|
@@ -0,0 +1,287 @@
|
|
|
+'use strict';
|
|
|
+// stringify it to reduce size
|
|
|
+const DEFAULT_CONF = JSON.stringify({
|
|
|
+ // Private key:
|
|
|
+ // Your confidentiality and data integrity depend on this key, keep it secret!
|
|
|
+ "privateKey": "ba13c8023eda49bd626ebfda4ecf9abd0eda6e07a8e77f19aa0b20c0d69eb915",
|
|
|
+
|
|
|
+ // This key corresponds to the public key and ipv6 address:
|
|
|
+ "publicKey": "hukfzjh5n30m10303bkhjg1wvuft90s0cqqg5jrjgg781dbly2z0.k",
|
|
|
+ "ipv6": "fccf:4352:ac9:7d1f:b32b:ba08:f086:8432",
|
|
|
+
|
|
|
+ // Anyone connecting and offering these passwords on connection will be allowed.
|
|
|
+ //
|
|
|
+ // WARNING: If a "login" parameter is passed, someone sniffing on the wire can
|
|
|
+ // sniff the packet and crack to find it. If the "login" is not passed
|
|
|
+ // then the hash of the 'password' is effectively the login, therefore
|
|
|
+ // that can be cracked.
|
|
|
+ //
|
|
|
+ "authorizedPasswords":
|
|
|
+ [
|
|
|
+ // A unique string which is known to the client and server.
|
|
|
+ // Specify an optional user to identify the peer locally.
|
|
|
+ // It is not used for authentication.
|
|
|
+ {"password": "jq89d23lbvm26tk4t36yg5ugj717wkr", "user": "default-login"}
|
|
|
+
|
|
|
+ // More passwords should look like this.
|
|
|
+ // {"password": "l5t3tpn7z710p8cxly59zxbmy5n8buu", "user": "my-second-peer"},
|
|
|
+ // {"password": "97ylvcn49q4y19f7w7f248hts5l7pbp", "user": "my-third-peer"},
|
|
|
+ // {"password": "yxdzufqxwkbgp4ubusglxm5su4hwp41", "user": "my-fourth-peer"},
|
|
|
+
|
|
|
+ // Below is an example of your connection credentials
|
|
|
+ // that you can give to other people so they can connect
|
|
|
+ // to you using your default password (from above).
|
|
|
+ // The login field here yourself to your peer and the peerName field
|
|
|
+ // is the name the peer which will be displayed in peerStats
|
|
|
+ // Adding a unique password for each peer is advisable
|
|
|
+ // so that leaks can be isolated.
|
|
|
+ /*
|
|
|
+ "your.external.ip.goes.here:61151": {
|
|
|
+ "login": "default-login",
|
|
|
+ "password":"jq89d23lbvm26tk4t36yg5ugj717wkr",
|
|
|
+ "publicKey":"hukfzjh5n30m10303bkhjg1wvuft90s0cqqg5jrjgg781dbly2z0.k",
|
|
|
+ "peerName":"your-name-goes-here"
|
|
|
+ },
|
|
|
+ */
|
|
|
+ ],
|
|
|
+
|
|
|
+ // Settings for administering and extracting information from your router.
|
|
|
+ // This interface provides functions which can be called through a UDP socket.
|
|
|
+ // See admin/Readme.md for more information about the API and try:
|
|
|
+ // ./tools/cexec
|
|
|
+ // For a list of functions which can be called.
|
|
|
+ // For example: ./tools/cexec 'memory()'
|
|
|
+ // will call a function which gets the core's current memory consumption.
|
|
|
+ // ./tools/cjdnslog
|
|
|
+ // is a tool which uses this admin interface to get logs from cjdns.
|
|
|
+ "admin":
|
|
|
+ {
|
|
|
+ // Port to bind the admin RPC server to.
|
|
|
+ "bind": "127.0.0.1:11234",
|
|
|
+
|
|
|
+ // Password for admin RPC server.
