Included release tonarino/innernet@v1.5.5 in focal.

main
github-actions[bot] 2023-05-12 08:20:18 +00:00
parent 05a53af003
commit 1ff2086d5a
12 changed files with 443 additions and 0 deletions

BIN
debian/db/checksums.db vendored

Binary file not shown.

BIN
debian/db/packages.db vendored

Binary file not shown.

Binary file not shown.

Binary file not shown.

36
debian/dists/focal/InRelease vendored Normal file
View File

@ -0,0 +1,36 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Origin: Unofficial Innernet Debian repository
Label: innernet-debian
Codename: focal
Date: Fri, 12 May 2023 08:20:16 UTC
Architectures: amd64
Components: contrib
Description: APT repository for https://github.com/tonarino/innernet/.
MD5Sum:
f6d27f7a8871bdebe4280c9c3ebc71d4 11445 contrib/binary-amd64/Packages
22549a47e28a28b12a2baa1da439285e 4570 contrib/binary-amd64/Packages.gz
77dc2b012f45038d5be68f81d464ee44 179 contrib/binary-amd64/Release
SHA1:
e3facde4370461820390d32d5f4fea9959ee883c 11445 contrib/binary-amd64/Packages
395685ad6722e2ecd8321710289cc69599b2baea 4570 contrib/binary-amd64/Packages.gz
a4f6bbfd6fe4ab5a01909278c4e13b05d6b06f13 179 contrib/binary-amd64/Release
SHA256:
f76c4cec4b313891b8311ee611dc0e329dcb825ab87900b1d1d665061a54f030 11445 contrib/binary-amd64/Packages
1c068e26dd5f42fb95fb3def07e810fb11381f92c8cf59fc35751c3c0c1ab378 4570 contrib/binary-amd64/Packages.gz
67b3f0e511499d8b794eaf1524cea47d2263a1e8e43445c60f311dbef9a50e9c 179 contrib/binary-amd64/Release
-----BEGIN PGP SIGNATURE-----
iQGzBAEBCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmRd9sEACgkQZYKNdDzu
i2n8kwv+NbBk8JtOc+12F1slV4Wh2PiBfI7xp6O4aDUBmLoNbl0jr8VoyYVVGusN
rI049w1/1LbD3aJiaza4xKx77xCudN/ZgvnwfmzDcXVrRifBTfOI4WWBzr7SIi+c
qz7fFYNro7OhNCcxqnzAHJWmvm5Ks3+EoBWFCCIoat+dXL7fGFNzRtc5h3Yq3Z+D
1MR5rIs10TnslwyuQSFGkWH8ODAtiHw7VgKkerxj5IbjWodWo5JCEmzoXd0xF2g3
1USRoxruqpm24E7lF29ihDV+QKVM8xfql+kBnIqDizYAipOkTOzm5sqA9C3VUr0F
cDOHNw/vUvo8oUno/yQAOnOVfx+VMcFZERZ9jX1thEV1Iv2K+6KG63BkVyiP//pl
zO2qjaN2uRkXV0u9hZLKwhSvQSJPQXoXQ6H5t9mgfi39PYBbBgsh7putHCI6BAmV
6syhtQOQSabZhkiPQIkUgLYb75AVAQLHBQTvvJDHEVYuj1UgtaCdfLhgAOCexdkj
WjGQ5z1W
=iS48
-----END PGP SIGNATURE-----

19
debian/dists/focal/Release vendored Normal file
View File

@ -0,0 +1,19 @@
Origin: Unofficial Innernet Debian repository
Label: innernet-debian
Codename: focal
Date: Fri, 12 May 2023 08:20:16 UTC
Architectures: amd64
Components: contrib
Description: APT repository for https://github.com/tonarino/innernet/.
MD5Sum:
f6d27f7a8871bdebe4280c9c3ebc71d4 11445 contrib/binary-amd64/Packages
22549a47e28a28b12a2baa1da439285e 4570 contrib/binary-amd64/Packages.gz
77dc2b012f45038d5be68f81d464ee44 179 contrib/binary-amd64/Release
SHA1:
e3facde4370461820390d32d5f4fea9959ee883c 11445 contrib/binary-amd64/Packages
395685ad6722e2ecd8321710289cc69599b2baea 4570 contrib/binary-amd64/Packages.gz
a4f6bbfd6fe4ab5a01909278c4e13b05d6b06f13 179 contrib/binary-amd64/Release
SHA256:
f76c4cec4b313891b8311ee611dc0e329dcb825ab87900b1d1d665061a54f030 11445 contrib/binary-amd64/Packages
1c068e26dd5f42fb95fb3def07e810fb11381f92c8cf59fc35751c3c0c1ab378 4570 contrib/binary-amd64/Packages.gz
67b3f0e511499d8b794eaf1524cea47d2263a1e8e43445c60f311dbef9a50e9c 179 contrib/binary-amd64/Release

