
Revision 36 (sacha, 02/08/2018 10:49) → Revision 37/44 (xavier, 03/08/2018 01:23)

# Configuration of a Libre Hosting, aka announcing our public IPs to the Internet from an arbitrary place

In technical terms: IPSec between OPNSense and OpenBSD to announce our ASN's IPs from an arbitrary ISP connection.

  

 ## General presentation 

 ### Who we are 

[Aquilenet](https://www.aquilenet.fr) is a non-profit organization founded in 2010 and a "do it yourself ISP", member of a federation of similar ISPs in France called [FFDN](https://www.ffdn.org). We are net neutrality builders, working for more freedom and building networks using and contributing to Libre Software.
We provide xDSL and VPN access (and, we hope, fiber access soon), and a lot of services for our members (mail, Nextcloud, hosting, VPS...) and for others: [searx](https://searx.aquilenet.fr), [Etherpad](https://pad.aquilenet.fr), [Pastebin](https://pastebin.aquilenet.fr), [Peertube](https://tube.aquilenet.fr), ...

### The need: to create a Libre hosting in our cool local place called "la mezzanine".

To allow the members of our non-profit organization to connect the hardware they want (like a NUC, a Raspberry Pi, a tower, etc.) in our Libre hosting space called "la mezzanine", with public IPv6 and IPv4 addresses from our [ASN](https://en.wikipedia.org/wiki/Autonomous_system_(Internet)), we need to announce our IPs from a place other than our datacenter.

 ### How we do it 

We have to tunnel all of the network traffic from the Libre Hosting to the Internet, and vice versa.
The assigned IP range is routed over IPSec from our [ASN](https://en.wikipedia.org/wiki/Autonomous_system_(Internet))'s [BGP](https://en.wikipedia.org/wiki/Border_Gateway_Protocol) announcement point in our datacenter, which then routes it on to the Libre Hosting.

We first tried OpenVPN, but its userland application consumed too many resources for the required bandwidth (200Mbps), so we use IPSec.

At our Libre Hosting we have an [OPNSense](https://opnsense.org/) firewall, and in our datacenter two clustered [OpenBSD](https://www.openbsd.org/) firewalls.

 A diagram to explain this: 

 ![](https://atelier.aquilenet.fr/attachments/download/550/Aquilenet-IPSec-Logical_Scheme.png) 

 Diagram explanation: 

 * (1) [ASN](https://en.wikipedia.org/wiki/Autonomous_system_(Internet)) & [BGP](https://en.wikipedia.org/wiki/Border_Gateway_Protocol) 

With our [ASN](https://en.wikipedia.org/wiki/Autonomous_system_(Internet)) we can use BGP to announce our IP addresses in our datacenter.

* (2) Firewalls in the datacenter

The job is done with a cluster of firewalls using the magic power of [OpenBSD](https://www.openbsd.org/) and [OpenBGPD](http://www.openbgpd.org/).
For firewall redundancy we use [CARP and pfsync](https://www.openbsd.org/faq/pf/carp.html).

 * (3) La Mezzanine 

La Mezzanine is our cool place where we can meet up with our members and friends.
It runs on green power, thanks to the folks at [Enercoop](https://en.wikipedia.org/wiki/Enercoop), a French electric utility cooperative which only uses renewable energy.
Here, the firewall is dedicated hardware running [OPNSense](https://opnsense.org/) that can handle filtering & IPSec at 500Mbps. We chose an appliance with [AES-NI](https://en.wikipedia.org/wiki/AES_instruction_set) support: a Qotom-Q355G4 fanless x86 box with an Intel® Core™ i5-5250U processor, coming from Shenzhen. It also handles the PPPoE connection on a general public fiber provider (yes, we had to hack a little to remove this ISP's black box).

* (4) Public IPv6 and IPv4 from the Mezzanine to the Internet

This firewall routes, through an IPSec tunnel (one for each OpenBSD firewall), our public IP address range dedicated to this place. These IP addresses allow our friends to put their servers / Arduinos & co right here, on the Internet within our network <3

 --- 

## Technical information, let's rock!

We configure the IPSec tunnel with **2** Phase-2 tunnels: one for IPv4, another for IPv6:

* Phase-1: IKEv1 AES (192 bits) + SHA1 + DH Group 14 (2048 bits)
* Phase-2: ESP IPv4 tunnel AES (256 bits) SHA512 Group 18 (8192 bits)
* Phase-2: ESP IPv6 tunnel AES (256 bits) SHA512 Group 18 (8192 bits)

 ### [OpenBSD](https://www.openbsd.org/) configuration 

We write the [OpenBSD](https://www.openbsd.org/) IPSec configuration file for the 2 Phase-2 tunnels, one for IPv4 and another for IPv6:

 **/etc/ipsec.conf** 

~~~
# Macros used below. The values are placeholders (RFC 5737 / RFC 3849
# documentation ranges): put the real routed prefixes and the OPNSense WAN
# address here.
LIBRE_HOSTING_PUB_IP_V4 = "192.0.2.0"
LIBRE_HOSTING_PUB_IP_V6 = "2001:db8:1::"
OPSense_Public_IP = "203.0.113.1"

# Phase 1 (main mode): we only answer (passive), the OPNSense side initiates.
ike passive esp from any to $LIBRE_HOSTING_PUB_IP_V4/26 \
    peer $OPSense_Public_IP \
    main group modp2048 \
    psk "My super secret shared key"

# Phase 2 flows: the IPv4 /26 and the IPv6 /48 routed to the Mezzanine.
flow esp from any to $LIBRE_HOSTING_PUB_IP_V4/26 peer $OPSense_Public_IP
flow esp from any to $LIBRE_HOSTING_PUB_IP_V6/48 peer $OPSense_Public_IP
~~~

Restrict the file's permissions, since it holds the pre-shared key:

~~~
chmod 500 /etc/ipsec.conf
~~~

 **Launch the tunnel:** 

~~~
isakmpd -K                   # -K: do not consult isakmpd.policy (KeyNote)
ipsecctl -f /etc/ipsec.conf  # load the rules into isakmpd and the kernel
~~~

 To make it permanent add this to /etc/rc.conf.local: 

 ~~~ 
 isakmpd_flags="-K" 
 ipsec_rules=/etc/ipsec.conf 
 ipsec=YES 
 ~~~ 

To check the installed SAs:

 ~~~ 
 ipsecctl -sa  
 ~~~ 

Get a status report from isakmpd (the `S` command on its FIFO writes the report to /var/run/isakmpd.result):

~~~
sh -c "echo S > /var/run/isakmpd.fifo"
less /var/run/isakmpd.result
~~~

and, to run isakmpd in the foreground with verbose debug output:

~~~
isakmpd -d -DA=70 -K   # -d: stay in foreground, -DA=70: debug level 70 for all classes
~~~

Check the IPSec flows:

~~~
ipsecctl -sf   # list the installed flows ("ipsecctl -F" would flush them instead)
~~~

 ## [OPNSense](https://opnsense.org/) configuration 

* **IPSec Phase-1**

 ![](https://atelier.aquilenet.fr/attachments/download/556/OPNSense-Tunnel_Settings_IPsec_VPN-Phase1.png) 

* **IPSec Phase-2, IPv4**

 ![](https://atelier.aquilenet.fr/attachments/download/553/OPNSense-Tunnel_Settings_IPsec-Phase2-IPv4.png) 

* **IPSec Phase-2, IPv6**

To get an IPv6 Phase-2 working with an IPv4 Phase-1 on OPNSense, make sure you have [this patch](https://github.com/opnsense/core/commit/a79b20c12759007f2079ffd6e0cad26d04b00808).
 ![](https://atelier.aquilenet.fr/attachments/download/554/OPNSense-Tunnel_Settings_IPsec-Phase2-IPv6.png) 

 * **IPSec Advanced Settings** 

**Important!** On the LAN side, exclude the traffic targeted at the routed network from the tunnel, so that *all* of its hosts keep talking and responding to each other (example: ARP/ICMP requests to the gateway)! Otherwise that traffic will die at the other end of the IPSec tunnel (and the whole Planet could be endangered, too. Who knows?).
![](https://atelier.aquilenet.fr/attachments/download/555/OPNSense-Tunnel_Settings_IPsec-Advanced_Settings.png)
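To illustrate the pitfall above, here is a toy policy-database lookup (an added example, not code from the page or from OPNSense/OpenBSD). It assumes the most specific matching policy wins and uses placeholder prefixes (RFC 5737 / RFC 3849) standing in for the Mezzanine's /26 and /48; it shows that without the exclusion, a host talking to its own gateway is sent into the tunnel, while a prefix-to-prefix bypass policy keeps that traffic local.

```python
import ipaddress

# Constructed placeholder prefixes; the page's real /26 and /48 are not reproduced.
MEZZANINE_V4 = ipaddress.ip_network("192.0.2.0/26")
MEZZANINE_V6 = ipaddress.ip_network("2001:db8:1::/48")
ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")


def build_spd(exclude_local):
    """Policies as seen from the OPNSense LAN side: one tunnel policy per
    Phase-2 (IPv4 and IPv6). With exclude_local, a more specific 'bypass'
    policy keeps prefix-to-prefix traffic (ICMP to the gateway, host to
    host) out of the tunnel. Each entry is (src_net, dst_net, action)."""
    spd = [(MEZZANINE_V4, ANY_V4, "ipsec"), (MEZZANINE_V6, ANY_V6, "ipsec")]
    if exclude_local:
        spd += [(MEZZANINE_V4, MEZZANINE_V4, "bypass"),
                (MEZZANINE_V6, MEZZANINE_V6, "bypass")]
    return spd


def lookup(spd, src_ip, dst_ip):
    """Return the action for a packet: 'ipsec', 'bypass' or 'plain' (no
    matching policy). Assumption: the most specific match (largest sum of
    prefix lengths) wins, as with a longest-prefix lookup."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    matches = [(s, d, action) for s, d, action in spd
               if s.version == src.version and src in s and dst in d]
    if not matches:
        return "plain"
    _, _, action = max(matches, key=lambda p: p[0].prefixlen + p[1].prefixlen)
    return action


if __name__ == "__main__":
    for excl in (False, True):
        spd = build_spd(excl)
        print("exclude_local=%s: host->gateway is %s, host->internet is %s"
              % (excl, lookup(spd, "192.0.2.10", "192.0.2.1"),
                 lookup(spd, "192.0.2.10", "198.51.100.7")))
```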

 ## Hosted server settings 

* IP: the public IP/mask
* Gateway: the OPNSense's IP
* MTU: 1378

 ---