Dieses Wiki ist ein Archiv bis 2023. Das aktuelle Wiki findet sich unter https://wiki.hamburg.ccc.de/
Difference between revisions of "Freifunk:VPN1"
m |
m |
||
Line 204: | Line 204: | ||
===== ffvpn/hosts/leipzig1 ===== | ===== ffvpn/hosts/leipzig1 ===== | ||
− | Address = vpn1.leipzig.freifunk.net | + | Address = vpn1.leipzig.freifunk.net |
− | -----BEGIN RSA PUBLIC KEY----- | + | -----BEGIN RSA PUBLIC KEY----- |
− | MIGJAoGBAKL7eWHmD2Rn6IP7JlSWtkphokN785g8nccBmfcjbwEwiZv+EFaVoid/ | + | MIGJAoGBAKL7eWHmD2Rn6IP7JlSWtkphokN785g8nccBmfcjbwEwiZv+EFaVoid/ |
− | 0dPfvHaX0GaQGOhpef3PVHEbIMuU8dD9+7WbXO3+hUSIAfHoIdGK7n8qFtzTpzqn | + | 0dPfvHaX0GaQGOhpef3PVHEbIMuU8dD9+7WbXO3+hUSIAfHoIdGK7n8qFtzTpzqn |
− | HAWcgneIE+sZVZRKC0B3VyQ8XujHuLCrQYkjRmVzvbb4cSzE+YhxAgMBAAE= | + | HAWcgneIE+sZVZRKC0B3VyQ8XujHuLCrQYkjRmVzvbb4cSzE+YhxAgMBAAE= |
− | -----END RSA PUBLIC KEY----- | + | -----END RSA PUBLIC KEY----- |
===== ffvpn/hosts/leipzig2 ===== | ===== ffvpn/hosts/leipzig2 ===== | ||
− | Address = vpn2.leipzig.freifunk.net | + | Address = vpn2.leipzig.freifunk.net |
− | -----BEGIN RSA PUBLIC KEY----- | + | -----BEGIN RSA PUBLIC KEY----- |
− | MIGJAoGBALf6n7zN7GDf50k4F1+JbOde/7WGKc8HtaCNyIV93PeSFz1IiGpf8Vnn | + | MIGJAoGBALf6n7zN7GDf50k4F1+JbOde/7WGKc8HtaCNyIV93PeSFz1IiGpf8Vnn |
− | 9xGl64X+5i07gH9l81Cx2/cgSqY3XYSTCVrCCaAJN5jnoQbubfQTojx/e0ZKDXeO | + | 9xGl64X+5i07gH9l81Cx2/cgSqY3XYSTCVrCCaAJN5jnoQbubfQTojx/e0ZKDXeO |
− | WVtjm6Y+TcqBLJ2TRAxmtyc3VX5VBfU3N3yaYZv3G+RzKNFI1VX7AgMBAAE= | + | WVtjm6Y+TcqBLJ2TRAxmtyc3VX5VBfU3N3yaYZv3G+RzKNFI1VX7AgMBAAE= |
− | -----END RSA PUBLIC KEY----- | + | -----END RSA PUBLIC KEY----- |
Line 248: | Line 248: | ||
bgp log-neighbor-changes | bgp log-neighbor-changes | ||
bgp bestpath as-path confed | bgp bestpath as-path confed | ||
+ | network 10.4.2.0/24 | ||
network 10.112.0.0/13 | network 10.112.0.0/13 | ||
network 10.120.0.0/14 | network 10.120.0.0/14 | ||
Line 255: | Line 256: | ||
neighbor ff-peers update-source 10.207.0.9 | neighbor ff-peers update-source 10.207.0.9 | ||
neighbor ff-peers soft-reconfiguration inbound | neighbor ff-peers soft-reconfiguration inbound | ||
− | neighbor ff-peers distribute-list | + | neighbor ff-peers distribute-list hamburg4out out |
− | + | neighbor ff-peers prefix-list bgp4in in | |
+ | |||
neighbor 10.207.0.1 remote-as 65041 | neighbor 10.207.0.1 remote-as 65041 | ||
neighbor 10.207.0.1 peer-group ff-peers | neighbor 10.207.0.1 peer-group ff-peers | ||
− | neighbor 10.207.0.1 description | + | neighbor 10.207.0.1 description Leipzig1 |
neighbor 10.207.0.2 remote-as 65041 | neighbor 10.207.0.2 remote-as 65041 | ||
neighbor 10.207.0.2 peer-group ff-peers | neighbor 10.207.0.2 peer-group ff-peers | ||
