Included release tonarino/innernet@v1.6.0 in focal jammy for arm64 armhf.

debian/dists/focal/InRelease

@@ -4,33 +4,51 @@ Hash: SHA512
 Origin: Unofficial Innernet Debian repository
 Label: innernet-debian
 Codename: focal
-Date: Thu, 15 Jun 2023 14:35:31 UTC
-Architectures: amd64
+Date: Sun, 30 Jul 2023 13:18:34 UTC
+Architectures: amd64 armhf arm64
 Components: contrib
 Description: APT repository for https://github.com/tonarino/innernet/.
 MD5Sum:
  09585d6972df6d213e1a2a95a6d7f783 12098 contrib/binary-amd64/Packages
  f71f3ea5d0ab6f8e0dad303f04573e81 4799 contrib/binary-amd64/Packages.gz
  77dc2b012f45038d5be68f81d464ee44 179 contrib/binary-amd64/Release
+ b1dcfb8ffed93c950262d0d18d93e8db 12097 contrib/binary-armhf/Packages
+ 11ffc1ea682429a3cfd051979b9d6dcc 4799 contrib/binary-armhf/Packages.gz
+ 2e56331833f644fa9dad5483acc93e55 179 contrib/binary-armhf/Release
+ 9e4f28eca65271f15f684a56874f433d 12097 contrib/binary-arm64/Packages
+ edc6e00a474363010d79da0a577dbc64 4803 contrib/binary-arm64/Packages.gz
+ 16627cd2b6e090772a75639bb48cd54d 179 contrib/binary-arm64/Release
 SHA1:
  87d9b5312a8e5e99090351a36d09785c02303cf1 12098 contrib/binary-amd64/Packages
  ea7af888161785eae92c690ddf4a3f0cf2f75cc9 4799 contrib/binary-amd64/Packages.gz
  a4f6bbfd6fe4ab5a01909278c4e13b05d6b06f13 179 contrib/binary-amd64/Release
+ d0b3431eb3e21ceb02caa9dd63aaf8b2231e3e5e 12097 contrib/binary-armhf/Packages
+ 3ff371bef4abda8010bc8ad4b8873acfb8bd220e 4799 contrib/binary-armhf/Packages.gz
+ dbfc90ff9af0819e8b73429a32e4691204b11da7 179 contrib/binary-armhf/Release
+ b8d99778297cbd777821c7162c9146d3f0407b6c 12097 contrib/binary-arm64/Packages
+ 2ec88f0de84b12f796712cf8bdd9ae163a5e78d0 4803 contrib/binary-arm64/Packages.gz
+ af10abab9b82b0f8be34be72d478cd7efe4e64b9 179 contrib/binary-arm64/Release
 SHA256:
  ce495f6c9bc1fb23dab42746cf14086dde7f1531922919af49f93708d6f9428c 12098 contrib/binary-amd64/Packages
  466c0a757405ed9c217efb1b5c81f4b722922ee63c462b668a9957f6459a38a9 4799 contrib/binary-amd64/Packages.gz
  67b3f0e511499d8b794eaf1524cea47d2263a1e8e43445c60f311dbef9a50e9c 179 contrib/binary-amd64/Release
+ 749a6859a1f9859ad9963b7f1d2ea665adf505d4e9457cad997600e26e3c2112 12097 contrib/binary-armhf/Packages
+ 5ee9f26a09e21a87dfdb376fa3a6098a61b4fb7056d0957f56b6f43a84f65e25 4799 contrib/binary-armhf/Packages.gz
+ ce7a57575ec61bf1af16351e2366f7114f6ad78e035696abaaac42f80dd8f425 179 contrib/binary-armhf/Release
+ 24f6c2047566e4e6921badbbd7d9a6fe47e59acea3b932a1143bfb1783e63e84 12097 contrib/binary-arm64/Packages
+ e7bc836e26a4d99973dc79ba64ebd6f62dc3e385685bb1963e111466f5205a26 4803 contrib/binary-arm64/Packages.gz
+ 86092179ad14de3750a8a527f8419920154bd761ea7367b9452abe85cfbca03d 179 contrib/binary-arm64/Release
 -----BEGIN PGP SIGNATURE-----
 
-iQGzBAEBCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmSLIbQACgkQZYKNdDzu
-i2mZRQv/SFGNKO418HsrtqKpXl6YYyO5btE9s99uVLUIwm5du7IaqakYaoeLNUBy
-grDFLA4e8eQlzEPJfURHql8lIncbTv8pI+34tGr3sigv0d6TgGaaHYNyuTzFWOnw
-j9fOUfr6D0ARRDiKTb19/M/0OFx7boYYTbO9ciNhTvWQ1hA+WS5k4JCH7b8ZYAbT
-CqJ4sKDzSdE5O/TyznAB8PAf7MuyLD1RgqLJsr6ORME7EjVbUSVA8Oo8TFRL5Qe4
-gyjwUSzQ5immV6yxr473eMY7ilGv89VdZkDxMpYkyIlxAitiQbHRRFeQamgkic2J
-1xVQUBDp4iMP4QYaGSO2yz6wqdtU8hGT1yxnjga/+tKWfesSLqKiIOiUnNT0+0u3
-ZlTCDveotoZmjYOU6fk+q5WHofPPOL+kz+gcjMi4Wohe/+cs5NaceNTX84WVCim5
-zjNrfIOUkA3Bs15vfs4lbOHBOydr0LEv+pIC84LUmVc5JUPoO6HNNYTcANpW3rko
-MqOARofn
-=Y37W
+iQGzBAEBCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmTGYysACgkQZYKNdDzu
+i2nJWgwAlGrzcAQsvZvsCaQjbWBndiJDtndfj8BQyRORCbbdEQ0pej2KOj7X+BIJ
+/u7fKHLBKQ/oHZ/t7Bijv5z0MG3n1oG1AK0vAwMFr0t8yJQzl6DuwqQrTgeIsAQ5
+3kHoqbxDuFLUssNUcHsl3yWMULHOb8pteavSfjf7YZiBXmr2qhN+OEV69oHlOPju
+UkTPvBTYlt4OPoESLMxk61O1YWB42Y5NpVzx2q6oft5d/D3OzND2SgTrGCQDvWYJ
+55EkN9ddV3hGMqTr216vcq3k0DpHCcUhAd0L2tlyVDnf01mdj9YqtflZM2XfxQ1e
+jdDcvHh9BqDlEG2mODtTpQY6aOuNdKX5sx61Vblf7QiQDQMDI0dg7wsco/KiftcT
+5QGvOGv2dehlJggMEXxF0B6cLzduwSu2O5OlbFUVqvUhXV+5RKSuiV3g+1g4BonS
+faL1bLlMI5iIpO9qJCPvqrVepbRl1bYz7sMIdeVYTGWdcV7MdnZ8RJynIuhlItCk
+oI2X+qhm
+=RQGT
 -----END PGP SIGNATURE-----

debian/dists/focal/Release

@@ -1,19 +1,37 @@
 Origin: Unofficial Innernet Debian repository
 Label: innernet-debian
 Codename: focal
-Date: Thu, 15 Jun 2023 14:35:31 UTC
-Architectures: amd64
+Date: Sun, 30 Jul 2023 13:18:34 UTC
+Architectures: amd64 armhf arm64
 Components: contrib
 Description: APT repository for https://github.com/tonarino/innernet/.
 MD5Sum:
  09585d6972df6d213e1a2a95a6d7f783 12098 contrib/binary-amd64/Packages
  f71f3ea5d0ab6f8e0dad303f04573e81 4799 contrib/binary-amd64/Packages.gz
  77dc2b012f45038d5be68f81d464ee44 179 contrib/binary-amd64/Release
+ b1dcfb8ffed93c950262d0d18d93e8db 12097 contrib/binary-armhf/Packages
+ 11ffc1ea682429a3cfd051979b9d6dcc 4799 contrib/binary-armhf/Packages.gz
+ 2e56331833f644fa9dad5483acc93e55 179 contrib/binary-armhf/Release
+ 9e4f28eca65271f15f684a56874f433d 12097 contrib/binary-arm64/Packages
+ edc6e00a474363010d79da0a577dbc64 4803 contrib/binary-arm64/Packages.gz
+ 16627cd2b6e090772a75639bb48cd54d 179 contrib/binary-arm64/Release
 SHA1:
  87d9b5312a8e5e99090351a36d09785c02303cf1 12098 contrib/binary-amd64/Packages
  ea7af888161785eae92c690ddf4a3f0cf2f75cc9 4799 contrib/binary-amd64/Packages.gz
  a4f6bbfd6fe4ab5a01909278c4e13b05d6b06f13 179 contrib/binary-amd64/Release
+ d0b3431eb3e21ceb02caa9dd63aaf8b2231e3e5e 12097 contrib/binary-armhf/Packages
+ 3ff371bef4abda8010bc8ad4b8873acfb8bd220e 4799 contrib/binary-armhf/Packages.gz
+ dbfc90ff9af0819e8b73429a32e4691204b11da7 179 contrib/binary-armhf/Release
+ b8d99778297cbd777821c7162c9146d3f0407b6c 12097 contrib/binary-arm64/Packages
+ 2ec88f0de84b12f796712cf8bdd9ae163a5e78d0 4803 contrib/binary-arm64/Packages.gz
+ af10abab9b82b0f8be34be72d478cd7efe4e64b9 179 contrib/binary-arm64/Release
 SHA256:
  ce495f6c9bc1fb23dab42746cf14086dde7f1531922919af49f93708d6f9428c 12098 contrib/binary-amd64/Packages
  466c0a757405ed9c217efb1b5c81f4b722922ee63c462b668a9957f6459a38a9 4799 contrib/binary-amd64/Packages.gz
  67b3f0e511499d8b794eaf1524cea47d2263a1e8e43445c60f311dbef9a50e9c 179 contrib/binary-amd64/Release
+ 749a6859a1f9859ad9963b7f1d2ea665adf505d4e9457cad997600e26e3c2112 12097 contrib/binary-armhf/Packages
+ 5ee9f26a09e21a87dfdb376fa3a6098a61b4fb7056d0957f56b6f43a84f65e25 4799 contrib/binary-armhf/Packages.gz
+ ce7a57575ec61bf1af16351e2366f7114f6ad78e035696abaaac42f80dd8f425 179 contrib/binary-armhf/Release
+ 24f6c2047566e4e6921badbbd7d9a6fe47e59acea3b932a1143bfb1783e63e84 12097 contrib/binary-arm64/Packages
+ e7bc836e26a4d99973dc79ba64ebd6f62dc3e385685bb1963e111466f5205a26 4803 contrib/binary-arm64/Packages.gz
+ 86092179ad14de3750a8a527f8419920154bd761ea7367b9452abe85cfbca03d 179 contrib/binary-arm64/Release

