Open Infrastructure

h1. The ungleich VPN infrastructure

{{toc}}

h2. Status

This document is *IN PRODUCTION*.

h2. Security of IPv6 vs. NAT

A quick reminder: whether you are using private RFC1918 IPv4 addresses or IPv6 addresses, if you don't want people to access your network, you need to configure a firewall.

h2. Wireguard VPN on vpn-2a0ae5c1.ungleich.ch

* Server: vpn-2a0ae5c1.ungleich.ch

* Port: 51820

* Requires a public key

* Client network: 2a0a:e5c1:100::/40

* Client network size: /48

h3. How to add a new customer connection

* Get the public key of the customer

* Edit dot-cdist/type/__ungleich_wireguard/manifest and add the new network definition at the end of the file

* Let the customer know their network

h3. Sample clustomer client configuration

* "Install wireguard":https://www.wireguard.com/install/

* Create your private key: @umask 077; wg genkey > privkey@

* Get your public key: @wg pubkey < privkey@

** You need to send this pubkey to ungleich

* You will get your network definition after we have received your public key

* Create /etc/wireguard/wg0.conf

<pre>

[Interface]

PrivateKey = YOURKEYHERE

Address = YOURIPv6IPADDRESSHERE/48

ListenPort = 51280

[Peer]

PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=

Endpoint = vpn-2a0ae5c1.ungleich.ch:51820

AllowedIPs = ::/0

</pre>

h3. How to setup the VPN (the easy way)

Once you have created the configuration, you can simply call

<pre>

wg-quick up wg0

</pre>

And to stop the VPN, you can use

<pre>

wg-quick down wg0

</pre>

h3. How to setup the VPN (the manual way)

Commands for setting it up

<pre>

MY_NET=2a0a:e5c1:XXXX::1/48

ip link add dev wg0 type wireguard

# Replace with your range

ip addr add $MY_NET dev wg0

# Add routing

ip route add 2a0a:e5c1::/32 dev wg0

ip route add ::/0 via 2a0a:e5c1:100::1

# Configure the interface

wg setconf wg0 /etc/wireguard/wg0.conf

# Bring it up

ip link set wg0 up

</pre>

h3. How to debug

* wg show # Show configuration

* ping 2a0a:e5c1:100::1 # Try to ping the gateway

h3. Sample server configuration

This is just for reference - as a client you don't need this configuration

/etc/wireguard/wg0.conf:

<pre>

[Interface]

ListenPort = 51820

PrivateKey = SERVERKEYHERE

# Nico, 2019-01-23

[Peer]

PublicKey = kL1S/Ipq6NkFf1MAsNRou4b9VoUsnnb4ZxgiBrH0zA8=

AllowedIPs = 2a0a:e5c1:101::/48

# Customer networks below

# ...

</pre>

Sample server rc.local:

<pre>

ip link add dev wg0 type wireguard

ip addr add 2a0a:e5c1:100::1/40 dev wg0

wg setconf wg0 /etc/wireguard/wg0.conf

ip link set wg0 up

</pre>

h2. OpenVPN on openvpn.ungleich.ch

* Server: openvpn.ungleich.ch

* Port: 1195

* Requires a certificate

* Address range: 2a0a:e5c0:3::/48

** Client networks are /64