Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
branch: feature-2-laye…

This branch is 3051 commits behind cjdelisle:master

Fetching latest commit…

Cannot retrieve the latest commit at this time

Failed to load latest commit information.


Dear Reader,
    I suppose you are here because you are interested in alternative networks,
perhaps for censorship resistance, perhaps network security and I have no doubt you are wondering what
the hell this thing is supposed to do.
We can all find common ground in the statement that The Internet is painfully insecure. Free speech
and privacy advocates find it insecure against government listening and blocking, governments find
it insecure against hackers taking systems over and leaking secrets, and internet service providers
find it insecure against DDoS kiddies who use large swarms of zombie machines to send enough traffic
to overload a network link. These are, however, all different views of the same problem.

We have a number of somewhat competing offerings to solve this problem from ISPs and government.
We have IPSEC, DNSSEC, numerous proposals from the mundane to the wild and whacky such as "internet
drivers licenses".
The people who have developed these proposals are unfortunately limited in their thinking. ISPs are
unable to see past the now almost 30 year old routing protocols which glue together the internet of
today. Government actors are conditioned to think of something as secure when they have control over
it. A quick look at x509 (the authentication system behind SSL) shows us that central points of
failure inevitably live up to their name. In order to have a central authority, the people must not
only be able to trust his motives but they must be able to trust his system's integrity as well.
Recently people's email was compromised when DigiNotar certificate authority was hacked and used to
forge gmail certificates.

It is worthy of note that the vulnerability in DNS which ICE exploited to take down websites
they deemed "dedicated to copyright infringement" was also used by Anonymous to replace a movie
industry website with a manifesto.

--------------------   A System Is Only Secure When Nobody Has Total Control   --------------------

What is cjdns?
It is a routing engine designed for security, scalability, speed and ease of use.
The dream: You type ./cjdns and give it an interface which connects another node and it gives you an
ipv6 address generated from a public encryption key and a virtual network card (TUN device) which
you can use to send packets to anyone in the cjdns network to which you are connected.

How does it work?
In order to understand how cjdns works, it is important to understand how the existing internet works
when you send a packet, at each "intersection in the road" the router reads the address on the packet
and decides which turn it should take. In the cjdns net, a packet goes to a router and the router
labels the packet with directions to a router which will be able to best handle it. That is, a router
which is near by in physical space and has an address which is numerically close to the destination
address of the packet. The directions which are added to the packet allow it to go through a number
of routers without much handling, they just read the label and bounce the packet wherever the next
bits in the label tell them to. Routers have a responsibility to "keep in touch" with other routers
that are numerically close to their address and also routers which are physically close to them.
The router engine is a modified implementation of the Kademlia DHT design.

How close is it to complete?
If we're lucky, we'll have a live test network for Christmas.

What about DNS?
DNS is a complex system to implement and highly complex to implement without central authority, if
you would like to offer help with this part, I invite you to come join.

If you are still interested in this project and want to follow it, get in the channel on IRC:

Thank you for your time and interest,

Caleb James DeLisle  ==  cjdelisle  ==  cjd

##### SNIP #####
Please read this, or atleast skim it ;)

--- Possibly outdated below.
--- Please check IRC for the latest info

Some raw pastes for the curious: (like this doc)

##### SNIP #####
How To compile cjdns on Debian 6 (Squeeze) 

Hint1: You did a backup recently ;)
Hint2: Might work same under Ubuntu.

# [command] lines are commands
- [comment] lines are comments (or instructions/ it!)
* [therest] is obvious

-Remove older versions of deps

-Be sure libevent is gone and remove if found. It will cause problems during the build.
# dpkg -l | grep ^ii| grep libevent
ii  libevent-dev                    1.3e-3                     Development libraries, header files and docs
ii  libevent1                       1.3e-3                     An asynchronous event notification library
# apt-get remove libevent-dev

-Note: You may need to (re)compile TOR if you use it.

