openwireless.ch in Brunnen

I had heard of mesh networks before, be it from the OneLaptopPerChild or the German Freifunker community. But the recent episode of ChaosRadio about the MeshPotato got me interested enough to give it a try. The meshing community here in Switzerland is organized at openwireless.ch. Sure, I could buy a compatible router and install the provided firmware. But being a true geek I wanted to see how it works on hardware that I already have. So I started with these three devices:

I wanted to allow access to the internet, but only through an anonymizing service, so I wouldn’t get into trouble if somebody does something illegal over my wire.

NETWORK INTERFACES

For mesh networks, the wireless cards have to run in ad-hoc mode. Not all drivers have good support for that. The only problem I found with ad-hoc is that the freerunner sometimes loses all wifi connection after some hours and needs a reboot. But I have no idea if it’s related to ad-hoc mode. So here are the settings I use:

alix : /etc/network/interfaces

freerunner: script to switch to meshing

netbook: Recent versions of the gnome network manager can handle all the ad-hoc settings on the GUI

Galaxy: The hacking required to get the Galaxy to mesh was too much for a phone on contract. It would be nice if that became simpler…

OLSR

First, install the olsrd package on all three devices (apt-get install olsrd). That’s for the routing. Configure it in /etc/olsrd.conf. It’s best if you register with openwireless.ch to get an IP address assigned to your hotspot. Use 255.255.255.255 for broadcast and 02:ca:ff:ee:ba:be as BSSID. Now you can run olsrd -d 2 on the command line to get some debug output. To be able to run it as a daemon, you’ll have to enable it in /etc/default/olsrd and either specify the config file we edited before, or apply your settings also in /etc/olsrd/olsrd.conf. With the command route you can see the routing table on the machines. If you configured one as an internet uplink, it should appear as default gateway on the others automatically. If that doesn’t work out, check the UDP traffic on port 698 on the wifi interfaces of all the machines involved. I use iptraf for that, but tcpdump or ngrep should work as well.
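A minimal /etc/olsrd.conf for the uplink node, added here as an illustration and not taken from the post (the interface name wlan0 is a placeholder): the Hna4 block announcing 0.0.0.0/0 is what makes this node show up as default gateway on the other mesh nodes.

```conf
# Added example, not the post's own config. "wlan0" is a placeholder
# for whichever interface runs in ad-hoc mode.

# Same verbosity as "olsrd -d 2" on the command line
DebugLevel 2
IpVersion 4

# HNA (Host and Network Association): announcing 0.0.0.0/0 tells every
# other node that this one reaches "everything", so olsrd installs it as
# their default route. Leave this block out on nodes without an uplink.
# Note that HNA announcements are not authenticated by default: any node
# in the mesh can announce itself as gateway. olsrd ships an olsrd_secure
# plugin (shared-key signing) if that matters on your mesh.
Hna4
{
    0.0.0.0   0.0.0.0
}

Interface "wlan0"
{
    # The broadcast address openwireless.ch asks for
    Ip4Broadcast 255.255.255.255
}
```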

DHCP

To eliminate error sources I used static IP addresses first, and only switched to DHCP once the OLSR meshing ran well. Normally dnsmasq is used for DHCP as well. I use dhcp3-server (apt-get install dhcp3-server) instead, as that’s the first howto for Ubuntu that I stumbled across, and I didn’t know that dnsmasq can handle DHCP. The configuration is easily done in /etc/dhcp3/dhcpd.conf. Here is the important part:

option domain-name "openwireless.ch";
option domain-name-servers 10.247.200.50;
subnet 10.247.0.0 netmask 255.255.0.0 {
  range 10.247.200.51 10.247.200.63;
  option subnet-mask 255.255.0.0;
  option broadcast-address 255.255.255.255;
}

Note that I give only the address of the uplink as a single DNS. More on that later in the TOR section.

DNS

First I tried to route the DNS through NAT to the internet and back. I couldn’t get that to work with iptables. Next I installed dnsmasq, which worked well. But in the end I use the DNS proxy from tor to avoid DNS leaks.

TOR

As mentioned above, I wanted to send internet traffic from the mesh through an anonymizer. Lately you hear about tor everywhere (apt-get install tor). So, why not give it a try. The configuration is done in /etc/tor/torrc. It’s well documented, and you have a SOCKS proxy up in no time, but for that you have to configure your browser. I wanted a transparent proxy. So I messed around with iptables for a while. Then I discovered that I really have to add settings to the /etc/tor/torrc file that, unlike many others, were not documented in the file itself, but only in howtos on the internet:

# Transparent proxy
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 127.0.0.1
TransListenAddress 10.247.200.50
DNSPort 53
DNSListenAddress 10.247.200.50

IPTABLES

From what I read, the firewalling and routing is usually done with iptables and all the examples I found were done that way. I spent hours reading through documentation and examples. It just didn’t do what I wanted: my transparent tor proxy wouldn’t work.
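As an added example, not the post's own rules (the author could not get iptables to do this and moved on to vuurmuur): a POSIX shell script that prints the iptables rule set matching the torrc settings above, sending mesh clients' DNS to Tor's DNSPort and their TCP connections to the TransPort, and dropping everything else so nothing can leak around Tor. It assumes the mesh-side interface is called wlan0 (a placeholder) and uses the uplink address 10.247.200.50 and ports from the post's DHCP and torrc settings.

```shell
#!/bin/sh
# Added example (not from the original post): iptables rules that turn the
# torrc TransPort/DNSPort settings into a transparent proxy for the mesh.
# Assumed: mesh-side interface "wlan0" (placeholder); the uplink box is
# 10.247.200.50 as in the post's DHCP and torrc settings.
MESH_IF="${MESH_IF:-wlan0}"
MESH_NET="10.247.0.0/16"
TRANS_PORT=9040   # torrc: TransPort 9040
DNS_PORT=53       # torrc: DNSPort 53
OLSR_PORT=698     # olsrd hello/TC packets, must keep reaching this box

# Prints the rules instead of applying them, so they can be reviewed
# without root; pipe the output into "sh" to apply them.
tor_transparent_rules() {
    cat <<EOF
# nat: traffic that stays inside the mesh is left alone
iptables -t nat -A PREROUTING -i $MESH_IF -d $MESH_NET -j RETURN
# nat: DNS from mesh clients goes to Tor's DNSPort (no DNS leaks)
iptables -t nat -A PREROUTING -i $MESH_IF -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
# nat: new TCP connections go to Tor's TransPort
iptables -t nat -A PREROUTING -i $MESH_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
# filter: the only local services the mesh may reach on this box
iptables -A INPUT -i $MESH_IF -p udp --dport $OLSR_PORT -j ACCEPT
iptables -A INPUT -i $MESH_IF -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $MESH_IF -p udp --dport $DNS_PORT -j ACCEPT
iptables -A INPUT -i $MESH_IF -p tcp --dport $TRANS_PORT -j ACCEPT
iptables -A INPUT -i $MESH_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $MESH_IF -j DROP
# filter: mesh-to-mesh forwarding is fine, but nothing from the mesh is
# forwarded to the uplink directly. Tor opens the real connections itself
# (OUTPUT chain), so UDP/ICMP that is not DNS is dropped, not leaked.
iptables -A FORWARD -i $MESH_IF -d $MESH_NET -j ACCEPT
iptables -A FORWARD -i $MESH_IF -j DROP
EOF
}

# Quick sanity check before applying: how many rules mention a port.
# rules_for_port 9040 gives 2 (the REDIRECT and the INPUT accept).
rules_for_port() {
    tor_transparent_rules | grep -v '^#' | grep -c -- "$1"
}

tor_transparent_rules
```

Tor only carries TCP, so the final FORWARD DROP also means mesh clients lose ICMP and non-DNS UDP; that is the trade-off that keeps the uplink from leaking anything around the anonymizer.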

VUURMUUR

After I got frustrated with iptables, I started to search for something a bit more user-friendly with an ncurses GUI that I could run via ssh on the alix. That’s when I found vuurmuur (apt-get install vuurmuur vuurmuur-conf). You’re guided much better when setting up your rules, and when you’re done, you can have a look at the iptables script it generates. But don’t be surprised if it’s way longer than what you did by hand. It also has nice logging and throttling (traffic shaping).

vuurmuur_rules

vuurmuur generated iptables script

DHCP RELAY

Then I thought about what happens if a new user is not in range of my hotspot where the DHCP server runs. He couldn’t join the mesh! So I found dhcp3-relay (apt-get install dhcp3-relay). I had to specify the DHCP server to relay to, which I didn’t like so much. I installed it on the freerunner and have yet to test it.

Well, I hope some people here in Brunnen will join the mesh…