commit 86f921adfa15bfe90d01cb2f7c913651b6640c29
parent 371a6e8e77a0e3887a50d3d4338f85aba3f15229
Author: Stefan Koch <programming@stefan-koch.name>
Date: Sun, 20 Dec 2020 19:18:48 +0100
update readme to sudo approach
Diffstat:
2 files changed, 12 insertions(+), 96 deletions(-)
diff --git a/README.md b/README.md
@@ -51,27 +51,21 @@ bin/setup-tap-vde.sh -u username -i 192.168.0.10/24 -g 192.168.0.1 -e eth0
It's possible to connect different VMs on possibly different hosts with a VPN.
For each virtual network a tinc instance is started.
-This means that we have to create an unknown number of networks dynamically
-upon user request. To somehow solve the problem that as a standard user we
-cannot modify network devices without the `CAP_NET_ADMIN` capability, we
-create a pre-defined number of unconfigured network devices `net-vpn-1` to
-`net-vpn-k`.
-The mapping between the dummy VPN devices and user-chosen VPN names is then
-done by aetherscale.
+In order to allow dynamic creation of network device entries we use `sudo`
+calls to the `ip` utility. To auto-configure IPv6 addresses of VPNs inside
+the guest VM we use IPv6 Router Advertisement messages. We run a `radvd`
+server that sends out the prefixes for IPv6 addresses. `radvd` also requires
+root permissions (or to be exact `CAP_NET_RAW` permissions).
-To create the dummy VPN interfaces (including bridging) run:
+To allow these calls you have to enable passwordless sudo permissions with
+the following entry in `visudo`:
-```bash
-bin/setup-vpn-tap-vde.sh -u username -n 10 -p 2001:db8:85a3
+```
+youruser ALL=(ALL) NOPASSWD: /usr/bin/ip, /usr/bin/radvd
```
-`-p` defines the IPv6 prefix from which submasks for private subnets will be
-chosen. It must be a `/48` prefix from which each VPN will receive a `/64`
-prefix.
-
-This is not a nice solution and ideally network interfaces should be
-created on-the-fly, but Linux capabilities inheritance to subprocesses
-seems quite complicated, and without inheritance we'd have to grant
+This is not a perfect solution but Linux capabilities inheritance to
+subprocesses seems quite complicated, and without inheritance we'd have to grant
`CAP_NET_ADMIN` to both `ip` and `tincd`. This might be undesired, because
then any user can change network devices. Another option could be to
assign `CAP_NET_ADMIN` to the user running aetherscale, but this seems to
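Review bot: the sudoers entry `youruser ALL=(ALL) NOPASSWD: /usr/bin/ip, /usr/bin/radvd` grants passwordless root for every invocation of `ip`, which is broader than the `CAP_NET_ADMIN` option the following paragraph rejects on the grounds that "then any user can change network devices": here anything running as `youruser` can reconfigure all host networking, and since `ip` has subcommands that launch further programs (`ip netns exec`) the rule is effectively unrestricted root. The README should say that the rule must be scoped to the dedicated, non-interactive account aetherscale runs under, and should recommend restricting it to the argument patterns aetherscale actually issues (sudoers matches on command arguments) instead of a bare command path. Also, `/usr/bin/ip` is distribution dependent (`/sbin/ip` and `/bin/ip` are common) and sudo matches the path literally, so a hint to check `command -v ip` would avoid a rule that silently never applies.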
@@ -81,38 +75,6 @@ binary that is to be executed.
While this in my opinion would be a reasonable choice for a production
program, it feels too heavy for a proof-of-concept tool.
-For IPv6 auto-configuration you must have a program for router
-advertisement running, e.g. radvd. Since radvd requires `CAP_NET_RAW`,
-you'll have to run it externally from aetherscale, aetherscale cannot
-autostart it.
-
-An example configuration file for two pre-configured subnets could look like:
-
-```
-interface aeth-vpnbr-1 {
- AdvSendAdvert on;
- MinRtrAdvInterval 3;
- MaxRtrAdvInterval 10;
- prefix ::/64 {
- AdvOnLink on;
- AdvAutonomous on;
- AdvRouterAddr off;
- };
-};
-
-interface aeth-vpnbr-2 {
- AdvSendAdvert on;
- MinRtrAdvInterval 3;
- MaxRtrAdvInterval 10;
- prefix ::/64 {
- AdvOnLink on;
- AdvAutonomous on;
- AdvRouterAddr off;
- };
-};
-```
-
-
## Usage
The server can be started with:
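Review bot: this hunk drops the statement that radvd must be started outside aetherscale together with the example configuration (`interface aeth-vpnbr-1 { ... }` per bridge), but the replacement text in the previous hunk only says "We run a `radvd` server" and no longer documents who writes the radvd configuration, how it is launched through sudo, or where each VPN's IPv6 prefix comes from now that the `-p` option and its `/48` to `/64` explanation are gone. A sentence stating that aetherscale generates the config and invokes `radvd` itself via the sudo rule (and which file it writes) would keep the README consistent with the new approach.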
@@ -200,6 +162,7 @@ Stuff I use for computing (and thus have learnt something about so far):
- VDE could also be relevant, but currently out of scope
- layer-2 VPN with tinc
- `libguestfs` for analyzing and changing images
+- IPv6, radvd
## Contribution
diff --git a/bin/setup-vpn-tap-vde.sh b/bin/setup-vpn-tap-vde.sh
@@ -1,47 +0,0 @@
-#!/usr/bin/env bash
-
-usage() {
- echo "Usage: $0 -u USER -n NUM-DEVICES -p IPv6-48-PREFIX"
-}
-
-while getopts ":hu:n:p:" opt; do
- case "$opt" in
- h|\?)
- usage
- exit 0
- ;;
- u) user=$OPTARG
- ;;
- n) num_devices=$OPTARG
- ;;
- p) prefix=$OPTARG
- ;;
- esac
-done
-
-if [[ -z $user || -z $num_devices || -z $prefix]]; then
- usage
- echo
- echo "Please specify all required arguments"
- exit 1
-fi
-
-for i in $(seq 1 $num_devices); do
- bridge_name=aeth-vpnbr-$i
- tinc_name=aeth-vpntnc-$i
- vde_name=aeth-vpnvde-$i
-
- ip link add $bridge_name type bridge
- ip link set $bridge_name up
-
- ip tuntap add dev $tinc_name mode tap user $user
- ip link set $tinc_name up
- ip link set $tinc_name master $bridge_name
- ip addr flush dev $tinc_name
-
- ip tuntap add dev $vde_name mode tap user $user
- ip link set dev $vde_name up
- ip link set $vde_name master $bridge_name
-
- ip addr add $prefix:$i::1/64 dev $bridge_name
-done
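Review bot: removing `bin/setup-vpn-tap-vde.sh` leaves no teardown or migration hint for hosts that were set up with it; the `aeth-vpnbr-N`, `aeth-vpntnc-N` and `aeth-vpnvde-N` devices it created persist until reboot or manual deletion and will clash if aetherscale now creates interfaces under the same naming scheme. A short cleanup note in the README (or a companion removal script) would help. For the record, the deleted guard `if [[ -z $user || -z $num_devices || -z $prefix]]; then` was missing the space before `]]` and would have failed to parse, so the script could not have run as documented anyway.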