不知道从哪看到的这么一个项目, 还挺好玩, 开个系列文章记录一下

Application

开始之前, 你需要根据如下地址的 WIKI, Fork 仓库并注册你的信息, 以下是我的申请, 仅供参考

MNT

mntner:             JERRITA-MNT
admin-c:            JERRITA-DN42
tech-c:             JERRITA-DN42
mnt-by:             JERRITA-MNT
auth:               pgp-fingerprint E358F19374E51CF327A411AA1849997FACD8B4B6
source:             DN42
Txt

ASN

aut-num:            AS4242421107
as-name:            MISAKI-NET
descr:              Jerrita's Main Network
admin-c:            JERRITA-DN42
tech-c:             JERRITA-DN42
mnt-by:             JERRITA-MNT
source:             DN42
Txt

DNS

domain:             saki.dn42
admin-c:            JERRITA-DN42
tech-c:             JERRITA-DN42
mnt-by:             JERRITA-MNT
nserver:            ns1.saki.dn42 172.22.183.98
nserver:            ns1.saki.dn42 fd93:b89c:b538:53::1
nserver:            ns2.saki.dn42 172.22.183.99
nserver:            ns2.saki.dn42 fd93:b89c:b538:53::2
source:             DN42
Txt

IPv4

inetnum:            172.22.183.96 - 172.22.183.127
cidr:               172.22.183.96/27
netname:            MISAKI-NET-IPV4
descr:              MISAKI-NET-IPV4
country:            CN
admin-c:            JERRITA-DN42
tech-c:             JERRITA-DN42
mnt-by:             JERRITA-MNT
nserver:            ns1.saki.dn42
nserver:            ns2.saki.dn42
status:             ASSIGNED
source:             DN42
Txt

IPv6

inet6num:           fd93:b89c:b538:0000:0000:0000:0000:0000 - fd93:b89c:b538:ffff:ffff:ffff:ffff:ffff
cidr:               fd93:b89c:b538::/48
netname:            MISAKI-NET-IPV6
descr:              MISAKI-NET-IPV6
country:            CN
admin-c:            JERRITA-DN42
tech-c:             JERRITA-DN42
mnt-by:             JERRITA-MNT
nserver:            ns1.saki.dn42
nserver:            ns2.saki.dn42
status:             ASSIGNED
source:             DN42
Txt

申请完之后 PR (记得 Squash ), 等合并后你就可以快乐开趴了

开始配置

首先你接入网络的机子要打开以下选项

echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
echo "net.ipv6.conf.default.forwarding=1" >> /etc/sysctl.conf
echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.conf
sysctl -p

echo "net.ipv4.conf.default.rp_filter=0" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.rp_filter=0" >> /etc/sysctl.conf
sysctl -p
Bash

如果你不止一台机子, 可能要做一下自己路由的规划, 记录方式随便, 固定好你路由的 ip 就行

JP-AWS         172.22.183.98   fd93:b89c:b538:2::1
US-CC          172.22.183.99   fd93:b89c:b538:3::1
SG-DO          172.22.183.100  fd93:b89c:b538:4::1

# CN Area
SH-TX          172.22.183.110  fd93:b89c:b538:1::1

# Endpoint
DHCP           xxxxx           xxxx
Txt

AS 内互联方案

在你的AS内, 你需要做一个内网, 你可以采用 RIP, OSPF 等方案, 也可以用一些其他工具组网

由于目前博主在考研, 时间不足, 就先用组网工具搭起来再说了, 下面提供两种参考

RIP 和 OSPF 等以后有精力了再补上

Nebula

这是我以前一直用的一种方案, 但还是有些麻烦

后面暂时换回了 Zerotier, 点点点真不错

等有空了把集群搞起来, 直接 kilo 一把梭

./nebula-cert ca \
    -groups server,edge,ix,client,dude \
    -ips 172.22.183.96/27 \
    -name "Misaki Network CA, DN42"
Bash
./nebula-cert sign -groups server,edge -ip 172.22.183.98/27 -name jp01.edge.saki
./nebula-cert sign -groups server,edge -ip 172.22.183.99/27 -name us01.edge.saki
./nebula-cert sign -groups server,edge -ip 172.22.183.100/27 -name sg01.edge.saki

