Included release tonarino/innernet@v1.6.1 in focal jammy for amd64 arm64 armhf.

debian/dists/focal/InRelease

@@ -4,51 +4,51 @@ Hash: SHA512
 Origin: Unofficial Innernet Debian repository
 Label: innernet-debian
 Codename: focal
-Date: Sun, 30 Jul 2023 13:18:34 UTC
+Date: Mon, 22 Jan 2024 14:39:30 UTC
 Architectures: amd64 armhf arm64
 Components: contrib
 Description: APT repository for https://github.com/tonarino/innernet/.
 MD5Sum:
- 09585d6972df6d213e1a2a95a6d7f783 12098 contrib/binary-amd64/Packages
- f71f3ea5d0ab6f8e0dad303f04573e81 4799 contrib/binary-amd64/Packages.gz
+ 2eed532c18080f94efa64a20e0850101 1493 contrib/binary-amd64/Packages
+ 42d48d316784c03b360d12d06bc3e4e6 663 contrib/binary-amd64/Packages.gz
  77dc2b012f45038d5be68f81d464ee44 179 contrib/binary-amd64/Release
- b1dcfb8ffed93c950262d0d18d93e8db 12097 contrib/binary-armhf/Packages
- 11ffc1ea682429a3cfd051979b9d6dcc 4799 contrib/binary-armhf/Packages.gz
+ ad99ee2214dc0e890ca4f4b28d6dbaf0 1493 contrib/binary-armhf/Packages
+ 14b3724f4a55b292edc58e5159320fb0 665 contrib/binary-armhf/Packages.gz
  2e56331833f644fa9dad5483acc93e55 179 contrib/binary-armhf/Release
- 9e4f28eca65271f15f684a56874f433d 12097 contrib/binary-arm64/Packages
- edc6e00a474363010d79da0a577dbc64 4803 contrib/binary-arm64/Packages.gz
+ 3678a76f8c1f7789f33472b0b1425b6e 1492 contrib/binary-arm64/Packages
+ 53f3f8680c0a82954fde16e23c8f10cd 669 contrib/binary-arm64/Packages.gz
  16627cd2b6e090772a75639bb48cd54d 179 contrib/binary-arm64/Release
 SHA1:
- 87d9b5312a8e5e99090351a36d09785c02303cf1 12098 contrib/binary-amd64/Packages
- ea7af888161785eae92c690ddf4a3f0cf2f75cc9 4799 contrib/binary-amd64/Packages.gz
+ 2adb2413fdc1847cc786b4f5bcd3bcb9b63646f6 1493 contrib/binary-amd64/Packages
+ 27f8e6a53160f30fd9b00d8629eebeece2b37357 663 contrib/binary-amd64/Packages.gz
  a4f6bbfd6fe4ab5a01909278c4e13b05d6b06f13 179 contrib/binary-amd64/Release
- d0b3431eb3e21ceb02caa9dd63aaf8b2231e3e5e 12097 contrib/binary-armhf/Packages
- 3ff371bef4abda8010bc8ad4b8873acfb8bd220e 4799 contrib/binary-armhf/Packages.gz
+ f007c3ba7b8da39d1d93bf2ec1e4dd65b1e2bf7a 1493 contrib/binary-armhf/Packages
+ ffa3d9fa4156adc85bd1e1b4b424e25222ef22de 665 contrib/binary-armhf/Packages.gz
  dbfc90ff9af0819e8b73429a32e4691204b11da7 179 contrib/binary-armhf/Release
- b8d99778297cbd777821c7162c9146d3f0407b6c 12097 contrib/binary-arm64/Packages
- 2ec88f0de84b12f796712cf8bdd9ae163a5e78d0 4803 contrib/binary-arm64/Packages.gz
+ fa43b23088efe1cc2d56885126b335066e8a69ed 1492 contrib/binary-arm64/Packages
+ 615ac42f2ee41906f58c3145bb2723bb83bea85a 669 contrib/binary-arm64/Packages.gz
  af10abab9b82b0f8be34be72d478cd7efe4e64b9 179 contrib/binary-arm64/Release
 SHA256:
- ce495f6c9bc1fb23dab42746cf14086dde7f1531922919af49f93708d6f9428c 12098 contrib/binary-amd64/Packages
- 466c0a757405ed9c217efb1b5c81f4b722922ee63c462b668a9957f6459a38a9 4799 contrib/binary-amd64/Packages.gz
+ b555648b373a9d97e37ac3741a6f4e834d79547e42cf1adda20e61e3d5857115 1493 contrib/binary-amd64/Packages
+ 5d51808345cac6ab03939a1ac441cf1e03732f7d134a0b54aac1c20ede7c91f8 663 contrib/binary-amd64/Packages.gz
  67b3f0e511499d8b794eaf1524cea47d2263a1e8e43445c60f311dbef9a50e9c 179 contrib/binary-amd64/Release
- 749a6859a1f9859ad9963b7f1d2ea665adf505d4e9457cad997600e26e3c2112 12097 contrib/binary-armhf/Packages
- 5ee9f26a09e21a87dfdb376fa3a6098a61b4fb7056d0957f56b6f43a84f65e25 4799 contrib/binary-armhf/Packages.gz
+ 17752abfca0e7430b4979fc8c2277e7ad994dc9be693b0adfbc3fdb151306d80 1493 contrib/binary-armhf/Packages
+ aecf0a2cd2a2c80b1102845c275cdfdc93ed6912162f87c0d5bab0fa6f71d231 665 contrib/binary-armhf/Packages.gz
  ce7a57575ec61bf1af16351e2366f7114f6ad78e035696abaaac42f80dd8f425 179 contrib/binary-armhf/Release
- 24f6c2047566e4e6921badbbd7d9a6fe47e59acea3b932a1143bfb1783e63e84 12097 contrib/binary-arm64/Packages
- e7bc836e26a4d99973dc79ba64ebd6f62dc3e385685bb1963e111466f5205a26 4803 contrib/binary-arm64/Packages.gz
+ 99e7bc596aec7edf82bd42e264c73b5a040e8ea8885b4e209c684a767fe17028 1492 contrib/binary-arm64/Packages
+ 97044c4b7f2b0923390858c25b18107fc48da0085a43ea440eaf2c31388a44b3 669 contrib/binary-arm64/Packages.gz
  86092179ad14de3750a8a527f8419920154bd761ea7367b9452abe85cfbca03d 179 contrib/binary-arm64/Release
 -----BEGIN PGP SIGNATURE-----
 
-iQGzBAEBCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmTGYysACgkQZYKNdDzu
-i2nJWgwAlGrzcAQsvZvsCaQjbWBndiJDtndfj8BQyRORCbbdEQ0pej2KOj7X+BIJ
-/u7fKHLBKQ/oHZ/t7Bijv5z0MG3n1oG1AK0vAwMFr0t8yJQzl6DuwqQrTgeIsAQ5
-3kHoqbxDuFLUssNUcHsl3yWMULHOb8pteavSfjf7YZiBXmr2qhN+OEV69oHlOPju
-UkTPvBTYlt4OPoESLMxk61O1YWB42Y5NpVzx2q6oft5d/D3OzND2SgTrGCQDvWYJ
-55EkN9ddV3hGMqTr216vcq3k0DpHCcUhAd0L2tlyVDnf01mdj9YqtflZM2XfxQ1e
-jdDcvHh9BqDlEG2mODtTpQY6aOuNdKX5sx61Vblf7QiQDQMDI0dg7wsco/KiftcT
-5QGvOGv2dehlJggMEXxF0B6cLzduwSu2O5OlbFUVqvUhXV+5RKSuiV3g+1g4BonS
-faL1bLlMI5iIpO9qJCPvqrVepbRl1bYz7sMIdeVYTGWdcV7MdnZ8RJynIuhlItCk
-oI2X+qhm
-=RQGT
+iQGzBAEBCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmWufiMACgkQZYKNdDzu
+i2mn3gv+JLmQzgnDkwe6xBp4i9HeeAN3VfXBvtqw0lvWRdDjTJci+juhcc6prP/T
+ec8v/afIWzw4BvsilOVbbTUYRUZaRHcaVUpLaFz8gbufGWw5PvJAY0dOqOURnuGP
+PCavrAGxFV7CvPTsIyCL5Zocx8a0I3K/0x5f/37cLr8rvwvOxYZWbwgsYd6zwcpL
+7RxpyMVr8o8CvGxAJuR8SzwRo1izy13ZWzmw8qeJCtfY8jev3Z/V6HuJK3CYhzRa
+HjS3JLWvrVL4QO9uk6bn33pMDp7oFGltRRU4vwtsWBxzSi1/gGSuNlQEBv9SS/6P
+SoV1kPLQw/6CeY+gyAPX+OBOE7GNSwauXVtziMi4ubQ1FQdOD+NQSxPe6Fz1nUQg
+G+YX9b9OErwwjie1UyzCCXDODicrDtDVg2q55s30CA8qpO7GW3FthcYghoh/tne2
+WST9nT5HHXxHGozPEalyiU+44k3o6SblCmsEkHN13XyiMz8qeYRsRBWY0ZwIAqJv
+BTz444mw
+=i42q
 -----END PGP SIGNATURE-----

debian/dists/focal/Release

@@ -1,37 +1,37 @@
 Origin: Unofficial Innernet Debian repository
 Label: innernet-debian
 Codename: focal
-Date: Sun, 30 Jul 2023 13:18:34 UTC
+Date: Mon, 22 Jan 2024 14:39:30 UTC
 Architectures: amd64 armhf arm64
 Components: contrib
 Description: APT repository for https://github.com/tonarino/innernet/.
 MD5Sum:
- 09585d6972df6d213e1a2a95a6d7f783 12098 contrib/binary-amd64/Packages
- f71f3ea5d0ab6f8e0dad303f04573e81 4799 contrib/binary-amd64/Packages.gz
+ 2eed532c18080f94efa64a20e0850101 1493 contrib/binary-amd64/Packages
+ 42d48d316784c03b360d12d06bc3e4e6 663 contrib/binary-amd64/Packages.gz
  77dc2b012f45038d5be68f81d464ee44 179 contrib/binary-amd64/Release
- b1dcfb8ffed93c950262d0d18d93e8db 12097 contrib/binary-armhf/Packages
- 11ffc1ea682429a3cfd051979b9d6dcc 4799 contrib/binary-armhf/Packages.gz
+ ad99ee2214dc0e890ca4f4b28d6dbaf0 1493 contrib/binary-armhf/Packages
+ 14b3724f4a55b292edc58e5159320fb0 665 contrib/binary-armhf/Packages.gz
  2e56331833f644fa9dad5483acc93e55 179 contrib/binary-armhf/Release
- 9e4f28eca65271f15f684a56874f433d 12097 contrib/binary-arm64/Packages
- edc6e00a474363010d79da0a577dbc64 4803 contrib/binary-arm64/Packages.gz
+ 3678a76f8c1f7789f33472b0b1425b6e 1492 contrib/binary-arm64/Packages
+ 53f3f8680c0a82954fde16e23c8f10cd 669 contrib/binary-arm64/Packages.gz
  16627cd2b6e090772a75639bb48cd54d 179 contrib/binary-arm64/Release
 SHA1:
- 87d9b5312a8e5e99090351a36d09785c02303cf1 12098 contrib/binary-amd64/Packages
- ea7af888161785eae92c690ddf4a3f0cf2f75cc9 4799 contrib/binary-amd64/Packages.gz
+ 2adb2413fdc1847cc786b4f5bcd3bcb9b63646f6 1493 contrib/binary-amd64/Packages
+ 27f8e6a53160f30fd9b00d8629eebeece2b37357 663 contrib/binary-amd64/Packages.gz
  a4f6bbfd6fe4ab5a01909278c4e13b05d6b06f13 179 contrib/binary-amd64/Release
- d0b3431eb3e21ceb02caa9dd63aaf8b2231e3e5e 12097 contrib/binary-armhf/Packages
- 3ff371bef4abda8010bc8ad4b8873acfb8bd220e 4799 contrib/binary-armhf/Packages.gz
+ f007c3ba7b8da39d1d93bf2ec1e4dd65b1e2bf7a 1493 contrib/binary-armhf/Packages
+ ffa3d9fa4156adc85bd1e1b4b424e25222ef22de 665 contrib/binary-armhf/Packages.gz
  dbfc90ff9af0819e8b73429a32e4691204b11da7 179 contrib/binary-armhf/Release
- b8d99778297cbd777821c7162c9146d3f0407b6c 12097 contrib/binary-arm64/Packages
- 2ec88f0de84b12f796712cf8bdd9ae163a5e78d0 4803 contrib/binary-arm64/Packages.gz
+ fa43b23088efe1cc2d56885126b335066e8a69ed 1492 contrib/binary-arm64/Packages
+ 615ac42f2ee41906f58c3145bb2723bb83bea85a 669 contrib/binary-arm64/Packages.gz
  af10abab9b82b0f8be34be72d478cd7efe4e64b9 179 contrib/binary-arm64/Release
 SHA256:
- ce495f6c9bc1fb23dab42746cf14086dde7f1531922919af49f93708d6f9428c 12098 contrib/binary-amd64/Packages
- 466c0a757405ed9c217efb1b5c81f4b722922ee63c462b668a9957f6459a38a9 4799 contrib/binary-amd64/Packages.gz
+ b555648b373a9d97e37ac3741a6f4e834d79547e42cf1adda20e61e3d5857115 1493 contrib/binary-amd64/Packages
+ 5d51808345cac6ab03939a1ac441cf1e03732f7d134a0b54aac1c20ede7c91f8 663 contrib/binary-amd64/Packages.gz
  67b3f0e511499d8b794eaf1524cea47d2263a1e8e43445c60f311dbef9a50e9c 179 contrib/binary-amd64/Release
- 749a6859a1f9859ad9963b7f1d2ea665adf505d4e9457cad997600e26e3c2112 12097 contrib/binary-armhf/Packages
- 5ee9f26a09e21a87dfdb376fa3a6098a61b4fb7056d0957f56b6f43a84f65e25 4799 contrib/binary-armhf/Packages.gz
+ 17752abfca0e7430b4979fc8c2277e7ad994dc9be693b0adfbc3fdb151306d80 1493 contrib/binary-armhf/Packages
+ aecf0a2cd2a2c80b1102845c275cdfdc93ed6912162f87c0d5bab0fa6f71d231 665 contrib/binary-armhf/Packages.gz
  ce7a57575ec61bf1af16351e2366f7114f6ad78e035696abaaac42f80dd8f425 179 contrib/binary-armhf/Release
- 24f6c2047566e4e6921badbbd7d9a6fe47e59acea3b932a1143bfb1783e63e84 12097 contrib/binary-arm64/Packages
- e7bc836e26a4d99973dc79ba64ebd6f62dc3e385685bb1963e111466f5205a26 4803 contrib/binary-arm64/Packages.gz
+ 99e7bc596aec7edf82bd42e264c73b5a040e8ea8885b4e209c684a767fe17028 1492 contrib/binary-arm64/Packages
+ 97044c4b7f2b0923390858c25b18107fc48da0085a43ea440eaf2c31388a44b3 669 contrib/binary-arm64/Packages.gz
  86092179ad14de3750a8a527f8419920154bd761ea7367b9452abe85cfbca03d 179 contrib/binary-arm64/Release

