About the so-called Pirate Box
Everything started when I found not less than three pirate boxes running at the PSES 2012 conferences and all of them were unaware of the two other. Worse, you could connect to one piratebox or to the internet, but not both, because pirate box runs off-line.
And this is the main problem of this thing. I mean, if I want to download and share, I use the bittorent system, you shouldn’t be afraid of the legal consequences of the act of sharing things you like.
But still, those wireless router are damn small (they literally fit in a hand), they need not much power to run and they have some interesting routing capabilities (multiple SSID, bridging, meshing, you name it) and I was thinking that, deploying this kind of hardware cold be a way to cover areas with poor connectivity and works collaboratively to route packets. This is pretty much how the internet works.
So, I was thinking about a meshed network of sharing content boxes that could access to the Intertubes and share this access. But accessing the clearternet is not interesting. With some Telecomix folks we think and works a lot around darknet and weird protocols, because they are fun. And right now, we are working with cjdns – which is not about DNS. Also, a box already configured offering to everyone an access through a VPN can remove the pain of configuring it for non tech-savvy users, and so to have more people using darknets and vpn.
And I have a TP-Link WR703N dedicated to this experimentation.
Flashing
Before everything, we need to flash a firmware onto the small router (there’s only 4MB of disk to store everything, it’s quite tight). I used the sysupgrade for Attitude adjustment image (and found my way through the Chinese menu). Nothing specific here,the device works perfectly fine
Routed AP
Then I wanted that my box connect to a LAN (connected to the clearternet), to set up an Access-Point and to route everything that come from the AP to get through the LAN and then to the darknet (configured to work over the clearternet as a darknet usually do)
Quite easy, since there’s a recipe for it in the openwrt wiki. However, I did changed some things, so let’s review the different files one after the other.
/etc/config/wireless
config wifi-device radio0 option type mac80211 option channel 11 option macaddr ec:17:2f:e0:44:52 option hwmode 11ng option htmode HT20 list ht_capab SHORT-GI-20 list ht_capab SHORT-GI-40 list ht_capab RX-STBC1 list ht_capab DSSS_CCK-40
Nothing specific here, the default are good and I don’t need more.
config wifi-iface option device radio0 option network wifi option mode ap option ssid ChaosBox option encryption none
First interface, configured as an open AP in a dedicated network and without a key. I want everyone to be able to use my VPN without having to found a key.
config wifi-iface option device radio0 option network babel option mode adhoc option ssid ChaosBabel option encryption none
And since I can do multiple SSID on the box, I will use this later for meshing the ChaosBoxes together (and using babel, because it works out of the box). It works, but I haven’t tested it, so it will be the subject of a different post.
/etc/config/network
config interface ‘loopback’ option ifname ‘lo’ option proto ‘static’ option ipaddr ‘127.0.0.1’ option netmask ‘255.0.0.0’
Loop back interface.
config interface ‘lan’ option ifname ‘eth0’ option type ‘bridge’ option proto ‘dhcp’
I move the default configuration (static) to a dynamic one. I will then benefit of what the LAN I’m connected onto will offer, notably a gateway to the internet. And probably some DNS cache.
config interface ‘wifi’ option proto ‘static’ option ipaddr ‘10.0.42.1’ option netmask ‘255.255.255.0’
This is my wireless network, the interface corresponding to the wireless device configured in AP mode. I will use the 10.0.42.0/24 network, mostly because the 192.168 ones are over-common and I do not want to have a problem with that.
config interface ‘tcxnet’ option proto ‘none’ option ifname ‘tun0’
This one is mainly here to define things that I’ll later use in the firewall.
