不知道从哪看到的这么一个项目, 还挺好玩, 开个系列文章记录一下
Application
开始之前, 你需要根据如下地址的 WIKI, Fork 仓库并注册你的信息, 以下是我的申请, 仅供参考
MNT
mntner: JERRITA-MNT
admin-c: JERRITA-DN42
tech-c: JERRITA-DN42
mnt-by: JERRITA-MNT
auth: pgp-fingerprint E358F19374E51CF327A411AA1849997FACD8B4B6
source: DN42ASN
aut-num: AS4242421107
as-name: MISAKI-NET
descr: Jerrita's Main Network
admin-c: JERRITA-DN42
tech-c: JERRITA-DN42
mnt-by: JERRITA-MNT
source: DN42DNS
domain: saki.dn42
admin-c: JERRITA-DN42
tech-c: JERRITA-DN42
mnt-by: JERRITA-MNT
nserver: ns1.saki.dn42 172.22.183.98
nserver: ns1.saki.dn42 fd93:b89c:b538:53::1
nserver: ns2.saki.dn42 172.22.183.99
nserver: ns2.saki.dn42 fd93:b89c:b538:53::2
source: DN42IPv4
inetnum: 172.22.183.96 - 172.22.183.127
cidr: 172.22.183.96/27
netname: MISAKI-NET-IPV4
descr: MISAKI-NET-IPV4
country: CN
admin-c: JERRITA-DN42
tech-c: JERRITA-DN42
mnt-by: JERRITA-MNT
nserver: ns1.saki.dn42
nserver: ns2.saki.dn42
status: ASSIGNED
source: DN42IPv6
inet6num: fd93:b89c:b538:0000:0000:0000:0000:0000 - fd93:b89c:b538:ffff:ffff:ffff:ffff:ffff
cidr: fd93:b89c:b538::/48
netname: MISAKI-NET-IPV6
descr: MISAKI-NET-IPV6
country: CN
admin-c: JERRITA-DN42
tech-c: JERRITA-DN42
mnt-by: JERRITA-MNT
nserver: ns1.saki.dn42
nserver: ns2.saki.dn42
status: ASSIGNED
source: DN42申请完之后 PR (记得 Squash ), 等合并后你就可以快乐开趴了
开始配置
首先你接入网络的机子要打开以下选项
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
echo "net.ipv6.conf.default.forwarding=1" >> /etc/sysctl.conf
echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.conf
sysctl -p
echo "net.ipv4.conf.default.rp_filter=0" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.rp_filter=0" >> /etc/sysctl.conf
sysctl -p如果你不止一台机子, 可能要做一下自己路由的规划, 记录方式随便, 固定好你路由的 ip 就行
JP-AWS 172.22.183.98 fd93:b89c:b538:2::1
US-CC 172.22.183.99 fd93:b89c:b538:3::1
SG-DO 172.22.183.100 fd93:b89c:b538:4::1
# CN Area
SH-TX 172.22.183.110 fd93:b89c:b538:1::1
# Endpoint
DHCP xxxxx xxxxAS 内互联方案
在你的AS内, 你需要做一个内网, 你可以采用 RIP, OSPF 等方案, 也可以用一些其他工具组网
由于目前博主在考研, 时间不足, 就先用组网工具搭起来再说了, 下面提供两种参考
RIP 和 OSPF 等以后有精力了再补上
Nebula
这是我以前一直用的一种方案, 但还是有些麻烦
后面暂时换回了 Zerotier, 点点点真不错
等有空了把集群搞起来, 直接 kilo 一把梭
./nebula-cert ca \
-groups server,edge,ix,client,dude \
-ips 172.22.183.96/27 \
-name "Misaki Network CA, DN42"./nebula-cert sign -groups server,edge -ip 172.22.183.98/27 -name jp01.edge.saki
./nebula-cert sign -groups server,edge -ip 172.22.183.99/27 -name us01.edge.saki
./nebula-cert sign -groups server,edge -ip 172.22.183.100/27 -name sg01.edge.saki
./nebula-cert sign -groups server,edge -ip 172.22.183.110/27 -name sh01.edge.saki
./nebula-cert sign -groups server,client -ip 172.22.183.120/27 -name mac.cli.edge.saki# Template Configure
pki:
ca: /opt/dn42/nebula/ca.crt
cert: /opt/dn42/conf/nebula/SVNAME.edge.saki
key: /opt/dn42/conf/nebula/SVNAME.edge.saki
listen:
host: 0.0.0.0
port: 4242
static_host_map:
"172.22.183.98": ["xxxx:4242"]
