Freifunk Potsdam | Wiki

Potsdam-VPN: Unterschied zwischen den Versionen

Seite Diskussion

Potsdam-VPN (Quelltext anzeigen)

Version vom 2. Dezember 2017, 15:01 Uhr

5.680 Bytes entfernt ,  2. Dezember 2017
neue Serverconfig folgt, Struktur geändert
(modus changed to mesh)
(neue Serverconfig folgt, Struktur geändert)
Zeile 43: Zeile 43:
</gallery>
</gallery>


== Server aufsetzen ==
== Keys generieren ==
=== Keys generieren ===
=== Easy-RSA config ===
==== Easy-RSA config ====
* vim vars
* vim vars
  export EASY_RSA="`pwd`"
  export EASY_RSA="`pwd`"
Zeile 75: Zeile 74:
  export KEY_CN=
  export KEY_CN=
  export KEY_NAME=
  export KEY_NAME=
==== CA Zertifikat, CA Key und DH Parameter erzeugen ====
=== CA Zertifikat, CA Key und DH Parameter erzeugen ===
  . vars
  . vars
  ./build-ca
  ./build-ca
  ./build-dh
  ./build-dh
==== Server Zertifikat und Server Key erzeugen ====
=== Server Zertifikat und Server Key erzeugen ===
  . vars
  . vars
  ./build-key-server <span style="color:red">$server name$</span>
  ./build-key-server <span style="color:red">$server name$</span>
==== client Zertifikat und Client Key erzeugen ====
=== client Zertifikat und Client Key erzeugen ===
  . vars
  . vars
  ./build-key <span style="color:red">$client name$</span>
  ./build-key <span style="color:red">$client name$</span>


=== OpenVPN einrichten ===
== Server aufsetzen ==
* apt-get install openvpn
* kopieren von ca.crt, dh2048.pem, <span style="color:red">$server$</span>.crt, <span style="color:red">$server$</span>.key nach /etc/openvpn/freifunk-potsdam/
* vim /etc/openvpn/pdmvpn.conf
port 1195
mode server
proto udp
dev tap0
ca /etc/openvpn/freifunk-potsdam/ca.crt
cert /etc/openvpn/freifunk-potsdam/<span style="color:red">$server$</span>.crt
key /etc/openvpn/freifunk-potsdam/<span style="color:red">$server$</span>.key
dh /etc/openvpn/freifunk-potsdam/dh2048.pem
server 172.22.25<span style="color:red">X</span>.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
topology subnet
keepalive 60 240
comp-lzo no
cipher none
user nobody
group nogroup
persist-key
persist-tun
log        /var/log/openvpn-pdmvpn-1195.log
log-append  /var/log/openvpn-pdmvpn-1195.log
verb 3
* OpenVPN starten / aktivieren
SystemD
systemctl start openvpn@pdmvpn.service
systemctl enable openvpn@pdmvpn.service
SysVinit
/etc/init.d/openvpn start pdmvpn
 
=== N2N für Server-zu-Server Kommunikation ===
mit N2N bilden wir ein P2P-VPN zwischen den verschiedenen Servern
* apt-get install n2n
* eine Supernode wird benötigt, um eine initiale Verbindung zum P2P-VPN herzustellen (monitor.freifunk-potsdam.de)
supernode -l 7654
* Verbindung zum P2P-VPN herstellen
N2N_KEY="***key***" edge -b -r -p 7655 -f -d n2n0 -c pdmvpn -u 99 -g 99 -m CA:FF:EE:BA:BE:0<span style="color:red">X</span> -a 172.22.250.<span style="color:red">X</span> -l vpn.freifunk-potsdam.de:7654
 
=== OLSR kompilieren und installieren ===
# apt-get install git build-essential bison flex libgps-dev
# git clone -b drophna_plugin https://github.com/seth0r/olsrd.git
# cd olsrd/
# make && make libs && make install && make libs_install
# cd lib/drophna/
# make && make install
# vim /etc/olsrd/olsrd.conf
 
