Repeater linking: Difference between revisions

From Wildsong
Brian Wilson (talk | contribs)
Line 66: Line 66:


  # Make packets coming in from the Internet get written to the right subnet
  # Make packets coming in from the Internet get written to the right subnet
## Blimey I don't need this
  iptables -t nat -A POSTROUTING -o wg0 -j DNAT -d 44.127.9.2
  iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE -d 44.127.9.2


I think wireguard does this automatically
I think wireguard does this automatically
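Review bot: the old line `iptables -t nat -A POSTROUTING -o wg0 -j DNAT -d 44.127.9.2` could never have loaded, because DNAT is only valid in the PREROUTING and OUTPUT chains of the nat table and also requires a `--to-destination`; the replacement `-j MASQUERADE -d 44.127.9.2` does load, but it rewrites the source address of everything tarra sends to 44.127.9.2 to tarra's wg0 address, so the far end no longer sees the real origin. Since the "Blimey I don't need this" note and the "I think wireguard does this automatically" line agree the rule is unnecessary, and the 44 addresses are routed end to end rather than NATed, removing the rule outright is the cleaner edit than swapping the target.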

Revision as of 02:13, 7 March 2022

I am testing network configurations for TARRA, the Teton Amateur Radio Repeater Association in Wyoming.

The goal here is to route our 44 subnet to the repeaters. The repeaters can be on any service provider, so we need to accommodate that.

I have to keep in mind that the bigger picture is to control and link the repeaters, so that might mean changing out the operating system. For example, the Pi image distributed for Allstar is ArchLinux.

I spent too much time researching IPIP and GRE tunnels, gave up, and came back to WireGuard. There might or might not be firewalls and NAT on some nodes, and that is certainly the case here at home.

Regarding IPIP and GRE, though, the best doc I have found is https://wiki.buyvm.net/doku.php/ipip_tunnel. I got a tunnel running between two VPSs, tarra and w6gkd, but I don't need a setup like that.

So Wireguard it is.


Instructions and download are available from https://upcloud.com/community/tutorials/get-started-wireguard-vpn/

For the ERX router, https://github.com/WireGuard/wireguard-vyatta-ubnt/wiki/EdgeOS-and-Unifi-Gateway

Test setup

I am using a Pi3 and a VPS for testing right now, using the official image based on Debian.

Violet is the pi3, on my Spectrum broadband behind a Ubiquiti router.

TARRA is the VPS, at VULTR.

/etc/wireguard/wg0.conf is the config file at each end.

Bring up connection

wg-quick up wg0

Test connection

Shut down connection

wg-quick down wg0
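As an added example (not the page's own config, and not from the WireGuard project), here is a script that renders a wg0.conf for each end of the violet/tarra pair described above. The host names and the 44.127.9.0/28 subnet come from the page; the keys, the VPS public address (a TEST-NET-3 placeholder), the listen port and the in-tunnel addresses are assumptions. The point it shows is the asymmetry a NAT-traversing pair needs: the VPS end listens and has no Endpoint for the Pi, while the Pi end carries the Endpoint and a PersistentKeepalive so the home router keeps the mapping open.

```shell
#!/bin/sh
# Added example, not from the Wildsong page: render the wg0.conf for each end of
# the violet <-> tarra tunnel. The 44.127.9.0/28 subnet and the host names come
# from the page; keys, the VPS address (TEST-NET-3 placeholder), the listen port
# and the in-tunnel addresses are constructed assumptions.

TUNNEL_NET=44.127.9.0/28      # the /28 from the page
TARRA_ADDR=44.127.9.1         # assumed tunnel address of the VPS end
VIOLET_ADDR=44.127.9.2        # assumed tunnel address of the Pi end
VPS_PUBLIC_IP=203.0.113.10    # placeholder, not tarra's real public address
LISTEN_PORT=51820             # WireGuard's conventional port, an assumption here

# render_conf ROLE: print the wg0.conf for ROLE (tarra = VPS, violet = Pi behind NAT)
render_conf() {
  case "$1" in
    tarra)
      cat <<EOF
[Interface]
Address = $TARRA_ADDR/28
ListenPort = $LISTEN_PORT
PrivateKey = <tarra-private-key>
# the 44 addresses are routable, so forward them rather than NAT them
PostUp = sysctl -w net.ipv4.ip_forward=1

[Peer]
# violet is behind NAT, so no Endpoint here: it dials in and its current
# source address is learned from the authenticated handshake
PublicKey = <violet-public-key>
AllowedIPs = $TUNNEL_NET
EOF
      ;;
    violet)
      cat <<EOF
[Interface]
Address = $VIOLET_ADDR/28
PrivateKey = <violet-private-key>

[Peer]
PublicKey = <tarra-public-key>
Endpoint = $VPS_PUBLIC_IP:$LISTEN_PORT
AllowedIPs = $TUNNEL_NET
# keep the home router's NAT mapping open so tarra can initiate traffic
PersistentKeepalive = 25
EOF
      ;;
    *)
      echo "render_conf: unknown role '$1' (expected tarra or violet)" >&2
      return 1
      ;;
  esac
}

# check_conf ROLE: the two properties that matter for a NAT-traversing pair
check_conf() {
  conf=$(render_conf "$1") || return 1
  case "$1" in
    violet) printf '%s\n' "$conf" | grep -q '^Endpoint' &&
            printf '%s\n' "$conf" | grep -q '^PersistentKeepalive' ;;
    tarra)  printf '%s\n' "$conf" | grep -q '^ListenPort' &&
            ! printf '%s\n' "$conf" | grep -q '^Endpoint' ;;
    *)      return 1 ;;
  esac
}

# usage: sh render-wg.sh violet > /etc/wireguard/wg0.conf && wg-quick up wg0
if [ -n "${1:-}" ]; then
  render_conf "$1"
fi
```

Run it once per host with the matching role, drop the real keys in place of the placeholders, then bring the interface up with the wg-quick commands above.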


Subnet calculator: https://www.calculator.net/ip-subnet-calculator.html?cclass=any&csubnet=28&cip=44.127.9.0&ctype=ipv4&printit=0&x=66&y=16

Show me the INPUT rules, verbosely

iptables -L INPUT -v

"ACCEPT" in this case means "nothing interesting here"; it does not log.

On violet, you can log traffic with iptables to monitor it, or just use tcpdump:

# Note: -F flushes every existing rule in the chain, including fail2ban's bans
iptables -F INPUT
iptables -A INPUT -i wg0 -j LOG
iptables -F OUTPUT
# OUTPUT matches on the outgoing interface, so -o rather than -i
iptables -A OUTPUT -o wg0 -j LOG
tail -f /var/log/messages

or

tcpdump -i wg0 -n
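The LOG target writes one kernel line per packet, which gets noisy fast. Here is an added example (not from the page) that reduces such lines to a per-direction, per-protocol, per-port count, so you can see at a glance whether the RIP announcements and ICMP you expect are crossing wg0 and whether anything unexpected is. The log lines embedded in it are constructed in the kernel's LOG format using the page's 44.127.9.x addresses; the helper names are my own.

```shell
#!/bin/sh
# Added example, not from the page: summarise iptables LOG lines like the ones
# the rules above write to /var/log/messages. SAMPLE_LOG is constructed.

SAMPLE_LOG='Mar  7 02:13:05 violet kernel: [ 1201.001] IN=wg0 OUT= MAC= SRC=44.127.9.1 DST=44.127.9.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
Mar  7 02:13:05 violet kernel: [ 1201.002] IN= OUT=wg0 SRC=44.127.9.2 DST=44.127.9.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=0 CODE=0 ID=9 SEQ=1
Mar  7 02:13:35 violet kernel: [ 1231.113] IN=wg0 OUT= MAC= SRC=44.127.9.1 DST=44.127.9.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=520 DPT=520 LEN=32
Mar  7 02:14:05 violet kernel: [ 1261.224] IN=wg0 OUT= MAC= SRC=44.127.9.1 DST=44.127.9.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=520 DPT=520 LEN=32
Mar  7 02:14:09 violet kernel: [ 1265.500] IN=wg0 OUT= MAC= SRC=44.127.9.1 DST=44.127.9.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=41022 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0'

# summarize_log: read LOG lines on stdin, print "count direction proto dport src",
# most frequent first. Direction is in:<iface> or out:<iface>, dport is "-" for
# protocols without ports (ICMP).
summarize_log() {
  awk '
    /kernel:/ && /PROTO=/ {
      dir = ""; proto = ""; dport = "-"; src = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "IN"  && kv[2] != "") dir = "in:" kv[2]
        if (kv[1] == "OUT" && kv[2] != "") dir = "out:" kv[2]
        if (kv[1] == "PROTO") proto = kv[2]
        if (kv[1] == "DPT")   dport = kv[2]
        if (kv[1] == "SRC")   src = kv[2]
      }
      n[dir " " proto " " dport " " src]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -k1,1nr -k2
}

# count_matching PATTERN: how many of the sample lines match PATTERN
count_matching() {
  printf '%s\n' "$SAMPLE_LOG" | grep -c -- "$1"
}

# usage on a real box: summarize_log < /var/log/messages
# (not tail -f: awk only prints its summary once the input ends)
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_LOG" | summarize_log
fi
```

On the constructed sample the first summary line is `2 in:wg0 UDP 520 44.127.9.1`, the two RIP announcements from tarra; an unexpected entry such as inbound TCP 22 from the tunnel stands out the same way.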


On tarra

tcpdump -i wg0 -n

# Make packets coming in from the Internet get written to the right subnet
# Abandoned: DNAT is only valid in the PREROUTING and OUTPUT chains of the nat table, and needs --to-destination
# iptables -t nat -A POSTROUTING -o wg0 -j DNAT -d 44.127.9.2

I think wireguard does this automatically

ip route add 44.127.9.0/28 via 44.127.9.1

AMPR

In test or deployment, at this point I need the AMPR router daemon installed. See these setup instructions.

apt-get install tcpdump dnsutils iptables-persistent ipset fail2ban lynx git

I had fail2ban installed already on both machines, which means that iptables was also installed already and could be the whole problem. My iptables skills are rusty.

Firewall settings

"iptables -L" shows me that about 100 sites have been SSH banned. It also told me that FORWARD was DROP on w6gkd, hmmm.

# protocol 4 is IPIP (ipencap), the encapsulation AMPR uses
iptables -A INPUT -p 4 -j ACCEPT
# UDP 520 is RIP, which the AMPR gateway uses to announce routes
iptables -A INPUT -p udp --dport 520 -j ACCEPT
iptables -P FORWARD ACCEPT

# Drop various services we don't want running over the tunnel, mostly Microsoft stuff
iptables -A OUTPUT -o tun0 -p udp --dport 10001 -j DROP
iptables -A OUTPUT -o tun0 -p udp --dport 137:139 -j DROP
iptables -A OUTPUT -o tun0 -p udp --dport 5678 -j DROP
# Drops destination-unreachable replies to various probes, saving bandwidth
iptables -A OUTPUT -o tun0 -p icmp --icmp-type destination-unreachable -j DROP

# This prevents nested ipencap, see https://ohiopacket.org/xrpi/docs/ipencap.htm
iptables -t raw -I PREROUTING -p 4 -i tun0 -j DROP
# This prevents a general loop
iptables -I FORWARD -i tun0 -o tun0 -j DROP
# Drops outbound unassigned IPs from looping through tunl0 via ipencap
# You must add accept rules under this line to make exceptions
# Drop traffic that does not have one of our 44 addresses on it.
iptables -I FORWARD ! -s 44.127.9.0/24 -o tunl0 -j DROP
# I don't think this will hurt anything but it might no longer matter with current amprd 3.0
iptables -A OUTPUT -o ens3 -p icmp --icmp-type destination-unreachable -m state --state RELATED -j DROP
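Since iptables-persistent was installed above, the rules end up being reloaded at boot from /etc/iptables/rules.v4, and the restore format has one trap: rules apply in file order, so the ones the page inserts with -I must be listed before anything else in their chain. The following is an added example, not the page's own file, that renders the rules above in that format; the chain policies (ACCEPT, matching the page's `-P FORWARD ACCEPT`), the interface name ens3 and the 44.127.9.0/24 mask are taken from the page, and `render_rules_v4`/`rule_count` are my own helper names.

```shell
#!/bin/sh
# Added example, not from the page: the firewall rules above as one
# iptables-restore file for iptables-persistent (/etc/iptables/rules.v4).
# Rules the page adds with -I are listed first in their chain, because a
# restore file applies rules top to bottom.

AMPR_NET=44.127.9.0/24   # the page uses /24 here and /28 elsewhere; set it to your allocation
UPLINK=ens3              # VPS uplink interface, as on the page

# render_rules_v4: print the restore file on stdout
render_rules_v4() {
  cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# prevent nested ipencap (IPIP, protocol 4) arriving over the tunnel
-A PREROUTING -i tun0 -p 4 -j DROP
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# ipencap and RIP (UDP 520) from the AMPR gateway
-A INPUT -p 4 -j ACCEPT
-A INPUT -p udp --dport 520 -j ACCEPT
# the page's -I rules, so they stay ahead of anything appended later
-A FORWARD -i tun0 -o tun0 -j DROP
-A FORWARD ! -s $AMPR_NET -o tunl0 -j DROP
# noise we do not want over the tunnel
-A OUTPUT -o tun0 -p udp --dport 10001 -j DROP
-A OUTPUT -o tun0 -p udp --dport 137:139 -j DROP
-A OUTPUT -o tun0 -p udp --dport 5678 -j DROP
-A OUTPUT -o tun0 -p icmp --icmp-type destination-unreachable -j DROP
-A OUTPUT -o $UPLINK -p icmp --icmp-type destination-unreachable -m state --state RELATED -j DROP
COMMIT
EOF
}

# rule_count CHAIN: number of rules the rendered file appends to CHAIN
rule_count() {
  render_rules_v4 | grep -c "^-A $1 "
}

# usage: render_rules_v4 | sudo iptables-restore --test   # syntax check only
#        render_rules_v4 | sudo tee /etc/iptables/rules.v4 >/dev/null
if [ "${1:-}" = "--print" ]; then
  render_rules_v4
fi
```

Check the file with `iptables-restore --test` before writing it, and keep fail2ban out of this file: it manages its own chains at runtime and re-creates them on start.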

Build and configure and install AMPRD

Now for the routing daemon...

git clone https://git.ampr.org/yo2loj/amprd.git
cd amprd
make install
sudo make install

This installs three things:

/var/lib/amprd
/etc/amprd.conf.example
/usr/sbin/amprd

Therefore you have to copy the example config into place:

cd /etc
cp amprd.conf.example amprd.conf

I installed and edited the startup script:

sudo cp startup_example.sh /usr/local/bin/amprd_start.sh