
DN42

If you need assistance with DN42 configuration, you may refer to "DN42 Experimental Network: Intro and Registration" and my previous articles on DN42.

"1xRTT" Peering

I live in China, and (many of) you may be on the opposite side of the planet. This means that due to timezone differences, one round of information exchange (you send an email, I respond while you sleep, you see my reply after you wake up) may need 24 hours or even more.

Here I provide instructions to perform "1xRTT" peering, which means we can peer with only one email from you and one email from me. Even if you and I are in the same timezone, this will still simplify things.

  1. Choose a server from the list below. Usually this will be the one with the lowest latency (ping) to your server.
    • If you have multiple servers in DN42, I'm open to peering with all of them at once.
  2. Choose a type of VPN for tunneling.
    • I usually prefer WireGuard and OpenVPN, but others such as GRE/IPSec, GRE/Plain and ZeroTier will also work.
    • WARN: I DO NOT peer with servers in mainland China, to avoid possible legal issues.
    • I'm also willing to try new types of VPNs - just ask!
  3. Configure the BGP daemon and VPN software on your side. You may assume I will use the following configuration:
    • My General Information:
      • ASN: 4242422547
      • Public IP: listed below
      • DN42 IPv4 (IP used in tunnel on my end): listed below
        • If you need an address block (such as /30) for IPv4 tunnel, it will come out of your address space.
        • This is usually needed for hardware routers, such as Mikrotik.
      • DN42 IPv6: fe80::2547 for peering over link-local addresses
        • If you need an address block (such as /64) for IPv6 tunnel, it will come out of your address space.
      • Multiprotocol BGP (MP-BGP):
        • Although I support MP-BGP, I still configure two BGP sessions (1 IPv4 & 1 IPv6) by default.
        • If you also support MP-BGP and only need one session, just let me know.
    • For creating a tunnel connection:
      • WireGuard/OpenVPN port on my side: last 5 digits of your ASN
        • e.g. 4242420001 means I will use port 20001
      • OpenVPN static key: generated by you, send to me later
      • GRE/IPSec public key: listed below
      • OpenVPN/IPSec default configuration: shown below
        • If you can't use my default configuration, set something suitable for you and send it to me
      • ZeroTier One: I will request to join your network
        • You may try to invite my server to your network, if possible
  4. Send the following information via email to b980120@hotmail.com:
    • Your General Information:
      • ASN
      • Public IP
        • I prefer IPv4 since IPv6 is tunnelled on some of my servers (HE.NET Tunnelbroker)
      • DN42 IPv4 and IPv6 (IP used in tunnel on your end)
        • Or address blocks, if you need them for the tunnel
        • Including link-local address for IPv6 peering
      • Which server you want to peer with
    • For creating a tunnel connection:
      • WireGuard/OpenVPN port on your side
        • I will assume 22547 if you don't specify
      • OpenVPN static key (generated by you)
      • GRE/IPSec public key
      • ZeroTier One: Your network ID (I will request to join your network)
      • OpenVPN/IPSec custom configuration (if necessary)
  5. Wait till I set up the tunnel and peering, and respond to your email. Usually peering is successful by now.

PS: It's not recommended to contact me over IRC. Although I leave my IRC client running, I only read messages once or twice per month, unless you ask me to do so in email. And IRC chat is unlikely to be instant due to timezone differences.

My Network

  • ASN: 4242422547
  • IPv4 Pool: 172.22.76.184/29 and 172.22.76.96/27
  • IPv6 Pool: fdbc:f9dc:67ad::/48
  • My Side's Default Port: last 5 digits of your ASN
  • Looking glass: https://lg.lantian.pub

Servers

  • Server 1: Hong Kong, China, provider GigsGigsCloud

    • Domain: gigsgigscloud.lantian.pub

    • Public IPv4: 103.42.215.193

    • Public IPv6: 2001:470:19:10bb::1

      • This node has extremely high latency (~150ms) to HE tunnel broker, so IPv4 is strongly preferred, unless you only have IPv6.
    • DN42 IPv4: 172.22.76.186

    • DN42 IPv6: fdbc:f9dc:67ad::8b:c606:ba01

    • Link-local IPv6: fe80::2547

    • WireGuard Public Key: xelzwt1j0aoKjsQnnq8jMjZNLbLucBPwPTvHgFH/czs=

    • IPSec Public Key:

  • Server 2: Los Angeles, United States, provider HostDare

    • Domain: hostdare.lantian.pub

    • Public IPv4: 185.186.147.110

    • Public IPv6: 2607:fcd0:100:b100::198a:b7f6

    • DN42 IPv4: 172.22.76.185

    • DN42 IPv6: fdbc:f9dc:67ad::dd:c85a:8a93

    • Link-local IPv6: fe80::2547

    • WireGuard Public Key: zyATu8FW392WFFNAz7ZH6+4TUutEYEooPPirwcoIiXo=

    • IPSec Public Key:

  • Server 3: New York, United States, provider VirMach

    • Domain: virmach-ny1g.lantian.pub

    • Public IPv4: 107.172.134.89

    • Public IPv6: 2001:470:1f07:54d::1

    • DN42 IPv4: 172.22.76.190

    • DN42 IPv6: fdbc:f9dc:67ad::cc:433e:da3b

    • Link-local IPv6: fe80::2547

    • WireGuard Public Key: a+zL2tDWjwxBXd2bho2OjR/BEmRe2tJF9DHFmZIE+Rk=

    • IPSec Public Key:

  • Server 4: Frankfurt, Germany, provider Virtono

    • Domain: virtono.lantian.pub
    • Public IPv4: 45.138.97.165
    • Public IPv6: 2001:ac8:20:3::433a:a05d
    • DN42 IPv4: 172.22.76.187
    • DN42 IPv6: fdbc:f9dc:67ad::20:5549:a809
    • Link-local IPv6: fe80::2547
    • WireGuard Public Key: DkmSBCIgrxPPZmT07DraoCSD/jSByjPkYqHJWfVZ5hM=
    • IPSec Public Key: None yet (will generate one if someone ever needs IPSec)
  • Server 5: Romania, provider HostSolutions

    • Domain: hostsolutions.lantian.pub
    • Public IPv4: 45.14.150.211
    • Public IPv6: 2001:470:1f1b:bb::1
      • This node has high latency (~50ms) to HE tunnel broker, so IPv4 is preferred, unless you only have IPv6.
    • DN42 IPv4: 172.22.76.188
    • DN42 IPv6: fdbc:f9dc:67ad::b2:9dd9:af42
    • Link-local IPv6: fe80::2547
    • WireGuard Public Key: o1khch2IZ5IbVgEm8kIKyCtqj1hfkRb+OP51tOBrwSk=
    • IPSec Public Key: None yet (will generate one if someone ever needs IPSec)

My Config Templates (Default Parameters)

If you plan to copy my templates, remember to swap information of both sides, such as IPs.

OpenVPN:

proto         udp
mode          p2p
remote        [YOUR_IP]
rport         22547
local         [MY_IP]
lport         [LAST_5_DIGITS_OF_YOUR_ASN]
dev-type      tun
resolv-retry  infinite
dev           dn42-[PEER_NAME]
comp-lzo
persist-key
persist-tun
tun-ipv6
cipher        aes-256-cbc
ifconfig      [MY_DN42_IP] [YOUR_DN42_IP]
ifconfig-ipv6 fe80::2547 [YOUR_LINK_LOCAL_IP]

# Remove stable-privacy IPv6 address
script-security 2
up "/bin/sh -c '/sbin/sysctl -w net.ipv6.conf.$dev.autoconf=0 && /sbin/sysctl -w net.ipv6.conf.$dev.accept_ra=0 && /sbin/sysctl -w net.ipv6.conf.$dev.addr_gen_mode=1'"

<secret>[STATIC_KEY]</secret>

ipsec.conf:

conn dn42-[PEER_NAME]
    keyexchange=ikev1
    ike=aes128-sha384-ecp384!
    esp=aes128gcm16-ecp384!
    ikelifetime=28800s
    authby=pubkey
    dpdaction=restart
    lifetime=3600s
    type=transport
    auto=start
    keyingtries=%forever
    left=[MY_IP]
    right=[YOUR_IP]
    leftrsasigkey=/etc/ipsec.d/public/mykey.pem
    rightrsasigkey=/etc/ipsec.d/public/[YOUR_KEY].pem
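
WireGuard is listed above as a preferred tunnel type, but the page gives no template for it. The following Python script is an added example, not the author's own configuration: it renders a wg-quick config for your end of a tunnel to Server 1, applying the page's port rule and rejecting a malformed key or out-of-range address before anything is written. The dn42 address ranges, the sample peer addresses and all function names are assumptions that do not come from the page.

```python
import base64
import ipaddress

# Copied from the page's entry for Server 1 (Hong Kong).
SERVER1 = {"host": "gigsgigscloud.lantian.pub", "dn42_v4": "172.22.76.186",
           "link_local": "fe80::2547",
           "pubkey": "xelzwt1j0aoKjsQnnq8jMjZNLbLucBPwPTvHgFH/czs="}
# Assumption (not on the page): dn42 IPv4 space and the ranges commonly
# allowed on dn42 tunnels.
DN42_V4 = ipaddress.ip_network("172.20.0.0/14")
ALLOWED = "172.20.0.0/14, 172.31.0.0/16, 10.0.0.0/8, fd00::/8, fe80::/64"

def port_from_asn(asn):
    """Page rule: the remote side listens on the last 5 digits of your ASN."""
    port = asn % 100000
    if not 1024 <= port <= 65535:  # e.g. an ASN ending in 99999 or 00080
        raise ValueError(f"ASN {asn} gives unusable port {port}; agree on one by email")
    return port

def check_wg_key(key):
    """WireGuard keys are 32 bytes, base64-encoded; catches truncated pastes."""
    if len(base64.b64decode(key, validate=True)) != 32:
        raise ValueError("WireGuard key must decode to exactly 32 bytes")
    return key

def render_wg_quick(my_asn, my_v4, my_ll, listen_port=22547, server=SERVER1):
    """Render the config for YOUR end of the tunnel (sides already swapped)."""
    if ipaddress.ip_address(my_v4) not in DN42_V4:
        raise ValueError(f"{my_v4} is outside {DN42_V4}")
    if not ipaddress.IPv6Address(my_ll).is_link_local:
        raise ValueError(f"{my_ll} is not a link-local address")
    return "\n".join([
        "[Interface]",
        "PrivateKey = [YOUR_PRIVATE_KEY]",   # placeholder; stays on your host
        f"ListenPort = {listen_port}",       # page: 22547 is assumed if unspecified
        "Table = off",                       # routes come from BGP, not wg-quick
        f"PostUp = ip addr add {my_v4}/32 peer {server['dn42_v4']}/32 dev %i",
        f"PostUp = ip addr add {my_ll}/64 dev %i",
        "",
        "[Peer]",
        f"PublicKey = {check_wg_key(server['pubkey'])}",
        f"Endpoint = {server['host']}:{port_from_asn(my_asn)}",
        f"AllowedIPs = {ALLOWED}",
    ]) + "\n"

if __name__ == "__main__":
    # Constructed sample peer: the page's example ASN plus made-up tunnel addresses.
    print(render_wg_quick(4242420001, "172.20.10.1", "fe80::1234"))
```
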