debian/dists/focal/Release.gpg

@@ -1,14 +1,14 @@
 -----BEGIN PGP SIGNATURE-----
 
-iQGzBAABCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmTGYyoACgkQZYKNdDzu
-i2lPdQv8DmSn+7u1+uudvM8K1fU9ShDGeZYtbyC2WhmX1OrI+aq8RQYO2qw6HVcj
-Sk+MuN2m1FxDV85mcCWA/VKzRcfiBn3Yybyzn75Pbeyl5TgRnHu9FKET5VSYH7gy
-9ulqONG18nZbshdS57GUwoxjlT2HVwjOLvQ7IKvX88DTKXQzkc7eiiZ3FCgOhX64
-ocGxIB4x6P6q2pCsEGhPGqdjUcYUGe98udxDlhQ99+EgtgtiCCowGtx6gqMuXj1g
-0FOycQlxhpGSPDQ+TW0vsIAauI3gERrqRPh+ZZbg2o7dQPyDYaXUXCeewpD5VqA1
-Gkv0oYRf+SRB215+tewJWTiwAS/Bxh6uxx/bNBk0kcYB3Sc9d6c5GSo78SXuNra1
-CHhtFUEKDNMG5aJet0gZBHDEwWl+4mCQsoGc+KzRTPfCgU02SvED75eaAt0pxHMa
-UjlYKGboA+Zg3FsNxGGRUVjQEAt1Semo4xLI2e/D3J7klxncMFvehzuoro9VV0ab
-3SLqGF5l
-=DsOy
+iQGzBAABCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmWufiIACgkQZYKNdDzu
+i2mQSwv+KUQZ2jeSsHTiFiPBK3796Gbgx6osrA9gIyAaDXf0A0oi7M9gwG2ew0HK
+gMLIKXgtMUeMIsUYp8yewGRAmZH8Mnk0VR2AkN/M17As2mq6GK6qugZiOZqmXhDO
+1LBGTMyden+krhJAfGrcJLJsZ0WBZN2HSzJhnyh3r9ZQA4wzuttkolxiOZuR8V5j
+tuStmYZKdhhY1BvqI+2u7kO1s2iX1G0EIpQcBob+iDpBFQ2SItFRFOihlvf+iiHq
+vJeCdpHY0iCH2prWesV26GsPcXhAOnmP/zJRkv2b7nRMhS0pLJ1ySmxflLZKaw4K
+7eFQaJ42K//etmEwRcOM6l2z6oGE0fKXXEbfyRjG6JViSdEss8X8N7T9uEKpROYU
+btfv3lO9mpuzZtzflyztZbFj+XjQuMMF0OT5BJUbtX+bBXX56V9PIpwpg/7XW86+
+IVO7wXUUUvBIFjQ/S31pEjPQveAW15WcSNCBOCDfLSySpqyEmTHnA0vv/Z7Y1qZr
+WVXtGxhv
+=dNuu
 -----END PGP SIGNATURE-----

debian/dists/focal/contrib/binary-amd64/Packages

@@ -1,378 +1,41 @@
 Package: innernet
-Version: 1.6.0-0ubuntu0~focal
+Version: 1.6.1-0ubuntu0~focal
 Architecture: amd64
 Vcs-Browser: https://github.com/tonarino/innernet
 Vcs-Git: https://github.com/tonarino/innernet
 Homepage: https://github.com/tonarino/innernet
 Maintainer: tonari <hey@tonari.no>
-Installed-Size: 3221
-Depends: systemd, libgcc1, libc6
+Installed-Size: 3541
+Depends: libc6, systemd, libgcc1
 Recommends: wireguard
 Priority: optional
 Section: net
-Filename: pool/contrib/i/innernet/innernet_1.6.0-0ubuntu0~focal_amd64.deb
-Size: 1017076
-SHA256: cd26fa15089a95bf69874116e89469f75a8d01b9fb344c7706a8a36fa804e0b4
-SHA1: c2699d37af2cffea4b19282477acf2b1ef367c21
-MD5sum: 4399b78eef1bbf075041fcb12c03fab8
+Filename: pool/contrib/i/innernet/innernet_1.6.1-0ubuntu0~focal_amd64.deb
+Size: 1111620
+SHA256: cacf84242e097f45af4037fe6d5669f39ac9c57cdb028585e020399ac3dc4791
+SHA1: 494b4cbe7ef2236e4399cb97c3988f8c0d572043
+MD5sum: 3c390c83ab807227421ec01efe63fbc8
 Description: A client to manage innernet network interfaces.
  innernet client binary for fetching peer information and conducting admin tasks
  such as adding a new peer.
 
 Package: innernet-server
-Version: 1.6.0-0ubuntu0~focal
+Version: 1.6.1-0ubuntu0~focal
 Architecture: amd64
 Vcs-Browser: https://github.com/tonarino/innernet
 Vcs-Git: https://github.com/tonarino/innernet
 Homepage: https://github.com/tonarino/innernet
 Maintainer: tonari <hey@tonari.no>
-Installed-Size: 4214
-Depends: libgcc1, zlib1g, libsqlite3-0, libc6, systemd
+Installed-Size: 4538
+Depends: libc6, libsqlite3-0, systemd, zlib1g, libgcc1
 Recommends: wireguard
 Source: innernet
 Priority: optional
 Section: net
-Filename: pool/contrib/i/innernet-server/innernet-server_1.6.0-0ubuntu0~focal_amd64.deb
-Size: 1499216
-SHA256: 539e7a438869dcb5b9a9bf2f2fa76afb1d226584fd2cd011a3c5f8dd8c4bb429
-SHA1: b4a6e87898a68666207fdaa08cd02b6b6b7b9bc9
-MD5sum: cbb3a19ddde8af07ac8cafb3b8cae132
+Filename: pool/contrib/i/innernet-server/innernet-server_1.6.1-0ubuntu0~focal_amd64.deb
+Size: 1590820
+SHA256: 5cf090c669a4c4f12e1ec39e56b3259c1a37249fad9fb5f07283e9e19dc76d28
+SHA1: bcaeafc7ea1a9662f0fc0ca1fb3e6dbc6385fa61
+MD5sum: 65f5fcd0ba8fbc5812991e82e7e460b3
 Description: A server to coordinate innernet networks.
- # innernet
- .
- [![Actively
- Maintained](https://img.shields.io/badge/Maintenance%20Level-Actively%20Maintained-green.svg)](https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d)
- [![MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/tonarino/innernet/blob/master/LICENSE)
- .
- A private network system that uses [WireGuard](https://wireguard.com) under the
- hood. See the [announcement blog
- post](https://blog.tonari.no/introducing-innernet) for a longer-winded
- explanation.
- .
- <img
- src="https://user-images.githubusercontent.com/373823/118917068-09ae7700-b96b-11eb-80f4-6860072d504d.gif"
- width="600" height="370">
- .
- `innernet` is similar in its goals to Slack's
- [nebula](https://github.com/slackhq/nebula) or
- [Tailscale](https://tailscale.com/), but takes a bit of a different approach.
- It aims to take advantage of existing networking concepts like CIDRs and the
- security properties of WireGuard to turn your computer's basic IP networking
- into more powerful ACL primitives.
- .
- `innernet` is not an official WireGuard project, and WireGuard is a registered
- trademark of Jason A. Donenfeld.
- .
- This has not received an independent security audit, and should be considered
- experimental software at this early point in its lifetime.
- .
- ## Usage
- .
- ### Server Creation
- .
- Every `innernet` network needs a coordination server to manage peers and
- provide endpoint information so peers can directly connect to each other.
- Create a new one with
- .
- ```sh
- sudo innernet-server new
- ```
- .
- The init wizard will ask you questions about your network and give you some
- reasonable defaults. It's good to familiarize yourself with [network
- CIDRs](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) as a lot
- of innernet's access control is based upon them. As an example, let's say the
- root CIDR for this network is `10.60.0.0/16`. Server initialization creates a
- special "infra" CIDR which contains the `innernet` server itself and is
- reachable from all CIDRs on the network.
- .
- Next we'll also create a `humans` CIDR where we can start adding some peers.
- .
- ```sh
- sudo innernet-server add-cidr <interface>
- ```
- .
- For the parent CIDR, you can simply choose your network's root CIDR. The name
- will be `humans`, and the CIDR will be `10.60.64.0/24` (not a great example
- unless you only want to support 256 humans, but it works for now...).
- .
- By default, peers which exist in this new CIDR will only be able to contact
- peers in the same CIDR, and the special "infra" CIDR which was created when the
- server was initialized.
- .
- A typical workflow for creating a new network is to create an admin peer from
- the `innernet-server` CLI, and then continue using that admin peer via the
- `innernet` client CLI to add any further peers or network CIDRs.
- .
- ```sh
- sudo innernet-server add-peer <interface>
- ```
- .
- Select the `humans` CIDR, and the CLI will automatically suggest the next
- available IP address. Any name is fine, just answer "yes" when asked if you
- would like to make the peer an admin. The process of adding a peer results in
- an invitation file. This file contains just enough information for the new peer
- to contact the `innernet` server and redeem its invitation. It should be
- transferred securely to the new peer, and it can only be used once to
- initialize the peer.
- .
- You can run the server with `innernet-server serve <interface>`, or if you're
- on Linux and want to run it via `systemctl`, run `systemctl enable --now
- innernet-server@<interface>`. If you're on a home network, don't forget to
- configure port forwarding to the `Listen Port` you specified when creating the
- `innernet` server.
- .
- ### Peer Initialization
- .
- Let's assume the invitation file generated in the steps above have been
- transferred to the machine a network admin will be using.
- .
- You can initialize the client with
- .
- ```sh
- sudo innernet install /path/to/invitation.toml
- ```
- .
- You can customize the network name if you want to, or leave it at the default.
- `innernet` will then connect to the `innernet` server via WireGuard, generate a
- new key pair, and register that pair with the server. The private key in the
- invitation file can no longer be used.
- .
- If everything was successful, the new peer is on the network. You can run
- things like
- .
- ```sh
- sudo innernet list
- ```
- .
- or
- .
- ```sh
- sudo innernet list --tree
- ```
- .
- to view the current network and all CIDRs visible to this peer.
- .
- Since we created an admin peer, we can also add new peers and CIDRs from this
- peer via `innernet` instead of having to always run commands on the server.
- .
- ### Adding Associations between CIDRs
- .
- In order for peers from one CIDR to be able to contact peers in another CIDR,
- those two CIDRs must be "associated" with each other.
- .
- With the admin peer we created above, let's add a new CIDR for some theoretical
- CI servers we have.
- .
- ```sh
- sudo innernet add-cidr <interface>
- ```
- .
- The name is `ci-servers` and the CIDR is `10.60.64.0/24`, but for this example
- it can be anything.
- .
- For now, we want peers in the `humans` CIDR to be able to access peers in the
- `ci-servers` CIDR.
- .
- ```sh
- sudo innernet add-association <interface>
- ```
- .
- The CLI will ask you to select the two CIDRs you want to associate. That's all
- it takes to allow peers in two different CIDRs to communicate!
- .
- You can verify the association with
- .
- ```sh
- sudo innernet list-associations <interface>
- ```
- .
- and associations can be deleted with
- .
- ```sh
- sudo innernet delete-associations <interface>
- ```
- .
- ### Enabling/Disabling Peers
- .
- For security reasons, IP addresses cannot be re-used by new peers, and
- therefore peers cannot be deleted. However, they can be disabled. Disabled
- peers will not show up in the list of peers when fetching the config for an
- interface.
- .
- Disable a peer with
- .
- ```su
- sudo innernet disable-peer <interface>
- ```
- .
- Or re-enable a peer with
- .
- ```su
- sudo innernet enable-peer <interface>
- ```
- .
- ### Specifying a Manual Endpoint
- .
- The `innernet` server will try to use the internet endpoint it sees from a peer
- so other peers can connect to that peer as well. This doesn't always work and
- you may want to set an endpoint explicitly. To set an endpoint, use
- .
- ```sh
- sudo innernet override-endpoint <interface>
- ```
- .
- You can go back to automatic endpoint discovery with
- .
- ```sh
- sudo innernet override-endpoint -u <interface>
- ```
- .
- ### Setting the Local WireGuard Listen Port
- .
- If you want to change the port which WireGuard listens on, use
- .
- ```sh
- sudo innernet set-listen-port <interface>
- ```
- .
- or unset the port and use a randomized port with
- .
- ```sh
- sudo innernet set-listen-port -u <interface>
- ```
- .
- ### Remove Network
- .
- To permanently uninstall a created network, use
- .
- ```sh
- sudo innernet-server uninstall <interface>
- ```
- .
- Use with care!
- .
- ## Security recommendations
- .
- If you're running a service on innernet, there are some important security
- considerations.
- .
- ### Enable strict Reverse Path Filtering ([RFC
- 3704](https://tools.ietf.org/html/rfc3704))
- .
- Strict RPF prevents packets from _other_ interfaces from having internal source
- IP addresses. This is _not_ the default on Linux, even though it is the right
- choice for 99.99% of situations. You can enable it by adding the following to a
- `/etc/sysctl.d/60-network-security.conf`:
- .
- ```
- net.ipv4.conf.all.rp_filter=1
- net.ipv4.conf.default.rp_filter=1
- ```
- .
- ### Bind to the WireGuard device
- .
- If possible, to _ensure_ that packets are only ever transmitted over the
- WireGuard interface, it's recommended that you use `SO_BINDTODEVICE` on Linux
- or `IP_BOUND_IF` on macOS/BSDs. If you have strict reverse path filtering,
- though, this is less of a concern.
- .
- ### IP addresses alone often aren't enough authentication
- .
- Even following all the above precautions, rogue applications on a peer's
- machines could be able to make requests on their behalf unless you add extra
- layers of authentication to mitigate this CSRF-type vector.
- .
- It's recommended that you carefully consider this possibility before deciding
- that the source IP is sufficient for your authentication needs on a service.
- .
- ## Installation
- .
- innernet has only officially been tested on Linux and MacOS, but we hope to
- support as many platforms as is feasible!
- .
- ### Runtime Dependencies
- .
- It's assumed that WireGuard is installed on your system, either via the kernel
- module in Linux 5.6 and later, or via the
- [`wireguard-go`](https://git.zx2c4.com/wireguard-go/about/) userspace
- implementation.
- .
- [WireGuard Installation Instructions](https://www.wireguard.com/install/)
- .
- ### Arch Linux
- .
- ```sh
- pacman -S innernet
- ```
- .
- ### Debian and Ubuntu
- .
- [**@tommie**](https://github.com/tommie) is kindly providing Debian/Ubuntu
- innernet builds in the https://github.com/tommie/innernet-debian repository.
- .
- ### Other Linux Distributions
- .
- We're looking for volunteers who are able to set up external builds for popular
- distributions. Please see issue
- [#203](https://github.com/tonarino/innernet/issues/203).
- .
- ### macOS
- .
- ```sh
- brew install tonarino/innernet/innernet
- ```
- .
- ### Cargo
- .
- ```sh
- # to install innernet:
- cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 client
- .
- # to install innernet-server:
- cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 server
- ```
- .
- Note that you'll be responsible for updating manually.
- .
- ## Development
- .
- ### `innernet-server` Build dependencies
- .
- - `rustc` / `cargo` (version 1.50.0 or higher)
- - `libclang` (see more info at
- [https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
- - `libsqlite3`
- .
- Build:
- .
- ```sh
- cargo build --release --bin innernet-server
- ```
- .
- The resulting binary will be located at `./target/release/innernet-server`
- .
- ### `innernet` Client CLI Build dependencies
- .
- - `rustc` / `cargo` (version 1.50.0 or higher)
- - `libclang` (see more info at
- [https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
- .
- Build:
- .
- ```sh
- cargo build --release --bin innernet
- ```
- .
- The resulting binary will be located at `./target/release/innernet`
- .
- ### Releases
- .
- Please run the release script from a Linux machine: generated shell completions
- depend on available wireguard backends and Mac doesn't support the `kernel`
- backend. 
- .
- 1. Fetch and check-out the `main` branch.
- 2. Run `./release.sh [patch|major|minor|rc]`
- 3. Push the `main` branch and the created tag to the repo.
 

