GatewayEinrichten

Doku von Freifunk Mainz/Wiesbaden/Umgebung

Kurzanleitung für Ubuntu 14.04

Freifunk Repo zufügen und benötigte Pakete installieren

   aptitude install software-properties-common 
   add-apt-repository ppa:freifunk-mwu/freifunk-ppa
   echo "deb http://repo.universe-factory.net/debian/ sid main" >
/etc/apt/sources.list.d/freifunk.list
   apt-key adv --keyserver keyserver.ubuntu.com --recv 16EF3F64CB201D9C
   aptitude update
   aptitude remove bind9
   aptitude install dnsmasq build-essential bridge-utils git batctl fastd
batman-adv-dkms alfred alfred-json batadv-vis openvpn tinc vnstat vnstati
   aptitude install software-properties-common 
   add-apt-repository ppa:freifunk-mwu/freifunk-ppa
   echo "deb http://repo.universe-factory.net/debian/ sid main" > /etc/apt/sources.list.d/freifunk.list
   apt-key adv --keyserver keyserver.ubuntu.com --recv 16EF3F64CB201D9C
   aptitude update
   aptitude remove bind9
   aptitude install dnsmasq build-essential bridge-utils git batctl fastd batman-adv-dkms alfred alfred-json batadv-vis openvpn tinc vnstat vnstati

Test ob **modprobe batman-adv** eine Fehler ergibt, dann gibt es Probleme mit dem Kernel.

Routing aktivieren

/etc/sysctl.conf

   net.ipv4.ip_forward=1
   net.ipv6.conf.all.forwarding=1
   net.ipv4.ip_forward=1
   net.ipv6.conf.all.forwarding=1

sysctl -p /etc/sysctl.conf

Policyrouting vorbereiten

/etc/iproute2/rt_tables

   70	stuttgart
   42	icvpn
   70	stuttgart
   42	icvpn

Interfaces einrichten (IPs anpassen!!!)

/etc/network/interfaces

   auto ffs-br
   iface ffs-br inet static
      bridge_ports none
      bridge_fd 0
      bridge_maxwait 0
      address 172.21.32.1
      netmask 255.255.192.0
      # be sure all incoming traffic is handled by the appropriate rt_table
      post-up         /sbin/ip rule add iif $IFACE table stuttgart priority
7000
      pre-down        /sbin/ip rule del iif $IFACE table stuttgart priority
7000
      # default route is unreachable
      post-up         /sbin/ip route add unreachable default table
stuttgart
      post-down       /sbin/ip route del unreachable default table
stuttgart

   iface ffs-br inet6 static
      address fd21:b4dc:4b1e::a38:8
      netmask 64
      # ULA route mz for rt_table stuttgart
      post-up         /sbin/ip -6 route add fd21:b4dc:4b1e::/64 proto
static dev $IFACE table stuttgart
      post-down       /sbin/ip -6 route del fd21:b4dc:4b1e::/64 proto
static dev $IFACE table stuttgart

   allow-hotplug ffs-vpn
   iface ffs-vpn inet6 manual
      hwaddress 02:00:0a:38:00:8
      pre-up          /sbin/modprobe batman-adv
      post-up         /usr/sbin/batctl -m bat0 if add $IFACE
      post-up         /sbin/ip link set dev bat0 up

   allow-hotplug bat0
   iface bat0 inet6 manual
      pre-up          /sbin/modprobe batman-adv
      post-up         /sbin/brctl addif ffs-br $IFACE
      post-up         /usr/sbin/batctl -m $IFACE it 10000
      post-up         /usr/sbin/batctl -m $IFACE vm server
      post-up         /usr/sbin/batctl -m $IFACE gw server  96mbit/96mbit
      pre-down        /sbin/brctl delif ffs-br $IFACE || true
   auto ffs-br
   iface ffs-br inet static
      bridge_ports none
      bridge_fd 0
      bridge_maxwait 0
      address 172.21.32.1
      netmask 255.255.192.0
      # be sure all incoming traffic is handled by the appropriate rt_table
      post-up         /sbin/ip rule add iif $IFACE table stuttgart priority 7000
      pre-down        /sbin/ip rule del iif $IFACE table stuttgart priority 7000
      # default route is unreachable
      post-up         /sbin/ip route add unreachable default table stuttgart
      post-down       /sbin/ip route del unreachable default table stuttgart

   iface ffs-br inet6 static
      address fd21:b4dc:4b1e::a38:8
      netmask 64
      # ULA route mz for rt_table stuttgart
      post-up         /sbin/ip -6 route add fd21:b4dc:4b1e::/64 proto static dev $IFACE table stuttgart
      post-down       /sbin/ip -6 route del fd21:b4dc:4b1e::/64 proto static dev $IFACE table stuttgart

   allow-hotplug ffs-vpn
   iface ffs-vpn inet6 manual
      hwaddress 02:00:0a:38:00:8
      pre-up          /sbin/modprobe batman-adv
      post-up         /usr/sbin/batctl -m bat0 if add $IFACE
      post-up         /sbin/ip link set dev bat0 up

   allow-hotplug bat0
   iface bat0 inet6 manual
      pre-up          /sbin/modprobe batman-adv
      post-up         /sbin/brctl addif ffs-br $IFACE
      post-up         /usr/sbin/batctl -m $IFACE it 10000
      post-up         /usr/sbin/batctl -m $IFACE vm server
      post-up         /usr/sbin/batctl -m $IFACE gw server  96mbit/96mbit
      pre-down        /sbin/brctl delif ffs-br $IFACE || true

