Included release tonarino/innernet@v1.6.0 in focal jammy for arm64 armhf.

main
github-actions[bot] 2023-07-30 13:18:36 +00:00
parent c4a45291c6
commit 4a3eff3072
30 changed files with 1656 additions and 52 deletions

BIN
debian/db/checksums.db vendored

Binary file not shown.

BIN
debian/db/packages.db vendored

Binary file not shown.

Binary file not shown.

Binary file not shown.

View File

@ -4,33 +4,51 @@ Hash: SHA512
Origin: Unofficial Innernet Debian repository Origin: Unofficial Innernet Debian repository
Label: innernet-debian Label: innernet-debian
Codename: focal Codename: focal
Date: Thu, 15 Jun 2023 14:35:31 UTC Date: Sun, 30 Jul 2023 13:18:34 UTC
Architectures: amd64 Architectures: amd64 armhf arm64
Components: contrib Components: contrib
Description: APT repository for https://github.com/tonarino/innernet/. Description: APT repository for https://github.com/tonarino/innernet/.
MD5Sum: MD5Sum:
09585d6972df6d213e1a2a95a6d7f783 12098 contrib/binary-amd64/Packages 09585d6972df6d213e1a2a95a6d7f783 12098 contrib/binary-amd64/Packages
f71f3ea5d0ab6f8e0dad303f04573e81 4799 contrib/binary-amd64/Packages.gz f71f3ea5d0ab6f8e0dad303f04573e81 4799 contrib/binary-amd64/Packages.gz
77dc2b012f45038d5be68f81d464ee44 179 contrib/binary-amd64/Release 77dc2b012f45038d5be68f81d464ee44 179 contrib/binary-amd64/Release
b1dcfb8ffed93c950262d0d18d93e8db 12097 contrib/binary-armhf/Packages
11ffc1ea682429a3cfd051979b9d6dcc 4799 contrib/binary-armhf/Packages.gz
2e56331833f644fa9dad5483acc93e55 179 contrib/binary-armhf/Release
9e4f28eca65271f15f684a56874f433d 12097 contrib/binary-arm64/Packages
edc6e00a474363010d79da0a577dbc64 4803 contrib/binary-arm64/Packages.gz
16627cd2b6e090772a75639bb48cd54d 179 contrib/binary-arm64/Release
SHA1: SHA1:
87d9b5312a8e5e99090351a36d09785c02303cf1 12098 contrib/binary-amd64/Packages 87d9b5312a8e5e99090351a36d09785c02303cf1 12098 contrib/binary-amd64/Packages
ea7af888161785eae92c690ddf4a3f0cf2f75cc9 4799 contrib/binary-amd64/Packages.gz ea7af888161785eae92c690ddf4a3f0cf2f75cc9 4799 contrib/binary-amd64/Packages.gz
a4f6bbfd6fe4ab5a01909278c4e13b05d6b06f13 179 contrib/binary-amd64/Release a4f6bbfd6fe4ab5a01909278c4e13b05d6b06f13 179 contrib/binary-amd64/Release
d0b3431eb3e21ceb02caa9dd63aaf8b2231e3e5e 12097 contrib/binary-armhf/Packages
3ff371bef4abda8010bc8ad4b8873acfb8bd220e 4799 contrib/binary-armhf/Packages.gz
dbfc90ff9af0819e8b73429a32e4691204b11da7 179 contrib/binary-armhf/Release
b8d99778297cbd777821c7162c9146d3f0407b6c 12097 contrib/binary-arm64/Packages
2ec88f0de84b12f796712cf8bdd9ae163a5e78d0 4803 contrib/binary-arm64/Packages.gz
af10abab9b82b0f8be34be72d478cd7efe4e64b9 179 contrib/binary-arm64/Release
SHA256: SHA256:
ce495f6c9bc1fb23dab42746cf14086dde7f1531922919af49f93708d6f9428c 12098 contrib/binary-amd64/Packages ce495f6c9bc1fb23dab42746cf14086dde7f1531922919af49f93708d6f9428c 12098 contrib/binary-amd64/Packages
466c0a757405ed9c217efb1b5c81f4b722922ee63c462b668a9957f6459a38a9 4799 contrib/binary-amd64/Packages.gz 466c0a757405ed9c217efb1b5c81f4b722922ee63c462b668a9957f6459a38a9 4799 contrib/binary-amd64/Packages.gz
67b3f0e511499d8b794eaf1524cea47d2263a1e8e43445c60f311dbef9a50e9c 179 contrib/binary-amd64/Release 67b3f0e511499d8b794eaf1524cea47d2263a1e8e43445c60f311dbef9a50e9c 179 contrib/binary-amd64/Release
749a6859a1f9859ad9963b7f1d2ea665adf505d4e9457cad997600e26e3c2112 12097 contrib/binary-armhf/Packages
5ee9f26a09e21a87dfdb376fa3a6098a61b4fb7056d0957f56b6f43a84f65e25 4799 contrib/binary-armhf/Packages.gz
ce7a57575ec61bf1af16351e2366f7114f6ad78e035696abaaac42f80dd8f425 179 contrib/binary-armhf/Release
24f6c2047566e4e6921badbbd7d9a6fe47e59acea3b932a1143bfb1783e63e84 12097 contrib/binary-arm64/Packages
e7bc836e26a4d99973dc79ba64ebd6f62dc3e385685bb1963e111466f5205a26 4803 contrib/binary-arm64/Packages.gz
86092179ad14de3750a8a527f8419920154bd761ea7367b9452abe85cfbca03d 179 contrib/binary-arm64/Release
-----BEGIN PGP SIGNATURE----- -----BEGIN PGP SIGNATURE-----
iQGzBAEBCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmSLIbQACgkQZYKNdDzu iQGzBAEBCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmTGYysACgkQZYKNdDzu
i2mZRQv/SFGNKO418HsrtqKpXl6YYyO5btE9s99uVLUIwm5du7IaqakYaoeLNUBy i2nJWgwAlGrzcAQsvZvsCaQjbWBndiJDtndfj8BQyRORCbbdEQ0pej2KOj7X+BIJ
grDFLA4e8eQlzEPJfURHql8lIncbTv8pI+34tGr3sigv0d6TgGaaHYNyuTzFWOnw /u7fKHLBKQ/oHZ/t7Bijv5z0MG3n1oG1AK0vAwMFr0t8yJQzl6DuwqQrTgeIsAQ5
j9fOUfr6D0ARRDiKTb19/M/0OFx7boYYTbO9ciNhTvWQ1hA+WS5k4JCH7b8ZYAbT 3kHoqbxDuFLUssNUcHsl3yWMULHOb8pteavSfjf7YZiBXmr2qhN+OEV69oHlOPju
CqJ4sKDzSdE5O/TyznAB8PAf7MuyLD1RgqLJsr6ORME7EjVbUSVA8Oo8TFRL5Qe4 UkTPvBTYlt4OPoESLMxk61O1YWB42Y5NpVzx2q6oft5d/D3OzND2SgTrGCQDvWYJ
gyjwUSzQ5immV6yxr473eMY7ilGv89VdZkDxMpYkyIlxAitiQbHRRFeQamgkic2J 55EkN9ddV3hGMqTr216vcq3k0DpHCcUhAd0L2tlyVDnf01mdj9YqtflZM2XfxQ1e
1xVQUBDp4iMP4QYaGSO2yz6wqdtU8hGT1yxnjga/+tKWfesSLqKiIOiUnNT0+0u3 jdDcvHh9BqDlEG2mODtTpQY6aOuNdKX5sx61Vblf7QiQDQMDI0dg7wsco/KiftcT
ZlTCDveotoZmjYOU6fk+q5WHofPPOL+kz+gcjMi4Wohe/+cs5NaceNTX84WVCim5 5QGvOGv2dehlJggMEXxF0B6cLzduwSu2O5OlbFUVqvUhXV+5RKSuiV3g+1g4BonS
zjNrfIOUkA3Bs15vfs4lbOHBOydr0LEv+pIC84LUmVc5JUPoO6HNNYTcANpW3rko faL1bLlMI5iIpO9qJCPvqrVepbRl1bYz7sMIdeVYTGWdcV7MdnZ8RJynIuhlItCk
MqOARofn oI2X+qhm
=Y37W =RQGT
-----END PGP SIGNATURE----- -----END PGP SIGNATURE-----

