Changed Readme

This commit is contained in:
Stefan Hoffmann 2022-05-09 12:27:42 +02:00
parent 150be2ac7c
commit d983feb729


@ -1,19 +1,41 @@
# Supernode mit direkter VPN Ausleitung # Supernode mit direkter VPN Ausleitung
Ausleitung über das FFRL Backbone.
Supernode Config:
- GRE-Tunnel zum FFRL Backbone
- VPN per Wireguard
- NAT auf VPN Routern
## Adressbereiche:
Supernode: 10.255.1.1/32
VPN01: 10.255.1.2/32, Client: 10.1.0.0/16
VPN02: 10.255.1.3/32, Client: 10.2.0.0/16
VPN03: 10.255.1.4/32, Client: 10.3.0.0/16
etc.
## ER-X Stock Firmware Config: ## ER-X Stock Firmware Config:
> Vor der Installation:
> - eth0 als DHCP Client
> - eth1-4 auf den Switch
> - Switch mit DHCP Server einrichten. Adressbereich aus Tabelle beachten!
## Install Wireguard
cd /tmp cd /tmp
curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
## Generate Keys
cd /config/auth cd /config/auth
wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public
cat wg.public cat wg.public
cat wg.key cat wg.key
######
## Config ER-X
configure configure
###### ## Wireguard
# Wireguard
set interfaces wireguard wg0 address 10.255.1.2/30 set interfaces wireguard wg0 address 10.255.1.2/30
set interfaces wireguard wg0 listen-port 51821 set interfaces wireguard wg0 listen-port 51821
set interfaces wireguard wg0 route-allowed-ips false set interfaces wireguard wg0 route-allowed-ips false
@ -21,50 +43,29 @@ set interfaces wireguard wg0 persistent-keepalive 25
set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 7.fftdf.de:42001 set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 7.fftdf.de:42001
set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0 set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0
set interfaces wireguard wg0 private-key /config/auth/wg.key set interfaces wireguard wg0 private-key /config/auth/wg.key
# Firewall for Wireguard ## Firewall for Wireguard
set firewall name WAN_LOCAL rule 20 action accept set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 protocol udp set firewall name WAN_LOCAL rule 20 protocol udp
set firewall name WAN_LOCAL rule 20 description 'WireGuard' set firewall name WAN_LOCAL rule 20 description 'WireGuard'
set firewall name WAN_LOCAL rule 20 destination port 51821 set firewall name WAN_LOCAL rule 20 destination port 51821
# Config WAN Interface
# delete interfaces ethernet eth0
# set interfaces ethernet eth0 address dhcp
# Config Client Interface
# set interfaces ethernet eth2 address 10.1.0.1/16
###### NAT Rules & DHCP
# configure
# set service dhcp-server disabled false
# set service dhcp-server shared-network-name Client authoritative enable
# set service dhcp-server shared-network-name Client subnet 10.1.0.0/16 default-router 10.1.0.1
# set service dhcp-server shared-network-name Client subnet 10.1.0.0/16 dns-server 1.1.1.1
# set service dhcp-server shared-network-name Client subnet 10.1.0.0/16 lease 86400
# set service dhcp-server shared-network-name Client subnet 10.1.0.0/16 start 10.1.1.1 stop 10.1.255.254
set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default' set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
set firewall group network-group LAN-VPN network 10.1.0.0/16 set firewall group network-group LAN-VPN network 10.1.0.0/16
set firewall group network-group RFC1918 network 10.0.0.0/8 set firewall group network-group RFC1918 network 10.0.0.0/8
set firewall group network-group RFC1918 network 172.16.0.0/12 set firewall group network-group RFC1918 network 172.16.0.0/12
set firewall group network-group RFC1918 network 192.168.0.0/16 set firewall group network-group RFC1918 network 192.168.0.0/16
set firewall group network-group RFC1918 network 169.254.0.0/16 set firewall group network-group RFC1918 network 169.254.0.0/16
set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1 set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
set firewall modify VPN_TDF7 rule 100 action modify set firewall modify VPN_TDF7 rule 100 action modify
set firewall modify VPN_TDF7 rule 100 description 'Route traffic from group LAN-VPN through VPN-TDF7 table' set firewall modify VPN_TDF7 rule 100 description 'Route traffic from group LAN-VPN through VPN-TDF7 table'
set firewall modify VPN_TDF7 rule 100 modify table 2 set firewall modify VPN_TDF7 rule 100 modify table 2
set firewall modify VPN_TDF7 rule 100 source group network-group LAN-VPN set firewall modify VPN_TDF7 rule 100 source group network-group LAN-VPN
set interfaces ethernet eth2 firewall in modify VPN_TDF7 set interfaces ethernet eth2 firewall in modify VPN_TDF7
set interfaces ethernet switch0 firewall in modify VPN_TDF7 set interfaces swtich switch0 firewall in modify VPN_TDF7
### nat ## NAT einrichten
set service nat rule 5010 description 'masquerade for VPN' set service nat rule 5010 description 'masquerade for VPN'
set service nat rule 5010 outbound-interface wg0 set service nat rule 5010 outbound-interface wg0
set service nat rule 5010 type masquerade set service nat rule 5010 type masquerade
set service nat rule 5010 protocol all set service nat rule 5010 protocol all
## Speichern
commit ; save commit ; save
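Review bot: The switch0 line in the policy-routing block, `set interfaces swtich switch0 firewall in modify VPN_TDF7`, misspells the `switch` keyword, so `configure` will reject it and the VPN_TDF7 modify rule is never attached to the switch — assuming the right-hand text is the new side; the left-hand `ethernet switch0` form is not the EdgeOS syntax for switch0 either, so the line should read `set interfaces switch switch0 firewall in modify VPN_TDF7`. WAN_LOCAL rule 20 accepts UDP 51821 from any source although this router only dials out to the supernode endpoint with a persistent keepalive; either drop the rule or narrow it with a `source address` matching the supernode so eth0 does not expose an open listener. Earlier in the README the key-generation step runs `cat wg.key`, which echoes the private key into the terminal and session logs, while only `wg.public` is needed on the supernode; consider removing that line and prefixing the generation with `umask 077` so `/config/auth/wg.key` is not created readable by other users.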