debian/dists/focal/contrib/binary-arm64/Packages

@@ -1,378 +1,41 @@
 Package: innernet
-Version: 1.6.0-0ubuntu0~focal
+Version: 1.6.1-0ubuntu0~focal
 Architecture: arm64
 Vcs-Browser: https://github.com/tonarino/innernet
 Vcs-Git: https://github.com/tonarino/innernet
 Homepage: https://github.com/tonarino/innernet
 Maintainer: tonari <hey@tonari.no>
-Installed-Size: 2841
-Depends: libgcc1, systemd, libc6
+Installed-Size: 3097
+Depends: libc6, libgcc1, systemd
 Recommends: wireguard
 Priority: optional
 Section: net
-Filename: pool/contrib/i/innernet/innernet_1.6.0-0ubuntu0~focal_arm64.deb
-Size: 903012
-SHA256: d71dd1ea107dea559f8d15c01ae9d58761ba4afee3a9bc7a4c7112e824ce4ab3
-SHA1: 0139401fd3f08b403fc2a15f3a331c60ff24e570
-MD5sum: f85aeb8aa51538811ff2238914c4a1ab
+Filename: pool/contrib/i/innernet/innernet_1.6.1-0ubuntu0~focal_arm64.deb
+Size: 996348
+SHA256: 4cbb067b10d23478cdcc4bfc55ab21e57edc338b842f339cfc493ebd943a52bd
+SHA1: 741a5339bfdfd890c063d70b08287b772bca97e5
+MD5sum: 304643085d804b48f535073ee3f65f0f
 Description: A client to manage innernet network interfaces.
  innernet client binary for fetching peer information and conducting admin tasks
  such as adding a new peer.
 
 Package: innernet-server
-Version: 1.6.0-0ubuntu0~focal
+Version: 1.6.1-0ubuntu0~focal
 Architecture: arm64
 Vcs-Browser: https://github.com/tonarino/innernet
 Vcs-Git: https://github.com/tonarino/innernet
 Homepage: https://github.com/tonarino/innernet
 Maintainer: tonari <hey@tonari.no>
-Installed-Size: 3886
-Depends: libc6, libgcc1, zlib1g, systemd, libsqlite3-0
+Installed-Size: 4146
+Depends: zlib1g, systemd, libgcc1, libsqlite3-0, libc6
 Recommends: wireguard
 Source: innernet
 Priority: optional
 Section: net
-Filename: pool/contrib/i/innernet-server/innernet-server_1.6.0-0ubuntu0~focal_arm64.deb
-Size: 1355084
-SHA256: 46e22e21dcff4538ba143c5e32077983816b9c1d6ff7b856255e59df86023048
-SHA1: 8860342c49b89fa9238bd9ba7abed1d2afa63b54
-MD5sum: 43de229d49d6134e0801e6338009cf86
+Filename: pool/contrib/i/innernet-server/innernet-server_1.6.1-0ubuntu0~focal_arm64.deb
+Size: 1445676
+SHA256: f09f81ae098b4058e9531ef72d28369ea2011c9e71c226ada5ebd8e76fb41dea
+SHA1: 1039acb66fe9aaa8f77d68fae41c24340737990f
+MD5sum: ce39d9f66ae6013d12f10fc22a6023b6
 Description: A server to coordinate innernet networks.
- # innernet
- .
- [![Actively
- Maintained](https://img.shields.io/badge/Maintenance%20Level-Actively%20Maintained-green.svg)](https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d)
- [![MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/tonarino/innernet/blob/master/LICENSE)
- .
- A private network system that uses [WireGuard](https://wireguard.com) under the
- hood. See the [announcement blog
- post](https://blog.tonari.no/introducing-innernet) for a longer-winded
- explanation.
- .
- <img
- src="https://user-images.githubusercontent.com/373823/118917068-09ae7700-b96b-11eb-80f4-6860072d504d.gif"
- width="600" height="370">
- .
- `innernet` is similar in its goals to Slack's
- [nebula](https://github.com/slackhq/nebula) or
- [Tailscale](https://tailscale.com/), but takes a bit of a different approach.
- It aims to take advantage of existing networking concepts like CIDRs and the
- security properties of WireGuard to turn your computer's basic IP networking
- into more powerful ACL primitives.
- .
- `innernet` is not an official WireGuard project, and WireGuard is a registered
- trademark of Jason A. Donenfeld.
- .
- This has not received an independent security audit, and should be considered
- experimental software at this early point in its lifetime.
- .
- ## Usage
- .
- ### Server Creation
- .
- Every `innernet` network needs a coordination server to manage peers and
- provide endpoint information so peers can directly connect to each other.
- Create a new one with
- .
- ```sh
- sudo innernet-server new
- ```
- .
- The init wizard will ask you questions about your network and give you some
- reasonable defaults. It's good to familiarize yourself with [network
- CIDRs](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) as a lot
- of innernet's access control is based upon them. As an example, let's say the
- root CIDR for this network is `10.60.0.0/16`. Server initialization creates a
- special "infra" CIDR which contains the `innernet` server itself and is
- reachable from all CIDRs on the network.
- .
- Next we'll also create a `humans` CIDR where we can start adding some peers.
- .
- ```sh
- sudo innernet-server add-cidr <interface>
- ```
- .
- For the parent CIDR, you can simply choose your network's root CIDR. The name
- will be `humans`, and the CIDR will be `10.60.64.0/24` (not a great example
- unless you only want to support 256 humans, but it works for now...).
- .
- By default, peers which exist in this new CIDR will only be able to contact
- peers in the same CIDR, and the special "infra" CIDR which was created when the
- server was initialized.
- .
- A typical workflow for creating a new network is to create an admin peer from
- the `innernet-server` CLI, and then continue using that admin peer via the
- `innernet` client CLI to add any further peers or network CIDRs.
- .
- ```sh
- sudo innernet-server add-peer <interface>
- ```
- .
- Select the `humans` CIDR, and the CLI will automatically suggest the next
- available IP address. Any name is fine, just answer "yes" when asked if you
- would like to make the peer an admin. The process of adding a peer results in
- an invitation file. This file contains just enough information for the new peer
- to contact the `innernet` server and redeem its invitation. It should be
- transferred securely to the new peer, and it can only be used once to
- initialize the peer.
- .
- You can run the server with `innernet-server serve <interface>`, or if you're
- on Linux and want to run it via `systemctl`, run `systemctl enable --now
- innernet-server@<interface>`. If you're on a home network, don't forget to
- configure port forwarding to the `Listen Port` you specified when creating the
- `innernet` server.
- .
- ### Peer Initialization
- .
- Let's assume the invitation file generated in the steps above have been
- transferred to the machine a network admin will be using.
- .
- You can initialize the client with
- .
- ```sh
- sudo innernet install /path/to/invitation.toml
- ```
- .
- You can customize the network name if you want to, or leave it at the default.
- `innernet` will then connect to the `innernet` server via WireGuard, generate a
- new key pair, and register that pair with the server. The private key in the
- invitation file can no longer be used.
- .
- If everything was successful, the new peer is on the network. You can run
- things like
- .
- ```sh
- sudo innernet list
- ```
- .
- or
- .
- ```sh
- sudo innernet list --tree
- ```
- .
- to view the current network and all CIDRs visible to this peer.
- .
- Since we created an admin peer, we can also add new peers and CIDRs from this
- peer via `innernet` instead of having to always run commands on the server.
- .
- ### Adding Associations between CIDRs
- .
- In order for peers from one CIDR to be able to contact peers in another CIDR,
- those two CIDRs must be "associated" with each other.
- .
- With the admin peer we created above, let's add a new CIDR for some theoretical
- CI servers we have.
- .
- ```sh
- sudo innernet add-cidr <interface>
- ```
- .
- The name is `ci-servers` and the CIDR is `10.60.64.0/24`, but for this example
- it can be anything.
- .
- For now, we want peers in the `humans` CIDR to be able to access peers in the
- `ci-servers` CIDR.
- .
- ```sh
- sudo innernet add-association <interface>
- ```
- .
- The CLI will ask you to select the two CIDRs you want to associate. That's all
- it takes to allow peers in two different CIDRs to communicate!
- .
- You can verify the association with
- .
- ```sh
- sudo innernet list-associations <interface>
- ```
- .
- and associations can be deleted with
- .
- ```sh
- sudo innernet delete-associations <interface>
- ```
- .
- ### Enabling/Disabling Peers
- .
- For security reasons, IP addresses cannot be re-used by new peers, and
- therefore peers cannot be deleted. However, they can be disabled. Disabled
- peers will not show up in the list of peers when fetching the config for an
- interface.
- .
- Disable a peer with
- .
- ```su
- sudo innernet disable-peer <interface>
- ```
- .
- Or re-enable a peer with
- .
- ```su
- sudo innernet enable-peer <interface>
- ```
- .
- ### Specifying a Manual Endpoint
- .
- The `innernet` server will try to use the internet endpoint it sees from a peer
- so other peers can connect to that peer as well. This doesn't always work and
- you may want to set an endpoint explicitly. To set an endpoint, use
- .
- ```sh
- sudo innernet override-endpoint <interface>
- ```
- .
- You can go back to automatic endpoint discovery with
- .
- ```sh
- sudo innernet override-endpoint -u <interface>
- ```
- .
- ### Setting the Local WireGuard Listen Port
- .
- If you want to change the port which WireGuard listens on, use
- .
- ```sh
- sudo innernet set-listen-port <interface>
- ```
- .
- or unset the port and use a randomized port with
- .
- ```sh
- sudo innernet set-listen-port -u <interface>
- ```
- .
- ### Remove Network
- .
- To permanently uninstall a created network, use
- .
- ```sh
- sudo innernet-server uninstall <interface>
- ```
- .
- Use with care!
- .
- ## Security recommendations
- .
- If you're running a service on innernet, there are some important security
- considerations.
- .
- ### Enable strict Reverse Path Filtering ([RFC
- 3704](https://tools.ietf.org/html/rfc3704))
- .
- Strict RPF prevents packets from _other_ interfaces from having internal source
- IP addresses. This is _not_ the default on Linux, even though it is the right
- choice for 99.99% of situations. You can enable it by adding the following to a
- `/etc/sysctl.d/60-network-security.conf`:
- .
- ```
- net.ipv4.conf.all.rp_filter=1
- net.ipv4.conf.default.rp_filter=1
- ```
- .
- ### Bind to the WireGuard device
- .
- If possible, to _ensure_ that packets are only ever transmitted over the
- WireGuard interface, it's recommended that you use `SO_BINDTODEVICE` on Linux
- or `IP_BOUND_IF` on macOS/BSDs. If you have strict reverse path filtering,
- though, this is less of a concern.
- .
- ### IP addresses alone often aren't enough authentication
- .
- Even following all the above precautions, rogue applications on a peer's
- machines could be able to make requests on their behalf unless you add extra
- layers of authentication to mitigate this CSRF-type vector.
- .
- It's recommended that you carefully consider this possibility before deciding
- that the source IP is sufficient for your authentication needs on a service.
- .
- ## Installation
- .
- innernet has only officially been tested on Linux and MacOS, but we hope to
- support as many platforms as is feasible!
- .
- ### Runtime Dependencies
- .
- It's assumed that WireGuard is installed on your system, either via the kernel
- module in Linux 5.6 and later, or via the
- [`wireguard-go`](https://git.zx2c4.com/wireguard-go/about/) userspace
- implementation.
- .
- [WireGuard Installation Instructions](https://www.wireguard.com/install/)
- .
- ### Arch Linux
- .
- ```sh
- pacman -S innernet
- ```
- .
- ### Debian and Ubuntu
- .
- [**@tommie**](https://github.com/tommie) is kindly providing Debian/Ubuntu
- innernet builds in the https://github.com/tommie/innernet-debian repository.
- .
- ### Other Linux Distributions
- .
- We're looking for volunteers who are able to set up external builds for popular
- distributions. Please see issue
- [#203](https://github.com/tonarino/innernet/issues/203).
- .
- ### macOS
- .
- ```sh
- brew install tonarino/innernet/innernet
- ```
- .
- ### Cargo
- .
- ```sh
- # to install innernet:
- cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 client
- .
- # to install innernet-server:
- cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 server
- ```
- .
- Note that you'll be responsible for updating manually.
- .
- ## Development
- .
- ### `innernet-server` Build dependencies
- .
- - `rustc` / `cargo` (version 1.50.0 or higher)
- - `libclang` (see more info at
- [https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
- - `libsqlite3`
- .
- Build:
- .
- ```sh
- cargo build --release --bin innernet-server
- ```
- .
- The resulting binary will be located at `./target/release/innernet-server`
- .
- ### `innernet` Client CLI Build dependencies
- .
- - `rustc` / `cargo` (version 1.50.0 or higher)
- - `libclang` (see more info at
- [https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
- .
- Build:
- .
- ```sh
- cargo build --release --bin innernet
- ```
- .
- The resulting binary will be located at `./target/release/innernet`
- .
- ### Releases
- .
- Please run the release script from a Linux machine: generated shell completions
- depend on available wireguard backends and Mac doesn't support the `kernel`
- backend. 
- .
- 1. Fetch and check-out the `main` branch.
- 2. Run `./release.sh [patch|major|minor|rc]`
- 3. Push the `main` branch and the created tag to the repo.
 

