freifunk:infrastruktur:server:vpn1

Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

Link zu dieser Vergleichsansicht

Beide Seiten der vorigen Revision Vorhergehende Überarbeitung
Nächste Überarbeitung		 Vorhergehende Überarbeitung
freifunk:infrastruktur:server:vpn1 [23.05.2016 18:34] mape2kfreifunk:infrastruktur:server:vpn1 [28.06.2020 19:05] (aktuell) hipposen
Zeile 60: Zeile 60:
   * gesonderte Routingtabelle für Freifunk-internen Datenverkehr   * gesonderte Routingtabelle für Freifunk-internen Datenverkehr
  
-<file|/etc/iproute2/rt_table>+<file|/etc/iproute2/rt_tables>
 23 ffef 23 ffef
 </file> </file>
Zeile 100: Zeile 100:
   * fastd   * fastd
     * apt-get -t jessie-backports install fastd     * apt-get -t jessie-backports install fastd
 +
 +=== Workaround für fehlerhafte Startskripte ===
 +
 +  * cp /lib/systemd/system/fastd.service /etc/systemd/system/fastd@.service
 +  * systemctl daemon-reload
 +
 +Quelle: [[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823801]]
 +
 +=== Backbone-Verbindung ===
 +
 +  * mkdir -p /etc/fastd/backbone/peers
 +  * <nowiki>fastd --generate-key</nowiki>
 +
 +<code|fastd --generate-key>
 +2016-05-23 18:40:15 +0000 --- Info: Reading 32 bytes from /dev/random...
 +Secret: XXX
 +Public: YYY
 +</code>
 +
 +  * /etc/fastd/backbone/secret.conf mit Secret-Key befüllen
 +
 +<file|/etc/fastd/backbone/secret.conf>
 +secret "XXX";
 +</file>
 +
 +  * Public-Key auf __anderen__ Backbone-VPN-Servern einrichten
 +
 +<file|/etc/fastd/backbone/peers/vpn1.erfurt.freifunk.net.conf>
 +# VPN-Server vpn1.erfurt.freifunk.net
 +key "YYY";
 +remote "vpn1.erfurt.freifunk.net" port 10000;
 +</file>
 +
 +  * Fastd-Konfiguration
 +    * IP-Adresse des VPN-Servers im Backbone setzen
 +    * Policy-Routing für ffef-Routingtabelle setzen
 +    * IPv4-Forwarding für fastd-Interface aktivieren
 +    * Keepalived starten/beenden (Floating IP für statische)
 +
 +<file|/etc/fastd/backbone/fastd.conf>
 +log level info;
 +interface "mesh-vpn-bb";
 +mode tap;
 +method "null+salsa2012+umac";
 +method "null";
 +include "secret.conf";
 +bind any:10000;
 +mtu 1426;
 +include peers from "peers";
 +
 +on up "
 +   ip link set up dev $INTERFACE
 +   ip address add 10.99.254.7/24 broadcast 10.99.254.255 dev $INTERFACE
 +   ip route add 10.99.254.0/24 dev $INTERFACE table ffef
 +   ip rule add iif mesh-vpn-bb table ffef priority 300
 +   ip rule add from 10.99.254.7 table ffef priority 301
 +   ip route add default via 10.99.254.1 table ffef
 +   echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/forwarding
 +   systemctl start keepalived
 +";
 +
 +on down "
 +   systemctl stop keepalived
 +   echo 0 > /proc/sys/net/ipv4/conf/$INTERFACE/forwarding
 +   ip route del default via 10.99.254.1 table ffef
 +   ip rule del iif mesh-vpn-bb table ffef priority 300
 +   ip rule del from 10.99.254.7 table ffef priority 301
 +   ip route del 10.99.254.0/24 dev $INTERFACE table ffef
 +   ip address del 10.99.254.7/24 broadcast 10.99.254.255 dev $INTERFACE
 +   ip link set down dev $INTERFACE
 +";
 +</file>
 +
 +  * Dateien aus /etc/fastd/backbone/peers/ von anderen VPN-Servern übernehmen
 +    * FIXME: Synchronisierbar gestalten oder aus zentralem Repository beziehen
 +
 +=== Node-Verbindung ===
 +
 +  * mkdir -p /etc/fastd/nodes/peers
 +  * <nowiki>fastd --generate-key</nowiki>
 +
 +<code|fastd --generate-key>
 +2016-05-23 23:07:46 +0000 --- Info: Reading 32 bytes from /dev/random...
