user:nbrimme1:portfolio:tunnels

user:nbrimme1:portfolio:tunnels [2018/06/14 17:39]
nbrimme1 [WireGuard]
user:nbrimme1:portfolio:tunnels [2018/06/15 20:56] (current)
nbrimme1 [WireGuard]
Line 38: Line 38:
  
 ====GRE: Generic Routing Encapsulation==== ====GRE: Generic Routing Encapsulation====
 +  * **OpenWRT:​**<​code:​bash>​$ ip tunnel add ipip1 mode gre remote <​VM-IP>​ local <​OPENWRT-IP>​
 +$ ip link set ipip1 up
 +$ ip addr add 10.3.3.1/24 dev ipip1</​code>​
 +  * **Ubuntu:​**<​code:​bash>​$ ip tunnel add ipip1 mode gre remote <​OPENWRT-IP>​ local <​VM-IP>​
 +$ ip link set ipip1 up
 +$ ip addr add 10.3.3.2/24 dev ipip1</​code>​
 ====IPIP: IP in IPv4/​IPv6==== ====IPIP: IP in IPv4/​IPv6====
 +  * **OpenWRT:​**<​code:​bash>​$ ip tunnel add ipip0 mode ipip remote <​VM-IP>​ local <​OPENWRT-IP>​
 +$ ip link set ipip0 up
 +$ ip addr add 10.2.2.1/24 dev ipip0</​code>​
 +  * **Ubuntu:​**<​code:​bash>​$ ip tunnel add ipip0 mode ipip remote <​OPENWRT-IP>​ local <​VM-IP>​
 +$ ip link set ipip0 up
 +$ ip addr add 10.2.2.2/24 dev ipip0</​code>​
 ====IPSec: Internet Protocol Security==== ====IPSec: Internet Protocol Security====
 ====L2TP: Layer 2 Tunneling Protocol==== ====L2TP: Layer 2 Tunneling Protocol====
 +L2TPv3 Ethernet "​pseudowire"​ setup with UDP encapsulation
 +  * **OpenWRT:​**<​code:​bash>​$ opkg update
 +$ opkg install kmod-l2tp-eth
 +$ opkg install ip-full
 +$ ip l2tp add tunnel tunnel_id 1 peer_tunnel_id 1 \
 + udp_sport 5000 udp_dport 5000 encap udp \
 + local <​OPENWRT-IP>​ remote <​VM-IP>​
 +$ ip l2tp add session tunnel_id 1 session_id 1 peer_session_id 1
 +$ ip link set l2tpeth0 up mtu 1428
 +$ ip addr add 10.6.6.1/24 dev l2tpeth0</​code>​
 +  * **Ubuntu:​**<​code:​bash>​$ modprobe l2tp_eth
 +$ ip l2tp add tunnel tunnel_id 1 peer_tunnel_id 1 \
 + udp_sport 5000 udp_dport 5000 encap udp \
 + local <​VM-IP>​ remote <​OPENWRT-IP>​
 +$ ip l2tp add session tunnel_id 1 session_id 1 peer_session_id 1
 +$ ip link set l2tpeth0 up mtu 1428
 +$ ip addr add 10.6.6.2/24 dev l2tpeth0</​code>​
 ====Netcat==== ====Netcat====
 ====OpenVPN:​ Openvpn Tunneling Protocol==== ====OpenVPN:​ Openvpn Tunneling Protocol====
 +  * **OpenWRT:​**<​code:​bash>​$ opkg update
 +$ opkg install openvpn-nossl
 +$ openvpn --dev tun --remote <​VM-IP>​ \
 +   --proto udp --mssfix 1472 \
 +   --comp-lzo no --ifconfig 10.5.5.1 10.5.5.2</​code>​
 +  * **Ubuntu:​**<​code:​bash>​$ openvpn --dev tun --proto udp \
 +   --mssfix 1472 --comp-lzo no \
 +   --fast-io --ifconfig 10.5.5.2 10.5.5.1</​code>​
 ====PPTP: Point-to-Point Tunneling Protocol==== ====PPTP: Point-to-Point Tunneling Protocol====
 +  * **OpenWRT:​**<​code:​bash>​$ vi /​etc/​config/​network:​
 +[...]
 +config interface '​vpn'​
 +  option proto '​pptp'​
 +  option server '<​VM-IP>'​
 +  option username '​vpn'​
 +  option password '​vpn'​
 +  option auto '​0'​
 +  option delegate '​0'​
 +  option defaultroute '​0'​
 +  option peerdns '​0'​
 +  option mtu '​1462'</​code>​
 +
 +  * **Ubuntu:​**<​code:​bash>​$ apt-get install pptpd
 +$ vi /​etc/​pptpd.conf
 +option /​etc/​ppp/​pptpd-options
 +localip 10.4.4.1
 +remoteip 10.4.4.10-15
 +
 +$ vi /​etc/​ppp/​pptpd-options
 +name pptpd
 +nodefaultroute
 +lock
 +nobsdcomp
 +nologfd
 +mtu 1462
 +
 +$ vi /​etc/​ppp/​chap-secrets
 +vpn * vpn *</​code>​
 ====SIT: IPv6 in IPv4/​IPv6==== ====SIT: IPv6 in IPv4/​IPv6====
 ====SSH: Secure Shell==== ====SSH: Secure Shell====
 +**Forwarding a local TCP port to a remote TCP port:​**<​code:​bash>​$ ssh -L 127.0.0.1:​2022:​10.150.35.74:​22 tunneluser@remotehost.example.com
 +$ ssh -L 8080:​localhost:​80 tunneluser@remotehost.example.com
 +$ ssh -L 192.168.3.45:​8080:​web01.example.com:​80 tunneluser@remotehost.example.com
 +</​code>​
 +
 +**Forwarding a remote TCP port to a local TCP port:​**<​code:​bash>​$ ssh -R localhost:​2022:​localhost:​22 tunneluser@bastionhost.example.com
 +$ sudo ssh -R web99.example.com:​80:​localhost:​80 root@web99.example.com
 +</​code>​
 +
 +**Establishing a Layer-2 SSH VPN using "​tap"​ devices:**
 +  * **Local Host:​**<​code:​bash>#​ create a "​tap0"​ virtual network interface
 +$ sudo tunctl -t tap0
 +## or ##
 +$ sudo ip tuntap add dev tap0 mode tap
 +# configure the "​tap0"​ interface
 +$ sudo ifconfig tap0 192.168.1.101 netmask 255.255.255.0
 +# start the SSH Layer-2 VPN tunnel
 +$ ssh -o Tunnel=ethernet -f -w 0:0 root@remotehost.example.com true</​code>​
 +  * **Remote Host:​**<​code:​bash>#​ create a "​tap0"​ virtual network interface
 +$ sudo tunctl -t tap0
 +## or ##
 +$ sudo ip tuntap add dev tap0 mode tap
 +# configure the "​tap0"​ interface
 +$ sudo ifconfig tap0 192.168.1.102 netmask 255.255.255.0</​code>​
 +
 +**Establishing a Layer-3 SSH VPN using "​tun"​ devices:**
 +  * **Local Host:​**<​code:​bash>​$ sudo ssh -f -w 0:0 root@remotehost.example.com true
 +$ sudo ifconfig tun0 192.168.1.101 netmask 255.255.255.0</​code>​
 +  * **Remote Host:​**<​code:​bash>​$ sudo ifconfig tun0 192.168.1.102 netmask 255.255.255.0</​code>​
 +
 ====SSTP: Secure Socket Tunneling Protocol==== ====SSTP: Secure Socket Tunneling Protocol====
 +
 ====VXLAN: Virtual Extensible Local Area Network==== ====VXLAN: Virtual Extensible Local Area Network====
 +
 ====WireGuard==== ====WireGuard====
 +WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN.
 +  * **OpenWRT:​**<​code:​bash>​$ opkg update
 +$ opkg install wireguard
 +## Generate Public/​Private Keypair
 +$ umask 077
 +$ wg genkey > server.privatekey
 +$ wg pubkey < server.privatekey > server.publickey
 +## Can also be done with a single command:
 +$ wg genkey | tee server.privatekey | wg server.pubkey > server.publickey
 +
 +## Command line configuration
 +# Add new interface with ip-link(8)
 +$ ip link add dev wg0 type wireguard
 +# Assign an IP address and peer with ifconfig(8) or ip-address(8)
 +$ ip addr add dev wg0 10.0.0.1/24
 +## Example with only 2 peers
 +#$ ip address add dev wg0 10.0.0.1/24 peer 10.0.0.2/24
 +# Configure interface with keys and peer endpoints with wg
 +$ wg setconf wg0 myconfig.conf
 +## or ## 
 +$ wg set wg0 listen-port 51820 \
 + private-key ./​server.privatekey \
 + peer <​client.publickey>​ \
 + allowed-ips 10.0.0.2/32 \
 + endpoint 192.168.1.2:​51820
 +# Activate interface with ifconfig(8) or ip-link(8):
 +$ ip link set wg0 up
 +# check:
 +$ ip addr
 +# Add peer:
 +$ wg
 +  public key: <​server.publickey>​
 +  private key: <​server.privatekey>​
 +  listening port: 51820
 +$ wg set wg0 peer <​client.publickey>​ \
 + allowed-ips 10.0.0.2/32 \
 + endpoint 192.168.1.2:​51820
 +# Test connectivity
 +ping 10.0.0.2
 +
 +## Static configuration
 +$ vi /​etc/​config/​network
 +config interface '​wg0' ​                
 + option proto '​wireguard'​
 + option listen_port '​51820'​
 + list addresses '​10.0.0.1/​32'​
 + option private_key '<​server.privatekey>' ​   ​
 +
 +config wireguard_wg0
 + option public_key '<​client.publickey>'​
 + option route_allowed_ips '​1'​
 + list allowed_ips '​10.0.0.0/​24'</​code>​
 +  * **Ubuntu:​**<​code:​bash>​$ sudo add-apt-repository ppa:​wireguard/​wireguard
 +$ sudo apt get update
 +$ sudo apt get install wireguard
 +## Generate Public/​Private Keypair
 +$ umask 077
 +$ wg genkey > client.privatekey
 +$ wg pubkey < client.privatekey > client.publickey
 +## Can also be done with a single command:
 +$ wg genkey | tee client.privatekey | wg client.pubkey > client.publickey
 +
 +## Command line configuration
 +# Add new interface with ip-link(8)
 +$ ip link add dev wg0 type wireguard
 +# Assign an IP address and peer with ifconfig(8) or ip-address(8)
 +$ ip addr add dev wg0 10.0.0.2/24
 +## Example with only 2 peers
 +#$ ip address add dev wg0 10.0.0.2/24 peer 10.0.0.1/24
 +# Configure interface with keys and peer endpoints with wg
 +$ wg setconf wg0 myconfig.conf
 +## or ## 
 +$ wg set wg0 listen-port 51820 \
 + private-key ./​client.privatekey \
 + peer <​server.publickey>​ \
 + allowed-ips 10.0.0.1/32 \
 + endpoint 192.168.1.1:​51820
 +# Activate interface with ifconfig(8) or ip-link(8):
 +$ ip link set wg0 up
 +# check:
 +$ ip addr
 +# Add peer:
 +$ wg
 +  public key: <​client.publickey>​
 +  private key: <​client.privatekey>​
 +  listening port: 51820
 +$ wg set wg0 peer <​server.publickey>​ \
 + allowed-ips 10.0.0.1/32 \
 + endpoint 192.168.1.1:​51820
 +# Test connectivity
 +ping 10.0.0.1
 +
 +## Static configuration
 +$ vi /​etc/​config/​network
 +config interface '​wg0'​
 + option proto '​wireguard'​
 + option listen_port '​51820'​
 + list addresses '​10.0.0.2/​32'​
 + option private_key '<​client.privatekey>'​
 +
 +config wireguard_wg0
 + option public_key '<​server.publickey>'​
 + option route_allowed_ips '​1'​
 + list allowed_ips '​0.0.0.0/​0'​
 + option endpoint_host '​Server'​s public ip address'​
 + option endpoint_port '​51820'​
 + option persistent_keepalive '​25'</​code>​
 +  * **Firewall Rules:​**<​code:​bash>​$ vi /​etc/​config/​firewall
 +config rule
 + option target '​ACCEPT'​
 + option src '​wan'​
 + option proto '​udp' ​    
 + option name '​Wireguard_VPN'​
 + option family '​ipv4'​
 + option dest_port '​51820'​
 +
 +config zone 
 + option name '​wg-vpn'​
 + option input '​ACCEPT'  ​
 + option forward '​ACCEPT'​
 + option output '​ACCEPT'​
 + option masq '​1'  ​
 + option device '​wg0'​
 +
 +config forwarding '​wg_wan'​
 + option src '​wg-vpn'​
 + option dest '​wan'​
 +
 +config forwarding '​wg_lan'​
 + option src '​wg-vpn'​
 + option dest '​lan'​
  
 +config forwarding  ​
 + option src '​lan'​
 + option dest '​wg-vpn'</​code>​
 +  * **Testing:​**<​code:​bash>##​ Restart networking:
 +$ /​etc/​init.d/​network restart
 +$ /​etc/​init.d/​firewall restart
 +## Testing throughput:</​code>​
 =====Code===== =====Code=====
 Upon completion of the project, if there is an applicable collection of created code, place a copy of your finished code within <​nowiki><​code>​ </​code></​nowiki>​ blocks here. Upon completion of the project, if there is an applicable collection of created code, place a copy of your finished code within <​nowiki><​code>​ </​code></​nowiki>​ blocks here.
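Review bot: the single-command key generation in both WireGuard blocks is broken: `$ wg genkey | tee server.privatekey | wg server.pubkey > server.publickey` (and the client counterpart with `wg client.pubkey`) invokes a subcommand that does not exist; the two-step form directly above it uses the correct `wg pubkey`, so the one-liner should read `wg genkey | tee server.privatekey | wg pubkey > server.publickey`. In the Ubuntu WireGuard block, `apt get update` and `apt get install wireguard` should be `apt-get update` / `apt-get install wireguard`, and the UCI line `option endpoint_host 'Server's public ip address'` contains an unescaped apostrophe inside the single-quoted value, so it should be replaced by a placeholder such as `'<SERVER-PUBLIC-IP>'` in the style used elsewhere on the page. Two points that deserve a sentence in the page text: the OpenVPN commands install `openvpn-nossl` and pass only `--ifconfig` with no `--secret` or TLS options, so as written that tunnel provides neither encryption nor peer authentication and should be labelled as a plaintext test tunnel; and the PPTP section stores the credentials `vpn * vpn *` in `chap-secrets` for a protocol whose MS-CHAP authentication is known to be breakable, which the text should state. Finally, the SSH tun/tap VPN commands (`ssh -w 0:0 root@remotehost.example.com true`, and `-o Tunnel=ethernet` for the tap case) only work when `PermitTunnel` is enabled in the remote host's sshd_config, which the block does not mention.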
user/nbrimme1/portfolio/tunnels.1529012387.txt.gz · Last modified: 2018/06/14 17:39 by nbrimme1