Included release tonarino/innernet@v1.6.0 in focal jammy for arm64 armhf.
parent
c4a45291c6
commit
4a3eff3072
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -4,33 +4,51 @@ Hash: SHA512
|
||||||
Origin: Unofficial Innernet Debian repository
|
Origin: Unofficial Innernet Debian repository
|
||||||
Label: innernet-debian
|
Label: innernet-debian
|
||||||
Codename: focal
|
Codename: focal
|
||||||
Date: Thu, 15 Jun 2023 14:35:31 UTC
|
Date: Sun, 30 Jul 2023 13:18:34 UTC
|
||||||
Architectures: amd64
|
Architectures: amd64 armhf arm64
|
||||||
Components: contrib
|
Components: contrib
|
||||||
Description: APT repository for https://github.com/tonarino/innernet/.
|
Description: APT repository for https://github.com/tonarino/innernet/.
|
||||||
MD5Sum:
|
MD5Sum:
|
||||||
09585d6972df6d213e1a2a95a6d7f783 12098 contrib/binary-amd64/Packages
|
09585d6972df6d213e1a2a95a6d7f783 12098 contrib/binary-amd64/Packages
|
||||||
f71f3ea5d0ab6f8e0dad303f04573e81 4799 contrib/binary-amd64/Packages.gz
|
f71f3ea5d0ab6f8e0dad303f04573e81 4799 contrib/binary-amd64/Packages.gz
|
||||||
77dc2b012f45038d5be68f81d464ee44 179 contrib/binary-amd64/Release
|
77dc2b012f45038d5be68f81d464ee44 179 contrib/binary-amd64/Release
|
||||||
|
b1dcfb8ffed93c950262d0d18d93e8db 12097 contrib/binary-armhf/Packages
|
||||||
|
11ffc1ea682429a3cfd051979b9d6dcc 4799 contrib/binary-armhf/Packages.gz
|
||||||
|
2e56331833f644fa9dad5483acc93e55 179 contrib/binary-armhf/Release
|
||||||
|
9e4f28eca65271f15f684a56874f433d 12097 contrib/binary-arm64/Packages
|
||||||
|
edc6e00a474363010d79da0a577dbc64 4803 contrib/binary-arm64/Packages.gz
|
||||||
|
16627cd2b6e090772a75639bb48cd54d 179 contrib/binary-arm64/Release
|
||||||
SHA1:
|
SHA1:
|
||||||
87d9b5312a8e5e99090351a36d09785c02303cf1 12098 contrib/binary-amd64/Packages
|
87d9b5312a8e5e99090351a36d09785c02303cf1 12098 contrib/binary-amd64/Packages
|
||||||
ea7af888161785eae92c690ddf4a3f0cf2f75cc9 4799 contrib/binary-amd64/Packages.gz
|
ea7af888161785eae92c690ddf4a3f0cf2f75cc9 4799 contrib/binary-amd64/Packages.gz
|
||||||
a4f6bbfd6fe4ab5a01909278c4e13b05d6b06f13 179 contrib/binary-amd64/Release
|
a4f6bbfd6fe4ab5a01909278c4e13b05d6b06f13 179 contrib/binary-amd64/Release
|
||||||
|
d0b3431eb3e21ceb02caa9dd63aaf8b2231e3e5e 12097 contrib/binary-armhf/Packages
|
||||||
|
3ff371bef4abda8010bc8ad4b8873acfb8bd220e 4799 contrib/binary-armhf/Packages.gz
|
||||||
|
dbfc90ff9af0819e8b73429a32e4691204b11da7 179 contrib/binary-armhf/Release
|
||||||
|
b8d99778297cbd777821c7162c9146d3f0407b6c 12097 contrib/binary-arm64/Packages
|
||||||
|
2ec88f0de84b12f796712cf8bdd9ae163a5e78d0 4803 contrib/binary-arm64/Packages.gz
|
||||||
|
af10abab9b82b0f8be34be72d478cd7efe4e64b9 179 contrib/binary-arm64/Release
|
||||||
SHA256:
|
SHA256:
|
||||||
ce495f6c9bc1fb23dab42746cf14086dde7f1531922919af49f93708d6f9428c 12098 contrib/binary-amd64/Packages
|
ce495f6c9bc1fb23dab42746cf14086dde7f1531922919af49f93708d6f9428c 12098 contrib/binary-amd64/Packages
|
||||||
466c0a757405ed9c217efb1b5c81f4b722922ee63c462b668a9957f6459a38a9 4799 contrib/binary-amd64/Packages.gz
|
466c0a757405ed9c217efb1b5c81f4b722922ee63c462b668a9957f6459a38a9 4799 contrib/binary-amd64/Packages.gz
|
||||||
67b3f0e511499d8b794eaf1524cea47d2263a1e8e43445c60f311dbef9a50e9c 179 contrib/binary-amd64/Release
|
67b3f0e511499d8b794eaf1524cea47d2263a1e8e43445c60f311dbef9a50e9c 179 contrib/binary-amd64/Release
|
||||||
|
749a6859a1f9859ad9963b7f1d2ea665adf505d4e9457cad997600e26e3c2112 12097 contrib/binary-armhf/Packages
|
||||||
|
5ee9f26a09e21a87dfdb376fa3a6098a61b4fb7056d0957f56b6f43a84f65e25 4799 contrib/binary-armhf/Packages.gz
|
||||||
|
ce7a57575ec61bf1af16351e2366f7114f6ad78e035696abaaac42f80dd8f425 179 contrib/binary-armhf/Release
|
||||||
|
24f6c2047566e4e6921badbbd7d9a6fe47e59acea3b932a1143bfb1783e63e84 12097 contrib/binary-arm64/Packages
|
||||||
|
e7bc836e26a4d99973dc79ba64ebd6f62dc3e385685bb1963e111466f5205a26 4803 contrib/binary-arm64/Packages.gz
|
||||||
|
86092179ad14de3750a8a527f8419920154bd761ea7367b9452abe85cfbca03d 179 contrib/binary-arm64/Release
|
||||||
-----BEGIN PGP SIGNATURE-----
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
iQGzBAEBCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmSLIbQACgkQZYKNdDzu
|
iQGzBAEBCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmTGYysACgkQZYKNdDzu
|
||||||
i2mZRQv/SFGNKO418HsrtqKpXl6YYyO5btE9s99uVLUIwm5du7IaqakYaoeLNUBy
|
i2nJWgwAlGrzcAQsvZvsCaQjbWBndiJDtndfj8BQyRORCbbdEQ0pej2KOj7X+BIJ
|
||||||
grDFLA4e8eQlzEPJfURHql8lIncbTv8pI+34tGr3sigv0d6TgGaaHYNyuTzFWOnw
|
/u7fKHLBKQ/oHZ/t7Bijv5z0MG3n1oG1AK0vAwMFr0t8yJQzl6DuwqQrTgeIsAQ5
|
||||||
j9fOUfr6D0ARRDiKTb19/M/0OFx7boYYTbO9ciNhTvWQ1hA+WS5k4JCH7b8ZYAbT
|
3kHoqbxDuFLUssNUcHsl3yWMULHOb8pteavSfjf7YZiBXmr2qhN+OEV69oHlOPju
|
||||||
CqJ4sKDzSdE5O/TyznAB8PAf7MuyLD1RgqLJsr6ORME7EjVbUSVA8Oo8TFRL5Qe4
|
UkTPvBTYlt4OPoESLMxk61O1YWB42Y5NpVzx2q6oft5d/D3OzND2SgTrGCQDvWYJ
|
||||||
gyjwUSzQ5immV6yxr473eMY7ilGv89VdZkDxMpYkyIlxAitiQbHRRFeQamgkic2J
|
55EkN9ddV3hGMqTr216vcq3k0DpHCcUhAd0L2tlyVDnf01mdj9YqtflZM2XfxQ1e
|
||||||
1xVQUBDp4iMP4QYaGSO2yz6wqdtU8hGT1yxnjga/+tKWfesSLqKiIOiUnNT0+0u3
|
jdDcvHh9BqDlEG2mODtTpQY6aOuNdKX5sx61Vblf7QiQDQMDI0dg7wsco/KiftcT
|
||||||
ZlTCDveotoZmjYOU6fk+q5WHofPPOL+kz+gcjMi4Wohe/+cs5NaceNTX84WVCim5
|
5QGvOGv2dehlJggMEXxF0B6cLzduwSu2O5OlbFUVqvUhXV+5RKSuiV3g+1g4BonS
|
||||||
zjNrfIOUkA3Bs15vfs4lbOHBOydr0LEv+pIC84LUmVc5JUPoO6HNNYTcANpW3rko
|
faL1bLlMI5iIpO9qJCPvqrVepbRl1bYz7sMIdeVYTGWdcV7MdnZ8RJynIuhlItCk
|
||||||
MqOARofn
|
oI2X+qhm
|
||||||
=Y37W
|
=RQGT
|
||||||
-----END PGP SIGNATURE-----
|
-----END PGP SIGNATURE-----
|
||||||
|
|
|
@ -1,19 +1,37 @@
|
||||||
Origin: Unofficial Innernet Debian repository
|
Origin: Unofficial Innernet Debian repository
|
||||||
Label: innernet-debian
|
Label: innernet-debian
|
||||||
Codename: focal
|
Codename: focal
|
||||||
Date: Thu, 15 Jun 2023 14:35:31 UTC
|
Date: Sun, 30 Jul 2023 13:18:34 UTC
|
||||||
Architectures: amd64
|
Architectures: amd64 armhf arm64
|
||||||
Components: contrib
|
Components: contrib
|
||||||
Description: APT repository for https://github.com/tonarino/innernet/.
|
Description: APT repository for https://github.com/tonarino/innernet/.