debian/dists/focal/Release.gpg

@@ -1,14 +1,14 @@
 -----BEGIN PGP SIGNATURE-----
 
-iQGzBAABCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmSLIbMACgkQZYKNdDzu
-i2kUyQv8D9dnijsB3JR1kyTufLtncukYje8AgOHS4HTqZIrUeS2hTrdf00llvPiy
-METLUrckiwzVWF+9bK/ZWK3rlWPQ6i8ulqUHU7Ec9dfXqYzeesG8DI3jn3ICUfLM
-+oqpRyYXW7jXJNJDJafLSYzd/K+CfmlItNMSsbR2k52GoxA52R/vRlDtrCmb7TjM
-DhnXBzUfYLGAq+XBhM5QQnb6Ine6Evjg0Y1pU0wDcU9kJ1iJ7fDFFHJI2vN3P3qS
-43TRULqTGjGsZ2mL3kNj0NmXggUd2d4xx7KnftWNBSJ9LxsJ+KgGybswHt3x01sy
-tQaofImFeWpBhUJO5A3IWAWmMQtKmmUY77+WL7rSKKTo4HGvauyPBEG0EH6qvOE7
-NBWEDPyn+8CSAYh8VkpjwEJVBNA4rMAkyuRrLmTCPIx9FZRGRG60l7RGuhmCAoHt
-mJig5Dskkd/sDGsxJVq1uDMGV3QDstAlHQG30tBZAJ8m61Ca5RrlN4sCi7Vm9urC
-tSzDD7zd
-=Fv/e
+iQGzBAABCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmTGYyoACgkQZYKNdDzu
+i2lPdQv8DmSn+7u1+uudvM8K1fU9ShDGeZYtbyC2WhmX1OrI+aq8RQYO2qw6HVcj
+Sk+MuN2m1FxDV85mcCWA/VKzRcfiBn3Yybyzn75Pbeyl5TgRnHu9FKET5VSYH7gy
+9ulqONG18nZbshdS57GUwoxjlT2HVwjOLvQ7IKvX88DTKXQzkc7eiiZ3FCgOhX64
+ocGxIB4x6P6q2pCsEGhPGqdjUcYUGe98udxDlhQ99+EgtgtiCCowGtx6gqMuXj1g
+0FOycQlxhpGSPDQ+TW0vsIAauI3gERrqRPh+ZZbg2o7dQPyDYaXUXCeewpD5VqA1
+Gkv0oYRf+SRB215+tewJWTiwAS/Bxh6uxx/bNBk0kcYB3Sc9d6c5GSo78SXuNra1
+CHhtFUEKDNMG5aJet0gZBHDEwWl+4mCQsoGc+KzRTPfCgU02SvED75eaAt0pxHMa
+UjlYKGboA+Zg3FsNxGGRUVjQEAt1Semo4xLI2e/D3J7klxncMFvehzuoro9VV0ab
+3SLqGF5l
+=DsOy
 -----END PGP SIGNATURE-----

