howto/EdgeOS Config

  • Search
  • Home
  • All
  • Files
  • History
  • Latest Changes
  • Home

    • Getting Started
    • Registry Authentication
    • Address Space
    • BGP communities
    • FAQ
  • How-To

    • Wireguard
    • Openvpn
    • IPsec With Public Keys
    • Tinc
    • GRE on FreeBSD
    • GRE on OpenBSD
    • IPv6 Multicast (PIM-SM)
    • SSM Multicast
    • MPLS
    • Bird2
    • FRRouting
    • OpenBGPD
    • Mikrotik RouterOS
    • EdgeRouter
    • Static routes on Windows
    • Universal Network Requirements
    • VyOS
    • NixOS
  • Services

    • IRC
    • Whois registry
    • DNS
    • IX Collection
    • Public DNS
    • Looking Glasses
    • Automatic Peering
    • Repository Mirrors
    • Distributed Wiki
    • Certificate Authority
    • Route Collector
    • Registry
  • Internal

    • Internal services
    • Interconnections
    • APIs
    • Show and Tell
    • Historical services
  • Historical

    • Bird 1
    • Quagga
  • External Tools

    • Paste Board
    • Git Repositories

dn42

EdgeOS

This document describes some possibilities for connecting to dn42 using an Ubiquiti EdgeRouter:

  • IPv4/IPv6 tunnel via:
    • OpenVPN - support built into EdgeOS already - covered below
    • IPsec/IKEv2 - support built into EdgeOS already - not covered here
    • QuickTun - see vyatta-quicktun package - not covered here
  • Route exchange using BGP
  • DNS resolution for the .dn42 TLD

First Steps

  1. Create the required objects in the Registry - see Getting Started
  2. Find a peer - ask nicely in IRC!
  3. Get the following details:
    • Tunnel configuration (OpenVPN, IPsec, QuickTun)
    • AS numbers

Tunnel Configuration

OpenVPN

Using the below as examples:

Own ASN: AS111111
Own IPv4 Space: 172.AA.AA.64/27
Own IPv6 Space: fdBB:BBBB:CCCC::/48
Own IPv4 If-Address: 172.AA.AA.65
Own IPv6 If-Address: fdBB:BBBB:CCCC::1

Peer OpenVPN Remote Address: 172.X.X.X  //that's the peers OpenVPN IF IP
Peer OpenVPN Remote Host: X.X.X.Y  //that's the peers clearnet IP
Peer OpenVPN IP for you: fdAA::BBB/64
Peer OpenVPN IP: fdAA::CC
Peer OpenVPN Port: 1194
Peer OpenVPN encryption: aes256
Peer ASN: AS222222
Peer BGP Neighbour IPv4: Z.Z.Z.Z
Peer BGP Neighbour IPv6: fdAA::CC

Copy OpenVPN key to the EdgeRouter

Copy the VPN key to /config/auth/SomeSharedKey.key:

sudo cat > /config/auth/SomeSharedKey.key

Paste the key in the terminal window, hit return once and kill cat with CTRL+C. Then type exit.

Create IPv4 OpenVPN Interface

Create the OpenVPN virtual interface, i.e. using vtun0:

configure
set interfaces openvpn vtun0
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 local-port 1194
set interfaces openvpn vtun0 remote-port 1194
set interfaces openvpn vtun0 local-address 172.AA.AA.65
set interfaces openvpn vtun0 remote-address 172.X.X.X
set interfaces openvpn vtun0 remote-host X.X.X.Y
set interfaces openvpn vtun0 shared-secret-key-file /config/auth/SomeSharedKey.key
set interfaces openvpn vtun0 encryption aes256

set interfaces openvpn vtun0 openvpn-option "--comp-lzo"  //if your peer support compression

commit
save
exit

The OpenVPN tunnel should now be up and running.

Check it with:

show interfaces openvpn
show interfaces openvpn detail
show openvpn status site-to-site

Create BGP Session

Open Firewall

You need to open the firewall to local for the tunnel Interface on port 179/tcp

Configure the BGP Neighbor

When entering AS numbers, do not include the "AS" prefix, i.e. enter AS111111 as just 111111.

Build the BGP session with your peer:

configure
set protocols bgp 111111 neighbor Z.Z.Z.Z remote-as 222222
set protocols bgp 111111 neighbor Z.Z.Z.Z soft-reconfiguration inbound
set protocols bgp 111111 neighbor Z.Z.Z.Z update-source 172.AA.AA.65
commit
save

Check that the BGP session has come up:

show ip bgp summary

Create Blackhole Route

so bgp can announce the route

set protocols static route 172.AA.AA.64/27 blackhole
commit
save

Announce Route to BGP

set protocols bgp 111111 network 172.A.A.64/27
commit
save
exit

You should now be able to see networks being advertised to your peer:

show ip bgp neighbors Z.Z.Z.Z advertised-routes

Set DNS Forwarding

Try to ping 172.23.0.53 (anycast DNS resolver). If you get a response then you are good to continue.

Add the DNS forwarder:

configure
set service dns forwarding options server=/23.172.in-addr.arpa/172.23.0.53
set service dns forwarding options server=/22.172.in-addr.arpa/172.23.0.53
set service dns forwarding options server=/dn42/172.23.0.53
commit
save
exit

Create NAT rule

set service nat rule 5013 outbound-interface vtun0
set service nat rule 5013 type masquerade
set service nat rule 5013 description "Masquerade for dn42"

You should now be able to access .dn42 domains.

Hosted by: BURBLE-MNT, GRMML-MNT, XUU-MNT, JAN-MNT, LARE-MNT, SARU-MNT, ANDROW-MNT, MARK22K-MNT | Accessible via: dn42, dn42.dev, dn42.eu, wiki.dn42.us, dn42.de (IPv6-only), dn42.cc (wiki-ng), dn42.wiki, dn42.pp.ua, dn42.obl.ong

Last edited by lare wiki-sync, 2023-04-28 22:58:11