Friday, July 26, 2013

Your Own DarkNet: Retroshare

There are various DarkNet systems available, for example FreeNet, Retroshare, TOR, Ricochet and GnuNet.  These are also known as Friend to Friend networks and creates a Virtual Private Mesh Network between trusted parties.

FreeNet is a little different, in that it can operate in two modes - public and private - where the private mode is a true DarkNet.  The Onion Router (TOR) is also a kind of public DarkNet proxy service which is very easy to use - do get the TOR Browser package - called Orbot on Android - very handy.

With a DarkNet, you can exchange files and chat in complete security - well, as secure as the other endpoints.  So if any of the endpoints run an untrustworthy operating system such as MS Windows, then one could argue that the whole circle is probably not secure.

Retroshare and other systems like it are not completely Black.  With a sniffer, an attacker can glean a little bit of information on who is connected to who, especially when one party is using unsecured WiFi, but they won't get far.

A private DarkNet is useful for Geeks who do support for their whole family and can set the whole mesh net up.  Same as for a corporate network, you can only go black if you have control over all the end points.  As soon as data needs to travel outside your VPN mesh net, it is free to anyone to sniff, spy, gloat and giggle over.

Always remember that the Public Internet is exactly that - it is Public...

Retroshare

The Retroshare application is cross platform and offers an easy way to transfer files between machines.  It also provides voice, video, chat and discussion fora.


You can set up multiple circles of trust, for example 'herman-work' and 'herman-home'. For me it provides a secure alternative to Dropbox and other insecure online FTP services.  Retroshare also works fine between mobile machines.   They always manage to find each other again!

First Steps

Before you start, get two or more machines that you want to be able to connect.  It could even be two virtual machines.  Make sure that the network connections between them are working properly before continuing.

Enable uPnP on your internet gateway.  This is by far the easiest way to ensure that the connection to the wide wide world will be trouble free.

If you only want to install on one machine, then you can test your connection with a public chat server, for example http://retrochat.piratenpartei.at/

Do install Keepass (Windows), KeepassX (Linux, Mac), or KeepassDroid (Android) on each of your machines.  If you put the (it is encrypted!) password database in Dropbox or Copy.com, then you can access your passwords everywhere and only need to remember the long master password.  You can then easily use random highly secure gobbledygook passwords for everything else.

As soon as you start to get serious about security, you will descend into password hell, unless you install a cross platform password manager.  I have over a hundred passwords and most of them are random sequences that are impossible to remember or type by hand.  KeepassX preserves my sanity.


Installation on a Mac

The downloads are here:
http://retroshare.sourceforge.net/downloads.html

On a Mac, download the file, run it, drag it to the Applications folder, then Ctrl-Click to run it the first time.

Installation on Windows

That should be just as easy as on a Mac, but if you are so worried about security that you want to use Retroshare, then you probably should go out and buy a Mac or a Linux machine first and dump your Windows machine in a river...

Installation on Linux

You can download Retroshare for Fedora 20 from here:


Get these files:
  • retroshare-0.5.5c-1.1.x86_64.rpm
  • retroshare-debuginfo-0.5.5c-1.1.x86_64.rpm
  • retroshare-nogui-0.5.5c-1.1.x86_64.rpm
  • retroshare-plugins-0.5.5c-1.1.x86_64.rpm
Use rpm to install them in this order:
      # rpm -ivh retroshare-nogui-0.5.5c-1.1.x86_64.rpm
      # rpm -ivh retroshare-0.5.5c-1.1.x86_64.rpm
      # rpm -ivh retroshare-debuginfo-0.5.5c-1.1.x86_64.rpm
      # rpm -ivh retroshare-plugins-0.5.5c-1.1.x86_64.rpm

Setup 

To test Retroshare, you can install it on multiple virtual machines and on each one create a new identity.  Once you are comfortable with it, you can transfer your main ID from one of your machines to every machine you own, so that you can work everywhere with the same ID.  This is done with a key Export, Import and Certificate exchange between the two locations.

You need to generate a PGP key, which is your ID in the Retroshare system.  For that, you need a strong password.  Therefore, install KeepassX, if you haven’t got it already, and generate a password of at least 16 characters for good security.  You need to enter this password 3 times,  twice at the start and once more when you generated the new identity and it wants to save it in the GPG key ring.

Once the ID key pair is generated, Retroshare should start up, you’ll have to authorize installation of the plugins and then all should be well.

More information here: http://retroshare.wikidot.com/ and here: http://retroshareteam.wordpress.com/2012/11/03/retroshares-anonymous-routing-model/

The biggest issue is that you need to use uPnP in your internet router or forward a port manually to make it work through a NAT firewall.

Some more on NAT firewalls here: http://retroshare.sourceforge.net/wiki/index.php/Frequently_Asked_Questions#Can_I_connect_from_behind_a_Firewall.3F_How_Do_I_set_the_Firewall.3F

For best results, your circle of friends should have at least one, 'always on' computer somewhere.  The initial connection IP address is exchanged together with your PGP key and thereafter your machines are tracked through a Distributed Hash Table (DHT).  Provided that at least one computer in your circle of friends is still at the last address you reached it at, your machine should be able to connect with everybody no matter how much you or them have moved around.  This static member could be a little Raspberry Pi, or a Beaglebone Black.  More on that later!


Connect to Others

Retroshare has an Add a Friend Wizard (the little blue man at the top left) which will allow you to send the friend your Certificate and he has to send you his - both of you must accept it to complete the handshake.  

The first time you do this, I suggest that you use the Enter Certificate Manually method.  Then just highlight copy and paste the certificates to each other.  At the bottom of the certificate, Retroshare appends your IP address.  This enables the receiving party to connect back to you the first time - thereafter it will consult the DHT.



You can also send the certs by email, but that requires email to be set up already, which may not be the case if you are experimenting on a new virtual machine.

If everything (uPnP and DHT) is working, you should be able to connect.  If it fails, check that the two virtual machines are in the same subnet and can ping each other, turn their firewalls off and so on, otherwise nothing is going to work.


I hope that works and you can successfully go over to the Dark Side.

May The Force be with you...

No comments:

Post a Comment

On topic comments are welcome. Junk will be deleted.