Juche Necromancy

Democracy dies in darkness

Running LibreMesh w/o Internet

  • Sun 17 May 2020
  • blog

A while back I wrote about the community networks around Cuba. As a bonus I feel it worthwhile to show you all how you could run your own, with end-to-end Yggdrasil encryption and Internet software updates for your router without sharing said connection with those who join your public access point (you could do this if you prefer, but I don't personally want to get into any trouble so I'm playing it safe). Since this isn't exactly the purpose of LibreMesh there is some manual configuration you will need to do for this setup to work. You'll need any LibreMesh/OpenWrt/LEDE compatible router and optionally a machine (in my case a RasPi 4) to run whatever services you want. This guide is focused on Ubuntu 20.04 LTS on said machine.

This could be useful for setting up and alternative mass network, free and for the people, without the corporate tracking of the modern-day Internet. The beauty of having a LibreMesh router is that any other ones in its perimeter will automatically cooperate with it to form a decentralised alternative.

First things first you're going to want to download the release for your router and flash it. This is outside the scope of this guide, but searching your router model + flash OpenWrt (the OS LibreMesh is based off) should direct you to what you'll need to do. This guide is written with the lime-default image in mind, so that's what I recommend.

Once that's done, connect to your newly flashed router and point your browser to thisnode.info to setup root authentication. Following the written steps there should be simple enough. Connect an ethernet cable to any compatible port in your main router and the other end to the WAN (Internet) port in your LibreMesh one. Note that for a short while you will be sharing your Internet publically while you setup the firewall.

If you're on Windows, use PuTTY to connect to root@thisnode.info and if you're on GNU+Linux, you'll know what to do. Login and run vim /etc/config/firewall. There scroll to the very bottom and paste the following rules:

config rule
        option name 'Reject LAN to WAN traffic'
        option src 'lan'
        option dest 'wan'
        option proto 'all'
        option target 'REJECT'

config rule
        option name 'Reject BMX to WAN traffic'
        option src 'bmxtun'
        option dest 'wan'
        option proto 'all'
        option target 'REJECT'

With this, you will be able to update your router online, but the rest of your users will not be able to access the Internet. I would personally like to allow my Pi through it as well for apt updates, but don't know the best method for this yet. If you know, email me at necrojuche@tutanota.com and I will happily edit it in here, with credit if desired.

For end-to-end encryption you're going to want to install Yggdrasil on your host machine, the one that will serve your services. You can install it on GNU+Linux following this guide.

Once installed enable it with sudo systemctl enable yggdrasil and start it with sudo service yggdrasil start. Since this will be a public network it's worth setting up a strong enough firewall. So run sudo ufw enable to start UFW. This will prevent Yggdrasil from finding local peers (and possibly future SSH connections), so we will have to remedy that.

Edit your Yggdrasil conf file with vim /etc/yggdrasil.conf and look for LinkLocalTCPPort, change its value to LinkLocalTCPPort: 9002 or whichever port you want, changing it when appropriate while following this guide. Alright, you're almost ready.

Execute sudo ufw allow 9001/udp and sudo ufw allow 9002 to let Yggdrasil find local peers. For SSH, you'll want to run sudo ufw allow from <your local ip> to any port 22. And lastly, Yggdrasil uses the 0200::/7 address range, so if you want to make your services available through Yggdrasil only, depending on their ports (in my case 80), you could run something like sudo ufw allow from 0200::/7 to any port 80. To learn more about UFW you can check out this wiki page.

And you're done! Good luck on your networks!