− | neighbor 10.207.0.2 description | + | neighbor 10.207.0.2 description Leipzig2 |
neighbor 10.207.0.3 remote-as 65042 | neighbor 10.207.0.3 remote-as 65042 | ||
Line 299: | Line 301: | ||
neighbor 10.207.0.13 remote-as 65046 | neighbor 10.207.0.13 remote-as 65046 | ||
neighbor 10.207.0.13 peer-group ff-peers | neighbor 10.207.0.13 peer-group ff-peers | ||
− | neighbor 10.207.0.13 description | + | neighbor 10.207.0.13 description Halle1 |
neighbor 10.207.0.14 remote-as 65046 | neighbor 10.207.0.14 remote-as 65046 | ||
neighbor 10.207.0.14 peer-group ff-peers | neighbor 10.207.0.14 peer-group ff-peers | ||
− | neighbor 10.207.0.14 description | + | neighbor 10.207.0.14 description Halle2 |
neighbor 10.207.1.1 remote-as 35492 | neighbor 10.207.1.1 remote-as 35492 | ||
Line 317: | Line 319: | ||
address-family ipv6 | address-family ipv6 | ||
network 2001:6f8:982::/48 | network 2001:6f8:982::/48 | ||
− | |||
network 2001:6f8:1300::/48 | network 2001:6f8:1300::/48 | ||
+ | neighbor ff-peers activate | ||
+ | neighbor ff-peers soft-reconfiguration inbound | ||
+ | neighbor ff-peers distribute-list hamburg6out out | ||
+ | neighbor ff-peers prefix-list bgp6in in | ||
exit-address-family | exit-address-family | ||
! | ! | ||
− | access-list | + | access-list access4 permit 127.0.0.1/32 |
− | access-list access deny any | + | access-list access4 deny any |
+ | ! | ||
+ | access-list hamburg4in deny 10.207.0.0/16 | ||
+ | access-list hamburg4in deny 6.0.0.0/8 | ||
+ | access-list hamburg4in permit any | ||
! | ! | ||
− | access-list | + | access-list hamburg4out permit 10.112.0.0/13 |
− | access-list | + | access-list hamburg4out permit 10.120.0.0/14 |
− | access-list | + | access-list hamburg4out permit 10.124.0.0/15 |
+ | access-list hamburg4out permit 10.126.0.0/16 | ||
+ | access-list hamburg4out permit 10.4.2.0/24 | ||
+ | access-list hamburg4out deny any | ||
! | ! | ||
− | + | ip prefix-list bgp4in description BGP IPv4 import filter | |
− | + | ip prefix-list bgp4in seq 5 deny 0.0.0.0/8 le 32 | |
+ | ip prefix-list bgp4in seq 10 deny 6.0.0.0/8 le 32 | ||
+ | ip prefix-list bgp4in seq 100 permit any | ||
! | ! | ||
− | access-list | + | ipv6 access-list access6 permit ::1/128 |
− | + | ipv6 access-list access6 permit 2001:6f8:982::/48 | |
− | access-list | + | ipv6 access-list access6 permit 2001:6f8:1300::/48 |
− | access-list | + | ipv6 access-list access6 deny any |
− | access-list | ||
! | ! | ||
− | ipv6 access-list | + | ipv6 access-list hamburg6in deny 2001:6f8:982::/48 |
− | + | ipv6 access-list hamburg6in deny 2001:6f8:1300::/48 | |
− | ipv6 access-list | + | ipv6 access-list hamburg6in permit any |
− | ipv6 access-list | ||
! | ! | ||
