update documentation and configure BIRD better for WG
This commit is contained in:
parent
12ce80e381
commit
3fabf8c73e
@ -174,7 +174,7 @@ For options we expose here, for information see: https://bird.network.cz/?get_do
|
||||
* `bgp_rpki_expire`: How long to keep any records locally cached before they are deleted. Defaults to `172800` (2 days).
|
||||
* `bgp_rpki_known_hosts`: The file path for the SSH key `known_hosts` file to use when validating remote RPKI hosts. Defaults to `/etc/bird/rpki/known_hosts` (provided by Lixonet; don't change this unless you need to!).
|
||||
* `bgp_passwd_*`: The password for a specific BGP peer (i.e. `bgp_passwd_denco_mane_lixo`). If not specified, no password is used for the host.
|
||||
* `bgp_routes`: A comma-delimited list of routes to advertise over BGP. If not specified, no routes are propagated.
|
||||
* `bgp_routes`: A comma-delimited list of route prefixes (CIDR) to advertise to other BGP peers. If not specified, no routes are propagated.
|
||||
|
||||
#### BIND options
|
||||
|
||||
@ -186,10 +186,11 @@ These settings are optional, and are already defaulted to general network common
|
||||
|
||||
#### Wireguard options
|
||||
|
||||
Keep in mind that Wireguard is presently an auxilliary satellite connection point. Because of this, you shouldn't re-use any IP addresses related to WG. Consider planning a piece (/32, see `wg_prefix`) of your network (i.e. 172.31.y.z) where `y` is your first network number, i.e. `8` or `16` and `z` is an unused address and setting that to `wg_address`. This is generally only desired on "master" or globally-reachable/hosted nodes to construct an overlay VPN.
|
||||
Keep in mind that Wireguard is presently an auxilliary satellite connection point. Because of this, you shouldn't re-use any IP addresses related to WG. Consider planning a piece (/32, see `wg_prefix`) of your network (i.e. 172.31.1.z) where `z` is an unused address (or your ASN number, like 8, 16, so on) and setting that to `wg_address`. This is generally only desired on "master" or globally-reachable/hosted nodes to construct an overlay VPN. If a node is hosting WireGuard clients, they can send traffic into other nodes but likely won't receive any traffic back unless `wg_routes` is set correctly so BIRD can export peer addresses into the BGP routing framework.
|
||||
|
||||
* `wg_enabled`: Set to 1 to enable WireGuard. Defaults to 0/disabled.
|
||||
* `wg_key`: Required. The private key to use for the Wireguard peering point.
|
||||
* `wg_address`: Required. The address to assign to the Wireguard interface. Should be unique.
|
||||
* `wg_key`: Required if `wg_enabled`=1. The private key to use for the Wireguard peering point.
|
||||
* `wg_address`: Required if `wg_enabled`=1. The address to assign to the Wireguard interface. Should be unique.
|
||||
* `wg_prefix`: The prefix to assign to Wireguard, defaults to 32.
|
||||
* `wg_port`: Port for WireGuard to listen to connections on (UDP). Defaults to 51820.
|
||||
* `wg_routes`: A comma-delimited list of WireGuard route prefixes (CIDR) to advertise to other BGP peers. If not specified, no routes are propagated. If specified, only specific connected WireGuard peers added to the kernel routing table are advertised.
|
||||
|
@ -91,6 +91,13 @@ function is_own_route_v4()
|
||||
return false;
|
||||
}
|
||||
|
||||
function is_wireguard_route_v4()
|
||||
{
|
||||
{{ if len "${wg_routes:-}" }}{{ range "$wg_routes" | split "," }}if net ~ [ {{.}}+ ] then return true;
|
||||
{{ end }}{{ end }}
|
||||
return false;
|
||||
}
|
||||
|
||||
filter bgp_import_filter_v4
|
||||
{
|
||||
if source ~ [RTS_STATIC] then reject; # Reject our own routes
|
||||
@ -109,6 +116,17 @@ filter bgp_export_filter_v4
|
||||
reject; # Reject anything else (non-Lixonet)
|
||||
}
|
||||
|
||||
# In some cases, like WireGuard, we can be a peer to a client which is
|
||||
# available over another "adjacent" VPN layer. In these cases, allow
|
||||
# importing routes that are added to the kernel which fall under the
|
||||
# Wireguard layer
|
||||
filter kernel_import_filter_v4
|
||||
{
|
||||
if is_own_route_v4() then reject; # Reject unexpected routes
|
||||
if is_wireguard_route_v4() then accept; # Accept WireGuard routes
|
||||
reject; # Reject anything else
|
||||
}
|
||||
|
||||
filter kernel_export_filter_v4
|
||||
{
|
||||
#if is_own_route_v4() then reject; # Reject poisons
|
||||
@ -163,7 +181,7 @@ protocol kernel { # Primary routing table
|
||||
scan time 10; # Scan kernel routing table every 10 seconds
|
||||
ipv4 {
|
||||
table ${netname:-lixonet}_v4;
|
||||
import none; # Don't try to import any routes from the kernel
|
||||
import filter kernel_import_filter_v4; # Import anything we allow from the kernel
|
||||
export filter kernel_export_filter_v4; # Export everything we are told to the kernel
|
||||
};
|
||||
};
|
||||
|