Librehosting » Historique » Version 42

sacha, 25/08/2018 13:24

# Configuration of a Libre Hosting, aka announcing our public IPs to the Internets from any place

In technical terms: IPSec between OPNSense and OpenBSD to announce our ASN IPs from any place, on any ISP.

## General presentation

### Who we are

[Aquilenet](https://www.aquilenet.fr) is a non-profit organization founded in 2010 and a "do it yourself ISP", member of a federation of similar ISPs in France called [FFDN](https://www.ffdn.org). We are net neutrality builders, working for more freedom and building networks using, and contributing to, Libre Software.

We provide xDSL, VPN and, we hope, soon fiber access, as well as a lot of services for our members (mail, Nextcloud, hosting, VPS...) and other services open to everyone: [searx](https://searx.aquilenet.fr), [Etherpad](https://pad.aquilenet.fr), [Pastebin](https://pastebin.aquilenet.fr), [Peertube](https://tube.aquilenet.fr), ...

### The need: to create a Libre hosting at our cool place, "la mezzanine"

To allow members of our non-profit organization to place the hardware they want (like a NUC, a Raspberry Pi, towers, etc.) at our Libre hosting space called "la mezzanine", with a public IPv6 and IPv4 from our [ASN](https://en.wikipedia.org/wiki/Autonomous_system_(Internet)), we need to announce our IPs from another place than our data center.

### How we do it

We have to tunnel all of our Libre Hosting networks to the Internets, and vice versa. This IP range, assigned to our [ASN](https://en.wikipedia.org/wiki/Autonomous_system_(Internet)), is routed from our [BGP](https://en.wikipedia.org/wiki/Border_Gateway_Protocol) announcement point in our data center to the Libre Hosting.

We first tried OpenVPN, but its userland application consumed too many resources for the required bandwidth (200Mbps). So we use IPSec.

At our Libre Hosting we have an [OPNSense](https://opnsense.org/) firewall, and in our data center two clustered [OpenBSD](https://www.openbsd.org/) firewalls.

A diagram to illustrate this:

![](https://atelier.aquilenet.fr/attachments/download/550/Aquilenet-IPSec-Logical_Scheme.png)

Diagram explanation:

* (1) [ASN](https://en.wikipedia.org/wiki/Autonomous_system_(Internet)) & [BGP](https://en.wikipedia.org/wiki/Border_Gateway_Protocol)

With our [ASN](https://en.wikipedia.org/wiki/Autonomous_system_(Internet)) we can do BGP to announce our IP addresses in our data center.

* (2) Firewalls in the data center

The job is done with a cluster of firewalls using the ®magic power© of [OpenBSD](https://www.openbsd.org/) and [OpenBGPD](http://www.openbgpd.org/).

For firewall redundancy we use [CARP and pfsync](https://www.openbsd.org/faq/pf/carp.html).

* (3) La Mezzanine

La Mezzanine is our cool place where we meet up with other members and friends.

It has green power, thanks to the folks at [Enercoop](https://en.wikipedia.org/wiki/Enercoop), a French electric utility cooperative that supplies only renewable energy.

Here, the firewall is dedicated hardware running [OPNSense](https://opnsense.org/), which can handle filtering & IPSec at 500Mbps. We chose an appliance with [AES-NI](https://en.wikipedia.org/wiki/AES_instruction_set) support, a Qotom-Q355G4 fanless x86 with an Intel® Core™ i5-5250U processor, coming from Shenzhen. It also handles the PPPoE connection to a general-public fiber provider (yes--we had to hack a little to remove this ISP black box).

* (4) Public IPv6 and v4 from the Mezzanine to Internet

This firewall routes our public IP address range dedicated to this place through an IPSec tunnel (one for each OpenBSD firewall). These IP addresses allow our friends to put their servers / Arduinos & co right here, on the Internet, within our network <3

---

## Technical information, let's rock!

We configure IPSec with **2** × Phase-2 tunnels: one for IPv4, another for IPv6:

* Phase-1: IKEv1 AES (192 bits) + SHA1 + DH Group 14 (2048 bits)
* Phase-2: ESP IPv4 tunnel AES (256 bits) SHA512 Group 18 (8192 bits)
* Phase-2: ESP IPv6 tunnel AES (256 bits) SHA512 Group 18 (8192 bits)

### [OpenBSD](https://www.openbsd.org/) configuration

We define [OpenBSD](https://www.openbsd.org/)'s IPSec configuration file:

**/etc/ipsec.conf**

~~~
# Macros: placeholder values (RFC 5737 / RFC 3849 documentation ranges), replace with your own.
LIBRE_HOSTING_PUB_IP_V4 = "192.0.2.0"
LIBRE_HOSTING_PUB_IP_V6 = "2001:db8::"
OPSense_Public_IP = "198.51.100.1"

# Phase-1: IKEv1 main mode, DH group 14 (modp2048), responder only ("passive").
ike passive esp from any to $LIBRE_HOSTING_PUB_IP_V4/26 \
    peer $OPSense_Public_IP \
    main group modp2048 \
    psk "My super secret shared key"

# Flows: traffic for both routed prefixes is protected with ESP towards the OPNSense peer.
flow esp from any to $LIBRE_HOSTING_PUB_IP_V4/26 peer $OPSense_Public_IP
flow esp from any to $LIBRE_HOSTING_PUB_IP_V6/48 peer $OPSense_Public_IP
~~~

~~~
# the file contains the pre-shared key: restrict it to root
chmod 500 /etc/ipsec.conf
~~~

**Launch the tunnel:**

~~~
# start the IKE daemon; -K disables keynote policy checking, since ipsecctl(8) loads the rules
isakmpd -K
# load the ike and flow rules
ipsecctl -f /etc/ipsec.conf
~~~

To make it permanent, add this to /etc/rc.conf.local:

~~~
isakmpd_flags="-K"
ipsec_rules=/etc/ipsec.conf
ipsec=YES
~~~

To verify the configuration (show the kernel's SAs and flows):

~~~
ipsecctl -sa
~~~

Get a state dump (SA report) from isakmpd through its control FIFO and read the result:

~~~
echo S > /var/run/isakmpd.fifo
less /var/run/isakmpd.result
~~~

and, for verbose debugging, run isakmpd in the foreground:

~~~
# -d: stay in the foreground, -DA=70: debug level 70 for all classes
isakmpd -d -DA=70 -K
~~~

Check the IPSec flows:

~~~
# show the installed flows only (ipsecctl -F would flush all flows and SAs instead)
ipsecctl -sf
~~~

### [OPNSense](https://opnsense.org/) configuration

* **IPSec Phase-1**

![](https://atelier.aquilenet.fr/attachments/download/556/OPNSense-Tunnel_Settings_IPsec_VPN-Phase1.png)

* **IPSec Phase-2, IPv4**

![](https://atelier.aquilenet.fr/attachments/download/553/OPNSense-Tunnel_Settings_IPsec-Phase2-IPv4.png)

* **IPSec Phase-2, IPv6**

To get an IPv6 Phase-2 working with an IPv4 Phase-1 on OPNSense, make sure you have [this patch](https://github.com/opnsense/core/commit/a79b20c12759007f2079ffd6e0cad26d04b00808).

![](https://atelier.aquilenet.fr/attachments/download/554/OPNSense-Tunnel_Settings_IPsec-Phase2-IPv6.png)

* **IPSec Advanced Settings**

**Important!** On the LAN side, exclude the traffic targeted at the routed network from the tunnel, so *all* of its hosts may keep talking and responding to each other (example: ARP/ICMP request to the gateway)! Otherwise that traffic will go and die at the other end of the IPSec tunnel (and the whole Planet could be endangered, too. Who knows?).

![](https://atelier.aquilenet.fr/attachments/download/555/OPNSense-Tunnel_Settings_IPsec-Advanced_Settings.png)
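
The pitfall above, as an added Python illustration (not code from this wiki or from OPNSense): a minimal policy lookup where the "hosted prefix to anywhere" tunnel selector also matches a hosted server pinging its own gateway, and only a more specific "hosted to hosted" bypass entry keeps that traffic local. The prefixes are constructed documentation ranges standing in for $LIBRE_HOSTING_PUB_IP_V4/26 and $LIBRE_HOSTING_PUB_IP_V6/48.

```python
# Added example: a minimal security-policy (SPD) lookup, not OPNSense code.
# Shows why the "hosted prefix -> anywhere" tunnel policy swallows LAN-local
# traffic unless a more specific "hosted -> hosted" bypass policy exists.
import ipaddress
from collections import namedtuple

# action: "ipsec" = send through the tunnel, "bypass" = deliver locally
Flow = namedtuple("Flow", "src dst action")

def net(s):
    return ipaddress.ip_network(s, strict=False)

# Constructed documentation prefixes standing in for the real routed ranges
# ($LIBRE_HOSTING_PUB_IP_V4/26 and $LIBRE_HOSTING_PUB_IP_V6/48 on the page).
HOSTED_V4 = net("192.0.2.0/26")
HOSTED_V6 = net("2001:db8::/48")

# Phase-2 selectors as on the Mezzanine firewall: hosted prefix <-> anywhere.
TUNNEL_ONLY = [
    Flow(HOSTED_V4, net("0.0.0.0/0"), "ipsec"),
    Flow(HOSTED_V6, net("::/0"), "ipsec"),
]

# The same, plus the "exclude the routed network itself" entries
# (the Advanced Settings step): hosted -> hosted must stay local.
WITH_BYPASS = TUNNEL_ONLY + [
    Flow(HOSTED_V4, HOSTED_V4, "bypass"),
    Flow(HOSTED_V6, HOSTED_V6, "bypass"),
]

def lookup(flows, src, dst):
    """Return the action of the most specific matching flow, or "clear"
    (plain routing, no policy) when no flow matches.
    Specificity is the sum of the two prefix lengths, so the /26 -> /26
    bypass entry wins over /26 -> /0 for intra-prefix traffic."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best, best_len = "clear", -1
    for f in flows:
        # "in" is False when the address and network families differ
        if src not in f.src or dst not in f.dst:
            continue
        spec = f.src.prefixlen + f.dst.prefixlen
        if spec > best_len:
            best, best_len = f.action, spec
    return best

if __name__ == "__main__":
    for name, flows in (("tunnel only", TUNNEL_ONLY), ("with bypass", WITH_BYPASS)):
        print(name, "host->gateway:", lookup(flows, "192.0.2.5", "192.0.2.1"),
              "| host->internet:", lookup(flows, "192.0.2.5", "203.0.113.9"))
```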

### Hosted server settings

* IP: the public IP/mask
* Gateway: the OPNSense IP
* MTU: 1378

---

## ADDENDUM 20180825: FAILOVER IPSEC between OpenBSD with sasyncd

Reference: https://www.packetmischief.ca/openbsd-ipsec-tunnel-guide/

OpenBSD has built-in support for deploying redundant IPsec gateways. Synchronization of SAs and flows is handled by the sasyncd(8) daemon.

* sasyncd.conf:

~~~
# track the external carp interface
interface carp100
# address of gateway #1b
peer 192.168.0.2
# 256 bit shared key (openssl rand -hex 32)
sharedkey da23169c9f49bb1fcdfab7d5565889754331b3f831b3723d273a06e9d780f2cc
~~~