− | ipv6 access-list | + | ipv6 access-list hamburg6out permit 2001:6f8:982::/48 |
− | ipv6 access-list | + | ipv6 access-list hamburg6out permit 2001:6f8:1300::/48 |
− | ipv6 access-list | + | ipv6 access-list hamburg6out deny any |
! | ! | ||
− | ipv6 | + | ipv6 prefix-list bgp6in description BGP IPv6 import filter |
− | ipv6 | + | ipv6 prefix-list bgp6in seq 5 deny ::/0 le 128 |
− | |||
! | ! | ||
line vty | line vty | ||
− | access-class | + | access-class access4 |
− | ipv6 access-class | + | ipv6 access-class access6 |
! | ! | ||
+ | end | ||
+ | |||
=== Sonstiges === | === Sonstiges === |
Revision as of 17:38, 9 July 2007
Dieser Node besteht momentan aus einem Soekris 4501 Board und soll die Verbindung zwischen den einzelnen Funkwolken in Hamburg und Freifunk Initiativen in anderen Staedten herstellen. Als VPN Software wird Tinc-VPN eingesetzt, wobei allerdings in Zukunft vermutlich auch andere VPN Protokolle unterstuetzt werden koennen. Eine kleine Hilfestellung auf Basis von OpenWRT kann man hier finden: Freifunk:IP:VPN_Connect
Leipzig hat fuer das IC-VPN ein Looking-Glass installiert, damit man das BGP aus der Leipziger Sicht anschauen kann.
Contents
Interfaces
Hier eine kurze Uebersicht ueber die verschiedenen Netzwerk-Interfaces.
eth0
Das eth0 Interface ist momentan noch ungenutzt.
Interface Name: eth0 IP Adresse : none Hostname : none Description : not used yet Bandwidth : 0bit
eth1
Das eth1 Interface ist zwar up, wird aber in der Regel ebenfalls nicht genutzt.
Interface Name: eth1 IP adresse : 193.158.228.140 Hostname : none Description : secondary uplink Bandwidth : 1500kbit/s
eth2
Ueber das eth2 Interface wird momentan die ganze VPN Geschichte abgewickelt. Es ist moeglich per SSH sich einzuloggen, sofern man den dafuer noetigen Account, oder Exploit hat. Das Tinc-VPN lauscht hier auf den Ports 655 und 656.
Interface Name: eth2 IP adresse : 62.206.27.20 Hostname : vpn1.hamburg.freifunk.net Description : primary uplink Bandwidth : 4000kbit/s
ffhh
Dieses Interface ist fuer das Hamburger Freifunk Netz eingerichtet. Tinc-VPN setzt dieses Interface in den TAP-Modus, damit Pakete zwischen den einzelnen VPN Clients wie bei einem Switch verschickt werden koennen. Der OLSR Daemon sendet seine Pakete an die Broadcast-Adresse (10.127.255.255) ueber dieses Interface.
Interface Name: ffhh IP Adresse : 10.112.1.1/12 Hostname : none Description : Freifunk Hamburg Software : tinc-vpn, olsrd Tinc-Port : 656
ffvpn
Fuer das InterCity-VPN wurde dieses Interface eingerichtet. Tinc-VPN setzt auch dieses Interface in den TAP-Modus und die Quagga Routing Suite kuendigt den Hamburger Freifunk IP-Bereich an entfernte BGP-Router. Wir verwenden die interne AS-Nummer 65044 fuer das BGP-Peering.
