# EdgeOS
This document describes some possibilities for connecting to dn42 using an Ubiquiti EdgeRouter:
* IPv4/IPv6 tunnel via:
    * OpenVPN - support built into EdgeOS already - covered below
    * IPsec/IKEv2 - support built into EdgeOS already - not covered here
    * QuickTun - see [vyatta-quicktun package](https://github.com/neilalexander/vyatta-quicktun) - not covered here
* Route exchange using BGP
* DNS resolution for the .dn42 TLD
## First Steps
1. Create the required objects in the Registry - see [[Getting started]]
2. Find a peer - ask nicely in [[IRC]]!
3. Get the following details:
    * Tunnel configuration (OpenVPN, IPsec, QuickTun)
    * AS numbers
### Tunnel Configuration
### OpenVPN
Using the below as examples:
```
Own ASN:                      AS111111
Own IPv4 Space:               172.AA.AA.64/27
Own IPv6 Space:               fdBB:BBBB:CCCC::/48
Own IPv4 If-Address:          172.AA.AA.65
Own IPv6 If-Address:          fdBB:BBBB:CCCC::1

Peer OpenVPN Remote Address:  172.X.X.X     (the peer's OpenVPN interface address inside dn42)
Peer OpenVPN Remote Host:     X.X.X.Y       (the peer's clearnet/public address)
Peer OpenVPN IP for you:      fdAA::BBB/64
Peer OpenVPN IP:              fdAA::CC
Peer OpenVPN Port:            1194
Peer OpenVPN encryption:      aes256
Peer ASN:                     AS222222
Peer BGP Neighbour IPv4:      Z.Z.Z.Z
Peer BGP Neighbour IPv6:      fdAA::CC
```

Only the IPv4 values are used in the configuration that follows; the IPv6 tunnel addresses and IPv6 BGP session are listed for completeness but not configured here.
#### Copy OpenVPN key to the EdgeRouter
Copy the OpenVPN static key your peer gave you to `/config/auth/SomeSharedKey.key` (`/config` survives firmware upgrades, and this is the path referenced by the interface configuration below):

```
sudo cat > /config/auth/SomeSharedKey.key
```

Paste the key into the terminal window, hit return once and end `cat` with CTRL+D (CTRL+C also works once the last line has been written). Then type `exit`. Both ends of the tunnel must use the identical key, so exchange it only over a secure channel and keep the file readable by root only (mode 0600).
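As an added check that is not part of the original page, the following POSIX shell function verifies that what was pasted is a complete OpenVPN V1 static key (the `BEGIN`/`END` markers with exactly 16 lines of 32 hex characters, i.e. 2048 bits, between them) before the interface is committed, and tightens the file mode. The function name is an assumption for this example; run it on the router as `check_ovpn_static_key /config/auth/SomeSharedKey.key`.

```shell
#!/bin/sh
# Added example, not from the dn42 wiki: validate an OpenVPN static key file
# before pointing shared-secret-key-file at it. A key written by
# `openvpn --genkey --secret` has a BEGIN/END marker pair with 16 lines of
# 32 hex characters (256 bytes = 2048 bits) in between; a truncated paste
# or a stray blank line would otherwise only show up as a tunnel that never
# comes up. On success the file mode is reduced to 0600.
# Returns 0 if the key looks sane, 1 otherwise.

check_ovpn_static_key() {
    f="$1"
    begin='^-----BEGIN OpenVPN Static key V1-----$'
    end='^-----END OpenVPN Static key V1-----$'

    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    grep -q "$begin" "$f" || { echo "missing BEGIN marker in $f" >&2; return 1; }
    grep -q "$end" "$f"   || { echo "missing END marker in $f" >&2; return 1; }

    # Body = everything between the markers, markers themselves dropped.
    body=$(sed -n "/$begin/,/$end/p" "$f" | sed '1d;$d')
    total=$(printf '%s\n' "$body" | wc -l | tr -d ' ')
    good=$(printf '%s\n' "$body" | grep -c '^[0-9a-fA-F]\{32\}$' || true)

    if [ "$total" -ne 16 ] || [ "$good" -ne 16 ]; then
        echo "key body has $good valid lines of $total; expected 16 lines of 32 hex chars" >&2
        return 1
    fi

    # Only root needs to read the shared secret.
    chmod 600 "$f"
    return 0
}
```

Run it right after the `cat` step; a non-zero exit means the file should be re-pasted rather than committed into the interface configuration.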
#### Create IPv4 OpenVPN Interface
Create the OpenVPN virtual interface, for example `vtun0`. Site-to-site mode with a shared secret gives a point-to-point tunnel: `local-address` and `remote-address` are the tunnel endpoints inside dn42, `remote-host` is the peer's clearnet address, and the ports and cipher must match what the peer configured:

```
configure
set interfaces openvpn vtun0
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 local-port 1194
set interfaces openvpn vtun0 remote-port 1194
set interfaces openvpn vtun0 local-address 172.AA.AA.65
set interfaces openvpn vtun0 remote-address 172.X.X.X
set interfaces openvpn vtun0 remote-host X.X.X.Y
set interfaces openvpn vtun0 shared-secret-key-file /config/auth/SomeSharedKey.key
set interfaces openvpn vtun0 encryption aes256
commit
save
exit
```

If your peer supports compression you can add `set interfaces openvpn vtun0 openvpn-option "--comp-lzo"` before committing. Compressing data before encryption leaks information about the plaintext through the ciphertext length, and `--comp-lzo` is deprecated in current OpenVPN releases, so leave it off unless you have a reason to need it.
The OpenVPN tunnel should now be up and running.
Check it with (`detail` shows the link state and counters; a ping to the peer's tunnel address 172.X.X.X confirms traffic is actually flowing):

```
show interfaces openvpn
show interfaces openvpn detail
show openvpn status site-to-site
```
### Create BGP Session
#### Open Firewall
If a firewall ruleset is attached to the tunnel interface in the `local` direction, it must accept TCP port 179 from the peer's tunnel address, otherwise the BGP session will never leave the Active/Connect states. Interfaces with no ruleset attached are not filtered by EdgeOS, so a freshly created `vtun0` needs no change until you add one. Either side may initiate the TCP connection, so your peer has to allow the same.
#### Configure the BGP Neighbor
When entering AS numbers, do not include the "AS" prefix, i.e. enter AS111111 as just 111111.
Build the BGP session with your peer:
```
configure
set protocols bgp 111111 neighbor Z.Z.Z.Z remote-as 222222
set protocols bgp 111111 neighbor Z.Z.Z.Z soft-reconfiguration inbound
set protocols bgp 111111 neighbor Z.Z.Z.Z update-source 172.AA.AA.65
commit
save
```
Check that the BGP session has come up:
```
show ip bgp summary
```

From configure mode prefix the command with `run`. The session is up when the `State/PfxRcd` column for Z.Z.Z.Z shows a prefix count rather than a state name such as `Active` or `Idle`.
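For a scripted version of that check, here is an added example (not from the dn42 wiki) that parses the Quagga-style output of `show ip bgp summary`, which is what EdgeOS produces: once a session is Established the last column of the neighbour line is the number of prefixes received, otherwise it is the FSM state name. The sample output and the neighbour addresses in it are constructed for the example; the function name is an assumption.

```shell
#!/bin/sh
# Added example, not from the dn42 wiki: decide from `show ip bgp summary`
# whether the session to a neighbour is Established. In Quagga's summary
# table the State/PfxRcd column holds the received-prefix count when the
# session is Established and the FSM state (Idle, Connect, Active,
# OpenSent, OpenConfirm) otherwise.
#
# Constructed sample output: 172.22.22.1 is up with 3 prefixes,
# 172.22.22.9 is still in Active (no TCP connection yet).
SAMPLE_SUMMARY='BGP router identifier 172.22.22.65, local AS number 111111
RIB entries 5, using 560 bytes of memory
Peers 2, using 9120 bytes of memory

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.22.22.1     4 222222     142     139        0    0    0 00:05:12        3
172.22.22.9     4 333333       0       0        0    0    0 never      Active

Total number of neighbors 2'

# bgp_session_state NEIGHBOUR   (summary text on stdin)
# Prints "established <prefixes>" and returns 0 when the session is up,
# prints the FSM state and returns 1 when it is down, returns 2 if the
# neighbour does not appear in the table at all.
bgp_session_state() {
    nbr="$1"
    line=$(awk -v n="$nbr" '$1 == n { print; exit }')
    [ -n "$line" ] || { echo "neighbour $nbr not configured"; return 2; }
    last=$(printf '%s\n' "$line" | awk '{ print $NF }')
    case "$last" in
        ''|*[!0-9]*) echo "$last"; return 1 ;;          # a state name: down
        *)           echo "established $last"; return 0 ;;
    esac
}

# Typical use on the router:
#   show ip bgp summary | bgp_session_state Z.Z.Z.Z
```

A prefix count of 0 still counts as Established; whether the peer should be sending you routes is a separate question answered by `show ip bgp neighbors Z.Z.Z.Z received-routes`.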
#### Create Blackhole Route
Add a blackhole route for your whole prefix so that BGP has a route to announce. Quagga only advertises a `network` that is present in the routing table; the blackhole keeps the aggregate there even when only part of it is in use, and drops traffic for unassigned addresses instead of sending it out the default route. More specific routes (your LAN, the tunnel address) still take precedence over it.

```
set protocols static route 172.AA.AA.64/27 blackhole
commit
save
```
#### Announce Route to BGP
Announce only the prefix registered to you in the Registry:

```
set protocols bgp 111111 network 172.AA.AA.64/27
commit
save
exit
```
You should now be able to see networks being advertised to your peer:
```
show ip bgp neighbors Z.Z.Z.Z advertised-routes
```
### Set DNS Forwarding
Try to ping `172.23.0.53` (anycast DNS resolver). If you get a response then you are good to continue.
Add the DNS forwarder:
EdgeOS's DNS forwarding is dnsmasq, so `options server=/<domain>/<server>` forwards only queries under that domain to the dn42 anycast resolver while everything else keeps using your normal upstream:

```
configure
set service dns forwarding options server=/23.172.in-addr.arpa/172.23.0.53
set service dns forwarding options server=/22.172.in-addr.arpa/172.23.0.53
set service dns forwarding options server=/dn42/172.23.0.53
commit
save
exit
```

The two reverse zones cover 172.22.0.0/16 and 172.23.0.0/16; dn42 allocates from 172.20.0.0/14, so add matching entries for `20.172.in-addr.arpa` and `21.172.in-addr.arpa` if you want reverse lookups for the whole range. Clients only benefit if they use the router as their resolver, i.e. DNS forwarding must be listening on your LAN interface.
### Create NAT rule
Masquerade traffic leaving through the tunnel so that it appears to come from the tunnel address 172.AA.AA.65. This is only needed for hosts that are not numbered from your own dn42 prefix; hosts inside 172.AA.AA.64/27 are reachable directly because that prefix is announced via BGP, and masquerading them would only hide their real source address from the rest of dn42.

```
configure
set service nat rule 5013 description "Masquerade for dn42"
set service nat rule 5013 outbound-interface vtun0
set service nat rule 5013 type masquerade
commit
save
exit
```

You should now be able to access .dn42 domains.