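First Attempt at the DN42 Experimental Network

What is the DN42 network?

Decentralized network 42 (dn42 for short) is a decentralized, end-to-end encrypted network built using VPNs and software/hardware Border Gateway Protocol routers. Unlike traditional VPNs, however, DN42 itself provides no VPN exit service, that is, it offers nothing like censorship circumvention or streaming unblocking. Instead, DN42's purpose is to emulate an Internet. It uses many of the technologies deployed on today's Internet backbone (such as BGP and recursive DNS) and can emulate a real network environment well.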

Via Lan Tian’s Blog

### Why DN42

#### Routing experiments

Participating in dn42 is primarily useful for learning routing technologies such as BGP, using a reasonably large network (> 1500 AS, > 1700 prefixes).

Since dn42 is very similar to the Internet, it can be used as a hands-on testing ground for new ideas, or simply to learn real networking stuff that you probably can’t do on the Internet (BGP multihoming, transit). The biggest advantage when compared to the Internet: if you break something in the network, you won’t have any big network operator yelling angrily at you.

#### Connecting hacker spaces

dn42 is also a great way to connect hacker spaces in a secure way, so that they can provide services to each other.

Have you ever wanted to SSH on your Raspberry Pi hosted at your local hacker space and had trouble doing so because of NAT? If your hacker space was using dn42, it could have been much easier…

Via Home (dn42.dev)

### Register DN42

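#### Requirements

  • A Linux virtual machine; on Windows, WSL will do
  • Familiarity with Linux commands and some grounding in computer networking

Official guide: https://dn42.dev/howto/Getting-Started

First, sign up for an account on the git server (https://git.dn42.dev/user/sign_up). Once it is activated, go to this repository (https://git.dn42.dev/dn42/registry) and fork your own copy.

Then clone it locally.

```bash
git clone https://git.dn42.dev/icecliffs/registry.git
```

  • Then create a file named [UPPERCASE NICKNAME]-MNT under data/mntner (spotted tony in there)

Its contents are: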

  • mntner: i.e. maintainer; the name of this account, identical to the file name.
  • admin-c: i.e. admin contact; must point to the person file created later, usually [nickname]-DN42
  • tech-c: i.e. tech contact; must point to the person file created later, usually also [nickname]-DN42
  • mnt-by: i.e. maintained by; points to this account itself, usually [nickname]-MNT
  • source: always DN42
  • auth: your personal authentication information. Two types are generally accepted: GPG public keys and SSH public keys.

Via "DN42 Experimental Network Introduction and Registration Tutorial"

```
mntner: ICECLIFFS-MNT
admin-c: ICECLIFFS-DN42
tech-c: ICECLIFFS-DN42
mnt-by: ICECLIFFS-MNT
source: DN42
auth: pgp-fingerprint 0BE2C259A99AE5B767BC1A2CA3550E3691FF9467
auth: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPOEzWsohqYxXP+cgl7OFUMPr28IPF/nTErMHtOXS6ZV
remarks: rYu1nser (IceCliffs) Hi :), My blog: https://iloli.moe
```
  • Create a file named [UPPERCASE NICKNAME]-DN42 under data/person

Its contents are:

  • person: your nickname.
  • e-mail: your email address.
  • contact: optional; your other contact details, e.g. IRC, Telegram, etc.
  • nic-hdl: NIC handle; points to the file itself, identical to the file name, [nickname]-DN42
  • mnt-by: maintained by; points to your earlier mntner file, [nickname]-MNT
  • source: always DN42

```
person: rYu1nser
contact: iloli.moe
contact: Telegram: @icecliffs
contact: GitHub: @icecliffs
contact: Twitter: @icecliffs
nic-hdl: ICECLIFFS-DN42
mnt-by: ICECLIFFS-MNT
pgp-fingerprint: 0BE2C259A99AE5B767BC1A2CA3550E3691FF9467
source: DN42
remarks: rYu1nser (IceCliffs) Hi :), My blog: https://iloli.moe
```
  • Next, allocate yourself an ASN. Pick any one you like (range: 4242420000 - 4242423999); mine, for example, is AS4242422291. (The original screenshot showed how many numbers were still unassigned as of 2022/12/3 00:00:00.)

```
aut-num: AS4242422291
as-name: ICECLIFFS-AS
descr: I love this huge spider web, https://o;p;o/,pe.
remarks: Twitter: @icecliiffs, Telegram: @icecliffs
admin-c: ICECLIFFS-DN42
tech-c: ICECLIFFS-DN42
mnt-by: ICECLIFFS-MNT
source: DN42
```
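
A local pre-check for the three objects shown so far, as an added example that is not part of the original post or the registry's own tooling: it verifies that each object's key matches its file name, that admin-c, tech-c and mnt-by resolve to files in the submission, that the mntner carries an auth line, and that the ASN sits in the 4242420000-4242423999 range. The FILES layout and the check() helper are assumptions made for illustration.

```python
import re

# Objects abridged from this page, keyed by their path inside the registry checkout.
FILES = {
    "data/mntner/ICECLIFFS-MNT": (
        "mntner: ICECLIFFS-MNT\nadmin-c: ICECLIFFS-DN42\ntech-c: ICECLIFFS-DN42\n"
        "mnt-by: ICECLIFFS-MNT\nsource: DN42\n"
        "auth: pgp-fingerprint 0BE2C259A99AE5B767BC1A2CA3550E3691FF9467\n"),
    "data/person/ICECLIFFS-DN42": (
        "person: rYu1nser\nnic-hdl: ICECLIFFS-DN42\nmnt-by: ICECLIFFS-MNT\nsource: DN42\n"),
    "data/aut-num/AS4242422291": (
        "aut-num: AS4242422291\nas-name: ICECLIFFS-AS\nadmin-c: ICECLIFFS-DN42\n"
        "tech-c: ICECLIFFS-DN42\nmnt-by: ICECLIFFS-MNT\nsource: DN42\n"),
}
PRIMARY = {"mntner": "mntner", "person": "nic-hdl", "aut-num": "aut-num"}  # must equal file name
REFS = {"admin-c": "person", "tech-c": "person", "mnt-by": "mntner"}  # attribute -> directory
ASN_MIN, ASN_MAX = 4242420000, 4242423999  # range quoted in the text


def parse(text):
    """Split 'key: value' lines into pairs; keys such as auth or contact may repeat."""
    return [tuple(s.strip() for s in ln.split(":", 1)) for ln in text.splitlines() if ":" in ln]


def check(files):
    """Return a sorted list of problems; an empty list means every check passed."""
    problems = []
    for path, text in files.items():
        _, kind, name = path.split("/")
        attrs = parse(text)
        values = lambda key: [v for k, v in attrs if k == key]
        if values(PRIMARY[kind]) != [name]:
            problems.append(f"{path}: {PRIMARY[kind]} must equal the file name")
        if values("source") != ["DN42"]:
            problems.append(f"{path}: source must be DN42")
        for attr, target in REFS.items():
            for ref in values(attr):  # references are resolved among the given files only
                if f"data/{target}/{ref}" not in files:
                    problems.append(f"{path}: {attr} {ref} has no data/{target} file")
        if kind == "mntner" and not values("auth"):
            problems.append(f"{path}: no auth line, nobody could authenticate changes")
        if kind == "aut-num" and not (re.fullmatch(r"AS\d+", name)
                                      and ASN_MIN <= int(name[2:]) <= ASN_MAX):
            problems.append(f"{path}: ASN outside {ASN_MIN}-{ASN_MAX}")
    return sorted(problems)


if __name__ == "__main__":
    print(check(FILES) or "all checks passed")
```

It covers only the mntner, person and aut-num object types; to check against a full checkout, pass every file under data/mntner and data/person as well.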

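I couldn't be bothered to write up the remaining steps; I recommend reading Lan Tian's guide, which is what I followed ()

Pointer 🔜: DN42 Experimental Network Introduction and Registration Tutorial (updated 2022-06) | Lan Tian @ Blog

My IPv6: fd6d:acf4:0742::_48

My IPv4: 172.23.244.0/26

As for IP ranges, unassigned dn42 ranges can be found here: https://explorer.burble.com/free#/

My PR, which you could say is painful to look at :D: https://git.dn42.dev/dn42/registry/pulls/2342

After that, wait patiently for it to be merged.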

```
[NOTE] ## Scan Started at 2022-12-03 18:51:34
CHECK data/mntner/ICECLIFFS-MNT PASS MNTNERS: ICECLIFFS-MNT
[NOTE] ## Scan Completed at 2022-12-03 18:51:38
[NOTE] ## Scan Started at 2022-12-03 18:51:38
[INFO] fd24:e2b2:ea31::/48
CHECK data/inet6num/fd24:e2b2:ea31::_48 PASS MNTNERS: ICECLIFFS-MNT
CHECK data/route/172.23.244.0_26 PASS MNTNERS: ICECLIFFS-MNT
CHECK data/inetnum/172.23.244.0_26 PASS MNTNERS: ICECLIFFS-MNT
CHECK data/person/ICECLIFFS-DN42 PASS MNTNERS: ICECLIFFS-MNT
CHECK data/mntner/ICECLIFFS-MNT PASS MNTNERS: ICECLIFFS-MNT
CHECK data/route6/fd24:e2b2:ea31::_48 PASS MNTNERS: ICECLIFFS-MNT
CHECK data/aut-num/AS4242422291 PASS MNTNERS: ICECLIFFS-MNT
[NOTE] ## Scan Completed at 2022-12-03 18:51:40
[INFO] [[['@as-min', 'AS0000000001'], ['@as-max', 'AS4294967294'], ['as-block', 'AS1-AS4294967294'], ['mnt-by', 'DN42-MNT'], ['policy', 'closed']], [['@as-min', 'AS4242420000'], ['@as-max', 'AS4242423999'], ['as-block', 'AS4242420000-AS4242423999'], ['mnt-by', 'DN42-MNT'], ['policy', 'open']]]
[NOTE] Policy is open for parent object
POLICY ICECLIFFS-MNT aut-num AS4242422291 PASS
[INFO] Checking inetnum type
[INFO] ['fd24e2b2ea3100000000000000000000', 'fd24e2b2ea31ffffffffffffffffffff', '048']
[NOTE] Policy is open for parent object
POLICY ICECLIFFS-MNT inet6num fd24:e2b2:ea31::/48 PASS
[INFO] Checking inetnum type
[INFO] ['00000000000000000000ffffac17f400', '00000000000000000000ffffac17f43f', '122']
[NOTE] Policy is open for parent object
POLICY ICECLIFFS-MNT inetnum 172.23.244.0/26 PASS
[NOTE] ICECLIFFS-MNT does not currently exist
POLICY ICECLIFFS-MNT mntner ICECLIFFS-MNT PASS
[NOTE] ICECLIFFS-DN42 does not currently exist
POLICY ICECLIFFS-MNT person ICECLIFFS-DN42 PASS
[INFO] Checking route type
[INFO] ['00000000000000000000ffffac17f400', '00000000000000000000ffffac17f43f', '122']
[NOTE] Policy is open for parent object
POLICY ICECLIFFS-MNT route 172.23.244.0/26 PASS
[INFO] Checking route type
[INFO] ['fd24e2b2ea3100000000000000000000', 'fd24e2b2ea31ffffffffffffffffffff', '048']
[NOTE] Policy is open for parent object
POLICY ICECLIFFS-MNT route6 fd24:e2b2:ea31::/48 PASS
```


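### Setting up peering

Because DN42 emulates an entire Internet, there is no official server for us to connect to; we have to bring a server of our own into DN42.

Before configuring anything, first add a few settings to sysctl.conf, see https://dn42.dev/howto/networksettings

Be sure to disable rp_filter and enable forwarding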

The first rule of dn42: Always disable rp_filter.

The third rule of dn42: Allow ip forwarding!

Remember to turn the firewall off as well, otherwise some "force majeure" will happen

```
net.ipv4.ip_forward=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0
```

To apply: sysctl -p

#### Finding peers

Go straight to: https://dn42.us/peers

Or check other people's blogs/websites to see whether they list peering information.

For example, mine:

```
Name :          ICECLIFFS-NET
ASN : AS424242291
IPv4 : 172.23.244.0/26
IPv6 : fd24:e2b2:ea31::/48
-----------------------------------------
Nodes:
> Japan, Asia: 172.244.0.1
```

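#### Setting up the tunnel

The official guide is the recommended reference here: https://dn42.dev/howto/wireguard

First, generate the key pair

```bash
# umask 077 keeps the private key file from being created world-readable
umask 077 && wg genkey | tee privatekey | wg pubkey > publickey
```

If you get "command not found", it is because WireGuard is not installed

```bash
apt-get update
apt-get install wireguard-tools wireguard-dkms
```

Then edit the configuration under /etc/wireguard/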

```ini
# tunnel.conf
[Interface]
PrivateKey = <your private key>
ListenPort = <local UDP port, last 5 digits of the ASN>
Table = Off
PostUp = /bin/ip addr add <your DN42 IPv4 address> peer <the peer's DN42 IPv4 address> dev %i

[Peer]
PublicKey = <the peer's public key>
# at least one peer needs to provide this one
Endpoint = <the peer's IP and port>
# in theory this could be restricted to dn42 networks,
# however it is easier to do this with iptables/bgp filters/routing table
# instead just like for openvpn-based peerings
AllowedIPs = 0.0.0.0/0,::/0
```

Once edited, just run wg-quick up [config file], then run wg to see whether the connection succeeded; if it did, the output will contain the word Transfer

If

#### Setting up the BGP session

Following the official site is recommended here

https://wiki.dn42.us/howto/Bird2

Install

```bash
wget -O - http://bird.network.cz/debian/apt.key | apt-key add -
apt-get install lsb-release
echo "deb http://bird.network.cz/debian/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/bird.list
apt-get update
apt-get install bird2
```

I recommend starting directly from the template: https://wiki.dn42.us/howto/Bird2

Replace <OWNAS> with your autonomous system number, e.g. 4242421234

Replace <OWNIP> with the ip that your router is going to have, this is usually the first non-zero ip in your subnet. (E.g. x.x.x.65 in an x.x.x.64/28 network)

Similarly, replace <OWNIPv6> with the first non-zero ip in your ipv6 subnet.

Then replace <OWNNET> with the IPv4 subnet that was assigned to you.

The same goes for <OWNNETv6>, but it takes an IPv6 subnet (Who’d have thought).

Keep in mind that you’ll have to enter both networks in the OWNNET{,v6} and OWNNETSET{,v6}, the two variables are required due to set parsing difficulties with variables.

Then make the substitutions described above (in /etc/bird.conf)

```
################################################
# Variable header #
################################################
define OWNAS = 4242422291;
define OWNIP = 172.23.244.1;
define OWNIPv6 = fd24:e2b2:ea31::6;
define OWNNET = 172.23.244.0/26;
define OWNNETv6 = fd24:e2b2:ea31::/48;
define OWNNETSET = [172.23.244.0/26+];
define OWNNETSETv6 = [fd24:e2b2:ea31::/48+];
################################################
# Header end #
################################################
```

Next, configure ROA (Route Origin Authorization). Make sure to get this right; you can write a crontab entry so the files are downloaded on a schedule

The example config above relies on ROA configuration files in /etc/bird/roa_dn42{,_v6}.conf. These should be automatically downloaded and updated every so often to prevent BGP hijacking, see the bird1 page for more details and links to the ROA files. Note: edit the links to replace roa_bird1 to say roa_bird2 if using the cron jobs listed on that page.

See: https://wiki.dn42.us/howto/Bird#route-origin-authorization0
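
How a ROA table lets a router reject a hijacked announcement, as an added example (not from the original post or the dn42 wiki): it parses ROA lines in bird2's `route ... max ... as ...;` form and classifies announcements by origin validation. The sample entries reuse this page's prefixes and ASN; the max lengths and the other announcements are constructed.

```python
import ipaddress
import re

# Constructed ROA entries in bird2's static-route form. The prefixes and ASN are the
# ones registered on this page; the max lengths (29 and 64) are assumed values.
ROA_TEXT = """
route 172.23.244.0/26 max 29 as 4242422291;
route fd24:e2b2:ea31::/48 max 64 as 4242422291;
"""
ROA_LINE = re.compile(r"route\s+(\S+)\s+max\s+(\d+)\s+as\s+(\d+)\s*;")


def load_roas(text):
    """Parse ROA lines into (network, max_length, origin_asn) tuples."""
    roas = []
    for line in text.splitlines():
        m = ROA_LINE.fullmatch(line.strip())
        if m:
            roas.append((ipaddress.ip_network(m[1]), int(m[2]), int(m[3])))
    return roas


def validate(prefix, origin_asn, roas):
    """Classify an announcement as 'valid', 'invalid' or 'unknown' (RFC 6811 logic)."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_net, max_len, asn in roas:
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue  # this ROA does not cover the announced prefix
        covered = True
        if asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    # Covered by some ROA but matched by none: wrong origin or too specific.
    return "invalid" if covered else "unknown"


ROAS = load_roas(ROA_TEXT)

if __name__ == "__main__":
    for prefix, asn in [("172.23.244.0/26", 4242422291),   # the registered origin
                        ("172.23.244.0/26", 4242420001),   # constructed: other AS announces it
                        ("172.23.244.32/30", 4242422291),  # more specific than max 29
                        ("172.20.0.0/24", 4242420001)]:    # constructed: no ROA covers it
        print(prefix, asn, validate(prefix, asn, ROAS))
```

A stale ROA file turns this around: a newly registered prefix is "unknown" or "invalid" until the file is refreshed, which is why the scheduled download matters.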

#### Configuring peers

Please note: This section assumes that you’ve already got a tunnel to your peering partner setup.

Create a directory here

```bash
mkdir -p /etc/bird/peers
```

See: https://wiki.dn42.us/howto/Bird2

Once everything is configured, start Bird: bird -c /etc/bird.conf

Check the connection status: birdc show protocol

### Visualization

https://dn42.jh0project.com/map


https://map42.0x7f.cc/


https://bgp42.strexp.net/map2

### References

https://miaotony.xyz/2021/03/25/Server_DN42

https://lantian.pub/article/modify-website/dn42-experimental-network-2020.lantian/

https://dn42.dev/howto/Registry-Authentication

Author: IceCliffs

Published: 2022-12-02

Updated: 2023-10-28