View File

@ -1,19 +1,37 @@
Origin: Unofficial Innernet Debian repository Origin: Unofficial Innernet Debian repository
Label: innernet-debian Label: innernet-debian
Codename: focal Codename: focal
Date: Thu, 15 Jun 2023 14:35:31 UTC Date: Sun, 30 Jul 2023 13:18:34 UTC
Architectures: amd64 Architectures: amd64 armhf arm64
Components: contrib Components: contrib
Description: APT repository for https://github.com/tonarino/innernet/. Description: APT repository for https://github.com/tonarino/innernet/.
MD5Sum: MD5Sum:
09585d6972df6d213e1a2a95a6d7f783 12098 contrib/binary-amd64/Packages 09585d6972df6d213e1a2a95a6d7f783 12098 contrib/binary-amd64/Packages
f71f3ea5d0ab6f8e0dad303f04573e81 4799 contrib/binary-amd64/Packages.gz f71f3ea5d0ab6f8e0dad303f04573e81 4799 contrib/binary-amd64/Packages.gz
77dc2b012f45038d5be68f81d464ee44 179 contrib/binary-amd64/Release 77dc2b012f45038d5be68f81d464ee44 179 contrib/binary-amd64/Release
b1dcfb8ffed93c950262d0d18d93e8db 12097 contrib/binary-armhf/Packages
11ffc1ea682429a3cfd051979b9d6dcc 4799 contrib/binary-armhf/Packages.gz
2e56331833f644fa9dad5483acc93e55 179 contrib/binary-armhf/Release
9e4f28eca65271f15f684a56874f433d 12097 contrib/binary-arm64/Packages
edc6e00a474363010d79da0a577dbc64 4803 contrib/binary-arm64/Packages.gz
16627cd2b6e090772a75639bb48cd54d 179 contrib/binary-arm64/Release
SHA1: SHA1:
87d9b5312a8e5e99090351a36d09785c02303cf1 12098 contrib/binary-amd64/Packages 87d9b5312a8e5e99090351a36d09785c02303cf1 12098 contrib/binary-amd64/Packages
ea7af888161785eae92c690ddf4a3f0cf2f75cc9 4799 contrib/binary-amd64/Packages.gz ea7af888161785eae92c690ddf4a3f0cf2f75cc9 4799 contrib/binary-amd64/Packages.gz
a4f6bbfd6fe4ab5a01909278c4e13b05d6b06f13 179 contrib/binary-amd64/Release a4f6bbfd6fe4ab5a01909278c4e13b05d6b06f13 179 contrib/binary-amd64/Release
d0b3431eb3e21ceb02caa9dd63aaf8b2231e3e5e 12097 contrib/binary-armhf/Packages
3ff371bef4abda8010bc8ad4b8873acfb8bd220e 4799 contrib/binary-armhf/Packages.gz
dbfc90ff9af0819e8b73429a32e4691204b11da7 179 contrib/binary-armhf/Release
b8d99778297cbd777821c7162c9146d3f0407b6c 12097 contrib/binary-arm64/Packages
2ec88f0de84b12f796712cf8bdd9ae163a5e78d0 4803 contrib/binary-arm64/Packages.gz
af10abab9b82b0f8be34be72d478cd7efe4e64b9 179 contrib/binary-arm64/Release
SHA256: SHA256:
ce495f6c9bc1fb23dab42746cf14086dde7f1531922919af49f93708d6f9428c 12098 contrib/binary-amd64/Packages ce495f6c9bc1fb23dab42746cf14086dde7f1531922919af49f93708d6f9428c 12098 contrib/binary-amd64/Packages
466c0a757405ed9c217efb1b5c81f4b722922ee63c462b668a9957f6459a38a9 4799 contrib/binary-amd64/Packages.gz 466c0a757405ed9c217efb1b5c81f4b722922ee63c462b668a9957f6459a38a9 4799 contrib/binary-amd64/Packages.gz
67b3f0e511499d8b794eaf1524cea47d2263a1e8e43445c60f311dbef9a50e9c 179 contrib/binary-amd64/Release 67b3f0e511499d8b794eaf1524cea47d2263a1e8e43445c60f311dbef9a50e9c 179 contrib/binary-amd64/Release
749a6859a1f9859ad9963b7f1d2ea665adf505d4e9457cad997600e26e3c2112 12097 contrib/binary-armhf/Packages
5ee9f26a09e21a87dfdb376fa3a6098a61b4fb7056d0957f56b6f43a84f65e25 4799 contrib/binary-armhf/Packages.gz
ce7a57575ec61bf1af16351e2366f7114f6ad78e035696abaaac42f80dd8f425 179 contrib/binary-armhf/Release
24f6c2047566e4e6921badbbd7d9a6fe47e59acea3b932a1143bfb1783e63e84 12097 contrib/binary-arm64/Packages
e7bc836e26a4d99973dc79ba64ebd6f62dc3e385685bb1963e111466f5205a26 4803 contrib/binary-arm64/Packages.gz
86092179ad14de3750a8a527f8419920154bd761ea7367b9452abe85cfbca03d 179 contrib/binary-arm64/Release

View File

@ -1,14 +1,14 @@
-----BEGIN PGP SIGNATURE----- -----BEGIN PGP SIGNATURE-----
iQGzBAABCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmSLIbMACgkQZYKNdDzu iQGzBAABCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmTGYyoACgkQZYKNdDzu
i2kUyQv8D9dnijsB3JR1kyTufLtncukYje8AgOHS4HTqZIrUeS2hTrdf00llvPiy i2lPdQv8DmSn+7u1+uudvM8K1fU9ShDGeZYtbyC2WhmX1OrI+aq8RQYO2qw6HVcj
METLUrckiwzVWF+9bK/ZWK3rlWPQ6i8ulqUHU7Ec9dfXqYzeesG8DI3jn3ICUfLM Sk+MuN2m1FxDV85mcCWA/VKzRcfiBn3Yybyzn75Pbeyl5TgRnHu9FKET5VSYH7gy
+oqpRyYXW7jXJNJDJafLSYzd/K+CfmlItNMSsbR2k52GoxA52R/vRlDtrCmb7TjM 9ulqONG18nZbshdS57GUwoxjlT2HVwjOLvQ7IKvX88DTKXQzkc7eiiZ3FCgOhX64
DhnXBzUfYLGAq+XBhM5QQnb6Ine6Evjg0Y1pU0wDcU9kJ1iJ7fDFFHJI2vN3P3qS ocGxIB4x6P6q2pCsEGhPGqdjUcYUGe98udxDlhQ99+EgtgtiCCowGtx6gqMuXj1g
43TRULqTGjGsZ2mL3kNj0NmXggUd2d4xx7KnftWNBSJ9LxsJ+KgGybswHt3x01sy 0FOycQlxhpGSPDQ+TW0vsIAauI3gERrqRPh+ZZbg2o7dQPyDYaXUXCeewpD5VqA1
tQaofImFeWpBhUJO5A3IWAWmMQtKmmUY77+WL7rSKKTo4HGvauyPBEG0EH6qvOE7 Gkv0oYRf+SRB215+tewJWTiwAS/Bxh6uxx/bNBk0kcYB3Sc9d6c5GSo78SXuNra1
NBWEDPyn+8CSAYh8VkpjwEJVBNA4rMAkyuRrLmTCPIx9FZRGRG60l7RGuhmCAoHt CHhtFUEKDNMG5aJet0gZBHDEwWl+4mCQsoGc+KzRTPfCgU02SvED75eaAt0pxHMa
mJig5Dskkd/sDGsxJVq1uDMGV3QDstAlHQG30tBZAJ8m61Ca5RrlN4sCi7Vm9urC UjlYKGboA+Zg3FsNxGGRUVjQEAt1Semo4xLI2e/D3J7klxncMFvehzuoro9VV0ab
tSzDD7zd 3SLqGF5l
=Fv/e =DsOy
-----END PGP SIGNATURE----- -----END PGP SIGNATURE-----

