The ungleich VPN infrastructure » History » Version 28

Nico Schottelius, 12/11/2019 03:05 PM

h1. The ungleich VPN infrastructure

{{toc}}

h2. Status

This document is *IN PRODUCTION*.

h2. How to get VPN

* If you are a VM user of DataCenterLight, you get it for free
* Otherwise you can book it at https://IPv6VPN.ch
* In both cases, send a request to support at ungleich.ch

Technically, the following steps are necessary:

<pre>
1. Install Wireguard
 https://www.wireguard.com/install/

2. Create your private key:
 umask 077; wg genkey > privkey

3. Get your public key
  wg pubkey < privkey

4. Send us the pubkey
</pre>

If you want to be fast, you can already take these steps before contacting support.

h2. Security of IPv6 vs. NAT

A quick reminder: whether you are using private RFC1918 IPv4 addresses or IPv6 addresses, if you don't want people to access your network, you need to configure a firewall.

h2. Wireguard VPN on vpn-2a0ae5c1.ungleich.ch

* Server: vpn-2a0ae5c1.ungleich.ch
* Port: 51820
* Requires a public key
* Client network: 2a0a:e5c1:100::/40
* Client network size: /48

h3. How to add a new customer connection

* Get the public key of the customer
* Edit dot-cdist/type/__ungleich_wireguard/manifest and add the new network definition at the end of the file
* Let the customer know their network

h3. Sample customer client configuration

* "Install wireguard":https://www.wireguard.com/install/
* Create your private key: @umask 077; wg genkey > privkey@
* Get your public key: @wg pubkey < privkey@
** You need to send this pubkey to ungleich
* You will get your network definition after we have received your public key
* Create /etc/wireguard/wg0.conf

<pre>
[Interface]
PrivateKey = YOURKEYHERE
Address = YOURIPv6IPADDRESSHERE/48
ListenPort = 51280

[Peer]
PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=
Endpoint = vpn-2a0ae5c1.ungleich.ch:51820
AllowedIPs = ::/0
</pre>

* *ONLY change* the PrivateKey and the Address entries.
* *ALL other entries* (especially PublicKey, Endpoint and AllowedIPs) need to *stay as is*.

h3. How to set up the VPN (the easy way)

Once you have created the configuration, you can simply call

<pre>
wg-quick up wg0
</pre>

And to stop the VPN, you can use

<pre>
wg-quick down wg0
</pre>

h3. How to set up the VPN (the manual way)

Commands for setting it up:

<pre>
# Replace with your range
MY_NET=2a0a:e5c1:XXXX::1/48

ip link add dev wg0 type wireguard

# Configure the interface (keys, peer, endpoint) from wg0.conf
wg setconf wg0 /etc/wireguard/wg0.conf

# Assign your address
ip addr add $MY_NET dev wg0

# Bring it up before adding routes, otherwise the kernel refuses them
ip link set wg0 up

# Add routing
ip route add 2a0a:e5c1::/32 dev wg0
ip route add ::/0 via 2a0a:e5c1:100::1
</pre>

h3. About usable IPv6 addresses

We route a /48 to everyone. Even though technically possible, you should not use the *zero address* of your network, as it is reserved for reaching all routers. I.e. if your IPv6 network was 2a0a:e5c1:101::/48, don't use 2a0a:e5c1:101::. The reason for this is that all routers (devices that have IP forwarding enabled) for this network are supposed to answer on this address.

In other words, in your wg0.conf use:

<pre>
[Interface]
...
Address = 2a0a:e5c1:101::42/48
</pre>

Do *NOT* use:

<pre>
[Interface]
...
# Don't use this
Address = 2a0a:e5c1:101::/48
</pre>

h3. How to debug

* @wg show@ # Show configuration
* @ping 2a0a:e5c1:100::1@ # Try to ping the gateway

If you want to send us your configuration, you should remove your private key from wg0.conf. Under Linux/BSD/MacOS you can do that as follows:

<pre>
cat /etc/wireguard/wg0.conf  | sed 's/\(PrivateKey =\).*/\1 MYPRIVATEKEY/'
</pre>

The result could look as follows:

<pre>
root@line:~# cat /etc/wireguard/wg0.conf  | sed 's/\(PrivateKey =\).*/\1 MYPRIVATEKEY/'
[Interface]
PrivateKey = MYPRIVATEKEY
ListenPort = 51280
Address = 2a0a:e5c1:101::42/48
#DNS = 2a0a:e5c0::3, 2a0a:e5c0::4

[Peer]
PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=
Endpoint = vpn-2a0ae5c1.ungleich.ch:51820
AllowedIPs = ::/0
</pre>
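
The client rules stated in the sections above (only PrivateKey and Address may differ from the sample, and the zero address of your /48 must not be used) and the private-key redaction can be checked in one go before a config is sent to support. The following Python script is an added example and not part of the ungleich wiki or its tooling; the embedded wg0.conf is constructed with a placeholder private key, @check()@ returns the list of rule violations and @redact()@ mirrors the sed one-liner.

```python
"""Check and redact an ungleich WireGuard client wg0.conf. Added example, not the wiki
page's own code: it enforces the rules the page states and mirrors its sed redaction."""
import ipaddress
import re

# Fixed [Peer] values from the page's sample client configuration; these must not change.
EXPECTED_PEER = {"PublicKey": "hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=",
                 "Endpoint": "vpn-2a0ae5c1.ungleich.ch:51820", "AllowedIPs": "::/0"}

def parse(conf):
    """Return {section: {key: value}} for an INI-style WireGuard config."""
    result, section = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            result[section] = {}
        elif "=" in line and section is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            result[section][key] = value
    return result

def check(conf):
    """Return a list of problems; an empty list means the config follows the rules."""
    cfg, problems = parse(conf), []
    for key, want in EXPECTED_PEER.items():
        if cfg.get("Peer", {}).get(key) != want:
            problems.append(f"[Peer] {key} must stay '{want}'")
    try:
        iface = ipaddress.IPv6Interface(cfg.get("Interface", {}).get("Address", ""))
    except ValueError:
        return problems + ["[Interface] Address is missing or not a valid IPv6 address"]
    if iface.ip == iface.network.network_address:  # e.g. 2a0a:e5c1:101::/48
        problems.append(f"{iface.ip} is the zero (subnet-router anycast) address")
    return problems

def redact(conf):
    """Replace the private key with a placeholder, as the page's sed one-liner does."""
    return re.sub(r"(PrivateKey =).*", r"\1 MYPRIVATEKEY", conf)

# Constructed sample config (the private key is a placeholder, not a real key);
# BAD_CONF is the same file with the two mistakes the page warns about.
GOOD_CONF = """[Interface]
PrivateKey = CLIENTKEYPLACEHOLDER
Address = 2a0a:e5c1:101::42/48
[Peer]
PublicKey = hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=
Endpoint = vpn-2a0ae5c1.ungleich.ch:51820
AllowedIPs = ::/0
"""
BAD_CONF = GOOD_CONF.replace("::42/48", "::/48").replace("AllowedIPs = ::/0", "AllowedIPs = 2a0a:e5c1::/32")
```

Running @check(BAD_CONF)@ reports both the zero address and the altered AllowedIPs, while @redact(GOOD_CONF)@ yields the same "PrivateKey = MYPRIVATEKEY" line as the sed command above.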

h3. Sample server configuration

This is just for reference - as a client you don't need this configuration.

/etc/wireguard/wg0.conf:

<pre>
[Interface]
ListenPort = 51820
PrivateKey = SERVERKEYHERE

# Nico, 2019-01-23
[Peer]
PublicKey = kL1S/Ipq6NkFf1MAsNRou4b9VoUsnnb4ZxgiBrH0zA8=
AllowedIPs = 2a0a:e5c1:101::/48

# Customer networks below
# ...
</pre>

Sample server rc.local:

<pre>
ip link add dev wg0 type wireguard
ip addr add 2a0a:e5c1:100::1/40 dev wg0
wg setconf wg0 /etc/wireguard/wg0.conf
ip link set wg0 up
</pre>

h3. How to configure WireGuard on a mobile phone (Android / iOS)

You should fill out the DNS field, e.g. for IPv6 DNS use 2a0a:e5c0::3 or 2a0a:e5c0::4. You should also assign the phone its own IP address, e.g.:

<pre>
laptop Address = 2a0a:e5c1:101::42/48
phone  Address = 2a0a:e5c1:101::43/48
</pre>

Everything else is the same as in the client configuration.

h3. How to configure IPv6 DNS on WireGuard (if it can't find DNS)

You should fill out the DNS field, e.g. for IPv6 DNS use 2a0a:e5c0::3 or 2a0a:e5c0::4:

<pre>
DNS = 2a0a:e5c0::3
</pre>

h2. OpenVPN on openvpn.ungleich.ch

* Server: openvpn.ungleich.ch
* Port: 1195
* Requires a certificate
* Address range: 2a0a:e5c0:3::/48
** Client networks are /64

*END OF LIFE by 2019-06-30*