Exit Node Setup Guide

From lokinet wiki

System setup: VPS with 2 virtual cores, 2 GB RAM and a 40 GB SSD, running Debian Bullseye version 11.2.

Note: the terminal commands below assume you are logged in as root or have obtained root rights with su or sudo.

Install Lokinet on your VPS

apt update && apt upgrade
apt install lsb-release curl iptables
curl -so /etc/apt/trusted.gpg.d/oxen.gpg https://deb.oxen.io/pub.gpg
echo "deb https://deb.oxen.io $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/oxen.list
apt update
apt install lokinet


NB! Check that systemd-resolved is set up correctly by running 'head /etc/resolv.conf'; it should return nameserver 127.3.2.1.

apt update && apt upgrade

Configure Lokinet to become an exit node

mkdir -p /var/lib/lokinet/conf.d
nano /var/lib/lokinet/conf.d/00-exit.ini

Add the following lines:

[router]
worker-threads=0
min-connections=12
max-connections=14

[network]
keyfile=/var/lib/lokinet/exit.private
ifaddr=10.0.0.1/16
ifname=exit0
hops=2
paths=8
exit=true


Note that exit.loki runs on one CPU core and uses worker-threads=4 in its settings.


Press Ctrl-X, then Y, to save the file and exit the editor.


After editing lokinet's ini configs you MUST restart lokinet to apply the changes:

systemctl restart lokinet

Enable ip forwarding via sysctl

nano /etc/sysctl.conf

Add the following lines:

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

Press Ctrl-X, then Y, to save /etc/sysctl.conf and exit the editor.

Apply the changes:

sysctl -p

Setup firewall

Check firewall status

iptables -S


On a fresh system this should return only the default policies:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

Add firewall rules for basic operation (eth0 is the VPS's public interface; substitute your interface name if it differs):

iptables -t nat -A POSTROUTING -s 10.0.0.0/16 -o eth0 -j MASQUERADE
iptables-save
ip6tables -t nat -A POSTROUTING -s fd00::a00:0/112 -o eth0 -j MASQUERADE
ip6tables-save

Add a route for the lokinet interface's IPv6 range; this is needed due to a bug in lokinet.

ip -6 route add fd00::a00:0/112 dev exit0

It is advisable to block the ports used by SMTP, SMTP over SSL, SMTP over TLS, IRC and IRC over SSL. This is optional, but it may spare you from DDoS attacks. Check with your VPS host in any case.


for port in 25 465 587 666{0,1,2,3,4,5,6,7} 6697; do
    iptables -A FORWARD -s 10.0.0.0/16 -p tcp -m tcp --dport "$port" -j REJECT --reject-with tcp-reset
    ip6tables -A FORWARD -s fd00::a00:0/112 -p tcp -m tcp --dport "$port" -j REJECT --reject-with tcp-reset
done
iptables-save
ip6tables-save

That unrolls to:

iptables -A FORWARD -s 10.0.0.0/16 -p tcp -m tcp --dport 25 -j REJECT --reject-with tcp-reset
iptables -A FORWARD -s 10.0.0.0/16 -p tcp -m tcp --dport 465 -j REJECT --reject-with tcp-reset
iptables -A FORWARD -s 10.0.0.0/16 -p tcp -m tcp --dport 587 -j REJECT --reject-with tcp-reset
iptables -A FORWARD -s 10.0.0.0/16 -p tcp -m tcp --dport 6660 -j REJECT --reject-with tcp-reset
iptables -A FORWARD -s 10.0.0.0/16 -p tcp -m tcp --dport 6661 -j REJECT --reject-with tcp-reset
iptables -A FORWARD -s 10.0.0.0/16 -p tcp -m tcp --dport 6662 -j REJECT --reject-with tcp-reset
iptables -A FORWARD -s 10.0.0.0/16 -p tcp -m tcp --dport 6663 -j REJECT --reject-with tcp-reset
iptables -A FORWARD -s 10.0.0.0/16 -p tcp -m tcp --dport 6664 -j REJECT --reject-with tcp-reset
iptables -A FORWARD -s 10.0.0.0/16 -p tcp -m tcp --dport 6665 -j REJECT --reject-with tcp-reset
iptables -A FORWARD -s 10.0.0.0/16 -p tcp -m tcp --dport 6666 -j REJECT --reject-with tcp-reset
iptables -A FORWARD -s 10.0.0.0/16 -p tcp -m tcp --dport 6667 -j REJECT --reject-with tcp-reset
iptables -A FORWARD -s 10.0.0.0/16 -p tcp -m tcp --dport 6697 -j REJECT --reject-with tcp-reset
iptables-save
  
ip6tables -A FORWARD -s fd00::a00:0/112 -p tcp -m tcp --dport 25 -j REJECT --reject-with tcp-reset
ip6tables -A FORWARD -s fd00::a00:0/112 -p tcp -m tcp --dport 465 -j REJECT --reject-with tcp-reset
ip6tables -A FORWARD -s fd00::a00:0/112 -p tcp -m tcp --dport 587 -j REJECT --reject-with tcp-reset
ip6tables -A FORWARD -s fd00::a00:0/112 -p tcp -m tcp --dport 6660 -j REJECT --reject-with tcp-reset
ip6tables -A FORWARD -s fd00::a00:0/112 -p tcp -m tcp --dport 6661 -j REJECT --reject-with tcp-reset
ip6tables -A FORWARD -s fd00::a00:0/112 -p tcp -m tcp --dport 6662 -j REJECT --reject-with tcp-reset
ip6tables -A FORWARD -s fd00::a00:0/112 -p tcp -m tcp --dport 6663 -j REJECT --reject-with tcp-reset
ip6tables -A FORWARD -s fd00::a00:0/112 -p tcp -m tcp --dport 6664 -j REJECT --reject-with tcp-reset
ip6tables -A FORWARD -s fd00::a00:0/112 -p tcp -m tcp --dport 6665 -j REJECT --reject-with tcp-reset
ip6tables -A FORWARD -s fd00::a00:0/112 -p tcp -m tcp --dport 6666 -j REJECT --reject-with tcp-reset
ip6tables -A FORWARD -s fd00::a00:0/112 -p tcp -m tcp --dport 6667 -j REJECT --reject-with tcp-reset
ip6tables -A FORWARD -s fd00::a00:0/112 -p tcp -m tcp --dport 6697 -j REJECT --reject-with tcp-reset
ip6tables-save

Make firewall settings persistent after rebooting system

apt install iptables-persistent

Choose Yes when asked to save the current rules during the install, for both IPv4 and IPv6.

Check that the iptables rules have been reloaded with the above settings; this requires a reboot and logging back in to your server:

reboot
iptables -S 
iptables -L -n -t nat
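The following audit helper is an added example, not part of the lokinet wiki or the lokinet project: it checks a text dump of the ruleset (the output of iptables -S and iptables -t nat -S, or the ip6tables equivalents) for the MASQUERADE rule and the full set of SMTP/IRC reject rules from this section, so it can be run offline or after the reboot above. The sample dumps it runs on are constructed, and eth0 is assumed as the public interface.

```shell
#!/bin/bash
# Audit helper for the firewall rules in this guide (added example, not from
# the lokinet wiki or the lokinet project). It works on a text dump of the
# ruleset, so it can be checked offline; on the live host feed it real output:
#   iptables -S | missing_reject_rules 10.0.0.0/16
#   iptables -t nat -S | has_masquerade 10.0.0.0/16 eth0   # eth0 is assumed

# The ports this guide blocks: SMTP (25, 465, 587) and IRC (6660-6667, 6697).
BLOCKED_PORTS="25 465 587 6660 6661 6662 6663 6664 6665 6666 6667 6697"

# Read an `iptables -S` (or `ip6tables -S`) dump on stdin and print, on one
# line, every port in BLOCKED_PORTS that has no tcp-reset REJECT rule for the
# source range given as $1. Prints nothing when the ruleset is complete.
missing_reject_rules() {
    local dump port missing=""
    dump=$(cat)
    for port in $BLOCKED_PORTS; do
        printf '%s\n' "$dump" | grep -qxF -- \
            "-A FORWARD -s $1 -p tcp -m tcp --dport $port -j REJECT --reject-with tcp-reset" \
            || missing="$missing $port"
    done
    echo "${missing# }"
}

# Read an `iptables -t nat -S` dump on stdin; succeed only if the POSTROUTING
# MASQUERADE rule for source range $1 leaving interface $2 is present.
has_masquerade() {
    grep -qxF -- "-A POSTROUTING -s $1 -o $2 -j MASQUERADE"
}

# Constructed sample filter dump (not real output): the default policies plus
# the IPv4 reject rules, minus any ports listed in $1, to simulate drift.
sample_filter_dump() {
    printf '%s\n' '-P INPUT ACCEPT' '-P FORWARD ACCEPT' '-P OUTPUT ACCEPT'
    for port in $BLOCKED_PORTS; do
        case " $1 " in *" $port "*) continue ;; esac
        printf '%s\n' "-A FORWARD -s 10.0.0.0/16 -p tcp -m tcp --dport $port -j REJECT --reject-with tcp-reset"
    done
}

# Constructed sample nat dump (not real output).
SAMPLE_NAT='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.0.0.0/16 -o eth0 -j MASQUERADE'

# Demo on the constructed dumps: reports "6665 6697" as missing, then "nat ok".
sample_filter_dump "6665 6697" | missing_reject_rules 10.0.0.0/16
printf '%s\n' "$SAMPLE_NAT" | has_masquerade 10.0.0.0/16 eth0 && echo "nat ok"
```

For the IPv6 rules, run the same functions with fd00::a00:0/112 as the source range against ip6tables -S and ip6tables -t nat -S output.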

Check if Lokinet is up and running

systemctl status lokinet

Retrieve your permanent .loki address (two alternatives):

host -t cname localhost.loki 127.3.2.1
nslookup -type=cname localhost.loki 127.0.0.1


Monitor your Exit node

apt install lokinetmon iftop munin-node
lokinetmon
iftop -i exit0

Do not forget to create a non-root user with sudo rights, disable root login, generate SSH keys and disable SSH password login by setting PasswordAuthentication no.