A First Attempt at the DN42 Experimental Network

admin, 2023-07-30 22:14:31



What is the DN42 network?



    Decentralized Network 42 (dn42 for short, hereafter) is a decentralized, end-to-end encrypted network built with VPNs and software/hardware BGP. Unlike a traditional VPN, DN42 itself provides no VPN exit service, i.e. no censorship circumvention, streaming unlocking or similar. Instead, DN42's purpose is to simulate an internet. It uses many of the technologies deployed on today's internet backbone (for example BGP and recursive DNS), so it models a real network environment well.


Via Lan Tian's Blog


Why DN42 



Routing experiments

Participating in dn42 is primarily useful for learning routing technologies such as BGP, using a reasonably large network (> 1500 AS, > 1700 prefixes).


Connecting hackerspaces

Since dn42 is very similar to the Internet, it can be used as a hands-on testing ground for new ideas, or simply to learn real networking stuff that you probably can't do on the Internet (BGP multihoming, transit). The biggest advantage when compared to the Internet: if you break something in the network, you won't have any big network operator yelling angrily at you.


Registering with DN42



Requirements

  • A Linux virtual machine; on Windows, WSL is enough

  • Familiarity with Linux commands and some basic computer networking knowledge

Official tutorial: https://dn42.dev/howto/Getting-Started


First, register an account on the official Git (https://git.dn42.dev/user/sign_up).

Once it is activated, go to this repository (https://git.dn42.dev/dn42/registry)

and fork it to your own account.

Then clone it locally.


git clone https://git.dn42.dev/icecliffs/registry.git


Then create a file named [UPPERCASE NICKNAME]-MNT under data/mntner (and the screenshot caught Master Tony, heh).




Its contents are:

  • mntner: i.e. maintainer; the name of this account, identical to the file name.

  • admin-c: i.e. admin contact; must point to the person file created later, usually [NICKNAME]-DN42.

  • tech-c: i.e. tech contact; must point to the person file created later, usually also [NICKNAME]-DN42.

  • mnt-by: i.e. maintained by; points to this account itself, usually [NICKNAME]-MNT.

  • source: always DN42

  • auth: your authentication credential. Two types are generally accepted: a GPG public key and an SSH public key.

Via DN42 实验网络介绍及注册教程 (Lan Tian's DN42 introduction and registration tutorial)


mntner: ICECLIFFS-MNT

admin-c: ICECLIFFS-DN42

tech-c: ICECLIFFS-DN42

mnt-by: ICECLIFFS-MNT

source: DN42

auth: pgp-fingerprint 0BE2C259A99AE5B767BC1A2CA3550E3691FF9467

auth: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPOEzWsohqYxXP+cgl7OFUMPr28IPF/nTErMHtOXS6ZV

remarks: rYu1nser (IceCliffs) Hi :), My blog: https://iloli.moe


  • Create a file named [UPPERCASE NICKNAME]-DN42 under data/person

Its contents are:

  • person: your nickname.

  • e-mail: your e-mail address.

  • contact: optional; your other contact details, e.g. IRC, Telegram.

  • nic-hdl: NIC handle; points to the file itself, identical to the file name, [NICKNAME]-DN42.

  • mnt-by: maintained by; points to your mntner file from before, [NICKNAME]-MNT.

  • source: always DN42.


person: rYu1nser

contact: iloli.moe

contact: Telegram: @icecliffs

contact: GitHub: @icecliffs

contact: Twitter: @icecliffs

nic-hdl: ICECLIFFS-DN42

mnt-by: ICECLIFFS-MNT

pgp-fingerprint: 0BE2C259A99AE5B767BC1A2CA3550E3691FF9467

source: DN42

remarks: rYu1nser (IceCliffs) Hi :), My blog: https://iloli.moe


Next, assign yourself an ASN; pick any one you like (range: 4242420000 – 4242423999). Mine, for example, is AS4242422291. As of 2022/12/3 00:00:00 there should still be this many numbers left:




aut-num: AS4242422291

as-name: ICECLIFFS-AS

descr: I love this huge spider web, https://o;p;o/,pe.

remarks: Twitter: @icecliiffs, Telegram: @icecliffs

admin-c: ICECLIFFS-DN42

tech-c: ICECLIFFS-DN42

mnt-by: ICECLIFFS-MNT

source: DN42


I can't be bothered to write up the remaining steps; I suggest reading Master Lantian's post, which is what I followed ()


Pointer 🔜: DN42 实验网络介绍及注册教程(2022-06 更新) | Lan Tian @ Blog

My IPv6: fd6d:acf4:0742::_48

My IPv4: 172.23.244.0/26

As for IP ranges, you can find the unallocated dn42 blocks here: https://explorer.burble.com/free#/

My PR, a sorry sight, honestly :D: https://git.dn42.dev/dn42/registry/pulls/2342



Then wait patiently for them to merge it.



[NOTE] ## Scan Started at 2022-12-03 18:51:34

CHECK data/mntner/ICECLIFFS-MNT PASS MNTNERS: ICECLIFFS-MNT

[NOTE] ## Scan Completed at 2022-12-03 18:51:38

[NOTE] ## Scan Started at 2022-12-03 18:51:38

[INFO] fd24:e2b2:ea31::/48

CHECK data/inet6num/fd24:e2b2:ea31::_48 PASS MNTNERS: ICECLIFFS-MNT

CHECK data/route/172.23.244.0_26 PASS MNTNERS: ICECLIFFS-MNT

CHECK data/inetnum/172.23.244.0_26 PASS MNTNERS: ICECLIFFS-MNT

CHECK data/person/ICECLIFFS-DN42 PASS MNTNERS: ICECLIFFS-MNT

CHECK data/mntner/ICECLIFFS-MNT PASS MNTNERS: ICECLIFFS-MNT

CHECK data/route6/fd24:e2b2:ea31::_48 PASS MNTNERS: ICECLIFFS-MNT

CHECK data/aut-num/AS4242422291 PASS MNTNERS: ICECLIFFS-MNT

[NOTE] ## Scan Completed at 2022-12-03 18:51:40


[INFO] [[['@as-min', 'AS0000000001'], ['@as-max', 'AS4294967294'], ['as-block', 'AS1-AS4294967294'], ['mnt-by', 'DN42-MNT'], ['policy', 'closed']], [['@as-min', 'AS4242420000'], ['@as-max', 'AS4242423999'], ['as-block', 'AS4242420000-AS4242423999'], ['mnt-by', 'DN42-MNT'], ['policy', 'open']]]

[NOTE] Policy is open for parent object 

POLICY ICECLIFFS-MNT aut-num AS4242422291 PASS

[INFO] Checking inetnum type

[INFO] ['fd24e2b2ea3100000000000000000000', 'fd24e2b2ea31ffffffffffffffffffff', '048']

[NOTE] Policy is open for parent object

POLICY ICECLIFFS-MNT inet6num fd24:e2b2:ea31::/48 PASS

[INFO] Checking inetnum type

[INFO] ['00000000000000000000ffffac17f400', '00000000000000000000ffffac17f43f', '122']

[NOTE] Policy is open for parent object

POLICY ICECLIFFS-MNT inetnum 172.23.244.0/26 PASS

[NOTE] ICECLIFFS-MNT does not currently exist

POLICY ICECLIFFS-MNT mntner ICECLIFFS-MNT PASS

[NOTE] ICECLIFFS-DN42 does not currently exist

POLICY ICECLIFFS-MNT person ICECLIFFS-DN42 PASS

[INFO] Checking route type

[INFO] ['00000000000000000000ffffac17f400', '00000000000000000000ffffac17f43f', '122']

[NOTE] Policy is open for parent object

POLICY ICECLIFFS-MNT route 172.23.244.0/26 PASS

[INFO] Checking route type

[INFO] ['fd24e2b2ea3100000000000000000000', 'fd24e2b2ea31ffffffffffffffffffff', '048']

[NOTE] Policy is open for parent object

POLICY ICECLIFFS-MNT route6 fd24:e2b2:ea31::/48 PASS
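The schema and policy checks in the scan output above (maintainer exists, contacts resolve to a person, ASN inside the open as-block), reduced to a small Python validator as an added example; this is not the registry's own checker, the objects are constructed from this post's files, and the set of accepted auth forms is an assumption:

```python
import re

# Constructed registry objects modelled on the files shown above (this post's names).
MNTNER_OBJ = """\
mntner: ICECLIFFS-MNT
admin-c: ICECLIFFS-DN42
tech-c: ICECLIFFS-DN42
mnt-by: ICECLIFFS-MNT
source: DN42
auth: pgp-fingerprint 0BE2C259A99AE5B767BC1A2CA3550E3691FF9467
"""
PERSON_OBJ = "person: rYu1nser\nnic-hdl: ICECLIFFS-DN42\nmnt-by: ICECLIFFS-MNT\nsource: DN42\n"
AUTNUM_OBJ = "aut-num: AS4242422291\nas-name: ICECLIFFS-AS\nmnt-by: ICECLIFFS-MNT\nsource: DN42\n"

# Assumed usable auth forms: a 40-hex-digit PGP fingerprint or an SSH public key.
AUTH_RE = re.compile(r"^(pgp-fingerprint [0-9A-Fa-f]{40}|ssh-(ed25519|rsa) \S+)$")
OPEN_AS_BLOCK = (4242420000, 4242423999)  # the 'policy: open' as-block in the scan output

def parse_object(text):
    """Parse 'key: value' lines into {key: [values]}; repeated keys (auth, contact) keep order."""
    obj = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            obj.setdefault(key.strip(), []).append(value.strip())
    return obj

def check_registry(objects):
    """Return a list of problems; an empty list means every object would PASS."""
    problems = []
    mntners = {o["mntner"][0] for o in objects if "mntner" in o}
    persons = {o["nic-hdl"][0] for o in objects if "nic-hdl" in o}
    for o in objects:
        for m in o.get("mnt-by", []):  # every object needs an existing maintainer
            if m not in mntners:
                problems.append(f"mnt-by {m} does not exist")
        if "mntner" in o:  # self-maintained, real contacts, at least one usable auth
            name = o["mntner"][0]
            if o.get("mnt-by") != [name]:
                problems.append(f"{name} must be maintained by itself")
            if not any(AUTH_RE.match(a) for a in o.get("auth", [])):
                problems.append(f"{name} has no usable auth line")
            for c in o.get("admin-c", []) + o.get("tech-c", []):
                if c not in persons:
                    problems.append(f"contact {c} does not exist")
        if "aut-num" in o:  # the ASN must lie in the block that is open for self-service
            asn = int(o["aut-num"][0][2:])
            if not OPEN_AS_BLOCK[0] <= asn <= OPEN_AS_BLOCK[1]:
                problems.append(f"AS{asn} is outside the open as-block")
    return problems
```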





Setting up a peer



Because DN42 simulates an entire internet, there is no official server for us to connect to; we have to bring a server of our own into DN42.

Before configuring anything, add a few settings to sysctl.conf: https://dn42.dev/howto/networksettings


  1. You must disable rp_filter and enable forwarding

  2. The first rule of dn42: Always disable rp_filter.

  3. The third rule of dn42: Allow ip forwarding!

  4. Remember to turn off the firewall, or things beyond your control will start happening


net.ipv4.ip_forward=1

net.ipv6.conf.default.forwarding=1

net.ipv6.conf.all.forwarding=1

net.ipv4.conf.default.rp_filter=0

net.ipv4.conf.all.rp_filter=0


Apply with: sysctl -p


Finding peer nodes

Go straight to: https://dn42.us/peers

Or check other people's blogs/websites to see whether they list any.

For example, mine:

Name :          ICECLIFFS-NET

ASN  :          AS424242291

IPv4 :          172.23.244.0/26

IPv6 :          fd24:e2b2:ea31::/48

-----------------------------------------

Nodes:

> Japan, Asia: 172.244.0.1


Setting up the tunnel

It's recommended to follow the official tutorial here:

https://dn42.dev/howto/wireguard

First generate a key pair

wg genkey | tee privatekey | wg pubkey > publickey


If you get "command not found", it's because WireGuard isn't installed


apt-get update

apt-get install wireguard-tools wireguard-dkms


Then edit the configuration under /etc/wireguard/


# tunnel.conf

[Interface]

PrivateKey = <your private key>

ListenPort = <local UDP port, last 5 digits of the ASN>

Table = Off

PostUp = /bin/ip addr add <your DN42 IPv4 address> peer <peer's DN42 IPv4 address> dev %i


[Peer]

PublicKey = <peer's public key>

# at least one peer needs to provide this one

Endpoint = <peer's IP and port>

# in theory this could be restricted to dn42 networks,

# however it is easier to do this with iptables/bgp filters/routing table 

# instead just like for openvpn-based peerings

AllowedIPs = 0.0.0.0/0,::/0


After editing, simply run wg-quick up [config file], then type wg to see whether the connection came up; if it succeeded you will see a transfer line




Setting up the BGP session

It's recommended to follow the official wiki here

https://wiki.dn42.us/howto/Bird2

Installation

wget -O - http://bird.network.cz/debian/apt.key | apt-key add - 

apt-get install lsb-release 

echo "deb http://bird.network.cz/debian/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/bird.list 

apt-get update 

apt-get install bird2


It's recommended to use the template directly: https://wiki.dn42.us/howto/Bird2


Replace <OWNAS> with your autonomous system number, e.g. 4242421234

Replace <OWNIP> with the ip that your router is going to have, this is usually the first non-zero ip in your subnet. (E.g. x.x.x.65 in an x.x.x.64/28 network)

Similarly, replace <OWNIPv6> with the first non-zero ip in your ipv6 subnet.

Then replace <OWNNET> with the IPv4 subnet that was assigned to you.

The same goes for <OWNNETv6>, but it takes an IPv6 subnet (Who’d have thought).

Keep in mind that you’ll have to enter both networks in the OWNNET{,v6} and OWNNETSET{,v6}, the two variables are required due to set parsing difficulties with variables.


Then make the substitutions described above (/etc/bird.conf)

################################################

# Variable header #

################################################

define OWNAS = 4242422291;

define OWNIP = 172.23.244.1;

define OWNIPv6 = fd24:e2b2:ea31::6;

define OWNNET = 172.23.244.0/26;

define OWNNETv6 = fd24:e2b2:ea31::/48;

define OWNNETSET = [172.23.244.0/26+];

define OWNNETSETv6 = [fd24:e2b2:ea31::/48+];

################################################

# Header end #

################################################


Next configure ROA (Route Origin Authorization). This absolutely must be set up correctly; you can write a crontab entry to download the files periodically.


The example config above relies on ROA configuration files in /etc/bird/roa_dn42{,_v6}.conf. These should be automatically downloaded and updated every so often to prevent BGP highjacking, see the bird1 page for more details and links to the ROA files. Note: edit the links to replace roa_bird1 to say roa_bird2 if using the cron jobs listed on that page.


See: https://wiki.dn42.us/howto/Bird#route-origin-authorization0
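As an added example (not the post's or the wiki's code), the validation those ROA files give BIRD, written out in Python over a constructed table in the `route <prefix> max <maxlen> as <asn>;` line format that BIRD's roa tables load; it covers the general RFC 6811 cases (wrong origin, too-specific prefix, uncovered prefix), using this post's prefixes and the wiki's placeholder AS 4242421234 for the neighbour:

```python
import ipaddress

# Constructed ROA table in the line format BIRD loads from roa_dn42{,_v6}.conf:
# "route <prefix> max <maxlen> as <origin-asn>;" (entries are made up for this example).
ROA_TEXT = """\
route 172.23.244.0/26 max 26 as 4242422291;
route fd24:e2b2:ea31::/48 max 64 as 4242422291;
route 172.20.0.0/24 max 29 as 4242421234;
# comment lines and blanks are ignored

"""

def parse_roa(text):
    """Return a list of (network, maxlen, origin_asn) tuples from ROA lines."""
    roas = []
    for line in text.splitlines():
        parts = line.strip().rstrip(";").split()
        if len(parts) != 6 or parts[0] != "route" or parts[2] != "max" or parts[4] != "as":
            continue  # skip blanks, comments and malformed lines
        roas.append((ipaddress.ip_network(parts[1]), int(parts[3]), int(parts[5])))
    return roas

def roa_check(roas, prefix, origin_asn):
    """RFC 6811 validation: 'valid', 'invalid' or 'unknown' for one announcement.

    A route is valid only if some covering ROA names its origin AS and its
    prefix length does not exceed that ROA's maxlen; a covered announcement
    that matches no ROA (wrong origin, or a too-specific prefix) is invalid.
    """
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas if r[0].version == net.version and net.subnet_of(r[0])]
    if not covering:
        return "unknown"
    if any(asn == origin_asn and net.prefixlen <= maxlen for _, maxlen, asn in covering):
        return "valid"
    return "invalid"

ROAS = parse_roa(ROA_TEXT)

def filter_announcements(announcements, roas=ROAS):
    """Keep only ROA-valid (prefix, origin) pairs, i.e. reject anything that is not ROA_VALID."""
    return [(p, a) for p, a in announcements if roa_check(roas, p, a) == "valid"]
```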


Setting up peers

Please note: This section assumes that you’ve already got a tunnel to your peering partner setup.

Create a directory here


# mkdir -p /etc/bird/peers


See: https://wiki.dn42.us/howto/Bird2

Once everything is configured, start Bird: bird -c /etc/bird.conf

Check the connection status: birdc show protocol



Graphical maps




https://dn42.jh0project.com/map


https://map42.0x7f.cc/


https://bgp42.strexp.net/map2


References



  • https://miaotony.xyz/2021/03/25/Server_DN42

  • https://lantian.pub/article/modify-website/dn42-experimental-network-2020.lantian/

  • https://dn42.dev/howto/Registry-Authentication

  • https://iloli.moe/studying/202212022982.html

Originally published on the WeChat public account (Gh0xE9): DN42实验网络初次尝试

Posted by admin on 2023-07-30 22:14:31. Please keep this link when reposting (CN-SEC 中文网, with thanks to the original author): http://cn-sec.com/archives/1918672.html