=== VPN/Fastd einrichten (IPs anpassen!!!) ===

   mkdir /etc/fastd/ffs-vpn
   git clone https://github.com/freifunk-stuttgart/peers-ffs /etc/fastd/ffs-vpn/peers

/etc/fastd/ffs-vpn/fastd.conf

   # error|warn|info|verbose|debug|debug2
   log level info;
   hide ip addresses yes;
   hide mac addresses yes;
   interface "ffs-vpn";
   method "salsa2012+umac";    # new method (faster)
   method "salsa2012+gmac";
   # Bind von v4 and v6 interfaces
   bind 1.2.3.4:10037;
   bind [2001:1111:2222:3333::1]:10037;
   include "secret.conf";
   mtu 1406; # 1492 - IPv4/IPv6 Header - fastd Header...
   include peers from "peers";
   status socket "/var/run/fastd-ffs.status";

=== Key generieren, alternativ vorhandenen nehmen ===

   fastd --generate-key > /etc/fastd/ffs-vpn/gateway.key
   echo -n "secret" >/etc/fastd/ffs-vpn/secret.conf
   cat /etc/fastd/ffs-vpn/gateway.key | head -1 | awk '{print " \""$2"\";"}' >>/etc/fastd/ffs-vpn/secret.conf 
   cat /etc/fastd/ffs-vpn/secret.conf 

Ergebis sollte eine Zeile sein die so aussieht:

   secret "1234567890123456789012345678901234567890123456789012345678901234";

=== Alfred einrichten === /etc/default/alfred

   INTERFACE=ffs-br
   BATMANIF=bat0
   DAEMON_ARGS="--master"

=== dnsmasq konfigurieren === /etc/dnsmasq.d/allgemein

   interface=ffs-br
   interface=bat0
   interface=ffs-vpn
   bind-interfaces
   log-facility=/var/log/dnsmasq.log

/etc/dnsmasq.d/dhcp (IPs anpassen!!!)

   dhcp-authoritative
   #log-dhcp
   domain=freifunk-stuttgart.de
   dhcp-range=set:ffs,172.21.32.21,172.21.33.253,255.255.192.0,5m
   dhcp-option=tag:ffs,3,172.21.32.1
   dhcp-option=tag:ffs,option:dns-server,172.21.32.1,8.8.8.8
   dhcp-option=tag:ffs,option:ntp-server,172.21.32.1
   dhcp-range=set:ffsv6,::,constructor:ffs-br,slaac,ra-only,5m
   dhcp-option=tag:ffsv6,option6:dns-server,fd21:b4dc:4b1e::a38:8
   enable-ra
   ra-param=ffs-br,low,0,0

/etc/dnsmasq.d/dns

   no-resolv
   no-hosts
   cache-size=4096
   #log-queries
   # Forward DNS requests via wan-vpn
   server=85.214.20.141 #@tun0 # FoeBud
   server=213.73.91.35 #@tun0  # dnscache.berlin.ccc.de
   server=141.1.1.1 #@tun0  # 
   server=8.8.8.8 #@tun0  # Google
   server=8.8.4.4 #@tun0  # Google

=== Openvpn Berlin (anderer Anbieter wie CyberGhost) === /etc/openvpn/freifunk.conf

   # Datei von Berlin (xxxxxxx-udp.ovpn) rein kopieren oder umbenennen
   # folgende Zeilen am Anfang hinzufügen
   route-noexec
   script-security 2
   up "openvpn-up"
   down "openvpn-down"

/etc/openvpn/openvpn-up

   #!/bin/sh
   ip rule add from $ifconfig_local table stuttgart priority 9970
   ip route add 0.0.0.0/1 via $route_vpn_gateway dev $dev table stuttgart
   ip route add 128.0.0.0/1 via $route_vpn_gateway dev $dev table stuttgart
   # NAT aktivieren, wird benötigt wenn NICHT Berlin
   #iptables -t nat -A POSTROUTING -o $dev -j MASQUERADE
   exit 0

/etc/openvpn/openvpn-down

   #!/bin/sh
   ip rule del from $ifconfig_local table stuttgart priority 9970
   # NAT deaktivieren, wird benötigt wenn NICHT Berlin
   #iptables -t nat -D POSTROUTING -o $dev -j MASQUERADE
   exit 0

chmod +x /etc/openvpn/openvpn-*

reboot

=== Funktionstest kann beginnen ===

=== Freifunk Aktualisierungen ===

/etc/crontab

   _ */3 * * * *     root    update-freifunk

/usr/local/bin/update-freifunk

   #!/bin/sh
   # Peers aktualisieren
   cd /etc/fastd/ffs-vpn/peers
   git pull -q
   # fastd Config reload
   killall -SIGHUP fastd
   # VPN Status
   connections.py >/var/www/html/fastd.html

====== Gateway sicher vom Netz nehmen ======

Wenn ein Gateway aus dem Netz raus soll, bitte wiefolgt vorgehen, damit es keine Ausfälle bei den Nodes und Clients gibt

  * batctl gw off
  * 1 Minute warten
  * DHCP Server deaktivieren, bei Dnsmasq die Datei /etc/dnsmasq.d/dhcp entfernen und dnsmasq neu starten
  * 10 Minuten warten, damit die Clients eine IP vom Alternativ-DHCP Server bekommen
  * fastd beenden

{{tag>gw setup howto}}

Page last modified on 26 Mai 2015 12:50 Uhr