Advanced Configuration

Config file format

In GNUnet realm, all components obey the same pattern to get configuration values. According to this pattern, once the component has been installed, the installation deploys default values in $prefix/share/gnunet/config.d/, in .conf files. In order to override these defaults, the user can write a custom .conf file and either pass it to the component at execution time, or name it gnunet.conf and place it under $HOME/.config/.

A config file is a text file containing sections, and each section contains its values. The right format follows:

[section1]
value1 = string
value2 = 23

[section2]
value21 = string
value22 = /path22

Throughout any configuration file, it is possible to use $-prefixed variables, like $VAR, especially when they represent filenames in in the filesystem. It is also possible to provide defaults values for those variables that are unset, by using the following syntax:

${VAR:-default}

However, there are two ways a user can set $-prefixable variables: (a) by defining them under a [paths] section

[paths]
GNUNET_DEPLOYMENT_SHARED = ${HOME}/shared-data
..
[section-x]
path-x = ${GNUNET_DEPLOYMENT_SHARED}/x

or (b) by setting them in the environment

$ export VAR=/x

The configuration loader will give precedence to variables set under [path], though.

The utility ‘gnunet-config‘, which gets installed along with GNUnet, serves to get and set configuration values without directly editing the .conf file. The option ‘-f‘ is particularly useful to resolve filenames, when they use several levels of $-expanded variables. See ‘gnunet-config --help‘.

Note that, in this stage of development, the file $HOME/.config/gnunet.conf can contain sections for all the components. .. _The-Single_002dUser-Setup:

The Single-User Setup

For the single-user setup, you do not need to do anything special and can just start the GNUnet background processes using gnunet-arm. By default, GNUnet looks in ~/.config/gnunet.conf for a configuration (or $XDG_CONFIG_HOME/gnunet.conf if $XDG_CONFIG_HOME is defined). If your configuration lives elsewhere, you need to pass the -c FILENAME option to all GNUnet commands.

Assuming the configuration file is called ~/.config/gnunet.conf, you start your peer using the gnunet-arm command (say as user gnunet) using:

gnunet-arm -c ~/.config/gnunet.conf -s

The "-s" option here is for "start". The command should return almost instantly. If you want to stop GNUnet, you can use:

gnunet-arm -c ~/.config/gnunet.conf -e

The "-e" option here is for "end".

Note that this will only start the basic peer, no actual applications will be available. If you want to start the file-sharing service, use (after starting GNUnet):

gnunet-arm -c ~/.config/gnunet.conf -i fs

The "-i fs" option here is for "initialize" the "fs" (file-sharing) application. You can also selectively kill only file-sharing support using

gnunet-arm -c ~/.config/gnunet.conf -k fs

Assuming that you want certain services (like file-sharing) to be always automatically started whenever you start GNUnet, you can activate them by setting "IMMEDIATE_START=YES" in the respective section of the configuration file (for example, "[fs]"). Then GNUnet with file-sharing support would be started whenever you enter:

gnunet-arm -c ~/.config/gnunet.conf -s

Alternatively, you can combine the two options:

gnunet-arm -c ~/.config/gnunet.conf -s -i fs

Using gnunet-arm is also the preferred method for initializing GNUnet from init.

Finally, you should edit your crontab (using the crontab command) and insert a line

@reboot gnunet-arm -c ~/.config/gnunet.conf -s

to automatically start your peer whenever your system boots.

The Multi-User Setup

This requires you to create a user gnunet and an additional group gnunetdns, prior to running make install during installation. Then, you create a configuration file /etc/gnunet.conf which should contain the lines:

[arm]
START_SYSTEM_SERVICES = YES
START_USER_SERVICES = NO

Then, perform the same steps to run GNUnet as in the per-user configuration, except as user gnunet (including the crontab installation). You may also want to run gnunet-setup to configure your peer (databases, etc.). Make sure to pass -c /etc/gnunet.conf to all commands. If you run gnunet-setup as user gnunet, you might need to change permissions on /etc/gnunet.conf so that the gnunet user can write to the file (during setup).

Afterwards, you need to perform another setup step for each normal user account from which you want to access GNUnet. First, grant the normal user ($USER) permission to the group gnunet:

# adduser $USER gnunet

Then, create a configuration file in ~/.config/gnunet.conf for the $USER with the lines:

[arm]
START_SYSTEM_SERVICES = NO
START_USER_SERVICES = YES

This will ensure that gnunet-arm when started by the normal user will only run services that are per-user, and otherwise rely on the system-wide services. Note that the normal user may run gnunet-setup, but the configuration would be ineffective as the system-wide services will use /etc/gnunet.conf and ignore options set by individual users.

Again, each user should then start the peer using gnunet-arm -s — and strongly consider adding logic to start the peer automatically to their crontab.

Afterwards, you should see two (or more, if you have more than one USER) gnunet-service-arm processes running in your system.

