user:nbrimme1:portfolio:tunnels

Differences

This shows you the differences between two versions of the page.

user:nbrimme1:portfolio:tunnels [2018/06/14 17:37]
nbrimme1 [WireGuard]
user:nbrimme1:portfolio:tunnels [2018/07/19 18:56]
nbrimme1 [Procedure]
Line 35: Line 35:
  
 =====Procedure===== =====Procedure=====
-The actual steps taken to accomplish the project. Include images, ​code snippets, command-line excerpts; whatever is useful ​for intuitively communicating important information for accomplishing the project.+    - Add interfaces (if needed)<code:bash>## TAP interface 
 +shyguy@openwrt:​$ ip tuntap add dev tap0 mode tap user shyguy 
 +## TUN interface 
 +shyguy@openwrt:​$ ip tuntap add dev tun0 mode tun user shyguy</​code>​ 
 +    ​Setup tunnel 
 +    - Test tunnel throughput:<​code:​bash>​ 
 +## Restart networking: ## 
 +shyguy@openwrt:​$ /​etc/​init.d/​network restart 
 +shyguy@openwrt:​$ /​etc/​init.d/​firewall restart 
 +## Perform a uni-directional TCP transmission ​for 120 seconds## 
 +# Test with maximum possible MSS size 
 +shyguy@openwrt:​$ iperf -c $ShyGals_TUNNEL_IP -t 120 
 +# Test with reduced MSS value measurements:​ 
 +shyguy@openwrt:​$ for i in 1300 1100 900 700 500 300 100; do \ 
 + iperf -c $ShyGals_TUNNEL_IP -t 120 -M $i -m; \ 
 + done</​code>​ 
 +    - Remove interfaces (if needed)<​code:​bash>##​ TAP interface 
 +shyguy@openwrt:​$ ip tuntap del dev tap0 mode tap user shyguy 
 +## TUN interface 
 +shyguy@openwrt:​$ ip tuntap del dev tun0 mode tun user shyguy</​code>​
  
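Review bot: the ordered list in the new Procedure block is broken at the `Setup tunnel` item, which lacks the `    - ` marker the neighbouring items use, so it renders as plain text and the step numbering skips it; write it as `    - Setup tunnel` (pointing at the per-protocol subsections below) so the three steps read as one procedure. The throughput test also references `$ShyGals_TUNNEL_IP`, which is never assigned anywhere on the page; add a line such as `ShyGals_TUNNEL_IP=<peer tunnel IP>` before the `iperf` loop, and mention that `iperf -s` must already be listening on the peer, which this step does not say. Creating the tap/tun devices with `user shyguy` is a good choice, since it lets the unprivileged user attach to them without running the tools as root.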
 ====GRE: Generic Routing Encapsulation==== ====GRE: Generic Routing Encapsulation====
 +  * **OpenWRT:​**<​code:​bash>​$ ip tunnel add ipip1 mode gre remote <​VM-IP>​ local <​OPENWRT-IP>​
 +$ ip link set ipip1 up
 +$ ip addr add 10.3.3.1/24 dev ipip1</​code>​
 +  * **Ubuntu:​**<​code:​bash>​$ ip tunnel add ipip1 mode gre remote <​OPENWRT-IP>​ local <​VM-IP>​
 +$ ip link set ipip1 up
 +$ ip addr add 10.3.3.2/24 dev ipip1</​code>​
 ====IPIP: IP in IPv4/​IPv6==== ====IPIP: IP in IPv4/​IPv6====
 +  * **OpenWRT:​**<​code:​bash>​$ ip tunnel add ipip0 mode ipip remote <​VM-IP>​ local <​OPENWRT-IP>​
 +$ ip link set ipip0 up
 +$ ip addr add 10.2.2.1/24 dev ipip0</​code>​
 +  * **Ubuntu:​**<​code:​bash>​$ ip tunnel add ipip0 mode ipip remote <​OPENWRT-IP>​ local <​VM-IP>​
 +$ ip link set ipip0 up
 +$ ip addr add 10.2.2.2/24 dev ipip0</​code>​
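Review bot: these GRE and IPIP tunnels carry traffic with no encryption and no peer authentication: the kernel accepts any encapsulated packet whose outer source address matches `remote`, and that address is trivially spoofable, so both sections should state that they are only suitable over a trusted underlay or inside IPsec (the IPSec section below is still empty). Naming the GRE device `ipip1` (`ip tunnel add ipip1 mode gre`) also invites confusion with the real IPIP device `ipip0` in the next section; `gre1` would be clearer. Finally, the interfaces are brought up with `ip link set ... up` on the OpenWrt side without being assigned to a firewall zone, so they fall under whatever default policy applies; assign them to a zone the way the WireGuard section does.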
 ====IPSec: Internet Protocol Security==== ====IPSec: Internet Protocol Security====
 ====L2TP: Layer 2 Tunneling Protocol==== ====L2TP: Layer 2 Tunneling Protocol====
 +L2TPv3 Ethernet "​pseudowire"​ setup with UDP encapsulation
 +  * **OpenWRT:​**<​code:​bash>​$ opkg update
 +$ opkg install kmod-l2tp-eth
 +$ opkg install ip-full
 +$ ip l2tp add tunnel tunnel_id 1 peer_tunnel_id 1 \
 + udp_sport 5000 udp_dport 5000 encap udp \
 + local <​OPENWRT-IP>​ remote <​VM-IP>​
 +$ ip l2tp add session tunnel_id 1 session_id 1 peer_session_id 1
 +$ ip link set l2tpeth0 up mtu 1428
 +$ ip addr add 10.6.6.1/24 dev l2tpeth0</​code>​
 +  * **Ubuntu:​**<​code:​bash>​$ modprobe l2tp_eth
 +$ ip l2tp add tunnel tunnel_id 1 peer_tunnel_id 1 \
 + udp_sport 5000 udp_dport 5000 encap udp \
 + local <​VM-IP>​ remote <​OPENWRT-IP>​
 +$ ip l2tp add session tunnel_id 1 session_id 1 peer_session_id 1
 +$ ip link set l2tpeth0 up mtu 1428
 +$ ip addr add 10.6.6.2/24 dev l2tpeth0</​code>​
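Review bot: the L2TPv3 pseudowire as configured has neither encryption nor session authentication, so the introductory line should say this is a plaintext Ethernet-over-UDP link that would normally be protected by IPsec in production. Two smaller points: `ip l2tp add session` accepts `cookie` and `peer_cookie` values, which make blind injection of frames into the session harder and should be set identically on both sides, and UDP port 5000 opened on OpenWrt has no accompanying firewall rule limiting it to `<VM-IP>`. The two `opkg install` lines could be merged into `opkg install kmod-l2tp-eth ip-full`, a style point only.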
 ====Netcat==== ====Netcat====
 ====OpenVPN:​ Openvpn Tunneling Protocol==== ====OpenVPN:​ Openvpn Tunneling Protocol====
 +  * **OpenWRT:​**<​code:​bash>​$ opkg update
 +$ opkg install openvpn-nossl
 +$ openvpn --dev tun --remote <​VM-IP>​ \
 +   --proto udp --mssfix 1472 \
 +   --comp-lzo no --ifconfig 10.5.5.1 10.5.5.2</​code>​
 +  * **Ubuntu:​**<​code:​bash>​$ openvpn --dev tun --proto udp \
 +   --mssfix 1472 --comp-lzo no \
 +   --fast-io --ifconfig 10.5.5.2 10.5.5.1</​code>​
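Review bot: this OpenVPN setup is unauthenticated and unencrypted, and the section should say so explicitly: `openvpn-nossl` is the build with no crypto library, no `--secret` or TLS options are given, and the Ubuntu side omits `--remote`, so it pairs with whichever host first sends a packet to its UDP port. For anything beyond a throughput benchmark, install `openvpn-openssl` (or `openvpn-mbedtls`), configure at least a pre-shared `--secret` key, and pin the peer on both sides with `--remote`. Since the page is about measuring tunnel overhead, a one-line comment explaining that `--mssfix 1472` is chosen to fit a 1500-byte path MTU (1500 minus 20 bytes IP and 8 bytes UDP) would help the reader.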
 ====PPTP: Point-to-Point Tunneling Protocol==== ====PPTP: Point-to-Point Tunneling Protocol====
 +  * **OpenWRT:​**<​code:​bash>​$ vi /​etc/​config/​network:​
 +[...]
 +config interface '​vpn'​
 +  option proto '​pptp'​
 +  option server '<​VM-IP>'​
 +  option username '​vpn'​
 +  option password '​vpn'​
 +  option auto '​0'​
 +  option delegate '​0'​
 +  option defaultroute '​0'​
 +  option peerdns '​0'​
 +  option mtu '​1462'</​code>​
 +
 +  * **Ubuntu:​**<​code:​bash>​$ apt-get install pptpd
 +$ vi /​etc/​pptpd.conf
 +option /​etc/​ppp/​pptpd-options
 +localip 10.4.4.1
 +remoteip 10.4.4.10-15
 +
 +$ vi /​etc/​ppp/​pptpd-options
 +name pptpd
 +nodefaultroute
 +lock
 +nobsdcomp
 +nologfd
 +mtu 1462
 +
 +$ vi /​etc/​ppp/​chap-secrets
 +vpn * vpn *</​code>​
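Review bot: PPTP should be marked as deprecated in this section: its MS-CHAPv2 authentication and RC4-based MPPE encryption are both broken, and the configuration here additionally uses the static credentials `vpn`/`vpn` in cleartext in both `/etc/config/network` and `/etc/ppp/chap-secrets`, where `vpn * vpn *` allows that user from any address. If the section is kept for comparison with the other tunnels, say so, and at minimum add `require-mppe-128` and `refuse-pap` to `pptpd-options` so a client cannot negotiate no encryption or PAP. There is also a stray colon after `$ vi /etc/config/network:` in the first OpenWrt command.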
 ====SIT: IPv6 in IPv4/​IPv6==== ====SIT: IPv6 in IPv4/​IPv6====
 ====SSH: Secure Shell==== ====SSH: Secure Shell====
 +**Forwarding a local TCP port to a remote TCP port:​**<​code:​bash>​$ ssh -L 127.0.0.1:​2022:​10.150.35.74:​22 tunneluser@remotehost.example.com
 +$ ssh -L 8080:​localhost:​80 tunneluser@remotehost.example.com
 +$ ssh -L 192.168.3.45:​8080:​web01.example.com:​80 tunneluser@remotehost.example.com
 +</​code>​
 +
 +**Forwarding a remote TCP port to a local TCP port:​**<​code:​bash>​$ ssh -R localhost:​2022:​localhost:​22 tunneluser@bastionhost.example.com
 +$ sudo ssh -R web99.example.com:​80:​localhost:​80 root@web99.example.com
 +</​code>​
 +
 +**Establishing a Layer-2 SSH VPN using "​tap"​ devices:**
 +  * **Local Host:​**<​code:​bash>#​ create a "​tap0"​ virtual network interface
 +$ sudo tunctl -t tap0
 +## or ##
 +$ sudo ip tuntap add dev tap0 mode tap
 +# configure the "​tap0"​ interface
 +$ sudo ifconfig tap0 192.168.1.101 netmask 255.255.255.0
 +# start the SSH Layer-2 VPN tunnel
 +$ ssh -o Tunnel=ethernet -f -w 0:0 root@remotehost.example.com true</​code>​
 +  * **Remote Host:​**<​code:​bash>#​ create a "​tap0"​ virtual network interface
 +$ sudo tunctl -t tap0
 +## or ##
 +$ sudo ip tuntap add dev tap0 mode tap
 +# configure the "​tap0"​ interface
 +$ sudo ifconfig tap0 192.168.1.102 netmask 255.255.255.0</​code>​
 +
 +**Establishing a Layer-3 SSH VPN using "​tun"​ devices:**
 +  * **Local Host:​**<​code:​bash>​$ sudo ssh -f -w 0:0 root@remotehost.example.com true
 +$ sudo ifconfig tun0 192.168.1.101 netmask 255.255.255.0</​code>​
 +  * **Remote Host:​**<​code:​bash>​$ sudo ifconfig tun0 192.168.1.102 netmask 255.255.255.0</​code>​
 +
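Review bot: the tun/tap VPN commands depend on sshd settings the page does not mention: `ssh -w 0:0` only works when the remote `sshd_config` has `PermitTunnel yes` (or `ethernet` / `point-to-point`), and they log in as `root`, which the OpenSSH default `PermitRootLogin prohibit-password` limits to key authentication; a safer pattern is a dedicated key whose `authorized_keys` entry carries `tunnel="0"` together with `command=` and `no-pty`, so that key can only attach to that tunnel device. Likewise `ssh -R web99.example.com:80:localhost:80` binds a non-loopback address on the remote host, which needs `GatewayPorts yes` or `clientspecified` in `sshd_config` and exposes the forward to the network, and the `-L 192.168.3.45:8080:...` example exposes the local forward on the LAN rather than on `127.0.0.1` as the first example does; that difference deserves a sentence. `tunctl` and `ifconfig` are legacy tools; since the block already shows `ip tuntap`, prefer `ip addr add 192.168.1.101/24 dev tap0` for consistency.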
 ====SSTP: Secure Socket Tunneling Protocol==== ====SSTP: Secure Socket Tunneling Protocol====
 +
 ====VXLAN: Virtual Extensible Local Area Network==== ====VXLAN: Virtual Extensible Local Area Network====
 +
 ====WireGuard==== ====WireGuard====
 WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN.
 +  * **OpenWRT:​**<​code:​bash>​$ opkg update
 +$ opkg install wireguard
 +## Generate Public/​Private Keypair
 +$ umask 077
 +$ wg genkey > server.privatekey
 +$ wg pubkey < server.privatekey > server.publickey
 +## Can also be done with a single command:
 +$ wg genkey | tee server.privatekey | wg server.pubkey > server.publickey
  
-**Installation:** +## Command line configuration 
-<code:bash+# Add new interface with ip-link(8) 
-opkg update +$ ip link add dev wg0 type wireguard 
-opkg install ​wireguard +# Assign an IP address and peer with ifconfig(8) or ip-address(8) 
-</code>+$ ip addr add dev wg0 10.0.0.1/​24 
 +## Example with only 2 peers 
 +#$ ip address add dev wg0 10.0.0.1/24 peer 10.0.0.2/​24 
 +# Configure interface with keys and peer endpoints with wg 
 +$ wg setconf wg0 myconfig.conf 
 +## or ##  
 +$ wg set wg0 listen-port 51820 \ 
 + private-key ./​server.privatekey \ 
 + peer <​client.publickey>​ \ 
 + allowed-ips 10.0.0.2/32 \ 
 + endpoint 192.168.1.2:51820 
 +# Activate interface with ifconfig(8) or ip-link(8):​ 
 +$ ip link set wg0 up 
 +# check: 
 +$ ip addr 
 +# Add peer: 
 +$ wg 
 +  public key: <server.publickey>​ 
 +  private key<​server.privatekey> 
 +  listening port: 51820 
 +$ wg set wg0 peer <​client.publickey>​ \ 
 + allowed-ips 10.0.0.2/32 \ 
 + endpoint 192.168.1.2:​51820 
 +Test connectivity 
 +ping 10.0.0.2 
 + 
 +## Static configuration 
 +$ vi /​etc/​config/​network 
 +config interface '​wg0' ​                 
 + option proto 'wireguard' 
 + option listen_port '​51820'​ 
 + list addresses '​10.0.0.1/32' 
 + option private_key '<​server.privatekey>' ​   ​
  
-**Configuration:​** +config wireguard_wg0 
-  - Generate Keys<code:bash+ option public_key '<client.publickey>' 
-  # wg genkey > privatekey + option route_allowed_ips '​1'​ 
-  # wg pubkey < privatekey > publickey + list allowed_ips '​10.0.0.0/​24'​</​code>​ 
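Review bot: the one-liner key generation `$ wg genkey | tee server.privatekey | wg server.pubkey > server.publickey` is wrong: `wg` has no `server.pubkey` subcommand, the derivation is `wg pubkey`, so as written `server.publickey` ends up empty and the peer block later references a key that does not exist. The `wg` output shown under `# Add peer:` also does not match what the tool prints (`wg show` hides the private key, and the `private key<server.privatekey>` line is missing its colon), and `wg setconf wg0 myconfig.conf` points at a file never shown on the page; either include that file or drop the alternative. In the static UCI config the peer's `list allowed_ips '10.0.0.0/24'` lets that single client key source the whole /24; narrow it to `10.0.0.2/32`, as the `wg set` form earlier in the same block already does.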
-  ​</​code>​ +  ​* **Ubuntu:**<​code:​bash>​$ sudo add-apt-repository ppa:​wireguard/wireguard 
-  ​- Network Configuration +$ sudo apt get update 
-    - Server:<​code:​bash>​ +$ sudo apt get install ​wireguard 
-      # vi /etc/​config/​network +## Generate Public/​Private Keypair 
-      ​config interface '​wg0' ​                 +$ umask 077 
-          ​option proto 'wireguard' +$ wg genkey > client.privatekey 
-          ​option listen_port '​55555'​ +$ wg pubkey < client.privatekey > client.publickey 
-          list addresses '10.0.0.1/32' +## Can also be done with a single command: 
-          ​option private_key '......' ​ # The private key generated by itself just now    ​+$ wg genkey | tee client.privatekey | wg client.pubkey > client.publickey
  
-      config wireguard_wg0 +## Command line configuration 
-          ​option public_key '......' ​Client'​s public ​key +# Add new interface with ip-link(8) 
-          ​option route_allowed_ips '​1'​ +$ ip link add dev wg0 type wireguard 
-          list allowed_ips '10.0.0.0/​24'<​/code> +# Assign an IP address and peer with ifconfig(8) or ip-address(8) 
-    Client:<code:bash> +$ ip addr add dev wg0 10.0.0.2/24 
-      vi /​etc/​config/​network +## Example with only 2 peers 
-      ​config interface '​wg0'​ +#$ ip address add dev wg0 10.0.0.2/24 peer 10.0.0.1/​24 
-          ​option proto '​wireguard'​ +Configure interface with keys and peer endpoints with wg 
-          ​option listen_port '​55555'​ +$ wg setconf wg0 myconfig.conf 
-          list addresses '10.0.0.2/32' +## or ##  
-          ​option private_key '......' ​ # The private key generated by itself just now+$ wg set wg0 listen-port 51820 \ 
 + private-key ./​client.privatekey \ 
 + peer <​server.publickey>​ \ 
 + allowed-ips ​10.0.0.1/32 \ 
 + endpoint 192.168.1.1:​51820 
 +# Activate interface with ifconfig(8) or ip-link(8): 
 +$ ip link set wg0 up 
 +# check
 +$ ip addr 
 +Add peer: 
 +$ wg 
 +  ​public key: <​client.publickey>​ 
 +  ​private key: <​client.privatekey>​ 
 +  ​listening port: 51820 
 +$ wg set wg0 peer <​server.publickey>​ \ 
 + allowed-ips ​10.0.0.1/32 \ 
 + endpoint 192.168.1.1:51820 
 +# Test connectivity 
 +ping 10.0.0.1
  
-      config wireguard_wg0 +## Static configuration 
-          option public_key '​......' ​Server'​s public key +vi /​etc/​config/​network 
-          option route_allowed_ips '​1'​ +config ​interface ​'wg0
-          list allowed_ips '​0.0.0.0/​0'​ + option proto 'wireguard
-          option endpoint_host '​......' ​Server'​s public ip address + option ​listen_port ​'51820
-          ​option endpoint_port '​55555'​ + list addresses ​'10.0.0.2/32
-          option persistent_keepalive '​25'</​code>​ + option ​private_key ​'<​client.privatekey>​'
-  - Firewall Rules<​code:​bash>​ +
-  # vi /​etc/​config/​firewall +
-  config ​rule +
-      option target ​'ACCEPT+
-      ​option src '​wan'​ +
-      ​option proto 'udp' ​    ​ +
-      option ​name 'Wireguard_VPN+
-      ​option family ​'ipv4+
-      option ​dest_port ​'55555'+
  
-  ​config ​zone  +config ​wireguard_wg0 
-      option ​name 'wg-vpn+ option ​public_key ​'<​server.publickey>​
-      option ​input 'ACCEPT' ​  + option ​route_allowed_ips ​'1' 
-      option ​forward ​'​ACCEPT'​ + list allowed_ips '​0.0.0.0/​0'​ 
-      option ​output ​'ACCEPT+ option endpoint_host '​Server'​s public ip address'​ 
-      option ​masq '1' ​  + option endpoint_port '​51820'​ 
-      option ​device ​'wg0'+ option persistent_keepalive '​25'</​code>​ 
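Review bot: the same `wg client.pubkey` bug as in the OpenWrt block (`wg genkey | tee client.privatekey | wg client.pubkey > client.publickey` must use `wg pubkey`), and the install commands read `sudo apt get update` / `sudo apt get install wireguard`, which is not a valid invocation; use `apt-get update` / `apt-get install wireguard` (or `apt install`). In the static config, `option endpoint_host 'Server's public ip address'` contains an unescaped apostrophe inside a single-quoted UCI value, which breaks parsing of the file; use a placeholder like `<SERVER-PUBLIC-IP>` as the rest of the page does. That static configuration also edits `/etc/config/network` in UCI syntax, which is OpenWrt-specific and does not exist on Ubuntu; the Ubuntu equivalent is an `[Interface]` / `[Peer]` file such as `/etc/wireguard/wg0.conf` used with `wg-quick`. Three comment lines (`Configure interface with keys and peer endpoints with wg`, `Add peer:`, `Test connectivity`) lost their leading `#` and would execute as commands if pasted. Finally, `allowed_ips '0.0.0.0/0'` with `route_allowed_ips '1'` sends all client traffic through the tunnel; say so, since the firewall section then masquerades it out the server's `wan`.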
 +  * **Firewall Rules:​**<​code:​bash>​$ vi /​etc/​config/​firewall 
 +config rule 
 + option ​target ​'​ACCEPT'​ 
 + option ​src 'wan
 + option ​proto 'udp' ​     
 + option name '​Wireguard_VPN'​ 
 + option family 'ipv4
 + option ​dest_port ​'51820'
  
-  ​config ​forwarding '​wg_wan'​ +config ​zone  
-      option ​src '​wg-vpn'​ + option ​name '​wg-vpn'​ 
-      option ​dest 'wan'+ option ​input '​ACCEPT' ​  
 + option forward '​ACCEPT'​ 
 + option output '​ACCEPT'​ 
 + option masq '​1' ​  
 + option device ​'wg0'
  
-  ​config forwarding 'wg_lan+config forwarding 'wg_wan
-      option src '​wg-vpn'​ + option src '​wg-vpn'​ 
-      option dest 'lan'+ option dest 'wan'
  
-  ​config forwarding ​  +config forwarding ​'​wg_lan'​ 
-      option src 'lan+ option src 'wg-vpn
-      option dest 'wg-vpn'</​code>​ + option dest 'lan'
-  - Restart Networking:<​code:​bash>​ +
-  # /​etc/​init.d/​network restart +
-  # /​etc/​init.d/​firewall restart</​code>​+
  
-**Testing:​**+config forwarding ​  
 + option src '​lan'​ 
 + option dest '​wg-vpn'</​code>​ 
 +  * **Testing:​**<​code:​bash>##​ Restart networking:​ 
 +$ /​etc/​init.d/​network restart 
 +$ /​etc/​init.d/​firewall restart 
 +## Testing throughput:</​code>​
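Review bot: the `wg-vpn` zone sets `option input 'ACCEPT'`, so every WireGuard peer can reach all services on the router itself, and with `forward 'ACCEPT'`, forwardings into both `lan` and `wan`, and `masq '1'` it can also reach everything behind it; for a road-warrior VPN that is a reasonable design, but the page should state that it is a deliberately permissive policy and suggest `input 'REJECT'` plus explicit rules when peers are less trusted. The `config rule` opening `51820/udp` from `wan` is correct and is the only inbound port required. The `Testing` block ends with `## Testing throughput:` and no commands; the `iperf` loop from the Procedure section belongs here, with a reminder that `iperf -s` must run on the peer first.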
 =====Code===== =====Code=====
 Upon completion of the project, if there is an applicable collection of created code, place a copy of your finished code within <​nowiki><​code>​ </​code></​nowiki>​ blocks here. Upon completion of the project, if there is an applicable collection of created code, place a copy of your finished code within <​nowiki><​code>​ </​code></​nowiki>​ blocks here.
user/nbrimme1/portfolio/tunnels.txt · Last modified: 2018/07/19 18:59 by nbrimme1