diff --git a/readme.md b/readme.md
index 41713ed..e68915f 100644
--- a/readme.md
+++ b/readme.md
@@ -1,70 +1,71 @@
 # Supernode mit direkter VPN Ausleitung
+Ausleitung über das FFRL Backbone.
+Supernode Config:
+- GRE-Tunnel zum FFRL Backbone
+- VPN per Wireguard
+- NAT auf VPN Routern
+
+## Adressbereiche:
+
+Supernode: 10.255.1.1/32
+
+VPN01: 10.255.1.2/32, Client: 10.1.0.0/16
+VPN02: 10.255.1.3/32, Client: 10.2.0.0/16
+VPN03: 10.255.1.4/32, Client: 10.3.0.0/16
+etc.
+
 ## ER-X Stock Firmware Config:
+> Vor der Installation:
+> - eth0 als DHCP Client
+> - eth1-4 auf den Switch
+> - Switch mit DHCP Server einrichten. Adressbereich aus Tabelle beachten!
+
+## Install Wireguard
 cd /tmp
 curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
 sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
-cd /config/auth
-wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public
-cat wg.public
-cat wg.key
-######
-configure
-######
-# Wireguard
-set interfaces wireguard wg0 address 10.255.1.2/30
-set interfaces wireguard wg0 listen-port 51821
-set interfaces wireguard wg0 route-allowed-ips false
-set interfaces wireguard wg0 persistent-keepalive 25
-set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 7.fftdf.de:42001
-set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0
-set interfaces wireguard wg0 private-key /config/auth/wg.key
-# Firewall for Wireguard
-set firewall name WAN_LOCAL rule 20 action accept
-set firewall name WAN_LOCAL rule 20 protocol udp
-set firewall name WAN_LOCAL rule 20 description 'WireGuard'
-set firewall name WAN_LOCAL rule 20 destination port 51821
+## Generate Keys
+ cd /config/auth
+ wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public
+ cat wg.public
+ cat wg.key
-# Config WAN Interface
-# delete interfaces ethernet eth0
-# set interfaces ethernet eth0 address dhcp
+## Config ER-X
+ configure
+## Wireguard
+ set interfaces wireguard wg0 address 10.255.1.2/30
+ set interfaces wireguard wg0 listen-port 51821
+ set interfaces wireguard wg0 route-allowed-ips false
+ set interfaces wireguard wg0 persistent-keepalive 25
+ set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 7.fftdf.de:42001
+ set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0
+ set interfaces wireguard wg0 private-key /config/auth/wg.key
+## Firewall for Wireguard
+ set firewall name WAN_LOCAL rule 20 action accept
+ set firewall name WAN_LOCAL rule 20 protocol udp
+ set firewall name WAN_LOCAL rule 20 description 'WireGuard'
+ set firewall name WAN_LOCAL rule 20 destination port 51821
+ set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
+ set firewall group network-group LAN-VPN network 10.1.0.0/16
+ set firewall group network-group RFC1918 network 10.0.0.0/8
+ set firewall group network-group RFC1918 network 172.16.0.0/12
+ set firewall group network-group RFC1918 network 192.168.0.0/16
+ set firewall group network-group RFC1918 network 169.254.0.0/16
+ set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
+ set firewall modify VPN_TDF7 rule 100 action modify
+ set firewall modify VPN_TDF7 rule 100 description 'Route traffic from group LAN-VPN through VPN-TDF7 table'
+ set firewall modify VPN_TDF7 rule 100 modify table 2
+ set firewall modify VPN_TDF7 rule 100 source group network-group LAN-VPN
+ set interfaces ethernet eth2 firewall in modify VPN_TDF7
+ set interfaces swtich switch0 firewall in modify VPN_TDF7
+## NAT einrichten
+ set service nat rule 5010 description 'masquerade for VPN'
+ set service nat rule 5010 outbound-interface wg0
+ set service nat rule 5010 type masquerade
+ set service nat rule 5010 protocol all
-# Config Client Interface
-# set interfaces ethernet eth2 address 10.1.0.1/16
-###### NAT Rules & DHCP
-# configure
-# set service dhcp-server disabled false
-# set service dhcp-server shared-network-name Client authoritative enable
-# set service dhcp-server shared-network-name Client subnet 10.1.0.0/16 default-router 10.1.0.1
-# set service dhcp-server shared-network-name Client subnet 10.1.0.0/16 dns-server 1.1.1.1
-# set service dhcp-server shared-network-name Client subnet 10.1.0.0/16 lease 86400
-# set service dhcp-server shared-network-name Client subnet 10.1.0.0/16 start 10.1.1.1 stop 10.1.255.254
-
-
-set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
-set firewall group network-group LAN-VPN network 10.1.0.0/16
-
-set firewall group network-group RFC1918 network 10.0.0.0/8
-set firewall group network-group RFC1918 network 172.16.0.0/12
-set firewall group network-group RFC1918 network 192.168.0.0/16
-set firewall group network-group RFC1918 network 169.254.0.0/16
-
-set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
-
-set firewall modify VPN_TDF7 rule 100 action modify
-set firewall modify VPN_TDF7 rule 100 description 'Route traffic from group LAN-VPN through VPN-TDF7 table'
-set firewall modify VPN_TDF7 rule 100 modify table 2
-set firewall modify VPN_TDF7 rule 100 source group network-group LAN-VPN
-
-set interfaces ethernet eth2 firewall in modify VPN_TDF7
-set interfaces ethernet switch0 firewall in modify VPN_TDF7
-### nat
-set service nat rule 5010 description 'masquerade for VPN'
-set service nat rule 5010 outbound-interface wg0
-set service nat rule 5010 type masquerade
-set service nat rule 5010 protocol all
-
-
-commit ; save
+## Speichern
+ commit ; save
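Review bot: The added line `set interfaces swtich switch0 firewall in modify VPN_TDF7` at the end of the Firewall block misspells the node, so EdgeOS rejects the `set` as an invalid path and the policy route is never attached to the switch; since the new pre-install notes put eth1-4 on the switch, the client LAN arrives on switch0 and the eth2 rule alone does not cover it, so it should read `set interfaces switch switch0 firewall in modify VPN_TDF7` (the removed `ethernet switch0` form was wrong too). The new Adressbereiche table gives the VPN router 10.255.1.2/32 and the supernode 10.255.1.1/32, while the wg0 address below stays `10.255.1.2/30` and the table-2 default route points at 10.255.1.1; one of the two should be corrected, because with a /32 on wg0 the next-hop is presumably no longer on-link. The `RFC1918` network-group is defined but referenced by no rule, so everything from LAN-VPN, including traffic to private destinations, is forced through table 2; if it is meant as an exclusion, a lower-numbered rule with `set firewall modify VPN_TDF7 rule 10 destination group network-group RFC1918`, `set firewall modify VPN_TDF7 rule 10 action modify` and `set firewall modify VPN_TDF7 rule 10 modify table main` is still missing. The `cat wg.key` step under Generate Keys prints the private key to the terminal although only `wg.public` has to be handed to the supernode; I would drop that line or add a comment that the private key stays on the router.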