Meine (lqb) Notizen zum wireguard offloader
Daten müssen bei FFMUC erfragt und in die Variablen eingepflegt werden.
mk_config.boot.sh:
#!/bin/bash #USERNAME/PASSWORD: ubnt/ubnt HOST_NAME="nam-segm11" HOST_IPV4="172.20.X.1/24" HOST_IPV6="2001:608:a01:X::1/64" HOST_IPV6_PREFIX="2001:608:a01:X::/64" DHCP_SUBNET="172.20.X.0/24" DHCP_START="172.20.X.10" DHCP_STOP="172.20.X.254" DHCP_DEFAULT_ROUTER="172.20.X.1" DHCP_DNS="$DHCP_DEFAULT_ROUTER" WG0_IPV4="172.17.0.X/31" WG0_IPV6="2001:608:a01:fffe::X/127" WG0_ENDPOINT="vpn01.ext.ffmuc.net:X" WG0_PRIVATE_KEY="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" WG1_IPV4="172.18.0.X/31" WG1_IPV6="2001:608:a01:fffd::X/127" WG1_ENDPOINT="vpn02.ext.ffmuc.net:X" WG1_PRIVATE_KEY="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" BGP_AS="64522" BGP_NEIGHBOR1_IPV4="172.17.0.X" BGP_NEIGHBOR1_IPv6="2001:608:a01:fffd::X" BGP_NEIGHBOR2_IPv4="172.18.0.X" BGP_NEIGHBOR2_IPv6="2001:608:a01:fffe::X" BGP_NEXTHOP_IPV4="$BGP_NEIGHBOR1_IPV4" BGP_NEXTHOP_IPV6="$BGP_NEIGHBOR2_IPv6" SNMP_COMMUNITY="XXXXXXXXXXXXXXX" SNMP_CONTACT="name" SNMP_DESCRIPTION="nam-epr" SNMP_LOCATION="ORT" CLIENT1_IPV4="172.20.X.X" CLIENT1_IPV6="2001:608:a01:X:X:X:X:X" cat<<EOF firewall { all-ping enable broadcast-ping disable ipv6-name VPN6_IN { default-action drop rule 10 { action accept description "Accept related and established IPv6 connections" log disable protocol all state { established enable invalid disable new disable related enable } } rule 20 { action accept description "Accept ICMP (aka Ping)" log disable protocol icmpv6 } rule 30 { action accept description "Accept inbound SSH" destination { port 22 } disable log disable protocol tcp } rule 40 { action accept description "Accept inbound HTTP" destination { port 80 } disable log disable protocol tcp } rule 50 { action accept description "Accept inbound HTTPS" destination { port 443 } disable log disable protocol tcp } rule 1010 { action accept description "Accept inbound SSH to host1" destination { address $CLIENT1_IPV6 port 22 } log disable protocol tcp } rule 9000 { action accept description "Accept anything" disable protocol all } rule 9090 { action drop description "Ensure that unaccepted IPv6 packages are denied at end of chain" protocol all } } ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians enable name VPN_IN { default-action reject description "VPN to internal" rule 10 { action accept description "Accept related and established IPv4 connections" log disable protocol all state { established enable invalid disable new disable related enable } } rule 20 { action accept description "Accept ICMP (aka Ping)" log disable protocol icmp } rule 30 { action accept description "Accept inbound SSH" destination { port 22 } disable log disable protocol tcp } rule 40 { action accept description "Accept inbound HTTP" destination { port 80 } log disable protocol tcp } rule 50 { action accept description "Accept inbount HTTPS" destination { port 443 } log disable protocol tcp } rule 1010 { action accept description "Accept inbound SSH to host1" destination { address $CLIENT1_IPV4 port 22 } disable log disable protocol tcp } rule 9000 { action accept description "Accept anything" disable protocol all } rule 9090 { action drop description "Ensure that unaccepted IPv4 packages are denied at end of chain" log disable protocol all } } options { mss-clamp { interface-type wg mss 1366 } mss-clamp6 { interface-type wg mss 1366 } } receive-redirects disable send-redirects enable source-validation disable syn-cookies enable } interfaces { ethernet eth0 { address dhcp duplex auto speed auto } ethernet eth1 { duplex auto poe { output off } speed auto } ethernet eth2 { duplex auto poe { output off } speed auto } ethernet eth3 { duplex auto poe { output off } speed auto } ethernet eth4 { duplex auto poe { output off } speed auto } loopback