Freifunk:Mesh-VPN Gateway-Server einrichten: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
| Zeile 355: | Zeile 355: | ||
== To be continued... == | == To be continued... == | ||
| + | * DNSmasq statt radvd, bind, isc-dhcp-server | ||
| + | * iptables NAT | ||
Version vom 21. Februar 2015, 04:26 Uhr
Unsere Gateways laufen auf Debian 7 Wheezy. Diese Anleitungen orientieren sich an anderen Freifunk-Communities, aber einen sehr nennenswerten Einfluss hat die geniale Dokumentation von Freifunk Mainz, Wiesbaden und Umgebung (http://gluon-gateway-doku.readthedocs.org/de/latest/) gehabt.
Installation
Größtenteils egal, wichtig ist folgendes: Root bekommt kein Passwort, dadurch wird der Root-Login gesperrt und man muss sudo benutzen. Als zu installierende Paketgruppen nutzen wir Debian-Standardutilities und SSH-Server.
SSH einrichten
- Einloggen:
ssh user@gwX.saar.freifunk.de
mkdir .sshecho "dein_ssh_key" > .ssh/authorized_keysnano /etc/ssh/sshd_config- Folgende Änderungen vornehmen:
... PermitRootLogin no ... PasswordAuthentication no ...
- Alte Session aktiv lassen, in neuem Terminal versuchen mit Public Key einzuloggen. Wenn nicht erfolgreich debuggen.
sudo service ssh restart
Überflüssige Pakete deinstallieren
Da wir eben etwas großzügig waren mit der Installation von Paketgruppen müssen wir jetzt exim und nfs-Kram deinstallieren:
sudo apt-get remove exim4* nfs-common rpcbind
Als Resultat sollte bei Ausführung von "sudo netstat -tulpn" keine Programme außer sshd und vielleicht dhclient angezeigt werden.
APT Sources hinzufügen
Wir benötigen die Sources für fastd und batman-adv:
nano /etc/apt/sources.list
deb http://security.debian.org/ wheezy/updates main contrib non-free deb-src http://security.debian.org/ wheezy/updates main contrib non-free # fastd deb http://ftp.de.debian.org/debian wheezy-backports main deb http://repo.universe-factory.net/debian/ sid main # alfred deb http://debian.draic.info/ wheezy main deb-src http://debian.draic.info/ wheezy main
- Schlüssel für repo importieren:
gpg --keyserver pgpkeys.mit.edu --recv-key B89033D8gpg -a --export B89033D8 | apt-key add -gpg --keyserver pgpkeys.mit.edu --recv-key 16EF3F64CB201D9Cgpg -a --export 16EF3F64CB201D9C | apt-key add -
Pakete installieren
apt-get updateapt-get install batctl batman-adv-dkms fastd bridge-utilsecho "batman-adv" >> /etc/modules
Netzwerk Grundkonfiguration
Sysctl Einstellungen
- /etc/sysctl.conf
# Freifunk specific settings net.ipv4.ip_forward=1 net.bridge.bridge-nf-call-arptables = 0 net.bridge.bridge-nf-call-ip6tables = 0 net.bridge.bridge-nf-call-iptables = 0 net.ipv6.conf.all.forwarding=1 net.ipv6.conf.all.autoconf = 0 net.ipv6.conf.default.autoconf = 0 net.ipv6.conf.eth0.autoconf = 0 net.ipv6.conf.all.accept_ra = 0 net.ipv6.conf.default.accept_ra = 0 net.ipv6.conf.eth0.accept_ra = 0
- Danach neu laden:
sysctl -p /etc/sysctl.conf
Routing Tables erstellen
- /etc/iproute2/rt_tables (bisherige Einstellungen beibehalten und folgende hinzufügen)
# freifunk 32 saar 33 lux 42 icvpn
Netzwerkinterafaces einstellen