./nebula-cert sign -groups server,edge -ip 172.22.183.110/27 -name sh01.edge.saki
./nebula-cert sign -groups server,client -ip 172.22.183.120/27 -name mac.cli.edge.saki
Bash
# Template Configure
pki:
   ca: /opt/dn42/nebula/ca.crt
   cert: /opt/dn42/conf/nebula/SVNAME.edge.saki
   key: /opt/dn42/conf/nebula/SVNAME.edge.saki
   
listen:
   host: 0.0.0.0
   port: 4242
   
static_host_map:
   "172.22.183.98": ["xxxx:4242"]
   
lighthouse:
   am_lighthouse: false
   interval: 60
   hosts:
     - "172.22.183.98"

punchy: true
punch_back: true
cipher: chachapoly
tun:
   dev: saki0
   drop_local_broadcast: false
   drop_multicast: false
   tx_queue: 500
   mtu: 1300
  routes:
    #- mtu: 8800
    #  route: 10.0.0.0/16
  unsafe_routes:
    #- route: 172.20.0.0/14
    #  via: 172.22.183.98
    #  mtu: 1300
    #  metric: 100
    
firewall:
  conntrack:
    tcp_timeout: 12m
    udp_timeout: 3m
    default_timeout: 10m
    max_connections: 100000
    
  outbound:
    - port: any
      proto: any
      host: any

  inbound:
    - port: any
      proto: any
      host: any
YAML

Zerotier

# Install
curl -s https://install.zerotier.com | sudo bash
# Moon 建立
cd /var/lib/zerotier-one
zerotier-idtool initmoon identity.public >> moon.json
# 填入你机器 IP 之后
zerotier-idtool genmoon moon.json
Bash
zerotier-cli join yournet
zerotier-cli orbit urorbit urorbit
zerotier-cli listpeers
Bash

Peer

好了, 现在你的内网已经整顿完成, 可以开始和别人 Peer 了, 在这里介绍用 WG Peer 的方式

  1. Gen key
wg genkey | tee privatekey | wg pubkey > publickey
Bash
  1. 和你的 Peer 协商好需要数据
  2. 一般情况配置模板如下
[Interface]
PrivateKey = <ur_privkey>
ListenPort = <ur_asn[:-5]>
Table = off
PostUp = ip addr add fe80::<ur_asn[:-4]>/64 dev %i
PostUp = ip addr add <ur_dn42_ip> peer <peer_dn42_ip> dev %i  # [1]
PostUp = sysctl -w net.ipv6.conf.%i.autoconf=0

[Peer]
PublicKey = <ur_peers_pubkey>
Endpoint = <ur_peers_endpoint>
AllowedIPs = 10.0.0.0/8, 172.20.0.0/14, 172.31.0.0/16, fd00::/8, fe80::/64
Bash
  • 1: 对方不支持 Multiprotocol BGP 则你需要 IPv4
  1. 提供一个模板, 一键 up
#!/bin/bash
filename="$(basename -- $1 .conf)"
systemctl enable wg-quick@$filename.service
service wg-quick@$filename start
Bash

BGP

好了现在你有了 Peer, 可以加入网络了, 但是需要先准备一些东西

  1. ROA Crontab
加就完事了, 以后解释
# crontab -e
*/15 * * * * curl -sfSLR -o /etc/bird/roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird2_4.conf && curl -sfSLR -o /etc/bird/roa_dn42_v6.conf https://dn42.burble.com/roa/dn42_roa_bird2_6.conf && /usr/sbin/birdc configure 1> /dev/null
Bash
  1. bird v2.0.8+

注意 ubuntu 直接 apt install bird2 的是 2.0.7, 没有 Extended next hop 选项

因此需要自己编译一次安装, 截止到写稿, 最新版是 2.0.10

wget https://bird.network.cz/download/bird-2.0.10.tar.gz
# configure make and install
Bash

之后去下面网址抄配置, 然后记得在默认模板里的如下位置插入 extended next hop on;

-----
template bgp dnpeers {
    local as OWNAS;
    path metric 1;

    ipv4 {
        extended next hop on;
        import filter {
          if is_valid_network() && !is_self_net() then {
            if (roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID) then {
              print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
              reject;
            } else accept;
          } else reject;
        };
-----
Bash
  1. /etc/bird/peers 里新建与你 peer 的 BGP Session
protocol bgp dn42_424242xxxx_v6 from dnpeers {
    neighbor fe80::xxxx % 'wg_424242xxxx' as 424242xxxx;
    direct;
}
Txt
  1. 基础命令
birdc c                     # 重载配置
birdc s p a                 # show protocol all
birdc s r for 172.22.0.53   # show route for
Bash

后记

好了, 如果前面几步都没出啥事的话, 现在你大概已经入网成功了

想和我 Peer? => Click

如果想有更好的体验, 你可以

  1. 将CA加入系统证书: https://dn42.eu/services/Certificate-Authority
  2. Dnsmasq: /dn42/172.20.0.53#53
  3. 和更多的人 Peer

然后一些大佬的公共服务

Reference

Last modification:December 16, 2022
© Allow specification reprint
如果觉得我的文章对你有用,请随意赞赏