Included release tonarino/innernet@v1.6.1 in focal jammy for amd64 arm64 armhf.

main
github-actions[bot] 2024-01-22 14:39:32 +00:00
parent 58c46577ae
commit 963995cc7b
46 changed files with 215 additions and 2237 deletions

BIN
debian/db/checksums.db vendored

Binary file not shown.

BIN
debian/db/packages.db vendored

Binary file not shown.

Binary file not shown.

Binary file not shown.

View File

@ -4,51 +4,51 @@ Hash: SHA512
Origin: Unofficial Innernet Debian repository
Label: innernet-debian
Codename: focal
Date: Sun, 30 Jul 2023 13:18:34 UTC
Date: Mon, 22 Jan 2024 14:39:30 UTC
Architectures: amd64 armhf arm64
Components: contrib
Description: APT repository for https://github.com/tonarino/innernet/.
MD5Sum:
09585d6972df6d213e1a2a95a6d7f783 12098 contrib/binary-amd64/Packages
f71f3ea5d0ab6f8e0dad303f04573e81 4799 contrib/binary-amd64/Packages.gz
2eed532c18080f94efa64a20e0850101 1493 contrib/binary-amd64/Packages
42d48d316784c03b360d12d06bc3e4e6 663 contrib/binary-amd64/Packages.gz
77dc2b012f45038d5be68f81d464ee44 179 contrib/binary-amd64/Release
b1dcfb8ffed93c950262d0d18d93e8db 12097 contrib/binary-armhf/Packages
11ffc1ea682429a3cfd051979b9d6dcc 4799 contrib/binary-armhf/Packages.gz
ad99ee2214dc0e890ca4f4b28d6dbaf0 1493 contrib/binary-armhf/Packages
14b3724f4a55b292edc58e5159320fb0 665 contrib/binary-armhf/Packages.gz
2e56331833f644fa9dad5483acc93e55 179 contrib/binary-armhf/Release
9e4f28eca65271f15f684a56874f433d 12097 contrib/binary-arm64/Packages
edc6e00a474363010d79da0a577dbc64 4803 contrib/binary-arm64/Packages.gz
3678a76f8c1f7789f33472b0b1425b6e 1492 contrib/binary-arm64/Packages
53f3f8680c0a82954fde16e23c8f10cd 669 contrib/binary-arm64/Packages.gz
16627cd2b6e090772a75639bb48cd54d 179 contrib/binary-arm64/Release
SHA1:
87d9b5312a8e5e99090351a36d09785c02303cf1 12098 contrib/binary-amd64/Packages
ea7af888161785eae92c690ddf4a3f0cf2f75cc9 4799 contrib/binary-amd64/Packages.gz
2adb2413fdc1847cc786b4f5bcd3bcb9b63646f6 1493 contrib/binary-amd64/Packages
27f8e6a53160f30fd9b00d8629eebeece2b37357 663 contrib/binary-amd64/Packages.gz
a4f6bbfd6fe4ab5a01909278c4e13b05d6b06f13 179 contrib/binary-amd64/Release
d0b3431eb3e21ceb02caa9dd63aaf8b2231e3e5e 12097 contrib/binary-armhf/Packages
3ff371bef4abda8010bc8ad4b8873acfb8bd220e 4799 contrib/binary-armhf/Packages.gz
f007c3ba7b8da39d1d93bf2ec1e4dd65b1e2bf7a 1493 contrib/binary-armhf/Packages
ffa3d9fa4156adc85bd1e1b4b424e25222ef22de 665 contrib/binary-armhf/Packages.gz
dbfc90ff9af0819e8b73429a32e4691204b11da7 179 contrib/binary-armhf/Release
b8d99778297cbd777821c7162c9146d3f0407b6c 12097 contrib/binary-arm64/Packages
2ec88f0de84b12f796712cf8bdd9ae163a5e78d0 4803 contrib/binary-arm64/Packages.gz
fa43b23088efe1cc2d56885126b335066e8a69ed 1492 contrib/binary-arm64/Packages
615ac42f2ee41906f58c3145bb2723bb83bea85a 669 contrib/binary-arm64/Packages.gz
af10abab9b82b0f8be34be72d478cd7efe4e64b9 179 contrib/binary-arm64/Release
SHA256:
ce495f6c9bc1fb23dab42746cf14086dde7f1531922919af49f93708d6f9428c 12098 contrib/binary-amd64/Packages
466c0a757405ed9c217efb1b5c81f4b722922ee63c462b668a9957f6459a38a9 4799 contrib/binary-amd64/Packages.gz
b555648b373a9d97e37ac3741a6f4e834d79547e42cf1adda20e61e3d5857115 1493 contrib/binary-amd64/Packages
5d51808345cac6ab03939a1ac441cf1e03732f7d134a0b54aac1c20ede7c91f8 663 contrib/binary-amd64/Packages.gz
67b3f0e511499d8b794eaf1524cea47d2263a1e8e43445c60f311dbef9a50e9c 179 contrib/binary-amd64/Release
749a6859a1f9859ad9963b7f1d2ea665adf505d4e9457cad997600e26e3c2112 12097 contrib/binary-armhf/Packages
5ee9f26a09e21a87dfdb376fa3a6098a61b4fb7056d0957f56b6f43a84f65e25 4799 contrib/binary-armhf/Packages.gz
17752abfca0e7430b4979fc8c2277e7ad994dc9be693b0adfbc3fdb151306d80 1493 contrib/binary-armhf/Packages
aecf0a2cd2a2c80b1102845c275cdfdc93ed6912162f87c0d5bab0fa6f71d231 665 contrib/binary-armhf/Packages.gz
ce7a57575ec61bf1af16351e2366f7114f6ad78e035696abaaac42f80dd8f425 179 contrib/binary-armhf/Release
24f6c2047566e4e6921badbbd7d9a6fe47e59acea3b932a1143bfb1783e63e84 12097 contrib/binary-arm64/Packages
e7bc836e26a4d99973dc79ba64ebd6f62dc3e385685bb1963e111466f5205a26 4803 contrib/binary-arm64/Packages.gz
99e7bc596aec7edf82bd42e264c73b5a040e8ea8885b4e209c684a767fe17028 1492 contrib/binary-arm64/Packages
97044c4b7f2b0923390858c25b18107fc48da0085a43ea440eaf2c31388a44b3 669 contrib/binary-arm64/Packages.gz
86092179ad14de3750a8a527f8419920154bd761ea7367b9452abe85cfbca03d 179 contrib/binary-arm64/Release
-----BEGIN PGP SIGNATURE-----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=RQGT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=i42q
-----END PGP SIGNATURE-----
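Review bot: the Release header carries no `Valid-Until:` field (Origin, Label, Codename, Date, Architectures, Components and Description are the only header lines), so a client that is handed this signed InRelease weeks or months after 2024-01-22 cannot tell it is stale; APT does not enforce any expiry when the field is absent, which lets a mirror or an on-path party keep replaying an old, validly signed index to hold clients on a superseded package. Since this job regenerates the repository automatically anyway, suggest emitting `Valid-Until:` a short interval after `Date:` on every run. The SHA256 section is the one APT verifies by default, so MD5Sum and SHA1 only serve very old clients; the Packages size dropping from 12098 to 1493 bytes per architecture is consistent with the large Description block removed in the Packages hunks.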

View File

@ -1,37 +1,37 @@
Origin: Unofficial Innernet Debian repository
Label: innernet-debian
Codename: focal
Date: Sun, 30 Jul 2023 13:18:34 UTC
Date: Mon, 22 Jan 2024 14:39:30 UTC
Architectures: amd64 armhf arm64
Components: contrib
Description: APT repository for https://github.com/tonarino/innernet/.
MD5Sum:
09585d6972df6d213e1a2a95a6d7f783 12098 contrib/binary-amd64/Packages
f71f3ea5d0ab6f8e0dad303f04573e81 4799 contrib/binary-amd64/Packages.gz
2eed532c18080f94efa64a20e0850101 1493 contrib/binary-amd64/Packages
42d48d316784c03b360d12d06bc3e4e6 663 contrib/binary-amd64/Packages.gz
77dc2b012f45038d5be68f81d464ee44 179 contrib/binary-amd64/Release
b1dcfb8ffed93c950262d0d18d93e8db 12097 contrib/binary-armhf/Packages
11ffc1ea682429a3cfd051979b9d6dcc 4799 contrib/binary-armhf/Packages.gz
ad99ee2214dc0e890ca4f4b28d6dbaf0 1493 contrib/binary-armhf/Packages
14b3724f4a55b292edc58e5159320fb0 665 contrib/binary-armhf/Packages.gz
2e56331833f644fa9dad5483acc93e55 179 contrib/binary-armhf/Release
9e4f28eca65271f15f684a56874f433d 12097 contrib/binary-arm64/Packages
edc6e00a474363010d79da0a577dbc64 4803 contrib/binary-arm64/Packages.gz
3678a76f8c1f7789f33472b0b1425b6e 1492 contrib/binary-arm64/Packages
53f3f8680c0a82954fde16e23c8f10cd 669 contrib/binary-arm64/Packages.gz
16627cd2b6e090772a75639bb48cd54d 179 contrib/binary-arm64/Release
SHA1:
87d9b5312a8e5e99090351a36d09785c02303cf1 12098 contrib/binary-amd64/Packages
ea7af888161785eae92c690ddf4a3f0cf2f75cc9 4799 contrib/binary-amd64/Packages.gz
2adb2413fdc1847cc786b4f5bcd3bcb9b63646f6 1493 contrib/binary-amd64/Packages
27f8e6a53160f30fd9b00d8629eebeece2b37357 663 contrib/binary-amd64/Packages.gz
a4f6bbfd6fe4ab5a01909278c4e13b05d6b06f13 179 contrib/binary-amd64/Release
d0b3431eb3e21ceb02caa9dd63aaf8b2231e3e5e 12097 contrib/binary-armhf/Packages
3ff371bef4abda8010bc8ad4b8873acfb8bd220e 4799 contrib/binary-armhf/Packages.gz
f007c3ba7b8da39d1d93bf2ec1e4dd65b1e2bf7a 1493 contrib/binary-armhf/Packages
ffa3d9fa4156adc85bd1e1b4b424e25222ef22de 665 contrib/binary-armhf/Packages.gz
dbfc90ff9af0819e8b73429a32e4691204b11da7 179 contrib/binary-armhf/Release
b8d99778297cbd777821c7162c9146d3f0407b6c 12097 contrib/binary-arm64/Packages
2ec88f0de84b12f796712cf8bdd9ae163a5e78d0 4803 contrib/binary-arm64/Packages.gz
fa43b23088efe1cc2d56885126b335066e8a69ed 1492 contrib/binary-arm64/Packages
615ac42f2ee41906f58c3145bb2723bb83bea85a 669 contrib/binary-arm64/Packages.gz
af10abab9b82b0f8be34be72d478cd7efe4e64b9 179 contrib/binary-arm64/Release
SHA256:
ce495f6c9bc1fb23dab42746cf14086dde7f1531922919af49f93708d6f9428c 12098 contrib/binary-amd64/Packages
466c0a757405ed9c217efb1b5c81f4b722922ee63c462b668a9957f6459a38a9 4799 contrib/binary-amd64/Packages.gz
b555648b373a9d97e37ac3741a6f4e834d79547e42cf1adda20e61e3d5857115 1493 contrib/binary-amd64/Packages
5d51808345cac6ab03939a1ac441cf1e03732f7d134a0b54aac1c20ede7c91f8 663 contrib/binary-amd64/Packages.gz
67b3f0e511499d8b794eaf1524cea47d2263a1e8e43445c60f311dbef9a50e9c 179 contrib/binary-amd64/Release
749a6859a1f9859ad9963b7f1d2ea665adf505d4e9457cad997600e26e3c2112 12097 contrib/binary-armhf/Packages
5ee9f26a09e21a87dfdb376fa3a6098a61b4fb7056d0957f56b6f43a84f65e25 4799 contrib/binary-armhf/Packages.gz
17752abfca0e7430b4979fc8c2277e7ad994dc9be693b0adfbc3fdb151306d80 1493 contrib/binary-armhf/Packages
aecf0a2cd2a2c80b1102845c275cdfdc93ed6912162f87c0d5bab0fa6f71d231 665 contrib/binary-armhf/Packages.gz
ce7a57575ec61bf1af16351e2366f7114f6ad78e035696abaaac42f80dd8f425 179 contrib/binary-armhf/Release
24f6c2047566e4e6921badbbd7d9a6fe47e59acea3b932a1143bfb1783e63e84 12097 contrib/binary-arm64/Packages
e7bc836e26a4d99973dc79ba64ebd6f62dc3e385685bb1963e111466f5205a26 4803 contrib/binary-arm64/Packages.gz
99e7bc596aec7edf82bd42e264c73b5a040e8ea8885b4e209c684a767fe17028 1492 contrib/binary-arm64/Packages
97044c4b7f2b0923390858c25b18107fc48da0085a43ea440eaf2c31388a44b3 669 contrib/binary-arm64/Packages.gz
86092179ad14de3750a8a527f8419920154bd761ea7367b9452abe85cfbca03d 179 contrib/binary-arm64/Release
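Review bot: this plain Release file must stay byte-identical to the body of the clearsigned InRelease (same Date line, same checksum lines), and it does here; because the detached Release.gpg is the only thing binding this copy, any edit to either file after signing breaks verification, so both should always be written from the same generator run and signed afterwards. As in InRelease, no `Valid-Until:` header is present, so nothing here bounds how long this index remains acceptable to clients.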

View File

@ -1,14 +1,14 @@
-----BEGIN PGP SIGNATURE-----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=DsOy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=dNuu
-----END PGP SIGNATURE-----
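Review bot: the detached signature body is not visible in this rendering (only the armour header and footer and two short trailing fragments survive), so nothing in this hunk can be checked by eye; before treating the publish as complete, verify the pair locally with `gpg --verify Release.gpg Release` and confirm the signing key fingerprint reported is the repository key that users are told to import, since a signature from any other key would still look like a successful update here.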

View File

@ -1,378 +1,41 @@
Package: innernet
Version: 1.6.0-0ubuntu0~focal
Version: 1.6.1-0ubuntu0~focal
Architecture: amd64
Vcs-Browser: https://github.com/tonarino/innernet
Vcs-Git: https://github.com/tonarino/innernet
Homepage: https://github.com/tonarino/innernet
Maintainer: tonari <hey@tonari.no>
Installed-Size: 3221
Depends: systemd, libgcc1, libc6
Installed-Size: 3541
Depends: libc6, systemd, libgcc1
Recommends: wireguard
Priority: optional
Section: net
Filename: pool/contrib/i/innernet/innernet_1.6.0-0ubuntu0~focal_amd64.deb
Size: 1017076
SHA256: cd26fa15089a95bf69874116e89469f75a8d01b9fb344c7706a8a36fa804e0b4
SHA1: c2699d37af2cffea4b19282477acf2b1ef367c21
MD5sum: 4399b78eef1bbf075041fcb12c03fab8
Filename: pool/contrib/i/innernet/innernet_1.6.1-0ubuntu0~focal_amd64.deb
Size: 1111620
SHA256: cacf84242e097f45af4037fe6d5669f39ac9c57cdb028585e020399ac3dc4791
SHA1: 494b4cbe7ef2236e4399cb97c3988f8c0d572043
MD5sum: 3c390c83ab807227421ec01efe63fbc8
Description: A client to manage innernet network interfaces.
innernet client binary for fetching peer information and conducting admin tasks
such as adding a new peer.
Package: innernet-server
Version: 1.6.0-0ubuntu0~focal
Version: 1.6.1-0ubuntu0~focal
Architecture: amd64
Vcs-Browser: https://github.com/tonarino/innernet
Vcs-Git: https://github.com/tonarino/innernet
Homepage: https://github.com/tonarino/innernet
Maintainer: tonari <hey@tonari.no>
Installed-Size: 4214
Depends: libgcc1, zlib1g, libsqlite3-0, libc6, systemd
Installed-Size: 4538
Depends: libc6, libsqlite3-0, systemd, zlib1g, libgcc1
Recommends: wireguard
Source: innernet
Priority: optional
Section: net
Filename: pool/contrib/i/innernet-server/innernet-server_1.6.0-0ubuntu0~focal_amd64.deb
Size: 1499216
SHA256: 539e7a438869dcb5b9a9bf2f2fa76afb1d226584fd2cd011a3c5f8dd8c4bb429
SHA1: b4a6e87898a68666207fdaa08cd02b6b6b7b9bc9
MD5sum: cbb3a19ddde8af07ac8cafb3b8cae132
Filename: pool/contrib/i/innernet-server/innernet-server_1.6.1-0ubuntu0~focal_amd64.deb
Size: 1590820
SHA256: 5cf090c669a4c4f12e1ec39e56b3259c1a37249fad9fb5f07283e9e19dc76d28
SHA1: bcaeafc7ea1a9662f0fc0ca1fb3e6dbc6385fa61
MD5sum: 65f5fcd0ba8fbc5812991e82e7e460b3
Description: A server to coordinate innernet networks.
# innernet
.
[![Actively
Maintained](https://img.shields.io/badge/Maintenance%20Level-Actively%20Maintained-green.svg)](https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d)
[![MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/tonarino/innernet/blob/master/LICENSE)
.
A private network system that uses [WireGuard](https://wireguard.com) under the
hood. See the [announcement blog
post](https://blog.tonari.no/introducing-innernet) for a longer-winded
explanation.
.
<img
src="https://user-images.githubusercontent.com/373823/118917068-09ae7700-b96b-11eb-80f4-6860072d504d.gif"
width="600" height="370">
.
`innernet` is similar in its goals to Slack's
[nebula](https://github.com/slackhq/nebula) or
[Tailscale](https://tailscale.com/), but takes a bit of a different approach.
It aims to take advantage of existing networking concepts like CIDRs and the
security properties of WireGuard to turn your computer's basic IP networking
into more powerful ACL primitives.
.
`innernet` is not an official WireGuard project, and WireGuard is a registered
trademark of Jason A. Donenfeld.
.
This has not received an independent security audit, and should be considered
experimental software at this early point in its lifetime.
.
## Usage
.
### Server Creation
.
Every `innernet` network needs a coordination server to manage peers and
provide endpoint information so peers can directly connect to each other.
Create a new one with
.
```sh
sudo innernet-server new
```
.
The init wizard will ask you questions about your network and give you some
reasonable defaults. It's good to familiarize yourself with [network
CIDRs](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) as a lot
of innernet's access control is based upon them. As an example, let's say the
root CIDR for this network is `10.60.0.0/16`. Server initialization creates a
special "infra" CIDR which contains the `innernet` server itself and is
reachable from all CIDRs on the network.
.
Next we'll also create a `humans` CIDR where we can start adding some peers.
.
```sh
sudo innernet-server add-cidr <interface>
```
.
For the parent CIDR, you can simply choose your network's root CIDR. The name
will be `humans`, and the CIDR will be `10.60.64.0/24` (not a great example
unless you only want to support 256 humans, but it works for now...).
.
By default, peers which exist in this new CIDR will only be able to contact
peers in the same CIDR, and the special "infra" CIDR which was created when the
server was initialized.
.
A typical workflow for creating a new network is to create an admin peer from
the `innernet-server` CLI, and then continue using that admin peer via the
`innernet` client CLI to add any further peers or network CIDRs.
.
```sh
sudo innernet-server add-peer <interface>
```
.
Select the `humans` CIDR, and the CLI will automatically suggest the next
available IP address. Any name is fine, just answer "yes" when asked if you
would like to make the peer an admin. The process of adding a peer results in
an invitation file. This file contains just enough information for the new peer
to contact the `innernet` server and redeem its invitation. It should be
transferred securely to the new peer, and it can only be used once to
initialize the peer.
.
You can run the server with `innernet-server serve <interface>`, or if you're
on Linux and want to run it via `systemctl`, run `systemctl enable --now
innernet-server@<interface>`. If you're on a home network, don't forget to
configure port forwarding to the `Listen Port` you specified when creating the
`innernet` server.
.
### Peer Initialization
.
Let's assume the invitation file generated in the steps above have been
transferred to the machine a network admin will be using.
.
You can initialize the client with
.
```sh
sudo innernet install /path/to/invitation.toml
```
.
You can customize the network name if you want to, or leave it at the default.
`innernet` will then connect to the `innernet` server via WireGuard, generate a
new key pair, and register that pair with the server. The private key in the
invitation file can no longer be used.
.
If everything was successful, the new peer is on the network. You can run
things like
.
```sh
sudo innernet list
```
.
or
.
```sh
sudo innernet list --tree
```
.
to view the current network and all CIDRs visible to this peer.
.
Since we created an admin peer, we can also add new peers and CIDRs from this
peer via `innernet` instead of having to always run commands on the server.
.
### Adding Associations between CIDRs
.
In order for peers from one CIDR to be able to contact peers in another CIDR,
those two CIDRs must be "associated" with each other.
.
With the admin peer we created above, let's add a new CIDR for some theoretical
CI servers we have.
.
```sh
sudo innernet add-cidr <interface>
```
.
The name is `ci-servers` and the CIDR is `10.60.64.0/24`, but for this example
it can be anything.
.
For now, we want peers in the `humans` CIDR to be able to access peers in the
`ci-servers` CIDR.
.
```sh
sudo innernet add-association <interface>
```
.
The CLI will ask you to select the two CIDRs you want to associate. That's all
it takes to allow peers in two different CIDRs to communicate!
.
You can verify the association with
.
```sh
sudo innernet list-associations <interface>
```
.
and associations can be deleted with
.
```sh
sudo innernet delete-associations <interface>
```
.
### Enabling/Disabling Peers
.
For security reasons, IP addresses cannot be re-used by new peers, and
therefore peers cannot be deleted. However, they can be disabled. Disabled
peers will not show up in the list of peers when fetching the config for an
interface.
.
Disable a peer with
.
```su
sudo innernet disable-peer <interface>
```
.
Or re-enable a peer with
.
```su
sudo innernet enable-peer <interface>
```
.
### Specifying a Manual Endpoint
.
The `innernet` server will try to use the internet endpoint it sees from a peer
so other peers can connect to that peer as well. This doesn't always work and
you may want to set an endpoint explicitly. To set an endpoint, use
.
```sh
sudo innernet override-endpoint <interface>
```
.
You can go back to automatic endpoint discovery with
.
```sh
sudo innernet override-endpoint -u <interface>
```
.
### Setting the Local WireGuard Listen Port
.
If you want to change the port which WireGuard listens on, use
.
```sh
sudo innernet set-listen-port <interface>
```
.
or unset the port and use a randomized port with
.
```sh
sudo innernet set-listen-port -u <interface>
```
.
### Remove Network
.
To permanently uninstall a created network, use
.
```sh
sudo innernet-server uninstall <interface>
```
.
Use with care!
.
## Security recommendations
.
If you're running a service on innernet, there are some important security
considerations.
.
### Enable strict Reverse Path Filtering ([RFC
3704](https://tools.ietf.org/html/rfc3704))
.
Strict RPF prevents packets from _other_ interfaces from having internal source
IP addresses. This is _not_ the default on Linux, even though it is the right
choice for 99.99% of situations. You can enable it by adding the following to a
`/etc/sysctl.d/60-network-security.conf`:
.
```
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
```
.
### Bind to the WireGuard device
.
If possible, to _ensure_ that packets are only ever transmitted over the
WireGuard interface, it's recommended that you use `SO_BINDTODEVICE` on Linux
or `IP_BOUND_IF` on macOS/BSDs. If you have strict reverse path filtering,
though, this is less of a concern.
.
### IP addresses alone often aren't enough authentication
.
Even following all the above precautions, rogue applications on a peer's
machines could be able to make requests on their behalf unless you add extra
layers of authentication to mitigate this CSRF-type vector.
.
It's recommended that you carefully consider this possibility before deciding
that the source IP is sufficient for your authentication needs on a service.
.
## Installation
.
innernet has only officially been tested on Linux and MacOS, but we hope to
support as many platforms as is feasible!
.
### Runtime Dependencies
.
It's assumed that WireGuard is installed on your system, either via the kernel
module in Linux 5.6 and later, or via the
[`wireguard-go`](https://git.zx2c4.com/wireguard-go/about/) userspace
implementation.
.
[WireGuard Installation Instructions](https://www.wireguard.com/install/)
.
### Arch Linux
.
```sh
pacman -S innernet
```
.
### Debian and Ubuntu
.
[**@tommie**](https://github.com/tommie) is kindly providing Debian/Ubuntu
innernet builds in the https://github.com/tommie/innernet-debian repository.
.
### Other Linux Distributions
.
We're looking for volunteers who are able to set up external builds for popular
distributions. Please see issue
[#203](https://github.com/tonarino/innernet/issues/203).
.
### macOS
.
```sh
brew install tonarino/innernet/innernet
```
.
### Cargo
.
```sh
# to install innernet:
cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 client
.
# to install innernet-server:
cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 server
```
.
Note that you'll be responsible for updating manually.
.
## Development
.
### `innernet-server` Build dependencies
.
- `rustc` / `cargo` (version 1.50.0 or higher)
- `libclang` (see more info at
[https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
- `libsqlite3`
.
Build:
.
```sh
cargo build --release --bin innernet-server
```
.
The resulting binary will be located at `./target/release/innernet-server`
.
### `innernet` Client CLI Build dependencies
.
- `rustc` / `cargo` (version 1.50.0 or higher)
- `libclang` (see more info at
[https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
.
Build:
.
```sh
cargo build --release --bin innernet
```
.
The resulting binary will be located at `./target/release/innernet`
.
### Releases
.
Please run the release script from a Linux machine: generated shell completions
depend on available wireguard backends and Mac doesn't support the `kernel`
backend.
.
1. Fetch and check-out the `main` branch.
2. Run `./release.sh [patch|major|minor|rc]`
3. Push the `main` branch and the created tag to the repo.
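Review bot: the Depends line is re-emitted in a different order (`Depends: libc6, systemd, libgcc1` replacing `Depends: systemd, libgcc1, libc6`, and likewise for innernet-server) with no actual change in the dependency set, so the index generator is serialising it in unstable order; sorting the field before writing would keep these diffs limited to real changes and make the published Packages file reproducible. Replacing the 1.6.0 stanzas outright (only 1.6.1 remains listed) means a host that pinned `innernet=1.6.0-0ubuntu0~focal` can no longer resolve it from this repository, so if rollback is a supported path the previous stanza should be retained alongside the new one. Dropping the long Description that embedded the entire project README under innernet-server (with its `sudo` command blocks, the mistyped ```` ```su ```` fences and the stale `--tag v1.6.0` cargo instructions) is the right call; a Description should be the synopsis plus a short paragraph, as the innernet stanza already has.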

View File

@ -1,378 +1,41 @@
Package: innernet
Version: 1.6.0-0ubuntu0~focal
Version: 1.6.1-0ubuntu0~focal
Architecture: arm64
Vcs-Browser: https://github.com/tonarino/innernet
Vcs-Git: https://github.com/tonarino/innernet
Homepage: https://github.com/tonarino/innernet
Maintainer: tonari <hey@tonari.no>
Installed-Size: 2841
Depends: libgcc1, systemd, libc6
Installed-Size: 3097
Depends: libc6, libgcc1, systemd
Recommends: wireguard
Priority: optional
Section: net
Filename: pool/contrib/i/innernet/innernet_1.6.0-0ubuntu0~focal_arm64.deb
Size: 903012
SHA256: d71dd1ea107dea559f8d15c01ae9d58761ba4afee3a9bc7a4c7112e824ce4ab3
SHA1: 0139401fd3f08b403fc2a15f3a331c60ff24e570
MD5sum: f85aeb8aa51538811ff2238914c4a1ab
Filename: pool/contrib/i/innernet/innernet_1.6.1-0ubuntu0~focal_arm64.deb
Size: 996348
SHA256: 4cbb067b10d23478cdcc4bfc55ab21e57edc338b842f339cfc493ebd943a52bd
SHA1: 741a5339bfdfd890c063d70b08287b772bca97e5
MD5sum: 304643085d804b48f535073ee3f65f0f
Description: A client to manage innernet network interfaces.
innernet client binary for fetching peer information and conducting admin tasks
such as adding a new peer.
Package: innernet-server
Version: 1.6.0-0ubuntu0~focal
Version: 1.6.1-0ubuntu0~focal
Architecture: arm64
Vcs-Browser: https://github.com/tonarino/innernet
Vcs-Git: https://github.com/tonarino/innernet
Homepage: https://github.com/tonarino/innernet
Maintainer: tonari <hey@tonari.no>
Installed-Size: 3886
Depends: libc6, libgcc1, zlib1g, systemd, libsqlite3-0
Installed-Size: 4146
Depends: zlib1g, systemd, libgcc1, libsqlite3-0, libc6
Recommends: wireguard
Source: innernet
Priority: optional
Section: net
Filename: pool/contrib/i/innernet-server/innernet-server_1.6.0-0ubuntu0~focal_arm64.deb
Size: 1355084
SHA256: 46e22e21dcff4538ba143c5e32077983816b9c1d6ff7b856255e59df86023048
SHA1: 8860342c49b89fa9238bd9ba7abed1d2afa63b54
MD5sum: 43de229d49d6134e0801e6338009cf86
Filename: pool/contrib/i/innernet-server/innernet-server_1.6.1-0ubuntu0~focal_arm64.deb
Size: 1445676
SHA256: f09f81ae098b4058e9531ef72d28369ea2011c9e71c226ada5ebd8e76fb41dea
SHA1: 1039acb66fe9aaa8f77d68fae41c24340737990f
MD5sum: ce39d9f66ae6013d12f10fc22a6023b6
Description: A server to coordinate innernet networks.
# innernet
.
[![Actively
Maintained](https://img.shields.io/badge/Maintenance%20Level-Actively%20Maintained-green.svg)](https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d)
[![MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/tonarino/innernet/blob/master/LICENSE)
.
A private network system that uses [WireGuard](https://wireguard.com) under the
hood. See the [announcement blog
post](https://blog.tonari.no/introducing-innernet) for a longer-winded
explanation.
.
<img
src="https://user-images.githubusercontent.com/373823/118917068-09ae7700-b96b-11eb-80f4-6860072d504d.gif"
width="600" height="370">
.
`innernet` is similar in its goals to Slack's
[nebula](https://github.com/slackhq/nebula) or
[Tailscale](https://tailscale.com/), but takes a bit of a different approach.
It aims to take advantage of existing networking concepts like CIDRs and the
security properties of WireGuard to turn your computer's basic IP networking
into more powerful ACL primitives.
.
`innernet` is not an official WireGuard project, and WireGuard is a registered
trademark of Jason A. Donenfeld.
.
This has not received an independent security audit, and should be considered
experimental software at this early point in its lifetime.
.
## Usage
.
### Server Creation
.
Every `innernet` network needs a coordination server to manage peers and
provide endpoint information so peers can directly connect to each other.
Create a new one with
.
```sh
sudo innernet-server new
```
.
The init wizard will ask you questions about your network and give you some
reasonable defaults. It's good to familiarize yourself with [network
CIDRs](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) as a lot
of innernet's access control is based upon them. As an example, let's say the
root CIDR for this network is `10.60.0.0/16`. Server initialization creates a
special "infra" CIDR which contains the `innernet` server itself and is
reachable from all CIDRs on the network.
.
Next we'll also create a `humans` CIDR where we can start adding some peers.
.
```sh
sudo innernet-server add-cidr <interface>
```
.
For the parent CIDR, you can simply choose your network's root CIDR. The name
will be `humans`, and the CIDR will be `10.60.64.0/24` (not a great example
unless you only want to support 256 humans, but it works for now...).
.
By default, peers which exist in this new CIDR will only be able to contact
peers in the same CIDR, and the special "infra" CIDR which was created when the
server was initialized.
.
A typical workflow for creating a new network is to create an admin peer from
the `innernet-server` CLI, and then continue using that admin peer via the
`innernet` client CLI to add any further peers or network CIDRs.
.
```sh
sudo innernet-server add-peer <interface>
```
.
Select the `humans` CIDR, and the CLI will automatically suggest the next
available IP address. Any name is fine, just answer "yes" when asked if you
would like to make the peer an admin. The process of adding a peer results in
an invitation file. This file contains just enough information for the new peer
to contact the `innernet` server and redeem its invitation. It should be
transferred securely to the new peer, and it can only be used once to
initialize the peer.
.
You can run the server with `innernet-server serve <interface>`, or if you're
on Linux and want to run it via `systemctl`, run `systemctl enable --now
innernet-server@<interface>`. If you're on a home network, don't forget to
configure port forwarding to the `Listen Port` you specified when creating the
`innernet` server.
.
### Peer Initialization
.
Let's assume the invitation file generated in the steps above have been
transferred to the machine a network admin will be using.
.
You can initialize the client with
.
```sh
sudo innernet install /path/to/invitation.toml
```
.
You can customize the network name if you want to, or leave it at the default.
`innernet` will then connect to the `innernet` server via WireGuard, generate a
new key pair, and register that pair with the server. The private key in the
invitation file can no longer be used.
.
If everything was successful, the new peer is on the network. You can run
things like
.
```sh
sudo innernet list
```
.
or
.
```sh
sudo innernet list --tree
```
.
to view the current network and all CIDRs visible to this peer.
.
Since we created an admin peer, we can also add new peers and CIDRs from this
peer via `innernet` instead of having to always run commands on the server.
.
### Adding Associations between CIDRs
.
In order for peers from one CIDR to be able to contact peers in another CIDR,
those two CIDRs must be "associated" with each other.
.
With the admin peer we created above, let's add a new CIDR for some theoretical
CI servers we have.
.
```sh
sudo innernet add-cidr <interface>
```
.
The name is `ci-servers` and the CIDR is `10.60.64.0/24`, but for this example
it can be anything.
.
For now, we want peers in the `humans` CIDR to be able to access peers in the
`ci-servers` CIDR.
.
```sh
sudo innernet add-association <interface>
```
.
The CLI will ask you to select the two CIDRs you want to associate. That's all
it takes to allow peers in two different CIDRs to communicate!
.
You can verify the association with
.
```sh
sudo innernet list-associations <interface>
```
.
and associations can be deleted with
.
```sh
sudo innernet delete-associations <interface>
```
.
### Enabling/Disabling Peers
.
For security reasons, IP addresses cannot be re-used by new peers, and
therefore peers cannot be deleted. However, they can be disabled. Disabled
peers will not show up in the list of peers when fetching the config for an
interface.
.
Disable a peer with
.
```su
sudo innernet disable-peer <interface>
```
.
Or re-enable a peer with
.
```su
sudo innernet enable-peer <interface>
```
.
### Specifying a Manual Endpoint
.
The `innernet` server will try to use the internet endpoint it sees from a peer
so other peers can connect to that peer as well. This doesn't always work and
you may want to set an endpoint explicitly. To set an endpoint, use
.
```sh
sudo innernet override-endpoint <interface>
```
.
You can go back to automatic endpoint discovery with
.
```sh
sudo innernet override-endpoint -u <interface>
```
.
### Setting the Local WireGuard Listen Port
.
If you want to change the port which WireGuard listens on, use
.
```sh
sudo innernet set-listen-port <interface>
```
.
or unset the port and use a randomized port with
.
```sh
sudo innernet set-listen-port -u <interface>
```
.
### Remove Network
.
To permanently uninstall a created network, use
.
```sh
sudo innernet-server uninstall <interface>
```
.
Use with care!
.
## Security recommendations
.
If you're running a service on innernet, there are some important security
considerations.
.
### Enable strict Reverse Path Filtering ([RFC
3704](https://tools.ietf.org/html/rfc3704))
.
Strict RPF prevents packets from _other_ interfaces from having internal source
IP addresses. This is _not_ the default on Linux, even though it is the right
choice for 99.99% of situations. You can enable it by adding the following to a
`/etc/sysctl.d/60-network-security.conf`:
.
```
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
```
.
### Bind to the WireGuard device
.
If possible, to _ensure_ that packets are only ever transmitted over the
WireGuard interface, it's recommended that you use `SO_BINDTODEVICE` on Linux
or `IP_BOUND_IF` on macOS/BSDs. If you have strict reverse path filtering,
though, this is less of a concern.
.
### IP addresses alone often aren't enough authentication
.
Even following all the above precautions, rogue applications on a peer's
machines could be able to make requests on their behalf unless you add extra
layers of authentication to mitigate this CSRF-type vector.
.
It's recommended that you carefully consider this possibility before deciding
that the source IP is sufficient for your authentication needs on a service.
.
## Installation
.
innernet has only officially been tested on Linux and MacOS, but we hope to
support as many platforms as is feasible!
.
### Runtime Dependencies
.
It's assumed that WireGuard is installed on your system, either via the kernel
module in Linux 5.6 and later, or via the
[`wireguard-go`](https://git.zx2c4.com/wireguard-go/about/) userspace
implementation.
.
[WireGuard Installation Instructions](https://www.wireguard.com/install/)
.
### Arch Linux
.
```sh
pacman -S innernet
```
.
### Debian and Ubuntu
.
[**@tommie**](https://github.com/tommie) is kindly providing Debian/Ubuntu
innernet builds in the https://github.com/tommie/innernet-debian repository.
.
### Other Linux Distributions
.
We're looking for volunteers who are able to set up external builds for popular
distributions. Please see issue
[#203](https://github.com/tonarino/innernet/issues/203).
.
### macOS
.
```sh
brew install tonarino/innernet/innernet
```
.
### Cargo
.
```sh
# to install innernet:
cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 client
.
# to install innernet-server:
cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 server
```
.
Note that you'll be responsible for updating manually.
.
## Development
.
### `innernet-server` Build dependencies
.
- `rustc` / `cargo` (version 1.50.0 or higher)
- `libclang` (see more info at
[https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
- `libsqlite3`
.
Build:
.
```sh
cargo build --release --bin innernet-server
```
.
The resulting binary will be located at `./target/release/innernet-server`
.
### `innernet` Client CLI Build dependencies
.
- `rustc` / `cargo` (version 1.50.0 or higher)
- `libclang` (see more info at
[https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
.
Build:
.
```sh
cargo build --release --bin innernet
```
.
The resulting binary will be located at `./target/release/innernet`
.
### Releases
.
Please run the release script from a Linux machine: generated shell completions
depend on available wireguard backends and Mac doesn't support the `kernel`
backend.
.
1. Fetch and check-out the `main` branch.
2. Run `./release.sh [patch|major|minor|rc]`
3. Push the `main` branch and the created tag to the repo.
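Review bot: these lines are the tail of the old extended description, not a README in its own right: the `.` lines are Debian's placeholder for a blank line inside a `Description:` field, which is how the entire upstream README ended up inside the old Packages stanza. Dropping it is the right fix; confirm that the regenerated stanza still carries a short extended description (one or two indented lines, as the client stanza has) rather than none at all.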

View File

@ -1,378 +1,41 @@
Package: innernet
Version: 1.6.0-0ubuntu0~focal
Version: 1.6.1-0ubuntu0~focal
Architecture: armhf
Vcs-Browser: https://github.com/tonarino/innernet
Vcs-Git: https://github.com/tonarino/innernet
Homepage: https://github.com/tonarino/innernet
Maintainer: tonari <hey@tonari.no>
Installed-Size: 2684
Depends: libgcc1, libc6, systemd
Installed-Size: 2964
Depends: libgcc1, systemd, libc6
Recommends: wireguard
Priority: optional
Section: net
Filename: pool/contrib/i/innernet/innernet_1.6.0-0ubuntu0~focal_armhf.deb
Size: 916708
SHA256: 5a659fba5e5410ea9cb5591753075fcc040c92386e3e6382efacd43583e2c782
SHA1: 03ac24914abd80fcaee5d0dacd77c2b4aebfd08c
MD5sum: b0c21e227ed3ca35815137d941035b1f
Filename: pool/contrib/i/innernet/innernet_1.6.1-0ubuntu0~focal_armhf.deb
Size: 1005280
SHA256: 144834c9ae90445110342ddd032994c6f90a47a07a97aace37b2490fe85e13d8
SHA1: 45267cbbea12a873d8aba9477b7bad59b6fdbf2f
MD5sum: de313d6bc2990a36955cebd34e328dbb
Description: A client to manage innernet network interfaces.
innernet client binary for fetching peer information and conducting admin tasks
such as adding a new peer.
Package: innernet-server
Version: 1.6.0-0ubuntu0~focal
Version: 1.6.1-0ubuntu0~focal
Architecture: armhf
Vcs-Browser: https://github.com/tonarino/innernet
Vcs-Git: https://github.com/tonarino/innernet
Homepage: https://github.com/tonarino/innernet
Maintainer: tonari <hey@tonari.no>
Installed-Size: 3343
Depends: libgcc1, zlib1g, libc6, libsqlite3-0, systemd
Installed-Size: 3627
Depends: libsqlite3-0, zlib1g, systemd, libgcc1, libc6
Recommends: wireguard
Source: innernet
Priority: optional
Section: net
Filename: pool/contrib/i/innernet-server/innernet-server_1.6.0-0ubuntu0~focal_armhf.deb
Size: 1337176
SHA256: 429c6cbf976e82910bd9be68b772a9264f680ea051c1850074a25e39e6d03059
SHA1: d97a2f0ae144af2a67dc6dc9df547fc0b61d3058
MD5sum: 105818d65bcc4e3ffbb3feb7dab0867c
Filename: pool/contrib/i/innernet-server/innernet-server_1.6.1-0ubuntu0~focal_armhf.deb
Size: 1427788
SHA256: ecc84c8d03f42fa02e4b827be17f79769871171fe7617da65cea97200eca4b29
SHA1: f700e1d31662a507f90c00b9ab09ea4c5596ba2f
MD5sum: 3f0337283e95cfea0156fb9e8cebc03e
Description: A server to coordinate innernet networks.
# innernet
.
[![Actively
Maintained](https://img.shields.io/badge/Maintenance%20Level-Actively%20Maintained-green.svg)](https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d)
[![MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/tonarino/innernet/blob/master/LICENSE)
.
A private network system that uses [WireGuard](https://wireguard.com) under the
hood. See the [announcement blog
post](https://blog.tonari.no/introducing-innernet) for a longer-winded
explanation.
.
<img
src="https://user-images.githubusercontent.com/373823/118917068-09ae7700-b96b-11eb-80f4-6860072d504d.gif"
width="600" height="370">
.
`innernet` is similar in its goals to Slack's
[nebula](https://github.com/slackhq/nebula) or
[Tailscale](https://tailscale.com/), but takes a bit of a different approach.
It aims to take advantage of existing networking concepts like CIDRs and the
security properties of WireGuard to turn your computer's basic IP networking
into more powerful ACL primitives.
.
`innernet` is not an official WireGuard project, and WireGuard is a registered
trademark of Jason A. Donenfeld.
.
This has not received an independent security audit, and should be considered
experimental software at this early point in its lifetime.
.
## Usage
.
### Server Creation
.
Every `innernet` network needs a coordination server to manage peers and
provide endpoint information so peers can directly connect to each other.
Create a new one with
.
```sh
sudo innernet-server new
```
.
The init wizard will ask you questions about your network and give you some
reasonable defaults. It's good to familiarize yourself with [network
CIDRs](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) as a lot
of innernet's access control is based upon them. As an example, let's say the
root CIDR for this network is `10.60.0.0/16`. Server initialization creates a
special "infra" CIDR which contains the `innernet` server itself and is
reachable from all CIDRs on the network.
.
Next we'll also create a `humans` CIDR where we can start adding some peers.
.
```sh
sudo innernet-server add-cidr <interface>
```
.
For the parent CIDR, you can simply choose your network's root CIDR. The name
will be `humans`, and the CIDR will be `10.60.64.0/24` (not a great example
unless you only want to support 256 humans, but it works for now...).
.
By default, peers which exist in this new CIDR will only be able to contact
peers in the same CIDR, and the special "infra" CIDR which was created when the
server was initialized.
.
A typical workflow for creating a new network is to create an admin peer from
the `innernet-server` CLI, and then continue using that admin peer via the
`innernet` client CLI to add any further peers or network CIDRs.
.
```sh
sudo innernet-server add-peer <interface>
```
.
Select the `humans` CIDR, and the CLI will automatically suggest the next
available IP address. Any name is fine, just answer "yes" when asked if you
would like to make the peer an admin. The process of adding a peer results in
an invitation file. This file contains just enough information for the new peer
to contact the `innernet` server and redeem its invitation. It should be
transferred securely to the new peer, and it can only be used once to
initialize the peer.
.
You can run the server with `innernet-server serve <interface>`, or if you're
on Linux and want to run it via `systemctl`, run `systemctl enable --now
innernet-server@<interface>`. If you're on a home network, don't forget to
configure port forwarding to the `Listen Port` you specified when creating the
`innernet` server.
.
### Peer Initialization
.
Let's assume the invitation file generated in the steps above have been
transferred to the machine a network admin will be using.
.
You can initialize the client with
.
```sh
sudo innernet install /path/to/invitation.toml
```
.
You can customize the network name if you want to, or leave it at the default.
`innernet` will then connect to the `innernet` server via WireGuard, generate a
new key pair, and register that pair with the server. The private key in the
invitation file can no longer be used.
.
If everything was successful, the new peer is on the network. You can run
things like
.
```sh
sudo innernet list
```
.
or
.
```sh
sudo innernet list --tree
```
.
to view the current network and all CIDRs visible to this peer.
.
Since we created an admin peer, we can also add new peers and CIDRs from this
peer via `innernet` instead of having to always run commands on the server.
.
### Adding Associations between CIDRs
.
In order for peers from one CIDR to be able to contact peers in another CIDR,
those two CIDRs must be "associated" with each other.
.
With the admin peer we created above, let's add a new CIDR for some theoretical
CI servers we have.
.
```sh
sudo innernet add-cidr <interface>
```
.
The name is `ci-servers` and the CIDR is `10.60.64.0/24`, but for this example
it can be anything.
.
For now, we want peers in the `humans` CIDR to be able to access peers in the
`ci-servers` CIDR.
.
```sh
sudo innernet add-association <interface>
```
.
The CLI will ask you to select the two CIDRs you want to associate. That's all
it takes to allow peers in two different CIDRs to communicate!
.
You can verify the association with
.
```sh
sudo innernet list-associations <interface>
```
.
and associations can be deleted with
.
```sh
sudo innernet delete-associations <interface>
```
.
### Enabling/Disabling Peers
.
For security reasons, IP addresses cannot be re-used by new peers, and
therefore peers cannot be deleted. However, they can be disabled. Disabled
peers will not show up in the list of peers when fetching the config for an
interface.
.
Disable a peer with
.
```su
sudo innernet disable-peer <interface>
```
.
Or re-enable a peer with
.
```su
sudo innernet enable-peer <interface>
```
.
### Specifying a Manual Endpoint
.
The `innernet` server will try to use the internet endpoint it sees from a peer
so other peers can connect to that peer as well. This doesn't always work and
you may want to set an endpoint explicitly. To set an endpoint, use
.
```sh
sudo innernet override-endpoint <interface>
```
.
You can go back to automatic endpoint discovery with
.
```sh
sudo innernet override-endpoint -u <interface>
```
.
### Setting the Local WireGuard Listen Port
.
If you want to change the port which WireGuard listens on, use
.
```sh
sudo innernet set-listen-port <interface>
```
.
or unset the port and use a randomized port with
.
```sh
sudo innernet set-listen-port -u <interface>
```
.
### Remove Network
.
To permanently uninstall a created network, use
.
```sh
sudo innernet-server uninstall <interface>
```
.
Use with care!
.
## Security recommendations
.
If you're running a service on innernet, there are some important security
considerations.
.
### Enable strict Reverse Path Filtering ([RFC
3704](https://tools.ietf.org/html/rfc3704))
.
Strict RPF prevents packets from _other_ interfaces from having internal source
IP addresses. This is _not_ the default on Linux, even though it is the right
choice for 99.99% of situations. You can enable it by adding the following to a
`/etc/sysctl.d/60-network-security.conf`:
.
```
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
```
.
### Bind to the WireGuard device
.
If possible, to _ensure_ that packets are only ever transmitted over the
WireGuard interface, it's recommended that you use `SO_BINDTODEVICE` on Linux
or `IP_BOUND_IF` on macOS/BSDs. If you have strict reverse path filtering,
though, this is less of a concern.
.
### IP addresses alone often aren't enough authentication
.
Even following all the above precautions, rogue applications on a peer's
machines could be able to make requests on their behalf unless you add extra
layers of authentication to mitigate this CSRF-type vector.
.
It's recommended that you carefully consider this possibility before deciding
that the source IP is sufficient for your authentication needs on a service.
.
## Installation
.
innernet has only officially been tested on Linux and MacOS, but we hope to
support as many platforms as is feasible!
.
### Runtime Dependencies
.
It's assumed that WireGuard is installed on your system, either via the kernel
module in Linux 5.6 and later, or via the
[`wireguard-go`](https://git.zx2c4.com/wireguard-go/about/) userspace
implementation.
.
[WireGuard Installation Instructions](https://www.wireguard.com/install/)
.
### Arch Linux
.
```sh
pacman -S innernet
```
.
### Debian and Ubuntu
.
[**@tommie**](https://github.com/tommie) is kindly providing Debian/Ubuntu
innernet builds in the https://github.com/tommie/innernet-debian repository.
.
### Other Linux Distributions
.
We're looking for volunteers who are able to set up external builds for popular
distributions. Please see issue
[#203](https://github.com/tonarino/innernet/issues/203).
.
### macOS
.
```sh
brew install tonarino/innernet/innernet
```
.
### Cargo
.
```sh
# to install innernet:
cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 client
.
# to install innernet-server:
cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 server
```
.
Note that you'll be responsible for updating manually.
.
## Development
.
### `innernet-server` Build dependencies
.
- `rustc` / `cargo` (version 1.50.0 or higher)
- `libclang` (see more info at
[https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
- `libsqlite3`
.
Build:
.
```sh
cargo build --release --bin innernet-server
```
.
The resulting binary will be located at `./target/release/innernet-server`
.
### `innernet` Client CLI Build dependencies
.
- `rustc` / `cargo` (version 1.50.0 or higher)
- `libclang` (see more info at
[https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
.
Build:
.
```sh
cargo build --release --bin innernet
```
.
The resulting binary will be located at `./target/release/innernet`
.
### Releases
.
Please run the release script from a Linux machine: generated shell completions
depend on available wireguard backends and Mac doesn't support the `kernel`
backend.
.
1. Fetch and check-out the `main` branch.
2. Run `./release.sh [patch|major|minor|rc]`
3. Push the `main` branch and the created tag to the repo.
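Review bot: the `Depends:` line is rewritten with the same packages in a different order (`libgcc1, libc6, systemd` becomes `libgcc1, systemd, libc6`, and `libgcc1, zlib1g, libc6, libsqlite3-0, systemd` becomes `libsqlite3-0, zlib1g, systemd, libgcc1, libc6` for innernet-server); the generator should emit dependencies in sorted order so that a release bump does not churn this field and reviewers can spot a real dependency change. The remaining removed block, from `# innernet` down to the release steps with `.` marking blank lines, was the project README embedded as innernet-server's extended description; removing it is correct, and a two-line extended description like the client's would be the appropriate replacement.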

View File

@ -4,51 +4,51 @@ Hash: SHA512
Origin: Unofficial Innernet Debian repository
Label: innernet-debian
Codename: jammy
Date: Sun, 30 Jul 2023 13:18:35 UTC
Date: Mon, 22 Jan 2024 14:39:31 UTC
Architectures: amd64 armhf arm64
Components: contrib
Description: APT repository for https://github.com/tonarino/innernet/.
MD5Sum:
c3fb046e579f2886ef6b3cf3e219ba05 12098 contrib/binary-amd64/Packages
e09b77d60d34ab4af3b28265d59cea19 4799 contrib/binary-amd64/Packages.gz
d0ba34ce3b6d9952f14fec62fc228396 1493 contrib/binary-amd64/Packages
45d906fa5e0acef087cecfbb88637cfb 664 contrib/binary-amd64/Packages.gz
77dc2b012f45038d5be68f81d464ee44 179 contrib/binary-amd64/Release
780524704fdb47454787362f650f63b2 12097 contrib/binary-armhf/Packages
092d4159daa0a41922473929fb72b666 4798 contrib/binary-armhf/Packages.gz
1a7d078d59f956c36cb9af24421d58b5 1493 contrib/binary-armhf/Packages
73e7d5f7a070e2a977dba83528666735 670 contrib/binary-armhf/Packages.gz
2e56331833f644fa9dad5483acc93e55 179 contrib/binary-armhf/Release
774c59f064602c6d2a571c4927700ea1 12097 contrib/binary-arm64/Packages
111c0179f59c4f065197f95058495807 4802 contrib/binary-arm64/Packages.gz
3835ac29b2e4abdbb03761a7def4ca1a 1492 contrib/binary-arm64/Packages
9a76fb55773a8927dbf5d6772883a67d 670 contrib/binary-arm64/Packages.gz
16627cd2b6e090772a75639bb48cd54d 179 contrib/binary-arm64/Release
SHA1:
24f3f3be92fa94c5c91f4e1016a87dc3bee36bc0 12098 contrib/binary-amd64/Packages
91350afc9bc7f37a9fa65c7827fd0161cefc2791 4799 contrib/binary-amd64/Packages.gz
44a8bc649737cef228c1636fce540cd8e0bd9879 1493 contrib/binary-amd64/Packages
cb92cb8c8d1575e349c7b0a036cd428c1bb2be2e 664 contrib/binary-amd64/Packages.gz
a4f6bbfd6fe4ab5a01909278c4e13b05d6b06f13 179 contrib/binary-amd64/Release
ba0280a48581058691a8a392862fbf3820b841d0 12097 contrib/binary-armhf/Packages
b7d567b2b284f0734227eaa771004539525a2d90 4798 contrib/binary-armhf/Packages.gz
182817b310588626db5d70cde4f7cf153f51227f 1493 contrib/binary-armhf/Packages
82bb11445b2c40739fad0483330f954fd02d70e5 670 contrib/binary-armhf/Packages.gz
dbfc90ff9af0819e8b73429a32e4691204b11da7 179 contrib/binary-armhf/Release
6d826c8431b6b5983b654a37a34d68efa4148b8a 12097 contrib/binary-arm64/Packages
1c5ee6f104cf87055db66f368be7792d52a60094 4802 contrib/binary-arm64/Packages.gz
d5be2800fa329c667af096b9715c717296158a59 1492 contrib/binary-arm64/Packages
5e263fc169fe81663708613e5ac650ba67a27cc7 670 contrib/binary-arm64/Packages.gz
af10abab9b82b0f8be34be72d478cd7efe4e64b9 179 contrib/binary-arm64/Release
SHA256:
42614d2b5bb2bc2be526f2aac7a249a78fe9e06b6dfbf174f1b81f774e9c94d9 12098 contrib/binary-amd64/Packages
5e2f2c7f0d4e5b718e3e4429aea9e02ea1d2cda4b8e68357dddae26eae7e0df5 4799 contrib/binary-amd64/Packages.gz
9624962ee4713509b15a98e0a940b277bda2631737834b46a58d7c033e45924a 1493 contrib/binary-amd64/Packages
511c0f3415d3b7ad70f0a09d63a1e7d9bbc4b05ef5a20ccc3255b2121ecc6993 664 contrib/binary-amd64/Packages.gz
67b3f0e511499d8b794eaf1524cea47d2263a1e8e43445c60f311dbef9a50e9c 179 contrib/binary-amd64/Release
6920dfcb12fa912d057fbef51193867d02a2d52a02ac8cbd8e43346e199edf44 12097 contrib/binary-armhf/Packages
0039297dbd77d349e5acf51945cda8f284f3d1813746789c31127472ad019a6e 4798 contrib/binary-armhf/Packages.gz
6bdaf958dea865165073e34b7b5ebd42e4ad26c2df9b14bfcdc906f34b5bc2df 1493 contrib/binary-armhf/Packages
4a56ffd40c240288d1c5acd68d3238bf05c726e01e52ec0d26f4f285eddde04a 670 contrib/binary-armhf/Packages.gz
ce7a57575ec61bf1af16351e2366f7114f6ad78e035696abaaac42f80dd8f425 179 contrib/binary-armhf/Release
eee57fae348c6121d8aee97c08e437cc62471dd87103df971d368e72791b4447 12097 contrib/binary-arm64/Packages
3a77da57917309f4fce907bf2828bd2def020f210d77e18ec80c6b0d58c65475 4802 contrib/binary-arm64/Packages.gz
dd736db09149c25a8036d9a458e41c284901800c8333df94bb6e3e5569718f6f 1492 contrib/binary-arm64/Packages
21696fb8c8c88d03f04a24d302f2985e8373657f3de6d747bd76f699e1fd8cd8 670 contrib/binary-arm64/Packages.gz
86092179ad14de3750a8a527f8419920154bd761ea7367b9452abe85cfbca03d 179 contrib/binary-arm64/Release
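Review bot: the Release header (`Origin`, `Label`, `Codename`, `Date`, `Architectures`, `Components`, `Description`) carries no `Valid-Until:` field, so a client that is served this signed index long after it was generated has no way to tell that it is stale; emitting `Valid-Until` a fixed interval after `Date` from the generator bounds how long a replayed InRelease stays acceptable to apt. The digest table is otherwise consistent with the Packages hunks: each per-architecture `Packages` shrinks from 12098/12097 bytes to 1493/1492 bytes, matching the 378-line to 41-line stanza rewrite, and the unchanged `contrib/binary-*/Release` entries keep their previous digests.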

View File

@ -1,37 +1,37 @@
Origin: Unofficial Innernet Debian repository
Label: innernet-debian
Codename: jammy
Date: Sun, 30 Jul 2023 13:18:35 UTC
Date: Mon, 22 Jan 2024 14:39:31 UTC
Architectures: amd64 armhf arm64
Components: contrib
Description: APT repository for https://github.com/tonarino/innernet/.
MD5Sum:
c3fb046e579f2886ef6b3cf3e219ba05 12098 contrib/binary-amd64/Packages
e09b77d60d34ab4af3b28265d59cea19 4799 contrib/binary-amd64/Packages.gz
d0ba34ce3b6d9952f14fec62fc228396 1493 contrib/binary-amd64/Packages
45d906fa5e0acef087cecfbb88637cfb 664 contrib/binary-amd64/Packages.gz
77dc2b012f45038d5be68f81d464ee44 179 contrib/binary-amd64/Release
780524704fdb47454787362f650f63b2 12097 contrib/binary-armhf/Packages
092d4159daa0a41922473929fb72b666 4798 contrib/binary-armhf/Packages.gz
1a7d078d59f956c36cb9af24421d58b5 1493 contrib/binary-armhf/Packages
73e7d5f7a070e2a977dba83528666735 670 contrib/binary-armhf/Packages.gz
2e56331833f644fa9dad5483acc93e55 179 contrib/binary-armhf/Release
774c59f064602c6d2a571c4927700ea1 12097 contrib/binary-arm64/Packages
111c0179f59c4f065197f95058495807 4802 contrib/binary-arm64/Packages.gz
3835ac29b2e4abdbb03761a7def4ca1a 1492 contrib/binary-arm64/Packages
9a76fb55773a8927dbf5d6772883a67d 670 contrib/binary-arm64/Packages.gz
16627cd2b6e090772a75639bb48cd54d 179 contrib/binary-arm64/Release
SHA1:
24f3f3be92fa94c5c91f4e1016a87dc3bee36bc0 12098 contrib/binary-amd64/Packages
91350afc9bc7f37a9fa65c7827fd0161cefc2791 4799 contrib/binary-amd64/Packages.gz
44a8bc649737cef228c1636fce540cd8e0bd9879 1493 contrib/binary-amd64/Packages
cb92cb8c8d1575e349c7b0a036cd428c1bb2be2e 664 contrib/binary-amd64/Packages.gz
a4f6bbfd6fe4ab5a01909278c4e13b05d6b06f13 179 contrib/binary-amd64/Release
ba0280a48581058691a8a392862fbf3820b841d0 12097 contrib/binary-armhf/Packages
b7d567b2b284f0734227eaa771004539525a2d90 4798 contrib/binary-armhf/Packages.gz
182817b310588626db5d70cde4f7cf153f51227f 1493 contrib/binary-armhf/Packages
82bb11445b2c40739fad0483330f954fd02d70e5 670 contrib/binary-armhf/Packages.gz
dbfc90ff9af0819e8b73429a32e4691204b11da7 179 contrib/binary-armhf/Release
6d826c8431b6b5983b654a37a34d68efa4148b8a 12097 contrib/binary-arm64/Packages
1c5ee6f104cf87055db66f368be7792d52a60094 4802 contrib/binary-arm64/Packages.gz
d5be2800fa329c667af096b9715c717296158a59 1492 contrib/binary-arm64/Packages
5e263fc169fe81663708613e5ac650ba67a27cc7 670 contrib/binary-arm64/Packages.gz
af10abab9b82b0f8be34be72d478cd7efe4e64b9 179 contrib/binary-arm64/Release
SHA256:
42614d2b5bb2bc2be526f2aac7a249a78fe9e06b6dfbf174f1b81f774e9c94d9 12098 contrib/binary-amd64/Packages
5e2f2c7f0d4e5b718e3e4429aea9e02ea1d2cda4b8e68357dddae26eae7e0df5 4799 contrib/binary-amd64/Packages.gz
9624962ee4713509b15a98e0a940b277bda2631737834b46a58d7c033e45924a 1493 contrib/binary-amd64/Packages
511c0f3415d3b7ad70f0a09d63a1e7d9bbc4b05ef5a20ccc3255b2121ecc6993 664 contrib/binary-amd64/Packages.gz
67b3f0e511499d8b794eaf1524cea47d2263a1e8e43445c60f311dbef9a50e9c 179 contrib/binary-amd64/Release
6920dfcb12fa912d057fbef51193867d02a2d52a02ac8cbd8e43346e199edf44 12097 contrib/binary-armhf/Packages
0039297dbd77d349e5acf51945cda8f284f3d1813746789c31127472ad019a6e 4798 contrib/binary-armhf/Packages.gz
6bdaf958dea865165073e34b7b5ebd42e4ad26c2df9b14bfcdc906f34b5bc2df 1493 contrib/binary-armhf/Packages
4a56ffd40c240288d1c5acd68d3238bf05c726e01e52ec0d26f4f285eddde04a 670 contrib/binary-armhf/Packages.gz
ce7a57575ec61bf1af16351e2366f7114f6ad78e035696abaaac42f80dd8f425 179 contrib/binary-armhf/Release
eee57fae348c6121d8aee97c08e437cc62471dd87103df971d368e72791b4447 12097 contrib/binary-arm64/Packages
3a77da57917309f4fce907bf2828bd2def020f210d77e18ec80c6b0d58c65475 4802 contrib/binary-arm64/Packages.gz
dd736db09149c25a8036d9a458e41c284901800c8333df94bb6e3e5569718f6f 1492 contrib/binary-arm64/Packages
21696fb8c8c88d03f04a24d302f2985e8373657f3de6d747bd76f699e1fd8cd8 670 contrib/binary-arm64/Packages.gz
86092179ad14de3750a8a527f8419920154bd761ea7367b9452abe85cfbca03d 179 contrib/binary-arm64/Release
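Review bot: apt falls back to `Release` plus `Release.gpg` when `InRelease` is unavailable, so this unsigned copy must be exactly the payload that was signed into InRelease; the `Date` line and all three digest tables here match the InRelease hunk above, so the two index files are in sync for this release.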

View File


View File

@ -1,378 +1,41 @@
Package: innernet
Version: 1.6.0-0ubuntu0~jammy
Version: 1.6.1-0ubuntu0~jammy
Architecture: amd64
Vcs-Browser: https://github.com/tonarino/innernet
Vcs-Git: https://github.com/tonarino/innernet
Homepage: https://github.com/tonarino/innernet
Maintainer: tonari <hey@tonari.no>
Installed-Size: 3221
Depends: libgcc1, libc6, systemd
Installed-Size: 3541
Depends: libc6, libgcc1, systemd
Recommends: wireguard
Priority: optional
Section: net
Filename: pool/contrib/i/innernet/innernet_1.6.0-0ubuntu0~jammy_amd64.deb
Size: 1016428
SHA256: 34d49ed7822a4cc0075fe955de25cdcf864b476b4452cb1669aa157893a6cc7b
SHA1: 0f8b42ec0a444c2f4d1b72a83fd4f65486642203
MD5sum: 7626cc801e7ccee26418f34f52b316ec
Filename: pool/contrib/i/innernet/innernet_1.6.1-0ubuntu0~jammy_amd64.deb
Size: 1111060
SHA256: a2199bc536b90e9980fba90c5e33f7361bbc07e32074b4df5b5acaed50c98e35
SHA1: 4540848ddf75dea14a169ab711b708d05f6f7d9c
MD5sum: e697ae946563c517e14a65c2b7e10ef7
Description: A client to manage innernet network interfaces.
innernet client binary for fetching peer information and conducting admin tasks
such as adding a new peer.
Package: innernet-server
Version: 1.6.0-0ubuntu0~jammy
Version: 1.6.1-0ubuntu0~jammy
Architecture: amd64
Vcs-Browser: https://github.com/tonarino/innernet
Vcs-Git: https://github.com/tonarino/innernet
Homepage: https://github.com/tonarino/innernet
Maintainer: tonari <hey@tonari.no>
Installed-Size: 4214
Depends: zlib1g, libgcc1, libc6, libsqlite3-0, systemd
Installed-Size: 4546
Depends: libc6, zlib1g, systemd, libgcc1, libsqlite3-0
Recommends: wireguard
Source: innernet
Priority: optional
Section: net
Filename: pool/contrib/i/innernet-server/innernet-server_1.6.0-0ubuntu0~jammy_amd64.deb
Size: 1501092
SHA256: c2ff81de23dfc44a24aebe2458d6b9877f3bb0028f9f799e174010ca197f6f34
SHA1: 5f097ef49ae29ac3ac5190b0178d8a949aeea318
MD5sum: 7ad2ac098f91f4d9e14943c76ef466b9
Filename: pool/contrib/i/innernet-server/innernet-server_1.6.1-0ubuntu0~jammy_amd64.deb
Size: 1592544
SHA256: a5bf00a9e6f15db999a83f8df764ba4b053eb9984e8885bac5c186c2d1be1e78
SHA1: fac0cb56bfb0b6b26a84ce7748ff8855184de188
MD5sum: 56646c8d746af8b1a15e44182861f981
Description: A server to coordinate innernet networks.
# innernet
.
[![Actively
Maintained](https://img.shields.io/badge/Maintenance%20Level-Actively%20Maintained-green.svg)](https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d)
[![MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/tonarino/innernet/blob/master/LICENSE)
.
A private network system that uses [WireGuard](https://wireguard.com) under the
hood. See the [announcement blog
post](https://blog.tonari.no/introducing-innernet) for a longer-winded
explanation.
.
<img
src="https://user-images.githubusercontent.com/373823/118917068-09ae7700-b96b-11eb-80f4-6860072d504d.gif"
width="600" height="370">
.
`innernet` is similar in its goals to Slack's
[nebula](https://github.com/slackhq/nebula) or
[Tailscale](https://tailscale.com/), but takes a bit of a different approach.
It aims to take advantage of existing networking concepts like CIDRs and the
security properties of WireGuard to turn your computer's basic IP networking
into more powerful ACL primitives.
.
`innernet` is not an official WireGuard project, and WireGuard is a registered
trademark of Jason A. Donenfeld.
.
This has not received an independent security audit, and should be considered
experimental software at this early point in its lifetime.
.
## Usage
.
### Server Creation
.
Every `innernet` network needs a coordination server to manage peers and
provide endpoint information so peers can directly connect to each other.
Create a new one with
.
```sh
sudo innernet-server new
```
.
The init wizard will ask you questions about your network and give you some
reasonable defaults. It's good to familiarize yourself with [network
CIDRs](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) as a lot
of innernet's access control is based upon them. As an example, let's say the
root CIDR for this network is `10.60.0.0/16`. Server initialization creates a
special "infra" CIDR which contains the `innernet` server itself and is
reachable from all CIDRs on the network.
.
Next we'll also create a `humans` CIDR where we can start adding some peers.
.
```sh
sudo innernet-server add-cidr <interface>
```
.
For the parent CIDR, you can simply choose your network's root CIDR. The name
will be `humans`, and the CIDR will be `10.60.64.0/24` (not a great example
unless you only want to support 256 humans, but it works for now...).
.
By default, peers which exist in this new CIDR will only be able to contact
peers in the same CIDR, and the special "infra" CIDR which was created when the
server was initialized.
.
A typical workflow for creating a new network is to create an admin peer from
the `innernet-server` CLI, and then continue using that admin peer via the
`innernet` client CLI to add any further peers or network CIDRs.
.
```sh
sudo innernet-server add-peer <interface>
```
.
Select the `humans` CIDR, and the CLI will automatically suggest the next
available IP address. Any name is fine, just answer "yes" when asked if you
would like to make the peer an admin. The process of adding a peer results in
an invitation file. This file contains just enough information for the new peer
to contact the `innernet` server and redeem its invitation. It should be
transferred securely to the new peer, and it can only be used once to
initialize the peer.
.
You can run the server with `innernet-server serve <interface>`, or if you're
on Linux and want to run it via `systemctl`, run `systemctl enable --now
innernet-server@<interface>`. If you're on a home network, don't forget to
configure port forwarding to the `Listen Port` you specified when creating the
`innernet` server.
.
### Peer Initialization
.
Let's assume the invitation file generated in the steps above have been
transferred to the machine a network admin will be using.
.
You can initialize the client with
.
```sh
sudo innernet install /path/to/invitation.toml
```
.
You can customize the network name if you want to, or leave it at the default.
`innernet` will then connect to the `innernet` server via WireGuard, generate a
new key pair, and register that pair with the server. The private key in the
invitation file can no longer be used.
.
If everything was successful, the new peer is on the network. You can run
things like
.
```sh
sudo innernet list
```
.
or
.
```sh
sudo innernet list --tree
```
.
to view the current network and all CIDRs visible to this peer.
.
Since we created an admin peer, we can also add new peers and CIDRs from this
peer via `innernet` instead of having to always run commands on the server.
.
### Adding Associations between CIDRs
.
In order for peers from one CIDR to be able to contact peers in another CIDR,
those two CIDRs must be "associated" with each other.
.
With the admin peer we created above, let's add a new CIDR for some theoretical
CI servers we have.
.
```sh
sudo innernet add-cidr <interface>
```
.
The name is `ci-servers` and the CIDR is `10.60.64.0/24`, but for this example
it can be anything.
.
For now, we want peers in the `humans` CIDR to be able to access peers in the
`ci-servers` CIDR.
.
```sh
sudo innernet add-association <interface>
```
.
The CLI will ask you to select the two CIDRs you want to associate. That's all
it takes to allow peers in two different CIDRs to communicate!
.
You can verify the association with
.
```sh
sudo innernet list-associations <interface>
```
.
and associations can be deleted with
.
```sh
sudo innernet delete-associations <interface>
```
.
### Enabling/Disabling Peers
.
For security reasons, IP addresses cannot be re-used by new peers, and
therefore peers cannot be deleted. However, they can be disabled. Disabled
peers will not show up in the list of peers when fetching the config for an
interface.
.
Disable a peer with
.
```su
sudo innernet disable-peer <interface>
```
.
Or re-enable a peer with
.
```su
sudo innernet enable-peer <interface>
```
.
### Specifying a Manual Endpoint
.
The `innernet` server will try to use the internet endpoint it sees from a peer
so other peers can connect to that peer as well. This doesn't always work and
you may want to set an endpoint explicitly. To set an endpoint, use
.
```sh
sudo innernet override-endpoint <interface>
```
.
You can go back to automatic endpoint discovery with
.
```sh
sudo innernet override-endpoint -u <interface>
```
.
### Setting the Local WireGuard Listen Port
.
If you want to change the port which WireGuard listens on, use
.
```sh
sudo innernet set-listen-port <interface>
```
.
or unset the port and use a randomized port with
.
```sh
sudo innernet set-listen-port -u <interface>
```
.
### Remove Network
.
To permanently uninstall a created network, use
.
```sh
sudo innernet-server uninstall <interface>
```
.
Use with care!
.
## Security recommendations
.
If you're running a service on innernet, there are some important security
considerations.
.
### Enable strict Reverse Path Filtering ([RFC
3704](https://tools.ietf.org/html/rfc3704))
.
Strict RPF prevents packets from _other_ interfaces from having internal source
IP addresses. This is _not_ the default on Linux, even though it is the right
choice for 99.99% of situations. You can enable it by adding the following to a
`/etc/sysctl.d/60-network-security.conf`:
.
```
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
```
.
### Bind to the WireGuard device
.
If possible, to _ensure_ that packets are only ever transmitted over the
WireGuard interface, it's recommended that you use `SO_BINDTODEVICE` on Linux
or `IP_BOUND_IF` on macOS/BSDs. If you have strict reverse path filtering,
though, this is less of a concern.
.
### IP addresses alone often aren't enough authentication
.
Even following all the above precautions, rogue applications on a peer's
machines could be able to make requests on their behalf unless you add extra
layers of authentication to mitigate this CSRF-type vector.
.
It's recommended that you carefully consider this possibility before deciding
that the source IP is sufficient for your authentication needs on a service.
.
## Installation
.
innernet has only officially been tested on Linux and MacOS, but we hope to
support as many platforms as is feasible!
.
### Runtime Dependencies
.
It's assumed that WireGuard is installed on your system, either via the kernel
module in Linux 5.6 and later, or via the
[`wireguard-go`](https://git.zx2c4.com/wireguard-go/about/) userspace
implementation.
.
[WireGuard Installation Instructions](https://www.wireguard.com/install/)
.
### Arch Linux
.
```sh
pacman -S innernet
```
.
### Debian and Ubuntu
.
[**@tommie**](https://github.com/tommie) is kindly providing Debian/Ubuntu
innernet builds in the https://github.com/tommie/innernet-debian repository.
.
### Other Linux Distributions
.
We're looking for volunteers who are able to set up external builds for popular
distributions. Please see issue
[#203](https://github.com/tonarino/innernet/issues/203).
.
### macOS
.
```sh
brew install tonarino/innernet/innernet
```
.
### Cargo
.
```sh
# to install innernet:
cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 client
.
# to install innernet-server:
cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 server
```
.
Note that you'll be responsible for updating manually.
.
## Development
.
### `innernet-server` Build dependencies
.
- `rustc` / `cargo` (version 1.50.0 or higher)
- `libclang` (see more info at
[https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
- `libsqlite3`
.
Build:
.
```sh
cargo build --release --bin innernet-server
```
.
The resulting binary will be located at `./target/release/innernet-server`
.
### `innernet` Client CLI Build dependencies
.
- `rustc` / `cargo` (version 1.50.0 or higher)
- `libclang` (see more info at
[https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
.
Build:
.
```sh
cargo build --release --bin innernet
```
.
The resulting binary will be located at `./target/release/innernet`
.
### Releases
.
Please run the release script from a Linux machine: generated shell completions
depend on available wireguard backends and Mac doesn't support the `kernel`
backend.
.
1. Fetch and check-out the `main` branch.
2. Run `./release.sh [patch|major|minor|rc]`
3. Push the `main` branch and the created tag to the repo.
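Review bot: Dropping the full README from the extended description is the right call, but look at what the removed text was carrying: the Cargo section pinned `cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 client`, which a 1.6.1 package description would have shipped stale, and the disable-peer/enable-peer blocks use a `su` fence tag where `sh` is clearly meant. Since only the tail of this hunk is visible here, confirm that the new stanza still carries a short extended description (one indented paragraph) rather than ending at the synopsis line.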

View File

@ -1,378 +1,41 @@
Package: innernet
Version: 1.6.0-0ubuntu0~jammy
Version: 1.6.1-0ubuntu0~jammy
Architecture: arm64
Vcs-Browser: https://github.com/tonarino/innernet
Vcs-Git: https://github.com/tonarino/innernet
Homepage: https://github.com/tonarino/innernet
Maintainer: tonari <hey@tonari.no>
Installed-Size: 2841
Installed-Size: 3097
Depends: systemd, libc6, libgcc1
Recommends: wireguard
Priority: optional
Section: net
Filename: pool/contrib/i/innernet/innernet_1.6.0-0ubuntu0~jammy_arm64.deb
Size: 902852
SHA256: 7bf0f695bc867bb7f6747053a9eab859452a518515f27b0d1e39b266b0e415f5
SHA1: 1ac7265a5385e190f2ae1df9b08e257ec55aa2fe
MD5sum: db11e7151b7f8c2f8b77709612a89a60
Filename: pool/contrib/i/innernet/innernet_1.6.1-0ubuntu0~jammy_arm64.deb
Size: 995220
SHA256: 87a58cb3d42255ea03511295fac164ffe0a2b4cf62e68a5d4b508667d05a1ad2
SHA1: d037fd9e29ec53b131e475c05c662f19f796b442
MD5sum: 34fb83b980a495a5297ed31e50d915d3
Description: A client to manage innernet network interfaces.
innernet client binary for fetching peer information and conducting admin tasks
such as adding a new peer.
Package: innernet-server
Version: 1.6.0-0ubuntu0~jammy
Version: 1.6.1-0ubuntu0~jammy
Architecture: arm64
Vcs-Browser: https://github.com/tonarino/innernet
Vcs-Git: https://github.com/tonarino/innernet
Homepage: https://github.com/tonarino/innernet
Maintainer: tonari <hey@tonari.no>
Installed-Size: 3894
Depends: zlib1g, libsqlite3-0, libc6, libgcc1, systemd
Installed-Size: 4170
Depends: libc6, libgcc1, zlib1g, libsqlite3-0, systemd
Recommends: wireguard
Source: innernet
Priority: optional
Section: net
Filename: pool/contrib/i/innernet-server/innernet-server_1.6.0-0ubuntu0~jammy_arm64.deb
Size: 1354844
SHA256: f04eb9854c2105b3e21304377a3a9667405151d576f7bb5a9c4965123b76d221
SHA1: 06bb485cdafafcc6b82e36a65f601ecc628f6fca
MD5sum: 17b01c31ad740f3d20fcad896eeb67e9
Filename: pool/contrib/i/innernet-server/innernet-server_1.6.1-0ubuntu0~jammy_arm64.deb
Size: 1445556
SHA256: 9027eb9c0fa3f76f29c4b1ecf766544e464271d0b2c1b3be01e72130325b0b74
SHA1: f14527054ba19e9cafe77333d11a6b5f53db3a30
MD5sum: b42eb200e43ccb9fbe1f9b70af7f51a8
Description: A server to coordinate innernet networks.
# innernet
.
[![Actively
Maintained](https://img.shields.io/badge/Maintenance%20Level-Actively%20Maintained-green.svg)](https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d)
[![MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/tonarino/innernet/blob/master/LICENSE)
.
A private network system that uses [WireGuard](https://wireguard.com) under the
hood. See the [announcement blog
post](https://blog.tonari.no/introducing-innernet) for a longer-winded
explanation.
.
<img
src="https://user-images.githubusercontent.com/373823/118917068-09ae7700-b96b-11eb-80f4-6860072d504d.gif"
width="600" height="370">
.
`innernet` is similar in its goals to Slack's
[nebula](https://github.com/slackhq/nebula) or
[Tailscale](https://tailscale.com/), but takes a bit of a different approach.
It aims to take advantage of existing networking concepts like CIDRs and the
security properties of WireGuard to turn your computer's basic IP networking
into more powerful ACL primitives.
.
`innernet` is not an official WireGuard project, and WireGuard is a registered
trademark of Jason A. Donenfeld.
.
This has not received an independent security audit, and should be considered
experimental software at this early point in its lifetime.
.
## Usage
.
### Server Creation
.
Every `innernet` network needs a coordination server to manage peers and
provide endpoint information so peers can directly connect to each other.
Create a new one with
.
```sh
sudo innernet-server new
```
.
The init wizard will ask you questions about your network and give you some
reasonable defaults. It's good to familiarize yourself with [network
CIDRs](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) as a lot
of innernet's access control is based upon them. As an example, let's say the
root CIDR for this network is `10.60.0.0/16`. Server initialization creates a
special "infra" CIDR which contains the `innernet` server itself and is
reachable from all CIDRs on the network.
.
Next we'll also create a `humans` CIDR where we can start adding some peers.
.
```sh
sudo innernet-server add-cidr <interface>
```
.
For the parent CIDR, you can simply choose your network's root CIDR. The name
will be `humans`, and the CIDR will be `10.60.64.0/24` (not a great example
unless you only want to support 256 humans, but it works for now...).
.
By default, peers which exist in this new CIDR will only be able to contact
peers in the same CIDR, and the special "infra" CIDR which was created when the
server was initialized.
.
A typical workflow for creating a new network is to create an admin peer from
the `innernet-server` CLI, and then continue using that admin peer via the
`innernet` client CLI to add any further peers or network CIDRs.
.
```sh
sudo innernet-server add-peer <interface>
```
.
Select the `humans` CIDR, and the CLI will automatically suggest the next
available IP address. Any name is fine, just answer "yes" when asked if you
would like to make the peer an admin. The process of adding a peer results in
an invitation file. This file contains just enough information for the new peer
to contact the `innernet` server and redeem its invitation. It should be
transferred securely to the new peer, and it can only be used once to
initialize the peer.
.
You can run the server with `innernet-server serve <interface>`, or if you're
on Linux and want to run it via `systemctl`, run `systemctl enable --now
innernet-server@<interface>`. If you're on a home network, don't forget to
configure port forwarding to the `Listen Port` you specified when creating the
`innernet` server.
.
### Peer Initialization
.
Let's assume the invitation file generated in the steps above have been
transferred to the machine a network admin will be using.
.
You can initialize the client with
.
```sh
sudo innernet install /path/to/invitation.toml
```
.
You can customize the network name if you want to, or leave it at the default.
`innernet` will then connect to the `innernet` server via WireGuard, generate a
new key pair, and register that pair with the server. The private key in the
invitation file can no longer be used.
.
If everything was successful, the new peer is on the network. You can run
things like
.
```sh
sudo innernet list
```
.
or
.
```sh
sudo innernet list --tree
```
.
to view the current network and all CIDRs visible to this peer.
.
Since we created an admin peer, we can also add new peers and CIDRs from this
peer via `innernet` instead of having to always run commands on the server.
.
### Adding Associations between CIDRs
.
In order for peers from one CIDR to be able to contact peers in another CIDR,
those two CIDRs must be "associated" with each other.
.
With the admin peer we created above, let's add a new CIDR for some theoretical
CI servers we have.
.
```sh
sudo innernet add-cidr <interface>
```
.
The name is `ci-servers` and the CIDR is `10.60.64.0/24`, but for this example
it can be anything.
.
For now, we want peers in the `humans` CIDR to be able to access peers in the
`ci-servers` CIDR.
.
```sh
sudo innernet add-association <interface>
```
.
The CLI will ask you to select the two CIDRs you want to associate. That's all
it takes to allow peers in two different CIDRs to communicate!
.
You can verify the association with
.
```sh
sudo innernet list-associations <interface>
```
.
and associations can be deleted with
.
```sh
sudo innernet delete-associations <interface>
```
.
### Enabling/Disabling Peers
.
For security reasons, IP addresses cannot be re-used by new peers, and
therefore peers cannot be deleted. However, they can be disabled. Disabled
peers will not show up in the list of peers when fetching the config for an
interface.
.
Disable a peer with
.
```su
sudo innernet disable-peer <interface>
```
.
Or re-enable a peer with
.
```su
sudo innernet enable-peer <interface>
```
.
### Specifying a Manual Endpoint
.
The `innernet` server will try to use the internet endpoint it sees from a peer
so other peers can connect to that peer as well. This doesn't always work and
you may want to set an endpoint explicitly. To set an endpoint, use
.
```sh
sudo innernet override-endpoint <interface>
```
.
You can go back to automatic endpoint discovery with
.
```sh
sudo innernet override-endpoint -u <interface>
```
.
### Setting the Local WireGuard Listen Port
.
If you want to change the port which WireGuard listens on, use
.
```sh
sudo innernet set-listen-port <interface>
```
.
or unset the port and use a randomized port with
.
```sh
sudo innernet set-listen-port -u <interface>
```
.
### Remove Network
.
To permanently uninstall a created network, use
.
```sh
sudo innernet-server uninstall <interface>
```
.
Use with care!
.
## Security recommendations
.
If you're running a service on innernet, there are some important security
considerations.
.
### Enable strict Reverse Path Filtering ([RFC
3704](https://tools.ietf.org/html/rfc3704))
.
Strict RPF prevents packets from _other_ interfaces from having internal source
IP addresses. This is _not_ the default on Linux, even though it is the right
choice for 99.99% of situations. You can enable it by adding the following to a
`/etc/sysctl.d/60-network-security.conf`:
.
```
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
```
.
### Bind to the WireGuard device
.
If possible, to _ensure_ that packets are only ever transmitted over the
WireGuard interface, it's recommended that you use `SO_BINDTODEVICE` on Linux
or `IP_BOUND_IF` on macOS/BSDs. If you have strict reverse path filtering,
though, this is less of a concern.
.
### IP addresses alone often aren't enough authentication
.
Even following all the above precautions, rogue applications on a peer's
machines could be able to make requests on their behalf unless you add extra
layers of authentication to mitigate this CSRF-type vector.
.
It's recommended that you carefully consider this possibility before deciding
that the source IP is sufficient for your authentication needs on a service.
.
## Installation
.
innernet has only officially been tested on Linux and MacOS, but we hope to
support as many platforms as is feasible!
.
### Runtime Dependencies
.
It's assumed that WireGuard is installed on your system, either via the kernel
module in Linux 5.6 and later, or via the
[`wireguard-go`](https://git.zx2c4.com/wireguard-go/about/) userspace
implementation.
.
[WireGuard Installation Instructions](https://www.wireguard.com/install/)
.
### Arch Linux
.
```sh
pacman -S innernet
```
.
### Debian and Ubuntu
.
[**@tommie**](https://github.com/tommie) is kindly providing Debian/Ubuntu
innernet builds in the https://github.com/tommie/innernet-debian repository.
.
### Other Linux Distributions
.
We're looking for volunteers who are able to set up external builds for popular
distributions. Please see issue
[#203](https://github.com/tonarino/innernet/issues/203).
.
### macOS
.
```sh
brew install tonarino/innernet/innernet
```
.
### Cargo
.
```sh
# to install innernet:
cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 client
.
# to install innernet-server:
cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 server
```
.
Note that you'll be responsible for updating manually.
.
## Development
.
### `innernet-server` Build dependencies
.
- `rustc` / `cargo` (version 1.50.0 or higher)
- `libclang` (see more info at
[https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
- `libsqlite3`
.
Build:
.
```sh
cargo build --release --bin innernet-server
```
.
The resulting binary will be located at `./target/release/innernet-server`
.
### `innernet` Client CLI Build dependencies
.
- `rustc` / `cargo` (version 1.50.0 or higher)
- `libclang` (see more info at
[https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
.
Build:
.
```sh
cargo build --release --bin innernet
```
.
The resulting binary will be located at `./target/release/innernet`
.
### Releases
.
Please run the release script from a Linux machine: generated shell completions
depend on available wireguard backends and Mac doesn't support the `kernel`
backend.
.
1. Fetch and check-out the `main` branch.
2. Run `./release.sh [patch|major|minor|rc]`
3. Push the `main` branch and the created tag to the repo.
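Review bot: The new `innernet-server` stanza ends at `Description: A server to coordinate innernet networks.` with no extended description, while the `innernet` stanza keeps its two-line extended description; add a one-paragraph extended description for the server as well so the two packages are consistent. Separately, `Depends:` changes from `zlib1g, libsqlite3-0, libc6, libgcc1, systemd` to `libc6, libgcc1, zlib1g, libsqlite3-0, systemd` without any dependency being added or removed, which means the packaging step emits the list in an unstable order; sort it so that future diffs only show real dependency changes.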

View File

@ -1,378 +1,41 @@
Package: innernet
Version: 1.6.0-0ubuntu0~jammy
Version: 1.6.1-0ubuntu0~jammy
Architecture: armhf
Vcs-Browser: https://github.com/tonarino/innernet
Vcs-Git: https://github.com/tonarino/innernet
Homepage: https://github.com/tonarino/innernet
Maintainer: tonari <hey@tonari.no>
Installed-Size: 2684
Depends: systemd, libc6, libgcc1
Installed-Size: 2960
Depends: libc6, libgcc1, systemd
Recommends: wireguard
Priority: optional
Section: net
Filename: pool/contrib/i/innernet/innernet_1.6.0-0ubuntu0~jammy_armhf.deb
Size: 916336
SHA256: 47221ab713613019c4d0f7a8003cb705378ce24336960ddf363a1336bb2522a7
SHA1: affc688405f58e5d652a5b7ea1436fbe87fc4b6c
MD5sum: dc3f5ad622a48fa819ed58b9529a9e2e
Filename: pool/contrib/i/innernet/innernet_1.6.1-0ubuntu0~jammy_armhf.deb
Size: 1004904
SHA256: b7d3c0f0fa9434decce55c25c9610d88c7b01dd94544473d3d7a2c4879de0c38
SHA1: ea7adbb70f4609c4cca74d16463eab41d7d35197
MD5sum: 093b407dcb6bb76b3693093ded9fa557
Description: A client to manage innernet network interfaces.
innernet client binary for fetching peer information and conducting admin tasks
such as adding a new peer.
Package: innernet-server
Version: 1.6.0-0ubuntu0~jammy
Version: 1.6.1-0ubuntu0~jammy
Architecture: armhf
Vcs-Browser: https://github.com/tonarino/innernet
Vcs-Git: https://github.com/tonarino/innernet
Homepage: https://github.com/tonarino/innernet
Maintainer: tonari <hey@tonari.no>
Installed-Size: 3339
Depends: libc6, zlib1g, libgcc1, systemd, libsqlite3-0
Installed-Size: 3627
Depends: zlib1g, systemd, libc6, libgcc1, libsqlite3-0
Recommends: wireguard
Source: innernet
Priority: optional
Section: net
Filename: pool/contrib/i/innernet-server/innernet-server_1.6.0-0ubuntu0~jammy_armhf.deb
Size: 1340692
SHA256: 09dcc6fe8a55c2889e29a052c39b75075e9a9b2646a3e93325380d3da2534c4e
SHA1: ae4de2b7fab124b4e07b1a16aee328dd60b8fc3c
MD5sum: dbc69bb8a2a2403c2bc7dab402ee04e0
Filename: pool/contrib/i/innernet-server/innernet-server_1.6.1-0ubuntu0~jammy_armhf.deb
Size: 1428660
SHA256: 016cc3d353e7097984f160ac87aad4707c61258c662e1b1f6dc6d6d87a3d804a
SHA1: d83d133e16ef4e08a581958a4e4290b63604c23f
MD5sum: 7dafa4b1d8251023196fab6223cae096
Description: A server to coordinate innernet networks.
# innernet
.
[![Actively
Maintained](https://img.shields.io/badge/Maintenance%20Level-Actively%20Maintained-green.svg)](https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d)
[![MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/tonarino/innernet/blob/master/LICENSE)
.
A private network system that uses [WireGuard](https://wireguard.com) under the
hood. See the [announcement blog
post](https://blog.tonari.no/introducing-innernet) for a longer-winded
explanation.
.
<img
src="https://user-images.githubusercontent.com/373823/118917068-09ae7700-b96b-11eb-80f4-6860072d504d.gif"
width="600" height="370">
.
`innernet` is similar in its goals to Slack's
[nebula](https://github.com/slackhq/nebula) or
[Tailscale](https://tailscale.com/), but takes a bit of a different approach.
It aims to take advantage of existing networking concepts like CIDRs and the
security properties of WireGuard to turn your computer's basic IP networking
into more powerful ACL primitives.
.
`innernet` is not an official WireGuard project, and WireGuard is a registered
trademark of Jason A. Donenfeld.
.
This has not received an independent security audit, and should be considered
experimental software at this early point in its lifetime.
.
## Usage
.
### Server Creation
.
Every `innernet` network needs a coordination server to manage peers and
provide endpoint information so peers can directly connect to each other.
Create a new one with
.
```sh
sudo innernet-server new
```
.
The init wizard will ask you questions about your network and give you some
reasonable defaults. It's good to familiarize yourself with [network
CIDRs](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) as a lot
of innernet's access control is based upon them. As an example, let's say the
root CIDR for this network is `10.60.0.0/16`. Server initialization creates a
special "infra" CIDR which contains the `innernet` server itself and is
reachable from all CIDRs on the network.
.
Next we'll also create a `humans` CIDR where we can start adding some peers.
.
```sh
sudo innernet-server add-cidr <interface>
```
.
For the parent CIDR, you can simply choose your network's root CIDR. The name
will be `humans`, and the CIDR will be `10.60.64.0/24` (not a great example
unless you only want to support 256 humans, but it works for now...).
.
By default, peers which exist in this new CIDR will only be able to contact
peers in the same CIDR, and the special "infra" CIDR which was created when the
server was initialized.
.
A typical workflow for creating a new network is to create an admin peer from
the `innernet-server` CLI, and then continue using that admin peer via the
`innernet` client CLI to add any further peers or network CIDRs.
.
```sh
sudo innernet-server add-peer <interface>
```
.
Select the `humans` CIDR, and the CLI will automatically suggest the next
available IP address. Any name is fine, just answer "yes" when asked if you
would like to make the peer an admin. The process of adding a peer results in
an invitation file. This file contains just enough information for the new peer
to contact the `innernet` server and redeem its invitation. It should be
transferred securely to the new peer, and it can only be used once to
initialize the peer.
.
You can run the server with `innernet-server serve <interface>`, or if you're
on Linux and want to run it via `systemctl`, run `systemctl enable --now
innernet-server@<interface>`. If you're on a home network, don't forget to
configure port forwarding to the `Listen Port` you specified when creating the
`innernet` server.
.
### Peer Initialization
.
Let's assume the invitation file generated in the steps above have been
transferred to the machine a network admin will be using.
.
You can initialize the client with
.
```sh
sudo innernet install /path/to/invitation.toml
```
.
You can customize the network name if you want to, or leave it at the default.
`innernet` will then connect to the `innernet` server via WireGuard, generate a
new key pair, and register that pair with the server. The private key in the
invitation file can no longer be used.
.
If everything was successful, the new peer is on the network. You can run
things like
.
```sh
sudo innernet list
```
.
or
.
```sh
sudo innernet list --tree
```
.
to view the current network and all CIDRs visible to this peer.
.
Since we created an admin peer, we can also add new peers and CIDRs from this
peer via `innernet` instead of having to always run commands on the server.
.
### Adding Associations between CIDRs
.
In order for peers from one CIDR to be able to contact peers in another CIDR,
those two CIDRs must be "associated" with each other.
.
With the admin peer we created above, let's add a new CIDR for some theoretical
CI servers we have.
.
```sh
sudo innernet add-cidr <interface>
```
.
The name is `ci-servers` and the CIDR is `10.60.64.0/24`, but for this example
it can be anything.
.
For now, we want peers in the `humans` CIDR to be able to access peers in the
`ci-servers` CIDR.
.
```sh
sudo innernet add-association <interface>
```
.
The CLI will ask you to select the two CIDRs you want to associate. That's all
it takes to allow peers in two different CIDRs to communicate!
.
You can verify the association with
.
```sh
sudo innernet list-associations <interface>
```
.
and associations can be deleted with
.
```sh
sudo innernet delete-associations <interface>
```
.
### Enabling/Disabling Peers
.
For security reasons, IP addresses cannot be re-used by new peers, and
therefore peers cannot be deleted. However, they can be disabled. Disabled
peers will not show up in the list of peers when fetching the config for an
interface.
.
Disable a peer with
.
```su
sudo innernet disable-peer <interface>
```
.
Or re-enable a peer with
.
```su
sudo innernet enable-peer <interface>
```
.
### Specifying a Manual Endpoint
.
The `innernet` server will try to use the internet endpoint it sees from a peer
so other peers can connect to that peer as well. This doesn't always work and
you may want to set an endpoint explicitly. To set an endpoint, use
.
```sh
sudo innernet override-endpoint <interface>
```
.
You can go back to automatic endpoint discovery with
.
```sh
sudo innernet override-endpoint -u <interface>
```
.
### Setting the Local WireGuard Listen Port
.
If you want to change the port which WireGuard listens on, use
.
```sh
sudo innernet set-listen-port <interface>
```
.
or unset the port and use a randomized port with
.
```sh
sudo innernet set-listen-port -u <interface>
```
.
### Remove Network
.
To permanently uninstall a created network, use
.
```sh
sudo innernet-server uninstall <interface>
```
.
Use with care!
.
## Security recommendations
.
If you're running a service on innernet, there are some important security
considerations.
.
### Enable strict Reverse Path Filtering ([RFC
3704](https://tools.ietf.org/html/rfc3704))
.
Strict RPF prevents packets from _other_ interfaces from having internal source
IP addresses. This is _not_ the default on Linux, even though it is the right
choice for 99.99% of situations. You can enable it by adding the following to a
`/etc/sysctl.d/60-network-security.conf`:
.
```
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
```
.
### Bind to the WireGuard device
.
If possible, to _ensure_ that packets are only ever transmitted over the
WireGuard interface, it's recommended that you use `SO_BINDTODEVICE` on Linux
or `IP_BOUND_IF` on macOS/BSDs. If you have strict reverse path filtering,
though, this is less of a concern.
.
### IP addresses alone often aren't enough authentication
.
Even following all the above precautions, rogue applications on a peer's
machines could be able to make requests on their behalf unless you add extra
layers of authentication to mitigate this CSRF-type vector.
.
It's recommended that you carefully consider this possibility before deciding
that the source IP is sufficient for your authentication needs on a service.
.
## Installation
.
innernet has only officially been tested on Linux and MacOS, but we hope to
support as many platforms as is feasible!
.
### Runtime Dependencies
.
It's assumed that WireGuard is installed on your system, either via the kernel
module in Linux 5.6 and later, or via the
[`wireguard-go`](https://git.zx2c4.com/wireguard-go/about/) userspace
implementation.
.
[WireGuard Installation Instructions](https://www.wireguard.com/install/)
.
### Arch Linux
.
```sh
pacman -S innernet
```
.
### Debian and Ubuntu
.
[**@tommie**](https://github.com/tommie) is kindly providing Debian/Ubuntu
innernet builds in the https://github.com/tommie/innernet-debian repository.
.
### Other Linux Distributions
.
We're looking for volunteers who are able to set up external builds for popular
distributions. Please see issue
[#203](https://github.com/tonarino/innernet/issues/203).
.
### macOS
.
```sh
brew install tonarino/innernet/innernet
```
.
### Cargo
.
```sh
# to install innernet:
cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 client
.
# to install innernet-server:
cargo install --git https://github.com/tonarino/innernet --tag v1.6.0 server
```
.
Note that you'll be responsible for updating manually.
.
## Development
.
### `innernet-server` Build dependencies
.
- `rustc` / `cargo` (version 1.50.0 or higher)
- `libclang` (see more info at
[https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
- `libsqlite3`
.
Build:
.
```sh
cargo build --release --bin innernet-server
```
.
The resulting binary will be located at `./target/release/innernet-server`
.
### `innernet` Client CLI Build dependencies
.
- `rustc` / `cargo` (version 1.50.0 or higher)
- `libclang` (see more info at
[https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys))
.
Build:
.
```sh
cargo build --release --bin innernet
```
.
The resulting binary will be located at `./target/release/innernet`
.
### Releases
.
Please run the release script from a Linux machine: generated shell completions
depend on available wireguard backends and Mac doesn't support the `kernel`
backend.
.
1. Fetch and check-out the `main` branch.
2. Run `./release.sh [patch|major|minor|rc]`
3. Push the `main` branch and the created tag to the repo.
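Review bot: Both stanzas in this armhf hunk reorder `Depends:` without changing its contents (`systemd, libc6, libgcc1` becomes `libc6, libgcc1, systemd` for `innernet`, and the server list is shuffled the same way), so the dependency list should be emitted sorted to keep these diffs reviewable. As with arm64, the `innernet-server` stanza now ends at its synopsis line with no extended description while `innernet` keeps one; the same one-paragraph extended description would fix both architectures.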