Based on: https://git.bingo-ev.de/freifunk/ansible-ffin/-/tree/master
- Network: 10.22.8.0/21 (10.22.8.1 - 10.0.15.254 / 255.255.248.0)
- Gateway IP: 10.22.8.1
- Domain: "90"
- chapek-9 (chapek-9.srv.0xef.de)
- IPv4, IPv6 (only one /64)
- hoster: Netcup
- OS: Ubuntu 22.04 LTS
- 2 CPUs (Cores)
- 8GB RAM
- sshd on port 2424, fingerprints:
  - ED25519 `SHA256:As2kvkR5hf+h4mMZx7kJT0OMmH05m5vG4vZ28t/Bk74`
  - RSA `SHA256:gkHMQMD5I4aKMCyz6y7WL3E6cC9lDby1FO/tmFG2eCM`
  - ECDSA `SHA256:VxjYhGMB4Bx2Tbkc+4qmUrSpWo8KWvQnXK3MvSb8jPo`
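Checking the published fingerprints before the first login, as an added example (not part of these notes or of the ansible-ffin repository): it hashes what `ssh-keyscan` collects from chapek-9 on port 2424 with `ssh-keygen -lf -` and compares the result with the three fingerprints above, treating a missing key type as a problem as well. Host, port and fingerprints are the page's; the function names and the constructed sample output are mine.

```python
"""Verify chapek-9's SSH host keys against the fingerprints pinned in the notes."""
import subprocess

HOST = "chapek-9.srv.0xef.de"
PORT = 2424

# The three fingerprints published above, keyed by the type name ssh-keygen prints.
PINNED = {
    "ED25519": "SHA256:As2kvkR5hf+h4mMZx7kJT0OMmH05m5vG4vZ28t/Bk74",
    "RSA": "SHA256:gkHMQMD5I4aKMCyz6y7WL3E6cC9lDby1FO/tmFG2eCM",
    "ECDSA": "SHA256:VxjYhGMB4Bx2Tbkc+4qmUrSpWo8KWvQnXK3MvSb8jPo",
}

# Constructed sample of `ssh-keyscan ... | ssh-keygen -lf -` output for offline use.
SAMPLE_SCAN = (
    "256 SHA256:As2kvkR5hf+h4mMZx7kJT0OMmH05m5vG4vZ28t/Bk74 [chapek-9.srv.0xef.de]:2424 (ED25519)\n"
    "3072 SHA256:gkHMQMD5I4aKMCyz6y7WL3E6cC9lDby1FO/tmFG2eCM [chapek-9.srv.0xef.de]:2424 (RSA)\n"
    "256 SHA256:VxjYhGMB4Bx2Tbkc+4qmUrSpWo8KWvQnXK3MvSb8jPo [chapek-9.srv.0xef.de]:2424 (ECDSA)\n"
)


def parse_fingerprints(text):
    """Turn `ssh-keygen -l` output into {key type: fingerprint}.

    Lines look like: '256 SHA256:As2k... [chapek-9.srv.0xef.de]:2424 (ED25519)'.
    Anything that is not a SHA256 fingerprint line is ignored.
    """
    found = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[1].startswith("SHA256:"):
            continue
        key_type = parts[-1].strip("()")
        found[key_type] = parts[1]
    return found


def check_pins(found, pinned=PINNED):
    """Return (ok, problems).

    ok is True only if every pinned key type is offered with exactly the pinned
    fingerprint. A key type the server did not offer counts as a problem too,
    so a swapped or reduced key set is noticed, not silently skipped.
    """
    problems = []
    for key_type, expected in pinned.items():
        got = found.get(key_type)
        if got is None:
            problems.append(f"{key_type}: not offered by server")
        elif got != expected:
            problems.append(f"{key_type}: mismatch, got {got}")
    return not problems, problems


def scan_host(host=HOST, port=PORT):
    """Live path: collect the host keys and hash them (needs network access)."""
    keys = subprocess.run(
        ["ssh-keyscan", "-p", str(port), "-t", "ed25519,rsa,ecdsa", host],
        capture_output=True, text=True, check=True,
    ).stdout
    hashed = subprocess.run(
        ["ssh-keygen", "-lf", "-"], input=keys, capture_output=True, text=True, check=True,
    ).stdout
    return parse_fingerprints(hashed)


if __name__ == "__main__":
    ok, problems = check_pins(scan_host())
    print("host keys match pinned fingerprints" if ok else "\n".join(problems))
    raise SystemExit(0 if ok else 1)
```

Run it once before the first `ssh -p 2424` so the entry that lands in `known_hosts` is the one the notes vouch for; a non-zero exit means do not connect.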
The architecture as far as I understand it:
- interface: `fastd90`
  - ingress for clients/APs
  - port: udp/10090
- interface: `tunneldigger90`
  - ingress for clients/APs
  - l2tp
- interface: `bat90`
  - B.A.T.M.A.N. batadv interface (server)
- interface: `br90`
  - interfaces attached to the bridge:
    - tunnels `fastd90` and `tunneldigger90` (ingress)
    - B.A.T.M.A.N. server side `bat90`
  - services:
    - dhcp for clients, IPv4 and IPv6
    - optional:
      - bind for clients/APs name resolution and resolver
      - ntp for clients/APs
testing subnets, one per domain:
- 10.22.8.0/21
- 10.22.16.0/21
- 10.22.24.0/21
- values picked without further thinking
- domain "90":
  - subnet: 10.22.8.0/21
  - gw ffp ip: 10.22.8.1
  - dhcp range: 10.22.9.0 - 10.22.10.255
- clone repository
- change into repository
- create a venv: `python3 -m venv .venv`
- activate venv: `source .venv/bin/activate`
- install poetry: `pip install poetry`
- install dependencies: `poetry install`
- install ansible dependencies: `ansible-galaxy install -r requirements.yml`
- run playbook: `ansible-playbook -i hosts.yml cygnus-5.yml`
- hacked down playbook: `ansible.builtin.copy` should be replaced with `ansible.builtin.template`
- most tasks should use roles

Packages:
- `batctl` (B.A.T.M.A.N.)
- `bridge-utils` (`brctl` command)
- `fastd` (fastd legacy tunnel/vpn service), client/ap in
- `haveged` (entropy harvesting daemon, used by `fastd`?)
`bat90`: batadv interface, gw mode server

`/etc/systemd/network/50-bat90.netdev`:

```ini
[NetDev]
Description="BATMAN device for domain '90'"
Name=bat90
Kind=batadv

[BatmanAdvanced]
GatewayMode=server
GatewayBandwidthDown=100M
GatewayBandwidthUp=100M
RoutingAlgorithm=batman-iv
```

`/etc/systemd/network/50-bat90.network`:

```ini
[Match]
Name=bat90

[Network]
; Bridge= is what attaches bat90 to br90. BatmanAdvanced= names a batadv
; device for an interface to join and does not belong on bat90 itself
; (br90 is a bridge, not a batadv device), so it is left out here.
Bridge=br90
```
`br90`: bridge interface where the interfaces of domain 90 attach to: `bat90` and the tunnel interfaces

`/etc/systemd/network/50-br90.netdev`:

```ini
[NetDev]
; attach batman and client tunnel endpoints here
Description="Bridge interface for domain '90'"
Name=br90
Kind=bridge
```

`/etc/systemd/network/50-br90.network`:

```ini
[Match]
Name=br90

[Network]
; 10.22.8.1 - 10.0.15.254
; 255.255.248.0
Address=10.22.8.1/21
Address=fd28:a735:685c::3c0e:ecff:fe29:4b62/64
```
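A check that the running system matches the architecture above, as an added example (not from the notes or the repository): it reads `ip -j link show` and reports which of `fastd90`, `tunneldigger90` and `bat90` are not enslaved to `br90`, plus anything that is on the bridge but should not be. The expected member list comes from the architecture section; the JSON sample is constructed and the function names are mine.

```python
"""Verify that the domain-90 tunnel and batadv interfaces are attached to br90."""
import json
import subprocess

BRIDGE = "br90"
# Members the architecture section expects on the bridge.
EXPECTED_MEMBERS = ("fastd90", "tunneldigger90", "bat90")

# Constructed sample of `ip -j link show` output (only the fields used here):
# tunneldigger90 exists but has not been added to the bridge, the rest is fine.
SAMPLE_IP_LINK = json.dumps([
    {"ifname": "lo", "flags": ["LOOPBACK", "UP"], "operstate": "UNKNOWN"},
    {"ifname": "eth0", "flags": ["BROADCAST", "UP"], "operstate": "UP"},
    {"ifname": "br90", "flags": ["BROADCAST", "UP"], "operstate": "UP"},
    {"ifname": "bat90", "flags": ["BROADCAST", "UP"], "master": "br90", "operstate": "UNKNOWN"},
    {"ifname": "fastd90", "flags": ["BROADCAST", "UP"], "master": "br90", "operstate": "UNKNOWN"},
    {"ifname": "tunneldigger90", "flags": ["BROADCAST"], "operstate": "DOWN"},
])


def parse_links(ip_json):
    """Map ifname -> {'master': bridge or None, 'up': bool} from `ip -j link` JSON."""
    links = {}
    for entry in json.loads(ip_json):
        links[entry["ifname"]] = {
            "master": entry.get("master"),
            "up": "UP" in entry.get("flags", []),
        }
    return links


def bridge_problems(links, bridge=BRIDGE, expected=EXPECTED_MEMBERS):
    """Return a list of human-readable problems; an empty list means the bridge is as expected."""
    if bridge not in links:
        return [f"{bridge}: bridge interface does not exist"]
    problems = []
    for name in expected:
        info = links.get(name)
        if info is None:
            problems.append(f"{name}: interface missing")
        elif info["master"] != bridge:
            problems.append(f"{name}: not enslaved to {bridge} (master={info['master']})")
        elif not info["up"]:
            problems.append(f"{name}: attached but administratively down")
    # Anything unexpected on the bridge is worth a look too (e.g. a stray eth0
    # would put the uplink into the client L2 domain).
    for name, info in links.items():
        if info["master"] == bridge and name not in expected:
            problems.append(f"{name}: unexpected member of {bridge}")
    return problems


def live_links():
    """Read the real interface table (needs iproute2 with JSON output support)."""
    out = subprocess.run(
        ["ip", "-j", "link", "show"], capture_output=True, text=True, check=True,
    ).stdout
    return parse_links(out)


if __name__ == "__main__":
    for line in bridge_problems(live_links()) or [f"bridge {BRIDGE} is complete"]:
        print(line)
```

Because fastd only joins the bridge through its `on up` hook, this is a useful thing to run after `systemctl start fastd@90` or after a networkd reload.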
`fastd90`: clients (APs) connect to it

- create keypair: `fastd --generate-key`
- write the two keys to the files `secret.key` and `public.key` (for example in `/etc/fastd/90/`; the configuration below includes `/etc/fastd/90/keys/secret.key`, so the file location and the include path have to agree), content:
  - `secret "<secret-key-here>";`
  - `key "<public-key-here>";`
  - note the trailing `;`
- `90` is the domain or name, so multiple instances can run
- create a dummy peer (or it won't start): `/etc/fastd/peers/dummy` with content `key "THIS-IS-A-DUMMY";` (the directory has to be the one given by `include peers from` in `fastd.conf`)
- create configuration file `/etc/fastd/90/fastd.conf`:

```
# Bind to a fixed address and port, IPv4 and IPv6
bind <public-ipv4>:10090 interface "eth0";
bind [<public-ipv6>]:10090 interface "eth0";

# Set the user, fastd will work as
user "nobody";

# Set the interface name
interface "fastd90";

# Set the mode, the interface will work as
mode tap;

# Set the mtu of the interface
mtu 1320; # fine tuning needed, 1406

# Set the methods (aes128-gcm preferred, salsa2012+umac preferred for nodes)
method "aes128-gcm";
method "salsa2012+umac";
method "salsa2012+gmac";
method "null";

# Secret key generated by `fastd --generate-key`
include "/etc/fastd/90/keys/secret.key";

# Log everything to syslog
#log to syslog level warn;
log to stderr level info;

# Hide IP addresses in log output
#hide ip addresses yes;

# Include peers (dummy only)
include peers from "/etc/fastd/90/peers/";

# Status Socket
status socket "/run/fastd-90/fastd.sock";

# accept any host
on verify "
    exit 0
";

# Configure a shell command that is run when fastd comes up
on up "
    # Add fastd interface to bridge, then enable it
    ip link set dev $INTERFACE master br90 && ip link set dev $INTERFACE up
";
```

`method "null"` lets a peer negotiate an unencrypted session and `on verify " exit 0 "` accepts any key; both suit a throwaway test domain only.

- enable and start: `systemctl enable fastd@90`, `systemctl start fastd@90`
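The `on verify " exit 0 "` handler above accepts every unknown peer. As an added example (not from the notes or the repository), here is a replacement verify hook that accepts only keys listed in an allow-list file, so APs can be added without restarting fastd and an unknown key is rejected. It assumes fastd exports the connecting peer's public key to the hook as `$PEER_KEY` (it does for `on verify`, with exit status 0 meaning accept); the allow-list path `/etc/fastd/90/allowed-keys` is my choice and the sample list with its made-up keys is constructed.

```python
"""fastd `on verify` hook: accept an unknown peer only if its key is allow-listed."""
import os
import sys

ALLOWLIST = "/etc/fastd/90/allowed-keys"  # assumed location, one hex key per line

# Constructed sample allow-list (the keys are made-up 64-hex-digit values).
SAMPLE_ALLOWLIST = """\
# AP at Musterstrasse 1
11aa11aa11aa11aa11aa11aa11aa11aa11aa11aa11aa11aa11aa11aa11aa11aa
22BB22bb22bb22bb22bb22bb22bb22bb22bb22bb22bb22bb22bb22bb22bb22bb   # mixed case is fine
"""


def load_allowlist(text):
    """Parse the allow-list: blank lines and '#' comments ignored, keys lower-cased."""
    keys = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if line:
            keys.add(line)
    return keys


def is_wellformed_key(key):
    """A fastd public key is 32 bytes, i.e. 64 hex digits."""
    return len(key) == 64 and all(c in "0123456789abcdef" for c in key.lower())


def peer_allowed(peer_key, allowed):
    """Decision for one connection attempt; anything odd is rejected."""
    if not peer_key or not is_wellformed_key(peer_key):
        return False
    return peer_key.lower() in allowed


def main():
    try:
        with open(ALLOWLIST, encoding="utf-8") as f:
            allowed = load_allowlist(f.read())
    except OSError:
        sys.exit(1)  # no readable list: reject, never fall open
    # fastd sets PEER_KEY in the hook's environment (assumption stated in the lead-in).
    sys.exit(0 if peer_allowed(os.environ.get("PEER_KEY", ""), allowed) else 1)


if __name__ == "__main__":
    main()
```

Wire it in with `on verify "python3 /etc/fastd/90/verify.py";` in place of the `exit 0` handler. Rejected attempts still show up in fastd's log at the configured level, which is also where to look when a legitimate AP cannot connect after its key was typed into the list with a mistake.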
TODO

- create `/etc/dhcpd.conf`:

```
default-lease-time 1800;
max-lease-time 43200;
authoritative;

subnet 10.22.8.0 netmask 255.255.248.0 {
    interface br90;
    range 10.22.9.0 10.22.10.255;
    option routers 10.22.8.1;
    option domain-name-servers 85.214.20.141, 80.67.169.40, 194.150.168.168;
}
```

- check for the lease file: `ls /var/lib/dhcp/dhcpd.leases`
- if it does not exist: `touch /var/lib/dhcp/dhcpd.leases && chown dhcp:dhcp /var/lib/dhcp/dhcpd.leases`
- copy service file: `cp /usr/lib/systemd/system/dhcpd4.service /etc/systemd/system/dhcpd4@.service`
- adjust service file `/etc/systemd/system/dhcpd4@.service`:

```ini
...
[Service]
...
ExecStart=/usr/bin/dhcpd -4 -q -cf /etc/dhcpd.conf -pf /run/dhcpd4/dhcpd.pid %I
...
```

- start dhcpd: `systemctl start dhcpd4@br90`
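The testing subnet table and the dhcpd stanza above follow one pattern per domain: a /21, the gateway on the first address, the DHCP pool on the second and third /24 of the block. As an added example (not the notes' or the repository's code, and not a template the playbook uses), this derives the networkd `Address=` line and the dhcpd `subnet` block for a domain from its prefix with the `ipaddress` module, and applies the same rule to the other two testing subnets; their domain labels "91" and "92" are not on the page and are stand-ins. The pool placement is my reading of the "90" numbers; the DNS servers are the ones in the stanza.

```python
"""Derive the networkd address and dhcpd subnet stanza for a Freifunk domain."""
import ipaddress

# From the dhcpd.conf above.
DNS_SERVERS = ("85.214.20.141", "80.67.169.40", "194.150.168.168")

# Testing subnets from the notes. Only "90" has a label on the page; "91" and
# "92" are stand-in labels used here to show the generalisation.
DOMAINS = {
    "90": "10.22.8.0/21",
    "91": "10.22.16.0/21",
    "92": "10.22.24.0/21",
}


def plan_domain(domain, cidr):
    """Compute gateway, netmask and DHCP pool for one domain.

    Pool rule (read off the "90" values): start one /24 above the network
    address and span two /24s, i.e. .9.0 - .10.255 for 10.22.8.0/21.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen > 22:
        raise ValueError(f"{cidr}: block too small, a two-/24 pool would not fit")
    gateway = net.network_address + 1
    pool_first = net.network_address + 256
    pool_last = net.network_address + 256 * 3 - 1
    # Sanity checks: pool inside the block and not overlapping the gateway.
    assert pool_first in net and pool_last in net and gateway < pool_first
    return {
        "domain": domain,
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "prefixlen": net.prefixlen,
        "gateway": str(gateway),
        "pool": (str(pool_first), str(pool_last)),
    }


def render_networkd_address(plan):
    """The Address= line for the domain's bridge .network file."""
    return f"Address={plan['gateway']}/{plan['prefixlen']}"


def render_dhcpd_subnet(plan, dns=DNS_SERVERS):
    """The stanza in the same shape as the hand-written one for domain 90."""
    first, last = plan["pool"]
    return "\n".join([
        f"subnet {plan['network']} netmask {plan['netmask']} {{",
        f"    interface br{plan['domain']};",
        f"    range {first} {last};",
        f"    option routers {plan['gateway']};",
        f"    option domain-name-servers {', '.join(dns)};",
        "}",
    ])


if __name__ == "__main__":
    for domain, cidr in DOMAINS.items():
        p = plan_domain(domain, cidr)
        print(f"# domain {domain}: {render_networkd_address(p)}")
        print(render_dhcpd_subnet(p), end="\n\n")
```

Deriving both files from the one prefix is what the `ansible.builtin.template` note above is about: the hand-written stanza and the `Address=` line can only drift apart when they are maintained separately.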
References:
- Fix dhcp
- adjust nftables
- allow traffic on internal interfaces
- nat for IPv4 traffic
- L2TP
- IPv6 (ULA?)
- more services… (dns, ntp, gre, bird…)