
Revision 10 (Nico Schottelius, 01/23/2019 03:47 PM) → Revision 11/31 (Nico Schottelius, 01/23/2019 04:00 PM)

h1. The ungleich VPN infrastructure

{{toc}}

h2. Status

This document is *IN PRODUCTION*.

h2. Wireguard on vpn-2a0ae5c1.ungleich.ch

* Server: vpn-2a0ae5c1.ungleich.ch
* Port: 51820
* Requires a public key
* Client network: 2a0a:e5c1:100::/40
* Client network size: /48

h3. How to add a new customer connection

* Get the public key of the customer
* Edit dot-cdist/type/__ungleich_wireguard/manifest and add the new network definition at the end of the file
* Let the customer know their network

h3. Sample customer client configuration

* "Install wireguard":https://www.wireguard.com/install/
* Create your private key: @umask 077; wg genkey > privkey@
* Get your public key: @wg pubkey < privkey@
** You need to send this pubkey to ungleich (only the public key, never the private one)
* You will get your network definition after we have received your public key
* Create /etc/wireguard/wg0.conf

<pre>
[Interface]
PrivateKey = YOURKEYHERE
ListenPort = 51280

[Peer]
PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=
Endpoint = vpn-2a0ae5c1.ungleich.ch:51820
AllowedIPs = ::/0
</pre>

Commands for setting it up

<pre>
# Replace with the /48 you were assigned
MY_NET=2a0a:e5c1:XXXX::1/48

ip link add dev wg0 type wireguard
ip addr add $MY_NET dev wg0

# Configure the interface
wg setconf wg0 /etc/wireguard/wg0.conf

# Bring it up (the kernel rejects routes over an interface that is still down)
ip link set wg0 up

# Add routing: other client networks directly, everything else via the server
ip route add 2a0a:e5c1:100::/40 dev wg0
ip route add ::/0 via 2a0a:e5c1:100::1
</pre>

Debugging

* wg show (the peer should show a recent "latest handshake" and growing transfer counters)
* ping 2a0a:e5c1:100::1

h3. Sample server configuration

This is just for reference - as a client you don't need this configuration.

/etc/wireguard/wg0.conf:

<pre>
[Interface]
ListenPort = 51820
PrivateKey = SERVERKEYHERE

# Nico, 2019-01-23
[Peer]
PublicKey = kL1S/Ipq6NkFf1MAsNRou4b9VoUsnnb4ZxgiBrH0zA8=
AllowedIPs = 2a0a:e5c1:101::/48

# Customer networks below
# ...
</pre>
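Added example, not part of this page or of ungleich's cdist type: a small Python helper for the "add a new customer connection" step above. It validates the customer's public key (32 bytes, base64), reads the AllowedIPs already present in a server wg0.conf laid out like the sample, and picks the lowest free /48 inside 2a0a:e5c1:100::/40 so that no two peers get overlapping AllowedIPs. The function names and the rule that the server's own first /48 is never handed out are assumptions.

```python
import base64
import ipaddress
import re

# Values taken from the page: the client pool and the per-customer prefix length.
CLIENT_POOL = ipaddress.IPv6Network("2a0a:e5c1:100::/40")
CUSTOMER_PREFIXLEN = 48
# Assumption: the server sits in the first /48 (2a0a:e5c1:100::1), so never hand that out.
RESERVED = {next(CLIENT_POOL.subnets(new_prefix=CUSTOMER_PREFIXLEN))}
# Constructed sample server config in the page's layout (peer key copied from the page).
SAMPLE_SERVER_CONF = """\
[Interface]
ListenPort = 51820
PrivateKey = SERVERKEYHERE

# Nico, 2019-01-23
[Peer]
PublicKey = kL1S/Ipq6NkFf1MAsNRou4b9VoUsnnb4ZxgiBrH0zA8=
AllowedIPs = 2a0a:e5c1:101::/48
"""

def valid_pubkey(key: str) -> bool:
    """A WireGuard (Curve25519) public key is exactly 32 bytes, base64-encoded."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def allocated_networks(conf_text: str) -> set:
    """Collect every network already listed as AllowedIPs in a server wg0.conf."""
    nets = set()
    for match in re.finditer(r"^\s*AllowedIPs\s*=\s*(.+?)\s*$", conf_text, re.M):
        for item in match.group(1).split(","):
            nets.add(ipaddress.IPv6Network(item.strip(), strict=False))
    return nets

def next_free_network(used: set) -> ipaddress.IPv6Network:
    """Lowest /48 in the pool that overlaps neither the reserved nor an allocated range."""
    for candidate in CLIENT_POOL.subnets(new_prefix=CUSTOMER_PREFIXLEN):
        if not any(candidate.overlaps(n) for n in RESERVED | used):
            return candidate
    raise RuntimeError("client pool exhausted")

def peer_stanza(pubkey: str, conf_text: str, comment: str) -> str:
    """Validate the customer key, pick a free /48 and return the [Peer] block to append."""
    if not valid_pubkey(pubkey):
        raise ValueError("not a 32-byte base64 WireGuard public key")
    net = next_free_network(allocated_networks(conf_text))
    return f"# {comment}\n[Peer]\nPublicKey = {pubkey}\nAllowedIPs = {net}\n"
```

Append the returned stanza to the server wg0.conf (or the cdist manifest) and tell the customer the /48 it contains.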

Sample server rc.local:

<pre>
ip link add dev wg0 type wireguard
ip addr add 2a0a:e5c1:100::1/40 dev wg0
wg setconf wg0 /etc/wireguard/wg0.conf
ip link set wg0 up
</pre>

h2. OpenVPN on openvpn.ungleich.ch

* Server: openvpn.ungleich.ch
* Port: 1195
* Requires a certificate
* Address range: 2a0a:e5c0:3::/48
** Client networks are /64