debian/dists/focal/contrib/binary-arm64/Packages

@@ -0,0 +1,378 @@
+Package: innernet
+Version: 1.6.0-0ubuntu0~focal
+Architecture: arm64
+Vcs-Browser: https://github.com/tonarino/innernet
+Vcs-Git: https://github.com/tonarino/innernet
+Homepage: https://github.com/tonarino/innernet
+Maintainer: tonari <hey@tonari.no>
+Installed-Size: 2841
+Depends: libgcc1, systemd, libc6
+Recommends: wireguard
+Priority: optional
+Section: net
+Filename: pool/contrib/i/innernet/innernet_1.6.0-0ubuntu0~focal_arm64.deb
+Size: 903012
+SHA256: d71dd1ea107dea559f8d15c01ae9d58761ba4afee3a9bc7a4c7112e824ce4ab3
+SHA1: 0139401fd3f08b403fc2a15f3a331c60ff24e570
+MD5sum: f85aeb8aa51538811ff2238914c4a1ab
+Description: A client to manage innernet network interfaces.
+ innernet client binary for fetching peer information and conducting admin tasks
+ such as adding a new peer.
+
+Package: innernet-server
+Version: 1.6.0-0ubuntu0~focal
+Architecture: arm64
+Vcs-Browser: https://github.com/tonarino/innernet
+Vcs-Git: https://github.com/tonarino/innernet
+Homepage: https://github.com/tonarino/innernet
+Maintainer: tonari <hey@tonari.no>
+Installed-Size: 3886
+Depends: libc6, libgcc1, zlib1g, systemd, libsqlite3-0
+Recommends: wireguard
+Source: innernet
+Priority: optional
+Section: net
+Filename: pool/contrib/i/innernet-server/innernet-server_1.6.0-0ubuntu0~focal_arm64.deb
+Size: 1355084
+SHA256: 46e22e21dcff4538ba143c5e32077983816b9c1d6ff7b856255e59df86023048
+SHA1: 8860342c49b89fa9238bd9ba7abed1d2afa63b54
+MD5sum: 43de229d49d6134e0801e6338009cf86
+Description: A server to coordinate innernet networks.
+ # innernet
+ .
+ [![Actively
+ Maintained](https://img.shields.io/badge/Maintenance%20Level-Actively%20Maintained-green.svg)](https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d)
+ [![MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/tonarino/innernet/blob/master/LICENSE)
+ .
+ A private network system that uses [WireGuard](https://wireguard.com) under the
+ hood. See the [announcement blog
+ post](https://blog.tonari.no/introducing-innernet) for a longer-winded
+ explanation.
+ .
+ <img
+ src="https://user-images.githubusercontent.com/373823/118917068-09ae7700-b96b-11eb-80f4-6860072d504d.gif"
+ width="600" height="370">
+ .
+ `innernet` is similar in its goals to Slack's
+ [nebula](https://github.com/slackhq/nebula) or
+ [Tailscale](https://tailscale.com/), but takes a bit of a different approach.
+ It aims to take advantage of existing networking concepts like CIDRs and the
+ security properties of WireGuard to turn your computer's basic IP networking
+ into more powerful ACL primitives.
+ .
+ `innernet` is not an official WireGuard project, and WireGuard is a registered
+ trademark of Jason A. Donenfeld.
+ .
+ This has not received an independent security audit, and should be considered
+ experimental software at this early point in its lifetime.
+ .
+ ## Usage
+ .
+ ### Server Creation
+ .
+ Every `innernet` network needs a coordination server to manage peers and
+ provide endpoint information so peers can directly connect to each other.
+ Create a new one with
+ .
+ ```sh
+ sudo innernet-server new
+ ```
+ .
+ The init wizard will ask you questions about your network and give you some
+ reasonable defaults. It's good to familiarize yourself with [network
+ CIDRs](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) as a lot
+ of innernet's access control is based upon them. As an example, let's say the
+ root CIDR for this network is `10.60.0.0/16`. Server initialization creates a
+ special "infra" CIDR which contains the `innernet` server itself and is
+ reachable from all CIDRs on the network.
+ .
+ Next we'll also create a `humans` CIDR where we can start adding some peers.
+ .
+ ```sh
+ sudo innernet-server add-cidr <interface>
+ ```
+ .
+ For the parent CIDR, you can simply choose your network's root CIDR. The name
+ will be `humans`, and the CIDR will be `10.60.64.0/24` (not a great example
+ unless you only want to support 256 humans, but it works for now...).
+ .
+ By default, peers which exist in this new CIDR will only be able to contact
+ peers in the same CIDR, and the special "infra" CIDR which was created when the
+ server was initialized.
+ .
+ A typical workflow for creating a new network is to create an admin peer from
+ the `innernet-server` CLI, and then continue using that admin peer via the
+ `innernet` client CLI to add any further peers or network CIDRs.
+ .
+ ```sh
+ sudo innernet-server add-peer <interface>
+ ```
+ .
+ Select the `humans` CIDR, and the CLI will automatically suggest the next
+ available IP address. Any name is fine, just answer "yes" when asked if you
+ would like to make the peer an admin. The process of adding a peer results in
+ an invitation file. This file contains just enough information for the new peer
+ to contact the `innernet` server and redeem its invitation. It should be
+ transferred securely to the new peer, and it can only be used once to
+ initialize the peer.
+ .
+ You can run the server with `innernet-server serve <interface>`, or if you're
+ on Linux and want to run it via `systemctl`, run `systemctl enable --now
+ innernet-server@<interface>`. If you're on a home network, don't forget to
+ configure port forwarding to the `Listen Port` you specified when creating the
+ `innernet` server.
+ .
+ ### Peer Initialization
+ .
+ Let's assume the invitation file generated in the steps above have been
+ transferred to the machine a network admin will be using.
+ .
+ You can initialize the client with
+ .
+ ```sh
+ sudo innernet install /path/to/invitation.toml
+ ```
+ .
+ You can customize the network name if you want to, or leave it at the default.
+ `innernet` will then connect to the `innernet` server via WireGuard, generate a
+ new key pair, and register that pair with the server. The private key in the
+ invitation file can no longer be used.
+ .
+ If everything was successful, the new peer is on the network. You can run
+ things like
+ .
+ ```sh
+ sudo innernet list
+ ```
+ .
+ or
+ .
+ ```sh
+ sudo innernet list --tree
+ ```
+ .
+ to view the current network and all CIDRs visible to this peer.
+ .
+ Since we created an admin peer, we can also add new peers and CIDRs from this
+ peer via `innernet` instead of having to always run commands on the server.
+ .
+ ### Adding Associations between CIDRs
+ .
+ In order for peers from one CIDR to be able to contact peers in another CIDR,
+ those two CIDRs must be "associated" with each other.
+ .
+ With the admin peer we created above, let's add a new CIDR for some theoretical
+ CI servers we have.
+ .
+ ```sh
+ sudo innernet add-cidr <interface>
+ ```
+ .
+ The name is `ci-servers` and the CIDR is `10.60.64.0/24`, but for this example
+ it can be anything.
+ .
+ For now, we want peers in the `humans` CIDR to be able to access peers in the
+ `ci-servers` CIDR.
+ .
+ ```sh
+ sudo innernet add-association <interface>
+ ```
+ .
+ The CLI will ask you to select the two CIDRs you want to associate. That's all
+ it takes to allow peers in two different CIDRs to communicate!
+ .
+ You can verify the association with
+ .
+ ```sh
+ sudo innernet list-associations <interface>
+ ```
+ .
+ and associations can be deleted with
+ .
+ ```sh
+ sudo innernet delete-associations <interface>
+ ```
+ .
+ ### Enabling/Disabling Peers
+ .
+ For security reasons, IP addresses cannot be re-used by new peers, and
+ therefore peers cannot be deleted. However, they can be disabled. Disabled
+ peers will not show up in the list of peers when fetching the config for an
+ interface.
+ .
+ Disable a peer with
+ .
+ ```su
+ sudo innernet disable-peer <interface>
+ ```
+ .
+ Or re-enable a peer with
+ .
+ ```su
+ sudo innernet enable-peer <interface>
+ ```
+ .
+ ### Specifying a Manual Endpoint
+ .
+ The `innernet` server will try to use the internet endpoint it sees from a peer
+ so other peers can connect to that peer as well. This doesn't always work and
+ you may want to set an endpoint explicitly. To set an endpoint, use
+ .
+ ```sh
+ sudo innernet override-endpoint <interface>
+ ```
+ .
+ You can go back to automatic endpoint discovery with
+ .
+ ```sh
+ sudo innernet override-endpoint -u <interface>
+ ```
+ .
+ ### Setting the Local WireGuard Listen Port
+ .
+ If you want to change the port which WireGuard listens on, use
+ .
+ ```sh
+ sudo innernet set-listen-port <interface>
+ ```
+ .
+ or unset the port and use a randomized port with
+ .
+ ```sh
+ sudo innernet set-listen-port -u <interface>
+ ```
+ .
+ ### Remove Network
+ .
+ To permanently uninstall a created network, use
+ .
+ ```sh
+ sudo innernet-server uninstall <interface>
+ ```
+ .
+ Use with care!
+ .
+ ## Security recommendations
+ .
+ If you're running a service on innernet, there are some important security
+ considerations.
+ .
+ ### Enable strict Reverse Path Filtering ([RFC
+ 3704](https://tools.ietf.org/html/rfc3704))
+ .
+ Strict RPF prevents packets from _other_ interfaces from having internal source
+ IP addresses. This is _not_ the default on Linux, even though it is the right
+ choice for 99.99% of situations. You can enable it by adding the following to a
+ `/etc/sysctl.d/60-network-security.conf`:
+ .
+ ```
+ net.ipv4.conf.all.rp_filter=1
+ net.ipv4.conf.default.rp_filter=1
+ ```
+ .
+ ### Bind to the WireGuard device
+ .
+ If possible, to _ensure_ that packets are only ever transmitted over the
+ WireGuard interface, it's recommended that you use `SO_BINDTODEVICE` on Linux
+ or `IP_BOUND_IF` on macOS/BSDs. If you have strict reverse path filtering,
+ though, this is less of a concern.
+ .
+ ### IP addresses alone often aren't enough authentication
+ .
+ Even following all the above precautions, rogue applications on a peer's
+ machines could be able to make requests on their behalf unless you add extra
+ layers of authentication to mitigate this CSRF-type vector.
+ .
+ It's recommended that you carefully consider this possibility before deciding
+ that the source IP is sufficient for your authentication needs on a service.
+ .
+ ## Installation
+ .
+ innernet has only officially been tested on Linux and MacOS, but we hope to
+ support as many platforms as is feasible!
+ .
+ ### Runtime Dependencies
+ .
+ It's assumed that WireGuard is installed on your system, either via the kernel
+ module in Linux 5.6 and later, or via the
+ [`wireguard-go`](https://git.zx2c4.com/wireguard-go/about/) userspace
+ implementation.
+ .
+ [WireGuard Installation Instructions](https://www.wireguard.com/install/)
+ .
+ ### Arch Linux
+ .
+ ```sh
+ pacman -S innernet
+ ```
+ .
+ ### Debian and Ubuntu
+ .
+ [**@tommie**](https://github.com/tommie) is kindly providing Debian/Ubuntu
+ innernet builds in the https://github.com/tommie/innernet-debian repository.
+ .
+ ### Other Linux Distributions
+ .
+ We're looking for volunteers who are able to set up external builds for popular
+ distributions. Please see issue
+ [#203](https://github.com/tonarino/innernet/issues/203).
+ .
+ ### macOS
+ .
+ ```sh
+ brew install tonarino/innernet/innernet
+ ```
+ .
+ ### Cargo
+ .
+ ```sh
+ # to install innernet:
+ cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 client
+ .
+ # to install innernet-server:
+ cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 server
+ ```
+ .
+ Note that you'll be responsible for updating manually.
+ .
+ ## Development
+ .
+ ### `innernet-server` Build dependencies
+ .
+ - `rustc` / `cargo` (version 1.50.0 or higher)
+ - `libclang` (see more info at
+ [https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
+ - `libsqlite3`
+ .
+ Build:
+ .
+ ```sh
+ cargo build --release --bin innernet-server
+ ```
+ .
+ The resulting binary will be located at `./target/release/innernet-server`
+ .
+ ### `innernet` Client CLI Build dependencies
+ .
+ - `rustc` / `cargo` (version 1.50.0 or higher)
+ - `libclang` (see more info at
+ [https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
+ .
+ Build:
+ .
+ ```sh
+ cargo build --release --bin innernet
+ ```
+ .
+ The resulting binary will be located at `./target/release/innernet`
+ .
+ ### Releases
+ .
+ Please run the release script from a Linux machine: generated shell completions
+ depend on available wireguard backends and Mac doesn't support the `kernel`
+ backend. 
+ .
+ 1. Fetch and check-out the `main` branch.
+ 2. Run `./release.sh [patch|major|minor|rc]`
+ 3. Push the `main` branch and the created tag to the repo.
+

debian/dists/focal/contrib/binary-arm64/Release

@@ -0,0 +1,5 @@
+Component: contrib
+Origin: Unofficial Innernet Debian repository
+Label: innernet-debian
+Architecture: arm64
+Description: APT repository for https://github.com/tonarino/innernet/.

