Dn42

From Hackerspace Brussels

Joining HSB to dn42

Connecting

Reserved AS: AS64634
Reserved range: 172.22.33.0/24
Machine: 'appelblauwzeegroen' (FreeBSD 8.0)

Connect from within HSB

  • Ad-hoc setup for now: pick a free address from the list and document it here:
- 172.22.33.101 -> tazo
- 172.22.33.102 -> sandb
- 172.22.33.103 -> prototype
- 172.22.33.104 -> ptr_here
- 172.22.33.105 -> free
- 172.22.33.106 -> free
- 172.22.33.107 -> free
- 172.22.33.108 -> free
- 172.22.33.109 -> free
- 172.22.33.110 -> free
  • Configure an alias IP on your active interface, add a route for the whole dn42 range (172.22.0.0/15) via the HSB dn42 gateway, and point your DNS at the dn42 resolver:
# ifconfig eth0:1 172.22.33.<yourip> netmask 255.255.255.0
# route add -net 172.22.0.0 netmask 255.254.0.0 gw 172.22.33.5
# vi /etc/resolv.conf
nameserver 172.22.0.53

OpenVPN config (FreeBSD)

Example of the steps to add a peer, here for peering with "dn42mtveurope".

  • Install OpenVPN:
[root@ ~]# pkg_add -r openvpn
  • Add a config file and a key per peer. The names must follow the pattern openvpn_$PEERNAME.conf / openvpn_$PEERNAME.key, otherwise the rc.d scripts below will not find them:
[root@ ~]# ls -l /usr/local/etc/openvpn/
-rw-r-----  1 root  wheel  1276 May 24 15:44 openvpn_dn420x20.conf
-r--------  1 root  wheel   636 May 24 15:43 openvpn_dn420x20.key
-rw-r-----  1 root  wheel  1284 May 24 15:42 openvpn_dn42mtveurope.conf
-r--------  1 root  wheel   636 May 24 15:39 openvpn_dn42mtveurope.key
  • Create the static key and share it with your peer out of band (encrypted mail, in person, never in cleartext): whoever holds this file can bring up the tunnel as your peer:
[root@ /usr/local/etc/openvpn]# openvpn --genkey --secret openvpn_dn42mtveurope.key
  • Edit the config file:
[root@ ~]# cat /usr/local/etc/openvpn/openvpn_dn42mtveurope.conf
mode p2p                                       # point-to-point mode: one peer per tunnel
remote gnewsense.mtveurope.org                 # peer address: a (Dyn)DNS name if the peer has no static IP
lport 50001                                    # local UDP port
rport 22200                                    # remote UDP port
proto udp                                      # ...via UDP
#dev-type tun
dev tun1                                       # interface name; use a distinct tunN per peer
#tun-ipv6                                      # uncomment if the tunnel should also carry IPv6
comp-lzo                                       # compression; on current OpenVPN leave it out (compressing before encrypting leaks plaintext information)
#cd /usr/local/etc/openvpn                     # uncomment when starting by hand so the relative key path below resolves
secret openvpn_dn42mtveurope.key               # the shared static key (mode 400, owned by root)
user quagga                                    # drop root privileges after start-up: run as user...
group quagga                                   # ...and group quagga
persist-key                                    # keep the key in memory across restarts (after dropping privileges the 400 key file is no longer readable)
persist-tun                                    # keep the tun device open across restarts
status /var/log/openvpn-mtveurope-status.log   # connection status, rewritten periodically
log-append /var/log/openvpn-mtveurope.log      # append log output here
verb 2                                         # log verbosity; raise to 4-6 while debugging
ifconfig 172.22.33.1 172.22.168.1              # addressing: 'ifconfig localip remoteip' (the two tunnel endpoints)
  • Set the right permissions. The key is readable by root only; openvpn reads it once before switching to the quagga user, which is why persist-key is set above:
[root@ ~]# chmod 640 /usr/local/etc/openvpn/*.conf
[root@ ~]# chmod 400 /usr/local/etc/openvpn/*.key
[root@ ~]# ls -l /usr/local/etc/openvpn/
-rw-r-----  1 root  wheel  1284 May 24 15:42 openvpn_dn42mtveurope.conf
-r--------  1 root  wheel   636 May 24 15:39 openvpn_dn42mtveurope.key
  • Create the init-script:
[root@ ~]# cd /usr/local/etc/rc.d/
[root@ /usr/local/etc/rc.d]# ln -s openvpn openvpn_dn42mtveurope
[root@ /usr/local/etc/rc.d]# ls -l
-r-xr-xr-x  1 root  wheel  3977 Feb  7 12:02 openvpn
lrwxr-xr-x  1 root  wheel     7 May 24 02:06 openvpn_dn42mtveurope -> openvpn
  • Enable at boot time:
[root@ ~]# vi /etc/rc.conf
openvpn_dn42mtveurope_enable="YES"
  • Start the vpn tunnel:
[root@ ~]# /usr/local/etc/rc.d/openvpn_dn42mtveurope start
Starting openvpn_dn42mtveurope.
  • Look at the status and test connectivity:
[root@ ~]# ifconfig
tun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet 172.22.33.1 --> 172.22.168.1 netmask 0xffffffff 
        Opened by PID 4048
[root@ ~]# ping 172.22.168.1
PING 172.22.168.1 (172.22.168.1): 56 data bytes
64 bytes from 172.22.168.1: icmp_seq=0 ttl=64 time=54.649 ms
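The whole procedure above, scripted, as an added example (this is not the wiki's own tooling): a POSIX sh helper that writes openvpn_$PEERNAME.conf in the naming scheme the rc.d scripts expect, generates the static key when openvpn is installed, applies the 640/400 modes, creates the rc.d profile symlink and the rc.conf enable line, and refuses tunnel endpoints outside 172.22.0.0/15 or invalid ports. Assumptions beyond the page: the FreeBSD paths in the first three variables (overridable through the environment, e.g. for testing), an existing quagga user, and an absolute path to the key so the same config also works when openvpn is started by hand.

```shell
#!/bin/sh
# add_dn42_peer.sh: provision one dn42 OpenVPN peer the way the wiki does it by
# hand: openvpn_$PEER.conf + openvpn_$PEER.key in the rc.d naming scheme, modes
# 640/400, rc.d profile symlink and rc.conf enable line.
# Added example, not the wiki's own script. Assumed: the FreeBSD paths below
# (override via the environment, e.g. for testing) and an existing quagga user.

OPENVPN_ETC="${OPENVPN_ETC:-/usr/local/etc/openvpn}"
RC_D="${RC_D:-/usr/local/etc/rc.d}"
RC_CONF="${RC_CONF:-/etc/rc.conf}"

# True if $1 is a dotted quad inside 172.22.0.0/15, the dn42 address space.
in_dn42() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    [ "$1" -eq 172 ] && { [ "$2" -eq 22 ] || [ "$2" -eq 23 ]; }
}

# True if $1 is a port number 1-65535.
is_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the p2p config for one peer. The key path is absolute so the same file
# works from the rc.d script and when openvpn is started by hand. comp-lzo is
# left out on purpose: compressing before encrypting leaks plaintext information.
# usage: render_peer_conf NAME REMOTE_HOST LPORT RPORT TUNDEV LOCAL_IP REMOTE_IP
render_peer_conf() {
    name=$1 remote=$2 lport=$3 rport=$4 dev=$5 lip=$6 rip=$7
    if ! is_port "$lport" || ! is_port "$rport"; then
        echo "render_peer_conf: bad port ($lport/$rport)" >&2; return 1
    fi
    if ! in_dn42 "$lip" || ! in_dn42 "$rip"; then
        echo "render_peer_conf: endpoints must be in 172.22.0.0/15 ($lip, $rip)" >&2; return 1
    fi
    cat <<EOF
mode p2p
remote $remote
lport $lport
rport $rport
proto udp
dev $dev
secret $OPENVPN_ETC/openvpn_$name.key
user quagga
group quagga
persist-key
persist-tun
status /var/log/openvpn-$name-status.log
log-append /var/log/openvpn-$name.log
verb 2
ifconfig $lip $rip
EOF
}

# Write conf + key with the page's modes, the rc.d symlink and the rc.conf line.
# Re-running is safe: an existing key is kept and the rc.conf line is not duplicated.
# usage: add_peer NAME REMOTE_HOST LPORT RPORT TUNDEV LOCAL_IP REMOTE_IP
add_peer() {
    peer=$1
    conf="$OPENVPN_ETC/openvpn_$peer.conf"
    key="$OPENVPN_ETC/openvpn_$peer.key"
    mkdir -p "$OPENVPN_ETC" "$RC_D" || return 1
    render_peer_conf "$@" > "$conf.tmp" || { rm -f "$conf.tmp"; return 1; }
    mv "$conf.tmp" "$conf" && chmod 640 "$conf" || return 1
    if [ ! -f "$key" ]; then
        if command -v openvpn >/dev/null 2>&1; then
            openvpn --genkey --secret "$key" && chmod 400 "$key" || return 1
            echo "new key $key: hand it to the peer over an encrypted, authenticated channel only" >&2
        else
            echo "openvpn not installed; later: openvpn --genkey --secret $key && chmod 400 $key" >&2
        fi
    fi
    ln -sf openvpn "$RC_D/openvpn_$peer" || return 1
    grep -q "^openvpn_${peer}_enable=" "$RC_CONF" 2>/dev/null \
        || echo "openvpn_${peer}_enable=\"YES\"" >> "$RC_CONF"
}

# Example (as root, values from the wiki page):
#   add_peer dn42mtveurope gnewsense.mtveurope.org 50001 22200 tun1 172.22.33.1 172.22.168.1
#   /usr/local/etc/rc.d/openvpn_dn42mtveurope start
```

Source the file as root and call add_peer with the peer's name, host, ports, tun device and the two tunnel addresses; then start the profile with the rc.d script as shown above. The key still has to be handed to the peer over a secure channel; the script only reminds you of that.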

Quagga config (bgp) (FreeBSD)

  • Install quagga:
[root@ ~]# pkg_add -r quagga
  • Config files (owned by the quagga user and not world-readable, since they usually contain the vty password):
[root@ ~]# ls -l /usr/local/etc/quagga/
-rw-------  1 quagga  quagga  514 May 24 00:13 bgpd.conf
-rw-------  1 quagga  quagga  110 May 16 21:04 zebra.conf
  • Enable at boot time. "-A localhost" binds the vty (the telnet management interface on ports 2601/2605) to localhost only, so it is not reachable from dn42:
[root@ ~]# vi /etc/rc.conf
quagga_enable="YES"
quagga_flags="-d -A localhost"
quagga_daemons="zebra bgpd"
  • Start quagga:
[root@ ~]# /usr/local/etc/rc.d/quagga start
Starting zebra.
Starting bgpd.
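What zebra.conf and bgpd.conf could contain for this setup, as an added example: the page lists the files but not their contents, so this is not the HSB configuration. The AS number (64634), the HSB prefix (172.22.33.0/24), the tunnel endpoints (172.22.33.1 and 172.22.168.1) and the peer name come from the page; the peer's AS number (64512 here) and the vty password are placeholders to replace. The prefix lists are the security-relevant part: accept only dn42 space from the peer, never our own /24 or a default route, and announce only our own /24.

```text
! Added example, not the page's files. Placeholders: 64512 (the peer's real
! dn42 AS number) and CHANGE_ME (vty password). Quagga comments start with "!".
!
! ---- /usr/local/etc/quagga/zebra.conf ----
hostname appelblauwzeegroen
password CHANGE_ME
log syslog
! 172.22.33.0/24 must be present in the kernel routing table (LAN interface
! alias or static route) for bgpd's network statement below to be announced.
!
! ---- /usr/local/etc/quagga/bgpd.conf ----
hostname appelblauwzeegroen
password CHANGE_ME
log syslog
!
router bgp 64634
 bgp router-id 172.22.33.1
 ! announce the HSB /24
 network 172.22.33.0/24
 ! 64512 is a placeholder for the peer's dn42 AS number
 neighbor 172.22.168.1 remote-as 64512
 neighbor 172.22.168.1 description dn42mtveurope over tun1
 neighbor 172.22.168.1 soft-reconfiguration inbound
 neighbor 172.22.168.1 prefix-list from-dn42 in
 neighbor 172.22.168.1 prefix-list to-dn42 out
!
! Inbound: only dn42 space, nothing longer than /24, never our own /24 (a peer
! could otherwise blackhole us) and never a default route.
ip prefix-list from-dn42 seq 5 deny 172.22.33.0/24 le 32
ip prefix-list from-dn42 seq 10 permit 172.22.0.0/15 le 24
ip prefix-list from-dn42 seq 20 deny any
!
! Outbound: announce our /24 and nothing else (no LAN or transit leaks).
ip prefix-list to-dn42 seq 5 permit 172.22.33.0/24
ip prefix-list to-dn42 seq 10 deny any
!
line vty
```

After "quagga start", "vtysh -c 'show ip bgp summary'" (or telnet to localhost 2605) should show the neighbour in Established state and "show ip bgp" the routes that passed the from-dn42 filter.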

Firewall (NAT)

The goal is to give nodes in the LAN (192.168.42.0/24) access to dn42 via NAT on the tunnel interface.

[root@ ~]# vi /etc/pf.conf
nat on tun1 from 192.168.42.0/24 to any -> tun1
# Needs a better solution: this NATs onto one peer's tunnel, so all LAN traffic to dn42 goes via a single peer.
  • Enable pf and IP forwarding in /etc/rc.conf:
pf_enable="YES"
pflog_enable="YES"
gateway_enable="YES"
  • Start pf:
[root@ ~]# /etc/rc.d/pf start
  • On the LAN's default gateway, add a route that sends the dn42 range (172.22.0.0/15) to this box (192.168.42.11); its routing table (Linux, "route -n") then shows:
172.22.0.0      192.168.42.11   255.254.0.0     UG    1      0        0 br0

Restrict access

Bind management services only to the LAN and management interfaces so they are not reachable from dn42. Anything listening on 0.0.0.0 (shown as *:port below) is also bound to the tunnel address 172.22.33.1 and therefore exposed to the whole dn42 network.

  • Check your services; every one listening on *:port must be changed:
[root@ ~]# pkg_add -r lsof
[root@ ~]# lsof -i
sshd     1236   root    3u  IPv4 0xc3613000      0t0    TCP *:ssh (LISTEN)
zebra    4862 quagga    8u  IPv6 0xc3614768      0t0    TCP *:zebra (LISTEN)
(If you followed this guide, quagga was started with -A localhost and zebra is already listening on localhost only, as in the wanted result below.)
  • SSH:
[root@ ~]# vi /etc/ssh/sshd_config
ListenAddress 172.16.1.11
ListenAddress 192.168.42.11
  • Quagga (already done if you followed this guide):
[root@ ~]# vi /etc/rc.conf
quagga_flags="-d -A localhost"
  • Wanted result:
[root@ ~]# lsof -i
sshd     1236   root    3u  IPv4 0xc3613000      0t0    TCP 192.168.42.11:ssh (LISTEN)
sshd     1236   root    4u  IPv4 0xc365a4f0      0t0    TCP 172.16.1.11:ssh (LISTEN)
zebra    4862 quagga    9u  IPv4 0xc376a768      0t0    TCP localhost:zebra (LISTEN)
  • Restrict access via the firewall (work in progress):
[root@ ~]# vi /etc/pf.conf
ext_if="fxp0"
man_if="xl0"
dn42_net="172.22.0.0/15"
set skip on lo
nat on tun1 from 192.168.42.0/24 to any -> tun1
block in log
pass out
pass in on $ext_if all
pass in on $man_if all
pass in inet proto icmp all
pass in from $dn42_net to $dn42_net
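A tightened version of the ruleset above, as an added example rather than the wiki's work-in-progress rules. It keeps the page's interfaces and addresses (fxp0, xl0, tun1, 192.168.42.0/24, 172.22.0.0/15) and assumes, beyond what the page states, that the LAN lives on fxp0, that udp/50001 is the local OpenVPN port of the one tunnel, and that 172.22.168.1 is the only BGP neighbour. The differences: inbound on the external and management interfaces is limited to ssh, the OpenVPN transport port and LAN-to-dn42 forwarding instead of "pass in ... all"; the tunnel accepts BGP only from the configured neighbour; packets with non-dn42 source addresses arriving over the tunnel are dropped as spoofed; and ssh and the quagga vty ports on the tunnel address are blocked no matter what a daemon happens to bind to.

```text
# /etc/pf.conf, tightened. Added example, not the wiki's ruleset.
# Assumed beyond the page: fxp0 carries the 192.168.42.0/24 LAN, tun1 is the
# only dn42 tunnel, its OpenVPN transport is udp/50001, 172.22.168.1 is the
# only BGP neighbour.
ext_if    = "fxp0"
man_if    = "xl0"
dn42_if   = "tun1"
lan_net   = "192.168.42.0/24"
hsb_net   = "172.22.33.0/24"
dn42_net  = "172.22.0.0/15"
bgp_peer  = "172.22.168.1"
ovpn_port = "50001"

set skip on lo
set block-policy drop
scrub in all

# LAN hosts reach dn42 through this box; only dn42-bound traffic is NATed.
nat on $dn42_if from $lan_net to $dn42_net -> ($dn42_if)

# Default: drop and log everything inbound, allow everything outbound (stateful).
block in log all
pass out all keep state

# Anything arriving over the tunnel with a non-dn42 source is spoofed or leaked.
block in log quick on $dn42_if from ! $dn42_net to any

# Management and LAN sides: ssh to the box, the OpenVPN transport, LAN -> dn42.
pass in on $man_if inet proto tcp from any to ($man_if) port 22 keep state
pass in on $ext_if inet proto tcp from $lan_net to ($ext_if) port 22 keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port $ovpn_port keep state
pass in on $ext_if from $lan_net to $dn42_net keep state

# dn42 side: ssh and the quagga vtys (2601 zebra, 2605 bgpd) are never
# reachable on the tunnel address, even if a daemon later binds to 0.0.0.0 ...
block return in log quick on $dn42_if inet proto tcp from any to ($dn42_if) port { 22, 2601, 2605 }
# ... BGP only from the configured neighbour, ICMP for diagnostics, and
# everything else from dn42 only towards the HSB /24.
pass in on $dn42_if inet proto tcp from $bgp_peer to ($dn42_if) port 179 keep state
pass in on $dn42_if inet proto icmp from $dn42_net to any keep state
pass in on $dn42_if from $dn42_net to $hsb_net keep state
```

Check the syntax with "pfctl -nf /etc/pf.conf" before loading, and watch "tcpdump -n -e -ttt -i pflog0" for what the default block catches; the hsb_net rule is the one to narrow further once you know which LAN services should actually be reachable from dn42.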

Random thoughts

  • join the network, learn how it is working
  • do a workshop for people in the region who want to join dn42; maybe invite someone from dn42.org. The goal is that in the end all participants are connected to dn42.
  • implement Pamela for dn42 visualization. That would be great!
  • Create test network between HSB -> Tazo -> Askarel to learn bgp.

<Askarel> I have a spare server at OVH until end of the year we could use for that.

Contact: tazo