Aktuelle Version vom 9. Juni 2023, 23:39 Uhr

Note for Buildup and Teardown

Please bear with us during buildup and teardown. The GPN 2023 build up takes place on Wednesday, June, 7th and tear down starts on Sunday, May, 11th.

Please understand that we're quite a busy folk during that time and we have a lot of stuff getting set up or torn down. This means, we're not angry with anybody, but have a tight schedule we have to follow in order get everything done in time - especially during build up on Wednesday.

If we're very busy or too exhausted and don't find the time to answer your questions or requests, please give us some time and come back later when there is less business at the GPN NOC Desk.

Network

Yes, we've got internet. Some networks are unfiltered, e.g. no firewall, no NAT and use public IP adresses. Please make sure, all your devices are up-to-date and services running on your devices are configured securely. We recommend to activate a firewall. There are firewalled networks as well filtering out some of the inbound network requests. For details, see below

Please bring your own network cable (3m - 5m) with you. When connecting your device to the switch, please make sure the cable does not form a tripping hazard or spans between tables.

Please consider using a wired connecting in order to save air time. Due to a lot of access points located GPN, HfG and ZKM, air time is really tight.

Wi-Fi (recommended)

Connect to: GPN21-open

No password needed!

We offer WPA3 based opportunistic encryption on this SSID.

Wi-Fi (advanced)

Credentials (Default: Protected from connections outside the event)

SSID: GPN21
Mode: WPA2-Enterprise
- TTLS/PAP or PEAP/MSCHAPv2
  - (But not TTLS/MASCHAPv2)
Username and Passwort
- for PEAP/MSCHAPv2:
  - Username/Identity: gpn
  - Password: gpn
  - Domain: radius.gpn-noc.de
  - CA certificate: Use system certificate Note: For Google Pixel 6 (Pro) with Android 12
- for TTLS/PAP
  - Domain: radius.gpn-noc.de
  - Everything else: <anything you like - we don't care>

If you want to check that you really connect to the insecure network of your choice, please verify the certificate of CN radius.gpn-noc.de is issued by Let's Encrypt.

Credentials (Protected from every incoming connection)

SSID: GPN21
Mode: WPA2-Enterprise
- TTLS/PAP or PEAP/MSCHAPv2
  - (But not TTLS/MASCHAPv2)
Username and Passwort
- for PEAP/MSCHAPv2:
  - Username/Identity: protect-me
  - Password: protect-me
  - Domain: radius.gpn-noc.de
  - CA certificate: Use system certificate Note: For Google Pixel 6 (Pro) with Android 12
- for TTLS/PAP
  - Domain: radius.gpn-noc.de
  - Everything else: <anything you like - we don't care>

If you want to check that you really connect to the insecure network of your choice, please verify the certificate of CN radius.gpn-noc.de is issued by Let's Encrypt.

Credentials (not firewalled)

SSID: GPN21
Mode: WPA2-Enterprise
- TTLS/PAP or PEAP/MSCHAPv2
  - (But not TTLS/MASCHAPv2)
Username and Passwort
- for PEAP/MSCHAPv2:
  - Username/Identity: no-firewall
  - Password: no-firewall
  - Domain: radius.gpn-noc.de
  - CA certificate: Use system certificate Note: For Google Pixel 6 (Pro) with Android 12
- for TTLS/PAP
  - Domain: radius.gpn-noc.de
  - Everything else: <anything you like - we don't care>

If you want to check that you really connect to the insecure network of your choice, please verify the certificate of CN radius.gpn-noc.de is issued by Let's Encrypt.

wpa_supplicant.conf

network={
    ssid="GPN21"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="wiki"
    password="binzufauldaspwzuaendern"
    # ca path on debian 11.x, modify accordingly
    ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"
    altsubject_match="DNS:radius.gpn-noc.de"
    phase2="auth=PAP"
}

iwd

Create a file under /var/lib/iwd/GPN21.8021x with the following:

[Security]
  EAP-Method=TTLS
  EAP-Identity=open@identity.com
  #EAP-TTLS-CACert=/certs/ca-cert.pem
  EAP-TTLS-Phase2-Method=Tunneled-PAP
  EAP-TTLS-Phase2-Identity=wiki
  EAP-TTLS-Phase2-Password=binzufauldaspwzuaendern
  #EAP-TTLS-ServerDomainMask=*.domain.com