debian/dists/focal/contrib/binary-armhf/Packages

@@ -0,0 +1,378 @@
+Package: innernet
+Version: 1.6.0-0ubuntu0~focal
+Architecture: armhf
+Vcs-Browser: https://github.com/tonarino/innernet
+Vcs-Git: https://github.com/tonarino/innernet
+Homepage: https://github.com/tonarino/innernet
+Maintainer: tonari <hey@tonari.no>
+Installed-Size: 2684
+Depends: libgcc1, libc6, systemd
+Recommends: wireguard
+Priority: optional
+Section: net
+Filename: pool/contrib/i/innernet/innernet_1.6.0-0ubuntu0~focal_armhf.deb
+Size: 916708
+SHA256: 5a659fba5e5410ea9cb5591753075fcc040c92386e3e6382efacd43583e2c782
+SHA1: 03ac24914abd80fcaee5d0dacd77c2b4aebfd08c
+MD5sum: b0c21e227ed3ca35815137d941035b1f
+Description: A client to manage innernet network interfaces.
+ innernet client binary for fetching peer information and conducting admin tasks
+ such as adding a new peer.
+
+Package: innernet-server
+Version: 1.6.0-0ubuntu0~focal
+Architecture: armhf
+Vcs-Browser: https://github.com/tonarino/innernet
+Vcs-Git: https://github.com/tonarino/innernet
+Homepage: https://github.com/tonarino/innernet
+Maintainer: tonari <hey@tonari.no>
+Installed-Size: 3343
+Depends: libgcc1, zlib1g, libc6, libsqlite3-0, systemd
+Recommends: wireguard
+Source: innernet
+Priority: optional
+Section: net
+Filename: pool/contrib/i/innernet-server/innernet-server_1.6.0-0ubuntu0~focal_armhf.deb
+Size: 1337176
+SHA256: 429c6cbf976e82910bd9be68b772a9264f680ea051c1850074a25e39e6d03059
+SHA1: d97a2f0ae144af2a67dc6dc9df547fc0b61d3058
+MD5sum: 105818d65bcc4e3ffbb3feb7dab0867c
+Description: A server to coordinate innernet networks.
+ # innernet
+ .
+ [![Actively
+ Maintained](https://img.shields.io/badge/Maintenance%20Level-Actively%20Maintained-green.svg)](https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d)
+ [![MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/tonarino/innernet/blob/master/LICENSE)
+ .
+ A private network system that uses [WireGuard](https://wireguard.com) under the
+ hood. See the [announcement blog
+ post](https://blog.tonari.no/introducing-innernet) for a longer-winded
+ explanation.
+ .
+ <img
+ src="https://user-images.githubusercontent.com/373823/118917068-09ae7700-b96b-11eb-80f4-6860072d504d.gif"
+ width="600" height="370">
+ .
+ `innernet` is similar in its goals to Slack's
+ [nebula](https://github.com/slackhq/nebula) or
+ [Tailscale](https://tailscale.com/), but takes a bit of a different approach.
+ It aims to take advantage of existing networking concepts like CIDRs and the
+ security properties of WireGuard to turn your computer's basic IP networking
+ into more powerful ACL primitives.
+ .
+ `innernet` is not an official WireGuard project, and WireGuard is a registered
+ trademark of Jason A. Donenfeld.
+ .
+ This has not received an independent security audit, and should be considered
+ experimental software at this early point in its lifetime.
+ .
+ ## Usage
+ .
+ ### Server Creation
+ .
+ Every `innernet` network needs a coordination server to manage peers and
+ provide endpoint information so peers can directly connect to each other.
+ Create a new one with
+ .
+ ```sh
+ sudo innernet-server new
+ ```
+ .
+ The init wizard will ask you questions about your network and give you some
+ reasonable defaults. It's good to familiarize yourself with [network
+ CIDRs](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) as a lot
+ of innernet's access control is based upon them. As an example, let's say the
+ root CIDR for this network is `10.60.0.0/16`. Server initialization creates a
+ special "infra" CIDR which contains the `innernet` server itself and is
+ reachable from all CIDRs on the network.
+ .
+ Next we'll also create a `humans` CIDR where we can start adding some peers.
+ .
+ ```sh
+ sudo innernet-server add-cidr <interface>
+ ```
+ .
+ For the parent CIDR, you can simply choose your network's root CIDR. The name
+ will be `humans`, and the CIDR will be `10.60.64.0/24` (not a great example
+ unless you only want to support 256 humans, but it works for now...).
+ .
+ By default, peers which exist in this new CIDR will only be able to contact
+ peers in the same CIDR, and the special "infra" CIDR which was created when the
+ server was initialized.
+ .
+ A typical workflow for creating a new network is to create an admin peer from
+ the `innernet-server` CLI, and then continue using that admin peer via the
+ `innernet` client CLI to add any further peers or network CIDRs.
+ .
+ ```sh
+ sudo innernet-server add-peer <interface>
+ ```
+ .
+ Select the `humans` CIDR, and the CLI will automatically suggest the next
+ available IP address. Any name is fine, just answer "yes" when asked if you
+ would like to make the peer an admin. The process of adding a peer results in
+ an invitation file. This file contains just enough information for the new peer
+ to contact the `innernet` server and redeem its invitation. It should be
+ transferred securely to the new peer, and it can only be used once to
+ initialize the peer.
+ .
+ You can run the server with `innernet-server serve <interface>`, or if you're
+ on Linux and want to run it via `systemctl`, run `systemctl enable --now
+ innernet-server@<interface>`. If you're on a home network, don't forget to
+ configure port forwarding to the `Listen Port` you specified when creating the
+ `innernet` server.
+ .
+ ### Peer Initialization
+ .
+ Let's assume the invitation file generated in the steps above have been
+ transferred to the machine a network admin will be using.
+ .
+ You can initialize the client with
+ .
+ ```sh
+ sudo innernet install /path/to/invitation.toml
+ ```
+ .
+ You can customize the network name if you want to, or leave it at the default.
+ `innernet` will then connect to the `innernet` server via WireGuard, generate a
+ new key pair, and register that pair with the server. The private key in the
+ invitation file can no longer be used.
+ .
+ If everything was successful, the new peer is on the network. You can run
+ things like
+ .
+ ```sh
+ sudo innernet list
+ ```
+ .
+ or
+ .
+ ```sh
+ sudo innernet list --tree
+ ```
+ .
+ to view the current network and all CIDRs visible to this peer.
+ .
+ Since we created an admin peer, we can also add new peers and CIDRs from this
+ peer via `innernet` instead of having to always run commands on the server.
+ .
+ ### Adding Associations between CIDRs
+ .
+ In order for peers from one CIDR to be able to contact peers in another CIDR,
+ those two CIDRs must be "associated" with each other.
+ .
+ With the admin peer we created above, let's add a new CIDR for some theoretical
+ CI servers we have.
+ .
+ ```sh
+ sudo innernet add-cidr <interface>
+ ```
+ .
+ The name is `ci-servers` and the CIDR is `10.60.64.0/24`, but for this example
+ it can be anything.
+ .
+ For now, we want peers in the `humans` CIDR to be able to access peers in the
+ `ci-servers` CIDR.
+ .
+ ```sh
+ sudo innernet add-association <interface>
+ ```
+ .
+ The CLI will ask you to select the two CIDRs you want to associate. That's all
+ it takes to allow peers in two different CIDRs to communicate!
+ .
+ You can verify the association with
+ .
+ ```sh
+ sudo innernet list-associations <interface>
+ ```
+ .
+ and associations can be deleted with
+ .
+ ```sh
+ sudo innernet delete-associations <interface>
+ ```
+ .
+ ### Enabling/Disabling Peers
+ .
+ For security reasons, IP addresses cannot be re-used by new peers, and
+ therefore peers cannot be deleted. However, they can be disabled. Disabled
+ peers will not show up in the list of peers when fetching the config for an
+ interface.
+ .
+ Disable a peer with
+ .
+ ```su
+ sudo innernet disable-peer <interface>
+ ```
+ .
+ Or re-enable a peer with
+ .
+ ```su
+ sudo innernet enable-peer <interface>
+ ```
+ .
+ ### Specifying a Manual Endpoint
+ .
+ The `innernet` server will try to use the internet endpoint it sees from a peer
+ so other peers can connect to that peer as well. This doesn't always work and
+ you may want to set an endpoint explicitly. To set an endpoint, use
+ .
+ ```sh
+ sudo innernet override-endpoint <interface>
+ ```
+ .
+ You can go back to automatic endpoint discovery with
+ .
+ ```sh
+ sudo innernet override-endpoint -u <interface>
+ ```
+ .
+ ### Setting the Local WireGuard Listen Port
+ .
+ If you want to change the port which WireGuard listens on, use
+ .
+ ```sh
+ sudo innernet set-listen-port <interface>
+ ```
+ .
+ or unset the port and use a randomized port with
+ .
+ ```sh
+ sudo innernet set-listen-port -u <interface>
+ ```
+ .
+ ### Remove Network
+ .
+ To permanently uninstall a created network, use
+ .
+ ```sh
+ sudo innernet-server uninstall <interface>
+ ```
+ .
+ Use with care!
+ .
+ ## Security recommendations
+ .
+ If you're running a service on innernet, there are some important security
+ considerations.
+ .
+ ### Enable strict Reverse Path Filtering ([RFC
+ 3704](https://tools.ietf.org/html/rfc3704))
+ .
+ Strict RPF prevents packets from _other_ interfaces from having internal source
+ IP addresses. This is _not_ the default on Linux, even though it is the right
+ choice for 99.99% of situations. You can enable it by adding the following to a
+ `/etc/sysctl.d/60-network-security.conf`:
+ .
+ ```
+ net.ipv4.conf.all.rp_filter=1
+ net.ipv4.conf.default.rp_filter=1
+ ```
+ .
+ ### Bind to the WireGuard device
+ .
+ If possible, to _ensure_ that packets are only ever transmitted over the
+ WireGuard interface, it's recommended that you use `SO_BINDTODEVICE` on Linux
+ or `IP_BOUND_IF` on macOS/BSDs. If you have strict reverse path filtering,
+ though, this is less of a concern.
+ .
+ ### IP addresses alone often aren't enough authentication
+ .
+ Even following all the above precautions, rogue applications on a peer's
+ machines could be able to make requests on their behalf unless you add extra
+ layers of authentication to mitigate this CSRF-type vector.
+ .
+ It's recommended that you carefully consider this possibility before deciding
+ that the source IP is sufficient for your authentication needs on a service.
+ .
+ ## Installation
+ .
+ innernet has only officially been tested on Linux and MacOS, but we hope to
+ support as many platforms as is feasible!
+ .
+ ### Runtime Dependencies
+ .
+ It's assumed that WireGuard is installed on your system, either via the kernel
+ module in Linux 5.6 and later, or via the
+ [`wireguard-go`](https://git.zx2c4.com/wireguard-go/about/) userspace
+ implementation.
+ .
+ [WireGuard Installation Instructions](https://www.wireguard.com/install/)
+ .
+ ### Arch Linux
+ .
+ ```sh
+ pacman -S innernet
+ ```
+ .
+ ### Debian and Ubuntu
+ .
+ [**@tommie**](https://github.com/tommie) is kindly providing Debian/Ubuntu
+ innernet builds in the https://github.com/tommie/innernet-debian repository.
+ .
+ ### Other Linux Distributions
+ .
+ We're looking for volunteers who are able to set up external builds for popular
+ distributions. Please see issue
+ [#203](https://github.com/tonarino/innernet/issues/203).
+ .
+ ### macOS
+ .
+ ```sh
+ brew install tonarino/innernet/innernet
+ ```
+ .
+ ### Cargo
+ .
+ ```sh
+ # to install innernet:
+ cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 client
+ .
+ # to install innernet-server:
+ cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 server
+ ```
+ .
+ Note that you'll be responsible for updating manually.
+ .
+ ## Development
+ .
+ ### `innernet-server` Build dependencies
+ .
+ - `rustc` / `cargo` (version 1.50.0 or higher)
+ - `libclang` (see more info at
+ [https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
+ - `libsqlite3`
+ .
+ Build:
+ .
+ ```sh
+ cargo build --release --bin innernet-server
+ ```
+ .
+ The resulting binary will be located at `./target/release/innernet-server`
+ .
+ ### `innernet` Client CLI Build dependencies
+ .
+ - `rustc` / `cargo` (version 1.50.0 or higher)
+ - `libclang` (see more info at
+ [https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
+ .
+ Build:
+ .
+ ```sh
+ cargo build --release --bin innernet
+ ```
+ .
+ The resulting binary will be located at `./target/release/innernet`
+ .
+ ### Releases
+ .
+ Please run the release script from a Linux machine: generated shell completions
+ depend on available wireguard backends and Mac doesn't support the `kernel`
+ backend. 
+ .
+ 1. Fetch and check-out the `main` branch.
+ 2. Run `./release.sh [patch|major|minor|rc]`
+ 3. Push the `main` branch and the created tag to the repo.
+

debian/dists/focal/contrib/binary-armhf/Release

@@ -0,0 +1,5 @@
+Component: contrib
+Origin: Unofficial Innernet Debian repository
+Label: innernet-debian
+Architecture: armhf
+Description: APT repository for https://github.com/tonarino/innernet/.

