nigger/lixonet-ee
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

update documentation and configure BIRD better for WG

Browse Source
This commit is contained in:
Manevolent 2021-09-21 17:59:41 -06:00
parent 12ce80e381
commit 3fabf8c73e
No known key found for this signature in database
GPG Key ID: 2E9B7592DFA4F344
2 changed files with 24 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
README.md
View File

@ -174,7 +174,7 @@ For options we expose here, for information see: https://bird.network.cz/?get_do
* `bgp_rpki_expire`: How long to keep any records locally cached before they are deleted. Defaults to `172800` (2 days).
* `bgp_rpki_known_hosts`: The file path for the SSH key `known_hosts` file to use when validating remote RPKI hosts. Defaults to `/etc/bird/rpki/known_hosts` (provided by Lixonet; don't change this unless you need to!).
* `bgp_passwd_*`: The password for a specific BGP peer (i.e. `bgp_passwd_denco_mane_lixo`). If not specified, no password is used for the host.
* `bgp_routes`: A comma-delimited list of routes to advertise over BGP. If not specified, no routes are propagated.
* `bgp_routes`: A comma-delimited list of route prefixes (CIDR) to advertise to other BGP peers. If not specified, no routes are propagated.
#### BIND options
@ -186,10 +186,11 @@ These settings are optional, and are already defaulted to general network common
#### Wireguard options
Keep in mind that Wireguard is presently an auxilliary satellite connection point. Because of this, you shouldn't re-use any IP addresses related to WG. Consider planning a piece (/32, see `wg_prefix`) of your network (i.e. 172.31.y.z) where `y` is your first network number, i.e. `8` or `16` and `z` is an unused address and setting that to `wg_address`. This is generally only desired on "master" or globally-reachable/hosted nodes to construct an overlay VPN.
Keep in mind that Wireguard is presently an auxilliary satellite connection point. Because of this, you shouldn't re-use any IP addresses related to WG. Consider planning a piece (/32, see `wg_prefix`) of your network (i.e. 172.31.1.z) where `z` is an unused address (or your ASN number, like 8, 16, so on) and setting that to `wg_address`. This is generally only desired on "master" or globally-reachable/hosted nodes to construct an overlay VPN. If a node is hosting WireGuard clients, they can send traffic into other nodes but likely won't receive any traffic back unless `wg_routes` is set correctly so BIRD can export peer addresses into the BGP routing framework.
* `wg_enabled`: Set to 1 to enable WireGuard. Defaults to 0/disabled.
* `wg_key`: Required. The private key to use for the Wireguard peering point.
* `wg_address`: Required. The address to assign to the Wireguard interface. Should be unique.
* `wg_key`: Required if `wg_enabled`=1. The private key to use for the Wireguard peering point.
* `wg_address`: Required if `wg_enabled`=1. The address to assign to the Wireguard interface. Should be unique.
* `wg_prefix`: The prefix to assign to Wireguard, defaults to 32.
* `wg_port`: Port for WireGuard to listen to connections on (UDP). Defaults to 51820.
* `wg_routes`: A comma-delimited list of WireGuard route prefixes (CIDR) to advertise to other BGP peers. If not specified, no routes are propagated. If specified, only specific connected WireGuard peers added to the kernel routing table are advertised.

20
bird/bird.conf.tmpl
View File

@ -91,6 +91,13 @@ function is_own_route_v4()
return false;
}
function is_wireguard_route_v4()
{
{{ if len "${wg_routes:-}" }}{{ range "$wg_routes" | split "," }}if net ~ [ {{.}}+ ] then return true;
{{ end }}{{ end }}
return false;
}
filter bgp_import_filter_v4
{
if source ~ [RTS_STATIC] then reject; # Reject our own routes
@ -109,6 +116,17 @@ filter bgp_export_filter_v4
reject; # Reject anything else (non-Lixonet)
}
# In some cases, like WireGuard, we can be a peer to a client which is
# available over another "adjacent" VPN layer. In these cases, allow
# importing routes that are added to the kernel which fall under the
# Wireguard layer
filter kernel_import_filter_v4
{
if is_own_route_v4() then reject; # Reject unexpected routes
if is_wireguard_route_v4() then accept; # Accept WireGuard routes
reject; # Reject anything else
}
filter kernel_export_filter_v4
{
#if is_own_route_v4() then reject; # Reject poisons
@ -163,7 +181,7 @@ protocol kernel { # Primary routing table
scan time 10; # Scan kernel routing table every 10 seconds
ipv4 {
table ${netname:-lixonet}_v4;
import none; # Don't try to import any routes from the kernel
import filter kernel_import_filter_v4; # Import anything we allow from the kernel
export filter kernel_export_filter_v4; # Export everything we are told to the kernel
};
};