debian/dists/focal/contrib/binary-armhf/Packages

@@ -1,378 +1,41 @@
 Package: innernet
-Version: 1.6.0-0ubuntu0~focal
+Version: 1.6.1-0ubuntu0~focal
 Architecture: armhf
 Vcs-Browser: https://github.com/tonarino/innernet
 Vcs-Git: https://github.com/tonarino/innernet
 Homepage: https://github.com/tonarino/innernet
 Maintainer: tonari <hey@tonari.no>
-Installed-Size: 2684
-Depends: libgcc1, libc6, systemd
+Installed-Size: 2964
+Depends: libgcc1, systemd, libc6
 Recommends: wireguard
 Priority: optional
 Section: net
-Filename: pool/contrib/i/innernet/innernet_1.6.0-0ubuntu0~focal_armhf.deb
-Size: 916708
-SHA256: 5a659fba5e5410ea9cb5591753075fcc040c92386e3e6382efacd43583e2c782
-SHA1: 03ac24914abd80fcaee5d0dacd77c2b4aebfd08c
-MD5sum: b0c21e227ed3ca35815137d941035b1f
+Filename: pool/contrib/i/innernet/innernet_1.6.1-0ubuntu0~focal_armhf.deb
+Size: 1005280
+SHA256: 144834c9ae90445110342ddd032994c6f90a47a07a97aace37b2490fe85e13d8
+SHA1: 45267cbbea12a873d8aba9477b7bad59b6fdbf2f
+MD5sum: de313d6bc2990a36955cebd34e328dbb
 Description: A client to manage innernet network interfaces.
  innernet client binary for fetching peer information and conducting admin tasks
  such as adding a new peer.
 
 Package: innernet-server
-Version: 1.6.0-0ubuntu0~focal
+Version: 1.6.1-0ubuntu0~focal
 Architecture: armhf
 Vcs-Browser: https://github.com/tonarino/innernet
 Vcs-Git: https://github.com/tonarino/innernet
 Homepage: https://github.com/tonarino/innernet
 Maintainer: tonari <hey@tonari.no>
-Installed-Size: 3343
-Depends: libgcc1, zlib1g, libc6, libsqlite3-0, systemd
+Installed-Size: 3627
+Depends: libsqlite3-0, zlib1g, systemd, libgcc1, libc6
 Recommends: wireguard
 Source: innernet
 Priority: optional
 Section: net
-Filename: pool/contrib/i/innernet-server/innernet-server_1.6.0-0ubuntu0~focal_armhf.deb
-Size: 1337176
-SHA256: 429c6cbf976e82910bd9be68b772a9264f680ea051c1850074a25e39e6d03059
-SHA1: d97a2f0ae144af2a67dc6dc9df547fc0b61d3058
-MD5sum: 105818d65bcc4e3ffbb3feb7dab0867c
+Filename: pool/contrib/i/innernet-server/innernet-server_1.6.1-0ubuntu0~focal_armhf.deb
+Size: 1427788
+SHA256: ecc84c8d03f42fa02e4b827be17f79769871171fe7617da65cea97200eca4b29
+SHA1: f700e1d31662a507f90c00b9ab09ea4c5596ba2f
+MD5sum: 3f0337283e95cfea0156fb9e8cebc03e
 Description: A server to coordinate innernet networks.
- # innernet
- .
- [![Actively
- Maintained](https://img.shields.io/badge/Maintenance%20Level-Actively%20Maintained-green.svg)](https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d)
- [![MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/tonarino/innernet/blob/master/LICENSE)
- .
- A private network system that uses [WireGuard](https://wireguard.com) under the
- hood. See the [announcement blog
- post](https://blog.tonari.no/introducing-innernet) for a longer-winded
- explanation.
- .
- <img
- src="https://user-images.githubusercontent.com/373823/118917068-09ae7700-b96b-11eb-80f4-6860072d504d.gif"
- width="600" height="370">
- .
- `innernet` is similar in its goals to Slack's
- [nebula](https://github.com/slackhq/nebula) or
- [Tailscale](https://tailscale.com/), but takes a bit of a different approach.
- It aims to take advantage of existing networking concepts like CIDRs and the
- security properties of WireGuard to turn your computer's basic IP networking
- into more powerful ACL primitives.
- .
- `innernet` is not an official WireGuard project, and WireGuard is a registered
- trademark of Jason A. Donenfeld.
- .
- This has not received an independent security audit, and should be considered
- experimental software at this early point in its lifetime.
- .
- ## Usage
- .
- ### Server Creation
- .
- Every `innernet` network needs a coordination server to manage peers and
- provide endpoint information so peers can directly connect to each other.
- Create a new one with
- .
- ```sh
- sudo innernet-server new
- ```
- .
- The init wizard will ask you questions about your network and give you some
- reasonable defaults. It's good to familiarize yourself with [network
- CIDRs](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) as a lot
- of innernet's access control is based upon them. As an example, let's say the
- root CIDR for this network is `10.60.0.0/16`. Server initialization creates a
- special "infra" CIDR which contains the `innernet` server itself and is
- reachable from all CIDRs on the network.
- .
- Next we'll also create a `humans` CIDR where we can start adding some peers.
- .
- ```sh
- sudo innernet-server add-cidr <interface>
- ```
- .
- For the parent CIDR, you can simply choose your network's root CIDR. The name
- will be `humans`, and the CIDR will be `10.60.64.0/24` (not a great example
- unless you only want to support 256 humans, but it works for now...).
- .
- By default, peers which exist in this new CIDR will only be able to contact
- peers in the same CIDR, and the special "infra" CIDR which was created when the
- server was initialized.
- .
- A typical workflow for creating a new network is to create an admin peer from
- the `innernet-server` CLI, and then continue using that admin peer via the
- `innernet` client CLI to add any further peers or network CIDRs.
- .
- ```sh
- sudo innernet-server add-peer <interface>
- ```
- .
- Select the `humans` CIDR, and the CLI will automatically suggest the next
- available IP address. Any name is fine, just answer "yes" when asked if you
- would like to make the peer an admin. The process of adding a peer results in
- an invitation file. This file contains just enough information for the new peer
- to contact the `innernet` server and redeem its invitation. It should be
- transferred securely to the new peer, and it can only be used once to
- initialize the peer.
- .
- You can run the server with `innernet-server serve <interface>`, or if you're
- on Linux and want to run it via `systemctl`, run `systemctl enable --now
- innernet-server@<interface>`. If you're on a home network, don't forget to
- configure port forwarding to the `Listen Port` you specified when creating the
- `innernet` server.
- .
- ### Peer Initialization
- .
- Let's assume the invitation file generated in the steps above have been
- transferred to the machine a network admin will be using.
- .
- You can initialize the client with
- .
- ```sh
- sudo innernet install /path/to/invitation.toml
- ```
- .
- You can customize the network name if you want to, or leave it at the default.
- `innernet` will then connect to the `innernet` server via WireGuard, generate a
- new key pair, and register that pair with the server. The private key in the
- invitation file can no longer be used.
- .
- If everything was successful, the new peer is on the network. You can run
- things like
- .
- ```sh
- sudo innernet list
- ```
- .
- or
- .
- ```sh
- sudo innernet list --tree
- ```
- .
- to view the current network and all CIDRs visible to this peer.
- .
- Since we created an admin peer, we can also add new peers and CIDRs from this
- peer via `innernet` instead of having to always run commands on the server.
- .
- ### Adding Associations between CIDRs
- .
- In order for peers from one CIDR to be able to contact peers in another CIDR,
- those two CIDRs must be "associated" with each other.
- .
- With the admin peer we created above, let's add a new CIDR for some theoretical
- CI servers we have.
- .
- ```sh
- sudo innernet add-cidr <interface>
- ```
- .
- The name is `ci-servers` and the CIDR is `10.60.64.0/24`, but for this example
- it can be anything.
- .
- For now, we want peers in the `humans` CIDR to be able to access peers in the
- `ci-servers` CIDR.
- .
- ```sh
- sudo innernet add-association <interface>
- ```
- .
- The CLI will ask you to select the two CIDRs you want to associate. That's all
- it takes to allow peers in two different CIDRs to communicate!
- .
- You can verify the association with
- .
- ```sh
- sudo innernet list-associations <interface>
- ```
- .
- and associations can be deleted with
- .
- ```sh
- sudo innernet delete-associations <interface>
- ```
- .
- ### Enabling/Disabling Peers
- .
- For security reasons, IP addresses cannot be re-used by new peers, and
- therefore peers cannot be deleted. However, they can be disabled. Disabled
- peers will not show up in the list of peers when fetching the config for an
- interface.
- .
- Disable a peer with
- .
- ```su
- sudo innernet disable-peer <interface>
- ```
- .
- Or re-enable a peer with
- .
- ```su
- sudo innernet enable-peer <interface>
- ```
- .
- ### Specifying a Manual Endpoint
- .
- The `innernet` server will try to use the internet endpoint it sees from a peer
- so other peers can connect to that peer as well. This doesn't always work and
- you may want to set an endpoint explicitly. To set an endpoint, use
- .
- ```sh
- sudo innernet override-endpoint <interface>
- ```
- .
- You can go back to automatic endpoint discovery with
- .
- ```sh
- sudo innernet override-endpoint -u <interface>
- ```
- .
- ### Setting the Local WireGuard Listen Port
- .
- If you want to change the port which WireGuard listens on, use
- .
- ```sh
- sudo innernet set-listen-port <interface>
- ```
- .
- or unset the port and use a randomized port with
- .
- ```sh
- sudo innernet set-listen-port -u <interface>
- ```
- .
- ### Remove Network
- .
- To permanently uninstall a created network, use
- .
- ```sh
- sudo innernet-server uninstall <interface>
- ```
- .
- Use with care!
- .
- ## Security recommendations
- .
- If you're running a service on innernet, there are some important security
- considerations.
- .
- ### Enable strict Reverse Path Filtering ([RFC
- 3704](https://tools.ietf.org/html/rfc3704))
- .
- Strict RPF prevents packets from _other_ interfaces from having internal source
- IP addresses. This is _not_ the default on Linux, even though it is the right
- choice for 99.99% of situations. You can enable it by adding the following to a
- `/etc/sysctl.d/60-network-security.conf`:
- .
- ```
- net.ipv4.conf.all.rp_filter=1
- net.ipv4.conf.default.rp_filter=1
- ```
- .
- ### Bind to the WireGuard device
- .
- If possible, to _ensure_ that packets are only ever transmitted over the
- WireGuard interface, it's recommended that you use `SO_BINDTODEVICE` on Linux
- or `IP_BOUND_IF` on macOS/BSDs. If you have strict reverse path filtering,
- though, this is less of a concern.
- .
- ### IP addresses alone often aren't enough authentication
- .
- Even following all the above precautions, rogue applications on a peer's
- machines could be able to make requests on their behalf unless you add extra
- layers of authentication to mitigate this CSRF-type vector.
- .
- It's recommended that you carefully consider this possibility before deciding
- that the source IP is sufficient for your authentication needs on a service.
- .
- ## Installation
- .
- innernet has only officially been tested on Linux and MacOS, but we hope to
- support as many platforms as is feasible!
- .
- ### Runtime Dependencies
- .
- It's assumed that WireGuard is installed on your system, either via the kernel
- module in Linux 5.6 and later, or via the
- [`wireguard-go`](https://git.zx2c4.com/wireguard-go/about/) userspace
- implementation.
- .
- [WireGuard Installation Instructions](https://www.wireguard.com/install/)
- .
- ### Arch Linux
- .
- ```sh
- pacman -S innernet
- ```
- .
- ### Debian and Ubuntu
- .
- [**@tommie**](https://github.com/tommie) is kindly providing Debian/Ubuntu
- innernet builds in the https://github.com/tommie/innernet-debian repository.
- .
- ### Other Linux Distributions
- .
- We're looking for volunteers who are able to set up external builds for popular
- distributions. Please see issue
- [#203](https://github.com/tonarino/innernet/issues/203).
- .
- ### macOS
- .
- ```sh
- brew install tonarino/innernet/innernet
- ```
- .
- ### Cargo
- .
- ```sh
- # to install innernet:
- cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 client
- .
- # to install innernet-server:
- cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 server
- ```
- .
- Note that you'll be responsible for updating manually.
- .
- ## Development
- .
- ### `innernet-server` Build dependencies
- .
- - `rustc` / `cargo` (version 1.50.0 or higher)
- - `libclang` (see more info at
- [https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
- - `libsqlite3`
- .
- Build:
- .
- ```sh
- cargo build --release --bin innernet-server
- ```
- .
- The resulting binary will be located at `./target/release/innernet-server`
- .
- ### `innernet` Client CLI Build dependencies
- .
- - `rustc` / `cargo` (version 1.50.0 or higher)
- - `libclang` (see more info at
- [https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
- .
- Build:
- .
- ```sh
- cargo build --release --bin innernet
- ```
- .
- The resulting binary will be located at `./target/release/innernet`
- .
- ### Releases
- .
- Please run the release script from a Linux machine: generated shell completions
- depend on available wireguard backends and Mac doesn't support the `kernel`
- backend. 
- .
- 1. Fetch and check-out the `main` branch.
- 2. Run `./release.sh [patch|major|minor|rc]`
- 3. Push the `main` branch and the created tag to the repo.
 

