howto/EdgeOS-Config.md
@@ -1,66 +1,55 @@
1
-#EdgeRouter config example
1
+# EdgeOS
2 2
3
-After a lot of searching and trying I [Phil/ALS7] finnaly got a working config
3
+This document describes some possibilities for connecting to dn42 using an Ubiquiti EdgeRouter:
4 4
5
-I used for this example V1.9.0 on an ErPro-8
5
+* IPv4/IPv6 tunnel via:
6
+ * OpenVPN - support built into EdgeOS already
7
+ * IPsec/IKEv2 - support built into EdgeOS already
8
+ * QuickTun - see [vyatta-quicktun package](https://github.com/neilalexander/vyatta-quicktun)
9
+* Route exchange using BGP
10
+* DNS resolution for the .dn42 TLD
6 11
7
-Also thanx to drathir for his patience and support
12
+## First Steps
8 13
9
-##Features
14
+1. Create the required objects in the Registry - see [[Getting started]]
15
+2. Find a peer - ask nicely in [[IRC]]!
16
+3. Get the following details:
17
+ * Tunnel configuration (OpenVPN, IPsec, QuickTun)
18
+ * AS numbers
10 19
11
-* IPv4/IPv6 Tunnel via OpenVPN
12
-* dn42 DNS
20
+### Tunnel Configuration
13 21
14
-##How-To
22
+### OpenVPN
15 23
16
---> still work in Progress
24
+Using the below as examples:
17 25
18
-* Basic EdgeOS knowledge is required
19
-* If you are using LoadBalancing make shure 172.20.0.0/14 is under 'PRIVATE NETS'
26
+ Own ASN: AS111111
27
+ Own IPv4 Space: 172.AA.AA.64/27
28
+ Own IPv6 Space: fdBB:BBBB:CCCC::/48
29
+ Own IPv4 If-Address: 172.AA.AA.65
30
+ Own IPv6 If-Address: fdBB:BBBB:CCCC::1
20 31
21
-1) you need to create all required fields in the registry --> look at [[Getting started]]
32
+ Peer OpenVPN Remote Address: 172.X.X.X //that's the peers OpenVPN IF IP
33
+ Peer OpenVPN Remote Host: X.X.X.Y //that's the peers clearnet IP
34
+ Peer OpenVPN IP for you: fdAA::BBB/64
35
+ Peer OpenVPN IP: fdAA::CC
36
+ Peer OpenVPN Port: 1194
37
+ Peer OpenVPN encryption: aes256
38
+ Peer ASN: AS222222
39
+ Peer BGP Neighbour IPv4: Z.Z.Z.Z
40
+ Peer BGP Neighbour IPv6: fdAA::CC
22 41
23
-2) get a peer --> ask nice @ [[IRC]]
42
+#### Copy OpenVPN key to the EdgeRouter
24 43
25
-3) You need following data from the peer
44
+Copy the VPN key to `/config/auth/SomeSharedKey.key`:
45
+
46
+ sudo cat > /config/auth/giveITaName
26 47
27
---tunnel options, secret key --ASN from the peer --ip's
48
+Paste the key in the terminal window, hit return once and kill `cat` with CTRL+C. Then type `exit`.
28 49
29
-...
50
+#### Create IPv4 OpenVPN Interface
30 51
31
-The data i used are the following:
32
-
33
-Own ASN: AS111111
34
-Own IPv4 Space: 172.AA.AA.64/27
35
-Own IPv6 Space: fdBB:BBBB:CCCC::/48
36
-Own IPv4 If-Address: 172.AA.AA.65
37
-Own IPv6 If-Address: fdBB:BBBB:CCCC::1
38
-
39
-
40
-Peer OpenVPN Remote Address: 172.X.X.X //that's the peers OpenVPN IF IP
41
-Peer OpenVPN Remote Host: X.X.X.Y //that's the peers clearnet IP
42
-Peer OpenVPN IP for you: fdAA::BBB/64
43
-Peer OpenVPN IP: fdAA::CC
44
-Peer OpenVPN Port: 1194
45
-Peer OpenVPN encryption: aes256
46
-Peer ASN: AS222222
47
-Peer BGP Neighbour IPv4: Z.Z.Z.Z
48
-Peer BGP Neighbour IPv6: fdAA::CC
49
-
50
-###Copy OpenVPN key to the ErPro
51
-
52
-copy vpn key to /config/auth/giveITaName
53
-
54
- sudo su
55
- cd /config/auth
56
- cat > giveITaName
57
-
58
-now paste the key in the terminal window, hit return once and kill cat with CTRL+C
59
-last thing to do is type exit
60
-
61
-###Create IPv4 OpenVPN Interface
62
-
63
-Set up Interface vtunX -- i used vtun0
52
+Create the OpenVPN virtual interface, i.e. using `vtun0`:
64 53
65 54
configure
66 55
set interfaces openvpn vtun0
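Review bot: The key path in the prose and in the command disagree: the text under "Copy OpenVPN key to the EdgeRouter" says to copy the key to `/config/auth/SomeSharedKey.key`, but the command that follows still writes `sudo cat > /config/auth/giveITaName`, while the `shared-secret-key-file` line later in the patch points at `SomeSharedKey.key`, so a reader who follows the steps as written ends up with an interface whose key file does not exist. Change the command to `sudo cat > /config/auth/SomeSharedKey.key`. While touching it, the static key is created with root's default umask; it should be readable only by root, e.g. `sudo sh -c 'umask 077; cat > /config/auth/SomeSharedKey.key'`, because anyone who can read the shared secret can decrypt or inject into the tunnel. Two smaller points: "### OpenVPN" sits at the same heading level as "### Tunnel Configuration" although it is one of the three tunnel options listed in the intro (IPsec/IKEv2 and QuickTun get no section at all, so either add placeholders or say the page currently covers OpenVPN only), and the removed warning that 172.20.0.0/14 must be listed under 'PRIVATE NETS' when load balancing is in use was the one operational caveat in the old text and has no replacement in the new one; keep it.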
@@ -70,7 +59,7 @@ Set up Interface vtunX -- i used vtun0
70 59
set interfaces openvpn vtun0 local-address 172.AA.AA.65
71 60
set interfaces openvpn vtun0 remote-address 172.X.X.X
72 61
set interfaces openvpn vtun0 remote-host X.X.X.Y
73
- set interfaces openvpn vtun0 shared-secret-key-file /config/auth/giveITaName
62
+ set interfaces openvpn vtun0 shared-secret-key-file /config/auth/SomeSharedKey.key
74 63
set interfaces openvpn vtun0 encryption aes256
75 64
76 65
set interfaces openvpn vtun0 openvpn-option "--comp-lzo" //if your peer support compression
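Review bot: The trailing `//if your peer support compression` on the `openvpn-option "--comp-lzo"` line is not something the EdgeOS CLI understands, so pasting the line as shown is rejected or the remark ends up in the option string; move it above the command as prose and fix "support" to "supports". Beyond syntax, `--comp-lzo` is a questionable default to hand new peers: OpenVPN's own documentation now recommends against compression because compressing traffic before encrypting it leaks information about the plaintext (the VORACLE class of attacks), and `--comp-lzo` is deprecated in current releases. Suggest presenting it as off unless the peer insists, rather than as the default. The rename of `shared-secret-key-file` to `/config/auth/SomeSharedKey.key` is fine, but it only matches the earlier hunk if the `cat` command there is updated to the same name.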
@@ -79,7 +68,7 @@ Set up Interface vtunX -- i used vtun0
79 68
save
80 69
exit
81 70
82
-Now the ipv4 tunnel should be up&running
71
+The OpenVPN tunnel should now be up and running.
83 72
84 73
Check it with:
85 74
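Review bot: "The OpenVPN tunnel should now be up and running" followed by `show interfaces openvpn detail` and `show openvpn status site-to-site` only confirms that the interface came up locally; in static shared-key mode there is no handshake, so the interface shows as up even when the peer is unreachable or is using a different key. Add a reachability check at this step, e.g. `ping 172.X.X.X` (the peer's tunnel address configured as `remote-address` above), before moving on to BGP, so a key or firewall problem is caught here rather than surfacing later as a BGP session that never establishes.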
@@ -87,17 +76,17 @@ Check it with:
87 76
show interfaces openvpn detail
88 77
show openvpn status site-to-site
89 78
90
-###Create IPv4 BGP Session
79
+### Create BGP Session
91 80
92
-####Open Firewall
81
+#### Open Firewall
93 82
94
-* You need to open the firewall to local for the tunnel Interface on port 179/tcp
83
+You need to open the firewall to local for the tunnel Interface on port 179/tcp
95 84
96
-####Configure the BGP Neighbor
85
+#### Configure the BGP Neighbor
97 86
98
-* You must not use AS before the as numbers !!
87
+When entering AS numbers, do not include the "AS" prefix, i.e. enter AS111111 as just 111111.
99 88
100
-With this step you create the basic bgp session
89
+Build the BGP session with your peer:
101 90
102 91
configure
103 92
set protocols bgp 111111 neighbor Z.Z.Z.Z remote-as 222222
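Review bot: "You need to open the firewall to local for the tunnel Interface on port 179/tcp" states the requirement but, unlike every other step on the page, gives no commands, and "open ... on port 179/tcp" invites a rule that accepts BGP from anything on the interface. The rule should match the peer only: destination port 179/tcp with source address Z.Z.Z.Z (the neighbour address used in the `set protocols bgp 111111 neighbor Z.Z.Z.Z remote-as 222222` line below), applied to vtun0 in the `local` direction. Two follow-ups: the heading drops "IPv4" and becomes "### Create BGP Session", yet the example data lists an IPv6 neighbour (`fdAA::CC`) that is never configured, so either keep "IPv4" in the heading or add the IPv6 neighbour and its address-family; and "Interface" should be lower-case.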
@@ -106,12 +95,11 @@ With this step you create the basic bgp session
106 95
commit
107 96
save
108 97
109
-When commit this configuration you should be able to see a BGP neighbor session start and come up.
110
-You can check this with:
98
+Check that the BGP session has come up:
111 99
112 100
show ip bgp summary
113 101
114
-####Set route to blackhole
102
+#### Create Blackhole Route
115 103
116 104
so bgp can announce the route
117 105
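Review bot: The new heading "#### Create Blackhole Route" is immediately followed by the pre-existing fragment "so bgp can announce the route", which now reads as a dangling half-sentence under a heading. Replace it with a full sentence, e.g. "Add a blackhole route for your prefix so that it exists in the routing table and BGP can announce it." On "Check that the BGP session has come up:" it would help to say what a healthy session looks like in `show ip bgp summary` (a received-prefix count in the state column rather than Active or Connect); the old text at least said the session should "start and come up", which the new wording drops.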
@@ -119,38 +107,35 @@ so bgp can announce the route
119 107
commit
120 108
save
121 109
122
-####Announce prefix to BGP
110
+#### Announce Route to BGP
123 111
124 112
set protocols bgp 111111 network 172.A.A.64/27
125 113
commit
126 114
save
127 115
exit
128 116
129
-You should now be able to see networks being advertised via
117
+You should now be able to see networks being advertised to your peer:
130 118
131 119
show ip bgp neighbors Z.Z.Z.Z advertised-routes
132 120
133
-###Define Nameservers
134
-
135
-Now ping to 172.23.0.53 ... thats the nameserver we are using
136
-If everything is allright it should work
121
+### Set DNS Forwarding
137 122
138
-####NS & NAT Config
123
+Try to ping `172.23.0.53` (anycast DNS resolver). If you get a response then you are good to continue.
139 124
140
-Enter the configure mode
125
+Add the DNS forwarder:
141 126
142 127
configure
143
- set service dns forwarding name-server 8.8.8.8
144
- set service dns forwarding name-server 8.8.4.4
145
- set service dns forwarding options rebind-domain-ok=/dn42/
146 128
set service dns forwarding options server=/23.172.in-addr.arpa/172.23.0.53
147 129
set service dns forwarding options server=/22.172.in-addr.arpa/172.23.0.53
148 130
set service dns forwarding options server=/dn42/172.23.0.53
149
- set service nat rule 5013 outbound-interface vtun0
150
- set service nat rule 5013 type masquerade
151
- set service nat rule 5013 description "masquerade for dn42"
152 131
commit
153 132
save
154 133
exit
155 134
156
-Now try to access any .dn42 tld
135
+### Create NAT rule
136
+
137
+ set service nat rule 5013 outbound-interface vtun0
138
+ set service nat rule 5013 type masquerade
139
+ set service nat rule 5013 description "Masquerade for dn42"
140
+
141
+You should now be able to access .dn42 domains.
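Review bot: Dropping `set service dns forwarding options rebind-domain-ok=/dn42/` is a behaviour change the commit does not explain: if the forwarder's rebind protection (`stop-dns-rebind`) is active, answers for .dn42 names, which are RFC 1918 addresses inside 172.20.0.0/14, are discarded as rebind attempts and .dn42 resolution silently fails even though the `server=/dn42/172.23.0.53` rule is in place. Either keep the option or state that rebind protection is not enabled on the EdgeOS forwarder. Further points in this hunk: the new "### Create NAT rule" block lists three `set service nat rule 5013 ...` commands with no surrounding `configure` / `commit` / `save` / `exit`, unlike every other block on the page, so a reader in operational mode gets "Invalid command"; the reverse zones cover only `22.172.in-addr.arpa` and `23.172.in-addr.arpa` although dn42 is 172.20.0.0/14 (as the old 'PRIVATE NETS' line said), so `20.172.in-addr.arpa` and `21.172.in-addr.arpa` should be forwarded to 172.23.0.53 as well; and `network 172.A.A.64/27` uses a different placeholder from the `172.AA.AA.64/27` used everywhere else, which will confuse readers substituting their own prefix.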