Interface Name: ffvpn IP Adresse : 10.207.0.9/16 Hostname : hamburg-r1.hamburg.freifunk.net Description : tunnel staedtekopplung Software : tinc-vpn, quagga(bgpd) Tinc-Port : 655 AS-Number : 65044
Konfigurationen
Tinc-VPN
Hamburger Freifunk VPN (ffhh)
ffhh/tinc.conf
AddressFamily=ipv4 Name = vpn1 PrivateKeyFile = /etc/tinc/ffhh/rsa_key.priv Mode = Switch PingTimeout = 30 Port = 656 BindToAddress = 62.206.27.20 Hostnames=yes #ConnectTo = vpn2 # CCCHH ConnectTo = lok72 # Dennis ConnectTo = elan # Cnud #ConnectTo = cgre # JensM #ConnectTo = Stockholm
ffhh/tinc-up
#!/bin/sh ip addr add dev $INTERFACE 10.112.1.1/12 broadcast 10.127.255.255 ip link set dev $INTERFACE up
ffhh/tinc-down
#!/bin/sh ip link set dev $INTERFACE down ip addr del 10.112.1.1 dev $INTERFACE
ffhh/hosts/vpn1
Address = vpn1.hamburg.freifunk.net Cipher=blowfish Compression=0 Digest=sha1 IndirectData=no Port = 656 -----BEGIN RSA PUBLIC KEY----- MIGJAoGBAKVI9lNEiJ3JVDuXhsLKdqhE+k14bCM8cYaAReNrzBSDODxuLm+pPKwo +7SgYW2/vAdnbFX689yKIs9inbQGNrakQQS/84pQ4TyN+H1dkhmxn5hweF/Ci3Qp UxzfjeVmeH2L+ecVOgWK10aoUhfVGvCVB3UpoCT6GrQwOa8gB5vfAgMBAAE= -----END RSA PUBLIC KEY-----
ffhh/hosts/elan
Address = elan.ainex.net Port = 656 -----BEGIN RSA PUBLIC KEY----- MIGJAoGBALHyO9nsCFXUSlvaBRHZX4DMFTg2xvVPx2Vhtv0NPKIFeSMRNJ1tfuTN ZhFGT0yUpl2QdCf6Xm6k6gMyEIMgeRSNDTRmm/rgli7EnCA1wEIc30BFP7MHkzx7 1oYD/jQxJIWCyjW3kH1Ui3WkZHws8rvpALcicFSBgvCk7QzYq09nAgMBAAE= -----END RSA PUBLIC KEY-----
InterCity VPN (ffvpn)
ffvpn/tinc.conf
Name = hhvpn1 PrivateKeyFile = /etc/tinc/ffvpn/rsa_key.priv Mode = Switch PingTimeout = 30 #TCPOnly = yes Port = 655 Hostnames=yes BindToAddress = 62.206.27.20 ConnectTo = hhvpn2 ConnectTo = berlin1 ConnectTo = ffhallevpn1 ConnectTo = erfurt1 ConnectTo = leipzig1 ConnectTo = leipzig2
ffvpn/tinc-up
#!/bin/sh ip addr add dev $INTERFACE 10.207.0.9/16 broadcast 10.207.255.255 ip link set dev $INTERFACE up iptables -A FORWARD -i ffhh -s 10.112.0.0/12 -o ffvpn -j ACCEPT # FF Hamburg -> FF Global
ffvpn/tinc-down
#!/bin/sh ip link set dev $INTERFACE down ip addr del 10.207.0.9 dev $INTERFACE iptables -D FORWARD -i ffhh -s 10.112.0.0/12 -o ffvpn -j ACCEPT
ffvpn/hosts/hhvpn1
Address = vpn1.hamburg.freifunk.net Port = 655 -----BEGIN RSA PUBLIC KEY----- MIGJAoGBAL5ld4OnWv52XD8q0MbfW+DLUe2lCaHLyf4XacwqOhjvS5RH+iAyPgIc BZJEtmKjW+FrPRLTtJVeptlLWGJr+EE2/G3fq0/AbQDhzIT7OnqCNGrMC1YzNOZm C8CVyiPwELdvBL+Z7j6Jq545/1zZ/H+z1EK6xuucjhwITFqMQrdxAgMBAAE= -----END RSA PUBLIC KEY-----
ffvpn/hosts/berlin1
address = vpn-ic1.berlin.freifunk.net -----BEGIN RSA PUBLIC KEY----- MIGJAoGBALfEgQh1Po7B5/IP57pZT0iRjY+8GVfGgkYB7dFIANk/iSWjThe9pERm x4GGx2NNoiNoDVdUtSz41oIc65bd651G01e2A1bnFQ9qRc9rZ/S91SqpO0+KheYw judU2Mc81XkKQ38e9rgtU/OvWOF1Hq2EOOork2cePsC8QRa9oAa5AgMBAAE= -----END RSA PUBLIC KEY-----
ffvpn/hosts/ffhallevpn1
