tinc IPv6 VPN router on a Raspberry Pi – part two
Jan 16th, 2015 by Anders Kringstad


Warning: The following paragraphs will be a bit technical, but that’s unfortunately the only way to differentiate between the users and administrators of such solutions. Hence, if you are not a sysadmin, or more than mildly interested in poking around with servers running Linux, configuring network interfaces and adding software to your servers, get in touch with your local guru, as she or he will help you get things sorted quite nicely!

TL;DR: Quick and dirty copy-paste howto for both server/router and Raspberry Pi will follow in part three.

In part one we looked at setting the Raspberry Pi up with the needed connectivity to be able to download software from the Internet and explore it through SSH. Now, let’s get to the good stuff.

After getting the Pi onto the Internet, we can SSH into it and get tinc set up. You also need a dual-stack connected server somewhere that talks to the Internet. I’m in luck as I happen to have native IPv6 connectivity all around: at work (ITsjefen AS), at my spare-time NGO anti-cybercrime organisation (Underworld), at home (Canal Digital/Telenor Norway) and of course at the place that pioneered IPv6 connectivity in Norway – The Student Society of Trondheim (Studentersamfundet). For this project we’ll use a virtual server on a dedicated network at ITsjefen.

First you need to set up your server running Linux. I enjoy Ubuntu, so I’ll stick with Ubuntu 14.04.1 LTS 64-bit for this one. After installing your server and getting it up and running with dual-stack IPv4 and IPv6 connectivity, you need to install the tinc VPN software and add the configuration needed for it to act as an IPv6 router.

Tinc (yes, I know they spell their project name with small letters, even if it’s in the beginning of a sentence) is installed from the standard Ubuntu package repositories using your choice of apt or aptitude. I usually prefer aptitude. Run ‘aptitude install tinc’ as root to get tinc installed. The configuration files are in /etc/tinc – the directory will seem a bit empty and you will need to populate it yourself with the proper configuration files.

The structure of the /etc/tinc directory should be as follows:
nets.boot – contains network that you would like to auto-connect/launch at boot-time: “v6router”
v6router – create this directory to contain the configuration of your IPv6 router.

The /etc/tinc/v6router directory should have the following files in it:
tinc.conf – the configuration file for this VPN.
tinc-down – script file to run at shutdown. Remember to make this an executable after creation.
tinc-up – script file to run at startup. Remember to make this an executable after creation.
hosts – directory containing one file: v6router

The /etc/tinc/v6router/tinc.conf file should look somewhat as follows:

Name = v6router 
Mode = switch 

The v6router file in the hosts directory should contain an IPv4 address line and an IPv6 subnet definition (of one IP). It also should have your public key to authenticate against connecting clients.

The layout of the file is as follows:

Address = 92.62.3X.XXX
Subnet = 2a02:2c8:ffff::1/128

Now you need to generate the private and public keys for your router by running the command ‘tincd -n v6router -K4096’. This will create a key pair: the private key is stored as rsa_key.priv, and the public key is automatically added to the v6router file in the hosts directory.

The files tinc-down and tinc-up are the script files that contain the commands needed to make your router act as a router, route a subnet to your Raspberry Pi and get it connected to your router. You need to make these two scripts executable. The layout of the tinc-up script file is as follows:

#!/bin/sh
# Enable tinc - add routes
ip link set "$INTERFACE" up
ip -6 addr add 2a02:2c8:ffff::1/64 dev "$INTERFACE"
ip -6 route add 2a02:2c8:ffff::/48 dev "$INTERFACE"

# Static routing table - clients
ip -6 route add 2a02:2c8:ffff:2::/64 via 2a02:2c8:ffff::2

As you can see, the file both defines your router itself and sets up a /48 to use for your clients (e.g. your Raspberry Pi). If you only have ONE Raspberry Pi, a whole /48 is a bit over the top, but since we’re creating a design that can be used by hundreds or thousands of nodes here, we’ll spend a whole /48. A /48 is also the default delegation handed out to Business customers at most ISPs, so having a /64 for your router with a /48 added for its nodes makes sense Business-wise.

The file tinc-down does the above in reverse, tearing down the connectivity and routing when tinc is shut down. The contents of the file should be something like:

#!/bin/sh
# Static routing table - remove routes for clients
ip -6 route del 2a02:2c8:ffff:2::/64 via 2a02:2c8:ffff::2

# Disable tinc - remove routes and interface
ip -6 route del 2a02:2c8:ffff::/48 dev "$INTERFACE"
ip -6 addr del 2a02:2c8:ffff::1/64 dev "$INTERFACE"
ip link set "$INTERFACE" down
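
A check worth running once the files above are in place. This is an added example, not part of the original post: it assumes the directory layout described here and the PEM public-key header that tinc 1.0 writes, and the function name audit_tinc_net and the sample directory it builds are made up for the illustration.

```sh
#!/bin/sh
# Added example, not from the original post. audit_tinc_net is a made-up name.
# Usage on a real router: audit_tinc_net /etc/tinc/v6router v6router
audit_tinc_net() {
    net=$1; name=$2; findings=0
    fail() { echo "FAIL: $*"; findings=$((findings + 1)); }
    grep -Eq "^Name *= *$name *\$" "$net/tinc.conf" 2>/dev/null ||
        fail "tinc.conf missing or Name is not $name"
    # tinc 1.0 stores the public key in the host file as a PEM block.
    grep -q "BEGIN RSA PUBLIC KEY" "$net/hosts/$name" 2>/dev/null ||
        fail "hosts/$name has no public key"

    # Both hook scripts have to be executable.
    for s in tinc-up tinc-down; do
        [ -x "$net/$s" ] || fail "$s missing or not executable"
    done

    # The private key must not be accessible to group or other.
    if [ -f "$net/rsa_key.priv" ]; then
        mode=$(ls -ld "$net/rsa_key.priv" | cut -c5-10)
        [ "$mode" = "------" ] || fail "rsa_key.priv accessible to group/other"
    else
        fail "rsa_key.priv not found"
    fi

    # Every route tinc-up adds needs its 'del' twin in tinc-down, or stale
    # routes are left behind when tinc shuts down.
    routes=$(sed -n 's/^ip -6 route add \(.*[^ ]\) *$/\1/p' "$net/tinc-up" 2>/dev/null) || true
    while IFS= read -r r; do
        [ -n "$r" ] || continue
        sed 's/ *$//' "$net/tinc-down" 2>/dev/null |
            grep -Fqx -- "ip -6 route del $r" || fail "no teardown for route $r"
    done <<EOF
$routes
EOF
    [ "$findings" -eq 0 ]
}

# Constructed sample: world-readable key, tinc-down forgets the client route.
demo=$(mktemp -d) && mkdir "$demo/hosts"
echo "Name = v6router" > "$demo/tinc.conf"
echo "-----BEGIN RSA PUBLIC KEY-----" > "$demo/hosts/v6router"
echo "constructed placeholder" > "$demo/rsa_key.priv"; chmod 644 "$demo/rsa_key.priv"
printf '%s\n' 'ip -6 route add 2a02:2c8:ffff::/48 dev "$INTERFACE"' \
    'ip -6 route add 2a02:2c8:ffff:2::/64 via 2a02:2c8:ffff::2' > "$demo/tinc-up"
echo 'ip -6 route del 2a02:2c8:ffff::/48 dev "$INTERFACE"' > "$demo/tinc-down"
chmod +x "$demo/tinc-up" "$demo/tinc-down"
audit_tinc_net "$demo" v6router || echo "audit found problems"
rm -rf "$demo"
```

The function prints one FAIL line per finding and returns non-zero if there is any, so it can be dropped into a deployment script as a gate.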

The idea behind the setup is that you will know the node by its IPv6 address, based upon its prefix and endpoint address. Hence, using this configuration your Raspberry Pi would be 2a02:2c8:ffff::2 and talk to your v6router server at 2a02:2c8:ffff::1. The v6router would then hand out the subnet 2a02:2c8:ffff:2::/64 to your Raspberry Pi, giving it a network to attach the clients on its LAN to. An IPv6-enabled device on your LAN would then be able to talk to the Internet via the IPv6 VPN.

In the case of the project for Nordic these “clients” were the nRF51 kits with their Bluetooth connectivity. The nice part of this is that you are able to add and manage solutions based on static IPv6 nodes behind dynamic IPv4 network endpoints, and the traversal of NAT has so far been no problem with the providers this has been tested with. Until we reach a stage with fully deployed IPv6 networking in both corporate and residential networks, this will in some way probably be the best way to achieve managed services based on this technology.

Future connected homes
The scope of the Bluetooth IPv6 connectivity is not yet observed by the general public, but I myself see a connected, not too distant future home with smart devices that will actually tell the shopping application on my phone that “YES, your wife has already taken the last milk out of the fridge, you need to buy two, not one litres”. There will probably also be initiatives from makers of such devices, such as Electrolux and Samsung (yes, I know they are already playing with both their heat pumps and their washing machines over your local WLAN), who will provide on-site remote service by the use of connected appliances that talk to services at the manufacturer’s network. Such services could perhaps be a monthly check-in that will give you a nice status page saying that yes, your Samsung fridge motor is still running and that the ice crusher machine on the freezer part of the two-door monster is actually in need of a check-up. Would you like a repairman on site or a remote diagnostic run?

In part three I will provide the cut-and-paste setup howto for your own tinc IPv6 VPN mesh network and explore some of the things you need to think about before setting up any services that actually talk with the Internet on any such solutions. Until then I would very much recommend the Nordic Semiconductor IPv6 brewed coffee demo at CES2015. I hope lots of people have had good IPv6 brewed coffee! Hope to see that machine at Trondheim Developer Conference 2015 in October!


Re: Who governs the Internet?
May 26th, 2011 by Anders Kringstad

Diplo Foundation: Internet Governance anno 2004©
After posting my previous ramblings on the subject of Internet Governance (IG) I’ve been quite busy in my head, thinking about where I stand on this subject and how best to define the various aspects of IG within the so-called «Nordic model» that applies to Government, Business and Citizen of Iceland, Norway, Sweden, Finland and Denmark (the Nordic countries). This time, I’m exploring parts of IG in the Nordics, as seen from Norway.

First of all, I’m not so sure that the Internet is seen in the same way in the Nordic region as a whole. I might be wrong, but Finland seems to be ahead of both Norway and Sweden, with Iceland and Denmark fast approaching from behind. Internet access is written into law as a citizen right in Finland and Sweden but not in the other countries (yet). With the United Nations pushing to make basic Internet access a human right (2003) and a renewal of this as a ‘fundamental right’ at the 2005 World Summit of the Information Society (WSIS) in Tunis, more countries are bound to make basic Internet access law for their citizens. In all the Nordic countries 80-95% of the population have access to the Internet on a daily basis if they wish to: at home, at work/school or at Internet cafés, by cellphone etc.

The WSIS Working Group (WG) on Internet Governance (WGIG), set up by the Secretary-General of the United Nations after the first part of the WSIS in Geneva (2003), was asked to “investigate and make proposals for action, as appropriate, on the governance of the Internet by 2005”. Three defined issues represented the different objectives of the WG. One of these, “Develop a working definition of Internet Governance”, is found in the report delivered by the WG:

“Internet governance is the development and application by Governments, the private sector and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures, and programs that shape the evolution and use of the Internet”[1]

In Norway the Government has for the past three to four years, to a degree, tried to hand down the task of governing/policing the Internet from a juridical view to private sector law companies and Internet providers, who for their part are working hard not to become the ‘Norwegian Internet Police’ (NIP). I think that with the recent changes in policy and proposed laws in Norway we are likely to see a private sector NIP emerging quite quickly, as providers of online services and access to Internet resources are required by law to police their users’ activities.

Let’s start with the part where many governments faultily read ‘Govern’ as ‘limiting access’:
As a somewhat technically oriented and policy-interested person I find it a bit hard to see central governmental control of the Internet in Norway happening in a way that will hinder unwanted activities by citizens. Given that it will be harder for ordinary citizens to carry out perfectly legal online activity, and just as simple as before to carry out online criminal activity, it’s enticing to see how many politicians of the western world see it as their job to implement digital restrictions on their subjects.

The ‘strike first’ policies with technical/digital hindering of negatively charged activities should certainly not be adopted in such a civilised country as ours? (Many people ask themselves this as the European Union has adopted the directive on data retention, “Directive 2006/24/EC”.) Well?
Seen from a political view there is nothing wrong with creating digital walls that will hinder your subjects from doing things not permitted by law. There’s only one problem here: We do not build such walls in our offline, physical society. There is no wall outside a nursery that will hinder an unscrupulous individual from taking pictures of the kids there. Nor is there someone taking notice of how many residence doors you approach, walk by or enter, and wishing to use this information to decide if you’re a likely criminal.
Seen from a business view there is equally nothing wrong with having digital security in place and doing (technical part now, folks) packet inspection on a content level (DPI) to make sure no corporate secrets are leaked. As long as this digital security is automatic and does not identify employees, it is, for most employed people, OK. As many companies today have a set of rules for the use of computers and how to act online, what to access etc. when representing the company or at work, a little line or two about packet inspection is probably being entered into the next rewrite of those rules.
I believe that it’s at work people are most likely to meet a page that tells them that ‘this part of the Internet is closed to you due to company policy’. This part of corporate culture and Information Security is a tipping point in people’s view of restriction of access. Regardless of company, there are two camps here: permissive or restrictive access. Restrictive access is of course the part with that incriminating page that tells you that /this/ is not something you should be doing at work. Working with permissive policies leaves the choices to the user, under the knowledge that the company might very well log their access, should something criminal happen down the road.
Seen from a residential view there is certainly something wrong with a paid-for Internet connection being monitored and logged for ‘future reference’ should something occur in your neighbourhood, or originate from the residential Internet connection, that is not in line with local law. This rocks the very clear and, so far, unmovable principle that we are all equal before the law and are seen as innocent unless proven guilty.

So? Back to the main issue eh?
Who governs the Internet? It is clear through the definition by the WGIG[1] that the Internet is governed by a set of multi-stakeholders from three main parties, namely Government (G), Business (B) and Citizen (C). Within these there are a number of sub-representations such as Residential (R), Non-Governmental Organisations (NGO), Religious communities (R).
However, there is, even today, not a clear view of how to make sure that we are all equally treated in the scope of the Internet as a vital and more and more important part of our life. There have recently been great strides towards creating common ground for all, and there is certainly evolving work on this, currently at the e-G8 and the G8 forum in France.

Right now I only see one thing as rock solid: As the Internet evolves the way it is governed will also evolve. What once was an academic research project has certainly come a long way since the 1960s.

[1] Working definition of Internet Governance, published in the report from the Working Group on Internet Governance (WGIG), 2005, page 4

Defying the divide of “Internet access”, a starting point is needed
May 26th, 2011 by Anders Kringstad

As part of my eLearning assignment this week on Internet Governance there is a debate sparked about how to bridge the divide of having “Internet access”. I’ve been giving this a few moments of my time, and will use this entry, and comments on it/follow-up posts, as part of my gaining of insight into the sub-subject of having Internet access.

Many countries have defined Internet access as a fundamental right, but they have, cleverly, not defined ‘how’ this access should be provided, and whether it is to cost their population money.

So, how do people get online in today’s world?
In many countries basic Internet access is first established through the use of a mobile browser on one’s cellphone.

After this, many, many, many people have access to the Internet through Internet cafés in their local community or through educational institutions or work.

Thirdly, residential Internet access is spreading in all parts of the world, with Europe, the Pacific region of Asia and the northern parts of America as the head of the pack.

Finding a solution that globally defines “basic Internet access” or “Internet access” is key to being able to bridge this divide for the future generations. To make that happen, we need the nations of the world to unite under a common definition that has been agreed on in a neutral forum.
The G8 or G20 is no such forum, nor is the EU or other regional forums of trade/governmental membership. The UN might be a starting point, but I’m not sure if the UN is right either.
