Freifunk:Mesh-VPN Gateway-Server einrichten

2015-02-14T20:30:27Z

Tobi042:

Unsere Gateways laufen auf Debian 7 Wheezy.

== Installation ==

Größtenteils egal, wichtig ist folgendes: Root bekommt kein Passwort, dadurch wird der Root-Login gesperrt und man muss sudo benutzen. Als zu installierende Paketgruppen nutzen wir Debian-Standardutilities und SSH-Server.

== SSH einrichten ==

* Einloggen:
*: <code>ssh user@gwX.saar.freifunk.de</code>
* <code>mkdir .ssh</code>
* <code>echo "dein_ssh_key" > .ssh/authorized_keys</code>
* <code>nano /etc/ssh/sshd_config</code>
*: Folgende Änderungen vornehmen:

<pre>...
PermitRootLogin no
...
PasswordAuthentication no
...</pre>

* Alte Session aktiv lassen, in neuem Terminal versuchen mit Public Key einzuloggen. Wenn nicht erfolgreich debuggen.
* <code>sudo service ssh restart</code>

== Überflüssige Pakete deinstallieren ==

Da wir eben etwas großzügig waren mit der Installation von Paketgruppen müssen wir jetzt exim und nfs-Kram deinstallieren:

* <code>sudo apt-get remove exim4* nfs-common rpcbind</code>

Als Resultat sollte bei Ausführung von "sudo netstat -tulpn" keine Programme außer sshd und vielleicht dhclient angezeigt werden.

== APT Sources hinzufügen ==

Wir benötigen die Sources für fastd und batman-adv:

* <code>nano /etc/apt/sources.list</code>
<pre>
deb http://security.debian.org/ wheezy/updates main contrib non-free
deb-src http://security.debian.org/ wheezy/updates main contrib non-free

# fastd
deb http://ftp.de.debian.org/debian wheezy-backports main
deb http://repo.universe-factory.net/debian/ sid main

# alfred
deb http://debian.draic.info/ wheezy main
deb-src http://debian.draic.info/ wheezy main

</pre>

* Schlüssel für repo importieren:
* <code>gpg --keyserver pgpkeys.mit.edu --recv-key B89033D8</code>
* <code>gpg -a --export B89033D8 | apt-key add -</code>
* <code>gpg --keyserver pgpkeys.mit.edu --recv-key 16EF3F64CB201D9C</code>
* <code>gpg -a --export 16EF3F64CB201D9C | apt-key add -</code>

== Pakete installieren ==
* <code>apt-get update</code>
* <code>apt-get install batctl batman-adv-dkms fastd bridge-utils</code>
* <code>echo "batman-adv" >> /etc/modules</code>

== Netzwerk Grundkonfiguration ==
=== Sysctl Einstellungen ===
* /etc/sysctl.conf
<pre>
# Freifunk specific settings
net.ipv4.ip_forward=1

net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0

net.ipv6.conf.all.forwarding=1

net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.eth0.autoconf = 0

net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.eth0.accept_ra = 0
</pre>
* Danach neu laden: <code>sysctl -p /etc/sysctl.conf</code>

=== Routing Tables erstellen ===
* /etc/iproute2/rt_tables (bisherige Einstellungen beibehalten und folgende hinzufügen)
<pre>
# freifunk
32 saar
33 lux
42 icvpn
</pre>

=== Netzwerkinterafaces einstellen ===
* /etc/network/interfaces (andere Interfaces nach der entsprechenden Konfiguration belassen)
<pre>
#
# FREIFUNK SAAR
#
auto saarBR
iface saarBR inet static
bridge_ports none
bridge_fd 0
bridge_maxwait 0
address 10.24.192.XXX
netmask 255.255.192.0
# be sure all incoming traffic is handled by the appropriate rt_table
post-up /sbin/ip rule add iif $IFACE table saar priority 3200
pre-down /sbin/ip rule del iif $IFACE table saar priority 3200
# default route is unreachable
post-up /sbin/ip route add unreachable default table saar
post-down /sbin/ip route del unreachable default table saar
# local reachable subnet saar for rt_table lux
post-up /sbin/ip route add 10.24.128.0/18 proto static dev $IFACE table lux
post-down /sbin/ip route del 10.24.128.0/18 proto static dev $IFACE table lux

