Janmesh - Setting up encrypted ad-hoc mesh network using cjdns and Linux
Welcome to the place where things start. Here you'll find beginner documentation.
Once your mesh is working, you may want to read How to share internet access from one machine connected to the mesh to another one.
Tutorial n°1: How to deploy a local Janmesh network between two computers from scratch
This tutorial is meant to be used with Ubuntu 22.04 LTS or newer, up-to-date Debian, and other Ubuntu-based or Debian-based GNU/Linux distributions, and can be easily adapted to any other distro.
Objectives of this tutorial
The point of this tutorial is to interconnect computers through an ad-hoc wifi network (SSID http://janmesh.net) and to add an encryption and authentication layer on top of it with cjdns. This makes these machines part of the Janmesh meshlocal.
If you want to join an existing Janmesh network over wifi, provided another station is in range, you only need to follow this tutorial on a single computer. If you wish to set up the network from scratch on several computers in your area, you will need to apply these steps on each of them.
General prerequisite
We will assume in this tutorial that your Linux computer is connected to your home LAN and has Internet access through one network interface, and that you have one spare wifi interface devoted to operating the mesh.
In short this means:
- If your computer has only one wifi interface and is connected to your home LAN through Ethernet, that is fine.
- If your computer is connected to your home LAN via wifi, you will need a second wifi interface devoted to the meshlocal. If, say, you have a laptop and the second interface is a USB one, you can simply unplug the Janmesh USB wifi adapter when you move away and don't need the mesh; once back home with neighbours in range, plug it back in and it will autoconfigure and join the mesh without any action needed.
A quick note about wifi support in Linux: since Linux wifi modules ("drivers") are mostly maintained and developed by volunteers, the focus is mainly on Managed mode (connecting to an access point as a client, say in a public place or at home to your ISP box), and ad-hoc support, which allows decentralised station-to-station communication, is not always complete and working as expected.
So even if your wifi card has a Linux module, that alone is not enough to be certain that this particular card will operate in ad-hoc mode properly.
- Tip: as an alternative, if you absolutely need Janmesh connectivity for a device that cannot use ad-hoc mode, you can consider running batman-adv under cjdns in your stack (an http://janmesh.net/bat SSID for your batman-enabled wifi is then recommended, and a corresponding information page about B.A.T.M.A.N. Advanced is planned at this web address on the Janmesh site).
Most notably, batman-adv, which is software devoted specifically to meshlocals, can distribute wifi connectivity in Master (managed) mode to devices that have trouble with ad-hoc. It also interconnects with any batman-adv node on the same SSID within range.
On top of this, cjdns then provides authentication and end-to-end encryption, and it is likely to merge the batman and ad-hoc neighbour-to-neighbour networks as long as at least one person within range operates both ad-hoc and batman, with cjdns on top of both.
A quick note about range: the main thing about the Janmesh project is that the technologies used imply routing between nodes; the more people join the network, the further the range of the whole network extends. Two stations that are unable to connect directly will be able to talk to each other through intermediate stations relaying/routing their (end-to-end encrypted) data.
Out-of-range network segments can easily be connected together using a tunnel across the ordinary Internet. This is a core feature of cjdns, and currently by far its main use. One person somewhere needs to configure their node to accept incoming connections from another person and forward incoming connections through their ISP box; the other person then only needs to be a "leaf" peer by entering the IP address of that box and the credentials provided by the first person, and, voilà, the two network segments are merged as long as Internet access is available.
The addressing
We will use link-local addresses, which have the advantage of being set up automatically. They are used only for the physical layer (ad-hoc wifi) of the network, that is to say for any machine within range of your own wifi. This is sufficient for the scale of any area, because this method allows about 65000 addresses, and most of the time one household will only need one or a handful of addresses.
And now here we go
Definition: root commands and non-root (user) commands
TODO
Step 0: install required software
In a terminal emulator, enter the following command line (needs Internet access):
$ sudo apt-get install git ufw build-essential wireless-tools bison flex nodejs
Step 1: Mesh setup
Step 1.1: installation and configuration of cjdns
Cjdns installation
Download, compile and install cjdns (needs Internet access):
$ cd /opt
$ sudo mkdir cjdns
$ sudo chown <your username for this linux machine> cjdns
$ git clone https://github.com/cjdelisle/cjdns.git
$ cd cjdns
Then continue with the cjdns build script:
$ ./do
[TODO add extra info about Rust]
$ sudo ln -s /opt/cjdns/cjdroute /usr/bin
$ sudo su
# (umask 077 && ./cjdroute --genconf > /etc/cjdroute.conf)
# exit
Step 1.2: block any non-cjdns traffic on wireless interface, block any incoming cjdns traffic
For each machine, we will have to look in the cjdns configuration file for the port it is using. You can open this file with the command:
$ sudo nano /etc/cjdroute.conf
The port number is on the line containing:
"your.external.ip.goes.here:65011": {
(You can quit nano with [CONTROL]+X.)
You now need to take note of the port number (here, 65011). This number is randomly generated and won't be the same on your machine. Write it down, we will need it!
It is also a good idea to write down your cjdns IPv6 address, of the form aaaa:bbbb:cccc:dddd:eeee:ffff, also shown in this file, since it is the address you can pass around to neighbours so they can authenticate connections from your machine or reach any service you run on it.
Here we want to block all traffic on the wifi interface used by the mesh, except for cjdns' port (65011 in this case).
The port number in the next lines should be adjusted to your own cjdns port number.
You can get the actual name of your wifi interface (still marked unmanaged if you have several) with the command iwconfig.
$ sudo ufw default allow
$ sudo ufw allow in on <your wifi interface> to any port <your cjdns port number>
$ sudo ufw deny in on <your wifi interface>
$ sudo ufw enable
The next step is to block all incoming traffic on cjdns' tun0 interface as a whole.
$ sudo ufw deny in on tun0
If you later wish to open a particular service, add an "allow in on tun0 to any port <your service's port>" rule BEFORE this one. Tip: you may want to use Gufw, an easy-to-use graphical front-end to ufw, to do so.
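The port lookup and firewall rules of Step 1.2, as an added example that is not part of this tutorial or of cjdns: a small POSIX shell script that reads the port and IPv6 address from a cjdroute.conf instead of copying them by hand, and prints the ufw rules in the order they must be added. The config shown is a constructed stand-in for the real file, and wlan1 is an assumed interface name.

```shell
# Added example (not part of the Janmesh tutorial): pull the cjdns port and
# IPv6 address out of a cjdroute.conf and build the Step 1.2 ufw rules from them.

# Constructed, trimmed-down stand-in for /etc/cjdroute.conf. It keeps the two
# lines this tutorial tells you to look for; the port and address are sample values.
SAMPLE_CONF='{
    "ipv6": "fc00:1111:2222:3333:4444:5555:6666:7777",
    "interfaces": {
        "UDPInterface": [
            {
                "bind": "0.0.0.0:65011",
                "connectTo": {
                    // Ask somebody who is already connected.
                    // "your.external.ip.goes.here:65011": {
                    //     "login": "default-login"
                    // }
                }
            }
        ]
    }
}'

# Port number from the line the tutorial points at; $1 is the config file path.
cjdns_port() {
    sed -n 's/.*"your\.external\.ip\.goes\.here:\([0-9]*\)".*/\1/p' "$1" | head -n 1
}

# Your own cjdns IPv6 address, from the "ipv6" line of the same file.
cjdns_ipv6() {
    sed -n 's/.*"ipv6": *"\([0-9a-fA-F:]*\)".*/\1/p' "$1" | head -n 1
}

# Print (without running them) the Step 1.2 ufw rules for a wifi interface and port,
# in the order that matters: the allow rule must precede the deny rule on the same
# interface. cjdns' UDPInterface speaks UDP, so the allow rule is narrowed to udp.
mesh_ufw_rules() {
    iface="$1"; port="$2"
    case "$port" in ''|*[!0-9]*) echo "bad port: '$port'" >&2; return 1;; esac
    printf 'ufw allow in on %s to any port %s proto udp\n' "$iface" "$port"
    printf 'ufw deny in on %s\n' "$iface"
    printf 'ufw deny in on tun0\n'
}

# Demonstration on the constructed sample (a real run reads /etc/cjdroute.conf as root).
conf=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$conf"
echo "cjdns port: $(cjdns_port "$conf")   cjdns IPv6: $(cjdns_ipv6 "$conf")"
mesh_ufw_rules wlan1 "$(cjdns_port "$conf")"
rm -f "$conf"
```

The tutorial's "ufw default allow" leaves the default incoming policy open on every other interface, which is why the per-interface deny rules above are what actually closes the mesh interface.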
Then launch cjdns with
$ sudo su
# cjdroute < /etc/cjdroute.conf
# exit
Step 2: Set up the wifi
The iwconfig command once again gives you the name of your wifi interface (still marked unmanaged if you have several).
$ nmcli conn add connection.id janmesh ipv4.method link-local ipv6.method link-local autoconnect yes type wifi ifname <your wifi interface> mode adhoc ssid http://janmesh.net
Step 3: add startup scripts to make the changes permanent
TODO
Licensing: this tutorial is licensed under Creative Commons BY-SA 4.0 license. Contributors to date: Shangri-l, Nomys.