Documentation from Freifunk Mainz/Wiesbaden/surrounding area
====== Quick guide for Ubuntu 14.04 ======
=== Add the Freifunk repo and install the required packages ===
<code bash>
aptitude install software-properties-common
add-apt-repository ppa:freifunk-mwu/freifunk-ppa
echo "deb http://repo.universe-factory.net/debian/ sid main" > /etc/apt/sources.list.d/freifunk.list
apt-key adv --keyserver keyserver.ubuntu.com --recv 16EF3F64CB201D9C
aptitude update
aptitude remove bind9
aptitude install dnsmasq build-essential bridge-utils git batctl fastd batman-adv-dkms alfred alfred-json batadv-vis openvpn tinc vnstat vnstati
</code>

The universe-factory repository is fetched over plain HTTP, so package integrity rests entirely on the key imported by **apt-key adv**; that command only pins a key ID retrieved from a keyserver, so compare the fingerprint of the imported key with the one the repository operator publishes before running **aptitude update**.
Check whether **modprobe batman-adv** returns an error; if it does, there is a problem with the kernel module (it comes from batman-adv-dkms above, so check that the DKMS build succeeded for the running kernel).
=== Enable routing ===
/etc/sysctl.conf
<code>
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
</code>
sysctl -p /etc/sysctl.conf
=== Prepare policy routing ===
/etc/iproute2/rt_tables
<code>
70 stuttgart
42 icvpn
</code>
=== Set up interfaces (adjust the IPs!!!) ===

Everything that enters through ffs-br is forced into the routing table stuttgart, whose default route is **unreachable** until the OpenVPN up script further down installs one. A lookup that hits that unreachable route ends rule processing, so client traffic cannot fall through to the gateway's own default route in the main table while the VPN is down. After **ifup**, verify with **ip rule show** and **ip route show table stuttgart**.
/etc/network/interfaces
<code>
auto ffs-br
iface ffs-br inet static
    bridge_ports none
    bridge_fd 0
    bridge_maxwait 0
    address 172.21.32.1
    netmask 255.255.192.0
    # be sure all incoming traffic is handled by the appropriate rt_table
    post-up /sbin/ip rule add iif $IFACE table stuttgart priority 7000
    pre-down /sbin/ip rule del iif $IFACE table stuttgart priority 7000
    # default route is unreachable
    post-up /sbin/ip route add unreachable default table stuttgart
    post-down /sbin/ip route del unreachable default table stuttgart

iface ffs-br inet6 static
    address fd21:b4dc:4b1e::a38:8
    netmask 64
    # ULA route mz for rt_table stuttgart
    post-up /sbin/ip -6 route add fd21:b4dc:4b1e::/64 proto static dev $IFACE table stuttgart
    post-down /sbin/ip -6 route del fd21:b4dc:4b1e::/64 proto static dev $IFACE table stuttgart

allow-hotplug ffs-vpn
iface ffs-vpn inet6 manual
    hwaddress 02:00:0a:38:00:8
    pre-up /sbin/modprobe batman-adv
    post-up /usr/sbin/batctl -m bat0 if add $IFACE
    post-up /sbin/ip link set dev bat0 up

allow-hotplug bat0
iface bat0 inet6 manual
    pre-up /sbin/modprobe batman-adv
    post-up /sbin/brctl addif ffs-br $IFACE
    post-up /usr/sbin/batctl -m $IFACE it 10000
    post-up /usr/sbin/batctl -m $IFACE vm server
    post-up /usr/sbin/batctl -m $IFACE gw server 96mbit/96mbit
    pre-down /sbin/brctl delif ffs-br $IFACE || true
</code>
=== Set up VPN/fastd (adjust the IPs!!!) ===
<code bash>
mkdir /etc/fastd/ffs-vpn
git clone https://github.com/freifunk-stuttgart/peers-ffs /etc/fastd/ffs-vpn/peers
</code>
/etc/fastd/ffs-vpn/fastd.conf
<code>
# error|warn|info|verbose|debug|debug2
log level info;

hide ip addresses yes;
hide mac addresses yes;

interface "ffs-vpn";

# new method (faster)
method "salsa2012+umac";
method "salsa2012+gmac";

# Bind to the v4 and v6 addresses
bind 1.2.3.4:10037;
bind [2001:1111:2222:3333::1]:10037;

include "secret.conf";

mtu 1406; # 1492 - IPv4/IPv6 header - fastd header...

include peers from "peers";

status socket "/var/run/fastd-ffs.status";
</code>
=== Generate a key (or use an existing one) ===
<code bash>
fastd --generate-key > /etc/fastd/ffs-vpn/gateway.key
echo -n "secret" > /etc/fastd/ffs-vpn/secret.conf
cat /etc/fastd/ffs-vpn/gateway.key | head -1 | awk '{print " \""$2"\";"}' >> /etc/fastd/ffs-vpn/secret.conf
cat /etc/fastd/ffs-vpn/secret.conf
</code>

Both gateway.key and secret.conf contain the gateway's private key. They are created with the default umask here, so restrict them to the user fastd runs as before starting the daemon; anyone who can read them can impersonate the gateway towards every node.
The result should be a single line that looks like this:

<code>
secret "1234567890123456789012345678901234567890123456789012345678901234";
</code>
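The one-liner above writes whatever the second field of the first line happens to be. The following script is an added example (not part of this wiki page or of fastd) that does the same job but checks the secret is exactly 64 hex digits and writes secret.conf with owner-only permissions. It assumes the output format of **fastd --generate-key** (a line "Secret: <hex>" followed by "Public: <hex>"); the sample key pair embedded for the stand-alone run is constructed and not a real key.

```shell
#!/bin/sh
# Added example, not from the wiki page: build secret.conf from the output of
# "fastd --generate-key" and check the result before fastd ever reads it.
# Assumption: generate-key prints "Secret: <64 hex>" and "Public: <64 hex>".
set -u

# Read generate-key output on stdin and print  secret "<hex>";
# Returns 1 (prints nothing) if the secret is missing or not 64 hex digits.
secret_line() {
    key=$(awk '$1 == "Secret:" { print $2; exit }')
    case "$key" in
        *[!0-9a-f]*|'') return 1 ;;
    esac
    [ "${#key}" -eq 64 ] || return 1
    printf 'secret "%s";\n' "$key"
}

# Write secret.conf (arg 2) from a saved key file (arg 1) with mode 0600,
# via a temp file so a half-written config is never left behind.
write_secret_conf() {
    keyfile=$1
    out=$2
    umask 077
    tmp="$out.tmp.$$"
    if secret_line < "$keyfile" > "$tmp"; then
        mv "$tmp" "$out"
    else
        rm -f "$tmp"
        echo "no valid 64-hex-digit secret in $keyfile" >&2
        return 1
    fi
}

# Constructed sample of generate-key output (NOT a real key pair), used for
# the stand-alone run below.
sample_keyfile() {
    cat <<'EOF'
Secret: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Public: fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
EOF
}

# On the gateway:
#   fastd --generate-key > /etc/fastd/ffs-vpn/gateway.key
#   write_secret_conf /etc/fastd/ffs-vpn/gateway.key /etc/fastd/ffs-vpn/secret.conf
sample_keyfile | secret_line
```

Run once on a real gateway.key; if the function prints nothing and exits non-zero, the key file is not what fastd produced and must not be used.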
=== Set up Alfred ===
/etc/default/alfred
<code>
INTERFACE=ffs-br
BATMANIF=bat0
DAEMON_ARGS="--master"
</code>
=== Configure dnsmasq ===
/etc/dnsmasq.d/allgemein
<code>
interface=ffs-br
interface=bat0
interface=ffs-vpn
bind-interfaces
log-facility=/var/log/dnsmasq.log
</code>
/etc/dnsmasq.d/dhcp (adjust the IPs!!!)
<code>
dhcp-authoritative
#log-dhcp
domain=freifunk-stuttgart.de
dhcp-range=set:ffs,172.21.32.21,172.21.33.253,255.255.192.0,5m
dhcp-option=tag:ffs,3,172.21.32.1
dhcp-option=tag:ffs,option:dns-server,172.21.32.1,8.8.8.8
dhcp-option=tag:ffs,option:ntp-server,172.21.32.1
dhcp-range=set:ffsv6,::,constructor:ffs-br,slaac,ra-only,5m
dhcp-option=tag:ffsv6,option6:dns-server,fd21:b4dc:4b1e::a38:8
enable-ra
ra-param=ffs-br,low,0,0
</code>
/etc/dnsmasq.d/dns
<code>
no-resolv
no-hosts
cache-size=4096
#log-queries
# Forward DNS requests via wan-vpn
server=85.214.20.141 #@tun0 # FoeBud
server=213.73.91.35 #@tun0 # dnscache.berlin.ccc.de
server=141.1.1.1 #@tun0
# server=8.8.8.8 #@tun0 # Google
server=8.8.4.4 #@tun0 # Google
</code>
=== OpenVPN Berlin (or another provider such as CyberGhost) ===
/etc/openvpn/freifunk.conf
<code>
# Copy in the file from Berlin (xxxxxxx-udp.ovpn) or rename it,
# then add the following lines at the top
route-noexec
script-security 2
up "openvpn-up"
down "openvpn-down"
</code>

**route-noexec** keeps OpenVPN from touching the main routing table; the up script below installs the VPN default route only in table stuttgart, so only client traffic from ffs-br leaves through the tunnel.
/etc/openvpn/openvpn-up
<code bash>
#!/bin/sh
ip rule add from $ifconfig_local table stuttgart priority 9970
ip route add 0.0.0.0/1 via $route_vpn_gateway dev $dev table stuttgart
ip route add 128.0.0.0/1 via $route_vpn_gateway dev $dev table stuttgart
# Enable NAT; needed when the provider is NOT Berlin
#iptables -t nat -A POSTROUTING -o $dev -j MASQUERADE
exit 0
</code>
/etc/openvpn/openvpn-down
<code bash>
#!/bin/sh
ip rule del from $ifconfig_local table stuttgart priority 9970
# Disable NAT; needed when the provider is NOT Berlin
#iptables -t nat -D POSTROUTING -o $dev -j MASQUERADE
exit 0
</code>

The two /1 routes added in the up script are not deleted here; they disappear together with the tun device when OpenVPN goes down, and table stuttgart falls back to its unreachable default.
chmod +x /etc/openvpn/openvpn-*
reboot
=== Functional testing can begin ===
=== Freifunk updates ===
/etc/crontab
<code>
*/3 * * * * root update-freifunk
</code>
/usr/local/bin/update-freifunk
<code bash>
#!/bin/sh
# Update peers (abort if the directory is missing instead of pulling elsewhere)
cd /etc/fastd/ffs-vpn/peers || exit 1
git pull -q
# Reload the fastd config
killall -SIGHUP fastd
# VPN status
connections.py > /var/www/html/fastd.html
</code>

Note what this cron job implies: every three minutes the gateway takes whatever is in the peers-ffs repository and hands it to fastd. Whoever can push to that repository decides which nodes may join the VPN; **git pull** over HTTPS checks the server's certificate, not the content.
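A variant of the update job, added here as an example (not the page's own update-freifunk and not part of the peers-ffs project), that refuses to reload fastd when a freshly pulled peer file does not carry a well-formed key. It assumes the fastd peer file syntax (a line of the form **key "<64 hex digits>";**) and the paths and signal used on this page; the peer files written in the stand-alone run are constructed.

```shell
#!/bin/sh
# Added example, not the page's update-freifunk: validate the pulled peers
# before telling fastd to re-read them.
# Assumptions: peer files are fastd peer configs with exactly one
#   key "<64 hex digits>";
# line each; paths and the SIGHUP reload are as on the wiki page.
set -u

PEERS_DIR=${PEERS_DIR:-/etc/fastd/ffs-vpn/peers}

# Return 0 if the file has exactly one key line whose value is 64 lowercase
# hex digits in double quotes. Length is checked explicitly because not every
# awk (e.g. older mawk) supports {64} interval expressions.
valid_peer() {
    awk '
        $1 == "key" {
            n++
            v = $2
            sub(/;$/, "", v)
            if (length(v) != 66 || v !~ /^"[0-9a-f]+"$/) bad = 1
        }
        END { exit (n != 1 || bad) ? 1 : 0 }
    ' "$1"
}

# Check every regular file in the peers directory (.git is skipped by the
# glob). Print the offenders and return 1 if any is rejected.
check_peers() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if ! valid_peer "$f"; then
            echo "rejecting peer file: $f" >&2
            rc=1
        fi
    done
    return $rc
}

# The cron job body: pull fast-forward only, validate, and only then reload.
update_and_reload() {
    cd "$PEERS_DIR" || exit 1
    git pull -q --ff-only || exit 1
    check_peers "$PEERS_DIR" || exit 1
    killall -SIGHUP fastd
}

# Stand-alone use: "sh update-freifunk --run". Without --run only the
# functions are defined, so the checks can be exercised on a scratch directory.
if [ "${1:-}" = "--run" ]; then
    update_and_reload
fi
```

A rejected pull leaves the repository checked out at the bad commit, but fastd keeps running with the peers it already loaded; the next cron run retries, and the message in the cron mail names the offending file.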
====== Taking a gateway off the network safely ======
If a gateway is to be taken out of the network, proceed as follows so that nodes and clients do not suffer an outage:
  * batctl gw off
  * wait 1 minute
  * disable the DHCP server: with dnsmasq, remove the file /etc/dnsmasq.d/dhcp and restart dnsmasq
  * wait 10 minutes so that the clients get an IP from the alternative DHCP server (the leases handed out above are 5 minutes long)
  * stop fastd
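The same sequence as a script, added here as an example (not part of the wiki page) with a dry-run mode that only prints the commands so the order can be reviewed before it is run on a live gateway. Assumptions not stated on the page: batman runs on bat0 (as in the interfaces file above), dnsmasq and fastd are controlled with **service <name> restart|stop**, and the DHCP config is moved aside to /etc/dnsmasq.d/dhcp.disabled rather than deleted so the gateway can be brought back with the companion function.

```shell
#!/bin/sh
# Added example, not from the wiki page: the decommissioning steps as a script.
# Assumptions: bat0 is the batman interface, "service dnsmasq|fastd" exists,
# and the DHCP config is parked as dhcp.disabled instead of being deleted.
set -u

DHCP_CONF=${DHCP_CONF:-/etc/dnsmasq.d/dhcp}

# Run a command, or only print it when DRY_RUN is set to anything but 0.
run() {
    if [ "${DRY_RUN:-0}" != 0 ]; then
        echo "$*"
    else
        "$@"
    fi
}

decommission_gateway() {
    # 1. stop announcing as a batman gateway; the page says to give the
    #    nodes one minute to select another one
    run batctl -m bat0 gw off
    run sleep 60
    # 2. stop handing out leases; the 5-minute leases from dhcp-range expire
    #    and clients move to the remaining gateway's DHCP server
    run mv "$DHCP_CONF" "$DHCP_CONF.disabled"
    run service dnsmasq restart
    run sleep 600
    # 3. only now drop the fastd tunnels to the nodes
    run service fastd stop
}

# Reverse order, for putting the gateway back into service.
recommission_gateway() {
    run service fastd start
    run mv "$DHCP_CONF.disabled" "$DHCP_CONF"
    run service dnsmasq restart
    run batctl -m bat0 gw server 96mbit/96mbit
}

# Usage:  sh decommission.sh --dry-run   (print the sequence)
#         sh decommission.sh --run       (perform it)
case "${1:-}" in
    --dry-run) DRY_RUN=1 decommission_gateway ;;
    --run)     decommission_gateway ;;
esac
```

Run the dry-run first on the gateway in question; the printed list is exactly what will be executed, including the two waits.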
{{tag>gw setup howto}}