|
|
|
+ // This is a static password by default, so that tools like
|
|
|
+ // ./tools/cexec can use the API without you creating a
|
|
|
+ // config file at ~/.cjdnsadmin first. If you decide to
|
|
|
+ // expose the admin API to the network, change the password!
|
|
|
+ "password": "NONE"
|
|
|
+ },
|
|
|
+
|
|
|
+ // Interfaces to connect to the switch core.
|
|
|
+ "interfaces":
|
|
|
+ {
|
|
|
+ // The interface which connects over UDP/IP based VPN tunnel.
|
|
|
+ "UDPInterface":
|
|
|
+ [
|
|
|
+ {
|
|
|
+ // Bind to this port.
|
|
|
+ "bind": "0.0.0.0:61151",
|
|
|
+
|
|
|
+ // Nodes to connect to (IPv4 only).
|
|
|
+ "connectTo":
|
|
|
+ {
|
|
|
+ // Add connection credentials here to join the network
|
|
|
+ // If you have several, don't forget the separating commas
|
|
|
+ // They should look like:
|
|
|
+ // "ipv4 address:port": {
|
|
|
+ // "login": "(optional) name your peer has for you"
|
|
|
+ // "password": "password to connect with",
|
|
|
+ // "publicKey": "remote node key.k",
|
|
|
+ // "peerName": "(optional) human-readable name for peer"
|
|
|
+ // },
|
|
|
+ // Ask somebody who is already connected.
|
|
|
+ }
|
|
|
+ },
|
|
|
+ {
|
|
|
+ // Bind to this port.
|
|
|
+ "bind": "[::]:61151",
|
|
|
+
|
|
|
+ // Nodes to connect to (IPv6 only).
|
|
|
+ "connectTo":
|
|
|
+ {
|
|
|
+ // Add connection credentials here to join the network
|
|
|
+ // Ask somebody who is already connected.
|
|
|
+ }
|
|
|
+ }
|
|
|
+ ]
|
|
|
+,
|
|
|
+ "ETHInterface":
|
|
|
+ [
|
|
|
+ // Alternatively bind to just one device and either beacon and/or
|
|
|
+ // connect to a specified MAC address
|
|
|
+ {
|
|
|
+ // Bind to this device (interface name, not MAC)
|
|
|
+ // "all" is a pseudo-name which will try to connect to all devices.
|
|
|
+ "bind": "all",
|
|
|
+
|
|
|
+ // Auto-connect to other cjdns nodes on the same network.
|
|
|
+ // Options:
|
|
|
+ //
|
|
|
+ // 0 -- Disabled.
|
|
|
+ //
|
|
|
+ // 1 -- Accept beacons, this will cause cjdns to accept incoming
|
|
|
+ // beacon messages and try connecting to the sender.
|
|
|
+ //
|
|
|
+ // 2 -- Accept and send beacons, this will cause cjdns to broadcast
|
|
|
+ // messages on the local network which contain a randomly
|
|
|
+ // generated per-session password, other nodes which have this
|
|
|
+ // set to 1 or 2 will hear the beacon messages and connect
|
|
|
+ // automatically.
|
|
|
+ //
|
|
|
+ "beacon": 2,
|
|
|
+
|
|
|
+ // Node(s) to connect to manually
|
|
|
+ // Note: does not work with "all" pseudo-device-name
|
|
|
+ "connectTo":
|
|
|
+ {
|
|
|
+ // Credentials for connecting look similar to UDP credentials
|
|
|
+ // except they begin with the mac address, for example:
|
|
|
+ // "01:02:03:04:05:06":{"password":"a","publicKey":"b"}
|
|
|
+ }
|
|
|
+ }
|
|
|
+ ]
|
|
|
+
|
|
|
+ },
|
|
|
+
|
|
|
+ // Configuration for the router.
|
|
|
+ "router":
|
|
|
+ {
|
|
|
+ // The interface which is used for connecting to the cjdns network.
|
|
|
+ "interface":
|
|
|
+ {
|
|
|
+ // The type of interface (only TUNInterface is supported for now)
|
|
|
+ "type": "TUNInterface"
|
|
|
+ // The type of tunfd (only "android" for now)
|
|
|
+ // If "android" here, the tunDevice should be used as the pipe path
|
|
|
+ // to transfer the tun file description.
|
|
|
+ // "tunfd" : "android"
|
|
|
+ },
|
|
|
+
|
|
|
+ // System for tunneling IPv4 and ICANN IPv6 through cjdns.
|
|
|
+ // This is using the cjdns switch layer as a VPN carrier.
|
|
|
+ "ipTunnel":
|
|
|
+ {
|
|
|
+ // Nodes allowed to connect to us.
|
|
|
+ // When a node with the given public key connects, give them the
|
|
|
+ // ip4 and/or ip6 addresses listed.
|
|
|
+ "allowedConnections":
|
|
|
+ [
|
|
|
+ // Give the client an address on 192.168.1.0/24, and an address
|
|
|
+ // it thinks has all of IPv6 behind it.
|
|
|
+ // ip4Prefix is the set of addresses which are routable from the tun
|
|
|
+ // for example, if you're advertizing a VPN into a company network
|
|
|
+ // which exists in 10.123.45.0/24 space, ip4Prefix should be 24
|
|
|
+ // default is 32 for ipv4 and 128 for ipv6
|
|
|
+ // so by default it will not install a route
|
|
|
+ // ip4Alloc is the block of addresses which are allocated to the
|
|
|
+ // for example if you want to issue 4 addresses to the client, those
|
|
|
+ // being 192.168.123.0 to 192.168.123.3, you would set this to 30
|
|
|
+ // default is 32 for ipv4 and 128 for ipv6 (1 address)
|
|
|
+ // {
|
|
|
+ // "publicKey": "f64hfl7c4uxt6krmhPutTheRealAddressOfANodeHere7kfm5m0.k",
|
|
|
+ // "ip4Address": "192.168.1.24",
|
|
|
+ // "ip4Prefix": 0,
|
|
|
+ // "ip4Alloc": 32,
|
|
|
+ // "ip6Address": "2001:123:ab::10",
|
|
|
+ // "ip6Prefix": 0
|
|
|
+ // "ip6Alloc": 64,
|
|
|
+ // },
|
|
|
+
|
|
|
+ // It's ok to only specify one address and prefix/alloc are optional.
|
|
|
+ // {
|
|
|
+ // "publicKey": "ydq8csdk8p8ThisIsJustAnExampleAddresstxuyqdf27hvn2z0.k",
|
|
|
+ // "ip4Address": "192.168.1.25",
|
|
|
+ // "ip4Prefix": 0,
|
|
|
+ // }
|
|
|
+ ],
|
|
|
+
|
|
|
+ "outgoingConnections":
|
|
|
+ [
|
|
|
+ // Connect to one or more machines and ask them for IP addresses.
|
|
|
+ // "6743gf5tw80ExampleExampleExampleExamplevlyb23zfnuzv0.k",
|
|
|
+ // "pw9tfmr8pcrExampleExampleExampleExample8rhg1pgwpwf80.k",
|
|
|
+ // "g91lxyxhq0kExampleExampleExampleExample6t0mknuhw75l0.k"
|
|
|
+ ]
|
|
|
+ }
|
|
|
+ },
|
|
|
+
|
|
|
+ // Dropping permissions.
|
|
|
+ // In the event of a serious security exploit in cjdns, leak of confidential
|
|
|
+ // network traffic and/or keys is highly likely but the following rules are
|
|
|
+ // designed to prevent the attack from spreading to the system on which cjdns
|
|
|
+ // is running.
|
|
|
+ // Counter-intuitively, cjdns is *more* secure if it is started as root because
|
|
|
+ // non-root users do not have permission to use chroot or change usernames,
|
|
|
+ // limiting the effectiveness of the mitigations herein.
|
|
|
+ "security":
|
|
|
+ [
|
|
|
+ // Change the user id to sandbox the cjdns process after it starts.
