Nico Schottelius, 01/25/2019 11:03 PM


The ungleich VPN infrastructure

Status

This document is IN PRODUCTION.

Security of IPv6 vs. NAT

A quick reminder: whether you are using private RFC1918 IPv4 addresses or IPv6 addresses, if you don't want people to access your network, you need to configure a firewall.

Wireguard on vpn-2a0ae5c1.ungleich.ch

  • Server: vpn-2a0ae5c1.ungleich.ch
  • Port: 51820
  • Requires a public key
  • Client network: 2a0a:e5c1:100::/40
  • Client network size: /48

How to add a new customer connection

  • Get the public key of the customer
  • Edit dot-cdist/type/__ungleich_wireguard/manifest and add the new network definition at the end of the file
  • Let the customer know their network

Sample customer client configuration

  • Install wireguard
  • Create your private key: umask 077; wg genkey > privkey
  • Get your public key: wg pubkey < privkey
    • You need to send this pubkey to ungleich
  • You will get your network definition after we have received your public key
  • Create /etc/wireguard/wg0.conf
[Interface]
PrivateKey = YOURKEYHERE
# Address is a wg-quick setting; plain "wg setconf" rejects this line, so remove it
# if you bring the interface up with the manual ip/wg commands instead of wg-quick
Address = YOURIPv6IPADDRESSHERE/48
ListenPort = 51280

[Peer]
PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=
Endpoint = vpn-2a0ae5c1.ungleich.ch:51820
AllowedIPs = ::/0

Commands for setting it up

MY_NET=2a0a:e5c1:XXXX::1/48

ip link add dev wg0 type wireguard

# Replace with your range
ip addr add $MY_NET dev wg0

# Add routing
ip route add 2a0a:e5c1:100::/40 dev wg0
ip route add ::/0 via 2a0a:e5c1:100::1

# Configure the interface
wg setconf wg0 /etc/wireguard/wg0.conf

# Bring it up
ip link set wg0 up

Once it runs, you can also use wg-quick to get it up faster:

wg-quick up wg0

(this only requires the configuration file /etc/wireguard/wg0.conf to exist)

Debugging

  • wg show
  • ping 2a0a:e5c1:100::1

Sample server configuration

This is just for reference - as a client you don't need this configuration.

/etc/wireguard/wg0.conf:

[Interface]
ListenPort = 51820
PrivateKey = SERVERKEYHERE

# Nico, 2019-01-23
[Peer]
PublicKey = kL1S/Ipq6NkFf1MAsNRou4b9VoUsnnb4ZxgiBrH0zA8=
AllowedIPs = 2a0a:e5c1:101::/48

# Customer networks below
# ...

Sample server rc.local:

ip link add dev wg0 type wireguard
ip addr add 2a0a:e5c1:100::1/40 dev wg0
wg setconf wg0 /etc/wireguard/wg0.conf
ip link set wg0 up
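
The customer onboarding steps above and the sample client and server configurations can be checked mechanically before a peer is added. This is an added Python example, not code from the ungleich wiki or the cdist manifest; it takes the client pool, server public key and endpoint from this page, while the customer key and /48 it works with are constructed.

```python
"""Added example, not part of the ungleich wiki page: validate a new customer
peer for vpn-2a0ae5c1 and render the matching server and client stanzas.
Pool, server key and endpoint are from the page; CUSTOMER_PUBKEY is constructed."""
import base64
import ipaddress

CLIENT_POOL = ipaddress.IPv6Network("2a0a:e5c1:100::/40")  # client network, per page
SERVER_PUBKEY = "hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ="  # per page
ENDPOINT = "vpn-2a0ae5c1.ungleich.ch:51820"  # per page
# Constructed test key (bytes 0..31), NOT a real customer key.
CUSTOMER_PUBKEY = base64.b64encode(bytes(range(32))).decode()


def valid_wg_key(key: str) -> bool:
    """A WireGuard key is 32 bytes, base64 encoded: 44 characters ending in '='."""
    try:
        return len(key) == 44 and len(base64.b64decode(key, validate=True)) == 32
    except ValueError:
        return False


def check_customer_network(net: str, existing: list) -> ipaddress.IPv6Network:
    """Allocation rules from the page: a /48 inside the /40 pool, not yet in use."""
    n = ipaddress.IPv6Network(net)
    if n.prefixlen != 48:
        raise ValueError(f"customer networks are /48, got {n}")
    if not n.subnet_of(CLIENT_POOL):
        raise ValueError(f"{n} is outside the client pool {CLIENT_POOL}")
    for used in existing:
        if n.overlaps(ipaddress.IPv6Network(used)):
            raise ValueError(f"{n} overlaps existing peer network {used}")
    return n


def server_peer_stanza(pubkey: str, net: str, existing: list, comment: str) -> str:
    """[Peer] block for the server side. AllowedIPs doubles as a source filter:
    WireGuard drops packets from this key whose source is outside the /48."""
    if not valid_wg_key(pubkey):
        raise ValueError("public key is not a base64-encoded 32-byte WireGuard key")
    n = check_customer_network(net, existing)
    return f"# {comment}\n[Peer]\nPublicKey = {pubkey}\nAllowedIPs = {n}\n"


def client_config(privkey: str, net: str) -> str:
    """wg-quick client config; the first host of the /48 becomes the interface address."""
    n = check_customer_network(net, [])
    return (f"[Interface]\nPrivateKey = {privkey}\nAddress = {n[1]}/48\n\n"
            f"[Peer]\nPublicKey = {SERVER_PUBKEY}\nEndpoint = {ENDPOINT}\n"
            f"AllowedIPs = ::/0\n")
```

The server stanza is what gets appended to the cdist manifest's network definitions; the client config is what the customer writes to /etc/wireguard/wg0.conf.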

OpenVPN on openvpn.ungleich.ch

  • Server: openvpn.ungleich.ch
  • Port: 1195
  • Requires a certificate
  • Address range: 2a0a:e5c0:3::/48
    • Client networks are /64

Updated by Nico Schottelius about 5 years ago · 13 revisions