
Set up SCION endhost and connect to local AS infrastructure


In this tutorial we will cover the steps necessary to configure a SCION endhost that will connect to an already running SCION AS. This is useful in situations where your host can take advantage of an existing local SCION infrastructure.

Depending on how the SCION AS is set up, the steps for configuring the endhost will slightly differ.

Running AS infrastructure executes in a VM

In the first setup, the SCION AS runs inside a virtual machine (VM). The following figure depicts this scenario.

SCION AS in virtual machine

The installation steps of the AS are covered in the following tutorials:

Running AS infrastructure natively on a system

In the second setup, the SCION AS runs natively on a host machine. The following figure depicts this scenario.

SCION running natively

The installation steps for this setup are described in the following tutorial pages:


Throughout this setup we will use the host and endhost IP addresses on both machines. To make everything easier to follow, create two environment variables, HOST_IP and ENDHOST_IP, with the respective addresses on both machines, as they will be used throughout this setup. Execute the following commands, filling in the correct IP addresses:

export HOST_IP=""
export ENDHOST_IP=""

Step One - Installing SCION on endhost

Any platform that runs SCION can be used as an endhost. To install SCION on different platforms you can follow one of the tutorials:

SCION VMs can also be configured to be used as an endhost.

Step Two - Copy initial configuration

After the SCION environment is successfully installed on your endhost device, we can start the configuration process. First of all, we need to stop the currently running SCION environment and remove the old gen directory.

cd $SC
./ stop
rm -rf gen

The next step is to make sure both endhost and SCION AS share the same AS configuration, i.e., the same gen directory. This can be done in several ways, but the easiest is to copy it directly from the AS system.

Executing the following command from the SCION AS copies the complete gen directory to the endhost. Note that you will need to replace endhost_user with the appropriate user name on the endhost.

scp -r ${SC}/gen endhost_user@${ENDHOST_IP}:/home/endhost_user/go/src/

Step Three - Remove unnecessary services

The next step is to disable unnecessary SCION services, like the border router, beacon server, etc., on the endhost device. This can be done by editing the configuration file on the endhost's system:

vim $SC/gen/ISD{ISD_NUMBER}/AS{AS_NUMBER}/supervisord.conf

It is sufficient to remove the last 2 lines that look similar to this:

programs = br17-ffaa_1_a-1,bs17-ffaa_1_a-1,cs17-ffaa_1_a-1,ps17-ffaa_1_a-1,sd17-ffaa_1_a

We need to tell the endhost's sciond about its address. To do that, edit the following file on the endhost's system:

vim $SC/gen/ISD{ISD_NUMBER}/AS{AS_NUMBER}/endhost/sciond.toml

In that file, you will find a section that starts with [sd] and looks similar to this:

Reliable = "/run/shm/sciond/default.sock"
Public = "17-ffaa:1:a,[]:0"
Unix = "/run/shm/sciond/default.unix"

In that section substitute the 'Public' line with the following one:

Public = "17-ffaa:1:a,[]:0"

Ensure you replace 17-ffaa:1:a with your AS's IA, and with the correct endhost's IP address. As you can see, you just specified the public IP of your endhost.

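Next we need to remove all directories except endhost from the $SC/gen/ISD{ISD_NUMBER}/AS{AS_NUMBER}/ directory. Run the command below from inside that directory, because the *-* pattern is expanded relative to the current working directory.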

rm -rf *-*
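
The two file-system edits of Step Three can also be done with guarded shell functions; the following is an added example, not part of the original tutorial or the SCION code base. The function names are hypothetical, and it assumes the endhost address belongs between the square brackets of the Public value.

```sh
#!/bin/sh
# Added example (not from the tutorial): guarded versions of two Step Three edits.

# prune_as_dir DIR
# Delete the service directories (names containing "-", e.g. br17-ffaa_1_a-1)
# in DIR and keep "endhost". Refuses unless DIR looks like gen/ISD*/AS* and
# already holds an endhost directory, so a wrong directory cannot be wiped.
prune_as_dir() {
    dir=$1
    case "$dir" in
        */gen/ISD*/AS*) ;;
        *) echo "refusing: $dir is not a gen/ISD*/AS* directory" >&2; return 1 ;;
    esac
    [ -d "$dir/endhost" ] || { echo "refusing: no endhost in $dir" >&2; return 1; }
    for d in "$dir"/*-*/; do
        [ -d "$d" ] || continue          # glob matched nothing
        [ -L "${d%/}" ] && continue      # leave symlinks alone
        rm -rf -- "${d%/}"
    done
}

# set_sd_public FILE IA IP
# Rewrite the Public line of the [sd] section only. Assumption: the endhost
# address goes between the square brackets of the Public value.
set_sd_public() {
    file=$1 ia=$2 ip=$3
    # Reject anything that could break out of the quoted TOML string.
    case "$ia" in ''|*[!0-9A-Fa-f:-]*) echo "bad IA: $ia" >&2; return 1 ;; esac
    case "$ip" in ''|*[!0-9A-Fa-f.:]*) echo "bad IP: $ip" >&2; return 1 ;; esac
    tmp=$(mktemp) || return 1
    awk -v ia="$ia" -v ip="$ip" '
        /^\[/ { in_sd = ($0 == "[sd]") }
        in_sd && /^[ \t]*Public[ \t]*=/ {
            print "Public = \"" ia ",[" ip "]:0\""; n++; next
        }
        { print }
        END { exit (n == 1 ? 0 : 1) }   # fail unless exactly one line was rewritten
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

On the endhost these would be called as `prune_as_dir "$SC/gen/ISD{ISD_NUMBER}/AS{AS_NUMBER}"` and `set_sd_public "$SC/gen/ISD{ISD_NUMBER}/AS{AS_NUMBER}/endhost/sciond.toml" <your IA> "$ENDHOST_IP"`.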

Step Four - Iptable rules


This step is only necessary if you are running the AS SCION infrastructure inside a Virtual Machine. If this is not the case, proceed to step five.

Configuration files we copied from VM in first step contain address This address is not accessible outside the VM and we need to rewrite it to the host's IP address, so that packets get routed correctly. This can be done with iptables.

sudo apt install netfilter-persistent iptables-persistent

sudo iptables -t nat -A OUTPUT -m udp -p udp -d -j DNAT --to-destination ${HOST_IP}

sudo netfilter-persistent save

Step Five - Restart SCION

The last step is to reload the configuration and restart SCION on your endhost system.

~/.local/bin/supervisorctl -c supervisor/supervisord.conf shutdown
./ run

Next steps

The best way to verify that the endhost configuration is running properly is to run some demo applications: