Alex/ff/logbuch: Difference between revisions
Revision as of 1 December 2014, 00:09
Logbook 20141130
root@vm04:~# cat /etc/debian_version
7.7
stolen from freifunk-muenster.de
deb http://repo.universe-factory.net/debian/ sid main
deb http://download.opensuse.org/repositories/home:/fusselkater:/ffms/Debian_7.0/ /
deb http://http.debian.net/debian wheezy-backports main
gpg --keyserver pgpkeys.mit.edu --recv-key 16EF3F64CB201D9C
gpg -a --export 16EF3F64CB201D9C | apt-key add -
wget http://download.opensuse.org/repositories/home:fusselkater:ffms/Debian_7.0/Release.key
apt-key add - < Release.key
aptitude update
aptitude install sudo bridge-utils batctl=2013.4.0-1 openvpn haveged fastd radvd isc-dhcp-server bind9 git alfred alfred-json batman-adv-dkms nagios-nrpe-server ntp
Enable IP forwarding
/etc/sysctl.d/forwarding.conf <highlightSyntax language="txt">
# IPv4 forwarding
net.ipv4.ip_forward=1
# IPv6 forwarding
net.ipv6.conf.all.forwarding = 1 </highlightSyntax>
First we need a network bridge as the interface between the mesh network and the MULLVAD VPN.
To do this, add the following to the configuration file /etc/network/interfaces: /etc/network/interfaces <highlightSyntax language="txt">
# Network bridge for Freifunk
## This is where the traffic from the individual routers and the external VPN
## comes together
## The server itself is reachable in the Freifunk network at the IP configured
## here
## bridge_ports none makes sure the bridge is created even without an interface
auto br0
iface br0 inet static
    # the 1 is for my gateway
    address 10.109.0.1
    netmask 255.255.0.0
    bridge_ports none
iface br0 inet6 static
    # the 1 is for my gateway
    address fde6:36fc:c985::1
    netmask 48
</highlightSyntax>
Next, the bat0 interface has to be configured. For this, edit
/etc/network/interfaces again:
<highlightSyntax language="txt">
# Batman interface
## Creates the virtual interface for the batman module and attaches it to the network bridge
## The routing table created below is used later for routing within Freifunk (routers/VPN)
allow-hotplug bat0
iface bat0 inet6 manual
    pre-up modprobe batman-adv
    post-up ip link set dev bat0 up
    post-up brctl addif br0 bat0
    post-up batctl it 10000
    post-up ip rule add from all fwmark 0x1 table 42
    post-up start-stop-daemon -b --start --exec /usr/sbin/alfred -- -i br0 -b bat0 -m;
    post-up start-stop-daemon -b --start --exec /usr/sbin/batadv-vis -- -i bat0 -s;
</highlightSyntax>
iptables rules
/etc/iptables.up.rules <highlightSyntax language="txt">
# to what extent is this necessary?
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Rules for marking incoming packets
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i br0 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -o eth0 -p udp --dport 53 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -o eth0 -p tcp --dport 53 -j MARK --set-xmark 0x1/0xffffffff
COMMIT </highlightSyntax>
/etc/iptables.up.rules <highlightSyntax language="txt">
# Route to the VPN via NAT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT </highlightSyntax>
Finally, you have to make sure the iptables rules are actually loaded. For this, create the file
/etc/network/if-pre-up.d/iptables <highlightSyntax language="bash">
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules </highlightSyntax>
chmod +x /etc/network/if-pre-up.d/iptables
iptables-restore < /etc/iptables.up.rules
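The marks set in the mangle table only do anything because of the `ip rule add from all fwmark 0x1 table 42` line in the bat0 stanza; if the two drift apart, marked traffic quietly leaves via eth0 instead of the VPN. The following Python script is an added example, not part of the logbook: it parses the iptables-restore format used above, raises ValueError where iptables-restore itself would abort the load, and reports marks that no ip rule consumes. The sample rules and the ip rule line are constructed from this page's configuration.

```python
import re

# Constructed sample: the mangle and nat tables as written in /etc/iptables.up.rules
RULES = """\
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i br0 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -o eth0 -p udp --dport 53 -j MARK --set-xmark 0x1/0xffffffff
COMMIT
*nat
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
"""
# Constructed sample: the policy-routing post-up line from the bat0 stanza
IP_RULES = ["ip rule add from all fwmark 0x1 table 42"]

def parse_restore(text):
    """iptables-restore format -> {table: [rules]}; ValueError where iptables-restore would abort."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):            # table header such as *mangle
            if current is not None:
                raise ValueError("table %s not committed" % current)
            current = line[1:].split()[0]
            tables[current] = []
        elif current is None:
            raise ValueError("line outside a table: " + line)
        elif line == "COMMIT":
            current = None
        elif not line.startswith(":"):      # ":CHAIN POLICY [p:b]" lines are policies, not rules
            tables[current].append(line)
    if current is not None:
        raise ValueError("table %s not committed" % current)
    return tables

def marks_set(tables):
    """fwmark values assigned by MARK --set-xmark rules in the mangle table."""
    hits = re.findall(r"-j MARK --set-xmark (0x[0-9a-fA-F]+)/", "\n".join(tables.get("mangle", [])))
    return {int(v, 16) for v in hits}

def unrouted_marks(rules_text, ip_rule_lines):
    """Marks that mangle sets but no 'ip rule ... fwmark X table T' consumes: that traffic
    stays on the main routing table and leaves via eth0, not the VPN. Empty set == consistent."""
    routed = re.findall(r"fwmark (0x[0-9a-fA-F]+|\d+) table \S+", "\n".join(ip_rule_lines))
    return marks_set(parse_restore(rules_text)) - {int(v, 0) for v in routed}
```

Run `unrouted_marks(RULES, IP_RULES)` against the real files before enabling the if-pre-up.d hook; anything but an empty set means marked traffic is not being diverted.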
--Setting up the MULLVAD VPN--
xxxxxx
--Setting up the mesh VPN--
mkdir -p /etc/fastd/vpn/peers
fastd --generate-key
This command only displays the keys. That means you have to copy them from the terminal to be able to use them in the next step.
/etc/fastd/vpn/fastd.conf <highlightSyntax language="txt">
# Bind to a fixed address and port, IPv4 and IPv6
bind EXTERNE-IPv4-ADRESSE:14242 interface "eth0"; ## Adjust
bind [EXTERNE-IPv6-ADRESSE]:14242 interface "eth0"; ## Adjust
# Set the user fastd will work as
user "nobody";
# Set the interface name
interface "mesh-vpn";
# Set the mode the interface will work in
mode tap;
# Set the MTU of the interface (salsa2012 with IPv6 will need 1406)
mtu 1406;
# Set the methods (aes128-gcm preferred, salsa2012+umac preferred for nodes)
method "aes128-gcm";
method "salsa2012+umac";
method "salsa2012+gmac";
# Secret key generated by `fastd --generate-key`
secret "SERVER-SECRET-KEY"; ## Adjust
# Log everything to syslog
log to syslog level debug;
# Include peers from our git repos
include peers from "/var/gateway-ffgoe/nodes/";
include peers from "/var/gateway-ffgoe/backbone/";
# Configure a shell command that is run on connection attempts by unknown peers (true means all attempts are accepted)
# on verify "true";
# Configure a shell command that is run when fastd comes up
on up "
ip link set dev $INTERFACE address de:ad:be:ef:43:XX ## Adjust
ip link set dev $INTERFACE up
ifup bat0
batctl if add $INTERFACE
batctl gw server 1024Mbit/1024Mbit ## DOWNSTREAM/UPSTREAM
batctl vm server
"; </highlightSyntax>