address = vpn1.freifunk-halle.de address = 88.198.51.136 Port = 655 -----BEGIN RSA PUBLIC KEY----- MIGJAoGBALF/Wu4pe+f3dHeLYApHxUnOGUBzpNREUet6nDp80uWT/dph7h6Yqtz2 XMkifjDjSDnHPa1l1LwWFXkTKVQLH4lUrDuadXMU+BSEJWO36vg/A9E3AjbzoTA7 RY6Gzx+FOXqTGOtqzEPMLkBGTrslerpw9JzfCgLlxLLCXg8Tri8ZAgMBAAE= -----END RSA PUBLIC KEY-----
ffvpn/hosts/erfurt1
address = t35thr.dyndns.org -----BEGIN RSA PUBLIC KEY----- MIGJAoGBAMB63H0OfUEUPoWPbM3tCCHQm+N9f8z0GDc7+fk+/8x09CuW6xmpfdm6 vYrR6ceUsjRUhT/cIO6PhF3bUnaI7otAXHDSK4idvq99Z0miEvHWpJ9W0ZnbuUa4 UeBJP0yCZLL4su7IPpdBWToPrgBHy43CAEnwdEHkp5iKE7zFscaPAgMBAAE= -----END RSA PUBLIC KEY-----
ffvpn/hosts/leipzig1
Address = vpn1.leipzig.freifunk.net -----BEGIN RSA PUBLIC KEY----- MIGJAoGBAKL7eWHmD2Rn6IP7JlSWtkphokN785g8nccBmfcjbwEwiZv+EFaVoid/ 0dPfvHaX0GaQGOhpef3PVHEbIMuU8dD9+7WbXO3+hUSIAfHoIdGK7n8qFtzTpzqn HAWcgneIE+sZVZRKC0B3VyQ8XujHuLCrQYkjRmVzvbb4cSzE+YhxAgMBAAE= -----END RSA PUBLIC KEY-----
ffvpn/hosts/leipzig2
Address = vpn2.leipzig.freifunk.net -----BEGIN RSA PUBLIC KEY----- MIGJAoGBALf6n7zN7GDf50k4F1+JbOde/7WGKc8HtaCNyIV93PeSFz1IiGpf8Vnn 9xGl64X+5i07gH9l81Cx2/cgSqY3XYSTCVrCCaAJN5jnoQbubfQTojx/e0ZKDXeO WVtjm6Y+TcqBLJ2TRAxmtyc3VX5VBfU3N3yaYZv3G+RzKNFI1VX7AgMBAAE= -----END RSA PUBLIC KEY-----
Quagga
InterCity-VPN
bgpd.conf
! ! Zebra configuration saved from vty ! 2007/04/19 08:19:20 ! hostname bgpd@vpn1.hamburg.freifunk.net password 8 pophase enable password 8 blasehase log file /var/log/bgpd.log informational log syslog informational service advanced-vty service password-encryption banner motd file /etc/issue.net ! !debug bgp events ! bgp multiple-instance ! router bgp 65044 bgp router-id 10.207.0.9 bgp log-neighbor-changes bgp bestpath as-path confed network 10.4.2.0/24 network 10.112.0.0/13 network 10.120.0.0/14 network 10.124.0.0/15 network 10.126.0.0/16 neighbor ff-peers peer-group neighbor ff-peers update-source 10.207.0.9 neighbor ff-peers soft-reconfiguration inbound neighbor ff-peers distribute-list hamburg4out out neighbor ff-peers prefix-list bgp4in in neighbor 10.207.0.1 remote-as 65041 neighbor 10.207.0.1 peer-group ff-peers neighbor 10.207.0.1 description Leipzig1 neighbor 10.207.0.2 remote-as 65041 neighbor 10.207.0.2 peer-group ff-peers neighbor 10.207.0.2 description Leipzig2 neighbor 10.207.0.3 remote-as 65042 neighbor 10.207.0.3 peer-group ff-peers neighbor 10.207.0.3 description Weimar1 neighbor 10.207.0.4 remote-as 65042 neighbor 10.207.0.4 peer-group ff-peers neighbor 10.207.0.4 description Weimar2 neighbor 10.207.0.5 remote-as 65040 neighbor 10.207.0.5 peer-group ff-peers neighbor 10.207.0.5 description Berlin1 neighbor 10.207.0.6 remote-as 65040 neighbor 10.207.0.6 peer-group ff-peers neighbor 10.207.0.6 description Berlin2 neighbor 10.207.0.7 remote-as 65043 neighbor 10.207.0.7 peer-group ff-peers neighbor 10.207.0.7 description Erfurt1 neighbor 10.207.0.8 remote-as 