Hello everyone,

attached are the meeting notes. They certainly still need to be written out and detailed, but before we pour this into the wiki, please have a look over it to check that it does not contain any gross errors or omissions so far. I enjoyed it a lot and learned quite a bit. Thanks, Andre

PS: I am travelling until next Sunday and probably only sporadically reachable.

Prerequisites

Hardware:
  CPU: 1x (64-bit)
  RAM: 1 GB
  HDD: 5-8 GB
  NIC: 1x

Software:
  OS: Debian Wheezy (7), 64-bit kernel
  - users have been created
  - DNS is set to one of the gateways

It must be possible to load kernel modules, otherwise B.A.T.M.A.N. (batman-adv) cannot be loaded. Experience shows that shared-kernel container virtualisation is therefore less suitable, unless there is full access to the host system.

Config items:

I.
  - sources list
  - package list
  - config interfaces
  - config fastd
  - key file repo
  - key update script
  - cronjob script
  - gateway fastd private key

II. init scripts:
  - dhcpd.conf
  - radvd.conf
  - openvpn.conf
  - iptables examples

I. DIAL IN (nodes can dial in)
  - sources list (fastd, B.A.T.M.A.N.): http://repo.universe-factory.net/debian/
  - install (fastd, B.A.T.M.A.N., bridge-utils)
  - configure $networkinterfaces (B.A.T.M.A.N.)
  - install git
  - clone key repo
  - configure fastd (key generation)
  - import the fastd keys of the nodes (cronjob for autoupdate_fastd_keys; http://freifunk.in-kiel.de/debian/fastd-update)

II.
EXIT NODE GATEWAY [ENG]
  - install software
      IPv4: dhcpd
      router advertisement daemon for IPv6: radvd
      VPN: openvpn
      firewall: iptables
  - configure dhcpd.conf, radvd.conf, openvpn.conf, iptables (NAT44)

I. DIAL IN

Define the sources for fastd and batman-adv:

$ vim /etc/apt/sources.list

    deb http://security.debian.org/ wheezy/updates main contrib non-free
    deb-src http://security.debian.org/ wheezy/updates main contrib non-free

    # wheezy-updates, previously known as 'volatile'
    deb http://46.165.198.1/debian wheezy-updates main contrib non-free
    deb-src http://46.165.198.1/debian wheezy-updates main contrib non-free

    deb http://repo.universe-factory.net/debian/ sid main

Import the signing key of the repo. Note that gpg --export only exports a key that is already in the local gpg keyring, so the key has to be fetched first (e.g. with gpg --recv-keys); the notes skip that step:

$ gpg -a --export AB7A88C5B89033D8 | apt-key add -

Update:

$ apt-get update

Install. (ainstall is not defined in these notes; it is presumably a local install alias, the --without-recommends flag used further down is aptitude's spelling.)

$ ainstall batctl batman-adv-dkms fastd bridge-utils
$ mkdir /etc/fastd/ffhh-mesh-vpn
$ mkdir /etc/fastd/ffhh-mesh-vpn/peers
$ vim /etc/fastd/ffhh-mesh-vpn/fastd.conf

Make up a MAC address for the fastd interface (it is set in the "on up" hook below). Use a locally administered address and document it, since two gateways with the same MAC on the layer-2 mesh would collide.

    log to syslog level debug;   # debug is handy while setting up; lower the level once the gateway runs
    interface "ffhh-mesh-vpn";
    method "xsalsa20-poly1305";
    bind 0.0.0.0:10000;
    include "secret.conf";
    mtu 1426; # 1492 - IPv4 header - fastd header ...
    include peers from "peers";

    on up "
        ifup bat0
        ip link set address MADE-UP-MAC dev $INTERFACE
    ";

Generate the fastd key pair:

$ fastd --generate-key

Enter the secret key. This key is the gateway's identity towards the nodes, so keep secret.conf readable by root only:

$ vim /etc/fastd/ffhh-mesh-vpn/secret.conf

    secret "SECRET KEY";

Autoload the batman-adv module at boot. (The notes put the bare module name into /etc/modprobe.d/batman-adv; files under /etc/modprobe.d only hold modprobe directives such as options and aliases and do not load anything. On Debian, modules to load at boot are listed in /etc/modules.)

$ vim /etc/modules

    batman-adv

Create the bridge interface. The IP addresses used (v4 and v6) must be documented.

$ cd /etc/network
$ vim interfaces

    auto br-ffhh
    iface br-ffhh inet6 static
        bridge-ports none
        address fd51:2bb2:fd0d:0::c01
        netmask 64
    iface br-ffhh inet static
        address 10.112.12.1
        netmask 255.255.240.0

    allow-hotplug bat0
    iface bat0 inet6 manual
        pre-up batctl if add ffhh-mesh-vpn
        up ip link set $IFACE up
        post-up brctl addif br-ffhh $IFACE
        post-up batctl it 10000
        pre-down brctl delif br-ffhh $IFACE || true
        down ip link set $IFACE down

Note that this example gives br-ffhh the address 10.112.12.1 with a /20 (255.255.240.0), while the dhcpd example in part II hands out a /18 (255.255.192.0) with 10.112.10.1 as router; the two have to be made consistent with the range actually assigned to the gateway.

Install git:

$ ainstall git

Generate an SSH key pair for connecting the gateway to the closed git repo which contains the fastd keys of the nodes:

$ ssh-keygen

  * send the public key to the gateway-AG
  * autoupdate_fastd_keys.sh: shell script that fetches the fastd keys from the git repo:

$ mkdir bin
$ cd bin
$ vim autoupdate_fastd_keys.sh

    #!/bin/bash
    # Simple script to update fastd peers from git upstream
    # and only send HUP to fastd when changes happened.
    # CONFIGURE THIS TO YOUR PEER DIRECTORY
    FASTD_PEERS=/etc/fastd/ffhh-mesh-vpn/peers

    function getCurrentVersion() {
        # Get hash from latest revision
        git log --format=format:%H -1
    }

    cd "$FASTD_PEERS" || exit 1

    # Get current version hash
    GIT_REVISION=$(getCurrentVersion)

    # Automagically commit local changes
    # This preserves local changes (-a is needed, otherwise only
    # already staged changes are committed and the merge below fails)
    git commit -a -m "CRON: auto commit"

    # Pull latest changes from upstream
    git fetch
    git merge origin/master -m "Auto Merge"

    # Get new version hash
    GIT_NEW_REVISION=$(getCurrentVersion)

    if [ "$GIT_REVISION" != "$GIT_NEW_REVISION" ]
    then
        # Version has changed we need to update
        echo "Reload fastd peers"
        kill -HUP $(pidof fastd)
    fi

Clone the key repo into the peers directory. Clone from /etc/fastd/ffhh-mesh-vpn, not from inside peers as the notes had it, otherwise the repo ends up in peers/peers:

$ cd /etc/fastd/ffhh-mesh-vpn
$ git clone git@freifunk-gw01.hamburg.ccc.de:fastdkeys peers

Create a cronjob that runs autoupdate_fastd_keys.sh every 5 minutes. (The notes had "5 * * * *", which runs the script only once an hour, at minute 5.)

$ crontab -e

    */5 * * * * /root/bin/autoupdate_fastd_keys.sh

Bring up the bridge interface:

$ brctl addbr br-ffhh
$ ifup br-ffhh

Load the batman kernel module (the module is called batman-adv, not batman):

$ modprobe batman-adv

Start fastd:

$ service fastd start

II. EXIT NODE GATEWAY

Install:

$ ainstall isc-dhcp-server radvd openvpn iptables-persistent --without-recommends

Configure IPv4 DHCP. Each gateway gets a /18 network in the ffhh IP range 10.112.x.x.

$ vim /etc/dhcp/dhcpd.conf

    # The ddns-updates-style parameter controls whether or not the server will
    # attempt to do a DNS update when a lease is confirmed. We default to the
    # behavior of the version 2 packages ('none', since DHCP v2 didn't
    # have support for DDNS.)
    ddns-update-style none;

    # option definitions common to all supported networks...
    option domain-name ".ffhh";

    # the notes set default-lease-time twice (600, then 1800); the later value wins
    default-lease-time 1800;
    max-lease-time 7200;

    subnet 10.112.0.0 netmask 255.255.192.0 {
        authoritative;
        range 10.112.10.2 10.112.11.254;
        # DNS: GW01, Muehlentor
        option domain-name-servers 10.112.14.1, 10.112.16.1;
        option routers 10.112.10.1;
    }

Configure IPv6 radvd:

$ vim /etc/radvd.conf

    interface br-ffhh {
        AdvSendAdvert on;
        MaxRtrAdvInterval 200;
        prefix fd51:2bb2:fd0d::/64 { };
        RDNSS fd51:2bb2:fd0d::c01 { };
    };

Enable IP forwarding for IPv4 and IPv6. Add the following lines to sysctl.conf:

$ vim /etc/sysctl.conf

    # Uncomment the next line to enable packet forwarding for IPv4
    net.ipv4.ip_forward=1

    # Uncomment the next line to enable packet forwarding for IPv6
    # Enabling this option disables Stateless Address Autoconfiguration
    # based on Router Advertisements for this host
    net.ipv6.conf.all.forwarding=1

Configure the VPN. The mullvad files are available from Thomas or Kantorkel; copy them to /etc/openvpn/mullvad:

$ cp -r *CUSTOMER-NUMBER* /etc/openvpn/mullvad

Then edit the mullvad up script. OpenVPN calls the up script with the tunnel parameters as positional arguments; $5 is ifconfig_remote_ip, the far end of the point-to-point tun. The two /1 routes together cover the whole IPv4 space, but they go into routing table 42 only, so the gateway's own default route stays untouched and only marked (mesh) traffic is sent through the VPN:

$ vim /etc/openvpn/mullvad/mullvad-up

    #!/bin/sh
    ip route replace 0.0.0.0/1 via $5 table 42
    ip route replace 128.0.0.0/1 via $5 table 42
    exit 0

$ vim /etc/openvpn/mullvad.conf

    client

    dev-type tun
    dev mullvad

    proto udp
    #proto tcp

    remote openvpn.mullvad.net 1194
    #remote openvpn.mullvad.net 443
    #remote openvpn.mullvad.net 53
    #remote se.mullvad.net # Servers in Sweden
    #remote nl.mullvad.net # Servers in the Netherlands

    # Keep trying indefinitely to resolve the
    # host name of the OpenVPN server. Very useful
    # on machines which are not permanently connected
    # to the internet such as laptops.
    resolv-retry infinite

    # Most clients don't need to bind to
    # a specific local port number.
    nobind

    # Try to preserve some state across restarts.
    persist-key
    persist-tun

    # Enable compression on the VPN link.
    comp-lzo

    # Set log file verbosity.
    verb 3

    remote-cert-tls server

    ping-restart 60

    # Allow calling of built-in executables and user-defined scripts.
    script-security 2

    # Do not let OpenVPN install the routes pushed by the server
    # (redirect-gateway); the up script puts the VPN routes into table 42 instead.
    route-noexec
    up /etc/openvpn/mullvad/mullvad-up

    ping 10

    ca /etc/openvpn/mullvad/master.mullvad.net.crt
    cert /etc/openvpn/mullvad/mullvad.crt
    key /etc/openvpn/mullvad/mullvad.key

Adjust iptables (iptables-persistent loads this file at boot). Packets coming in from the mesh bridge are marked 0x1 in the mangle table; that mark is what the policy routing rule in rc.local keys on. Traffic leaving on the VPN interface is masqueraded (NAT44). The filter table accepts everything, i.e. as written the gateway does no packet filtering at all:

$ vim /etc/iptables/rules.v4

    # Generated by iptables-save v1.4.14 on Sun Mar 24 14:14:50 2013
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    COMMIT
    *mangle
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A PREROUTING -i br-ffhh -j MARK --set-xmark 0x1/0xffffffff
    COMMIT
    *nat
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A POSTROUTING -o mullvad -j MASQUERADE
    COMMIT

Edit rc.local: route all packets marked 0x1 according to table 42. The "unreachable default" in table 42 is the important part. The two /1 routes only exist while the tunnel is up; when the tun device goes away its routes go with it, and marked mesh traffic then hits the unreachable route instead of falling through to the main table and leaving unencrypted via the gateway's own uplink. Note that only IPv4 is handled this way: there is no rules.v6 and no "ip -6 rule", so IPv6 mesh traffic leaves through the gateway's normal default route.

$ vim /etc/rc.local

    #!/bin/sh -e
    #
    # rc.local
    #
    # This script is executed at the end of each multiuser runlevel.
    # Make sure that the script will "exit 0" on success or any other
    # value on error.
    #
    # In order to enable or disable this script just change the execution
    # bits.
    #
    # By default this script does nothing.

    /sbin/ip route add unreachable default table 42
    /sbin/ip rule add from all fwmark 0x1 table 42
    exit 0
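The following is an added example and not part of Andre's notes or of the ffhh scripts: a pre-flight check for the peer directory that autoupdate_fastd_keys.sh in part I pulls from git. It is meant to run between the git merge and the kill -HUP, so that a malformed or unexpected file that lands in the shared key repo (a truncated key, a second key statement, or a file that tries to add a remote) is rejected before fastd reloads its peers. The file layout it assumes is the one used on the gateways here, one file per node containing a single key "<64 hex digits>"; statement plus comments; the rule that gateway-side peer files must not contain remote statements is a policy assumption of this example, as are the function names.

```shell
#!/bin/sh
# Added example: validate fastd peer files before reloading fastd.
# Assumptions (not from the notes): a gateway-side peer file holds exactly one
# 'key "<64 hex digits>";' statement plus optional comments and blank lines, and
# never a 'remote' statement (nodes dial in; the gateway must not be pointed
# at a remote by a node's file).

# Validate one peer file. Prints the reason to stderr and returns 1 on failure.
validate_peer_file() {
    pf="$1"
    [ -f "$pf" ] || { echo "$pf: not a regular file" >&2; return 1; }

    # number of lines that look like a key statement vs. number that are valid
    keylines=$(grep -cE '^[[:space:]]*key[[:space:]]' "$pf" || true)
    keys=$(grep -cE '^[[:space:]]*key[[:space:]]+"[0-9a-fA-F]{64}"[[:space:]]*;[[:space:]]*(#.*)?$' "$pf" || true)
    if [ "$keylines" -ne 1 ] || [ "$keys" -ne 1 ]; then
        echo "$pf: expected exactly one 64-hex-digit key statement ($keylines key lines, $keys valid)" >&2
        return 1
    fi

    # a node's peer file must never make the gateway dial out somewhere
    if grep -qE '^[[:space:]]*remote[[:space:]]' "$pf"; then
        echo "$pf: remote statement not allowed in a gateway peer file" >&2
        return 1
    fi

    # anything that is not a comment, a blank line or the key statement is rejected
    if grep -vE '^[[:space:]]*(#|key[[:space:]]|$)' "$pf" | grep -q .; then
        echo "$pf: unexpected statement" >&2
        return 1
    fi
    return 0
}

# Validate every regular file in the peers directory (the .git directory and
# other subdirectories are skipped). Returns 1 if any file is rejected.
validate_peer_dir() {
    dir="$1"
    bad=0
    for entry in "$dir"/*; do
        [ -f "$entry" ] || continue
        if ! validate_peer_file "$entry"; then
            bad=$((bad + 1))
        fi
    done
    if [ "$bad" -ne 0 ]; then
        echo "$bad peer file(s) rejected, fastd NOT reloaded" >&2
        return 1
    fi
    return 0
}

# Drop-in replacement for the bare 'kill -HUP' in the cron script:
# reload only when the whole directory passes.
reload_fastd_if_valid() {
    validate_peer_dir "$1" || return 1
    kill -HUP "$(pidof fastd)"
}
```

In the cron script the reload line becomes reload_fastd_if_valid "$FASTD_PEERS"; fastd keeps running with the previously loaded peers until the repo is fixed, and the rejection reason shows up in the cron mail.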
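A second added example, again not from the notes: a check for the policy-routing kill switch that rc.local and mullvad-up in part II set up. It reads the output of "ip rule" and "ip route show table 42" on stdin, so it can be tested against constructed output without root, and distinguishes three states: VPN up and mesh traffic routed through mullvad; VPN down but mesh traffic blocked by the unreachable default; and a table 42 without the unreachable default, where marked traffic would fall through to the main table and leave via the gateway's own uplink. The route and rule line formats are what iproute2 prints; the table number 42 and the interface name mullvad are taken from the notes; the function names are this example's own.

```shell
#!/bin/sh
# Added example: verify the IPv4 kill switch for marked mesh traffic.
# Table number (42), fwmark (0x1) and VPN interface name (mullvad) are the
# values from the notes; everything else is an assumption of this example.
VPN_IF=mullvad

# Reads 'ip route show table 42' on stdin. Prints one of
#   vpn-up            both /1 routes via the VPN and the unreachable default present
#   vpn-down-blocked  VPN routes missing, marked packets get ICMP unreachable
#   leak-possible     no unreachable default: lookup falls through to the main table
# and returns 1 only for leak-possible.
table42_state() {
    routes=$(cat)
    unreach=0; lo=0; hi=0
    if printf '%s\n' "$routes" | grep -qE '^unreachable default( |$)'; then unreach=1; fi
    if printf '%s\n' "$routes" | grep -qE "^0\.0\.0\.0/1 via [0-9.]+ dev $VPN_IF( |$)"; then lo=1; fi
    if printf '%s\n' "$routes" | grep -qE "^128\.0\.0\.0/1 via [0-9.]+ dev $VPN_IF( |$)"; then hi=1; fi

    if [ "$unreach" -eq 0 ]; then
        # without the catch-all, a missing VPN route means the marked packet is
        # routed by the main table, i.e. out of the gateway's uplink unencrypted
        echo leak-possible
        return 1
    fi
    if [ "$lo" -eq 1 ] && [ "$hi" -eq 1 ]; then
        echo vpn-up
    else
        echo vpn-down-blocked
    fi
    return 0
}

# Reads 'ip rule' on stdin; succeeds if marked packets are sent to table 42.
rule_selects_table42() {
    grep -qE 'fwmark 0x1 lookup 42( |$)'
}

# Live check on the gateway (needs iproute2; not exercised by the test).
check_live() {
    ip rule | rule_selects_table42 || { echo "no 'fwmark 0x1 -> table 42' rule" >&2; return 1; }
    ip route show table 42 | table42_state
}
```

Running check_live from cron or a monitoring agent turns the silent failure mode (VPN down, mesh traffic leaving through the uplink with the gateway's address) into an alert; a result of vpn-down-blocked is the expected state during a Mullvad outage, leak-possible means rc.local did not run.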