re6stnet:45e4d3ca29884c32488d724bba93a2585382265f commits
https://lab.nexedi.com/nexedi/re6stnet/-/commits/45e4d3ca29884c32488d724bba93a2585382265f
Updated: 2015-05-28T17:47:00+02:00

* OpenVPN >= 2.3 is required
  Julien Muchembled <jm@nexedi.com>, 2015-05-28T17:47:00+02:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/45e4d3ca29884c32488d724bba93a2585382265f

  The 2.2.x branch has a patch [1] that renders tls_serial_* environment
  variables in base 16, causing a ValueError exception in the ovpn-server hook.

  [1] https://github.com/OpenVPN/openvpn/commit/7d5e26cbb53e2700c966e6b6e815f0c824da8956

* Lower MTU again for UDPv4 tunnels
  Julien Muchembled <jm@nexedi.com>, 2015-04-27T17:29:59+02:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/ab3300c30becbd517979a2b81f7801d9cf85f706

* doc: update 'Troubleshooting' section
  Julien Muchembled <jm@nexedi.com>, 2015-04-16T19:45:28+02:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/15471c016ef4634e8c85f5d9d517b63b08213aeb

  It doesn't matter anymore if there are many off nodes, because the registry
  only queries the addresses of nodes that are in the routing table.

* doc: update 'Setting a new network' howto
  Julien Muchembled <jm@nexedi.com>, 2015-04-16T16:49:19+02:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/4a6580b1436f2341bebab2821c9743102df99b30

* New upstream release of babeld
  Julien Muchembled <jm@nexedi.com>, 2015-04-14T16:51:18+02:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/79c1db1b5dbd4731b46f14ee0da8eecfc8cb4711

* Remove assert that was only there to debug the demo
  Julien Muchembled <jm@nexedi.com>, 2015-04-14T16:18:59+02:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/abae0b5d4df37157b56859164f5479b07587d7c9

* Comment the method selecting the tunnel to kill
  Julien Muchembled <jm@nexedi.com>, 2015-04-10T16:46:40+02:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/358837993c5acf1fde141dc4a401aa11e859737d

* Change egg versioning scheme to comply with PEP 440
  Rafael Monnerat <rafael@nexedi.com>, 2015-04-10T15:29:52+02:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/b4a9a612356b6fa321fc4d22618963aafa989ee1

* Increase strength of hashes used for certificate signing
  Julien Muchembled <jm@nexedi.com>, 2015-04-09T14:50:28+02:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/766ad6c8751afc0dec7bb304a099d3a630a01783
  This does not increase the size of any packet because the size of a
  certificate signature only depends on the size of the certificate key.
  With 512-bit hashes, it's still possible to use RSA keys as small as 768 bits.

* Backward compatibility for Python 2.6
  Julien Muchembled <jm@nexedi.com>, 2015-04-08T17:17:10+02:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/40d4e4969bbf8718fb7933b9514e77fcfab4f50b

* Add support for ipv4 payload
  Julien Muchembled <jm@nexedi.com>, 2015-04-08T17:17:10+02:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/2fb63515d602b77c684c30dfc9b8e680ae427bbc

  There is no plan for a default ipv4 route.

* demo: show default route on the route graph
  Julien Muchembled <jm@nexedi.com>, 2015-04-08T17:17:10+02:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/f128ba9ddb85ac162c85327340f23056e54af1c3

  This is useful because the default one is not always the same as the route
  to the registry.
  Before, arrows were filled dots. Now only the default one is filled.

* Our fork of Babeld can now override RTA_(PREF)SRC locally
  Julien Muchembled <jm@nexedi.com>, 2015-04-08T17:17:10+02:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/9dc1707eb0e8ce18474e464531f0a7a3b40c3b7f

  This simplifies network configuration a lot, and on recent kernels, this
  fixes the wrong source address for extra interfaces that already have a
  public IP.

* demo: duplicate code from Nemu for future monkey-patching
  Julien Muchembled <jm@nexedi.com>, 2015-04-03T18:21:04+02:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/cfb2c159823f538472135f08682b8e5d89858a35

* Stop specifying a rxcost for old nodes since there's none left with the new p...
  Julien Muchembled <jm@nexedi.com>, 2015-04-03T18:16:09+02:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/16f87a3008735324c1c46996f9cdb7afa5f305a8

* re6st-conf: generate private key compatible with the network
  Julien Muchembled <jm@nexedi.com>, 2015-03-27T19:23:40+01:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/bec6b3cf2c530c3d45e9023e99f43ed85a6c80be

* By default, get DH parameters from the registry instead of requiring each nod...
  Julien Muchembled <jm@nexedi.com>, 2015-03-07T18:54:51+01:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/f7d04fc4fb26bc62d3b5c2a2cb2ebb209347857c
  Generating them takes a lot of time and there's no reason to do this by default.
  We keep the --dh option in 're6stnet' so as not to break existing configurations.

* Certificate revocation, with broadcast of CRL
  Julien Muchembled <jm@nexedi.com>, 2015-03-07T18:54:51+01:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/8ebdd500ede1ec25d36307bd8c8300f44e6c9cb6

* Move runtime files to a subdirectory and simplify command-line options
  Julien Muchembled <jm@nexedi.com>, 2015-03-07T18:54:50+01:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/f73c51ec7dbd77c8fa526eb471f2452e0fc11dac

  We consider using sockets to communicate with OpenVPN, via the --management option.

* Some network options should be the same everywhere so move them to the registry
  Julien Muchembled <jm@nexedi.com>, 2015-03-06T19:45:10+01:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/1257f36c4a4d1a420a6259afdaa8c07141c55dc9

* Add a way to define network parameters in the registry and propagate them eff...
  Julien Muchembled <jm@nexedi.com>, 2015-03-06T19:45:05+01:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/ef5401a443a141a06b6f032d5f7fab68efa99b74

* Network parameters will also be cached so rename a few things
  Julien Muchembled <jm@nexedi.com>, 2015-03-06T19:42:52+01:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/aba0e94d0a34f4d8ed7954b61b11ceb979587ff3

  db.py -> cache.py
  PeerDB -> Cache
  peers.db -> cache.db

* Generate certificates with 2 serials for future needs (crl & ipv4)
  Julien Muchembled <jm@nexedi.com>, 2015-03-06T19:42:52+01:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/acc0568a96c988dea040fc3125f87a0108d4c51c

  And automatic renewal of existing certificates.

* Remove type specifier on config.value column
  Julien Muchembled <jm@nexedi.com>, 2015-03-06T19:42:52+01:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/37943a2684bb2cee8964c3a49e44bcb45230e029
  For the registry at least, we'll want to store integers
  without having to convert to/from strings.

  To upgrade 'registry.db':
  - dump it to a file
  - fix create table statements
  - load it

  Nodes will restart with an empty cache.

* Forget peers whose certificate expires
  Julien Muchembled <jm@nexedi.com>, 2015-03-06T19:42:52+01:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/648e677431dc48e76c74dffd79f8e02ae2fcfb08

* New protocol between nodes with authentication
  Julien Muchembled <jm@nexedi.com>, 2015-02-25T20:56:00+01:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/a7a863412521848082d9d96ccfe9da6cf1178f70

* re6st-conf: new --fingerprint option
  Julien Muchembled <jm@nexedi.com>, 2015-02-24T19:31:20+01:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/32ebb80ba7b08052b68a042118399f31ed6b746e

* Make --client & --client-count=0 modes process UDP/326 messages
  Julien Muchembled <jm@nexedi.com>, 2015-02-24T19:31:20+01:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/b2040ea0c15467cd27bc45c5e9bc01f3275d7096

  These modes are partly unified with the normal one by splitting TunnelManager.

* re6stnet: verify certificate with CA at startup
  Julien Muchembled <jm@nexedi.com>, 2015-02-24T19:31:20+01:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/9717eb0e3fe29a68424a03d0ee4e8dc0fdd0d680

* refactoring: move crypto code to a new file
  Julien Muchembled <jm@nexedi.com>, 2015-02-24T19:31:20+01:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/7977404ac7502121d55ea58235857199efe7836e

* Update TODO
  Julien Muchembled <jm@nexedi.com>, 2015-02-24T19:30:59+01:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/5be3cc90e5dea5fe823b6e4c5f945e79a05be5d9

* demo: abort quickly if there's an obvious error
  Julien Muchembled <jm@nexedi.com>, 2015-02-19T11:21:08+01:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/d4beb9c7da911e36d87b4c6fdef0189b3a92b888

* demo: generate certs that expire quickly to check renewal
  Julien Muchembled <jm@nexedi.com>, 2015-02-19T11:21:04+01:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/e803749b2dc7cfb0bf99dfca6c5778c2a26ba11d

* demo: add wrapper to easily monkey-patch re6st
  Julien Muchembled <jm@nexedi.com>, 2015-02-19T11:12:05+01:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/0234d059ddef5520ac9d0b324fc3d1e11e26fd34
  Also:
  - use '/usr/bin/env python' to easily use a Python interpreter different from
    /usr/bin/python
  - demo must be run by root, so "dont_write_bytecode" to avoid having *.pyc
    files owned by root in the working copy

* demo: print executed command when re6stnet crashes
  Julien Muchembled <jm@nexedi.com>, 2015-02-19T11:02:12+01:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/51cfbec774265663313f782fa5c7d124584bb717

  It is then easier to restart it manually.

* registry: increase/fix timeouts for requests done by getBootstrapPeer/topolog...
  Julien Muchembled <jm@nexedi.com>, 2015-02-13T14:39:09+01:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/3ada47f8aaa86e84a1596e4a6d5da67f6fbfa441

* Limit number of client tunnels if NAT is not configured properly
  Julien Muchembled <jm@nexedi.com>, 2015-02-02T20:30:34+01:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/58204ee82d9b14033c6bf9e06881c894f11a0e92

  If too many nodes create client tunnels without serving any, working servers
  saturate and the network collapses.

* UPnP: randomize external port
  Julien Muchembled <jm@nexedi.com>, 2015-02-02T18:19:23+01:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/3a9e668c08d826284b2bbd5b66067182c5407d6c
  Some routers are so broken that UPnP NAT doesn't report ConflictInMappingEntry
  when redirecting the same port several times.
  Here is, for example, what we had with a Numericable Box (France):

    0 (1024, 'TCP', ('192.168.0.29', 1194), 're6stnet openvpn server (1194/tcp)', '1', '', 0)
    1 (1024, 'TCP', ('192.168.0.16', 1194), 're6stnet openvpn server (1194/tcp)', '1', '', 0)
    2 (1024, 'TCP', ('192.168.0.33', 1194), 're6stnet openvpn server (1194/tcp)', '1', '', 0)
    3 (1024, 'TCP', ('192.168.0.20', 1194), 're6stnet openvpn server (1194/tcp)', '1', '', 0)
    ('192.168.0.29', 1194, 're6stnet openvpn server (1194/tcp)', True, 0)

  Obviously, this can't work.
  It seems that this router also accepts a limited number of NAT rules, far less
  than we'd like, so even if there's still a probability of conflict with this
  commit, it will be good enough for our use.

* logging: higher severity for UDP errors other than ENETUNREACH
  Julien Muchembled <jm@nexedi.com>, 2014-12-30T16:26:03+01:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/e3c424942dda646d4a2b43eefbb30185b99c813c

  ENETUNREACH is the only error I've ever seen since the beginning of the project.

* Reread routing table when an established tunnel breaks
  Julien Muchembled <jm@nexedi.com>, 2014-12-30T16:26:03+01:00
  https://lab.nexedi.com/nexedi/re6stnet/-/commit/4536d8eb83ee2e2bb93e88f158fe0ebea3629fd8

  The main reason is to speed up recovery from a temporary network cut:
  - by not wasting time trying remaining distant peers that were collected during
    the last read of the routing table.
  - by not blacklisting good peers, which would happen if too many of them were
    retried before the network is back
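Worked example for the commit "OpenVPN >= 2.3 is required" above. This is an added illustration, not re6stnet's ovpn-server hook: it reproduces the ValueError the commit describes and shows one way a hook can fail closed instead of crashing. It assumes the hook receives OpenVPN's exported variables as a dict (os.environ in a real hook), that tls_serial_{n} is decimal on OpenVPN >= 2.3, and that the colon-separated tls_serial_hex_{n} variable is available there as a fallback; the sample environments are constructed, not captured.

```python
"""Parsing OpenVPN's tls_serial_* variables in a certificate hook.

Added example (not re6stnet code). Assumes OpenVPN >= 2.3 exports
tls_serial_{n} in decimal and tls_serial_hex_{n} as colon-separated hex,
while the 2.2.x patch referenced in the commit exports tls_serial_{n} in
hex without any marker.
"""
import os
import re

_DECIMAL = re.compile(r'^[0-9]+\Z')
# tls_serial_hex_{n} form assumed here: pairs of hex digits joined by ':'.
_COLON_HEX = re.compile(r'^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})*\Z')


def naive_tls_serial(env, depth=0):
    """What a hook written for OpenVPN 2.3 does: int() on the decimal value.

    With the 2.2.x patch the same variable is hexadecimal, so any serial
    containing a digit a-f raises ValueError and the hook aborts.
    """
    return int(env['tls_serial_%d' % depth])


def tls_serial(env, depth=0):
    """Return the serial of the certificate at *depth* in the chain as an int.

    A decimal tls_serial_{n} is used as-is. A non-decimal value is NOT
    reinterpreted as hex: "10" is valid in both bases with different
    meanings, so guessing could make two distinct certificates collide on
    one serial. Fall back to tls_serial_hex_{n} when present, otherwise
    fail closed with a message pointing at the version requirement.
    """
    key = 'tls_serial_%d' % depth
    value = env.get(key)
    if value is None:
        raise KeyError(key)
    if _DECIMAL.match(value):
        return int(value, 10)
    hex_value = env.get('tls_serial_hex_%d' % depth)
    if hex_value is not None and _COLON_HEX.match(hex_value):
        return int(hex_value.replace(':', ''), 16)
    raise ValueError('%s=%r is not decimal and no tls_serial_hex_%d is set: '
                     'OpenVPN >= 2.3 is required' % (key, value, depth))


def check_env(env):
    """Hook-style entry point: True if the peer serial could be determined,
    False (deny) rather than an uncaught exception otherwise."""
    try:
        tls_serial(env)
    except (KeyError, ValueError):
        return False
    return True


# Constructed sample environments (not captured from a real OpenVPN run).
ENV_2_3 = {'tls_serial_0': '4660', 'tls_serial_hex_0': '12:34'}
ENV_2_2_PATCHED = {'tls_serial_0': '1a2b'}

if __name__ == '__main__':
    print(tls_serial(ENV_2_3))
    print(check_env(ENV_2_2_PATCHED))
    print(check_env(dict(os.environ)))
```

Running the block outside OpenVPN prints the decimal serial from the 2.3-style environment, then False for the patched-2.2.x-style one (the hook denies rather than crashes), then False again because the plain process environment carries no tls_serial_0 at all.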
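Worked example for the commit "Increase strength of hashes used for certificate signing" above. This is an added illustration, not re6stnet or OpenSSL code: it implements the EMSA-PKCS1-v1_5 encoding of RFC 8017 section 9.2, the padding used for an X.509 signature made with an RSA key, to show why the digest does not change the signature size (the encoded message is always padded out to the modulus length k) and only sets the minimum modulus size. The DigestInfo prefixes are the standard DER constants; the message being "signed" is constructed. One caveat the commit does not state: a 768-bit RSA modulus has been publicly factored (RSA-768, 2009), so the floor the encoding permits is not a floor worth using.

```python
"""EMSA-PKCS1-v1_5 (RFC 8017, section 9.2), added example, not project code."""
import hashlib

# DER-encoded DigestInfo prefixes from RFC 8017, section 9.2, note 1.
_DIGEST_INFO = {
    'sha1':   bytes.fromhex('3021300906052b0e03021a05000414'),
    'sha256': bytes.fromhex('3031300d060960864801650304020105000420'),
    'sha512': bytes.fromhex('3051300d060960864801650304020305000440'),
}


def emsa_pkcs1_v1_5_encode(message, hash_name, k):
    """Return EM, the k-byte encoded message that RSA then signs.

    EM = 0x00 || 0x01 || PS || 0x00 || T, with T = DigestInfo || H(message)
    and PS at least 8 bytes of 0xff. So k (the modulus length in bytes)
    must be >= len(T) + 11, and len(EM) == k whatever the digest.
    """
    t = _DIGEST_INFO[hash_name] + hashlib.new(hash_name, message).digest()
    if k < len(t) + 11:
        raise ValueError('intended encoded message length too short')
    ps = b'\xff' * (k - len(t) - 3)
    return b'\x00\x01' + ps + b'\x00' + t


def min_rsa_bits(hash_name):
    """Smallest RSA modulus (bits, whole bytes) that can carry a PKCS#1 v1.5
    signature with this digest: 8 * (len(T) + 11)."""
    t_len = len(_DIGEST_INFO[hash_name]) + hashlib.new(hash_name).digest_size
    return 8 * (t_len + 11)


if __name__ == '__main__':
    tbs = b'constructed to-be-signed certificate bytes'
    for bits in (512, 768, 2048):
        for name in ('sha1', 'sha256', 'sha512'):
            try:
                em = emsa_pkcs1_v1_5_encode(tbs, name, bits // 8)
                print('%4d-bit RSA, %-6s: EM is %d bytes' % (bits, name, len(em)))
            except ValueError as e:
                print('%4d-bit RSA, %-6s: %s (needs >= %d bits)'
                      % (bits, name, e, min_rsa_bits(name)))
```

For a 768-bit key (k = 96 bytes) every digest yields a 96-byte EM and hence a 96-byte signature; SHA-512 needs at least 752 bits, which is why the commit can keep 768-bit keys, while a 512-bit key cannot carry a SHA-512 PKCS#1 v1.5 signature at all.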
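Worked example for the commit "Remove type specifier on config.value column" above. This is an added illustration, not re6stnet code: the config table layout (name/value pairs with a TEXT-declared value column before the change) is assumed, and the dump / fix create table / load upgrade is done in-process with Python's sqlite3 module instead of the sqlite3 shell so that it runs stand-alone. The point it demonstrates is SQLite type affinity: a column declared TEXT converts the integer 42 to the text '42' on insert, whereas a column with no declared type stores the value with the storage class it arrived with, which is what lets the registry store integers without converting to and from strings.

```python
"""SQLite type affinity and the dump/fix/load upgrade, added example."""
import re
import sqlite3

# Assumed schemas before and after the change (hypothetical layout).
OLD_SCHEMA = "CREATE TABLE config (name TEXT PRIMARY KEY, value TEXT)"
NEW_SCHEMA = "CREATE TABLE config (name TEXT PRIMARY KEY, value)"


def roundtrip(schema, value):
    """Insert *value* into config.value under *schema* and return what comes back."""
    db = sqlite3.connect(':memory:')
    db.execute(schema)
    db.execute("INSERT INTO config VALUES ('ttl', ?)", (value,))
    stored, = db.execute("SELECT value FROM config").fetchone()
    return stored


def upgrade(old_db):
    """Dump *old_db*, drop the type specifier of config.value in its CREATE
    TABLE statement, and load the result into a fresh database.

    Only the declaration changes: rows already stored as text stay text,
    only values inserted afterwards keep their integer storage class.
    """
    dump = "\n".join(old_db.iterdump())
    fixed, n = re.subn(r'(CREATE TABLE "?config"? \([^)]*\bvalue) TEXT\b',
                       r'\1', dump)
    if n != 1:
        raise RuntimeError('expected exactly one config table, found %d' % n)
    new_db = sqlite3.connect(':memory:')
    new_db.executescript(fixed)
    return new_db


def upgrade_demo():
    """Return (schema after upgrade, value of a pre-upgrade row, value of a
    row inserted after the upgrade)."""
    old = sqlite3.connect(':memory:')
    old.execute(OLD_SCHEMA)
    old.execute("INSERT INTO config VALUES ('ttl', ?)", (42,))
    old.commit()
    new = upgrade(old)
    new.execute("INSERT INTO config VALUES ('hello', ?)", (7,))
    schema, = new.execute(
        "SELECT sql FROM sqlite_master WHERE name = 'config'").fetchone()
    old_row, = new.execute(
        "SELECT value FROM config WHERE name = 'ttl'").fetchone()
    new_row, = new.execute(
        "SELECT value FROM config WHERE name = 'hello'").fetchone()
    return schema, old_row, new_row


if __name__ == '__main__':
    print(repr(roundtrip(OLD_SCHEMA, 42)), repr(roundtrip(NEW_SCHEMA, 42)))
    print(upgrade_demo())
```

The same three steps with the sqlite3 shell are `sqlite3 registry.db .dump > registry.sql`, editing the CREATE TABLE line in registry.sql, then `sqlite3 new.db < registry.sql`; the regex above is the automated form of the manual edit and deliberately refuses to continue if it does not find exactly one config table to change.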
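Worked example for the commit "UPnP: randomize external port" above. This is an added illustration, not re6stnet code, and it talks to no router: it works on a plain list of mapping tuples shaped like the ones pasted in that commit message (the layout miniupnpc returns for a generic port-mapping query: external port, protocol, (internal host, internal port), description, enabled flag, remote host, lease duration). The sample table is constructed from the four lines on the page; the port range and attempt count are assumed. It shows the check a practitioner wants before trusting an IGD (does the router hold the same external port for several internal hosts, which a sane one would have refused with ConflictInMappingEntry?) and the mitigation the commit adopts, a random external port that at least avoids everything already visible in the table.

```python
"""Detecting duplicate UPnP redirections and picking a random external port.

Added example, not re6stnet code; operates on mapping tuples, not a router.
"""
import random

# Constructed from the commit message: four internal hosts all mapped to the
# same external port 1024, which a conforming IGD would have refused.
BROKEN_ROUTER_TABLE = [
    (1024, 'TCP', ('192.168.0.29', 1194), 're6stnet openvpn server (1194/tcp)', '1', '', 0),
    (1024, 'TCP', ('192.168.0.16', 1194), 're6stnet openvpn server (1194/tcp)', '1', '', 0),
    (1024, 'TCP', ('192.168.0.33', 1194), 're6stnet openvpn server (1194/tcp)', '1', '', 0),
    (1024, 'TCP', ('192.168.0.20', 1194), 're6stnet openvpn server (1194/tcp)', '1', '', 0),
]


def conflicting_mappings(table):
    """Group mappings by (external port, protocol) and return the groups that
    point at more than one internal endpoint.

    A non-empty result means the router silently accepted duplicate
    redirections, so its ConflictInMappingEntry error cannot be relied on.
    """
    by_key = {}
    for ext_port, proto, internal, *_ in table:
        by_key.setdefault((ext_port, proto.upper()), set()).add(internal)
    return {key: hosts for key, hosts in by_key.items() if len(hosts) > 1}


def pick_external_port(table, proto, rng=None, low=1024, high=65535, attempts=64):
    """Choose a random external port for *proto* not already present in *table*.

    Drawing from a large range keeps the chance of two hosts behind the same
    router choosing the same port small even when the router reports no
    conflicts; the table check catches the collisions that are visible.
    The range and attempt count are assumed values, not the project's.
    """
    rng = rng or random.SystemRandom()
    taken = {(p, pr.upper()) for p, pr, *_ in table}
    for _ in range(attempts):
        port = rng.randint(low, high)
        if (port, proto.upper()) not in taken:
            return port
    raise RuntimeError('no free external port found in %d attempts' % attempts)


if __name__ == '__main__':
    for (port, proto), hosts in conflicting_mappings(BROKEN_ROUTER_TABLE).items():
        print('external %s/%d claimed by %d hosts: %s'
              % (proto, port, len(hosts), sorted(hosts)))
    print('suggested external port:', pick_external_port(BROKEN_ROUTER_TABLE, 'tcp'))
```

Before adding a mapping, a node can run the conflict check on the full table it reads back from the router; if the table already shows one external port shared by several hosts, the random choice is the only protection left, and the table should be re-read after adding the mapping to verify the router really recorded the port that was asked for.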