diff --git a/debian/db/checksums.db b/debian/db/checksums.db
index c9f3708..6874e56 100644
Binary files a/debian/db/checksums.db and b/debian/db/checksums.db differ
diff --git a/debian/db/packages.db b/debian/db/packages.db
index 4086a1e..349826f 100644
Binary files a/debian/db/packages.db and b/debian/db/packages.db differ
diff --git a/debian/db/references.db b/debian/db/references.db
index 8edcfc5..ecce26b 100644
Binary files a/debian/db/references.db and b/debian/db/references.db differ
diff --git a/debian/db/release.caches.db b/debian/db/release.caches.db
index 3eef664..8f93b8d 100644
Binary files a/debian/db/release.caches.db and b/debian/db/release.caches.db differ
diff --git a/debian/dists/focal/InRelease b/debian/dists/focal/InRelease
index 074ba29..6cba0f6 100644
--- a/debian/dists/focal/InRelease
+++ b/debian/dists/focal/InRelease
@@ -1,36 +1,36 @@ -----BEGIN PGP SIGNED MESSAGE----- -Hash: SHA512 +Hash: SHA256 Origin: Unofficial Innernet Debian repository Label: innernet-debian Codename: focal -Date: Fri, 12 May 2023 08:20:16 UTC +Date: Fri, 12 May 2023 14:56:39 UTC Architectures: amd64 Components: contrib Description: APT repository for https://github.com/tonarino/innernet/. MD5Sum: - f6d27f7a8871bdebe4280c9c3ebc71d4 11445 contrib/binary-amd64/Packages - 22549a47e28a28b12a2baa1da439285e 4570 contrib/binary-amd64/Packages.gz + d41d8cd98f00b204e9800998ecf8427e 0 contrib/binary-amd64/Packages + 7029066c27ac6f5ef18d660d5741979a 20 contrib/binary-amd64/Packages.gz 77dc2b012f45038d5be68f81d464ee44 179 contrib/binary-amd64/Release SHA1: - e3facde4370461820390d32d5f4fea9959ee883c 11445 contrib/binary-amd64/Packages - 395685ad6722e2ecd8321710289cc69599b2baea 4570 contrib/binary-amd64/Packages.gz + da39a3ee5e6b4b0d3255bfef95601890afd80709 0 contrib/binary-amd64/Packages + 46c6643f07aa7f6bfe7118de926b86defc5087c4 20 contrib/binary-amd64/Packages.gz a4f6bbfd6fe4ab5a01909278c4e13b05d6b06f13 179 contrib/binary-amd64/Release SHA256: - f76c4cec4b313891b8311ee611dc0e329dcb825ab87900b1d1d665061a54f030 11445 contrib/binary-amd64/Packages - 1c068e26dd5f42fb95fb3def07e810fb11381f92c8cf59fc35751c3c0c1ab378 4570 contrib/binary-amd64/Packages.gz + e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 contrib/binary-amd64/Packages + 59869db34853933b239f1e2219cf7d431da006aa919635478511fabbfc8849d2 20 contrib/binary-amd64/Packages.gz 67b3f0e511499d8b794eaf1524cea47d2263a1e8e43445c60f311dbef9a50e9c 179 contrib/binary-amd64/Release -----BEGIN PGP SIGNATURE----- -iQGzBAEBCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmRd9sEACgkQZYKNdDzu -i2n8kwv+NbBk8JtOc+12F1slV4Wh2PiBfI7xp6O4aDUBmLoNbl0jr8VoyYVVGusN -rI049w1/1LbD3aJiaza4xKx77xCudN/ZgvnwfmzDcXVrRifBTfOI4WWBzr7SIi+c -qz7fFYNro7OhNCcxqnzAHJWmvm5Ks3+EoBWFCCIoat+dXL7fGFNzRtc5h3Yq3Z+D -1MR5rIs10TnslwyuQSFGkWH8ODAtiHw7VgKkerxj5IbjWodWo5JCEmzoXd0xF2g3 
-1USRoxruqpm24E7lF29ihDV+QKVM8xfql+kBnIqDizYAipOkTOzm5sqA9C3VUr0F -cDOHNw/vUvo8oUno/yQAOnOVfx+VMcFZERZ9jX1thEV1Iv2K+6KG63BkVyiP//pl -zO2qjaN2uRkXV0u9hZLKwhSvQSJPQXoXQ6H5t9mgfi39PYBbBgsh7putHCI6BAmV -6syhtQOQSabZhkiPQIkUgLYb75AVAQLHBQTvvJDHEVYuj1UgtaCdfLhgAOCexdkj -WjGQ5z1W -=iS48 +iQGzBAEBCAAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmReU6cACgkQZYKNdDzu +i2ncbAv+MSmVzQHbG3YPEVCRMCdZZOeHos5GvzO7VGhoabPsxFtPbthYW/waSPok +a19jRcXWhhTiRL0+uuA6hyY/kXNk0wbKsfZ4jwtWx/YLJB/TcFLUmNGognGUtJfc +o63AI6Aa4w14ST5UJ/yiTnj0aAy6u0fSyJGQ2C7L7OqvPp4KZfGYrksT2vYpgibI +IRfZG/9638KDBR0kPQUw5I2nADbpTADZNmo/MXCLHzkCADUn1Ehkx2F4pFgwXpi7 +Rjin5ZjEsxR2X+koi7qVzlLwXI0Uk6lazvFo18v0LJRZHW51VNeghHTs1OzQaNac +ZyWIgUNkwJA/4O6Ren6Egl0/uaZW9Sxmag1cI98RR5oDkiB0CoFnUpKHSr50gBQt +hdV1VoJilQ8ClmY811TZz5IL0BGJZpmf3YQqleC91WAIYV+mY1IGWMgXR5zTByPF +oW8hfaP1CfSXh21vMTBLZzh1tHBf3f9RJcJjw24ruTYLWOinSq83ID4lhJi7Vq8a +sseMD9Jr +=Llk0 -----END PGP SIGNATURE----- diff --git a/debian/dists/focal/Release b/debian/dists/focal/Release index c84f11c..022490f 100644 --- a/debian/dists/focal/Release +++ b/debian/dists/focal/Release 
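Review bot: The re-signed metadata still has no `Valid-Until` field (the header fields run from `Origin:` to `Description:` and then go straight into the hash sections), so clients cannot tell a current signed copy from a stale one. That matters more with this commit, because the signed state changes from two 1.5.5 packages to an empty `Packages` index (size 0, with the empty-input digests), and either signed state can be served indefinitely by a mirror or an on-path party. If this tree is generated by reprepro, as the `db/*.db` files suggest, a `ValidFor:` entry in the distribution configuration would make the generated file carry a line such as `Valid-Until: <expiry date>`. Separately, the clearsign header moves from `Hash: SHA512` to `Hash: SHA256` while the issuer bytes at the start of the armored signature look unchanged, which suggests a different signing host or gpg configuration; it is worth confirming that was intended and pinning the digest preference. The same fields and hash entries repeat in the `Release` hunk that follows.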
@@ -1,19 +1,19 @@ Origin: Unofficial Innernet Debian repository Label: innernet-debian Codename: focal -Date: Fri, 12 May 2023 08:20:16 UTC +Date: Fri, 12 May 2023 14:56:39 UTC Architectures: amd64 Components: contrib Description: APT repository for https://github.com/tonarino/innernet/. MD5Sum: - f6d27f7a8871bdebe4280c9c3ebc71d4 11445 contrib/binary-amd64/Packages - 22549a47e28a28b12a2baa1da439285e 4570 contrib/binary-amd64/Packages.gz + d41d8cd98f00b204e9800998ecf8427e 0 contrib/binary-amd64/Packages + 7029066c27ac6f5ef18d660d5741979a 20 contrib/binary-amd64/Packages.gz 77dc2b012f45038d5be68f81d464ee44 179 contrib/binary-amd64/Release SHA1: - e3facde4370461820390d32d5f4fea9959ee883c 11445 contrib/binary-amd64/Packages - 395685ad6722e2ecd8321710289cc69599b2baea 4570 contrib/binary-amd64/Packages.gz + da39a3ee5e6b4b0d3255bfef95601890afd80709 0 contrib/binary-amd64/Packages + 46c6643f07aa7f6bfe7118de926b86defc5087c4 20 contrib/binary-amd64/Packages.gz a4f6bbfd6fe4ab5a01909278c4e13b05d6b06f13 179 contrib/binary-amd64/Release SHA256: - f76c4cec4b313891b8311ee611dc0e329dcb825ab87900b1d1d665061a54f030 11445 contrib/binary-amd64/Packages - 1c068e26dd5f42fb95fb3def07e810fb11381f92c8cf59fc35751c3c0c1ab378 4570 contrib/binary-amd64/Packages.gz + e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 contrib/binary-amd64/Packages + 59869db34853933b239f1e2219cf7d431da006aa919635478511fabbfc8849d2 20 contrib/binary-amd64/Packages.gz 67b3f0e511499d8b794eaf1524cea47d2263a1e8e43445c60f311dbef9a50e9c 179 contrib/binary-amd64/Release diff --git a/debian/dists/focal/Release.gpg b/debian/dists/focal/Release.gpg index bf775d6..beb38a9 100644 --- a/debian/dists/focal/Release.gpg +++ b/debian/dists/focal/Release.gpg 
@@ -1,14 +1,14 @@ -----BEGIN PGP SIGNATURE----- -iQGzBAABCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmRd9sAACgkQZYKNdDzu -i2mSTwv/QpJlyftF+p0Y7/TgCZTVsF9/UuMpMRBH+2gY8ZNt3RByuca7d9qzK9nx -a290PzMUWrItblXwolxvxFWWpNrwrQ0eoc+D9cv7CpmlehznrD3zURuJChNyVd/d -YnOMtipHR5O0fZK5UJtNLq6ZTdxAZYFolaj2xIbmISrI0uoegII3OTGz6iAN/u5C -B4JKPJo5JuY6p5sgC57DDCQuIy5c6wp2sfhHey8RYil5aU2IJnTJx/vM0d+hX0LL -+hEdVAQMtCHYZFoR3IpNasddTA0Ug/q4oi4Zcl/IDiH/tTPKfF5lVoyHqD0mz7ue -NLVFm9WMcRh9u2VDdNsX0Q8AOrzVYIaVGUB8zcTNXwGoSuXdwF9WxT/WOPanRBI0 -esHQ9Jq0sQcMFv3Scdjq11iR0seq0IOWlM9h5EXU+lyelHwv+trMbxqleCU2O9N3 -IA+sPeKt3s1v2amXzHTQFnoYwqvjduLnVidpHL3eH/5QCGjaDhEK0yOsvxSRpf35 -p+/ZF0Xw -=SegE +iQGzBAABCAAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmReU6cACgkQZYKNdDzu +i2n6dgv/U7FIQ7kThavV/Y/atjkdyVOvM11tQo7NgDVwTwfajdqVldc6YgobPIHd +u1Wp8mH192kYhMUqPD5as0QuvBSLn6EJRMiBBSi4lYaRgvUUJBBp4eBHI5bPUMkj +r7owCVW+fzVs13TxtqS9+Scjkn3cJ3V6jJWJ9IoI9Lyx05mE9HUGWhysnDGfGr2L +LmWFF4dIcyH3Gk5a9POBOjVf6SEGKjtcL7vq/JnNSVcsOYis0sy3Mg+drO7FXoOm +V/OERe0dwYM4hSfPzo/W5awFT2/Xp3Du3Ta+M4O+g0wxPbcRTrF5gAdoF7Hujv80 +DDScp8L29Q8imnh6OMLco2Ir0hyXkGU4XOVF0gDzILVtGGuilfQoDvYqURba8rKw +CVByQtr4i5R183T25OL19X+cK3pDG850a+4fWfs/MgUUcR5PjcjGTq85/rIPVCRk +4WCtBCYfU9l/v5Hu8JSxI88yhaMqxPhzOX4bF20u2gruxOniH0f65GrjeSSraYgC +O0BAD9lt +=Pc+a -----END PGP SIGNATURE----- diff --git a/debian/dists/focal/contrib/binary-amd64/Packages b/debian/dists/focal/contrib/binary-amd64/Packages index 2a9e69c..e69de29 100644 --- a/debian/dists/focal/contrib/binary-amd64/Packages +++ b/debian/dists/focal/contrib/binary-amd64/Packages 
@@ -1,369 +0,0 @@ -Package: innernet -Version: 1.5.5-0ubuntu0~focal -Architecture: amd64 -Vcs-Browser: https://github.com/tonarino/innernet -Vcs-Git: https://github.com/tonarino/innernet -Homepage: https://github.com/tonarino/innernet -Maintainer: tonari -Installed-Size: 5759 -Depends: systemd, libgcc1, libc6 -Recommends: wireguard -Priority: optional -Section: net -Filename: pool/contrib/i/innernet/innernet_1.5.5-0ubuntu0~focal_amd64.deb -Size: 939712 -SHA256: 920928b6a121d58994d69562ac15ff19ab63343ac27e5c35c4da3e8854932fb9 -SHA1: d668e3d513936d1610c43bdf4fd8c5407aee5c45 -MD5sum: b8de44c86ea2f3315aa7768f13770577 -Description: A client to manage innernet network interfaces. - innernet client binary for fetching peer information and conducting admin tasks - such as adding a new peer. - -Package: innernet-server -Version: 1.5.5-0ubuntu0~focal -Architecture: amd64 -Maintainer: tonari -Installed-Size: 3937 -Depends: libgcc1, zlib1g, systemd, libsqlite3-0, libc6 -Recommends: wireguard -Source: innernet -Priority: optional -Section: net -Filename: pool/contrib/i/innernet-server/innernet-server_1.5.5-0ubuntu0~focal_amd64.deb -Size: 1419844 -SHA256: d3e09c49d837e8b679fe718b33bf82d1941e383fecf61e4a0d326159eca2cf09 -SHA1: c1ccc872b83f5098f012b4997c0c9b45ea5207b7 -MD5sum: 99ced787f8c8e8afd40cb6e48e3f0c95 -Description: A server to coordinate innernet networks. - # innernet - . - A private network system that uses [WireGuard](https://wireguard.com) under the - hood. See the [announcement blog - post](https://blog.tonari.no/introducing-innernet) for a longer-winded - explanation. - . - - . - `innernet` is similar in its goals to Slack's - [nebula](https://github.com/slackhq/nebula) or - [Tailscale](https://tailscale.com/), but takes a bit of a different approach. - It aims to take advantage of existing networking concepts like CIDRs and the - security properties of WireGuard to turn your computer's basic IP networking - into more powerful ACL primitives. - . 
- `innernet` is not an official WireGuard project, and WireGuard is a registered - trademark of Jason A. Donenfeld. - . - This has not received an independent security audit, and should be considered - experimental software at this early point in its lifetime. - . - ## Usage - . - ### Server Creation - . - Every `innernet` network needs a coordination server to manage peers and - provide endpoint information so peers can directly connect to each other. - Create a new one with - . - ```sh - sudo innernet-server new - ``` - . - The init wizard will ask you questions about your network and give you some - reasonable defaults. It's good to familiarize yourself with [network - CIDRs](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) as a lot - of innernet's access control is based upon them. As an example, let's say the - root CIDR for this network is `10.60.0.0/16`. Server initialization creates a - special "infra" CIDR which contains the `innernet` server itself and is - reachable from all CIDRs on the network. - . - Next we'll also create a `humans` CIDR where we can start adding some peers. - . - ```sh - sudo innernet-server add-cidr - ``` - . - For the parent CIDR, you can simply choose your network's root CIDR. The name - will be `humans`, and the CIDR will be `10.60.64.0/24` (not a great example - unless you only want to support 256 humans, but it works for now...). - . - By default, peers which exist in this new CIDR will only be able to contact - peers in the same CIDR, and the special "infra" CIDR which was created when the - server was initialized. - . - A typical workflow for creating a new network is to create an admin peer from - the `innernet-server` CLI, and then continue using that admin peer via the - `innernet` client CLI to add any further peers or network CIDRs. - . - ```sh - sudo innernet-server add-peer - ``` - . - Select the `humans` CIDR, and the CLI will automatically suggest the next - available IP address. 
Any name is fine, just answer "yes" when asked if you - would like to make the peer an admin. The process of adding a peer results in - an invitation file. This file contains just enough information for the new peer - to contact the `innernet` server and redeem its invitation. It should be - transferred securely to the new peer, and it can only be used once to - initialize the peer. - . - You can run the server with `innernet-server serve `, or if you're - on Linux and want to run it via `systemctl`, run `systemctl enable --now - innernet-server@`. If you're on a home network, don't forget to - configure port forwarding to the `Listen Port` you specified when creating the - `innernet` server. - . - ### Peer Initialization - . - Let's assume the invitation file generated in the steps above have been - transferred to the machine a network admin will be using. - . - You can initialize the client with - . - ```sh - sudo innernet install /path/to/invitation.toml - ``` - . - You can customize the network name if you want to, or leave it at the default. - `innernet` will then connect to the `innernet` server via WireGuard, generate a - new key pair, and register that pair with the server. The private key in the - invitation file can no longer be used. - . - If everything was successful, the new peer is on the network. You can run - things like - . - ```sh - sudo innernet list - ``` - . - or - . - ```sh - sudo innernet list --tree - ``` - . - to view the current network and all CIDRs visible to this peer. - . - Since we created an admin peer, we can also add new peers and CIDRs from this - peer via `innernet` instead of having to always run commands on the server. - . - ### Adding Associations between CIDRs - . - In order for peers from one CIDR to be able to contact peers in another CIDR, - those two CIDRs must be "associated" with each other. - . - With the admin peer we created above, let's add a new CIDR for some theoretical - CI servers we have. - . 
- ```sh - sudo innernet add-cidr - ``` - . - The name is `ci-servers` and the CIDR is `10.60.64.0/24`, but for this example - it can be anything. - . - For now, we want peers in the `humans` CIDR to be able to access peers in the - `ci-servers` CIDR. - . - ```sh - sudo innernet add-association - ``` - . - The CLI will ask you to select the two CIDRs you want to associate. That's all - it takes to allow peers in two different CIDRs to communicate! - . - You can verify the association with - . - ```sh - sudo innernet list-associations - ``` - . - and associations can be deleted with - . - ```sh - sudo innernet delete-associations - ``` - . - ### Enabling/Disabling Peers - . - For security reasons, IP addresses cannot be re-used by new peers, and - therefore peers cannot be deleted. However, they can be disabled. Disabled - peers will not show up in the list of peers when fetching the config for an - interface. - . - Disable a peer with - . - ```su - sudo innernet disable-peer - ``` - . - Or re-enable a peer with - . - ```su - sudo innernet enable-peer - ``` - . - ### Specifying a Manual Endpoint - . - The `innernet` server will try to use the internet endpoint it sees from a peer - so other peers can connect to that peer as well. This doesn't always work and - you may want to set an endpoint explicitly. To set an endpoint, use - . - ```sh - sudo innernet override-endpoint - ``` - . - You can go back to automatic endpoint discovery with - . - ```sh - sudo innernet override-endpoint -u - ``` - . - ### Setting the Local WireGuard Listen Port - . - If you want to change the port which WireGuard listens on, use - . - ```sh - sudo innernet set-listen-port - ``` - . - or unset the port and use a randomized port with - . - ```sh - sudo innernet set-listen-port -u - ``` - . - ### Remove Network - . - To permanently uninstall a created network, use - . - ```sh - sudo innernet-server uninstall - ``` - . - Use with care! - . - ## Security recommendations - . 
- If you're running a service on innernet, there are some important security - considerations. - . - ### Enable strict Reverse Path Filtering ([RFC - 3704](https://tools.ietf.org/html/rfc3704)) - . - Strict RPF prevents packets from _other_ interfaces from having internal source - IP addresses. This is _not_ the default on Linux, even though it is the right - choice for 99.99% of situations. You can enable it by adding the following to a - `/etc/sysctl.d/60-network-security.conf`: - . - ``` - net.ipv4.conf.all.rp_filter=1 - net.ipv4.conf.default.rp_filter=1 - ``` - . - ### Bind to the WireGuard device - . - If possible, to _ensure_ that packets are only ever transmitted over the - WireGuard interface, it's recommended that you use `SO_BINDTODEVICE` on Linux - or `IP_BOUND_IF` on macOS/BSDs. If you have strict reverse path filtering, - though, this is less of a concern. - . - ### IP addresses alone often aren't enough authentication - . - Even following all the above precautions, rogue applications on a peer's - machines could be able to make requests on their behalf unless you add extra - layers of authentication to mitigate this CSRF-type vector. - . - It's recommended that you carefully consider this possibility before deciding - that the source IP is sufficient for your authentication needs on a service. - . - ## Installation - . - innernet has only officially been tested on Linux and MacOS, but we hope to - support as many platforms as is feasible! - . - ### Runtime Dependencies - . - It's assumed that WireGuard is installed on your system, either via the kernel - module in Linux 5.6 and later, or via the - [`wireguard-go`](https://git.zx2c4.com/wireguard-go/about/) userspace - implementation. - . - [WireGuard Installation Instructions](https://www.wireguard.com/install/) - . - ### Arch Linux - . - ```sh - pacman -S innernet - ``` - . - ### Ubuntu - . 
- Fetch the appropriate `.deb` packages from - https://github.com/tonarino/innernet/releases and install with - . - ```sh - sudo apt install ./innernet*.deb - ``` - . - ### macOS - . - ```sh - brew install tonarino/innernet/innernet - ``` - . - ### Cargo - . - ```sh - # to install innernet: - cargo install --git https://github.com/tonarino/innernet --tag v1.5.5 client - . - # to install innernet-server: - cargo install --git https://github.com/tonarino/innernet --tag v1.5.5 server - ``` - . - Note that you'll be responsible for updating manually. - . - ## Development - . - ### `innernet-server` Build dependencies - . - - `rustc` / `cargo` (version 1.50.0 or higher) - - `libclang` (see more info at - [https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys)) - - `libsqlite3` - . - Build: - . - ```sh - cargo build --release --bin innernet-server - ``` - . - The resulting binary will be located at `./target/release/innernet-server` - . - ### `innernet` Client CLI Build dependencies - . - - `rustc` / `cargo` (version 1.50.0 or higher) - - `libclang` (see more info at - [https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys)) - . - Build: - . - ```sh - cargo build --release --bin innernet - ``` - . - The resulting binary will be located at `./target/release/innernet` - . - ### Releases - . - 1. Run `cargo release [--dry-run] [minor|major|patch|...]` to automatically - bump the crates appropriately. - 2. Create a new git tag (ex. `v0.6.0`). - 3. Push (with tags) to the repo. - . - innernet uses GitHub Actions to automatically produce a debian package for the - [releases page](https://github.com/tonarino/innernet/releases). - diff --git a/debian/dists/focal/contrib/binary-amd64/Packages.gz b/debian/dists/focal/contrib/binary-amd64/Packages.gz index 094bd8b..229151a 100644 Binary files a/debian/dists/focal/contrib/binary-amd64/Packages.gz and b/debian/dists/focal/contrib/binary-amd64/Packages.gz differ 
diff --git a/debian/pool/contrib/i/innernet-server/innernet-server_1.5.5-0ubuntu0~focal_amd64.deb b/debian/pool/contrib/i/innernet-server/innernet-server_1.5.5-0ubuntu0~focal_amd64.deb
deleted file mode 100644
index 1521e0a..0000000
Binary files a/debian/pool/contrib/i/innernet-server/innernet-server_1.5.5-0ubuntu0~focal_amd64.deb and /dev/null differ
diff --git a/debian/pool/contrib/i/innernet/innernet_1.5.5-0ubuntu0~focal_amd64.deb b/debian/pool/contrib/i/innernet/innernet_1.5.5-0ubuntu0~focal_amd64.deb
deleted file mode 100644
index 40e3c4f..0000000
Binary files a/debian/pool/contrib/i/innernet/innernet_1.5.5-0ubuntu0~focal_amd64.deb and /dev/null differ