[Settings]
  AutoConnect=true

netctl

Description='GPN21 secure WPA2 802.1X config'
Interface=wlp4s0
Connection=wireless
Security=wpa-configsection
IP=dhcp
ESSID=GPN21
WPAConfigSection=(
    'ssid="GPN21"'
    'proto=RSN WPA'
    'key_mgmt=WPA-EAP'
    'eap=TTLS'
    'identity="wiki"'
    'password="binzufauldaspwzuaendern"'
    'ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"'
    'altsubject_match="DNS:radius.gpn-noc.de"'
    'phase2="auth=PAP"'
)

Network manager (text file)

Create a file /etc/NetworkManager/system-connections/GPN21.nmconnection with the following:

[connection]
id=GPN21
uuid=a60a535f-57cb-4fe8-9688-7ff9bd315311
type=wifi
autoconnect=false

[wifi]
mode=infrastructure
ssid=GPN21

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
ca-cert=/etc/ssl/certs/ISRG_Root_X1.pem
domain-suffix-match=radius.gpn-noc.de
eap=ttls;
identity=gpn
password=gpn
phase2-auth=pap

[ipv4]
method=auto

[ipv6]
addr-gen-mode=stable-privacy
method=auto

[proxy]

Make sure non-root users do not have read/write permissions for this file - Network Manager will ignore configuration files with incorrect permissions set. Then, reload the connections and start the service:

sudo nmcli connection reload
nmcli c up GPN21

NetworkManager (GUI nm-connection-editor)

Certificate path: /etc/ssl/certs/ISRG_Root_X1.pem

Colocation

YES, we'll have a colocation again and we can provide you with:

10GbE SFP+ ports. We do not lend transceivers. We never have and never will - ever!!! The colo switch is a Cisco Nexus and usually accepts a wide range of transceivers.
1000Base-T (1GBE) ports / 10GBase-T is available as well.

Label your stuff!

Please mark your server with

your nickname.
and your DECT- or cellphone-number.
and your e-mail adress to get in contact with you.

Otherwise we have to disconnect your server.

Location

The colocation can be found on the 1. OG (2nd floor) on the 'bridge' between both hack centers.

Addressing

IP addressing is static only. We use "Laundry Clip DHCP": Get your laundry clip at the NOC Desk and attach it to your network cable. Please bring back the laundry clips after the event.

Configure your network interfaces like this (X is your laundry clip number):

IPv4

Address: 94.45.226.X/24
Gateway: 94.45.226.1

IPv6

Address: 2001:67c:20a1:226::X/64
Gateway: 2001:67c:20a1:226::1

You can encode your clip number as hex, but don't need to!

In case of problems, find us at the NOC desk or call DECT 662.

Pixelflut

You have built your own fancy Pixelflut and want to bring it along to GPN?
But you don't know where to place it or connect it with enough uplink?

=> Please come to the NOC Desk and ask our staff. We'll be there for you starting Thursday afternoon, e.g. after the Opening (if build up is already finished).

Please also consider limiting the Pixelflut traffic to local traffic, only.

Android 11 Config Screenshots

(Sorry, german language OS)