debian/dists/jammy/InRelease

@@ -4,33 +4,51 @@ Hash: SHA512
 Origin: Unofficial Innernet Debian repository
 Label: innernet-debian
 Codename: jammy
-Date: Fri, 16 Jun 2023 13:45:35 UTC
-Architectures: amd64
+Date: Sun, 30 Jul 2023 13:18:35 UTC
+Architectures: amd64 armhf arm64
 Components: contrib
 Description: APT repository for https://github.com/tonarino/innernet/.
 MD5Sum:
  c3fb046e579f2886ef6b3cf3e219ba05 12098 contrib/binary-amd64/Packages
  e09b77d60d34ab4af3b28265d59cea19 4799 contrib/binary-amd64/Packages.gz
  77dc2b012f45038d5be68f81d464ee44 179 contrib/binary-amd64/Release
+ 780524704fdb47454787362f650f63b2 12097 contrib/binary-armhf/Packages
+ 092d4159daa0a41922473929fb72b666 4798 contrib/binary-armhf/Packages.gz
+ 2e56331833f644fa9dad5483acc93e55 179 contrib/binary-armhf/Release
+ 774c59f064602c6d2a571c4927700ea1 12097 contrib/binary-arm64/Packages
+ 111c0179f59c4f065197f95058495807 4802 contrib/binary-arm64/Packages.gz
+ 16627cd2b6e090772a75639bb48cd54d 179 contrib/binary-arm64/Release
 SHA1:
  24f3f3be92fa94c5c91f4e1016a87dc3bee36bc0 12098 contrib/binary-amd64/Packages
  91350afc9bc7f37a9fa65c7827fd0161cefc2791 4799 contrib/binary-amd64/Packages.gz
  a4f6bbfd6fe4ab5a01909278c4e13b05d6b06f13 179 contrib/binary-amd64/Release
+ ba0280a48581058691a8a392862fbf3820b841d0 12097 contrib/binary-armhf/Packages
+ b7d567b2b284f0734227eaa771004539525a2d90 4798 contrib/binary-armhf/Packages.gz
+ dbfc90ff9af0819e8b73429a32e4691204b11da7 179 contrib/binary-armhf/Release
+ 6d826c8431b6b5983b654a37a34d68efa4148b8a 12097 contrib/binary-arm64/Packages
+ 1c5ee6f104cf87055db66f368be7792d52a60094 4802 contrib/binary-arm64/Packages.gz
+ af10abab9b82b0f8be34be72d478cd7efe4e64b9 179 contrib/binary-arm64/Release
 SHA256:
  42614d2b5bb2bc2be526f2aac7a249a78fe9e06b6dfbf174f1b81f774e9c94d9 12098 contrib/binary-amd64/Packages
  5e2f2c7f0d4e5b718e3e4429aea9e02ea1d2cda4b8e68357dddae26eae7e0df5 4799 contrib/binary-amd64/Packages.gz
  67b3f0e511499d8b794eaf1524cea47d2263a1e8e43445c60f311dbef9a50e9c 179 contrib/binary-amd64/Release
+ 6920dfcb12fa912d057fbef51193867d02a2d52a02ac8cbd8e43346e199edf44 12097 contrib/binary-armhf/Packages
+ 0039297dbd77d349e5acf51945cda8f284f3d1813746789c31127472ad019a6e 4798 contrib/binary-armhf/Packages.gz
+ ce7a57575ec61bf1af16351e2366f7114f6ad78e035696abaaac42f80dd8f425 179 contrib/binary-armhf/Release
+ eee57fae348c6121d8aee97c08e437cc62471dd87103df971d368e72791b4447 12097 contrib/binary-arm64/Packages
+ 3a77da57917309f4fce907bf2828bd2def020f210d77e18ec80c6b0d58c65475 4802 contrib/binary-arm64/Packages.gz
+ 86092179ad14de3750a8a527f8419920154bd761ea7367b9452abe85cfbca03d 179 contrib/binary-arm64/Release
 -----BEGIN PGP SIGNATURE-----
 
-iQGzBAEBCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmSMZ4AACgkQZYKNdDzu
-i2msrAv/flrJ7B8kMVB35KVN+TNkplpEOUjb0aa+xBQ4+1h1TaZftrJRxNgTHpmz
-Y8L4l7xTJxEI+rMvJ6SDWxK7/BGyHzdOIlF49u6lRtI1KJWAEXCPNas2FszKIywy
-mdf+1UGZ4fgtMXJfMblpDua95pDaUH11vuB2Ty1kLl6ELmG136sR/5w1laP6N10I
-y8HTL5poEQOQMeX6cSiYPyiVMUKZgacs1gEv0Z0sksgwDMdghFUUN6poZlG5RfCC
-7s9NJNKEAiuvcyikP+TrJT0H/JsDO7LJRyZXvxlfS5xoxBWUgc/kCjbh638TtSOP
-wPkhPhxedPBgfQ0Ri46P5J+D+qsg7Ck0QsA+nhEUdrQ0ajWB1iBuuuhkflKvkBBj
-ft/F672ysXKhSQpW/+ljUjWrkHoA/9Rg25cJOZF4gBUGoavOentnfEjq9h14Qrnl
-1PPb8ANL+wyTQP6zd5mV7j/3cahyQiZldoVkjXRJ6EQ6Ro/E7e+SrAi/9+2rIKiB
-/w7rJEA7
-=XTJH
+iQGzBAEBCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmTGYysACgkQZYKNdDzu
+i2kz1wv+NcR8ROJf8Azw6AQPyL8gzuT2c9gRVcMEMGvMtbU/phJQXZReBGgvdcZX
+r5hY3SwMdvgXxPzWhYr1lnhA71NmPhUxjc2H+J0dGULxMnvoyQ88/UQQpaAIyZsq
+JuuT1D5QHJ9ZWI3SGDKOcdsb2ix51sYVoYsRx/OO5RlYofLfAgU0wGrfa0pUj3l9
+OVO0QBeqyb4Xs2+3sjQH8NsJd3bIHOR65ULXJ33R/Bbkt0VYYgApiCMDVifJWMko
+HOZvH0lCvgVy5QE2Dg3KC/8nEVglky3cwwpnN6GWAMTFEFwArZ9IGfcNJmjfuwDz
+eUgNUnzItCHJyu8G1bX1IgKIHBMkJB9qXbr5DhDjVN8UrfD92A25ZXzbSsgzC6Zc
+O0Wt0xSuqmoaluwnePxmA/cmV3ffvdIBnBnXEKFaTf1l3aHcDAG0Zmh6/9abKx78
+Ey17a8voz9U3gRRZG2YTTVYIWhqPVxaPnC14slZzuC2CDWZBVF2f74sCYPqH6SF+
+zAGYm7Ur
+=6gHL
 -----END PGP SIGNATURE-----

debian/dists/jammy/Release

@@ -1,19 +1,37 @@
 Origin: Unofficial Innernet Debian repository
 Label: innernet-debian
 Codename: jammy
-Date: Fri, 16 Jun 2023 13:45:35 UTC
-Architectures: amd64
+Date: Sun, 30 Jul 2023 13:18:35 UTC
+Architectures: amd64 armhf arm64
 Components: contrib
 Description: APT repository for https://github.com/tonarino/innernet/.
 MD5Sum:
  c3fb046e579f2886ef6b3cf3e219ba05 12098 contrib/binary-amd64/Packages
  e09b77d60d34ab4af3b28265d59cea19 4799 contrib/binary-amd64/Packages.gz
  77dc2b012f45038d5be68f81d464ee44 179 contrib/binary-amd64/Release
+ 780524704fdb47454787362f650f63b2 12097 contrib/binary-armhf/Packages
+ 092d4159daa0a41922473929fb72b666 4798 contrib/binary-armhf/Packages.gz
+ 2e56331833f644fa9dad5483acc93e55 179 contrib/binary-armhf/Release
+ 774c59f064602c6d2a571c4927700ea1 12097 contrib/binary-arm64/Packages
+ 111c0179f59c4f065197f95058495807 4802 contrib/binary-arm64/Packages.gz
+ 16627cd2b6e090772a75639bb48cd54d 179 contrib/binary-arm64/Release
 SHA1:
  24f3f3be92fa94c5c91f4e1016a87dc3bee36bc0 12098 contrib/binary-amd64/Packages
  91350afc9bc7f37a9fa65c7827fd0161cefc2791 4799 contrib/binary-amd64/Packages.gz
  a4f6bbfd6fe4ab5a01909278c4e13b05d6b06f13 179 contrib/binary-amd64/Release
+ ba0280a48581058691a8a392862fbf3820b841d0 12097 contrib/binary-armhf/Packages
+ b7d567b2b284f0734227eaa771004539525a2d90 4798 contrib/binary-armhf/Packages.gz
+ dbfc90ff9af0819e8b73429a32e4691204b11da7 179 contrib/binary-armhf/Release
+ 6d826c8431b6b5983b654a37a34d68efa4148b8a 12097 contrib/binary-arm64/Packages
+ 1c5ee6f104cf87055db66f368be7792d52a60094 4802 contrib/binary-arm64/Packages.gz
+ af10abab9b82b0f8be34be72d478cd7efe4e64b9 179 contrib/binary-arm64/Release
 SHA256:
  42614d2b5bb2bc2be526f2aac7a249a78fe9e06b6dfbf174f1b81f774e9c94d9 12098 contrib/binary-amd64/Packages
  5e2f2c7f0d4e5b718e3e4429aea9e02ea1d2cda4b8e68357dddae26eae7e0df5 4799 contrib/binary-amd64/Packages.gz
  67b3f0e511499d8b794eaf1524cea47d2263a1e8e43445c60f311dbef9a50e9c 179 contrib/binary-amd64/Release
+ 6920dfcb12fa912d057fbef51193867d02a2d52a02ac8cbd8e43346e199edf44 12097 contrib/binary-armhf/Packages
+ 0039297dbd77d349e5acf51945cda8f284f3d1813746789c31127472ad019a6e 4798 contrib/binary-armhf/Packages.gz
+ ce7a57575ec61bf1af16351e2366f7114f6ad78e035696abaaac42f80dd8f425 179 contrib/binary-armhf/Release
+ eee57fae348c6121d8aee97c08e437cc62471dd87103df971d368e72791b4447 12097 contrib/binary-arm64/Packages
+ 3a77da57917309f4fce907bf2828bd2def020f210d77e18ec80c6b0d58c65475 4802 contrib/binary-arm64/Packages.gz
+ 86092179ad14de3750a8a527f8419920154bd761ea7367b9452abe85cfbca03d 179 contrib/binary-arm64/Release