Access Control for GNUnet

This chapter documents how we plan to make access control work within the GNUnet system for a typical peer. It should be read as a best-practice installation guide for advanced users and builders of binary distributions. The recommendations in this guide apply to POSIX-systems with full support for UNIX domain sockets only.

Note that this is an advanced topic. The discussion presumes a very good understanding of users, groups and file permissions. Normal users on hosts with just a single user can just install GNUnet under their own account (and possibly allow the installer to use SUDO to grant additional permissions for special GNUnet tools that need additional rights). The discussion below largely applies to installations where multiple users share a system and to installations where the best possible security is paramount.

A typical GNUnet system consists of components that fall into four categories:

User interfaces

User interfaces are not security sensitive and are supposed to be run and used by normal system users. The GTK GUIs and most command-line programs fall into this category. Some command-line tools (like gnunet-transport) should be excluded as they offer low-level access that normal users should not need.

System services and support tools

System services should always run and offer services that can then be accessed by the normal users. System services do not require special permissions, but as they are not specific to a particular user, they probably should not run as a particular user. Also, there should typically only be one GNUnet peer per host. System services include the gnunet-service and gnunet-daemon programs; support tools include command-line programs such as gnunet-arm.

Privileged helpers

Some GNUnet components require root rights to open raw sockets or perform other special operations. These gnunet-helper binaries are typically installed SUID and run from services or daemons.

Critical services

Some GNUnet services (such as the DNS service) can manipulate the service in deep and possibly highly security sensitive ways. For example, the DNS service can be used to intercept and alter any DNS query originating from the local machine. Access to the APIs of these critical services and their privileged helpers must be tightly controlled.

Todo

Shorten these subsection titles

Recommendation - Disable access to services via TCP

GNUnet services allow two types of access: via TCP socket or via UNIX domain socket. If the service is available via TCP, access control can only be implemented by restricting connections to a particular range of IP addresses. This is acceptable for non-critical services that are supposed to be available to all users on the local system or local network. However, as TCP is generally less efficient and it is rarely the case that a single GNUnet peer is supposed to serve an entire local network, the default configuration should disable TCP access to all GNUnet services on systems with support for UNIX domain sockets. Since GNUnet 0.9.2, configuration files with TCP access disabled should be generated by default. Users can re-enable TCP access to particular services simply by specifying a non-zero port number in the section of the respective service.

Recommendation - Run most services as system user "gnunet"

GNUnet’s main services should be run as a separate user "gnunet" in a special group "gnunet". The user "gnunet" should start the peer using "gnunet-arm -s" during system startup. The home directory for this user should be /var/lib/gnunet and the configuration file should be /etc/gnunet.conf. Only the gnunet user should have the right to access /var/lib/gnunet (mode: 700).

Recommendation - Control access to services using group "gnunet"

Users that should be allowed to use the GNUnet peer should be added to the group "gnunet". Using GNUnet’s access control mechanism for UNIX domain sockets, those services that are considered useful to ordinary users should be made available by setting "UNIX_MATCH_GID=YES" for those services. Again, as shipped, GNUnet provides reasonable defaults. Permissions to access the transport and core subsystems might additionally be granted without necessarily causing security concerns. Some services, such as DNS, must NOT be made accessible to the "gnunet" group (and should thus only be accessible to the "gnunet" user and services running with this UID).

Recommendation - Limit access to certain SUID binaries by group "gnunet"

Most of GNUnet’s SUID binaries should be safe even if executed by normal users. However, it is possible to reduce the risk a little bit more by making these binaries owned by the group "gnunet" and restricting their execution to user of the group "gnunet" as well (4750).

Recommendation - Limit access to critical gnunet-helper-dns to group "gnunetdns"

A special group "gnunetdns" should be created for controlling access to the "gnunet-helper-dns". The binary should then be owned by root and be in group "gnunetdns" and be installed SUID and only be group-executable (2750). Note that the group "gnunetdns" should have no users in it at all, ever. The "gnunet-service-dns" program should be executed by user "gnunet" (via gnunet-service-arm) with the binary owned by the user "root" and the group "gnunetdns" and be SGID (2700). This way, only "gnunet-service-dns" can change its group to "gnunetdns" and execute the helper, and the helper can then run as root (as per SUID). Access to the API offered by "gnunet-service-dns" is in turn restricted to the user "gnunet" (not the group!), which means that only "benign" services can manipulate DNS queries using "gnunet-service-dns".

Differences between "make install" and these recommendations

The current build system does not set all permissions automatically based on the recommendations above. In particular, it does not use the group "gnunet" at all (so setting gnunet-helpers other than the gnunet-helper-dns to be owned by group "gnunet" must be done manually). Furthermore, ‘make install’ will silently fail to set the DNS binaries to be owned by group "gnunetdns" unless that group already exists (!). An alternative name for the "gnunetdns" group can be specified using the --with-gnunetdns=GRPNAME configure option.

Configuring the hostlist to bootstrap

After installing the software you need to get connected to the GNUnet network. The configuration file included in your download is already configured to connect you to the GNUnet network. In this section the relevant configuration settings are explained.