65043 neighbor 10.207.0.8 peer-group ff-peers neighbor 10.207.0.8 description Erfurt2 neighbor 10.207.0.11 remote-as 65045 neighbor 10.207.0.11 peer-group ff-peers neighbor 10.207.0.11 description Stuttgart1 neighbor 10.207.0.12 remote-as 65045 neighbor 10.207.0.12 peer-group ff-peers neighbor 10.207.0.12 description Stuttgart2 neighbor 10.207.0.13 remote-as 65046 neighbor 10.207.0.13 peer-group ff-peers neighbor 10.207.0.13 description Halle1 neighbor 10.207.0.14 remote-as 65046 neighbor 10.207.0.14 peer-group ff-peers neighbor 10.207.0.14 description Halle2 neighbor 10.207.1.1 remote-as 35492 neighbor 10.207.1.1 peer-group ff-peers neighbor 10.207.1.1 description Wien1 neighbor 10.207.1.2 remote-as 35492 neighbor 10.207.1.2 peer-group ff-peers neighbor 10.207.1.2 description Wien2 distance bgp 150 150 150 ! address-family ipv6 network 2001:6f8:982::/48 network 2001:6f8:1300::/48 neighbor ff-peers activate neighbor ff-peers soft-reconfiguration inbound neighbor ff-peers distribute-list hamburg6out out neighbor ff-peers prefix-list bgp6in in exit-address-family ! access-list access4 permit 127.0.0.1/32 access-list access4 deny any ! access-list hamburg4in deny 10.207.0.0/16 access-list hamburg4in deny 6.0.0.0/8 access-list hamburg4in permit any ! access-list hamburg4out permit 10.112.0.0/13 access-list hamburg4out permit 10.120.0.0/14 access-list hamburg4out permit 10.124.0.0/15 access-list hamburg4out permit 10.126.0.0/16 access-list hamburg4out permit 10.4.2.0/24 access-list hamburg4out deny any ! ip prefix-list bgp4in description BGP IPv4 import filter ip prefix-list bgp4in seq 5 deny 0.0.0.0/8 le 32 ip prefix-list bgp4in seq 10 deny 6.0.0.0/8 le 32 ip prefix-list bgp4in seq 100 permit any ! ipv6 access-list access6 permit ::1/128 ipv6 access-list access6 permit 2001:6f8:982::/48 ipv6 access-list access6 permit 2001:6f8:1300::/48 ipv6 access-list access6 deny any ! ipv6 access-list hamburg6in deny 2001:6f8:982::/48 ipv6 access-list hamburg6in deny 2001:6f8:1300::/48 ipv6 access-list hamburg6in permit any ! ipv6 access-list hamburg6out permit 2001:6f8:982::/48 ipv6 access-list hamburg6out permit 2001:6f8:1300::/48 ipv6 access-list hamburg6out deny any ! ipv6 prefix-list bgp6in description BGP IPv6 import filter ipv6 prefix-list bgp6in seq 5 deny ::/0 le 128 ! line vty access-class access4 ipv6 access-class access6 ! end
Sonstiges
/etc/issue.net
,----------------------------------------------------------------------. | | | Unauthorized use of this system is prohibited and may be prosecuted | | to the fullest extent of law. By using this system, you implicitly | | agree to monitoring by system management and law enforcement | | authorities. If you do not agree with these terms, | | DISCONNECT NOW! | | ;-p | `----------------------------------------------------------------------^