
DN42

If you need assistance with DN42 configuration, you may refer to DN42 Experimental Network: Intro and Registration and my previous posts on DN42.

Here are some links that may help you diagnose problems with our peering.

  • My Looking Glass
    • You can see the BIRD routing software status across my nodes, including whether a BGP session is established and whether routes are received.
    • You can run traceroute to either public IP addresses or DN42 ones.
  • Route ROA filtering stats
    • My network only accepts routes that are registered in DN42. Received routes that are invalid or unknown will be listed here.
    • Invalid route: this IP block is registered in DN42, but the route's actual origin differs from the registration.
    • Unknown route: this IP block isn't registered in DN42.
      • It usually means you announced your private intranet (such as 192.168.0.0/16 or 10.0.0.0/8) to others by mistake.
      • Or maybe you just registered and my ROA information isn't updated yet. Please wait 4-8 hours and restart our peering.
      • Or maybe you only created inetnum/inet6num objects, but not route/route6 objects.
      • See the list of unknown IPv4 routes, and the list of unknown IPv6 routes.
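The three states above, as an added example written for this page rather than code from the author's BIRD setup: a Python route origin validator with the same valid/invalid/unknown semantics (RFC 6811), run over a constructed ROA table and a constructed set of received routes, and a diagnose() helper that attaches the hint each state calls for. The prefixes and ASN stated on this page are reused; the ROA max lengths, the hypothetical peer AS4242420001 and its block, and the DN42 address ranges used for the unknown-route diagnosis are assumptions.

```python
"""Route origin validation with DN42-style ROA data (RFC 6811 semantics).

Added example; not code from the original page. The ROA entries below are
constructed: the prefixes and ASN of the first three come from this page, the
max lengths and the fourth (hypothetical peer) entry are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Roa:
    prefix: Network     # registered block (from a route/route6 object)
    max_length: int     # most specific announcement the block allows
    origin_asn: int     # ASN allowed to originate it


def roa(prefix: str, max_length: int, origin_asn: int) -> Roa:
    return Roa(ipaddress.ip_network(prefix), max_length, origin_asn)


ROA_TABLE: List[Roa] = [
    roa("172.22.76.184/29", 29, 4242422547),
    roa("172.22.76.96/27", 32, 4242422547),
    roa("fdbc:f9dc:67ad::/48", 64, 4242422547),
    roa("172.21.2.0/24", 24, 4242420001),   # hypothetical peer
]

# Assumed DN42 allocation space (the page's AllowedIPs ranges minus 10.0.0.0/8,
# which the page itself cites as a typical intranet leak).
DN42_SPACE: List[Network] = [ipaddress.ip_network(n) for n in
                             ("172.20.0.0/14", "172.31.0.0/16", "fd00::/8")]


def _covers(outer: Network, inner: Network) -> bool:
    # subnet_of() raises on mixed families, so compare the version first.
    return outer.version == inner.version and inner.subnet_of(outer)


def classify(prefix: str, origin_asn: int, roas: List[Roa] = ROA_TABLE) -> str:
    """Return "valid", "invalid" or "unknown" for one received route."""
    route = ipaddress.ip_network(prefix, strict=False)
    covering = [r for r in roas if _covers(r.prefix, route)]
    if not covering:
        return "unknown"          # nobody registered this block
    for r in covering:
        if r.origin_asn == origin_asn and route.prefixlen <= r.max_length:
            return "valid"
    return "invalid"              # registered, but wrong origin or too specific


def diagnose(prefix: str, origin_asn: int, roas: List[Roa] = ROA_TABLE) -> str:
    """classify() plus the hint a peer needs to fix the announcement."""
    state = classify(prefix, origin_asn, roas)
    if state == "valid":
        return "valid"
    if state == "invalid":
        return "invalid: registered, but origin ASN or prefix length does not match the ROA"
    route = ipaddress.ip_network(prefix, strict=False)
    if any(_covers(n, route) for n in DN42_SPACE):
        return "unknown: DN42 space without a route/route6 object, or ROA data not refreshed yet"
    return "unknown: outside DN42 space, probably a leaked private intranet prefix"


def filter_announcements(announcements: List[Tuple[str, int]],
                         roas: List[Roa] = ROA_TABLE) -> Dict[str, List[str]]:
    """Bucket (prefix, origin ASN) pairs the way a looking glass would list them."""
    buckets: Dict[str, List[str]] = {"valid": [], "invalid": [], "unknown": []}
    for prefix, asn in announcements:
        buckets[classify(prefix, asn, roas)].append(prefix)
    return buckets


if __name__ == "__main__":
    # Constructed sample of routes "received" from the hypothetical peer.
    received = [("172.21.2.0/24", 4242420001),      # their own block
                ("172.22.76.96/27", 4242420001),    # hijack of my block
                ("172.22.76.188/30", 4242422547),   # right origin, too specific
                ("192.168.0.0/16", 4242420001),     # leaked intranet
                ("172.23.5.0/24", 4242420001)]      # DN42 space, no route object
    for p, a in received:
        print(f"{p:22} AS{a}  {diagnose(p, a)}")
```

The max length matters as much as the origin: a /30 cut out of a /29 whose ROA allows nothing longer than /29 is invalid even when the origin ASN is right, which is the case a peer announcing more-specifics of their own block runs into.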

"1xRTT" Peering

I live in China, and (many of) you may be on the opposite side of the planet. This means that, due to timezone differences, one round of information exchange (you send an email, I respond while you sleep, you see my reply after you wake up) may take 24 hours or even more.

Here I provide instructions for "1xRTT" peering, which means we can peer with only one email from you and one email from me. Even if you and I are in the same timezone, this will still simplify things.

  1. Choose a server from the list below. Usually this will be the one with lowest latency (ping) to your server.
    • If you have multiple servers in DN42, I'm open to peering with all of them at once.
  2. Choose a type of VPN for tunneling.
    • I usually prefer WireGuard and OpenVPN, but others such as GRE/Plain and ZeroTier will also work.
      • GRE/IPsec configuration is extremely complicated, and different IPsec implementations usually have severe compatibility issues; it may take days or even weeks to debug. Therefore I no longer accept GRE/IPsec tunnels, and existing tunnels may be disconnected at any time.
    • WARN: I DO NOT peer with servers in mainland China, to avoid possible legal issues.
    • I'm also willing to try new types of VPNs - just ask!
  3. Configure the BGP daemon and VPN software on your side. You may assume I will use the following configuration:
    • My General Information:
      • ASN: 4242422547
      • Public IP: listed below
      • DN42 IPv4 (IP used in tunnel on my end): listed below
        • If you need an address block (such as /30) for IPv4 tunnel, it will come out of your address space.
        • This is usually needed for hardware routers, such as Mikrotik.
      • DN42 IPv6: fe80::2547 for peering over link-local addresses
        • If you need an address block (such as /64) for IPv6 tunnel, it will come out of your address space.
      • Multiprotocol BGP (MP-BGP):
        • Although I support MP-BGP, I still configure two BGP sessions (1 IPv4 & 1 IPv6) by default.
        • If you also support MP-BGP and only need one session, just let me know.
    • For creating a tunnel connection:
      • WireGuard/OpenVPN port on my side: last 5 digits of your ASN
        • e.g. 4242420001 means I will use port 20001
      • OpenVPN static key: generated by you, send to me later
      • OpenVPN default configuration: shown below
        • If you can't use my default configuration, set something suitable for you and send it to me
      • ZeroTier One: I will request to join your network
        • You may try to invite my server to your network, if possible
  4. Send the following information via email to b980120@hotmail.com:
    • Your General Information:
      • ASN
      • Public IP
        • I prefer IPv4 since IPv6 is tunnelled on some of my servers (HE.NET Tunnelbroker)
      • DN42 IPv4 and IPv6 (IP used in tunnel on your end)
        • Or address blocks, if you need them for the tunnel
        • Including link-local address for IPv6 peering
      • Which server you want to peer with
    • For creating a tunnel connection:
      • WireGuard/OpenVPN port on your side
        • I will assume 22547 if you don't specify
      • OpenVPN static key (generated by you)
      • ZeroTier One: Your network ID (I will request to join your network)
      • OpenVPN custom configuration (if necessary)
  5. Wait until I set up the tunnel and peering and respond to your email. Usually peering is up by then.

PS: It's not recommended to contact me over IRC. Although I leave my IRC client running, I only read messages once or twice per month unless you ask me to in email. And IRC chat is unlikely to be instant anyway, due to timezone differences.
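A pre-flight check for the request in step 4, as an added example (not code from this page or the author's tooling): it derives both tunnel ports from the page's rule and flags the mistakes that typically cost an extra round trip, such as an ASN outside DN42, tunnel addresses outside DN42 space, a link-local address that is not in fe80::/64, or a WireGuard key that does not decode to 32 bytes. The page's ASN and port rule are used as stated; the DN42 ASN block and address ranges are assumptions, and the sample request is constructed.

```python
"""Checks on a DN42 peering request before it goes out by email.

Added example, not code from the page. The ASN of this page and its port rule
are used; the DN42 ASN block and address ranges are assumptions.
"""
import base64
import ipaddress
from typing import Any, Dict, List, Optional, Tuple, Union

MY_ASN = 4242422547                                    # the ASN stated on this page
DN42_ASN_MIN, DN42_ASN_MAX = 4242420000, 4242423999    # assumption: DN42 ASN block
DN42_V4 = [ipaddress.ip_network(n) for n in ("172.20.0.0/14", "172.31.0.0/16")]
DN42_V6 = ipaddress.ip_network("fd00::/8")
LINK_LOCAL = ipaddress.ip_network("fe80::/64")

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def tunnel_port(asn: int) -> int:
    """Port rule from the page: the last five digits of the other side's ASN."""
    return asn % 100000


DEFAULT_PEER_PORT = tunnel_port(MY_ASN)   # 22547, assumed when you name no port


def wg_key_ok(key: str) -> bool:
    """A WireGuard key is 32 bytes, base64-encoded (44 characters, one '=')."""
    try:
        raw = base64.b64decode(key, validate=True)
    except ValueError:        # binascii.Error is a ValueError
        return False
    return len(raw) == 32


def _addr(value: Any) -> Optional[Address]:
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def check_request(req: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the request is sane."""
    problems: List[str] = []
    asn = int(req["asn"])
    if not DN42_ASN_MIN <= asn <= DN42_ASN_MAX:
        problems.append(f"ASN {asn} is outside the DN42 ASN range")
    v4 = _addr(req["dn42_ipv4"])
    # 'in' on a network of the other family is False, so a v6 here is flagged too
    if v4 is None or not any(v4 in n for n in DN42_V4):
        problems.append(f"tunnel IPv4 {req['dn42_ipv4']} is not a DN42 address")
    v6 = _addr(req["dn42_ipv6"])
    if v6 is None or v6 not in DN42_V6:
        problems.append(f"tunnel IPv6 {req['dn42_ipv6']} is not a DN42 address")
    ll = _addr(req["link_local"])
    if ll is None or ll not in LINK_LOCAL:
        problems.append(f"link-local {req['link_local']} is not in fe80::/64")
    if not wg_key_ok(str(req["wg_pubkey"])):
        problems.append("WireGuard public key is not 32 base64-encoded bytes")
    return problems


def ports(req: Dict[str, Any]) -> Tuple[int, int]:
    """(port I listen on for you, port you listen on for me)."""
    return tunnel_port(int(req["asn"])), int(req.get("port") or DEFAULT_PEER_PORT)


def sample_request() -> Dict[str, Any]:
    """Constructed request; the key is 32 arbitrary bytes, not a real key."""
    return {"asn": 4242420001,
            "dn42_ipv4": "172.21.2.3",
            "dn42_ipv6": "fd12:3456:7890::1",
            "link_local": "fe80::1234",
            "wg_pubkey": base64.b64encode(bytes(range(32))).decode()}


if __name__ == "__main__":
    req = sample_request()
    print("problems:", check_request(req))
    print("ports (my side, your side):", ports(req))
```

The port check is the one most often got backwards: my side listens on the last five digits of your ASN, and your side, if you name no port, is assumed to listen on the last five digits of mine, which is why the default is 22547.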

My Network

  • ASN: 4242422547
  • IPv4 Pool: 172.22.76.184/29 and 172.22.76.96/27
  • IPv6 Pool: fdbc:f9dc:67ad::/48
  • My Side's Default Port: last 5 digits of your ASN
  • Looking glass: https://lg.lantian.pub

Servers

  • Server 1: Hong Kong, China, provider IDC.wiki (originally 50KVM)

    • Domain: 50kvm.lantian.pub
    • Public IPv4: 23.226.61.104 / v4.50kvm.lantian.pub
    • Public IPv6: 2001:470:19:10bd::1 / v6.50kvm.lantian.pub
    • DN42 IPv4: 172.22.76.186 / v4.50kvm.dn42.lantian.pub
    • DN42 IPv6: fdbc:f9dc:67ad:1::1 / v6.50kvm.dn42.lantian.pub
    • Link-local IPv6: fe80::2547
    • WireGuard Public Key: xelzwt1j0aoKjsQnnq8jMjZNLbLucBPwPTvHgFH/czs=
  • Server 2: Los Angeles, United States, provider HostDare

    • Domain: hostdare.lantian.pub
    • Public IPv4: 185.186.147.110 / v4.hostdare.lantian.pub
    • Public IPv6: 2607:fcd0:100:b100::198a:b7f6 / v6.hostdare.lantian.pub
    • DN42 IPv4: 172.22.76.185 / v4.hostdare.dn42.lantian.pub
    • DN42 IPv6: fdbc:f9dc:67ad:3::1 / v6.hostdare.dn42.lantian.pub
    • Link-local IPv6: fe80::2547
    • WireGuard Public Key: zyATu8FW392WFFNAz7ZH6+4TUutEYEooPPirwcoIiXo=
  • Server 3: New York, United States, provider VirMach

    • Domain: virmach-ny1g.lantian.pub
    • Public IPv4: 107.172.134.89 / v4.virmach-ny1g.lantian.pub
    • Public IPv6: 2001:470:1f07:54d::1 / v6.virmach-ny1g.lantian.pub
    • DN42 IPv4: 172.22.76.190 / v4.virmach-ny1g.dn42.lantian.pub
    • DN42 IPv6: fdbc:f9dc:67ad:8::1 / v6.virmach-ny1g.dn42.lantian.pub
    • Link-local IPv6: fe80::2547
    • WireGuard Public Key: a+zL2tDWjwxBXd2bho2OjR/BEmRe2tJF9DHFmZIE+Rk=
  • Server 4: Roost, Bissen, Luxembourg, provider BuyVM

    • Domain: buyvm.lantian.pub
    • Public IPv4: 107.189.12.254 / v4.buyvm.lantian.pub
    • Public IPv6: 2605:6400:30:f22f::1 / v6.buyvm.lantian.pub
    • DN42 IPv4: 172.22.76.187 / v4.buyvm.dn42.lantian.pub
    • DN42 IPv6: fdbc:f9dc:67ad:2::1 / v6.buyvm.dn42.lantian.pub
    • Link-local IPv6: fe80::2547
    • WireGuard Public Key: DkmSBCIgrxPPZmT07DraoCSD/jSByjPkYqHJWfVZ5hM=

These templates are written from your perspective; you don't need to swap sides when using them on your server.

OpenVPN:

proto         udp
mode          p2p

# my (or your peer's) server IP
remote        185.186.147.110
# my (or your peer's) tunnel port, last 5 digits of your ASN
rport         21234
# your server IP
local         12.34.56.78
# your tunnel port, usually 22547 (or last 5 digits of your peer's ASN)
lport         22547

dev-type      tun
resolv-retry  infinite
dev           dn42-lantian    # change to whatever you want
# comp-lzo is deprecated since OpenVPN 2.4 (use "compress lzo" there); both sides must match
comp-lzo
persist-key
persist-tun
tun-ipv6
cipher        aes-256-cbc
# first is your DN42 IPv4, second is mine (or your peer's)
ifconfig      172.21.2.3 172.22.76.185
# first is your link-local IPv6, second is mine (or your peer's)
ifconfig-ipv6 fe80::1234 fe80::2547

# Post-up script that:
# 1. Removes the stable-privacy IPv6 address
# 2. Assigns the preferred outbound IPv6 address (fd12:3456:7890::1 in this case)
script-security 2
up "/bin/sh -c '/sbin/sysctl -w net.ipv6.conf.$dev.autoconf=0 && /sbin/sysctl -w net.ipv6.conf.$dev.accept_ra=0 && /sbin/sysctl -w net.ipv6.conf.$dev.addr_gen_mode=1 && /sbin/ip addr add fd12:3456:7890::1/128 dev $dev'"

# Set to static key for our tunnel
# Generated with openvpn --genkey --secret static.key
<secret>
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef0123456789abcdef
# ...
# key contents
# ...
0123456789abcdef0123456789abcdef
-----END OpenVPN Static key V1-----
</secret>

WireGuard config (for use with wg-quick up):

[Interface]
# Your WireGuard private key
PrivateKey = ABCDEFABCDEFABCDEFABCDEFABCDEFABCDEFABCDEFA=
# Port number on your side
ListenPort = 22547
# Let BGP decide routing: stop wg-quick from installing routes for AllowedIPs
Table = off
# Add your link-local IPv6 (fe80::1234 in this case)
PostUp = ip addr add fe80::1234/64 dev %i
# Add your DN42 IPv6 address (fd12:3456:7890::1 in this case)
PostUp = ip addr add fd12:3456:7890::1/128 dev %i
# First IP is your DN42 IPv4, second is mine
PostUp = ip addr add 172.21.2.3 peer 172.22.76.185 dev %i
PostUp = sysctl -w net.ipv6.conf.%i.autoconf=0

[Peer]
# Set to my (or your peer's) public key
PublicKey = zyATu8FW392WFFNAz7ZH6+4TUutEYEooPPirwcoIiXo=
# Set to my (or your peer's) node IP and port, the port is last 5 digits of your ASN
Endpoint = hostdare.lantian.pub:21234
# Cryptokey routing ACL, not routes: only packets for these ranges are sent to / accepted from this peer
AllowedIPs = 10.0.0.0/8, 172.20.0.0/14, 172.31.0.0/16, fd00::/8, fe80::/64