To get an initial connection to the GNUnet network and to get to know peers already connected to the network you can use the so called "bootstrap servers". These servers can give you a list of peers connected to the network. To use these bootstrap servers you have to configure the hostlist daemon to activate bootstrapping.

To activate bootstrapping, edit the [hostlist]-section in your configuration file. You have to set the argument -b in the options line:

[hostlist]
OPTIONS = -b

Additionally you have to specify which server you want to use. The default bootstrapping server is "http://v10.gnunet.org/hostlist". [^] To set the server you have to edit the line "SERVERS" in the hostlist section. To use the default server you should set the lines to

SERVERS = http://v10.gnunet.org/hostlist [^]

To use bootstrapping your configuration file should include these lines:

[hostlist]
OPTIONS = -b
SERVERS = http://v10.gnunet.org/hostlist [^]

Besides using bootstrap servers you can configure your GNUnet peer to receive hostlist advertisements. Peers offering hostlists to other peers can send advertisement messages to peers that connect to them. If you configure your peer to receive these messages, your peer can download these lists and connect to the peers included. These lists are persistent, which means that they are saved to your hard disk regularly and are loaded during startup.

To activate hostlist learning you have to add the -e switch to the OPTIONS line in the hostlist section:

[hostlist]
OPTIONS = -b -e

Furthermore you can specify in which file the lists are saved. To save the lists in the file hostlists.file just add the line:

HOSTLISTFILE = hostlists.file

Best practice is to activate both bootstrapping and hostlist learning. So your configuration file should include these lines:

[hostlist]
OPTIONS = -b -e
HTTPPORT = 8080
SERVERS = http://v10.gnunet.org/hostlist [^]
HOSTLISTFILE = $SERVICEHOME/hostlists.file

Disable default bootstrap (private network)

A public node will, by default, connect to a gnunet.org peer to learn of other peers to bootstrap the network.

To avoid this behavior, either:

  • before build, remove the peer entry in $REPO/contrib/hellos

  • after build, remove the peer entry in $PREFIX/share/gnunet/hellos

Conversely, any public keys added to the same directories will make the node always make explicit connections to those corresponding peers.

The use of the HELLOs in this folder can be controlled with the configuration setting USE_INCLUDED_HELLOS of the peerstore service:

$ gnunet-config -s peerstore -o USE_INCLUDED_HELLOS

Note, however, that once the included HELLOs have been parsed, the peerstore will cache them locally in its databse. To purge included HELLOs in this case, the database will have to be deleted.

Unless you want to establish a private network, you should not have to touch this option.

Manually connecting peers

A gnunet node will learn peers to connect to from hostlist servers and/or gossip from connected peers. It will however only connect to a selection of peers on the network.

If you wish to connect to a specific peer apart from the automatically negotiated connections, you can use the hello URI of the peer. The URI is returned by the following command to peer to be connected to:

$ gnunet-hello --export-hello

The URI output is passed to the gnunet-hello command of peer that is connecting:

$ echo "gnunet://hello/..." | gnunet-hello --import-hello

Configuration of the HOSTLIST proxy settings

The hostlist client can be configured to use a proxy to connect to the hostlist server.

The hostlist client supports the following proxy types at the moment:

  • HTTP and HTTP 1.0 only proxy

  • SOCKS 4/4a/5/5 with hostname

In addition authentication at the proxy with username and password can be configured.

To provide these options directly in the configuration, you can enter the following settings in the [hostlist] section of the configuration:

# Type of proxy server,
# Valid values: HTTP, HTTP_1_0, SOCKS4, SOCKS5, SOCKS4A, SOCKS5_HOSTNAME
# Default: HTTP
# PROXY_TYPE = HTTP

# Hostname or IP of proxy server
# PROXY =
# User name for proxy server
# PROXY_USERNAME =
# User password for proxy server
# PROXY_PASSWORD =

Configuring your peer to provide a hostlist

If you operate a peer permanently connected to GNUnet you can configure your peer to act as a hostlist server, providing other peers the list of peers known to him.

Your server can act as a bootstrap server and peers needing to obtain a list of peers can contact it to download this list. To download this hostlist the peer uses HTTP. For this reason you have to build your peer with libgnurl (or libcurl) and microhttpd support.

To configure your peer to act as a bootstrap server you have to add the -p option to OPTIONS in the [hostlist] section of your configuration file. Besides that you have to specify a port number for the http server. In conclusion you have to add the following lines:

[hostlist]
HTTPPORT = 12980
OPTIONS = -p

If your peer acts as a bootstrap server other peers should know about that. You can advertise the hostlist your are providing to other peers. Peers connecting to your peer will get a message containing an advertisement for your hostlist and the URL where it can be downloaded. If this peer is in learning mode, it will test the hostlist and, in the case it can obtain the list successfully, it will save it for bootstrapping.

To activate hostlist advertisement on your peer, you have to set the following lines in your configuration file:

[hostlist]
EXTERNAL_DNS_NAME = example.org
HTTPPORT = 12981
OPTIONS = -p -a

With this configuration your peer will a act as a bootstrap server and advertise this hostlist to other peers connecting to it. The URL used to download the list will be http://example.org:12981/.