|
||||||
MD5Sum:
|
MD5Sum:
|
||||||
09585d6972df6d213e1a2a95a6d7f783 12098 contrib/binary-amd64/Packages
|
09585d6972df6d213e1a2a95a6d7f783 12098 contrib/binary-amd64/Packages
|
||||||
f71f3ea5d0ab6f8e0dad303f04573e81 4799 contrib/binary-amd64/Packages.gz
|
f71f3ea5d0ab6f8e0dad303f04573e81 4799 contrib/binary-amd64/Packages.gz
|
||||||
77dc2b012f45038d5be68f81d464ee44 179 contrib/binary-amd64/Release
|
77dc2b012f45038d5be68f81d464ee44 179 contrib/binary-amd64/Release
|
||||||
|
b1dcfb8ffed93c950262d0d18d93e8db 12097 contrib/binary-armhf/Packages
|
||||||
|
11ffc1ea682429a3cfd051979b9d6dcc 4799 contrib/binary-armhf/Packages.gz
|
||||||
|
2e56331833f644fa9dad5483acc93e55 179 contrib/binary-armhf/Release
|
||||||
|
9e4f28eca65271f15f684a56874f433d 12097 contrib/binary-arm64/Packages
|
||||||
|
edc6e00a474363010d79da0a577dbc64 4803 contrib/binary-arm64/Packages.gz
|
||||||
|
16627cd2b6e090772a75639bb48cd54d 179 contrib/binary-arm64/Release
|
||||||
SHA1:
|
SHA1:
|
||||||
87d9b5312a8e5e99090351a36d09785c02303cf1 12098 contrib/binary-amd64/Packages
|
87d9b5312a8e5e99090351a36d09785c02303cf1 12098 contrib/binary-amd64/Packages
|
||||||
ea7af888161785eae92c690ddf4a3f0cf2f75cc9 4799 contrib/binary-amd64/Packages.gz
|
ea7af888161785eae92c690ddf4a3f0cf2f75cc9 4799 contrib/binary-amd64/Packages.gz
|
||||||
a4f6bbfd6fe4ab5a01909278c4e13b05d6b06f13 179 contrib/binary-amd64/Release
|
a4f6bbfd6fe4ab5a01909278c4e13b05d6b06f13 179 contrib/binary-amd64/Release
|
||||||
|
d0b3431eb3e21ceb02caa9dd63aaf8b2231e3e5e 12097 contrib/binary-armhf/Packages
|
||||||
|
3ff371bef4abda8010bc8ad4b8873acfb8bd220e 4799 contrib/binary-armhf/Packages.gz
|
||||||
|
dbfc90ff9af0819e8b73429a32e4691204b11da7 179 contrib/binary-armhf/Release
|
||||||
|
b8d99778297cbd777821c7162c9146d3f0407b6c 12097 contrib/binary-arm64/Packages
|
||||||
|
2ec88f0de84b12f796712cf8bdd9ae163a5e78d0 4803 contrib/binary-arm64/Packages.gz
|
||||||
|
af10abab9b82b0f8be34be72d478cd7efe4e64b9 179 contrib/binary-arm64/Release
|
||||||
SHA256:
|
SHA256:
|
||||||
ce495f6c9bc1fb23dab42746cf14086dde7f1531922919af49f93708d6f9428c 12098 contrib/binary-amd64/Packages
|
ce495f6c9bc1fb23dab42746cf14086dde7f1531922919af49f93708d6f9428c 12098 contrib/binary-amd64/Packages
|
||||||
466c0a757405ed9c217efb1b5c81f4b722922ee63c462b668a9957f6459a38a9 4799 contrib/binary-amd64/Packages.gz
|
466c0a757405ed9c217efb1b5c81f4b722922ee63c462b668a9957f6459a38a9 4799 contrib/binary-amd64/Packages.gz
|
||||||
67b3f0e511499d8b794eaf1524cea47d2263a1e8e43445c60f311dbef9a50e9c 179 contrib/binary-amd64/Release
|
67b3f0e511499d8b794eaf1524cea47d2263a1e8e43445c60f311dbef9a50e9c 179 contrib/binary-amd64/Release
|
||||||
|
749a6859a1f9859ad9963b7f1d2ea665adf505d4e9457cad997600e26e3c2112 12097 contrib/binary-armhf/Packages
|
||||||
|
5ee9f26a09e21a87dfdb376fa3a6098a61b4fb7056d0957f56b6f43a84f65e25 4799 contrib/binary-armhf/Packages.gz
|
||||||
|
ce7a57575ec61bf1af16351e2366f7114f6ad78e035696abaaac42f80dd8f425 179 contrib/binary-armhf/Release
|
||||||
|
24f6c2047566e4e6921badbbd7d9a6fe47e59acea3b932a1143bfb1783e63e84 12097 contrib/binary-arm64/Packages
|
||||||
|
e7bc836e26a4d99973dc79ba64ebd6f62dc3e385685bb1963e111466f5205a26 4803 contrib/binary-arm64/Packages.gz
|
||||||
|
86092179ad14de3750a8a527f8419920154bd761ea7367b9452abe85cfbca03d 179 contrib/binary-arm64/Release
|
||||||
|
|
|
@ -1,14 +1,14 @@
|
||||||
-----BEGIN PGP SIGNATURE-----
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
iQGzBAABCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmSLIbMACgkQZYKNdDzu
|
iQGzBAABCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmTGYyoACgkQZYKNdDzu
|
||||||
i2kUyQv8D9dnijsB3JR1kyTufLtncukYje8AgOHS4HTqZIrUeS2hTrdf00llvPiy
|
i2lPdQv8DmSn+7u1+uudvM8K1fU9ShDGeZYtbyC2WhmX1OrI+aq8RQYO2qw6HVcj
|
||||||
METLUrckiwzVWF+9bK/ZWK3rlWPQ6i8ulqUHU7Ec9dfXqYzeesG8DI3jn3ICUfLM
|
Sk+MuN2m1FxDV85mcCWA/VKzRcfiBn3Yybyzn75Pbeyl5TgRnHu9FKET5VSYH7gy
|
||||||
+oqpRyYXW7jXJNJDJafLSYzd/K+CfmlItNMSsbR2k52GoxA52R/vRlDtrCmb7TjM
|
9ulqONG18nZbshdS57GUwoxjlT2HVwjOLvQ7IKvX88DTKXQzkc7eiiZ3FCgOhX64
|
||||||
DhnXBzUfYLGAq+XBhM5QQnb6Ine6Evjg0Y1pU0wDcU9kJ1iJ7fDFFHJI2vN3P3qS
|
ocGxIB4x6P6q2pCsEGhPGqdjUcYUGe98udxDlhQ99+EgtgtiCCowGtx6gqMuXj1g
|
||||||
43TRULqTGjGsZ2mL3kNj0NmXggUd2d4xx7KnftWNBSJ9LxsJ+KgGybswHt3x01sy
|
0FOycQlxhpGSPDQ+TW0vsIAauI3gERrqRPh+ZZbg2o7dQPyDYaXUXCeewpD5VqA1
|
||||||
tQaofImFeWpBhUJO5A3IWAWmMQtKmmUY77+WL7rSKKTo4HGvauyPBEG0EH6qvOE7
|
Gkv0oYRf+SRB215+tewJWTiwAS/Bxh6uxx/bNBk0kcYB3Sc9d6c5GSo78SXuNra1
|
||||||
NBWEDPyn+8CSAYh8VkpjwEJVBNA4rMAkyuRrLmTCPIx9FZRGRG60l7RGuhmCAoHt
|
CHhtFUEKDNMG5aJet0gZBHDEwWl+4mCQsoGc+KzRTPfCgU02SvED75eaAt0pxHMa
|
||||||
mJig5Dskkd/sDGsxJVq1uDMGV3QDstAlHQG30tBZAJ8m61Ca5RrlN4sCi7Vm9urC
|
UjlYKGboA+Zg3FsNxGGRUVjQEAt1Semo4xLI2e/D3J7klxncMFvehzuoro9VV0ab
|
||||||
tSzDD7zd
|
3SLqGF5l
|
||||||
=Fv/e
|
=DsOy
|
||||||
-----END PGP SIGNATURE-----
|
-----END PGP SIGNATURE-----
|
||||||
|
|
|
@ -0,0 +1,378 @@
|
||||||
|
Package: innernet
|
||||||
|
Version: 1.6.0-0ubuntu0~focal
|
||||||
|
Architecture: arm64
|
||||||
|
Vcs-Browser: https://github.com/tonarino/innernet
|
||||||
|
Vcs-Git: https://github.com/tonarino/innernet
|
||||||
|
Homepage: https://github.com/tonarino/innernet
|
||||||
|
Maintainer: tonari <hey@tonari.no>
|
||||||
|
Installed-Size: 2841
|
||||||
|
Depends: libgcc1, systemd, libc6
|
||||||
|
Recommends: wireguard
|
||||||
|
Priority: optional
|
||||||
|
Section: net
|
||||||
|
Filename: pool/contrib/i/innernet/innernet_1.6.0-0ubuntu0~focal_arm64.deb
|
||||||
|
Size: 903012
|
||||||
|
SHA256: d71dd1ea107dea559f8d15c01ae9d58761ba4afee3a9bc7a4c7112e824ce4ab3
|
||||||
|
SHA1: 0139401fd3f08b403fc2a15f3a331c60ff24e570
|
||||||
|
MD5sum: f85aeb8aa51538811ff2238914c4a1ab
|
||||||
|
Description: A client to manage innernet network interfaces.
|
||||||
|
innernet client binary for fetching peer information and conducting admin tasks
|
||||||
|
such as adding a new peer.
|
||||||
|
|
||||||
|
Package: innernet-server
|
||||||
|
Version: 1.6.0-0ubuntu0~focal
|
||||||
|
Architecture: arm64
|
||||||
|
Vcs-Browser: https://github.com/tonarino/innernet
|
||||||
|
Vcs-Git: https://github.com/tonarino/innernet
|
||||||
|
Homepage: https://github.com/tonarino/innernet
|
||||||
|
Maintainer: tonari <hey@tonari.no>
|
||||||
|
Installed-Size: 3886
|
||||||
|
Depends: libc6, libgcc1, zlib1g, systemd, libsqlite3-0
|
||||||
|
Recommends: wireguard
|
||||||
|
Source: innernet
|
||||||
|
Priority: optional
|
||||||
|
Section: net
|
||||||
|
Filename: pool/contrib/i/innernet-server/innernet-server_1.6.0-0ubuntu0~focal_arm64.deb
|
||||||
|
Size: 1355084
|
||||||
|
SHA256: 46e22e21dcff4538ba143c5e32077983816b9c1d6ff7b856255e59df86023048
|
||||||
|
SHA1: 8860342c49b89fa9238bd9ba7abed1d2afa63b54
|
||||||
|
MD5sum: 43de229d49d6134e0801e6338009cf86
|
||||||
|
Description: A server to coordinate innernet networks.
|
||||||
|
# innernet
|
||||||
|
.
|
||||||
|
[![Actively
|
||||||
|
Maintained](https://img.shields.io/badge/Maintenance%20Level-Actively%20Maintained-green.svg)](https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d)
|
||||||
|
[![MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/tonarino/innernet/blob/master/LICENSE)
|
||||||
|
.
|
||||||
|
A private network system that uses [WireGuard](https://wireguard.com) under the
|
||||||
|
hood. See the [announcement blog
|
||||||
|
post](https://blog.tonari.no/introducing-innernet) for a longer-winded
|
||||||
|
explanation.
|
||||||
|
.
|
||||||
|
<img
|
||||||
|
src="https://user-images.githubusercontent.com/373823/118917068-09ae7700-b96b-11eb-80f4-6860072d504d.gif"
|
||||||
|
width="600" height="370">
|
||||||
|
.
|
||||||
|
`innernet` is similar in its goals to Slack's
|
||||||
|
[nebula](https://github.com/slackhq/nebula) or
|
||||||
|
[Tailscale](https://tailscale.com/), but takes a bit of a different approach.
|
||||||
|
It aims to take advantage of existing networking concepts like CIDRs and the
|
||||||
|
security properties of WireGuard to turn your computer's basic IP networking
|
||||||
|
into more powerful ACL primitives.
|
||||||
|
.
|
||||||
|
`innernet` is not an official WireGuard project, and WireGuard is a registered
|
||||||
|
trademark of Jason A. Donenfeld.
|
||||||
|
.
|
||||||
|
This has not received an independent security audit, and should be considered
|
||||||
|
experimental software at this early point in its lifetime.
|
||||||
|
.
|
||||||
|
## Usage
|
||||||
|
.
|
||||||
|
### Server Creation
|
||||||
|
.
|
||||||
|
Every `innernet` network needs a coordination server to manage peers and
|
||||||
|
provide endpoint information so peers can directly connect to each other.
|
||||||
|
Create a new one with
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet-server new
|
||||||
|
```
|
||||||
|
.
|
||||||
|
The init wizard will ask you questions about your network and give you some
|
||||||
|
reasonable defaults. It's good to familiarize yourself with [network
|
||||||
|
CIDRs](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) as a lot
|
||||||
|
of innernet's access control is based upon them. As an example, let's say the
|
||||||
|
root CIDR for this network is `10.60.0.0/16`. Server initialization creates a
|
||||||
|
special "infra" CIDR which contains the `innernet` server itself and is
|
||||||
|
reachable from all CIDRs on the network.
|
||||||
|
.
|
||||||
|
Next we'll also create a `humans` CIDR where we can start adding some peers.
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet-server add-cidr <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
For the parent CIDR, you can simply choose your network's root CIDR. The name
|
||||||
|
will be `humans`, and the CIDR will be `10.60.64.0/24` (not a great example
|
||||||
|
unless you only want to support 256 humans, but it works for now...).
|
||||||
|
.
|
||||||
|
By default, peers which exist in this new CIDR will only be able to contact
|
||||||
|
peers in the same CIDR, and the special "infra" CIDR which was created when the
|
||||||
|
server was initialized.
|
||||||
|
.
|
||||||
|
A typical workflow for creating a new network is to create an admin peer from
|
||||||
|
the `innernet-server` CLI, and then continue using that admin peer via the
|
||||||
|
`innernet` client CLI to add any further peers or network CIDRs.
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet-server add-peer <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
Select the `humans` CIDR, and the CLI will automatically suggest the next
|
||||||
|
available IP address. Any name is fine, just answer "yes" when asked if you
|
||||||
|
would like to make the peer an admin. The process of adding a peer results in
|
||||||
|
an invitation file. This file contains just enough information for the new peer
|
||||||
|
to contact the `innernet` server and redeem its invitation. It should be
|
||||||
|
transferred securely to the new peer, and it can only be used once to
|
||||||
|
initialize the peer.
|
||||||
|
.
|
||||||
|
You can run the server with `innernet-server serve <interface>`, or if you're
|
||||||
|
on Linux and want to run it via `systemctl`, run `systemctl enable --now
|
||||||
|
innernet-server@<interface>`. If you're on a home network, don't forget to
|
||||||
|
configure port forwarding to the `Listen Port` you specified when creating the
|
||||||
|
`innernet` server.
|
||||||
|
.
|
||||||
|
### Peer Initialization
|
||||||
|
.
|
||||||
|
Let's assume the invitation file generated in the steps above have been
|
||||||
|
transferred to the machine a network admin will be using.
|
||||||
|
.
|
||||||
|
You can initialize the client with
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet install /path/to/invitation.toml
|
||||||
|
```
|
||||||
|
.
|
||||||
|
You can customize the network name if you want to, or leave it at the default.
|
||||||
|
`innernet` will then connect to the `innernet` server via WireGuard, generate a
|
||||||
|
new key pair, and register that pair with the server. The private key in the
|
||||||
|
invitation file can no longer be used.
|
||||||
|
.
|
||||||
|
If everything was successful, the new peer is on the network. You can run
|
||||||
|
things like
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet list
|
||||||
|
```
|
||||||
|
.
|
||||||
|
or
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet list --tree
|
||||||
|
```
|
||||||
|
.
|
||||||
|
to view the current network and all CIDRs visible to this peer.
|
||||||
|
.
|
||||||
|
Since we created an admin peer, we can also add new peers and CIDRs from this
|
||||||
|
peer via `innernet` instead of having to always run commands on the server.
|
||||||
|
.
|
||||||
|
### Adding Associations between CIDRs
|
||||||
|
.
|
||||||
|
In order for peers from one CIDR to be able to contact peers in another CIDR,
|
||||||
|
those two CIDRs must be "associated" with each other.
|
||||||
|
.
|
||||||
|
With the admin peer we created above, let's add a new CIDR for some theoretical
|
||||||
|
CI servers we have.