debian/dists/jammy/Release.gpg

@@ -1,14 +1,14 @@
 -----BEGIN PGP SIGNATURE-----
 
-iQGzBAABCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmSMZ38ACgkQZYKNdDzu
-i2k8JAv7BCf7W0Ok+CG1CYf7mLNNoZ92wgIfApqmokrh6t2Wk3dV7KNW8sZRlCGN
-FfUfFyqbvYYGkToGIi6LEoGzYSsD2PKHmLWnMMBqkbP7H6cLVjiCs7Xc/RFP1vO5
-o5xNYme3iM5Sr9iC0i78cusiGmJmM31TWlE6WrLJCK60SjUQgDvdh1SpVGKyiqyO
-dorJxqsDvClIDSoCxAJFz23xBrIChZv9zjP4C0ZDDKtGItTmbEG+zsca2f37mfIS
-2H1J5C0eQ2RGMaVzBSWsfQlAbkMq0TrvStPU4oscuBfXF8Asfxhl0AJIL/c5IGfF
-E8jB7o4ifiuyOuRt73yRDaNjJjzHRw6U8IpUMQ12ep3Va7GcMSvX4pnsFb3mmfA4
-Hb50gin7Ug457FgsmqHjgIWfmbZh0Z5kNjJAToJlOylBp1nKmVurDbVei8O7DeoU
-2Xquibucq+QgxuMl0vHHlIPoE5ExS7TpMEV5YmaO9S6E8HEcDapkLE8+D1NQNvKO
-Im2xnCN2
-=8V8j
+iQGzBAABCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmTGYysACgkQZYKNdDzu
+i2n05Av7BLT2uiKS9iw8jRsX646HfdXNZ7O+XfdLqJxxyCPjPc8yXPBWILhgQ8wE
+ZARH05xxhbpl0+mVtLDglKdyWjCRHv1ud7ALI3mPNvB4OL15sBUcI5Zqp0UxYgEH
+i/9HztmWRORUN0cCDwxdmgBQ5r4pTjEtRqYn6UwL38UD8v+du1n92AwG+jxwqkMk
+yasMbaxK9b5be888BqToKlSuYyLNE5nHDDaqr2gg7Or1W1HcZJcWiH4u4g4foB9p
+zrp9w5soeMWfAXH0PkI2iMsyitk5a8WdoLTwFWHJdS8vFN+doKpR57h7AkJ5wSGm
+H/okDyDjXPzogd5+WjyRrc3xGaL7X84gv3WbbIBeiKP9yThvI5HwcsUTHh0okiyZ
+/ns6P16JBo/jRwwD6cr+DYMcK7lr0YSRjmUbyBh+B5gdud7f70ySxl/9aqVnClCq
+A2XMl7VBUVPi0p+iKN3pmeu79XWlpnl8IUZTQzTIxY922DD1hG2X0LV28Lxhm/Qh
+R0fX5+To
+=KCYo
 -----END PGP SIGNATURE-----

debian/dists/jammy/contrib/binary-arm64/Packages

@@ -0,0 +1,378 @@
+Package: innernet
+Version: 1.6.0-0ubuntu0~jammy
+Architecture: arm64
+Vcs-Browser: https://github.com/tonarino/innernet
+Vcs-Git: https://github.com/tonarino/innernet
+Homepage: https://github.com/tonarino/innernet
+Maintainer: tonari <hey@tonari.no>
+Installed-Size: 2841
+Depends: systemd, libc6, libgcc1
+Recommends: wireguard
+Priority: optional
+Section: net
+Filename: pool/contrib/i/innernet/innernet_1.6.0-0ubuntu0~jammy_arm64.deb
+Size: 902852
+SHA256: 7bf0f695bc867bb7f6747053a9eab859452a518515f27b0d1e39b266b0e415f5
+SHA1: 1ac7265a5385e190f2ae1df9b08e257ec55aa2fe
+MD5sum: db11e7151b7f8c2f8b77709612a89a60
+Description: A client to manage innernet network interfaces.
+ innernet client binary for fetching peer information and conducting admin tasks
+ such as adding a new peer.
+
+Package: innernet-server
+Version: 1.6.0-0ubuntu0~jammy
+Architecture: arm64
+Vcs-Browser: https://github.com/tonarino/innernet
+Vcs-Git: https://github.com/tonarino/innernet
+Homepage: https://github.com/tonarino/innernet
+Maintainer: tonari <hey@tonari.no>
+Installed-Size: 3894
+Depends: zlib1g, libsqlite3-0, libc6, libgcc1, systemd
+Recommends: wireguard
+Source: innernet
+Priority: optional
+Section: net
+Filename: pool/contrib/i/innernet-server/innernet-server_1.6.0-0ubuntu0~jammy_arm64.deb
+Size: 1354844
+SHA256: f04eb9854c2105b3e21304377a3a9667405151d576f7bb5a9c4965123b76d221
+SHA1: 06bb485cdafafcc6b82e36a65f601ecc628f6fca
+MD5sum: 17b01c31ad740f3d20fcad896eeb67e9
+Description: A server to coordinate innernet networks.
+ # innernet
+ .
+ [![Actively
+ Maintained](https://img.shields.io/badge/Maintenance%20Level-Actively%20Maintained-green.svg)](https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d)
+ [![MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/tonarino/innernet/blob/master/LICENSE)
+ .
+ A private network system that uses [WireGuard](https://wireguard.com) under the
+ hood. See the [announcement blog
+ post](https://blog.tonari.no/introducing-innernet) for a longer-winded
+ explanation.
+ .
+ <img
+ src="https://user-images.githubusercontent.com/373823/118917068-09ae7700-b96b-11eb-80f4-6860072d504d.gif"
+ width="600" height="370">
+ .
+ `innernet` is similar in its goals to Slack's
+ [nebula](https://github.com/slackhq/nebula) or
+ [Tailscale](https://tailscale.com/), but takes a bit of a different approach.
+ It aims to take advantage of existing networking concepts like CIDRs and the
+ security properties of WireGuard to turn your computer's basic IP networking
+ into more powerful ACL primitives.
+ .
+ `innernet` is not an official WireGuard project, and WireGuard is a registered
+ trademark of Jason A. Donenfeld.
+ .
+ This has not received an independent security audit, and should be considered
+ experimental software at this early point in its lifetime.
+ .
+ ## Usage
+ .
+ ### Server Creation
+ .
+ Every `innernet` network needs a coordination server to manage peers and
+ provide endpoint information so peers can directly connect to each other.
+ Create a new one with
+ .
+ ```sh
+ sudo innernet-server new
+ ```
+ .
+ The init wizard will ask you questions about your network and give you some
+ reasonable defaults. It's good to familiarize yourself with [network
+ CIDRs](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) as a lot
+ of innernet's access control is based upon them. As an example, let's say the
+ root CIDR for this network is `10.60.0.0/16`. Server initialization creates a
+ special "infra" CIDR which contains the `innernet` server itself and is
+ reachable from all CIDRs on the network.
+ .
+ Next we'll also create a `humans` CIDR where we can start adding some peers.
+ .
+ ```sh
+ sudo innernet-server add-cidr <interface>
+ ```
+ .
+ For the parent CIDR, you can simply choose your network's root CIDR. The name
+ will be `humans`, and the CIDR will be `10.60.64.0/24` (not a great example
+ unless you only want to support 256 humans, but it works for now...).
+ .
+ By default, peers which exist in this new CIDR will only be able to contact
+ peers in the same CIDR, and the special "infra" CIDR which was created when the
+ server was initialized.
+ .
+ A typical workflow for creating a new network is to create an admin peer from
+ the `innernet-server` CLI, and then continue using that admin peer via the
+ `innernet` client CLI to add any further peers or network CIDRs.
+ .
+ ```sh
+ sudo innernet-server add-peer <interface>
+ ```
+ .
+ Select the `humans` CIDR, and the CLI will automatically suggest the next
+ available IP address. Any name is fine, just answer "yes" when asked if you
+ would like to make the peer an admin. The process of adding a peer results in
+ an invitation file. This file contains just enough information for the new peer
+ to contact the `innernet` server and redeem its invitation. It should be
+ transferred securely to the new peer, and it can only be used once to
+ initialize the peer.
+ .
+ You can run the server with `innernet-server serve <interface>`, or if you're
+ on Linux and want to run it via `systemctl`, run `systemctl enable --now
+ innernet-server@<interface>`. If you're on a home network, don't forget to
+ configure port forwarding to the `Listen Port` you specified when creating the
+ `innernet` server.
+ .
+ ### Peer Initialization
+ .
+ Let's assume the invitation file generated in the steps above have been
+ transferred to the machine a network admin will be using.
+ .
+ You can initialize the client with