Please notice:

  • The hostlist is not human readable, so you should not try to download it using your webbrowser. Just point your GNUnet peer to the address!

  • Advertising without providing a hostlist does not make sense and will not work.

Configuring the datastore

The datastore is what GNUnet uses for long-term storage of file-sharing data. Note that long-term does not mean ‘forever’ since content does have an expiration date, and of course storage space is finite (and hence sometimes content may have to be discarded).

Use the QUOTA option to specify how many bytes of storage space you are willing to dedicate to GNUnet.

In addition to specifying the maximum space GNUnet is allowed to use for the datastore, you need to specify which database GNUnet should use to do so. Currently, you have the choice between sqlite and Postgres.

Configuring the Postgres database

This text describes how to setup the Postgres database for GNUnet.

This Postgres plugin was developed for Postgres 8.3 but might work for earlier versions as well.

Reasons to use Postgres

  • Easier to setup than MySQL

  • Real database

Reasons not to use Postgres

  • Quite slow

  • Still some manual setup required

Manual setup instructions

  • In gnunet.conf set in section DATASTORE the value for DATABASE to postgres.

  • Access Postgres to create a user:

    with Postgres 8.x, use:
    # su - postgres
    $ createuser
    

    and enter the name of the user running GNUnet for the role interactively. Then, when prompted, do not set it to superuser, allow the creation of databases, and do not allow the creation of new roles.

    with Postgres 9.x, use:
    # su - postgres
    $ createuser -d $GNUNET_USER
    

    where $GNUNET_USER is the name of the user running GNUnet.

  • As that user (so typically as user "gnunet"), create a database (or two):

    $ createdb gnunet
    # this way you can run "make check"
    $ createdb gnunetcheck
    

Now you should be able to start gnunet-arm.

Testing the setup manually

You may want to try if the database connection works. First, again login as the user who will run gnunet-arm. Then use:

$ psql gnunet # or gnunetcheck
gnunet=> \dt

If, after you have started gnunet-arm at least once, you get a gn090 table here, it probably works.

Configuring the datacache

The datacache is what GNUnet uses for storing temporary data. This data is expected to be wiped completely each time GNUnet is restarted (or the system is rebooted).

You need to specify how many bytes GNUnet is allowed to use for the datacache using the QUOTA option in the section [dhtcache]. Furthermore, you need to specify which database backend should be used to store the data. Currently, you have the choice between sqLite, MySQL and Postgres.

Configuring the file-sharing service

In order to use GNUnet for file-sharing, you first need to make sure that the file-sharing service is loaded. This is done by setting the START_ON_DEMAND option in section [fs] to "YES". Alternatively, you can run

$ gnunet-arm -i fs

to start the file-sharing service by hand.

Except for configuring the database and the datacache the only important option for file-sharing is content migration.

Content migration allows your peer to cache content from other peers as well as send out content stored on your system without explicit requests. This content replication has positive and negative impacts on both system performance and privacy.

FIXME: discuss the trade-offs. Here is some older text about it...

Setting this option to YES allows gnunetd to migrate data to the local machine. Setting this option to YES is highly recommended for efficiency. Its also the default. If you set this value to YES, GNUnet will store content on your machine that you cannot decrypt. While this may protect you from liability if the judge is sane, it may not (IANAL). If you put illegal content on your machine yourself, setting this option to YES will probably increase your chances to get away with it since you can plausibly deny that you inserted the content. Note that in either case, your anonymity would have to be broken first (which may be possible depending on the size of the GNUnet network and the strength of the adversary).

Configuring logging

Since version 0.9.0, logging in GNUnet is controlled via the -L and -l options. Using -L, a log level can be specified. With log level ERROR only serious errors are logged. The default log level is WARNING which causes anything of concern to be logged. Log level INFO can be used to log anything that might be interesting information whereas DEBUG can be used by developers to log debugging messages (but you need to run ./configure with --enable-logging=verbose to get them compiled). The -l option is used to specify the log file.

Since most GNUnet services are managed by gnunet-arm, using the -l or -L options directly is not possible. Instead, they can be specified using the OPTIONS configuration value in the respective section for the respective service. In order to enable logging globally without editing the OPTIONS values for each service, gnunet-arm supports a GLOBAL_POSTFIX option. The value specified here is given as an extra option to all services for which the configuration does contain a service-specific OPTIONS field.

GLOBAL_POSTFIX can contain the special sequence "{}" which is replaced by the name of the service that is being started. Furthermore, GLOBAL_POSTFIX is special in that sequences starting with "$" anywhere in the string are expanded (according to options in PATHS); this expansion otherwise is only happening for filenames and then the "$" must be the first character in the option. Both of these restrictions do not apply to GLOBAL_POSTFIX. Note that specifying % anywhere in the GLOBAL_POSTFIX disables both of these features.

