
Revision 17 (Nico Schottelius, 04/17/2019 04:12 PM) → Revision 18/31 (Nico Schottelius, 04/19/2019 06:42 PM)

h1. The ungleich VPN infrastructure 

 {{toc}} 

 h2. Status 

 This document is *IN PRODUCTION*. 

h2. Security of IPv6 vs. NAT

A quick reminder: using private RFC 1918 IPv4 addresses behind NAT does not keep people out of your network any more than using IPv6 addresses does. If you don't want people to access your network, you need to configure a firewall.

 h2. Wireguard VPN on vpn-2a0ae5c1.ungleich.ch 

 * Server: vpn-2a0ae5c1.ungleich.ch 
 * Port: 51820 
 * Requires a public key 
 * Client network: 2a0a:e5c1:100::/40 
 * Client network size: /48 

 h3. How to add a new customer connection 

 * Get the public key of the customer 
 * Edit dot-cdist/type/__ungleich_wireguard/manifest and add the new network definition at the end of the file 
 * Let the customer know their network 
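As an added example (not part of this wiki page and not ungleich's cdist type), the Python script below does the bookkeeping behind the three steps above on the server side: it validates the customer's public key, finds the lowest /48 inside 2a0a:e5c1:100::/40 that no existing peer uses, and prints the [Peer] stanza to append. The cdist manifest format is not shown on this page, so the script emits plain wg0.conf syntax like the sample server configuration further down; the server configuration excerpt and the customer key are constructed, and reserving 2a0a:e5c1:100::/48 for the gateway itself is an assumption.

```python
import base64
import ipaddress
import re

# Values from the wiki page
CLIENT_NETWORK = ipaddress.ip_network("2a0a:e5c1:100::/40")
CLIENT_PREFIX = 48
# Assumption: the gateway address 2a0a:e5c1:100::1 lives in this /48, so it
# is never handed out to a customer.
RESERVED = {ipaddress.ip_network("2a0a:e5c1:100::/48")}

# Constructed excerpt of the server's wg0.conf (one peer already allocated,
# taken from the wiki's sample server configuration).
SERVER_CONF = """\
[Interface]
ListenPort = 51820
PrivateKey = SERVERKEYHERE

# Nico, 2019-01-23
[Peer]
PublicKey = kL1S/Ipq6NkFf1MAsNRou4b9VoUsnnb4ZxgiBrH0zA8=
AllowedIPs = 2a0a:e5c1:101::/48
"""

# Constructed customer key: base64 of the bytes 0..31, NOT a real key.
EXAMPLE_PUBKEY = "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8="


def is_wg_key(key):
    """A WireGuard key is 32 raw bytes, base64-encoded: 44 characters."""
    try:
        return len(key) == 44 and len(base64.b64decode(key, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def used_networks(server_conf):
    """Every prefix already present in an AllowedIPs line of the server config."""
    nets = set()
    for m in re.finditer(r"^[ \t]*AllowedIPs[ \t]*=[ \t]*(.+)$", server_conf, re.MULTILINE):
        for item in m.group(1).split(","):
            nets.add(ipaddress.ip_network(item.strip()))
    return nets


def next_free_network(server_conf):
    """Lowest /48 inside CLIENT_NETWORK that is neither reserved nor allocated."""
    taken = used_networks(server_conf) | RESERVED
    for candidate in CLIENT_NETWORK.subnets(new_prefix=CLIENT_PREFIX):
        if candidate not in taken:
            return candidate
    raise RuntimeError("no free /%d left in %s" % (CLIENT_PREFIX, CLIENT_NETWORK))


def peer_stanza(customer, pubkey, server_conf):
    """Return (network, stanza) for a new customer; refuse bad or duplicate keys."""
    if not is_wg_key(pubkey):
        raise ValueError("not a WireGuard public key: %r" % pubkey)
    if pubkey in server_conf:
        raise ValueError("this public key already has a peer entry")
    net = next_free_network(server_conf)
    # AllowedIPs limited to the customer's own /48: WireGuard then drops any
    # packet arriving from this peer whose source address is outside that prefix.
    stanza = "\n# %s\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n" % (customer, pubkey, net)
    return net, stanza


if __name__ == "__main__":
    net, stanza = peer_stanza("Example customer, 2019-04-19", EXAMPLE_PUBKEY, SERVER_CONF)
    print("Tell the customer their network is %s" % net)
    print(stanza)
```

Keeping AllowedIPs to exactly one /48 per peer is what gives the server its source-address filtering: WireGuard's cryptokey routing only accepts a decrypted packet from a peer if its source address falls within that peer's AllowedIPs, so a customer cannot inject traffic with another customer's addresses.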

h3. Sample customer client configuration

 * "Install wireguard":https://www.wireguard.com/install/ 
 * Create your private key: @umask 077; wg genkey > privkey@ 
 * Get your public key: @wg pubkey < privkey@ 
 ** You need to send this pubkey to ungleich 
 * You will get your network definition after we have received your public key 
 * Create /etc/wireguard/wg0.conf 

 <pre> 
 [Interface] 
 PrivateKey = YOURKEYHERE 
 Address = YOURIPv6IPADDRESSHERE/48 
 ListenPort = 51280 

 [Peer] 
 PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ= 
 Endpoint = vpn-2a0ae5c1.ungleich.ch:51820 
 AllowedIPs = ::/0 
 </pre> 

 h3. How to setup the VPN (the easy way) 

 Once you have created the configuration, you can simply call 

 <pre> 
 wg-quick up wg0 
 </pre> 

 And to stop the VPN, you can use 

 <pre> 
 wg-quick down wg0 
 </pre> 

h3. How to setup the VPN (the manual way)

Commands for setting it up:

<pre>
# Replace with your range
MY_NET=2a0a:e5c1:XXXX::1/48

ip link add dev wg0 type wireguard
ip addr add $MY_NET dev wg0

# Add routing
ip route add 2a0a:e5c1::/32 dev wg0
ip route add ::/0 via 2a0a:e5c1:100::1

# Configure the interface
wg setconf wg0 /etc/wireguard/wg0.conf

# Bring it up
ip link set wg0 up
</pre>

h3. About usable IPv6 addresses

We route a /48 to everyone. Even though it is technically possible, you should not use the *zero address* of your network (the address whose host bits are all zero), because it is reserved as the subnet-router anycast address: all routers (devices that have IP forwarding enabled) for this network are supposed to answer on it. For example, if your IPv6 network is 2a0a:e5c1:101::/48, don't use 2a0a:e5c1:101:: itself.

 In other words, in your wg0.conf use: 

 <pre> 
 [Interface] 
 ... 
 Address = 2a0a:e5c1:101::42/48 
 </pre> 

 Do *NOT* use: 

 <pre> 
 [Interface] 
 ... 
 # Don't use this 
 Address = 2a0a:e5c1:101::/48 
 </pre> 


h3. How to debug

* @wg show@ - show the current configuration and peer status
* @ping 2a0a:e5c1:100::1@ - try to ping the gateway

If you want to send us your configuration, remove your private key from wg0.conf first.
Under Linux/BSD/macOS you can do that as follows (the command prints a redacted copy to standard output and leaves the file itself untouched):

 <pre> 
 cat /etc/wireguard/wg0.conf    | sed 's/\(PrivateKey =\).*/\1 MYPRIVATEKEY/' 
 </pre> 

 The result could look as follows: 

 <pre> 
 root@line:~# cat /etc/wireguard/wg0.conf    | sed 's/\(PrivateKey =\).*/\1 MYPRIVATEKEY/' 
 [Interface] 
 PrivateKey = MYPRIVATEKEY 
 ListenPort = 51280 
 Address = 2a0a:e5c1:101::42/48 
 #DNS = 2a0a:e5c0::3, 2a0a:e5c0::4 

 [Peer] 
 PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ= 
 Endpoint = vpn-2a0ae5c1.ungleich.ch:51820 
 AllowedIPs = ::/0 
 </pre> 
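The points made in the two sections above (don't use the zero address of your /48, and strip the private key before sharing the file) can be checked mechanically. The following Python script is an added example and not part of the original wiki page or ungleich's tooling: it parses a client wg0.conf, reports the mistakes this page warns about, and produces the same redacted copy as the sed one-liner. The client range 2a0a:e5c1:100::/40, the /48 size and the server endpoint are taken from this page; the sample configuration and its private key are constructed and not real.

```python
import ipaddress
import re
import sys

# Values from the wiki page
CLIENT_NETWORK = ipaddress.ip_network("2a0a:e5c1:100::/40")
CLIENT_PREFIX = 48
SERVER_ENDPOINT = "vpn-2a0ae5c1.ungleich.ch:51820"

# Constructed sample: the private key is fake, and the Address is the zero
# address of the /48, i.e. exactly the mistake the wiki warns about.
SAMPLE_CONF = """\
[Interface]
PrivateKey = FAKEPRIVATEKEYFORTHEEXAMPLE0000000000000000=
ListenPort = 51280
Address = 2a0a:e5c1:101::/48
#DNS = 2a0a:e5c0::3, 2a0a:e5c0::4

[Peer]
PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=
Endpoint = vpn-2a0ae5c1.ungleich.ch:51820
AllowedIPs = ::/0
"""

ZERO_ADDRESS_MSG = "Interface: Address is the zero address of the /48 (subnet-router anycast)"


def parse_wg_conf(text):
    """Parse the INI-like WireGuard format into a list of (section, {key: value})."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            sections.append(current)
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current[1][key] = value
    return sections


def check_client_conf(text):
    """Return a list of problems found in a client wg0.conf (empty list means OK).
    Assumes one [Interface] with a single Address and one [Peer]."""
    problems = []
    sections = dict(parse_wg_conf(text))
    iface = sections.get("Interface", {})
    peer = sections.get("Peer", {})

    if "Address" not in iface:
        problems.append("Interface: Address missing")
    else:
        try:
            addr = ipaddress.ip_interface(iface["Address"])
        except ValueError:
            problems.append("Interface: Address is not a valid address/prefix")
        else:
            if addr.version != 6 or addr.network.prefixlen != CLIENT_PREFIX:
                problems.append("Interface: Address must be an IPv6 address with a /48 prefix")
            elif not addr.network.subnet_of(CLIENT_NETWORK):
                problems.append("Interface: %s is outside %s" % (addr.network, CLIENT_NETWORK))
            # Compare addresses, not text: 2a0a:e5c1:101:0:0:0:0:0/48 is caught too.
            if addr.ip == addr.network.network_address:
                problems.append(ZERO_ADDRESS_MSG)

    if iface.get("PrivateKey", "") in ("", "YOURKEYHERE"):
        problems.append("Interface: PrivateKey not set")
    if "PublicKey" not in peer:
        problems.append("Peer: PublicKey missing")
    if peer.get("Endpoint") != SERVER_ENDPOINT:
        problems.append("Peer: Endpoint should be %s" % SERVER_ENDPOINT)
    if peer.get("AllowedIPs") != "::/0":
        problems.append("Peer: AllowedIPs should be ::/0 so all IPv6 traffic uses the VPN")
    return problems


PRIVATE_KEY_RE = re.compile(r"^([ \t]*PrivateKey[ \t]*=).*$", re.MULTILINE)


def redact_private_key(text, placeholder="MYPRIVATEKEY"):
    """Replace the PrivateKey value so the file can be shared (same effect as
    the sed one-liner in the wiki), keeping every other line unchanged."""
    return PRIVATE_KEY_RE.sub(r"\1 " + placeholder, text)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for problem in check_client_conf(text) or ["no problems found"]:
        print(problem)
    print("--- redacted copy, safe to send to support ---")
    print(redact_private_key(text), end="")
```

Run it as @python3 check_wg0.py /etc/wireguard/wg0.conf@ (a hypothetical file name) to lint your own configuration; without an argument it runs on the constructed sample and reports the zero-address mistake.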



 h3. Sample server configuration 

This is just for reference; as a client you don't need this configuration.

 /etc/wireguard/wg0.conf: 

 <pre> 
 [Interface] 
 ListenPort = 51820 
 PrivateKey = SERVERKEYHERE 

 # Nico, 2019-01-23 
 [Peer] 
 PublicKey = kL1S/Ipq6NkFf1MAsNRou4b9VoUsnnb4ZxgiBrH0zA8= 
 AllowedIPs = 2a0a:e5c1:101::/48 

 # Customer networks below 
 # ... 
 </pre> 

 Sample server rc.local: 

 <pre> 
 ip link add dev wg0 type wireguard 
 ip addr add 2a0a:e5c1:100::1/40 dev wg0 
 wg setconf wg0 /etc/wireguard/wg0.conf 
 ip link set wg0 up 

 </pre> 

 h2. OpenVPN on openvpn.ungleich.ch 

 * Server: openvpn.ungleich.ch 
 * Port: 1195 
 * Requires a certificate 
 * Address range: 2a0a:e5c0:3::/48 
 ** Client networks are /64 

*END OF LIFE* - to be retired by 2019-06-30.