703b6469e40f7dfd5d4580a6f57a3cac25c855ef
howto/EdgeOS-Config.md
... | ... | @@ -1,66 +1,55 @@ |
1 | -#EdgeRouter config example |
|
1 | +# EdgeOS |
|
2 | 2 | |
3 | -After a lot of searching and trying I [Phil/ALS7] finnaly got a working config |
|
3 | +This document describes some possibilities for connecting to dn42 using an Ubiquiti EdgeRouter: |
|
4 | 4 | |
5 | -I used for this example V1.9.0 on an ErPro-8 |
|
5 | +* IPv4/IPv6 tunnel via: |
|
6 | + * OpenVPN - support built into EdgeOS already |
|
7 | + * IPsec/IKEv2 - support built into EdgeOS already |
|
8 | + * QuickTun - see [vyatta-quicktun package](https://github.com/neilalexander/vyatta-quicktun) |
|
9 | +* Route exchange using BGP |
|
10 | +* DNS resolution for the .dn42 TLD |
|
6 | 11 | |
7 | -Also thanx to drathir for his patience and support |
|
12 | +## First Steps |
|
8 | 13 | |
9 | -##Features |
|
14 | +1. Create the required objects in the Registry - see [[Getting started]] |
|
15 | +2. Find a peer - ask nicely in [[IRC]]! |
|
16 | +3. Get the following details: |
|
17 | + * Tunnel configuration (OpenVPN, IPsec, QuickTun) |
|
18 | + * AS numbers |
|
10 | 19 | |
11 | -* IPv4/IPv6 Tunnel via OpenVPN |
|
12 | -* dn42 DNS |
|
20 | +### Tunnel Configuration |
|
13 | 21 | |
14 | -##How-To |
|
22 | +### OpenVPN |
|
15 | 23 | |
16 | ---> still work in Progress |
|
24 | +Using the below as examples: |
|
17 | 25 | |
18 | -* Basic EdgeOS knowledge is required |
|
19 | -* If you are using LoadBalancing make shure 172.20.0.0/14 is under 'PRIVATE NETS' |
|
26 | + Own ASN: AS111111 |
|
27 | + Own IPv4 Space: 172.AA.AA.64/27 |
|
28 | + Own IPv6 Space: fdBB:BBBB:CCCC::/48 |
|
29 | + Own IPv4 If-Address: 172.AA.AA.65 |
|
30 | + Own IPv6 If-Address: fdBB:BBBB:CCCC::1 |
|
20 | 31 | |
21 | -1) you need to create all required fields in the registry --> look at [[Getting started]] |
|
32 | + Peer OpenVPN Remote Address: 172.X.X.X //that's the peers OpenVPN IF IP |
|
33 | + Peer OpenVPN Remote Host: X.X.X.Y //that's the peers clearnet IP |
|
34 | + Peer OpenVPN IP for you: fdAA::BBB/64 |
|
35 | + Peer OpenVPN IP: fdAA::CC |
|
36 | + Peer OpenVPN Port: 1194 |
|
37 | + Peer OpenVPN encryption: aes256 |
|
38 | + Peer ASN: AS222222 |
|
39 | + Peer BGP Neighbour IPv4: Z.Z.Z.Z |
|
40 | + Peer BGP Neighbour IPv6: fdAA::CC |
|
22 | 41 | |
23 | -2) get a peer --> ask nice @ [[IRC]] |
|
42 | +#### Copy OpenVPN key to the EdgeRouter |
|
24 | 43 | |
25 | -3) You need following data from the peer |
|
44 | +Copy the VPN key to `/config/auth/SomeSharedKey.key`: |
|
45 | + |
|
46 | + sudo cat > /config/auth/giveITaName |
|
26 | 47 | |
27 | ---tunnel options, secret key --ASN from the peer --ip's |
|
48 | +Paste the key in the terminal window, hit return once and kill `cat` with CTRL+C. Then type `exit`. |
|
28 | 49 | |
29 | -... |
|
50 | +#### Create IPv4 OpenVPN Interface |
|
30 | 51 | |
31 | -The data i used are the following: |
|
32 | - |
|
33 | -Own ASN: AS111111 |
|
34 | -Own IPv4 Space: 172.AA.AA.64/27 |
|
35 | -Own IPv6 Space: fdBB:BBBB:CCCC::/48 |
|
36 | -Own IPv4 If-Address: 172.AA.AA.65 |
|
37 | -Own IPv6 If-Address: fdBB:BBBB:CCCC::1 |
|
38 | - |
|
39 | - |
|
40 | -Peer OpenVPN Remote Address: 172.X.X.X //that's the peers OpenVPN IF IP |
|
41 | -Peer OpenVPN Remote Host: X.X.X.Y //that's the peers clearnet IP |
|
42 | -Peer OpenVPN IP for you: fdAA::BBB/64 |
|
43 | -Peer OpenVPN IP: fdAA::CC |
|
44 | -Peer OpenVPN Port: 1194 |
|
45 | -Peer OpenVPN encryption: aes256 |
|
46 | -Peer ASN: AS222222 |
|
47 | -Peer BGP Neighbour IPv4: Z.Z.Z.Z |
|
48 | -Peer BGP Neighbour IPv6: fdAA::CC |
|
49 | - |
|
50 | -###Copy OpenVPN key to the ErPro |
|
51 | - |
|
52 | -copy vpn key to /config/auth/giveITaName |
|
53 | - |
|
54 | - sudo su |
|
55 | - cd /config/auth |
|
56 | - cat > giveITaName |
|
57 | - |
|
58 | -now paste the key in the terminal window, hit return once and kill cat with CTRL+C |
|
59 | -last thing to do is type exit |
|
60 | - |
|
61 | -###Create IPv4 OpenVPN Interface |
|
62 | - |
|
63 | -Set up Interface vtunX -- i used vtun0 |
|
52 | +Create the OpenVPN virtual interface, i.e. using `vtun0`: |
|
64 | 53 | |
65 | 54 | configure |
66 | 55 | set interfaces openvpn vtun0 |
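Review bot: the key-file name in this hunk is inconsistent: the prose says to copy the key to `/config/auth/SomeSharedKey.key`, but the command right below it writes `sudo cat > /config/auth/giveITaName`, so a reader who pastes the command ends up with a file that the later `shared-secret-key-file` setting never references; use one name in both places. Two smaller points on the same block: with `sudo cat > file` the redirection is done by the caller's unprivileged shell, not by root, so the write into `/config/auth` only succeeds if that directory is writable by the login user (`sudo sh -c 'cat > /config/auth/SomeSharedKey.key'` avoids the surprise), and since the file holds a shared secret it is worth restricting its permissions (`chmod 600`) once written; ending the paste with CTRL+D rather than killing `cat` with CTRL+C is also the cleaner way to close the file. Finally, the new intro lists IPsec/IKEv2 and QuickTun as options, but the "Tunnel Configuration" section only ever covers OpenVPN, and its `### OpenVPN` heading sits at the same level as its parent `### Tunnel Configuration`; either nest it as `####` or say that the other tunnel types are still to be documented.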
... | ... | @@ -70,7 +59,7 @@ Set up Interface vtunX -- i used vtun0 |
70 | 59 | set interfaces openvpn vtun0 local-address 172.AA.AA.65 |
71 | 60 | set interfaces openvpn vtun0 remote-address 172.X.X.X |
72 | 61 | set interfaces openvpn vtun0 remote-host X.X.X.Y |
73 | - set interfaces openvpn vtun0 shared-secret-key-file /config/auth/giveITaName |
|
62 | + set interfaces openvpn vtun0 shared-secret-key-file /config/auth/SomeSharedKey.key |
|
74 | 63 | set interfaces openvpn vtun0 encryption aes256 |
75 | 64 | |
76 | 65 | set interfaces openvpn vtun0 openvpn-option "--comp-lzo" //if your peer support compression |
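Review bot: `shared-secret-key-file /config/auth/SomeSharedKey.key` matches the new prose in the previous hunk but not the `cat > /config/auth/giveITaName` command there; all three places must agree, otherwise the commit fails with a missing key file. In the same block, `//if your peer support compression` is a comment embedded in a command listing that will not paste cleanly; move it into the prose and mention there that `--comp-lzo` is an optional, legacy setting (compression over the tunnel has been discouraged by the OpenVPN project since the VORACLE findings), so most peers will simply leave it out.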
... | ... | @@ -79,7 +68,7 @@ Set up Interface vtunX -- i used vtun0 |
79 | 68 | save |
80 | 69 | exit |
81 | 70 | |
82 | -Now the ipv4 tunnel should be up&running |
|
71 | +The OpenVPN tunnel should now be up and running. |
|
83 | 72 | |
84 | 73 | Check it with: |
85 | 74 | |
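Review bot: the sentence now says "The OpenVPN tunnel should now be up and running" while the heading above the interface block still reads `#### Create IPv4 OpenVPN Interface`; make the heading and the prose agree (both IPv4 or both generic). It would also help the reader to say what a healthy tunnel looks like in the `show openvpn status site-to-site` output, so there is something concrete to compare against.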
... | ... | @@ -87,17 +76,17 @@ Check it with: |
87 | 76 | show interfaces openvpn detail |
88 | 77 | show openvpn status site-to-site |
89 | 78 | |
90 | -###Create IPv4 BGP Session |
|
79 | +### Create BGP Session |
|
91 | 80 | |
92 | -####Open Firewall |
|
81 | +#### Open Firewall |
|
93 | 82 | |
94 | -* You need to open the firewall to local for the tunnel Interface on port 179/tcp |
|
83 | +You need to open the firewall to local for the tunnel Interface on port 179/tcp |
|
95 | 84 | |
96 | -####Configure the BGP Neighbor |
|
85 | +#### Configure the BGP Neighbor |
|
97 | 86 | |
98 | -* You must not use AS before the as numbers !! |
|
87 | +When entering AS numbers, do not include the "AS" prefix, i.e. enter AS111111 as just 111111. |
|
99 | 88 | |
100 | -With this step you create the basic bgp session |
|
89 | +Build the BGP session with your peer: |
|
101 | 90 | |
102 | 91 | configure |
103 | 92 | set protocols bgp 111111 neighbor Z.Z.Z.Z remote-as 222222 |
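Review bot: `You need to open the firewall to local for the tunnel Interface on port 179/tcp` lost its bullet but still gives no configuration, and a rule that opens 179/tcp to any source on the tunnel is wider than needed; suggest showing the actual `set firewall name ... rule ...` lines and restricting the source to the BGP neighbour address `Z.Z.Z.Z` (and `fdAA::CC` if an IPv6 session is configured), since that is the only host that should ever reach the router's BGP listener over the tunnel. Also, the heading was generalised to `### Create BGP Session`, but the only neighbour configured in this hunk is the IPv4 one; if the IPv6 neighbour from the example block is not configured in the lines outside this hunk, either add it or keep "IPv4" in the heading.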
... | ... | @@ -106,12 +95,11 @@ With this step you create the basic bgp session |
106 | 95 | commit |
107 | 96 | save |
108 | 97 | |
109 | -When commit this configuration you should be able to see a BGP neighbor session start and come up. |
|
110 | -You can check this with: |
|
98 | +Check that the BGP session has come up: |
|
111 | 99 | |
112 | 100 | show ip bgp summary |
113 | 101 | |
114 | -####Set route to blackhole |
|
102 | +#### Create Blackhole Route |
|
115 | 103 | |
116 | 104 | so bgp can announce the route |
117 | 105 | |
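Review bot: the retained line `so bgp can announce the route` under the new `#### Create Blackhole Route` heading is a lowercase fragment that no longer follows from anything now that the heading was reworded. Suggest a full sentence explaining the reason the route exists: BGP only advertises a `network` statement when a matching route is present in the routing table, and the blackhole route for the aggregate `172.A.A.64/27` provides exactly that without routing the prefix anywhere.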
... | ... | @@ -119,38 +107,35 @@ so bgp can announce the route |
119 | 107 | commit |
120 | 108 | save |
121 | 109 | |
122 | -####Announce prefix to BGP |
|
110 | +#### Announce Route to BGP |
|
123 | 111 | |
124 | 112 | set protocols bgp 111111 network 172.A.A.64/27 |
125 | 113 | commit |
126 | 114 | save |
127 | 115 | exit |
128 | 116 | |
129 | -You should now be able to see networks being advertised via |
|
117 | +You should now be able to see networks being advertised to your peer: |
|
130 | 118 | |
131 | 119 | show ip bgp neighbors Z.Z.Z.Z advertised-routes |
132 | 120 | |
133 | -###Define Nameservers |
|
134 | - |
|
135 | -Now ping to 172.23.0.53 ... thats the nameserver we are using |
|
136 | -If everything is allright it should work |
|
121 | +### Set DNS Forwarding |
|
137 | 122 | |
138 | -####NS & NAT Config |
|
123 | +Try to ping `172.23.0.53` (anycast DNS resolver). If you get a response then you are good to continue. |
|
139 | 124 | |
140 | -Enter the configure mode |
|
125 | +Add the DNS forwarder: |
|
141 | 126 | |
142 | 127 | configure |
143 | - set service dns forwarding name-server 8.8.8.8 |
|
144 | - set service dns forwarding name-server 8.8.4.4 |
|
145 | - set service dns forwarding options rebind-domain-ok=/dn42/ |
|
146 | 128 | set service dns forwarding options server=/23.172.in-addr.arpa/172.23.0.53 |
147 | 129 | set service dns forwarding options server=/22.172.in-addr.arpa/172.23.0.53 |
148 | 130 | set service dns forwarding options server=/dn42/172.23.0.53 |
149 | - set service nat rule 5013 outbound-interface vtun0 |
|
150 | - set service nat rule 5013 type masquerade |
|
151 | - set service nat rule 5013 description "masquerade for dn42" |
|
152 | 131 | commit |
153 | 132 | save |
154 | 133 | exit |
155 | 134 | |
156 | -Now try to access any .dn42 tld |
|
135 | +### Create NAT rule |
|
136 | + |
|
137 | + set service nat rule 5013 outbound-interface vtun0 |
|
138 | + set service nat rule 5013 type masquerade |
|
139 | + set service nat rule 5013 description "Masquerade for dn42" |
|
140 | + |
|
141 | +You should now be able to access .dn42 domains. |
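Review bot: the NAT block moved under the new `### Create NAT rule` heading is no longer wrapped in `configure` / `commit` / `save` / `exit`, which the old version had around it; as written, a reader who pastes the three `set service nat rule 5013 ...` lines in operational mode gets an error, and one who is already in configure mode never commits, so restore the surrounding commands. Second, removing `set service dns forwarding options rebind-domain-ok=/dn42/` changes behaviour: dn42 names resolve to private 172.20.0.0/14 and fd00::/8 addresses, and when dnsmasq's rebind protection (`stop-dns-rebind`) is active such answers are discarded unless the domain is whitelisted, so keep the line or state why it is safe to drop. Dropping the `8.8.8.8` / `8.8.4.4` forwarders is fine since they are unrelated to dn42, but the page should then mention that the router's normal upstream resolvers need to be configured elsewhere.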