Dn42
From Hackerspace Brussels
Joining HSB to dn42
- dn42
- Autonomous System (AS)
- http://www.quagga.net/docs/quagga.html
- http://packetlife.net/media/library/1/BGP.pdf
Connecting
Reserved AS: AS64634
Reserved range: 172.22.33.0/24
Machine: 'appelblauwzeegroen', FreeBSD 8.0
Connect from within HSB
- Ad-hoc setup for now: pick an address and document it here:
  - 172.22.33.101 -> tazo
  - 172.22.33.102 -> sandb
  - 172.22.33.103 -> prototype
  - 172.22.33.104 -> ptr_here
  - 172.22.33.105 -> free
  - 172.22.33.106 -> free
  - 172.22.33.107 -> free
  - 172.22.33.108 -> free
  - 172.22.33.109 -> free
  - 172.22.33.110 -> free
- Configure an alias IP on your active interface, add a route for the dn42 range and set your DNS server:
# ifconfig eth0:1 172.22.33.<yourip>/24
# route add -net 172.22.0.0 netmask 255.254.0.0 gw 172.22.33.5
# vi /etc/resolv.conf
nameserver 172.22.0.53
- A good start is http://wiki.dn42
OpenVPN config (FreeBSD)
Example of the steps to add a peer; here, peering with "dn42mtveurope".
- Install OpenVPN:
[root@ ~]# pkg_add -r openvpn
- Add a conf file + key per peer. The names must follow this format for the init scripts to work: openvpn_$PEERNAME.conf
[root@ ~]# ls -l /usr/local/etc/openvpn/
-rw-r----- 1 root wheel 1276 May 24 15:44 openvpn_dn420x20.conf
-r-------- 1 root wheel  636 May 24 15:43 openvpn_dn420x20.key
-rw-r----- 1 root wheel 1284 May 24 15:42 openvpn_dn42mtveurope.conf
-r-------- 1 root wheel  636 May 24 15:39 openvpn_dn42mtveurope.key
- Create the key file and share with your peer:
[root@ /usr/local/etc/openvpn]# openvpn --genkey --secret openvpn_dn42mtveurope.key
- Edit the config file:
[root@ ~]# cat /usr/local/etc/openvpn/openvpn_dn42mtveurope.conf
mode p2p                                    # peer-to-peer mode
remote gnewsense.mtveurope.org              # peer address, (Dyn)DNS if it's not a static IP
lport 50001                                 # local port
rport 22200                                 # remote port
proto udp                                   # ...via UDP
#dev-type tun
dev tun1                                    # interface name, needs to be individual on Linux; else: tun
#tun-ipv6                                   # we want to use IPv6
comp-lzo                                    # compression
#cd /usr/local/etc/openvpn                  # here lies the key
secret openvpn_dn42mtveurope.key            # the filename of the key
user quagga                                 # username under which openvpn runs
group quagga                                # ...group
persist-key                                 # on interruption, please keep the key
persist-tun                                 # on interruption, please keep the interface name
status /var/log/openvpn-mtveurope-status.log
log-append /var/log/openvpn-mtveurope.log
verb 2                                      # verbose!
ifconfig 172.22.33.1 172.22.168.1           # addressing: 'ifconfig localip remoteip'
- Set the right permissions:
[root@ ~]# chmod 640 /usr/local/etc/openvpn/*.conf
[root@ ~]# chmod 400 /usr/local/etc/openvpn/*.key
[root@ /usr/local/etc/openvpn/dn42mtveurope]# ls -l
-r-------- 1 root wheel  636 May 18 14:55 dn42-mtveurope-HSB.key
-rw-r----- 1 root wheel 1284 May 24 02:18 dn42mtveurope.conf
- Create the init script (a symlink to the generic openvpn rc script):
[root@ ~]# cd /usr/local/etc/rc.d/
[root@ /usr/local/etc/rc.d]# ln -s openvpn openvpn_dn42mtveurope
[root@ /usr/local/etc/rc.d]# ls -l
-r-xr-xr-x 1 root wheel 3977 Feb  7 12:02 openvpn
lrwxr-xr-x 1 root wheel    7 May 24 02:06 openvpn_dn42mtveurope -> openvpn
- Enable at boot time:
[root@ ~]# vi /etc/rc.conf
openvpn_dn42mtveurope_enable="YES"
- Start the VPN tunnel:
[root@ ~]# /usr/local/etc/rc.d/openvpn_dn42mtveurope start
Starting openvpn_dn42mtveurope.
- Look at the status and test connectivity:
[root@ ~]# ifconfig
tun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
inet 172.22.33.1 --> 172.22.168.1 netmask 0xffffffff
Opened by PID 4048
[root@ ~]# ping 172.22.168.1
PING 172.22.168.1 (172.22.168.1): 56 data bytes
64 bytes from 172.22.168.1: icmp_seq=0 ttl=64 time=54.649 ms
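The permission step above matters more than it looks: the static key is the only thing that authenticates the peer, so a key readable by other users on the box is as good as a key handed out. The following script is an added example, not part of the HSB wiki, that checks every *.key and *.conf under a directory against the modes set above (400 and 640). It parses `ls -l` instead of `stat` so the same function runs on FreeBSD and Linux; the directory path is the one from this page and is the only assumption.

```shell
#!/bin/sh
# Added example (not from the HSB wiki): verify that the OpenVPN files under a
# directory carry the permissions the steps above set, i.e. every *.key is
# 400 (-r--------) and every *.conf is 640 (-rw-r-----).
# Works on FreeBSD and Linux because it parses `ls -l` rather than `stat`.

# Print one line per offending file: KIND NAME MODE. Empty output means all good.
check_openvpn_perms() {
    # $1: directory holding the openvpn_$PEERNAME.conf / .key files
    ls -l "$1" | awk '
        # substr(...,1,10) drops the "+" or "." that ls appends for ACLs / SELinux
        $NF ~ /\.key$/  && substr($1, 1, 10) != "-r--------" { print "KEY",  $NF, substr($1, 1, 10) }
        $NF ~ /\.conf$/ && substr($1, 1, 10) != "-rw-r-----" { print "CONF", $NF, substr($1, 1, 10) }'
}

# Exit status 0 if the directory is clean, 1 otherwise (handy from cron).
openvpn_perms_ok() {
    [ -z "$(check_openvpn_perms "$1")" ]
}

# Usage on the machine from this page:
#   check_openvpn_perms /usr/local/etc/openvpn
```

Run it after every `chmod` round and after adding a new peer; a non-empty result names the file and the mode it actually has.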
Quagga config (BGP) (FreeBSD)
- Install quagga:
[root@ ~]# pkg_add -r quagga
- Config files:
[root@ ~]# ls -l /usr/local/etc/quagga/
-rw------- 1 quagga quagga 514 May 24 00:13 bgpd.conf
-rw------- 1 quagga quagga 110 May 16 21:04 zebra.conf
- See http://www.dn42.net/trac/wiki/HowToPeer for bgp configuration
- Enable quagga:
quagga_enable="YES"
quagga_flags="-d -A localhost"
quagga_daemons="zebra bgpd"
- Start quagga:
[root@ ~]# /usr/local/etc/rc.d/quagga start
Starting zebra.
Starting bgpd.
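The HowToPeer page linked above has the full BGP configuration; as an added example (not the page's own bgpd.conf and not taken from dn42.net), here is a minimal Quagga bgpd.conf built only from values already on this page: our AS 64634, our range 172.22.33.0/24 and the tunnel endpoints 172.22.33.1 / 172.22.168.1. The peer's AS number is not on the page and is left as the placeholder PEER_AS. The two prefix lists are the part worth copying: without them a mistyped or malicious announcement from a peer would be accepted into our table, and a leaked LAN prefix would be announced to dn42.

```text
! Added example bgpd.conf, not the HSB machine's own config.
! PEER_AS is a placeholder: replace it with the neighbour's AS number.
router bgp 64634
 bgp router-id 172.22.33.1
 network 172.22.33.0/24
 neighbor 172.22.168.1 remote-as PEER_AS
 neighbor 172.22.168.1 description dn42mtveurope
 neighbor 172.22.168.1 prefix-list dn42-in in
 neighbor 172.22.168.1 prefix-list dn42-out out
!
! Accept only dn42 space (172.22.0.0/15, no longer than /24) from the peer,
! and announce nothing but our own /24. Anything not matched is denied.
ip prefix-list dn42-in seq 10 permit 172.22.0.0/15 le 24
ip prefix-list dn42-out seq 10 permit 172.22.33.0/24
```

Check the result with `show ip bgp neighbors 172.22.168.1 received-routes` and `advertised-routes` in vtysh once the session is up.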
Firewall (NAT)
The goal is to provide nodes in the LAN access to DN42 via NAT.
- Enable NAT via pf (http://www.freebsd.org/doc/en/books/handbook/firewalls-pf.html) and set the rule:
[root@ ~]# vi /etc/pf.conf
nat on tun1 from 192.168.42.0/24 to any -> tun1
Note: this needs a better solution, because right now all LAN traffic leaves via a single peer (tun1).
- Enable pf:
pf_enable="YES"
pflog_enable="YES"
gateway_enable="YES"
- Start pf:
[root@ ~]# /etc/rc.d/pf start
- On the LAN gateway, add a route for the dn42 range (172.22.0.0/15) via this machine (192.168.42.11):
Destination  Gateway        Genmask      Flags Metric Ref Use Iface
172.22.0.0   192.168.42.11  255.254.0.0  UG    1      0   0   br0
Restrict access
Bind management services only to the LAN and management interfaces, so they are not reachable from dn42.
- Check your services; any service listening on *:port (all addresses) must be changed:
[root@ ~]# pkg_add -r lsof
[root@ ~]# lsof -i
sshd  1236   root 3u IPv4 0xc3613000 0t0 TCP *:ssh (LISTEN)
zebra 4862 quagga 8u IPv6 0xc3614768 0t0 TCP *:zebra (LISTEN)
If you followed this guide, zebra is already only listening on localhost.
- SSH:
[root@ ~]# vi /etc/ssh/sshd_config
ListenAddress 172.16.1.11
ListenAddress 192.168.42.11
- Quagga (already done if you followed this guide):
[root@ ~]# vi /etc/rc.conf
quagga_flags="-d -A localhost"
- Wanted result:
[root@ ~]# lsof -i
sshd  1236   root 3u IPv4 0xc3613000 0t0 TCP 192.168.42.11:ssh (LISTEN)
sshd  1236   root 4u IPv4 0xc365a4f0 0t0 TCP 172.16.1.11:ssh (LISTEN)
zebra 4862 quagga 9u IPv4 0xc376a768 0t0 TCP localhost:zebra (LISTEN)
- Restrict access via firewall (THIS IS WORK IN PROCESS)
[root@ ~]# vi /etc/pf.conf
ext_if="fxp0"
man_if="xl0"
dn42_net="172.22.0.0/15"

set skip on lo
nat on tun1 from 192.168.42.0/24 to any -> tun1
block in log
pass out
pass in on $ext_if all
pass in on $man_if all
pass in inet proto icmp all
pass in from $dn42_net to $dn42_net
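The "wanted result" above is checked by eye; the script below is an added example, not from the HSB wiki, that does the same check mechanically over `lsof -i` output and reports every socket still bound to the wildcard address, TCP listeners and UDP sockets alike. The sample output embedded in it is constructed for this example, modelled on the lines shown above; the only assumption is that `lsof` is installed as in the step above.

```shell
#!/bin/sh
# Added example (not from the HSB wiki): spot services that still listen on
# every address ("*:port") in `lsof -i` output, so they would also answer on
# the dn42 tunnel. Only sockets bound to the LAN/management addresses or to
# localhost should remain. SAMPLE_LSOF is constructed for this example.

SAMPLE_LSOF='COMMAND  PID   USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
sshd    1236   root    3u  IPv4 0xc3613000      0t0  TCP *:ssh (LISTEN)
zebra   4862 quagga    8u  IPv6 0xc3614768      0t0  TCP *:zebra (LISTEN)
bgpd    4870 quagga    5u  IPv4 0xc3614900      0t0  TCP localhost:bgpd (LISTEN)
sshd    1236   root    4u  IPv4 0xc365a4f0      0t0  TCP 192.168.42.11:ssh (LISTEN)
ntpd     900   root   20u  IPv4 0xc3614a00      0t0  UDP *:ntp'

# Print "COMMAND PORT" for every socket bound to the wildcard address.
# Listening TCP sockets carry "(LISTEN)" as the last field; UDP sockets have
# no state, so their address is the last field.
wildcard_listeners() {
    # $1: text of `lsof -i`
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                       # skip the header line
        {
            addr = ($NF == "(LISTEN)") ? $(NF-1) : $NF
            if (addr ~ /^\*:/) {
                split(addr, a, ":")
                print $1, a[2]
            }
        }'
}

# Number of wildcard sockets; 0 is the "wanted result" of the steps above.
wildcard_count() {
    wildcard_listeners "$1" | wc -l | tr -d ' '
}

# Live use on the router:
#   wildcard_listeners "$(lsof -i)"
```

Note that a wildcard bind on the router is only a problem because the pf ruleset is still work in progress: once `block in log` plus the explicit `pass in on $ext_if` / `$man_if` rules are active, the firewall provides the same restriction, and the script then serves as a second, independent check.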
Random thoughts
- join the network, learn how it is working
- do a workshop for people in the region who want to join dn42. Maybe invite someone from dn42.org. The goal is that in the end all participants are connected to dn42.
- implement Pamela for dn42 visualization. That would be great!
- Create test network between HSB -> Tazo -> Askarel to learn bgp.
<Askarel> I have a spare server at OVH until end of the year we could use for that.
Contact: tazo