iface saarBR inet6 static
address fd4e:f2d7:88d2:ffff::XXX
netmask 64
# be sure all incoming traffic is handled by the appropriate rt_table
post-up /sbin/ip -6 rule add iif $IFACE table saar priority 3200
pre-down /sbin/ip -6 rule del iif $IFACE table saar priority 3200
post-up /sbin/ip -6 route add fe80::/64 proto static dev $IFACE table saar
post-down /sbin/ip -6 route del fe80::/64 proto static dev $IFACE table saar
post-up /sbin/ip -6 route add fd4e:f2d7:88d2:ffff::/64 proto static dev $IFACE table saar
post-down /sbin/ip -6 route del fd4e:f2d7:88d2:ffff::/64 proto static dev $IFACE table saar
# ULA route mz for rt_table saar
post-up /sbin/ip -6 route add fd4e:f2d7:88d2:fffe::/64 proto static dev $IFACE table lux
post-down /sbin/ip -6 route del fd4e:f2d7:88d2:fffe::/64 proto static dev $IFACE table lux

allow-hotplug saarMESH
iface saarMESH inet6 manual
hwaddress ca:fe:ba:be:00:XXX
pre-up /sbin/modprobe batman_adv
post-up /usr/sbin/batctl -m saarBAT if add $IFACE
post-up /sbin/ip link set dev saarBAT up

allow-hotplug saarBAT
iface saarBAT inet6 manual
pre-up /sbin/modprobe batman-adv
post-up /sbin/brctl addif saarBR $IFACE
post-up /usr/sbin/batctl -m $IFACE it 10000
post-up /usr/sbin/batctl -m $IFACE vm server
post-up /usr/sbin/batctl -m $IFACE gw server 6mbit/6mbit
pre-down /sbin/brctl delif saarBR $IFACE || true

#
# FREIFUNK LUX
#
auto luxBR
iface luxBR inet static
bridge_ports none
bridge_fd 0
bridge_maxwait 0
address 10.24.128.XXX
netmask 255.255.192.0
# be sure all incoming traffic is handled by the appropriate rt_table
post-up /sbin/ip rule add iif $IFACE table lux priority 3300
pre-down /sbin/ip rule del iif $IFACE table lux priority 3300
# default route is unreachable
post-up /sbin/ip route add unreachable default table lux
post-down /sbin/ip route del unreachable default table lux
# local reachable subnet lux for rt_table saar
post-up /sbin/ip route add 10.24.192.0/18 proto static dev $IFACE table saar
post-down /sbin/ip route del 10.24.192.0/18 proto static dev $IFACE table saar

iface luxBR inet6 static
address fd4e:f2d7:88d2:fffe::XXX
netmask 64
# be sure all incoming traffic is handled by the appropriate rt_table
post-up /sbin/ip -6 rule add iif $IFACE table lux priority 3300
pre-down /sbin/ip -6 rule del iif $IFACE table lux priority 3300
post-up /sbin/ip -6 route add fe80::/64 proto static dev $IFACE table lux
post-down /sbin/ip -6 route del fe80::/64 proto static dev $IFACE table lux
post-up /sbin/ip -6 route add fd4e:f2d7:88d2:fffe::/64 proto static dev $IFACE table lux
post-down /sbin/ip -6 route del fd4e:f2d7:88d2:fffe::/64 proto static dev $IFACE table lux
# ULA route saar for rt_table lux
post-up /sbin/ip -6 route add fd4e:f2d7:88d2:ffff::/64 proto static dev $IFACE table saar
post-down /sbin/ip -6 route del fd4e:f2d7:88d2:ffff::/64 proto static dev $IFACE table saar

