vpn

WireGuard

Server

sudo apt install -y wireguard
 
cd /etc/wireguard
umask 077;
wg genkey | tee privatekey | wg pubkey > publickey
 
/etc/wireguard/wg0.conf
[Interface]
Address = 192.168.6.1/24
ListenPort = 1194
PrivateKey = qz3LQkTEA8tOJEORyUxT2w2SIwdXwCLcO7joKq58tUs=
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE     
 
[Peer]
PublicKey = wL+h2EqxaQpcWgwO8SIXPGqhHgssvj9xqjHAPjYLJ28=
AllowedIPs = 192.168.6.2/32
 
sudo ufw allow 1194/udp
sudo ufw status
 
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
sudo systemctl status wg-quick@wg0
 
# watch connections
watch -n1 wg

Client

Side2Side VPN connection between OpenStack VPNaaS and AVM Fritz!Box

FRITZBOX_WAN_IP=111.1.2.3
FRITZBOX_CIDR=192.168.178.0/24
PSK=PASS1234
 
openstack vpn ike policy create ikepolicy \
  --encryption-algorithm aes-256 \
  --auth-algorithm sha512 \
  --pfs group2
 
openstack vpn ipsec policy create ipsecpolicy \
  --encryption-algorithm aes-256 \
  --auth-algorithm sha512 \
  --pfs group2
 
ROUTER_ID=$(openstack router list -c ID -f value)
openstack vpn service create vpn \
  --router ${ROUTER_ID}
 
SUBNET_ID=$(openstack subnet list -c ID -f value)
openstack vpn endpoint group create ep_subnet \
  --type subnet \
  --value ${SUBNET_ID}
 
openstack vpn endpoint group create ep_cidr \
  --type cidr \
  --value ${FRITZBOX_CIDR}
 
openstack vpn ipsec site connection create conn \
  --vpnservice vpn \
  --ikepolicy ikepolicy \
  --ipsecpolicy ipsecpolicy \
  --peer-address ${FRITZBOX_WAN_IP} \
  --peer-id ${FRITZBOX_WAN_IP} \
  --psk ${PSK} \
  --local-endpoint-group ep_subnet \
  --peer-endpoint-group ep_cidr

Add ingress ssh security rule

openstack security group rule create default \
  --protocol tcp \
  --dst-port 22 \
  --remote-ip 192.168.178.0/24

Create S2S VPN connection on Fritz!Box

Site to Site IPSec VPN with strongSwan and OpenStack VPNaaS (IPsec)

Setup

# Left (Ubuntu client, behind NAT)
Ubuntu Client IP: 212.8.9.10
Ubuntu net: 192.168.178.0/24
 
# Right (OpenStack VPNaaS)
VPN_SERVICE_ID=$(openstack vpn service list -c ID -f value)
VPN_SERVICE_IP=$(openstack vpn service show ${VPN_SERVICE_ID} -c external_v4_ip -f value)
echo ${VPN_SERVICE_IP}
 
OpenStack VPN IP: 217.50.60.70
OpenStack Net: 10.0.1.0/24

Create OpenStack VPN endpoint
http://www.panticz.de/openstack/vpnaas

/etc/ipsec.secrets

217.50.60.70 : PSK "PASS1234"

/etc/ipsec.conf

config setup
 
conn vpn1
 keyexchange=ikev1
 left=%defaultroute
 leftid=212.8.9.10
 leftsubnet=192.168.178.0/24
 leftauth=psk
 leftfirewall=yes
 authby=psk
 auto=start
 ike=aes256-sha512-modp1024
 esp=aes256-sha512
 right=217.50.60.70
 rightsubnet=10.0.1.0/24
 rightauth=psk
 ikelifetime=3600s
 keylife=3600s
 type=tunnel

