Dies ist eine alte Version des Dokuments!
Meine (lqb) Notizen zum wireguard offloader
- Danke an awlnx und kromebl für die Bereitstellung und die hervorragende Unterstützung der Test Setups
Ubiquiti EdgeRouter X (ER-X)
- eth0: PoE IN
- eth4: PoE OUT (Passive 24V Passthrough)
- Wireguard Debian Package (Github Projekt): e50-v2-v1.0.20200506-v1.0.20200319.deb
Ubiquiti EdgePoint R6 (EP‑R6)
- eth0: PoE IN
- eth1-4: PoE OUT (Passive 24V! Achtung! Grillt Hardware, die damit nicht umgehen kann!)
- eth5: SFP Port
- Wireguard Debian Package (Github Projekt): e50-v2-v1.0.20200506-v1.0.20200319.deb
Create /config/config.boot
#!/bin/bash
#USERNMAE/PASSWORD: ubnt/ubnt
HOST_NAME="nam-segm11"
HOST_IPV4="172.20.X.1/24"
HOST_IPV6="2001:608:a01:X::1/64"
HOST_IPV6_PREFIX="2001:608:a01:X::/64"
DHCP_SUBNET="172.20.X.0/24"
DHCP_START="172.20.X.10"
DHCP_STOP="172.20.X.254"
DHCP_DEFAULT_ROUTER="172.20.X.1"
DHCP_DNS="$DHCP_DEFAULT_ROUTER"
WG0_IPV4="172.17.0.X/31"
WG0_IPV6="2001:608:a01:fffe::X/127"
WG0_ENDPOINT="vpn01.ext.ffmuc.net:X"
WG0_PRIVATE_KEY="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
WG1_IPV4="172.18.0.X/31"
WG1_IPV6="2001:608:a01:fffd::X/127"
WG1_ENDPOINT="vpn02.ext.ffmuc.net:X"
WG1_PRIVATE_KEY="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
BGP_AS="64522"
BGP_NEIGHBOR1_IPV4="172.17.0.X"
BGP_NEIGHBOR1_IPv6="2001:608:a01:fffd::X"
BGP_NEIGHBOR2_IPv4="172.18.0.X"
BGP_NEIGHBOR2_IPv6="2001:608:a01:fffe::X"
BGP_NEXTHOP_IPV4="$BGP_NEIGHBOR1_IPV4"
BGP_NEXTHOP_IPV6="$BGP_NEIGHBOR2_IPv6"
SNMP_COMMUNITY="XXXXXXXXXXXXXXX"
SNMP_CONTACT="name"
SNMP_DESCRIPTION="nam-epr"
SNMP_LOCATION="ORT"
CLIENT1_IPV4="172.20.X.X"
CLIENT1_IPV6="2001:608:a01:X:X:X:X:X"
mk_config.boot.sh:
cat<<EOF
firewall {
all-ping enable
broadcast-ping disable
ipv6-name VPN6_IN {
default-action drop
rule 10 {
action accept
description "Accept related and established IPv6 connections"
log disable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
rule 20 {
action accept
description "Accept ICMP (aka Ping)"
log disable
protocol icmpv6
}
rule 30 {
action accept
description "Accept inbound SSH"
destination {
port 22
}
disable
log disable
protocol tcp
}
rule 40 {
action accept
description "Accept inbound HTTP"
destination {
port 80
}
disable
log disable
protocol tcp
}
rule 50 {
action accept
description "Accept inbound HTTPS"
destination {
port 443
}
disable
log disable
protocol tcp
}
rule 1010 {
action accept
description "Accept inbound SSH to host1"
destination {
address $CLIENT1_IPV6 #VAR
port 22
}
log disable
protocol tcp
}
rule 9000 {
action accept
description "Accept anything"
disable
protocol all
}
rule 9090 {
action drop
description "Ensure that unaccepted IPv6 packages are denied at end of chain"
protocol all
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name VPN_IN {
default-action reject
description "VPN to internal"
rule 10 {
action accept
description "Accept related and established IPv4 connections"
log disable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
rule 20 {
action accept
description "Accept ICMP (aka Ping)"
log disable
protocol icmp
}
rule 30 {
action accept
description "Accept inbound SSH"
destination {
port 22
}
disable
log disable
protocol tcp
}
rule 40 {
action accept
description "Accept inbound HTTP"
destination {
port 80
}
log disable
protocol tcp
}
rule 50 {
action accept
description "Accept inbount HTTPS"
destination {
port 443
}
log disable
protocol tcp
}
rule 1010 {
action accept
description "Accept inbound SSH to host1"
destination {
address $CLIENT1_IPV4 #VAR
port 22
}
disable
log disable
protocol tcp
}
rule 9000 {
action accept
description "Accept anything"
disable
protocol all
}
rule 9090 {
action drop
description "Ensure that unaccepted IPv4 packages are denied at end of chain"
log disable
protocol all
}
}
options {
mss-clamp {
interface-type wg
mss 1366
}
mss-clamp6 {
interface-type wg
mss 1366
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address dhcp
duplex auto
speed auto
}
