knb:wireguard-offloader

Meine (lqb) Notizen zum wireguard offloader

  • Danke an awlnx und kromebl für die Bereitstellung und die hervorragende Unterstützung der Test Setups

Daten müssen bei FFMUC erfragt und in die Variablen eingepflegt werden.

mk_config.boot.sh:

#!/bin/bash
 
#USERNAME/PASSWORD: ubnt/ubnt
 
HOST_NAME="nam-segm11"
HOST_IPV4="172.20.X.1/24"
HOST_IPV6="2001:608:a01:X::1/64"
HOST_IPV6_PREFIX="2001:608:a01:X::/64"
 
DHCP_SUBNET="172.20.X.0/24"
DHCP_START="172.20.X.10"
DHCP_STOP="172.20.X.254"
DHCP_DEFAULT_ROUTER="172.20.X.1"
DHCP_DNS="$DHCP_DEFAULT_ROUTER"
 
WG0_IPV4="172.17.0.X/31"
WG0_IPV6="2001:608:a01:fffe::X/127"
WG0_ENDPOINT="vpn01.ext.ffmuc.net:X"
WG0_PRIVATE_KEY="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
 
WG1_IPV4="172.18.0.X/31"
WG1_IPV6="2001:608:a01:fffd::X/127"
WG1_ENDPOINT="vpn02.ext.ffmuc.net:X"
WG1_PRIVATE_KEY="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
 
BGP_AS="64522"
BGP_NEIGHBOR1_IPV4="172.17.0.X"
BGP_NEIGHBOR1_IPv6="2001:608:a01:fffd::X"
BGP_NEIGHBOR2_IPv4="172.18.0.X"
BGP_NEIGHBOR2_IPv6="2001:608:a01:fffe::X"
BGP_NEXTHOP_IPV4="$BGP_NEIGHBOR1_IPV4"
BGP_NEXTHOP_IPV6="$BGP_NEIGHBOR2_IPv6"
 
SNMP_COMMUNITY="XXXXXXXXXXXXXXX"
SNMP_CONTACT="name"
SNMP_DESCRIPTION="nam-epr"
SNMP_LOCATION="ORT"
 
CLIENT1_IPV4="172.20.X.X"
CLIENT1_IPV6="2001:608:a01:X:X:X:X:X"
 
 
 
 
 