GPN21

 Hauptseite |

FAQ

@@ Zeile 1: / Zeile 1: @@
-''' COPIED FROM [[ GPN20:NOC ]] '''
+= Note for Buildup and Teardown =
+''Please bear with us during buildup and teardown.''
+The GPN 2023 build up takes place on Wednesday, June, 7th and tear down starts on Sunday, May, 11th.
-= Buildup / Teardown =
+Please understand that we're quite a busy folk during that time and we have a lot of stuff getting set up or torn down.
-The GPN20 build up takes place on Wednesday, May, 18th and tear down starts on Sunday afternoon, May, 22nd.
-Please understand that we're quite a busy folk during that time and we have a lot of stuff getting set up.
 This means, we're not angry with anybody, but have a tight schedule we have to follow in order get everything done in time - especially during build up on Wednesday.
@@ Zeile 10: / Zeile 9: @@
 = Network =
-Yes, we've got internet. All provided networks are '''unfiltered''', e.g. no firewall, no NAT and use '''public IP adresses'''. Please make sure, all your devices are up-to-date and services running on your devices are configured securely. We recommend to activate a firewall.
+Yes, we've got internet. Some networks are '''unfiltered''', e.g. no firewall, no NAT and use '''public IP adresses'''. Please make sure, all your devices are up-to-date and services running on your devices are configured securely. We recommend to activate a firewall. There are firewalled networks as well filtering out some of the inbound network requests. For details, see below
 Please bring your own network cable (3m - 5m) with you. When connecting your device to the switch, please make sure the cable does not form a tripping hazard or spans between tables.
-== Wi-Fi (encrypted) ==
+Please consider using a wired connecting in order to save air time. Due to a lot of access points located GPN, HfG and ZKM, air time is really tight.
-Please consider using a wired connecting in order to save air time. Due to a lot of (new) access points located GPN, HfG and ZKM, air time is really tight.
+== Wi-Fi (recommended) ==
+Connect to: GPN21-open
+No password needed!
+We offer WPA3 based opportunistic encryption on this SSID.
+== Wi-Fi (advanced) ==
-We'll also have a test stage with 6Ghz Wi-Fi somewhere in the hack center.
-* SSID: GPN20
+=== Credentials (Default: Protected from connections outside the event) ===
+* SSID: GPN21
 * Mode: WPA2-Enterprise
 ** TTLS/PAP or PEAP/MSCHAPv2
@@ Zeile 27: / Zeile 35: @@
 *** Username/Identity: <code>gpn</code>
 *** Password: <code>gpn</code>
-*** Domain: <code>gpn-noc.de</code>
+*** Domain: <code>radius.gpn-noc.de</code>
 *** CA certificate: <code>Use system certificate</code> ''Note: For Google Pixel 6 (Pro) with Android 12''
 ** for TTLS/PAP
@@ Zeile 33: / Zeile 41: @@
 *** Everything else: <anything you like - we don't care>
-You can also use the following credentials:
+If you want to check that you really connect to the insecure network of ''your'' choice, please verify the certificate of CN <code>radius.gpn-noc.de</code> is issued by [https://letsencrypt.org/certificates/ Let's Encrypt].
-* SSID: GPN20
-* Username: <code>protect-me</code>
+=== Credentials (Protected from every incoming connection) ===
-* Password: <code>protect-me</code>
+* SSID: GPN21
-to have a firewall in place blocking incoming requests, only.
+* Mode: WPA2-Enterprise
+** TTLS/PAP or PEAP/MSCHAPv2
+*** ''(But not TTLS/MASCHAPv2)''
+* Username and Passwort
+** for PEAP/MSCHAPv2:
+*** Username/Identity: <code>protect-me</code>
+*** Password: <code>protect-me</code>
+*** Domain: <code>radius.gpn-noc.de</code>
+*** CA certificate: <code>Use system certificate</code> ''Note: For Google Pixel 6 (Pro) with Android 12''
+** for TTLS/PAP
+*** Domain: radius.gpn-noc.de
+*** Everything else: <anything you like - we don't care>
+If you want to check that you really connect to the insecure network of ''your'' choice, please verify the certificate of CN <code>radius.gpn-noc.de</code> is issued by [https://letsencrypt.org/certificates/ Let's Encrypt].
+=== Credentials (not firewalled) ===
+* SSID: GPN21
+* Mode: WPA2-Enterprise
+** TTLS/PAP or PEAP/MSCHAPv2
+*** ''(But not TTLS/MASCHAPv2)''
+* Username and Passwort
+** for PEAP/MSCHAPv2:
+*** Username/Identity: <code>no-firewall</code>
+*** Password: <code>no-firewall</code>
+*** Domain: <code>radius.gpn-noc.de</code>
+*** CA certificate: <code>Use system certificate</code> ''Note: For Google Pixel 6 (Pro) with Android 12''
+** for TTLS/PAP
+*** Domain: radius.gpn-noc.de
