Librehosting » History » Version 12

sacha, 02/08/2018 00:34

# Configuration of a Libre Hosting
aka IPsec between OPNsense and OpenBSD, to announce our ASN's IP addresses from a site served by any ordinary ISP.
## Who we are
Aquilenet is a non-profit organization founded in 2010 and a "do it yourself ISP", member of a federation of similar ISPs in France called [FFDN](https://www.ffdn.org). We are net neutrality builders, working for more freedom and building networks while using and contributing to Libre Software.

We provide xDSL and VPN access (and, we hope, fibre soon), plus a lot of services for our members (mail, Nextcloud, hosting, VPS...) and for everyone: [searx](https://searx.aquilenet.fr), [Etherpad](https://pad.aquilenet.fr), [Pastebin](https://pastebin.aquilenet.fr), [Peertube](https://tube.aquilenet.fr), ...
## The need: create a Libre-style hosting space in our cool local venue called "la mezzanine"
To let the members of our non-profit organization connect the hardware they want (NUC, Raspberry Pi, tower, etc.) in our Libre hosting space called "la mezzanine", with public IPv6 and IPv4 addresses from our [ASN](https://en.wikipedia.org/wiki/Autonomous_system_(Internet)), we need to announce our IPs from somewhere other than our datacenter.
## How we do it
We have to tunnel all traffic between the Libre Hosting and the Internet, in both directions. We first tried OpenVPN, but as a userland application it uses too many resources for the bandwidth we need (200 Mbps).

The hosting IP range is routed over IPsec to our BGP announcement point in our datacenter, which then routes it on to the Libre Hosting.
In our Libre Hosting we have an OPNsense firewall, and in our datacenter two clustered [OpenBSD](https://www.openbsd.org/) firewalls.
A diagram to explain this:

![](https://atelier.aquilenet.fr/attachments/download/550/Aquilenet-IPSec-Logical_Scheme.png)
Diagram explanation:
* (1) ASN & BGP
With our ASN we can use BGP to announce our IP addresses from our datacenter.
* (2) Firewalls in the datacenter
The job is done by a cluster of firewalls using the magic power of [OpenBSD](https://www.openbsd.org/) and [OpenBGPD](http://www.openbgpd.org/).
* (3) La Mezzanine
This is our cool place where we can meet our members and friends.

This place uses green power from an alternative electricity supplier, [Enercoop](https://en.wikipedia.org/wiki/Enercoop), a French electric utility cooperative which only uses renewable energy.

Here, the firewall is [OPNsense](https://opnsense.org/), doing the PPPoE connection over a consumer fibre provider (yes, we had to hack a little to remove the ISP's black box).
* (4) Public IPv6 and IPv4 from the Mezzanine to the Internet
This firewall routes the public IPs dedicated to this place through an IPsec tunnel (one per OpenBSD firewall). These IPs let our friends put their servers, Arduinos & co on the Internet with our network <3
### [OpenBSD](https://www.openbsd.org/) configuration
We write the [OpenBSD](https://www.openbsd.org/) IPsec configuration file with two Phase 2 tunnels, one for IPv4 and one for IPv6:
/etc/ipsec.conf
~~~
# Macros: placeholder values (RFC 5737 / RFC 3849 documentation ranges),
# to be replaced with the real addresses.
OPSense_Public_IP = "198.51.100.10"
LIBRE_HOSTING_PUB_IP_V4 = "203.0.113.64"
LIBRE_HOSTING_PUB_IP_V6 = "2001:db8:1234::"

# Phase 1: main mode, DH group modp2048, PSK; passive = wait for OPNsense to initiate.
ike passive esp from any to $LIBRE_HOSTING_PUB_IP_V4/26 \
    peer $OPSense_Public_IP \
    main group modp2048 \
    psk "mysupersecurepass"

# Phase 2 flows: one for the IPv4 /26, one for the IPv6 /48.
flow esp from any to $LIBRE_HOSTING_PUB_IP_V4/26 peer $OPSense_Public_IP
flow esp from any to $LIBRE_HOSTING_PUB_IP_V6/48 peer $OPSense_Public_IP
~~~
Restrict access to the file, since it holds the pre-shared key:

~~~
chmod 500 /etc/ipsec.conf
~~~
Launch the tunnel:

~~~
isakmpd -K
ipsecctl -f /etc/ipsec.conf
~~~
To make it permanent, add this to /etc/rc.conf.local:

~~~
isakmpd_flags="-K"
ipsec_rules=/etc/ipsec.conf
ipsec=YES
~~~
Check the loaded SAs and flows:

~~~
ipsecctl -sa
~~~
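An added example (not from the Aquilenet wiki) that scripts the steps above: it renders /etc/ipsec.conf from the three macros, refuses a short pre-shared key, installs the file with mode 600 under a restrictive umask and, when `ipsecctl` is present, parses it with `ipsecctl -n -f` without loading it. The function names, the destination path argument and the RFC 5737/3849 addresses used when calling it are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Aquilenet wiki): render an ipsec.conf from
# variables, install it with restrictive permissions and syntax-check it.
# Addresses passed in by the caller are constructed placeholders.

# render_ipsec_conf OPNSENSE_IP HOSTING_V4 HOSTING_V6 PSK
# Writes the same ike/flow rules as the page, with the macros defined.
render_ipsec_conf() {
    cat <<EOF
OPSense_Public_IP = "$1"
LIBRE_HOSTING_PUB_IP_V4 = "$2"
LIBRE_HOSTING_PUB_IP_V6 = "$3"

ike passive esp from any to \$LIBRE_HOSTING_PUB_IP_V4/26 \\
    peer \$OPSense_Public_IP \\
    main group modp2048 \\
    psk "$4"

flow esp from any to \$LIBRE_HOSTING_PUB_IP_V4/26 peer \$OPSense_Public_IP
flow esp from any to \$LIBRE_HOSTING_PUB_IP_V6/48 peer \$OPSense_Public_IP
EOF
}

# psk_ok PSK: reject pre-shared keys shorter than 32 characters
# (threshold chosen for this example).
psk_ok() {
    [ "${#1}" -ge 32 ]
}

# install_ipsec_conf DEST OPNSENSE_IP HOSTING_V4 HOSTING_V6 PSK
install_ipsec_conf() {
    dest=$1; shift
    psk_ok "$4" || { echo "PSK too short" >&2; return 1; }
    umask 077                                   # temp file is created 0600
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    render_ipsec_conf "$@" > "$tmp"
    chmod 600 "$tmp"
    mv "$tmp" "$dest"                           # atomic replace
    # Parse-only check on OpenBSD; skipped where ipsecctl is not installed.
    if command -v ipsecctl >/dev/null 2>&1; then
        ipsecctl -n -f "$dest" || return 1
    fi
}

# file_mode PATH: octal permission bits (GNU stat, falling back to BSD stat).
file_mode() {
    if stat -c %a "$1" >/dev/null 2>&1; then
        stat -c %a "$1"
    else
        stat -f %Lp "$1"
    fi
}
```

Run it as root on the OpenBSD side with the real addresses, e.g. `install_ipsec_conf /etc/ipsec.conf <opnsense-ip> <v4-net> <v6-prefix> "<psk>"`, then load the rules with `ipsecctl -f /etc/ipsec.conf` as described above.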
Get some diagnostics from isakmpd (writing `S` to its control FIFO makes it write its SA report to /var/run/isakmpd.result):

~~~
sh -c "echo S > /var/run/isakmpd.fifo"
less /var/run/isakmpd.result
~~~
Or run it in the foreground with full debug output:

~~~
isakmpd -d -DA=70 -K
~~~
Check the IPsec flows:

~~~
ipsecctl -sf
~~~

Note that `ipsecctl -F` flushes all flows and SAs rather than listing them.
## OPNsense configuration

![](IPSec-Phase2_Conf1.png) ![](IPSec-Phase1_Conf1.png)
### Configuration 1: performance

- AES_CBC_256/HMAC_SHA2_512_256/MODP_8192

- `top` on Cerbere11 during the test:

~~~
last pid: 45038; load averages: 0.27, 0.34, 0.31 up 0+00:56:47 19:07:15
49 processes: 1 running, 48 sleeping
CPU 0: 3.9% user, 0.0% nice, 0.8% system, 3.1% interrupt, 92.1% idle
CPU 1: 1.2% user, 0.0% nice, 0.0% system, 6.3% interrupt, 92.5% idle
CPU 2: 0.4% user, 0.0% nice, 0.0% system, 21.3% interrupt, 78.3% idle
CPU 3: 5.9% user, 0.0% nice, 0.0% system, 2.4% interrupt, 91.7% idle
Mem: 109M Active, 145M Inact, 387M Wired, 152M Buf, 7214M Free
~~~

- `top` on Cerbere1 during the test:

~~~
load averages: 1.18, 0.95, 0.74 cerbere1.aquilenet.fr 19:08:23
43 processes: 1 starting, 40 idle, 1 dead, 1 on processor up 3 days, 18:40 up 3 days, 19:21
CPU0 states: 0.2% user, 0.0% nice, 2.8% system, 7.4% interrupt, 89.6% idle
CPU1 states: 0.0% user, 0.0% nice, 22.4% system, 0.0% interrupt, 77.6% idle
CPU2 states: 0.0% user, 0.0% nice, 20.2% system, 0.0% interrupt, 79.8% idle
CPU3 states: 0.0% user, 0.0% nice, 10.8% system, 0.0% interrupt, 89.2% idle
Memory: Real: 584M/2111M act/tot Free: 5793M Cache: 754M Swap: 0K/8405M
~~~

- bandwidth:

![](IPSec_BW1.png)
138
### MTU
139
140
Linux: ping -M do -s 1172 185.233.102.130 =\> OK  
141
Linux: iperf3 -c 185.233.102.130 -M 1160 =\> OK  
142
Linux: ping -M do -s 1173 185.233.102.130 =\> NOK  
143
Linux: iperf3 -c 185.233.102.130 -M 1161 =\> NOK
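The two ping results above are instances of a general search. As an added example (not part of the original page), this shell script binary-searches the largest DF-bit ping payload that crosses the tunnel and derives the IPv4 path MTU and TCP MSS from it, so the `-M` value for iperf3 (or for MSS clamping on the firewall) does not have to be found by hand. `probe_icmp` uses the Linux iputils `ping -M do` syntax from the page; the function names and the payload search range are this example's own.

```shell
#!/bin/sh
# Added example (not from the Aquilenet wiki): find the largest ICMP payload
# that crosses the tunnel without fragmentation, then derive path MTU and MSS.

# probe_icmp HOST SIZE: one ping with DF set; success means SIZE fits.
# Linux iputils syntax, as on the page.
probe_icmp() {
    ping -M do -c 1 -W 1 -s "$2" "$1" >/dev/null 2>&1
}

# find_max_payload HOST LO HI PROBE: largest SIZE in [LO, HI] for which
# "PROBE HOST SIZE" succeeds. Assumes fit is monotonic (if SIZE fits,
# every smaller size fits too), which holds for a fixed path MTU.
find_max_payload() {
    host=$1; lo=$2; hi=$3; probe=$4
    best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$host" "$mid"; then
            best=$mid; lo=$((mid + 1))      # fits: search upwards
        else
            hi=$((mid - 1))                 # too big: search downwards
        fi
    done
    echo "$best"
}

# IPv4 path MTU = ICMP payload + 8 (ICMP header) + 20 (IPv4 header).
path_mtu_v4() { echo $(( $1 + 28 )); }

# TCP MSS over IPv4 = path MTU - 20 (IPv4 header) - 20 (TCP header).
mss_v4() { echo $(( $1 - 40 )); }

# Stand-alone use: sh mtu.sh <host>, e.g. the 185.233.102.130 address on the page.
# 1472 is the largest payload that fits an untunnelled 1500-byte Ethernet MTU.
if [ "$#" -gt 0 ]; then
    p=$(find_max_payload "$1" 0 1472 probe_icmp)
    m=$(path_mtu_v4 "$p")
    echo "max ICMP payload $p, path MTU $m, TCP MSS $(mss_v4 "$m")"
fi
```

With the page's figures (payload 1172 fits, 1173 does not) the search returns 1172, i.e. a path MTU of 1200 and an MSS of 1160, matching the iperf3 results. The probe is pluggable, so the same search works for IPv6 with a different probe and header arithmetic (40-byte IPv6 header instead of 20).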
- a netcat-style echo server to test the tunnel:

~~~
socat TCP4-LISTEN:4444,fork EXEC:cat
~~~