How to Get Connected: Difference between revisions

From Cursed Silicons Wiki
m Add a reboot router step and clarify step four in the setup script tutorial
m Remove left-over section from previously removed OPNsense section
 
(2 intermediate revisions by the same user not shown)
Line 30: Line 30:
## <code>ash setup-cghmn.sh init</code>
## <code>ash setup-cghmn.sh init</code>
## You will be asked what network port you'd like to use for the Retro LAN. This is where you will plug in your retro machines to be part of the CGHMN. Choose a port that is not assigned to any OpenWRT interface like '''lan''' or '''wan''' or which not already part of a bridge and enter the Linux interface name, e.g. <code>eth1</code>, then press <code>[Enter]</code> to continue. If your router only has two ports and you're using one for WAN, then you first have to [https://openwrt.org/docs/guide-user/luci/luci.secure#allow_access_from_internet enable the web UI and SSH access via the '''wan''' OpenWRT interface], remove the entire '''lan''' OpenWRT interface and the default <code>br-lan</code> or any other bridge the interface might belong to, to free the network port and continue the setup over the IP address your router got on its WAN side. If you only have a single Ethernet port, you're running on a router setup we can't really recommend, however you can configure VLANs and use a managed switch to both get a WAN DHCP address for internet access and have a separate VLAN for the Retro LAN bridge over a single port. This is commonly referred to as "[[wikipedia:Router_on_a_stick|router on a stick]]". Just enter the VLAN interface name here if you choose to go that route.
## You will be asked what network port you'd like to use for the Retro LAN. This is where you will plug in your retro machines to be part of the CGHMN. Choose a port that is not assigned to any OpenWRT interface like '''lan''' or '''wan''' or which not already part of a bridge and enter the Linux interface name, e.g. <code>eth1</code>, then press <code>[Enter]</code> to continue. If your router only has two ports and you're using one for WAN, then you first have to [https://openwrt.org/docs/guide-user/luci/luci.secure#allow_access_from_internet enable the web UI and SSH access via the '''wan''' OpenWRT interface], remove the entire '''lan''' OpenWRT interface and the default <code>br-lan</code> or any other bridge the interface might belong to, to free the network port and continue the setup over the IP address your router got on its WAN side. If you only have a single Ethernet port, you're running on a router setup we can't really recommend, however you can configure VLANs and use a managed switch to both get a WAN DHCP address for internet access and have a separate VLAN for the Retro LAN bridge over a single port. This is commonly referred to as "[[wikipedia:Router_on_a_stick|router on a stick]]". Just enter the VLAN interface name here if you choose to go that route.
# Now you will be given some information on the console, including a Wireguard public key. Send one of the CGHMN admins (currently CursedSilicon and Snep) that key so we can add your router to our Wireguard server. If you cannot copy-paste, for example, because you're on a VM VNC console, you can run <code>ash setup-cghmn.sh pubkey-qr</code> to get a QR code printout of your public key, which can be scanned with a phone, tablet or software QR code parser to get the key as copy-pastable text.
# Now you will be given some information on the console, including a Wireguard public key. Head over to https://signup.cghmn.org, fill out the form there with your details like an e-mail address we can reach you under and copy over the Wireguard public key from the script output into the appropriate field on the web page. Once your request has been approved, you'll receive an e-mail with your CGHMN Wireguard connections details. Note: If you cannot copy-paste, for example, because you're on a VM VNC console, you can run <code>ash setup-cghmn.sh pubkey-qr</code> to get a QR code with your public key, which can be scanned with a phone, tablet or software QR code parser to get the key as copy-pastable text.
# In return, you will receive a tunnel IPv4 address (<code>100.89.128.x/32</code>) and a routed IPv4 subnet (<code>100.96.x.0/24</code>) from us. These will be needed on the third and final step of the setup script:
# In the e-mail from your sign-up server post approval, you will receive a tunnel IPv4 address (<code>100.65.x.x/32</code>) and a routed IPv4 subnet (<code>100.68.x.0/24</code> and up). These will be needed on the next step
## <code>ash setup-cghmn.sh set-tunnel-ip</code>
# Run <code>ash setup-cghmn.sh set-tunnel-ip</code>, enter your new tunnel IP address with or without the <code>/32</code> subnet mask, enter your routed subnet '''with''' the CIDR netmask and supply your pre-shared key from the e-mail.
# Once the script completed successfully, reboot the router to ensure all interfaces are up properly. After the reboot, your retro devices should receive an IP address in your routed IPv4 subnet on the Retro LAN port you chose above and be able to communicate with other machines on the CGHMN network.
# Once the script completed successfully, reboot the router to ensure all interfaces are up properly. After the reboot, your retro devices should receive an IP address in your routed IPv4 subnet on the Retro LAN port you chose above and be able to communicate with other machines on the CGHMN network.


=== Get Connected - Manually (Linux, Wireguard only, GRETAP follows shortly) ===
=== Get Connected - Manually (Linux, Wireguard/IP traffic only) ===
In case you want to setup a connection into the network manually, here are the required steps and information you should be needing:
In case you want to setup a connection into the network manually, here are the required steps and information you should be needing:
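Review bot: The rewritten step 6 (the `set-tunnel-ip` line) has the member type in a pre-shared key that arrives in the same e-mail as the tunnel IP and routed subnet, so the mailbox holding that e-mail becomes part of the tunnel's trust boundary; the step should tell members to delete or protect that e-mail once the router is configured and to request a new PSK if the mailbox is ever exposed. Minor: "These will be needed on the next step" lacks a full stop, and the superseded 100.89.128.x / 100.96.x ranges are still quoted in the struck-through admin section further down this diff.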


Line 43: Line 43:


* NEVER share your private key, even with us! It should never be required outside of your own Wireguard setup!
* NEVER share your private key, even with us! It should never be required outside of your own Wireguard setup!
* You will, however, need to share your public key with us. Send CursedSilicon or Snep on the Discord or via IRC a message including the public key and we'll add you to the tunnel.
* You will, however, need to share your public key with us. Head over to https://signup.cghmn.org, fill out the forms with some details like an e-mail address we can reach you under and paste the newly generated public key into the public key field.
* In return, you'll get two IP addresses from us: Your tunnel IP address, with which your router talks to our router, and a routed subnet, from which you can assign IPs to your own machines so they can talk to other CGHMN member devices on the network without NAT in the way.
* After submitting your request, we'll approve it as soon as possible and you'll get two IP addresses sent over to your specified e-mail: Your tunnel IP address, with which ''your'' router talks to ''our'' router, and a routed subnet, from which you can assign IPs to your own machines so they can talk to other CGHMN member devices on the network without NAT in the way.
* Next, you'll need to fill a Wireguard configuration file with the two IP addresses, like below:
* In the e-mail, you will also find a full Wireguard configuration looking a little like this:


  [Interface]
  [Interface]
  PrivateKey = <Your private key goes here>
  PrivateKey = xxx
  Address = <Your tunnel IP address goes here>/32
  Address = 100.65.0.xxx/32
DNS = 100.89.128.0
MTU = 1420
   
   
  [Peer]
  [Peer]
  PublicKey = k/QiJIbMakMKgTCHVt8/D+8k4DzRVM6U33F3gMZfRUg=
  PublicKey = k/QiJIbMakMKgTCHVt8/D+8k4DzRVM6U33F3gMZfRUg=
  Endpoint = wg-admin.cursedsilicon.net:42070
  Endpoint = us.wg.cghmn.org:42070
  AllowedIPs = 100.64.0.0/10
  AllowedIPs = 100.64.0.0/10
  PersistentKeepalive = 15
  PersistentKeepalive = 15
PresharedKey = xxx


* Save this file as <code>wg-cghmn.conf</code>, for example.
* Copy this configuration to a file, <code>wg-cghmn.conf</code>, for example.
* If you use wg-quick like below, you can also add the line <code>DNS = 100.64.12.2</code> in the [Interface] section to make use of our DNS resolvers and access other CGHMN member's services through domain names, though be adviced that we cannot guarantee public internet address lookups, which means this might break internet access for the host you're opening this Wireguard tunnel from! Alternatively, for advanced users, one can setup dnsmasq to automatically pull any domains we offer within the CGHMN and forward them to our DNS resolvers with the help of [https://raw.githubusercontent.com/CGHMN/openwrt-scripts/refs/heads/main/dns/update-dns-forwards.sh this script from our GitHub] and having it being run periodically through cron, systemd-timers or similar. See [[CGHMN DNS Information#dnsmasq Synchronization Script|this Wiki article]] for more information.
* Then, run <code>wg-quick up ./wg-cghmn.conf</code>, perhaps requiring <code>doas</code>/<code>sudo</code>, to bring the tunnel up and connect to the network!
* Then, run <code>wg-quick up ./wg-cghmn.conf</code>, perhaps requiring <code>doas</code>/<code>sudo</code>, to bring the tunnel up and connect to the network!
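Review bot: The new example config drops the `DNS = 100.89.128.0` and `MTU = 1420` lines but keeps `AllowedIPs = 100.64.0.0/10`, which makes `wg-quick up` route the entire 100.64.0.0/10 block into the tunnel; the bullet that follows should warn that any host already using addresses from that CGNAT block (an ISP connection behind carrier-grade NAT, another overlay VPN) will lose that connectivity while the tunnel is up. Also, the example now shows `PresharedKey = xxx` under [Peer], so the copied file holds both the private key and the PSK; the "Copy this configuration to a file" bullet should add `chmod 600 wg-cghmn.conf`.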


Line 65: Line 65:


<nowiki>#</nowiki>TODO: Add example of routed subnet configuration, perhaps on a different Wiki site
<nowiki>#</nowiki>TODO: Add example of routed subnet configuration, perhaps on a different Wiki site
=== <s>Get connected - Server Side, the Admins Guide</s> ===
[[File:Example Configuration for new Wireguard Peer on Core Router.png|thumb|Example Configuration for new Wireguard Peer on Core Router]]
To get a member onto the network, they will send an admin of the project their randomly generated Wireguard key during the setup via the OpenWRT script. Here are the steps that admin will have to follow to get them up and running on the server side:
# Log in on the [https://router.core.cghmn:8443 Core Router] over an existing CGHMN network link
# Navigate to VPN -> Wireguard -> Peer Generator
# You will be asked to enter some data for the new peer, enter the following:
## '''Instance:''' <code>WG_Member</code> 
## '''Endpoint:''' <code>wg-admin.cursedsilicon.net:42070</code>
## '''Name:''' <code>member.''<Nickname of the new member>''</code>
## '''Public Key:''' <code>''<their Wireguard public key they've sent over>''</code>
## '''Private Key:''' <code>''<blank>''</code>
## '''Address:''' ''<code><Next highest IP from 100.89.128.0/22, this is their tunnel IP and is auto-filled></code>''
## '''Pre-Shared Key:''' <code>''<blank>''</code>
## '''Allowed IPs:''' <code>''<the same as Address>'', ''<their routed subnet, [[How to Get Connected#But wait, what even is their routed subnet?|see below]]>''</code>
## '''Keepalive interval:''' ''<code><blank></code>''
## '''DNS Servers:''' <code>''<default value>''</code>
# Hit the "Store and generate next" button
# Navigate to VPN -> Wireguard -> Instances
# Hit the "Apply" button
# Do '''either one''' '''(not both!)''' of these steps, depending on if you can SSH into the GRETAP endpoint container:
## SSH into the CGHMN Proxmox Server and enter the command <code>pct enter 10403</code>
## SSH directly into the GRETAP endpoint (formerly VXLAN endpoint) container with <code>ssh root@172.23.4.103</code>
# From there, run the following command: <code>bash /opt/vxlan-scripts/create-vxlan-interface.sh <member-tunnel-ip> <member-name></code> where you replace <code><member-tunnel-ip></code> with the IP tunnel address of the member as it was set above in the '''Address''' field, without the <code>/32</code> CIDR subnet mask, and replace the <code><member-name></code> with the same value you've entered above in the '''Name''' field. For example, like this: <code>bash /opt/vxlan-scripts/create-vxlan-interface.sh 100.89.128.6 member.snep.test</code> This will create a GRETAP (and for legacy purposes, a VXLAN) interface and bring them up automagically. ''Ignore the fact it still says "VXLAN" everywhere, it does both.''
# Now you can send the member their Wireguard Tunnel IP and their routed subnet over and they can finish their client-side setup according to the mini-tutorial above.
# Rember to add the member and their tunnel and subnet IPs to the [[CGHMN-IP-Allocations|IP allocations page]] :)
==== But wait, what even ''is'' their routed subnet? ====
Each members routed subnet comes per default from the <code>100.96.0.0/13</code> IPv4 block and has a <code>/24</code> mask. This subnet is their "Retro LAN", to which all their retro computers are hooked into via the router of their choosing. By default, NAT is enabled on the routers, so it wouldn't make a difference which subnet is used on the remote end for the retro machines. However, if someone wants to host servers in the CGHMN and doesn't want to do port forwading, they can disable NAT and let other membres directly connect to their machines via this routed subnet.
To get the routed subnet of a member, take the number from the last octet of the Wireguard tunnel IP of a member, say <code>100.89.128.'''6'''</code>, and put it into the third octet of the <code>100.96.0.0/13</code> IP block and replace the <code>/13</code> with <code>/24</code>, so you get <code>100.96.'''6'''.0/24</code>. That is their routed subnet, simple as that!


=== After you get connected ===
=== After you get connected ===
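Review bot: Removing the struck-through admin section is the right call: it documented internal management addresses (`172.23.4.103`, container `10403`) and the superseded 100.89.128.0/22 and 100.96.0.0/13 allocation scheme on a member-facing page. The `#TODO: Add example of routed subnet configuration` line stays open after this change; with routed subnets now handed out from 100.68.x.0/24 and up, a member following the manual section still has no example of assigning that subnet to the Retro LAN interface.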

Latest revision as of 17:17, 21 March 2026

This is a quick and dirty "how do I get on CGHMN"

Since the service is in "open beta", these steps are a bit vague and manual. Over time, as we figure out what works, we'll add more connection methods and better documentation.

Step 1:

Let us know you'd like to connect!

(We'll need information from you such as your Wireguard Pubkey to let you connect to the network)

Example CGHMN Router Setup using a GL-AR300M and basic network switch

Hardware requirements

To connect your retro machine(s) to the CGHMN, you'll need the following:

  • An Ethernet connection on your retro device(s) of choice, with a TCP/IP (v4) stack for now! TrumpetWinSock, Microsoft TCP/IP, whatever. It all works.
  • Something with the ability to run Wireguard and forward IPv4 packets at the minimum and, for any non-IP packets, gretap and nftables. Personally we recommend something running OpenWRT, like the GL-AR300M which we have successfully tested to work. We're currently working on a pre-built image for some select routers to make the setup easier for new members. A script to configure already existing OpenWRT instances can be found below.
  • Alternatively, you can also run the CGHMN routing on any standard Linux box which has at least one Ethernet port and either a second one or WiFi for internet connectivity. A basic script to set up a Linux machine as a router is posted below (TODO!).
  • Optionally: A simple network switch, in case you want to add multiple machines to the network. You plug one end into the CGHMN Router box and then your clients can all access CGHMN. Super easy!

On the right is an example of what a CGHMN router setup could look like.

Get connected - With OpenWRT

If you chose to go with an OpenWRT compatible router or want to run OpenWRT on typical x86 hardware/in a VM, you can follow these steps to get yourself connected to the CGHMN:

  1. Update your OpenWRT install to the latest version to ensure all required packages are available and compatible.
  2. Download this script from GitHub to your OpenWRT router, saving it under the name the following steps use: wget -O setup-cghmn.sh https://cghmn.snep.zip/connect.sh
  3. Run the following commands on the router:
    1. ash setup-cghmn.sh install-pkgs
    2. Reboot the router. This step is necessary to make LuCI recognize Wireguard connections if you intend to use the web UI for any other configuration or to see the status of the CGHMN connection.
    3. ash setup-cghmn.sh init
    4. You will be asked which network port you'd like to use for the Retro LAN. This is where you will plug in your retro machines to be part of the CGHMN. Choose a port that is not assigned to any OpenWRT interface such as lan or wan and is not already part of a bridge, enter its Linux interface name, e.g. eth1, then press [Enter] to continue. If your router only has two ports and you're using one for WAN, you first have to enable the web UI and SSH access via the wan OpenWRT interface, remove the entire lan OpenWRT interface and the default br-lan (or any other bridge the port might belong to) to free the network port, and continue the setup over the IP address your router got on its WAN side. If you only have a single Ethernet port, you're running a router setup we can't really recommend; however, you can configure VLANs and use a managed switch to both get a WAN DHCP address for internet access and have a separate VLAN for the Retro LAN bridge over a single port. This is commonly referred to as "router on a stick". Just enter the VLAN interface name here if you choose to go that route.
  4. Now you will be given some information on the console, including a Wireguard public key. Head over to https://signup.cghmn.org, fill out the form there with your details, such as an e-mail address we can reach you at, and copy the Wireguard public key from the script output into the appropriate field on the web page. Once your request has been approved, you'll receive an e-mail with your CGHMN Wireguard connection details. Note: If you cannot copy-paste, for example because you're on a VM VNC console, you can run ash setup-cghmn.sh pubkey-qr to get a QR code with your public key, which can be scanned with a phone, tablet or software QR code parser to get the key as copy-pastable text.
  5. In the e-mail from the sign-up server after approval, you will receive a tunnel IPv4 address (100.65.x.x/32) and a routed IPv4 subnet (100.68.x.0/24 and up). These will be needed in the next step.
  6. Run ash setup-cghmn.sh set-tunnel-ip, enter your new tunnel IP address with or without the /32 subnet mask, enter your routed subnet with the CIDR netmask and supply your pre-shared key from the e-mail.
  7. Once the script has completed successfully, reboot the router to ensure all interfaces come up properly. After the reboot, your retro devices should receive an IP address in your routed IPv4 subnet on the Retro LAN port you chose above and be able to communicate with other machines on the CGHMN network.

Get Connected - Manually (Linux, Wireguard/IP traffic only)

In case you want to set up a connection into the network manually, here are the required steps and the information you will need:

  • Generate a Wireguard private key and public key. This command writes a fresh Wireguard private key to private-key and the corresponding public key to public-key:
$ wg genkey | tee private-key | wg pubkey > public-key
  • NEVER share your private key, even with us! It should never be required outside of your own Wireguard setup!
  • You will, however, need to share your public key with us. Head over to https://signup.cghmn.org, fill out the forms with some details like an e-mail address we can reach you under and paste the newly generated public key into the public key field.
  • After submitting your request, we'll approve it as soon as possible and you'll get two IP addresses sent over to your specified e-mail: Your tunnel IP address, with which your router talks to our router, and a routed subnet, from which you can assign IPs to your own machines so they can talk to other CGHMN member devices on the network without NAT in the way.
  • In the e-mail, you will also find a full Wireguard configuration looking a little like this:
[Interface]
PrivateKey = xxx
Address = 100.65.0.xxx/32

[Peer]
PublicKey = k/QiJIbMakMKgTCHVt8/D+8k4DzRVM6U33F3gMZfRUg=
Endpoint = us.wg.cghmn.org:42070
AllowedIPs = 100.64.0.0/10
PersistentKeepalive = 15
PresharedKey = xxx
  • Copy this configuration to a file, wg-cghmn.conf, for example.
  • If you use wg-quick like below, you can also add the line DNS = 100.64.12.2 in the [Interface] section to make use of our DNS resolvers and access other CGHMN members' services through domain names, though be advised that we cannot guarantee public internet address lookups, which means this might break internet access for the host you're opening this Wireguard tunnel from! Alternatively, for advanced users, one can set up dnsmasq to automatically pull any domains we offer within the CGHMN and forward them to our DNS resolvers with the help of this script from our GitHub, running it periodically through cron, systemd timers or similar. See this Wiki article for more information.
  • Then, run wg-quick up ./wg-cghmn.conf, perhaps requiring doas/sudo, to bring the tunnel up and connect to the network!

This should bring whatever system you've set the tunnel up on onto the network, and it will then be reachable by other members on the network, as long as the firewall on your device is configured accordingly, of course.
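A pre-flight check you can run on the e-mailed config before wg-quick up, as an added example that is not part of the wiki or the CGHMN scripts: it verifies that the xxx placeholders were replaced, that the tunnel address, endpoint and peer key match the values shown above, that AllowedIPs is the expected 100.64.0.0/10 block and nothing wider, and that the file holding your private key and PSK is not readable by other users. The write_sample helper builds a constructed stand-in for the e-mailed file; its interface keys are not real keys.

```shell
#!/bin/sh
# Pre-flight check for the e-mailed CGHMN WireGuard config before running wg-quick.
# Added example, not part of the wiki or the CGHMN scripts. Assumes the file layout
# shown above; endpoint, peer key and AllowedIPs are the values the wiki prints.
EXPECTED_ENDPOINT='us.wg.cghmn.org:42070'
EXPECTED_PEER_KEY='k/QiJIbMakMKgTCHVt8/D+8k4DzRVM6U33F3gMZfRUg='
EXPECTED_ALLOWED='100.64.0.0/10'

# conf_get FILE KEY: print the value of the first "KEY = value" line, empty if absent
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_wg_conf FILE: return 0 when the config is safe to bring up, 1 otherwise;
# every finding is printed on stderr so nothing is silently accepted
check_wg_conf() {
    f=$1; rc=0
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    # 1. the xxx / <...> placeholders from the wiki example must have been replaced
    for k in PrivateKey PresharedKey; do
        case "$(conf_get "$f" "$k")" in
            ""|xxx|*"<"*) echo "$k is missing or still a placeholder" >&2; rc=1 ;;
        esac
    done
    # 2. the tunnel address is a single 100.65.x.x/32 host, as the e-mail step says
    addr=$(conf_get "$f" Address)
    case "$addr" in
        100.65.*.*/32) ;;
        *) echo "Address '$addr' is not a 100.65.x.x/32 tunnel address" >&2; rc=1 ;;
    esac
    # 3. peer identity: a changed endpoint or key means you would not be talking to CGHMN
    [ "$(conf_get "$f" Endpoint)" = "$EXPECTED_ENDPOINT" ] \
        || { echo "Endpoint differs from $EXPECTED_ENDPOINT" >&2; rc=1; }
    [ "$(conf_get "$f" PublicKey)" = "$EXPECTED_PEER_KEY" ] \
        || { echo "Peer PublicKey differs from the published CGHMN key" >&2; rc=1; }
    # 4. AllowedIPs = 100.64.0.0/10 already routes the whole CGNAT block into the
    #    tunnel; anything wider (e.g. 0.0.0.0/0) would send all your traffic there
    allowed=$(conf_get "$f" AllowedIPs)
    [ "$allowed" = "$EXPECTED_ALLOWED" ] \
        || { echo "AllowedIPs '$allowed' differs from $EXPECTED_ALLOWED" >&2; rc=1; }
    # 5. the file holds your private key and PSK: it must not be group/world readable
    perms=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$perms" in
        600|400) ;;
        *) echo "mode $perms on $f: run chmod 600 $f" >&2; rc=1 ;;
    esac
    # 6. a DNS line is optional and can break public lookups on this host (see above)
    [ -z "$(conf_get "$f" DNS)" ] || echo "note: DNS set, public lookups may fail" >&2
    return $rc
}

# write_sample FILE PRIVKEY PSK: constructed stand-in for the e-mailed config
# (the peer key is the one the wiki shows; the interface keys are NOT real keys)
write_sample() {
    cat > "$1" <<EOF
[Interface]
PrivateKey = $2
Address = 100.65.0.23/32

[Peer]
PublicKey = $EXPECTED_PEER_KEY
Endpoint = $EXPECTED_ENDPOINT
AllowedIPs = $EXPECTED_ALLOWED
PersistentKeepalive = 15
PresharedKey = $3
EOF
}
# Usage: check_wg_conf ./wg-cghmn.conf && doas wg-quick up ./wg-cghmn.conf
```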

#TODO: Add example of routed subnet configuration, perhaps on a different Wiki site

After you get connected

There are a few optional things you might want to do.

Network mailing list

There is a mailing list you can subscribe to if you want to be notified about things that may affect CGHMN or core services. You can subscribe to the list here: https://berwick-upon-tweed.cobaltqu.be/postorius/lists/cghmn-announce.lists.cobaltqu.be/.


If you need to post to the list, you will need to subscribe before you can be added to the list of posters.

Explore things available on the network

There is a collection of services people are running - things like email/hosting/chat/search/etc.