+ .
+ ```sh
+ sudo innernet install /path/to/invitation.toml
+ ```
+ .
+ You can customize the network name if you want to, or leave it at the default.
+ `innernet` will then connect to the `innernet` server via WireGuard, generate a
+ new key pair, and register that pair with the server. The private key in the
+ invitation file can no longer be used.
+ .
+ If everything was successful, the new peer is on the network. You can run
+ things like
+ .
+ ```sh
+ sudo innernet list
+ ```
+ .
+ or
+ .
+ ```sh
+ sudo innernet list --tree
+ ```
+ .
+ to view the current network and all CIDRs visible to this peer.
+ .
+ Since we created an admin peer, we can also add new peers and CIDRs from this
+ peer via `innernet` instead of having to always run commands on the server.
+ .
+ ### Adding Associations between CIDRs
+ .
+ In order for peers from one CIDR to be able to contact peers in another CIDR,
+ those two CIDRs must be "associated" with each other.
+ .
+ With the admin peer we created above, let's add a new CIDR for some theoretical
+ CI servers we have.
+ .
+ ```sh
+ sudo innernet add-cidr <interface>
+ ```
+ .
+ The name is `ci-servers` and the CIDR is `10.60.64.0/24`, but for this example
+ it can be anything.
+ .
+ For now, we want peers in the `humans` CIDR to be able to access peers in the
+ `ci-servers` CIDR.
+ .
+ ```sh
+ sudo innernet add-association <interface>
+ ```
+ .
+ The CLI will ask you to select the two CIDRs you want to associate. That's all
+ it takes to allow peers in two different CIDRs to communicate!
+ .
+ You can verify the association with
+ .
+ ```sh
+ sudo innernet list-associations <interface>
+ ```
+ .
+ and associations can be deleted with
+ .
+ ```sh
+ sudo innernet delete-associations <interface>
+ ```
+ .
+ ### Enabling/Disabling Peers
+ .
+ For security reasons, IP addresses cannot be re-used by new peers, and
+ therefore peers cannot be deleted. However, they can be disabled. Disabled
+ peers will not show up in the list of peers when fetching the config for an
+ interface.
+ .
+ Disable a peer with
+ .
+ ```su
+ sudo innernet disable-peer <interface>
+ ```
+ .
+ Or re-enable a peer with
+ .
+ ```su
+ sudo innernet enable-peer <interface>
+ ```
+ .
+ ### Specifying a Manual Endpoint
+ .
+ The `innernet` server will try to use the internet endpoint it sees from a peer
+ so other peers can connect to that peer as well. This doesn't always work and
+ you may want to set an endpoint explicitly. To set an endpoint, use
+ .
+ ```sh
+ sudo innernet override-endpoint <interface>
+ ```
+ .
+ You can go back to automatic endpoint discovery with
+ .
+ ```sh
+ sudo innernet override-endpoint -u <interface>
+ ```
+ .
+ ### Setting the Local WireGuard Listen Port
+ .
+ If you want to change the port which WireGuard listens on, use
+ .
+ ```sh
+ sudo innernet set-listen-port <interface>
+ ```
+ .
+ or unset the port and use a randomized port with
+ .
+ ```sh
+ sudo innernet set-listen-port -u <interface>
+ ```
+ .
+ ### Remove Network
+ .
+ To permanently uninstall a created network, use
+ .
+ ```sh
+ sudo innernet-server uninstall <interface>
+ ```
+ .
+ Use with care!
+ .
+ ## Security recommendations
+ .
+ If you're running a service on innernet, there are some important security
+ considerations.
+ .
+ ### Enable strict Reverse Path Filtering ([RFC
+ 3704](https://tools.ietf.org/html/rfc3704))
+ .
+ Strict RPF prevents packets from _other_ interfaces from having internal source
+ IP addresses. This is _not_ the default on Linux, even though it is the right
+ choice for 99.99% of situations. You can enable it by adding the following to a
+ `/etc/sysctl.d/60-network-security.conf`:
+ .
+ ```
+ net.ipv4.conf.all.rp_filter=1
+ net.ipv4.conf.default.rp_filter=1
+ ```
+ .
+ ### Bind to the WireGuard device
+ .
+ If possible, to _ensure_ that packets are only ever transmitted over the
+ WireGuard interface, it's recommended that you use `SO_BINDTODEVICE` on Linux
+ or `IP_BOUND_IF` on macOS/BSDs. If you have strict reverse path filtering,
+ though, this is less of a concern.
+ .
+ ### IP addresses alone often aren't enough authentication
+ .
+ Even following all the above precautions, rogue applications on a peer's
+ machines could be able to make requests on their behalf unless you add extra
+ layers of authentication to mitigate this CSRF-type vector.
+ .
+ It's recommended that you carefully consider this possibility before deciding
+ that the source IP is sufficient for your authentication needs on a service.
+ .
+ ## Installation
+ .
+ innernet has only officially been tested on Linux and MacOS, but we hope to
+ support as many platforms as is feasible!
+ .
+ ### Runtime Dependencies
+ .
+ It's assumed that WireGuard is installed on your system, either via the kernel
+ module in Linux 5.6 and later, or via the
+ [`wireguard-go`](https://git.zx2c4.com/wireguard-go/about/) userspace
+ implementation.
+ .
+ [WireGuard Installation Instructions](https://www.wireguard.com/install/)
+ .
+ ### Arch Linux
+ .
+ ```sh
+ pacman -S innernet
+ ```
+ .
+ ### Debian and Ubuntu
+ .
+ [**@tommie**](https://github.com/tommie) is kindly providing Debian/Ubuntu
+ innernet builds in the https://github.com/tommie/innernet-debian repository.
+ .
+ ### Other Linux Distributions
+ .
+ We're looking for volunteers who are able to set up external builds for popular
+ distributions. Please see issue
+ [#203](https://github.com/tonarino/innernet/issues/203).
+ .
+ ### macOS
+ .
+ ```sh
+ brew install tonarino/innernet/innernet
+ ```
+ .
+ ### Cargo
+ .
+ ```sh
+ # to install innernet:
+ cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 client
+ .
+ # to install innernet-server:
+ cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 server
+ ```
+ .
+ Note that you'll be responsible for updating manually.
+ .
+ ## Development
+ .
+ ### `innernet-server` Build dependencies
+ .
+ - `rustc` / `cargo` (version 1.50.0 or higher)
+ - `libclang` (see more info at
+ [https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
+ - `libsqlite3`
+ .
+ Build:
+ .
+ ```sh
+ cargo build --release --bin innernet-server
+ ```
+ .
+ The resulting binary will be located at `./target/release/innernet-server`
+ .
+ ### `innernet` Client CLI Build dependencies
+ .
+ - `rustc` / `cargo` (version 1.50.0 or higher)
+ - `libclang` (see more info at
+ [https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
+ .
+ Build:
+ .
+ ```sh
+ cargo build --release --bin innernet
+ ```
+ .
+ The resulting binary will be located at `./target/release/innernet`
+ .
+ ### Releases
+ .
+ Please run the release script from a Linux machine: generated shell completions
+ depend on available wireguard backends and Mac doesn't support the `kernel`
+ backend. 
+ .
+ 1. Fetch and check-out the `main` branch.
+ 2. Run `./release.sh [patch|major|minor|rc]`
+ 3. Push the `main` branch and the created tag to the repo.
+