RtTable        111
RtTableDefault  112
#RtTableTunnel  113
#RtTableTunnelPriority 100000
SmartGateway no
SmartGatewayUplink "none"
DebugLevel      0
Interface "tap0"
{
    Mode    "ether"
    Ip4Broadcast                255.255.255.255
    LinkQualityMult            default 0.25
    HelloInterval              3.0
    HelloValidityTime          125.0
    TcInterval                  2.0
    TcValidityTime              500.0
    MidInterval                25.0
    MidValidityTime            500.0
    HnaInterval                10.0
    HnaValidityTime            125.0
}
Interface "n2n0"
{
    Mode    "ether"
    Ip4Broadcast                255.255.255.255
    LinkQualityMult            default 1.0
    HelloInterval              3.0
    HelloValidityTime          125.0
    TcInterval                  2.0
    TcValidityTime              500.0
    MidInterval                25.0
    MidValidityTime            500.0
    HnaInterval                10.0
    HnaValidityTime            125.0
}
Hna4
{
    172.22.250.0    255.255.255.0
    172.22.25<span style="color:red">X</span>.0    255.255.255.0
}
LinkQualityFishEye 1
LinkQualityAlgorithm "etx_ffeth"
IpVersion      4
ClearScreen    yes
AllowNoInt      yes
Willingness    3
UseHysteresis  no
LinkQualityLevel        2
Pollrate        0.1
TcRedundancy    2
MprCoverage    5
LoadPlugin "olsrd_jsoninfo.so.1.1"
{
        PlParam "Port" "8080"
}
LoadPlugin "olsrd_nameservice.so.0.4"
{
    PlParam "name" "pdmvpn<span style="color:red">X</span>"
    PlParam "suffix" ".olsr"
    PlParam "hosts-file" "/tmp/hosts.olsr"
}
LoadPlugin "olsrd_drophna.so.0.0.0"
{
}
 
=== Routing und Firewall ===
* apt-get install iproute iptables-persistent
* vim /etc/iproute2/rt_tables
110    pdmvpn
111    olsr
112    olsr-default
113    olsr-tunnel
* Forwarding aktivieren (wird nach Neustart aktiv)<br>vim /etc/sysctl.conf
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.ip_forward=1
* iptables chains anlegen
iptabels -N INFF
iptables -N FF
* iptables rules einrichten
iptables -A INPUT -i tap0 -j INFF
iptables -A INPUT -i n2n0 -j INFF
iptables -A INFF -p udp -m udp --dport 698 -j ACCEPT
iptables -A INFF -p icmp -j ACCEPT
iptables -A INFF -j LOG
iptables -A INFF -j DROP
iptables -A FORWARD -i tap0 -j FF
iptables -A FORWARD -i n2n0 -j FF
iptables -A FF -o tap0 -j ACCEPT
iptables -A FF -o n2n0 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 1195 -j ACCEPT
#iptables -A INPUT -p udp -m udp --dport 7654 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 7655 -j ACCEPT
* iptables speichern
iptables-save > /etc/iptables/rules.v4
 
=== Autostart script ===
#!/bin/bash
ip rule del prio 32000
ip rule del prio 100000
#killall supernode 2> /dev/null
#supernode -l 7654 > /var/log/supernode.log 2>&1 &
killall edge 2> /dev/null
N2N_KEY="***key***" edge -b -r -p 7655 -f -d n2n0 -c pdmvpn -u 99 -g 99 -m CA:FF:EE:BA:BE:0<span style="color:red">X</span> -a 172.22.250.<span style="color:red">X</span> -l monitor.freifunk-potsdam.de:7654
for dev in tap0 n2n0; do
    for prio in 1000 2000 3000 4000 5000; do
        ip rule del iif $dev prio $prio
    done
    ip rule add iif $dev prio 1000 table olsr
    ip rule add iif $dev prio 2000 table olsr-tunnel
    ip rule add iif $dev prio 3000 table olsr-default
    ip rule add iif $dev prio 4000 table pdmvpn
    ip rule add iif $dev prio 5000 unreachable
done
ip rule add prio 32000 table olsr
ip route flush table pdmvpn
ip route add 172.22.25<span style="color:red">X</span>.0/24 dev tap0 table pdmvpn
ip route add 172.22.250.0/24 dev n2n0 table pdmvpn
killall olsrd 2> /dev/null
/usr/local/sbin/olsrd -f /etc/olsrd/olsrd.conf


[[Kategorie:Technik]]
[[Kategorie:Technik]]
[[Kategorie:Netz]]
[[Kategorie:Netz]]
Seth0r
Orga, Bürokraten, Administratoren
792

Bearbeitungen

Abgerufen von „https://wiki.freifunk-potsdam.de/Spezial:Mobiler_Unterschied/8856