Klaus' Log

Fri 18 May 2018

Running cjdns on a lowendspirit.com box

Posted by Klaus Eisentraut in cjdns

This blog post describes how to set up and run cjdns on a lowendspirit.com box. I'm using the Norway location, so the provider is MrVM.

The first step was to enable the TUN device in the client area at https://clients.mrvm.net/. You can check whether TUN is enabled with ls /dev/net/tun.

While I was there, I also did a reinstall with Debian 9 minimal, as I didn't want to use the older Debian 7. Unfortunately, their Debian 9 image does not seem to have SSH preinstalled, so I had to connect over the serial console, which is also provided in the customer area. There I ran the following commands to enable SSH:

apt-get update
apt-get dist-upgrade
apt-get install ssh
systemctl enable ssh
systemctl start ssh

I had to build cjdns myself, as it is not in the Debian repositories by default, and since cjdns changes often you shouldn't rely on potentially outdated Debian packages anyway. However, building it needs more than 128 MB and therefore cannot be done on the target system itself. Furthermore, the kernel in the box is really, really old (2.6.32-042stab127.2) and does not support seccomp. I used the following commands to build it on my Arch Linux box:

pacman -Syu git base-devel python2
git clone https://github.com/cjdelisle/cjdns
cd cjdns/
TARGET_ARCH=x86_64 Seccomp_NO=1 ./cross-do

Afterwards, I uploaded the cjdns binary with SCP and generated a config file.

scp ./cjdroute lowendspiritbox:~/cjdroute
ssh lowendspiritbox
~/cjdroute --genconf --no-eth > ~/cjdroute.conf
chmod 600 ~/cjdroute.conf

Next I edited the generated cjdroute configuration file. As many lowendspirit boxes share a single IPv4 address, you can only use a range of 20 predefined ports, in my case 24901 to 24920. So I had to change the UDP listening ports for IPv4 and IPv6 to one of the forwarded ports; otherwise the cjdns service would not be reachable from the outside over IPv4. Additionally, I disabled the built-in option of cjdns to peer over Layer 2 with ETH beacons, as other lowendspirit customers might also run cjdns and I don't want to connect to them (for now). Finally, I added a user so that I can connect, too. The final config file looks like the following:

{
  "noBackground" : 0,
  "logging" : {

  },
  "security" : [
    {
      "keepNetAdmin" : 1,
      "setuser" : "nobody"
    },
    {
      "chroot" : "/var/run/"
    },
    {
      "nofiles" : 0
    },
    {
      "noforks" : 1
    },
    {
      "seccomp" : 1
    },
    {
      "setupComplete" : 1
    }
  ],
  "router" : {
    "ipTunnel" : {
      "outgoingConnections" : [

      ],
      "allowedConnections" : [

      ]
    },
    "interface" : {
      "type" : "TUNInterface"
    },
    "supernodes" : [

    ]
  },
  "interfaces" : {
    "UDPInterface" : [
      {
        "connectTo" : {

        },
        "bind" : "0.0.0.0:24901"
      },
      {
        "connectTo" : {

        },
        "bind" : "[::]:24901"
      }
    ]
  },
  "admin" : {
    "password" : "NONE",
    "bind" : "127.0.0.1:11234"
  },
  "authorizedPasswords" : [
    {
      "user" : "TODO",
      "password" : "TODO"
    }
  ],
  "ipv6" : "fc12:3456:7890:1234:5678:9012:3456:7890",
  "publicKey" : "1us8d..u3mc.k",
  "privateKey" : "abcd...abcd"
}
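The edits described above, applied to a generated config programmatically and checked afterwards, as an added example that is neither the author's code nor part of cjdns. It assumes the config has been loaded with json.load as plain JSON (the comments that --genconf emits removed); the sample configuration, the random peer password and the user name are constructed for illustration, while the port range is the one from the post.

```python
import json
import secrets

# Ports the provider forwards to this box (the range given in the post).
FORWARDED_PORTS = range(24901, 24921)

# Constructed stand-in for a freshly generated cjdroute.conf, reduced to the
# keys this example touches; a real file carries many more fields.
GENERATED_CONF = {
    "interfaces": {
        "UDPInterface": [{"connectTo": {}, "bind": "0.0.0.0:53281"}],
        "ETHInterface": [{"bind": "all", "beacon": 2, "connectTo": {}}],
    },
    "admin": {"password": "NONE", "bind": "127.0.0.1:11234"},
    "authorizedPasswords": [],
}

def adapt_config(conf, udp_port, user):
    """Apply the post's edits to a config dict (loaded with json.load):
    bind both UDP listeners to a forwarded port, drop Layer 2 beacon
    peering and add one peer credential with a random password."""
    if udp_port not in FORWARDED_PORTS:
        raise ValueError(f"port {udp_port} is not forwarded to this box")
    out = json.loads(json.dumps(conf))  # work on a deep copy
    out["interfaces"]["UDPInterface"] = [
        {"connectTo": {}, "bind": f"0.0.0.0:{udp_port}"},
        {"connectTo": {}, "bind": f"[::]:{udp_port}"},
    ]
    out["interfaces"].pop("ETHInterface", None)  # no ETH beacons
    out["authorizedPasswords"] = [{"user": user, "password": secrets.token_urlsafe(24)}]
    return out

def check_config(conf):
    """Return the problems to fix before starting cjdroute (empty if none)."""
    problems = []
    ifaces = conf["interfaces"]
    for entry in ifaces.get("UDPInterface", []):
        port = int(entry["bind"].rsplit(":", 1)[1])
        if port not in FORWARDED_PORTS:
            problems.append(f"unreachable bind {entry['bind']}")
    if "ETHInterface" in ifaces:
        problems.append("ETHInterface still enabled (Layer 2 beacons)")
    for cred in conf.get("authorizedPasswords", []):
        if cred["password"] in ("", "TODO"):
            problems.append(f"placeholder password for user {cred['user']}")
    if not conf["admin"]["bind"].startswith("127.0.0.1:"):
        problems.append("admin API not bound to localhost")
    return problems
```

Running check_config on the generated sample reports the unreachable bind and the enabled ETHInterface; after adapt_config it reports nothing, and the result can be written back with json.dump.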