Repeater linking

From Wildsong
Revision as of 06:25, 12 March 2022 by Brian Wilson (talk | contribs)
Jump to navigationJump to search

I am testing network configurations for TARRA, the Teton Amateur Radio Repeater Association in Wyoming.

Goal here is to route our 44 subnet to the repeaters. The repeaters can be on any service provider so we need to accommodate that.

I spent too much time researching ipip and gre tunnels and gave up and came back to Wireguard. There might or might not be firewalls and NAT on some nodes, and certainly that is the case here at home.

Regarding IPIP and GRE though the best doc I have found is https://wiki.buyvm.net/doku.php/ipip_tunnel I got a tunnel running between two VPSs, tarra and w6gkd but I don't need a setup like that.

So Wireguard it is.

Instructions for setting up a Raspberry Pi as a client Wireguard client set up

Install it,

sudo apt-get install wireguard -y

Instructions and download are available from https://upcloud.com/community/tutorials/get-started-wireguard-vpn/

For the ERX router, https://github.com/WireGuard/wireguard-vyatta-ubnt/wiki/EdgeOS-and-Unifi-Gateway

Test setup

I am using a Pi3 and a VPS for testing right now, using the official image based on Debian.

Violet is the pi3, on my Spectrum broadband behind a Ubiquiti router.

TARRA is the VPS, at VULTR.

/etc/wireguard/wg0.conf is the config at each end

Bring up connection

wg-quick up wg0

Test connection

Shut down connection

wg-quick down wg0

Subnets https://www.calculator.net/ip-subnet-calculator.html?cclass=any&csubnet=28&cip=44.127.9.0&ctype=ipv4&printit=0&x=66&y=16

Show me the INPUT rules, verbosely

iptables -L INPUT -v

"ACCEPT" in this case says, "nothing interesting here", don't log.

On violet, you can log traffic to monitor it, or just use tcpdump

iptables -F INPUT
iptables -A INPUT -i wg0 -j LOG
iptables -F OUTPUT
iptables -A OUTPUT -i wg0 -j LOG
tail -f /var/log/messages

or

tcpdump -i wg0 -n


On tarra

tcpdump -i wg0 -n
# Make packets coming in from the Internet get written to the right subnet
iptables -t nat -A POSTROUTING -o wg0 -j DNAT -d 44.127.9.2

I think wireguard does this automatically

ip route add 44.127.9.0/28 via 44.127.9.1

AMPR

In test or deployment, at this point I need the AMPR router daemon installed. See these set up instructions.

apt-get install tcpdump dnsutils iptables-persistent ipset fail2ban lynx git

I had fail2ban installed already on both machines, which means that iptables was also installed already and could be the whole problem. My iptables skills are rusty.

Firewall settings

"iptables -L" shows me that about 100 sites have been ssh banned. It also told me that FORWARD was DROP on w6gkd hmmm.

iptables -A INPUT -p 4 -j ACCEPT
iptables -A INPUT -p udp --dport 520 -j ACCEPT
iptables -P FORWARD ACCEPT

# Drop various services we don't want running over the tunnel, mostly Microsoft stuff
iptables -A OUTPUT -o tun0 -p udp --dport 10001 -j DROP
iptables -A OUTPUT -o tun0 -p udp --dport 137:139 -j DROP
iptables -A OUTPUT -o tun0 -p udp --dport 5678 -j DROP 
# Drops destination unreachable replies to various probe responses saving bandwidth
iptables -A OUTPUT -o tun0 -p icmp --icmp-type destination-unreachable -j DROP

# This prevents nested ipencap see https://ohiopacket.org/xrpi/docs/ipencap.htm
iptables -t raw -I PREROUTING -p 4 -i tun0 -j DROP
# This prevents a general loop
iptables -I FORWARD -i tun0 -o tun0 -j DROP
# Drops outbound unassigned IPs from looping though tunl0 via ipencap
# You must add accept rules under this line to make exceptions
# Drop traffic that does not have one of our 44 addresses on it.
iptables -I FORWARD ! -s 44.127.9.0/24 -o tunl0 -j DROP
# I don't think this will hurt anything but might no longer matter with current amprd 3.0
iptables -A OUTPUT -o ens3 -p icmp --icmp-type destination-unreachable -m state --state RELATED -j DROP