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet add-cidr <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
The name is `ci-servers` and the CIDR is `10.60.64.0/24`, but for this example
|
||||||
|
it can be anything.
|
||||||
|
.
|
||||||
|
For now, we want peers in the `humans` CIDR to be able to access peers in the
|
||||||
|
`ci-servers` CIDR.
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet add-association <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
The CLI will ask you to select the two CIDRs you want to associate. That's all
|
||||||
|
it takes to allow peers in two different CIDRs to communicate!
|
||||||
|
.
|
||||||
|
You can verify the association with
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet list-associations <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
and associations can be deleted with
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet delete-associations <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
### Enabling/Disabling Peers
|
||||||
|
.
|
||||||
|
For security reasons, IP addresses cannot be re-used by new peers, and
|
||||||
|
therefore peers cannot be deleted. However, they can be disabled. Disabled
|
||||||
|
peers will not show up in the list of peers when fetching the config for an
|
||||||
|
interface.
|
||||||
|
.
|
||||||
|
Disable a peer with
|
||||||
|
.
|
||||||
|
```su
|
||||||
|
sudo innernet disable-peer <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
Or re-enable a peer with
|
||||||
|
.
|
||||||
|
```su
|
||||||
|
sudo innernet enable-peer <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
### Specifying a Manual Endpoint
|
||||||
|
.
|
||||||
|
The `innernet` server will try to use the internet endpoint it sees from a peer
|
||||||
|
so other peers can connect to that peer as well. This doesn't always work and
|
||||||
|
you may want to set an endpoint explicitly. To set an endpoint, use
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet override-endpoint <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
You can go back to automatic endpoint discovery with
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet override-endpoint -u <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
### Setting the Local WireGuard Listen Port
|
||||||
|
.
|
||||||
|
If you want to change the port which WireGuard listens on, use
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet set-listen-port <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
or unset the port and use a randomized port with
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet set-listen-port -u <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
### Remove Network
|
||||||
|
.
|
||||||
|
To permanently uninstall a created network, use
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet-server uninstall <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
Use with care!
|
||||||
|
.
|
||||||
|
## Security recommendations
|
||||||
|
.
|
||||||
|
If you're running a service on innernet, there are some important security
|
||||||
|
considerations.
|
||||||
|
.
|
||||||
|
### Enable strict Reverse Path Filtering ([RFC
|
||||||
|
3704](https://tools.ietf.org/html/rfc3704))
|
||||||
|
.
|
||||||
|
Strict RPF prevents packets from _other_ interfaces from having internal source
|
||||||
|
IP addresses. This is _not_ the default on Linux, even though it is the right
|
||||||
|
choice for 99.99% of situations. You can enable it by adding the following to a
|
||||||
|
`/etc/sysctl.d/60-network-security.conf`:
|
||||||
|
.
|
||||||
|
```
|
||||||
|
net.ipv4.conf.all.rp_filter=1
|
||||||
|
net.ipv4.conf.default.rp_filter=1
|
||||||
|
```
|
||||||
|
.
|
||||||
|
### Bind to the WireGuard device
|
||||||
|
.
|
||||||
|
If possible, to _ensure_ that packets are only ever transmitted over the
|
||||||
|
WireGuard interface, it's recommended that you use `SO_BINDTODEVICE` on Linux
|
||||||
|
or `IP_BOUND_IF` on macOS/BSDs. If you have strict reverse path filtering,
|
||||||
|
though, this is less of a concern.
|
||||||
|
.
|
||||||
|
### IP addresses alone often aren't enough authentication
|
||||||
|
.
|
||||||
|
Even following all the above precautions, rogue applications on a peer's
|
||||||
|
machines could be able to make requests on their behalf unless you add extra
|
||||||
|
layers of authentication to mitigate this CSRF-type vector.
|
||||||
|
.
|
||||||
|
It's recommended that you carefully consider this possibility before deciding
|
||||||
|
that the source IP is sufficient for your authentication needs on a service.
|
||||||
|
.
|
||||||
|
## Installation
|
||||||
|
.
|
||||||
|
innernet has only officially been tested on Linux and MacOS, but we hope to
|
||||||
|
support as many platforms as is feasible!
|
||||||
|
.
|
||||||
|
### Runtime Dependencies
|
||||||
|
.
|
||||||
|
It's assumed that WireGuard is installed on your system, either via the kernel
|
||||||
|
module in Linux 5.6 and later, or via the
|
||||||
|
[`wireguard-go`](https://git.zx2c4.com/wireguard-go/about/) userspace
|
||||||
|
implementation.
|
||||||
|
.
|
||||||
|
[WireGuard Installation Instructions](https://www.wireguard.com/install/)
|
||||||
|
.
|
||||||
|
### Arch Linux
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
pacman -S innernet
|
||||||
|
```
|
||||||
|
.
|
||||||
|
### Debian and Ubuntu
|
||||||
|
.
|
||||||
|
[**@tommie**](https://github.com/tommie) is kindly providing Debian/Ubuntu
|
||||||
|
innernet builds in the https://github.com/tommie/innernet-debian repository.
|
||||||
|
.
|
||||||
|
### Other Linux Distributions
|
||||||
|
.
|
||||||
|
We're looking for volunteers who are able to set up external builds for popular
|
||||||
|
distributions. Please see issue
|
||||||
|
[#203](https://github.com/tonarino/innernet/issues/203).
|
||||||
|
.
|
||||||
|
### macOS
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
brew install tonarino/innernet/innernet
|
||||||
|
```
|
||||||
|
.
|
||||||
|
### Cargo
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
# to install innernet:
|
||||||
|
cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 client
|
||||||
|
.
|
||||||
|
# to install innernet-server:
|
||||||
|
cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 server
|
||||||
|
```
|
||||||
|
.
|
||||||
|
Note that you'll be responsible for updating manually.
|
||||||
|
.
|
||||||
|
## Development
|
||||||
|
.
|
||||||
|
### `innernet-server` Build dependencies
|
||||||
|
.
|
||||||
|
- `rustc` / `cargo` (version 1.50.0 or higher)
|
||||||
|
- `libclang` (see more info at
|
||||||
|
[https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
|
||||||
|
- `libsqlite3`
|
||||||
|
.
|
||||||
|
Build:
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
cargo build --release --bin innernet-server
|
||||||
|
```
|
||||||
|
.
|
||||||
|
The resulting binary will be located at `./target/release/innernet-server`
|
||||||
|
.
|
||||||
|
### `innernet` Client CLI Build dependencies
|
||||||
|
.
|
||||||
|
- `rustc` / `cargo` (version 1.50.0 or higher)
|
||||||
|
- `libclang` (see more info at
|
||||||
|
[https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
|
||||||
|
.
|
||||||
|
Build:
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
cargo build --release --bin innernet
|
||||||
|
```
|
||||||
|
.
|
||||||
|
The resulting binary will be located at `./target/release/innernet`
|
||||||
|
.
|
||||||
|
### Releases
|
||||||
|
.
|
||||||
|
Please run the release script from a Linux machine: generated shell completions
|
||||||
|
depend on available wireguard backends and Mac doesn't support the `kernel`
|
||||||
|
backend.
|
||||||
|
.
|
||||||
|
1. Fetch and check-out the `main` branch.
|
||||||
|
2. Run `./release.sh [patch|major|minor|rc]`
|
||||||
|
3. Push the `main` branch and the created tag to the repo.
|
||||||
|
|
Binary file not shown.
|
@ -0,0 +1,5 @@
|
||||||
|
Component: contrib
|
||||||
|
Origin: Unofficial Innernet Debian repository
|
||||||
|
Label: innernet-debian
|
||||||
|
Architecture: arm64
|
||||||
|
Description: APT repository for https://github.com/tonarino/innernet/.
|
|
@ -0,0 +1,378 @@
|
||||||
|
Package: innernet
|
||||||
|
Version: 1.6.0-0ubuntu0~focal
|
||||||
|
Architecture: armhf
|
||||||
|
Vcs-Browser: https://github.com/tonarino/innernet
|
||||||
|
Vcs-Git: https://github.com/tonarino/innernet
|
||||||
|
Homepage: https://github.com/tonarino/innernet
|
||||||
|
Maintainer: tonari <hey@tonari.no>
|
||||||
|
Installed-Size: 2684
|
||||||
|
Depends: libgcc1, libc6, systemd
|
||||||
|
Recommends: wireguard
|
||||||
|
Priority: optional
|
||||||
|
Section: net
|
||||||
|
Filename: pool/contrib/i/innernet/innernet_1.6.0-0ubuntu0~focal_armhf.deb
|
||||||
|
Size: 916708
|
||||||
|
SHA256: 5a659fba5e5410ea9cb5591753075fcc040c92386e3e6382efacd43583e2c782
|
||||||
|
SHA1: 03ac24914abd80fcaee5d0dacd77c2b4aebfd08c
|
||||||
|
MD5sum: b0c21e227ed3ca35815137d941035b1f
|
||||||
|
Description: A client to manage innernet network interfaces.
|
||||||
|
innernet client binary for fetching peer information and conducting admin tasks
|
||||||
|
such as adding a new peer.
|
||||||
|
|
||||||
|
Package: innernet-server
|
||||||
|
Version: 1.6.0-0ubuntu0~focal
|
||||||
|
Architecture: armhf
|
||||||
|
Vcs-Browser: https://github.com/tonarino/innernet
|
||||||
|
Vcs-Git: https://github.com/tonarino/innernet
|
||||||
|
Homepage: https://github.com/tonarino/innernet
|
||||||
|
Maintainer: tonari <hey@tonari.no>
|
||||||
|
Installed-Size: 3343
|
||||||
|
Depends: libgcc1, zlib1g, libc6, libsqlite3-0, systemd
|
||||||
|
Recommends: wireguard
|
||||||
|
Source: innernet
|
||||||
|
Priority: optional
|
||||||
|
Section: net
|
||||||
|
Filename: pool/contrib/i/innernet-server/innernet-server_1.6.0-0ubuntu0~focal_armhf.deb
|
||||||
|
Size: 1337176
|
||||||
|
SHA256: 429c6cbf976e82910bd9be68b772a9264f680ea051c1850074a25e39e6d03059
|
||||||
|
SHA1: d97a2f0ae144af2a67dc6dc9df547fc0b61d3058
|
||||||
|
MD5sum: 105818d65bcc4e3ffbb3feb7dab0867c
|
||||||
|
Description: A server to coordinate innernet networks.
|
||||||
|
# innernet
|
||||||
|
.
|
||||||
|
[![Actively
|
||||||
|
Maintained](https://img.shields.io/badge/Maintenance%20Level-Actively%20Maintained-green.svg)](https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d)
|
||||||
|
[![MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/tonarino/innernet/blob/master/LICENSE)
|
||||||
|
.
|
||||||
|
A private network system that uses [WireGuard](https://wireguard.com) under the
|
||||||
|
hood. See the [announcement blog
|
||||||
|
post](https://blog.tonari.no/introducing-innernet) for a longer-winded
|
||||||
|
explanation.
|
||||||
|
.
|
||||||
|
<img
|
||||||
|
src="https://user-images.githubusercontent.com/373823/118917068-09ae7700-b96b-11eb-80f4-6860072d504d.gif"
|
||||||
|
width="600" height="370">
|
||||||
|
.
|
||||||
|
`innernet` is similar in its goals to Slack's
|
||||||
|
[nebula](https://github.com/slackhq/nebula) or
|
||||||
|
[Tailscale](https://tailscale.com/), but takes a bit of a different approach.
|
||||||
|
It aims to take advantage of existing networking concepts like CIDRs and the
|
||||||
|
security properties of WireGuard to turn your computer's basic IP networking
|
||||||
|
into more powerful ACL primitives.
|
||||||
|
.
|
||||||
|
`innernet` is not an official WireGuard project, and WireGuard is a registered
|
||||||
|
trademark of Jason A. Donenfeld.
|
||||||
|
.
|
||||||
|
This has not received an independent security audit, and should be considered
|
||||||
|
experimental software at this early point in its lifetime.
|
||||||
|
.
|
||||||
|
## Usage
|
||||||
|
.
|
||||||
|
### Server Creation
|
||||||
|
.
|
||||||
|
Every `innernet` network needs a coordination server to manage peers and
|
||||||
|
provide endpoint information so peers can directly connect to each other.
|
||||||
|
Create a new one with
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet-server new
|
||||||
|
```
|
||||||
|
.
|
||||||
|
The init wizard will ask you questions about your network and give you some
|
||||||
|
reasonable defaults. It's good to familiarize yourself with [network
|
||||||
|
CIDRs](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) as a lot
|
||||||
|
of innernet's access control is based upon them. As an example, let's say the
|
||||||
|
root CIDR for this network is `10.60.0.0/16`. Server initialization creates a
|
||||||
|
special "infra" CIDR which contains the `innernet` server itself and is
|
||||||
|
reachable from all CIDRs on the network.
|
||||||
|
.
|
||||||
|
Next we'll also create a `humans` CIDR where we can start adding some peers.