14
debian/dists/focal/Release.gpg vendored Normal file
View File

@ -0,0 +1,14 @@
-----BEGIN PGP SIGNATURE-----
iQGzBAABCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmRd9sAACgkQZYKNdDzu
i2mSTwv/QpJlyftF+p0Y7/TgCZTVsF9/UuMpMRBH+2gY8ZNt3RByuca7d9qzK9nx
a290PzMUWrItblXwolxvxFWWpNrwrQ0eoc+D9cv7CpmlehznrD3zURuJChNyVd/d
YnOMtipHR5O0fZK5UJtNLq6ZTdxAZYFolaj2xIbmISrI0uoegII3OTGz6iAN/u5C
B4JKPJo5JuY6p5sgC57DDCQuIy5c6wp2sfhHey8RYil5aU2IJnTJx/vM0d+hX0LL
+hEdVAQMtCHYZFoR3IpNasddTA0Ug/q4oi4Zcl/IDiH/tTPKfF5lVoyHqD0mz7ue
NLVFm9WMcRh9u2VDdNsX0Q8AOrzVYIaVGUB8zcTNXwGoSuXdwF9WxT/WOPanRBI0
esHQ9Jq0sQcMFv3Scdjq11iR0seq0IOWlM9h5EXU+lyelHwv+trMbxqleCU2O9N3
IA+sPeKt3s1v2amXzHTQFnoYwqvjduLnVidpHL3eH/5QCGjaDhEK0yOsvxSRpf35
p+/ZF0Xw
=SegE
-----END PGP SIGNATURE-----