 +Secret: XXX
 +Public: YYY
 +</code>
 +
 +  * /etc/fastd/nodes/secret.conf mit Secret-Key befüllen
 +
 +<file|/etc/fastd/nodes/secret.conf>
 +secret "XXX";
 +</file>
 +
 +  * Public-Key ins Wiki und die Firmware übernehmen
 +
 +  * Fastd-Konfiguration
 +    * IP-/MAC-Adressen der Nodes nicht loggen
 +    * IPv4-Forwarding für fastd-Interface aktivieren
 +
 +<file|/etc/fastd/nodes/fastd.conf>
 +log level info;
 +interface "mesh-vpn";
 +mode tap;
 +method "null+salsa2012+umac";
 +method "salsa2012+gmac";
 +hide ip addresses yes;
 +hide mac addresses yes;
 +include "secret.conf";
 +
 +bind any:1234;
 +mtu 1426;
 +include peers from "peers";
 +
 +on up "
 +   ip link set address de:ff:ef:ff:ef:01 up dev $INTERFACE
 +   ip link set up dev $INTERFACE
 +   echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/forwarding
 +";
 +
 +on down "
 +   echo 0 > /proc/sys/net/ipv4/conf/$INTERFACE/forwarding
 +   ip link set down dev $INTERFACE
 +";
 +</file>
 +
 +  * Netzwerkeinstellungen für Batman über Distribution vornehmen
 +
 +<file|/etc/network/interfaces.d/mesh-vpn>
 +# Fastd-Interface (Nodes)
 +allow-hotplug mesh-vpn
 +iface mesh-vpn inet6 manual
 +  post-up         /usr/local/sbin/batctl -m bat0 if add $IFACE
 +  post-up         /sbin/ip link set dev bat0 up
 +</file>
 +
 +  * Dateien für Nodes nach /etc/fastd/nodes/peers/ kopieren
 +    * FIXME: Synchronisierbar gestalten oder aus zentralem Repository beziehen
 +
 +=== Cronjob zum Syncen der Node-VPN-Keys ===
 +
 +<file|/etc/crontab>
 +# Get vpn keys for nodes
 +* * * * * root [[ $(rsync -ai --delete 10.99.254.10::nodes/ /etc/fastd/nodes/peers/) ]] && killall -SIGHUP fastd
 +</file>
 +
 +=== Starten und zum Runlevel hinzufügen ===
 +
 +  * systemctl start fastd@backbone
 +  * systemctl enable fastd@backbone
 +  * systemctl start fastd@nodes
 +  * systemctl enable fastd@nodes
 +
 +==== Batman ====
 +
 +Wir verwenden noch Batman adv 2013.4.0 (compat level 14). Deshalb müssen wir die Kernel-Pakete und batctl selbst bauen
 +
 +=== Pakete ===
 +
 +  * install
 +  * build-essential
 +  * linux-headers-amd64
 +  * git
 +  * gnupg-curl
 +
 +=== Kernelmodul bauen ===
 +
 +  * mkdir ~/build
 +  * cd ~/build
 +  * git clone https://github.com/freifunk-gluon/batman-adv-legacy
 +  * cd batman-adv-legacy
 +  * make
 +  * make install
 +
 +  * modprobe batman-adv
 +  * dmesg
 +<code|dmesg>
 +[42600.480585] batman_adv: B.A.T.M.A.N. advanced 2013.4.0-23-g91eab38-dirty (compatibility version 14) loaded
 +</code>
 +
 +<file|/etc/modules>
 +batman-adv
 +</file>
 +
 +=== batctl ===
 +
 +  * mkdir ~/build
 +  * cd ~/build
 +  * wget http://downloads.open-mesh.org/batman/releases/batman-adv-2013.4.0/batctl-2013.4.0.tar.gz
 +  * tar xzf batctl-2013.4.0.tar.gz
 +  * cd batctl-2013.4.0
 +  * make
 +  * make install
 +
 +=== Netzwerkkonfiguration ===
 +
 +<file|/etc/network/interfaces.d/bat0>
 +# Batman-Interface
 +allow-hotplug bat0
 +iface bat0 inet6 manual
 +  post-up         /sbin/brctl addif brffef $IFACE
 +  post-up         /usr/local/sbin/batctl -m $IFACE it 10000
 +  post-up         /usr/local/sbin/batctl -m $IFACE gw server 96mbit/96mbit
 +  pre-down        /sbin/brctl delif bat0 $IFACE || true
 +</file>
 +
 +====Quagga====
 +* FIXME: Generell überprüfen, ICVPN1 Konfiganpassung 
 +=== Pakete ===
 +
 +  * quagga
 +  * telnet
 +
 +<file|/etc/quagga/daemons>
 +zebra=yes
 +bgpd=yes
 +</file>
 +
 +<file|/etc/quagga/zebra.conf>
 +! -*- zebra -*-
 +!