|
|
|
+ // If keepNetAdmin is set to 0, IPTunnel will be unable to set IP addresses
|
|
|
+ // and ETHInterface will be unable to hot-add new interfaces
|
|
|
+ // Use { "setuser": 0 } to disable.
|
|
|
+ // Default: enabled with keepNetAdmin
|
|
|
+ { "setuser": "nobody", "keepNetAdmin": 1 },
|
|
|
+
|
|
|
+ // Chroot changes the filesystem root directory which cjdns sees, blocking it
|
|
|
+ // from accessing files outside of the chroot sandbox, if the user does not
|
|
|
+ // have permission to use chroot(), this will fail quietly.
|
|
|
+ // Use { "chroot": 0 } to disable.
|
|
|
+ // Default: enabled (using "/var/run")
|
|
|
+ { "chroot": "/var/run/" },
|
|
|
+
|
|
|
+ // Nofiles is a deprecated security feature which prevents cjdns from opening
|
|
|
+ // any files at all, using this will block setting of IP addresses and
|
|
|
+ // hot-adding ETHInterface devices but for users who do not need this, it
|
|
|
+ // provides a formidable sandbox.
|
|
|
+ // Default: disabled
|
|
|
+ { "nofiles": 0 },
|
|
|
+
|
|
|
+ // Noforks will prevent cjdns from spawning any new processes or threads,
|
|
|
+ // this prevents many types of exploits from attacking the wider system.
|
|
|
+ // Default: enabled
|
|
|
+ { "noforks": 1 },
|
|
|
+
|
|
|
+ // Seccomp is the most advanced sandboxing feature in cjdns, it uses
|
|
|
+ // SECCOMP_BPF to filter the system calls which cjdns is able to make on a
|
|
|
+ // linux system, strictly limiting it's access to the outside world
|
|
|
+ // This will fail quietly on any non-linux system
|
|
|
+ // Default: enabled
|
|
|
+ { "seccomp": 1 },
|
|
|
+
|
|
|
+ // The client sets up the core using a sequence of RPC calls, the responses
|
|
|
+ // to these calls are verified but in the event that the client crashes
|
|
|
+ // setup of the core completes, it could leave the core in an insecure state
|
|
|
+ // This call constitutes the client telling the core that the security rules
|
|
|
+ // have been fully applied and the core may run. Without it, the core will
|
|
|
+ // exit within a few seconds with return code 232.
|
|
|
+ // Default: enabled
|
|
|
+ { "setupComplete": 1 }
|
|
|
+ ],
|
|
|
+
|
|
|
+ // Logging
|
|
|
+ "logging":
|
|
|
+ {
|
|
|
+ // Uncomment to have cjdns log to stdout rather than making logs available
|
|
|
+ // via the admin socket.
|
|
|
+ // "logTo":"stdout"
|
|
|
+ },
|
|
|
+
|
|
|
+ // If set to non-zero, cjdns will not fork to the background.
|
|
|
+ // Recommended for use in conjunction with "logTo":"stdout".
|
|
|
+ "noBackground":0,
|
|
|
+
|
|
|
+ // Pipe file will store in this path, recommended value: /tmp (for unix),
|
|
|
+ // \\\\.\\pipe (for windows)
|
|
|
+ // /data/local/tmp (for rooted android)
|
|
|
+ // /data/data/AppName (for non-root android)
|
|
|
+ "pipe":"/tmp",
|
|
|
+});
|
|
|
+
|
|
|
+module.exports.defaultConfLen = () => { return DEFAULT_CONF.length; };
|
|
|
+module.exports.defaultConf = (x) => {
|
|
|
+ const out = [];
|
|
|
+ for (let i = 0; i < DEFAULT_CONF.length; i++) {
|
|
|
+ out.push(x + '[' + i + ']=' + DEFAULT_CONF.charCodeAt(i) + ';');
|
|
|
+ }
|
|
|
+ return out.join('\n');
|
|
|
+}
|