lo { } switch switch0 { address $HOST_IPV4 address $HOST_IPV6 firewall { out { ipv6-name VPN6_IN name VPN_IN } } ipv6 { dup-addr-detect-transmits 1 router-advert { cur-hop-limit 64 link-mtu 0 managed-flag false max-interval 600 other-config-flag false prefix $HOST_IPV6_PREFIX { autonomous-flag true on-link-flag true valid-lifetime 2592000 } reachable-time 0 retrans-timer 0 send-advert true } } mtu 1500 switch-port { interface eth1 { } interface eth2 { } interface eth3 { } interface eth4 { } vlan-aware disable } } wireguard wg0 { address $WG0_IPV4 address $WG0_IPV6 listen-port 51822 mtu 1406 peer 3maAGagRC6if+yZdRj8FoT80TP/KdEmIlcRs1+oHWgI= { allowed-ips 0.0.0.0/0 allowed-ips ::/0 endpoint $WG0_ENDPOINT persistent-keepalive 25 } private-key $WG0_PRIVATE_KEY route-allowed-ips false } wireguard wg1 { address $WG1_IPV4 address $WG1_IPV6 listen-port 51823 mtu 1406 peer VRHnZKr3T5/CeOD4THfHdhp0lLoNVhD19uevSGyC4Ck= { allowed-ips 0.0.0.0/0 allowed-ips ::/0 endpoint $WG1_ENDPOINT persistent-keepalive 25 } private-key $WG1_PRIVATE_KEY route-allowed-ips false } } protocols { bgp $BGP_AS { address-family { ipv6-unicast { redistribute { connected { } } } } maximum-paths { ebgp 4 } neighbor $BGP_NEIGHBOR1_IPV4 { remote-as 65132 soft-reconfiguration { inbound } } neighbor $BGP_NEIGHBOR2_IPv4 { remote-as 65132 soft-reconfiguration { inbound } } neighbor $BGP_NEIGHBOR1_IPv6 { address-family { ipv6-unicast { } } remote-as 65132 soft-reconfiguration { inbound } } neighbor $BGP_NEIGHBOR2_IPv6 { address-family { ipv6-unicast { } } remote-as 65132 soft-reconfiguration { inbound } } redistribute { connected { } } } static { route 172.22.0.0/16 { next-hop 192.168.179.1 { description LAN } } route 195.30.94.26/32 { next-hop 192.168.179.1 { description "vpn02.ext.ffmuc.net - v4" } } route 195.30.193.34/32 { next-hop 192.168.179.1 { description "vpn01.ext.ffmuc.net - v4" } } route6 2001:608:a01::44/128 { blackhole { } } route6 2001:608:a01::45/128 { blackhole { } } table 11 { route 0.0.0.0/0 { next-hop $BGP_NEXTHOP_IPV4 { } } route6 ::/0 { next-hop $BGP_NEXTHOP_IPV6 { } } } } } service { dhcp-server { disabled false hostfile-update disable shared-network-name internal { authoritative disable subnet $DHCP_SUBNET { default-router $DHCP_DEFAULT_ROUTER dns-server $DHCP_DNS lease 600 start $DHCP_START { stop $DHCP_STOP } unifi-controller 195.30.94.28 } } static-arp disable use-dnsmasq disable } dns { forwarding { cache-size 10000 listen-on switch0 } } gui { http-port 80 https-port 443 older-ciphers enable } snmp { community $SNMP_COMMUNITY { authorization ro } contact $SNMP_CONTACT description $SNMP_DESCRIPTION location $SNMP_LOCATION } ssh { port 22 protocol-version v2 } unms { disable } } system { flow-accounting { disable-memory-table ingress-capture post-dnat interface eth0 netflow { enable-egress { engine-id 51 } engine-id 50 mode daemon server 167.71.92.38 { port 2055 } timeout { expiry-interval 60 flow-generic 60 icmp 60 max-active-life 60 tcp-fin 10 tcp-generic 60 tcp-rst 10 udp 60 } version 9 } syslog-facility daemon } host-name $HOST_NAME login { user ubnt { authentication { encrypted-password \$5\$trVYj6jdWHatLKF6\$BruP2qvNOWNQ2BcoY4EscxECQdHxNWeHrTA1chhzYe0 plaintext-password "" } full-name "" level admin } } ntp { server 0.ubnt.pool.ntp.org { } server 1.ubnt.pool.ntp.org { } server 2.ubnt.pool.ntp.org { } server 3.ubnt.pool.ntp.org { } } syslog { global { facility all { level notice } facility protocols { level debug } } } time-zone UTC traffic-analysis { custom-category XBOX { name XBOX } dpi enable export enable } } traffic-control { optimized-queue { policy global policy queues } } /* Warning: Do not remove the following line. */ /* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:vyatta-netflow@1:webgui@1:webproxy@1:zone-policy@1" === */ /* Release version: v2.0.8-hotfix.1.5278088.200305.1641 */ EOF