vpn1.erfurt.freifunk.net

This is a VPN server.

  • DNS name not yet updated: for IPv6, SSH login therefore does not work via the DNS name!
  • Port 1234 for fastd and 10000 for the fastd backbone already point to the VM
  • Port 10001 still points to the VM gluon-ffef, which still hosts the map and must not be removed from the VPN in the backbone
  • vpn1.erfurt.freifunk.net
    • 144.76.76.98
    • 2a01:4f8:191:9461:13::1
  • SSH (port 1035)
  • fastd (port 1234)
  • Debian 8 (Jessie)
    • Installation options: SSH server, standard system utilities
  • mc
  • screen
  • vim
  • sudo

Packages

  • bridge-utils

Routing configuration

  • Enable IPv6 forwarding globally
    • cannot be enabled per interface
  • IPv4 forwarding is enabled per interface by fastd

/etc/sysctl.conf

net.ipv6.conf.all.forwarding = 1

Routing table configuration

  • separate routing table for Freifunk-internal traffic

/etc/iproute2/rt_tables

23 ffef

Bridge configuration (Freifunk network)

/etc/network/interfaces.d/brffef

# Bridge (Freifunk)
iface brffef inet static
  bridge_ports none
  address 10.99.1.1
  broadcast 10.99.1.255
  netmask 255.255.128.0
  post-up /sbin/ip route add 10.99.0.0/17 dev $IFACE table ffef
  post-up /sbin/ip rule add iif $IFACE table ffef priority 200
  post-up /sbin/ip rule add oif $IFACE table ffef priority 201
  post-up echo 1 > /proc/sys/net/ipv4/conf/$IFACE/forwarding
  pre-down echo 0 > /proc/sys/net/ipv4/conf/$IFACE/forwarding
  pre-down /sbin/ip route del 10.99.0.0/17 dev $IFACE table ffef
  pre-down /sbin/ip rule del oif $IFACE table ffef priority 201
  pre-down /sbin/ip rule del iif $IFACE table ffef priority 200
iface brffef inet6 static
  address fd0a:d928:b30d:94f7:1::1
  netmask 64

Repository

  • Use Jessie backports

/etc/apt/sources.list.d/backports.list

deb http://ftp.debian.org/debian jessie-backports main

Packages

  • fastd
    • apt-get -t jessie-backports install fastd

Workaround for broken init scripts

  • cp /lib/systemd/system/fastd.service /etc/systemd/system/fastd@.service
  • systemctl daemon-reload

Source: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823801

Backbone connection

  • mkdir -p /etc/fastd/backbone/peers
  • fastd --generate-key

fastd --generate-key

2016-05-23 18:40:15 +0000 --- Info: Reading 32 bytes from /dev/random...
Secret: XXX
Public: YYY

  • Fill /etc/fastd/backbone/secret.conf with the secret key

/etc/fastd/backbone/secret.conf

secret "XXX";

  • Set up the public key on the other backbone VPN servers

/etc/fastd/backbone/peers/vpn1.erfurt.freifunk.net.conf

# VPN server vpn1.erfurt.freifunk.net
key "YYY";
remote "vpn1.erfurt.freifunk.net" port 10000;

  • fastd configuration
    • Set the VPN server's IP address in the backbone
    • Set policy routing for the ffef routing table
    • Enable IPv4 forwarding for the fastd interface
    • Start/stop keepalived (floating IP for static)

/etc/fastd/backbone/fastd.conf

log level info;
interface "mesh-vpn-bb";
mode tap;
method "null+salsa2012+umac";
method "null";
include "secret.conf";
bind any:10000;
mtu 1426;
include peers from "peers";

on up "
   ip link set up dev $INTERFACE
   ip address add 10.99.254.7/24 broadcast 10.99.254.255 dev $INTERFACE
   ip route add 10.99.254.0/24 dev $INTERFACE table ffef
   ip rule add iif mesh-vpn-bb table ffef priority 300
   ip rule add from 10.99.254.7 table ffef priority 301
   ip route add default via 10.99.254.1 table ffef
   echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/forwarding
   systemctl start keepalived
";

on down "
   systemctl stop keepalived
   echo 0 > /proc/sys/net/ipv4/conf/$INTERFACE/forwarding
   ip route del default via 10.99.254.1 table ffef
   ip rule del iif mesh-vpn-bb table ffef priority 300
   ip rule del from 10.99.254.7 table ffef priority 301
   ip route del 10.99.254.0/24 dev $INTERFACE table ffef
   ip address del 10.99.254.7/24 broadcast 10.99.254.255 dev $INTERFACE
   ip link set down dev $INTERFACE
";
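Added example (not from this wiki page): a small simulation of the policy routing that the brffef stanza and the backbone "on up" script above set up, to check which table and next hop a packet ends up with. The eth0 uplink route in "main" and the UPLINK_GW placeholder are assumptions, since the page does not show the host's own uplink.

```python
import ipaddress

# Added example: simulate the policy routing that the brffef stanza and the
# backbone fastd "on up" script configure. The eth0 uplink route in "main" is
# an assumption (the page does not show the host's uplink); UPLINK_GW is a placeholder.
RULES = [  # (priority, selector, table), evaluated by ascending priority
    (200, ("iif", "brffef"), "ffef"),
    (201, ("oif", "brffef"), "ffef"),
    (300, ("iif", "mesh-vpn-bb"), "ffef"),
    (301, ("from", "10.99.254.7"), "ffef"),
    (32766, None, "main"),  # kernel default rule: "from all lookup main"
]
TABLES = {  # table -> [(prefix, device, gateway)]
    "ffef": [("10.99.0.0/17", "brffef", None),
             ("10.99.254.0/24", "mesh-vpn-bb", None),
             ("0.0.0.0/0", "mesh-vpn-bb", "10.99.254.1")],
    "main": [("10.99.0.0/17", "brffef", None),        # connected routes added
             ("10.99.254.0/24", "mesh-vpn-bb", None),  # by the kernel itself
             ("0.0.0.0/0", "eth0", "UPLINK_GW")],      # assumed host uplink
}

def rule_matches(selector, iif, src, oif):
    """True if a packet with these attributes selects the rule."""
    if selector is None:
        return True
    kind, value = selector
    return {"iif": iif, "oif": oif, "from": src}[kind] == value  # exact match only

def table_lookup(table, dst):
    """Longest-prefix match within one table; None if the table has no route."""
    best = None
    for prefix, dev, via in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, via)
    return best

def route(dst, iif=None, src=None, oif=None):
    """Return (table, device, gateway) the kernel would pick, or None.

    Rules are tried in priority order; when the selected table has no route
    for dst the kernel falls through to the next matching rule.
    """
    dst = ipaddress.ip_address(dst)
    for _prio, selector, table in sorted(RULES, key=lambda r: r[0]):
        if rule_matches(selector, iif, src, oif):
            hit = table_lookup(table, dst)
            if hit is not None:
                return table, hit[1], hit[2]
    return None
```

The point to verify is the separation: traffic arriving from the Freifunk bridge or the backbone is routed via table ffef (its default route goes to 10.99.254.1 over the backbone), while the host's own traffic still uses the main table and its uplink.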

  • Take over the files in /etc/fastd/backbone/peers/ from the other VPN servers
    • FIXME: make this synchronisable or fetch from a central repository

Node connection

  • mkdir -p /etc/fastd/nodes/peers
  • fastd --generate-key

fastd --generate-key

2016-05-23 23:07:46 +0000 --- Info: Reading 32 bytes from /dev/random...
Secret: XXX
Public: YYY

  • Fill /etc/fastd/nodes/secret.conf with the secret key

/etc/fastd/nodes/secret.conf

secret "XXX";

  • Add the public key to the wiki and the firmware
  • fastd configuration
    • Do not log the nodes' IP/MAC addresses
    • Enable IPv4 forwarding for the fastd interface

/etc/fastd/nodes/fastd.conf

log level info;
interface "mesh-vpn";
mode tap;
method "null+salsa2012+umac";
method "salsa2012+gmac";
hide ip addresses yes;
hide mac addresses yes;
include "secret.conf";

bind any:1234;
mtu 1426;
include peers from "peers";

on up "
   ip link set address de:ff:ef:ff:ef:01 up dev $INTERFACE
   ip link set up dev $INTERFACE
   echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/forwarding
";

on down "
   echo 0 > /proc/sys/net/ipv4/conf/$INTERFACE/forwarding
   ip link set down dev $INTERFACE
";

  • Configure the network settings for batman via the distribution

/etc/network/interfaces.d/mesh-vpn

# fastd interface (nodes)
allow-hotplug mesh-vpn
iface mesh-vpn inet6 manual
  post-up         /usr/local/sbin/batctl -m bat0 if add $IFACE
  post-up         /sbin/ip link set dev bat0 up

  • Copy the files for the nodes to /etc/fastd/nodes/peers/
    • FIXME: make this synchronisable or fetch from a central repository

Cron job for syncing the node VPN keys

/etc/crontab

# Get vpn keys for nodes
# /etc/crontab runs with SHELL=/bin/sh (dash), which has no [[ ]]; use the POSIX test instead
* *	* * *	root	[ -n "$(rsync -ai --delete 10.99.254.43::peers/ /etc/fastd/nodes/peers/)" ] && killall -SIGHUP fastd

Start and add to the runlevel

  • systemctl start fastd@backbone
  • systemctl enable fastd@backbone
  • systemctl start fastd@nodes
  • systemctl enable fastd@nodes

We still use batman-adv 2013.4.0 (compat level 14), so we have to build the kernel packages and batctl ourselves.

Packages

  • install
  • build-essential
  • linux-headers-amd64
  • git
  • gnupg-curl

Build the kernel module

  • modprobe batman-adv
  • dmesg

dmesg

[42600.480585] batman_adv: B.A.T.M.A.N. advanced 2013.4.0-23-g91eab38-dirty (compatibility version 14) loaded

/etc/modules

batman-adv

batctl

Network configuration

/etc/network/interfaces.d/bat0

# batman interface
allow-hotplug bat0
iface bat0 inet6 manual
  post-up         /sbin/brctl addif brffef $IFACE
  post-up         /usr/local/sbin/batctl -m $IFACE it 10000
  post-up         /usr/local/sbin/batctl -m $IFACE gw server 96mbit/96mbit
  pre-down        /sbin/brctl delif brffef $IFACE || true

  • FIXME: review in general, ICVPN1 config adjustment

Packages

  • quagga
  • telnet

/etc/quagga/daemons

zebra=yes
bgpd=yes

/etc/quagga/zebra.conf

! -*- zebra -*-
!
! zebra sample configuration file
!
! $Id: zebra.conf.sample,v 1.1 2002/12/13 20:15:30 paul Exp $
!
hostname vpn1.erfurt.freifunk.net
password xxxx
enable password xxxx
!
! Interface's description.
!
!interface lo
! description test of desc.
!
!interface sit0
! multicast

!
! Static default route sample.
!
!ip route 0.0.0.0/0 203.181.89.241
!

log file /var/log/quagga/zebra.log

! use src ip for local connection
route-map RM_SET_SOURCE permit 10
set src 10.99.254.7
ip protocol bgp route-map RM_SET_SOURCE

table 23

/etc/quagga/bgp.conf

hostname vpn1
password [PASSWORD]
!
! enable debug log
!
debug bgp updates
!
!
router bgp 65099002 
 bgp router-id 10.99.254.7 
 bgp confederation identifier 65099
 bgp confederation peers 65099001 
 network 10.99.8.0/22

 neighbor ffef-backbone peer-group
 neighbor ffef-backbone soft-reconfiguration inbound
 neighbor ffef-backbone prefix-list ffef-backbone-in in
 neighbor ffef-backbone prefix-list ffef-backbone-out out

! neighbor 10.99.254.1 remote-as 65099001
! neighbor 10.99.254.1 description icvpn2_suicider
! neighbor 10.99.254.1 prefix-list ffef-backbone-in in
! neighbor 10.99.254.1 prefix-list ffef-backbone-out out

 neighbor 10.99.254.10 remote-as 65099001
 neighbor 10.99.254.10 description icvpn2_hipposen
 neighbor 10.99.254.10 prefix-list ffef-backbone-in in
 neighbor 10.99.254.10 prefix-list ffef-backbone-out out

! neighbor 10.99.254.8 remote-as 65099002
! neighbor 10.99.254.8 description vpn3_ichirou
! neighbor 10.99.254.8 peer-group ffef-backbone

 neighbor 10.99.254.9 remote-as 65099002
 neighbor 10.99.254.9 description vpn2_bt909
 neighbor 10.99.254.9 peer-group ffef-backbone

ip prefix-list ffef-backbone-in description *** Backbone IP-Filter eingehend ***
ip prefix-list ffef-backbone-in seq 10 permit 0.0.0.0/0
ip prefix-list ffef-backbone-in seq 19 deny 10.99.16.0/22
ip prefix-list ffef-backbone-in seq 20 permit 10.99.0.0/16 le 32
ip prefix-list ffef-backbone-in seq 21 permit 10.0.0.0/8 le 32
ip prefix-list ffef-backbone-in seq 30 permit 172.16.0.0/12 le 32
ip prefix-list ffef-backbone-in seq 99 deny 0.0.0.0/0 le 32

ip prefix-list ffef-backbone-out description *** Backbone IP-Filter ausgehend ***
ip prefix-list ffef-backbone-out seq 10 deny 0.0.0.0/0
ip prefix-list ffef-backbone-out seq 20 permit 10.99.0.0/16 le 32
ip prefix-list ffef-backbone-out seq 99 deny 0.0.0.0/0 le 32
!
!
log file /var/log/quagga/bgpd.log
!
!log stdout
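Added example (not from this wiki page): a re-implementation of Quagga's "ip prefix-list" matching, applied to the two backbone filters above, so the effect of each seq entry can be checked against concrete announcements before the filters are deployed.

```python
import ipaddress

# Added example: re-implements Quagga "ip prefix-list" matching and checks the
# two backbone filters from the bgpd configuration above. Entries are
# (seq, action, prefix, le); le=None means the candidate's prefix length must
# equal the entry's prefix length exactly.
FFEF_BACKBONE_IN = [
    (10, "permit", "0.0.0.0/0", None),
    (19, "deny", "10.99.16.0/22", None),
    (20, "permit", "10.99.0.0/16", 32),
    (21, "permit", "10.0.0.0/8", 32),
    (30, "permit", "172.16.0.0/12", 32),
    (99, "deny", "0.0.0.0/0", 32),
]
FFEF_BACKBONE_OUT = [
    (10, "deny", "0.0.0.0/0", None),
    (20, "permit", "10.99.0.0/16", 32),
    (99, "deny", "0.0.0.0/0", 32),
]

def entry_matches(candidate, entry):
    """Quagga semantics: the candidate lies inside the entry's network and its
    prefix length is within [entry length, le] (or equals it when no le is given)."""
    _seq, _action, prefix, le = entry
    base = ipaddress.ip_network(prefix)
    if candidate.version != base.version or not candidate.subnet_of(base):
        return False
    max_len = base.prefixlen if le is None else le
    return base.prefixlen <= candidate.prefixlen <= max_len

def evaluate(prefix_list, prefix):
    """Return (action, seq) of the first matching entry in seq order, or
    ("deny", None) for the implicit deny Quagga appends to every prefix-list."""
    candidate = ipaddress.ip_network(prefix, strict=True)
    for entry in sorted(prefix_list, key=lambda e: e[0]):
        if entry_matches(candidate, entry):
            return entry[1], entry[0]
    return "deny", None
```

Because seq 19 carries no `le`, it rejects only the exact 10.99.16.0/22; a more specific announcement such as 10.99.16.0/24 is still permitted by seq 20, which matters if the intent is to block the whole range.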

  • Last modified: 28.06.2020 21:04
  • by hipposen