debian/dists/jammy/contrib/binary-arm64/Release

@@ -0,0 +1,5 @@
+Component: contrib
+Origin: Unofficial Innernet Debian repository
+Label: innernet-debian
+Architecture: arm64
+Description: APT repository for https://github.com/tonarino/innernet/.

debian/dists/jammy/contrib/binary-armhf/Packages

@@ -0,0 +1,378 @@
+Package: innernet
+Version: 1.6.0-0ubuntu0~jammy
+Architecture: armhf
+Vcs-Browser: https://github.com/tonarino/innernet
+Vcs-Git: https://github.com/tonarino/innernet
+Homepage: https://github.com/tonarino/innernet
+Maintainer: tonari <hey@tonari.no>
+Installed-Size: 2684
+Depends: systemd, libc6, libgcc1
+Recommends: wireguard
+Priority: optional
+Section: net
+Filename: pool/contrib/i/innernet/innernet_1.6.0-0ubuntu0~jammy_armhf.deb
+Size: 916336
+SHA256: 47221ab713613019c4d0f7a8003cb705378ce24336960ddf363a1336bb2522a7
+SHA1: affc688405f58e5d652a5b7ea1436fbe87fc4b6c
+MD5sum: dc3f5ad622a48fa819ed58b9529a9e2e
+Description: A client to manage innernet network interfaces.
+ innernet client binary for fetching peer information and conducting admin tasks
+ such as adding a new peer.
+
+Package: innernet-server
+Version: 1.6.0-0ubuntu0~jammy
+Architecture: armhf
+Vcs-Browser: https://github.com/tonarino/innernet
+Vcs-Git: https://github.com/tonarino/innernet
+Homepage: https://github.com/tonarino/innernet
+Maintainer: tonari <hey@tonari.no>
+Installed-Size: 3339
+Depends: libc6, zlib1g, libgcc1, systemd, libsqlite3-0
+Recommends: wireguard
+Source: innernet
+Priority: optional
+Section: net
+Filename: pool/contrib/i/innernet-server/innernet-server_1.6.0-0ubuntu0~jammy_armhf.deb
+Size: 1340692
+SHA256: 09dcc6fe8a55c2889e29a052c39b75075e9a9b2646a3e93325380d3da2534c4e
+SHA1: ae4de2b7fab124b4e07b1a16aee328dd60b8fc3c
+MD5sum: dbc69bb8a2a2403c2bc7dab402ee04e0
+Description: A server to coordinate innernet networks.
+ # innernet
+ .
+ [![Actively
+ Maintained](https://img.shields.io/badge/Maintenance%20Level-Actively%20Maintained-green.svg)](https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d)
+ [![MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/tonarino/innernet/blob/master/LICENSE)
+ .
+ A private network system that uses [WireGuard](https://wireguard.com) under the
+ hood. See the [announcement blog
+ post](https://blog.tonari.no/introducing-innernet) for a longer-winded
+ explanation.
+ .
+ <img
+ src="https://user-images.githubusercontent.com/373823/118917068-09ae7700-b96b-11eb-80f4-6860072d504d.gif"
+ width="600" height="370">
+ .
+ `innernet` is similar in its goals to Slack's
+ [nebula](https://github.com/slackhq/nebula) or
+ [Tailscale](https://tailscale.com/), but takes a bit of a different approach.
+ It aims to take advantage of existing networking concepts like CIDRs and the
+ security properties of WireGuard to turn your computer's basic IP networking
+ into more powerful ACL primitives.
+ .
+ `innernet` is not an official WireGuard project, and WireGuard is a registered
+ trademark of Jason A. Donenfeld.
+ .
+ This has not received an independent security audit, and should be considered
+ experimental software at this early point in its lifetime.
+ .
+ ## Usage
+ .
+ ### Server Creation
+ .
+ Every `innernet` network needs a coordination server to manage peers and
+ provide endpoint information so peers can directly connect to each other.
+ Create a new one with
+ .
+ ```sh
+ sudo innernet-server new
+ ```
+ .
+ The init wizard will ask you questions about your network and give you some
+ reasonable defaults. It's good to familiarize yourself with [network
+ CIDRs](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) as a lot
+ of innernet's access control is based upon them. As an example, let's say the
+ root CIDR for this network is `10.60.0.0/16`. Server initialization creates a
+ special "infra" CIDR which contains the `innernet` server itself and is
+ reachable from all CIDRs on the network.
+ .
+ Next we'll also create a `humans` CIDR where we can start adding some peers.
+ .
+ ```sh
+ sudo innernet-server add-cidr <interface>
+ ```
+ .
+ For the parent CIDR, you can simply choose your network's root CIDR. The name
+ will be `humans`, and the CIDR will be `10.60.64.0/24` (not a great example
+ unless you only want to support 256 humans, but it works for now...).
+ .
+ By default, peers which exist in this new CIDR will only be able to contact
+ peers in the same CIDR, and the special "infra" CIDR which was created when the
+ server was initialized.
+ .
+ A typical workflow for creating a new network is to create an admin peer from
+ the `innernet-server` CLI, and then continue using that admin peer via the
+ `innernet` client CLI to add any further peers or network CIDRs.
+ .
+ ```sh
+ sudo innernet-server add-peer <interface>
+ ```
+ .
+ Select the `humans` CIDR, and the CLI will automatically suggest the next
+ available IP address. Any name is fine, just answer "yes" when asked if you
+ would like to make the peer an admin. The process of adding a peer results in
+ an invitation file. This file contains just enough information for the new peer
+ to contact the `innernet` server and redeem its invitation. It should be
+ transferred securely to the new peer, and it can only be used once to
+ initialize the peer.
+ .
+ You can run the server with `innernet-server serve <interface>`, or if you're
+ on Linux and want to run it via `systemctl`, run `systemctl enable --now
+ innernet-server@<interface>`. If you're on a home network, don't forget to
+ configure port forwarding to the `Listen Port` you specified when creating the
+ `innernet` server.
+ .
+ ### Peer Initialization
+ .
+ Let's assume the invitation file generated in the steps above have been
+ transferred to the machine a network admin will be using.
+ .
+ You can initialize the client with
+ .
+ ```sh
+ sudo innernet install /path/to/invitation.toml
+ ```
+ .
+ You can customize the network name if you want to, or leave it at the default.
+ `innernet` will then connect to the `innernet` server via WireGuard, generate a
+ new key pair, and register that pair with the server. The private key in the
+ invitation file can no longer be used.
+ .
+ If everything was successful, the new peer is on the network. You can run
+ things like
+ .
+ ```sh
+ sudo innernet list
+ ```
+ .
+ or
+ .
+ ```sh
+ sudo innernet list --tree
+ ```
+ .
+ to view the current network and all CIDRs visible to this peer.
+ .
+ Since we created an admin peer, we can also add new peers and CIDRs from this
+ peer via `innernet` instead of having to always run commands on the server.
+ .
+ ### Adding Associations between CIDRs
+ .
+ In order for peers from one CIDR to be able to contact peers in another CIDR,
+ those two CIDRs must be "associated" with each other.
+ .
+ With the admin peer we created above, let's add a new CIDR for some theoretical
+ CI servers we have.
+ .
+ ```sh
+ sudo innernet add-cidr <interface>
+ ```
+ .
+ The name is `ci-servers` and the CIDR is `10.60.64.0/24`, but for this example
+ it can be anything.
+ .
+ For now, we want peers in the `humans` CIDR to be able to access peers in the
+ `ci-servers` CIDR.
+ .
+ ```sh
+ sudo innernet add-association <interface>
+ ```
+ .
+ The CLI will ask you to select the two CIDRs you want to associate. That's all
+ it takes to allow peers in two different CIDRs to communicate!
+ .
+ You can verify the association with
+ .
+ ```sh
+ sudo innernet list-associations <interface>
+ ```
+ .
+ and associations can be deleted with
+ .
+ ```sh
+ sudo innernet delete-associations <interface>
+ ```
+ .
+ ### Enabling/Disabling Peers
+ .
+ For security reasons, IP addresses cannot be re-used by new peers, and
+ therefore peers cannot be deleted. However, they can be disabled. Disabled
+ peers will not show up in the list of peers when fetching the config for an
+ interface.
+ .
+ Disable a peer with
+ .
+ ```su
+ sudo innernet disable-peer <interface>
+ ```
+ .
+ Or re-enable a peer with
+ .
+ ```su
+ sudo innernet enable-peer <interface>
+ ```
+ .
+ ### Specifying a Manual Endpoint
+ .
+ The `innernet` server will try to use the internet endpoint it sees from a peer
+ so other peers can connect to that peer as well. This doesn't always work and
+ you may want to set an endpoint explicitly. To set an endpoint, use
+ .
+ ```sh
+ sudo innernet override-endpoint <interface>
+ ```
+ .
+ You can go back to automatic endpoint discovery with
+ .
+ ```sh
+ sudo innernet override-endpoint -u <interface>
+ ```
+ .
+ ### Setting the Local WireGuard Listen Port
+ .
+ If you want to change the port which WireGuard listens on, use
+ .
+ ```sh
+ sudo innernet set-listen-port <interface>
+ ```
+ .
+ or unset the port and use a randomized port with
+ .
+ ```sh
+ sudo innernet set-listen-port -u <interface>
+ ```
+ .
+ ### Remove Network
+ .
+ To permanently uninstall a created network, use
+ .
+ ```sh
+ sudo innernet-server uninstall <interface>
+ ```
+ .
+ Use with care!
+ .
+ ## Security recommendations
+ .
+ If you're running a service on innernet, there are some important security
+ considerations.
+ .
+ ### Enable strict Reverse Path Filtering ([RFC
+ 3704](https://tools.ietf.org/html/rfc3704))
+ .
+ Strict RPF prevents packets from _other_ interfaces from having internal source
+ IP addresses. This is _not_ the default on Linux, even though it is the right
+ choice for 99.99% of situations. You can enable it by adding the following to a
+ `/etc/sysctl.d/60-network-security.conf`:
+ .
+ ```
+ net.ipv4.conf.all.rp_filter=1
+ net.ipv4.conf.default.rp_filter=1
+ ```
+ .
+ ### Bind to the WireGuard device
+ .
+ If possible, to _ensure_ that packets are only ever transmitted over the
+ WireGuard interface, it's recommended that you use `SO_BINDTODEVICE` on Linux
+ or `IP_BOUND_IF` on macOS/BSDs. If you have strict reverse path filtering,
+ though, this is less of a concern.
+ .
+ ### IP addresses alone often aren't enough authentication
+ .
+ Even following all the above precautions, rogue applications on a peer's
+ machines could be able to make requests on their behalf unless you add extra
+ layers of authentication to mitigate this CSRF-type vector.
+ .
+ It's recommended that you carefully consider this possibility before deciding
+ that the source IP is sufficient for your authentication needs on a service.
+ .
+ ## Installation
+ .
+ innernet has only officially been tested on Linux and MacOS, but we hope to
+ support as many platforms as is feasible!
+ .
+ ### Runtime Dependencies
+ .
+ It's assumed that WireGuard is installed on your system, either via the kernel
+ module in Linux 5.6 and later, or via the
+ [`wireguard-go`](https://git.zx2c4.com/wireguard-go/about/) userspace
+ implementation.
+ .
+ [WireGuard Installation Instructions](https://www.wireguard.com/install/)
+ .
+ ### Arch Linux
+ .
+ ```sh
+ pacman -S innernet
+ ```
+ .
+ ### Debian and Ubuntu
+ .
+ [**@tommie**](https://github.com/tommie) is kindly providing Debian/Ubuntu
+ innernet builds in the https://github.com/tommie/innernet-debian repository.
+ .
+ ### Other Linux Distributions
+ .
+ We're looking for volunteers who are able to set up external builds for popular
+ distributions. Please see issue
+ [#203](https://github.com/tonarino/innernet/issues/203).
+ .
+ ### macOS
+ .
+ ```sh
+ brew install tonarino/innernet/innernet
+ ```
+ .
+ ### Cargo
+ .
+ ```sh
+ # to install innernet:
+ cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 client
+ .
+ # to install innernet-server:
+ cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 server
+ ```
+ .
+ Note that you'll be responsible for updating manually.
+ .
+ ## Development
+ .
+ ### `innernet-server` Build dependencies
+ .
+ - `rustc` / `cargo` (version 1.50.0 or higher)
+ - `libclang` (see more info at
+ [https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
+ - `libsqlite3`
+ .
+ Build:
+ .
+ ```sh
+ cargo build --release --bin innernet-server
+ ```
+ .
+ The resulting binary will be located at `./target/release/innernet-server`
+ .
+ ### `innernet` Client CLI Build dependencies
+ .
+ - `rustc` / `cargo` (version 1.50.0 or higher)
+ - `libclang` (see more info at
+ [https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
+ .
+ Build:
+ .
+ ```sh
+ cargo build --release --bin innernet
+ ```
+ .
+ The resulting binary will be located at `./target/release/innernet`
+ .
+ ### Releases
+ .
+ Please run the release script from a Linux machine: generated shell completions
+ depend on available wireguard backends and Mac doesn't support the `kernel`
+ backend. 
+ .
+ 1. Fetch and check-out the `main` branch.
+ 2. Run `./release.sh [patch|major|minor|rc]`
+ 3. Push the `main` branch and the created tag to the repo.
+

debian/dists/jammy/contrib/binary-armhf/Release

@@ -0,0 +1,5 @@
+Component: contrib
+Origin: Unofficial Innernet Debian repository
+Label: innernet-debian
+Architecture: armhf
+Description: APT repository for https://github.com/tonarino/innernet/.