
Kurzanleitung für Ubuntu 14.04 Server

Freifunk Repo zufügen und benötigte Pakete installieren

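 # Add the Freifunk package sources and install the gateway packages (run as root).
 # Stop at the first failing step so a broken repo/key setup is never silently
 # followed by installing packages from a source that was not actually verified.
 set -e
 aptitude install software-properties-common apt-transport-https
 add-apt-repository ppa:freifunk-mwu/freifunk-ppa
 # universe-factory ships fastd/batman-adv for Debian sid. apt verifies the
 # Release signature itself, so plain http costs privacy, not integrity.
 echo "deb http://repo.universe-factory.net/debian/ sid main" > /etc/apt/sources.list.d/freifunk.list
 # The key is fetched by 64-bit key ID over unauthenticated HKP. Compare the
 # full fingerprint printed by the second command with the one published by
 # the repo operator BEFORE running 'aptitude update' -- a matching ID alone
 # proves nothing about who controls the key.
 apt-key adv --keyserver keyserver.ubuntu.com --recv 16EF3F64CB201D9C
 apt-key adv --fingerprint 16EF3F64CB201D9C
 aptitude update
 # bind9 is removed before dnsmasq is installed (presumably both want port 53)
 aptitude remove bind9
 aptitude install conntrack dnsmasq isc-dhcp-relay bridge-utils batctl fastd batman-adv-dkms openvpn tinc radvd python-psutil python-git jq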

Testen, ob `modprobe batman-adv` einen Fehler liefert: wenn ja, passt das DKMS-Modul meist nicht zum laufenden Kernel (Kernel-Version und installierte Kernel-Header prüfen).

DHCP Relay (IP-Adressen der DHCP-Server anpassen!)

/etc/default/isc-dhcp-relay

 # /etc/default/isc-dhcp-relay -- sourced by the relay's init script.
 # Client DHCP broadcasts arriving on the bridge are forwarded to the
 # central servers; replace the addresses with your own DHCP servers.
 INTERFACES="br0"
 OPTIONS=""
 SERVERS="10.190.128.5 10.190.128.7 10.190.128.8"

Routing aktivieren

/etc/sysctl.conf

 # Forward packets between the Freifunk bridge and the VPN uplinks (IPv4 + IPv6).
 # NOTE(review): forwarding is enabled for all interfaces and this page shows no
 # packet-filter rules; only the policy-routing tables below constrain where
 # client traffic can go. Confirm a firewall is in place before going live.
 net.ipv4.ip_forward=1
 net.ipv6.conf.all.forwarding=1
 # Raise the conntrack table size for the many concurrent client flows a gateway sees.
 net.netfilter.nf_conntrack_max = 500000

# Apply the new settings now (they are also loaded from this file at boot).
sysctl -p /etc/sysctl.conf

Policyrouting vorbereiten

/etc/iproute2/rt_tables

 # /etc/iproute2/rt_tables -- names for the policy-routing tables.
 # 70 "stuttgart": table for everything that arrives from the Freifunk client
 #    bridge (selected by the 'ip rule ... iif br0' in /etc/network/interfaces).
 # 50 "othergw": declared here but not referenced anywhere on this page.
 70	stuttgart
 50	othergw

Interfaces einrichten (IP-Adressen und MAC-Adressen/hwaddress anpassen!!!)

/etc/network/interfaces

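 # /etc/network/interfaces -- adapt every address and hwaddress to your gateway!
 # The MACs are fixed on purpose: the mesh and the fastd key registration are
 # tied to them, so they must not change across reboots.
 auto eth1
 iface eth1 inet6 manual
  hwaddress 02:00:36:03:08:01
 
 auto br0
 iface br0 inet static
  hwaddress 02:00:39:03:08:01
  address 10.190.128.81
  netmask 255.255.192.0
  pre-up          /sbin/brctl addbr $IFACE
  up              /sbin/ip address add fd21:b4dc:4b03::a38:0801/64 dev $IFACE
  post-down       /sbin/brctl delbr $IFACE
  # everything that arrives from the client bridge is looked up in table stuttgart
  post-up         /sbin/ip rule add iif $IFACE table stuttgart priority 7000
  pre-down        /sbin/ip rule del iif $IFACE table stuttgart priority 7000
  # table stuttgart has no usable default until a VPN is up (openvpn-up adds
  # 0.0.0.0/1 and 128.0.0.0/1); until then client traffic is rejected instead
  # of leaking out over the host's main default route
  post-up         /sbin/ip route add unreachable default table stuttgart
  post-down       /sbin/ip route del unreachable default table stuttgart
  # mesh ULA prefix for table stuttgart (the table name was misspelled
  # "stuttgar" before, which 'ip' rejects, so the v6 route was never installed)
  # NOTE(review): only an IPv4 'ip rule' is installed above; no 'ip -6 rule'
  # selects this table, so confirm the IPv6 path before relying on it.
  post-up         /sbin/ip -6 route add fd21:b4dc:4b03::/64 proto static dev $IFACE table stuttgart
  post-down       /sbin/ip -6 route del fd21:b4dc:4b03::/64 proto static dev $IFACE table stuttgart
 
 # vpn0 is created by fastd; it and eth1 are the batman-adv mesh interfaces
 allow-hotplug vpn0
 iface vpn0 inet6 manual
  hwaddress 02:00:38:03:08:01
  pre-up          /sbin/modprobe batman-adv
  post-up         /usr/sbin/batctl -m bat0 if add $IFACE
  post-up         /usr/sbin/batctl -m bat0 if add eth1
  post-up         /sbin/ip link set dev bat0 up
 
 # bat0 is the mesh-side port of the client bridge
 allow-hotplug bat0
 iface bat0 inet6 manual
  pre-up          /sbin/modprobe batman-adv
  post-up         /sbin/brctl addif br0 $IFACE
  # originator interval (batctl "it") in ms; announce this host as a mesh gateway
  post-up         /usr/sbin/batctl -m $IFACE it 10000
  post-up         /usr/sbin/batctl -m $IFACE gw server  50mbit/10mbit
  pre-down        /sbin/brctl delif br0 $IFACE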

VPN/Fastd einrichten

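 # Create the fastd instance directory, fetch the peer definitions of the other
 # gateways and generate this gateway's key pair (run as root).
 set -e
 mkdir -p /etc/fastd/vpn0/peers
 cd /etc/fastd/vpn0/peers
 # peer files (public keys of the other gateways) over https from the project repo
 wget https://raw.githubusercontent.com/freifunk-stuttgart/peers-ffs/master/vpn03/peers/gw08
 wget https://raw.githubusercontent.com/freifunk-stuttgart/peers-ffs/master/vpn03/peers/gw07
 wget https://raw.githubusercontent.com/freifunk-stuttgart/peers-ffs/master/vpn03/peers/gw05
 # From here on nothing may be created world-readable: the secret key is
 # written to disk. (The original left gateway.key/secret.conf at 0644.)
 umask 077
 # fastd prints "Secret: <hex>" on the first line and "Public: <hex>" on the second
 fastd --generate-key > /etc/fastd/vpn0/gateway.key
 # gateway.pub: 'key "<public>";' -- this is what gets registered with the peers repo
 printf 'key' >/etc/fastd/vpn0/gateway.pub
 tail -1 /etc/fastd/vpn0/gateway.key | awk '{print " \""$2"\";"}' >>/etc/fastd/vpn0/gateway.pub
 # secret.conf: 'secret "<secret>";' -- included from fastd.conf, never published
 printf 'secret' >/etc/fastd/vpn0/secret.conf
 head -1 /etc/fastd/vpn0/gateway.key | awk '{print " \""$2"\";"}' >>/etc/fastd/vpn0/secret.conf
 # umask does not fix the mode of files that already existed from an earlier run
 chmod 600 /etc/fastd/vpn0/gateway.key /etc/fastd/vpn0/secret.conf
 cat /etc/fastd/vpn0/secret.conf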

Das Ergebnis sollte eine einzelne Zeile sein, die so aussieht:

 secret "1234567890123456789012345678901234567890123456789012345678901234";

gateway.pub zusammen mit der MAC-Adresse als Fastd-Key registrieren lassen (nur den öffentlichen Schlüssel weitergeben, niemals secret.conf oder gateway.key!), sonst nehmen die anderen Gateways keine Verbindung an, ihr bekommt keine Freifunk-Anbindung und es funktioniert NICHTS!

VPN/Fastd konfigurieren

/etc/fastd/vpn0/fastd.conf

 # /etc/fastd/vpn0/fastd.conf -- the tunnel comes up as vpn0, which the
 # interfaces file hands to batman-adv.
 interface "vpn0";
 method "salsa2012+umac";    # authenticated encryption; newer and faster than the older methods
 mtu 1406;
 # secret.conf holds the private key: keep it root-only (chmod 600) and out of the peers repo
 include "secret.conf";
 # only peers whose public key is present as a file under peers/ are accepted
 include peers from "peers";

OpenVPN Berlin (oder ein anderer Anbieter wie CyberGhost)

/etc/openvpn/freifunk.conf

 # Copy in (or rename) the provider's file from Berlin (xxxxxxx-udp.ovpn)
 # and add the following lines at the top.
 # Do not let openvpn push the provider's routes into the main table;
 # openvpn-up installs them into table stuttgart instead.
 route-noexec
 # level 2 is the minimum that allows external up/down scripts; do not raise
 # it to 3, which would also hand passwords to the scripts via the environment
 script-security 2
 up "openvpn-up"
 down "openvpn-down"

/etc/openvpn/openvpn-up

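 #!/bin/sh
 # openvpn "up" hook: steer Freifunk client traffic (table stuttgart) into the
 # freshly established tunnel. openvpn supplies $dev, $ifconfig_local and
 # $route_vpn_gateway in the environment.
 # Always exits 0: a non-zero exit would make openvpn abandon the connection.

 # replies sent from the tunnel's own address are looked up in table stuttgart
 ip rule add from "$ifconfig_local" table stuttgart priority 9970
 # copy the main table (minus its default) so local networks stay reachable
 # from table stuttgart; 'replace' keeps this idempotent across reconnects
 ip route show table main | grep -v '^default' | while IFS= read -r ROUTE ; do
   # ROUTE is deliberately unquoted: it is a list of 'ip route' arguments
   ip route replace table stuttgart $ROUTE
 done
 # two /1 routes beat the 'unreachable default' of table stuttgart. 'replace'
 # rather than 'add': with 'add' a changed $route_vpn_gateway on reconnect
 # failed with "File exists" and the stale route kept pointing at the old hop.
 ip route replace 0.0.0.0/1 via "$route_vpn_gateway" dev "$dev" table stuttgart
 ip route replace 128.0.0.0/1 via "$route_vpn_gateway" dev "$dev" table stuttgart
 # NAT (pick one) -- only needed when the provider does NOT do it for you (i.e. not Berlin)
 #iptables -t nat -A POSTROUTING -o $dev -j MASQUERADE
 #iptables -t nat -A POSTROUTING -o $dev -j SNAT --to-source $ifconfig_local
 #sysctl -w net.netfilter.nf_conntrack_max=500000
 exit 0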
 

/etc/openvpn/openvpn-down

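 #!/bin/sh
 # openvpn "down" hook: undo what openvpn-up installed. The two /1 routes are
 # removed explicitly so table stuttgart falls back to its 'unreachable default'
 # and client traffic is rejected instead of taking the host's main uplink.
 # Always exits 0 (errors from already-gone routes are harmless here).
 ip rule del from "$ifconfig_local" table stuttgart priority 9970
 ip route del 0.0.0.0/1 table stuttgart
 ip route del 128.0.0.0/1 table stuttgart
 # NAT teardown -- only when the matching rule was enabled in openvpn-up
 #iptables -t nat -D POSTROUTING -o $dev -j MASQUERADE
 #iptables -t nat -D POSTROUTING -o $dev -j SNAT --to-source $ifconfig_local
 exit 0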

# Both hooks must be executable, otherwise openvpn refuses to run them.
chmod +x /etc/openvpn/openvpn-*

# Reboot so the interfaces file, sysctl settings and the batman-adv DKMS module are all picked up cleanly.
reboot

Statistiken

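 # Traffic statistics (optional). The original line was missing the 'install' sub-command.
 aptitude install vnstat vnstati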

gw setup howto