View File

@ -0,0 +1,378 @@
Package: innernet
Version: 1.6.0-0ubuntu0~focal
Architecture: arm64
Vcs-Browser: https://github.com/tonarino/innernet
Vcs-Git: https://github.com/tonarino/innernet
Homepage: https://github.com/tonarino/innernet
Maintainer: tonari <hey@tonari.no>
Installed-Size: 2841
Depends: libgcc1, systemd, libc6
Recommends: wireguard
Priority: optional
Section: net
Filename: pool/contrib/i/innernet/innernet_1.6.0-0ubuntu0~focal_arm64.deb
Size: 903012
SHA256: d71dd1ea107dea559f8d15c01ae9d58761ba4afee3a9bc7a4c7112e824ce4ab3
SHA1: 0139401fd3f08b403fc2a15f3a331c60ff24e570
MD5sum: f85aeb8aa51538811ff2238914c4a1ab
Description: A client to manage innernet network interfaces.
innernet client binary for fetching peer information and conducting admin tasks
such as adding a new peer.
Package: innernet-server
Version: 1.6.0-0ubuntu0~focal
Architecture: arm64
Vcs-Browser: https://github.com/tonarino/innernet
Vcs-Git: https://github.com/tonarino/innernet
Homepage: https://github.com/tonarino/innernet
Maintainer: tonari <hey@tonari.no>
Installed-Size: 3886
Depends: libc6, libgcc1, zlib1g, systemd, libsqlite3-0
Recommends: wireguard
Source: innernet
Priority: optional
Section: net
Filename: pool/contrib/i/innernet-server/innernet-server_1.6.0-0ubuntu0~focal_arm64.deb
Size: 1355084
SHA256: 46e22e21dcff4538ba143c5e32077983816b9c1d6ff7b856255e59df86023048
SHA1: 8860342c49b89fa9238bd9ba7abed1d2afa63b54
MD5sum: 43de229d49d6134e0801e6338009cf86
Description: A server to coordinate innernet networks.
# innernet
.
[![Actively
Maintained](https://img.shields.io/badge/Maintenance%20Level-Actively%20Maintained-green.svg)](https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d)
[![MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/tonarino/innernet/blob/master/LICENSE)
.
A private network system that uses [WireGuard](https://wireguard.com) under the
hood. See the [announcement blog
post](https://blog.tonari.no/introducing-innernet) for a longer-winded
explanation.
.
<img
src="https://user-images.githubusercontent.com/373823/118917068-09ae7700-b96b-11eb-80f4-6860072d504d.gif"
width="600" height="370">
.
`innernet` is similar in its goals to Slack's
[nebula](https://github.com/slackhq/nebula) or
[Tailscale](https://tailscale.com/), but takes a bit of a different approach.
It aims to take advantage of existing networking concepts like CIDRs and the
security properties of WireGuard to turn your computer's basic IP networking
into more powerful ACL primitives.
.
`innernet` is not an official WireGuard project, and WireGuard is a registered
trademark of Jason A. Donenfeld.
.
This has not received an independent security audit, and should be considered
experimental software at this early point in its lifetime.
.
## Usage
.
### Server Creation
.
Every `innernet` network needs a coordination server to manage peers and
provide endpoint information so peers can directly connect to each other.
Create a new one with
.
```sh
sudo innernet-server new
```
.
The init wizard will ask you questions about your network and give you some
reasonable defaults. It's good to familiarize yourself with [network
CIDRs](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) as a lot
of innernet's access control is based upon them. As an example, let's say the
root CIDR for this network is `10.60.0.0/16`. Server initialization creates a
special "infra" CIDR which contains the `innernet` server itself and is
reachable from all CIDRs on the network.
.
Next we'll also create a `humans` CIDR where we can start adding some peers.
.
```sh
sudo innernet-server add-cidr <interface>
```
.
For the parent CIDR, you can simply choose your network's root CIDR. The name
will be `humans`, and the CIDR will be `10.60.64.0/24` (not a great example
unless you only want to support 256 humans, but it works for now...).
.
By default, peers which exist in this new CIDR will only be able to contact
peers in the same CIDR, and the special "infra" CIDR which was created when the
server was initialized.
.
A typical workflow for creating a new network is to create an admin peer from
the `innernet-server` CLI, and then continue using that admin peer via the
`innernet` client CLI to add any further peers or network CIDRs.
.
```sh
sudo innernet-server add-peer <interface>
```
.
Select the `humans` CIDR, and the CLI will automatically suggest the next
available IP address. Any name is fine, just answer "yes" when asked if you
would like to make the peer an admin. The process of adding a peer results in
an invitation file. This file contains just enough information for the new peer
to contact the `innernet` server and redeem its invitation. It should be
transferred securely to the new peer, and it can only be used once to
initialize the peer.
.
You can run the server with `innernet-server serve <interface>`, or if you're
on Linux and want to run it via `systemctl`, run `systemctl enable --now
innernet-server@<interface>`. If you're on a home network, don't forget to
configure port forwarding to the `Listen Port` you specified when creating the
`innernet` server.
.
### Peer Initialization
.
Let's assume the invitation file generated in the steps above have been
transferred to the machine a network admin will be using.
.
You can initialize the client with
.
```sh
sudo innernet install /path/to/invitation.toml
```
.
You can customize the network name if you want to, or leave it at the default.
`innernet` will then connect to the `innernet` server via WireGuard, generate a
new key pair, and register that pair with the server. The private key in the
invitation file can no longer be used.
.
If everything was successful, the new peer is on the network. You can run
things like
.
```sh
sudo innernet list
```
.
or
.
```sh
sudo innernet list --tree
```
.
to view the current network and all CIDRs visible to this peer.
.
Since we created an admin peer, we can also add new peers and CIDRs from this
peer via `innernet` instead of having to always run commands on the server.
.
### Adding Associations between CIDRs
.
In order for peers from one CIDR to be able to contact peers in another CIDR,
those two CIDRs must be "associated" with each other.
.
With the admin peer we created above, let's add a new CIDR for some theoretical
CI servers we have.
.
```sh
sudo innernet add-cidr <interface>
```
.
The name is `ci-servers` and the CIDR is `10.60.64.0/24`, but for this example
it can be anything.
.
For now, we want peers in the `humans` CIDR to be able to access peers in the
`ci-servers` CIDR.
.
```sh
sudo innernet add-association <interface>
```
.
The CLI will ask you to select the two CIDRs you want to associate. That's all
it takes to allow peers in two different CIDRs to communicate!
.
You can verify the association with
.
```sh
sudo innernet list-associations <interface>
```
.
and associations can be deleted with
.
```sh
sudo innernet delete-associations <interface>
```
.
### Enabling/Disabling Peers
.
For security reasons, IP addresses cannot be re-used by new peers, and
therefore peers cannot be deleted. However, they can be disabled. Disabled
peers will not show up in the list of peers when fetching the config for an
interface.
.
Disable a peer with
.
```su
sudo innernet disable-peer <interface>
```
.
Or re-enable a peer with
.
```su
sudo innernet enable-peer <interface>
```
.
### Specifying a Manual Endpoint
.
The `innernet` server will try to use the internet endpoint it sees from a peer
so other peers can connect to that peer as well. This doesn't always work and
you may want to set an endpoint explicitly. To set an endpoint, use
.
```sh
sudo innernet override-endpoint <interface>
```
.
You can go back to automatic endpoint discovery with
.
```sh
sudo innernet override-endpoint -u <interface>
```
.
### Setting the Local WireGuard Listen Port
.
If you want to change the port which WireGuard listens on, use
.
```sh
sudo innernet set-listen-port <interface>
```
.
or unset the port and use a randomized port with
.
```sh
sudo innernet set-listen-port -u <interface>
```
.
### Remove Network
.
To permanently uninstall a created network, use
.
```sh
sudo innernet-server uninstall <interface>
```
.
Use with care!
.
## Security recommendations
.
If you're running a service on innernet, there are some important security
considerations.
.
### Enable strict Reverse Path Filtering ([RFC
3704](https://tools.ietf.org/html/rfc3704))
.
Strict RPF prevents packets from _other_ interfaces from having internal source
IP addresses. This is _not_ the default on Linux, even though it is the right
choice for 99.99% of situations. You can enable it by adding the following to a
`/etc/sysctl.d/60-network-security.conf`:
.
```
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
```
.
### Bind to the WireGuard device
.
If possible, to _ensure_ that packets are only ever transmitted over the
WireGuard interface, it's recommended that you use `SO_BINDTODEVICE` on Linux
or `IP_BOUND_IF` on macOS/BSDs. If you have strict reverse path filtering,
though, this is less of a concern.
.
### IP addresses alone often aren't enough authentication
.
Even following all the above precautions, rogue applications on a peer's
machines could be able to make requests on their behalf unless you add extra
layers of authentication to mitigate this CSRF-type vector.
.
It's recommended that you carefully consider this possibility before deciding
that the source IP is sufficient for your authentication needs on a service.
.
## Installation
.
innernet has only officially been tested on Linux and MacOS, but we hope to
support as many platforms as is feasible!
.
### Runtime Dependencies
.
It's assumed that WireGuard is installed on your system, either via the kernel
module in Linux 5.6 and later, or via the
[`wireguard-go`](https://git.zx2c4.com/wireguard-go/about/) userspace
implementation.
.
[WireGuard Installation Instructions](https://www.wireguard.com/install/)
.
### Arch Linux
.
```sh
pacman -S innernet
```
.
### Debian and Ubuntu
.
[**@tommie**](https://github.com/tommie) is kindly providing Debian/Ubuntu
innernet builds in the https://github.com/tommie/innernet-debian repository.
.
### Other Linux Distributions
.
We're looking for volunteers who are able to set up external builds for popular
distributions. Please see issue
[#203](https://github.com/tonarino/innernet/issues/203).
.
### macOS
.
```sh
brew install tonarino/innernet/innernet
```
.
### Cargo
.
```sh
# to install innernet:
cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 client
.
# to install innernet-server:
cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 server
```
.
Note that you'll be responsible for updating manually.
.
## Development
.
### `innernet-server` Build dependencies
.
- `rustc` / `cargo` (version 1.50.0 or higher)
- `libclang` (see more info at
[https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
- `libsqlite3`
.
Build:
.
```sh
cargo build --release --bin innernet-server
```
.
The resulting binary will be located at `./target/release/innernet-server`
.
### `innernet` Client CLI Build dependencies
.
- `rustc` / `cargo` (version 1.50.0 or higher)
- `libclang` (see more info at
[https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
.
Build:
.
```sh
cargo build --release --bin innernet
```
.
The resulting binary will be located at `./target/release/innernet`
.
### Releases
.
Please run the release script from a Linux machine: generated shell completions
depend on available wireguard backends and Mac doesn't support the `kernel`
backend.
.
1. Fetch and check-out the `main` branch.
2. Run `./release.sh [patch|major|minor|rc]`
3. Push the `main` branch and the created tag to the repo.

Binary file not shown.

View File

@ -0,0 +1,5 @@
Component: contrib
Origin: Unofficial Innernet Debian repository
Label: innernet-debian
Architecture: arm64
Description: APT repository for https://github.com/tonarino/innernet/.

