First Attempt at the DN42 Experimental Network

What is the DN42 network?

Decentralized Network 42 (DN42) is a decentralized, end-to-end encrypted network built using VPNs and software/hardware Border Gateway Protocol (BGP). However, unlike traditional VPNs, DN42 does not provide VPN exit services, such as bypassing network censorship or unlocking streaming content. Instead, DN42 aims to simulate the internet. It employs numerous technologies currently used on the internet backbone (such as BGP and recursive DNS) to effectively simulate a real network environment.

Via Lan Tian’s Blog

Why DN42

Routing Experiment

Participating in dn42 is primarily useful for learning routing technologies such as BGP, using a reasonably large network (> 1500 AS, > 1700 prefixes).

Since dn42 is very similar to the Internet, it can be used as a hands-on testing ground for new ideas, or simply to learn real networking stuff that you probably can’t do on the Internet (BGP multihoming, transit). The biggest advantage when compared to the Internet: if you break something in the network, you won’t have any big network operator yelling angrily at you.

Connect hackerspaces

dn42 is also a great way to connect hacker spaces in a secure way, so that they can provide services to each other.

Have you ever wanted to SSH on your Raspberry Pi hosted at your local hacker space and had trouble doing so because of NAT? If your hacker space was using dn42, it could have been much easier…

Via Home (dn42.dev)

Register DN42

Requirements

  • Have a Linux virtual machine (WSL is sufficient for Windows)
  • Familiarity with Linux commands and basic networking skills

Official tutorial: https://dn42.dev/howto/Getting-Started

First, sign up for a git account (https://git.dn42.dev/user/sign_up). Once activated, fork the repository (https://git.dn42.dev/dn42/registry), then clone your fork locally:

git clone https://git.dn42.dev/icecliffs/registry.git
  • Then create a new file [uppercase nickname]-MNT under data/mntner, catch Master Tony.

Contents

  • mntner: Stands for maintainer, indicating the name of this account, which is the same as the file name.
  • admin-c: Stands for admin contact, which needs to point to the person file created later, typically [nickname]-DN42.
  • tech-c: Stands for tech contact, which needs to point to the person file created later, typically [nickname]-DN42.
  • mnt-by: Stands for maintain by, which points to the account itself, typically [nickname]-MNT.
  • source: Fixed to DN42.
  • auth: Your personal authentication information. Two types are generally accepted: GPG public key and SSH public key.

Via DN42 Experimental Network Introduction and Registration Tutorial

mntner: ICECLIFFS-MNT
admin-c: ICECLIFFS-DN42
tech-c: ICECLIFFS-DN42
mnt-by: ICECLIFFS-MNT
source: DN42
auth: pgp-fingerprint 0BE2C259A99AE5B767BC1A2CA3550E3691FF9467
auth: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPOEzWsohqYxXP+cgl7OFUMPr28IPF/nTErMHtOXS6ZV
remarks: rYu1nser (IceCliffs) Hi :), My blog: https://iloli.moe
  • Create a file named [Uppercase Nickname]-DN42 under data/person

The content is:

  • person: Your nickname.
  • e-mail: Your email address.
  • contact: Optional, other contact information for you, such as IRC, Telegram, etc.
  • nic-hdl: The NIC handle, which points to the file itself, the same as the file name, [nickname]-DN42.
  • mnt-by: The maintainer, which points to your previous mntner file, [nickname]-MNT.
  • source: Fixed to DN42.
person: rYu1nser
contact: iloli.moe
contact: Telegram: @icecliffs
contact: GitHub: @icecliffs
contact: Twitter: @icecliffs
nic-hdl: ICECLIFFS-DN42
mnt-by: ICECLIFFS-MNT
pgp-fingerprint: 0BE2C259A99AE5B767BC1A2CA3550E3691FF9467
source: DN42
remarks: rYu1nser (IceCliffs) Hi :), My blog: https://iloli.moe
  • Next, you need to choose an ASN. Pick any one you like (range: 4242420000 - 4242423999). For example, mine is AS4242422291. As of 2022/12/3 00:00:00, there should be this many numbers.

aut-num: AS4242422291
as-name: ICECLIFFS-AS
descr: I love this huge spider web, https://o;p;o/,pe.
remarks: Twitter: @icecliiffs, Telegram: @icecliffs
admin-c: ICECLIFFS-DN42
tech-c: ICECLIFFS-DN42
mnt-by: ICECLIFFS-MNT
source: DN42
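
The field rules listed above for the mntner, person and aut-num objects can be checked locally before opening a PR. This is an added example, not the registry's own checker and not code from the original post: the function names, the sample objects and the EXAMPLE-* names are constructed, it handles only these three object types, and it assumes every referenced object is part of the set of files passed in.

```python
import re

ASN_MIN, ASN_MAX = 4242420000, 4242423999  # open ASN range given on this page
AUTH_RE = re.compile(r"(pgp-fingerprint [0-9A-Fa-f]{40}|ssh-[a-z0-9-]+ \S+)$")
PRIMARY = {"mntner": "mntner", "person": "nic-hdl", "aut-num": "aut-num"}

def parse_object(text):
    """Split 'key: value' lines into (key, value) pairs; only the first colon separates."""
    lines = text.strip().splitlines()
    return [(k.strip(), v.strip()) for k, _, v in (l.partition(":") for l in lines)]

def values(pairs, key):
    return [v for k, v in pairs if k == key]   # attributes such as auth may repeat

def check_registry(files):
    """files: {'data/<kind>/<name>': text}. Returns a sorted list of problems."""
    objs = {path: parse_object(text) for path, text in files.items()}
    names = {path.rsplit("/", 1)[1] for path in objs}
    errors = []
    for path, pairs in objs.items():
        _, kind, name = path.split("/")
        if values(pairs, PRIMARY[kind]) != [name]:
            errors.append(f"{path}: {PRIMARY[kind]} must match the file name")
        if values(pairs, "source") != ["DN42"]:
            errors.append(f"{path}: source must be DN42")
        for attr in ("admin-c", "tech-c", "mnt-by"):
            for target in values(pairs, attr):
                if target not in names:        # dangling reference
                    errors.append(f"{path}: {attr} -> {target} not found")
        if kind == "mntner" and not any(AUTH_RE.match(a) for a in values(pairs, "auth")):
            errors.append(f"{path}: no usable auth (pgp-fingerprint or ssh key)")
        if kind == "aut-num" and not (re.fullmatch(r"AS\d+", name)
                                      and ASN_MIN <= int(name[2:]) <= ASN_MAX):
            errors.append(f"{path}: ASN outside {ASN_MIN}-{ASN_MAX}")
    return sorted(errors)

# Constructed sample objects (not real registry entries).
REFS = "admin-c: EXAMPLE-DN42\ntech-c: EXAMPLE-DN42\nmnt-by: EXAMPLE-MNT\nsource: DN42\n"
SAMPLE = {
    "data/mntner/EXAMPLE-MNT": "mntner: EXAMPLE-MNT\n" + REFS
        + "auth: pgp-fingerprint 0123456789ABCDEF0123456789ABCDEF01234567\n",
    "data/person/EXAMPLE-DN42":
        "person: Example\nnic-hdl: EXAMPLE-DN42\nmnt-by: EXAMPLE-MNT\nsource: DN42\n",
    "data/aut-num/AS4242420000": "aut-num: AS4242420000\nas-name: EXAMPLE-AS\n" + REFS,
}

if __name__ == "__main__":
    print(check_registry(SAMPLE) or "all checks passed")
```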

I’m too lazy to write the rest of the steps, so I recommend checking out Lantian’s guide. I followed his instructions.

Guidelines: DN42 Experimental Network Introduction and Registration Tutorial (Updated June 2022) | Lan Tian @ Blog

My IPv6: fd6d:acf4:0742::_48

My IPv4: 172.23.244.0/26

Regarding IP ranges, you can find DN42’s unassigned IP ranges here: https://explorer.burble.com/free#/

My PR is pretty terrible :D: https://git.dn42.dev/dn42/registry/pulls/2342

Then wait patiently for your PR to be merged.

[NOTE] ## Scan Started at 2022-12-03 18:51:34
CHECK data/mntner/ICECLIFFS-MNT PASS MNTNERS: ICECLIFFS-MNT
[NOTE] ## Scan Completed at 2022-12-03 18:51:38
[NOTE] ## Scan Started at 2022-12-03 18:51:38
[INFO] fd24:e2b2:ea31::/48
CHECK data/inet6num/fd24:e2b2:ea31::_48 PASS MNTNERS: ICECLIFFS-MNT
CHECK data/route/172.23.244.0_26 PASS MNTNERS: ICECLIFFS-MNT
CHECK data/inetnum/172.23.244.0_26 PASS MNTNERS: ICECLIFFS-MNT
CHECK data/person/ICECLIFFS-DN42 PASS MNTNERS: ICECLIFFS-MNT
CHECK data/mntner/ICECLIFFS-MNT PASS MNTNERS: ICECLIFFS-MNT
CHECK data/route6/fd24:e2b2:ea31::_48 PASS MNTNERS: ICECLIFFS-MNT
CHECK data/aut-num/AS4242422291 PASS MNTNERS: ICECLIFFS-MNT
[NOTE] ## Scan Completed at 2022-12-03 18:51:40
[INFO] [[['@as-min', 'AS0000000001'], ['@as-max', 'AS4294967294'], ['as-block', 'AS1-AS4294967294'], ['mnt-by', 'DN42-MNT'], ['policy', 'closed']], [['@as-min', 'AS4242420000'], ['@as-max', 'AS4242423999'], ['as-block', 'AS4242420000-AS4242423999'], ['mnt-by', 'DN42-MNT'], ['policy', 'open']]]
[NOTE] Policy is open for parent object
POLICY ICECLIFFS-MNT aut-num AS4242422291 PASS
[INFO] Checking inetnum type
[INFO] ['fd24e2b2ea3100000000000000000000', 'fd24e2b2ea31ffffffffffffffffffff', '048']
[NOTE] Policy is open for parent object
POLICY ICECLIFFS-MNT inet6num fd24:e2b2:ea31::/48 PASS
[INFO] Checking inetnum type
[INFO] ['00000000000000000000ffffac17f400', '00000000000000000000ffffac17f43f', '122']
[NOTE] Policy is open for parent object
POLICY ICECLIFFS-MNT inetnum 172.23.244.0/26 PASS
[NOTE] ICECLIFFS-MNT does not currently exist
POLICY ICECLIFFS-MNT mntner ICECLIFFS-MNT PASS
[NOTE] ICECLIFFS-DN42 does not currently exist
POLICY ICECLIFFS-MNT person ICECLIFFS-DN42 PASS
[INFO] Checking route type
[INFO] ['00000000000000000000ffffac17f400', '00000000000000000000ffffac17f43f', '122']
[NOTE] Policy is open for parent object
POLICY ICECLIFFS-MNT route 172.23.244.0/26 PASS
[INFO] Checking route type
[INFO] ['fd24e2b2ea3100000000000000000000', 'fd24e2b2ea31ffffffffffffffffffff', '048']
[NOTE] Policy is open for parent object
POLICY ICECLIFFS-MNT route6 fd24:e2b2:ea31::/48 PASS

Establishing a Peer

Since DN42 simulates the entire internet, there aren’t any official servers for us to connect to. We need to connect our own server to DN42.

Before configuring, add a few lines to sysctl.conf. See https://dn42.dev/howto/networksettings

Make sure to disable rp_filter and enable forwarding.

The first rule of dn42: Always disable rp_filter.

The third rule of dn42: Allow ip forwarding!

Remember to disable the firewall; otherwise, something unforeseen may happen.

net.ipv4.ip_forward=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0

Then run sysctl -p to apply the settings.

Finding Peer Nodes

Go directly to: https://dn42.us/peers

Or check other people’s blogs/websites for the same.

For example, mine:

Name :          ICECLIFFS-NET
ASN : AS424242291
IPv4 : 172.23.244.0/26
IPv6 : fd24:e2b2:ea31::/48
-----------------------------------------
Nodes:
> Japan, Asia: 172.244.0.1

Establishing a WireGuard Tunnel

We recommend referring to the official tutorial: https://dn42.dev/howto/wireguard

First, generate public and private keys.

wg genkey | tee privatekey | wg pubkey > publickey

If the command is not found, it is because you have not installed WireGuard.

apt-get update
apt-get install wireguard-tools wireguard-dkms

Then change the configuration under /etc/wireguard/

# tunnel.conf
[Interface]
PrivateKey = <your private key>
ListenPort = <local UDP port, last 5 digits of the ASN>
Table = Off
PostUp = /bin/ip addr add <your DN42 IPv4 address> peer <peer's DN42 IPv4 address> dev %i

[Peer]
PublicKey = <peer's public key>
# at least one peer needs to provide this one
Endpoint = <peer's IP and port>
# in theory this could be restricted to dn42 networks,
# however it is easier to do this with iptables/bgp filters/routing table
# instead just like for openvpn-based peerings
AllowedIPs = 0.0.0.0/0,::/0

After making the changes, run wg-quick up [configuration file], then run wg to check whether the connection succeeded. If it did, a "transfer" line will appear in the output.

Establishing a BGP Session

It is recommended to follow the official guide:

https://wiki.dn42.us/howto/Bird2

Install

wget -O - http://bird.network.cz/debian/apt.key | apt-key add - 
apt-get install lsb-release
echo "deb http://bird.network.cz/debian/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/bird.list
apt-get update
apt-get install bird2

It is recommended to use the template directly: https://wiki.dn42.us/howto/Bird2

Replace <OWNAS> with your autonomous system number, e.g. 4242421234

Replace <OWNIP> with the ip that your router is going to have, this is usually the first non-zero ip in your subnet. (E.g. x.x.x.65 in an x.x.x.64/28 network)

Similarly, replace <OWNIPv6> with the first non-zero ip in your ipv6 subnet.

Then replace <OWNNET> with the IPv4 subnet that was assigned to you.

The same goes for <OWNNETv6>, but it takes an IPv6 subnet (Who’d have thought).

Keep in mind that you’ll have to enter both networks in the OWNNET{,v6} and OWNNETSET{,v6}, the two variables are required due to set parsing difficulties with variables.

Then make the replacements described above in /etc/bird.conf:

################################################
# Variable header #
################################################
define OWNAS = 4242422291;
define OWNIP = 172.23.244.1;
define OWNIPv6 = fd24:e2b2:ea31::6;
define OWNNET = 172.23.244.0/26;
define OWNNETv6 = fd24:e2b2:ea31::/48;
define OWNNETSET = [172.23.244.0/26+];
define OWNNETSETv6 = [fd24:e2b2:ea31::/48+];
################################################
# Header end #
################################################

Next, configure ROA (Route Origin Authorization). This must be configured properly. You can write a crontab entry to download the files regularly.

The example config above relies on ROA configuration files in /etc/bird/roa_dn42{,_v6}.conf. These should be automatically downloaded and updated every so often to prevent BGP hijacking, see the bird1 page for more details and links to the ROA files. Note: edit the links to replace roa_bird1 to say roa_bird2 if using the cron jobs listed on that page.

See: https://wiki.dn42.us/howto/Bird#route-origin-authorization0
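
To show why a current ROA file protects against hijacked announcements, here is the origin-validation logic (RFC 6811) carried out over a small ROA table. This is an added example, not code from the original post or from BIRD: the `route <prefix> max <len> as <asn>;` line layout is assumed for the roa_bird2 files, and the ROA entries, max lengths and function names are constructed, built from the prefixes and ASN shown on this page.

```python
import ipaddress
import re

# Assumed line layout of a BIRD 2 ROA file: route <prefix> max <len> as <asn>;
ROA_LINE = re.compile(r"route\s+(\S+)\s+max\s+(\d+)\s+as\s+(\d+)\s*;")

# Constructed ROA entries built from the prefixes and ASN used on this page.
SAMPLE_ROA = """
route 172.23.244.0/26 max 29 as 4242422291;
route fd24:e2b2:ea31::/48 max 64 as 4242422291;
"""

def load_roas(text):
    """Return a list of (network, max_length, origin_asn) tuples."""
    return [(ipaddress.ip_network(m[1]), int(m[2]), int(m[3]))
            for m in ROA_LINE.finditer(text)]

def roa_check(roas, prefix, origin_as):
    """Classify an announcement as 'valid', 'invalid' or 'unknown'."""
    net = ipaddress.ip_network(prefix)
    covering = [(mx, asn) for roa_net, mx, asn in roas
                if roa_net.version == net.version and net.subnet_of(roa_net)]
    if not covering:
        return "unknown"      # no ROA covers this prefix at all
    if any(asn == origin_as and net.prefixlen <= mx for mx, asn in covering):
        return "valid"        # right origin AS and not more specific than allowed
    return "invalid"          # covered, but wrong origin or too specific

if __name__ == "__main__":
    roas = load_roas(SAMPLE_ROA)
    for prefix, asn in [("172.23.244.0/26", 4242422291),   # legitimate origin
                        ("172.23.244.0/26", 4242420000),   # another AS claims it
                        ("172.23.244.0/30", 4242422291),   # more specific than max
                        ("172.22.0.0/24", 4242420000)]:    # not covered by any ROA
        print(prefix, asn, roa_check(roas, prefix, asn))
```

A stale ROA file turns newly registered prefixes into "unknown" and leaves withdrawn ones "valid", which is why the files need to be refreshed on a schedule.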

Setting up Peers

Please note: This section assumes that you’ve already got a tunnel to your peering partner setup.

Create a new folder here

# mkdir -p /etc/bird/peers

For details, see: https://wiki.dn42.us/howto/Bird2

After completing all configurations, start Bird with bird -c /etc/bird.conf

Check the connection status with birdc show protocol

Graphical

https://dn42.jh0project.com/map

https://map42.0x7f.cc/

https://bgp42.strexp.net/map2

References

https://miaotony.xyz/2021/03/25/Server_DN42

https://lantian.pub/article/modify-website/dn42-experimental-network-2020.lantian/

https://dn42.dev/howto/Registry-Authentication