In summary, in order to get all services to log at level INFO to log-files called SERVICENAME-logs, the following global prefix should be used:

GLOBAL_POSTFIX = -l $SERVICEHOME/{}-logs -L INFO

Configuring the transport service and plugins

The transport service in GNUnet is responsible to maintain basic connectivity to other peers. Besides initiating and keeping connections alive it is also responsible for address validation.

The GNUnet transport supports more than one transport protocol. These protocols are configured together with the transport service.

The configuration section for the transport service itself is quite similar to all the other services

START_ON_DEMAND = YES
@UNIXONLY@ PORT = 2091
HOSTNAME = localhost
HOME = $SERVICEHOME
CONFIG = $DEFAULTCONFIG
BINARY = gnunet-service-transport
#PREFIX = valgrind
NEIGHBOUR_LIMIT = 50
ACCEPT_FROM = 127.0.0.1;
ACCEPT_FROM6 = ::1;
PLUGINS = tcp udp
UNIXPATH = /tmp/gnunet-service-transport.sock

Different are the settings for the plugins to load PLUGINS. The first setting specifies which transport plugins to load.

  • transport-unix A plugin for local only communication with UNIX domain sockets. Used for testing and available on unix systems only. Just set the port

    [transport-unix]
    PORT = 22086
    TESTING_IGNORE_KEYS = ACCEPT_FROM;
    
  • transport-tcp A plugin for communication with TCP. Set port to 0 for client mode with outbound only connections

    [transport-tcp]
    # Use 0 to ONLY advertise as a peer behind NAT (no port binding)
    PORT = 2086
    ADVERTISED_PORT = 2086
    TESTING_IGNORE_KEYS = ACCEPT_FROM;
    # Maximum number of open TCP connections allowed
    MAX_CONNECTIONS = 128
    
  • transport-udp A plugin for communication with UDP. Supports peer discovery using broadcasts.

    [transport-udp]
    PORT = 2086
    BROADCAST = YES
    BROADCAST_INTERVAL = 30 s
    MAX_BPS = 1000000
    TESTING_IGNORE_KEYS = ACCEPT_FROM;
    
  • transport-http HTTP and HTTPS support is split in two part: a client plugin initiating outbound connections and a server part accepting connections from the client. The client plugin just takes the maximum number of connections as an argument.

    [transport-http_client]
    MAX_CONNECTIONS = 128
    TESTING_IGNORE_KEYS = ACCEPT_FROM;
    
    [transport-https_client]
    MAX_CONNECTIONS = 128
    TESTING_IGNORE_KEYS = ACCEPT_FROM;
    

    The server has a port configured and the maximum number of connections. The HTTPS part has two files with the certificate key and the certificate file.

    The server plugin supports reverse proxies, so a external hostname can be set using the EXTERNAL_HOSTNAME setting. The webserver under this address should forward the request to the peer and the configure port.

    [transport-http_server]
    EXTERNAL_HOSTNAME = fulcrum.net.in.tum.de/gnunet
    PORT = 1080
    MAX_CONNECTIONS = 128
    TESTING_IGNORE_KEYS = ACCEPT_FROM;
    
    [transport-https_server]
    PORT = 4433
    CRYPTO_INIT = NORMAL
    KEY_FILE = https.key
    CERT_FILE = https.cert
    MAX_CONNECTIONS = 128
    TESTING_IGNORE_KEYS = ACCEPT_FROM;
    
  • transport-wlan

    The next section describes how to setup the WLAN plugin, so here only the settings. Just specify the interface to use:

    [transport-wlan]
    # Name of the interface in monitor mode (typically monX)
    INTERFACE = mon0
    # Real hardware, no testing
    TESTMODE = 0
    TESTING_IGNORE_KEYS = ACCEPT_FROM;
    

Configuring the WLAN transport plugin

The wlan transport plugin enables GNUnet to send and to receive data on a wlan interface. It has not to be connected to a wlan network as long as sender and receiver are on the same channel. This enables you to get connection to GNUnet where no internet access is possible, for example during catastrophes or when censorship cuts you off from the internet.

Requirements for the WLAN plugin

  • wlan network card with monitor support and packet injection (see aircrack-ng.org)

  • Linux kernel with mac80211 stack, introduced in 2.6.22, tested with 2.6.35 and 2.6.38

  • Wlantools to create the a monitor interface, tested with airmon-ng of the aircrack-ng package

Configuration

There are the following options for the wlan plugin (they should be like this in your default config file, you only need to adjust them if the values are incorrect for your system)

# section for the wlan transport plugin
[transport-wlan]
# interface to use, more information in the
# "Before starting GNUnet" section of the handbook.
INTERFACE = mon0
# testmode for developers:
# 0 use wlan interface,
#1 or 2 use loopback driver for tests 1 = server, 2 = client
TESTMODE = 0

Before starting GNUnet

Before starting GNUnet, you have to make sure that your wlan interface is in monitor mode. One way to put the wlan interface into monitor mode (if your interface name is wlan0) is by executing:

sudo airmon-ng start wlan0

Here is an example what the result should look like:

Interface Chipset Driver
wlan0 Intel 4965 a/b/g/n iwl4965 - [phy0]
(monitor mode enabled on mon0)

The monitor interface is mon0 is the one that you have to put into the configuration file.