allow-hotplug luxMESH
iface luxMESH inet6 manual
hwaddress ca:fe:ba:be:01:XXX
pre-up /sbin/modprobe batman_adv
post-up /usr/sbin/batctl -m luxBAT if add $IFACE
post-up /sbin/ip link set dev luxBAT up

allow-hotplug luxBAT
iface luxBAT inet6 manual
pre-up /sbin/modprobe batman-adv
post-up /sbin/brctl addif luxBR $IFACE
post-up /usr/sbin/batctl -m $IFACE it 10000
post-up /usr/sbin/batctl -m $IFACE vm server
post-up /usr/sbin/batctl -m $IFACE gw server 6mbit/6mbit
pre-down /sbin/brctl delif luxBR $IFACE || true
</pre>
* Jedes Vorkommnis von XXX durch einen entsprechenden Wert aus dem Netzplan ersetzen, im Zweifel TobiT fragen

== Helfer-Skripte ==
Es gibt 2 Helferskripte, die eingerichtet werden müssen. check_gateway.sh prüft minütlich, ob das ExitVPN noch steht. autoupdate_fastd_peers updatet die fastd-peers alle 5 Minuten per git.
=== check_gateway.sh ===
* /usr/bin/check_gateway.sh:
<pre>
root@gw2:/etc/fastd/freifunk-lux# less /usr/bin/check_gateway.sh
#!/bin/bash
INTERFACE=tun0 # Set to name of VPN interface
DHCPSERVICE=dnsmasq # Name of DHCP service
BANDWIDTH=XXX # Server bandwidth
shopt -s nullglob

# Test whether gateway is connected to the outer world via VPN
ping -q -I $INTERFACE 8.8.8.8 -c 4 -i 1 -W 5 >/dev/null 2>&1

if test $? -eq 0; then
NEW_STATE=server
else
NEW_STATE=off
fi

# Iterate through network interfaces in sys file system
for MESH in /sys/class/net/*/mesh; do
# Check whether gateway modus needs to be changed
OLD_STATE="$(cat $MESH/gw_mode)"
[ "$OLD_STATE" == "$NEW_STATE" ] && continue
echo $NEW_STATE > $MESH/gw_mode
echo ${BANDWIDTH}MBit/${BANDWIDTH}MBit > $MESH/gw_bandwidth
logger "batman gateway mode changed to $NEW_STATE"

# Check whether gateway modus has been deactivated
if [ "$NEW_STATE" == "off" ]; then
# Shutdown DHCP server to prevent renewal of leases
/usr/sbin/service $DHCPSERVICE stop
fi

# Check whether gateway modus has been activated
if [ "$NEW_STATE" == "server" ]; then
# Restart DHCP server
/usr/sbin/service $DHCPSERVICE start
fi
exit 0
done

if [ "$NEW_STATE" == "server" ]; then
/usr/sbin/service $DHCPSERVICE status 2>&1> /dev/null
if [[ $? -ne 0 ]]
then
/usr/sbin/service $DHCPSERVICE restart
fi
fi
if [ "$NEW_STATE" == "off" ]; then
/usr/sbin/service $DHCPSERVICE status 2>&1> /dev/null
if [[ $? -eq 0 ]]
then
/usr/sbin/service $DHCPSERVICE stop
fi
fi
</pre>
* Ganz oben bei BANDWIDTH die Serverbandbreite in MBit/s einstellen, damit diese ordentlich via Batman announced werden kann.
* Speichern und mit <code>chmod +x /usr/bin/check_gateway.sh</code> ausführbar machen
=== autoupdate_fastd_keys.sh ===
* /usr/bin/autoupate_fastd_keys.sh:
<pre>

#!/bin/bash
# Simple script to update fastd peers from git upstream
# and only send HUP to fastd when changes happend.