debian/dists/jammy/InRelease

@@ -4,51 +4,51 @@ Hash: SHA512
 Origin: Unofficial Innernet Debian repository
 Label: innernet-debian
 Codename: jammy
-Date: Sun, 30 Jul 2023 13:18:35 UTC
+Date: Mon, 22 Jan 2024 14:39:31 UTC
 Architectures: amd64 armhf arm64
 Components: contrib
 Description: APT repository for https://github.com/tonarino/innernet/.
 MD5Sum:
- c3fb046e579f2886ef6b3cf3e219ba05 12098 contrib/binary-amd64/Packages
- e09b77d60d34ab4af3b28265d59cea19 4799 contrib/binary-amd64/Packages.gz
+ d0ba34ce3b6d9952f14fec62fc228396 1493 contrib/binary-amd64/Packages
+ 45d906fa5e0acef087cecfbb88637cfb 664 contrib/binary-amd64/Packages.gz
  77dc2b012f45038d5be68f81d464ee44 179 contrib/binary-amd64/Release
- 780524704fdb47454787362f650f63b2 12097 contrib/binary-armhf/Packages
- 092d4159daa0a41922473929fb72b666 4798 contrib/binary-armhf/Packages.gz
+ 1a7d078d59f956c36cb9af24421d58b5 1493 contrib/binary-armhf/Packages
+ 73e7d5f7a070e2a977dba83528666735 670 contrib/binary-armhf/Packages.gz
  2e56331833f644fa9dad5483acc93e55 179 contrib/binary-armhf/Release
- 774c59f064602c6d2a571c4927700ea1 12097 contrib/binary-arm64/Packages
- 111c0179f59c4f065197f95058495807 4802 contrib/binary-arm64/Packages.gz
+ 3835ac29b2e4abdbb03761a7def4ca1a 1492 contrib/binary-arm64/Packages
+ 9a76fb55773a8927dbf5d6772883a67d 670 contrib/binary-arm64/Packages.gz
  16627cd2b6e090772a75639bb48cd54d 179 contrib/binary-arm64/Release
 SHA1:
- 24f3f3be92fa94c5c91f4e1016a87dc3bee36bc0 12098 contrib/binary-amd64/Packages
- 91350afc9bc7f37a9fa65c7827fd0161cefc2791 4799 contrib/binary-amd64/Packages.gz
+ 44a8bc649737cef228c1636fce540cd8e0bd9879 1493 contrib/binary-amd64/Packages
+ cb92cb8c8d1575e349c7b0a036cd428c1bb2be2e 664 contrib/binary-amd64/Packages.gz
  a4f6bbfd6fe4ab5a01909278c4e13b05d6b06f13 179 contrib/binary-amd64/Release
- ba0280a48581058691a8a392862fbf3820b841d0 12097 contrib/binary-armhf/Packages
- b7d567b2b284f0734227eaa771004539525a2d90 4798 contrib/binary-armhf/Packages.gz
+ 182817b310588626db5d70cde4f7cf153f51227f 1493 contrib/binary-armhf/Packages
+ 82bb11445b2c40739fad0483330f954fd02d70e5 670 contrib/binary-armhf/Packages.gz
  dbfc90ff9af0819e8b73429a32e4691204b11da7 179 contrib/binary-armhf/Release
- 6d826c8431b6b5983b654a37a34d68efa4148b8a 12097 contrib/binary-arm64/Packages
- 1c5ee6f104cf87055db66f368be7792d52a60094 4802 contrib/binary-arm64/Packages.gz
+ d5be2800fa329c667af096b9715c717296158a59 1492 contrib/binary-arm64/Packages
+ 5e263fc169fe81663708613e5ac650ba67a27cc7 670 contrib/binary-arm64/Packages.gz
  af10abab9b82b0f8be34be72d478cd7efe4e64b9 179 contrib/binary-arm64/Release
 SHA256:
- 42614d2b5bb2bc2be526f2aac7a249a78fe9e06b6dfbf174f1b81f774e9c94d9 12098 contrib/binary-amd64/Packages
- 5e2f2c7f0d4e5b718e3e4429aea9e02ea1d2cda4b8e68357dddae26eae7e0df5 4799 contrib/binary-amd64/Packages.gz
+ 9624962ee4713509b15a98e0a940b277bda2631737834b46a58d7c033e45924a 1493 contrib/binary-amd64/Packages
+ 511c0f3415d3b7ad70f0a09d63a1e7d9bbc4b05ef5a20ccc3255b2121ecc6993 664 contrib/binary-amd64/Packages.gz
  67b3f0e511499d8b794eaf1524cea47d2263a1e8e43445c60f311dbef9a50e9c 179 contrib/binary-amd64/Release
- 6920dfcb12fa912d057fbef51193867d02a2d52a02ac8cbd8e43346e199edf44 12097 contrib/binary-armhf/Packages
- 0039297dbd77d349e5acf51945cda8f284f3d1813746789c31127472ad019a6e 4798 contrib/binary-armhf/Packages.gz
+ 6bdaf958dea865165073e34b7b5ebd42e4ad26c2df9b14bfcdc906f34b5bc2df 1493 contrib/binary-armhf/Packages
+ 4a56ffd40c240288d1c5acd68d3238bf05c726e01e52ec0d26f4f285eddde04a 670 contrib/binary-armhf/Packages.gz
  ce7a57575ec61bf1af16351e2366f7114f6ad78e035696abaaac42f80dd8f425 179 contrib/binary-armhf/Release
- eee57fae348c6121d8aee97c08e437cc62471dd87103df971d368e72791b4447 12097 contrib/binary-arm64/Packages
- 3a77da57917309f4fce907bf2828bd2def020f210d77e18ec80c6b0d58c65475 4802 contrib/binary-arm64/Packages.gz
+ dd736db09149c25a8036d9a458e41c284901800c8333df94bb6e3e5569718f6f 1492 contrib/binary-arm64/Packages
+ 21696fb8c8c88d03f04a24d302f2985e8373657f3de6d747bd76f699e1fd8cd8 670 contrib/binary-arm64/Packages.gz
  86092179ad14de3750a8a527f8419920154bd761ea7367b9452abe85cfbca03d 179 contrib/binary-arm64/Release
 -----BEGIN PGP SIGNATURE-----
 
-iQGzBAEBCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmTGYysACgkQZYKNdDzu
-i2kz1wv+NcR8ROJf8Azw6AQPyL8gzuT2c9gRVcMEMGvMtbU/phJQXZReBGgvdcZX
-r5hY3SwMdvgXxPzWhYr1lnhA71NmPhUxjc2H+J0dGULxMnvoyQ88/UQQpaAIyZsq
-JuuT1D5QHJ9ZWI3SGDKOcdsb2ix51sYVoYsRx/OO5RlYofLfAgU0wGrfa0pUj3l9
-OVO0QBeqyb4Xs2+3sjQH8NsJd3bIHOR65ULXJ33R/Bbkt0VYYgApiCMDVifJWMko
-HOZvH0lCvgVy5QE2Dg3KC/8nEVglky3cwwpnN6GWAMTFEFwArZ9IGfcNJmjfuwDz
-eUgNUnzItCHJyu8G1bX1IgKIHBMkJB9qXbr5DhDjVN8UrfD92A25ZXzbSsgzC6Zc
-O0Wt0xSuqmoaluwnePxmA/cmV3ffvdIBnBnXEKFaTf1l3aHcDAG0Zmh6/9abKx78
-Ey17a8voz9U3gRRZG2YTTVYIWhqPVxaPnC14slZzuC2CDWZBVF2f74sCYPqH6SF+
-zAGYm7Ur
-=6gHL
+iQGzBAEBCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmWufiMACgkQZYKNdDzu
+i2lsTAv/ZGKpG7zpwbFeZhKCqq8OXDBke26RS1AA9O6VIPT7pgVUuASAIEWTLp76
+E1KMYBS2zZzmWclepgPlevt6VS0RW/s2rSSaohQBUNPhzDq92Qoi2D0qoaxijMDy
+t4T2XHWI8PBZWQY7TuunaYXiRy8yL4kXjORKycjR0XUGGQDT8Dfjn9JQokhgWdt5
+YV3erdNrG+LqPtaS7sL0woMfptj6XBzIC/6+iD0D1ppZXWBcrfJsSrMjNfq8yNsH
+7Wvo9p2eB/yZXyIsECL0bCvvQgOYPyn1hZFaJRzud6IsgUIs2evzRVBxwC5cN8Ly
+XmgPKYtd6Ra/VLMkUxNBSaq5+bkVCo2CcbHwshCGN8XAnyzfKlu114rFNjh+jZo9
+sH/tUN6yTzo+KZc0xIMZZl1UTKW57UTKcp0hlABzUDHqedWWNxngB1ltQqHavKZG
+M+gYbBQtEbwpvnSSJszqEDCqwkee/86lJe5yyehJykDmDWWNOgUH0eK6nyadO7GP
+6HoZzgM1
+=2H5/
 -----END PGP SIGNATURE-----

debian/dists/jammy/Release

@@ -1,37 +1,37 @@
 Origin: Unofficial Innernet Debian repository
 Label: innernet-debian
 Codename: jammy
-Date: Sun, 30 Jul 2023 13:18:35 UTC
+Date: Mon, 22 Jan 2024 14:39:31 UTC
 Architectures: amd64 armhf arm64
 Components: contrib
 Description: APT repository for https://github.com/tonarino/innernet/.
 MD5Sum:
- c3fb046e579f2886ef6b3cf3e219ba05 12098 contrib/binary-amd64/Packages
- e09b77d60d34ab4af3b28265d59cea19 4799 contrib/binary-amd64/Packages.gz
+ d0ba34ce3b6d9952f14fec62fc228396 1493 contrib/binary-amd64/Packages
+ 45d906fa5e0acef087cecfbb88637cfb 664 contrib/binary-amd64/Packages.gz
  77dc2b012f45038d5be68f81d464ee44 179 contrib/binary-amd64/Release
- 780524704fdb47454787362f650f63b2 12097 contrib/binary-armhf/Packages
- 092d4159daa0a41922473929fb72b666 4798 contrib/binary-armhf/Packages.gz
+ 1a7d078d59f956c36cb9af24421d58b5 1493 contrib/binary-armhf/Packages
+ 73e7d5f7a070e2a977dba83528666735 670 contrib/binary-armhf/Packages.gz
  2e56331833f644fa9dad5483acc93e55 179 contrib/binary-armhf/Release
- 774c59f064602c6d2a571c4927700ea1 12097 contrib/binary-arm64/Packages
- 111c0179f59c4f065197f95058495807 4802 contrib/binary-arm64/Packages.gz
+ 3835ac29b2e4abdbb03761a7def4ca1a 1492 contrib/binary-arm64/Packages
+ 9a76fb55773a8927dbf5d6772883a67d 670 contrib/binary-arm64/Packages.gz
  16627cd2b6e090772a75639bb48cd54d 179 contrib/binary-arm64/Release
 SHA1:
- 24f3f3be92fa94c5c91f4e1016a87dc3bee36bc0 12098 contrib/binary-amd64/Packages
- 91350afc9bc7f37a9fa65c7827fd0161cefc2791 4799 contrib/binary-amd64/Packages.gz
+ 44a8bc649737cef228c1636fce540cd8e0bd9879 1493 contrib/binary-amd64/Packages
+ cb92cb8c8d1575e349c7b0a036cd428c1bb2be2e 664 contrib/binary-amd64/Packages.gz
  a4f6bbfd6fe4ab5a01909278c4e13b05d6b06f13 179 contrib/binary-amd64/Release
- ba0280a48581058691a8a392862fbf3820b841d0 12097 contrib/binary-armhf/Packages
- b7d567b2b284f0734227eaa771004539525a2d90 4798 contrib/binary-armhf/Packages.gz
+ 182817b310588626db5d70cde4f7cf153f51227f 1493 contrib/binary-armhf/Packages
+ 82bb11445b2c40739fad0483330f954fd02d70e5 670 contrib/binary-armhf/Packages.gz
  dbfc90ff9af0819e8b73429a32e4691204b11da7 179 contrib/binary-armhf/Release
- 6d826c8431b6b5983b654a37a34d68efa4148b8a 12097 contrib/binary-arm64/Packages
- 1c5ee6f104cf87055db66f368be7792d52a60094 4802 contrib/binary-arm64/Packages.gz
+ d5be2800fa329c667af096b9715c717296158a59 1492 contrib/binary-arm64/Packages
+ 5e263fc169fe81663708613e5ac650ba67a27cc7 670 contrib/binary-arm64/Packages.gz
  af10abab9b82b0f8be34be72d478cd7efe4e64b9 179 contrib/binary-arm64/Release
 SHA256:
- 42614d2b5bb2bc2be526f2aac7a249a78fe9e06b6dfbf174f1b81f774e9c94d9 12098 contrib/binary-amd64/Packages
- 5e2f2c7f0d4e5b718e3e4429aea9e02ea1d2cda4b8e68357dddae26eae7e0df5 4799 contrib/binary-amd64/Packages.gz
+ 9624962ee4713509b15a98e0a940b277bda2631737834b46a58d7c033e45924a 1493 contrib/binary-amd64/Packages
+ 511c0f3415d3b7ad70f0a09d63a1e7d9bbc4b05ef5a20ccc3255b2121ecc6993 664 contrib/binary-amd64/Packages.gz
  67b3f0e511499d8b794eaf1524cea47d2263a1e8e43445c60f311dbef9a50e9c 179 contrib/binary-amd64/Release
- 6920dfcb12fa912d057fbef51193867d02a2d52a02ac8cbd8e43346e199edf44 12097 contrib/binary-armhf/Packages
- 0039297dbd77d349e5acf51945cda8f284f3d1813746789c31127472ad019a6e 4798 contrib/binary-armhf/Packages.gz
+ 6bdaf958dea865165073e34b7b5ebd42e4ad26c2df9b14bfcdc906f34b5bc2df 1493 contrib/binary-armhf/Packages
+ 4a56ffd40c240288d1c5acd68d3238bf05c726e01e52ec0d26f4f285eddde04a 670 contrib/binary-armhf/Packages.gz
  ce7a57575ec61bf1af16351e2366f7114f6ad78e035696abaaac42f80dd8f425 179 contrib/binary-armhf/Release
- eee57fae348c6121d8aee97c08e437cc62471dd87103df971d368e72791b4447 12097 contrib/binary-arm64/Packages
- 3a77da57917309f4fce907bf2828bd2def020f210d77e18ec80c6b0d58c65475 4802 contrib/binary-arm64/Packages.gz
+ dd736db09149c25a8036d9a458e41c284901800c8333df94bb6e3e5569718f6f 1492 contrib/binary-arm64/Packages
+ 21696fb8c8c88d03f04a24d302f2985e8373657f3de6d747bd76f699e1fd8cd8 670 contrib/binary-arm64/Packages.gz
  86092179ad14de3750a8a527f8419920154bd761ea7367b9452abe85cfbca03d 179 contrib/binary-arm64/Release

