
The ungleich VPN infrastructure » History » Version 14

Nico Schottelius, 02/02/2019 08:27 AM

h1. The ungleich VPN infrastructure

{{toc}}

h2. Status

This document is *IN PRODUCTION*.

h2. Security of IPv6 vs. NAT

A quick reminder: NAT is not a firewall. Whether you are using private RFC 1918 IPv4 addresses behind NAT or IPv6 addresses, if you don't want people to access your network, you need to configure a firewall. The addresses you get through this VPN are public IPv6 addresses, so every host that uses one is reachable from the Internet unless you filter inbound traffic on the tunnel interface.
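
Here is an added example of such a filter (example code written for this page, not part of ungleich's infrastructure): an nftables ruleset wrapped in a small POSIX shell script, so that it can be printed and reviewed before it is loaded with @nft -f -@. It assumes the tunnel interface is called wg0, that nftables is installed, and that SSH on TCP port 22 is the only service that should be reachable over the tunnel; change those assumptions to match your host. Traffic from other interfaces is left to whatever firewall you already have.

```shell
#!/bin/sh
# Added example, not part of ungleich's infrastructure: default-deny filter for
# traffic arriving through the Wireguard tunnel. Assumptions (adjust to taste):
#   - the tunnel interface is called wg0 (override with WG_IF=...)
#   - nftables is installed; "apply" needs root
#   - SSH on TCP/22 is the only service that should be reachable over the tunnel
set -eu

WG_IF="${WG_IF:-wg0}"

# Print the nftables ruleset. Kept in a function so it can be reviewed or
# tested without touching the running firewall.
wg_client_ruleset() {
  cat <<EOF
# Idempotent reload: create the table if missing, then flush only our own rules.
table ip6 wgguard {}
flush table ip6 wgguard
table ip6 wgguard {
  chain input {
    type filter hook input priority 0; policy drop;
    # Traffic from any other interface is left to the rest of the firewall.
    iifname != "$WG_IF" accept
    # Replies to connections this host opened.
    ct state established,related accept
    # ICMPv6 is required for IPv6 to work at all (neighbour discovery, PMTUD).
    meta l4proto icmpv6 accept
    # Explicitly allowed services; extend this list deliberately.
    tcp dport 22 accept
    # Everything else that arrives through the tunnel is logged and dropped.
    log prefix "wg-drop: " drop
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    # Same idea for packets routed through this host (e.g. a LAN behind your /48):
    # outbound traffic and replies are fine, unsolicited inbound over the tunnel is not.
    iifname != "$WG_IF" accept
    ct state established,related accept
    meta l4proto icmpv6 accept
    log prefix "wg-fwd-drop: " drop
  }
}
EOF
}

# List the TCP ports the ruleset exposes over the tunnel, so a review can
# confirm nothing was opened by accident.
wg_client_exposed_tcp_ports() {
  wg_client_ruleset | sed -nE 's/^[[:space:]]*tcp dport ([0-9]+) accept.*/\1/p'
}

case "${1:-show}" in
  apply) wg_client_ruleset | nft -f - ;;   # needs root and nftables
  show)  wg_client_ruleset ;;
esac
```

Run it as @sh wg-firewall.sh@ to print the ruleset and @sh wg-firewall.sh apply@ (as root) to load it. Because the script creates and flushes only its own table, loading it again after an edit replaces the previous rules instead of appending to them, and it does not interfere with rules you keep in other tables.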

h2. Wireguard VPN on vpn-2a0ae5c1.ungleich.ch

* Server: vpn-2a0ae5c1.ungleich.ch
* Port: 51820 (UDP)
* Requires a public key: authentication is your Wireguard public key, there are no passwords or certificates
* Client network: 2a0a:e5c1:100::/40 (the 256 networks from 2a0a:e5c1:100::/48 to 2a0a:e5c1:1ff::/48; the gateway 2a0a:e5c1:100::1 lives in the first one)
* Client network size: one /48 per customer

h3. How to add a new customer connection

* Get the public key of the customer (the 44 character base64 string printed by @wg pubkey@; do not accept anything else, and never ask for the private key)
* Edit dot-cdist/type/__ungleich_wireguard/manifest and add the new network definition (the customer's public key and the /48 assigned to them) at the end of the file
* Let the customer know their network (their /48 and the gateway address 2a0a:e5c1:100::1)
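
The following script is an added example, not ungleich's cdist type (whose manifest is the real source of truth): it performs the checks you want before adding the entry to the manifest. It refuses anything that is not a syntactically valid Wireguard public key, reads the existing peers in the format of the server configuration shown further down, and picks the lowest /48 in 2a0a:e5c1:100::/40 that is not yet assigned. Assumptions: the peer list arrives as a wg0.conf on stdin, 2a0a:e5c1:100::/48 is reserved because the gateway address 2a0a:e5c1:100::1 lives in it, and the sample peer list is constructed for the example (its second key and the new customer's key are placeholders).

```shell
#!/bin/sh
# Added example, not ungleich's tooling (their source of truth is the cdist
# manifest): the checks to run before adding a customer. Assumptions: the
# current peer list is a wg0.conf in the format shown on this page, arriving
# on stdin; customer networks are /48s out of 2a0a:e5c1:100::/40; and
# 2a0a:e5c1:100::/48 is reserved because the gateway 2a0a:e5c1:100::1 is in it.
set -eu

# A Wireguard public key is 32 bytes in base64: exactly 44 characters, one '='
# of padding, and the character before it restricted to the values whose low
# bits are zero. Refuse anything else. This is a format check only: a private
# key pasted by mistake has the same shape, so tell customers what to send.
wg_key_valid() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Read a wg0.conf on stdin and print the lowest /48 in 2a0a:e5c1:100::/40 that
# no peer has in its AllowedIPs yet. Exit 1 when the pool is exhausted.
wg_next_free_48() {
  used=""
  for h in $(sed -nE 's|^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*2a0a:e5c1:([0-9a-fA-F]{1,4})::/48.*$|\1|p'); do
    used="$used $((0x$h))"              # normalise the hex hextet to decimal
  done
  n=257                                  # 0x101; 0x100 is the gateway's own /48
  while [ "$n" -le 511 ]; do             # 0x1ff is the last /48 inside the /40
    case " $used " in
      *" $n "*) ;;                       # already assigned, try the next one
      *) printf '2a0a:e5c1:%x::/48\n' "$n"; return 0 ;;
    esac
    n=$((n + 1))
  done
  echo "no free /48 left in 2a0a:e5c1:100::/40" >&2
  return 1
}

# Render the [Peer] stanza in the same format as the server wg0.conf on this page.
wg_peer_stanza() {   # $1 public key, $2 prefix, $3 who/when comment
  printf '\n# %s\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$3" "$1" "$2"
}

# Validate the key, allocate a prefix from the peer list on stdin and print the
# stanza to add. Nothing on the running server is changed by this function.
wg_add_customer() {   # $1 public key, $2 comment; current wg0.conf on stdin
  key="$1"; label="$2"
  if ! wg_key_valid "$key"; then
    echo "refusing: '$key' is not a Wireguard public key" >&2
    return 1
  fi
  prefix=$(wg_next_free_48) || return 1
  wg_peer_stanza "$key" "$prefix" "$label"
}
# Live activation on the server once the stanza is in the config (needs root):
#   wg set wg0 peer "$key" allowed-ips "$prefix"

# Constructed sample of the server's peer list: the first peer is the one from
# the sample configuration on this page, the second one is a placeholder.
sample_server_conf() {
  cat <<'EOF'
[Interface]
ListenPort = 51820
PrivateKey = SERVERKEYHERE

# Nico, 2019-01-23
[Peer]
PublicKey = kL1S/Ipq6NkFf1MAsNRou4b9VoUsnnb4ZxgiBrH0zA8=
AllowedIPs = 2a0a:e5c1:101::/48

# placeholder customer (constructed for this example)
[Peer]
PublicKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AllowedIPs = 2a0a:e5c1:103::/48
EOF
}

# Placeholder key for the new customer: format-valid only, not a real key.
NEW_KEY='BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBA='

# Example run: the gap at 2a0a:e5c1:102::/48 is what gets handed out.
sample_server_conf | wg_add_customer "$NEW_KEY" 'newcustomer, 2019-02-02'
```

On the real server the peer list comes from @/etc/wireguard/wg0.conf@ (for example @wg_add_customer "$key" "$label" < /etc/wireguard/wg0.conf@); the key check is also worth running on the customer's side before the key is sent, because a truncated or line-wrapped key is the most common reason a tunnel never handshakes.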

h3. Sample customer client configuration

* "Install wireguard":https://www.wireguard.com/install/
* Create your private key: @umask 077; wg genkey > privkey@ (the umask makes the key file readable only by you)
* Get your public key: @wg pubkey < privkey@
** You need to send this pubkey to ungleich (only the public key; the private key never leaves your machine)
* You will get your network definition (a /48) after we have received your public key
* Create /etc/wireguard/wg0.conf (it contains your private key, so create it with the same @umask 077@ or @chmod 600@ it afterwards)

<pre>
[Interface]
PrivateKey = YOURKEYHERE
# Your assigned /48, e.g. 2a0a:e5c1:XXXX::1/48; wg-quick adds this address to wg0
Address = YOURIPv6IPADDRESSHERE/48
# Local UDP port this client listens on; optional for a client, any free port works
ListenPort = 51280

[Peer]
# Public key of vpn-2a0ae5c1.ungleich.ch
PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=
Endpoint = vpn-2a0ae5c1.ungleich.ch:51820
# ::/0: accept packets from the server for any IPv6 destination and send all IPv6
# traffic through the tunnel. Use 2a0a:e5c1::/32 instead if only the ungleich
# network should go through the VPN.
AllowedIPs = ::/0
# Uncomment if you are behind NAT and want the tunnel kept open without traffic:
# PersistentKeepalive = 25
</pre>

h3. How to setup the VPN (the easy way)

Once you have created the configuration, you can simply call (as root)

<pre>
wg-quick up wg0
</pre>

wg-quick reads /etc/wireguard/wg0.conf, creates wg0, adds the address from the Address line and, because AllowedIPs is ::/0, installs a default IPv6 route through the tunnel in a separate routing table, with a policy rule that keeps the encrypted packets to the endpoint itself out of the tunnel. To stop the VPN, you can use

<pre>
wg-quick down wg0
</pre>

h3. How to setup the VPN (the manual way)

This is what wg-quick does for you; use it if you want to control the routing yourself. Two details matter: @wg setconf@ only understands the Wireguard keys (PrivateKey, ListenPort, the [Peer] section), so the wg-quick-only Address line has to be stripped from wg0.conf before it is passed in, and routes via wg0 can only be added once the interface is up.

Commands for setting it up

<pre>
# Your assigned /48; replace XXXX with your range
MY_NET=2a0a:e5c1:XXXX::1/48

ip link add dev wg0 type wireguard

# Add your address to the interface
ip addr add $MY_NET dev wg0

# Configure keys and peer. wg setconf rejects the Address line,
# so feed it the stripped version of the config
wg-quick strip wg0 | wg setconf wg0 /dev/stdin

# Bring it up; the kernel refuses routes via an interface that is down
ip link set wg0 up

# Add routing: the ungleich network is reachable through the tunnel ...
ip route add 2a0a:e5c1::/32 dev wg0
# ... and everything else goes to the ungleich gateway.
# If this host already has an IPv6 default route, check "ip -6 route"
# afterwards and decide which one should win; nothing is replaced for you.
ip route add ::/0 via 2a0a:e5c1:100::1
</pre>

h3. How to debug

* @wg show wg0@ # Show the configuration and, per peer, the latest handshake and transfer counters. No "latest handshake" line means the server never answered: check that ungleich has received your public key and that the endpoint is reachable on 51820/UDP
* @ping 2a0a:e5c1:100::1@ # Try to ping the gateway
* @ip -6 route get 2a0a:e5c1:100::1@ # Check that the gateway is routed via wg0
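
As an added example (not part of the page's instructions), the check below turns the machine-readable @wg show wg0 dump@ output into a per-peer verdict, so "no handshake" and "handshake too old" are reported explicitly instead of being read off by eye. It works the same on the server, where one line per customer tells you who is actually connected. Assumptions: a peer without a completed handshake for more than 180 seconds while traffic is expected is treated as broken (Wireguard initiates a new handshake about every 2 minutes when traffic flows), the interface is wg0, and the sample dump is constructed with placeholder keys and a documentation-prefix endpoint.

```shell
#!/bin/sh
# Added example, not part of the page's instructions: a handshake check over
# "wg show wg0 dump". Assumptions: a peer whose last handshake is older than
# 180 s (while traffic is expected) is broken; a peer that never handshaked
# is always reported as broken, whatever the limit.
set -eu

# Fields of a peer line in "wg show <if> dump" (tab separated):
#   1 public key, 2 preshared key, 3 endpoint, 4 allowed ips,
#   5 latest handshake (unix time, 0 = never), 6 rx bytes, 7 tx bytes,
#   8 persistent keepalive
# The first line describes the interface and contains the PRIVATE key, which is
# why it is skipped here and why a raw dump must never be pasted into a ticket.
wg_check_dump() {   # usage: wg show wg0 dump | wg_check_dump <now-unix-time> [max-age-s]
  awk -F '\t' -v now="$1" -v max="${2:-180}" '
    NR == 1 { next }
    NF == 8 {
      ts = $5 + 0
      if (ts == 0)             { st = "never-handshaked"; age = "n/a" }
      else if (now - ts > max) { st = "stale";            age = (now - ts) "s" }
      else                     { st = "ok";               age = (now - ts) "s" }
      if (st != "ok") bad++
      printf "%s endpoint=%s allowed=%s %s age=%s rx=%s tx=%s\n", $1, $3, $4, st, age, $6, $7
    }
    END { exit (bad > 0) ? 1 : 0 }'
}

# Constructed server-side dump: the customer from the sample configuration on
# this page (handshake 30 s before the "now" used below) and a placeholder
# customer that never connected. Keys and endpoint are not real.
sample_dump() {
  # interface line: private key (hidden here, shown in real output!), public key, port, fwmark
  printf '%s\t%s\t%s\t%s\n' '(hidden in this sample)' 'SERVERPUBKEYHERE' 51820 off
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    'kL1S/Ipq6NkFf1MAsNRou4b9VoUsnnb4ZxgiBrH0zA8=' '(none)' '[2001:db8::1]:51280' \
    '2a0a:e5c1:101::/48' 1549095570 148320 96412 off
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    'SECONDCUSTOMERKEYHERE' '(none)' '(none)' '2a0a:e5c1:102::/48' 0 0 0 off
}

# Real use: wg show wg0 dump | wg_check_dump "$(date +%s)"
sample_dump | wg_check_dump 1549095600 || echo "at least one peer is unhealthy" >&2
```

On a client there is exactly one line, the ungleich server: "never-handshaked" means your public key is not on the server yet or the endpoint is unreachable, "stale" with growing rx/tx counters on the server side usually means the client's UDP path broke (NAT timeout; see PersistentKeepalive above).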

h3. Sample server configuration

This is just for reference - as a client you don't need this configuration. The security relevant part is AllowedIPs: on the server it is the cryptokey routing table, so decrypted packets from a peer are only accepted if their source address is inside that peer's /48, and only packets destined for that /48 are sent to the peer. A customer therefore cannot send traffic with another customer's addresses. Note that the server config has no Address line (it is loaded with @wg setconf@, which would reject it); the address is added in rc.local instead.

/etc/wireguard/wg0.conf:

<pre>
[Interface]
ListenPort = 51820
PrivateKey = SERVERKEYHERE

# Nico, 2019-01-23
[Peer]
PublicKey = kL1S/Ipq6NkFf1MAsNRou4b9VoUsnnb4ZxgiBrH0zA8=
AllowedIPs = 2a0a:e5c1:101::/48

# Customer networks below
# ...
</pre>

Sample server rc.local (forwarding between the customer networks and the Internet additionally needs net.ipv6.conf.all.forwarding=1, which is not set here):

<pre>
# Create the interface and give it the gateway address; the whole /40 is on-link
ip link add dev wg0 type wireguard
ip addr add 2a0a:e5c1:100::1/40 dev wg0
# Load keys and peers (no Address line in this config, so wg setconf accepts it)
wg setconf wg0 /etc/wireguard/wg0.conf
ip link set wg0 up
</pre>
123
h2. OpenVPN on openvpn.ungleich.ch
124
125
* Server: openvpn.ungleich.ch
126
* Port: 1195
127
* Requires a certificate
128
* Address range: 2a0a:e5c0:3::/48
129
** Client networks are /64