How to Get Connected: Difference between revisions

This is a quick and dirty "how do I get on CGHMN"

Right now since the service is in "closed beta" these steps are a bit vague and manual. But over time as we figure out what works we'll add more connection methods and better documentation

Right now to get connected you effectively need three things, hardware wise:

Hardware requirements

To connect your retro machine(s) to the CGHMN, you'll need the following:

• An Ethernet connection on your retro device(s) of choice, with a TCP/IP (v4) stack for now! TrumpetWinSock, Microsoft TCP/IP, whatever. It all works.

• Something with the ability to run Wireguard and forward IPv4 packets at the minimum and, for any non-IP packets, gretap and nftables. Personally we recommend something running OpenWRT, like the GL-AR300M which we have successfully tested to work. We're currently working on a pre-built image for some select routers to make the setup easier for new members. A script to configure already existing OpenWRT instances can be found below.
• Alternatively, you can also run the CGHMN routing on any standard Linux box which has at least one Ethernet port and either a second one or WiFi for internet connectivity. A basic script to set up a Linux machine as a router is posted below (TODO!).

• Optionally: A simple network switch, in case you want to add multiple machines to the network. You plug one end into the CGHMN Router box and then your clients can all access CGHMN. Super easy!

On the right is an example of what a CGHMN router setup could look like.

Get connected - With OpenWRT

If you chose to go with an OpenWRT compatible router or want to run OpenWRT on typical x86 hardware/in a VM, you can follow these steps to get yourself connected to the CGHMN:

1. Update your OpenWRT install to the latest version to ensure all required packages are available and compatible.
2. Download this script from GitHub to your OpenWRT router via SSH
3. Run the following commands on the router:
   1. ash setup-cghmn.sh install-pkgs
   2. ash setup-cghmn.sh init
   3. You will be asked what network port you'd like to use for the Retro LAN. This is where you will plug in your retro machines to be part of the CGHMN. Choose a port that is not assigned to any OpenWRT interface like lan or wan or which not already part of a bridge and enter the Linux interface name, e.g. eth1, then press [Enter] to continue. If your router only has two ports and you're using one for WAN, then you first have to enable the web UI and SSH access via the wan OpenWRT interface, remove the entire lan OpenWRT interface to free the network port and continue the setup over the IP address your router got on its WAN side. If you only have a single Ethernet port, you're running on a router setup we can't really recommend, however you can configure VLANs and use a managed switch to both get a WAN DHCP address for internet access and have a separate VLAN for the Retro LAN bridge over a single port. This is commonly referred to as "router on a stick". Just enter the VLAN interface name here if you choose to go that route.
4. Now you will be given some information on the console, including a Wireguard public key. Send one of the CGHMN admins (currently CursedSilicon and Snep) that key so we can add your router to our Wireguard server.
5. In return, you will receive a tunnel IPv4 address (100.89.128.x/32) and a routed IPv4 subnet (100.96.x.0/24) from us. These will be needed on the third and final step of the setup script:
   1. ash setup-cghmn.sh set-tunnel-ip
6. Once the script completed successfully, reboot the router to ensure all interfaces are up properly. After the reboot, your retro devices should receive an IP address in your routed IPv4 subnet on the Retro LAN port you chose above and be able to communicate with other machines on the CGHMN network.

# TODO: Add Linux commands to get connected without OpenWRT

Get connected - Server Side, the Admins Guide

To get a member onto the network, they will send an admin of the project their randomly generated Wireguard key during the setup via the OpenWRT script. Here are the steps that admin will have to follow to get them up and running on the server side:

1. Log in on the Core Router over an existing CGHMN network link
2. Navigate to VPN -> Wireguard -> Peer Generator
3. You will be asked to enter some data for the new peer, enter the following:
   1. Instance: WG_Member
   2. Endpoint: wg-admin.cursedsilicon.net:42070
   3. Name: member.<Nickname of the new member>
   4. Public Key: <their Wireguard public key they've sent over>
   5. Private Key: <blank>
   6. Address: <Next highest IP from 100.89.128.0/22, this is their tunnel IP and is auto-filled>
   7. Pre-Shared Key: <blank>
   8. Allowed IPs: <the same as Address>, <their routed subnet, see below>
   9. Keepalive interval: <blank>
   10. DNS Servers: <default value>
4. Hit the "Store and generate next" button
5. Navigate to VPN -> Wireguard -> Instances
6. Hit the "Apply" button
7. Do either one of these steps, depending on if you can SSH into the GRETAP endpoint container:
   1. SSH into the CGHMN Proxmox Server and enter the command pct enter 10403
   2. SSH directly into the GRETAP endpoint (formerly VXLAN endpoint) container with ssh root@172.23.4.103
8. From there, run the following command: bash /opt/vxlan-scripts/create-vxlan-interface.sh <member-tunnel-ip> <member-name> where you replace <member-tunnel-ip> with the IP tunnel address of the member as it was set above in the Address field, without the /32 CIDR subnet mask, and replace the <member-name> with the same value you've entered above in the Name field. For example, like this: bash /opt/vxlan-scripts/create-vxlan-interface.sh 100.89.128.6 member.snep.test This will create a GRETAP (and for legacy purposes, a VXLAN) interface and bring them up automagically. Ignore the fact it still says "VXLAN" everywhere, it does both.
9. Now you can send the member their Wireguard Tunnel IP and their routed subnet over and they can finish their client-side setup according to the mini-tutorial above.
10. Rember to add the member and their tunnel and subnet IPs to the IP allocations page :)

But wait, what even is their routed subnet?

Each members routed subnet comes per default from the 100.96.0.0/13 IPv4 block and has a /24 mask. This subnet is their "Retro LAN", to which all their retro computers are hooked into via the router of their choosing. By default, NAT is enabled on the routers, so it wouldn't make a difference which subnet is used on the remote end for the retro machines. However, if someone wants to host servers in the CGHMN and doesn't want to do port forwading, they can disable NAT and let other membres directly connect to their machines via this routed subnet.

To get the routed subnet of a member, take the number from the last octet of the Wireguard tunnel IP of a member, say 100.89.128.6, and put it into the third octet of the 100.96.0.0/13 IP block and replace the /13 with /24, so you get 100.96.6.0/24. That is their routed subnet, simple as that!