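====== Intercity-VPN ======

Mit dem IC-VPN vernetzen sich die verschiedenen Freifunker aus Deutschland und auch anderen Ländern untereinander. Technisch geschieht dies mit Tinc, per [[https://de.wikipedia.org/wiki/BGP|BGP]] werden dann die eigenen Subnetze bekannt gegeben.

Damit es zu keinen Überschneidungen bei den Subnetzen kommt, existieren im Freifunkwiki mehrere Seiten:

  * [[http://wiki.freifunk.net/IP-Netze|IP-Netze]]
    * Bielefeld IPv4: 10.29.0.0/16
      * Transfernetz-IP vpn1: 10.207.0.59
      * Transfernetz-IP vpn2: 10.207.0.67
    * Bielefeld IPv6: fdef:17a0:ffb1::/48
      * Transfernetz-IP vpn1: fec0::a:cf:0:59/96
      * Transfernetz-IP vpn2: fec0::a:cf:0:60/96
  * [[http://wiki.freifunk.net/AS-Nummern|AS-Nummern]]
    * Bielefeld AS: 65529
  * [[http://wiki.freifunk.net/IC-VPN|Anleitung]]

===== Stand 07.02.14 =====

  * Auf vpn1 läuft ein LookingGlass für IPv4 und IPv6, leider hakt das noch etwas, weil der User vom Apache Zugriff auf den bird-Prozess braucht. Hinweis: dem Apache-User nur lesenden Zugriff geben (z.B. ''birdc -r'', restricted mode, nur show-Kommandos), sonst kann der Webserver-Prozess die Router-Konfiguration verändern.
    * [[http://vpn1.freifunk-bielefeld.de/ulg/ulg.py | IPv4]]
    * [[http://vpn1.freifunk-bielefeld.de/ulgv6/ulg.py | IPv6]]
  * Peering mit
    * Lübeck1
    * Augsburg1
    * Gronau1
    * noch ein paar andere Städte
    * DN42, siehe unten

===== Einrichten =====

=== Pakete ===

  * bird
  * bird6
  * tinc

==== tinc ====

  * tinc.conf
<code>
Name = bielefeld1
# Der Key ist die Identität dieses Knotens im ICVPN; Datei nur für root lesbar halten.
PrivateKeyFile = /etc/tinc/icvpn/rsa_key.priv
Mode = Switch
PingTimeout = 30
Port = 655
# tinc nennt die Option "Hostnames" (Plural).
Hostnames = yes
ConnectTo = augsburg1
ConnectTo = luebeck1
ConnectTo = gronau1
</code>

  * tinc-up
<code bash>
#!/bin/sh
ip link set dev icvpn up
ip addr add dev icvpn 10.207.0.59/16 broadcast 10.207.255.255
ip -6 addr add dev icvpn fec0::a:cf:0:59/96
# Traffic aus dem Mesh wird ueber die eigene Routing-Tabelle "icvpn" (200, siehe rt_tables) geleitet.
ip rule add dev br-mesh table icvpn prio 32764
ip -6 rule add dev br-mesh table icvpn prio 32764
</code>

  * tinc-down
<code bash>
#!/bin/sh
# "ip addr del" (nicht "ip del"), sonst bleibt die Adresse beim Abbau stehen.
ip addr del dev icvpn 10.207.0.59/16 broadcast 10.207.255.255
ip -6 addr del dev icvpn fec0::a:cf:0:59/96
ip link set dev icvpn down
ip rule del prio 32764
ip -6 rule del prio 32764
</code>

  * /etc/iproute2/rt_tables: zusätzliche Zeile mit ''200 icvpn''

==== bird ====

  * bird.conf
<code>
### config for vpn1 ###
log "/var/log/bird.log" all;
log syslog all;

router id 10.29.131.187;
define myas = 65529;

table ebgp;
table ibgp;
#table internal_ospf;
table internal;

### functions ###
# NOTE(review): net_martian() and accept_all() are defined but never referenced by any
# import/export filter below; the per-peer filters rely on freifunk()/dn42() alone.
function net_martian() {
  return net ~ [ 169.254.0.0/16+, 127.0.0.0/8+, 224.0.0.0/4+, 240.0.0.0/4+, 0.0.0.0/0{0,7}, 192.168.0.0/16+ ];
}
function net_local() {
  return net ~ [ 10.29.0.0/16+ ];
}
# 37.1.89.160/29+ is listed twice; harmless, but one entry can go.
function dn42() {
  return net ~ [ 172.22.0.0/15+, 195.160.168.0/23+, 91.204.4.0/22+, 193.43.220.0/23+, 83.133.178.0/23+, 87.106.29.254/32, 85.25.246.16/28+, 46.4.248.192/27+, 94.45.224.0/19+, 195.191.196.0/23+, 80.244.241.224/27+, 46.19.90.48/28+, 46.19.90.96/28+, 178.63.170.40/32, 188.40.34.241/32, 195.16.84.40/29+, 37.1.89.160/29+, 178.33.32.123/32+, 37.1.89.160/29+, 185.28.77.16/29+, 185.28.77.192/27+, 192.175.48.0/24+ ];
}
function chaosvpn() {
  return net ~ [ 10.4.0.0/16+, 10.32.0.0/16+, 10.100.0.0/14+, 10.104.0.0/14+, 172.31.0.0/16+ ];
}
# NOTE(review): 104.0.0.0/8 is public (ARIN) address space. Every eBGP peer below may import
# it, and the ibgp->internal pipe installs it into the kernel table, so a single mis-announcing
# peer can draw the mesh's traffic for public 104.x hosts. Confirm this range is intended here.
function freifunk() {
  return net ~ [ 10.0.0.0/8+, 104.0.0.0/8+ ];
}
function net_hackint() {
  return net ~ [ 172.22.24.0/28+ ];
}
function accept_all() {
  if net_martian() || net_local() then return false;
  return true;
}

### kernel ###
# Routes from table "internal" go into kernel table 200 (rt_tables: icvpn).
protocol kernel {
  scan time 10;
  table internal;
  kernel table 200;
  import none;
  export filter {
    krt_prefsrc = 10.29.131.187; # edit: own ip
    accept;
  };
};
protocol device {
  scan time 10;
}

### static routes for bgp ###
protocol static {
  route 10.29.0.0/16 reject;
  table ebgp;
}
### static routes for ospf ###
protocol static {
  route 10.29.0.0/16 via "br-mesh";
  table internal;
};

### sync ebgp with ibgp ###
protocol pipe {
  table ebgp;
  peer table ibgp;
  import all;
  export where !net_local();
}
### sync ibgp with internal ###
protocol pipe {
  table ibgp;
  peer table internal;
  import none;
  export where (freifunk() || dn42());
}

### templates ###
# NOTE(review): the template sets no import filter (bgp_in is commented out). Each
# "protocol bgp ... from PEERS" below must therefore carry its own "import where";
# a peer defined without one falls back to BIRD's default import behaviour.
template bgp PEERS {
  table ebgp;
  local as myas;
  #import filter bgp_in;
  export all;
  route limit 10000;
}
template bgp bgp_ibgp {
  table ibgp;
  local as myas;
  import filter {
    preference = 99;
    accept;
  };
  export where source = RTS_BGP;
  gateway direct;
  next hop self;
}

### iBGP ###
protocol bgp vpn2 from bgp_ibgp {
  neighbor 10.29.132.192 as 65529;
}

### eBGP ###
### Leipzig1 ###
#protocol bgp Leipzig1 from PEERS {
#  description "Leipzig1";
#  neighbor 10.207.0.1 as 65041;
#}
### Leipzig2 ###
protocol bgp Leipzig2 from PEERS {
  description "import: freifunk; export: freifunk, dn42";
  import where (freifunk() && !net_local());
  export where (freifunk() || dn42());
  neighbor 10.207.0.2 as 65041;
}
### Leipzig-DB ###
#protocol bgp Leipzig_DB from PEERS {
#  description "Leipzig-DB";
#  neighbor 10.207.255.1 as 65041;
#}
### Weimar1 ###
protocol bgp Weimar1 from PEERS {
  description "import: freifunk; export: freifunk, dn42";
  import where (freifunk() && !net_local());
  export where (freifunk() || dn42());
  neighbor 10.207.0.3 as 65042;
}
### Weimar2 ###
protocol bgp Weimar2 from PEERS {
  description "import: freifunk; export: freifunk, dn42";
  import where (freifunk() && !net_local());
  export where (freifunk() || dn42());
  neighbor 10.207.0.4 as 65042;
}
### Berlin1 ###
protocol bgp Berlin1 from PEERS {
  description "import: freifunk; export: freifunk, dn42";
  import where (freifunk() && !net_local());
  export where (freifunk() || dn42());
  neighbor 10.207.0.5 as 44194;
}
### Berlin2 ###
#protocol bgp Berlin2 from PEERS {
#  description "Berlin2";
#  neighbor 10.207.0.6 as 44194;
#}
### Wermelskirchen 1 ###
protocol bgp Wermelskirchen1 from PEERS {
  description "import: freifunk; export: freifunk, dn42";
  import where (freifunk() && !net_local());
  export where (freifunk() || dn42());
  neighbor 10.207.0.7 as 65530;
}
### Wermelskirchen2 ###
protocol bgp Wermelskirchen2 from PEERS {
  description "Wermelskirchen2";
  import where (freifunk() && !net_local());
  export where (freifunk() || dn42());
  neighbor 10.207.0.8 as 65530;
}
### Stuttgart1 ###
#protocol bgp Stuttgart1 from PEERS {
#  description "Stuttgart1";
#  neighbor 10.207.0.11 as 65045;
#}
### Stuttgart2 ###
#protocol bgp Stuttgart2 from PEERS {
#  description "Stuttgart2";
#  neighbor 10.207.0.12 as 65045;
#}
### Halle1 ###
protocol bgp Halle1 from PEERS {
  description "import: freifunk; export: freifunk, dn42";
  import where (freifunk() && !net_local());
  export where (freifunk() || dn42());
  neighbor 10.207.0.13 as 65046;
}
### Halle2 ###
protocol bgp Halle2 from PEERS {
  description "import: freifunk; export: freifunk, dn42";
  import where (freifunk() && !net_local());
  export where (freifunk() || dn42());
  neighbor 10.207.0.14 as 65046;
}
### Aurich1 ###
#protocol bgp Aurich1 from PEERS {
#  description "Aurich1";
#  neighbor 10.207.0.15 as 65047;
#}
### Augsburg1 ###
protocol bgp Augsburg1 from PEERS {
  description "import: freifunk, dn42; export: freifunk, dn42";
  import where ((freifunk() || dn42()) && !net_local());
  export where (freifunk() || dn42());
  neighbor 10.207.0.17 as 65050;
}
### Augsburg2 ###
protocol bgp Augsburg2 from PEERS {
  description "import: freifunk, dn42; export: freifunk, dn42";
  import where ((freifunk() || dn42()) && !net_local());
  export where (freifunk() || dn42());
  neighbor 10.207.0.68 as 65050;
}
### Dresden1 ###
protocol bgp Dresden1 from PEERS {
  description "import: freifunk; export: freifunk, dn42";
  import where (freifunk() && !net_local());
  export where (freifunk() || dn42());
  neighbor 10.207.0.19 as 65051;
}
### Hannover 1 ###
#protocol bgp Hannover1 from PEERS {
#  description "Hannover1";
#  neighbor 10.207.0.22 as 65511;
#}
### Franken 1 ###
protocol bgp Franken1 from PEERS {
  description "import: freifunk; export: freifunk, dn42";
  import where (freifunk() && !net_local());
  export where (freifunk() || dn42());
  neighbor 10.207.0.23 as 65024;
}
### Franken 2 ###
#protocol bgp Franken2 from PEERS {
#  description "Franken2";
#  neighbor 10.207.0.24 as 65024;
#}
### Grossdraxdorf ###
#protocol bgp Grossdraxdorf from PEERS {
#  description "Großraxdorf";
#  neighbor 10.207.0.25 as 65025;
#}
### Bad Zwischenahn 1 ###
#protocol bgp Bad_Zwischenahn1 from PEERS {
#  description "BadZwischenahn1";
#  neighbor 10.207.0.26 as 65512;
#}
### Oldenburg 1 ###
protocol bgp Oldenburg1 from PEERS {
  description "import: freifunk; export: freifunk, dn42";
  import where (freifunk() && !net_local());
  export where (freifunk() || dn42());
  neighbor 10.207.0.27 as 65513;
}
### Bayreuth 1 ###
protocol bgp Bayreuth1 from PEERS {
  description "Bayreuth1";
  import where (freifunk() && !net_local());
  export where (freifunk() || dn42());
  neighbor 10.207.0.28 as 65025;
}
### diac24.net ###
#protocol bgp diac24_net from PEERS {
#  description "diac24.net";
#  neighbor 10.207.2.0 as 64600;
#}
### kiberpipa.net ###
#protocol bgp kiberpipa_net from PEERS {
#  description "kiberpipa.net";
#  neighbor 10.207.3.23 as 65023;
#}
### Franken 3 ###
#protocol bgp Franken3 from PEERS {
#  description "Franken3";
#  neighbor 10.207.0.31 as 65024;
#}
### Koblenz ###
#protocol bgp Koblenz from PEERS {
#  description "Koblenz";
#  neighbor 10.207.0.32 as 65032;
#}
### Mainz 1 ###
protocol bgp Mainz1 from PEERS {
  description "import: freifunk; export: freifunk, dn42";
  import where (freifunk() && !net_local());
  export where (freifunk() || dn42());
  neighbor 10.207.0.37 as 65037;
}
### Luebeck 1 ###
# description corrected: the import filter only accepts freifunk(), not dn42().
protocol bgp Luebeck1 from PEERS {
  import where ((freifunk() && !net_local()));
  export where (freifunk() || dn42());
  description "import: freifunk; export: freifunk, dn42";
  neighbor 10.207.0.130 as 65052;
}
### Luebeck 2 ###
# description corrected: the import filter only accepts freifunk(), not dn42().
protocol bgp Luebeck2 from PEERS {
  import where ((freifunk() && !net_local()));
  export where (freifunk() || dn42());
  description "import: freifunk; export: freifunk, dn42";
  neighbor 10.207.0.131 as 65052;
}
### Frankfurt 1 ###
protocol bgp Frankfurt1 from PEERS {
  import where (freifunk() && !net_local());
  export where (freifunk() || dn42());
  description "import: freifunk; export: freifunk, dn42";
  neighbor 10.207.0.35 as 65026;
}
### Chemnitz 1 ###
protocol bgp Chemnitz1 from PEERS {
  import where (freifunk() && !net_local());
  export where (freifunk() || dn42());
  description "Chemnitz1";
  neighbor 10.207.0.36 as 65053;
}
### Schilcher 1 ###
#protocol bgp Schilcher1 from PEERS {
#  description "Schilcher1";
#  neighbor 10.207.0.51 as 65054;
#}
### Gronau 1 ###
protocol bgp Gronau1 from PEERS {
  import where (freifunk() && !net_local());
  export where (freifunk() || dn42());
  description "import: freifunk; export: freifunk, dn42";
  neighbor 10.207.0.55 as 65526;
}
### Gronau 2 ###
protocol bgp Gronau2 from PEERS {
  import where (freifunk() && !net_local());
  export where (freifunk() || dn42());
  description "import: freifunk; export: freifunk, dn42";
  neighbor 10.207.0.60 as 65526;
}
### Schwarzach 1 ###
protocol bgp Schwarzach1 from PEERS {
  import where (freifunk() && !net_local());
  export where (freifunk() || dn42());
  description "import: freifunk; export: freifunk, dn42";
  neighbor 10.207.0.56 as 65527;
}
### Hamburg 01 ###
protocol bgp Hamburg01 from PEERS {
  import where (freifunk() && !net_local());
  export where (freifunk() || dn42());
  description "import: freifunk; export: freifunk, dn42";
  neighbor 10.207.0.62 as 65112;
}
### Kiel4 ###
protocol bgp Kiel4 from PEERS {
  import where (freifunk() && !net_local());
  export where (freifunk() || dn42());
  description "import: freifunk; export: freifunk, dn42";
  neighbor 10.207.0.58 as 65525;
}
### Hamburg 05 ###
protocol bgp Hamburg05 from PEERS {
  import where (freifunk() && !net_local());
  export where (freifunk() || dn42());
  description "import: freifunk; export: freifunk, dn42";
  neighbor 10.207.0.65 as 65112;
}
### Jena 1 ###
protocol bgp Jena1 from PEERS {
  import where (freifunk() && !net_local());
  export where (freifunk() || dn42());
  description "import: freifunk; export: freifunk, dn42";
  neighbor 10.207.0.33 as 65055;
}
### Jena 2 ###
protocol bgp Jena2 from PEERS {
  import where (freifunk() && !net_local());
  export where (freifunk() || dn42());
  description "import: freifunk; export: freifunk, dn42";
  neighbor 10.207.0.66 as 65055;
}
### Wuppertal 1 ###
protocol bgp Wuppertal1 from PEERS {
  import where (freifunk() && !net_local());
  export where (freifunk() || dn42());
  description "import: freifunk; export: freifunk, dn42";
  neighbor 10.207.0.73 as 65523;
}
### barnslig ####
# description corrected: the export filter also passes chaosvpn().
protocol bgp dn42_barnslig from PEERS {
  import where ((dn42() || chaosvpn()) && !net_local() && !net_hackint());
  export where (freifunk() || dn42() || chaosvpn());
  description "import: dn42, chaosvpn; reject hackint; export: freifunk, dn42, chaosvpn";
  neighbor 172.22.119.227 as 64753;
}
### bodems ####
protocol bgp dn42_bodems from PEERS {
  import where (dn42() && !net_local());
  export where (freifunk() || dn42() || chaosvpn());
  description "import: dn42; export: freifunk, dn42, chaosvpn";
  neighbor 172.23.146.126 as 76124;
}
### kiwi-ix ###
protocol bgp dn42_kiwi_ix from PEERS {
  import where ((dn42() || chaosvpn()) && !net_local());
  export where (freifunk());
  description "import: dn42, chaosvpn; export: freifunk";
  neighbor 172.23.197.1 as 76119;
}
### crest ###
protocol bgp dn42_crest from PEERS {
  import where ((dn42() || chaosvpn()) && !net_local());
  export where (freifunk() || dn42() || chaosvpn());
  description "import: dn42, chaosvpn; export: freifunk, dn42, chaosvpn";
  neighbor 172.22.254.124 as 64828;
}
### thomasdotde ###
protocol bgp dn42_thomasdotde from PEERS {
  import where ((dn42() || chaosvpn()) && !net_local());
  export where (freifunk() || dn42() || chaosvpn());
  description "import: dn42, chaosvpn; export: freifunk, dn42, chaosvpn";
  neighbor 172.22.121.18 as 76196;
}
### implementation ####
protocol bgp dn42_impl from PEERS {
  import where ((dn42() || chaosvpn()) && !net_local());
  export where (freifunk() || dn42() || chaosvpn());
  description "import: dn42, chaosvpn; export: freifunk, dn42, chaosvpn";
  neighbor 172.23.220.17 as 76376;
}
#### dn42 mare ####
protocol bgp dn42_mare from PEERS {
  import where ((dn42() || chaosvpn()) && !net_local());
  export where (freifunk() || dn42() || chaosvpn());
  description "import: dn42, chaosvpn; export: freifunk, dn42, chaosvpn";
  neighbor 172.22.235.254 as 64835;
}
</code>

  * bird6.conf
<code>
### config for vpn1 ###
log "/var/log/bird6.log" all;
log syslog all;

router id 10.29.131.187;
define myas = 65529;

table ebgp;
table ibgp;
#table internal_ospf;
table internal;

### functions ###
function net_local() {
  return net ~ [ fdef:17a0:ffb1::/48+ ];
}
# NOTE(review): 2000::/3{48,64} matches any /48-/64 out of the entire global-unicast space.
# Because PEERS imports it from every peer and the ibgp->internal pipe exports it into the
# kernel table, any single peer can announce arbitrary public IPv6 prefixes and hijack that
# traffic for the mesh. Consider restricting this to the prefixes registered on the IP-Netze page.
function global_unicast(){
  return net ~ [ 2000::/3{48,64} ];
}
function ula(){
  return net ~ [ fc00::/7{48,64} ];
}

### kernel ###
protocol kernel {
  scan time 10;
  table internal;
  kernel table 200;
  import none;
  export filter {
    krt_prefsrc = fdef:17a0:ffb1:0:44a:8aff:fea5:adc; # edit: own ip
    accept;
  };
};
protocol device {
  scan time 10;
}

### static routes for bgp ###
protocol static {
  route fdef:17a0:ffb1::/48 reject;
  table ebgp;
}

### sync ebgp with ibgp ###
protocol pipe {
  table ebgp;
  peer table ibgp;
  import where !net_local();
  export where !net_local();
}
### sync ibgp with internal ###
protocol pipe {
  table ibgp;
  peer table internal;
  import none;
  export where (global_unicast() || ula());
}

### templates ###
# Unlike bird.conf, the IPv6 template carries the import filter itself; the per-peer
# "import: any; export: any" descriptions below refer to this template filter.
template bgp PEERS {
  table ebgp;
  local as myas;
  import where ((ula() || global_unicast()) && !net_local());
  export where ula() || global_unicast();
  route limit 10000;
}
template bgp bgp_ibgp {
  table ibgp;
  local as myas;
  import filter {
    preference = 99;
    accept;
  };
  export where source = RTS_BGP;
  gateway direct;
  next hop self;
}

### iBGP ###
protocol bgp vpn2 from bgp_ibgp {
  description "import: any; export: any";
  neighbor fdef:17a0:ffb1:0:1cd0:63ff:fe81:1af2 as 65529;
}

### eBGP ###
### Wermelskirchen 1 ###
protocol bgp Wermelskirchen1 from PEERS {
  description "import: any; export: any";
  neighbor fec0::a:cf:0:7 as 65530;
}
### Wermelskirchen 2 ###
protocol bgp Wermelskirchen2 from PEERS {
  description "import: any; export: any";
  neighbor fec0::a:cf:0:8 as 65530;
}
#### diac24.net - offline ###
#protocol bgp diac24_net from PEERS {
#  description "diac24.net";
#  neighbor fec0::a:cf:ac:16 as 64600;
#}
#### kiberpipa.net - offline ###
#protocol bgp kiberpipa_net from PEERS {
#  description "kiberpipa.net";
#  neighbor fec0::a:cf:3:23 as 65023;
#}
### Bayreuth 1 ###
protocol bgp Bayreuth1 from PEERS {
  description "import: any; export: any";
  neighbor fec0::a:cf:0:19 as 65025;
}
### Luebeck 1 ###
protocol bgp Luebeck1 from PEERS {
  description "import: any; export: any";
  neighbor fec0::a:cf:0:82 as 65052;
}
### Luebeck 2 ###
protocol bgp Luebeck2 from PEERS {
  description "import: any; export: any";
  neighbor fec0::a:cf:0:83 as 65052;
}
### Gronau 1 ###
protocol bgp Gronau1 from PEERS {
  description "import: any; export: any";
  neighbor fec0::a:cf:0:50 as 65526;
}
### Gronau 2 ###
protocol bgp Gronau2 from PEERS {
  description "import: any; export: any";
  neighbor fec0::a:cf:0:51 as 65526;
}
### Hamburg 03 ###
protocol bgp Hamburg03 from PEERS {
  description "import: any; export: any";
  neighbor fec0::a:cf:0:3d as 65112;
}
### Hamburg 01 ###
protocol bgp Hamburg01 from PEERS {
  description "import: any; export: any";
  neighbor fec0::a:cf:0:3e as 65112;
}
### Hamburg 02 ###
protocol bgp Hamburg02 from PEERS {
  description "import: any; export: any";
  neighbor fec0::a:cf:0:3f as 65112;
}
### Hamburg 04 ###
protocol bgp Hamburg04 from PEERS {
  description "import: any; export: any";
  neighbor fec0::a:cf:0:40 as 65112;
}
### Hamburg 05 ###
protocol bgp Hamburg05 from PEERS {
  description "import: any; export: any";
  neighbor fec0::a:cf:0:41 as 65112;
}
#### bodems ###
protocol bgp dn42_bodems from PEERS {
  description "import: any; export: any";
  neighbor fdef:17a0:ffb1:0:fad1:11ff:fe4b:3966 as 76124;
}
#### RheinlandDev ####
protocol bgp RheinlandDev from PEERS {
  description "import: any; export: any";
  neighbor fec0::a:cf:0:4e as 65078;
}
#### Weimar1 ####
protocol bgp Weimar1 from PEERS {
  description "import: any; export: any";
  neighbor fec0::a:cf:0:3 as 65042;
}
#### Weimar2 ####
protocol bgp Weimar2 from PEERS {
  description "import: any; export: any";
  neighbor fec0::a:cf:0:4 as 65042;
}
#### Wuppertal1 ####
protocol bgp Wuppertal1 from PEERS {
  description "import: any; export: any";
  neighbor fec0::a:cf:0:71 as 65523;
}
#### Kiel4 ####
protocol bgp Kiel4 from PEERS {
  description "import: any; export: any";
  neighbor fec0::a:cf:0:3a as 65525;
}
#### Kiel3 ####
protocol bgp Kiel3 from PEERS {
  description "import: any; export: any";
  neighbor fec0::a:cf:0:36 as 65525;
}
#### Leipzig2 ####
protocol bgp Leipzig2 from PEERS {
  description "import: any; export: any";
  neighbor fec0::a:cf:0:2 as 65041;
}
</code>

===== Peerings zum DN42 =====

Neben Peerings im ICVPN haben wir auch noch Peerings über OpenVPN und GRE+IPsec zum DN42. Derzeit sind das folgende:

  * barnslig (AS64753)
  * bodems (AS76124)
  * kiwi (zu seinem IX, AS76119)
  * crest (AS64828)
  * thomasdotde (AS76196)
  * implementation (AS76376)
  * mare (AS64835)
  * siska (AS76103)
  * firehat (AS64844)

Für jeden Peer existiert ein Ordner in /root/dn42 mit der config, Backups hat Bodems. (In der oben abgebildeten bird.conf vom 07.02.14 sind siska und firehat noch nicht enthalten.)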