Limitations and known bugs

Wlan speed is at the maximum of 1 Mbit/s because support for choosing the wlan speed with packet injection was removed in newer kernels. Please pester the kernel developers about fixing this.

The interface channel depends on the wlan network that the card is connected to. If no connection has been made since the start of the computer, it is usually the first channel of the card. Peers will only find each other and communicate if they are on the same channel. Channels must be set manually, e.g. by using:

iwconfig wlan0 channel 1

Configuring HTTP(S) reverse proxy functionality using Apache or nginx

The HTTP plugin supports data transfer using reverse proxies. A reverse proxy forwards the HTTP request he receives with a certain URL to another webserver, here a GNUnet peer.

So if you have a running Apache or nginx webserver you can configure it to be a GNUnet reverse proxy. Especially if you have a well-known website this improves censorship resistance since it looks as normal surfing behaviour.

To do so, you have to do two things:

  • Configure your webserver to forward the GNUnet HTTP traffic

  • Configure your GNUnet peer to announce the respective address

As an example we want to use GNUnet peer running:

And we want the webserver to accept GNUnet traffic under http://www.foo.org/bar/. The required steps are described here:

Reverse Proxy - Configure your Apache2 HTTP webserver

First of all you need mod_proxy installed.

Edit your webserver configuration. Edit /etc/apache2/apache2.conf or the site-specific configuration file.

In the respective server config,virtual host or directory section add the following lines:

ProxyTimeout 300
ProxyRequests Off
<Location /bar/ >
ProxyPass http://gnunet.foo.org:1080/
ProxyPassReverse http://gnunet.foo.org:1080/
</Location>

Reverse Proxy - Configure your Apache2 HTTPS webserver

We assume that you already have an HTTPS server running, if not please check how to configure a HTTPS host. An uncomplicated to use example is the example configuration file for Apache2/HTTPD provided in apache2/sites-available/default-ssl.

In the respective HTTPS server config,virtual host or directory section add the following lines:

SSLProxyEngine On
ProxyTimeout 300
ProxyRequests Off
<Location /bar/ >
ProxyPass https://gnunet.foo.org:4433/
ProxyPassReverse https://gnunet.foo.org:4433/
</Location>

More information about the apache mod_proxy configuration can be found in the Apache documentation.

Reverse Proxy - Configure your nginx HTTPS webserver

Since nginx does not support chunked encoding, you first of all have to install the chunkin module.

To enable chunkin add:

chunkin on;
error_page 411 = @my_411_error;
location @my_411_error {
chunkin_resume;
}

Edit your webserver configuration. Edit /etc/nginx/nginx.conf or the site-specific configuration file.

In the server section add:

location /bar/ {
proxy_pass http://gnunet.foo.org:1080/;
proxy_buffering off;
proxy_connect_timeout 5; # more than http_server
proxy_read_timeout 350; # 60 default, 300s is GNUnet's idle timeout
proxy_http_version 1.1; # 1.0 default
proxy_next_upstream error timeout invalid_header http_500 http_503 http_502 http_504;
}

Reverse Proxy - Configure your nginx HTTP webserver

Edit your webserver configuration. Edit /etc/nginx/nginx.conf or the site-specific configuration file.

In the server section add:

ssl_session_timeout 6m;
location /bar/
{
proxy_pass https://gnunet.foo.org:4433/;
proxy_buffering off;
proxy_connect_timeout 5; # more than http_server
proxy_read_timeout 350; # 60 default, 300s is GNUnet's idle timeout
proxy_http_version 1.1; # 1.0 default
proxy_next_upstream error timeout invalid_header http_500 http_503 http_502 http_504;
}

Reverse Proxy - Configure your GNUnet peer

To have your GNUnet peer announce the address, you have to specify the EXTERNAL_HOSTNAME option in the [transport-http_server] section:

[transport-http_server]
EXTERNAL_HOSTNAME = http://www.foo.org/bar/

and/or [transport-https_server] section:

[transport-https_server]
EXTERNAL_HOSTNAME = https://www.foo.org/bar/

Now restart your webserver and your peer...

Blacklisting peers

Transport service supports to deny connecting to a specific peer of to a specific peer with a specific transport plugin using the blacklisting component of transport service. With blacklisting it is possible to deny connections to specific peers of to use a specific plugin to a specific peer. Peers can be blacklisted using the configuration or a blacklist client can be asked.

To blacklist peers using the configuration you have to add a section to your configuration containing the peer id of the peer to blacklist and the plugin if required.

Examples:

To blacklist connections to P565... on peer AG2P... using tcp add:

Todo

too long?