View File

@ -0,0 +1,378 @@
Package: innernet
Version: 1.6.0-0ubuntu0~focal
Architecture: armhf
Vcs-Browser: https://github.com/tonarino/innernet
Vcs-Git: https://github.com/tonarino/innernet
Homepage: https://github.com/tonarino/innernet
Maintainer: tonari <hey@tonari.no>
Installed-Size: 2684
Depends: libgcc1, libc6, systemd
Recommends: wireguard
Priority: optional
Section: net
Filename: pool/contrib/i/innernet/innernet_1.6.0-0ubuntu0~focal_armhf.deb
Size: 916708
SHA256: 5a659fba5e5410ea9cb5591753075fcc040c92386e3e6382efacd43583e2c782
SHA1: 03ac24914abd80fcaee5d0dacd77c2b4aebfd08c
MD5sum: b0c21e227ed3ca35815137d941035b1f
Description: A client to manage innernet network interfaces.
innernet client binary for fetching peer information and conducting admin tasks
such as adding a new peer.
Package: innernet-server
Version: 1.6.0-0ubuntu0~focal
Architecture: armhf
Vcs-Browser: https://github.com/tonarino/innernet
Vcs-Git: https://github.com/tonarino/innernet
Homepage: https://github.com/tonarino/innernet
Maintainer: tonari <hey@tonari.no>
Installed-Size: 3343
Depends: libgcc1, zlib1g, libc6, libsqlite3-0, systemd
Recommends: wireguard
Source: innernet
Priority: optional
Section: net
Filename: pool/contrib/i/innernet-server/innernet-server_1.6.0-0ubuntu0~focal_armhf.deb
Size: 1337176
SHA256: 429c6cbf976e82910bd9be68b772a9264f680ea051c1850074a25e39e6d03059
SHA1: d97a2f0ae144af2a67dc6dc9df547fc0b61d3058
MD5sum: 105818d65bcc4e3ffbb3feb7dab0867c
Description: A server to coordinate innernet networks.
# innernet
.
[![Actively
Maintained](https://img.shields.io/badge/Maintenance%20Level-Actively%20Maintained-green.svg)](https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d)
[![MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/tonarino/innernet/blob/master/LICENSE)
.
A private network system that uses [WireGuard](https://wireguard.com) under the
hood. See the [announcement blog
post](https://blog.tonari.no/introducing-innernet) for a longer-winded
explanation.
.
<img
src="https://user-images.githubusercontent.com/373823/118917068-09ae7700-b96b-11eb-80f4-6860072d504d.gif"
width="600" height="370">
.
`innernet` is similar in its goals to Slack's
[nebula](https://github.com/slackhq/nebula) or
[Tailscale](https://tailscale.com/), but takes a bit of a different approach.
It aims to take advantage of existing networking concepts like CIDRs and the
security properties of WireGuard to turn your computer's basic IP networking
into more powerful ACL primitives.
.
`innernet` is not an official WireGuard project, and WireGuard is a registered
trademark of Jason A. Donenfeld.
.
This has not received an independent security audit, and should be considered
experimental software at this early point in its lifetime.
.
## Usage
.
### Server Creation
.
Every `innernet` network needs a coordination server to manage peers and
provide endpoint information so peers can directly connect to each other.
Create a new one with
.
```sh
sudo innernet-server new
```
.
The init wizard will ask you questions about your network and give you some
reasonable defaults. It's good to familiarize yourself with [network
CIDRs](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) as a lot
of innernet's access control is based upon them. As an example, let's say the
root CIDR for this network is `10.60.0.0/16`. Server initialization creates a
special "infra" CIDR which contains the `innernet` server itself and is
reachable from all CIDRs on the network.
.
Next we'll also create a `humans` CIDR where we can start adding some peers.
.
```sh
sudo innernet-server add-cidr <interface>
```
.
For the parent CIDR, you can simply choose your network's root CIDR. The name
will be `humans`, and the CIDR will be `10.60.64.0/24` (not a great example
unless you only want to support 256 humans, but it works for now...).
.
By default, peers which exist in this new CIDR will only be able to contact
peers in the same CIDR, and the special "infra" CIDR which was created when the
server was initialized.
.
A typical workflow for creating a new network is to create an admin peer from
the `innernet-server` CLI, and then continue using that admin peer via the
`innernet` client CLI to add any further peers or network CIDRs.
.
```sh
sudo innernet-server add-peer <interface>
```
.
Select the `humans` CIDR, and the CLI will automatically suggest the next
available IP address. Any name is fine, just answer "yes" when asked if you
would like to make the peer an admin. The process of adding a peer results in
an invitation file. This file contains just enough information for the new peer
to contact the `innernet` server and redeem its invitation. It should be
transferred securely to the new peer, and it can only be used once to
initialize the peer.
.
You can run the server with `innernet-server serve <interface>`, or if you're
on Linux and want to run it via `systemctl`, run `systemctl enable --now
innernet-server@<interface>`. If you're on a home network, don't forget to
configure port forwarding to the `Listen Port` you specified when creating the
`innernet` server.
.
### Peer Initialization
.
Let's assume the invitation file generated in the steps above have been
transferred to the machine a network admin will be using.
.
You can initialize the client with
.
```sh
sudo innernet install /path/to/invitation.toml
```
.
You can customize the network name if you want to, or leave it at the default.
`innernet` will then connect to the `innernet` server via WireGuard, generate a
new key pair, and register that pair with the server. The private key in the
invitation file can no longer be used.
.
If everything was successful, the new peer is on the network. You can run
things like
.
```sh
sudo innernet list
```
.
or
.
```sh
sudo innernet list --tree
```
.
to view the current network and all CIDRs visible to this peer.
.
Since we created an admin peer, we can also add new peers and CIDRs from this
peer via `innernet` instead of having to always run commands on the server.
.
### Adding Associations between CIDRs
.
In order for peers from one CIDR to be able to contact peers in another CIDR,
those two CIDRs must be "associated" with each other.
.
With the admin peer we created above, let's add a new CIDR for some theoretical
CI servers we have.
.
```sh
sudo innernet add-cidr <interface>
```
.
The name is `ci-servers` and the CIDR is `10.60.64.0/24`, but for this example
it can be anything.
.
For now, we want peers in the `humans` CIDR to be able to access peers in the
`ci-servers` CIDR.
.
```sh
sudo innernet add-association <interface>
```
.
The CLI will ask you to select the two CIDRs you want to associate. That's all
it takes to allow peers in two different CIDRs to communicate!
.
You can verify the association with
.
```sh
sudo innernet list-associations <interface>
```
.
and associations can be deleted with
.
```sh
sudo innernet delete-associations <interface>
```
.
### Enabling/Disabling Peers
.
For security reasons, IP addresses cannot be re-used by new peers, and
therefore peers cannot be deleted. However, they can be disabled. Disabled
peers will not show up in the list of peers when fetching the config for an
interface.
.
Disable a peer with
.
```su
sudo innernet disable-peer <interface>
```
.
Or re-enable a peer with
.
```su
sudo innernet enable-peer <interface>
```
.
### Specifying a Manual Endpoint
.
The `innernet` server will try to use the internet endpoint it sees from a peer
so other peers can connect to that peer as well. This doesn't always work and
you may want to set an endpoint explicitly. To set an endpoint, use
.
```sh
sudo innernet override-endpoint <interface>
```
.
You can go back to automatic endpoint discovery with
.
```sh
sudo innernet override-endpoint -u <interface>
```
.
### Setting the Local WireGuard Listen Port
.
If you want to change the port which WireGuard listens on, use
.
```sh
sudo innernet set-listen-port <interface>
```
.
or unset the port and use a randomized port with
.
```sh
sudo innernet set-listen-port -u <interface>
```
.
### Remove Network
.
To permanently uninstall a created network, use
.
```sh
sudo innernet-server uninstall <interface>
```
.
Use with care!
.
## Security recommendations
.
If you're running a service on innernet, there are some important security
considerations.
.
### Enable strict Reverse Path Filtering ([RFC
3704](https://tools.ietf.org/html/rfc3704))
.
Strict RPF prevents packets from _other_ interfaces from having internal source
IP addresses. This is _not_ the default on Linux, even though it is the right
choice for 99.99% of situations. You can enable it by adding the following to a
`/etc/sysctl.d/60-network-security.conf`:
.
```
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
```
.
### Bind to the WireGuard device
.
If possible, to _ensure_ that packets are only ever transmitted over the
WireGuard interface, it's recommended that you use `SO_BINDTODEVICE` on Linux
or `IP_BOUND_IF` on macOS/BSDs. If you have strict reverse path filtering,
though, this is less of a concern.
.
### IP addresses alone often aren't enough authentication
.
Even following all the above precautions, rogue applications on a peer's
machines could be able to make requests on their behalf unless you add extra
layers of authentication to mitigate this CSRF-type vector.
.
It's recommended that you carefully consider this possibility before deciding
that the source IP is sufficient for your authentication needs on a service.
.
## Installation
.
innernet has only officially been tested on Linux and MacOS, but we hope to
support as many platforms as is feasible!
.
### Runtime Dependencies
.
It's assumed that WireGuard is installed on your system, either via the kernel
module in Linux 5.6 and later, or via the
[`wireguard-go`](https://git.zx2c4.com/wireguard-go/about/) userspace
implementation.
.
[WireGuard Installation Instructions](https://www.wireguard.com/install/)
.
### Arch Linux
.
```sh
pacman -S innernet
```
.
### Debian and Ubuntu
.
[**@tommie**](https://github.com/tommie) is kindly providing Debian/Ubuntu
innernet builds in the https://github.com/tommie/innernet-debian repository.
.
### Other Linux Distributions
.
We're looking for volunteers who are able to set up external builds for popular
distributions. Please see issue
[#203](https://github.com/tonarino/innernet/issues/203).
.
### macOS
.
```sh
brew install tonarino/innernet/innernet
```
.
### Cargo
.
```sh
# to install innernet:
cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 client
.
# to install innernet-server:
cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 server
```
.
Note that you'll be responsible for updating manually.
.
## Development
.
### `innernet-server` Build dependencies
.
- `rustc` / `cargo` (version 1.50.0 or higher)
- `libclang` (see more info at
[https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
- `libsqlite3`
.
Build:
.
```sh
cargo build --release --bin innernet-server
```
.
The resulting binary will be located at `./target/release/innernet-server`
.
### `innernet` Client CLI Build dependencies
.
- `rustc` / `cargo` (version 1.50.0 or higher)
- `libclang` (see more info at
[https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
.
Build:
.
```sh
cargo build --release --bin innernet
```
.
The resulting binary will be located at `./target/release/innernet`
.
### Releases
.
Please run the release script from a Linux machine: generated shell completions
depend on available wireguard backends and Mac doesn't support the `kernel`
backend.
.
1. Fetch and check-out the `main` branch.
2. Run `./release.sh [patch|major|minor|rc]`
3. Push the `main` branch and the created tag to the repo.

Binary file not shown.

