


Gatewaykonfiguration

Achtung - Nicht benutzen, noch in Arbeit! — Florian Knodt 2015/03/10 22:30

Dieser Guide beschreibt die Einrichtung eines Supernodes für das FF-MYK-Netz mit optionalem Internet-Uplink unter Arch Linux. Die Informationen sollten sich mit geringen Änderungen auch auf anderen Distributionen nutzen lassen.

Achtung: Supernodes nutzen komplexe Routingmethoden - es werden fundierte Linux- und Netzwerkkenntnisse vorausgesetzt.


Todo:

  • ICVPN
  • BGP (bird/bird6)

  • fastd
  • dhcpd
  • radvd
  • named
  • OpenVPN (mullvad)
  • haveged (Entropie)

ref https://wiki.luebeck.freifunk.net/gatewayconfig


init.sh
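#!/usr/bin/env bash
# init.sh - bring up the FF-MYK supernode in one go:
#   1. uplink NIC (eth0) with its static address and default route
#   2. fastd mesh VPN (ffmyk-mesh-vpn) with a fixed MAC
#   3. batman-adv (bat0 as gateway server) bridged into br-ffmyk
#   4. alfred / batadv-vis (stats server only)
#   5. Mullvad OpenVPN uplink plus policy routing: mesh traffic is marked
#      (fwmark 0x1) and looked up in table 42, whose default is "unreachable"
#      until mullvad-up installs the tunnel routes - so mesh traffic never
#      falls back to the plain eth0 uplink
#   6. restart dhcpd4 so it binds to the now existing bridge
# Must run as root. Every step is written so that a second run does not
# stack duplicate addresses, ip rules or iptables entries, and a failing
# step aborts instead of silently continuing on a half-configured node.
set -euo pipefail

die() { printf 'init.sh: %s\n' "$*" >&2; exit 1; }

# Wait up to $2 seconds (default 30) for network interface $1 to exist.
# Returns 0 once /sys/class/net/<dev> shows up, 1 on timeout.
wait_for_iface() {
  local dev=$1 tries=${2:-30}
  while (( tries > 0 )); do
    [[ -d "/sys/class/net/${dev}" ]] && return 0
    sleep 1
    tries=$(( tries - 1 ))
  done
  return 1
}

# Append an iptables rule only if it is not present yet.
# Arguments: $1 table, $2 chain, rest = the rule specification.
ipt_ensure() {
  local table=$1 chain=$2
  shift 2
  iptables -t "$table" -C "$chain" "$@" 2>/dev/null \
    || iptables -t "$table" -A "$chain" "$@"
}

# 1. uplink
ip link set up dev eth0
ip addr replace 10.9.0.10/24 dev eth0
ip route replace default via 10.9.0.1

# 2. fastd mesh VPN in a detached screen session. Wait for the interface
# instead of a fixed sleep so the following ip/batctl calls cannot race it.
screen -AmSd fastd fastd -c /etc/fastd/vpn/config --log-level debug
wait_for_iface ffmyk-mesh-vpn 30 || die 'ffmyk-mesh-vpn did not appear - fastd failed?'
# The MAC is set while the link is down; some drivers reject live changes.
ip link set down address 02:FF:4D:59:4B:10 dev ffmyk-mesh-vpn
ip link set up dev ffmyk-mesh-vpn

# 3. batman-adv: attach the mesh interface (skip if already attached),
# announce ourselves as gateway server, bridge bat0 into br-ffmyk.
batctl if | grep -q '^ffmyk-mesh-vpn:' || batctl if add ffmyk-mesh-vpn
batctl gw server
batctl it 10000
ip link set up dev bat0

[[ -d /sys/class/net/br-ffmyk ]] || brctl addbr br-ffmyk
[[ -e /sys/class/net/bat0/brport ]] || brctl addif br-ffmyk bat0
ip link set up dev br-ffmyk

ip addr replace 10.222.100.1/16 dev br-ffmyk
ip addr replace 2a01:198:70a:ff::100:1/64 dev br-ffmyk

# 4. Stats server only
screen -AmSd alfred alfred -i br-ffmyk -b bat0 -m
screen -AmSd batadv-vis batadv-vis -i bat0 -s

echo 128 > /sys/class/net/bat0/mesh/hop_penalty

sysctl -w net.ipv4.ip_forward=1

# 5. Policy routing first, tunnel second: table 42 is "unreachable" until
# mullvad-up replaces its default via the tunnel, so there is no window in
# which marked mesh traffic could leave via the main table / eth0.
ip route replace unreachable default table 42
ip route replace 10.222.0.0/16 dev br-ffmyk table 42
ip rule show | grep -qF 'fwmark 0x1 lookup 42' \
  || ip rule add from all fwmark 0x1 table 42
ip rule show | grep -qF 'from 10.222.0.0/16 lookup 42' \
  || ip rule add from 10.222.0.0/16 table 42

ipt_ensure mangle PREROUTING -i br-ffmyk -j MARK --set-xmark 0x1/0xffffffff
ipt_ensure nat POSTROUTING -o mullvad -j MASQUERADE

systemctl start openvpn@mullvad

# 6. dhcpd4 serves br-ffmyk, which did not exist when the unit first started
systemctl restart dhcpd4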

mullvad.conf
# mullvad.conf - OpenVPN client profile for the Mullvad uplink that init.sh
# starts via "systemctl start openvpn@mullvad".
client

# Fixed interface name: init.sh's MASQUERADE rule matches "-o mullvad",
# so the two must stay in sync.
dev mullvad
dev-type tun

proto udp
#proto tcp

# NOTE(review): every "remote" line below is commented out, so this file
# has no active server - exactly one must be enabled before use.
#remote openvpn.mullvad.net 1194
#remote openvpn.mullvad.net 443
#remote openvpn.mullvad.net 53
#remote se.mullvad.net # Servers in Sweden
#remote nl.mullvad.net # Servers in the Netherlands
#remote de.mullvad.net 1194 # Servers in Germany
#remote us.mullvad.net # Servers in the USA

# Tunnel IPv6 traffic as well as IPv4
tun-ipv6

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Try to preserve some state across restarts.
persist-key
persist-tun

# Enable compression on the VPN link.
# NOTE(review): link compression is deprecated in newer OpenVPN releases
# and has known compression-oracle weaknesses; keep it only if the
# provider's server still requires it.
comp-lzo

# Set log file verbosity.
verb 3

# Require the server certificate to carry the server key usage, so a
# leaked client certificate cannot impersonate the server.
remote-cert-tls server

ping-restart 60

# Allow calling of built-in executables and user-defined scripts.
# Needed for the "up" hook at the end of this file.
script-security 2

# Parses DHCP options from openvpn to update resolv.conf
#up /etc/openvpn/update-resolv-conf
#down /etc/openvpn/update-resolv-conf

ping 10

# Client identity; the key file must be readable by root only.
ca /etc/openvpn/mullvad/ca.crt
cert /etc/openvpn/mullvad/mullvad.crt
key /etc/openvpn/mullvad/mullvad.key

crl-verify /etc/openvpn/mullvad/crl.pem

# Update routing information.
# Do not use standard configuration pushed via DHCP!
# Routes pushed by the server are ignored; mullvad-up installs the tunnel
# default routes into policy table 42 instead (see init.sh).
route-noexec
up /etc/openvpn/mullvad/mullvad-up

mullvad-up
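#!/bin/bash
# mullvad-up - OpenVPN "up" hook for the Mullvad tunnel (mullvad.conf uses
# route-noexec + up). OpenVPN passes the tunnel parameters as positional
# arguments; per the --up documentation $4 is ifconfig_local_ip, which is
# used here as the next hop. The two half-routes 0.0.0.0/1 and 128.0.0.0/1
# are installed in table 42 only, so just policy-routed mesh traffic (see
# init.sh) leaves through the tunnel while the host's own default route is
# untouched. Always exits 0 so a route error never tears the tunnel down;
# mesh traffic then simply stays "unreachable" in table 42 (fail closed).
gw=${4:?mullvad-up: OpenVPN did not pass ifconfig_local_ip as argument 4}

# Give the tun device a moment to settle before touching its routes.
sleep 3
printf 'Reroute via %s\n' "$gw"
ip route replace 0.0.0.0/1 via "$gw" table 42 \
  || printf 'mullvad-up: could not set 0.0.0.0/1 via %s\n' "$gw" >&2
ip route replace 128.0.0.0/1 via "$gw" table 42 \
  || printf 'mullvad-up: could not set 128.0.0.0/1 via %s\n' "$gw" >&2

exit 0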

fastd.conf
# fastd.conf - mesh VPN endpoint of the supernode (started by init.sh as
# "fastd -c /etc/fastd/vpn/config").
log to syslog level info;
# Interface name referenced by init.sh (MAC assignment, batctl if add).
interface "ffmyk-mesh-vpn";
# Crypto methods, listed in order of preference.
method "salsa2012+gmac";
method "salsa2012+umac";
# Only the secure handshake variant is accepted.
secure handshakes yes;
bind 0.0.0.0:5000;
# Keep peer addresses out of the logs.
hide ip addresses yes;
hide mac addresses yes;
mtu 1426;
# Directory maintained by fastd-api.php (one "client_<MAC>" file per
# router); fastd re-reads it on SIGHUP.
include peers from "peers";
# NOTE(review): placeholder - replace with the private key from
# "fastd --generate-key" and make sure this file is not world-readable.
secret "lamepassword";

fastd-api.php
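<?php
// fastd-api.php - sync fastd peer files with the router registry.
// Fetches the serialized router list from $url, writes one "client_<MAC>"
// peer file per router whose MAC and public key pass the whitelist below,
// removes client_* files that are no longer listed and HUPs fastd so it
// re-reads the peers directory (cf. `include peers from "peers";`).
// Run (e.g. from cron) as a user that may write $out and signal fastd.
// An empty router list from the API removes all peers; an unreachable or
// unparseable API leaves the directory untouched.

$url = '***APIURL***';
$out = '/etc/fastd/vpn/peers/';

if(!is_dir($out)) die('Output Dir missing');
if(!is_writable($out)) die('Output Dir perms');

$raw = file_get_contents($url);
if($raw === false || $raw === '') {
	// Without a usable answer the peer directory must not be touched:
	// the cleanup below would otherwise delete every single peer.
	trigger_error('API nicht erreichbar oder leere Antwort', E_USER_WARNING);
	exit(1);
}

// The answer is PHP-serialized data fetched over the network, i.e. untrusted
// input to unserialize(). Only plain arrays are expected, so object
// instantiation is disabled where the PHP version supports it
// (allowed_classes, PHP >= 7.0); on older PHP the call is unchanged.
if(PHP_VERSION_ID >= 70000) {
	$data = unserialize($raw, array('allowed_classes' => false));
} else {
	$data = unserialize($raw);
}
if(!is_array($data)) {
	trigger_error('API-Antwort nicht lesbar', E_USER_WARNING);
	exit(1);
}

// Peer files that belong to a currently listed router.
$active = array();
foreach($data as $router) {
	$mac = isset($router['MAC']) ? $router['MAC'] : '';
	$key = isset($router['PublicKey']) ? $router['PublicKey'] : '';
	if(!preg_match('/^[A-F0-9]{2}:[A-F0-9]{2}:[A-F0-9]{2}:[A-F0-9]{2}:[A-F0-9]{2}:[A-F0-9]{2}$/', $mac)) {
		trigger_error('Router mit falscher MAC?!', E_USER_WARNING);
	}elseif(!preg_match('/^[A-F0-9]{64}$/', $key)) {
		trigger_error('Router mit falschem Key?!', E_USER_WARNING);
	}else{
		// Both values passed the strict whitelists above, so file name and
		// file content consist of [A-F0-9-] resp. [A-F0-9] only.
		$filename = 'client_'.str_replace(':', '-', $mac);
		// Keep the router in $active even if writing fails, so an existing
		// peer file is not removed by the cleanup because of an I/O error.
		$active[] = $filename;
		if(file_put_contents($out.$filename, 'key "'.$key.'";'."\n") === false) {
			trigger_error('Peer-Datei '.$filename.' nicht schreibbar', E_USER_WARNING);
		}
	}
}

// Remove only files this script creates (client_ prefix) that are no
// longer listed by the API; other files in the directory are left alone.
$dh = opendir($out);
if($dh === false) die('Output Dir not readable');
while(($file = readdir($dh)) !== false) {
	if(strpos($file, 'client_') === 0 && !in_array($file, $active, true)) {
		unlink($out.$file);
	}
}
closedir($dh);

// Make fastd re-read the peers directory.
exec('killall -SIGHUP fastd');

?>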