warning
文章中可能会存在不严谨内容/小白理解/低级错误,若发现存在问题,请联系我,我会第一时间修改文章
安装必要服务#
# Install the WireGuard tools (wg, wg-quick). Run as root or via sudo.
apt install wireguard
隧道配置#
配置文件:vi /etc/wireguard/dn42-name.conf
[Interface]
# Replace with this node's own private key. It is a secret: never publish it and keep
# this .conf readable by root only (e.g. chmod 600 /etc/wireguard/dn42-name.conf).
PrivateKey = {privatekey}
# UDP port the remote peer connects to; the usual convention is 2 + the last four digits of the peer's ASN.
ListenPort = 20298
# wg-quick installs no routes for AllowedIPs; routing is left to BIRD.
Table = off
# Your own IPv6 link-local address on the tunnel.
PostUp = ip addr add fe80::3777/64 dev %i
# One IPv6 address taken from your DN42 allocation, assigned to this node.
PostUp = ip addr add fdbb:aee:d9bd::3/128 dev %i
# One IPv4 address taken from your DN42 allocation for this node; the address after
# "peer" is the remote side's DN42 IPv4 address (point-to-point link).
PostUp = ip addr add 172.22.107.3 peer 172.22.144.66 dev %i
# Disable IPv6 autoconfiguration (SLAAC) on the tunnel interface.
PostUp = sysctl -w net.ipv6.conf.%i.autoconf=0

[Peer]
# The remote peer's public key.
PublicKey = VEb26+sQAoP8+90rSwgS9AoaINyB/82OgBKVTeQB4C8=
# Optional pre-shared key: adds a symmetric secret on top of the key exchange.
# The value below is only the article's sample. Generate your own with `wg genpsk`,
# exchange it with the peer out of band, and never reuse a value that has been published.
# PresharedKey = JIeYOWxCP7cEVyHSaFgacs1anESdkawXFCIJcbEHGRc=
# The remote peer's public endpoint (host:port).
Endpoint = xxx.xxx.com:23777
# Cryptokey routing: packets arriving from this peer whose source address is outside
# these prefixes are dropped. fe80::/64 is included so the link-local BGP session
# configured later can pass through the tunnel.
AllowedIPs = 10.0.0.0/8, 172.20.0.0/14, 172.31.0.0/16, fd00::/8, fe80::/64
配置完成后启用隧道
- 启动隧道:
wg-quick up dn42-name
- 关闭隧道:
wg-quick down dn42-name
- 开机启动隧道:
systemctl enable wg-quick@dn42-name
- 停用开机启动:
systemctl disable wg-quick@dn42-name
bird配置#
建议使用BIRD V2配置你的隧道,V2与V1不兼容,DN42 WIKI上也有相关配置示例,可以直接复制粘贴
Debian中可以使用以下命令添加bird官方软件源安装
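# Add the upstream BIRD package repository on Debian.
# The signing key is fetched over TLS and stored in its own keyring that is bound to
# this one repository via signed-by, instead of being piped over plain HTTP into the
# deprecated apt-key (which would trust the key for every configured source).
# Before relying on it, compare the key's fingerprint with the one published by the
# BIRD project: <fingerprint from the project's website>.
apt-get install gnupg lsb-release
install -d -m 0755 /etc/apt/keyrings
wget -O - https://bird.network.cz/debian/apt.key | gpg --dearmor -o /etc/apt/keyrings/bird.gpg
echo "deb [signed-by=/etc/apt/keyrings/bird.gpg] https://bird.network.cz/debian/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/bird.list
apt-get update
apt-get install bird2
bird.conf#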
vi /etc/bird/bird.conf
# ---- Identity ---------------------------------------------------------------
define OWNAS = 4242423777;                    # your ASN
define OWNIP = 172.22.107.3;                  # IPv4 address for this node: pick one from your
                                              # DN42 allocation, not the first address of the block
define OWNIPv6 = fdbb:aee:d9bd::3;            # IPv6 address for this node, same rule as above
define OWNNET = 172.22.107.0/27;              # your DN42 IPv4 allocation
define OWNNETv6 = fdbb:aee:d9bd::/48;         # your DN42 IPv6 allocation
define OWNNETSET = [ 172.22.107.0/27+ ];      # the same block as a prefix set ("+" = the block and
                                              # every more-specific), used by is_self_net()
define OWNNETSETv6 = [ fdbb:aee:d9bd::/48+ ]; # same as above, IPv6

router id OWNIP;

protocol device {
  scan time 10;
}

# True when the route's prefix lies inside our own IPv4 allocation.
function is_self_net() {
  return net ~ OWNNETSET;
}

# True when the route's prefix lies inside our own IPv6 allocation.
function is_self_net_v6() {
  return net ~ OWNNETSETv6;
}

# IPv4 bogon filter: only prefixes inside the DN42 / ChaosVPN / neonetwork /
# Freifunk ranges, with the prefix lengths allowed per range, count as valid.
# Everything else (e.g. public-internet space leaked by a peer) is rejected by
# the BGP filters that call this function.
function is_valid_network() {
  return net ~ [
    172.20.0.0/14{21,29},   # dn42
    172.20.0.0/24{28,32},   # dn42 Anycast
    172.21.0.0/24{28,32},   # dn42 Anycast
    172.22.0.0/24{28,32},   # dn42 Anycast
    172.23.0.0/24{28,32},   # dn42 Anycast
    172.31.0.0/16+,         # ChaosVPN
    10.100.0.0/14+,         # ChaosVPN
    10.127.0.0/16{16,32},   # neonetwork
    10.0.0.0/8{15,24}       # Freifunk.net
  ];
}

# IPv6 bogon filter: only ULA space with prefix lengths 44..64 is valid.
function is_valid_network_v6() {
  return net ~ [
    fd00::/8{44,64}         # ULA address space as per RFC 4193
  ];
}

# Kernel table sync. Nothing is learned from the kernel; the static "reject"
# routes for our own blocks are kept out of it, and every other route is
# installed with our own DN42 address as the preferred source address.
protocol kernel {
  scan time 20;
  ipv6 {
    import none;
    export filter {
      if source = RTS_STATIC then reject;
      krt_prefsrc = OWNIPv6;
      accept;
    };
  };
};

protocol kernel {
  scan time 20;
  ipv4 {
    import none;
    export filter {
      if source = RTS_STATIC then reject;
      krt_prefsrc = OWNIP;
      accept;
    };
  };
}

# "reject" routes covering our whole allocations. They are what the eBGP export
# filter announces for our own space (source RTS_STATIC) and they never reach
# the kernel because of the kernel export filter above.
protocol static {
  route OWNNET reject;
  ipv4 {
    import all;
    export none;
  };
}

protocol static {
  route OWNNETv6 reject;
  ipv6 {
    import all;
    export none;
  };
}

include "rpki.conf";
include "ebgp.conf";
include "ospf.conf";
include "ibgp.conf";
rpki.conf#
vi /etc/bird/rpki.conf
# ROA tables filled from the DN42 RPKI validator; consulted by roa_check() in ebgp.conf.
roa4 table dn42_roa;
roa6 table dn42_roa_v6;

protocol rpki dn42_rpki_akix {
  roa4 { table dn42_roa; };
  roa6 { table dn42_roa_v6; };
  # Public RTR server for DN42 that a community member runs on the internet (thanks for sharing).
  # NOTE(review): no transport is configured, so the RTR session runs over plain TCP
  # without authentication; anyone able to tamper with that feed decides which routes
  # pass the ROA check in ebgp.conf. Prefer a validator you operate yourself, or an
  # authenticated transport if your BIRD build supports one.
  remote "rpki.akae.re" port 8082;
  # Timers in seconds: polling interval, retry delay after a failed connection, and
  # how long cached ROAs remain usable once the server stops answering.
  refresh 30;
  retry 5;
  expire 600;
}
ebgp.conf#
vi /etc/bird/ebgp.conf
# Template for eBGP sessions with DN42 peers (multiprotocol, IPv6 transport).
# Every session defined in peers/*.conf inherits these filters.
template bgp dnpeersmp6 {
  local as OWNAS;
  path metric 1;

  ipv4 {
    # Accept IPv4 routes whose next hop is an IPv6 address, since the session runs over IPv6.
    extended next hop on;
    # Import: only prefixes in DN42 space that are not our own, and only when the
    # origin AS (bgp_path.last) has a VALID ROA. "!= ROA_VALID" also rejects
    # ROA_UNKNOWN, i.e. prefixes for which no ROA exists at all.
    import filter {
      if is_valid_network() && !is_self_net() then {
        if (roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID) then {
          print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
          reject;
        }
        accept;
      }
      reject;
    };
    # Export: our own static routes and routes learned via BGP, DN42 space only.
    export filter {
      if is_valid_network() && source ~ [RTS_STATIC, RTS_BGP] then accept;
      reject;
    };
    # Cap on routes accepted from one peer; routes beyond it are discarded ("block"),
    # which bounds the damage a misconfigured or hostile peer can do by flooding routes.
    import limit 10000 action block;
  };

  ipv6 {
    # Same policy as the IPv4 channel, checked against the IPv6 ROA table.
    import filter {
      if is_valid_network_v6() && !is_self_net_v6() then {
        if (roa_check(dn42_roa_v6, net, bgp_path.last) != ROA_VALID) then {
          print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
          reject;
        }
        accept;
      }
      reject;
    };
    export filter {
      if is_valid_network_v6() && source ~ [RTS_STATIC, RTS_BGP] then accept;
      reject;
    };
    import limit 10000 action block;
  };
}

# One file per peer; peers/dn42_ASN10010.conf below is an example.
include "peers/*.conf";
ospf.conf#
vi /etc/bird/ospf.conf
# OSPFv3 between our own nodes. Only routes inside our own allocation that did
# not come from BGP are exchanged in either direction, so routes learned from
# peers never leak into OSPF.
protocol ospf v3 dn42_ospf_v4{
  ipv4 {
    import where is_self_net() && source != RTS_BGP;
    export where is_self_net() && source != RTS_BGP;
  };
  # Area and interface definitions live in /etc/bird/ospf/ (see ospf/conn.conf below).
  include "/etc/bird/ospf/*";
};

protocol ospf v3 dn42_ospf_v6{
  ipv6 {
    import where is_self_net_v6() && source != RTS_BGP;
    export where is_self_net_v6() && source != RTS_BGP;
  };
  include "/etc/bird/ospf/*";
};
ibgp.conf#
vi /etc/bird/ibgp.conf
# Template for iBGP sessions between our own nodes. Only BGP-learned routes in
# DN42 space are exchanged, excluding our own allocation (that is carried by
# OSPF instead). "next hop self" rewrites the next hop to this node so the iBGP
# neighbour can reach routes we learned over our eBGP tunnels.
template bgp ibgpeers {
  local as OWNAS;
  ipv4 {
    import where source = RTS_BGP && is_valid_network() && !is_self_net();
    export where source = RTS_BGP && is_valid_network() && !is_self_net();
    next hop self;
    # IPv6 next hops for IPv4 routes, as the session itself runs over IPv6.
    extended next hop;
  };
  ipv6 {
    import where source = RTS_BGP && is_valid_network_v6() && !is_self_net_v6();
    export where source = RTS_BGP && is_valid_network_v6() && !is_self_net_v6();
    next hop self;
  };
};

# One file per iBGP neighbour; ibgp/ibgp_jp.conf below is an example.
include "ibgp/*.conf";
ospf/conn.conf#
添加配置文件前,先确认已经创建好了dummy网卡、添加好对应的V4 V6地址,并启用网卡,如何创建请参见文末「常用命令」一节
vi /etc/bird/ospf/conn.conf
# OSPF backbone area. Before loading this file make sure the dummy interface exists,
# carries its DN42 IPv4/IPv6 addresses and is up (see the Network Config section).
area 0.0.0.0 {
  # The DN42 dummy interface. "stub": only its addresses are advertised, no
  # neighbours are sought on it.
  interface "dn42" {
    stub;
  };
  # WireGuard interface to the first node. Adjust cost to your network; it steers
  # iBGP internal path selection and is usually the ping RTT between the two nodes.
  interface "ibgp_jp" {
    cost 60;
    type ptp;
  };
  # WireGuard interface to the second node.
  interface "ibgp_us" {
    cost 181;                 # adjust to your network
    type ptp;
  };
  interface "ibgp_sg" {
    cost 137;
    type ptp;
  };
  # ...and so on for every further node.
};
ibgp/ibgp_jp.conf#
这里是你ibgp中各节点的配置文件,只拿一个来举例。有几个节点就创建几个配置文件
使用IPV4承载bgp无法支持多协议BGP,IPV4无法处理收到的IPV6路由信息。
建议全程使用IPV6来承载bgp协议
vi /etc/bird/ibgp/ibgp_jp.conf
# iBGP session to the "jp" node. 'dn42_ibgp_jp' is the name given to this session;
# ibgpeers is the template defined in ibgp.conf.
protocol bgp 'dn42_ibgp_jp' from ibgpeers{
  # Replace fdbb:aee:d9bd::2 with the DN42 IPv6 address assigned to the remote node.
  neighbor fdbb:aee:d9bd::2 as OWNAS;
}
peers/dn42_ASN10010.conf#
在这里配置你要peer的对端,有几个peer就创建几个配置文件
同样,使用IPV6承载bgp协议。
vi /etc/bird/peers/dn42_4242420298.conf
# eBGP session to one DN42 peer. dn42_ASN10010 is the name given to this session;
# dnpeersmp6 is the template from ebgp.conf, so its bogon/ROA filters and import
# limit apply here. Every file matched by peers/*.conf is loaded, so the file name
# only has to follow your own convention (the vi command above uses
# dn42_4242420298.conf while the section title says dn42_ASN10010.conf; both work).
protocol bgp dn42_ASN10010 from dnpeersmp6 {
  # fe80::298 is the peer's IPv6 link-local address, scoped with %'dn42-name' to
  # the WireGuard interface configured earlier; 4242420298 is the peer's ASN.
  neighbor fe80::298%'dn42-name' as 4242420298;
};
测试、启动bird2#
检查配置文件:birdc c check
应用配置文件:birdc c
查看当前的peer信息:birdc s p
peer状态:
Established:iBGP邻居会话正常建立
Active:正在尝试建立连接
Idle:会话未激活
Connect:正在连接中
查看ospf邻居信息:birdc show ospf neighbors
常用命令#
开启wg隧道:wg-quick up <隧道名>
关闭wg隧道:wg-quick down <隧道名>
开机自动启动wg隧道:systemctl enable wg-quick@<隧道名>
添加dummy网卡:ip link add <name> type dummy
在网卡上添加IP地址:ip addr add <IPv4或IPv6> dev <name>
启动网卡:ip link set dev <name> up