debian/dists/jammy/Release.gpg

@@ -1,14 +1,14 @@
 -----BEGIN PGP SIGNATURE-----
 
-iQGzBAABCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmTGYysACgkQZYKNdDzu
-i2n05Av7BLT2uiKS9iw8jRsX646HfdXNZ7O+XfdLqJxxyCPjPc8yXPBWILhgQ8wE
-ZARH05xxhbpl0+mVtLDglKdyWjCRHv1ud7ALI3mPNvB4OL15sBUcI5Zqp0UxYgEH
-i/9HztmWRORUN0cCDwxdmgBQ5r4pTjEtRqYn6UwL38UD8v+du1n92AwG+jxwqkMk
-yasMbaxK9b5be888BqToKlSuYyLNE5nHDDaqr2gg7Or1W1HcZJcWiH4u4g4foB9p
-zrp9w5soeMWfAXH0PkI2iMsyitk5a8WdoLTwFWHJdS8vFN+doKpR57h7AkJ5wSGm
-H/okDyDjXPzogd5+WjyRrc3xGaL7X84gv3WbbIBeiKP9yThvI5HwcsUTHh0okiyZ
-/ns6P16JBo/jRwwD6cr+DYMcK7lr0YSRjmUbyBh+B5gdud7f70ySxl/9aqVnClCq
-A2XMl7VBUVPi0p+iKN3pmeu79XWlpnl8IUZTQzTIxY922DD1hG2X0LV28Lxhm/Qh
-R0fX5+To
-=KCYo
+iQGzBAABCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmWufiMACgkQZYKNdDzu
+i2nldwv9EvoTJjFOfH7ZsGKNm5ankg4Z48/HdWn+3i0V8MYNR+52x9IvDRzuOOWu
+byDZNnGb3NrabPwihuucVaNsUwWMV4ICpQogZTViNfyT8ibHvImssavq/TUDxWYn
+RGBMexqJBdmlCT/uS4F9OevujEy23/8Hd+ONIBufho9WpSI7ecZ+IavvkPI+AxuY
+4PL4otJire6QFLbiH0Bg4T2Og1ITyJ66Qogy0CutywDJ+L34fBzQ+ItP2iDLiTiM
+hBgxGxVkCmfalAWgMqFEgWNfBVtjYVjoOPhKUCIkuv3v0g+saXmFLw3LRCjEZEqv
+GHha/JtVlFxrrMyRW8SS3FcWOC0P3fJWAXpGyJk0mFafQQ62k9tlWoC/FXHEuJhm
+e/1IT791QoDcow/3qcpacDPdYR5J4+U1whRNbgCB0Ch/gKChXIx8dDRRjlD6d6oO
+aPp46Ws3KWkmRaf6/cFBPGp+dEOZaH3qAebpgDkKoFAZdpbo8OrW4YA1yE8kgalH
+QoOqcgtK
+=5slL
 -----END PGP SIGNATURE-----

debian/dists/jammy/contrib/binary-amd64/Packages

@@ -1,378 +1,41 @@
 Package: innernet
-Version: 1.6.0-0ubuntu0~jammy
+Version: 1.6.1-0ubuntu0~jammy
 Architecture: amd64
 Vcs-Browser: https://github.com/tonarino/innernet
 Vcs-Git: https://github.com/tonarino/innernet
 Homepage: https://github.com/tonarino/innernet
 Maintainer: tonari <hey@tonari.no>
-Installed-Size: 3221
-Depends: libgcc1, libc6, systemd
+Installed-Size: 3541
+Depends: libc6, libgcc1, systemd
 Recommends: wireguard
 Priority: optional
 Section: net
-Filename: pool/contrib/i/innernet/innernet_1.6.0-0ubuntu0~jammy_amd64.deb
-Size: 1016428
-SHA256: 34d49ed7822a4cc0075fe955de25cdcf864b476b4452cb1669aa157893a6cc7b
-SHA1: 0f8b42ec0a444c2f4d1b72a83fd4f65486642203
-MD5sum: 7626cc801e7ccee26418f34f52b316ec
+Filename: pool/contrib/i/innernet/innernet_1.6.1-0ubuntu0~jammy_amd64.deb
+Size: 1111060
+SHA256: a2199bc536b90e9980fba90c5e33f7361bbc07e32074b4df5b5acaed50c98e35
+SHA1: 4540848ddf75dea14a169ab711b708d05f6f7d9c
+MD5sum: e697ae946563c517e14a65c2b7e10ef7
 Description: A client to manage innernet network interfaces.
  innernet client binary for fetching peer information and conducting admin tasks
  such as adding a new peer.
 
 Package: innernet-server
-Version: 1.6.0-0ubuntu0~jammy
+Version: 1.6.1-0ubuntu0~jammy
 Architecture: amd64
 Vcs-Browser: https://github.com/tonarino/innernet
 Vcs-Git: https://github.com/tonarino/innernet
 Homepage: https://github.com/tonarino/innernet
 Maintainer: tonari <hey@tonari.no>
-Installed-Size: 4214
-Depends: zlib1g, libgcc1, libc6, libsqlite3-0, systemd
+Installed-Size: 4546
+Depends: libc6, zlib1g, systemd, libgcc1, libsqlite3-0
 Recommends: wireguard
 Source: innernet
 Priority: optional
 Section: net
-Filename: pool/contrib/i/innernet-server/innernet-server_1.6.0-0ubuntu0~jammy_amd64.deb
-Size: 1501092
-SHA256: c2ff81de23dfc44a24aebe2458d6b9877f3bb0028f9f799e174010ca197f6f34
-SHA1: 5f097ef49ae29ac3ac5190b0178d8a949aeea318
-MD5sum: 7ad2ac098f91f4d9e14943c76ef466b9
+Filename: pool/contrib/i/innernet-server/innernet-server_1.6.1-0ubuntu0~jammy_amd64.deb
+Size: 1592544
+SHA256: a5bf00a9e6f15db999a83f8df764ba4b053eb9984e8885bac5c186c2d1be1e78
+SHA1: fac0cb56bfb0b6b26a84ce7748ff8855184de188
+MD5sum: 56646c8d746af8b1a15e44182861f981
 Description: A server to coordinate innernet networks.
- # innernet
- .
- [![Actively
- Maintained](https://img.shields.io/badge/Maintenance%20Level-Actively%20Maintained-green.svg)](https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d)
- [![MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/tonarino/innernet/blob/master/LICENSE)
- .
- A private network system that uses [WireGuard](https://wireguard.com) under the
- hood. See the [announcement blog
- post](https://blog.tonari.no/introducing-innernet) for a longer-winded
- explanation.
- .
- <img
- src="https://user-images.githubusercontent.com/373823/118917068-09ae7700-b96b-11eb-80f4-6860072d504d.gif"
- width="600" height="370">
- .
- `innernet` is similar in its goals to Slack's
- [nebula](https://github.com/slackhq/nebula) or
- [Tailscale](https://tailscale.com/), but takes a bit of a different approach.
- It aims to take advantage of existing networking concepts like CIDRs and the
- security properties of WireGuard to turn your computer's basic IP networking
- into more powerful ACL primitives.
- .
- `innernet` is not an official WireGuard project, and WireGuard is a registered
- trademark of Jason A. Donenfeld.
- .
- This has not received an independent security audit, and should be considered
- experimental software at this early point in its lifetime.
- .
- ## Usage
- .
- ### Server Creation
- .
- Every `innernet` network needs a coordination server to manage peers and
- provide endpoint information so peers can directly connect to each other.
- Create a new one with
- .
- ```sh
- sudo innernet-server new
- ```
- .
- The init wizard will ask you questions about your network and give you some
- reasonable defaults. It's good to familiarize yourself with [network
- CIDRs](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) as a lot
- of innernet's access control is based upon them. As an example, let's say the
- root CIDR for this network is `10.60.0.0/16`. Server initialization creates a
- special "infra" CIDR which contains the `innernet` server itself and is
- reachable from all CIDRs on the network.
- .
- Next we'll also create a `humans` CIDR where we can start adding some peers.
- .
- ```sh
- sudo innernet-server add-cidr <interface>
- ```
- .
- For the parent CIDR, you can simply choose your network's root CIDR. The name
- will be `humans`, and the CIDR will be `10.60.64.0/24` (not a great example
- unless you only want to support 256 humans, but it works for now...).
- .
- By default, peers which exist in this new CIDR will only be able to contact
- peers in the same CIDR, and the special "infra" CIDR which was created when the
- server was initialized.
- .
- A typical workflow for creating a new network is to create an admin peer from
- the `innernet-server` CLI, and then continue using that admin peer via the
- `innernet` client CLI to add any further peers or network CIDRs.
- .
- ```sh
- sudo innernet-server add-peer <interface>
- ```
- .
- Select the `humans` CIDR, and the CLI will automatically suggest the next
- available IP address. Any name is fine, just answer "yes" when asked if you
- would like to make the peer an admin. The process of adding a peer results in
- an invitation file. This file contains just enough information for the new peer
- to contact the `innernet` server and redeem its invitation. It should be
- transferred securely to the new peer, and it can only be used once to
- initialize the peer.
- .
- You can run the server with `innernet-server serve <interface>`, or if you're
- on Linux and want to run it via `systemctl`, run `systemctl enable --now
- innernet-server@<interface>`. If you're on a home network, don't forget to
- configure port forwarding to the `Listen Port` you specified when creating the
- `innernet` server.
- .
- ### Peer Initialization
- .
- Let's assume the invitation file generated in the steps above have been
- transferred to the machine a network admin will be using.
- .
- You can initialize the client with
- .
- ```sh
- sudo innernet install /path/to/invitation.toml
- ```
- .
- You can customize the network name if you want to, or leave it at the default.
- `innernet` will then connect to the `innernet` server via WireGuard, generate a
- new key pair, and register that pair with the server. The private key in the
- invitation file can no longer be used.
- .
- If everything was successful, the new peer is on the network. You can run
- things like
- .
- ```sh
- sudo innernet list
- ```
- .
- or
- .
- ```sh
- sudo innernet list --tree
- ```
- .
- to view the current network and all CIDRs visible to this peer.
- .
- Since we created an admin peer, we can also add new peers and CIDRs from this
- peer via `innernet` instead of having to always run commands on the server.
- .
- ### Adding Associations between CIDRs
- .
- In order for peers from one CIDR to be able to contact peers in another CIDR,
- those two CIDRs must be "associated" with each other.
- .
- With the admin peer we created above, let's add a new CIDR for some theoretical
- CI servers we have.
- .
- ```sh
- sudo innernet add-cidr <interface>
- ```
- .
- The name is `ci-servers` and the CIDR is `10.60.64.0/24`, but for this example
- it can be anything.
- .
- For now, we want peers in the `humans` CIDR to be able to access peers in the
- `ci-servers` CIDR.
- .
- ```sh
- sudo innernet add-association <interface>
- ```
- .
- The CLI will ask you to select the two CIDRs you want to associate. That's all
- it takes to allow peers in two different CIDRs to communicate!
- .
- You can verify the association with
- .
- ```sh
- sudo innernet list-associations <interface>
- ```
- .
- and associations can be deleted with
- .
- ```sh
- sudo innernet delete-associations <interface>
- ```
- .
- ### Enabling/Disabling Peers
- .
- For security reasons, IP addresses cannot be re-used by new peers, and
- therefore peers cannot be deleted. However, they can be disabled. Disabled
- peers will not show up in the list of peers when fetching the config for an
- interface.
- .
- Disable a peer with
- .
- ```su
- sudo innernet disable-peer <interface>
- ```
- .
- Or re-enable a peer with
- .
- ```su
- sudo innernet enable-peer <interface>
- ```
- .
- ### Specifying a Manual Endpoint
- .
- The `innernet` server will try to use the internet endpoint it sees from a peer
- so other peers can connect to that peer as well. This doesn't always work and
- you may want to set an endpoint explicitly. To set an endpoint, use
- .
- ```sh
- sudo innernet override-endpoint <interface>
- ```
- .
- You can go back to automatic endpoint discovery with
- .
- ```sh
- sudo innernet override-endpoint -u <interface>
- ```
- .
- ### Setting the Local WireGuard Listen Port
- .
- If you want to change the port which WireGuard listens on, use
- .
- ```sh
- sudo innernet set-listen-port <interface>
- ```
- .
- or unset the port and use a randomized port with
- .
- ```sh
- sudo innernet set-listen-port -u <interface>
- ```
- .
- ### Remove Network
- .
- To permanently uninstall a created network, use
- .
- ```sh
- sudo innernet-server uninstall <interface>
- ```
- .
- Use with care!
- .
- ## Security recommendations
- .
- If you're running a service on innernet, there are some important security
- considerations.
- .
- ### Enable strict Reverse Path Filtering ([RFC
- 3704](https://tools.ietf.org/html/rfc3704))
- .
- Strict RPF prevents packets from _other_ interfaces from having internal source
- IP addresses. This is _not_ the default on Linux, even though it is the right
- choice for 99.99% of situations. You can enable it by adding the following to a
- `/etc/sysctl.d/60-network-security.conf`:
- .
- ```
- net.ipv4.conf.all.rp_filter=1
- net.ipv4.conf.default.rp_filter=1
- ```
- .
- ### Bind to the WireGuard device
- .
- If possible, to _ensure_ that packets are only ever transmitted over the
- WireGuard interface, it's recommended that you use `SO_BINDTODEVICE` on Linux
- or `IP_BOUND_IF` on macOS/BSDs. If you have strict reverse path filtering,
- though, this is less of a concern.
- .
- ### IP addresses alone often aren't enough authentication
- .
- Even following all the above precautions, rogue applications on a peer's
- machines could be able to make requests on their behalf unless you add extra
- layers of authentication to mitigate this CSRF-type vector.
- .
- It's recommended that you carefully consider this possibility before deciding
- that the source IP is sufficient for your authentication needs on a service.
- .
- ## Installation
- .
- innernet has only officially been tested on Linux and MacOS, but we hope to
- support as many platforms as is feasible!
- .
- ### Runtime Dependencies
- .
- It's assumed that WireGuard is installed on your system, either via the kernel
- module in Linux 5.6 and later, or via the
- [`wireguard-go`](https://git.zx2c4.com/wireguard-go/about/) userspace
- implementation.
- .
- [WireGuard Installation Instructions](https://www.wireguard.com/install/)
- .
- ### Arch Linux
- .
- ```sh
- pacman -S innernet
- ```
- .
- ### Debian and Ubuntu
- .
- [**@tommie**](https://github.com/tommie) is kindly providing Debian/Ubuntu
- innernet builds in the https://github.com/tommie/innernet-debian repository.
- .
- ### Other Linux Distributions
- .
- We're looking for volunteers who are able to set up external builds for popular
- distributions. Please see issue
- [#203](https://github.com/tonarino/innernet/issues/203).
- .
- ### macOS
- .
- ```sh
- brew install tonarino/innernet/innernet
- ```
- .
- ### Cargo
- .
- ```sh
- # to install innernet:
- cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 client
- .
- # to install innernet-server:
- cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 server
- ```
- .
- Note that you'll be responsible for updating manually.
- .
- ## Development
- .
- ### `innernet-server` Build dependencies
- .
- - `rustc` / `cargo` (version 1.50.0 or higher)
- - `libclang` (see more info at
- [https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
- - `libsqlite3`
- .
- Build:
- .
- ```sh
- cargo build --release --bin innernet-server
- ```
- .
- The resulting binary will be located at `./target/release/innernet-server`
- .
- ### `innernet` Client CLI Build dependencies
- .
- - `rustc` / `cargo` (version 1.50.0 or higher)
- - `libclang` (see more info at
- [https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
- .
- Build:
- .
- ```sh
- cargo build --release --bin innernet
- ```
- .
- The resulting binary will be located at `./target/release/innernet`
- .
- ### Releases
- .
- Please run the release script from a Linux machine: generated shell completions
- depend on available wireguard backends and Mac doesn't support the `kernel`
- backend. 
- .
- 1. Fetch and check-out the `main` branch.
- 2. Run `./release.sh [patch|major|minor|rc]`
- 3. Push the `main` branch and the created tag to the repo.
 