cat<<EOF
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-name VPN6_IN {
        default-action drop
        rule 10 {
            action accept
            description "Accept related and established IPv6 connections"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Accept ICMP (aka Ping)"
            log disable
            protocol icmpv6
        }
        rule 30 {
            action accept
            description "Accept inbound SSH"
            destination {
                port 22
            }
            disable
            log disable
            protocol tcp
        }
        rule 40 {
            action accept
            description "Accept inbound HTTP"
            destination {
                port 80
            }
            disable
            log disable
            protocol tcp
        }
        rule 50 {
            action accept
            description "Accept inbound HTTPS"
            destination {
                port 443
            }
            disable
            log disable
            protocol tcp
        }
        rule 1010 {
            action accept
            description "Accept inbound SSH to host1"
            destination {
                address $CLIENT1_IPV6
                port 22
            }
            log disable
            protocol tcp
        }
        rule 9000 {
            action accept
            description "Accept anything"
            disable
            protocol all
        }
        rule 9090 {
            action drop
            description "Ensure that unaccepted IPv6 packages are denied at end of chain"
            protocol all
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name VPN_IN {
        default-action reject
        description "VPN to internal"
        rule 10 {
            action accept
            description "Accept related and established IPv4 connections"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Accept ICMP (aka Ping)"
            log disable
            protocol icmp
        }
        rule 30 {
            action accept
            description "Accept inbound SSH"
            destination {
                port 22
            }
            disable
            log disable
            protocol tcp
        }
        rule 40 {
            action accept
            description "Accept inbound HTTP"
            destination {
                port 80
            }
            log disable
            protocol tcp
        }
        rule 50 {
            action accept
            description "Accept inbount HTTPS"
            destination {
                port 443
            }
            log disable
            protocol tcp
        }
        rule 1010 {
            action accept
            description "Accept inbound SSH to host1"
            destination {
                address $CLIENT1_IPV4
                port 22
            }
            disable
            log disable
            protocol tcp
        }
        rule 9000 {
            action accept
            description "Accept anything"
            disable
            protocol all
        }
        rule 9090 {
            action drop
            description "Ensure that unaccepted IPv4 packages are denied at end of chain"
            log disable
            protocol all
        }
    }
    options {
        mss-clamp {
            interface-type wg
            mss 1366
        }
        mss-clamp6 {
            interface-type wg
            mss 1366
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        duplex auto
        speed auto
    }
    ethernet eth1 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth3 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth4 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address $HOST_IPV4
        address $HOST_IPV6
        firewall {
            out {
                ipv6-name VPN6_IN
                name VPN_IN
            }
        }
        ipv6 {
            dup-addr-detect-transmits 1
            router-advert {
                cur-hop-limit 64
                link-mtu 0
                managed-flag false
                max-interval 600
                other-config-flag false
                prefix $HOST_IPV6_PREFIX {
                    autonomous-flag true
                    on-link-flag true
                    valid-lifetime 2592000
                }
                reachable-time 0
                retrans-timer 0
                send-advert true
            }
        }
        mtu 1500
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
    wireguard wg0 {
        address $WG0_IPV4
        address $WG0_IPV6
        listen-port 51822
        mtu 1406
        peer 3maAGagRC6if+yZdRj8FoT80TP/KdEmIlcRs1+oHWgI= {
            allowed-ips 0.0.0.0/0
            allowed-ips ::/0
            endpoint $WG0_ENDPOINT
            persistent-keepalive 25
        }
        private-key $WG0_PRIVATE_KEY
        route-allowed-ips false
    }
    wireguard wg1 {
        address $WG1_IPV4
        address $WG1_IPV6
        listen-port 51823
        mtu 1406
        peer VRHnZKr3T5/CeOD4THfHdhp0lLoNVhD19uevSGyC4Ck= {
            allowed-ips 0.0.0.0/0
            allowed-ips ::/0
            endpoint $WG1_ENDPOINT
            persistent-keepalive 25
        }
        private-key $WG1_PRIVATE_KEY
        route-allowed-ips false
    }
}
protocols {
    bgp $BGP_AS {
        address-family {
            ipv6-unicast {
                redistribute {
                    connected {
                    }
                }
            }
        }
        maximum-paths {
            ebgp 4
        }
        neighbor $BGP_NEIGHBOR1_IPV4 {
            remote-as 65132
            soft-reconfiguration {
                inbound
            }
        }
        neighbor $BGP_NEIGHBOR2_IPv4 {
            remote-as 65132
            soft-reconfiguration {
                inbound
            }
        }
        neighbor $BGP_NEIGHBOR1_IPv6 {
            address-family {
                ipv6-unicast {
                }
            }
            remote-as 65132
            soft-reconfiguration {
                inbound
            }
        }
        neighbor $BGP_NEIGHBOR2_IPv6 {
            address-family {
                ipv6-unicast {
                }
            }
            remote-as 65132
            soft-reconfiguration {
                inbound
            }
        }
        redistribute {
            connected {
            }
        }
    }
    static {
        route 172.22.0.0/16 {
            next-hop 192.168.179.1 {
                description LAN
            }
        }
        route 195.30.94.26/32 {
            next-hop 192.168.179.1 {
                description "vpn02.ext.ffmuc.net - v4"
            }
        }
        route 195.30.193.34/32 {
            next-hop 192.168.179.1 {
                description "vpn01.ext.ffmuc.net - v4"
            }
        }
        route6 2001:608:a01::44/128 {
            blackhole {
            }
        }
        route6 2001:608:a01::45/128 {
            blackhole {
            }
        }
        table 11 {
            route 0.0.0.0/0 {
                next-hop $BGP_NEXTHOP_IPV4 {
                }
            }
            route6 ::/0 {
                next-hop $BGP_NEXTHOP_IPV6 {
                }
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name internal {
            authoritative disable
            subnet $DHCP_SUBNET {
                default-router $DHCP_DEFAULT_ROUTER
                dns-server $DHCP_DNS
                lease 600
                start $DHCP_START {
                    stop $DHCP_STOP
                }
                unifi-controller 195.30.94.28
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 10000
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    snmp {
        community $SNMP_COMMUNITY {
            authorization ro
        }
        contact $SNMP_CONTACT
        description $SNMP_DESCRIPTION
        location $SNMP_LOCATION
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    flow-accounting {
        disable-memory-table
        ingress-capture post-dnat
        interface eth0
        netflow {
            enable-egress {
                engine-id 51
            }
            engine-id 50
            mode daemon
            server 167.71.92.38 {
                port 2055
            }
            timeout {
                expiry-interval 60
                flow-generic 60
                icmp 60
                max-active-life 60
                tcp-fin 10
                tcp-generic 60
                tcp-rst 10
                udp 60
            }
            version 9
        }
        syslog-facility daemon
    }
    host-name $HOST_NAME
    login {
        user ubnt {
            authentication {
                encrypted-password \$5\$trVYj6jdWHatLKF6\$BruP2qvNOWNQ2BcoY4EscxECQdHxNWeHrTA1chhzYe0
                plaintext-password ""
            }
            full-name ""
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
    traffic-analysis {
        custom-category XBOX {
            name XBOX
        }
        dpi enable
        export enable
    }
}
traffic-control {
    optimized-queue {
        policy global
        policy queues
    }
}
 
 
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:vyatta-netflow@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v2.0.8-hotfix.1.5278088.200305.1641 */
EOF
  • knb/wireguard-offloader.txt
  • Zuletzt geändert: 2020/07/07 06:04
  • von lqb