View File

@ -0,0 +1,5 @@
Component: contrib
Origin: Unofficial Innernet Debian repository
Label: innernet-debian
Architecture: armhf
Description: APT repository for https://github.com/tonarino/innernet/.

View File

@ -4,33 +4,51 @@ Hash: SHA512
Origin: Unofficial Innernet Debian repository Origin: Unofficial Innernet Debian repository
Label: innernet-debian Label: innernet-debian
Codename: jammy Codename: jammy
Date: Fri, 16 Jun 2023 13:45:35 UTC Date: Sun, 30 Jul 2023 13:18:35 UTC
Architectures: amd64 Architectures: amd64 armhf arm64
Components: contrib Components: contrib
Description: APT repository for https://github.com/tonarino/innernet/. Description: APT repository for https://github.com/tonarino/innernet/.
MD5Sum: MD5Sum:
c3fb046e579f2886ef6b3cf3e219ba05 12098 contrib/binary-amd64/Packages c3fb046e579f2886ef6b3cf3e219ba05 12098 contrib/binary-amd64/Packages
e09b77d60d34ab4af3b28265d59cea19 4799 contrib/binary-amd64/Packages.gz e09b77d60d34ab4af3b28265d59cea19 4799 contrib/binary-amd64/Packages.gz
77dc2b012f45038d5be68f81d464ee44 179 contrib/binary-amd64/Release 77dc2b012f45038d5be68f81d464ee44 179 contrib/binary-amd64/Release
780524704fdb47454787362f650f63b2 12097 contrib/binary-armhf/Packages
092d4159daa0a41922473929fb72b666 4798 contrib/binary-armhf/Packages.gz
2e56331833f644fa9dad5483acc93e55 179 contrib/binary-armhf/Release
774c59f064602c6d2a571c4927700ea1 12097 contrib/binary-arm64/Packages
111c0179f59c4f065197f95058495807 4802 contrib/binary-arm64/Packages.gz
16627cd2b6e090772a75639bb48cd54d 179 contrib/binary-arm64/Release
SHA1: SHA1:
24f3f3be92fa94c5c91f4e1016a87dc3bee36bc0 12098 contrib/binary-amd64/Packages 24f3f3be92fa94c5c91f4e1016a87dc3bee36bc0 12098 contrib/binary-amd64/Packages
91350afc9bc7f37a9fa65c7827fd0161cefc2791 4799 contrib/binary-amd64/Packages.gz 91350afc9bc7f37a9fa65c7827fd0161cefc2791 4799 contrib/binary-amd64/Packages.gz
a4f6bbfd6fe4ab5a01909278c4e13b05d6b06f13 179 contrib/binary-amd64/Release a4f6bbfd6fe4ab5a01909278c4e13b05d6b06f13 179 contrib/binary-amd64/Release
ba0280a48581058691a8a392862fbf3820b841d0 12097 contrib/binary-armhf/Packages
b7d567b2b284f0734227eaa771004539525a2d90 4798 contrib/binary-armhf/Packages.gz
dbfc90ff9af0819e8b73429a32e4691204b11da7 179 contrib/binary-armhf/Release
6d826c8431b6b5983b654a37a34d68efa4148b8a 12097 contrib/binary-arm64/Packages
1c5ee6f104cf87055db66f368be7792d52a60094 4802 contrib/binary-arm64/Packages.gz
af10abab9b82b0f8be34be72d478cd7efe4e64b9 179 contrib/binary-arm64/Release
SHA256: SHA256:
42614d2b5bb2bc2be526f2aac7a249a78fe9e06b6dfbf174f1b81f774e9c94d9 12098 contrib/binary-amd64/Packages 42614d2b5bb2bc2be526f2aac7a249a78fe9e06b6dfbf174f1b81f774e9c94d9 12098 contrib/binary-amd64/Packages
5e2f2c7f0d4e5b718e3e4429aea9e02ea1d2cda4b8e68357dddae26eae7e0df5 4799 contrib/binary-amd64/Packages.gz 5e2f2c7f0d4e5b718e3e4429aea9e02ea1d2cda4b8e68357dddae26eae7e0df5 4799 contrib/binary-amd64/Packages.gz
67b3f0e511499d8b794eaf1524cea47d2263a1e8e43445c60f311dbef9a50e9c 179 contrib/binary-amd64/Release 67b3f0e511499d8b794eaf1524cea47d2263a1e8e43445c60f311dbef9a50e9c 179 contrib/binary-amd64/Release
6920dfcb12fa912d057fbef51193867d02a2d52a02ac8cbd8e43346e199edf44 12097 contrib/binary-armhf/Packages
0039297dbd77d349e5acf51945cda8f284f3d1813746789c31127472ad019a6e 4798 contrib/binary-armhf/Packages.gz
ce7a57575ec61bf1af16351e2366f7114f6ad78e035696abaaac42f80dd8f425 179 contrib/binary-armhf/Release
eee57fae348c6121d8aee97c08e437cc62471dd87103df971d368e72791b4447 12097 contrib/binary-arm64/Packages
3a77da57917309f4fce907bf2828bd2def020f210d77e18ec80c6b0d58c65475 4802 contrib/binary-arm64/Packages.gz
86092179ad14de3750a8a527f8419920154bd761ea7367b9452abe85cfbca03d 179 contrib/binary-arm64/Release
-----BEGIN PGP SIGNATURE----- -----BEGIN PGP SIGNATURE-----
iQGzBAEBCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmSMZ4AACgkQZYKNdDzu iQGzBAEBCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmTGYysACgkQZYKNdDzu
i2msrAv/flrJ7B8kMVB35KVN+TNkplpEOUjb0aa+xBQ4+1h1TaZftrJRxNgTHpmz i2kz1wv+NcR8ROJf8Azw6AQPyL8gzuT2c9gRVcMEMGvMtbU/phJQXZReBGgvdcZX
Y8L4l7xTJxEI+rMvJ6SDWxK7/BGyHzdOIlF49u6lRtI1KJWAEXCPNas2FszKIywy r5hY3SwMdvgXxPzWhYr1lnhA71NmPhUxjc2H+J0dGULxMnvoyQ88/UQQpaAIyZsq
mdf+1UGZ4fgtMXJfMblpDua95pDaUH11vuB2Ty1kLl6ELmG136sR/5w1laP6N10I JuuT1D5QHJ9ZWI3SGDKOcdsb2ix51sYVoYsRx/OO5RlYofLfAgU0wGrfa0pUj3l9
y8HTL5poEQOQMeX6cSiYPyiVMUKZgacs1gEv0Z0sksgwDMdghFUUN6poZlG5RfCC OVO0QBeqyb4Xs2+3sjQH8NsJd3bIHOR65ULXJ33R/Bbkt0VYYgApiCMDVifJWMko
7s9NJNKEAiuvcyikP+TrJT0H/JsDO7LJRyZXvxlfS5xoxBWUgc/kCjbh638TtSOP HOZvH0lCvgVy5QE2Dg3KC/8nEVglky3cwwpnN6GWAMTFEFwArZ9IGfcNJmjfuwDz
wPkhPhxedPBgfQ0Ri46P5J+D+qsg7Ck0QsA+nhEUdrQ0ajWB1iBuuuhkflKvkBBj eUgNUnzItCHJyu8G1bX1IgKIHBMkJB9qXbr5DhDjVN8UrfD92A25ZXzbSsgzC6Zc
ft/F672ysXKhSQpW/+ljUjWrkHoA/9Rg25cJOZF4gBUGoavOentnfEjq9h14Qrnl O0Wt0xSuqmoaluwnePxmA/cmV3ffvdIBnBnXEKFaTf1l3aHcDAG0Zmh6/9abKx78
1PPb8ANL+wyTQP6zd5mV7j/3cahyQiZldoVkjXRJ6EQ6Ro/E7e+SrAi/9+2rIKiB Ey17a8voz9U3gRRZG2YTTVYIWhqPVxaPnC14slZzuC2CDWZBVF2f74sCYPqH6SF+
/w7rJEA7 zAGYm7Ur
=XTJH =6gHL
-----END PGP SIGNATURE----- -----END PGP SIGNATURE-----

