Difference between revisions of "Freifunk:VPN1"

m (added erfurt1)
Line 146: Line 146:
 
  ConnectTo = berlin1
 
  ConnectTo = berlin1
 
  ConnectTo = ffhallevpn1
 
  ConnectTo = ffhallevpn1
 +
ConnectTo = erfurt1
  
 
===== ffvpn/tinc-up =====
 
===== ffvpn/tinc-up =====
Line 181: Line 182:
  
 
===== ffvpn/hosts/ffhallevpn1 =====
 
===== ffvpn/hosts/ffhallevpn1 =====
  Address = vpn1.freifunk-halle.de
+
  address = vpn1.freifunk-halle.de
  Address = 88.198.51.136
+
  address = 88.198.51.136
 
  Port = 655
 
  Port = 655
 
  -----BEGIN RSA PUBLIC KEY-----
 
  -----BEGIN RSA PUBLIC KEY-----
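Review bot: The `ffvpn/hosts/ffhallevpn1` entry now carries two `address` lines (a hostname and a literal IP); whether tinc tries both as fallbacks or honours only the first depends on the installed tinc version, which the page does not state, so this should be confirmed before relying on the IP as a backup. The `Address` → `address` change itself is cosmetic, since tinc variable names are matched case-insensitively.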
Line 188: Line 189:
 
  XMkifjDjSDnHPa1l1LwWFXkTKVQLH4lUrDuadXMU+BSEJWO36vg/A9E3AjbzoTA7
 
  XMkifjDjSDnHPa1l1LwWFXkTKVQLH4lUrDuadXMU+BSEJWO36vg/A9E3AjbzoTA7
 
  RY6Gzx+FOXqTGOtqzEPMLkBGTrslerpw9JzfCgLlxLLCXg8Tri8ZAgMBAAE=
 
  RY6Gzx+FOXqTGOtqzEPMLkBGTrslerpw9JzfCgLlxLLCXg8Tri8ZAgMBAAE=
 +
-----END RSA PUBLIC KEY-----
 +
 +
===== ffvpn/hosts/erfurt1 =====
 +
address = t35thr.dyndns.org
 +
-----BEGIN RSA PUBLIC KEY-----
 +
MIGJAoGBAMB63H0OfUEUPoWPbM3tCCHQm+N9f8z0GDc7+fk+/8x09CuW6xmpfdm6
 +
vYrR6ceUsjRUhT/cIO6PhF3bUnaI7otAXHDSK4idvq99Z0miEvHWpJ9W0ZnbuUa4
 +
UeBJP0yCZLL4su7IPpdBWToPrgBHy43CAEnwdEHkp5iKE7zFscaPAgMBAAE=
 
  -----END RSA PUBLIC KEY-----
 
  -----END RSA PUBLIC KEY-----
  
Line 210: Line 219:
 
  !
 
  !
 
  !debug bgp events
 
  !debug bgp events
 +
!
 +
bgp multiple-instance
 
  !
 
  !
 
  router bgp 65044
 
  router bgp 65044
 
   bgp router-id 10.207.0.9
 
   bgp router-id 10.207.0.9
 
   bgp log-neighbor-changes
 
   bgp log-neighbor-changes
 +
  bgp bestpath as-path confed
 
   network 10.112.0.0/13
 
   network 10.112.0.0/13
 
   network 10.120.0.0/14
 
   network 10.120.0.0/14
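Review bot: `bgp bestpath as-path confed` only alters best-path selection when this router is part of a BGP confederation, and neither this hunk nor the revision shown below contains a `bgp confederation identifier` or `bgp confederation peers` line under `router bgp 65044`, so as written the option appears to be a no-op. If a confederation is intended the missing lines need to be added; if not, the line should be removed or carry a comment such as `! confed best-path: no confederation configured here`. `bgp multiple-instance` is correctly placed before the single `router bgp` block. The `router bgp 65044` block continues past the end of this hunk.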
Line 220: Line 232:
 
   neighbor ff-peers peer-group
 
   neighbor ff-peers peer-group
 
   neighbor ff-peers update-source 10.207.0.9
 
   neighbor ff-peers update-source 10.207.0.9
 +
  neighbor ff-peers soft-reconfiguration inbound
 
   neighbor ff-peers distribute-list hamburg-out out
 
   neighbor ff-peers distribute-list hamburg-out out
 
    
 
    
  neighbor 10.207.0.1 remote-as 65041
+
! neighbor 10.207.0.1 remote-as 65041
  neighbor 10.207.0.1 peer-group ff-peers
+
! neighbor 10.207.0.1 peer-group ff-peers
  neighbor 10.207.0.1 description leipzig1
+
! neighbor 10.207.0.1 description leipzig1
 
    
 
    
 
   neighbor 10.207.0.2 remote-as 65041
 
   neighbor 10.207.0.2 remote-as 65041
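Review bot: The peer-group still filters only what is announced (`neighbor ff-peers distribute-list hamburg-out out`); nothing in this hunk, or in the revision shown below, applies the `hamburg-in` access-list, so every prefix a peer sends, including Hamburg's own 10.112.0.0/12 and the 192.168.0.0/16 range that `hamburg-in` is written to deny, is accepted into the table. Adding ` neighbor ff-peers distribute-list hamburg-in in` beside the outbound list closes that gap and gives the `soft-reconfiguration inbound` this hunk enables an inbound policy to work with. `soft-reconfiguration inbound` keeps an unmodified copy of every route received from each peer; on the Soekris 4501 this page describes, that memory cost deserves a `!` comment. The neighbors disabled with `!` here and in the hunks at Line 230, Line 242, Line 250, Line 266 and Line 274 record no reason; a one-line `! disabled: <reason>` per block would help the next editor. The `router bgp 65044` block extends beyond this hunk.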
Line 230: Line 243:
 
   neighbor 10.207.0.2 peer-group ff-peers
 
   neighbor 10.207.0.2 peer-group ff-peers
 
    
 
    
  neighbor 10.207.0.3 remote-as 65042
+
! neighbor 10.207.0.3 remote-as 65042
  neighbor 10.207.0.3 description weimar1
+
! neighbor 10.207.0.3 description weimar1
  neighbor 10.207.0.3 peer-group ff-peers
+
! neighbor 10.207.0.3 peer-group ff-peers
 
    
 
    
  neighbor 10.207.0.4 remote-as 65042
+
! neighbor 10.207.0.4 remote-as 65042
  neighbor 10.207.0.4 description weimar2
+
! neighbor 10.207.0.4 description weimar2
  neighbor 10.207.0.4 peer-group ff-peers
+
! neighbor 10.207.0.4 peer-group ff-peers
 
    
 
    
 
   neighbor 10.207.0.5 remote-as 65040
 
   neighbor 10.207.0.5 remote-as 65040
Line 242: Line 255:
 
   neighbor 10.207.0.5 peer-group ff-peers
 
   neighbor 10.207.0.5 peer-group ff-peers
 
    
 
    
  neighbor 10.207.0.6 remote-as 65040
+
! neighbor 10.207.0.6 remote-as 65040
  neighbor 10.207.0.6 description berlin2
+
! neighbor 10.207.0.6 description berlin2
  neighbor 10.207.0.6 peer-group ff-peers
+
! neighbor 10.207.0.6 peer-group ff-peers
 
    
 
    
 
   neighbor 10.207.0.7 remote-as 65043
 
   neighbor 10.207.0.7 remote-as 65043
Line 250: Line 263:
 
   neighbor 10.207.0.7 peer-group ff-peers
 
   neighbor 10.207.0.7 peer-group ff-peers
 
    
 
    
  neighbor 10.207.0.8 remote-as 65043
+
! neighbor 10.207.0.8 remote-as 65043
  neighbor 10.207.0.8 description erfurt2
+
! neighbor 10.207.0.8 description erfurt2
  neighbor 10.207.0.8 peer-group ff-peers
+
! neighbor 10.207.0.8 peer-group ff-peers
 
    
 
    
  neighbor 10.207.0.11 remote-as 65045
+
! neighbor 10.207.0.11 remote-as 65045
  neighbor 10.207.0.11 description stuttgart1
+
! neighbor 10.207.0.11 description stuttgart1
  neighbor 10.207.0.11 peer-group ff-peers
+
! neighbor 10.207.0.11 peer-group ff-peers
 
    
 
    
  neighbor 10.207.0.12 remote-as 65045
+
! neighbor 10.207.0.12 remote-as 65045
  neighbor 10.207.0.12 description stuttgart2
+
! neighbor 10.207.0.12 description stuttgart2
  neighbor 10.207.0.12 peer-group ff-peers
+
! neighbor 10.207.0.12 peer-group ff-peers
 
    
 
    
 
   neighbor 10.207.0.13 remote-as 65046
 
   neighbor 10.207.0.13 remote-as 65046
Line 266: Line 279:
 
   neighbor 10.207.0.13 description halle1
 
   neighbor 10.207.0.13 description halle1
 
    
 
    
  neighbor 10.207.0.14 remote-as 65046
+
! neighbor 10.207.0.14 remote-as 65046
  neighbor 10.207.0.14 peer-group ff-peers
+
! neighbor 10.207.0.14 peer-group ff-peers
  neighbor 10.207.0.14 description halle2
+
! neighbor 10.207.0.14 description halle2
 
    
 
    
 
   neighbor 10.207.1.1 remote-as 35492
 
   neighbor 10.207.1.1 remote-as 35492
Line 274: Line 287:
 
   neighbor 10.207.1.1 peer-group ff-peers
 
   neighbor 10.207.1.1 peer-group ff-peers
 
    
 
    
  neighbor 10.207.1.2 remote-as 35492
+
! neighbor 10.207.1.2 remote-as 35492
  neighbor 10.207.1.2 description wien2
+
! neighbor 10.207.1.2 description wien2
  neighbor 10.207.1.2 peer-group ff-peers
+
! neighbor 10.207.1.2 peer-group ff-peers
 
    
 
    
 
   distance bgp 150 150 150
 
   distance bgp 150 150 150
Line 282: Line 295:
 
  access-list access permit 127.0.0.1/32
 
  access-list access permit 127.0.0.1/32
 
  access-list access deny any
 
  access-list access deny any
   
+
  !
 
  access-list all deny 192.168.0.0/16
 
  access-list all deny 192.168.0.0/16
 
  access-list all deny 10.112.0.0/12
 
  access-list all deny 10.112.0.0/12
 
  access-list all permit any
 
  access-list all permit any
   
+
  !
 
  access-list hamburg-in deny 10.4.0.0/14
 
  access-list hamburg-in deny 10.4.0.0/14
 
  access-list hamburg-in deny 10.32.0.0/12
 
  access-list hamburg-in deny 10.32.0.0/12
Line 292: Line 305:
 
  access-list hamburg-in deny 192.168.0.0/16
 
  access-list hamburg-in deny 192.168.0.0/16
 
  access-list hamburg-in permit any
 
  access-list hamburg-in permit any
   
+
  !
 
  access-list hamburg-out permit 10.112.0.0/13
 
  access-list hamburg-out permit 10.112.0.0/13
 
  access-list hamburg-out permit 10.120.0.0/14
 
  access-list hamburg-out permit 10.120.0.0/14

Revision as of 22:13, 10 June 2007

Dieser Node besteht momentan aus einem Soekris 4501 Board und soll die Verbindung zwischen den einzelnen Funkwolken in Hamburg und Freifunk Initiativen in anderen Staedten herstellen. Als VPN Software wird Tinc-VPN eingesetzt, wobei allerdings in Zukunft vermutlich auch andere VPN Protokolle unterstuetzt werden koennen. Eine kleine Hilfestellung auf Basis von OpenWRT kann man hier finden: Freifunk:IP:VPN_Connect


Interfaces

Hier eine kurze Uebersicht ueber die verschiedenen Netzwerk-Interfaces.

eth0

Das eth0 Interface ist momentan noch ungenutzt.

Interface Name: eth0
IP Adresse    : none
Hostname      : none
Description   : not used yet
Bandwidth     : 0bit

eth1

Das eth1 Interface ist zwar up, wird aber in der Regel ebenfalls nicht genutzt.

Interface Name: eth1
IP adresse    : 193.158.228.140
Hostname      : none
Description   : secondary uplink
Bandwidth     : 1500kbit/s

eth2

Ueber das eth2 Interface wird momentan die ganze VPN Geschichte abgewickelt. Es ist moeglich, sich per SSH einzuloggen, sofern man den dafuer noetigen Account oder Exploit hat. Das Tinc-VPN lauscht hier auf den Ports 655 und 656.

Interface Name: eth2
IP adresse    : 62.206.27.20
Hostname      : vpn1.hamburg.freifunk.net
Description   : primary uplink
Bandwidth     : 4000kbit/s


ffhh

Dieses Interface ist fuer das Hamburger Freifunk Netz eingerichtet. Tinc-VPN setzt dieses Interface in den TAP-Modus, damit Pakete zwischen den einzelnen VPN Clients wie bei einem Switch verschickt werden koennen. Der OLSR Daemon sendet seine Pakete an die Broadcast-Adresse (10.127.255.255) ueber dieses Interface.

Interface Name: ffhh
IP Adresse    : 10.112.1.1/12
Hostname      : none
Description   : Freifunk Hamburg
Software      : tinc-vpn, olsrd
Tinc-Port     : 656

ffvpn

Fuer das InterCity-VPN wurde dieses Interface eingerichtet. Tinc-VPN setzt auch dieses Interface in den TAP-Modus, und die Quagga Routing Suite kuendigt den Hamburger Freifunk IP-Bereich an entfernte BGP-Router an. Wir verwenden die interne AS-Nummer 65044 fuer das BGP-Peering.

Interface Name: ffvpn
IP Adresse    : 10.207.0.9/16
Hostname      : hamburg-r1.hamburg.freifunk.net
Description   : tunnel staedtekopplung
Software      : tinc-vpn, quagga(bgpd)
Tinc-Port     : 655
AS-Number     : 65044


Konfigurationen

Tinc-VPN

Hamburger Freifunk VPN (ffhh)

ffhh/tinc.conf
# tinc.conf for the "ffhh" network (Freifunk Hamburg, layer-2 switch VPN).
# Lines starting with # are ignored by tinc.
AddressFamily=ipv4
# This node's name; its own public host entry is hosts/vpn1 (listed below).
Name = vpn1
PrivateKeyFile = /etc/tinc/ffhh/rsa_key.priv
# Switch mode: the TAP device forwards frames between VPN clients like a
# switch (see the ffhh interface description above).
Mode = Switch
PingTimeout = 30
# ffhh listens on 656; the InterCity VPN (ffvpn) uses 655.
Port = 656
# Bind to the eth2 primary-uplink address only.
BindToAddress = 62.206.27.20
Hostnames=yes
#ConnectTo = vpn2

# CCCHH
# NOTE(review): no hosts/lok72 entry appears on this page; tinc needs one
# (with an Address) to make this outgoing connection — confirm it exists.
ConnectTo = lok72

# Dennis
ConnectTo = elan

# Cnud
#ConnectTo = cgre

# JensM
#ConnectTo = Stockholm


ffhh/tinc-up
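#!/bin/sh
# tinc-up for the ffhh (Freifunk Hamburg) interface. tincd runs this with
# $INTERFACE set to the TAP device name; it assigns this node's address in
# the 10.112.0.0/12 Hamburg range and brings the link up.
# $INTERFACE is quoted so an unexpected value cannot be split into extra
# arguments.
ip addr add dev "$INTERFACE" 10.112.1.1/12 broadcast 10.127.255.255
ip link set dev "$INTERFACE" up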


ffhh/tinc-down
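#!/bin/sh
# tinc-down for the ffhh interface: undoes tinc-up.
ip link set dev "$INTERFACE" down
# Give the prefix length so iproute2 removes exactly the address tinc-up
# added instead of falling back to a (warned-about) wildcard deletion.
ip addr del 10.112.1.1/12 dev "$INTERFACE"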


ffhh/hosts/vpn1
# hosts/vpn1: this node's own public host entry for the ffhh network.
Address = vpn1.hamburg.freifunk.net
# NOTE(review): Blowfish (64-bit block cipher) and SHA-1 are dated choices;
# presumably chosen to match the peers — confirm before changing either.
Cipher=blowfish
Compression=0
Digest=sha1
IndirectData=no
Port = 656
# 1024-bit RSA public key (PKCS#1; the "MIGJAoGB" prefix).
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAKVI9lNEiJ3JVDuXhsLKdqhE+k14bCM8cYaAReNrzBSDODxuLm+pPKwo
+7SgYW2/vAdnbFX689yKIs9inbQGNrakQQS/84pQ4TyN+H1dkhmxn5hweF/Ci3Qp
UxzfjeVmeH2L+ecVOgWK10aoUhfVGvCVB3UpoCT6GrQwOa8gB5vfAgMBAAE=
-----END RSA PUBLIC KEY-----
ffhh/hosts/elan
# hosts/elan: peer reached via "ConnectTo = elan" in ffhh/tinc.conf.
Address = elan.ainex.net
Port = 656
# 1024-bit RSA public key; this key, not the hostname, authenticates the peer.
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBALHyO9nsCFXUSlvaBRHZX4DMFTg2xvVPx2Vhtv0NPKIFeSMRNJ1tfuTN
ZhFGT0yUpl2QdCf6Xm6k6gMyEIMgeRSNDTRmm/rgli7EnCA1wEIc30BFP7MHkzx7
1oYD/jQxJIWCyjW3kH1Ui3WkZHws8rvpALcicFSBgvCk7QzYq09nAgMBAAE=
-----END RSA PUBLIC KEY-----


InterCity VPN (ffvpn)

ffvpn/tinc.conf
# tinc.conf for the "ffvpn" InterCity VPN. This node is "hhvpn1" here
# (its public entry is hosts/hhvpn1 below); BGP runs on top of the
# ffvpn interface that tinc-up configures.
Name = hhvpn1
PrivateKeyFile = /etc/tinc/ffvpn/rsa_key.priv
# Switch mode: TAP device, frames forwarded like a switch.
Mode = Switch
PingTimeout = 30
#TCPOnly = yes
# ffvpn listens on 655 (ffhh uses 656).
Port = 655
Hostnames=yes
# Bind to the eth2 primary-uplink address only.
BindToAddress = 62.206.27.20
# NOTE(review): no hosts/hhvpn2 entry appears on this page — confirm it
# exists on the box, tinc needs it for this outgoing connection.
ConnectTo = hhvpn2
ConnectTo = berlin1
ConnectTo = ffhallevpn1
ConnectTo = erfurt1
ffvpn/tinc-up
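#!/bin/sh
# tinc-up for the ffvpn (InterCity VPN) interface. tincd runs this with
# $INTERFACE set to the TAP device name; it assigns this node's 10.207.0.9/16
# tunnel address, brings the link up and opens forwarding from the Hamburg
# range on ffhh towards the InterCity VPN.
# $INTERFACE is quoted so an unexpected value cannot be split into extra
# arguments.
ip addr add dev "$INTERFACE" 10.207.0.9/16 broadcast 10.207.255.255
ip link set dev "$INTERFACE" up
# Only traffic sourced from 10.112.0.0/12 may leave towards ffvpn; the
# reverse direction and the FORWARD default policy are not set here.
# NOTE(review): -A appends a duplicate rule if this runs again before
# tinc-down has removed the previous one — verify the FORWARD chain.
iptables -A FORWARD -i ffhh -s 10.112.0.0/12   -o ffvpn -j ACCEPT                                               # FF Hamburg -> FF Global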
ffvpn/tinc-down
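#!/bin/sh
# tinc-down for the ffvpn interface: undoes tinc-up.
ip link set dev "$INTERFACE" down
# Give the prefix length so iproute2 removes exactly the address tinc-up
# added instead of falling back to a (warned-about) wildcard deletion.
ip addr del 10.207.0.9/16 dev "$INTERFACE"
# Must match the ACCEPT rule tinc-up appended, argument for argument.
iptables -D FORWARD -i ffhh -s 10.112.0.0/12   -o ffvpn -j ACCEPT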


ffvpn/hosts/hhvpn1
# hosts/hhvpn1: this node's own public host entry for the ffvpn network.
Address = vpn1.hamburg.freifunk.net
Port = 655
# 1024-bit RSA public key (PKCS#1; the "MIGJAoGB" prefix).
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAL5ld4OnWv52XD8q0MbfW+DLUe2lCaHLyf4XacwqOhjvS5RH+iAyPgIc
BZJEtmKjW+FrPRLTtJVeptlLWGJr+EE2/G3fq0/AbQDhzIT7OnqCNGrMC1YzNOZm
C8CVyiPwELdvBL+Z7j6Jq545/1zZ/H+z1EK6xuucjhwITFqMQrdxAgMBAAE=
-----END RSA PUBLIC KEY-----


ffvpn/hosts/berlin1
# hosts/berlin1: InterCity peer; no Port given, so tinc's default (655) applies.
address = vpn-ic1.berlin.freifunk.net
# The key, not the hostname, authenticates the peer.
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBALfEgQh1Po7B5/IP57pZT0iRjY+8GVfGgkYB7dFIANk/iSWjThe9pERm
x4GGx2NNoiNoDVdUtSz41oIc65bd651G01e2A1bnFQ9qRc9rZ/S91SqpO0+KheYw
judU2Mc81XkKQ38e9rgtU/OvWOF1Hq2EOOork2cePsC8QRa9oAa5AgMBAAE=
-----END RSA PUBLIC KEY-----


ffvpn/hosts/ffhallevpn1
# hosts/ffhallevpn1: InterCity peer, given as hostname and literal IP.
# NOTE(review): whether both address lines are tried depends on the tinc
# version in use — confirm the second one is actually honoured.
address = vpn1.freifunk-halle.de
address = 88.198.51.136
Port = 655
# The key, not the hostname or IP, authenticates the peer.
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBALF/Wu4pe+f3dHeLYApHxUnOGUBzpNREUet6nDp80uWT/dph7h6Yqtz2
XMkifjDjSDnHPa1l1LwWFXkTKVQLH4lUrDuadXMU+BSEJWO36vg/A9E3AjbzoTA7
RY6Gzx+FOXqTGOtqzEPMLkBGTrslerpw9JzfCgLlxLLCXg8Tri8ZAgMBAAE=
-----END RSA PUBLIC KEY-----
ffvpn/hosts/erfurt1
# hosts/erfurt1: InterCity peer on a dynamic-DNS name; no Port given, so
# tinc's default (655) applies. The key below, not the name, authenticates
# the peer — record where it was obtained and how it was verified.
address = t35thr.dyndns.org
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAMB63H0OfUEUPoWPbM3tCCHQm+N9f8z0GDc7+fk+/8x09CuW6xmpfdm6
vYrR6ceUsjRUhT/cIO6PhF3bUnaI7otAXHDSK4idvq99Z0miEvHWpJ9W0ZnbuUa4
UeBJP0yCZLL4su7IPpdBWToPrgBHy43CAEnwdEHkp5iKE7zFscaPAgMBAAE=
-----END RSA PUBLIC KEY-----


Quagga

InterCity-VPN

bgpd.conf
!
! Zebra configuration saved from vty
!   2007/04/19 08:19:20
!
! bgpd.conf for hh-r1: announces the Hamburg Freifunk 10.112.0.0/12 space
! to the InterCity-VPN peers over the ffvpn interface (10.207.0.9, AS 65044).
!
hostname hh-r1
! NOTE(review): these vty/enable credentials are published on a public wiki
! page; treat them as compromised, rotate them and redact them here. The "8"
! marks the value as already encrypted, yet neither value looks like crypt(3)
! output — confirm that vty login actually works with this file.
password 8 pophase
enable password 8 blasehase
log file /var/log/bgpd.log informational
log syslog informational
service advanced-vty
service password-encryption
!
!debug bgp events
!
bgp multiple-instance
!
router bgp 65044
 bgp router-id 10.207.0.9
 bgp log-neighbor-changes
 ! NOTE(review): only has an effect inside a BGP confederation, and no
 ! "bgp confederation ..." line is configured in this file — confirm intent.
 bgp bestpath as-path confed
 ! Announced prefixes; together they cover 10.112.0.0 - 10.126.255.255.
 ! NOTE(review): 10.127.0.0/16 (the last /16 of the /12) is not announced —
 ! confirm that is intentional.
 network 10.112.0.0/13
 network 10.120.0.0/14
 network 10.124.0.0/15
 network 10.126.0.0/16
 ! All city peers share one peer-group: sessions are sourced from the ffvpn
 ! address, received routes are kept unmodified (soft-reconfiguration costs
 ! memory per peer) and only the hamburg-out prefixes are announced.
 ! NOTE(review): no inbound distribute-list is applied, so anything a peer
 ! sends is accepted; hamburg-in below looks meant for "distribute-list
 ! hamburg-in in".
 neighbor ff-peers peer-group
 neighbor ff-peers update-source 10.207.0.9
 neighbor ff-peers soft-reconfiguration inbound
 neighbor ff-peers distribute-list hamburg-out out
 
 ! Peers are paired per city (two routers per AS); blocks prefixed with "!"
 ! are disabled. NOTE(review): no reason for disabling is recorded.
! neighbor 10.207.0.1 remote-as 65041
! neighbor 10.207.0.1 peer-group ff-peers
! neighbor 10.207.0.1 description leipzig1
 
 neighbor 10.207.0.2 remote-as 65041
 neighbor 10.207.0.2 description leipzig2
 neighbor 10.207.0.2 peer-group ff-peers
 
! neighbor 10.207.0.3 remote-as 65042
! neighbor 10.207.0.3 description weimar1
! neighbor 10.207.0.3 peer-group ff-peers
 
! neighbor 10.207.0.4 remote-as 65042
! neighbor 10.207.0.4 description weimar2
! neighbor 10.207.0.4 peer-group ff-peers
 
 neighbor 10.207.0.5 remote-as 65040
 neighbor 10.207.0.5 description berlin1
 neighbor 10.207.0.5 peer-group ff-peers
 
! neighbor 10.207.0.6 remote-as 65040
! neighbor 10.207.0.6 description berlin2
! neighbor 10.207.0.6 peer-group ff-peers
 
 neighbor 10.207.0.7 remote-as 65043
 neighbor 10.207.0.7 description erfurt1
 neighbor 10.207.0.7 peer-group ff-peers
 
! neighbor 10.207.0.8 remote-as 65043
! neighbor 10.207.0.8 description erfurt2
! neighbor 10.207.0.8 peer-group ff-peers
 
! neighbor 10.207.0.11 remote-as 65045
! neighbor 10.207.0.11 description stuttgart1
! neighbor 10.207.0.11 peer-group ff-peers
 
! neighbor 10.207.0.12 remote-as 65045
! neighbor 10.207.0.12 description stuttgart2
! neighbor 10.207.0.12 peer-group ff-peers
 
 neighbor 10.207.0.13 remote-as 65046
 neighbor 10.207.0.13 peer-group ff-peers
 neighbor 10.207.0.13 description halle1
 
! neighbor 10.207.0.14 remote-as 65046
! neighbor 10.207.0.14 peer-group ff-peers
! neighbor 10.207.0.14 description halle2
 
 ! Wien uses a public AS number rather than a private (64512-65534) one.
 neighbor 10.207.1.1 remote-as 35492
 neighbor 10.207.1.1 description wien1
 neighbor 10.207.1.1 peer-group ff-peers
 
! neighbor 10.207.1.2 remote-as 35492
! neighbor 10.207.1.2 description wien2
! neighbor 10.207.1.2 peer-group ff-peers
 
 ! Administrative distance for eBGP / iBGP / locally originated routes.
 distance bgp 150 150 150
!
! "access" is applied to the vty below: only the local host may log in,
! which limits the exposure of the published password above.
access-list access permit 127.0.0.1/32
access-list access deny any
!
! NOTE(review): "all" is not referenced anywhere in this file.
access-list all deny 192.168.0.0/16
access-list all deny 10.112.0.0/12
access-list all permit any
!
! Rejects Hamburg's own /12, 192.168.0.0/16 and two other 10/8 ranges.
! NOTE(review): defined but not applied to any neighbor in this file.
access-list hamburg-in deny 10.4.0.0/14
access-list hamburg-in deny 10.32.0.0/12
access-list hamburg-in deny 10.112.0.0/12
access-list hamburg-in deny 192.168.0.0/16
access-list hamburg-in permit any
!
! Outbound filter for ff-peers: mirrors the network statements above and
! ends in an explicit deny, so nothing else leaks out.
access-list hamburg-out permit 10.112.0.0/13
access-list hamburg-out permit 10.120.0.0/14
access-list hamburg-out permit 10.124.0.0/15
access-list hamburg-out permit 10.126.0.0/16
access-list hamburg-out deny any
!
line vty
 access-class access
!