I have wanted to create a way to secure the communicates between the my VPS’s that are located at several geologically different datacenters. Normally each server being it’s own island is not an issue, but this does not work very well if you want the servers to communicate on a secure channel for monitoring and deploying configuration. This type of communication is normally done on an internal network that does not route publicly. Some of the more standard configuration options would be to setup a VPN, or host all the systems in one location on the same subnet. These options are all good but do provide the same interest as setting up CJDNS to route the traffic. Here I will cover how to setup CJDNS to communicate between two freshly installed Ubuntu 14.04 systems.
First we need to install the the prerequisites to build the current version of CJDNS.
sudo apt-get install git build-essential nodejs
Next we will need to download a copy of the project from GIT and run the build.
sudo mkdir -p /opt/cjdns
sudo git clone https://github.com/cjdelisle/cjdns.git /opt/cjdns
CJDNS will use the tun device to communicate, we need to verify that it is working properly.
If we see
cat: /dev/net/tun: File descriptor in bad state then everything is working properly at this stage.
If we see
cat: /dev/net/tun: No such file or directory we will need to create the tun device by running the following commands.
sudo mkdir -p /dev/net
sudo mknod /dev/net/tun c 10 200
sudo chmod 0666 /dev/net/tun
If we get the result of
cat: /dev/net/tun: Operation not permitted it is likely that your VPS provider has not enabled TUN/TAP device by default. You will need to be activated the TUN/TAP device from the VPS control panel, or by creating a support ticket with your VPS provider.
Next we need to generate the the config file.
sudo mkdir -p /etc/cjdns
sudo chmod 755 /etc/cjdns
./cjdroute --genconf > ~/cjdroute.conf
sudo mv ~/cjdroute.conf /etc/cjdns/cjdroute.conf
Now we need to make some changes to the config file. Open ‘/etc/cjdns/cjdroute.conf’ in an editor and make the following changes.
Find the setting
"beacon": 2; and change it to
"beacon": 0; to prevent connections to other systems that are broadcasting.
Find the line
"your.external.ip.goes.here" in the
"authorizedPasswords" section and replace it with your external IP address. In the same section locate the line
"peerName":"your-name-goes-here" And change the value
"your-name-goes-here" to a human readable name for the system like
Next copy the connection credentials that we just configured, they should look like this:
This is an example connection and will not work if used. We will now past this into the
"connectTo" section for IPv4 or IPv6 depending on what the system.
We will want to set one of the systems to print the log to the terminal for testing by changing the following settings. First we will set
"noBackground":1, and uncommenting the line
"logTo":"stdout" in the config. Remember this step is for testing only will will need to be reverted after we have confirmed that the setup is functional.
Now we will want to start the service on the systems by running the following command.
sudo /opt/cjdns/cjdroute < /etc/cjdns/cjdroute.conf
To test if the connection has been setup successfully we will want to ping the IPv6 address assigned to the tun device. The IPv6 address is located at the start of the config file at the setting
Now that we have a CJDNS working we need to setup a proper init script to run on startup, and to control the service. I have modified the init script provided at https://github.com/ProjectMeshnet/CJDNS-init.d-Script/ to work with this guide, you can download it from http://www.jenovarain.com/blog/wp-content/uploads/2016/05/cjdns.txt.
Run the following commands to download and configure the script.
sudo cp cjdns.txt /etc/init.d/cjdns
sudo chmod +x /etc/init.d/cjdns
sudo update-rc.d cjdns defaults
You can now test the new init script by running the following command:
sudo service cjdns status
You should see
Cjdns is running if everything is working properly.
You should now have CJDNS setup and configured to start on boot and peered with both system letting you securely route data between the two systems.
We have not covered restricting communication between the systems to only use this new route, and how to segregate peer connections if you connect to other CJDNS peers.