View File

@ -0,0 +1,369 @@
Package: innernet
Version: 1.5.5-0ubuntu0~focal
Architecture: amd64
Vcs-Browser: https://github.com/tonarino/innernet
Vcs-Git: https://github.com/tonarino/innernet
Homepage: https://github.com/tonarino/innernet
Maintainer: tonari <hey@tonari.no>
Installed-Size: 5759
Depends: systemd, libgcc1, libc6
Recommends: wireguard
Priority: optional
Section: net
Filename: pool/contrib/i/innernet/innernet_1.5.5-0ubuntu0~focal_amd64.deb
Size: 939712
SHA256: 920928b6a121d58994d69562ac15ff19ab63343ac27e5c35c4da3e8854932fb9
SHA1: d668e3d513936d1610c43bdf4fd8c5407aee5c45
MD5sum: b8de44c86ea2f3315aa7768f13770577
Description: A client to manage innernet network interfaces.
innernet client binary for fetching peer information and conducting admin tasks
such as adding a new peer.
Package: innernet-server
Version: 1.5.5-0ubuntu0~focal
Architecture: amd64
Maintainer: tonari <hey@tonari.no>
Installed-Size: 3937
Depends: libgcc1, zlib1g, systemd, libsqlite3-0, libc6
Recommends: wireguard
Source: innernet
Priority: optional
Section: net
Filename: pool/contrib/i/innernet-server/innernet-server_1.5.5-0ubuntu0~focal_amd64.deb
Size: 1419844
SHA256: d3e09c49d837e8b679fe718b33bf82d1941e383fecf61e4a0d326159eca2cf09
SHA1: c1ccc872b83f5098f012b4997c0c9b45ea5207b7
MD5sum: 99ced787f8c8e8afd40cb6e48e3f0c95
Description: A server to coordinate innernet networks.
# innernet
.
A private network system that uses [WireGuard](https://wireguard.com) under the
hood. See the [announcement blog
post](https://blog.tonari.no/introducing-innernet) for a longer-winded
explanation.
.
<img
src="https://user-images.githubusercontent.com/373823/118917068-09ae7700-b96b-11eb-80f4-6860072d504d.gif"
width="600" height="370">
.
`innernet` is similar in its goals to Slack's
[nebula](https://github.com/slackhq/nebula) or
[Tailscale](https://tailscale.com/), but takes a bit of a different approach.
It aims to take advantage of existing networking concepts like CIDRs and the
security properties of WireGuard to turn your computer's basic IP networking
into more powerful ACL primitives.
.
`innernet` is not an official WireGuard project, and WireGuard is a registered
trademark of Jason A. Donenfeld.
.
This has not received an independent security audit, and should be considered
experimental software at this early point in its lifetime.
.
## Usage
.
### Server Creation
.
Every `innernet` network needs a coordination server to manage peers and
provide endpoint information so peers can directly connect to each other.
Create a new one with
.
```sh
sudo innernet-server new
```
.
The init wizard will ask you questions about your network and give you some
reasonable defaults. It's good to familiarize yourself with [network
CIDRs](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) as a lot
of innernet's access control is based upon them. As an example, let's say the
root CIDR for this network is `10.60.0.0/16`. Server initialization creates a
special "infra" CIDR which contains the `innernet` server itself and is
reachable from all CIDRs on the network.
.
Next we'll also create a `humans` CIDR where we can start adding some peers.
.
```sh
sudo innernet-server add-cidr <interface>
```
.
For the parent CIDR, you can simply choose your network's root CIDR. The name
will be `humans`, and the CIDR will be `10.60.64.0/24` (not a great example
unless you only want to support 256 humans, but it works for now...).
.
By default, peers which exist in this new CIDR will only be able to contact
peers in the same CIDR, and the special "infra" CIDR which was created when the
server was initialized.
.
A typical workflow for creating a new network is to create an admin peer from
the `innernet-server` CLI, and then continue using that admin peer via the
`innernet` client CLI to add any further peers or network CIDRs.
.
```sh
sudo innernet-server add-peer <interface>
```
.
Select the `humans` CIDR, and the CLI will automatically suggest the next
available IP address. Any name is fine, just answer "yes" when asked if you
would like to make the peer an admin. The process of adding a peer results in
an invitation file. This file contains just enough information for the new peer
to contact the `innernet` server and redeem its invitation. It should be
transferred securely to the new peer, and it can only be used once to
initialize the peer.
.
You can run the server with `innernet-server serve <interface>`, or if you're
on Linux and want to run it via `systemctl`, run `systemctl enable --now
innernet-server@<interface>`. If you're on a home network, don't forget to
configure port forwarding to the `Listen Port` you specified when creating the
`innernet` server.
.
### Peer Initialization
.
Let's assume the invitation file generated in the steps above have been
transferred to the machine a network admin will be using.
.
You can initialize the client with
.
```sh
sudo innernet install /path/to/invitation.toml
```
.
You can customize the network name if you want to, or leave it at the default.
`innernet` will then connect to the `innernet` server via WireGuard, generate a
new key pair, and register that pair with the server. The private key in the
invitation file can no longer be used.
.
If everything was successful, the new peer is on the network. You can run
things like
.
```sh
sudo innernet list
```
.
or
.
```sh
sudo innernet list --tree
```
.
to view the current network and all CIDRs visible to this peer.
.
Since we created an admin peer, we can also add new peers and CIDRs from this
peer via `innernet` instead of having to always run commands on the server.
.
### Adding Associations between CIDRs
.
