Version 13 - History - The ungleich VPN infrastructure - Open Infrastructure - ungleich redmine

The ungleich VPN infrastructure » History » Version 13

Nico Schottelius, 01/25/2019 11:03 PM

-Nico Schottelius
+h1. The ungleich VPN infrastructure
-Nico Schottelius
+{{toc}}
-Nico Schottelius
+h2. Status
 This document is *IN PRODUCTION*.
-Nico Schottelius
+h2. Security of IPv6 vs. NAT
 A quick reminder: whether you are using private RFC1918 IPv4 addresses or IPv6 addresses, if you don't want people to access your network, you need to configure a firewall.
-Nico Schottelius
+h2. Wireguard on vpn-2a0ae5c1.ungleich.ch
 * Server: vpn-2a0ae5c1.ungleich.ch
 * Port: 51820
 * Requires a public key
-Nico Schottelius
+* Client network: 2a0a:e5c1:100::/40
-Nico Schottelius
+* Client network size: /48
-Nico Schottelius
+h3. How to add a new customer connection
 Nico Schottelius
-Nico Schottelius
+* Get the public key of the customer
 * Edit dot-cdist/type/__ungleich_wireguard/manifest and add the new network definition at the end of the file
 * Let the customer know their network
 Nico Schottelius
-Nico Schottelius
+h3. Sample clustomer client configuration
 * "Install wireguard":https://www.wireguard.com/install/
 * Create your private key: @umask 077; wg genkey > privkey@
 * Get your public key: @wg pubkey < privkey@
 ** You need to send this pubkey to ungleich
 * You will get your network definition after we have received your public key
 * Create /etc/wireguard/wg0.conf
-Nico Schottelius
+<pre>
 [Interface]
 PrivateKey = YOURKEYHERE
-Nico Schottelius
+Address = YOURIPv6IPADDRESSHERE/48
-Nico Schottelius
+ListenPort = 51280
 [Peer]
-Nico Schottelius
+PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=
-Nico Schottelius
+Endpoint = vpn-2a0ae5c1.ungleich.ch:51820
 AllowedIPs = ::/0
 </pre>
 Commands for setting it up
 <pre>
 MY_NET=2a0a:e5c1:XXXX::1/48
 ip link add dev wg0 type wireguard
 # Replace with your range
 ip addr add $MY_NET dev wg0
 # Add routing
 ip route add 2a0a:e5c1:100::/40 dev wg0
 ip route add ::/0 via 2a0a:e5c1:100::1
 # Configure the interface
 wg setconf wg0 /etc/wireguard/wg0.conf
 # Bring it up
 ip link set wg0 up
 </pre>
 Nico Schottelius
 Once it runs, you can also use @wg-quick@ to get it up faster:
 <pre>
 wg-quick up wg0
 </pre>
 (this just requires a configuration file named /etc/wireguard/wg0.conf to be existing)
 Nico Schottelius
 Debugging
 * wg show
 * ping 2a0a:e5c1:100::1
 Nico Schottelius
 h3. Sample server configuration
 Nico Schottelius
-Nico Schottelius
+This is just for reference - as a client you don't need this configuration
-Nico Schottelius
+/etc/wireguard/wg0.conf:
 <pre>
 [Interface]
 ListenPort = 51820
-Nico Schottelius
+PrivateKey = SERVERKEYHERE
 Nico Schottelius
 # Nico, 2019-01-23
 [Peer]
 PublicKey = kL1S/Ipq6NkFf1MAsNRou4b9VoUsnnb4ZxgiBrH0zA8=
 AllowedIPs = 2a0a:e5c1:101::/48
 # Customer networks below
 # ...
 </pre>
 Sample server rc.local:
 <pre>
 ip link add dev wg0 type wireguard
 ip addr add 2a0a:e5c1:100::1/40 dev wg0
 wg setconf wg0 /etc/wireguard/wg0.conf
 ip link set wg0 up
-Nico Schottelius
+</pre>
 h2. OpenVPN on openvpn.ungleich.ch
 * Server: openvpn.ungleich.ch
 * Port: 1195
 * Requires a certificate
 * Address range: 2a0a:e5c0:3::/48
 ** Client networks are /64

Project

General

Profile

Open Infrastructure

The ungleich VPN infrastructure » History » Version 13