diff --git a/debian/conf/distributions b/debian/conf/distributions
index debb277..1126c4d 100644
--- a/debian/conf/distributions
+++ b/debian/conf/distributions
@@ -1,8 +1,16 @@
 Origin: Unofficial Innernet Debian repository
 Label: innernet-debian
 Description: APT repository for https://github.com/tonarino/innernet/.
-Codename: bullseye
-Suite: unstable
+Codename: focal
+Architectures: amd64
+Components: contrib
+DebOverride: deboverride
+SignWith: 65828D743CEE8B69
+
+Origin: Unofficial Innernet Debian repository
+Label: innernet-debian
+Description: APT repository for https://github.com/tonarino/innernet/.
+Codename: jammy
 Architectures: amd64
 Components: contrib
 DebOverride: deboverride
diff --git a/debian/db/checksums.db b/debian/db/checksums.db
index 5d5b4bd..5b7bec6 100644
Binary files a/debian/db/checksums.db and b/debian/db/checksums.db differ
diff --git a/debian/db/packages.db b/debian/db/packages.db
index 8b61004..eb84fad 100644
Binary files a/debian/db/packages.db and b/debian/db/packages.db differ
diff --git a/debian/db/references.db b/debian/db/references.db
index c09b584..0dc52c2 100644
Binary files a/debian/db/references.db and b/debian/db/references.db differ
diff --git a/debian/dists/bullseye b/debian/dists/bullseye
new file mode 120000
index 0000000..aae2fdc
--- /dev/null
+++ b/debian/dists/bullseye
@@ -0,0 +1 @@
+focal
\ No newline at end of file
diff --git a/debian/dists/bullseye/InRelease b/debian/dists/bullseye/InRelease
deleted file mode 100644
index e440d00..0000000
--- a/debian/dists/bullseye/InRelease
+++ /dev/null
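Review bot: Existing bullseye clients will stop updating after this hunk, because `dists/bullseye` becomes a symlink to the focal tree whose Release carries `Codename: focal` and no longer has `Suite: unstable`, and apt (1.5 and newer) refuses a repository whose Codename or Suite changed (`E: Repository ... changed its 'Codename' value from 'bullseye' to 'focal'`) until the user runs `apt-get update --allow-releaseinfo-change`; the `dists/unstable` alias is removed outright, so `unstable` sources simply 404. If bullseye is meant to stay supported, add a real stanza with `Codename: bullseye` (and `Suite: unstable` for the old alias) instead of the symlink, or document the release-info change for users. The jammy stanza's trailing lines are outside the hunk, so please confirm it also carries `SignWith: 65828D743CEE8B69`; reprepro writes an unsigned Release for a stanza without it, and apt rejects unsigned repositories by default. For `SignWith`, prefer the full 40-hex fingerprint over the 16-hex key ID so the signing key is selected unambiguously from the keyring.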
@@ -1,37 +0,0 @@
------BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA512
-
-Origin: Unofficial Innernet Debian repository
-Label: innernet-debian
-Suite: unstable
-Codename: bullseye
-Date: Fri, 17 Feb 2023 14:57:19 UTC
-Architectures: amd64
-Components: contrib
-Description: APT repository for https://github.com/tonarino/innernet/.
-MD5Sum:
- dc6484db792bff09c9bb00bd04b27517 11385 contrib/binary-amd64/Packages
- 6481ea8418baf391c66dc947f39c3ac1 4553 contrib/binary-amd64/Packages.gz
- 054c9a1e8a25809201dc62d407f4e83e 197 contrib/binary-amd64/Release
-SHA1:
- 043aa17a5aff2a1e038d511aa07c50a12492fd3b 11385 contrib/binary-amd64/Packages
- 047bca9f171603eee4fc05b26fec0dc743a9fcdd 4553 contrib/binary-amd64/Packages.gz
- 27df8ea870558476a122fd03363988c0ff791151 197 contrib/binary-amd64/Release
-SHA256:
- a76cdc06a8b41bf88d72444616ca261f568548ea76b3d34105438bbb7f76871f 11385 contrib/binary-amd64/Packages
- 80204890ba9c360e302b0619a46650b40dea89958f890359906bfa422496772b 4553 contrib/binary-amd64/Packages.gz
- 852d73d87a0a610605e16f05c4b773ed6fda9a47be68fb4809171988c79f96ed 197 contrib/binary-amd64/Release
------BEGIN PGP SIGNATURE-----
-
-iQGzBAEBCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmPvldAACgkQZYKNdDzu
-i2ntQgv/Z3NU1HRAB3ObbfIuHNK2qPI6ZgxtbnI0mp+UIAeGvRfoCTFgFOc5vhQu
-z2rb5G/YPoR0VKFIf5TFLe7wMPz8uJY6flnFpk+TSoaTZrZflfEVOOrSmo41kNAx
-zgvocmvgDq80ufZVJOkTvQcdwf49QihLXZcMCkJbnvcgRYAhmVEhKgv3L3WgmLoJ
-ab5IPJEUuN/t2Q/VTYCa21RgynvS4n4x5lD9CR2jpWIk8Fs4/UWRaKAZu9NJKqVQ
-GcMuYxQ0dlcje6xZ2D6PyEe+pI3UnXAw7UanjJp+Y1eqBuKV7ys7V0fND1SSrtqE
-QRjwCwl29fTdqBFN211AVRo0rNJytJafCuvAxnNCVA3pQKh7PvFaNazcNzfvPmsB
-XW7KsxwI7sEAs+SdVPXQwW6x6+wF0zQaJnS95fSPAkyhvkPIZ0iq8yoIg0wpV5Fa
-VQir748+NAwqRtobjrDfVORH6b3mhYFRM4EOG8q+COgMJGIWcroguezsa5Pahofq
-pV3WbSMp
-=vfRf
------END PGP SIGNATURE-----
diff --git a/debian/dists/bullseye/Release b/debian/dists/bullseye/Release
deleted file mode 100644
index 7305724..0000000
--- a/debian/dists/bullseye/Release
+++ /dev/null
@@ -1,20 +0,0 @@
-Origin: Unofficial Innernet Debian repository
-Label: innernet-debian
-Suite: unstable
-Codename: bullseye
-Date: Fri, 17 Feb 2023 14:57:19 UTC
-Architectures: amd64
-Components: contrib
-Description: APT repository for https://github.com/tonarino/innernet/.
-MD5Sum:
- dc6484db792bff09c9bb00bd04b27517 11385 contrib/binary-amd64/Packages
- 6481ea8418baf391c66dc947f39c3ac1 4553 contrib/binary-amd64/Packages.gz
- 054c9a1e8a25809201dc62d407f4e83e 197 contrib/binary-amd64/Release
-SHA1:
- 043aa17a5aff2a1e038d511aa07c50a12492fd3b 11385 contrib/binary-amd64/Packages
- 047bca9f171603eee4fc05b26fec0dc743a9fcdd 4553 contrib/binary-amd64/Packages.gz
- 27df8ea870558476a122fd03363988c0ff791151 197 contrib/binary-amd64/Release
-SHA256:
- a76cdc06a8b41bf88d72444616ca261f568548ea76b3d34105438bbb7f76871f 11385 contrib/binary-amd64/Packages
- 80204890ba9c360e302b0619a46650b40dea89958f890359906bfa422496772b 4553 contrib/binary-amd64/Packages.gz
- 852d73d87a0a610605e16f05c4b773ed6fda9a47be68fb4809171988c79f96ed 197 contrib/binary-amd64/Release
diff --git a/debian/dists/bullseye/Release.gpg b/debian/dists/bullseye/Release.gpg
deleted file mode 100644
index 045539a..0000000
--- a/debian/dists/bullseye/Release.gpg
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQGzBAABCgAdFiEEbYSVpa4ZFZQzkqZZZYKNdDzui2kFAmPvlc8ACgkQZYKNdDzu
-i2mFngv9F+lcRTWzgTleuL0dem+pv9Y3Lu8IafQU9XeD7i7q9OhJ3Zf8QCW6mn7x
-m7iVveBgmcuiZeuXgNiiqflwJjZlDCP+eaDTI1ucwnMwod6F0uRfxMF1rj3+pKLA
-TssQT0XROBtpaTtpNByGaPiXycqAJ95plf3hkPKtAFK1QaGPqROiEQL9b+UCbAV8
-0lki2qpYawMYECk8EcMvIUKPE3BKWiqSihmboC3TaCiIVnoj1Y46v2zgyNzdI5dJ
-5iDNYSogQT25o9PDl5ontce4vRzhgbfBvL0AkHx4pF0+GWaj9JWYKaOsTjdh8yQ4
-sWi2kz1Eh8Fobtc83p+I27aTvxq8iQ58nOPngTdO8LdrukU6BN4RjIf9kd5DaOga
-h+UdPOtA+uYfdEG0aXEeAKn9kysF0wpHUV2iy86ZRW3880QcChAF5Leawi28yQyQ
-6Qpcg7roBjb2PEEZnAEyZFkn25ZgSHgNpjqpShz8v2dVATbkevRFO83CZsTn/SCn
-Qs9wkU72
-=OKYZ
------END PGP SIGNATURE-----
diff --git a/debian/dists/bullseye/contrib/binary-amd64/Packages b/debian/dists/bullseye/contrib/binary-amd64/Packages
deleted file mode 100644
index 4daeb9f..0000000
--- a/debian/dists/bullseye/contrib/binary-amd64/Packages
+++ /dev/null
@@ -1,369 +0,0 @@ -Package: innernet -Version: 1.5.5 -Architecture: amd64 -Vcs-Browser: https://github.com/tonarino/innernet -Vcs-Git: https://github.com/tonarino/innernet -Homepage: https://github.com/tonarino/innernet -Maintainer: tonari -Installed-Size: 5751 -Depends: systemd, libc6, libgcc1 -Recommends: wireguard -Priority: optional -Section: net -Filename: pool/contrib/i/innernet/innernet_1.5.5_amd64.deb -Size: 937816 -SHA256: 431f70acd934a1c256b5c5191e1ccf4a40c037318c99878bae28f87501c3119d -SHA1: 86018c48822b620c8badae6d3b87bc2c0d4bc12e -MD5sum: 489513385d66b36335fdf7cc7aa9dd41 -Description: A client to manage innernet network interfaces. - innernet client binary for fetching peer information and conducting admin tasks - such as adding a new peer. - -Package: innernet-server -Version: 1.5.5 -Architecture: amd64 -Maintainer: tonari -Installed-Size: 3929 -Depends: zlib1g, libsqlite3-0, systemd, libc6, libgcc1 -Recommends: wireguard -Source: innernet -Priority: optional -Section: net -Filename: pool/contrib/i/innernet-server/innernet-server_1.5.5_amd64.deb -Size: 1417760 -SHA256: a28852a8df78f43610cc8b77eb4889a8acda5f0f0744ccaa642830f831d37bdd -SHA1: 1663a2a2b1b9739d59143fb5d97f9ab99d07a174 -MD5sum: ebb0196c7621d207ffd5c04862d21dda -Description: A server to coordinate innernet networks. - # innernet - . - A private network system that uses [WireGuard](https://wireguard.com) under the - hood. See the [announcement blog - post](https://blog.tonari.no/introducing-innernet) for a longer-winded - explanation. - . - - . - `innernet` is similar in its goals to Slack's - [nebula](https://github.com/slackhq/nebula) or - [Tailscale](https://tailscale.com/), but takes a bit of a different approach. - It aims to take advantage of existing networking concepts like CIDRs and the - security properties of WireGuard to turn your computer's basic IP networking - into more powerful ACL primitives. - . 
- `innernet` is not an official WireGuard project, and WireGuard is a registered - trademark of Jason A. Donenfeld. - . - This has not received an independent security audit, and should be considered - experimental software at this early point in its lifetime. - . - ## Usage - . - ### Server Creation - . - Every `innernet` network needs a coordination server to manage peers and - provide endpoint information so peers can directly connect to each other. - Create a new one with - . - ```sh - sudo innernet-server new - ``` - . - The init wizard will ask you questions about your network and give you some - reasonable defaults. It's good to familiarize yourself with [network - CIDRs](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) as a lot - of innernet's access control is based upon them. As an example, let's say the - root CIDR for this network is `10.60.0.0/16`. Server initialization creates a - special "infra" CIDR which contains the `innernet` server itself and is - reachable from all CIDRs on the network. - . - Next we'll also create a `humans` CIDR where we can start adding some peers. - . - ```sh - sudo innernet-server add-cidr - ``` - . - For the parent CIDR, you can simply choose your network's root CIDR. The name - will be `humans`, and the CIDR will be `10.60.64.0/24` (not a great example - unless you only want to support 256 humans, but it works for now...). - . - By default, peers which exist in this new CIDR will only be able to contact - peers in the same CIDR, and the special "infra" CIDR which was created when the - server was initialized. - . - A typical workflow for creating a new network is to create an admin peer from - the `innernet-server` CLI, and then continue using that admin peer via the - `innernet` client CLI to add any further peers or network CIDRs. - . - ```sh - sudo innernet-server add-peer - ``` - . - Select the `humans` CIDR, and the CLI will automatically suggest the next - available IP address. 
Any name is fine, just answer "yes" when asked if you - would like to make the peer an admin. The process of adding a peer results in - an invitation file. This file contains just enough information for the new peer - to contact the `innernet` server and redeem its invitation. It should be - transferred securely to the new peer, and it can only be used once to - initialize the peer. - . - You can run the server with `innernet-server serve `, or if you're - on Linux and want to run it via `systemctl`, run `systemctl enable --now - innernet-server@`. If you're on a home network, don't forget to - configure port forwarding to the `Listen Port` you specified when creating the - `innernet` server. - . - ### Peer Initialization - . - Let's assume the invitation file generated in the steps above have been - transferred to the machine a network admin will be using. - . - You can initialize the client with - . - ```sh - sudo innernet install /path/to/invitation.toml - ``` - . - You can customize the network name if you want to, or leave it at the default. - `innernet` will then connect to the `innernet` server via WireGuard, generate a - new key pair, and register that pair with the server. The private key in the - invitation file can no longer be used. - . - If everything was successful, the new peer is on the network. You can run - things like - . - ```sh - sudo innernet list - ``` - . - or - . - ```sh - sudo innernet list --tree - ``` - . - to view the current network and all CIDRs visible to this peer. - . - Since we created an admin peer, we can also add new peers and CIDRs from this - peer via `innernet` instead of having to always run commands on the server. - . - ### Adding Associations between CIDRs - . - In order for peers from one CIDR to be able to contact peers in another CIDR, - those two CIDRs must be "associated" with each other. - . - With the admin peer we created above, let's add a new CIDR for some theoretical - CI servers we have. - . 
- ```sh - sudo innernet add-cidr - ``` - . - The name is `ci-servers` and the CIDR is `10.60.64.0/24`, but for this example - it can be anything. - . - For now, we want peers in the `humans` CIDR to be able to access peers in the - `ci-servers` CIDR. - . - ```sh - sudo innernet add-association - ``` - . - The CLI will ask you to select the two CIDRs you want to associate. That's all - it takes to allow peers in two different CIDRs to communicate! - . - You can verify the association with - . - ```sh - sudo innernet list-associations - ``` - . - and associations can be deleted with - . - ```sh - sudo innernet delete-associations - ``` - . - ### Enabling/Disabling Peers - . - For security reasons, IP addresses cannot be re-used by new peers, and - therefore peers cannot be deleted. However, they can be disabled. Disabled - peers will not show up in the list of peers when fetching the config for an - interface. - . - Disable a peer with - . - ```su - sudo innernet disable-peer - ``` - . - Or re-enable a peer with - . - ```su - sudo innernet enable-peer - ``` - . - ### Specifying a Manual Endpoint - . - The `innernet` server will try to use the internet endpoint it sees from a peer - so other peers can connect to that peer as well. This doesn't always work and - you may want to set an endpoint explicitly. To set an endpoint, use - . - ```sh - sudo innernet override-endpoint - ``` - . - You can go back to automatic endpoint discovery with - . - ```sh - sudo innernet override-endpoint -u - ``` - . - ### Setting the Local WireGuard Listen Port - . - If you want to change the port which WireGuard listens on, use - . - ```sh - sudo innernet set-listen-port - ``` - . - or unset the port and use a randomized port with - . - ```sh - sudo innernet set-listen-port -u - ``` - . - ### Remove Network - . - To permanently uninstall a created network, use - . - ```sh - sudo innernet-server uninstall - ``` - . - Use with care! - . - ## Security recommendations - . 
- If you're running a service on innernet, there are some important security - considerations. - . - ### Enable strict Reverse Path Filtering ([RFC - 3704](https://tools.ietf.org/html/rfc3704)) - . - Strict RPF prevents packets from _other_ interfaces from having internal source - IP addresses. This is _not_ the default on Linux, even though it is the right - choice for 99.99% of situations. You can enable it by adding the following to a - `/etc/sysctl.d/60-network-security.conf`: - . - ``` - net.ipv4.conf.all.rp_filter=1 - net.ipv4.conf.default.rp_filter=1 - ``` - . - ### Bind to the WireGuard device - . - If possible, to _ensure_ that packets are only ever transmitted over the - WireGuard interface, it's recommended that you use `SO_BINDTODEVICE` on Linux - or `IP_BOUND_IF` on macOS/BSDs. If you have strict reverse path filtering, - though, this is less of a concern. - . - ### IP addresses alone often aren't enough authentication - . - Even following all the above precautions, rogue applications on a peer's - machines could be able to make requests on their behalf unless you add extra - layers of authentication to mitigate this CSRF-type vector. - . - It's recommended that you carefully consider this possibility before deciding - that the source IP is sufficient for your authentication needs on a service. - . - ## Installation - . - innernet has only officially been tested on Linux and MacOS, but we hope to - support as many platforms as is feasible! - . - ### Runtime Dependencies - . - It's assumed that WireGuard is installed on your system, either via the kernel - module in Linux 5.6 and later, or via the - [`wireguard-go`](https://git.zx2c4.com/wireguard-go/about/) userspace - implementation. - . - [WireGuard Installation Instructions](https://www.wireguard.com/install/) - . - ### Arch Linux - . - ```sh - pacman -S innernet - ``` - . - ### Ubuntu - . 
- Fetch the appropriate `.deb` packages from - https://github.com/tonarino/innernet/releases and install with - . - ```sh - sudo apt install ./innernet*.deb - ``` - . - ### macOS - . - ```sh - brew install tonarino/innernet/innernet - ``` - . - ### Cargo - . - ```sh - # to install innernet: - cargo install --git https://github.com/tonarino/innernet --tag v1.5.5 client - . - # to install innernet-server: - cargo install --git https://github.com/tonarino/innernet --tag v1.5.5 server - ``` - . - Note that you'll be responsible for updating manually. - . - ## Development - . - ### `innernet-server` Build dependencies - . - - `rustc` / `cargo` (version 1.50.0 or higher) - - `libclang` (see more info at - [https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys)) - - `libsqlite3` - . - Build: - . - ```sh - cargo build --release --bin innernet-server - ``` - . - The resulting binary will be located at `./target/release/innernet-server` - . - ### `innernet` Client CLI Build dependencies - . - - `rustc` / `cargo` (version 1.50.0 or higher) - - `libclang` (see more info at - [https://crates.io/crates/clang-sys](https://crates.io/crates/clang-sys)) - . - Build: - . - ```sh - cargo build --release --bin innernet - ``` - . - The resulting binary will be located at `./target/release/innernet` - . - ### Releases - . - 1. Run `cargo release [--dry-run] [minor|major|patch|...]` to automatically - bump the crates appropriately. - 2. Create a new git tag (ex. `v0.6.0`). - 3. Push (with tags) to the repo. - . - innernet uses GitHub Actions to automatically produce a debian package for the - [releases page](https://github.com/tonarino/innernet/releases). - diff --git a/debian/dists/bullseye/contrib/binary-amd64/Packages.gz b/debian/dists/bullseye/contrib/binary-amd64/Packages.gz deleted file mode 100644 index 2510461..0000000 Binary files a/debian/dists/bullseye/contrib/binary-amd64/Packages.gz and /dev/null differ 
diff --git a/debian/dists/bullseye/contrib/binary-amd64/Release b/debian/dists/bullseye/contrib/binary-amd64/Release
deleted file mode 100644
index 4febefe..0000000
--- a/debian/dists/bullseye/contrib/binary-amd64/Release
+++ /dev/null
@@ -1,6 +0,0 @@
-Archive: unstable
-Component: contrib
-Origin: Unofficial Innernet Debian repository
-Label: innernet-debian
-Architecture: amd64
-Description: APT repository for https://github.com/tonarino/innernet/.
diff --git a/debian/dists/unstable b/debian/dists/unstable
deleted file mode 120000
index 91bf492..0000000
--- a/debian/dists/unstable
+++ /dev/null
@@ -1 +0,0 @@
-bullseye
\ No newline at end of file
diff --git a/debian/pool/contrib/i/innernet-server/innernet-server_1.5.5_amd64.deb b/debian/pool/contrib/i/innernet-server/innernet-server_1.5.5_amd64.deb
deleted file mode 100644
index e704b00..0000000
Binary files a/debian/pool/contrib/i/innernet-server/innernet-server_1.5.5_amd64.deb and /dev/null differ
diff --git a/debian/pool/contrib/i/innernet/innernet_1.5.5_amd64.deb b/debian/pool/contrib/i/innernet/innernet_1.5.5_amd64.deb
deleted file mode 100644
index ce0135d..0000000
Binary files a/debian/pool/contrib/i/innernet/innernet_1.5.5_amd64.deb and /dev/null differ