In order for peers from one CIDR to be able to contact peers in another CIDR,
those two CIDRs must be "associated" with each other.
.
With the admin peer we created above, let's add a new CIDR for some theoretical
CI servers we have.
.
```sh
sudo innernet add-cidr <interface>
```
.
The name is `ci-servers` and the CIDR is `10.60.64.0/24`, but for this example
it can be anything.
.
For now, we want peers in the `humans` CIDR to be able to access peers in the
`ci-servers` CIDR.
.
```sh
sudo innernet add-association <interface>
```
.
The CLI will ask you to select the two CIDRs you want to associate. That's all
it takes to allow peers in two different CIDRs to communicate!
.
You can verify the association with
.
```sh
sudo innernet list-associations <interface>
```
.
and associations can be deleted with
.
```sh
sudo innernet delete-associations <interface>
```
.
### Enabling/Disabling Peers
.
For security reasons, IP addresses cannot be re-used by new peers, and
therefore peers cannot be deleted. However, they can be disabled. Disabled
peers will not show up in the list of peers when fetching the config for an
interface.
.
Disable a peer with
.
```su
sudo innernet disable-peer <interface>
```
.
Or re-enable a peer with
.
```su
sudo innernet enable-peer <interface>
```
.
### Specifying a Manual Endpoint
.
The `innernet` server will try to use the internet endpoint it sees from a peer
so other peers can connect to that peer as well. This doesn't always work and
you may want to set an endpoint explicitly. To set an endpoint, use
.
```sh
sudo innernet override-endpoint <interface>
```
.
You can go back to automatic endpoint discovery with
.
```sh
sudo innernet override-endpoint -u <interface>
```
.
### Setting the Local WireGuard Listen Port
.
If you want to change the port which WireGuard listens on, use
.
```sh
sudo innernet set-listen-port <interface>
```
.
or unset the port and use a randomized port with
.
```sh
sudo innernet set-listen-port -u <interface>
```
.
### Remove Network
.
To permanently uninstall a created network, use
.
```sh
sudo innernet-server uninstall <interface>
```
.
Use with care!
.
## Security recommendations
.
If you're running a service on innernet, there are some important security
considerations.
.
### Enable strict Reverse Path Filtering ([RFC
3704](https://tools.ietf.org/html/rfc3704))
.
Strict RPF prevents packets from _other_ interfaces from having internal source
IP addresses. This is _not_ the default on Linux, even though it is the right
choice for 99.99% of situations. You can enable it by adding the following to a
`/etc/sysctl.d/60-network-security.conf`:
.
```
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
```
.
### Bind to the WireGuard device
.
If possible, to _ensure_ that packets are only ever transmitted over the
WireGuard interface, it's recommended that you use `SO_BINDTODEVICE` on Linux
or `IP_BOUND_IF` on macOS/BSDs. If you have strict reverse path filtering,
though, this is less of a concern.
.
### IP addresses alone often aren't enough authentication
.
Even following all the above precautions, rogue applications on a peer's
machines could be able to make requests on their behalf unless you add extra
layers of authentication to mitigate this CSRF-type vector.
.
It's recommended that you carefully consider this possibility before deciding
that the source IP is sufficient for your authentication needs on a service.
.
## Installation
.
innernet has only officially been tested on Linux and MacOS, but we hope to
support as many platforms as is feasible!
.
### Runtime Dependencies
.
It's assumed that WireGuard is installed on your system, either via the kernel
module in Linux 5.6 and later, or via the
[`wireguard-go`](https://git.zx2c4.com/wireguard-go/about/) userspace
implementation.
.
[WireGuard Installation Instructions](https://www.wireguard.com/install/)
.
### Arch Linux
.
```sh
pacman -S innernet
```
.
### Ubuntu
.
Fetch the appropriate `.deb` packages from
https://github.com/tonarino/innernet/releases and install with
.
```sh
sudo apt install ./innernet*.deb
```
.
### macOS
.
```sh
brew install tonarino/innernet/innernet
```
.
### Cargo
.
```sh
# to install innernet:
cargo install --git https://github.com/tonarino/innernet --tag v1.5.5 client
.
# to install innernet-server:
cargo install --git https://github.com/tonarino/innernet --tag v1.5.5 server
```
.
Note that you'll be responsible for updating manually.
.
## Development
.
### `innernet-server` Build dependencies
.
- `rustc` / `cargo` (version 1.50.0 or higher)
- `libclang` (see more info at
[https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
- `libsqlite3`
.
Build:
.
```sh
cargo build --release --bin innernet-server
```
.
The resulting binary will be located at `./target/release/innernet-server`
.
### `innernet` Client CLI Build dependencies
.
- `rustc` / `cargo` (version 1.50.0 or higher)
- `libclang` (see more info at
[https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
.
Build:
.
```sh
cargo build --release --bin innernet
```
.
The resulting binary will be located at `./target/release/innernet`
.
### Releases
.
1. Run `cargo release [--dry-run] [minor|major|patch|...]` to automatically
bump the crates appropriately.
2. Create a new git tag (ex. `v0.6.0`).
3. Push (with tags) to the repo.
.
innernet uses GitHub Actions to automatically produce a debian package for the
[releases page](https://github.com/tonarino/innernet/releases).

Binary file not shown.

View File

@ -0,0 +1,5 @@
Component: contrib
Origin: Unofficial Innernet Debian repository
Label: innernet-debian
Architecture: amd64
Description: APT repository for https://github.com/tonarino/innernet/.