Re6st (also called Re6stnet and pronounced "resist") creates a resilient, scalable IPv6 network on top of an existing IPv4 network by creating tunnels on the fly and then routing targeted traffic through these tunnels. Re6st is developed and maintained by Nexedi (see our full free software stack).
re6st can be used to:
A re6stnet network consists of at least one server (re6st-registry) and many nodes (re6stnet). The server is only used to deliver certificates for secure authentication of peers, and to bootstrap new nodes. re6stnet can detect and take into account nodes present on the local network.
re6stnet guarantees that if there exists a route between two machines, traffic will be correctly routed between these two machines. Even if the registry node is down, the probability that the network is not connected is very low for big enough networks (more than a hundred nodes).
Since nodes don't need to know the whole graph of the network, re6stnet easily scales to tens of thousands of nodes.
You can get the source code in the following Git repository: https://lab.nexedi.com/nexedi/re6stnet/ (Github mirror) or browse it online.
It is also published on PyPI.
We are providing a re6st-node package for many distributions. In order to install it, go to
https://build.opensuse.org/package/show/home:VIFIBnexedi/Re6stnet
and find your distribution on the build result at the right of the page. Once you have your distribution name <DISTRIB_NAME>, the repository to add is:
http://download.opensuse.org/repositories/home:/VIFIBnexedi/<DISTRIB_NAME>
For example (as root):
Ubuntu 16.04:
echo "deb http://download.opensuse.org/repositories/home:/VIFIBnexedi/xUbuntu_16.04 ./" >/etc/apt/sources.list.d/re6stnet.list
wget -qO - https://download.opensuse.org/repositories/home:/VIFIBnexedi/xUbuntu_16.04/Release.key | apt-key add -
Debian 9:
echo "deb http://download.opensuse.org/repositories/home:/VIFIBnexedi/Debian_9.0 ./" >/etc/apt/sources.list.d/re6stnet.list
wget -qO - https://download.opensuse.org/repositories/home:/VIFIBnexedi/Debian_9.0/Release.key | apt-key add -
Then:
apt update
apt install re6st-node
The packaging is maintained at https://lab.nexedi.com/nexedi/slapos.package/tree/master/obs/re6st
re6stnet is also distributed as a Python egg: https://pypi.org/project/re6stnet/
See also setup.py for Python dependencies.
re6stnet runs a node of a re6st network. It establishes connections with other nodes by creating OpenVPN tunnels and uses Babel for routing.
re6stnet --registry registry-url --dh dh-path --ca ca-path --cert cert-path --key key-path [options...] [-- [openvpn-options...]]
Use re6stnet --help to get the complete list of options. If you already have IPv6 connectivity by autoconfiguration and still want to use it for communications that are unrelated to this network, then:
--default option).
Set the net.ipv6.conf.<iface>.accept_ra sysctl to value 2 and trigger SLAAC with rdisc6 <iface> to restore the default route if the kernel removed it while enabling forwarding.
The following environment variables are available for processes started with --up or --daemon:
--main-interface option
If the /etc/re6stnet/re6stnet.conf configuration file exists, re6stnet is automatically started as a system daemon by systemd(1). The Debian package also provides SysV init scripts.
--default option
When re6st is configured to route all your IPv6 traffic (--default), any other interface providing IPv6 must have no default route. Otherwise, re6st either refuses to start or aborts if it detects a default route.
Every connection defined in NetworkManager must be configured properly, because the default settings are wrong and conflict with re6st. If --default is used, then disable IPv6; otherwise enable the following options in the [ipv6] section:
ignore-auto-routes=true
never-default=true
In applets, these options are usually named:
Once you know the registry URL of an existing network, use re6st-conf to get a certificate:
re6st-conf --registry http://re6st.example.com/
Use the -r option to add public information to your certificate. A token will be sent to the email address you specify, in order to confirm your subscription. Files are created by default in the current directory, and they are all required by re6stnet:
re6stnet --dh dh2048.pem --ca ca.crt --cert cert.crt --key cert.key \
  --registry http://re6st.example.com/
First you need to know the prefix of your network: let's suppose it is 2001:db8:42::/48. From it, you compute the serial number of the Certificate Authority (CA) that will be used by the registry node to sign delivered certificates, as follows: translate the significant part to hexadecimal (i.e. 20010db80042) and add a 1 as the most significant digit:
openssl req -nodes -new -x509 -key ca.key -set_serial 0x120010db80042 \
  -days 365 -out ca.crt
(see re6st-registry --help for examples to create key/dh files).
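As an added example (not code from the re6stnet project), this Python snippet computes the CA serial exactly as described above, generalised to any prefix length by prepending a single 1 bit to the prefix bits (for lengths that are multiples of 4 this is the leading hex 1 from the text), and decodes an existing serial back to its prefix so the ca.crt you already have can be checked.

```python
# Added example, not part of re6stnet: derive the CA serial from a re6st
# network prefix, and decode a serial back to its prefix as a check.
import ipaddress


def ca_serial_from_prefix(prefix: str) -> int:
    """Serial for a prefix such as 2001:db8:42::/48 -> 0x120010db80042.

    The significant bits of the prefix get a single 1 bit prepended.
    When the prefix length is a multiple of 4, this equals the text's
    rule: the prefix written in hex with a leading 1 digit.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)  # rejects host bits set
    plen = net.prefixlen
    significant = int(net.network_address) >> (128 - plen)
    return (1 << plen) | significant


def ca_serial_hex(prefix: str) -> str:
    """Format the serial as the argument for openssl's -set_serial."""
    return "0x%x" % ca_serial_from_prefix(prefix)


def prefix_from_serial(serial: int) -> ipaddress.IPv6Network:
    """Inverse: recover the network prefix encoded in a CA serial."""
    if serial < 1:
        raise ValueError("serial must carry a leading 1 bit")
    plen = serial.bit_length() - 1        # position of the leading 1 bit
    if plen > 128:
        raise ValueError("serial encodes more than 128 prefix bits")
    significant = serial ^ (1 << plen)    # strip the leading 1 bit
    return ipaddress.IPv6Network((significant << (128 - plen), plen))


def prefix_from_openssl_serial_line(line: str) -> ipaddress.IPv6Network:
    """Parse the 'serial=...' line printed by: openssl x509 -noout -serial."""
    _, _, hexval = line.strip().partition("=")
    return prefix_from_serial(int(hexval, 16))


if __name__ == "__main__":
    prefix = "2001:db8:42::/48"                     # the prefix used in the text
    print(prefix, "->", ca_serial_hex(prefix))      # 0x120010db80042
    # Constructed sample of an openssl output line for that CA certificate.
    print(prefix_from_openssl_serial_line("serial=120010DB80042"))
```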
The CA email will be used as sender for mails containing tokens. The registry can now be started:
re6st-registry --ca ca.crt --key ca.key --mailhost smtp.example.com
The registry uses the builtin HTTP server of Python. For security, it should be placed behind a proxy like Apache. The first registered node should always be up, because its presence is used by all other nodes to guarantee that they are connected to the network. The registry also emits UDP packets that are forwarded via a localhost re6st node, and it is recommended that this is the first one:
re6st-conf --registry http://localhost/
If re6st-conf is run in the directory containing the CA files, ca.crt will be overwritten without harm. See the previous section for more information on creating a node. For bootstrapping, you may have to explicitly set an IP address in the configuration of the first node, via the --ip option. Otherwise, additional nodes won't be able to connect to it.
You can force tunnels to be established and kept between specific nodes using the 'neighbour' option. Use the command below to get the CN of a node:
openssl x509 -noout -subject -in /etc/re6stnet/cert.crt
You can also use the 'interface' option to find other re6st nodes on the same network segment.
Q: Why Is Bootstrapping Taking So Long?
A: When many nodes are saturated or behind an unconfigured NAT, it may take some time to bootstrap. However, if you really think something is wrong, you should first enable OpenVPN logs and increase verbosity: see the commented directives in the configuration generated by re6st-conf.
Q: What Are Potential Causes For Setup Failures?
A: A common failure is caused by a misconfigured firewall:
--pp option.
Other security components may also break re6st. For example, the default SELinux configuration on Fedora prevents execution of OpenVPN server processes.
re6st is Free Software, licensed under the terms of the GNU GPL v3 (or later). For details, please see Nexedi licensing.
For more information, please contact Jean-Paul, CEO of Nexedi (+33 629 02 44 25).