Differences
This page shows the differences between two versions of the page.
Next revision | Previous revision | ||
freifunk:infrastruktur:server:vpn1 [23.05.2016 11:04] – created mape2k | freifunk:infrastruktur:server:vpn1 [28.06.2020 21:05] (current) – hipposen | ||
---|---|---|---|
Zeile 40: | Zeile 40: | ||
* sudo | * sudo | ||
- | ==== Installierte Pakete (Firmware bauen) | + | ==== Netzwerk |
- | * make | + | === Pakete === |
- | * git | + | |
- | * python | + | |
- | * bzip2 | + | |
- | * gcc | + | |
- | * g++ | + | |
- | * libncurses-dev | + | |
- | * libssl-dev | + | |
- | * libz-dev | + | |
- | * gawk | + | |
- | * subversion | + | |
- | * xz-utils | + | |
- | ==== Tools für Firmware-Signatur ==== | + | * bridge-utils |
- | === Quellen | + | === Konfiguration Routing |
- | * [[https:// | + | * IPv6-Forwarding generell aktivieren |
- | * [[http:// | + | * kann nicht Interface-bezogen aktiviert werden |
+ | * IPv4-Forwarding wird von fastd Interface-bezogen aktiviert | ||
- | === Debian-Pakete einbinden === | + | < |
+ | net.ipv6.conf.all.forwarding | ||
+ | </ | ||
- | [[user: | + | === Konfiguration Routingtabellen === |
- | * / | + | * gesonderte Routingtabelle für Freifunk-internen Datenverkehr |
- | < | + | < |
- | deb http:// | + | 23 ffef |
</ | </ | ||
- | * Repository-GPG-Key einbinden | + | === Konfiguration Bridge (Freifunk-Netz) === |
- | * // | + | |
- | === Notwendige Pakete === | + | < |
+ | # Bridge (Freifunk) | ||
+ | iface brffef inet static | ||
+ | bridge_ports none | ||
+ | address 10.99.1.1 | ||
+ | broadcast 10.99.1.255 | ||
+ | netmask 255.255.128.0 | ||
+ | post-up /sbin/ip route add 10.99.0.0/ | ||
+ | post-up /sbin/ip rule add iif $IFACE table ffef priority 200 | ||
+ | post-up /sbin/ip rule add oif $IFACE table ffef priority 201 | ||
+ | post-up echo 1 > / | ||
+ | pre-down echo 0 > / | ||
+ | pre-down /sbin/ip route del 10.99.0.0/ | ||
+ | pre-down /sbin/ip rule del oif $IFACE table ffef priority 201 | ||
+ | pre-down /sbin/ip rule del iif $IFACE table ffef priority 200 | ||
+ | iface brffef inet6 static | ||
+ | address fd0a: | ||
+ | netmask 64 | ||
+ | </ | ||
- | Jetzt einfach das folgende Paket installieren: | + | ====fastd==== |
- | * ecdsautils | + | ===Repository=== |
- | ==== Firmware-Mirror ==== | + | * Jessie-Backports verwenden |
- | === Notwendige Pakete === | + | < |
+ | deb http:// | ||
+ | </ | ||
- | * rsync | + | === Pakete === |
- | === Konfiguration === | + | * fastd |
+ | * apt-get -t jessie-backports install fastd | ||
- | * / | + | === Workaround für fehlerhafte Startskripte === |
- | <file|/etc/rsyncd.conf> | + | * cp / |
- | uid = nobody | + | * systemctl daemon-reload |
- | gid = nogroup | + | |
- | max connections = 25 | + | |
- | socket options = SO_KEEPALIVE | + | |
- | [firmware] | + | Quelle: |
- | | + | |
- | | + | === Backbone-Verbindung === |
- | | + | |
+ | * mkdir -p /etc/fastd/backbone/ | ||
+ | | ||
+ | |||
+ | < | ||
+ | 2016-05-23 18:40:15 +0000 --- Info: Reading 32 bytes from / | ||
+ | Secret: XXX | ||
+ | Public: YYY | ||
+ | </ | ||
+ | |||
+ | | ||
+ | |||
+ | < | ||
+ | secret " | ||
</ | </ | ||
- | === Nachbereitung / Start === | + | * Public-Key auf __anderen__ Backbone-VPN-Servern einrichten |
- | * //**systemctl enable rsync.service**// | + | < |
- | * // | + | # VPN-Server vpn1.erfurt.freifunk.net |
+ | key " | ||
+ | remote " | ||
+ | </ | ||
+ | |||
+ | * Fastd-Konfiguration | ||
+ | * IP-Adresse des VPN-Servers im Backbone setzen | ||
+ | * Policy-Routing für ffef-Routingtabelle setzen | ||
+ | * IPv4-Forwarding für fastd-Interface aktivieren | ||
+ | * Keepalived starten/ | ||
+ | |||
+ | < | ||
+ | log level info; | ||
+ | interface " | ||
+ | mode tap; | ||
+ | method " | ||
+ | method " | ||
+ | include " | ||
+ | bind any: | ||
+ | mtu 1426; | ||
+ | include peers from " | ||
+ | |||
+ | on up " | ||
+ | | ||
+ | ip address add 10.99.254.7/ | ||
+ | ip route add 10.99.254.0/ | ||
+ | ip rule add iif mesh-vpn-bb table ffef priority 300 | ||
+ | ip rule add from 10.99.254.7 table ffef priority 301 | ||
+ | ip route add default via 10.99.254.1 table ffef | ||
+ | echo 1 > / | ||
+ | | ||
+ | "; | ||
+ | |||
+ | on down " | ||
+ | | ||
+ | echo 0 > / | ||
+ | ip route del default via 10.99.254.1 table ffef | ||
+ | ip rule del iif mesh-vpn-bb table ffef priority 300 | ||
+ | ip rule del from 10.99.254.7 table ffef priority 301 | ||
+ | ip route del 10.99.254.0/ | ||
+ | ip address del 10.99.254.7/ | ||
+ | ip link set down dev $INTERFACE | ||
+ | "; | ||
+ | </ | ||
+ | |||
+ | | ||
+ | | ||
+ | |||
+ | === Node-Verbindung === | ||
+ | |||
+ | | ||
+ | * < | ||
+ | |||
+ | < | ||
+ | 2016-05-23 23:07:46 +0000 --- Info: Reading 32 bytes from /dev/random... | ||
+ | Secret: XXX | ||
+ | Public: YYY | ||
+ | </ | ||
+ | |||
+ | | ||
+ | |||
+ | < | ||
+ | secret " | ||
+ | </ | ||
+ | |||
+ | | ||
+ | |||
+ | * Fastd-Konfiguration | ||
+ | * IP-/MAC-Adressen der Nodes nicht loggen | ||
+ | * IPv4-Forwarding für fastd-Interface aktivieren | ||
+ | |||
+ | <file|/etc/ | ||
+ | log level info; | ||
+ | interface " | ||
+ | mode tap; | ||
+ | method " | ||
+ | method " | ||
+ | hide ip addresses yes; | ||
+ | hide mac addresses yes; | ||
+ | include " | ||
+ | |||
+ | bind any:1234; | ||
+ | mtu 1426; | ||
+ | include peers from " | ||
+ | |||
+ | on up " | ||
+ | ip link set address de: | ||
+ | ip link set up dev $INTERFACE | ||
+ | echo 1 > / | ||
+ | "; | ||
+ | |||
+ | on down " | ||
+ | echo 0 > / | ||
+ | ip link set down dev $INTERFACE | ||
+ | "; | ||
+ | </ | ||
+ | |||
+ | * Netzwerkeinstellungen für Batman über Distribution vornehmen | ||
+ | |||
+ | <file|/etc/network/ | ||
+ | # Fastd-Interface (Nodes) | ||
+ | allow-hotplug mesh-vpn | ||
+ | iface mesh-vpn inet6 manual | ||
+ | post-up | ||
+ | post-up | ||
+ | </ | ||
+ | |||
+ | | ||
+ | * FIXME: Synchronisierbar gestalten oder aus zentralem Repository beziehen | ||
+ | |||
+ | === Cronjob zum Syncen der Node-VPN-Keys === | ||
+ | |||
+ | < | ||
+ | # Get vpn keys for nodes | ||
+ | * * * * * root [[ $(rsync -ai --delete 10.99.254.10:: | ||
+ | </ | ||
+ | |||
+ | === Starten und zum Runlevel hinzufügen === | ||
+ | |||
+ | | ||
+ | * systemctl enable fastd@backbone | ||
+ | * systemctl start fastd@nodes | ||
+ | * systemctl enable fastd@nodes | ||
+ | |||
+ | ==== Batman ==== | ||
+ | |||
+ | Wir verwenden noch Batman adv 2013.4.0 (compat level 14). Deshalb müssen wir die Kernel-Pakete und batctl selbst bauen | ||
+ | |||
+ | === Pakete === | ||
+ | |||
+ | | ||
+ | | ||
+ | * linux-headers-amd64 | ||
+ | * git | ||
+ | * gnupg-curl | ||
+ | |||
+ | === Kernelmodul bauen === | ||
+ | |||
+ | * mkdir ~/build | ||
+ | * cd ~/build | ||
+ | * git clone https:// | ||
+ | * cd batman-adv-legacy | ||
+ | * make | ||
+ | * make install | ||
+ | |||
+ | * modprobe batman-adv | ||
+ | * dmesg | ||
+ | < | ||
+ | [42600.480585] batman_adv: B.A.T.M.A.N. advanced 2013.4.0-23-g91eab38-dirty (compatibility version 14) loaded | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | batman-adv | ||
+ | </ | ||
+ | |||
+ | === batctl === | ||
+ | |||
+ | * mkdir ~/build | ||
+ | * cd ~/build | ||
+ | * wget http:// | ||
+ | * tar xzf batctl-2013.4.0.tar.gz | ||
+ | * cd batctl-2013.4.0 | ||
+ | * make | ||
+ | * make install | ||
+ | |||
+ | === Netzwerkkonfiguration === | ||
+ | |||
+ | < | ||
+ | # Batman-Interface | ||
+ | allow-hotplug bat0 | ||
+ | iface bat0 inet6 manual | ||
+ | post-up | ||
+ | post-up | ||
+ | post-up | ||
+ | pre-down | ||
+ | </ | ||
+ | |||
+ | ====Quagga==== | ||
+ | * FIXME: Generell überprüfen, | ||
+ | === Pakete === | ||
+ | |||
+ | * quagga | ||
+ | * telnet | ||
+ | |||
+ | < | ||
+ | zebra=yes | ||
+ | bgpd=yes | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | ! -*- zebra -*- | ||
+ | ! | ||
+ | ! zebra sample configuration file | ||
+ | ! | ||
+ | ! $Id: zebra.conf.sample, | ||
+ | ! | ||
+ | hostname vpn1.erfurt.freifunk.net | ||
+ | password xxxx | ||
+ | enable password xxxx | ||
+ | ! | ||
+ | ! Interface' | ||
+ | ! | ||
+ | !interface lo | ||
+ | ! description test of desc. | ||
+ | ! | ||
+ | !interface sit0 | ||
+ | ! multicast | ||
+ | |||
+ | ! | ||
+ | ! Static default route sample. | ||
+ | ! | ||
+ | !ip route 0.0.0.0/0 203.181.89.241 | ||
+ | ! | ||
+ | |||
+ | log file / | ||
+ | |||
+ | ! use src ip for local connection | ||
+ | route-map RM_SET_SOURCE permit 10 | ||
+ | set src 10.99.254.7 | ||
+ | ip protocol bgp route-map RM_SET_SOURCE | ||
+ | |||
+ | table 23 | ||
+ | </ | ||
+ | < | ||
+ | hostname vpn1 | ||
+ | password [PASSWORD] | ||
+ | ! | ||
+ | ! enable debug log | ||
+ | ! | ||
+ | debug bgp updates | ||
+ | ! | ||
+ | ! | ||
+ | router bgp 65099002 | ||
+ | bgp router-id 10.99.254.7 | ||
+ | bgp confederation identifier 65099 | ||
+ | bgp confederation peers 65099001 | ||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | ! neighbor 10.99.254.1 remote-as 65099001 | ||
+ | ! neighbor 10.99.254.1 description icvpn2_suicider | ||
+ | ! neighbor 10.99.254.1 prefix-list ffef-backbone-in in | ||
+ | ! neighbor 10.99.254.1 prefix-list ffef-backbone-out out | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | ! neighbor 10.99.254.8 remote-as 65099002 | ||
+ | ! neighbor 10.99.254.8 description vpn3_ichirou | ||
+ | ! neighbor 10.99.254.8 peer-group ffef-backbone | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | ip prefix-list ffef-backbone-in description *** Backbone IP-Filter eingehend *** | ||
+ | ip prefix-list ffef-backbone-in seq 10 permit 0.0.0.0/0 | ||
+ | ip prefix-list ffef-backbone-in seq 19 deny 10.99.16.0/ | ||
+ | ip prefix-list ffef-backbone-in seq 20 permit 10.99.0.0/ | ||
+ | ip prefix-list ffef-backbone-in seq 21 permit 10.0.0.0/8 le 32 | ||
+ | ip prefix-list ffef-backbone-in seq 30 permit 172.16.0.0/ | ||
+ | ip prefix-list ffef-backbone-in seq 99 deny 0.0.0.0/0 le 32 | ||
+ | |||
+ | ip prefix-list ffef-backbone-out description *** Backbone IP-Filter ausgehend *** | ||
+ | ip prefix-list ffef-backbone-out seq 10 deny 0.0.0.0/0 | ||
+ | ip prefix-list ffef-backbone-out seq 20 permit 10.99.0.0/ | ||
+ | ip prefix-list ffef-backbone-out seq 99 deny 0.0.0.0/0 le 32 | ||
+ | ! | ||
+ | ! | ||
+ | log file / | ||
+ | ! | ||
+ | !log stdout | ||
+ | |||
+ | |||
+ | </file> |
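Review bot: the crontab entry under "Cronjob zum Syncen der Node-VPN-Keys" (`* * * * * root [[ $(rsync -ai --delete 10.99.254.10:: …`) relies on the bash-only `[[ … ]]` test, but a system crontab with a user field hands the command to `/bin/sh`, which is dash on Debian jessie and has no `[[`, so unless that file sets `SHELL=/bin/bash` (not shown) the job fails every minute; set `SHELL=/bin/bash` at the top of the crontab or rewrite the test as POSIX `[ -n "$(…)" ]`. The same line mirrors the node peer keys with `--delete` over the plain rsync daemon protocol (`host::module`), which gives no transport encryption or integrity for the key material that decides which nodes may join the VPN; the "FIXME: Synchronisierbar gestalten oder aus zentralem Repository beziehen" item just above it should be closed by syncing over ssh or from a signed repository, and the text should say that the peer directory is written only by this job. In both fastd sections the generated private key lands in a `secret "…"` config line without any step that restricts the file mode; add a `chmod 600` on the backbone and nodes config (or keep the secret in a separate root-only file included from it) before the `systemctl enable` steps. In the Batman section the batctl tarball is fetched with `wget http://…` and installed with `make install` without a checksum or signature check, although `gnupg-curl` is in the package list for exactly that purpose; add the verification step, and pin the batman-adv-legacy clone to a commit, because the dmesg line `batman_adv: B.A.T.M.A.N. advanced 2013.4.0-23-g91eab38-dirty (compatibility version 14) loaded` shows the module was built from a modified working tree that cannot be reproduced from these instructions. In the Quagga section, `ip prefix-list ffef-backbone-in seq 21 permit 10.0.0.0/8 le 32` accepts any prefix down to host routes from a backbone peer while the outbound list only permits the 10.99.0.0/… prefix; if this is meant for the icvpn peer only, say so in a comment and make sure the list is applied just to that neighbor, otherwise tighten the `le` bound. Also `debug bgp updates` stays active in bgpd.conf and will fill the log file on every update, the `password xxxx` / `enable password xxxx` / `password [PASSWORD]` placeholders must stay placeholders on this page, the copied sample-file comments in zebra.conf (`! $Id: zebra.conf.sample`, `!ip route 0.0.0.0/0 203.181.89.241`) refer to an unrelated address and should be dropped, and the `FIXME: Generell überprüfen` at the top of the section should name what is still unverified.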