
Supernode with direct VPN egress

Egress via the FFRL backbone. Supernode config:

  • GRE tunnel to the FFRL backbone
  • VPN via WireGuard
  • NAT on the VPN routers

Address ranges:

Supernode: 10.255.1.1/32

  • VPN01: 10.255.1.2/32, client network 10.1.0.0/16
  • VPN02: 10.255.1.3/32, client network 10.2.0.0/16
  • VPN03: 10.255.1.4/32, client network 10.3.0.0/16
  • and so on: VPN router N gets 10.255.1.(N+1)/32 on the transfer network and 10.N.0.0/16 for its clients

ER-X stock firmware config:

Before installation:

  • eth0 as DHCP client
  • eth1-4 on the switch
  • Set up the switch with a DHCP server. Use the client network of this router from the table above!

Install WireGuard

cd /tmp
curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb

The package name encodes the board (e50 = ER-X), the firmware major version (v2) and the WireGuard module and tools versions; pick the release that matches the firmware actually running on the router. The package does not survive a firmware upgrade and has to be reinstalled afterwards.

Generate keys

cd /config/auth
wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public
cat wg.public
cat wg.key

Only wg.public is handed to the supernode operator (it becomes the peer key in the supernode's config). wg.key is the router's private key: it stays in /config/auth, is referenced by path in the WireGuard config below, and must never be pasted into tickets, chats or the supernode config. The final `cat wg.key` only shows it on the console; if you do not need to see it, skip that step.
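The key step above relies on the shell's default umask for the mode of wg.key. As an added example (not part of the original repo), the following script creates the pair with the private key 0600 from the start and sanity-checks a key string before it is pasted as a peer key; the directory /config/auth and the use of `wg` for generation are assumptions matching the page, the format rule (32 bytes base64, last payload character restricted to 16 values) is the WireGuard key encoding itself.

```shell
#!/bin/sh
# Added example, not from the original repo: safer WireGuard key handling on
# the ER-X. Generation needs `wg`; the two checks only need grep and stat.

# A WireGuard key is 32 bytes, base64-encoded: 43 payload characters plus one
# '=' pad. The 43rd character carries only 2 payload bits, so it must be one of
# the 16 base64 symbols whose low two bits are zero.
check_key_format() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# The private key file must be readable by its owner only.
check_key_perms() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Same result as the page's one-liner, but wg.key is created with umask 077 so
# it is never world-readable, and both files are verified before returning.
# $1 = directory, assumed to be /config/auth on the router.
wg_keygen_safe() {
    dir=${1:-/config/auth}
    command -v wg >/dev/null 2>&1 || { echo "wg not installed" >&2; return 1; }
    ( umask 077 && wg genkey > "$dir/wg.key" ) || return 1
    wg pubkey < "$dir/wg.key" > "$dir/wg.public" || return 1
    check_key_perms "$dir/wg.key" || { echo "$dir/wg.key is not 0600" >&2; return 1; }
    check_key_format "$(cat "$dir/wg.public")" || { echo "bad public key" >&2; return 1; }
    # Only the public key is printed; the private key stays in the file.
    cat "$dir/wg.public"
}

# Usage on the router:  sh wgkeys.sh gen            (creates /config/auth/wg.key + wg.public)
#                       sh wgkeys.sh check <key>    (validates a peer key before pasting it)
case "${1:-}" in
    gen)   wg_keygen_safe "${2:-/config/auth}" ;;
    check) check_key_format "${2:-}" && echo "key format ok" ;;
esac
```

Run `check` on the supernode's key before putting it into `set interfaces wireguard wg0 peer ...`: a key with a stray character or a missing `=` commits fine on EdgeOS but never produces a handshake.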

ER-X config

Enter configuration mode:

configure

WireGuard

set interfaces wireguard wg0 address 10.255.1.2/24
set interfaces wireguard wg0 address fd80:3ea2:e399:203a::2/64
set interfaces wireguard wg0 listen-port 51821
set interfaces wireguard wg0 route-allowed-ips false
set interfaces wireguard wg0 persistent-keepalive 25
set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 7.fftdf.de:42001
set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0
set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips ::0/0
set interfaces wireguard wg0 private-key /config/auth/wg.key

The addresses shown are VPN01's; use the ones from the table for the router you are setting up. The /24 and /64 on wg0 put the whole transfer network on-link, so the supernode at 10.255.1.1 and fd80:3ea2:e399:203a::1 can be used as a next-hop in the routing table below. The peer key is the supernode's public key. allowed-ips 0.0.0.0/0 and ::0/0 allow any destination to be sent through (and any source to be received from) the tunnel; route-allowed-ips false stops WireGuard from installing those as default routes, because which traffic uses the tunnel is decided by the policy routing below, not by the main routing table. persistent-keepalive 25 keeps the UDP mapping towards the endpoint alive when the router's eth0 sits behind NAT.

Firewall and policy routing for WireGuard

set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 protocol udp
set firewall name WAN_LOCAL rule 20 description 'WireGuard'
set firewall name WAN_LOCAL rule 20 destination port 51821
set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
set firewall group network-group LAN-VPN network 10.1.0.0/16
set firewall group ipv6-network-group IPv6-VPN ipv6-network 2a03:2260:121:7001::/64
set firewall group network-group RFC1918 network 10.0.0.0/8
set firewall group network-group RFC1918 network 172.16.0.0/12
set firewall group network-group RFC1918 network 192.168.0.0/16
set firewall group network-group RFC1918 network 169.254.0.0/16
set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
set protocols static table 2 route6 ::/0 next-hop fd80:3ea2:e399:203a::1
set firewall modify VPN_TDF7 rule 100 action modify
set firewall modify VPN_TDF7 rule 100 description 'Route traffic from group LAN-VPN through VPN-TDF7 table'
set firewall modify VPN_TDF7 rule 100 modify table 2
set firewall modify VPN_TDF7 rule 100 source group network-group LAN-VPN
set firewall ipv6-modify IPv6-VPN_TDF7 rule 100 action modify
set firewall ipv6-modify IPv6-VPN_TDF7 rule 100 description 'Route traffic from group IPv6-VPN through IPv6-VPN-TDF7 table'
set firewall ipv6-modify IPv6-VPN_TDF7 rule 100 modify table 2
set firewall ipv6-modify IPv6-VPN_TDF7 rule 100 source group ipv6-network-group IPv6-VPN
set interfaces switch switch0 firewall in modify VPN_TDF7
set interfaces switch switch0 firewall in modify IPv6-VPN_TDF7

Rule 20 accepts inbound WireGuard on UDP 51821 in WAN_LOCAL, the ruleset the stock wizard applies to traffic from eth0 to the router itself. WireGuard silently drops packets that do not authenticate, but the rule can still be narrowed to the supernode's source address if that address is static. LAN-VPN (IPv4) and IPv6-VPN (IPv6) hold this router's client networks (again VPN01's values; adjust per router). The two modify rulesets, applied to traffic arriving on switch0, send packets from those sources to routing table 2, whose only entries are default routes via the supernode over wg0; everything else keeps using the main table and leaves via eth0. The RFC1918 group is defined here but not referenced by any rule in this config, and 169.254.0.0/16 is link-local space (RFC 3927), not RFC 1918.

Set up NAT

set service nat rule 5010 description 'masquerade for VPN'
set service nat rule 5010 outbound-interface wg0
set service nat rule 5010 type masquerade
set service nat rule 5010 protocol all

IPv4 client traffic from 10.1.0.0/16 leaves wg0 with the router's transfer address 10.255.1.2 as source, so the supernode only needs to know the /32 per VPN router from the table, not the client networks (this is the "NAT on the VPN routers" from the overview). EdgeOS `service nat` masquerade covers IPv4 only: IPv6 clients use their public prefix 2a03:2260:121:7001::/64 untranslated, so the supernode has to route that prefix back to this router.

Save

commit ; save