
Gateway04

/etc/apt/sources.list

# fastd repo (Debian "sid" on a wheezy system — pin it in /etc/apt/preferences so that only fastd is taken from here)
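deb http://repo.universe-factory.net/debian/ sid main
# NOTE: a "sid" line on a wheezy box means a plain "apt-get upgrade" will pull
# any package that repo publishes at its sid version; pin the repo
# (apt_preferences) so that only fastd comes from it. Both repos are plain http,
# so package integrity rests entirely on the apt signing keys.
# wheezy backports
deb http://ftp.de.debian.org/debian/ wheezy-backports main contrib non-free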

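 # Fetch the signing key for repo.universe-factory.net. The keyserver is
 # untrusted and a key id alone proves nothing (anyone can upload a key with
 # any user id), so before handing the key to apt compare the FULL fingerprint
 # with the one the repo operator publishes out of band — apt will trust every
 # package signed by this key from now on.
 gpg --keyserver pgpkeys.mit.edu --recv-key 16EF3F64CB201D9C
 gpg --fingerprint 16EF3F64CB201D9C   # compare by hand against the published fingerprint
 # Only after the fingerprint matches: install the key as its own keyring under
 # /etc/apt/trusted.gpg.d/ (binary, not armored) instead of "apt-key add -",
 # so it can be listed and removed on its own later.
 gpg --export 16EF3F64CB201D9C > /etc/apt/trusted.gpg.d/universe-factory.gpg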

# Refresh package lists, upgrade, then install the gateway's tool set.
# NOTE: both isc-dhcp-server and dnsmasq are installed; make sure only one of
# them hands out DHCP leases on br-ffh (dnsmasq is used for DNS here, see the
# /etc/dnsmasq.d files copied in below).
apt-get update && apt-get upgrade
apt-get install \
  git bridge-utils iptables-persistent \
  batctl batman-adv-dkms fastd \
  isc-dhcp-server radvd dnsmasq openvpn

/etc/modules

 batman-adv
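 # config dir for the mesh VPN instance; -p makes this step re-runnable
 mkdir -p /etc/fastd/ffh-mesh-vpn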

/etc/fastd/ffh-mesh-vpn/fastd.conf

# fastd instance for the mesh VPN towards the other gateways ("backbone").
# "debug" is very chatty and writes per-peer handshake detail to syslog;
# switch to "info" (or "warn") once the gateway works, debug is only useful while troubleshooting.
log to syslog level debug;
interface "ffh-mesh-vpn";
# authenticated encryption; the peers must offer a common method
method "salsa2012+umac"; 
# UDP 10000 on all IPv4 addresses. There is no INPUT filtering on this gateway
# (see /etc/iptables/rules.v4), so this port is reachable from the uplink — which
# is what a VPN endpoint needs; only the peers configured below are accepted.
bind 0.0.0.0:10000;
# keep peer IP/MAC addresses out of the log output
hide ip addresses yes;
hide mac addresses yes;
# this gateway's private key (secret "..."); root-only file (0600), never in git
include "secret.conf";
mtu 1426;
# every file in "backbone" is one peer; that dir is a git clone refreshed from
# cron (see below), so whoever controls that repo controls who may join the mesh VPN
include peers from "backbone";
# bring up bat0 (which in turn brings up br-ffh) once the VPN interface exists.
# NOTE(review): the 5th MAC octet (28) looks like this gateway's number (XX elsewhere) — confirm.
on up "
 ifup bat0
 ip link set address 88:E6:40:20:28:01 up dev $INTERFACE
";

/etc/fastd/ffh-mesh-vpn/secret.conf (not shown: it contains the `secret "…";` line with this gateway's private key — keep it root-only, mode 0600, and out of the git repos cloned below)

/etc/network/interfaces

Replace every XX below with this gateway's number (the same value is used in the IPv4 address 10.2.XX.1, the IPv6 address fdca:ffee:8::XX01 and the bat0 MAC address).

# ffh interfaces

# it's important that we do not have "auto br-ffh": the bridge is brought up from bat0's post-up (and bat0 from fastd's "on up" hook), not at boot
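iface br-ffh inet6 static
    bridge-ports none
    address fdca:ffee:8::XX01
    netmask 64
    # add bat0 to the bridge before the interface is taken up so the bridge
    # takes bat0's MAC: the IPv6 link-local address is derived from the MAC when
    # the interface comes up and is not recomputed if the MAC changes later
    # (prevents a mismatch between the ipv6-ll-addr and the MAC).
    # "brctl addbr" errors out if br-ffh already exists (it is also created by
    # hand further down this page) and a failing pre-up aborts ifup, so only
    # create the bridge when it is missing.
    pre-up [ -d /sys/class/net/$IFACE ] || brctl addbr $IFACE
    pre-up brctl addif $IFACE bat0

iface br-ffh inet static
    address 10.2.XX.1
    netmask 255.255.0.0

# bat0 is not "auto" either: fastd's "on up" hook runs "ifup bat0" once the
# mesh VPN interface exists, and bat0's post-up then brings up br-ffh.
allow-hotplug bat0
iface bat0 inet6 manual
    pre-up modprobe batman-adv
    pre-up batctl if add ffh-mesh-vpn
    up ip link set $IFACE up
    # set the MAC before br-ffh is brought up (see above)
    post-up ip link set $IFACE addr 88:e6:40:21:XX:01
    post-up ifup br-ffh
    post-up batctl it 10000
    # policy routing for mesh clients: packets marked 0x1 (everything entering
    # via br-ffh, see /etc/iptables/rules.v4) use table 42, which only carries
    # the icvpn routes below plus the "unreachable default" from /etc/rc.local
    post-up /sbin/ip rule add from all fwmark 0x1 table 42
    post-up ip route add 10.0.0.0/8 via 10.2.207.1 dev br-ffh table 42 # icvpn
    post-up ip route add 172.16.0.0/12 via 10.2.207.1 dev br-ffh table 42 # icvpn
    # NOTE(review): this IPv6 default goes into the main table (this page shows
    # no IPv6 fwmark/table-42 setup), i.e. the gateway's own IPv6 default
    # traffic, not just the clients', goes via icvpn — verify that is intended.
    post-up ip -6 route add default via fdca:ffee:8:0:5054:ff:fe21:2fff dev br-ffh # icvpn
    pre-down ip route del 10.0.0.0/8 via 10.2.207.1 dev br-ffh table 42 # icvpn
    pre-down ip route del 172.16.0.0/12 via 10.2.207.1 dev br-ffh table 42 # icvpn
    pre-down ip -6 route del default via fdca:ffee:8:0:5054:ff:fe21:2fff dev br-ffh # icvpn
    pre-down brctl delif br-ffh $IFACE || true
    pre-down /sbin/ip rule del from all fwmark 0x1 table 42
    down ip link set $IFACE down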

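cd /etc/fastd/ffh-mesh-vpn/
# All of these repos live on a bare-IP SSH git server. The backbone/peers files
# decide who may join the mesh VPN and /root/bin is executed by root from cron
# (see below), so that server is a root-equivalent trust anchor for this gateway:
#  - pin its SSH host key: put the fingerprint you obtained out of band into
#    /root/.ssh/known_hosts and refuse unknown keys instead of accepting the
#    key on first use (the ssh config below makes git fail closed);
#  - use a read-only deploy key on the server side;
#  - read what the scripts in bin.git do before letting cron run them as root.
cat >> /root/.ssh/config <<'EOF'
Host 217.14.119.158
    StrictHostKeyChecking yes
EOF
git clone git@217.14.119.158:backbone.git backbone
git clone git@217.14.119.158:peers.git peers
git clone git@217.14.119.158:bin.git /root/bin
chmod +x /root/bin/*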

crontab -e
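 # All three scripts come from bin.git (cloned above) and run as root. Their
 # output was discarded, so a broken peer update or gateway check went unnoticed;
 # send it to syslog instead.
 */5 * * * * /root/bin/autoupdate_peers.sh 2>&1 | logger -t autoupdate_peers
 */5 * * * * /root/bin/autoupdate_backbone.sh 2>&1 | logger -t autoupdate_backbone
 * * * * * /root/bin/check_gateway 2>&1 | logger -t check_gateway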

bridge-Schnittstelle hochfahren

 $ brctl addbr br-ffh

 $ ifup br-ffh

B.A.T.M.A.N. kernel-Modul laden

 $ modprobe batman-adv

fastd starten

 $ service fastd start

/etc/dhcp/dhcpd.conf

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
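ddns-update-style none;

# option definitions common to all supported networks…
option domain-name ".ffh";

default-lease-time 600;
max-lease-time 3600;

log-facility local7;

subnet 10.2.0.0 netmask 255.255.0.0 {
   authoritative;
   # this gateway's slice of the /16
   range 10.2.40.2 10.2.49.254;

   # Resolvers and default gateway handed to mesh clients.
   # NOTE(review): the previous comment named srv01 (10.112.1.1) and
   # gw01 (10.112.14.1), which does not match the addresses below — verify
   # which resolvers are intended. 10.2.40.1 must be this gateway's own br-ffh
   # address (10.2.XX.1 in /etc/network/interfaces); elsewhere on this page XX
   # appears to be 28 (fdca:ffee:8::2801, MAC …:28:01), so double-check 40 vs 28.
   option domain-name-servers 10.2.40.1, 10.2.20.1, 10.2.30.1;
   option routers 10.2.40.1;
}
include "/etc/dhcp/static.conf";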

# dnsmasq config fragments are maintained in dns.git on the same server as the
# peer lists; dnsmasq reads everything in /etc/dnsmasq.d as root-level config,
# so the same trust consideration as for bin.git applies.
git clone git@217.14.119.158:dns.git /root/dns
cp -- /root/dns/general /root/dns/rules /etc/dnsmasq.d/

/etc/radvd.conf

# Router advertisements only on the client-facing bridge, never on the uplink.
interface br-ffh
{    
 AdvSendAdvert on;
 MaxRtrAdvInterval 200;
 # clients autoconfigure (SLAAC) out of the mesh ULA /64
 prefix fdca:ffee:8::/64 {
 };
 # recursive DNS server announced to clients; should be this gateway's own
 # br-ffh address (fdca:ffee:8::XX01 — i.e. XX=28 here, see "Replace XX" above)
 RDNSS fdca:ffee:8::2801 {
 };
};

/etc/sysctl.conf

 # Make this host route between br-ffh, the VPN tunnel(s) and the uplink.
 # Forwarding is not restricted anywhere else: /etc/iptables/rules.v4 has
 # policy ACCEPT on FORWARD with no rules, so what mesh clients can reach is
 # decided by the fwmark/table-42 policy routing alone.
 net.ipv4.ip_forward=1
 # NOTE(review): with all.forwarding=1 the kernel stops honouring router
 # advertisements on every interface unless accept_ra=2 is set — only relevant
 # if the uplink gets its IPv6 default route via SLAAC.
 net.ipv6.conf.all.forwarding = 1

sysctl -p /etc/sysctl.conf

/etc/openvpn/mullvad/mullvad-up

#!/bin/bash

# OpenVPN "up" script: runs as root once the tunnel is established. It only
# restarts dnsmasq; it does not touch routes or resolv.conf. The unconditional
# "exit 0" keeps a failed dnsmasq restart from tearing the tunnel down.
/usr/sbin/service dnsmasq restart
exit 0

chmod +x /etc/openvpn/mullvad/mullvad-up

/etc/openvpn/mullvad.conf

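client

dev-type tun
dev mullvad

proto udp
# proto tcp

remote openvpn.mullvad.net 1194
# remote openvpn.mullvad.net 443
# remote openvpn.mullvad.net 53
remote se.mullvad.net # Servers in Sweden
remote nl.mullvad.net # Servers in the Netherlands

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Try to preserve some state across restarts.
persist-key
persist-tun

# Enable compression on the VPN link.
# NOTE(review): compression on a tunnel carrying untrusted client traffic
# exposes it to compression-oracle attacks (VORACLE); keep this only if the
# server side insists on it (both ends must agree), otherwise drop it.
comp-lzo

# Set log file verbosity.
verb 3

# Only accept a server certificate that carries the TLS server EKU/nsCertType —
# this is what stops another Mullvad *client* certificate from posing as the server.
remote-cert-tls server

ping-restart 60

# Allow calling of built-in executables and user-defined scripts.
# Needed for the "up" script below; scripts run as root with the tunnel environment.
script-security 2

# Do not let OpenVPN install any routes (presumably so the pushed default route
# does not replace the gateway's own uplink route). Mesh traffic reaches the
# tunnel via the fwmark/table-42 policy routing, so a default route in table 42
# pointing at "mullvad" has to be added by something else — presumably
# /root/bin/check_gateway, which is not shown on this page.
route-noexec
# restarts dnsmasq once the tunnel is up (it does not parse DHCP options or touch resolv.conf)
up    /etc/openvpn/mullvad/mullvad-up

ping 10

# Client credentials. mullvad.key must be readable by root only (chmod 600).
ca /etc/openvpn/mullvad/ca.crt
cert /etc/openvpn/mullvad/mullvad.crt
key /etc/openvpn/mullvad/mullvad.key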

$ vim /etc/rc.local

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

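# Policy routing for mesh traffic: /etc/iptables/rules.v4 marks everything that
# enters via br-ffh with 0x1, and the rule below sends marked packets to table
# 42. Table 42 starts out with only an "unreachable" default, so mesh clients
# cannot leave through the gateway's own uplink (kill-switch); a usable default
# route for table 42 via the VPN tunnel has to be added elsewhere — OpenVPN runs
# with route-noexec, so presumably /root/bin/check_gateway does it (not shown
# on this page). "replace" keeps this idempotent: with "sh -e", an "add" that
# hits an existing route would abort the script.
/sbin/ip route replace unreachable default table 42
/sbin/ip rule add from all fwmark 0x1 table 42
exit 0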

$ vim /etc/iptables/rules.v4

# Generated by iptables-save v1.4.14 on Sun Mar 24 14:14:50 2013
*filter
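# filter table: all policies ACCEPT and not a single rule, i.e. every listener
# on this gateway (fastd udp/10000, dhcpd, dnsmasq and anything else that is
# running) is reachable from the mesh and from the public uplink alike, and the
# box forwards between all of its interfaces unconditionally (ip_forward=1).
# What keeps mesh traffic off the raw uplink is only the fwmark/table-42
# policy routing (mangle table below, /etc/rc.local), not a firewall rule.
# Before exposing this gateway, restrict FORWARD to br-ffh <-> the VPN
# interfaces and limit INPUT from the uplink to the services that must be public.
:INPUT ACCEPT [273:40363]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [194:28568]
COMMIT
# Completed on Mon Mar 25 19:41:40 2013
# Generated by iptables-save v1.4.14 on Mon Mar 25 19:41:40 2013
*mangle
:PREROUTING ACCEPT [286:41734]
:INPUT ACCEPT [273:40363]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [194:28568]
:POSTROUTING ACCEPT [194:28568]
# every packet entering via br-ffh is marked 0x1 -> routed via table 42
# (see the "ip rule ... fwmark 0x1 table 42" in /etc/rc.local and /etc/network/interfaces)
-A PREROUTING -i br-ffh -j MARK --set-xmark 0x1/0xffffffff
COMMIT
# Completed on Mon Mar 25 19:41:40 2013
# Generated by iptables-save v1.4.14 on Mon Mar 25 19:41:40 2013
*nat
:PREROUTING ACCEPT [15:1459]
:INPUT ACCEPT [2:88]
:OUTPUT ACCEPT [1:74]
:POSTROUTING ACCEPT [1:74]
# NAT mesh traffic leaving through the Mullvad tunnel.
# NOTE(review): "internetz-me" is not defined anywhere on this page (a second
# tunnel/uplink from another config?) — verify it is still in use.
-A POSTROUTING -o mullvad -j MASQUERADE
-A POSTROUTING -o internetz-me -j MASQUERADE
COMMIT
# Completed on Mon Mar 25 19:41:40 2013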

/etc/init.d/iptables-persistent start