
How To Peer

Preliminary

What you will need

  • A computer that runs 24/7 and wants to be, or is, a router.
    • a computer can act as a router if it has access to the internet and is a gateway for clients
  • OpenVPN, Tinc, GRE or SIT for the tunnel
  • quagga (preferably 0.99.x) or OpenBGPD as the routing suite for BGP
  • An internet connection
  • Netnumber
    • We have the AS Numbers: 64..
    • Your AS number is: 64600+n
    • Your own network is: 172.22.n.0/25
  • one or two first tunnel peers

Global steps

  1. Choose a network and an AS number
  2. Set up a tunnel to a peer
    1. Install openvpn
    2. Join the irc channel and make some peers/friends ;-)
    3. Configure the tunnel to your peer
  3. Setup BGP
    1. Setup your AS
    2. Configure your neighbor(s)
    3. Set up filters
    4. Set up as-path prepend (only for small uplink connections, to prevent becoming a transit)

1/ Choose network and AS number

  • Go to the Topology page and pick a network marked as free, or fill up a free range.
  • The AS number is 64600+n, where n is the third octet of your network 172.22.n.0/24
  • Example: network 172.22.32.0/24 has AS 64632
  • Subscribe to the mailinglist so that global changes can be communicated if needed.

2/ Set up a tunnel

  • Here are detailed installation steps for Linux (Debian + OpenVPN).
  • Here are detailed installation steps for FreeBSD (FreeBSD 8.0 + OpenVPN).
  • <add your platform here ;-)>

3/ Set up BGP

  • Here are detailed installation steps for Linux (Debian + Quagga).
  • Here are detailed installation steps for FreeBSD (FreeBSD 8.0 + Quagga).
  • <add your platform here ;-)>
  • Here are the general configuration steps for Quagga.

Tunnels

If two participants are not directly connected, then you have to use a virtual network via the tunnel. Please, use GRE or OpenVPN.

tinc

A howto for tinc is provided at the Tinc page.

OpenVPN P2P

Creating keys

One of the participants creates a static OpenVPN key for the tunnel; this example is for the tunnel between peers 16 and 104:

openvpn --genkey --secret dc16-dc104.key

This key has to be given to the other peer over a secure channel: it is a shared secret, and anyone holding it can join the tunnel.

Config

Example:

mode p2p                                       # peer-to-peer mode
remote shnifti.dyndns.org                      # peer address; can be (Dyn)DNS if the peer has no static IP
lport 2399                                     # local port
rport 2301                                     # remote port (must be the peer's lport)
proto udp                                      # ...via UDP
dev-type tun
dev tun                                        # interface name; Linux allows an individual name (e.g. tun16), otherwise tun
tun-ipv6                                       # we want to use IPv6 over the tunnel
comp-lzo                                       # compression
cd /usr/local/etc/openvpn                      # directory containing the key
secret dc16-dc104.key                          # filename of the shared key
user nobody                                    # user under which openvpn runs after startup
group nobody                                   # ...and group
persist-key                                    # keep the key across restarts (needed once privileges are dropped)
persist-tun                                    # keep the interface across restarts
status /var/log/openvpn-status-dc104.log
log-append /var/log/openvpn-dc104.log
verb 1                                         # verbosity
ifconfig 172.22.16.1 172.22.104.1              # addressing: 'ifconfig localip remoteip'

Peer configuration

mode p2p                                       # peer-to-peer mode
lport 2301                                     # local port (must be the other side's rport)
rport 2399                                     # remote port (must be the other side's lport)
dev-type tun
dev tun
tun-ipv6                                       # we want to use IPv6 over the tunnel
comp-lzo                                       # compression
cd /etc/openvpn                                # directory containing the key
secret dc16-dc104.key                          # filename of the shared key (the same file as on the other side)
user guest                                     # user under which openvpn runs after startup
group guest                                    # ...and group
persist-key                                    # keep the key across restarts (needed once privileges are dropped)
persist-tun                                    # keep the interface across restarts
status /var/log/openvpn_status_dc16-dc104.log
log-append /var/log/openvpn_dc16-dc104.log
verb 1                                         # verbosity
ifconfig 172.22.104.1 172.22.16.1              # addressing: 'ifconfig localip remoteip' (_in_ the tunnel!)

Now you have a working VPN tunnel; continue with the BGP configuration.

OpenVPN SSL-Server

An example configuration can be found here:  https://wiki.c3d2.de/C3D2VPN/Cthulhu (german)

using IPv6

With *BSD, everything works out of the box. On Linux, you have to do this yourself. Important: use a constant address, because it is configured in your bgpd.

FreeBSD:

ifconfig tun16 inet6 fe80::dead:beef add

Linux:

ip -6 addr add fe80::dead:beef dev tun16

IMPORTANT: every peer needs a unique address!

fe80:: addresses are, by the way, link-local addresses.

BGP-Peering

configuring zebra

zebra is the main interface between the kernel and the routing daemons (bgpd, ospfd, ripd, ...). You can also do all IP address configuration via zebra, although some people prefer the OS way instead of quagga.

A minimal /usr/local/etc/quagga/zebra.conf

hostname mycoolhostname
password secret

testing

starting the daemon:

zebra -df /usr/local/etc/quagga/zebra.conf

The daemon listens on a TCP port (2601) for its configuration terminal (vty), protected only by the password from the config file. You probably want to block connections to it from anything but the local host. Now you can test:

% telnet localhost 2601
Trying ::1...
Connected to localhost.
Escape character is '^]'.

Hello, this is Quagga (version 0.98.4).
Copyright 1996-2005 Kunihiro Ishiguro, et al.


User Access Verification

Password: 
ISP> sh
ISP> show int
ISP> show interface tun99
Interface tun99 is up, line protocol detection is disabled
  index 12 metric 1 mtu 1500 <UP,POINTOPOINT,RUNNING,MULTICAST>
  inet6 fe80::250:bfff:fe41:5e57/64 pointopoint ::
  inet 172.22.16.1/32 pointopoint 172.22.99.1
    input packets 371, bytes 59096, dropped 0, multicast packets 0
    input errors 0
    output packets 448, bytes 38804, multicast packets 4
    output errors 0
    collisions 0
ISP>
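As an added check for the point above (example code written for this page, not part of the wiki or of Quagga): the vty ports 2601 (zebra) and 2605 (bgpd) should be reachable from the local host only. The function below parses `ss -ltn` style output and reports vty listeners bound to anything other than a loopback address; the sample lines are constructed, not captured from a real router.

```python
"""Flag Quagga vty ports (zebra 2601, bgpd 2605) that listen beyond loopback.
Added example for the HowToPeer page; the sample `ss -ltn` output is constructed."""
import ipaddress

# Quagga vty TCP ports named on the page: zebra 2601, bgpd 2605
VTY_PORTS = {2601: "zebra", 2605: "bgpd"}

# Constructed sample: zebra bound to loopback only, bgpd bound to all addresses.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:2601       0.0.0.0:*
LISTEN  0       128     0.0.0.0:2605         0.0.0.0:*
LISTEN  0       128     [::1]:2601           [::]:*
LISTEN  0       128     [::]:2605            [::]:*
LISTEN  0       128     0.0.0.0:179          0.0.0.0:*
"""


def split_local(addr_port):
    """'[::1]:2601' -> ('::1', 2601); '0.0.0.0:2605' -> ('0.0.0.0', 2605)."""
    host, _, port = addr_port.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback_only(host):
    """True only for 127.x / ::1; '*' or the unspecified address means 'everyone'."""
    if host in ("*", ""):
        return False
    return ipaddress.ip_address(host).is_loopback


def exposed_vty_listeners(ss_output):
    """Return (daemon, host, port) for every vty socket not bound to loopback."""
    findings = []
    for line in ss_output.splitlines()[1:]:          # skip the header line
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, port = split_local(fields[3])
        if port in VTY_PORTS and not is_loopback_only(host):
            findings.append((VTY_PORTS[port], host, port))
    return findings


if __name__ == "__main__":
    for daemon, host, port in exposed_vty_listeners(SAMPLE_SS_OUTPUT):
        print(f"{daemon} vty reachable on {host}:{port} - restrict it to loopback")
```

On a live box, pipe the real `ss -ltn` output into `exposed_vty_listeners`. A finding is fixed by starting the daemon with its `-A 127.0.0.1` (`--vty_addr`) option so the vty binds to loopback, or by firewalling the port; the BGP port 179 itself is deliberately not flagged, since peers must reach it.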

bgpd configuration

bgpd exchanges routes with our neighbors.

A minimal /usr/local/etc/quagga/bgpd.conf

like in zebra:

hostname mycoolhostname-BGP
password secret

configuration

starting the daemon:

bgpd -df /usr/local/etc/quagga/bgpd.conf

This daemon listens on TCP port 2605.

% telnet ::1 2605
Trying ::1...
Connected to localhost.
Escape character is '^]'.

Hello, this is Quagga (version 0.98.4).
Copyright 1996-2005 Kunihiro Ishiguro, et al.


User Access Verification

Password: 
ISP-bgp>

bgpd configuration

To change settings, you have to enter the enable mode:

hostname-bgp> enable

Now the configuration:

hostname-bgp# configure terminal

Now create the BGP router using _YOUR_ ASN (64704 in this example; please adjust the example to your own ASN!):

hostname-bgp(config)# router bgp 64704

Every router needs a unique router-id. Please use one of your own private IP addresses.

hostname-bgp(config-router)# bgp router-id 172.22.104.1

Advertising our network:

hostname-bgp(config-router)# network 172.22.104.0/24

Configuring the ASN for our peer:

hostname-bgp(config-router)# neighbor 172.22.168.1 remote-as 64768

A custom description for this connection:

hostname-bgp(config-router)# neighbor 172.22.168.1 description <name of peer>

Optionally keep an unmodified copy of the routes received from this peer, so that changed filters can be re-applied without resetting the session:

hostname-bgp(config-router)# neighbor 172.22.168.1 soft-reconfiguration inbound

Apply the prefix-list 'dn42' to routes received from this peer (the list itself is defined in the prefix-lists section below):

hostname-bgp(config-router)# neighbor 172.22.168.1 prefix-list dn42 in

Leave the configure terminal:

hostname-bgp(config-router)# end

Save the config:

hostname-bgp# write file

IPv6: Configuring the ASN for our IPv6 peering:

hostname-bgp(config-router)# neighbor fe80::cafe:babe remote-as 64616

IPv6: Configuring the interface:

hostname-bgp(config-router)# neighbor fe80::cafe:babe interface tun16

IPv6: Another option for inbound connections:

hostname-bgp(config-router)# neighbor fe80::cafe:babe soft-reconfiguration inbound

IPv6: A custom description for this connection:

hostname-bgp(config-router)# neighbor fe80::cafe:babe description Astro

IPv6: Now activate the IPv6 peer configured above in the IPv6 address family and announce your own IPv6 prefix:

 address-family ipv6
 network 2001:6f8:13db:c3d2::/64
 neighbor fe80::cafe:babe activate
 neighbor fe80::cafe:babe soft-reconfiguration inbound
 exit-address-family

Save the configuration:

hostname-bgp# write file
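The interactive steps above, collected into the bgpd.conf that `write file` produces. This is an added example for this page, not the wiki's own file: the IPv6 network 2001:db8::/64 is a documentation-prefix placeholder for your own prefix, and the prefix-lists are the ones defined in the Advanced BGP configuration section.

```text
hostname mycoolhostname-BGP
password secret
!
router bgp 64704
 bgp router-id 172.22.104.1
 network 172.22.104.0/24
 neighbor 172.22.168.1 remote-as 64768
 neighbor 172.22.168.1 description <name of peer>
 neighbor 172.22.168.1 soft-reconfiguration inbound
 neighbor 172.22.168.1 prefix-list dn42 in
 neighbor fe80::cafe:babe remote-as 64616
 neighbor fe80::cafe:babe interface tun16
 neighbor fe80::cafe:babe description Astro
!
 address-family ipv6
 network 2001:db8::/64
 neighbor fe80::cafe:babe activate
 neighbor fe80::cafe:babe soft-reconfiguration inbound
 neighbor fe80::cafe:babe prefix-list vpn-in in
 exit-address-family
!
ip prefix-list dn42 seq 10 permit 172.22.0.0/15 ge 22 le 28
ip prefix-list dn42 seq 100 deny 0.0.0.0/0 le 32
!
ipv6 prefix-list vpn-in seq 10 permit 2000::/3 ge 16
ipv6 prefix-list vpn-in seq 100 deny ::/0 le 128
!
line vty
!
```

Both the IPv4 and the IPv6 neighbor carry an inbound prefix-list, so a peer can only inject routes that the filter section permits.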

Testing

Overview of the neighbors:

blackhole# show bgp neighbors
BGP neighbor is fe80::1337, remote AS 64708, local AS 64699, external link
 Description: nulli 
  BGP version 4, remote router ID 172.22.108.1
  BGP state = Established, up for 00:04:48
  Last read 00:00:48, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(old & new)
    Address family IPv4 Unicast: advertised and received
    Address family IPv6 Unicast: advertised and received
  Received 26 messages, 1 notifications, 0 in queue
  Sent 436 messages, 1 notifications, 0 in queue
  Route refresh request: received 1, sent 0
  Minimum time between advertisement runs is 30 seconds

 For address family: IPv4 Unicast
  Inbound soft reconfiguration allowed
  NEXT_HOP is always this router
  Community attribute sent to this neighbor(both)
  Inbound path policy configured
  Incoming update prefix filter list is *diac
  0 accepted prefixes

 For address family: IPv6 Unicast
  Inbound soft reconfiguration allowed
  Community attribute sent to this neighbor(both)
  0 accepted prefixes

  Connections established 3; dropped 2
  Last reset 00:05:07, due to BGP Notification received
Local host: fe80::2c0:26ff:fe88:3705, Local port: 63242
Foreign host: fe80::1337, Foreign port: 179
Nexthop: 172.22.99.1
Nexthop global: fe80::2c0:26ff:fe88:3705
Nexthop local: ::
BGP connection: shared network
Read thread: on  Write thread: off

Displaying the accepted IPv4 prefixes:

blackhole# show ip bgp
BGP table version is 0, local router ID is 172.22.99.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 172.22.2.0/25    172.22.12.1                            0 64612 64624 64602 i
*> 172.22.12.0/24   172.22.12.1              0             0 64612 i
*> 172.22.13.0/24   172.22.12.1                            0 64612 64613 i
*> 172.22.16.0/23   172.22.12.1                            0 64612 64624 64616 i
*> 172.22.20.0/23   172.22.12.1                            0 64612 64624 64620 i
*> 172.22.24.0/23   172.22.12.1                            0 64612 64624 i
*> 172.22.64.0/28   172.22.12.1                            0 64612 64664 i
*> 172.22.99.0/24   0.0.0.0                  0         32768 i
[...]

Displaying the accepted IPv6 prefixes:

blackhole# show ipv6 bgp
BGP table version is 0, local router ID is 172.22.99.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 2001:6f8:13db::/64
                    2001:6f8:13db::1
                                             0             0 64612 i
*> 2001:6f8:13db:2342::/64
                    2001:6f8:13db::1
                                                           0 64612 64664 i
*> 2001:6f8:13db:686d::/64
                    2001:6f8:13db::1
                                                           0 64612 64613 i
*> 2001:6f8:13db:686e::/64
                    2001:6f8:13db::1
                                                           0 64612 64613 i
*> 2001:6f8:13db:6f76::/64
                    2001:6f8:13db::1
                                             0             0 64612 i
*> 2001:6f8:13db:a587::/64
                    2001:6f8:13db::1
                                             0             0 64612 i
*> 2001:6f8:13db:c3d2::/64
                    ::                       0         32768 i
[...]

Save the configuration

write file

Testing

listing routes in Linux

IPv4

$ /sbin/ip r
217.160.179.1 dev eth0  scope link
172.23.32.1 dev dc32  proto kernel  scope link  src 172.22.24.1
172.22.12.1 dev dc12  proto kernel  scope link  src 172.22.24.1
172.22.16.1 via 172.22.25.1 dev sbz0  proto zebra  metric 10 equalize
172.22.20.1 dev dc20  proto kernel  scope link  src 172.22.24.1
172.22.26.2 dev dc26  proto kernel  scope link  src 172.22.24.1
172.22.2.22 dev dc2b  proto kernel  scope link  src 172.22.24.1
[...]

IPv6

$ /sbin/ip -6 r
2001:6f8:13db::/64 via fe80::51a9:b338:f7b7:3801 dev dc12  proto zebra  metric 1024  mtu 1460 advmss 1400
2001:6f8:13db:2342::/64 via fe80::51a9:b338:f7b7:3801 dev dc12  proto zebra  metric 1024  mtu 1460 advmss 1400
2001:6f8:13db:686d::/64 via fe80::51a9:b338:f7b7:3801 dev dc12  proto zebra  metric 1024  mtu 1460 advmss 1400
2001:6f8:13db:686e::/64 via fe80::51a9:b338:f7b7:3801 dev dc12  proto zebra  metric 1024  mtu 1460 advmss 1400
2001:6f8:13db:6f76::/64 via fe80::51a9:b338:f7b7:3801 dev dc12  proto zebra  metric 1024  mtu 1460 advmss 1400
2001:6f8:13db:a587::/64 via fe80::51a9:b338:f7b7:3801 dev dc12  proto zebra  metric 1024  mtu 1460 advmss 1400
2001:6f8:13db:c3d2::/64 via fe80::51a9:b338:f7b7:3801 dev dc12  proto zebra  metric 1024  mtu 1460 advmss 1400
[...]

listing routes in *BSD

% netstat -rn

or

% route show
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            213.187.72.7       UGS         0 29886839   tun0
10.0.0.1           10.0.0.2           UH          0       17 tun108
127.0.0.1          127.0.0.1          UH          2    18391    lo0
172.16/12          127.0.0.1          UG1B        0      168    lo0
172.22.2/25        172.22.12.1        UG1         0        0 vpndc1
172.22.12/24       172.22.12.1        UG1         0        0 vpndc1
[...]

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::/96                             ::1                           UGRS        lo0
::1                               ::1                           UH          lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
2000::/3                          vpndc12                       U1      vpndc12
2001:6f8:13db::/64                fe80::51a9:b338:f7b7:3801%vpndc12 UG1     vpndc12
2001:6f8:13db:2342::/64           fe80::51a9:b338:f7b7:3801%vpndc12 UG1     vpndc12
2001:6f8:13db:686d::/64           fe80::51a9:b338:f7b7:3801%vpndc12 UG1     vpndc12
2001:6f8:13db:686e::/64           fe80::51a9:b338:f7b7:3801%vpndc12 UG1     vpndc12
2001:6f8:13db:6f76::/64           fe80::51a9:b338:f7b7:3801%vpndc12 UG1     vpndc12
2001:6f8:13db:a587::/64           fe80::51a9:b338:f7b7:3801%vpndc12 UG1     vpndc12
2001:6f8:13db:c3d2::/64           link#1                        UC          rl0
2001:6f8:13db:c3d2::1             00:c0:26:88:37:05             UHL         lo0
[...]

Traceroute

via IPv4 to spaceboyz.net

% traceroute 172.22.24.1
traceroute to 172.22.24.1 (172.22.24.1), 64 hops max, 40 byte packets
 1  blackhole.hq.c3d2.de (172.22.99.1)  27.120 ms  27.658 ms  25.498 ms
 2  172.22.12.1 (172.22.12.1)  123.404 ms  117.183 ms  119.433 ms
 3  172.22.24.1 (172.22.24.1)  130.592 ms  147.204 ms  147.839 ms

via IPv6 to spaceboyz.net

% traceroute6 spaceboyz.net
traceroute6 to spaceboyz.net (2001:8d8:81:5c0::1) from 2001:6f8:13db:c3d2:290:4bff:fedc:634, 64 hops max, 12 byte packets
 1  2001:6f8:13db:c3d2::1  10.172 ms  4.405 ms  12.979 ms
 2  benkstein.net  97.529 ms  103.208 ms  98.485 ms
 3  sbz.n24.diac24.net  115.576 ms  151.346 ms  115.855 ms

the final script

openvpn --config .../dc16.conf            # start the tunnel
# remove unwanted dynamic IPv6 addresses from the tunnel interface here, if your OS added any
ifconfig tun16 inet6 fe80::dead:beef add  # static IPv6 address for the BGP session
zebra -df .../zebra.conf                  # start the routing daemons
bgpd -df .../bgpd.conf

echo "Here we go!"

Advanced BGP configuration

prefix-lists

We filter incoming routes, because not every peer should be able to use us as a relay or to announce prefixes that are not theirs. The filter has to be attached to the neighbor in both the router section and the address-family section:

 neighbor fe80::f00 prefix-list vpn-in in

These lists have to be created, too:

ip prefix-list dn42 seq 10 permit 172.22.0.0/15 ge 22 le 28
ip prefix-list dn42 seq 100 deny 0.0.0.0/0 le 32

This allows networks out of 172.22.0.0/15, but the announced prefix length must be between /22 and /28 (inclusive), so that on the one hand fragments that are too small get ignored, and on the other hand nobody can announce the whole net and take over all routes. Everything else is explicitly denied.

The IPv6 counterpart, the vpn-in list referenced above:

ipv6 prefix-list vpn-in seq 10 permit 2000::/3 ge 16
ipv6 prefix-list vpn-in seq 100 deny ::/0 le 128
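To see which announcements the two lists above actually let through, here is a small model of how a Quagga prefix-list is evaluated, written for this page (it is example code, not from the wiki or from Quagga): entries are tried in ascending sequence number, the first match decides, and a prefix matching no entry is denied. It generalizes the page's two lists to arbitrary `ge`/`le` entries; the announcements it is run against are constructed.

```python
"""Model of `ip prefix-list` evaluation, run against the page's dn42 and vpn-in lists.
Added example for the HowToPeer page; sample announcements are constructed."""
import ipaddress


def entry(seq, action, prefix, ge=None, le=None):
    """One `ip(v6) prefix-list NAME seq SEQ ACTION PREFIX [ge N] [le M]` line."""
    return {"seq": seq, "action": action,
            "net": ipaddress.ip_network(prefix), "ge": ge, "le": le}


def entry_matches(e, cand):
    """The candidate must lie inside the entry's prefix and its length must fall
    in [ge, le]; with neither ge nor le the length must equal the entry's own.
    A missing ge defaults to the entry's length, a missing le to the maximum."""
    net = e["net"]
    if cand.version != net.version or not cand.subnet_of(net):
        return False
    if e["ge"] is None and e["le"] is None:
        return cand.prefixlen == net.prefixlen
    lo = e["ge"] if e["ge"] is not None else net.prefixlen
    hi = e["le"] if e["le"] is not None else cand.max_prefixlen
    return lo <= cand.prefixlen <= hi


def evaluate(prefix_list, announced):
    """Return 'permit' or 'deny' for one announced prefix."""
    cand = ipaddress.ip_network(announced, strict=False)
    for e in sorted(prefix_list, key=lambda x: x["seq"]):
        if entry_matches(e, cand):
            return e["action"]
    return "deny"  # implicit deny at the end of every prefix-list


# The two lists from the page, as data.
DN42_V4 = [
    entry(10, "permit", "172.22.0.0/15", ge=22, le=28),
    entry(100, "deny", "0.0.0.0/0", le=32),
]
VPN_IN_V6 = [
    entry(10, "permit", "2000::/3", ge=16),
    entry(100, "deny", "::/0", le=128),
]


def check_announcements(prefix_list, announcements):
    """Map each announced prefix to the list's verdict."""
    return {p: evaluate(prefix_list, p) for p in announcements}


if __name__ == "__main__":
    # Constructed announcements: a normal dn42 /24, the whole /15 (would capture
    # every dn42 route), an over-specific /30, and a prefix outside dn42 entirely.
    samples = ["172.22.104.0/24", "172.22.0.0/15", "172.22.104.0/30", "10.0.0.0/8"]
    for p, verdict in check_announcements(DN42_V4, samples).items():
        print(f"{p:18} {verdict}")
```

The run shows the two failure modes the text describes being caught by the same entry: the /15 is inside the permitted range but too short, the /30 is too long, and both fall through to the explicit deny at seq 100.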

peer-groups

Peer-groups let you define a set of configuration lines once and apply them to several neighbors:

 neighbor diac peer-group
 neighbor diac soft-reconfiguration inbound
 neighbor diac prefix-list diac-in in
 neighbor diac prefix-list diac-out out
 neighbor hq peer-group
 neighbor hq soft-reconfiguration inbound
 neighbor hq prefix-list diac-in in
 neighbor hq prefix-list diac-out out
 neighbor fe80::ac14:6e01 remote-as 64794
 neighbor fe80::ac14:6e01 peer-group diac
 neighbor fe80::ac14:6e01 interface tun195
 neighbor fe80::dead:beef remote-as 64714
 neighbor fe80::dead:beef peer-group diac
 neighbor fe80::dead:beef interface tun114
 neighbor fe80::20f:66ff:fec8:6964 remote-as 64699
 neighbor fe80::20f:66ff:fec8:6964 peer-group hq
 neighbor fe80::20f:66ff:fec8:6964 interface rl0
 neighbor fe80::280:48ff:fec2:f2b5 remote-as 64699
 neighbor fe80::280:48ff:fec2:f2b5 peer-group hq
 neighbor fe80::280:48ff:fec2:f2b5 interface rl0
 
 address-family ipv6
 neighbor diac activate
 neighbor diac soft-reconfiguration inbound

 neighbor diac prefix-list diac-in in
 neighbor diac prefix-list diac-out out
 neighbor hq activate
 neighbor hq soft-reconfiguration inbound
 neighbor hq prefix-list diac-in in
 neighbor hq prefix-list diac-out out
 neighbor fe80::ac14:6e01 peer-group diac
 neighbor fe80::dead:beef peer-group diac
 neighbor fe80::20f:66ff:fec8:6964 peer-group hq
 neighbor fe80::280:48ff:fec2:f2b5 peer-group hq

original:  https://wiki.c3d2.de/C3D2VPN

Things to know

I've run into some trouble getting iBGP running in my AS. The problem was that the announced routes didn't get the nexthop of my main bgp router. By now, I use quagga 0.99.5 without the dn42 patch. Don't know if this problem occurs with that patch applied.

To solve the problem I added in the bgp config of the main router the following:

neighbor xx.xx.xx.xx next-hop-self
neighbor xx.xx.xx.xx update-source xxxx

Hope that helps anybody out there.

OpenBGPD

Sample bgpd.conf

AS 64825

router-id 172.22.225.1

network 172.22.225.0/24

dn42="{ 172.22.0.0/15, 195.160.168.0/23, 91.204.4.0/22, 193.43.220.0/23, 78.47.15.192/26, 194.150.169.96/28, 83.133.178.0/23 192.175.48.0/24 85.25.246.16/28 188.40.152.0/24 188.40.227.0/24 }"
freifunk="{ 10.0.0.0/8 }"
chaosvpn="{ 10.100.0.0/14 10.104.0.0/14 172.31.0.0/16 }"

group DN42 {
        softreconfig in  yes
        softreconfig out yes
        announce all
        neighbor 172.22.78.51 {
                remote-as 64677
                descr ichdasich
                local-address 172.22.78.52
        }
}

deny from any
# allow dn42 native networks
allow from group DN42 prefix { $dn42 $chaosvpn } prefixlen 18 - 28

# filter my subnets.
deny from group DN42 prefix 172.22.225.0/24 prefixlen 24 - 28

# allow dns anycast
allow from group DN42 prefix 172.22.0.53/32
# implement dn42 transit-as routing policy
match to group DN42 set prepend-self 6