invpn

Installing InVPN
	================
	InVPN requires you to have Qt installed, with OpenSSL support.
	It also requires your kernel to have the tun module enabled and loaded. If
	properly loaded, a /dev/net/tun device should exist. If not, try to
	modprobe tun, and if still unsuccessful, recompile your kernel.
	Once everything is ready you can compile InVPN by running the following
	commands:
	$ tar xjf invpn-x.y.z.tar.bz2
	$ cd invpn-x.y.z
	$ qmake
	$ make
	...
	$ make install
	...
	This will install the /usr/sbin/invpn file.
	Now that you have invpn installed, you will need to generate a configuration
	file and some SSL keys.
	Configuring InVPN - the SSL keys
	================================
	InVPN uses the SSL protocol to communicate between nodes, however rather than
	trusting all CA on the world, we trust only one CA, which is the one created by
	the maintainer of the network (probably you). This CA will allow you to sign
	requests from nodes wishing to join the network, so its private key should be
	kept secure.
	There is a ton of documentation online on how to create a SSL CA, and we also
	provide an example on the source tarball (in "conf", remember to edit
	"tibanne.cnf" to put your own details, and you'll get keys for two clients).
	Anyway if you are still in the InVPN source root, here are some helpful
	commands.
	* Step 1: Generate a CA (needed only once)
	------------------------------------------
	CA stands for Certificate Authority. By providing your CA certificate to each
	node as a CA, those nodes will know they can trust any other node whose
	certificate has been signed by the same CA. Note that you can actually give
	more than one CA as authoritative to InVPN instances, meaning those nodes will
	actually accept both authorities. You can also make more complex configurations
	with chains (have one master CA, intermediate CA, and final certificates) but
	we won't be covering this here.
	This step is done with only two commands. First, generate a private key and a
	signature request:
	$ openssl req -config conf/tibanne.cnf -newkey rsa:4096 -nodes -keyout invpn_ca.key -out invpn_ca.req
	(fill details so it matches you. What you write there has no technical
	reprecussion)
	Then self-sign to generate the CA certificate (we make it valid for 6000 days
	here, up to you to choose another value):
	$ openssl x509 -req -signkey invpn_ca.key -extfile conf/tibanne.cnf -set_serial 0 -extensions v3_ca -days 6000 -in invpn_ca.req -out invpn_ca.crt
	Now you have three files:
	* invpn_ca.req: Useless, you can remove it now
	* invpn_ca.crt: That's the certificate of your CA. You will need to copy it to
	your nodes. You can publish it, if you want too.
	* invpn_ca.key: This is your CA's private key. Keep it in the most secure place
	as anyone having a copy of this file could join your VPN and/or
	cause a lot of damage.
	* Step 2: Generate a node certificate (for each node)
	-----------------------------------------------------
	Now that you have your CA, each of your node will need a ceritificate issued by
	your own CA.
	The recommanded way is of course to never copy the node private key outside of
	the node. SSL makes this easy thanks to certificate signing requests. Let's see
	how this goes step by step.
	First, run this on the node:
	$ openssl req -config conf/tibanne.cnf -newkey rsa:4096 -nodes -keyout invpn.key -out invpn.req
	You can put the details you want, except for "Common Name (eg, YOUR name)
	[CA]", which should be the mac address for this node. Example:
	Common Name (eg, YOUR name) [CA]: 02:50:56:00:00:01
	Now that you have a private key and a certificate signature request on your
	node, copy the certificate signature request to your CA host (best if not an
	online system in terms of security and use something like an USB key), then:
	$ openssl x509 -req -CA invpn_ca.crt -CAkey invpn_ca.key -extfile conf/tibanne.cnf -CAcreateserial -extensions v3_notca -days 365 -in invpn.req -out invpn.crt
	You can now return invpn.crt (and invpn_ca.crt) to the node, and your node
	will be ready for use!
	Configuring InVPN - the config file
	===================================
	Now that your node is ready to be recognized by other nodes thanks to its new
	certificate, you need some configuration.
	First, let's make sure we have at least those 3 files:
	* invpn.crt: The certificate for the client (gen. by the CA, Step 2.2)
	* invpn.key: The private key for the client (gen. by the client, Step 2.1)
	* invpn_ca.crt: The CA (Step 1)
	The configuration file itself is actually easy. Assuming you put all of this in
	the /etc/invpn/ directory (that you need to create yourself), you can then
	create a configuration file that would look like this:
	[ssl]
	key=/etc/invpn/invpn.key
	cert=/etc/invpn/invpn.crt
	ca=/etc/invpn/invpn_ca.crt
	[network]
	port=47741
	cache=/etc/invpn/invpn.cache
	The [ssl] part should only contain key, cert and ca. The ca file can contain
	more than one certificate concatenated (if many CA).
	The [network] part supports the following options:
	* port: the port to listen to. Once set you shouldn't change it on a node
	* cache: The cache file where known nodes are recorded
	* init: An initial node to connect to when the cache is empty. It should be the
	address of a node you know you're going to keep for a long time. The
	value is written in the format macaddr@ip:port, so it would look like:
	02:50:56:00:00:01@192.168.0.1:47441
	* no_incoming: Prevent other hosts from connecting to this host (ie. if behind
	a NAT, setting this option will avoid a lot of useless traffic)
	* no_relay: Set this for low traffic nodes that you want to take part in the
	network anyway. Also good for non permanent nodes. This implies
	no_incoming too so no incoming connection will be received either.
	The main idea behind this option is to use it on a laptop you use
	to connect to the network from times to times. from https://github.com/MagicalTux/invpn/blob/master/INSTALL https://github.com/MagicalTux/invpn