/etc/config/firewall
config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
So, defaults. They are good and protect a little bit your box.
config zone
option name wifi
option network ‘wifi’ option input ACCEPT option output ACCEPT
option forward REJECT
The zone for all the traffic coming from the wifi network.
config zone
option name lan
option network ‘lan’
option input ACCEPT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
The zone for all the traffic coming from the lan. Well, nothing will really come from it but you see what I meant. However we want to masquerade (after all, you can probably found things like a mpd or a nfs share on the lan).
config zone
option name tcxnet
option network ‘tcxnet’
option input ACCEPT option output ACCEPT option forward REJECT
option masq 1
option mtu_fix 1
This zone is for everything going through the tcxnet interface (that will be our cjdns). As for the lan, and since we want to use services inside the darknet, we will masquerade.
config forwarding
option src wifi
option dest lanconfig forwarding
option src wifi
option dest tcxnet
And now, let’s forward the traffic through both the lan and the tcxnet zone.
/etc/config/dhcp
[…] config dhcp wifi option interface wifi option start 100 option limit 150 option leasetime 12h
This is the only dhcp pool I have. I want to address the wireless part. 50 address should be enough.
More info
For more info about those configurations, you should read the openwrt wiki
The fun parts
CJDNS
Now, the real fun begin. First, let’s install CJDNS. Quite easy thanks to the build made by fremont:
opkg update && opkg install http://v4.seanode.meshwith.me/openwrt/ar71xx/packages/cjdns_0.4-SNAPSHOT_ar71xx.ipk –force-depen ds
I use the force-depends flag, for nacl and kernel version on attitude adjustment because they will raise some unneeded conflicts.
And then, following the instructions available in the cryptoanarchy wiki, generate a configuration, add peers and start cjdns:
cjdroute –genconf > /etc/cjdroute.conf
cjdroute < /etc/cjdroute.conf > /dev/null &
No logs, sorry, I haven’t the room for that. Plus I do not likes it.
Proxy
I’ve tried a lot of things, and it appears that the way to have it working is to simply use a SOCKS proxy and to connect thr
ough it.
I’ve installed srelay because it appears to works simply. And to fit in the 4 MB space I have.
opkg install srelay
We need to configure it to get it working, edit the /etc/srelay.conf file delete everything and have it looking like that:
allow local subnet to access socks proxy
0.0.0.0 any
Then just start srelay using the automagick init.d script:
/etc/init.d/srelay enable /etc/init.d/srelay start
It will start on the 1080 port on your openWRT box.
Connect
Now, start a computer, activate wifi, connect to the ‘ChaosBox’ ESSID and ask for an IP via dhcp.
Start a browser and configures it to use a SOCKS 5 proxy and use the parameters used to start srelay. The proxy address is 10.0.42.1 and the port is 1080.
You have to disable the option to forward the DNS queries through the proxy for srelay can’t understand them yet. Also, you have to check that your DNS resolver has been set-up by dhcp and is ‘10.0.42.1’. If it’s not,edit your /etc/resolv.conf file and add this line on top:
nameserver 10.0.42.1
Now, you have two tests to run. First the plainternet, test to load the http://telecomix.org page. If it works, go on the second test.
Try to use the darknet. If you’re connected to the Hyperboria darknet, you can test going on Nodeinfo.hype: http://[fc5d:baa5:61fc:6ffd:9554:67f0:e290:7535]/.
If it works, congratulations 🙂
Aftermath
Why don’t you NAT?
Well, I tried. CJDNS address are in ipv6. So, I’ve choosed an ipv6 prefix, anounced it to be served in the wifi interface and tried to route through cjdns. However, the source IP mismatched.
And ipv6 NAT are out of the table for openWRT. So, I was unable to do it that way.
Why didn’t use Tor?
Simple, openwrt + Tor (in fact the libcrypto) are overweighted and go beyong 4 MB. So, I’ll had to use an external storage connected on the USB port. But then, the power consumption will go high. Also, I need an external devices connected, that can be separated from the router.
You spoke about mesh before?
And you didn’t see it. Yep, I need to do that. But tunneling through cjdns was such a pain. But babel works quite easily.
EDITED 08/17/2012 I changed a little bit about the srelay configuration, did not work as expected at first.
EDITED 09/13/2012 I updated the client configuration part since srelay can’t forward DNS queries. Also, we did some tests at Le Loop yesterday evening and meshing is quite advanced now, I’ll do a post to that at a later time.
EDITED 26/11/2012 The URL for the ipk has changed