The ungleich VPN infrastructure » History » Revision 14
Revision 13 (Nico Schottelius, 01/25/2019 11:03 PM) → Revision 14/31 (Nico Schottelius, 02/02/2019 08:27 AM)
h1. The ungleich VPN infrastructure

{{toc}}

h2. Status

This document is *IN PRODUCTION*.

h2. Security of IPv6 vs. NAT

A quick reminder: whether you are using private RFC1918 IPv4 addresses or IPv6 addresses, if you don't want people to access your network, you need to configure a firewall.

h2. Wireguard VPN on vpn-2a0ae5c1.ungleich.ch

* Server: vpn-2a0ae5c1.ungleich.ch
* Port: 51820
* Requires a public key
* Client network: 2a0a:e5c1:100::/40
* Client network size: /48

h3. How to add a new customer connection

* Get the public key of the customer
* Edit dot-cdist/type/__ungleich_wireguard/manifest and add the new network definition at the end of the file
* Let the customer know their network

h3. Sample customer client configuration

* "Install wireguard":https://www.wireguard.com/install/
* Create your private key: @umask 077; wg genkey > privkey@
* Get your public key: @wg pubkey < privkey@
** You need to send this pubkey to ungleich
* You will get your network definition after we have received your public key
* Create /etc/wireguard/wg0.conf

<pre>
[Interface]
PrivateKey = YOURKEYHERE
Address = YOURIPv6IPADDRESSHERE/48
ListenPort = 51280

[Peer]
PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=
Endpoint = vpn-2a0ae5c1.ungleich.ch:51820
AllowedIPs = ::/0
</pre>

h3. How to set up the VPN (the easy way)

Once you have created the configuration, you can simply call

<pre>
wg-quick up wg0
</pre>

And to stop the VPN, you can use

<pre>
wg-quick down wg0
</pre>

h3. How to set up the VPN (the manual way)

Commands for setting it up:

<pre>
# Replace with your range
MY_NET=2a0a:e5c1:XXXX::1/48

ip link add dev wg0 type wireguard
ip addr add $MY_NET dev wg0

# Configure the interface
wg setconf wg0 /etc/wireguard/wg0.conf

# Bring it up
ip link set wg0 up

# Add routing (the link has to be up before IPv6 routes via it are accepted)
ip route add 2a0a:e5c1:100::/40 dev wg0
ip route add ::/0 via 2a0a:e5c1:100::1
</pre>
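Added example, not from this wiki page or from ungleich's own tooling: a POSIX shell helper that writes the client wg0.conf from the template above under a restrictive umask, so the file holding the private key is created 0600, plus a check that verifies the permissions and the fixed peer fields (server key, endpoint, AllowedIPs). The argument layout and the /48 sanity check are assumptions of this example.

```shell
#!/bin/sh
# Added example: write the client wg0.conf described above and sanity-check it.
# Assumed arguments: $1 = file holding the key from "wg genkey",
# $2 = the /48 address ungleich assigned, $3 = output path for wg0.conf.
SERVER_PUBKEY='hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ='
SERVER_ENDPOINT='vpn-2a0ae5c1.ungleich.ch:51820'

gen_wg0_conf() {
    privkey_file=$1; address=$2; out=$3
    # Only a /48 inside the ungleich client range makes sense here.
    case $address in
        2a0a:e5c1:*/48) ;;
        *) echo "address must look like 2a0a:e5c1:XXXX::1/48" >&2; return 1 ;;
    esac
    privkey=$(cat "$privkey_file") || return 1
    # Subshell with umask 077: the config contains the private key, so it is
    # created 0600. Remove a stale copy first, since ">" keeps old permissions.
    (
        umask 077
        rm -f "$out"
        cat > "$out" <<EOF
[Interface]
PrivateKey = $privkey
Address = $address
ListenPort = 51820

[Peer]
PublicKey = $SERVER_PUBKEY
Endpoint = $SERVER_ENDPOINT
AllowedIPs = ::/0
EOF
    )
}

# Returns 0 when the config is mode 0600 and carries the expected peer fields.
check_wg0_conf() {
    conf=$1
    mode=$(stat -c %a "$conf" 2>/dev/null || stat -f %Lp "$conf")
    [ "$mode" = "600" ] || { echo "$conf is mode $mode, expected 600" >&2; return 1; }
    grep -qFx "PublicKey = $SERVER_PUBKEY" "$conf" || return 1
    grep -qFx "Endpoint = $SERVER_ENDPOINT" "$conf" || return 1
    grep -qFx 'AllowedIPs = ::/0' "$conf" || return 1
}
```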
h3. How to debug

Once it runs, you can also use @wg-quick@ to get it up faster:

<pre>
wg-quick up wg0
</pre>

(this just requires a configuration file named /etc/wireguard/wg0.conf to exist)

Debugging:

* @wg show@ # Show configuration
* @ping 2a0a:e5c1:100::1@ # Try to ping the gateway

h3. Sample server configuration

This is just for reference - as a client you don't need this configuration.

/etc/wireguard/wg0.conf:

<pre>
[Interface]
ListenPort = 51820
PrivateKey = SERVERKEYHERE

# Nico, 2019-01-23
[Peer]
PublicKey = kL1S/Ipq6NkFf1MAsNRou4b9VoUsnnb4ZxgiBrH0zA8=
AllowedIPs = 2a0a:e5c1:101::/48

# Customer networks below
# ...
</pre>

Sample server rc.local:

<pre>
ip link add dev wg0 type wireguard
ip addr add 2a0a:e5c1:100::1/40 dev wg0
wg setconf wg0 /etc/wireguard/wg0.conf
ip link set wg0 up
</pre>

h2. OpenVPN on openvpn.ungleich.ch

* Server: openvpn.ungleich.ch
* Port: 1195
* Requires a certificate
* Address range: 2a0a:e5c0:3::/48
** Client networks are /64