+*** Everything else: <anything you like - we don't care>
 If you want to check that you really connect to the insecure network of ''your'' choice, please verify the certificate of CN <code>radius.gpn-noc.de</code> is issued by [https://letsencrypt.org/certificates/ Let's Encrypt].
@@ Zeile 43: / Zeile 79: @@
 === wpa_supplicant.conf ===
   network={
-      ssid="GPN20"
+      ssid="GPN21"
       key_mgmt=WPA-EAP
       eap=TTLS
@@ Zeile 53: / Zeile 89: @@
       phase2="auth=PAP"
   }
+=== iwd ===
+Create a file under <code>/var/lib/iwd/GPN21.8021x</code> with the following:
+ <nowiki>
+[Security]
+  EAP-Method=TTLS
+  EAP-Identity=open@identity.com
+  #EAP-TTLS-CACert=/certs/ca-cert.pem
+  EAP-TTLS-Phase2-Method=Tunneled-PAP
+  EAP-TTLS-Phase2-Identity=wiki
+  EAP-TTLS-Phase2-Password=binzufauldaspwzuaendern
+  #EAP-TTLS-ServerDomainMask=*.domain.com
+[Settings]
+  AutoConnect=true
+ </nowiki>
 === netctl ===
-  Description='GPN20 secure WPA2 802.1X config'
+  Description='GPN21 secure WPA2 802.1X config'
   Interface=wlp4s0
   Connection=wireless
   Security=wpa-configsection
   IP=dhcp
-  ESSID=GPN20
+  ESSID=GPN21
   WPAConfigSection=(
-      'ssid="GPN20"'
+      'ssid="GPN21"'
       'proto=RSN WPA'
       'key_mgmt=WPA-EAP'
@@ Zeile 74: / Zeile 126: @@
 === Network manager (text file) ===
-Create a file <code>/etc/NetworkManager/system-connections/GPN20.nmconnection</code> with the following:
+Create a file <code>/etc/NetworkManager/system-connections/GPN21.nmconnection</code> with the following:
   [connection]
-  id=GPN20
+  id=GPN21
   uuid=a60a535f-57cb-4fe8-9688-7ff9bd315311
   type=wifi
@@ Zeile 84: / Zeile 136: @@
   [wifi]
   mode=infrastructure
-  ssid=GPN20
+  ssid=GPN21
   [wifi-security]
@@ Zeile 106: / Zeile 158: @@
   [proxy]
-Then, start the service:
+Make sure non-root users do not have read/write permissions for this file - Network Manager will ignore configuration files with incorrect permissions set. Then, reload the connections and start the service:
-  nmcli c up GPN20
+ sudo nmcli connection reload
+  nmcli c up GPN21
 === NetworkManager (GUI nm-connection-editor) ===
@@ Zeile 119: / Zeile 172: @@
 YES, we'll have a colocation again and we can provide you with:
-* 10GbE SFP+ ports. We do not lend transceivers. (we never have and never will - ever!!!)
+* 10GbE SFP+ ports. We do not lend transceivers. We never have and never will - ever!!! The colo switch is a Cisco Nexus and usually accepts a wide range of transceivers.
 * 1000Base-T (1GBE) ports / 10GBase-T is available as well.
+=== Label your stuff! ===
 Please mark your server with
-* your '''nickname'''
+* your '''nickname'''.
-* and your '''DECT-''' or '''cellphone-number'''
+* and your '''DECT-''' or '''cellphone-number'''.
-* and your '''e-mail adress''' to get in contact with you
+* and your '''e-mail adress''' to get in contact with you.
 Otherwise we have to disconnect your server.
-Please see the local signs for more information.
+=== Location ===
+The colocation can be found on the 1. OG (2nd floor) on the 'bridge' between both hack centers.
-In case of problems, find us at the NOC desk or call DECT 1209 or 662.
+=== Addressing ===
+IP addressing is static only. We use "Laundry Clip DHCP": Get your laundry clip at the NOC Desk and attach it to your network cable. Please bring back the laundry clips after the event.
-=== Colocation-Location ===
+Configure your network interfaces like this (X is your laundry clip number):
-The colocation can be found on the 1. OG (2nd floor) between the two glass ceiling sections of the hackcenter, towards the handrail on the southern side.
+==== IPv4 ====
+ Address: 94.45.226.X/24
+ Gateway: 94.45.226.1
+==== IPv6 ====
+ Address: 2001:67c:20a1:226::X/64
+ Gateway: 2001:67c:20a1:226::1
+You ''can'' encode your clip number as hex, but don't need to!
+In case of problems, find us at the NOC desk or call DECT 662.
 == Pixelflut ==
@@ Zeile 141: / Zeile 211: @@
 => Please come to the NOC Desk and ask our staff. We'll be there for you starting Thursday afternoon, e.g. after the Opening (if build up is already finished).
+''' Please also consider limiting the Pixelflut traffic to local traffic, only.'''
 == Android 11 Config Screenshots ==
 [[Datei:Gpn20-wlan-Android-11-1.png|240px|link=Datei:Gpn20-wlan-Android-11-1.png]]
 [[Datei:Android-11-2.png|240px|link=Datei:Android-11-2.png]]
 (Sorry, german language OS)
-{{Navigationsleiste GPN20}}
+{{Navigationsleiste GPN21}}
-[[Kategorie: GPN20]]
+[[Kategorie: GPN21]]