- /etc/network/interfaces (andere Interfaces nach der entsprechenden Konfiguration belassen)
#
# FREIFUNK SAAR
#
auto saarBR
iface saarBR inet static
bridge_ports none
bridge_fd 0
bridge_maxwait 0
address 10.24.192.XXX
netmask 255.255.192.0
# be sure all incoming traffic is handled by the appropriate rt_table
post-up /sbin/ip rule add iif $IFACE table saar priority 3200
pre-down /sbin/ip rule del iif $IFACE table saar priority 3200
# default route is unreachable
post-up /sbin/ip route add unreachable default table saar
post-down /sbin/ip route del unreachable default table saar
# local reachable subnet saar for rt_table lux
post-up /sbin/ip route add 10.24.128.0/18 proto static dev $IFACE table lux
post-down /sbin/ip route del 10.24.128.0/18 proto static dev $IFACE table lux
iface saarBR inet6 static
address fd4e:f2d7:88d2:ffff::XXX
netmask 64
# be sure all incoming traffic is handled by the appropriate rt_table
post-up /sbin/ip -6 rule add iif $IFACE table saar priority 3200
pre-down /sbin/ip -6 rule del iif $IFACE table saar priority 3200
post-up /sbin/ip -6 route add fe80::/64 proto static dev $IFACE table saar
post-down /sbin/ip -6 route del fe80::/64 proto static dev $IFACE table saar
post-up /sbin/ip -6 route add fd4e:f2d7:88d2:ffff::/64 proto static dev $IFACE table saar
post-down /sbin/ip -6 route del fd4e:f2d7:88d2:ffff::/64 proto static dev $IFACE table saar
# ULA route mz for rt_table saar
post-up /sbin/ip -6 route add fd4e:f2d7:88d2:fffe::/64 proto static dev $IFACE table lux
post-down /sbin/ip -6 route del fd4e:f2d7:88d2:fffe::/64 proto static dev $IFACE table lux
allow-hotplug saarMESH
iface saarMESH inet6 manual
hwaddress ca:fe:ba:be:00:XXX
pre-up /sbin/modprobe batman_adv
post-up /usr/sbin/batctl -m saarBAT if add $IFACE
post-up /sbin/ip link set dev saarBAT up
allow-hotplug saarBAT
iface saarBAT inet6 manual
pre-up /sbin/modprobe batman-adv
post-up /sbin/brctl addif saarBR $IFACE
post-up /usr/sbin/batctl -m $IFACE it 10000
post-up /usr/sbin/batctl -m $IFACE vm server
post-up /usr/sbin/batctl -m $IFACE gw server 6mbit/6mbit
pre-down /sbin/brctl delif saarBR $IFACE || true
#
# FREIFUNK LUX
#
auto luxBR
iface luxBR inet static
bridge_ports none
bridge_fd 0
bridge_maxwait 0
address 10.24.128.XXX
netmask 255.255.192.0
# be sure all incoming traffic is handled by the appropriate rt_table
post-up /sbin/ip rule add iif $IFACE table lux priority 3300
pre-down /sbin/ip rule del iif $IFACE table lux priority 3300
# default route is unreachable
post-up /sbin/ip route add unreachable default table lux
post-down /sbin/ip route del unreachable default table lux
# local reachable subnet lux for rt_table saar
post-up /sbin/ip route add 10.24.192.0/18 proto static dev $IFACE table saar
post-down /sbin/ip route del 10.24.192.0/18 proto static dev $IFACE table saar
iface luxBR inet6 static
address fd4e:f2d7:88d2:fffe::XXX
netmask 64
# be sure all incoming traffic is handled by the appropriate rt_table
post-up /sbin/ip -6 rule add iif $IFACE table lux priority 3300
