You are here

Configuring the GNUnet VPN Exit Service

Primary tabs

If you want to allow other users to share your Internet connection (yes, this may be dangerous, just as running a Tor exit node) or want to provide access to services on your host (this should be less dangerous, as long as those services are secure), you have to enable the GNUnet exit daemon.

You then get to specify which exit functions you want to provide. By enabling the exit daemon, you will always automatically provide exit functions for manually configured local services (this component of the system is under development and not documented further at this time). As for those services you explicitly specify the target IP address and port, there is no significant security risk in doing so.

Furthermore, you can serve as a DNS, IPv4 or IPv6 exit to the Internet. Being a DNS exit is usually pretty harmless. However, enabling IPv4 or IPv6-exit without further precautions may enable adversaries to access your local network, send spam, attack other systems from your Internet connection and to other mischief that will appear to come from your machine. This may or may not get you into legal trouble. If you want to allow IPv4 or IPv6-exit functionality, you should strongly consider adding additional firewall rules manually to protect your local network and to restrict outgoing TCP traffic (i.e. by not allowing access to port 25). While we plan to improve exit-filtering in the future, you're currently on your own here. Essentially, be prepared for any kind of IP-traffic to exit the respective TUN interface (and GNUnet will enable IP-forwarding and NAT for the interface automatically).

Additional configuration options of the exit as shown by the gnunet-setup tool are:

IP Address of external DNS resolver

If DNS traffic is to exit your machine, it will be send to this DNS resolver. You can specify an IPv4 or IPv6 address.

IPv4 address for Exit interface

This is the IPv4 address the Interface will get. Make the mask of the address big enough (255.255.0.0 or, even better, 255.0.0.0) to allow more mappings of IP addresses into this range. As for the VPN interface, any unused, private IPv4 address range will do.

IPv6 address for Exit interface

The public IPv6 address the interface will get. If your kernel is not a very recent kernel and you are willing to manually enable IPv6-NAT, the IPv6 address you specify here must be a globally routed IPv6 address of your host.

Suppose your host has the address 2001:4ca0::1234/64, then using
2001:4ca0::1:0/112 would be fine (keep the first 64 bits, then change at least one bit in the range before the bitmask, in the example above we changed bit 111 from 0 to 1).

You may also have to configure your router to route traffic for the entire subnet (2001:4ca0::1:0/112 for example) through your computer (this should be automatic with IPv6, but obviously anything can be disabled).