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet-server add-cidr <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
For the parent CIDR, you can simply choose your network's root CIDR. The name
|
||||||
|
will be `humans`, and the CIDR will be `10.60.64.0/24` (not a great example
|
||||||
|
unless you only want to support 256 humans, but it works for now...).
|
||||||
|
.
|
||||||
|
By default, peers which exist in this new CIDR will only be able to contact
|
||||||
|
peers in the same CIDR, and the special "infra" CIDR which was created when the
|
||||||
|
server was initialized.
|
||||||
|
.
|
||||||
|
A typical workflow for creating a new network is to create an admin peer from
|
||||||
|
the `innernet-server` CLI, and then continue using that admin peer via the
|
||||||
|
`innernet` client CLI to add any further peers or network CIDRs.
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet-server add-peer <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
Select the `humans` CIDR, and the CLI will automatically suggest the next
|
||||||
|
available IP address. Any name is fine, just answer "yes" when asked if you
|
||||||
|
would like to make the peer an admin. The process of adding a peer results in
|
||||||
|
an invitation file. This file contains just enough information for the new peer
|
||||||
|
to contact the `innernet` server and redeem its invitation. It should be
|
||||||
|
transferred securely to the new peer, and it can only be used once to
|
||||||
|
initialize the peer.
|
||||||
|
.
|
||||||
|
You can run the server with `innernet-server serve <interface>`, or if you're
|
||||||
|
on Linux and want to run it via `systemctl`, run `systemctl enable --now
|
||||||
|
innernet-server@<interface>`. If you're on a home network, don't forget to
|
||||||
|
configure port forwarding to the `Listen Port` you specified when creating the
|
||||||
|
`innernet` server.
|
||||||
|
.
|
||||||
|
### Peer Initialization
|
||||||
|
.
|
||||||
|
Let's assume the invitation file generated in the steps above have been
|
||||||
|
transferred to the machine a network admin will be using.
|
||||||
|
.
|
||||||
|
You can initialize the client with
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet install /path/to/invitation.toml
|
||||||
|
```
|
||||||
|
.
|
||||||
|
You can customize the network name if you want to, or leave it at the default.
|
||||||
|
`innernet` will then connect to the `innernet` server via WireGuard, generate a
|
||||||
|
new key pair, and register that pair with the server. The private key in the
|
||||||
|
invitation file can no longer be used.
|
||||||
|
.
|
||||||
|
If everything was successful, the new peer is on the network. You can run
|
||||||
|
things like
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet list
|
||||||
|
```
|
||||||
|
.
|
||||||
|
or
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet list --tree
|
||||||
|
```
|
||||||
|
.
|
||||||
|
to view the current network and all CIDRs visible to this peer.
|
||||||
|
.
|
||||||
|
Since we created an admin peer, we can also add new peers and CIDRs from this
|
||||||
|
peer via `innernet` instead of having to always run commands on the server.
|
||||||
|
.
|
||||||
|
### Adding Associations between CIDRs
|
||||||
|
.
|
||||||
|
In order for peers from one CIDR to be able to contact peers in another CIDR,
|
||||||
|
those two CIDRs must be "associated" with each other.
|
||||||
|
.
|
||||||
|
With the admin peer we created above, let's add a new CIDR for some theoretical
|
||||||
|
CI servers we have.
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet add-cidr <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
The name is `ci-servers` and the CIDR is `10.60.64.0/24`, but for this example
|
||||||
|
it can be anything.
|
||||||
|
.
|
||||||
|
For now, we want peers in the `humans` CIDR to be able to access peers in the
|
||||||
|
`ci-servers` CIDR.
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet add-association <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
The CLI will ask you to select the two CIDRs you want to associate. That's all
|
||||||
|
it takes to allow peers in two different CIDRs to communicate!
|
||||||
|
.
|
||||||
|
You can verify the association with
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet list-associations <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
and associations can be deleted with
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet delete-associations <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
### Enabling/Disabling Peers
|
||||||
|
.
|
||||||
|
For security reasons, IP addresses cannot be re-used by new peers, and
|
||||||
|
therefore peers cannot be deleted. However, they can be disabled. Disabled
|
||||||
|
peers will not show up in the list of peers when fetching the config for an
|
||||||
|
interface.
|
||||||
|
.
|
||||||
|
Disable a peer with
|
||||||
|
.
|
||||||
|
```su
|
||||||
|
sudo innernet disable-peer <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
Or re-enable a peer with
|
||||||
|
.
|
||||||
|
```su
|
||||||
|
sudo innernet enable-peer <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
### Specifying a Manual Endpoint
|
||||||
|
.
|
||||||
|
The `innernet` server will try to use the internet endpoint it sees from a peer
|
||||||
|
so other peers can connect to that peer as well. This doesn't always work and
|
||||||
|
you may want to set an endpoint explicitly. To set an endpoint, use
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet override-endpoint <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
You can go back to automatic endpoint discovery with
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet override-endpoint -u <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
### Setting the Local WireGuard Listen Port
|
||||||
|
.
|
||||||
|
If you want to change the port which WireGuard listens on, use
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet set-listen-port <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
or unset the port and use a randomized port with
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet set-listen-port -u <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
### Remove Network
|
||||||
|
.
|
||||||
|
To permanently uninstall a created network, use
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet-server uninstall <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
Use with care!
|
||||||
|
.
|
||||||
|
## Security recommendations
|
||||||
|
.
|
||||||
|
If you're running a service on innernet, there are some important security
|
||||||
|
considerations.
|
||||||
|
.
|
||||||
|
### Enable strict Reverse Path Filtering ([RFC
|
||||||
|
3704](https://tools.ietf.org/html/rfc3704))
|
||||||
|
.
|
||||||
|
Strict RPF prevents packets from _other_ interfaces from having internal source
|
||||||
|
IP addresses. This is _not_ the default on Linux, even though it is the right
|
||||||
|
choice for 99.99% of situations. You can enable it by adding the following to a
|
||||||
|
`/etc/sysctl.d/60-network-security.conf`:
|
||||||
|
.
|
||||||
|
```
|
||||||
|
net.ipv4.conf.all.rp_filter=1
|
||||||
|
net.ipv4.conf.default.rp_filter=1
|
||||||
|
```
|
||||||
|
.
|
||||||
|
### Bind to the WireGuard device
|
||||||
|
.
|
||||||
|
If possible, to _ensure_ that packets are only ever transmitted over the
|
||||||
|
WireGuard interface, it's recommended that you use `SO_BINDTODEVICE` on Linux
|
||||||
|
or `IP_BOUND_IF` on macOS/BSDs. If you have strict reverse path filtering,
|
||||||
|
though, this is less of a concern.
|
||||||
|
.
|
||||||
|
### IP addresses alone often aren't enough authentication
|
||||||
|
.
|
||||||
|
Even following all the above precautions, rogue applications on a peer's
|
||||||
|
machines could be able to make requests on their behalf unless you add extra
|
||||||
|
layers of authentication to mitigate this CSRF-type vector.
|
||||||
|
.
|
||||||
|
It's recommended that you carefully consider this possibility before deciding
|
||||||
|
that the source IP is sufficient for your authentication needs on a service.
|
||||||
|
.
|
||||||
|
## Installation
|
||||||
|
.
|
||||||
|
innernet has only officially been tested on Linux and MacOS, but we hope to
|
||||||
|
support as many platforms as is feasible!
|
||||||
|
.
|
||||||
|
### Runtime Dependencies
|
||||||
|
.
|
||||||
|
It's assumed that WireGuard is installed on your system, either via the kernel
|
||||||
|
module in Linux 5.6 and later, or via the
|
||||||
|
[`wireguard-go`](https://git.zx2c4.com/wireguard-go/about/) userspace
|
||||||
|
implementation.
|
||||||
|
.
|
||||||
|
[WireGuard Installation Instructions](https://www.wireguard.com/install/)
|
||||||
|
.
|
||||||
|
### Arch Linux
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
pacman -S innernet
|
||||||
|
```
|
||||||
|
.
|
||||||
|
### Debian and Ubuntu
|
||||||
|
.
|
||||||
|
[**@tommie**](https://github.com/tommie) is kindly providing Debian/Ubuntu
|
||||||
|
innernet builds in the https://github.com/tommie/innernet-debian repository.
|
||||||
|
.
|
||||||
|
### Other Linux Distributions
|
||||||
|
.
|
||||||
|
We're looking for volunteers who are able to set up external builds for popular
|
||||||
|
distributions. Please see issue
|
||||||
|
[#203](https://github.com/tonarino/innernet/issues/203).
|
||||||
|
.
|
||||||
|
### macOS
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
brew install tonarino/innernet/innernet
|
||||||
|
```
|
||||||
|
.
|
||||||
|
### Cargo
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
# to install innernet:
|
||||||
|
cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 client
|
||||||
|
.
|
||||||
|
# to install innernet-server:
|
||||||
|
cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 server
|
||||||
|
```
|
||||||
|
.
|
||||||
|
Note that you'll be responsible for updating manually.
|
||||||
|
.
|
||||||
|
## Development
|
||||||
|
.
|
||||||
|
### `innernet-server` Build dependencies
|
||||||
|
.
|
||||||
|
- `rustc` / `cargo` (version 1.50.0 or higher)
|
||||||
|
- `libclang` (see more info at
|
||||||
|
[https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
|
||||||
|
- `libsqlite3`
|
||||||
|
.
|
||||||
|
Build:
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
cargo build --release --bin innernet-server
|
||||||
|
```
|
||||||
|
.
|
||||||
|
The resulting binary will be located at `./target/release/innernet-server`
|
||||||
|
.
|
||||||
|
### `innernet` Client CLI Build dependencies
|
||||||
|
.
|
||||||
|
- `rustc` / `cargo` (version 1.50.0 or higher)
|
||||||
|
- `libclang` (see more info at
|
||||||
|
[https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
|
||||||
|
.
|
||||||
|
Build:
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
cargo build --release --bin innernet
|
||||||
|
```
|
||||||
|
.
|
||||||
|
The resulting binary will be located at `./target/release/innernet`
|
||||||
|
.
|
||||||
|
### Releases
|
||||||
|
.
|
||||||
|
Please run the release script from a Linux machine: generated shell completions
|
||||||
|
depend on available wireguard backends and Mac doesn't support the `kernel`
|
||||||
|
backend.
|
||||||
|
.
|
||||||
|
1. Fetch and check-out the `main` branch.
|
||||||
|
2. Run `./release.sh [patch|major|minor|rc]`
|
||||||
|
3. Push the `main` branch and the created tag to the repo.
|
||||||
|
|
Binary file not shown.
|
@ -0,0 +1,5 @@
|
||||||
|
Component: contrib
|
||||||
|
Origin: Unofficial Innernet Debian repository
|
||||||
|
Label: innernet-debian
|
||||||
|
Architecture: armhf
|
||||||
|
Description: APT repository for https://github.com/tonarino/innernet/.
|
|
@ -4,33 +4,51 @@ Hash: SHA512
|
||||||
Origin: Unofficial Innernet Debian repository
|
Origin: Unofficial Innernet Debian repository
|
||||||
Label: innernet-debian
|
Label: innernet-debian
|
||||||
Codename: jammy
|
Codename: jammy
|
||||||
Date: Fri, 16 Jun 2023 13:45:35 UTC
|
Date: Sun, 30 Jul 2023 13:18:35 UTC
|
||||||
Architectures: amd64
|
Architectures: amd64 armhf arm64
|
||||||
Components: contrib
|
Components: contrib
|
||||||
Description: APT repository for https://github.com/tonarino/innernet/.