Todo

verify whether these still produce errors in pdf output

[transport-blacklist AG2PHES1BARB9IJCPAMJTFPVJ5V3A72S3F2A8SBUB8DAQ2V0O3V8G6G2JU56FHGFOHMQVKBSQFV98TCGTC3RJ1NINP82G0RC00N1520]
P565723JO1C2HSN6J29TAQ22MN6CI8HTMUU55T0FUQG4CMDGGEQ8UCNBKUMB94GC8R9G4FB2SF9LDOBAJ6AMINBP4JHHDD6L7VD801G = tcp

To blacklist connections to P565... on peer AG2P... using all plugins add:

[transport-blacklist-AG2PHES1BARB9IJCPAMJTFPVJ5V3A72S3F2A8SBUB8DAQ2V0O3V8G6G2JU56FHGFOHMQVKBSQFV98TCGTC3RJ1NINP82G0RC00N1520]
P565723JO1C2HSN6J29TAQ22MN6CI8HTMUU55T0FUQG4CMDGGEQ8UCNBKUMB94GC8R9G4FB2SF9LDOBAJ6AMINBP4JHHDD6L7VD801G =

You can also add a blacklist client using the blacklist API. On a blacklist check, blacklisting first checks internally if the peer is blacklisted and if not, it asks the blacklisting clients. Clients are asked if it is OK to connect to a peer ID, the plugin is omitted.

On blacklist check for (peer, plugin)

  • Do we have a local blacklist entry for this peer and this plugin?

  • YES: disallow connection

  • Do we have a local blacklist entry for this peer and all plugins?

  • YES: disallow connection

  • Does one of the clients disallow?

  • YES: disallow connection

Configuration of the HTTP and HTTPS transport plugins

The client parts of the http and https transport plugins can be configured to use a proxy to connect to the hostlist server.

Both the HTTP and HTTPS clients support the following proxy types at the moment:

  • HTTP 1.1 proxy

  • SOCKS 4/4a/5/5 with hostname

In addition authentication at the proxy with username and password can be configured.

To configure these options directly in the configuration, you can configure the following settings in the [transport-http_client] and [transport-https_client] section of the configuration:

# Type of proxy server,
# Valid values: HTTP, SOCKS4, SOCKS5, SOCKS4A, SOCKS5_HOSTNAME
# Default: HTTP
# PROXY_TYPE = HTTP

# Hostname or IP of proxy server
# PROXY =
# User name for proxy server
# PROXY_USERNAME =
# User password for proxy server
# PROXY_PASSWORD =

Configuring the GNUnet VPN

Before configuring the GNUnet VPN, please make sure that system-wide DNS interception is configured properly as described in the section on the GNUnet DNS setup. see Configuring the GNU Name System, if you haven’t done so already.

The default options for the GNUnet VPN are usually sufficient to use GNUnet as a Layer 2 for your Internet connection. However, what you always have to specify is which IP protocol you want to tunnel: IPv4, IPv6 or both. Furthermore, if you tunnel both, you most likely should also tunnel all of your DNS requests. You theoretically can tunnel "only" your DNS traffic, but that usually makes little sense.

The other options as shown on the gnunet-setup tool are:

IPv4 address for interface

This is the IPv4 address the VPN interface will get. You should pick a ‘private’ IPv4 network that is not yet in use for you system. For example, if you use 10.0.0.1/255.255.0.0 already, you might use 10.1.0.1/255.255.0.0. If you use 10.0.0.1/255.0.0.0 already, then you might use 192.168.0.1/255.255.0.0. If your system is not in a private IP-network, using any of the above will work fine. You should try to make the mask of the address big enough (255.255.0.0 or, even better, 255.0.0.0) to allow more mappings of remote IP Addresses into this range. However, even a 255.255.255.0 mask will suffice for most users.

IPv6 address for interface

The IPv6 address the VPN interface will get. Here you can specify any non-link-local address (the address should not begin with fe80:). A subnet Unique Local Unicast (fd00::/8 prefix) that you are currently not using would be a good choice.

Configuring the GNUnet VPN DNS

To resolve names for remote nodes, activate the DNS exit option.

Configuring the GNUnet VPN Exit Service

If you want to allow other users to share your Internet connection (yes, this may be dangerous, just as running a Tor exit node) or want to provide access to services on your host (this should be less dangerous, as long as those services are secure), you have to enable the GNUnet exit daemon.

You then get to specify which exit functions you want to provide. By enabling the exit daemon, you will always automatically provide exit functions for manually configured local services (this component of the system is under development and not documented further at this time). As for those services you explicitly specify the target IP address and port, there is no significant security risk in doing so.

Furthermore, you can serve as a DNS, IPv4 or IPv6 exit to the Internet. Being a DNS exit is usually pretty harmless. However, enabling IPv4 or IPv6-exit without further precautions may enable adversaries to access your local network, send spam, attack other systems from your Internet connection and do other mischiefs that will appear to come from your machine. This may or may not get you into legal trouble. If you want to allow IPv4 or IPv6-exit functionality, you should strongly consider adding additional firewall rules manually to protect your local network and to restrict outgoing TCP traffic (e.g. by not allowing access to port 25). While we plan to improve exit-filtering in the future, you’re currently on your own here. Essentially, be prepared for any kind of IP-traffic to exit the respective TUN interface (and GNUnet will enable IP-forwarding and NAT for the interface automatically).