# CONFIGURE THIS TO YOUR PEER DIRECTORY
FASTD_PEERS_ARRAY=( "freifunk-saar" "freifunk-lux")

function getCurrentVersion() {
# Get hash from latest revision
git log --format=format:%H -1
}

for FASTD_PEERS in "${FASTD_PEERS_ARRAY[@]}"
do
cd /etc/fastd/$FASTD_PEERS/peers

# Get current version hash
GIT_REVISION=$(getCurrentVersion)

# Automagically commit local changes
# This preserves local changes
git commit -m "CRON: auto commit"

# Pull latest changes from upstream
git fetch
git merge origin/master -m "Auto Merge"

# Get new version hash
GIT_NEW_REVISION=$(getCurrentVersion)

if [ $GIT_REVISION != $GIT_NEW_REVISION ]
then
# Version has changed we need to update
echo "Reload fastd peers"
kill -HUP $(cat /var/run/fastd.$FASTD_PEERS.pid)
fi
done
</pre>
* Auch dieses Skript ausführbar machen: <code>chmod +x /usr/bin/autoupdate_fastd_keys.sh</code>
=== Skripte in crontab eintragen ===
* In <code>sudo crontab -e</code> folgende Zeilen anhängen
<pre>
*/5 * * * * /usr/bin/autoupdate_fastd_keys.sh > /dev/null 2>&1
* * * * * /usr/bin/check_gateway.sh > /dev/null 2>&1
</pre>
== Fastd-Config ==
* <code>mkdir /etc/fastd/freifunk-{saar,lux}/</code>
* Config-Dateien anlegen und entsprechenden Inhalt reinkopieren: TODO Link zu Config-Repo einfügen
* Secret Keys aus den Repos besorgen und in secret.conf schreiben
* Neuen SSH-Key anlegen, als Deploy Key in die Gitlab-Projekte https://git.hacksaar.de/FreifunkSaar/mesh-vpn-peers und https://git.hacksaar.de/FreifunkSaar/mesh-vpn-peers-lux eintragen.
* Mesh-VPN-Peers-Verzeichnis als "peers" klonen: <code>git clone git@hacksaar.de:FreifunkSaar/mesh-vpn-peers.git peers</code> bzw <code>git clone git@hacksaar.de:FreifunkSaar/mesh-vpn-peers-lux.git peers</code> jeweils im entsprechende Verzeichnis
* Feuer!: <code>sudo service fastd start</code>

== DNS, DHCP und RA-Server ==
* Installieren: <code>apt-get install isc-dhcp-server bind9 radvd</code>
=== Domain Name Server ===
=== IPv4 Dynamic Host Configuration Protocol ===
* /etc/dhcp/dhcpd.conf: (Komplett ersetzen)
<pre>
ddns-update-style none;
default-lease-time 300;
max-lease-time 300;
authoritative;

log-facility local6;

subnet 10.24.192.0 netmask 255.255.192.0 {
range 10.24.XXX.0 10.24.XXX+3.255;
option routers 10.24.192.ZZZ;
option domain-name-servers 10.24.192.2, 10.24.192.3, 10.24.192.4;
option domain-search "ffsaar";
option ntp-servers 10.24.192.2, 10.24.192.3, 10.24.192.4;
}

subnet 10.24.128.0 netmask 255.255.192.0 {
range 10.24.YYY.0 10.24.YYY+3.255;
option routers 10.24.128.ZZZ;
option domain-name-servers 10.24.128.2, 10.24.128.3, 10.24.128.4;
option domain-search "fflux";
option ntp-servers 10.24.128.2, 10.24.128.3, 10.24.128.4;
}
</pre>
* XXX, XXX+3, YYY, YYY+3, ZZZ durch richtige Werte ersetzen
* /etc/default/isc-dhcp-server (Zeile INTERFACES ersetzen)
<pre>
INTERFACES="saarBR luxBR"
</pre>
* Neu starten: <code>service isc-dhcp-server restart</code>

=== IPv6 Router Advertisements ===

== To be continued... ==