Adding the Cipe module...

**medwards67** · 07-30-2003, 06:04 PM

Hello,

We're trying to recompile the Knoppix kernel so that we can add Cipe capability to the CD. Anyone done that yet? We're having a small problem re-compiling due to the xfs file system. We are unable to patch the kernel so that we can even attempt to incorporate Cipe. Any direction pathing for xfs so we can re-compile the kernel would be appreciated, I hope it's just cockpit error here. Again, if anyone has a Cipe enabled kernel alreay up, we're interested in trying it out. Otherwise we'll keep trying this.

Thanks in advance for any help,

Mike

**mack** · 08-15-2003, 12:21 AM

You don't really need all that patching to compile a kernel for knoppix. The xfs patch is optional. My remastered Knoppix works without it.

The only thing you do need is the tiny patch for making the commandline 512 instead of 256. Find it in /usr/src/knoppix.patch.

I haven't remastered with Cipe myself since I'm using Tinc instead, it you shouldn't have a problem. Just go ahead and try it. Compile the kernel and modules, replace the modules in miniroot.gz, and boot it. If it doesn't work, post the results here and we'll see what can be done.

**garyng** · 08-15-2003, 12:57 AM

out of curiosity, why cipe or tinc rather than FreeS/Wan which seems to have better interoperability ?

**mack** · 08-15-2003, 03:20 AM

Originally Posted by garyng

out of curiosity, why cipe or tinc rather than FreeS/Wan which seems to have better interoperability ?

Habbit. FreeS/Wan used to be a bitch to configure when all you want is a trivial vpn. Haven't tried it recently but I heard its easier now.

FreeS/Wan didn't work as a module and required a kernel patch while cipe was a module.

Tinc was even easier to get used to, since it didn't do any kernel stuff. It uses /dev/tap0 (or tun0 on Solaris) and runs in usermode.

How much time does it take you to set up a trivial vpn using FreeS/Wan nowadays ?
With tinc, it takes about two minutes once you're used to it.

**garyng** · 08-15-2003, 03:51 AM

now I have gotten your attention, may I ask some tinc/cipe setup question concerning XP<->linux

How would I (of is it possible) to do the following :

XP<---->NAT Router<-------Internet--------->NAT Router<-------->XP/Linux

I have installed tinc for win32 on XP and don't know how to proceed from there. I just got the network icon showing 'network cable being unplugged'.

**mack** · 08-15-2003, 11:25 AM

Originally Posted by garyng

now I have gotten your attention, may I ask some tinc/cipe setup question concerning XP<->linux

How would I (of is it possible) to do the following :

XP<---->NAT Router<-------Internet--------->NAT Router<-------->XP/Linux

I have installed tinc for win32 on XP and don't know how to proceed from there. I just got the network icon showing 'network cable being unplugged'.

I didn't even know there is a version for windows, let alone tried it.

The above setup is a big problematic. How do you get packets going between the two NATed hosts ? I see only two solutions:

1. Have the NAT Router on at least one side forward connections on the tinc port to the host behind it. In iptables, you can use the DNAT target for that. Thats what I usually do.

2. If you don't control any of the routers, you'll have no choice but to use a third host on the internet. This host will act as a tinc hub with a fixed IP, and both users will open connections to it. This is ideal for roaming users who need to vpn between themselves. The caveat is that you need to protect this "hub" since it encrypts/decrypts all packets and an would be the ideal place for attackers to tap into your vpn.

Actually, if there are only two participating hosts, you could have a variation of #2, which is safer. Just have some host act as a datapipe on some port. The two hosts will connect that host, and all traffic will be forwarded between them. You could do that without writing any code, by using socat(1), which is a great tool to use anyway.