View File

@ -1,19 +1,37 @@
Origin: Unofficial Innernet Debian repository Origin: Unofficial Innernet Debian repository
Label: innernet-debian Label: innernet-debian
Codename: jammy Codename: jammy
Date: Fri, 16 Jun 2023 13:45:35 UTC Date: Sun, 30 Jul 2023 13:18:35 UTC
Architectures: amd64 Architectures: amd64 armhf arm64
Components: contrib Components: contrib
Description: APT repository for https://github.com/tonarino/innernet/. Description: APT repository for https://github.com/tonarino/innernet/.
MD5Sum: MD5Sum:
c3fb046e579f2886ef6b3cf3e219ba05 12098 contrib/binary-amd64/Packages c3fb046e579f2886ef6b3cf3e219ba05 12098 contrib/binary-amd64/Packages
e09b77d60d34ab4af3b28265d59cea19 4799 contrib/binary-amd64/Packages.gz e09b77d60d34ab4af3b28265d59cea19 4799 contrib/binary-amd64/Packages.gz
77dc2b012f45038d5be68f81d464ee44 179 contrib/binary-amd64/Release 77dc2b012f45038d5be68f81d464ee44 179 contrib/binary-amd64/Release
780524704fdb47454787362f650f63b2 12097 contrib/binary-armhf/Packages
092d4159daa0a41922473929fb72b666 4798 contrib/binary-armhf/Packages.gz
2e56331833f644fa9dad5483acc93e55 179 contrib/binary-armhf/Release
774c59f064602c6d2a571c4927700ea1 12097 contrib/binary-arm64/Packages
111c0179f59c4f065197f95058495807 4802 contrib/binary-arm64/Packages.gz
16627cd2b6e090772a75639bb48cd54d 179 contrib/binary-arm64/Release
SHA1: SHA1:
24f3f3be92fa94c5c91f4e1016a87dc3bee36bc0 12098 contrib/binary-amd64/Packages 24f3f3be92fa94c5c91f4e1016a87dc3bee36bc0 12098 contrib/binary-amd64/Packages
91350afc9bc7f37a9fa65c7827fd0161cefc2791 4799 contrib/binary-amd64/Packages.gz 91350afc9bc7f37a9fa65c7827fd0161cefc2791 4799 contrib/binary-amd64/Packages.gz
a4f6bbfd6fe4ab5a01909278c4e13b05d6b06f13 179 contrib/binary-amd64/Release a4f6bbfd6fe4ab5a01909278c4e13b05d6b06f13 179 contrib/binary-amd64/Release
ba0280a48581058691a8a392862fbf3820b841d0 12097 contrib/binary-armhf/Packages
b7d567b2b284f0734227eaa771004539525a2d90 4798 contrib/binary-armhf/Packages.gz
dbfc90ff9af0819e8b73429a32e4691204b11da7 179 contrib/binary-armhf/Release
6d826c8431b6b5983b654a37a34d68efa4148b8a 12097 contrib/binary-arm64/Packages
1c5ee6f104cf87055db66f368be7792d52a60094 4802 contrib/binary-arm64/Packages.gz
af10abab9b82b0f8be34be72d478cd7efe4e64b9 179 contrib/binary-arm64/Release
SHA256: SHA256:
42614d2b5bb2bc2be526f2aac7a249a78fe9e06b6dfbf174f1b81f774e9c94d9 12098 contrib/binary-amd64/Packages 42614d2b5bb2bc2be526f2aac7a249a78fe9e06b6dfbf174f1b81f774e9c94d9 12098 contrib/binary-amd64/Packages
5e2f2c7f0d4e5b718e3e4429aea9e02ea1d2cda4b8e68357dddae26eae7e0df5 4799 contrib/binary-amd64/Packages.gz 5e2f2c7f0d4e5b718e3e4429aea9e02ea1d2cda4b8e68357dddae26eae7e0df5 4799 contrib/binary-amd64/Packages.gz
67b3f0e511499d8b794eaf1524cea47d2263a1e8e43445c60f311dbef9a50e9c 179 contrib/binary-amd64/Release 67b3f0e511499d8b794eaf1524cea47d2263a1e8e43445c60f311dbef9a50e9c 179 contrib/binary-amd64/Release
6920dfcb12fa912d057fbef51193867d02a2d52a02ac8cbd8e43346e199edf44 12097 contrib/binary-armhf/Packages
0039297dbd77d349e5acf51945cda8f284f3d1813746789c31127472ad019a6e 4798 contrib/binary-armhf/Packages.gz
ce7a57575ec61bf1af16351e2366f7114f6ad78e035696abaaac42f80dd8f425 179 contrib/binary-armhf/Release
eee57fae348c6121d8aee97c08e437cc62471dd87103df971d368e72791b4447 12097 contrib/binary-arm64/Packages
3a77da57917309f4fce907bf2828bd2def020f210d77e18ec80c6b0d58c65475 4802 contrib/binary-arm64/Packages.gz
86092179ad14de3750a8a527f8419920154bd761ea7367b9452abe85cfbca03d 179 contrib/binary-arm64/Release

View File

@ -1,14 +1,14 @@
-----BEGIN PGP SIGNATURE----- -----BEGIN PGP SIGNATURE-----
iQGzBAABCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmSMZ38ACgkQZYKNdDzu iQGzBAABCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmTGYysACgkQZYKNdDzu
i2k8JAv7BCf7W0Ok+CG1CYf7mLNNoZ92wgIfApqmokrh6t2Wk3dV7KNW8sZRlCGN i2n05Av7BLT2uiKS9iw8jRsX646HfdXNZ7O+XfdLqJxxyCPjPc8yXPBWILhgQ8wE
FfUfFyqbvYYGkToGIi6LEoGzYSsD2PKHmLWnMMBqkbP7H6cLVjiCs7Xc/RFP1vO5 ZARH05xxhbpl0+mVtLDglKdyWjCRHv1ud7ALI3mPNvB4OL15sBUcI5Zqp0UxYgEH
o5xNYme3iM5Sr9iC0i78cusiGmJmM31TWlE6WrLJCK60SjUQgDvdh1SpVGKyiqyO i/9HztmWRORUN0cCDwxdmgBQ5r4pTjEtRqYn6UwL38UD8v+du1n92AwG+jxwqkMk
dorJxqsDvClIDSoCxAJFz23xBrIChZv9zjP4C0ZDDKtGItTmbEG+zsca2f37mfIS yasMbaxK9b5be888BqToKlSuYyLNE5nHDDaqr2gg7Or1W1HcZJcWiH4u4g4foB9p
2H1J5C0eQ2RGMaVzBSWsfQlAbkMq0TrvStPU4oscuBfXF8Asfxhl0AJIL/c5IGfF zrp9w5soeMWfAXH0PkI2iMsyitk5a8WdoLTwFWHJdS8vFN+doKpR57h7AkJ5wSGm
E8jB7o4ifiuyOuRt73yRDaNjJjzHRw6U8IpUMQ12ep3Va7GcMSvX4pnsFb3mmfA4 H/okDyDjXPzogd5+WjyRrc3xGaL7X84gv3WbbIBeiKP9yThvI5HwcsUTHh0okiyZ
Hb50gin7Ug457FgsmqHjgIWfmbZh0Z5kNjJAToJlOylBp1nKmVurDbVei8O7DeoU /ns6P16JBo/jRwwD6cr+DYMcK7lr0YSRjmUbyBh+B5gdud7f70ySxl/9aqVnClCq
2Xquibucq+QgxuMl0vHHlIPoE5ExS7TpMEV5YmaO9S6E8HEcDapkLE8+D1NQNvKO A2XMl7VBUVPi0p+iKN3pmeu79XWlpnl8IUZTQzTIxY922DD1hG2X0LV28Lxhm/Qh
Im2xnCN2 R0fX5+To
=8V8j =KCYo
-----END PGP SIGNATURE----- -----END PGP SIGNATURE-----