pre-down /sbin/ip -6 rule del iif $IFACE table lux priority 3300
post-up /sbin/ip -6 route add fe80::/64 proto static dev $IFACE table lux
post-down /sbin/ip -6 route del fe80::/64 proto static dev $IFACE table lux
post-up /sbin/ip -6 route add fd4e:f2d7:88d2:fffe::/64 proto static dev $IFACE table lux
post-down /sbin/ip -6 route del fd4e:f2d7:88d2:fffe::/64 proto static dev $IFACE table lux
# ULA route saar for rt_table lux
post-up /sbin/ip -6 route add fd4e:f2d7:88d2:ffff::/64 proto static dev $IFACE table saar
post-down /sbin/ip -6 route del fd4e:f2d7:88d2:ffff::/64 proto static dev $IFACE table saar
allow-hotplug luxMESH
iface luxMESH inet6 manual
hwaddress ca:fe:ba:be:01:XXX
pre-up /sbin/modprobe batman_adv
post-up /usr/sbin/batctl -m luxBAT if add $IFACE
post-up /sbin/ip link set dev luxBAT up
allow-hotplug luxBAT
iface luxBAT inet6 manual
pre-up /sbin/modprobe batman-adv
post-up /sbin/brctl addif luxBR $IFACE
post-up /usr/sbin/batctl -m $IFACE it 10000
post-up /usr/sbin/batctl -m $IFACE vm server
post-up /usr/sbin/batctl -m $IFACE gw server 6mbit/6mbit
pre-down /sbin/brctl delif luxBR $IFACE || true
- Jedes Vorkommnis von XXX durch einen entsprechenden Wert aus dem Netzplan ersetzen, im Zweifel TobiT fragen
Helfer-Skripte
Es gibt 2 Helferskripte, die eingerichtet werden müssen. check_gateway.sh prüft minütlich, ob das ExitVPN noch steht. autoupdate_fastd_peers updatet die fastd-peers alle 5 Minuten per git.
check_gateway.sh
- /usr/bin/check_gateway.sh:
root@gw2:/etc/fastd/freifunk-lux# less /usr/bin/check_gateway.sh
#!/bin/bash
INTERFACE=tun0 # Set to name of VPN interface
DHCPSERVICE=dnsmasq # Name of DHCP service
BANDWIDTH=XXX # Server bandwidth
shopt -s nullglob
# Test whether gateway is connected to the outer world via VPN
ping -q -I $INTERFACE 8.8.8.8 -c 4 -i 1 -W 5 >/dev/null 2>&1
if test $? -eq 0; then
NEW_STATE=server
else
NEW_STATE=off
fi
# Iterate through network interfaces in sys file system
for MESH in /sys/class/net/*/mesh; do
# Check whether gateway modus needs to be changed
OLD_STATE="$(cat $MESH/gw_mode)"
[ "$OLD_STATE" == "$NEW_STATE" ] && continue
echo $NEW_STATE > $MESH/gw_mode
echo ${BANDWIDTH}MBit/${BANDWIDTH}MBit > $MESH/gw_bandwidth
logger "batman gateway mode changed to $NEW_STATE"
# Check whether gateway modus has been deactivated
if [ "$NEW_STATE" == "off" ]; then
# Shutdown DHCP server to prevent renewal of leases
/usr/sbin/service $DHCPSERVICE stop
fi
# Check whether gateway modus has been activated
if [ "$NEW_STATE" == "server" ]; then
# Restart DHCP server
/usr/sbin/service $DHCPSERVICE start
fi
exit 0
done
if [ "$NEW_STATE" == "server" ]; then
/usr/sbin/service $DHCPSERVICE status 2>&1> /dev/null
if [[ $? -ne 0 ]]
then
/usr/sbin/service $DHCPSERVICE restart
fi
fi
if [ "$NEW_STATE" == "off" ]; then
/usr/sbin/service $DHCPSERVICE status 2>&1> /dev/null
if [[ $? -eq 0 ]]
then
/usr/sbin/service $DHCPSERVICE stop
fi
fi
- Ganz oben bei BANDWIDTH die Serverbandbreite in MBit/s einstellen, damit diese ordentlich via Batman announced werden kann.