ethernet eth1 {
duplex auto
poe {
output off
}
speed auto
}
ethernet eth2 {
duplex auto
poe {
output off
}
speed auto
}
ethernet eth3 {
duplex auto
poe {
output off
}
speed auto
}
ethernet eth4 {
duplex auto
poe {
output 24v
}
speed auto
}
loopback lo {
}
switch switch0 {
address $HOST_IPV4 #VAR
address $HOST_IPV6 #VAR
firewall {
out {
ipv6-name VPN6_IN
name VPN_IN
}
}
ipv6 {
dup-addr-detect-transmits 1
router-advert {
cur-hop-limit 64
link-mtu 0
managed-flag false
max-interval 600
other-config-flag false
prefix $HOST_IPV6_PREFIX { #VAR
autonomous-flag true
on-link-flag true
valid-lifetime 2592000
}
reachable-time 0
retrans-timer 0
send-advert true
}
}
mtu 1500
switch-port {
interface eth1 {
}
interface eth2 {
}
interface eth3 {
}
interface eth4 {
}
vlan-aware disable
}
}
wireguard wg0 {
address $WG0_IPV4 #VAR
address $WG0_IPV6 #VAR
listen-port 51822
mtu 1406
peer 3maAGagRC6if+yZdRj8FoT80TP/KdEmIlcRs1+oHWgI= {
allowed-ips 0.0.0.0/0
allowed-ips ::/0
endpoint $WG0_ENDPOINT #VAR
persistent-keepalive 25
}
private-key $WG0_PRIVATE_KEY #VAR
route-allowed-ips false
}
wireguard wg1 {
address $WG1_IPV4 #VAR
address $WG1_IPV6 #VAR
listen-port 51823
mtu 1406
peer VRHnZKr3T5/CeOD4THfHdhp0lLoNVhD19uevSGyC4Ck= {
allowed-ips 0.0.0.0/0
allowed-ips ::/0
endpoint $WG1_ENDPOINT #VAR
persistent-keepalive 25
}
private-key $WG1_PRIVATE_KEY #VAR
route-allowed-ips false
}
}
protocols {
bgp $BGP_AS { #VAR
address-family {
ipv6-unicast {
redistribute {
connected {
}
}
}
}
maximum-paths {
ebgp 4
}
neighbor $BGP_NEIGHBOR1_IPV4 { #VAR
remote-as 65132
soft-reconfiguration {
inbound
}
}
neighbor $BGP_NEIGHBOR2_IPv4 { #VAR
remote-as 65132
soft-reconfiguration {
inbound
}
}
neighbor $BGP_NEIGHBOR1_IPv6 { #VAR
address-family {
ipv6-unicast {
}
}
remote-as 65132
soft-reconfiguration {
inbound
}
}
neighbor $BGP_NEIGHBOR2_IPv6 { #VAR
address-family {
ipv6-unicast {
}
}
remote-as 65132
soft-reconfiguration {
inbound
}
}
redistribute {
connected {
}
}
}
static {
route 172.22.0.0/16 {
next-hop 192.168.179.1 {
description LAN
}
}
route 195.30.94.26/32 {
next-hop 192.168.179.1 {
description "vpn02.ext.ffmuc.net - v4"
}
}
route 195.30.193.34/32 {
next-hop 192.168.179.1 {
description "vpn01.ext.ffmuc.net - v4"
}
}
route6 2001:608:a01::44/128 {
blackhole {
}
}
route6 2001:608:a01::45/128 {
blackhole {
}
}
table 11 {
route 0.0.0.0/0 {
next-hop $BGP_NEXTHOP_IPV4 { #VAR
}
}
route6 ::/0 {
next-hop $BGP_NEXTHOP_IPV6 { #VAR
}
}
}
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name internal {
authoritative disable
subnet $DHCP_SUBNET { #VAR
default-router $DHCP_DEFAULT_ROUTER #VAR
dns-server $DHCP_DNS #VAR
lease 600
start $DHCP_START { #VAR
stop $DHCP_STOP #VAR
}
unifi-controller 195.30.94.28
}
}
static-arp disable
use-dnsmasq disable
}
dns {
forwarding {
cache-size 10000
listen-on switch0
}
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
snmp {
community $SNMP_COMMUNITY { #VAR
authorization ro
}
contact $SNMP_CONTACT #VAR
description $SNMP_DESCRIPTION #VAR
location $SNMP_LOCATION #VAR
}
ssh {
port 22
protocol-version v2
}
unms {
disable
}
}
system {
flow-accounting {
disable-memory-table
ingress-capture post-dnat
interface eth0
netflow {
enable-egress {
engine-id 51
}
engine-id 50
mode daemon
server 167.71.92.38 {
port 2055
}
timeout {
expiry-interval 60
flow-generic 60
icmp 60
max-active-life 60
tcp-fin 10
tcp-generic 60
tcp-rst 10
udp 60
}
version 9
}
syslog-facility daemon
}
host-name $HOST_NAME #VAR
login {
user ubnt {
authentication {
encrypted-password \$5\$trVYj6jdWHatLKF6\$BruP2qvNOWNQ2BcoY4EscxECQdHxNWeHrTA1chhzYe0
plaintext-password ""
}
full-name ""
level admin
}
}
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
traffic-analysis {
custom-category XBOX {
name XBOX
}
dpi enable
export enable
}
}
traffic-control {
optimized-queue {
policy global
policy queues
}
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:vyatta-netflow@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v2.0.8-hotfix.1.5278088.200305.1641 */
EOF
lqb