|
Description: APT repository for https://github.com/tonarino/innernet/.
|
||||||
MD5Sum:
|
MD5Sum:
|
||||||
c3fb046e579f2886ef6b3cf3e219ba05 12098 contrib/binary-amd64/Packages
|
c3fb046e579f2886ef6b3cf3e219ba05 12098 contrib/binary-amd64/Packages
|
||||||
e09b77d60d34ab4af3b28265d59cea19 4799 contrib/binary-amd64/Packages.gz
|
e09b77d60d34ab4af3b28265d59cea19 4799 contrib/binary-amd64/Packages.gz
|
||||||
77dc2b012f45038d5be68f81d464ee44 179 contrib/binary-amd64/Release
|
77dc2b012f45038d5be68f81d464ee44 179 contrib/binary-amd64/Release
|
||||||
|
780524704fdb47454787362f650f63b2 12097 contrib/binary-armhf/Packages
|
||||||
|
092d4159daa0a41922473929fb72b666 4798 contrib/binary-armhf/Packages.gz
|
||||||
|
2e56331833f644fa9dad5483acc93e55 179 contrib/binary-armhf/Release
|
||||||
|
774c59f064602c6d2a571c4927700ea1 12097 contrib/binary-arm64/Packages
|
||||||
|
111c0179f59c4f065197f95058495807 4802 contrib/binary-arm64/Packages.gz
|
||||||
|
16627cd2b6e090772a75639bb48cd54d 179 contrib/binary-arm64/Release
|
||||||
SHA1:
|
SHA1:
|
||||||
24f3f3be92fa94c5c91f4e1016a87dc3bee36bc0 12098 contrib/binary-amd64/Packages
|
24f3f3be92fa94c5c91f4e1016a87dc3bee36bc0 12098 contrib/binary-amd64/Packages
|
||||||
91350afc9bc7f37a9fa65c7827fd0161cefc2791 4799 contrib/binary-amd64/Packages.gz
|
91350afc9bc7f37a9fa65c7827fd0161cefc2791 4799 contrib/binary-amd64/Packages.gz
|
||||||
a4f6bbfd6fe4ab5a01909278c4e13b05d6b06f13 179 contrib/binary-amd64/Release
|
a4f6bbfd6fe4ab5a01909278c4e13b05d6b06f13 179 contrib/binary-amd64/Release
|
||||||
|
ba0280a48581058691a8a392862fbf3820b841d0 12097 contrib/binary-armhf/Packages
|
||||||
|
b7d567b2b284f0734227eaa771004539525a2d90 4798 contrib/binary-armhf/Packages.gz
|
||||||
|
dbfc90ff9af0819e8b73429a32e4691204b11da7 179 contrib/binary-armhf/Release
|
||||||
|
6d826c8431b6b5983b654a37a34d68efa4148b8a 12097 contrib/binary-arm64/Packages
|
||||||
|
1c5ee6f104cf87055db66f368be7792d52a60094 4802 contrib/binary-arm64/Packages.gz
|
||||||
|
af10abab9b82b0f8be34be72d478cd7efe4e64b9 179 contrib/binary-arm64/Release
|
||||||
SHA256:
|
SHA256:
|
||||||
42614d2b5bb2bc2be526f2aac7a249a78fe9e06b6dfbf174f1b81f774e9c94d9 12098 contrib/binary-amd64/Packages
|
42614d2b5bb2bc2be526f2aac7a249a78fe9e06b6dfbf174f1b81f774e9c94d9 12098 contrib/binary-amd64/Packages
|
||||||
5e2f2c7f0d4e5b718e3e4429aea9e02ea1d2cda4b8e68357dddae26eae7e0df5 4799 contrib/binary-amd64/Packages.gz
|
5e2f2c7f0d4e5b718e3e4429aea9e02ea1d2cda4b8e68357dddae26eae7e0df5 4799 contrib/binary-amd64/Packages.gz
|
||||||
67b3f0e511499d8b794eaf1524cea47d2263a1e8e43445c60f311dbef9a50e9c 179 contrib/binary-amd64/Release
|
67b3f0e511499d8b794eaf1524cea47d2263a1e8e43445c60f311dbef9a50e9c 179 contrib/binary-amd64/Release
|
||||||
|
6920dfcb12fa912d057fbef51193867d02a2d52a02ac8cbd8e43346e199edf44 12097 contrib/binary-armhf/Packages
|
||||||
|
0039297dbd77d349e5acf51945cda8f284f3d1813746789c31127472ad019a6e 4798 contrib/binary-armhf/Packages.gz
|
||||||
|
ce7a57575ec61bf1af16351e2366f7114f6ad78e035696abaaac42f80dd8f425 179 contrib/binary-armhf/Release
|
||||||
|
eee57fae348c6121d8aee97c08e437cc62471dd87103df971d368e72791b4447 12097 contrib/binary-arm64/Packages
|
||||||
|
3a77da57917309f4fce907bf2828bd2def020f210d77e18ec80c6b0d58c65475 4802 contrib/binary-arm64/Packages.gz
|
||||||
|
86092179ad14de3750a8a527f8419920154bd761ea7367b9452abe85cfbca03d 179 contrib/binary-arm64/Release
|
||||||
-----BEGIN PGP SIGNATURE-----
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
iQGzBAEBCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmSMZ4AACgkQZYKNdDzu
|
iQGzBAEBCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmTGYysACgkQZYKNdDzu
|
||||||
i2msrAv/flrJ7B8kMVB35KVN+TNkplpEOUjb0aa+xBQ4+1h1TaZftrJRxNgTHpmz
|
i2kz1wv+NcR8ROJf8Azw6AQPyL8gzuT2c9gRVcMEMGvMtbU/phJQXZReBGgvdcZX
|
||||||
Y8L4l7xTJxEI+rMvJ6SDWxK7/BGyHzdOIlF49u6lRtI1KJWAEXCPNas2FszKIywy
|
r5hY3SwMdvgXxPzWhYr1lnhA71NmPhUxjc2H+J0dGULxMnvoyQ88/UQQpaAIyZsq
|
||||||
mdf+1UGZ4fgtMXJfMblpDua95pDaUH11vuB2Ty1kLl6ELmG136sR/5w1laP6N10I
|
JuuT1D5QHJ9ZWI3SGDKOcdsb2ix51sYVoYsRx/OO5RlYofLfAgU0wGrfa0pUj3l9
|
||||||
y8HTL5poEQOQMeX6cSiYPyiVMUKZgacs1gEv0Z0sksgwDMdghFUUN6poZlG5RfCC
|
OVO0QBeqyb4Xs2+3sjQH8NsJd3bIHOR65ULXJ33R/Bbkt0VYYgApiCMDVifJWMko
|
||||||
7s9NJNKEAiuvcyikP+TrJT0H/JsDO7LJRyZXvxlfS5xoxBWUgc/kCjbh638TtSOP
|
HOZvH0lCvgVy5QE2Dg3KC/8nEVglky3cwwpnN6GWAMTFEFwArZ9IGfcNJmjfuwDz
|
||||||
wPkhPhxedPBgfQ0Ri46P5J+D+qsg7Ck0QsA+nhEUdrQ0ajWB1iBuuuhkflKvkBBj
|
eUgNUnzItCHJyu8G1bX1IgKIHBMkJB9qXbr5DhDjVN8UrfD92A25ZXzbSsgzC6Zc
|
||||||
ft/F672ysXKhSQpW/+ljUjWrkHoA/9Rg25cJOZF4gBUGoavOentnfEjq9h14Qrnl
|
O0Wt0xSuqmoaluwnePxmA/cmV3ffvdIBnBnXEKFaTf1l3aHcDAG0Zmh6/9abKx78
|
||||||
1PPb8ANL+wyTQP6zd5mV7j/3cahyQiZldoVkjXRJ6EQ6Ro/E7e+SrAi/9+2rIKiB
|
Ey17a8voz9U3gRRZG2YTTVYIWhqPVxaPnC14slZzuC2CDWZBVF2f74sCYPqH6SF+
|
||||||
/w7rJEA7
|
zAGYm7Ur
|
||||||
=XTJH
|
=6gHL
|
||||||
-----END PGP SIGNATURE-----
|
-----END PGP SIGNATURE-----
|
||||||
|
|
|
@ -1,19 +1,37 @@
|
||||||
Origin: Unofficial Innernet Debian repository
|
Origin: Unofficial Innernet Debian repository
|
||||||
Label: innernet-debian
|
Label: innernet-debian
|
||||||
Codename: jammy
|
Codename: jammy
|
||||||
Date: Fri, 16 Jun 2023 13:45:35 UTC
|
Date: Sun, 30 Jul 2023 13:18:35 UTC
|
||||||
Architectures: amd64
|
Architectures: amd64 armhf arm64
|
||||||
Components: contrib
|
Components: contrib
|
||||||
Description: APT repository for https://github.com/tonarino/innernet/.
|
Description: APT repository for https://github.com/tonarino/innernet/.
|
||||||
MD5Sum:
|
MD5Sum:
|
||||||
c3fb046e579f2886ef6b3cf3e219ba05 12098 contrib/binary-amd64/Packages
|
c3fb046e579f2886ef6b3cf3e219ba05 12098 contrib/binary-amd64/Packages
|
||||||
e09b77d60d34ab4af3b28265d59cea19 4799 contrib/binary-amd64/Packages.gz
|
e09b77d60d34ab4af3b28265d59cea19 4799 contrib/binary-amd64/Packages.gz
|
||||||
77dc2b012f45038d5be68f81d464ee44 179 contrib/binary-amd64/Release
|
77dc2b012f45038d5be68f81d464ee44 179 contrib/binary-amd64/Release
|
||||||
|
780524704fdb47454787362f650f63b2 12097 contrib/binary-armhf/Packages
|
||||||
|
092d4159daa0a41922473929fb72b666 4798 contrib/binary-armhf/Packages.gz
|
||||||
|
2e56331833f644fa9dad5483acc93e55 179 contrib/binary-armhf/Release
|
||||||
|
774c59f064602c6d2a571c4927700ea1 12097 contrib/binary-arm64/Packages
|
||||||
|
111c0179f59c4f065197f95058495807 4802 contrib/binary-arm64/Packages.gz
|
||||||
|
16627cd2b6e090772a75639bb48cd54d 179 contrib/binary-arm64/Release
|
||||||
SHA1:
|
SHA1:
|
||||||
24f3f3be92fa94c5c91f4e1016a87dc3bee36bc0 12098 contrib/binary-amd64/Packages
|
24f3f3be92fa94c5c91f4e1016a87dc3bee36bc0 12098 contrib/binary-amd64/Packages
|
||||||
91350afc9bc7f37a9fa65c7827fd0161cefc2791 4799 contrib/binary-amd64/Packages.gz
|
91350afc9bc7f37a9fa65c7827fd0161cefc2791 4799 contrib/binary-amd64/Packages.gz
|
||||||
a4f6bbfd6fe4ab5a01909278c4e13b05d6b06f13 179 contrib/binary-amd64/Release
|
a4f6bbfd6fe4ab5a01909278c4e13b05d6b06f13 179 contrib/binary-amd64/Release
|
||||||
|
ba0280a48581058691a8a392862fbf3820b841d0 12097 contrib/binary-armhf/Packages
|
||||||
|
b7d567b2b284f0734227eaa771004539525a2d90 4798 contrib/binary-armhf/Packages.gz
|
||||||
|
dbfc90ff9af0819e8b73429a32e4691204b11da7 179 contrib/binary-armhf/Release
|
||||||
|
6d826c8431b6b5983b654a37a34d68efa4148b8a 12097 contrib/binary-arm64/Packages
|
||||||
|
1c5ee6f104cf87055db66f368be7792d52a60094 4802 contrib/binary-arm64/Packages.gz
|
||||||
|
af10abab9b82b0f8be34be72d478cd7efe4e64b9 179 contrib/binary-arm64/Release
|
||||||
SHA256:
|
SHA256:
|
||||||
42614d2b5bb2bc2be526f2aac7a249a78fe9e06b6dfbf174f1b81f774e9c94d9 12098 contrib/binary-amd64/Packages
|
42614d2b5bb2bc2be526f2aac7a249a78fe9e06b6dfbf174f1b81f774e9c94d9 12098 contrib/binary-amd64/Packages
|
||||||
5e2f2c7f0d4e5b718e3e4429aea9e02ea1d2cda4b8e68357dddae26eae7e0df5 4799 contrib/binary-amd64/Packages.gz
|
5e2f2c7f0d4e5b718e3e4429aea9e02ea1d2cda4b8e68357dddae26eae7e0df5 4799 contrib/binary-amd64/Packages.gz
|
||||||
67b3f0e511499d8b794eaf1524cea47d2263a1e8e43445c60f311dbef9a50e9c 179 contrib/binary-amd64/Release
|
67b3f0e511499d8b794eaf1524cea47d2263a1e8e43445c60f311dbef9a50e9c 179 contrib/binary-amd64/Release
|
||||||
|
6920dfcb12fa912d057fbef51193867d02a2d52a02ac8cbd8e43346e199edf44 12097 contrib/binary-armhf/Packages
|
||||||
|
0039297dbd77d349e5acf51945cda8f284f3d1813746789c31127472ad019a6e 4798 contrib/binary-armhf/Packages.gz
|
||||||
|
ce7a57575ec61bf1af16351e2366f7114f6ad78e035696abaaac42f80dd8f425 179 contrib/binary-armhf/Release
|
||||||
|
eee57fae348c6121d8aee97c08e437cc62471dd87103df971d368e72791b4447 12097 contrib/binary-arm64/Packages
|
||||||
|
3a77da57917309f4fce907bf2828bd2def020f210d77e18ec80c6b0d58c65475 4802 contrib/binary-arm64/Packages.gz
|
||||||
|
86092179ad14de3750a8a527f8419920154bd761ea7367b9452abe85cfbca03d 179 contrib/binary-arm64/Release
|
||||||
|
|
|
@ -1,14 +1,14 @@
|
||||||
-----BEGIN PGP SIGNATURE-----
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
iQGzBAABCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmSMZ38ACgkQZYKNdDzu
|
iQGzBAABCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmTGYysACgkQZYKNdDzu
|
||||||
i2k8JAv7BCf7W0Ok+CG1CYf7mLNNoZ92wgIfApqmokrh6t2Wk3dV7KNW8sZRlCGN
|
i2n05Av7BLT2uiKS9iw8jRsX646HfdXNZ7O+XfdLqJxxyCPjPc8yXPBWILhgQ8wE