debian/dists/jammy/contrib/binary-arm64/Packages

@@ -1,378 +1,41 @@
 Package: innernet
-Version: 1.6.0-0ubuntu0~jammy
+Version: 1.6.1-0ubuntu0~jammy
 Architecture: arm64
 Vcs-Browser: https://github.com/tonarino/innernet
 Vcs-Git: https://github.com/tonarino/innernet
 Homepage: https://github.com/tonarino/innernet
 Maintainer: tonari <hey@tonari.no>
-Installed-Size: 2841
+Installed-Size: 3097
 Depends: systemd, libc6, libgcc1
 Recommends: wireguard
 Priority: optional
 Section: net
-Filename: pool/contrib/i/innernet/innernet_1.6.0-0ubuntu0~jammy_arm64.deb
-Size: 902852
-SHA256: 7bf0f695bc867bb7f6747053a9eab859452a518515f27b0d1e39b266b0e415f5
-SHA1: 1ac7265a5385e190f2ae1df9b08e257ec55aa2fe
-MD5sum: db11e7151b7f8c2f8b77709612a89a60
+Filename: pool/contrib/i/innernet/innernet_1.6.1-0ubuntu0~jammy_arm64.deb
+Size: 995220
+SHA256: 87a58cb3d42255ea03511295fac164ffe0a2b4cf62e68a5d4b508667d05a1ad2
+SHA1: d037fd9e29ec53b131e475c05c662f19f796b442
+MD5sum: 34fb83b980a495a5297ed31e50d915d3
 Description: A client to manage innernet network interfaces.
  innernet client binary for fetching peer information and conducting admin tasks
  such as adding a new peer.
 
 Package: innernet-server
-Version: 1.6.0-0ubuntu0~jammy
+Version: 1.6.1-0ubuntu0~jammy
 Architecture: arm64
 Vcs-Browser: https://github.com/tonarino/innernet
 Vcs-Git: https://github.com/tonarino/innernet
 Homepage: https://github.com/tonarino/innernet
 Maintainer: tonari <hey@tonari.no>
-Installed-Size: 3894
-Depends: zlib1g, libsqlite3-0, libc6, libgcc1, systemd
+Installed-Size: 4170
+Depends: libc6, libgcc1, zlib1g, libsqlite3-0, systemd
 Recommends: wireguard
 Source: innernet
 Priority: optional
 Section: net
-Filename: pool/contrib/i/innernet-server/innernet-server_1.6.0-0ubuntu0~jammy_arm64.deb
-Size: 1354844
-SHA256: f04eb9854c2105b3e21304377a3a9667405151d576f7bb5a9c4965123b76d221
-SHA1: 06bb485cdafafcc6b82e36a65f601ecc628f6fca
-MD5sum: 17b01c31ad740f3d20fcad896eeb67e9
+Filename: pool/contrib/i/innernet-server/innernet-server_1.6.1-0ubuntu0~jammy_arm64.deb
+Size: 1445556
+SHA256: 9027eb9c0fa3f76f29c4b1ecf766544e464271d0b2c1b3be01e72130325b0b74
+SHA1: f14527054ba19e9cafe77333d11a6b5f53db3a30
+MD5sum: b42eb200e43ccb9fbe1f9b70af7f51a8
 Description: A server to coordinate innernet networks.
- # innernet
- .
- [![Actively
- Maintained](https://img.shields.io/badge/Maintenance%20Level-Actively%20Maintained-green.svg)](https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d)
- [![MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/tonarino/innernet/blob/master/LICENSE)
- .
- A private network system that uses [WireGuard](https://wireguard.com) under the
- hood. See the [announcement blog
- post](https://blog.tonari.no/introducing-innernet) for a longer-winded
- explanation.
- .
- <img
- src="https://user-images.githubusercontent.com/373823/118917068-09ae7700-b96b-11eb-80f4-6860072d504d.gif"
- width="600" height="370">
- .
- `innernet` is similar in its goals to Slack's
- [nebula](https://github.com/slackhq/nebula) or
- [Tailscale](https://tailscale.com/), but takes a bit of a different approach.
- It aims to take advantage of existing networking concepts like CIDRs and the
- security properties of WireGuard to turn your computer's basic IP networking
- into more powerful ACL primitives.
- .
- `innernet` is not an official WireGuard project, and WireGuard is a registered
- trademark of Jason A. Donenfeld.
- .
- This has not received an independent security audit, and should be considered
- experimental software at this early point in its lifetime.
- .
- ## Usage
- .
- ### Server Creation
- .
- Every `innernet` network needs a coordination server to manage peers and
- provide endpoint information so peers can directly connect to each other.
- Create a new one with
- .
- ```sh
- sudo innernet-server new
- ```
- .
- The init wizard will ask you questions about your network and give you some
- reasonable defaults. It's good to familiarize yourself with [network
- CIDRs](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) as a lot
- of innernet's access control is based upon them. As an example, let's say the
- root CIDR for this network is `10.60.0.0/16`. Server initialization creates a
- special "infra" CIDR which contains the `innernet` server itself and is
- reachable from all CIDRs on the network.
- .
- Next we'll also create a `humans` CIDR where we can start adding some peers.
- .
- ```sh
- sudo innernet-server add-cidr <interface>
- ```
- .
- For the parent CIDR, you can simply choose your network's root CIDR. The name
- will be `humans`, and the CIDR will be `10.60.64.0/24` (not a great example
- unless you only want to support 256 humans, but it works for now...).
- .
- By default, peers which exist in this new CIDR will only be able to contact
- peers in the same CIDR, and the special "infra" CIDR which was created when the
- server was initialized.
- .
- A typical workflow for creating a new network is to create an admin peer from
- the `innernet-server` CLI, and then continue using that admin peer via the
- `innernet` client CLI to add any further peers or network CIDRs.
- .
- ```sh
- sudo innernet-server add-peer <interface>
- ```
- .
- Select the `humans` CIDR, and the CLI will automatically suggest the next
- available IP address. Any name is fine, just answer "yes" when asked if you
- would like to make the peer an admin. The process of adding a peer results in
- an invitation file. This file contains just enough information for the new peer
- to contact the `innernet` server and redeem its invitation. It should be
- transferred securely to the new peer, and it can only be used once to
- initialize the peer.
- .
- You can run the server with `innernet-server serve <interface>`, or if you're
- on Linux and want to run it via `systemctl`, run `systemctl enable --now
- innernet-server@<interface>`. If you're on a home network, don't forget to
- configure port forwarding to the `Listen Port` you specified when creating the
- `innernet` server.
- .
- ### Peer Initialization
- .
- Let's assume the invitation file generated in the steps above have been
- transferred to the machine a network admin will be using.
- .
- You can initialize the client with
- .
- ```sh
- sudo innernet install /path/to/invitation.toml
- ```
- .
- You can customize the network name if you want to, or leave it at the default.
- `innernet` will then connect to the `innernet` server via WireGuard, generate a
- new key pair, and register that pair with the server. The private key in the
- invitation file can no longer be used.
- .
- If everything was successful, the new peer is on the network. You can run
- things like
- .
- ```sh
- sudo innernet list
- ```
- .
- or
- .
- ```sh
- sudo innernet list --tree
- ```
- .
- to view the current network and all CIDRs visible to this peer.
- .
- Since we created an admin peer, we can also add new peers and CIDRs from this
- peer via `innernet` instead of having to always run commands on the server.
- .
- ### Adding Associations between CIDRs
- .
- In order for peers from one CIDR to be able to contact peers in another CIDR,
- those two CIDRs must be "associated" with each other.
- .
- With the admin peer we created above, let's add a new CIDR for some theoretical
- CI servers we have.
- .
- ```sh
- sudo innernet add-cidr <interface>
- ```
- .
- The name is `ci-servers` and the CIDR is `10.60.64.0/24`, but for this example
- it can be anything.
- .
- For now, we want peers in the `humans` CIDR to be able to access peers in the
- `ci-servers` CIDR.
- .
- ```sh
- sudo innernet add-association <interface>
- ```
- .
- The CLI will ask you to select the two CIDRs you want to associate. That's all
- it takes to allow peers in two different CIDRs to communicate!
- .
- You can verify the association with
- .
- ```sh
- sudo innernet list-associations <interface>
- ```
- .
- and associations can be deleted with
- .
- ```sh
- sudo innernet delete-associations <interface>
- ```
- .
- ### Enabling/Disabling Peers
- .
- For security reasons, IP addresses cannot be re-used by new peers, and
- therefore peers cannot be deleted. However, they can be disabled. Disabled
- peers will not show up in the list of peers when fetching the config for an
- interface.
- .
- Disable a peer with
- .
- ```su
- sudo innernet disable-peer <interface>
- ```
- .
- Or re-enable a peer with
- .
- ```su
- sudo innernet enable-peer <interface>
- ```
- .
- ### Specifying a Manual Endpoint
- .
- The `innernet` server will try to use the internet endpoint it sees from a peer
- so other peers can connect to that peer as well. This doesn't always work and
- you may want to set an endpoint explicitly. To set an endpoint, use
- .
- ```sh
- sudo innernet override-endpoint <interface>
- ```
- .
- You can go back to automatic endpoint discovery with
- .
- ```sh
- sudo innernet override-endpoint -u <interface>
- ```
- .
- ### Setting the Local WireGuard Listen Port
- .
- If you want to change the port which WireGuard listens on, use
- .
- ```sh
- sudo innernet set-listen-port <interface>
- ```
- .
- or unset the port and use a randomized port with
- .
- ```sh
- sudo innernet set-listen-port -u <interface>
- ```
- .
- ### Remove Network
- .
- To permanently uninstall a created network, use
- .
- ```sh
- sudo innernet-server uninstall <interface>
- ```
- .
- Use with care!
- .
- ## Security recommendations
- .
- If you're running a service on innernet, there are some important security
- considerations.
- .
- ### Enable strict Reverse Path Filtering ([RFC
- 3704](https://tools.ietf.org/html/rfc3704))
- .
- Strict RPF prevents packets from _other_ interfaces from having internal source
- IP addresses. This is _not_ the default on Linux, even though it is the right
- choice for 99.99% of situations. You can enable it by adding the following to a
- `/etc/sysctl.d/60-network-security.conf`:
- .
- ```
- net.ipv4.conf.all.rp_filter=1
- net.ipv4.conf.default.rp_filter=1
- ```
- .
- ### Bind to the WireGuard device
- .
- If possible, to _ensure_ that packets are only ever transmitted over the
- WireGuard interface, it's recommended that you use `SO_BINDTODEVICE` on Linux
- or `IP_BOUND_IF` on macOS/BSDs. If you have strict reverse path filtering,
- though, this is less of a concern.
- .
- ### IP addresses alone often aren't enough authentication
- .
- Even following all the above precautions, rogue applications on a peer's
- machines could be able to make requests on their behalf unless you add extra
- layers of authentication to mitigate this CSRF-type vector.
- .
- It's recommended that you carefully consider this possibility before deciding
- that the source IP is sufficient for your authentication needs on a service.
- .
- ## Installation
- .
- innernet has only officially been tested on Linux and MacOS, but we hope to
- support as many platforms as is feasible!
- .
- ### Runtime Dependencies
- .
- It's assumed that WireGuard is installed on your system, either via the kernel
- module in Linux 5.6 and later, or via the
- [`wireguard-go`](https://git.zx2c4.com/wireguard-go/about/) userspace
- implementation.
- .
- [WireGuard Installation Instructions](https://www.wireguard.com/install/)
- .
- ### Arch Linux
- .
- ```sh
- pacman -S innernet
- ```
- .
- ### Debian and Ubuntu
- .
- [**@tommie**](https://github.com/tommie) is kindly providing Debian/Ubuntu
- innernet builds in the https://github.com/tommie/innernet-debian repository.
- .
- ### Other Linux Distributions
- .
- We're looking for volunteers who are able to set up external builds for popular
- distributions. Please see issue
- [#203](https://github.com/tonarino/innernet/issues/203).
- .
- ### macOS
- .
- ```sh
- brew install tonarino/innernet/innernet
- ```
- .
- ### Cargo
- .
- ```sh
- # to install innernet:
- cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 client
- .
- # to install innernet-server:
- cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 server
- ```
- .
- Note that you'll be responsible for updating manually.
- .
- ## Development
- .
- ### `innernet-server` Build dependencies
- .
- - `rustc` / `cargo` (version 1.50.0 or higher)
- - `libclang` (see more info at
- [https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
- - `libsqlite3`
- .
- Build:
- .
- ```sh
- cargo build --release --bin innernet-server
- ```
- .
- The resulting binary will be located at `./target/release/innernet-server`
- .
- ### `innernet` Client CLI Build dependencies
- .
- - `rustc` / `cargo` (version 1.50.0 or higher)
- - `libclang` (see more info at
- [https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
- .
- Build:
- .
- ```sh
- cargo build --release --bin innernet
- ```
- .
- The resulting binary will be located at `./target/release/innernet`
- .
- ### Releases
- .
- Please run the release script from a Linux machine: generated shell completions
- depend on available wireguard backends and Mac doesn't support the `kernel`
- backend. 
- .
- 1. Fetch and check-out the `main` branch.
- 2. Run `./release.sh [patch|major|minor|rc]`
- 3. Push the `main` branch and the created tag to the repo.
 

