This document describes one way of connecting to dn42 with a Ubiquiti EdgeRouter (EdgeOS): an OpenVPN site-to-site tunnel to a peer, with a BGP session running inside it.
The values below are placeholders; substitute your own and your peer's throughout:
Own ASN: AS111111
Own IPv4 Space: 172.AA.AA.64/27
Own IPv6 Space: fdBB:BBBB:CCCC::/48
Own IPv4 If-Address: 172.AA.AA.65
Own IPv6 If-Address: fdBB:BBBB:CCCC::1
Peer OpenVPN Remote Address: 172.X.X.X (the peer's OpenVPN interface IP, i.e. its address inside the tunnel)
Peer OpenVPN Remote Host: X.X.X.Y (the peer's clearnet IP, the address the tunnel is built to)
Peer OpenVPN IPv6 for you: fdAA::BBB/64
Peer OpenVPN IPv6: fdAA::CC
Peer OpenVPN Port: 1194
Peer OpenVPN encryption: aes256
Peer ASN: AS222222
Peer BGP Neighbour IPv4: Z.Z.Z.Z
Peer BGP Neighbour IPv6: fdAA::CC
Copy the static OpenVPN key you exchanged with your peer to /config/auth/SomeSharedKey.key:
sudo cat > /config/auth/SomeSharedKey.key
Paste the key into the terminal window, hit return once and end cat with CTRL+D (CTRL+C also works, as cat has already written the file). Then type exit.
The key is a shared secret: anyone holding it can bring up the tunnel as your peer, so exchange it over a trusted channel and make sure the file is readable by root only.
Create the OpenVPN virtual interface, here vtun0:
configure
set interfaces openvpn vtun0
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 local-port 1194
set interfaces openvpn vtun0 remote-port 1194
set interfaces openvpn vtun0 local-address 172.AA.AA.65
set interfaces openvpn vtun0 remote-address 172.X.X.X
set interfaces openvpn vtun0 remote-host X.X.X.Y
set interfaces openvpn vtun0 shared-secret-key-file /config/auth/SomeSharedKey.key
set interfaces openvpn vtun0 encryption aes256
set interfaces openvpn vtun0 openvpn-option "--comp-lzo"
commit
save
exit
Only add the --comp-lzo line if your peer has compression enabled; both ends must agree or the tunnel will not pass traffic. Compression on a VPN link is deprecated in current OpenVPN releases because it leaks information about the plaintext (the VORACLE attack), so leave it off unless the peer requires it.
The OpenVPN tunnel should now be up and running.
Check it with:
show interfaces openvpn
show interfaces openvpn detail
show openvpn status site-to-site
If a firewall ruleset is attached to the tunnel interface in the local direction, it must allow tcp/179 (BGP) from the peer, otherwise the session in the next step will never come up.
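As an added example (not part of the original page), here is a minimal local ruleset for the tunnel interface that admits only what the peering needs, plus the matching hole for the tunnel itself on the WAN side. The ruleset name DN42-LOCAL is chosen here; Z.Z.Z.Z and X.X.X.Y are the peer's tunnel-side and clearnet addresses from the list above; WAN_LOCAL is the name the EdgeOS setup wizard gives the WAN-facing local chain and is an assumption, so adjust it if your ruleset is named differently.

```edgeos
configure
# Router-destined traffic arriving on the tunnel: default deny
set firewall name DN42-LOCAL default-action drop
set firewall name DN42-LOCAL description "Traffic from the dn42 tunnel to this router"
# Replies to connections the router opened itself (e.g. our own BGP connect)
set firewall name DN42-LOCAL rule 10 action accept
set firewall name DN42-LOCAL rule 10 description "Established/related"
set firewall name DN42-LOCAL rule 10 state established enable
set firewall name DN42-LOCAL rule 10 state related enable
# BGP, but only from the peer's tunnel-side address (Z.Z.Z.Z from the list above)
set firewall name DN42-LOCAL rule 20 action accept
set firewall name DN42-LOCAL rule 20 description "BGP from dn42 peer"
set firewall name DN42-LOCAL rule 20 protocol tcp
set firewall name DN42-LOCAL rule 20 destination port 179
set firewall name DN42-LOCAL rule 20 source address Z.Z.Z.Z
# ICMP so the peer can ping the tunnel endpoint and PMTU discovery keeps working
set firewall name DN42-LOCAL rule 30 action accept
set firewall name DN42-LOCAL rule 30 description "ICMP"
set firewall name DN42-LOCAL rule 30 protocol icmp
# Attach the ruleset in the local direction on the tunnel interface
set interfaces openvpn vtun0 firewall local name DN42-LOCAL
# The tunnel packets themselves arrive on the WAN interface: allow udp/1194 from the
# peer's clearnet address there (WAN_LOCAL is the wizard's default name, an assumption)
set firewall name WAN_LOCAL rule 25 action accept
set firewall name WAN_LOCAL rule 25 description "OpenVPN from dn42 peer"
set firewall name WAN_LOCAL rule 25 protocol udp
set firewall name WAN_LOCAL rule 25 destination port 1194
set firewall name WAN_LOCAL rule 25 source address X.X.X.Y
commit
save
exit
```

Check the counters with show firewall name DN42-LOCAL statistics once the BGP session is up: rule 20 should be counting packets, and the default-drop counter should stay close to zero on a link that carries nothing but the peering.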
When entering AS numbers, do not include the "AS" prefix, i.e. enter AS111111 as just 111111.
Build the BGP session with your peer:
configure
set protocols bgp 111111 neighbor Z.Z.Z.Z remote-as 222222
set protocols bgp 111111 neighbor Z.Z.Z.Z soft-reconfiguration inbound
set protocols bgp 111111 neighbor Z.Z.Z.Z update-source 172.AA.AA.65
commit
save
Check that the BGP session has come up:
show ip bgp summary
Install a blackhole route for your own prefix so that the aggregate exists in the routing table and BGP can originate it (routes to individual hosts in the block still win, as they are more specific):
configure
set protocols static route 172.AA.AA.64/27 blackhole
set protocols bgp 111111 network 172.AA.AA.64/27
commit
save
exit
You should now be able to see networks being advertised to your peer:
show ip bgp neighbors Z.Z.Z.Z advertised-routes
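The session as configured above accepts everything the peer sends and announces everything in the BGP table. Added example, not from the original page: import and export filters so that only prefixes inside dn42 address space are accepted and only your own block is announced. The names DN42-IMPORT, DN42-OWN, DN42-IN and DN42-OUT are chosen here. The ranges 172.20.0.0/14, 172.31.0.0/16 and 10.100.0.0/14 and the /29 maximum length are taken from the dn42 registry's IPv4 allocations and filter guidelines as the editor knows them; verify them against the current registry before relying on them. The maximum-prefix value is a placeholder to be sized against the current dn42 table.

```edgeos
configure
# Accept only prefixes inside dn42 IPv4 space, no longer than /29
set policy prefix-list DN42-IMPORT description "dn42 IPv4 space (check current registry)"
set policy prefix-list DN42-IMPORT rule 10 action permit
set policy prefix-list DN42-IMPORT rule 10 prefix 172.20.0.0/14
set policy prefix-list DN42-IMPORT rule 10 le 29
set policy prefix-list DN42-IMPORT rule 20 action permit
set policy prefix-list DN42-IMPORT rule 20 prefix 172.31.0.0/16
set policy prefix-list DN42-IMPORT rule 20 le 29
set policy prefix-list DN42-IMPORT rule 30 action permit
set policy prefix-list DN42-IMPORT rule 30 prefix 10.100.0.0/14
set policy prefix-list DN42-IMPORT rule 30 le 29
# Our own block and any more-specific of it
set policy prefix-list DN42-OWN rule 10 action permit
set policy prefix-list DN42-OWN rule 10 prefix 172.AA.AA.64/27
set policy prefix-list DN42-OWN rule 10 le 32
# Import: never accept our own space back from the peer (a peer announcing it would
# hijack our traffic), then permit dn42 space; everything else hits the implicit deny
set policy route-map DN42-IN rule 10 action deny
set policy route-map DN42-IN rule 10 match ip address prefix-list DN42-OWN
set policy route-map DN42-IN rule 20 action permit
set policy route-map DN42-IN rule 20 match ip address prefix-list DN42-IMPORT
# Export: only our own aggregate leaves; add rules here only if you intend to provide transit
set policy route-map DN42-OUT rule 10 action permit
set policy route-map DN42-OUT rule 10 match ip address prefix-list DN42-OWN
# Apply both to the neighbour and cap the number of prefixes it may send (placeholder value)
set protocols bgp 111111 neighbor Z.Z.Z.Z route-map import DN42-IN
set protocols bgp 111111 neighbor Z.Z.Z.Z route-map export DN42-OUT
set protocols bgp 111111 neighbor Z.Z.Z.Z maximum-prefix 5000
commit
save
exit
```

Because the session was configured with soft-reconfiguration inbound, show ip bgp neighbors Z.Z.Z.Z received-routes lists everything the peer sent and show ip bgp neighbors Z.Z.Z.Z routes what survived the import filter; the difference is what the filter dropped. show ip bgp neighbors Z.Z.Z.Z advertised-routes should now show only 172.AA.AA.64/27.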
Try to ping 172.23.0.53 (a dn42 anycast DNS resolver). A reply proves that traffic reaches the dn42 network and, since the resolver must route back to your own prefix, that your announcement is being accepted. If you get a response you are good to continue.
Add the DNS forwarder, so that .dn42 names and reverse lookups for dn42 space are sent to the anycast resolver:
configure
set service dns forwarding options server=/23.172.in-addr.arpa/172.23.0.53
set service dns forwarding options server=/22.172.in-addr.arpa/172.23.0.53
set service dns forwarding options server=/dn42/172.23.0.53
commit
save
exit
dn42 IPv4 space is 172.20.0.0/14, so add matching entries for 20.172.in-addr.arpa and 21.172.in-addr.arpa if you also want reverse lookups for those ranges.
If the hosts behind the router are not numbered out of your own dn42 block, masquerade their traffic behind the tunnel address so that replies have a route back:
configure
set service nat rule 5013 outbound-interface vtun0
set service nat rule 5013 type masquerade
set service nat rule 5013 description "Masquerade for dn42"
commit
save
exit
You should now be able to resolve and reach .dn42 domains.
Last edited by lare wiki-sync, 2023-04-28 22:58:11