--Get newest versions of deps, some additional things
# apt-get install build-essential cmake git

--libevent2 required:

- Grab the stable tarball from libevent and untar
- CHECK for LATEST version
# wget
# tar -xzf libevent-2.0.16-stable.tar.gz

- Enter directory and compile libevent
# cd libevent-2.0.16-stable
# ./configure
- resolve missing dependencies if needed and run again until all errors gone
# make
# make install

-Grab it and go there
# git clone cjdns
# cd cjdns

-Setup build dir and go there
# mkdir build
# cd build

-You Likely want DEBUG logs: (this is VERY ALPHA after all)
# export Log_LEVEL=DEBUG

# cmake ..

# make

-Look for:
Linking C executable DNSTools_test
[100%] Built target DNSTools_test

--ALL DONE! Wanna test? Sure.

##### SNIP #####
-Use screen or such to get a few ttys, Xterms, pipe to log and bg, whatever.

-TESTING Instructions:
-Change to the cjdns/build directory if you need to

-Run cjdroute without options for HELP
# ./cjdroute

Step 1:
  Generate a new configuration file.
    ./cjdroute --genconf > cjdroute.conf

Step 2:
  From a root shell or using sudo, run use these commands:

  Create a cjdns user so it can run unprivileged.
    useradd cjdns

  Create a new TUN device and give the cjdns user authority to access it:
    /sbin/ip tuntap add mode tun user cjdns
    /sbin/ip tuntap list | grep `id -u cjdns`
  The output of the last command will tell you the name of the new device.
  This is needed to edit the configuration file.

Step 3:
  Edit the configuration file, fill in the key from the node to connect to and your
  password as well as the bind address to listen for UDP packets on and the
  passwords of other nodes who are allowed to connect to this node.
  Also replace "tunDevice": "tun0" with the name of the TUN device gotten in step 2

Step 4:
  Get the commands to run in order to prepare your TUN device by running:
    ./cjdroute --getcmds < cjdroute.conf
  These commands should be executed as root now every time the system restarts.

Step 5:
  Fire it up!
    sudo -u cjdns ./cjdroute < cjdroute.conf

  To delete a tunnel, use this command:
    /sbin/ip tuntap del mode tun <name of tunnel>

##### SNIP #####
** Known issues:

-Old versions of the IP utility do not work for creating tunnel devices
# ip -V
ip utility, iproute2-ss080725
# /sbin/ip tuntap add mode tun user cjdns
Object "tuntap" is unknown, try "ip help".
# /sbin/ip tuntap list
Object "tuntap" is unknown, try "ip help".

# ip -V
ip utility, iproute2-ss100519
# /sbin/ip tuntap list
tun0: tun user 1001

The fix, for now grab a copy of a newer 'ip' binary and copy it to your home dir. Replacing the system binaries is not likely a good idea.

** Currently we are still debugging some routing issues.
If you want to help out, load up a few VMs or physical boxen,
link them, see what happens, tell us! :)

Lots of bugs to fix yet, but hey, its talking now!!

##### SNIP #####
** Self Check your IPv6 addy to be sure you are not offering more services then you intended to ;)
- Use ifconfig -a to find your tun device's IP address (same as above)

# nmap -6 -n -r -v -p1-65535 -sT fcf7:75f0:82e3:327c:7112:b9ab:d1f9:bbbe

Starting Nmap 5.61TEST2 ( ) at 2011-12-29 20:40 EST
Initiating Connect Scan at 20:40
Scanning fcf7:75f0:82e3:327c:7112:b9ab:d1f9:bbbe [65535 ports]
Completed Connect Scan at 20:40, 4.38s elapsed (65535 total ports)
Nmap scan report for fcf7:75f0:82e3:327c:7112:b9ab:d1f9:bbbe
Host is up (0.00073s latency).
All 65535 scanned ports on fcf7:75f0:82e3:327c:7112:b9ab:d1f9:bbbe are closed

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 4.60 seconds
           Raw packets sent: 0 (0B) | Rcvd: 0 (0B)

If you see anything open, fix it.

Some examples:

ssh - /etc/ssh/sshd_config
^^ Replace with your STATIC IP (or map dhcp via mac)

samba - /etc/samba/smb.conf
interfaces = eth0                                                       
bind interfaces only = Yes
^^ this will not bind to tun0 (or whichever device)

--Thats IT for now.

Got More? Tell us on IRC.


Something went wrong with that request. Please try again.