The ungleich VPN infrastructure » History » Version 18

Nico Schottelius, 04/19/2019 06:42 PM

h1. The ungleich VPN infrastructure

{{toc}}

h2. Status

This document is *IN PRODUCTION*.

h2. Security of IPv6 vs. NAT

A quick reminder: NAT is not a firewall. Whether your hosts use private RFC1918 IPv4 addresses behind NAT or globally routable IPv6 addresses, if you don't want people to access your network, you need to configure a firewall. The /48 you get from this VPN is routed to you, so every address you assign to a host is reachable from the Internet unless you filter it, on the host itself or on the router in front of it.
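As an added example (not part of the original page), a minimal nftables ruleset for a Linux host that receives its routed /48 over wg0. It is generated by a small shell function so the interface name and the exposed TCP ports can be changed; the table name wgfilter and the port list are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: generate a minimal nftables
# ruleset for a host that receives its routed /48 over wg0. The interface
# name, the list of exposed TCP ports and the table name are assumptions.
set -eu

# Print an nftables ruleset for tunnel interface $1 that exposes only the
# space-separated TCP ports in $2 through the tunnel.
wg_firewall_rules() {
    ifname=$1
    ports=$(printf '%s' "$2" | tr ' ' ',')
    cat <<EOF
table ip6 wgfilter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 is mandatory on IPv6: neighbour discovery, PMTU discovery
        # and error reporting stop working if it is dropped wholesale.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, echo-reply,
                      nd-router-solicit, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept

        # Services that may be reached through the routed /48. Everything
        # else arriving via $ifname is dropped by the chain policy. Replies
        # to the WireGuard UDP flow this host initiates on its uplink are
        # covered by the established,related rule above.
        iifname "$ifname" tcp dport { $ports } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Hosts behind this router may go out through the tunnel;
        # nothing unsolicited comes in from it.
        ct state established,related accept
        oifname "$ifname" accept
    }
}
EOF
}

# Apply it (needs root and nftables):
#   wg_firewall_rules wg0 "22 443" | nft -f -
# Then verify from a host outside your /48 that a port not in the list is
# really closed, e.g. nc -6 -zv <your address> 8080
```

The ruleset accepts only established flows, the ICMPv6 types IPv6 cannot do without, and the listed TCP ports on the tunnel interface. IPv4 is not covered by the ip6 table; give it its own rules if the host also has IPv4 connectivity.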

h2. Wireguard VPN on vpn-2a0ae5c1.ungleich.ch

* Server: vpn-2a0ae5c1.ungleich.ch
* Port: 51820 (UDP)
* Requires a public key
* Client network: 2a0a:e5c1:100::/40
* Client network size: /48

h3. How to add a new customer connection

* Get the public key of the customer (a 44-character base64 string like the server key in the sample configuration below; never ask for their private key)
* Edit dot-cdist/type/__ungleich_wireguard/manifest and add the new network definition (the customer's public key with their /48 as AllowedIPs) at the end of the file
* Let the customer know their network
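As an added example (not the page's cdist manifest, which is not shown here), the operator-side steps above written as shell functions that can be checked before anything is written to the server: allocating the next /48 out of 2a0a:e5c1:100::/40, validating the customer's public key, and emitting both the server's [Peer] stanza and a wg0.conf for the customer. The numbering of the /48s (index N gives 2a0a:e5c1:1NN::/48) and the customer name are assumptions; the server public key and endpoint are the page's.

```shell
#!/bin/sh
# Added example, not the page's cdist manifest: the operator-side steps of
# adding a customer, in a form that can be checked before anything touches
# the server. The /48 numbering (index N -> 2a0a:e5c1:1NN::/48) and the
# customer name are assumptions; the server key and endpoint are the page's.
set -eu

# The client network is 2a0a:e5c1:100::/40, so its /48s are
# 2a0a:e5c1:1XX::/48 with XX = 00..ff. Index 0 contains the gateway
# 2a0a:e5c1:100::1 and stays with the server; customers get 1..255.
customer_net() {
    idx=$1
    [ "$idx" -ge 1 ] && [ "$idx" -le 255 ] || { echo "index $idx out of range" >&2; return 1; }
    printf '2a0a:e5c1:1%02x::/48\n' "$idx"
}

# A WireGuard public key is 32 bytes of Curve25519 encoded as 44 base64
# characters. Check it before it reaches the server config: a truncated or
# mistyped key is silently a different (useless) peer.
valid_pubkey() {
    key=$1
    case "$key" in
        *[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    [ "${#key}" -eq 44 ] || return 1
    [ "$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')" -eq 32 ]
}

# Server side: the stanza to append to /etc/wireguard/wg0.conf. AllowedIPs
# is WireGuard's cryptokey routing table, so it must be exactly the
# customer's /48 and nothing wider.
peer_stanza() {
    name=$1; key=$2; net=$3
    printf '# %s, %s\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' \
        "$name" "$(date +%Y-%m-%d)" "$key" "$net"
}

# Customer side: a wg0.conf using the first host address of the /48,
# never the all-zero subnet-router anycast address.
client_conf() {
    prefix=${1%::/48}
    cat <<EOF
[Interface]
PrivateKey = YOURKEYHERE
Address = ${prefix}::1/48

[Peer]
PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=
Endpoint = vpn-2a0ae5c1.ungleich.ch:51820
AllowedIPs = ::/0
EOF
}

# Usage (on the operator's machine, with the customer's key in $KEY):
#   valid_pubkey "$KEY" || exit 1
#   NET=$(customer_net 1)          # 2a0a:e5c1:101::/48
#   peer_stanza acme "$KEY" "$NET" >> /etc/wireguard/wg0.conf
#   wg set wg0 peer "$KEY" allowed-ips "$NET"   # take effect without a restart
#   client_conf "$NET"             # send this to the customer
```

The @wg set@ line adds the peer to the running interface immediately; the stanza in wg0.conf makes it survive the next @wg setconf@.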

h3. Sample customer client configuration

* "Install wireguard":https://www.wireguard.com/install/
* Create your private key: @umask 077; wg genkey > privkey@
* Get your public key: @wg pubkey < privkey@
** You need to send this pubkey to ungleich; the private key never leaves your machine
* You will get your network definition after we have received your public key
* Create /etc/wireguard/wg0.conf (readable by root only, it contains your private key)

<pre>
[Interface]
PrivateKey = YOURKEYHERE
# Pick a non-zero host address inside your /48, e.g. ...::42 (see "About usable IPv6 addresses" below)
Address = YOURIPv6IPADDRESSHERE/48
# Optional: the local UDP port this client listens on; not the server's port
ListenPort = 51280

[Peer]
PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=
Endpoint = vpn-2a0ae5c1.ungleich.ch:51820
# Route all IPv6 traffic through the VPN
AllowedIPs = ::/0
</pre>

h3. How to setup the VPN (the easy way)

Once you have created the configuration, you can simply call

<pre>
wg-quick up wg0
</pre>

wg-quick reads the @Address@ line, configures the interface and, because @AllowedIPs@ is @::/0@, installs a default IPv6 route through the tunnel (using a fwmark and a policy routing rule so that the encrypted packets to the endpoint itself do not loop back into it).

And to stop the VPN, you can use

<pre>
wg-quick down wg0
</pre>

h3. How to setup the VPN (the manual way)

Commands for setting it up. Two things to know before copying them: @wg setconf@ only accepts the keys wg(8) itself knows (PrivateKey, ListenPort and the [Peer] keys), so a wg0.conf containing the wg-quick-only @Address@ or @DNS@ lines has to be stripped first with @wg-quick strip@; and the routes are added after the interface is up.

<pre>
# Replace with your range (pick a non-zero host address, see below)
MY_NET=2a0a:e5c1:XXXX::1/48

ip link add dev wg0 type wireguard

# Configure the interface: strip the wg-quick-only keys (Address, DNS, ...)
# from wg0.conf, otherwise wg setconf rejects the file
wg-quick strip wg0 | wg setconf wg0 /dev/stdin

ip addr add $MY_NET dev wg0

# Bring it up
ip link set wg0 up

# Add routing: the whole /32 is on-link via wg0, everything else goes via the gateway
ip route add 2a0a:e5c1::/32 dev wg0
ip route add ::/0 via 2a0a:e5c1:100::1
</pre>

This assumes you reach vpn-2a0ae5c1.ungleich.ch over IPv4. If your uplink already has IPv6, the default route above would also swallow the encrypted packets to the endpoint itself, so add a more specific route for the endpoint's IPv6 address via your uplink first (wg-quick avoids this with a fwmark and policy routing, which is one reason to prefer the easy way).

h3. About usable IPv6 addresses

We route a /48 to everyone. Even though technically possible, you should not use the *zero address* of your network (the prefix with an all-zero host part), because it is the Subnet-Router anycast address (RFC 4291): all routers on that prefix, i.e. devices with IP forwarding enabled, are supposed to answer on it.
I.e. if your IPv6 network is 2a0a:e5c1:101::/48, don't use 2a0a:e5c1:101::.

In other words, in your wg0.conf use:

<pre>
[Interface]
...
Address = 2a0a:e5c1:101::42/48
</pre>

Do *NOT* use:

<pre>
[Interface]
...
# Don't use this
Address = 2a0a:e5c1:101::/48
</pre>

h3. How to debug

* @wg show@ # Show the running configuration: peers, latest handshake and transfer counters. If there is no "latest handshake" line for the peer, the handshake never completed (wrong key, wrong endpoint or port, or UDP 51820 blocked on the way out)
* @ping 2a0a:e5c1:100::1@ # Try to ping the gateway

If you want to send us your configuration, remove your private key (and a PresharedKey line, if you have one) from wg0.conf first.
Under Linux/BSD/MacOS you can do that as follows:

<pre>
sed 's/\(PrivateKey =\).*/\1 MYPRIVATEKEY/' /etc/wireguard/wg0.conf
</pre>

The result could look as follows:

<pre>
root@line:~# sed 's/\(PrivateKey =\).*/\1 MYPRIVATEKEY/' /etc/wireguard/wg0.conf
[Interface]
PrivateKey = MYPRIVATEKEY
ListenPort = 51280
Address = 2a0a:e5c1:101::42/48
#DNS = 2a0a:e5c0::3, 2a0a:e5c0::4

[Peer]
PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=
Endpoint = vpn-2a0ae5c1.ungleich.ch:51820
AllowedIPs = ::/0
</pre>
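As an added example (not from the original page) covering both the zero-address rule above and the debugging advice here, a few shell checks to run on a wg0.conf before sharing it in a ticket or bringing it up: redaction of PrivateKey and PresharedKey, a check that no Address is the all-zero subnet-router anycast address, and a check that the Endpoint port is the server's 51820. The sample configurations written by write_samples are constructed for this example; only the server public key and endpoint are taken from the page.

```shell
#!/bin/sh
# Added example, not from the original page: checks to run on a wg0.conf
# before sharing it in a ticket or bringing it up. The sample configs
# written by write_samples are constructed for this example; only the
# server public key and endpoint are taken from the page.
set -eu

# Redact secrets so the file can be pasted into a ticket. PrivateKey is the
# secret in [Interface]; a PresharedKey in [Peer], if configured, is a
# secret as well and is handled here too.
redact_conf() {
    sed -e 's/^\([[:space:]]*PrivateKey[[:space:]]*=\).*/\1 MYPRIVATEKEY/' \
        -e 's/^\([[:space:]]*PresharedKey[[:space:]]*=\).*/\1 MYPRESHAREDKEY/' "$1"
}

# Fail if an Address line uses the all-zero host part of its prefix (the
# Subnet-Router anycast address), e.g. 2a0a:e5c1:101::/48. Only the
# compressed "::" spelling is checked, which is how people write it.
check_address() {
    sed -n 's/^[[:space:]]*Address[[:space:]]*=[[:space:]]*//p' "$1" |
    tr ',' '\n' |
    while read -r addr; do
        case "${addr%/*}" in
            *::) echo "Address $addr is the subnet-router anycast address" >&2; return 1 ;;
        esac
    done
}

# Fail if the Endpoint port is not the server's 51820. The client's own
# ListenPort may be anything; the Endpoint port may not.
check_endpoint() {
    ep=$(sed -n 's/^[[:space:]]*Endpoint[[:space:]]*=[[:space:]]*//p' "$1")
    [ "${ep##*:}" = "51820" ] || { echo "Endpoint port is '${ep##*:}', expected 51820" >&2; return 1; }
}

# Run all checks; returns non-zero if any of them failed.
lint_conf() {
    rc=0
    check_address "$1" || rc=1
    check_endpoint "$1" || rc=1
    return $rc
}

# Constructed sample configurations (not real keys) for trying the checks.
write_samples() {
    cat >"$1/good.conf" <<'EOF'
[Interface]
PrivateKey = cPrivateKeyWouldBeHereXXXXXXXXXXXXXXXXXXXXX=
Address = 2a0a:e5c1:101::42/48
ListenPort = 51280

[Peer]
PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=
PresharedKey = cPresharedKeyWouldBeHereXXXXXXXXXXXXXXXXXXX=
Endpoint = vpn-2a0ae5c1.ungleich.ch:51820
AllowedIPs = ::/0
EOF
    # Two mistakes in one file: the zero address and the wrong port.
    sed -e 's/^Address = .*/Address = 2a0a:e5c1:101::\/48/' \
        -e 's/:51820$/:51280/' "$1/good.conf" >"$1/bad.conf"
}

# Usage: lint_conf /etc/wireguard/wg0.conf && redact_conf /etc/wireguard/wg0.conf
```

Run the redacted output, not the original file, through whatever you paste into a ticket; the lint is meant to catch the two mistakes this page warns about before they cost a debugging round trip.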

h3. Sample server configuration

This is just for reference - as a client you don't need this configuration.

/etc/wireguard/wg0.conf:

<pre>
[Interface]
ListenPort = 51820
PrivateKey = SERVERKEYHERE

# Nico, 2019-01-23
[Peer]
PublicKey = kL1S/Ipq6NkFf1MAsNRou4b9VoUsnnb4ZxgiBrH0zA8=
# Cryptokey routing: only this /48 is accepted from, and sent to, this peer
AllowedIPs = 2a0a:e5c1:101::/48

# Customer networks below
# ...
</pre>

Note that this file contains no @Address@ line: the address is set by rc.local below, so the file can be fed to @wg setconf@ directly.

Sample server rc.local:

<pre>
ip link add dev wg0 type wireguard
# The whole /40 lives on wg0; WireGuard picks the peer for each /48 by AllowedIPs
ip addr add 2a0a:e5c1:100::1/40 dev wg0
wg setconf wg0 /etc/wireguard/wg0.conf
ip link set wg0 up
</pre>

The server forwards between wg0 and its uplink, so IPv6 forwarding has to be enabled on it (not shown here).

h2. OpenVPN on openvpn.ungleich.ch

* Server: openvpn.ungleich.ch
* Port: 1195
* Requires a certificate
* Address range: 2a0a:e5c0:3::/48
** Client networks are /64

*END OF LIFE by 2019-06-30*