lighthouse:
am_lighthouse: false
interval: 60
hosts:
- "172.22.183.98"
punchy: true
punch_back: true
cipher: chachapoly
tun:
dev: saki0
drop_local_broadcast: false
drop_multicast: false
tx_queue: 500
mtu: 1300
routes:
#- mtu: 8800
# route: 10.0.0.0/16
unsafe_routes:
#- route: 172.20.0.0/14
# via: 172.22.183.98
# mtu: 1300
# metric: 100
firewall:
conntrack:
tcp_timeout: 12m
udp_timeout: 3m
default_timeout: 10m
max_connections: 100000
outbound:
- port: any
proto: any
host: any
inbound:
- port: any
proto: any
host: anyZerotier
# Install
curl -s https://install.zerotier.com | sudo bash
# Moon 建立
cd /var/lib/zerotier-one
zerotier-idtool initmoon identity.public >> moon.json
# 填入你机器 IP 之后
zerotier-idtool genmoon moon.jsonzerotier-cli join yournet
zerotier-cli orbit urorbit urorbit
zerotier-cli listpeersPeer
好了, 现在你的内网已经整顿完成, 可以开始和别人 Peer 了, 在这里介绍用 WG Peer 的方式
- Gen key
wg genkey | tee privatekey | wg pubkey > publickey- 和你的 Peer 协商好需要数据
- 一般情况配置模板如下
[Interface]
PrivateKey = <ur_privkey>
ListenPort = <ur_asn[:-5]>
Table = off
PostUp = ip addr add fe80::<ur_asn[:-4]>/64 dev %i
PostUp = ip addr add <ur_dn42_ip> peer <peer_dn42_ip> dev %i # [1]
PostUp = sysctl -w net.ipv6.conf.%i.autoconf=0
[Peer]
PublicKey = <ur_peers_pubkey>
Endpoint = <ur_peers_endpoint>
AllowedIPs = 10.0.0.0/8, 172.20.0.0/14, 172.31.0.0/16, fd00::/8, fe80::/64- 1: 对方不支持 Multiprotocol BGP 则你需要 IPv4
- 提供一个模板, 一键 up
#!/bin/bash
filename="$(basename -- $1 .conf)"
systemctl enable wg-quick@$filename.service
service wg-quick@$filename startBGP
好了现在你有了 Peer, 可以加入网络了, 但是需要先准备一些东西
- ROA Crontab
加就完事了, 以后解释
# crontab -e
*/15 * * * * curl -sfSLR -o /etc/bird/roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird2_4.conf && curl -sfSLR -o /etc/bird/roa_dn42_v6.conf https://dn42.burble.com/roa/dn42_roa_bird2_6.conf && /usr/sbin/birdc configure 1> /dev/null- bird v2.0.8+
注意 ubuntu 直接 apt install bird2 的是 2.0.7, 没有 Extended next hop 选项
因此需要自己编译一次安装, 截止到写稿, 最新版是 2.0.10
wget https://bird.network.cz/download/bird-2.0.10.tar.gz
# configure make and install之后去下面网址抄配置, 然后记得在默认模板里的如下位置插入 extended next hop on;
-----
template bgp dnpeers {
local as OWNAS;
path metric 1;
ipv4 {
extended next hop on;
import filter {
if is_valid_network() && !is_self_net() then {
if (roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID) then {
print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
reject;
} else accept;
} else reject;
};
------ 在
/etc/bird/peers里新建与你 peer 的 BGP Session
protocol bgp dn42_424242xxxx_v6 from dnpeers {
neighbor fe80::xxxx % 'wg_424242xxxx' as 424242xxxx;
direct;
}- 基础命令
birdc c # 重载配置
birdc s p a # show protocol all
birdc s r for 172.22.0.53 # show route for后记
好了, 如果前面几步都没出啥事的话, 现在你大概已经入网成功了
想和我 Peer? => Click
如果想有更好的体验, 你可以
- 将CA加入系统证书: https://dn42.eu/services/Certificate-Authority
- Dnsmasq:
/dn42/172.20.0.53#53 - 和更多的人 Peer
然后一些大佬的公共服务