Hi again Marvin
I’ve finally been able to do the howto screencast! Here is the link:
[still processing as of right now]
It’s my first screencast ever so I hope it makes sense ;]
I’ll also make a shorter version for faster setup in the next few days.
Let me know if you’re able to get everything up and running.
Nk
From: Marvin Arnold <marvin(a)geeky.rocks>
Reply: libremesh users <lime-users(a)lists.libremesh.org>
Date: 24 March 2017 at 00:54:20
To: libremesh users <lime-users(a)lists.libremesh.org>
Subject: Re: [lime-users] VPN
Hey Nicolas, ever make any progress on this? I've been dormant but
ready to start back up, given a little instruction.
On 03/08/2017 04:52 AM, Nk wrote:
> Hi Marvin
>
> Sorry for the late reply
>
> I think we’ve solved our spam issues so I hope this mail reaches
> you correctly now.
>
> I have actually just purchased two new hex routers for our network
> and I’ll set them up tonight or tomorrow night. I’ll document the
> process as I’m doing it and send you a link to it.
>
> Hope we’re still in time ;]
>
> On 22 Feb 2017, 04:36 +0100, Marvin Arnold <marvin(a)unplugged.im>,
> wrote:
>>
>> We have successfully set up the hex to connect to our streisand.
>> But my IP address is still the local one and not the VPN. How do
>> we route the traffic correctly? It didn't automagically work by
>> just plugging it up like you said.
>>
>>
>> On 02/17/2017 10:07 AM, Leonardo Taborda wrote:
>>> thanks Nicolas. Now it is more clear.
>>> On 17/02/17 at 04:14, nk(a)os.vu wrote:
>>>> Hi Leonardo
>>>>
>>>> This is to protect those who share their Internet
>>>> connection with the mesh network from being responsible for
>>>> other people's traffic. Streisand is amazing and the VPSs
>>>> available on arubacloud.com only cost 1€ a month, the lowest
>>>> price we have ever found, with the benefit of being close to us
>>>> [they're located in Arezzo and we're in Milano] for very low
>>>> latency and they have of course an IP recognized as Italian in
>>>> all of the geoIP databases, so that users don't notice any
>>>> difference when navigating to websites like Google that trace
>>>> your IP location and adapt the language of their website. I'm
>>>> getting speeds between 100 and 120mbps down with l2tp+ipsec on
>>>> my Hex and that makes for a very good amount of bandwidth to be
>>>> shared with the network.
>>>>
>>>> Nicolas
>>>>
>>>> Sent from Nine
>>>> ________________________________
>>>> From: Leonardo Taborda <leonardotaborda(a)networkbogota.org>
>>>> Sent: Feb 16, 2017 23:46
>>>> To: lime-users(a)lists.libremesh.org
>>>> Subject: Re: [lime-users] VPN
>>>>> Hello Nicolas and Marvin
>>>>>
>>>>> This is really interesting, I had no
>>>>> idea about streisand. If you guys are setting up this in a
>>>>> mesh network, is it for browsing safely or taking advantage of
>>>>> the ease of setting up vpns?
>>>>>
>>>>> On 16/02/17 at 10:00, Nicolas North wrote:
>>>>>> Hi again!
>>>>>>
>>>>>> I’m glad you received it this time and are testing
>>>>>> it out. I definitely have no windows machines either ;] And
>>>>>> actually you don’t need any configuration files for
>>>>>> streisand. Once you’ve set up your instance just navigate to
>>>>>> your server’s web address and log in with the provided
>>>>>> credentials. Then when you see this screen: Select
>>>>>> L2TP/IPsec. Then on the next screen press linux, and copy the
>>>>>> credentials you find there in the Hex admin page’s
>>>>>> configuration in the appropriate fields. That will get you up
>>>>>> and running in no time. Remember to select max MTU and MRU to
>>>>>> 1280 if you’re getting fragmented packets [I for instance
>>>>>> could not access http://speedtest.net before I corrected
>>>>>> these values, exactly because of packet fragmentation].
>>>>>>
>>>>>> Let me know if you need any further help!
>>>>>>
>>>>>> Nicolas
>>>>>>
>>>>>> From: Marvin Arnold <marvin(a)unplugged.im>
>>>>>> Reply: libremesh users <lime-users(a)lists.libremesh.org>
>>>>>> Date: 16 February 2017 at 15:49:26
>>>>>> To: lime-users(a)lists.libremesh.org
>>>>>> Subject: Re: [lime-users] VPN
>>>>>>> Thanks for resharing Nicolas, the original never did find my
>>>>>>> mailbox. We tried configuring this setup but hit a wall
>>>>>>> because we don't have windows machines. Is there no easy way
>>>>>>> to take the configuration files Streisand spits out and
>>>>>>> upload them directly to the hex? Alternatively, we're not
>>>>>>> sure which settings to copy over from that file and put
>>>>>>> into the hex.
>>>>>>>
>>>>>>> On 02/15/2017 02:27 AM, Nicolas North wrote:
>>>>>>>> Hi Marvin
>>>>>>>>
>>>>>>>> I’m sorry but I’m having some serious spam issues
>>>>>>>> since I’ve migrated my mailserver. Here is the mail I had
>>>>>>>> sent you. Hope you receive it!
>>>>>>>>
>>>>>>>> ––––––––––––––––
>>>>>>>>
>>>>>>>> Hi Marvin
>>>>>>>>
>>>>>>>> Sorry for the late reply. We’re using Hexes as vpn-only
>>>>>>>> devices, with the following setup:
>>>>>>>>
>>>>>>>> ||| ISP Router ||| <=> ||| Hex VPN Router ||| <=> ||| LiMe Router |||
>>>>>>>>                                                          |
>>>>>>>>                                                     wifi adhoc
>>>>>>>>                                                          |
>>>>>>>>                                                 [other LiMe routers]
>>>>>>>>
>>>>>>>> This is the guide we’ve been following
>>>>>>>> [https://matthewmcclatchey.com/using-private-internet-accesss-vpn-with-mikro…],
>>>>>>>> with the exception of the fact that our vpn is l2tp+ipsec,
>>>>>>>> and that we’ve had to set max mtu and max mru values to
>>>>>>>> 1280 for some reason as packets were getting fragmented
>>>>>>>> with our setup.
>>>>>>>>
>>>>>>>> If you connect a cable from the ISP’s
>>>>>>>> router’s lan to the Hex’s wan, and another cable from the
>>>>>>>> Hex’s lan to the LiMe router’s wan, you’ll have all of your
>>>>>>>> internet-bound traffic from inside your mesh network
>>>>>>>> sandboxed inside the VPN with no exceptions. The hex has
>>>>>>>> some kind of “persistent tunnel” enabled by default, so
>>>>>>>> drops the connection if the vpn breaks for some reason,
>>>>>>>> even though it never has unless we actually rebooted the
>>>>>>>> remote vpn server for testing purposes.
>>>>>>>>
>>>>>>>> I suggest giving
>>>>>>>> the Hex an address like 172.16.0.1 to avoid conflicts with
>>>>>>>> other more common subnets. We set all our ISP routers to
>>>>>>>> 192.168.0.1 and LiMe uses 10.13.0.1 etc… so we’re good to
>>>>>>>> go.
>>>>>>>>
>>>>>>>> Also, as a bonus, we try to pair all LiMe routers with
>>>>>>>> an openwrt “simple AP” router, that takes care of the AP
>>>>>>>> level and lets the LiMe router handle only the adhoc
>>>>>>>> meshing level, for maximum wireless efficiency. We give APs
>>>>>>>> static addresses of 10.13.64.1, 2, 3, and so on. They must
>>>>>>>> all be different. Try and stay out of the DHCP range which
>>>>>>>> starts at 100 I think. This last part [the AP addressing]
>>>>>>>> is all trial and error and experimental so it might be
>>>>>>>> wrong, but for us it works. We still need to figure out how
>>>>>>>> to scale addressing for APs so we’re open to suggestions.
>>>>>>>>
>>>>>>>> While we’re at it: *TLDR question: what static IPv4 address
>>>>>>>> to give a simple AP connected to the lan of a LiMe router?
>>>>>>>> Is 10.13.64.1 - 10.13.64.99 a good range? How do we scale
>>>>>>>> beyond that since every AP in the entire network must have
>>>>>>>> a different IP?*
>>>>>>>>
>>>>>>>> Let me know how this works for you. To
>>>>>>>> those answering the question: thank you in advance.
>>>>>>>>
>>>>>>>> Nicolas
>>>>>>>>
>>>>>>>> From: Marvin Arnold <marvin(a)unplugged.im>
>>>>>>>> Reply: Marvin Arnold <marvin(a)unplugged.im>
>>>>>>>> Date: 14 February 2017 at 02:19:38
>>>>>>>> To: pau(a)dabax.net, nk(a)os.vu
>>>>>>>> Subject: Re: [lime-users] VPN
>>>>>>>>> Hi Pau, Nicolas,
>>>>>>>>>
>>>>>>>>> Maybe I'm losing my head, but I can't
>>>>>>>>> find the original email from Nicolas being quoted. It
>>>>>>>>> looks like it may be the additional VPN setup tips we are
>>>>>>>>> looking for. I've checked my spam and don't see any hidden
>>>>>>>>> messages...
>>>>>>>>>
>>>>>>>>> On 02/13/2017 06:43 PM, Ilario wrote:
>>>>>>>>>> Hi Nicolas!
>>>>>>>>>>
>>>>>>>>>> I think I missed some of your emails in
>>>>>>>>>> Gmail's spam folder... Answer inline:
>>>>>>>>>>
>>>>>>>>>> 2017-02-13 1:51 GMT+01:00 Nicolas North <nk(a)os.vu>:
>>>>>>>>>>> Also, as a bonus, we try to pair all LiMe routers with
>>>>>>>>>>> an openwrt “simple AP” router, that takes care of
>>>>>>>>>>> the AP level and lets the LiMe router handle only the adhoc
>>>>>>>>>>> meshing level, for maximum wireless efficiency.
>>>>>>>>>> That's really wise :)
>>>>>>>>>>> We give APs static addresses of 10.13.64.1, 2, 3, and so
>>>>>>>>>>> on. They must all be different. Try and stay out of the DHCP
>>>>>>>>>>> range which starts at 100 I think.
>>>>>>>>>> A very interesting question. There's no option for DHCP
>>>>>>>>>> range in /etc/config/lime* files (and this is ok). But I
>>>>>>>>>> supposed that the range was defined in /etc/config/dhcp,
>>>>>>>>>> which on LibreMesh is identical to that on OpenWrt/LEDE and
>>>>>>>>>> contains:
>>>>>>>>>>
>>>>>>>>>> # cat /etc/config/dhcp
>>>>>>>>>> [...]
>>>>>>>>>> config dhcp 'lan'
>>>>>>>>>>         option interface 'lan'
>>>>>>>>>>         option start '100'
>>>>>>>>>>         option limit '150'
>>>>>>>>>>         option leasetime '1h'
>>>>>>>>>>
>>>>>>>>>> But trying to ask for a DHCP lease I received an IPv4 out of the
>>>>>>>>>> 10.x.x.100-250 range, looking around I found that the DHCP range
>>>>>>>>>> for anygw is hardcoded:
>>>>>>>>>>
>>>>>>>>>> https://github.com/libremesh/lime-packages/commit/3a6596d50b3c0446b988f84d3…
>>>>>>>>>>
>>>>>>>>>> resulting in the whole subnet... No good. @devs?
>>>>>>>>>>
>>>>>>>>>> Anyway, do you need static IP addresses at the AP routers? You
>>>>>>>>>> could also let them take the IP from LiMe (and LiMe would
>>>>>>>>>> take care of avoiding collisions).
>>>>>>>>>>
>>>>>>>>>> Additionally, if you let LiMe routers autoassign their own IPv4,
>>>>>>>>>> they will span over the whole subnet, unless you specify a smaller
>>>>>>>>>> "subnet" (not a real subnet, just a range) for
>>>>>>>>>> auto-assignment, as explained in /etc/config/lime-example
>>>>>>>>>> in the comment on the main_ipv4_address option:
>>>>>>>>>>
>>>>>>>>>> https://github.com/libremesh/lime-packages/blob/2ce5ffa96de5b0b5abb507076b0…
>>>>>>>>>>
>>>>>>>>>> For example:
>>>>>>>>>>
>>>>>>>>>> # cat /etc/config/lime
>>>>>>>>>> config lime 'network'
>>>>>>>>>>         option main_ipv4_address '10.13.128.0/16/17'
>>>>>>>>>>
>>>>>>>>>> will limit the autoassignment of IPv4 to the second half of the
>>>>>>>>>> broadcast domain.
>>>>>>>>>>
>>>>>>>>>> Bye!
>>>>>>>>>> Ilario
>>>>>>>>>> _______________________________________________
>>>>>>>>>> lime-users mailing list
>>>>>>>>>> lime-users(a)lists.libremesh.org
>>>>>>>>>> https://lists.libremesh.org/mailman/listinfo/lime-users
>>>>> --
>>>>> Cordially
>>>>> Leonardo Taborda Ángel
>>>>> leonardotaborda(a)networkbogota.org
>>>>> www.networkbogota.org
>>>>> "When there is a will, there is a way"
>>>
>>> --
>>> Cordially
>>> Leonardo Taborda Ángel
>>> leonardotaborda(a)networkbogota.org
>>> www.networkbogota.org
>>> "When there is a will, there is a way"
_______________________________________________
lime-users mailing list
lime-users(a)lists.libremesh.org
https://lists.libremesh.org/mailman/listinfo/lime-users
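
The address plan discussed in this thread, as an added example that is not part of the original messages or of LibreMesh itself: it splits the `main_ipv4_address` value Ilario quotes into the mesh network and the auto-assignment range, then checks a list of static AP addresses against it. The AP names and addresses are constructed, and the reading of the `/16/17` notation is assumed from Ilario's description.

```python
import ipaddress

# Constructed sample: AP names and addresses are hypothetical, not from the thread.
SAMPLE_APS = {
    "ap-roof": "10.13.64.1",
    "ap-yard": "10.13.64.2",
    "ap-shop": "10.13.64.2",   # same address as ap-yard
    "ap-lab": "10.13.200.5",   # falls in the auto-assignment half
}

def parse_main_ipv4(value):
    """Split 'address/prefix/range-prefix', e.g. '10.13.128.0/16/17'.

    Assumed meaning (from the thread): the first prefix is the mesh-wide
    network, the second narrows where routers auto-assign their own IPv4.
    """
    addr, net_prefix, range_prefix = value.split("/")
    network = ipaddress.ip_network(f"{addr}/{net_prefix}", strict=False)
    auto_range = ipaddress.ip_network(f"{addr}/{range_prefix}", strict=False)
    if not auto_range.subnet_of(network):
        raise ValueError(f"{auto_range} is not inside {network}")
    return network, auto_range

def static_pool(main_ipv4):
    """Blocks of the mesh network that routers will not auto-assign from."""
    network, auto_range = parse_main_ipv4(main_ipv4)
    return sorted(network.address_exclude(auto_range))

def check_static_plan(main_ipv4, static_hosts):
    """Return (name, address, problem) for every unsafe static entry."""
    network, auto_range = parse_main_ipv4(main_ipv4)
    problems, seen = [], {}
    for name, text in static_hosts.items():
        ip = ipaddress.ip_address(text)
        if ip not in network:
            problems.append((name, text, "outside mesh network"))
        elif ip in auto_range:
            problems.append((name, text, "inside auto-assignment range"))
        if ip in seen:
            problems.append((name, text, f"duplicate of {seen[ip]}"))
        seen.setdefault(ip, name)
    return problems

if __name__ == "__main__":
    print("free for static use:", static_pool("10.13.128.0/16/17"))
    for problem in check_static_plan("10.13.128.0/16/17", SAMPLE_APS):
        print(problem)
```

This only covers router auto-assignment; Ilario's message reports that anygw DHCP leases are drawn from the whole subnet, which this check does not model.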