debian/dists/jammy/contrib/binary-armhf/Packages

@@ -1,378 +1,41 @@
 Package: innernet
-Version: 1.6.0-0ubuntu0~jammy
+Version: 1.6.1-0ubuntu0~jammy
 Architecture: armhf
 Vcs-Browser: https://github.com/tonarino/innernet
 Vcs-Git: https://github.com/tonarino/innernet
 Homepage: https://github.com/tonarino/innernet
 Maintainer: tonari <hey@tonari.no>
-Installed-Size: 2684
-Depends: systemd, libc6, libgcc1
+Installed-Size: 2960
+Depends: libc6, libgcc1, systemd
 Recommends: wireguard
 Priority: optional
 Section: net
-Filename: pool/contrib/i/innernet/innernet_1.6.0-0ubuntu0~jammy_armhf.deb
-Size: 916336
-SHA256: 47221ab713613019c4d0f7a8003cb705378ce24336960ddf363a1336bb2522a7
-SHA1: affc688405f58e5d652a5b7ea1436fbe87fc4b6c
-MD5sum: dc3f5ad622a48fa819ed58b9529a9e2e
+Filename: pool/contrib/i/innernet/innernet_1.6.1-0ubuntu0~jammy_armhf.deb
+Size: 1004904
+SHA256: b7d3c0f0fa9434decce55c25c9610d88c7b01dd94544473d3d7a2c4879de0c38
+SHA1: ea7adbb70f4609c4cca74d16463eab41d7d35197
+MD5sum: 093b407dcb6bb76b3693093ded9fa557
 Description: A client to manage innernet network interfaces.
  innernet client binary for fetching peer information and conducting admin tasks
  such as adding a new peer.
 
 Package: innernet-server
-Version: 1.6.0-0ubuntu0~jammy
+Version: 1.6.1-0ubuntu0~jammy
 Architecture: armhf
 Vcs-Browser: https://github.com/tonarino/innernet
 Vcs-Git: https://github.com/tonarino/innernet
 Homepage: https://github.com/tonarino/innernet
 Maintainer: tonari <hey@tonari.no>
-Installed-Size: 3339
-Depends: libc6, zlib1g, libgcc1, systemd, libsqlite3-0
+Installed-Size: 3627
+Depends: zlib1g, systemd, libc6, libgcc1, libsqlite3-0
 Recommends: wireguard
 Source: innernet
 Priority: optional
 Section: net
-Filename: pool/contrib/i/innernet-server/innernet-server_1.6.0-0ubuntu0~jammy_armhf.deb
-Size: 1340692
-SHA256: 09dcc6fe8a55c2889e29a052c39b75075e9a9b2646a3e93325380d3da2534c4e
-SHA1: ae4de2b7fab124b4e07b1a16aee328dd60b8fc3c
-MD5sum: dbc69bb8a2a2403c2bc7dab402ee04e0
+Filename: pool/contrib/i/innernet-server/innernet-server_1.6.1-0ubuntu0~jammy_armhf.deb
+Size: 1428660
+SHA256: 016cc3d353e7097984f160ac87aad4707c61258c662e1b1f6dc6d6d87a3d804a
+SHA1: d83d133e16ef4e08a581958a4e4290b63604c23f
+MD5sum: 7dafa4b1d8251023196fab6223cae096
 Description: A server to coordinate innernet networks.
- # innernet
- .
- [![Actively
- Maintained](https://img.shields.io/badge/Maintenance%20Level-Actively%20Maintained-green.svg)](https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d)
- [![MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/tonarino/innernet/blob/master/LICENSE)
- .
- A private network system that uses [WireGuard](https://wireguard.com) under the
- hood. See the [announcement blog
- post](https://blog.tonari.no/introducing-innernet) for a longer-winded
- explanation.
- .
- <img
- src="https://user-images.githubusercontent.com/373823/118917068-09ae7700-b96b-11eb-80f4-6860072d504d.gif"
- width="600" height="370">
- .
- `innernet` is similar in its goals to Slack's
- [nebula](https://github.com/slackhq/nebula) or
- [Tailscale](https://tailscale.com/), but takes a bit of a different approach.
- It aims to take advantage of existing networking concepts like CIDRs and the
- security properties of WireGuard to turn your computer's basic IP networking
- into more powerful ACL primitives.
- .
- `innernet` is not an official WireGuard project, and WireGuard is a registered
- trademark of Jason A. Donenfeld.
- .
- This has not received an independent security audit, and should be considered
- experimental software at this early point in its lifetime.
- .
- ## Usage
- .
- ### Server Creation
- .
- Every `innernet` network needs a coordination server to manage peers and
- provide endpoint information so peers can directly connect to each other.
- Create a new one with
- .
- ```sh
- sudo innernet-server new
- ```
- .
- The init wizard will ask you questions about your network and give you some
- reasonable defaults. It's good to familiarize yourself with [network
- CIDRs](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) as a lot
- of innernet's access control is based upon them. As an example, let's say the
- root CIDR for this network is `10.60.0.0/16`. Server initialization creates a
- special "infra" CIDR which contains the `innernet` server itself and is
- reachable from all CIDRs on the network.
- .
- Next we'll also create a `humans` CIDR where we can start adding some peers.
- .
- ```sh
- sudo innernet-server add-cidr <interface>
- ```
- .
- For the parent CIDR, you can simply choose your network's root CIDR. The name
- will be `humans`, and the CIDR will be `10.60.64.0/24` (not a great example
- unless you only want to support 256 humans, but it works for now...).
- .
- By default, peers which exist in this new CIDR will only be able to contact
- peers in the same CIDR, and the special "infra" CIDR which was created when the
- server was initialized.
- .
- A typical workflow for creating a new network is to create an admin peer from
- the `innernet-server` CLI, and then continue using that admin peer via the
- `innernet` client CLI to add any further peers or network CIDRs.
- .
- ```sh
- sudo innernet-server add-peer <interface>
- ```
- .
- Select the `humans` CIDR, and the CLI will automatically suggest the next
- available IP address. Any name is fine, just answer "yes" when asked if you
- would like to make the peer an admin. The process of adding a peer results in
- an invitation file. This file contains just enough information for the new peer
- to contact the `innernet` server and redeem its invitation. It should be
- transferred securely to the new peer, and it can only be used once to
- initialize the peer.
- .
- You can run the server with `innernet-server serve <interface>`, or if you're
- on Linux and want to run it via `systemctl`, run `systemctl enable --now
- innernet-server@<interface>`. If you're on a home network, don't forget to
- configure port forwarding to the `Listen Port` you specified when creating the
- `innernet` server.
- .
- ### Peer Initialization
- .
- Let's assume the invitation file generated in the steps above have been
- transferred to the machine a network admin will be using.
- .
- You can initialize the client with
- .
- ```sh
- sudo innernet install /path/to/invitation.toml
- ```
- .
- You can customize the network name if you want to, or leave it at the default.
- `innernet` will then connect to the `innernet` server via WireGuard, generate a
- new key pair, and register that pair with the server. The private key in the
- invitation file can no longer be used.
- .
- If everything was successful, the new peer is on the network. You can run
- things like
- .
- ```sh
- sudo innernet list
- ```
- .
- or
- .
- ```sh
- sudo innernet list --tree
- ```
- .
- to view the current network and all CIDRs visible to this peer.
- .
- Since we created an admin peer, we can also add new peers and CIDRs from this
- peer via `innernet` instead of having to always run commands on the server.
- .
- ### Adding Associations between CIDRs
- .
- In order for peers from one CIDR to be able to contact peers in another CIDR,
- those two CIDRs must be "associated" with each other.
- .
- With the admin peer we created above, let's add a new CIDR for some theoretical
- CI servers we have.
- .
- ```sh
- sudo innernet add-cidr <interface>
- ```
- .
- The name is `ci-servers` and the CIDR is `10.60.64.0/24`, but for this example
- it can be anything.
- .
- For now, we want peers in the `humans` CIDR to be able to access peers in the
- `ci-servers` CIDR.
- .
- ```sh
- sudo innernet add-association <interface>
- ```
- .
- The CLI will ask you to select the two CIDRs you want to associate. That's all
- it takes to allow peers in two different CIDRs to communicate!
- .
- You can verify the association with
- .
- ```sh
- sudo innernet list-associations <interface>
- ```
- .
- and associations can be deleted with
- .
- ```sh
- sudo innernet delete-associations <interface>
- ```
- .
- ### Enabling/Disabling Peers
- .
- For security reasons, IP addresses cannot be re-used by new peers, and
- therefore peers cannot be deleted. However, they can be disabled. Disabled
- peers will not show up in the list of peers when fetching the config for an
- interface.
- .
- Disable a peer with
- .
- ```su
- sudo innernet disable-peer <interface>
- ```
- .
- Or re-enable a peer with
- .
- ```su
- sudo innernet enable-peer <interface>
- ```
- .
- ### Specifying a Manual Endpoint
- .
- The `innernet` server will try to use the internet endpoint it sees from a peer
- so other peers can connect to that peer as well. This doesn't always work and
- you may want to set an endpoint explicitly. To set an endpoint, use
- .
- ```sh
- sudo innernet override-endpoint <interface>
- ```
- .
- You can go back to automatic endpoint discovery with
- .
- ```sh
- sudo innernet override-endpoint -u <interface>
- ```
- .
- ### Setting the Local WireGuard Listen Port
- .
- If you want to change the port which WireGuard listens on, use
- .
- ```sh
- sudo innernet set-listen-port <interface>
- ```
- .
- or unset the port and use a randomized port with
- .
- ```sh
- sudo innernet set-listen-port -u <interface>
- ```
- .
- ### Remove Network
- .
- To permanently uninstall a created network, use
- .
- ```sh
- sudo innernet-server uninstall <interface>
- ```
- .
- Use with care!
- .
- ## Security recommendations
- .
- If you're running a service on innernet, there are some important security
- considerations.
- .
- ### Enable strict Reverse Path Filtering ([RFC
- 3704](https://tools.ietf.org/html/rfc3704))
- .
- Strict RPF prevents packets from _other_ interfaces from having internal source
- IP addresses. This is _not_ the default on Linux, even though it is the right
- choice for 99.99% of situations. You can enable it by adding the following to a
- `/etc/sysctl.d/60-network-security.conf`:
- .
- ```
- net.ipv4.conf.all.rp_filter=1
- net.ipv4.conf.default.rp_filter=1
- ```
- .
- ### Bind to the WireGuard device
- .
- If possible, to _ensure_ that packets are only ever transmitted over the
- WireGuard interface, it's recommended that you use `SO_BINDTODEVICE` on Linux
- or `IP_BOUND_IF` on macOS/BSDs. If you have strict reverse path filtering,
- though, this is less of a concern.
- .
- ### IP addresses alone often aren't enough authentication
- .
- Even following all the above precautions, rogue applications on a peer's
- machines could be able to make requests on their behalf unless you add extra
- layers of authentication to mitigate this CSRF-type vector.
- .
- It's recommended that you carefully consider this possibility before deciding
- that the source IP is sufficient for your authentication needs on a service.
- .
- ## Installation
- .
- innernet has only officially been tested on Linux and MacOS, but we hope to
- support as many platforms as is feasible!
- .
- ### Runtime Dependencies
- .
- It's assumed that WireGuard is installed on your system, either via the kernel
- module in Linux 5.6 and later, or via the
- [`wireguard-go`](https://git.zx2c4.com/wireguard-go/about/) userspace
- implementation.
- .
- [WireGuard Installation Instructions](https://www.wireguard.com/install/)
- .
- ### Arch Linux
- .
- ```sh
- pacman -S innernet
- ```
- .
- ### Debian and Ubuntu
- .
- [**@tommie**](https://github.com/tommie) is kindly providing Debian/Ubuntu
- innernet builds in the https://github.com/tommie/innernet-debian repository.
- .
- ### Other Linux Distributions
- .
- We're looking for volunteers who are able to set up external builds for popular
- distributions. Please see issue
- [#203](https://github.com/tonarino/innernet/issues/203).
- .
- ### macOS
- .
- ```sh
- brew install tonarino/innernet/innernet
- ```
- .
- ### Cargo
- .
- ```sh
- # to install innernet:
- cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 client
- .
- # to install innernet-server:
- cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 server
- ```
- .
- Note that you'll be responsible for updating manually.
- .
- ## Development
- .
- ### `innernet-server` Build dependencies
- .
- - `rustc` / `cargo` (version 1.50.0 or higher)
- - `libclang` (see more info at
- [https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
- - `libsqlite3`
- .
- Build:
- .
- ```sh
- cargo build --release --bin innernet-server
- ```
- .
- The resulting binary will be located at `./target/release/innernet-server`
- .
- ### `innernet` Client CLI Build dependencies
- .
- - `rustc` / `cargo` (version 1.50.0 or higher)
- - `libclang` (see more info at
- [https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
- .
- Build:
- .
- ```sh
- cargo build --release --bin innernet
- ```
- .
- The resulting binary will be located at `./target/release/innernet`
- .
- ### Releases
- .
- Please run the release script from a Linux machine: generated shell completions
- depend on available wireguard backends and Mac doesn't support the `kernel`
- backend. 
- .
- 1. Fetch and check-out the `main` branch.
- 2. Run `./release.sh [patch|major|minor|rc]`
- 3. Push the `main` branch and the created tag to the repo.