This is an old revision of the document!
Gateway configuration
Warning - do not use, still work in progress! — Florian Knodt 2015/03/10 22:30
This guide describes setting up a supernode for the FF-MYK network, with an optional internet uplink, on Arch Linux. The information should be usable on other distributions with minor changes.
Warning: supernodes use complex routing methods; sound Linux and networking knowledge is required.
Todo:
- ICVPN
- BGP (bird/bird6)
- fastd
- dhcpd
- radvd
- named
- OpenVPN (mullvad)
- haveged (entropy)
ref https://wiki.luebeck.freifunk.net/gatewayconfig
- init.sh
#!/bin/bash
# Uplink interface of the supernode itself
ip link set up dev eth0
ip addr add 10.9.0.10/24 dev eth0
ip route add default via 10.9.0.1

# Start fastd in a detached screen session and give it time to create its interface
screen -AmSd fastd fastd -c /etc/fastd/vpn/config --log-level debug
sleep 5

# Fixed MAC for the mesh VPN interface (only possible while it is down), then hand it to batman-adv
ip link set down address 02:FF:4D:59:4B:10 dev ffmyk-mesh-vpn
ip link set up dev ffmyk-mesh-vpn
batctl if add ffmyk-mesh-vpn
# Announce this node as a batman-adv gateway; originator interval 10 s
batctl gw server
batctl it 10000
ip link set up dev bat0

# Bridge carrying the mesh, with the gateway's own IPv4/IPv6 addresses
brctl addbr br-ffmyk
brctl addif br-ffmyk bat0
ip link set up dev br-ffmyk
ip addr add 10.222.100.1/16 dev br-ffmyk
ip addr add 2a01:198:70a:ff::100:1/64 dev br-ffmyk

# Only on the stats server
screen -AmSd alfred alfred -i br-ffmyk -b bat0 -m
screen -AmSd batadv-vis batadv-vis -i bat0 -s

# Higher hop penalty: discourage routing through the gateway as an intermediate mesh hop
echo 128 > /sys/class/net/bat0/mesh/hop_penalty
sysctl -w net.ipv4.ip_forward=1
systemctl start openvpn@mullvad

# Policy routing: everything entering via the mesh bridge is marked and looked up in table 42.
# Table 42 has an "unreachable" default until mullvad-up installs the VPN routes, so mesh
# traffic can never leave through the host's own default route while the tunnel is down.
iptables -t mangle -A PREROUTING -i br-ffmyk -j MARK --set-xmark 0x1/0xffffffff
iptables -t nat -A POSTROUTING -o mullvad -j MASQUERADE
ip route add unreachable default table 42
ip rule add from all fwmark 0x1 table 42
ip rule add from 10.222.0.0/16 table 42
ip route add 10.222.0.0/16 dev br-ffmyk table 42
systemctl restart dhcpd4
- mullvad.conf
client
dev mullvad
dev-type tun
proto udp
#proto tcp
# Exactly one remote line has to be enabled; all of them are commented out in this draft.
#remote openvpn.mullvad.net 1194
#remote openvpn.mullvad.net 443
#remote openvpn.mullvad.net 53
#remote se.mullvad.net # Servers in Sweden
#remote nl.mullvad.net # Servers in the Netherlands
#remote de.mullvad.net 1194 # Servers in Germany
#remote us.mullvad.net # Servers in the USA
# Tunnel IPv6 traffic as well as IPv4
tun-ipv6
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Try to preserve some state across restarts.
persist-key
persist-tun
# Enable compression on the VPN link.
comp-lzo
# Set log file verbosity.
verb 3
remote-cert-tls server
ping-restart 60
# Allow calling of built-in executables and user-defined scripts.
script-security 2
# Parses DHCP options from openvpn to update resolv.conf
#up /etc/openvpn/update-resolv-conf
#down /etc/openvpn/update-resolv-conf
ping 10
ca /etc/openvpn/mullvad/ca.crt
cert /etc/openvpn/mullvad/mullvad.crt
key /etc/openvpn/mullvad/mullvad.key
crl-verify /etc/openvpn/mullvad/crl.pem
# Update routing information.
# Do not use standard configuration pushed via DHCP!
route-noexec
up /etc/openvpn/mullvad/mullvad-up
- mullvad-up
#!/bin/bash
# Called by OpenVPN once the tunnel is up. $4 is the fourth argument OpenVPN passes
# to an up script (the tunnel's ifconfig_local_ip). The two /1 routes cover all of
# IPv4 and are more specific than the "unreachable default" in table 42, so they take
# over without removing that kill-switch entry.
sleep 3
echo Reroute via $4
ip route replace 0.0.0.0/1 via $4 table 42
ip route replace 128.0.0.0/1 via $4 table 42
exit 0
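The interplay of the ip rule / table 42 lines in init.sh and the two /1 routes from mullvad-up is easy to get wrong, so here is an added simulation (not code from the wiki page) of the kernel's rule selection and longest-prefix lookup for those exact tables. The addresses come from init.sh; the VPN gateway 10.8.0.1 is a constructed stand-in for the address OpenVPN hands to mullvad-up as $4. It shows that mesh traffic is "unreachable" rather than leaking via the provider uplink while the tunnel is down, and that the gateway's own traffic is unaffected either way.

```python
import ipaddress

# Table 42 as init.sh builds it before OpenVPN has connected: (prefix, next hop)
TABLE_42_VPN_DOWN = [
    ("0.0.0.0/0", "unreachable"),       # ip route add unreachable default table 42
    ("10.222.0.0/16", "dev br-ffmyk"),  # ip route add 10.222.0.0/16 dev br-ffmyk table 42
]

# The host's own main table (addresses from init.sh)
TABLE_MAIN = [
    ("0.0.0.0/0", "via 10.9.0.1"),      # ip route add default via 10.9.0.1
    ("10.9.0.0/24", "dev eth0"),
    ("10.222.0.0/16", "dev br-ffmyk"),
]


def lookup(table, dst):
    """Longest-prefix match within one routing table, as the kernel does.
    Returns the next hop of the most specific matching entry, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return None if best is None else best[1]


def table_after_mullvad_up(table, vpn_gw):
    """What mullvad-up installs: two /1 routes that together cover all of
    IPv4. Being more specific than the /0 'unreachable' entry, they win the
    lookup without that entry ever being removed."""
    return table + [("0.0.0.0/1", f"via {vpn_gw}"),
                    ("128.0.0.0/1", f"via {vpn_gw}")]


def select_table(src, fwmark):
    """The two 'ip rule' lines from init.sh: packets carrying mark 0x1 (set in
    PREROUTING for everything entering via br-ffmyk) and packets sourced from
    the mesh prefix use table 42; everything else uses main."""
    if fwmark == 0x1:
        return 42
    if ipaddress.ip_address(src) in ipaddress.ip_network("10.222.0.0/16"):
        return 42
    return "main"


def route_for(src, dst, fwmark, vpn_up, vpn_gw="10.8.0.1"):
    """Full decision for one packet. vpn_gw is a constructed example of the
    address OpenVPN passes to mullvad-up as $4."""
    if select_table(src, fwmark) == "main":
        return lookup(TABLE_MAIN, dst)
    table = TABLE_42_VPN_DOWN
    if vpn_up:
        table = table_after_mullvad_up(table, vpn_gw)
    return lookup(table, dst)


if __name__ == "__main__":
    # A mesh client (marked in PREROUTING) reaching the internet...
    print(route_for("10.222.7.8", "8.8.8.8", 0x1, vpn_up=False))  # unreachable
    print(route_for("10.222.7.8", "8.8.8.8", 0x1, vpn_up=True))   # via 10.8.0.1
    # ...while the gateway's own traffic keeps using the provider uplink.
    print(route_for("10.9.0.10", "8.8.8.8", 0, vpn_up=False))     # via 10.9.0.1
```

Note that the mesh prefix itself stays local in both states: 10.222.0.0/16 is a /16 and therefore beats the /1 VPN routes, so traffic between mesh clients is never pushed into the tunnel.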
- fastd.conf
log to syslog level info;
interface "ffmyk-mesh-vpn";
method "salsa2012+gmac";
method "salsa2012+umac";
secure handshakes yes;
bind 0.0.0.0:5000;
hide ip addresses yes;
hide mac addresses yes;
mtu 1426;
# One file per router, written by fastd-api.php
include peers from "peers";
# Placeholder: this is the gateway's private key, generate it with `fastd --generate-key`
secret "lamepassword";
- fastd-api.php
<?php
// Fetches the registered routers from the FF-MYK API, writes one fastd peer file
// per router and removes peer files of routers that are no longer registered.
$url = '***APIURL***';
$out = '/etc/fastd/vpn/peers/';
if(!is_dir($out)) die('Output Dir missing');
if(!is_writable($out)) die('Output Dir perms');

$data = file_get_contents($url);
if($data === false) die('API unreachable');
// Never let remote data instantiate objects; the API only delivers arrays of strings
// (the second argument requires PHP 7).
$data = unserialize($data, array('allowed_classes' => false));
if(!is_array($data)) die('API returned no usable data');

$active = array();
foreach($data as $router) {
    if(!preg_match('/^[A-F0-9]{2}:[A-F0-9]{2}:[A-F0-9]{2}:[A-F0-9]{2}:[A-F0-9]{2}:[A-F0-9]{2}$/', $router['MAC'])) {
        trigger_error('Router mit falscher MAC?!', E_USER_WARNING);
    } elseif(!preg_match('/^[A-F0-9]{64}$/', $router['PublicKey'])) {
        trigger_error('Router mit falschem Key?!', E_USER_WARNING);
    } else {
        // The checks above guarantee that file name and key line contain only [A-F0-9:-]
        $filename = 'client_'.str_replace(':', '-', $router['MAC']);
        $fp = fopen($out.$filename, 'w');
        fwrite($fp, 'key "'.$router['PublicKey'].'";'."\n");
        fclose($fp);
        $active[] = $filename;
    }
}

// Prune peer files of routers missing from the API response
$dh = opendir($out);
while(($file = readdir($dh)) !== false) {
    if($file != '.' && $file != '..') {
        if(!in_array($file, $active) && (strpos($file, 'client_') !== false)) {
            unlink($out.$file);
        }
    }
}
closedir($dh);

// Make fastd re-read its peer directory
exec('killall -SIGHUP fastd');
?>
gatewaykonfiguration.1426023952.txt.gz · Last modified: 2020/10/17 20:04 (external edit)