View File

@ -0,0 +1,378 @@
Package: innernet
Version: 1.6.0-0ubuntu0~jammy
Architecture: arm64
Vcs-Browser: https://github.com/tonarino/innernet
Vcs-Git: https://github.com/tonarino/innernet
Homepage: https://github.com/tonarino/innernet
Maintainer: tonari <hey@tonari.no>
Installed-Size: 2841
Depends: systemd, libc6, libgcc1
Recommends: wireguard
Priority: optional
Section: net
Filename: pool/contrib/i/innernet/innernet_1.6.0-0ubuntu0~jammy_arm64.deb
Size: 902852
SHA256: 7bf0f695bc867bb7f6747053a9eab859452a518515f27b0d1e39b266b0e415f5
SHA1: 1ac7265a5385e190f2ae1df9b08e257ec55aa2fe
MD5sum: db11e7151b7f8c2f8b77709612a89a60
Description: A client to manage innernet network interfaces.
innernet client binary for fetching peer information and conducting admin tasks
such as adding a new peer.
Package: innernet-server
Version: 1.6.0-0ubuntu0~jammy
Architecture: arm64
Vcs-Browser: https://github.com/tonarino/innernet
Vcs-Git: https://github.com/tonarino/innernet
Homepage: https://github.com/tonarino/innernet
Maintainer: tonari <hey@tonari.no>
Installed-Size: 3894
Depends: zlib1g, libsqlite3-0, libc6, libgcc1, systemd
Recommends: wireguard
Source: innernet
Priority: optional
Section: net
Filename: pool/contrib/i/innernet-server/innernet-server_1.6.0-0ubuntu0~jammy_arm64.deb
Size: 1354844
SHA256: f04eb9854c2105b3e21304377a3a9667405151d576f7bb5a9c4965123b76d221
SHA1: 06bb485cdafafcc6b82e36a65f601ecc628f6fca
MD5sum: 17b01c31ad740f3d20fcad896eeb67e9
Description: A server to coordinate innernet networks.
# innernet
.
[![Actively
Maintained](https://img.shields.io/badge/Maintenance%20Level-Actively%20Maintained-green.svg)](https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d)
[![MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/tonarino/innernet/blob/master/LICENSE)
.
A private network system that uses [WireGuard](https://wireguard.com) under the
hood. See the [announcement blog
post](https://blog.tonari.no/introducing-innernet) for a longer-winded
explanation.
.
<img
src="https://user-images.githubusercontent.com/373823/118917068-09ae7700-b96b-11eb-80f4-6860072d504d.gif"
width="600" height="370">
.
`innernet` is similar in its goals to Slack's
[nebula](https://github.com/slackhq/nebula) or
[Tailscale](https://tailscale.com/), but takes a bit of a different approach.
It aims to take advantage of existing networking concepts like CIDRs and the
security properties of WireGuard to turn your computer's basic IP networking
into more powerful ACL primitives.
.
`innernet` is not an official WireGuard project, and WireGuard is a registered
trademark of Jason A. Donenfeld.
.
This has not received an independent security audit, and should be considered
experimental software at this early point in its lifetime.
.
## Usage
.
### Server Creation
.
Every `innernet` network needs a coordination server to manage peers and
provide endpoint information so peers can directly connect to each other.
Create a new one with
.
```sh
sudo innernet-server new
```
.
The init wizard will ask you questions about your network and give you some
reasonable defaults. It's good to familiarize yourself with [network
CIDRs](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) as a lot
of innernet's access control is based upon them. As an example, let's say the
root CIDR for this network is `10.60.0.0/16`. Server initialization creates a
special "infra" CIDR which contains the `innernet` server itself and is
reachable from all CIDRs on the network.
.
Next we'll also create a `humans` CIDR where we can start adding some peers.
.
```sh
sudo innernet-server add-cidr <interface>
```
.
For the parent CIDR, you can simply choose your network's root CIDR. The name
will be `humans`, and the CIDR will be `10.60.64.0/24` (not a great example
unless you only want to support 256 humans, but it works for now...).
.
By default, peers which exist in this new CIDR will only be able to contact
peers in the same CIDR, and the special "infra" CIDR which was created when the
server was initialized.
.
A typical workflow for creating a new network is to create an admin peer from
the `innernet-server` CLI, and then continue using that admin peer via the
`innernet` client CLI to add any further peers or network CIDRs.
.
```sh
sudo innernet-server add-peer <interface>
```
.
Select the `humans` CIDR, and the CLI will automatically suggest the next
available IP address. Any name is fine, just answer "yes" when asked if you
would like to make the peer an admin. The process of adding a peer results in
an invitation file. This file contains just enough information for the new peer
to contact the `innernet` server and redeem its invitation. It should be
transferred securely to the new peer, and it can only be used once to
initialize the peer.
.
You can run the server with `innernet-server serve <interface>`, or if you're
on Linux and want to run it via `systemctl`, run `systemctl enable --now
innernet-server@<interface>`. If you're on a home network, don't forget to
configure port forwarding to the `Listen Port` you specified when creating the
`innernet` server.
.
### Peer Initialization
.
Let's assume the invitation file generated in the steps above have been
transferred to the machine a network admin will be using.
.
You can initialize the client with
.
```sh
sudo innernet install /path/to/invitation.toml
```
.
You can customize the network name if you want to, or leave it at the default.
`innernet` will then connect to the `innernet` server via WireGuard, generate a
new key pair, and register that pair with the server. The private key in the
invitation file can no longer be used.
.
If everything was successful, the new peer is on the network. You can run
things like
.
```sh
sudo innernet list
```
.
or
.
```sh
sudo innernet list --tree
```
.
to view the current network and all CIDRs visible to this peer.
.
Since we created an admin peer, we can also add new peers and CIDRs from this
peer via `innernet` instead of having to always run commands on the server.
.
### Adding Associations between CIDRs
.
In order for peers from one CIDR to be able to contact peers in another CIDR,
those two CIDRs must be "associated" with each other.
.
With the admin peer we created above, let's add a new CIDR for some theoretical
CI servers we have.
.
```sh
sudo innernet add-cidr <interface>
```
.
The name is `ci-servers` and the CIDR is `10.60.64.0/24`, but for this example
it can be anything.
.
For now, we want peers in the `humans` CIDR to be able to access peers in the
`ci-servers` CIDR.
.
```sh
sudo innernet add-association <interface>
```
.
The CLI will ask you to select the two CIDRs you want to associate. That's all
it takes to allow peers in two different CIDRs to communicate!
.
You can verify the association with
.
```sh
sudo innernet list-associations <interface>
```
.
and associations can be deleted with
.
```sh
sudo innernet delete-associations <interface>
```
.
### Enabling/Disabling Peers
.
For security reasons, IP addresses cannot be re-used by new peers, and
therefore peers cannot be deleted. However, they can be disabled. Disabled
peers will not show up in the list of peers when fetching the config for an
interface.
.
Disable a peer with
.
```su
sudo innernet disable-peer <interface>
```
.
Or re-enable a peer with
.
```su
sudo innernet enable-peer <interface>
```
.
### Specifying a Manual Endpoint
.
The `innernet` server will try to use the internet endpoint it sees from a peer
so other peers can connect to that peer as well. This doesn't always work and
you may want to set an endpoint explicitly. To set an endpoint, use
.
```sh
sudo innernet override-endpoint <interface>
```
.
You can go back to automatic endpoint discovery with
.
```sh
sudo innernet override-endpoint -u <interface>
```
.
### Setting the Local WireGuard Listen Port
.
If you want to change the port which WireGuard listens on, use
.
```sh
sudo innernet set-listen-port <interface>
```
.
or unset the port and use a randomized port with
.
```sh
sudo innernet set-listen-port -u <interface>
```
.
### Remove Network
.
To permanently uninstall a created network, use
.
```sh
sudo innernet-server uninstall <interface>
```
.
Use with care!
.
## Security recommendations
.
If you're running a service on innernet, there are some important security
considerations.
.
### Enable strict Reverse Path Filtering ([RFC
3704](https://tools.ietf.org/html/rfc3704))
.
Strict RPF prevents packets from _other_ interfaces from having internal source
IP addresses. This is _not_ the default on Linux, even though it is the right
choice for 99.99% of situations. You can enable it by adding the following to a
`/etc/sysctl.d/60-network-security.conf`:
.
```
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
```
.
### Bind to the WireGuard device
.
If possible, to _ensure_ that packets are only ever transmitted over the
WireGuard interface, it's recommended that you use `SO_BINDTODEVICE` on Linux
or `IP_BOUND_IF` on macOS/BSDs. If you have strict reverse path filtering,
though, this is less of a concern.
.
### IP addresses alone often aren't enough authentication
.
Even following all the above precautions, rogue applications on a peer's
machines could be able to make requests on their behalf unless you add extra
layers of authentication to mitigate this CSRF-type vector.
.
It's recommended that you carefully consider this possibility before deciding
that the source IP is sufficient for your authentication needs on a service.
.
## Installation
.
innernet has only officially been tested on Linux and MacOS, but we hope to
support as many platforms as is feasible!
.
### Runtime Dependencies
.
It's assumed that WireGuard is installed on your system, either via the kernel
module in Linux 5.6 and later, or via the
[`wireguard-go`](https://git.zx2c4.com/wireguard-go/about/) userspace
implementation.
.
[WireGuard Installation Instructions](https://www.wireguard.com/install/)
.
### Arch Linux
.
```sh
pacman -S innernet
```
.
### Debian and Ubuntu
.
[**@tommie**](https://github.com/tommie) is kindly providing Debian/Ubuntu
innernet builds in the https://github.com/tommie/innernet-debian repository.
.
### Other Linux Distributions
.
We're looking for volunteers who are able to set up external builds for popular
distributions. Please see issue
[#203](https://github.com/tonarino/innernet/issues/203).
.
### macOS
.
```sh
brew install tonarino/innernet/innernet
```
.
### Cargo
.
```sh
# to install innernet:
cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 client
.
# to install innernet-server:
cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 server
```
.
Note that you'll be responsible for updating manually.
.
## Development
.
### `innernet-server` Build dependencies
.
- `rustc` / `cargo` (version 1.50.0 or higher)
- `libclang` (see more info at
[https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
- `libsqlite3`
.
Build:
.
```sh
cargo build --release --bin innernet-server
```
.
The resulting binary will be located at `./target/release/innernet-server`
.
### `innernet` Client CLI Build dependencies
.
- `rustc` / `cargo` (version 1.50.0 or higher)
- `libclang` (see more info at
[https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
.
Build:
.
```sh
cargo build --release --bin innernet
```
.
The resulting binary will be located at `./target/release/innernet`
.
### Releases
.
Please run the release script from a Linux machine: generated shell completions
depend on available wireguard backends and Mac doesn't support the `kernel`
backend.
.
1. Fetch and check-out the `main` branch.
2. Run `./release.sh [patch|major|minor|rc]`
3. Push the `main` branch and the created tag to the repo.

Binary file not shown.

View File

@ -0,0 +1,5 @@
Component: contrib
Origin: Unofficial Innernet Debian repository
Label: innernet-debian
Architecture: arm64
Description: APT repository for https://github.com/tonarino/innernet/.