 +! zebra sample configuration file
 +!
 +! $Id: zebra.conf.sample,v 1.1 2002/12/13 20:15:30 paul Exp $
 +!
 +hostname vpn1.erfurt.freifunk.net
 +password xxxx
 +enable password xxxx
 +!
 +! Interface's description.
 +!
 +!interface lo
 +! description test of desc.
 +!
 +!interface sit0
 +! multicast
 +
 +!
 +! Static default route sample.
 +!
 +!ip route 0.0.0.0/0 203.181.89.241
 +!
 +
 +log file /var/log/quagga/zebra.log
 +
 +! use src ip for local connection
 +route-map RM_SET_SOURCE permit 10
 +set src 10.99.254.7
 +ip protocol bgp route-map RM_SET_SOURCE
 +
 +table 23
 +</file>
 +<file|/etc/quagga/bgp.conf>
 +hostname vpn1
 +password [PASSWORD]
 +!
 +! enable debug log
 +!
 +debug bgp updates
 +!
 +!
 +router bgp 65099002 
 + bgp router-id 10.99.254.7 
 + bgp confederation identifier 65099
 + bgp confederation peers 65099001 
 + network 10.99.8.0/22
 +
 + neighbor ffef-backbone peer-group
 + neighbor ffef-backbone soft-reconfiguration inbound
 + neighbor ffef-backbone prefix-list ffef-backbone-in in
 + neighbor ffef-backbone prefix-list ffef-backbone-out out
 +
 +! neighbor 10.99.254.1 remote-as 65099001
 +! neighbor 10.99.254.1 description icvpn2_suicider
 +! neighbor 10.99.254.1 prefix-list ffef-backbone-in in
 +! neighbor 10.99.254.1 prefix-list ffef-backbone-out out
 +
 + neighbor 10.99.254.10 remote-as 65099001
 + neighbor 10.99.254.10 description icvpn2_hipposen
 + neighbor 10.99.254.10 prefix-list ffef-backbone-in in
 + neighbor 10.99.254.10 prefix-list ffef-backbone-out out
 +
 +! neighbor 10.99.254.8 remote-as 65099002
 +! neighbor 10.99.254.8 description vpn3_ichirou
 +! neighbor 10.99.254.8 peer-group ffef-backbone
 +
 + neighbor 10.99.254.9 remote-as 65099002
 + neighbor 10.99.254.9 description vpn2_bt909
 + neighbor 10.99.254.9 peer-group ffef-backbone
 +
 +ip prefix-list ffef-backbone-in description *** Backbone IP-Filter eingehend ***
 +ip prefix-list ffef-backbone-in seq 10 permit 0.0.0.0/0
 +ip prefix-list ffef-backbone-in seq 19 deny 10.99.16.0/22
 +ip prefix-list ffef-backbone-in seq 20 permit 10.99.0.0/16 le 32
 +ip prefix-list ffef-backbone-in seq 21 permit 10.0.0.0/8 le 32
 +ip prefix-list ffef-backbone-in seq 30 permit 172.16.0.0/12 le 32
 +ip prefix-list ffef-backbone-in seq 99 deny 0.0.0.0/0 le 32
 +
 +ip prefix-list ffef-backbone-out description *** Backbone IP-Filter ausgehend ***
 +ip prefix-list ffef-backbone-out seq 10 deny 0.0.0.0/0
 +ip prefix-list ffef-backbone-out seq 20 permit 10.99.0.0/16 le 32
 +ip prefix-list ffef-backbone-out seq 99 deny 0.0.0.0/0 le 32
 +!
 +!
 +log file /var/log/quagga/bgpd.log
 +!
 +!log stdout
 +
 +
 +</file>
  • freifunk/infrastruktur/server/vpn1.1464028478.txt.gz
  • Zuletzt geändert: 23.05.2016 18:34
  • von mape2k