Additional configuration options of the exit as shown by the gnunet-setup tool are:

IP Address of external DNS resolver

If DNS traffic is to exit your machine, it will be send to this DNS resolver. You can specify an IPv4 or IPv6 address.

IPv4 address for Exit interface

This is the IPv4 address the Interface will get. Make the mask of the address big enough (255.255.0.0 or, even better, 255.0.0.0) to allow more mappings of IP addresses into this range. As for the VPN interface, any unused, private IPv4 address range will do.

IPv6 address for Exit interface

The public IPv6 address the interface will get. If your kernel is not a very recent kernel and you are willing to manually enable IPv6-NAT, the IPv6 address you specify here must be a globally routed IPv6 address of your host.

Suppose your host has the address 2001:4ca0::1234/64, then using 2001:4ca0::1:0/112 would be fine (keep the first 64 bits, then change at least one bit in the range before the bitmask, in the example above we changed bit 111 from 0 to 1).

You may also have to configure your router to route traffic for the entire subnet (2001:4ca0::1:0/112 for example) through your computer (this should be automatic with IPv6, but obviously anything can be disabled).

Bandwidth Configuration

You can specify how many bandwidth GNUnet is allowed to use to receive and send data. This is important for users with limited bandwidth or traffic volume.

Configuring NAT

Most hosts today do not have a normal global IP address but instead are behind a router performing Network Address Translation (NAT) which assigns each host in the local network a private IP address. As a result, these machines cannot trivially receive inbound connections from the Internet. GNUnet supports NAT traversal to enable these machines to receive incoming connections from other peers despite their limitations.

In an ideal world, you can press the "Attempt automatic configuration" button in gnunet-setup to automatically configure your peer correctly. Alternatively, your distribution might have already triggered this automatic configuration during the installation process. However, automatic configuration can fail to determine the optimal settings, resulting in your peer either not receiving as many connections as possible, or in the worst case it not connecting to the network at all.

To manually configure the peer, you need to know a few things about your network setup. First, determine if you are behind a NAT in the first place. This is always the case if your IP address starts with "10.*" or "192.168.*". Next, if you have control over your NAT router, you may choose to manually configure it to allow GNUnet traffic to your host. If you have configured your NAT to forward traffic on ports 2086 (and possibly 1080) to your host, you can check the "NAT ports have been opened manually" option, which corresponds to the "PUNCHED_NAT" option in the configuration file. If you did not punch your NAT box, it may still be configured to support UPnP, which allows GNUnet to automatically configure it. In that case, you need to install the "upnpc" command, enable UPnP (or PMP) on your NAT box and set the "Enable NAT traversal via UPnP or PMP" option (corresponding to "ENABLE_UPNP" in the configuration file).

Some NAT boxes can be traversed using the autonomous NAT traversal method. This requires certain GNUnet components to be installed with "SUID" privileges on your system (so if you’re installing on a system you do not have administrative rights to, this will not work). If you installed as ‘root’, you can enable autonomous NAT traversal by checking the "Enable NAT traversal using ICMP method". The ICMP method requires a way to determine your NAT’s external (global) IP address. This can be done using either UPnP, DynDNS, or by manual configuration. If you have a DynDNS name or know your external IP address, you should enter that name under "External (public) IPv4 address" (which corresponds to the "EXTERNAL_ADDRESS" option in the configuration file). If you leave the option empty, GNUnet will try to determine your external IP address automatically (which may fail, in which case autonomous NAT traversal will then not work).

Finally, if you yourself are not behind NAT but want to be able to connect to NATed peers using autonomous NAT traversal, you need to check the "Enable connecting to NATed peers using ICMP method" box.

Peer configuration for distributors (e.g. Operating Systems)

The "GNUNET_DATA_HOME" in "[PATHS]" in /etc/gnunet.conf should be manually set to "/var/lib/gnunet/data/" as the default "~/.local/share/gnunet/" is probably not that appropriate in this case. Similarly, distributors may consider pointing "GNUNET_RUNTIME_DIR" to "/var/run/gnunet/" and "GNUNET_HOME" to "/var/lib/gnunet/". Also, should a distributor decide to override system defaults, all of these changes should be done in a custom /etc/gnunet.conf and not in the files in the config.d/ directory.

Given the proposed access permissions, the "gnunet-setup" tool must be run as use "gnunet" (and with option "-c /etc/gnunet.conf" so that it modifies the system configuration). As always, gnunet-setup should be run after the GNUnet peer was stopped using "gnunet-arm -e". Distributors might want to include a wrapper for gnunet-setup that allows the desktop-user to "sudo" (e.g. using gtksudo) to the "gnunet" user account and then runs "gnunet-arm -e", "gnunet-setup" and "gnunet-arm -s" in sequence.