|
||||||
FfUfFyqbvYYGkToGIi6LEoGzYSsD2PKHmLWnMMBqkbP7H6cLVjiCs7Xc/RFP1vO5
|
ZARH05xxhbpl0+mVtLDglKdyWjCRHv1ud7ALI3mPNvB4OL15sBUcI5Zqp0UxYgEH
|
||||||
o5xNYme3iM5Sr9iC0i78cusiGmJmM31TWlE6WrLJCK60SjUQgDvdh1SpVGKyiqyO
|
i/9HztmWRORUN0cCDwxdmgBQ5r4pTjEtRqYn6UwL38UD8v+du1n92AwG+jxwqkMk
|
||||||
dorJxqsDvClIDSoCxAJFz23xBrIChZv9zjP4C0ZDDKtGItTmbEG+zsca2f37mfIS
|
yasMbaxK9b5be888BqToKlSuYyLNE5nHDDaqr2gg7Or1W1HcZJcWiH4u4g4foB9p
|
||||||
2H1J5C0eQ2RGMaVzBSWsfQlAbkMq0TrvStPU4oscuBfXF8Asfxhl0AJIL/c5IGfF
|
zrp9w5soeMWfAXH0PkI2iMsyitk5a8WdoLTwFWHJdS8vFN+doKpR57h7AkJ5wSGm
|
||||||
E8jB7o4ifiuyOuRt73yRDaNjJjzHRw6U8IpUMQ12ep3Va7GcMSvX4pnsFb3mmfA4
|
H/okDyDjXPzogd5+WjyRrc3xGaL7X84gv3WbbIBeiKP9yThvI5HwcsUTHh0okiyZ
|
||||||
Hb50gin7Ug457FgsmqHjgIWfmbZh0Z5kNjJAToJlOylBp1nKmVurDbVei8O7DeoU
|
/ns6P16JBo/jRwwD6cr+DYMcK7lr0YSRjmUbyBh+B5gdud7f70ySxl/9aqVnClCq
|
||||||
2Xquibucq+QgxuMl0vHHlIPoE5ExS7TpMEV5YmaO9S6E8HEcDapkLE8+D1NQNvKO
|
A2XMl7VBUVPi0p+iKN3pmeu79XWlpnl8IUZTQzTIxY922DD1hG2X0LV28Lxhm/Qh
|
||||||
Im2xnCN2
|
R0fX5+To
|
||||||
=8V8j
|
=KCYo
|
||||||
-----END PGP SIGNATURE-----
|
-----END PGP SIGNATURE-----
|
||||||
|
|
|
@ -0,0 +1,378 @@
|
||||||
|
Package: innernet
|
||||||
|
Version: 1.6.0-0ubuntu0~jammy
|
||||||
|
Architecture: arm64
|
||||||
|
Vcs-Browser: https://github.com/tonarino/innernet
|
||||||
|
Vcs-Git: https://github.com/tonarino/innernet
|
||||||
|
Homepage: https://github.com/tonarino/innernet
|
||||||
|
Maintainer: tonari <hey@tonari.no>
|
||||||
|
Installed-Size: 2841
|
||||||
|
Depends: systemd, libc6, libgcc1
|
||||||
|
Recommends: wireguard
|
||||||
|
Priority: optional
|
||||||
|
Section: net
|
||||||
|
Filename: pool/contrib/i/innernet/innernet_1.6.0-0ubuntu0~jammy_arm64.deb
|
||||||
|
Size: 902852
|
||||||
|
SHA256: 7bf0f695bc867bb7f6747053a9eab859452a518515f27b0d1e39b266b0e415f5
|
||||||
|
SHA1: 1ac7265a5385e190f2ae1df9b08e257ec55aa2fe
|
||||||
|
MD5sum: db11e7151b7f8c2f8b77709612a89a60
|
||||||
|
Description: A client to manage innernet network interfaces.
|
||||||
|
innernet client binary for fetching peer information and conducting admin tasks
|
||||||
|
such as adding a new peer.
|
||||||
|
|
||||||
|
Package: innernet-server
|
||||||
|
Version: 1.6.0-0ubuntu0~jammy
|
||||||
|
Architecture: arm64
|
||||||
|
Vcs-Browser: https://github.com/tonarino/innernet
|
||||||
|
Vcs-Git: https://github.com/tonarino/innernet
|
||||||
|
Homepage: https://github.com/tonarino/innernet
|
||||||
|
Maintainer: tonari <hey@tonari.no>
|
||||||
|
Installed-Size: 3894
|
||||||
|
Depends: zlib1g, libsqlite3-0, libc6, libgcc1, systemd
|
||||||
|
Recommends: wireguard
|
||||||
|
Source: innernet
|
||||||
|
Priority: optional
|
||||||
|
Section: net
|
||||||
|
Filename: pool/contrib/i/innernet-server/innernet-server_1.6.0-0ubuntu0~jammy_arm64.deb
|
||||||
|
Size: 1354844
|
||||||
|
SHA256: f04eb9854c2105b3e21304377a3a9667405151d576f7bb5a9c4965123b76d221
|
||||||
|
SHA1: 06bb485cdafafcc6b82e36a65f601ecc628f6fca
|
||||||
|
MD5sum: 17b01c31ad740f3d20fcad896eeb67e9
|
||||||
|
Description: A server to coordinate innernet networks.
|
||||||
|
# innernet
|
||||||
|
.
|
||||||
|
[![Actively
|
||||||
|
Maintained](https://img.shields.io/badge/Maintenance%20Level-Actively%20Maintained-green.svg)](https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d)
|
||||||
|
[![MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/tonarino/innernet/blob/master/LICENSE)
|
||||||
|
.
|
||||||
|
A private network system that uses [WireGuard](https://wireguard.com) under the
|
||||||
|
hood. See the [announcement blog
|
||||||
|
post](https://blog.tonari.no/introducing-innernet) for a longer-winded
|
||||||
|
explanation.
|
||||||
|
.
|
||||||
|
<img
|
||||||
|
src="https://user-images.githubusercontent.com/373823/118917068-09ae7700-b96b-11eb-80f4-6860072d504d.gif"
|
||||||
|
width="600" height="370">
|
||||||
|
.
|
||||||
|
`innernet` is similar in its goals to Slack's
|
||||||
|
[nebula](https://github.com/slackhq/nebula) or
|
||||||
|
[Tailscale](https://tailscale.com/), but takes a bit of a different approach.
|
||||||
|
It aims to take advantage of existing networking concepts like CIDRs and the
|
||||||
|
security properties of WireGuard to turn your computer's basic IP networking
|
||||||
|
into more powerful ACL primitives.
|
||||||
|
.
|
||||||
|
`innernet` is not an official WireGuard project, and WireGuard is a registered
|
||||||
|
trademark of Jason A. Donenfeld.
|
||||||
|
.
|
||||||
|
This has not received an independent security audit, and should be considered
|
||||||
|
experimental software at this early point in its lifetime.
|
||||||
|
.
|
||||||
|
## Usage
|
||||||
|
.
|
||||||
|
### Server Creation
|
||||||
|
.
|
||||||
|
Every `innernet` network needs a coordination server to manage peers and
|
||||||
|
provide endpoint information so peers can directly connect to each other.
|
||||||
|
Create a new one with
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet-server new
|
||||||
|
```
|
||||||
|
.
|
||||||
|
The init wizard will ask you questions about your network and give you some
|
||||||
|
reasonable defaults. It's good to familiarize yourself with [network
|
||||||
|
CIDRs](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) as a lot
|
||||||
|
of innernet's access control is based upon them. As an example, let's say the
|
||||||
|
root CIDR for this network is `10.60.0.0/16`. Server initialization creates a
|
||||||
|
special "infra" CIDR which contains the `innernet` server itself and is
|
||||||
|
reachable from all CIDRs on the network.
|
||||||
|
.
|
||||||
|
Next we'll also create a `humans` CIDR where we can start adding some peers.
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet-server add-cidr <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
For the parent CIDR, you can simply choose your network's root CIDR. The name
|
||||||
|
will be `humans`, and the CIDR will be `10.60.64.0/24` (not a great example
|
||||||
|
unless you only want to support 256 humans, but it works for now...).
|
||||||
|
.
|
||||||
|
By default, peers which exist in this new CIDR will only be able to contact
|
||||||
|
peers in the same CIDR, and the special "infra" CIDR which was created when the
|
||||||
|
server was initialized.
|
||||||
|
.
|
||||||
|
A typical workflow for creating a new network is to create an admin peer from
|
||||||
|
the `innernet-server` CLI, and then continue using that admin peer via the
|
||||||
|
`innernet` client CLI to add any further peers or network CIDRs.
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet-server add-peer <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
Select the `humans` CIDR, and the CLI will automatically suggest the next
|
||||||
|
available IP address. Any name is fine, just answer "yes" when asked if you
|
||||||
|
would like to make the peer an admin. The process of adding a peer results in
|
||||||
|
an invitation file. This file contains just enough information for the new peer
|
||||||
|
to contact the `innernet` server and redeem its invitation. It should be
|
||||||
|
transferred securely to the new peer, and it can only be used once to
|
||||||
|
initialize the peer.
|
||||||
|
.
|
||||||
|
You can run the server with `innernet-server serve <interface>`, or if you're
|
||||||
|
on Linux and want to run it via `systemctl`, run `systemctl enable --now
|
||||||
|
innernet-server@<interface>`. If you're on a home network, don't forget to
|
||||||
|
configure port forwarding to the `Listen Port` you specified when creating the
|
||||||
|
`innernet` server.
|
||||||
|
.
|
||||||
|
### Peer Initialization
|
||||||
|
.
|
||||||
|
Let's assume the invitation file generated in the steps above have been
|
||||||
|
transferred to the machine a network admin will be using.
|
||||||
|
.
|
||||||
|
You can initialize the client with
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet install /path/to/invitation.toml
|
||||||
|
```
|
||||||
|
.
|
||||||
|
You can customize the network name if you want to, or leave it at the default.
|
||||||
|
`innernet` will then connect to the `innernet` server via WireGuard, generate a
|
||||||
|
new key pair, and register that pair with the server. The private key in the
|
||||||
|
invitation file can no longer be used.
|
||||||
|
.
|
||||||
|
If everything was successful, the new peer is on the network. You can run
|
||||||
|
things like
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet list
|
||||||
|
```
|
||||||
|
.
|
||||||
|
or
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet list --tree
|
||||||
|
```
|
||||||
|
.
|
||||||
|
to view the current network and all CIDRs visible to this peer.
|
||||||
|
.
|
||||||
|
Since we created an admin peer, we can also add new peers and CIDRs from this
|
||||||
|
peer via `innernet` instead of having to always run commands on the server.
|
||||||
|
.
|
||||||
|
### Adding Associations between CIDRs
|
||||||
|
.
|
||||||
|
In order for peers from one CIDR to be able to contact peers in another CIDR,
|
||||||
|
those two CIDRs must be "associated" with each other.
|
||||||
|
.
|
||||||
|
With the admin peer we created above, let's add a new CIDR for some theoretical
|
||||||
|
CI servers we have.
