Open Infrastructure

h1. The ungleich VPN infrastructure

{{toc}}

h2. Status

This document is *IN PRODUCTION*.

h2. Security of IPv6 vs. NAT

A quick reminder: whether you are using private RFC1918 IPv4 addresses or IPv6 addresses, if you don't want people to access your network, you need to configure a firewall.

h2. Wireguard VPN on vpn-2a0ae5c1.ungleich.ch

* Server: vpn-2a0ae5c1.ungleich.ch

* Port: 51820

* Requires a public key

* Client network: 2a0a:e5c1:100::/40

* Client network size: /48

h3. How to add a new customer connection

* Get the public key of the customer

* Edit dot-cdist/type/__ungleich_wireguard/manifest and add the new network definition at the end of the file

* Let the customer know their network

h3. Sample clustomer client configuration

* "Install wireguard":https://www.wireguard.com/install/

* Create your private key: @umask 077; wg genkey > privkey@

* Get your public key: @wg pubkey < privkey@

** You need to send this pubkey to ungleich

* You will get your network definition after we have received your public key

* Create /etc/wireguard/wg0.conf

<pre>

[Interface]

PrivateKey = YOURKEYHERE

Address = YOURIPv6IPADDRESSHERE/48

ListenPort = 51280

[Peer]

PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=

Endpoint = vpn-2a0ae5c1.ungleich.ch:51820

AllowedIPs = ::/0

</pre>

h3. How to setup the VPN (the easy way)

Once you have created the configuration, you can simply call

<pre>

wg-quick up wg0

</pre>

And to stop the VPN, you can use

<pre>

wg-quick down wg0

</pre>

h3. How to setup the VPN (the manual way)

Commands for setting it up

<pre>

MY_NET=2a0a:e5c1:XXXX::1/48

ip link add dev wg0 type wireguard

# Replace with your range

ip addr add $MY_NET dev wg0

# Add routing

ip route add 2a0a:e5c1::/32 dev wg0

ip route add ::/0 via 2a0a:e5c1:100::1

# Configure the interface

wg setconf wg0 /etc/wireguard/wg0.conf

# Bring it up

ip link set wg0 up

</pre>

h3. About usable IPv6 addresses

We route a /48 to everyone. Even though technically possible, you should not use the *zero address* of your network, as it is reserved for reaching all routers.

I.e. if your IPv6 network was 2a0a:e5c1:101::/48, don't use 2a0a:e5c1:101::. The reason for this is that all routers (devices that have ip forwarding enabled) for this network

are supposed to answer on this address.

In other words, in your wg0.conf use:

<pre>

[Interface]

...

Address = 2a0a:e5c1:101::42/48

</pre>

Do *NOT* use:

<pre>

[Interface]

...

# Don't use this

Address = 2a0a:e5c1:101::/48

</pre>

h3. How to debug

* wg show # Show configuration

* ping 2a0a:e5c1:100::1 # Try to ping the gateway

If you want to send us your configuration, you should remove your private key from wg0.conf.

Under Linux/BSD/MacOS you can do that as follows:

<pre>

cat /etc/wireguard/wg0.conf  | sed 's/\(PrivateKey =\).*/\1 MYPRIVATEKEY/'

</pre>

The result could look as follows:

<pre>

root@line:~# cat /etc/wireguard/wg0.conf  | sed 's/\(PrivateKey =\).*/\1 MYPRIVATEKEY/'

[Interface]

PrivateKey = MYPRIVATEKEY

ListenPort = 51280

Address = 2a0a:e5c1:101::42/48

#DNS = 2a0a:e5c0::3, 2a0a:e5c0::4

[Peer]

PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=

Endpoint = vpn-2a0ae5c1.ungleich.ch:51820

AllowedIPs = ::/0

</pre>

h3. Sample server configuration

This is just for reference - as a client you don't need this configuration

/etc/wireguard/wg0.conf:

<pre>

[Interface]

ListenPort = 51820

PrivateKey = SERVERKEYHERE

# Nico, 2019-01-23

[Peer]

PublicKey = kL1S/Ipq6NkFf1MAsNRou4b9VoUsnnb4ZxgiBrH0zA8=

AllowedIPs = 2a0a:e5c1:101::/48

# Customer networks below

# ...

</pre>

Sample server rc.local:

<pre>

ip link add dev wg0 type wireguard

ip addr add 2a0a:e5c1:100::1/40 dev wg0

wg setconf wg0 /etc/wireguard/wg0.conf

ip link set wg0 up

</pre>

h2. OpenVPN on openvpn.ungleich.ch

* Server: openvpn.ungleich.ch

* Port: 1195

* Requires a certificate

* Address range: 2a0a:e5c0:3::/48

** Client networks are /64

*END OF LIFE by 2019-06-30*