Client

From Bondix Wiki
Revision as of 14:08, 25 June 2021 by Red (talk | contribs)

The Bondix SANE client is the software that you install on your supported router, which establishes a connection to the server using multiple WAN links.

For OpenWRT based routers, please check this page.

Installation

Log into your router via SSH and do the following:

Create installation directory mkdir -p /opt/bondix

cd /opt/bondix

Download installation package curl -o sane.tar.gz <DOWNLOAD-URL>
Extract package tar -xvzf sane.tar.gz

You can verify that the correct version has been installed with the command /opt/bondix/client/saneclient --version

If successful, it should print its version string.

Configuration

Configuration is done using JSON commands. These can either be sent via a raw TCP socket (localhost:5113), or written to a configuration file (in a json-array) that is parsed at start-up. This allows both a fixed configuration as well as adjustments during runtime without the need to restart the service. By default, SANE checks for the existence of a configuration file in its installation directory (e.g. /opt/bondix/client/saneclient.json) and at /etc/saneclient.json. If you want SANE to load a configuration from a different location, you can specify it using a command line parameter.

Quick Start

This example provides the minimal necessities to get a tunnel up and running:

[
  {"action": "create", "target": "tunnel", "name": "TUNNELNAME", "password": "TUNNELPASSWORD"},
  {"action": "add-server", "target": "tunnel", "host": "ENDPOINTSERVER", "port": "443"},
  {"action": "create-interfaces", "target": "tunnel", "interfaces": {
    "eth1": "mobileAggressive",
    "wwan0": "mobileAggressive",
    "wwan1": "mobileAggressive"
  }},
  {"target": "tunnel", "action": "set-preset", "preset": "bonding"}
]

Command Structure

A JSON command has the following structure: {"target": "<module>", "action": "<command>", [...additional values...]}

Where <module> specifies the configuration submodule and <command> specifies what should be done.

System Commands

{"target": "system", 
  "action": "shutdown"
}

Shuts down the client and terminates.
{"target": "system", 
  "action": "set-log", 
  "file": "/var/log/saneclient.log", 
  "fileMode": "append"
}

Enables logging to file or changes output file.
Parameters
file The filename that the log should be written to. Required.
fileMode can be append or overwrite. Required.
{"target": "system", 
  "action": "set-webinterface", 
  "host": "0.0.0.0", 
  "port": "80",
  "allowConfig": false, 
  "allowMonitor": true, 
  "configApiKey": "123456", 
  "webroot": "/tmp/"
}

Enables the integrated webserver & debug webinterface.
Parameters
host IP that the service should listen on. Required.
port TCP Port that the service should listen on. Required.
allowConfig En- or disables web configuration. Not required, enabled by default.
allowMonitor En- or disables web monitor. Not required, enabled by default.
configApiKey The password required to access configuration & monitor. Not required, "123456" by default.
webroot Web root directory. Points to the "www" subdirectory in installation directory. Not required, changing not advised.

Tunnel Commands

{"target": "tunnel", 
  "action": "create", 
  "name": "MyTunnel", 
  "password: "1234", 
  "server": "10.0.0.1", 
  "interfaceName": "bndx0", 
  "values": {...}
}

create

Sets up basic tunnel configuration.

Parameters
name Tunnel Name. Required.
password Password. Required.
server Endpoint target IP. Optional.
interfaceName Desired name of the virtual tunnel network interface. Optional.
values A JSON object containing configuration parameters for the tunnel.
{"target": "tunnel", 
  "action": "add-server", 
  "host": "10.0.0.1", 
  "port": "443"
}

add-server

Adds a endpoint server. If multiple servers are added, the client will cycle through them until a connection has been established successfully.

Parameters
host IP or host of the destination server. Required.
port Port of the destination server. Optional (Default: "443").
{"target": "tunnel", 
  "action": "create-interfaces", 
  "interfaces": { 
    "wwan0": "mobile", 
    "eth1": "ethernet"
  } 
}

create-interfaces

Creates channels for the specified interfaces using presets.

Parameters
interfaces a JSON object where each key is a network interface name, with the corresponding value being a preset name. Required.
{"target": "tunnel", 
  "action": "set-preset", 
  "preset": "Bonding"
}

set-preset

Applies a tunnel preset. See Presets for more info.

Parameters
name Name of the tunnel preset. Required.
{"target": "tunnel", 
  "action": "set-ifname", 
  "name": "bondix0"
  } 
}

set-ifname

Renames the virtual network tunnel interface.

Parameters
name The name that the interface should be renamed to. Required.
{"target": "tunnel", 
  "action": "set-cert-check", 
  "enabled": true
  } 
}

set-cert-check

Enables or disables verification of the server's SSL certificate. TODO: Which root cert dir is used when no custom root certificate is provided?

Parameters
enabled Enables or disables SSL certificate verification. Required.
{"target": "tunnel", 
  "action": "set-root-ca", 
  "file": "/etc/ssl/foobar.pub"
  } 
}

set-root-ca

Specifies a root certificate that can be used to verify the authenticity of the remote server. When used, SSL server verification will be automatically enabled.

Parameters
file location of the public root certificate file. Required.
{"target": "tunnel", 
  "action": "set-certificate", 
  "cert": "/etc/ssl/foobar.pem"
  "key": "/etc/ssl/foobar.key"
  } 
}

set-certificate

Loads a tunnel client certificate. See Certificates for further information.

Parameters
cert location of the public certificate file. Required.
key location of the private certificate key file. Required.
{"target": "tunnel", 
  "action": "embed-certs", 
  "cert": "...",
  "key": "...",
  "root": "..."
  } 
}

embed-certs

A helper functions to embed tunnel & root certificate inside the configuration instead of an external file. Performs the same actions as set-certificate and set-root-ca combined.

Parameters
cert The tunnel public certificate as string. Required. key The tunnel private certificate key as string. Required. root The public root certificate for server verification. Required.



Running

The software can be run in the shell using /opt/bondix/client/saneclient, where it will run in the foreground. However, it is recommended to start the service automatically on startup, which can be different depending on the platform.

Parameters

--daemon Runs the software as a daemon.
--nopid Does not attempt to create a pid-file at /var/run/saneclient.pid
--listflags Lists available feature flags
--flags <FLAG1> <FLAG2>... Enables the specified flag(s). Multiple flags are separated using space.
</path/to/filename.json> JSON configuration file that should be used

Feature Flags

Feature flags are switches that enable certain features that are otherwise unavailable. These features are usually experimental and should be used with caution.

useBlake Switches from SHA256 to the "blake" hashing algorithm. Depending on architecture, this can slightly improve performance.
useBlake3 Switches to the "blake3" hashing algorithm. Depending on architecture, this can slightly improve performance.
disableHash Disables hashing completely, allowing potential MitM, with a vast speed improvement.
useMMSG uses useMMSG linux socket API to send & receive multiple UDP packets at once. This improves performance under load, while stable there are some corner cases which can trigger error messages in the log.
channelRoutes Makes the client create specific routes for each channel. Experimental, do not use.
bondingProxy Enables the TCP Bonding Proxy.