View File

@ -0,0 +1,378 @@
Package: innernet
Version: 1.6.0-0ubuntu0~jammy
Architecture: armhf
Vcs-Browser: https://github.com/tonarino/innernet
Vcs-Git: https://github.com/tonarino/innernet
Homepage: https://github.com/tonarino/innernet
Maintainer: tonari <hey@tonari.no>
Installed-Size: 2684
Depends: systemd, libc6, libgcc1
Recommends: wireguard
Priority: optional
Section: net
Filename: pool/contrib/i/innernet/innernet_1.6.0-0ubuntu0~jammy_armhf.deb
Size: 916336
SHA256: 47221ab713613019c4d0f7a8003cb705378ce24336960ddf363a1336bb2522a7
SHA1: affc688405f58e5d652a5b7ea1436fbe87fc4b6c
MD5sum: dc3f5ad622a48fa819ed58b9529a9e2e
Description: A client to manage innernet network interfaces.
innernet client binary for fetching peer information and conducting admin tasks
such as adding a new peer.
Package: innernet-server
Version: 1.6.0-0ubuntu0~jammy
Architecture: armhf
Vcs-Browser: https://github.com/tonarino/innernet
Vcs-Git: https://github.com/tonarino/innernet
Homepage: https://github.com/tonarino/innernet
Maintainer: tonari <hey@tonari.no>
Installed-Size: 3339
Depends: libc6, zlib1g, libgcc1, systemd, libsqlite3-0
Recommends: wireguard
Source: innernet
Priority: optional
Section: net
Filename: pool/contrib/i/innernet-server/innernet-server_1.6.0-0ubuntu0~jammy_armhf.deb
Size: 1340692
SHA256: 09dcc6fe8a55c2889e29a052c39b75075e9a9b2646a3e93325380d3da2534c4e
SHA1: ae4de2b7fab124b4e07b1a16aee328dd60b8fc3c
MD5sum: dbc69bb8a2a2403c2bc7dab402ee04e0
Description: A server to coordinate innernet networks.
# innernet
.
[![Actively
Maintained](https://img.shields.io/badge/Maintenance%20Level-Actively%20Maintained-green.svg)](https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d)
[![MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/tonarino/innernet/blob/master/LICENSE)
.
A private network system that uses [WireGuard](https://wireguard.com) under the
hood. See the [announcement blog
post](https://blog.tonari.no/introducing-innernet) for a longer-winded
explanation.
.
<img
src="https://user-images.githubusercontent.com/373823/118917068-09ae7700-b96b-11eb-80f4-6860072d504d.gif"
width="600" height="370">
.
`innernet` is similar in its goals to Slack's
[nebula](https://github.com/slackhq/nebula) or
[Tailscale](https://tailscale.com/), but takes a bit of a different approach.
It aims to take advantage of existing networking concepts like CIDRs and the
security properties of WireGuard to turn your computer's basic IP networking
into more powerful ACL primitives.
.
`innernet` is not an official WireGuard project, and WireGuard is a registered
trademark of Jason A. Donenfeld.
.
This has not received an independent security audit, and should be considered
experimental software at this early point in its lifetime.
.
## Usage
.
### Server Creation
.
Every `innernet` network needs a coordination server to manage peers and
provide endpoint information so peers can directly connect to each other.
Create a new one with
.
```sh
sudo innernet-server new
```
.
The init wizard will ask you questions about your network and give you some
reasonable defaults. It's good to familiarize yourself with [network
CIDRs](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) as a lot
of innernet's access control is based upon them. As an example, let's say the
root CIDR for this network is `10.60.0.0/16`. Server initialization creates a
special "infra" CIDR which contains the `innernet` server itself and is
reachable from all CIDRs on the network.
.
Next we'll also create a `humans` CIDR where we can start adding some peers.
.
```sh
sudo innernet-server add-cidr <interface>
```
.
For the parent CIDR, you can simply choose your network's root CIDR. The name
will be `humans`, and the CIDR will be `10.60.64.0/24` (not a great example
unless you only want to support 256 humans, but it works for now...).
.
By default, peers which exist in this new CIDR will only be able to contact
peers in the same CIDR, and the special "infra" CIDR which was created when the
server was initialized.
.
A typical workflow for creating a new network is to create an admin peer from
the `innernet-server` CLI, and then continue using that admin peer via the
`innernet` client CLI to add any further peers or network CIDRs.
.
```sh
sudo innernet-server add-peer <interface>
```
.
Select the `humans` CIDR, and the CLI will automatically suggest the next
available IP address. Any name is fine, just answer "yes" when asked if you
would like to make the peer an admin. The process of adding a peer results in
an invitation file. This file contains just enough information for the new peer
to contact the `innernet` server and redeem its invitation. It should be
transferred securely to the new peer, and it can only be used once to
initialize the peer.
.
You can run the server with `innernet-server serve <interface>`, or if you're
on Linux and want to run it via `systemctl`, run `systemctl enable --now
innernet-server@<interface>`. If you're on a home network, don't forget to
configure port forwarding to the `Listen Port` you specified when creating the
`innernet` server.
.
### Peer Initialization
.
Let's assume the invitation file generated in the steps above have been
transferred to the machine a network admin will be using.
.
You can initialize the client with
.
```sh
sudo innernet install /path/to/invitation.toml
```
.
You can customize the network name if you want to, or leave it at the default.
`innernet` will then connect to the `innernet` server via WireGuard, generate a
new key pair, and register that pair with the server. The private key in the
invitation file can no longer be used.
.
If everything was successful, the new peer is on the network. You can run
things like
.
```sh
sudo innernet list
```
.
or
.
```sh
sudo innernet list --tree
```
.
to view the current network and all CIDRs visible to this peer.
.
Since we created an admin peer, we can also add new peers and CIDRs from this
peer via `innernet` instead of having to always run commands on the server.
.
### Adding Associations between CIDRs
.
In order for peers from one CIDR to be able to contact peers in another CIDR,
those two CIDRs must be "associated" with each other.
.
With the admin peer we created above, let's add a new CIDR for some theoretical
CI servers we have.
.
```sh
sudo innernet add-cidr <interface>
```
.
The name is `ci-servers` and the CIDR is `10.60.64.0/24`, but for this example
it can be anything.
.
For now, we want peers in the `humans` CIDR to be able to access peers in the
`ci-servers` CIDR.
.
```sh
sudo innernet add-association <interface>
```
.
The CLI will ask you to select the two CIDRs you want to associate. That's all
it takes to allow peers in two different CIDRs to communicate!
.
You can verify the association with
.
```sh
sudo innernet list-associations <interface>
```
.
and associations can be deleted with
.
```sh
sudo innernet delete-associations <interface>
```
.
### Enabling/Disabling Peers
.
For security reasons, IP addresses cannot be re-used by new peers, and
therefore peers cannot be deleted. However, they can be disabled. Disabled
peers will not show up in the list of peers when fetching the config for an
interface.
.
Disable a peer with
.
```su
sudo innernet disable-peer <interface>
```
.
Or re-enable a peer with
.
```su
sudo innernet enable-peer <interface>
```
.
### Specifying a Manual Endpoint
.
The `innernet` server will try to use the internet endpoint it sees from a peer
so other peers can connect to that peer as well. This doesn't always work and
you may want to set an endpoint explicitly. To set an endpoint, use
.
```sh
sudo innernet override-endpoint <interface>
```
.
You can go back to automatic endpoint discovery with
.
```sh
sudo innernet override-endpoint -u <interface>
```
.
### Setting the Local WireGuard Listen Port
.
If you want to change the port which WireGuard listens on, use
.
```sh
sudo innernet set-listen-port <interface>
```
.
or unset the port and use a randomized port with
.
```sh
sudo innernet set-listen-port -u <interface>
```
.
### Remove Network
.
To permanently uninstall a created network, use
.
```sh
sudo innernet-server uninstall <interface>
```
.
Use with care!
.
## Security recommendations
.
If you're running a service on innernet, there are some important security
considerations.
.
### Enable strict Reverse Path Filtering ([RFC
3704](https://tools.ietf.org/html/rfc3704))
.
Strict RPF prevents packets from _other_ interfaces from having internal source
IP addresses. This is _not_ the default on Linux, even though it is the right
choice for 99.99% of situations. You can enable it by adding the following to a
`/etc/sysctl.d/60-network-security.conf`:
.
```
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
```
.
### Bind to the WireGuard device
.
If possible, to _ensure_ that packets are only ever transmitted over the
WireGuard interface, it's recommended that you use `SO_BINDTODEVICE` on Linux
or `IP_BOUND_IF` on macOS/BSDs. If you have strict reverse path filtering,
though, this is less of a concern.
.
### IP addresses alone often aren't enough authentication
.
Even following all the above precautions, rogue applications on a peer's
machines could be able to make requests on their behalf unless you add extra
layers of authentication to mitigate this CSRF-type vector.
.
It's recommended that you carefully consider this possibility before deciding
that the source IP is sufficient for your authentication needs on a service.
.
## Installation
.
innernet has only officially been tested on Linux and MacOS, but we hope to
support as many platforms as is feasible!
.
### Runtime Dependencies
.
It's assumed that WireGuard is installed on your system, either via the kernel
module in Linux 5.6 and later, or via the
[`wireguard-go`](https://git.zx2c4.com/wireguard-go/about/) userspace
implementation.
.
[WireGuard Installation Instructions](https://www.wireguard.com/install/)
.
### Arch Linux
.
```sh
pacman -S innernet
```
.
### Debian and Ubuntu
.
[**@tommie**](https://github.com/tommie) is kindly providing Debian/Ubuntu
innernet builds in the https://github.com/tommie/innernet-debian repository.
.
### Other Linux Distributions
.
We're looking for volunteers who are able to set up external builds for popular
distributions. Please see issue
[#203](https://github.com/tonarino/innernet/issues/203).
.
### macOS
.
```sh
brew install tonarino/innernet/innernet
```
.
### Cargo
.
```sh
# to install innernet:
cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 client
.
# to install innernet-server:
cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 server
```
.
Note that you'll be responsible for updating manually.
.
## Development
.
### `innernet-server` Build dependencies
.
- `rustc` / `cargo` (version 1.50.0 or higher)
- `libclang` (see more info at
[https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
- `libsqlite3`
.
Build:
.
```sh
cargo build --release --bin innernet-server
```
.
The resulting binary will be located at `./target/release/innernet-server`
.
### `innernet` Client CLI Build dependencies
.
- `rustc` / `cargo` (version 1.50.0 or higher)
- `libclang` (see more info at
[https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
.
Build:
.
```sh
cargo build --release --bin innernet
```
.
The resulting binary will be located at `./target/release/innernet`
.
### Releases
.
Please run the release script from a Linux machine: generated shell completions
depend on available wireguard backends and Mac doesn't support the `kernel`
backend.
.
1. Fetch and check-out the `main` branch.
2. Run `./release.sh [patch|major|minor|rc]`
3. Push the `main` branch and the created tag to the repo.

Binary file not shown.

View File

@ -0,0 +1,5 @@
Component: contrib
Origin: Unofficial Innernet Debian repository
Label: innernet-debian
Architecture: armhf
Description: APT repository for https://github.com/tonarino/innernet/.