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet add-cidr <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
The name is `ci-servers` and the CIDR is `10.60.64.0/24`, but for this example
|
||||||
|
it can be anything.
|
||||||
|
.
|
||||||
|
For now, we want peers in the `humans` CIDR to be able to access peers in the
|
||||||
|
`ci-servers` CIDR.
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet add-association <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
The CLI will ask you to select the two CIDRs you want to associate. That's all
|
||||||
|
it takes to allow peers in two different CIDRs to communicate!
|
||||||
|
.
|
||||||
|
You can verify the association with
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet list-associations <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
and associations can be deleted with
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet delete-associations <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
### Enabling/Disabling Peers
|
||||||
|
.
|
||||||
|
For security reasons, IP addresses cannot be re-used by new peers, and
|
||||||
|
therefore peers cannot be deleted. However, they can be disabled. Disabled
|
||||||
|
peers will not show up in the list of peers when fetching the config for an
|
||||||
|
interface.
|
||||||
|
.
|
||||||
|
Disable a peer with
|
||||||
|
.
|
||||||
|
```su
|
||||||
|
sudo innernet disable-peer <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
Or re-enable a peer with
|
||||||
|
.
|
||||||
|
```su
|
||||||
|
sudo innernet enable-peer <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
### Specifying a Manual Endpoint
|
||||||
|
.
|
||||||
|
The `innernet` server will try to use the internet endpoint it sees from a peer
|
||||||
|
so other peers can connect to that peer as well. This doesn't always work and
|
||||||
|
you may want to set an endpoint explicitly. To set an endpoint, use
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet override-endpoint <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
You can go back to automatic endpoint discovery with
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet override-endpoint -u <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
### Setting the Local WireGuard Listen Port
|
||||||
|
.
|
||||||
|
If you want to change the port which WireGuard listens on, use
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet set-listen-port <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
or unset the port and use a randomized port with
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet set-listen-port -u <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
### Remove Network
|
||||||
|
.
|
||||||
|
To permanently uninstall a created network, use
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet-server uninstall <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
Use with care!
|
||||||
|
.
|
||||||
|
## Security recommendations
|
||||||
|
.
|
||||||
|
If you're running a service on innernet, there are some important security
|
||||||
|
considerations.
|
||||||
|
.
|
||||||
|
### Enable strict Reverse Path Filtering ([RFC
|
||||||
|
3704](https://tools.ietf.org/html/rfc3704))
|
||||||
|
.
|
||||||
|
Strict RPF prevents packets from _other_ interfaces from having internal source
|
||||||
|
IP addresses. This is _not_ the default on Linux, even though it is the right
|
||||||
|
choice for 99.99% of situations. You can enable it by adding the following to a
|
||||||
|
`/etc/sysctl.d/60-network-security.conf`:
|
||||||
|
.
|
||||||
|
```
|
||||||
|
net.ipv4.conf.all.rp_filter=1
|
||||||
|
net.ipv4.conf.default.rp_filter=1
|
||||||
|
```
|
||||||
|
.
|
||||||
|
### Bind to the WireGuard device
|
||||||
|
.
|
||||||
|
If possible, to _ensure_ that packets are only ever transmitted over the
|
||||||
|
WireGuard interface, it's recommended that you use `SO_BINDTODEVICE` on Linux
|
||||||
|
or `IP_BOUND_IF` on macOS/BSDs. If you have strict reverse path filtering,
|
||||||
|
though, this is less of a concern.
|
||||||
|
.
|
||||||
|
### IP addresses alone often aren't enough authentication
|
||||||
|
.
|
||||||
|
Even following all the above precautions, rogue applications on a peer's
|
||||||
|
machines could be able to make requests on their behalf unless you add extra
|
||||||
|
layers of authentication to mitigate this CSRF-type vector.
|
||||||
|
.
|
||||||
|
It's recommended that you carefully consider this possibility before deciding
|
||||||
|
that the source IP is sufficient for your authentication needs on a service.
|
||||||
|
.
|
||||||
|
## Installation
|
||||||
|
.
|
||||||
|
innernet has only officially been tested on Linux and MacOS, but we hope to
|
||||||
|
support as many platforms as is feasible!
|
||||||
|
.
|
||||||
|
### Runtime Dependencies
|
||||||
|
.
|
||||||
|
It's assumed that WireGuard is installed on your system, either via the kernel
|
||||||
|
module in Linux 5.6 and later, or via the
|
||||||
|
[`wireguard-go`](https://git.zx2c4.com/wireguard-go/about/) userspace
|
||||||
|
implementation.
|
||||||
|
.
|
||||||
|
[WireGuard Installation Instructions](https://www.wireguard.com/install/)
|
||||||
|
.
|
||||||
|
### Arch Linux
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
pacman -S innernet
|
||||||
|
```
|
||||||
|
.
|
||||||
|
### Debian and Ubuntu
|
||||||
|
.
|
||||||
|
[**@tommie**](https://github.com/tommie) is kindly providing Debian/Ubuntu
|
||||||
|
innernet builds in the https://github.com/tommie/innernet-debian repository.
|
||||||
|
.
|
||||||
|
### Other Linux Distributions
|
||||||
|
.
|
||||||
|
We're looking for volunteers who are able to set up external builds for popular
|
||||||
|
distributions. Please see issue
|
||||||
|
[#203](https://github.com/tonarino/innernet/issues/203).
|
||||||
|
.
|
||||||
|
### macOS
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
brew install tonarino/innernet/innernet
|
||||||
|
```
|
||||||
|
.
|
||||||
|
### Cargo
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
# to install innernet:
|
||||||
|
cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 client
|
||||||
|
.
|
||||||
|
# to install innernet-server:
|
||||||
|
cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 server
|
||||||
|
```
|
||||||
|
.
|
||||||
|
Note that you'll be responsible for updating manually.
|
||||||
|
.
|
||||||
|
## Development
|
||||||
|
.
|
||||||
|
### `innernet-server` Build dependencies
|
||||||
|
.
|
||||||
|
- `rustc` / `cargo` (version 1.50.0 or higher)
|
||||||
|
- `libclang` (see more info at
|
||||||
|
[https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
|
||||||
|
- `libsqlite3`
|
||||||
|
.
|
||||||
|
Build:
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
cargo build --release --bin innernet-server
|
||||||
|
```
|
||||||
|
.
|
||||||
|
The resulting binary will be located at `./target/release/innernet-server`
|
||||||
|
.
|
||||||
|
### `innernet` Client CLI Build dependencies
|
||||||
|
.
|
||||||
|
- `rustc` / `cargo` (version 1.50.0 or higher)
|
||||||
|
- `libclang` (see more info at
|
||||||
|
[https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
|
||||||
|
.
|
||||||
|
Build:
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
cargo build --release --bin innernet
|
||||||
|
```
|
||||||
|
.
|
||||||
|
The resulting binary will be located at `./target/release/innernet`
|
||||||
|
.
|
||||||
|
### Releases
|
||||||
|
.
|
||||||
|
Please run the release script from a Linux machine: generated shell completions
|
||||||
|
depend on available wireguard backends and Mac doesn't support the `kernel`
|
||||||
|
backend.
|
||||||
|
.
|
||||||
|
1. Fetch and check-out the `main` branch.
|
||||||
|
2. Run `./release.sh [patch|major|minor|rc]`
|
||||||
|
3. Push the `main` branch and the created tag to the repo.
|
||||||
|
|
Binary file not shown.
|
@ -0,0 +1,5 @@
|
||||||
|
Component: contrib
|
||||||
|
Origin: Unofficial Innernet Debian repository
|
||||||
|
Label: innernet-debian
|
||||||
|
Architecture: arm64
|
||||||
|
Description: APT repository for https://github.com/tonarino/innernet/.
|
|
@ -0,0 +1,378 @@
|
||||||
|
Package: innernet
|
||||||
|
Version: 1.6.0-0ubuntu0~jammy
|
||||||
|
Architecture: armhf
|
||||||
|
Vcs-Browser: https://github.com/tonarino/innernet
|
||||||
|
Vcs-Git: https://github.com/tonarino/innernet
|
||||||
|
Homepage: https://github.com/tonarino/innernet
|
||||||
|
Maintainer: tonari <hey@tonari.no>
|
||||||
|
Installed-Size: 2684
|
||||||
|
Depends: systemd, libc6, libgcc1
|
||||||
|
Recommends: wireguard
|
||||||
|
Priority: optional
|
||||||
|
Section: net
|
||||||
|
Filename: pool/contrib/i/innernet/innernet_1.6.0-0ubuntu0~jammy_armhf.deb
|
||||||
|
Size: 916336
|
||||||
|
SHA256: 47221ab713613019c4d0f7a8003cb705378ce24336960ddf363a1336bb2522a7
|
||||||
|
SHA1: affc688405f58e5d652a5b7ea1436fbe87fc4b6c
|
||||||
|
MD5sum: dc3f5ad622a48fa819ed58b9529a9e2e
|
||||||
|
Description: A client to manage innernet network interfaces.
|
||||||
|
innernet client binary for fetching peer information and conducting admin tasks
|
||||||
|
such as adding a new peer.
|
||||||
|
|
||||||
|
Package: innernet-server
|
||||||
|
Version: 1.6.0-0ubuntu0~jammy
|
||||||
|
Architecture: armhf
|
||||||
|
Vcs-Browser: https://github.com/tonarino/innernet
|
||||||
|
Vcs-Git: https://github.com/tonarino/innernet
|
||||||
|
Homepage: https://github.com/tonarino/innernet
|
||||||
|
Maintainer: tonari <hey@tonari.no>
|
||||||
|
Installed-Size: 3339
|
||||||
|
Depends: libc6, zlib1g, libgcc1, systemd, libsqlite3-0
|
||||||
|
Recommends: wireguard
|
||||||
|
Source: innernet
|
||||||
|
Priority: optional
|
||||||
|
Section: net
|
||||||
|
Filename: pool/contrib/i/innernet-server/innernet-server_1.6.0-0ubuntu0~jammy_armhf.deb
|
||||||
|
Size: 1340692
|
||||||
|
SHA256: 09dcc6fe8a55c2889e29a052c39b75075e9a9b2646a3e93325380d3da2534c4e
|
||||||
|
SHA1: ae4de2b7fab124b4e07b1a16aee328dd60b8fc3c
|
||||||
|
MD5sum: dbc69bb8a2a2403c2bc7dab402ee04e0
|
||||||
|
Description: A server to coordinate innernet networks.
|
||||||
|
# innernet
|
||||||
|
.
|
||||||
|
[![Actively
|
||||||
|
Maintained](https://img.shields.io/badge/Maintenance%20Level-Actively%20Maintained-green.svg)](https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d)
|
||||||
|
[![MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/tonarino/innernet/blob/master/LICENSE)
|
||||||
|
.
|
||||||
|
A private network system that uses [WireGuard](https://wireguard.com) under the
|
||||||
|
hood. See the [announcement blog
|
||||||
|
post](https://blog.tonari.no/introducing-innernet) for a longer-winded
|
||||||
|
explanation.
|
||||||
|
.
|
||||||
|
<img
|
||||||
|
src="https://user-images.githubusercontent.com/373823/118917068-09ae7700-b96b-11eb-80f4-6860072d504d.gif"
|
||||||
|
width="600" height="370">
|
||||||
|
.
|
||||||
|
`innernet` is similar in its goals to Slack's
|
||||||
|
[nebula](https://github.com/slackhq/nebula) or
|
||||||
|
[Tailscale](https://tailscale.com/), but takes a bit of a different approach.
|
||||||
|
It aims to take advantage of existing networking concepts like CIDRs and the
|
||||||
|
security properties of WireGuard to turn your computer's basic IP networking
|
||||||
|
into more powerful ACL primitives.
|
||||||
|
.
|
||||||
|
`innernet` is not an official WireGuard project, and WireGuard is a registered
|
||||||
|
trademark of Jason A. Donenfeld.
|
||||||
|
.
|
||||||
|
This has not received an independent security audit, and should be considered
|
||||||
|
experimental software at this early point in its lifetime.
|
||||||
|
.
|
||||||
|
## Usage
|
||||||
|
.
|
||||||
|
### Server Creation
|
||||||
|
.
|
||||||
|
Every `innernet` network needs a coordination server to manage peers and
|
||||||
|
provide endpoint information so peers can directly connect to each other.
|
||||||
|
Create a new one with
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet-server new
|
||||||
|
```
|
||||||
|
.
|
||||||
|
The init wizard will ask you questions about your network and give you some
|
||||||
|
reasonable defaults. It's good to familiarize yourself with [network
|
||||||
|
CIDRs](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) as a lot
|
||||||
|
of innernet's access control is based upon them. As an example, let's say the
|
||||||
|
root CIDR for this network is `10.60.0.0/16`. Server initialization creates a
|
||||||
|
special "infra" CIDR which contains the `innernet` server itself and is
|
||||||
|
reachable from all CIDRs on the network.
|
||||||
|
.
|
||||||
|
Next we'll also create a `humans` CIDR where we can start adding some peers.
