
Freifunk-Potsdam/2021-ansible-gluon-test


FFP Gluon Test Gateway

Based on: https://git.bingo-ev.de/freifunk/ansible-ffin/-/tree/master

Configuration

  • Network: 10.22.8.0/21 (10.22.8.1 - 10.22.15.254 / 255.255.248.0)
  • Gateway IP: 10.22.8.1
  • Domain: "90"

Servers

  • chapek-9 (chapek-9.srv.0xef.de)
    • IPv4, IPv6 (only one /64)
    • hoster: Netcup
    • OS: Ubuntu 22.04 LTS
    • 2 CPUs (Cores)
    • 8GB RAM
    • sshd on port 2424, fingerprints:
      ED25519 SHA256:As2kvkR5hf+h4mMZx7kJT0OMmH05m5vG4vZ28t/Bk74
      RSA     SHA256:gkHMQMD5I4aKMCyz6y7WL3E6cC9lDby1FO/tmFG2eCM
      ECDSA   SHA256:VxjYhGMB4Bx2Tbkc+4qmUrSpWo8KWvQnXK3MvSb8jPo
      

Architecture

The architecture as far as I understand it:

Minimal Setup

  • interface: fastd90
    • ingress for clients/APs
    • port: udp/10090
  • interface: tunneldigger90
    • ingress for clients/APs
    • l2tp
  • interface: bat90
    • B.A.T.M.A.N batadv interface (server)
  • interface: br90
    • interface to bridge:
      • tunnels fastd90 and tunneldigger90 (ingress)
      • B.A.T.M.A.N server side bat90
    • services:
      • dhcp for clients, IPv4 and IPv6
      • optional:
        • bind for clients/APs name resolution and resolver
        • ntp for clients/APs

Domains

  • testing subnets, one per domain:
    • 10.22.8.0/21
    • 10.22.16.0/21
    • 10.22.24.0/21
  • values picked without further thinking
  • "90"
    • subnet: 10.22.8.0/21
    • gw ffp ip: 10.22.8.1
    • dhcp range: 10.22.9.0 - 10.22.10.255
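An added example, not part of the README or the Freifunk-Potsdam repository: it derives the host range and netmask of each domain's /21 with Python's ipaddress module and checks that the gateway address and the DHCP range actually fit inside the subnet. The DOMAINS table is constructed from the values above; the two other testing subnets have no gateway or range on this page, so only "90" is filled in.

```python
import ipaddress

# Constructed from the README's domain table (one /21 per domain).
DOMAINS = {
    "90": {
        "subnet": "10.22.8.0/21",
        "gateway": "10.22.8.1",
        "dhcp_range": ("10.22.9.0", "10.22.10.255"),
    },
}


def check_domain(subnet, gateway, dhcp_range):
    """Return the derived addressing facts for one domain plus a list of
    consistency problems (empty when gateway and DHCP range fit the subnet)."""
    problems = []
    try:
        net = ipaddress.ip_network(subnet, strict=True)
    except ValueError:
        # e.g. 10.22.9.0/21: host bits set, the prefix does not name a subnet
        net = ipaddress.ip_network(subnet, strict=False)
        problems.append(f"{subnet} has host bits set; the network is {net}")
    gw = ipaddress.ip_address(gateway)
    lo, hi = (ipaddress.ip_address(a) for a in dhcp_range)

    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    if lo not in net or hi not in net:
        problems.append(f"dhcp range {lo}-{hi} is not inside {net}")
    if lo > hi:
        problems.append(f"dhcp range start {lo} is after its end {hi}")
    if lo <= gw <= hi:
        problems.append(f"dhcp range {lo}-{hi} contains the gateway {gw}")

    return {
        "network": str(net),
        "netmask": str(net.netmask),
        "first_host": str(net[1]),     # first usable address, the gateway here
        "last_host": str(net[-2]),     # last usable address (before broadcast)
        "dhcp_leases": int(hi) - int(lo) + 1,
        "problems": problems,
    }


def check_all(domains=DOMAINS):
    """Run check_domain over every configured domain."""
    return {name: check_domain(**spec) for name, spec in domains.items()}


if __name__ == "__main__":
    for name, result in check_all().items():
        status = "ok" if not result["problems"] else "; ".join(result["problems"])
        print(f"domain {name}: {result['network']} "
              f"hosts {result['first_host']}-{result['last_host']} "
              f"mask {result['netmask']} dhcp leases {result['dhcp_leases']}: {status}")
```

The strict parse catches the common mistake of writing a host address where a network is expected; the last two checks are what a DHCP misconfiguration usually looks like in practice (range outside the subnet, or overlapping the gateway address).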

Ansible

Setup

  1. clone repository
  2. change into repository
  3. create a venv: python3 -m venv .venv
  4. activate venv: source .venv/bin/activate
  5. install poetry: pip install poetry
  6. install dependencies: poetry install
  7. install ansible dependencies: ansible-galaxy install -r requirements.yml
  8. run playbook: ansible-playbook -i hosts.yml cygnus-5.yml

Notes

  • hacked down playbook
  • ansible.builtin.copy should be replaced with ansible.builtin.template
  • most tasks should use roles

Manual installation

Packages to install

  • batctl (B.A.T.M.A.N)
  • bridge-utils (brctl command)
  • fastd (fastd legacy tunnel/vpn service), client/ap in
  • haveged (Entropy harvesting daemon, used by fastd?)

Network Interfaces

bat90

  • batadv interface
  • gw mode server

/etc/systemd/network/50-bat90.netdev:

[NetDev]
Description="BATMAN device for domain '90'"
Name=bat90
Kind=batadv

[BatmanAdvanced]
GatewayMode=server
GatewayBandwidthDown=100M
GatewayBandwidthUp=100M
RoutingAlgorithm=batman-iv

/etc/systemd/network/50-bat90.network:

[Match]
Name=bat90

[Network]
; bat90 is a port of the bridge br90. BatmanAdvanced= is only for hard
; interfaces that should join a batadv device; br90 is a bridge, so it is not used here.
Bridge=br90

br90

  • bridge interface where interfaces of domain 90 attach to
    • bat90
    • tunnel interfaces

/etc/systemd/network/50-br90.netdev:

[NetDev]
; attach batman and client tunnel endpoints here
Description="Bridge interface for domain '90'"
Name=br90
Kind=bridge

/etc/systemd/network/50-br90.network:

[Match]
Name=br90

[Network]
; 10.22.8.1 - 10.22.15.254
; 255.255.248.0
Address=10.22.8.1/21
Address=fd28:a735:685c::3c0e:ecff:fe29:4b62/64
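An added example, not code from the README or the repository: the four networkd files above rendered from a domain spec in Python, which is the per-domain templating the Notes section asks for (ansible.builtin.template instead of copied files). File names and sections follow the README's 50-bat90/50-br90 set; the domain number, gateway addresses and bandwidth values are the only parameters.

```python
from pathlib import Path


def _ini(sections):
    """Serialise [(section, [(key, value), ...]), ...] in networkd's INI style."""
    lines = []
    for name, items in sections:
        lines.append(f"[{name}]")
        lines.extend(f"{key}={value}" for key, value in items)
        lines.append("")
    return "\n".join(lines)


def networkd_files(domain, ipv4_cidr, ipv6_cidr, bw_down="100M", bw_up="100M"):
    """Return {filename: content} for the batadv device and bridge of one domain."""
    bat, br = f"bat{domain}", f"br{domain}"
    return {
        f"50-{bat}.netdev": _ini([
            ("NetDev", [
                ("Description", f"\"BATMAN device for domain '{domain}'\""),
                ("Name", bat),
                ("Kind", "batadv"),
            ]),
            ("BatmanAdvanced", [
                ("GatewayMode", "server"),
                ("GatewayBandwidthDown", bw_down),
                ("GatewayBandwidthUp", bw_up),
                ("RoutingAlgorithm", "batman-iv"),
            ]),
        ]),
        # bat<domain> joins the bridge as a port; the tunnel interfaces are
        # added to the same bridge by fastd's "on up" hook, not by networkd.
        f"50-{bat}.network": _ini([
            ("Match", [("Name", bat)]),
            ("Network", [("Bridge", br)]),
        ]),
        f"50-{br}.netdev": _ini([
            ("NetDev", [
                ("Description", f"\"Bridge interface for domain '{domain}'\""),
                ("Name", br),
                ("Kind", "bridge"),
            ]),
        ]),
        f"50-{br}.network": _ini([
            ("Match", [("Name", br)]),
            ("Network", [("Address", ipv4_cidr), ("Address", ipv6_cidr)]),
        ]),
    }


def write_files(files, directory):
    """Write the rendered files into directory (e.g. /etc/systemd/network)."""
    base = Path(directory)
    base.mkdir(parents=True, exist_ok=True)
    for name, content in files.items():
        (base / name).write_text(content)
    return sorted(files)


if __name__ == "__main__":
    # Domain "90" with the README's gateway addresses; printed, not written.
    rendered = networkd_files(
        "90", "10.22.8.1/21", "fd28:a735:685c::3c0e:ecff:fe29:4b62/64"
    )
    for name, content in rendered.items():
        print(f"# {name}\n{content}")
```

Rendering a second domain is a matter of calling networkd_files("91", ...) with its own /21; the output goes into /etc/systemd/network followed by networkctl reload.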

fastd tunnel/vpn

  • clients (APs) connect to it
  1. create keypair: fastd --generate-key
    • write the keys to the files secret.key and public.key (for example in /etc/fastd/90/keys/, the path the configuration below includes)
    • content: secret "<secret-key-here>"; / key "<public-key-here>";, note the trailing ;
    • 90 is the domain or name, so multiple instances can run
  2. create a dummy peer (or it won't start)
    • /etc/fastd/90/peers/dummy (the directory the configuration below includes peers from) with content: key "THIS-IS-A-DUMMY";
  3. create configuration file (/etc/fastd/90/fastd.conf):
    # Bind to a fixed address and port, IPv4 and IPv6
    bind <public-ipv4>:10090 interface "eth0";
    bind [<public-ipv6>]:10090 interface "eth0";
    
    # Set the user, fastd will work as
    user "nobody";
    
    # Set the interface name
    interface "fastd90";
    
    # Set the mode, the interface will work as
    mode tap;
    
    # Set the mtu of the interface
    mtu 1320;     # fine tuning needed, 1406
    
    # Set the methods (aes128-gcm preferred, salsa2012+umac preferred for nodes)
    method "aes128-gcm";
    method "salsa2012+umac";
    method "salsa2012+gmac";
    # "null" is neither encrypted nor authenticated: a peer that negotiates it gets a plaintext tunnel
    method "null";
    
    # Secret key generated by `fastd --generate-key`
    include "/etc/fastd/90/keys/secret.key";
    
    # Log everything to syslog
    #log to syslog level warn;
    log to stderr level info;
    
    # Hide IP addresses in log output
    #hide ip addresses yes;
    
    # Include peers (dummy only)
    include peers from "/etc/fastd/90/peers/";
    
    # Status Socket
    status socket "/run/fastd-90/fastd.sock";
    
    # accept any host: every peer key passes, fastd itself does no access control here
    on verify "
      exit 0
    ";
    
    # Configure a shell command that is run when fastd comes up
    on up "
      # Add fastd interface to bridge, then enable it
      ip link set dev $INTERFACE master br90 && ip link set dev $INTERFACE up
    ";
    
  4. enable and start: systemctl enable fastd@90, systemctl start fastd@90
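An added example, not from the README or the fastd project: a small parser for the statement/";" syntax of fastd.conf and the handful of checks a gateway operator wants before starting the instance (the unencrypted "null" method, the accept-everything verify hook, whether privileges are dropped). The sample configuration is the one above, embedded as a string so the check runs offline; include paths are only reported, and checked for existence only when the script is run on the gateway itself.

```python
import os
import re

# Constructed sample: the gateway fastd.conf from the README (placeholders kept).
SAMPLE_CONF = '''\
bind <public-ipv4>:10090 interface "eth0";
bind [<public-ipv6>]:10090 interface "eth0";
user "nobody";
interface "fastd90";
mode tap;
mtu 1320;     # fine tuning needed, 1406
method "aes128-gcm";
method "salsa2012+umac";
method "salsa2012+gmac";
method "null";
include "/etc/fastd/90/keys/secret.key";
#log to syslog level warn;
log to stderr level info;
include peers from "/etc/fastd/90/peers/";
status socket "/run/fastd-90/fastd.sock";
on verify "
  exit 0
";
on up "
  ip link set dev $INTERFACE master br90 && ip link set dev $INTERFACE up
";
'''


def split_statements(text):
    """Split fastd.conf into ';'-terminated statements, honouring quoted
    strings (which may span lines) and '#' comments outside quotes."""
    stmts, buf, in_quote, in_comment = [], [], False, False
    for ch in text:
        if in_comment:
            in_comment = ch != "\n"
            continue
        if ch == "#" and not in_quote:
            in_comment = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            stmts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    return [s for s in stmts if s]


def parse_fastd(text):
    """Reduce the statements to the settings the checks below look at."""
    conf = {"bind_ports": [], "methods": [], "includes": [], "peer_dirs": [],
            "user": None, "interface": None, "mode": None, "mtu": None,
            "verify": None, "up": None, "status_socket": None}
    for stmt in split_statements(text):
        words = re.findall(r'"[^"]*"|\S+', stmt)
        key, args = words[0], [w.strip('"') for w in words[1:]]
        if key == "bind":                      # bind <addr>:<port> ...
            conf["bind_ports"].append(int(args[0].rsplit(":", 1)[1]))
        elif key == "method":
            conf["methods"].append(args[0])
        elif key == "include" and args[0] == "peers":   # include peers from "<dir>"
            conf["peer_dirs"].append(args[2])
        elif key == "include":
            conf["includes"].append(args[0])
        elif key in ("user", "interface", "mode"):
            conf[key] = args[0]
        elif key == "mtu":
            conf["mtu"] = int(args[0])
        elif key == "on" and args[0] in ("verify", "up"):
            conf[args[0]] = args[1].strip()
        elif key == "status" and args[0] == "socket":
            conf["status_socket"] = args[1]
    return conf


def lint(conf):
    """Return operator-facing findings for the parsed configuration."""
    findings = []
    if "null" in conf["methods"]:
        findings.append('method "null" carries traffic without encryption or '
                        "authentication; a peer that negotiates it gets a plaintext tunnel")
    if conf["verify"] is not None and conf["verify"].split() == ["exit", "0"]:
        findings.append('on verify is "exit 0": every peer key is accepted, so access '
                        "control has to happen on the bridge/batman side")
    if conf["user"] in (None, "root"):
        findings.append("no unprivileged user configured; fastd keeps running as root")
    return findings


if __name__ == "__main__":
    conf = parse_fastd(SAMPLE_CONF)
    for finding in lint(conf):
        print("WARN:", finding)
    for path in conf["includes"] + conf["peer_dirs"]:
        print("include:", path, "exists" if os.path.exists(path) else "missing on this host")
```

The include and peer paths are the usual source of "it won't start" surprises: the dummy peer has to live in the directory named by include peers from, and the secret key where the include statement points.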

L2TP

TODO

dhcpd

  1. create /etc/dhcpd.conf:
    default-lease-time 1800;
    max-lease-time 43200;
    
    authoritative;
    
    subnet 10.22.8.0 netmask 255.255.248.0 {
      interface br90;
      range 10.22.9.0 10.22.10.255;
    
      option routers 10.22.8.1;
      option domain-name-servers 85.214.20.141, 80.67.169.40, 194.150.168.168;
    }
    
  2. check for the lease file:
    • ls /var/lib/dhcp/dhcpd.leases
    • if not exists: touch /var/lib/dhcp/dhcpd.leases && chown dhcp:dhcp /var/lib/dhcp/dhcpd.leases
  3. copy service file: cp /usr/lib/systemd/system/dhcpd4.service /etc/systemd/system/dhcpd4@.service
  4. adjust service file /etc/systemd/system/dhcpd4@.service (a template unit, %I is the interface given on the instance name):
    ...
    [Service]
    ...
    ExecStart=/usr/bin/dhcpd -4 -q -cf /etc/dhcpd.conf -pf /run/dhcpd4/dhcpd.pid %I
    ...
    
  5. start dhcpd: systemctl start dhcpd4@br90

References:

TODOs

  • Fix dhcp
  • adjust nftables
    • allow traffic on internal interfaces
    • nat for IPv4 traffic
  • L2TP
  • IPv6 (ULA?)
  • more services… (dns, ntp, gre, bird…)
