Repeater linking: Difference between revisions

From Wildsong
Both revisions by Brian Wilson (talk | contribs), minor edits, no edit summary.
Text of the previous revision that this edit replaced, starting at old line 8 (the text added in its place is the current revision, shown in full below):

Wireguard would be one approach but my current thought is to keep it as simple as possible by using only tunnels.

So far the best doc I have found is https://wiki.buyvm.net/doku.php/ipip_tunnel

== Test setup #1 ==

I am using a Pi4 and a Pi3 for testing right now, using the official image based on Debian.

'''Violet''' is the pi3, connected over Wifi so I can ssh into it.

'''Tenrec''' is the pi4, connected by a 10BT patch cable to violet. Tenrec has a 7" screen and kbd.

Tools you will be needing:
 apt install tcpdump

=== IPIP tunnels ===

Create a file to load the modules at boot:
 cd /etc/modules-load.d
 cat > ip_tunnel.conf
 tunnel4
 ipip
 reboot

Now you have an unconfigured interface called tunl0. I add a new one, tun0.

On violet,
 ip tunnel add tun0 mode ipip remote 192.168.1.2
 ip addr add 44.127.9.2/24 dev tun0
 ip link set tun0 up

On tenrec,
 ip tunnel add tun0 mode ipip remote 192.168.1.1
 ip addr add 44.127.9.1/24 dev tun0
 ip link set tun0 up

Test with
 ping 44.127.9.1

== Test setup #2 ==

Two virtual machines are used. This simulates a Pi deployed someplace on a Comcast link. (Or any other ISP, or even a wifi link, really.)

'''Tarra''' will be the router in deployment.

'''W6gkd''' will be the "repeater"; in reality it's a virtual machine at a different service provider.

I set up tunnels and tested them. Some notes on that, similar to the above. I created the module load file; it required one more module on tarra.
 cd /etc/modules-load.d
 cat > ip_tunnel.conf
 tunnel4
 ip_tunnel
 ipip
I did not reboot, I just used insmod to load them, trusting that the conf file will actually work on next reboot.

Then I created a script (and ran it) like this. It's called "ipip.sh" and it's in the root folder to remind me to sudo first. The 108.x IP is for w6gkd.
 ip tunnel add tun0 mode ipip remote 108.161.129.155
 ip addr add 44.127.9.2/24 dev tun0
 ip link set tun0 up
 route

With a similar set up on w6gkd I can ping from tarra to w6gkd with "ping 44.127.9.2" but no echo comes back, presumably because of routing issues. I can see packets pop out of the tunnel with tcpdump at the far end.

The text from "In test or deployment, at this point I need the AMPR router daemon installed" through "sudo cp startup_example.sh /usr/local/bin/amprd_start.sh" (old line 136, new line 105) is unchanged and appears in the current revision below. After it, the old revision continued with these sections, which this edit removed:

== "Other" ==

I also have tried GRE tunnels and Wireguard. Wireguard is actually deployed on tarra but not used for the repeater links.

=== GRE tunnels ===

Not working the way I expect.

Basics:
* https://david-waiting.medium.com/a-beginners-guide-to-generic-routing-encapsulation-fb2b4fb63abb
* https://www.xmodulo.com/create-gre-tunnel-linux.html

Types and basic commands

On Raspbian I had to create a file to load the modules at boot, in this order.
 cd /etc/modules-load.d
 cat > gre_tunnel.conf
 gre
 ip_tunnel
 ip_gre
I reboot at this point and make sure the modules are loading, with
 lsmod | grep gre

'''TUN interface''' - encapsulates ether header

The "gre0" interface exists, so if I try to use the first command with gre0 I get an 'exists' error. I could follow the first example above and use "tun0" instead of "gre0"?

On violet,
 ip tunnel add tun0 mode gre remote 172.16.123.1 local 172.16.123.2 ttl 255
 ip addr add 10.10.10.1/24 dev tun0
 ip link set tun0 up

On tenrec, the other way round,
 ip tunnel add tun0 mode gre remote 172.16.123.2 local 172.16.123.1 ttl 255
 ip addr add 10.10.10.2/24 dev tun0
 ip link set tun0 up

To shut it down simply use the command below, then move on and test TAP.
 ip link set tun0 down

'''TAP interface''' - no ether header

On violet,
 ip link add tun1 type gretap remote 172.16.123.1 local 172.16.123.2 dev eth0
 ip addr add 10.10.10.1/24 dev tun1
 ip link set tun1 up
 ip -d link show tun1

On tenrec, going the other direction,
 ip link add tun1 type gretap remote 172.16.123.2 local 172.16.123.1 dev eth0
 ip addr add 10.10.10.2/24 dev tun1
 ip link set tun1 up
 ip -d link show tun1

I need some sample commands here to confirm the links actually work.
 ping 10.10.10.1
 ping 172.16.123.1
 tcpdump -i tun0

== Wireguard ==

Wireguard is an encrypted tunnel that is easy to set up. Instructions and download are available from https://github.com/WireGuard/wireguard-vyatta-ubnt/wiki/EdgeOS-and-Unifi-Gateway

Revision as of 05:09, 5 March 2022

I am testing network configurations for TARRA, the Teton Amateur Radio Repeater Association in Wyoming.

Goal here is to route our 44 subnet to the repeaters. The repeaters can be on any service provider so we need to accommodate that.

I have to keep in mind that the bigger picture is to control and link the repeaters, so that might mean changing out the operating system. For example, the Pi image distributed for Allstar is ArchLinux.

I spent too much time researching ipip and gre tunnels and gave up and came back to Wireguard. There might or might not be firewalls and NAT on some nodes, and certainly that is the case here at home.

Regarding IPIP and GRE, though, the best doc I have found is https://wiki.buyvm.net/doku.php/ipip_tunnel. I got a tunnel running between two VPSs, tarra and w6gkd, but I don't need a setup like that.

So Wireguard it is.


Instructions and download are available from https://upcloud.com/community/tutorials/get-started-wireguard-vpn/

For the ERX router, https://github.com/WireGuard/wireguard-vyatta-ubnt/wiki/EdgeOS-and-Unifi-Gateway

Test setup

I am using a Pi3 and a VPS for testing right now, using the official image based on Debian.

Violet is the pi3, on my Spectrum broadband behind a Ubiquiti router.

TARRA is the VPS, at VULTR.

/etc/wireguard/wg0.conf is the config at each end

Bring up connection

wg-quick up wg0

Test connection

Shut down connection

wg-quick down wg0


AMPR

In test or deployment, at this point I need the AMPR router daemon (https://wiki.ampr.org/wiki/Ampr-ripd) installed. See these setup instructions.

apt-get install tcpdump dnsutils iptables-persistent ipset fail2ban lynx git

I had fail2ban installed already on both machines, which means that iptables was also installed already and could be the whole problem. My iptables skills are rusty.

Firewall settings

"iptables -L" shows me that about 100 sites have been ssh banned. It also told me that the FORWARD policy was DROP on w6gkd, hmmm.

iptables -A INPUT -p 4 -j ACCEPT
iptables -A INPUT -p udp --dport 520 -j ACCEPT
iptables -P FORWARD ACCEPT

# Drop various services we don't want running over the tunnel, mostly Microsoft stuff
iptables -A OUTPUT -o tun0 -p udp --dport 10001 -j DROP
iptables -A OUTPUT -o tun0 -p udp --dport 137:139 -j DROP
iptables -A OUTPUT -o tun0 -p udp --dport 5678 -j DROP 
# Drops destination unreachable replies to various probe responses saving bandwidth
iptables -A OUTPUT -o tun0 -p icmp --icmp-type destination-unreachable -j DROP

# This prevents nested ipencap see https://ohiopacket.org/xrpi/docs/ipencap.htm
iptables -t raw -I PREROUTING -p 4 -i tun0 -j DROP
# This prevents a general loop
iptables -I FORWARD -i tun0 -o tun0 -j DROP
# Drops outbound unassigned IPs from looping through tunl0 via ipencap
# You must add accept rules under this line to make exceptions
# Drop traffic that does not have one of our 44 addresses on it.
iptables -I FORWARD ! -s 44.127.9.0/24 -o tunl0 -j DROP
# I don't think this will hurt anything but might no longer matter with current amprd 3.0
iptables -A OUTPUT -o ens3 -p icmp --icmp-type destination-unreachable -m state --state RELATED -j DROP
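
The two loop-prevention rules above (the raw PREROUTING drop of protocol 4 arriving on tun0, and the FORWARD drop of non-44 sources leaving via tunl0) are easier to reason about at the packet level. The following Python is an added example, not code from this page or from amprd; it builds IPIP packets from constructed sample data using the addresses on this page and shows which packets each rule matches.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4  # "ipencap": an IPv4 packet carried inside IPv4; this is what "-p 4" matches
AMPR_NET = ipaddress.ip_network("44.127.9.0/24")  # the 44 subnet routed over the tunnel

def _pack_addr(dotted):
    return bytes(int(octet) for octet in dotted.split("."))

def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header with a correct checksum (constructed sample data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      _pack_addr(src), _pack_addr(dst))
    csum = sum(struct.unpack("!10H", hdr))
    while csum >> 16:  # fold carries back into the low 16 bits
        csum = (csum & 0xFFFF) + (csum >> 16)
    return hdr[:10] + struct.pack("!H", (~csum) & 0xFFFF) + hdr[12:]

def ipip_encap(inner, outer_src, outer_dst):
    """Wrap an IPv4 packet in an outer IPv4 header with protocol 4, as tun0 does on the way out."""
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPIP, len(inner)) + inner

def encap_depth(pkt):
    """Count how many IPIP layers wrap pkt (0 = a plain IPv4 packet)."""
    depth = 0
    while len(pkt) >= 20 and pkt[0] >> 4 == 4 and pkt[9] == IPPROTO_IPIP:
        pkt = pkt[(pkt[0] & 0x0F) * 4:]  # strip one outer header (IHL is in 32-bit words)
        depth += 1
    return depth

def raw_rule_drops(wire_pkt):
    """'iptables -t raw -I PREROUTING -p 4 -i tun0 -j DROP': the kernel strips the outer header of
    a protocol-4 packet arriving on ens3 and the inner packet enters PREROUTING on tun0; the rule
    fires when that inner packet is itself protocol 4, i.e. the wire packet was wrapped twice."""
    return encap_depth(wire_pkt) >= 2

def forward_to_tunnel_allowed(pkt):
    """'iptables -I FORWARD ! -s 44.127.9.0/24 -o tunl0 -j DROP': only packets with a source
    address in the 44 subnet may be forwarded out through the tunnel."""
    return ipaddress.ip_address(pkt[12:16]) in AMPR_NET

if __name__ == "__main__":
    # Constructed sample: protocol 1 (ICMP), payload omitted, between the page's two tunnel addresses,
    # wrapped once (normal) and twice (the nested ipencap loop the raw rule exists to stop).
    inner = ipv4_header("44.127.9.2", "44.127.9.1", 1, 0)
    once = ipip_encap(inner, "192.168.1.1", "108.161.129.155")
    twice = ipip_encap(once, "192.168.1.1", "108.161.129.155")
    for name, pkt in (("plain", inner), ("ipip", once), ("nested", twice)):
        print(f"{name}: depth={encap_depth(pkt)} raw_rule_drops={raw_rule_drops(pkt)}")
```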

Build and configure and install AMPRD

Now for the routing daemon...

git clone https://git.ampr.org/yo2loj/amprd.git
cd amprd
make install
sudo make install

This installs 3 files,

/var/lib/amprd
/etc/amprd.conf.example
/usr/sbin/amprd

Therefore you have to

cd /etc
cp amprd.conf.example amprd.conf

I installed and edited

sudo cp startup_example.sh /usr/local/bin/amprd_start.sh