Installation
This page walks through the requirements for deploying a production Conjure station including environment setup and station configuration.
```bash
sudo apt install libzmq3-dev redis-server libgmp3-dev pkg-config libssl-dev
make
# future
# sudo make install
```
The setup that needs to be done on a station before it can begin operating currently involves setting up the iptables and ip route plumbing that routes packets through the OS from the detector to the application and back. The Environment Setup page has the full instructions; here we run an abbreviated scripted version.
- Decide / determine the answers to the following questions:
  - Do we need to run with Tapdance?
  - How many cores will you be running on? (How many cores is Tapdance running on?)
  - If Tapdance is running, which cores is it running on?
  - What are the IP addresses (v4 and v6) of the interface that will be used for sending proxy traffic?
- Modify the `on-reboot.sh` script on a per-machine basis based on the answers above:
```bash
IP4_ADDR="<YOUR_LOCAL_IPV4_ADDR>"
IP6_ADDR="[<YOUR_LOCAL_IPV6_ADDR>]"
CORE_COUNT=<NUMBER_OF_CORES_TO_RUN_ON>
OFFSET=<OFFSET_FOR_PFRING_QUEUE_ID>
```
If you are not running Tapdance on the same station, set `OFFSET_FOR_PFRING_QUEUE_ID` to 0.
The `CORE_COUNT` and `OFFSET` here are used to set up the tun interfaces. During this set-up we align the tun numbers with the PF_RING queue IDs. This is not required, but it ensures that the queues used by different stations (Tapdance or Conjure-Dev) can't collide on either tun or PF_RING queue IDs.
For further configuration options see the Configuration wiki page.
If Tapdance is not running, we need to start the PF_RING `zbalance_ipc` ourselves.
```bash
cd PF_RING/userland/examples_zc
sudo ./zbalance_ipc -i zc:eth1,zc:eth0 -n 2 -c 10 -g 1 -m 1
```
If Tapdance is running, we need to add a second output queue to the `/opt/tapdance/start_zbalance_ipc.sh` script and then restart `zbalance.service`. We add another queue group of `${TD_CORECOUNT}` to the command, assuming we want to run the same number of cores for Conjure as for Tapdance.
$ git diff start_zbalance_ipc.sh
diff --git a/start_zbalance_ipc.sh b/start_zbalance_ipc.sh
index 74253e1..d565757 100755
--- a/start_zbalance_ipc.sh
+++ b/start_zbalance_ipc.sh
@@ -28,4 +28,4 @@ do
didfirst=1
fi
done
-sudo ./PF_RING/userland/examples_zc/zbalance_ipc -i $ifcarg -c ${TD_CLUSTER_ID} -n ${TD_CORECOUNT} -m ${ZBALANCE_HASH_MODE} -g ${ZBALANCE_CORE}
+sudo ./PF_RING/userland/examples_zc/zbalance_ipc -i $ifcarg -c ${TD_CLUSTER_ID} -n ${TD_CORECOUNT},${TD_CORECOUNT} -m ${ZBALANCE_HASH_MODE} -g ${ZBALANCE_CORE}
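Review bot: the changed `-n ${TD_CORECOUNT},${TD_CORECOUNT}` line hardcodes Conjure's queue group to Tapdance's core count, which the surrounding text describes as an assumption rather than a requirement; a separate variable for the second group (for example `CJ_CORECOUNT`, name hypothetical) would make it independently configurable and make it obvious that the `-n` and `-z` values later passed to `dark-decoy` must stay consistent with these two group sizes.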
```bash
# simple
sudo ./dark-decoy -c 98 -n 2 -K conf/station_key -l 5
# Avoiding Tapdance
sudo ./dark-decoy -c 98 -n 6 -K ./conf/station_key -l 5 -o 9 -z 6 > log/detector.log 2>&1
```
```text
# Options
# REQUIRED
#   -c <cluster_id>            - The cluster id specified to PF_RING when starting `zbalance_ipc`
# OPTIONAL
#   -n <cpu_procs>             - Number of cores to be used (default -1 = all cores)
#   -s <skip_core>             - Specify core_id to be skipped when allocating threads.
#   -K <keyfile_name>          - Specify custom private key to be used by station
#   -a <zmq_address>           - Custom address of ZMQ server
# DEBUG
#   -l <log_interval>          - In seconds, interval between logging of bandwidth, tag checks/s, etc.
#   -o <core_affinity_offset>  - Start processes on $core_affinity_offset+$cpu_procs.
#                                This allows us to run debug/production pf_rings on different cores
#                                entirely (which rust likes), and with different cluster_ids.
#   -z <queue_offset>          - PF_RING queue ID offset to avoid using the same queues and tunX interfaces
#                                as another Tapdance or Conjure instance on the server.
```
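As an added example that is not part of the Conjure project or this wiki, the following POSIX shell script checks the queue/tun alignment described above for a given layout before `on-reboot.sh` is edited. It assumes Tapdance owns PF_RING queues 0 through TD_CORECOUNT-1, that Conjure claims OFFSET through OFFSET+CORE_COUNT-1 (the `-z` and `-n` values given to `dark-decoy`), and that the `-n` groups passed to `zbalance_ipc` must sum to at least the highest queue ID plus one; the function names and the check itself are hypothetical.

```shell
#!/bin/sh
# Added example (not Conjure's own code): sanity-check PF_RING queue / tun
# numbering for a station layout. Assumptions: Tapdance owns queues
# 0..TD_CORECOUNT-1, Conjure owns OFFSET..OFFSET+CORE_COUNT-1, tunN <-> queue N.

# Print the queue IDs a station will claim, one per line.
queue_ids() {  # $1 = offset, $2 = core count
    i=0
    while [ "$i" -lt "$2" ]; do
        echo $(( $1 + i ))
        i=$(( i + 1 ))
    done
}

# Return 0 if [off_a, off_a+n_a) and [off_b, off_b+n_b) do not overlap.
ranges_disjoint() {  # $1 = off_a, $2 = n_a, $3 = off_b, $4 = n_b
    end_a=$(( $1 + $2 ))
    end_b=$(( $3 + $4 ))
    [ "$end_a" -le "$3" ] || [ "$end_b" -le "$1" ]
}

# Return 0 if the total number of zbalance_ipc output queues (the sum of its
# comma-separated -n groups) covers the highest queue ID Conjure will use.
zbalance_covers() {  # $1 = zbalance "-n" value (e.g. "6,6"), $2 = offset, $3 = core count
    total=0
    for g in $(echo "$1" | tr ',' ' '); do total=$(( total + g )); done
    [ $(( $2 + $3 )) -le "$total" ]
}

# Validate one layout; prints a verdict and returns 0 only when it is safe.
check_layout() {  # $1 = TD_CORECOUNT, $2 = CORE_COUNT, $3 = OFFSET, $4 = zbalance -n value
    if ! ranges_disjoint 0 "$1" "$3" "$2"; then
        echo "queue/tun collision: Tapdance 0..$(( $1 - 1 )) vs Conjure $3..$(( $3 + $2 - 1 ))"
        return 1
    fi
    if ! zbalance_covers "$4" "$3" "$2"; then
        echo "zbalance_ipc -n $4 provides too few queues for offset $3 + $2 cores"
        return 1
    fi
    echo "ok: Conjure tun/queue IDs $(queue_ids "$3" "$2" | tr '\n' ' ')"
}

# Mirrors the "Avoiding Tapdance" invocation above: Tapdance on 6 cores,
# Conjure started with -n 6 -z 6, zbalance with -n ${TD_CORECOUNT},${TD_CORECOUNT}.
check_layout 6 6 6 "6,6"
```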
```bash
cd application
./application
```
Start by building the Conjure command line interface (cli) client.
```bash
git clone git@github.com:refraction-networking/gotapdance.git
cd gotapdance/cli
go get ./...
go build -a .
```
This cli creates a minimal connection to the Conjure station. To run it you will need a clientconf and the roots file from the conjure assets. You can again choose to use either the dev or full clientconf by replacing the `ClientConf` file in the assets directory.
```bash
# start the proxy
./cli -connect-addr="<destination:port>" -debug
# To demonstrate a working proxy tunnel we can grab a TLS cert from <destination:port> using openssl.
openssl s_client -connect 127.0.0.1:10500
```
Alternatively, open a SOCKS5 proxy connection over Conjure to <destination:port>; make sure the connect-addr is a server that you have ssh access to.
```bash
ssh -D 1080 -q -C -N user@127.0.0.1 -p 10500
```
Once the connection is established, set your browser's SOCKS5 proxy to use 127.0.0.1:10500 or whatever local port you chose.