- Speichern und mit
chmod +x /usr/bin/check_gateway.shausführbar machen
autoupdate_fastd_keys.sh
- /usr/bin/autoupate_fastd_keys.sh:
#!/bin/bash
# Simple script to update fastd peers from git upstream
# and only send HUP to fastd when changes happend.
# CONFIGURE THIS TO YOUR PEER DIRECTORY
FASTD_PEERS_ARRAY=( "freifunk-saar" "freifunk-lux")
function getCurrentVersion() {
# Get hash from latest revision
git log --format=format:%H -1
}
for FASTD_PEERS in "${FASTD_PEERS_ARRAY[@]}"
do
cd /etc/fastd/$FASTD_PEERS/peers
# Get current version hash
GIT_REVISION=$(getCurrentVersion)
# Automagically commit local changes
# This preserves local changes
git commit -m "CRON: auto commit"
# Pull latest changes from upstream
git fetch
git merge origin/master -m "Auto Merge"
# Get new version hash
GIT_NEW_REVISION=$(getCurrentVersion)
if [ $GIT_REVISION != $GIT_NEW_REVISION ]
then
# Version has changed we need to update
echo "Reload fastd peers"
kill -HUP $(cat /var/run/fastd.$FASTD_PEERS.pid)
fi
done
- Auch dieses Skript ausführbar machen:
chmod +x /usr/bin/autoupdate_fastd_keys.sh
Skripte in crontab eintragen
- In
sudo crontab -efolgende Zeilen anhängen
*/5 * * * * /usr/bin/autoupdate_fastd_keys.sh > /dev/null 2>&1 * * * * * /usr/bin/check_gateway.sh > /dev/null 2>&1
Fastd-Config
mkdir /etc/fastd/freifunk-{saar,lux}/- Config-Dateien anlegen und entsprechenden Inhalt reinkopieren: TODO Link zu Config-Repo einfügen
- Secret Keys aus den Repos besorgen und in secret.conf schreiben
- Neuen SSH-Key anlegen, als Deploy Key in die Gitlab-Projekte https://git.hacksaar.de/FreifunkSaar/mesh-vpn-peers und https://git.hacksaar.de/FreifunkSaar/mesh-vpn-peers-lux eintragen.
- Mesh-VPN-Peers-Verzeichnis als "peers" klonen:
git clone git@hacksaar.de:FreifunkSaar/mesh-vpn-peers.git peersbzwgit clone git@hacksaar.de:FreifunkSaar/mesh-vpn-peers-lux.git peersjeweils im entsprechende Verzeichnis - Feuer!:
sudo service fastd start
DNS, DHCP und RA-Server
- Installieren:
apt-get install isc-dhcp-server bind9 radvd
Domain Name Server
IPv4 Dynamic Host Configuration Protocol
- /etc/dhcp/dhcpd.conf: (Komplett ersetzen)
ddns-update-style none;
default-lease-time 300;
max-lease-time 300;
authoritative;
log-facility local6;
subnet 10.24.192.0 netmask 255.255.192.0 {
range 10.24.XXX.0 10.24.XXX+3.255;
option routers 10.24.192.ZZZ;
option domain-name-servers 10.24.192.2, 10.24.192.3, 10.24.192.4;
option domain-search "ffsaar";
option ntp-servers 10.24.192.2, 10.24.192.3, 10.24.192.4;
}
subnet 10.24.128.0 netmask 255.255.192.0 {
range 10.24.YYY.0 10.24.YYY+3.255;
option routers 10.24.128.ZZZ;
option domain-name-servers 10.24.128.2, 10.24.128.3, 10.24.128.4;
option domain-search "fflux";
option ntp-servers 10.24.128.2, 10.24.128.3, 10.24.128.4;
}
- XXX, XXX+3, YYY, YYY+3, ZZZ durch richtige Werte ersetzen
- /etc/default/isc-dhcp-server (Zeile INTERFACES ersetzen)
INTERFACES="saarBR luxBR"
- Neu starten:
service isc-dhcp-server restart
IPv6 Router Advertisements
To be continued...
- DNSmasq statt radvd, bind, isc-dhcp-server
- iptables NAT