====== vpn1.erfurt.freifunk.net ====== Dies ist ein VPN-Server. ===== HINWEISE ===== * DNS-Name noch nicht angepasst: Für IPv6 funktioniert SSH-Login also nicht über DNS-Namen! * Port 1234 für fastd und 10000 für fastd-Backbone zeigen bereits auf die VM * Port 10001 zeigt weiterhin auf die VM gluon-ffef, diese hat noch die Karte und darf im Backbone nicht aus dem VPN entfernt werden ===== Serverinformationen ===== ==== Administratoren ==== * [[user:mape2k|mape2k]] (Inhaber/Bereitsteller) * [[user:bt909|bt909]] * [[user:hipposen|hipposen]] ==== IP/DNS ==== * vpn1.erfurt.freifunk.net * 144.76.76.98 * 2a01:4f8:191:9461:13::1 ==== Dienste ==== * SSH (Port 1035) * fastd (Port 1234) ==== Software ==== * Debian 8 (Jessie) * Installation-Optionen: SSH-Server, Standard-Systemutilities ===== Installation ===== ==== Installierte Pakete (System) ==== * mc * screen * vim * sudo ==== Netzwerk ==== === Pakete === * bridge-utils === Konfiguration Routing === * IPv6-Forwarding generell aktivieren * kann nicht Interface-bezogen aktiviert werden * IPv4-Forwarding wird von fastd Interface-bezogen aktiviert net.ipv6.conf.all.forwarding = 1 === Konfiguration Routingtabellen === * gesonderte Routingtabelle für Freifunk-internen Datenverkehr 23 ffef === Konfiguration Bridge (Freifunk-Netz) === # Bridge (Freifunk) iface brffef inet static bridge_ports none address 10.99.1.1 broadcast 10.99.1.255 netmask 255.255.128.0 post-up /sbin/ip route add 10.99.0.0/17 dev $IFACE table ffef post-up /sbin/ip rule add iif $IFACE table ffef priority 200 post-up /sbin/ip rule add oif $IFACE table ffef priority 201 post-up echo 1 > /proc/sys/net/ipv4/conf/$IFACE/forwarding pre-down echo 0 > /proc/sys/net/ipv4/conf/$IFACE/forwarding pre-down /sbin/ip route del 10.99.0.0/17 dev $IFACE table ffef pre-down /sbin/ip rule del oif $IFACE table ffef priority 201 pre-down /sbin/ip rule del iif $IFACE table ffef priority 200 iface brffef inet6 static address fd0a:d928:b30d:94f7:1::1 netmask 64 ====fastd==== ===Repository=== * Jessie-Backports verwenden deb http://ftp.debian.org/debian jessie-backports main === Pakete === * fastd * apt-get -t jessie-backports install fastd === Workaround für fehlerhafte Startskripte === * cp /lib/systemd/system/fastd.service /etc/systemd/system/fastd@.service * systemctl daemon-reload Quelle: [[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823801]] === Backbone-Verbindung === * mkdir -p /etc/fastd/backbone/peers * fastd --generate-key 2016-05-23 18:40:15 +0000 --- Info: Reading 32 bytes from /dev/random... Secret: XXX Public: YYY * /etc/fastd/backbone/secret.conf mit Secret-Key befüllen secret "XXX"; * Public-Key auf __anderen__ Backbone-VPN-Servern einrichten # VPN-Server vpn1.erfurt.freifunk.net key "YYY"; remote "vpn1.erfurt.freifunk.net" port 10000; * Fastd-Konfiguration * IP-Adresse des VPN-Servers im Backbone setzen * Policy-Routing für ffef-Routingtabelle setzen * IPv4-Forwarding für fastd-Interface aktivieren * Keepalived starten/beenden (Floating IP für statische) log level info; interface "mesh-vpn-bb"; mode tap; method "null+salsa2012+umac"; method "null"; include "secret.conf"; bind any:10000; mtu 1426; include peers from "peers"; on up " ip link set up dev $INTERFACE ip address add 10.99.254.7/24 broadcast 10.99.254.255 dev $INTERFACE ip route add 10.99.254.0/24 dev $INTERFACE table ffef ip rule add iif mesh-vpn-bb table ffef priority 300 ip rule add from 10.99.254.7 table ffef priority 301 ip route add default via 10.99.254.1 table ffef echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/forwarding systemctl start keepalived "; on down " systemctl stop keepalived echo 0 > /proc/sys/net/ipv4/conf/$INTERFACE/forwarding ip route del default via 10.99.254.1 table ffef ip rule del iif mesh-vpn-bb table ffef priority 300 ip rule del from 10.99.254.7 table ffef priority 301 ip route del 10.99.254.0/24 dev $INTERFACE table ffef ip address del 10.99.254.7/24 broadcast 10.99.254.255 dev $INTERFACE ip link set down dev $INTERFACE "; * Dateien aus /etc/fastd/backbone/peers/ von anderen VPN-Servern übernehmen * FIXME: Synchronisierbar gestalten oder aus zentralem Repository beziehen === Node-Verbindung === * mkdir -p /etc/fastd/nodes/peers * fastd --generate-key 2016-05-23 23:07:46 +0000 --- Info: Reading 32 bytes from /dev/random... Secret: XXX Public: YYY * /etc/fastd/nodes/secret.conf mit Secret-Key befüllen secret "XXX"; * Public-Key ins Wiki und die Firmware übernehmen * Fastd-Konfiguration * IP-/MAC-Adressen der Nodes nicht loggen * IPv4-Forwarding für fastd-Interface aktivieren log level info; interface "mesh-vpn"; mode tap; method "null+salsa2012+umac"; method "salsa2012+gmac"; hide ip addresses yes; hide mac addresses yes; include "secret.conf"; bind any:1234; mtu 1426; include peers from "peers"; on up " ip link set address de:ff:ef:ff:ef:01 up dev $INTERFACE ip link set up dev $INTERFACE echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/forwarding "; on down " echo 0 > /proc/sys/net/ipv4/conf/$INTERFACE/forwarding ip link set down dev $INTERFACE "; * Netzwerkeinstellungen für Batman über Distribution vornehmen # Fastd-Interface (Nodes) allow-hotplug mesh-vpn iface mesh-vpn inet6 manual post-up /usr/local/sbin/batctl -m bat0 if add $IFACE post-up /sbin/ip link set dev bat0 up * Dateien für Nodes nach /etc/fastd/nodes/peers/ kopieren * FIXME: Synchronisierbar gestalten oder aus zentralem Repository beziehen === Cronjob zum Syncen der Node-VPN-Keys === # Get vpn keys for nodes * * * * * root [[ $(rsync -ai --delete 10.99.254.10::nodes/ /etc/fastd/nodes/peers/) ]] && killall -SIGHUP fastd === Starten und zum Runlevel hinzufügen === * systemctl start fastd@backbone * systemctl enable fastd@backbone * systemctl start fastd@nodes * systemctl enable fastd@nodes ==== Batman ==== Wir verwenden noch Batman adv 2013.4.0 (compat level 14). Deshalb müssen wir die Kernel-Pakete und batctl selbst bauen === Pakete === * install * build-essential * linux-headers-amd64 * git * gnupg-curl === Kernelmodul bauen === * mkdir ~/build * cd ~/build * git clone https://github.com/freifunk-gluon/batman-adv-legacy * cd batman-adv-legacy * make * make install * modprobe batman-adv * dmesg [42600.480585] batman_adv: B.A.T.M.A.N. advanced 2013.4.0-23-g91eab38-dirty (compatibility version 14) loaded batman-adv === batctl === * mkdir ~/build * cd ~/build * wget http://downloads.open-mesh.org/batman/releases/batman-adv-2013.4.0/batctl-2013.4.0.tar.gz * tar xzf batctl-2013.4.0.tar.gz * cd batctl-2013.4.0 * make * make install === Netzwerkkonfiguration === # Batman-Interface allow-hotplug bat0 iface bat0 inet6 manual post-up /sbin/brctl addif brffef $IFACE post-up /usr/local/sbin/batctl -m $IFACE it 10000 post-up /usr/local/sbin/batctl -m $IFACE gw server 96mbit/96mbit pre-down /sbin/brctl delif bat0 $IFACE || true ====Quagga==== * FIXME: Generell überprüfen, ICVPN1 Konfiganpassung === Pakete === * quagga * telnet zebra=yes bgpd=yes ! -*- zebra -*- ! ! zebra sample configuration file ! ! $Id: zebra.conf.sample,v 1.1 2002/12/13 20:15:30 paul Exp $ ! hostname vpn1.erfurt.freifunk.net password xxxx enable password xxxx ! ! Interface's description. ! !interface lo ! description test of desc. ! !interface sit0 ! multicast ! ! Static default route sample. ! !ip route 0.0.0.0/0 203.181.89.241 ! log file /var/log/quagga/zebra.log ! use src ip for local connection route-map RM_SET_SOURCE permit 10 set src 10.99.254.7 ip protocol bgp route-map RM_SET_SOURCE table 23 hostname vpn1 password [PASSWORD] ! ! enable debug log ! debug bgp updates ! ! router bgp 65099002 bgp router-id 10.99.254.7 bgp confederation identifier 65099 bgp confederation peers 65099001 network 10.99.8.0/22 neighbor ffef-backbone peer-group neighbor ffef-backbone soft-reconfiguration inbound neighbor ffef-backbone prefix-list ffef-backbone-in in neighbor ffef-backbone prefix-list ffef-backbone-out out ! neighbor 10.99.254.1 remote-as 65099001 ! neighbor 10.99.254.1 description icvpn2_suicider ! neighbor 10.99.254.1 prefix-list ffef-backbone-in in ! neighbor 10.99.254.1 prefix-list ffef-backbone-out out neighbor 10.99.254.10 remote-as 65099001 neighbor 10.99.254.10 description icvpn2_hipposen neighbor 10.99.254.10 prefix-list ffef-backbone-in in neighbor 10.99.254.10 prefix-list ffef-backbone-out out ! neighbor 10.99.254.8 remote-as 65099002 ! neighbor 10.99.254.8 description vpn3_ichirou ! neighbor 10.99.254.8 peer-group ffef-backbone neighbor 10.99.254.9 remote-as 65099002 neighbor 10.99.254.9 description vpn2_bt909 neighbor 10.99.254.9 peer-group ffef-backbone ip prefix-list ffef-backbone-in description *** Backbone IP-Filter eingehend *** ip prefix-list ffef-backbone-in seq 10 permit 0.0.0.0/0 ip prefix-list ffef-backbone-in seq 19 deny 10.99.16.0/22 ip prefix-list ffef-backbone-in seq 20 permit 10.99.0.0/16 le 32 ip prefix-list ffef-backbone-in seq 21 permit 10.0.0.0/8 le 32 ip prefix-list ffef-backbone-in seq 30 permit 172.16.0.0/12 le 32 ip prefix-list ffef-backbone-in seq 99 deny 0.0.0.0/0 le 32 ip prefix-list ffef-backbone-out description *** Backbone IP-Filter ausgehend *** ip prefix-list ffef-backbone-out seq 10 deny 0.0.0.0/0 ip prefix-list ffef-backbone-out seq 20 permit 10.99.0.0/16 le 32 ip prefix-list ffef-backbone-out seq 99 deny 0.0.0.0/0 le 32 ! ! log file /var/log/quagga/bgpd.log ! !log stdout