CLI

sudo ipsec status
sudo ipsec statusall
sudo ipsec restart
 
sudo ipsec up vpn1
sudo ipsec down vpn1
 
sudo ipsec listalgs

List

OpenStack Debug VPN connection

PROJECT_ID=9eaecf3b-0972-4166-806a-295f4e69fd3c
 
ROUTER_ID=$(openstack vpn service list --long -f json | jq -r ".[] | select(.Project == \"${PROJECT_ID}\").Router")
echo ${ROUTER_ID}
 
openstack port list --router ${ROUTER_ID} --device-owner network:ha_router_replicated_interface -c binding_host_id  -f value | sort -u
 
CONTROL_NODE=ewos1-ctl1-prod
ssh -t ${CONTROL_NODE} docker exec -u root -ti neutron_l3_agent bash
 
apt update
apt install -y vim
vi /var/lib/neutron/ipsec/${ROUTER_ID}/etc/strongswan.d/charon-logging.conf
 
charon {
    ...
    filelog {
        /var/log/vpn-debug-${ROUTER_ID}.log {
            append = no
            default = 2
            ike_name = yes
            time_add_ms = yes
            time_format = %b %e %T
        }
    }
    ...
}
 
 
ip netns exec qrouter-${ROUTER_ID} neutron-vpn-netns-wrapper \

OpenStack: VPNaaS (VPN)

openstack vpn service list
openstack vpn service list -c ID -f value | xargs -i openstack vpn service show {}
openstack vpn ipsec site connection list -c ID -f value | xargs -L1 openstack vpn ipsec site connection show

Check VPN peer address

PRIVATE_PEER_ADDRESSES=$(openstack vpn ipsec site connection list -c "Peer Address" -f value | egrep "^10.|^172.|^192.")
for PRIVATE_PEER_ADDRESSE in ${PRIVATE_PEER_ADDRESSES}; do
    echo "PRIVATE_PEER_ADDRESSES: ${PRIVATE_PEER_ADDRESSE}"
 
    CONNECTION_ID=$(openstack vpn ipsec site connection list | grep ${PRIVATE_PEER_ADDRESSE} | cut -d" " -f2)
    openstack vpn ipsec site connection show ${CONNECTION_ID}
 
    VPN_SERVICE_ID=$(openstack vpn ipsec site connection show ${CONNECTION_ID} -c "VPN Service" -f value)
    openstack vpn service show ${VPN_SERVICE_ID}
 
    PROJECT_ID=$(openstack vpn service show ${VPN_SERVICE_ID} -c project_id -f value)
    openstack project show ${PROJECT_ID}
done

Links
https://docs.openstack.org/neutron/rocky/admin/vpnaas-scenario.html

openconnect

echo pass1234 | openconnect --no-cert-check vpn.example.com --user foo

start-stop-daemon --start --make-pidfile --pidfile "${VPNPID}" \
--stderr "${VPNERRFILE}" --stdout "${VPNLOGFILE}" \
--background --exec /bin/bash \
-- -c "exec /usr/sbin/openconnect --pid-file=\"${VPNPID}\" ${!VPNOPTS} ${!SERVER} <<< \`echo \"${!PASSWORD}\"\`"

# Custom script
# cat /etc/vpnc/post-connect.d/route
#!/bin/bash

ip route del default
ip route add default via 10.0.17.254
ip route add 120.1.0.0/16 dev tun0 scope link

Install SSH VPN server

export CONTAINER=vpn

# create container
# TODO: configure MAC on create container
wget -q --no-check-certificate https://raw.githubusercontent.com/panticz/lxc/master/create.jessie.sh -O - | bash -s -- -f

# configure container MAC address
sed -i 's|lxc.network.hwaddr = .*|lxc.network.hwaddr = 00:11:22:33:44:5e|' /var/lib/lxc/${CONTAINER}/config

# enable autostart
echo "lxc.start.auto = 1" | tee -a /var/lib/lxc/${CONTAINER}/config

# configure container
##echo "lxc.hook.autodev=/var/lib/lxc/vpn/autodev" >> /var/lib/lxc/${CONTAINER}/config