KILLed).

https://lab.nexedi.com/nexedi/re6stnet/-/commit/29d7fc03d6e56167179ed32b3f40e0a510a0e751
Fix restart when json network parameters change
2018-08-01T19:10:20+02:00
Julien Muchembled <jm@nexedi.com>

https://lab.nexedi.com/nexedi/re6stnet/-/commit/20f89677ae6cb05abc9de0814b96983c54b50312
Update comments
2018-08-01T19:10:20+02:00
Julien Muchembled <jm@nexedi.com>

https://lab.nexedi.com/nexedi/re6stnet/-/commit/2938a7c626ffa91b94cefef0e3d4757f779991e1
Fix crash caused by buggy UPnP
2018-08-01T19:08:59+02:00
Julien Muchembled <jm@nexedi.com>
```
gaierror: [Errno -2] Name or service not known
Traceback (most recent call last):
  File "re6st/cli/node.py", line 271, in main
    remote_gateway, config.disable_proto, config.neighbour)
  File "re6st/tunnel.py", line 663, in __init__
    cache, cert, address)
  File "re6st/tunnel.py", line 236, in __init__
    self._updateCountry(address)
  File "re6st/tunnel.py", line 643, in _updateCountry
    family, ip = resolve(*address)
  File "re6st/tunnel.py", line 30, in resolve
    for x in socket.getaddrinfo(ip, port, family, 0, proto))
```
where ip is '-a'

https://lab.nexedi.com/nexedi/re6stnet/-/commit/4fda2dc7045b35fb99f236383a6487e95cce687e
Fix wrong WARNING when own ip is unknown at startup
2018-07-03T10:53:52+02:00
Julien Muchembled <jm@nexedi.com>

https://lab.nexedi.com/nexedi/re6stnet/-/commit/d7a4d73f739cf7372a7766ea35f29c9aa4a8061c
New option to prevent tunnelling across borders of listed countries
2018-07-02T21:08:15+02:00
Julien Muchembled <jm@nexedi.com>

https://lab.nexedi.com/nexedi/re6stnet/-/commit/6b45d7ead7a1d0d5bbd4a783b978098fa0b7fd2b
Fix verification of expired certificates with recent OpenSSL
2018-07-02T11:35:51+02:00
Julien Muchembled <jm@nexedi.com>

https://lab.nexedi.com/nexedi/re6stnet/-/commit/44ec03af8a4ae2415e6b7ee114a2a3a20f644bef
debian: add examples
2018-07-02T11:35:51+02:00
Julien Muchembled <jm@nexedi.com>

https://lab.nexedi.com/nexedi/re6stnet/-/commit/3009b42050fbaa0b4966f51c4119c12e52506c8b
registry: new SMTP options for authentication and starttls
2018-06-29T19:43:50+02:00
Julien Muchembled <jm@nexedi.com>

https://lab.nexedi.com/nexedi/re6stnet/-/commit/5e30be771a347f506efba363441e78776f784288
doc: fix fw example: iptables does not have REJECT policy.
2018-06-26T19:11:22+02:00
Arnaud Fontaine <arnaud.fontaine@nexedi.com>
/reviewed-on https://lab.nexedi.com/nexedi/re6stnet/merge_requests/4

https://lab.nexedi.com/nexedi/re6stnet/-/commit/522ec5a9bd8a634647a2ffd8364177f7e5a62a3b
setup.py: add a workaround to prevent the following error in build with old s...
2018-06-01T12:16:27+02:00
Kazuhiko Shiozaki <kazuhiko@nexedi.com>
error: [Errno 21] Is a directory: 're6st/cli'

https://lab.nexedi.com/nexedi/re6stnet/-/commit/33ac246194a3a2e8580a2b952a96b1f9ca3507e1
Document UPnP server configuration and add details about firewall configuration
2018-03-15T21:38:32+01:00
Arnaud Fontaine <arnaud.fontaine@nexedi.com>
/reviewed-on https://lab.nexedi.com/nexedi/re6stnet/merge_requests/3

https://lab.nexedi.com/nexedi/re6stnet/-/commit/7ea5aa2a74f1fb8e9ad1e852d4d9db3fd76a2104
doc: extend fw example to warn about --interface and --ipv4
2018-03-13T12:27:29+01:00
Julien Muchembled <jm@nexedi.com>

https://lab.nexedi.com/nexedi/re6stnet/-/commit/3a89d3d9b84c7e096979d0498463d4e6ab3c368a
doc: clarify firewall section in the manpage.
2018-03-13T08:18:31+09:00
Arnaud Fontaine <arnaud.fontaine@nexedi.com>
Also, add iptables/ip6tables example configuration.

https://lab.nexedi.com/nexedi/re6stnet/-/commit/029bdaffd0d69790054d23e6e1ef25617e000cf5
Fix too many NewSessionError when nodes are in different timezones
2018-03-12T15:48:21+01:00
Julien Muchembled <jm@nexedi.com>
Using datetime objects was a bad idea anyway. Its extra accuracy for
microseconds is lost because datetime.utcnow() is slower than time.time().

https://lab.nexedi.com/nexedi/re6stnet/-/commit/ced915a1356eda117f14bdd34486ccacf5316dfe
doc: document UPnP server configuration in manpage.
2018-02-27T08:16:26+09:00
Arnaud Fontaine <arnaud.fontaine@nexedi.com>
Required to share the connectivity with others.