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet-server add-cidr <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
For the parent CIDR, you can simply choose your network's root CIDR. The name
|
||||||
|
will be `humans`, and the CIDR will be `10.60.64.0/24` (not a great example
|
||||||
|
unless you only want to support 256 humans, but it works for now...).
|
||||||
|
.
|
||||||
|
By default, peers which exist in this new CIDR will only be able to contact
|
||||||
|
peers in the same CIDR, and the special "infra" CIDR which was created when the
|
||||||
|
server was initialized.
|
||||||
|
.
|
||||||
|
A typical workflow for creating a new network is to create an admin peer from
|
||||||
|
the `innernet-server` CLI, and then continue using that admin peer via the
|
||||||
|
`innernet` client CLI to add any further peers or network CIDRs.
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet-server add-peer <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
Select the `humans` CIDR, and the CLI will automatically suggest the next
|
||||||
|
available IP address. Any name is fine, just answer "yes" when asked if you
|
||||||
|
would like to make the peer an admin. The process of adding a peer results in
|
||||||
|
an invitation file. This file contains just enough information for the new peer
|
||||||
|
to contact the `innernet` server and redeem its invitation. It should be
|
||||||
|
transferred securely to the new peer, and it can only be used once to
|
||||||
|
initialize the peer.
|
||||||
|
.
|
||||||
|
You can run the server with `innernet-server serve <interface>`, or if you're
|
||||||
|
on Linux and want to run it via `systemctl`, run `systemctl enable --now
|
||||||
|
innernet-server@<interface>`. If you're on a home network, don't forget to
|
||||||
|
configure port forwarding to the `Listen Port` you specified when creating the
|
||||||
|
`innernet` server.
|
||||||
|
.
|
||||||
|
### Peer Initialization
|
||||||
|
.
|
||||||
|
Let's assume the invitation file generated in the steps above have been
|
||||||
|
transferred to the machine a network admin will be using.
|
||||||
|
.
|
||||||
|
You can initialize the client with
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet install /path/to/invitation.toml
|
||||||
|
```
|
||||||
|
.
|
||||||
|
You can customize the network name if you want to, or leave it at the default.
|
||||||
|
`innernet` will then connect to the `innernet` server via WireGuard, generate a
|
||||||
|
new key pair, and register that pair with the server. The private key in the
|
||||||
|
invitation file can no longer be used.
|
||||||
|
.
|
||||||
|
If everything was successful, the new peer is on the network. You can run
|
||||||
|
things like
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet list
|
||||||
|
```
|
||||||
|
.
|
||||||
|
or
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet list --tree
|
||||||
|
```
|
||||||
|
.
|
||||||
|
to view the current network and all CIDRs visible to this peer.
|
||||||
|
.
|
||||||
|
Since we created an admin peer, we can also add new peers and CIDRs from this
|
||||||
|
peer via `innernet` instead of having to always run commands on the server.
|
||||||
|
.
|
||||||
|
### Adding Associations between CIDRs
|
||||||
|
.
|
||||||
|
In order for peers from one CIDR to be able to contact peers in another CIDR,
|
||||||
|
those two CIDRs must be "associated" with each other.
|
||||||
|
.
|
||||||
|
With the admin peer we created above, let's add a new CIDR for some theoretical
|
||||||
|
CI servers we have.
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet add-cidr <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
The name is `ci-servers` and the CIDR is `10.60.64.0/24`, but for this example
|
||||||
|
it can be anything.
|
||||||
|
.
|
||||||
|
For now, we want peers in the `humans` CIDR to be able to access peers in the
|
||||||
|
`ci-servers` CIDR.
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet add-association <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
The CLI will ask you to select the two CIDRs you want to associate. That's all
|
||||||
|
it takes to allow peers in two different CIDRs to communicate!
|
||||||
|
.
|
||||||
|
You can verify the association with
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet list-associations <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
and associations can be deleted with
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet delete-associations <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
### Enabling/Disabling Peers
|
||||||
|
.
|
||||||
|
For security reasons, IP addresses cannot be re-used by new peers, and
|
||||||
|
therefore peers cannot be deleted. However, they can be disabled. Disabled
|
||||||
|
peers will not show up in the list of peers when fetching the config for an
|
||||||
|
interface.
|
||||||
|
.
|
||||||
|
Disable a peer with
|
||||||
|
.
|
||||||
|
```su
|
||||||
|
sudo innernet disable-peer <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
Or re-enable a peer with
|
||||||
|
.
|
||||||
|
```su
|
||||||
|
sudo innernet enable-peer <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
### Specifying a Manual Endpoint
|
||||||
|
.
|
||||||
|
The `innernet` server will try to use the internet endpoint it sees from a peer
|
||||||
|
so other peers can connect to that peer as well. This doesn't always work and
|
||||||
|
you may want to set an endpoint explicitly. To set an endpoint, use
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet override-endpoint <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
You can go back to automatic endpoint discovery with
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet override-endpoint -u <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
### Setting the Local WireGuard Listen Port
|
||||||
|
.
|
||||||
|
If you want to change the port which WireGuard listens on, use
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet set-listen-port <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
or unset the port and use a randomized port with
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet set-listen-port -u <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
### Remove Network
|
||||||
|
.
|
||||||
|
To permanently uninstall a created network, use
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
sudo innernet-server uninstall <interface>
|
||||||
|
```
|
||||||
|
.
|
||||||
|
Use with care!
|
||||||
|
.
|
||||||
|
## Security recommendations
|
||||||
|
.
|
||||||
|
If you're running a service on innernet, there are some important security
|
||||||
|
considerations.
|
||||||
|
.
|
||||||
|
### Enable strict Reverse Path Filtering ([RFC
|
||||||
|
3704](https://tools.ietf.org/html/rfc3704))
|
||||||
|
.
|
||||||
|
Strict RPF prevents packets from _other_ interfaces from having internal source
|
||||||
|
IP addresses. This is _not_ the default on Linux, even though it is the right
|
||||||
|
choice for 99.99% of situations. You can enable it by adding the following to a
|
||||||
|
`/etc/sysctl.d/60-network-security.conf`:
|
||||||
|
.
|
||||||
|
```
|
||||||
|
net.ipv4.conf.all.rp_filter=1
|
||||||
|
net.ipv4.conf.default.rp_filter=1
|
||||||
|
```
|
||||||
|
.
|
||||||
|
### Bind to the WireGuard device
|
||||||
|
.
|
||||||
|
If possible, to _ensure_ that packets are only ever transmitted over the
|
||||||
|
WireGuard interface, it's recommended that you use `SO_BINDTODEVICE` on Linux
|
||||||
|
or `IP_BOUND_IF` on macOS/BSDs. If you have strict reverse path filtering,
|
||||||
|
though, this is less of a concern.
|
||||||
|
.
|
||||||
|
### IP addresses alone often aren't enough authentication
|
||||||
|
.
|
||||||
|
Even following all the above precautions, rogue applications on a peer's
|
||||||
|
machines could be able to make requests on their behalf unless you add extra
|
||||||
|
layers of authentication to mitigate this CSRF-type vector.
|
||||||
|
.
|
||||||
|
It's recommended that you carefully consider this possibility before deciding
|
||||||
|
that the source IP is sufficient for your authentication needs on a service.
|
||||||
|
.
|
||||||
|
## Installation
|
||||||
|
.
|
||||||
|
innernet has only officially been tested on Linux and MacOS, but we hope to
|
||||||
|
support as many platforms as is feasible!
|
||||||
|
.
|
||||||
|
### Runtime Dependencies
|
||||||
|
.
|
||||||
|
It's assumed that WireGuard is installed on your system, either via the kernel
|
||||||
|
module in Linux 5.6 and later, or via the
|
||||||
|
[`wireguard-go`](https://git.zx2c4.com/wireguard-go/about/) userspace
|
||||||
|
implementation.
|
||||||
|
.
|
||||||
|
[WireGuard Installation Instructions](https://www.wireguard.com/install/)
|
||||||
|
.
|
||||||
|
### Arch Linux
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
pacman -S innernet
|
||||||
|
```
|
||||||
|
.
|
||||||
|
### Debian and Ubuntu
|
||||||
|
.
|
||||||
|
[**@tommie**](https://github.com/tommie) is kindly providing Debian/Ubuntu
|
||||||
|
innernet builds in the https://github.com/tommie/innernet-debian repository.
|
||||||
|
.
|
||||||
|
### Other Linux Distributions
|
||||||
|
.
|
||||||
|
We're looking for volunteers who are able to set up external builds for popular
|
||||||
|
distributions. Please see issue
|
||||||
|
[#203](https://github.com/tonarino/innernet/issues/203).
|
||||||
|
.
|
||||||
|
### macOS
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
brew install tonarino/innernet/innernet
|
||||||
|
```
|
||||||
|
.
|
||||||
|
### Cargo
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
# to install innernet:
|
||||||
|
cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 client
|
||||||
|
.
|
||||||
|
# to install innernet-server:
|
||||||
|
cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 server
|
||||||
|
```
|
||||||
|
.
|
||||||
|
Note that you'll be responsible for updating manually.
|
||||||
|
.
|
||||||
|
## Development
|
||||||
|
.
|
||||||
|
### `innernet-server` Build dependencies
|
||||||
|
.
|
||||||
|
- `rustc` / `cargo` (version 1.50.0 or higher)
|
||||||
|
- `libclang` (see more info at
|
||||||
|
[https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
|
||||||
|
- `libsqlite3`
|
||||||
|
.
|
||||||
|
Build:
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
cargo build --release --bin innernet-server
|
||||||
|
```
|
||||||
|
.
|
||||||
|
The resulting binary will be located at `./target/release/innernet-server`
|
||||||
|
.
|
||||||
|
### `innernet` Client CLI Build dependencies
|
||||||
|
.
|
||||||
|
- `rustc` / `cargo` (version 1.50.0 or higher)
|
||||||
|
- `libclang` (see more info at
|
||||||
|
[https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
|
||||||
|
.
|
||||||
|
Build:
|
||||||
|
.
|
||||||
|
```sh
|
||||||
|
cargo build --release --bin innernet
|
||||||
|
```
|
||||||
|
.
|
||||||
|
The resulting binary will be located at `./target/release/innernet`
|
||||||
|
.
|
||||||
|
### Releases
|
||||||
|
.
|
||||||
|
Please run the release script from a Linux machine: generated shell completions
|
||||||
|
depend on available wireguard backends and Mac doesn't support the `kernel`
|
||||||
|
backend.
|
||||||
|
.
|
||||||
|
1. Fetch and check-out the `main` branch.
|
||||||
|
2. Run `./release.sh [patch|major|minor|rc]`
|
||||||
|
3. Push the `main` branch and the created tag to the repo.
|
||||||
|
|
Binary file not shown.
|
@ -0,0 +1,5 @@
|
||||||
|
Component: contrib
|
||||||
|
Origin: Unofficial Innernet Debian repository
|
||||||
|
Label: innernet-debian
|
||||||
|
Architecture: armhf
|
||||||
|
Description: APT repository for https://github.com/tonarino/innernet/.
|
BIN
debian/pool/contrib/i/innernet-server/innernet-server_1.6.0-0ubuntu0~focal_arm64.deb
vendored
Normal file
BIN
debian/pool/contrib/i/innernet-server/innernet-server_1.6.0-0ubuntu0~focal_arm64.deb
vendored
Normal file
Binary file not shown.
BIN
debian/pool/contrib/i/innernet-server/innernet-server_1.6.0-0ubuntu0~focal_armhf.deb
vendored
Normal file
BIN
debian/pool/contrib/i/innernet-server/innernet-server_1.6.0-0ubuntu0~focal_armhf.deb
vendored
Normal file
Binary file not shown.
BIN
debian/pool/contrib/i/innernet-server/innernet-server_1.6.0-0ubuntu0~jammy_arm64.deb
vendored
Normal file
BIN
debian/pool/contrib/i/innernet-server/innernet-server_1.6.0-0ubuntu0~jammy_arm64.deb
vendored
Normal file
Binary file not shown.
BIN
debian/pool/contrib/i/innernet-server/innernet-server_1.6.0-0ubuntu0~jammy_armhf.deb
vendored
Normal file
BIN
debian/pool/contrib/i/innernet-server/innernet-server_1.6.0-0ubuntu0~jammy_armhf.deb
vendored
Normal file
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Loading…
Reference in New Issue