wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-09-03 10:33:13 +02:00
Code Issues Projects Releases Wiki Activity

Merge b7a7fd6b4f into 95cb34b8ba

Browse source
This commit is contained in:
Kirat Pandya 2017-07-15 12:34:39 +00:00 committed by GitHub
commit 6bb4ccdc09
5 changed files with 145 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
config.cfg
View file

@ -44,6 +44,12 @@ CA_PayloadIdentifier: "{{ 700000 | random | to_uuid | upper }}"
# Block traffic between connected clients
BetweenClients_DROP: Y
# ALPHA feature: Uncomment below to build EdgeMaxclient configuration. Note that this will break connectivity from other clients
# We recommend that you deploy a sepearate Algo server for each Edgerouter with only one client user defined.
# Set the lan subnet to the IP CIDR notation for the lan behind the router. This MUST not interest with the vpn_network set above
#edgemax_support: True
#edgemax_lan_subnet: 10.0.0.0/16
congrats:
common: |
"# Congratulations! #"

109
docs/client-edgemax.md Normal file
View file

@ -0,0 +1,109 @@
# Setting up an EdgeMax Client
Steps
1) Set up config.cfg
* one single user
* Uncomment ```edgemax_support``` and ```edgemax_lan_subnet``` and make sure the LAN subnet is correct and does not overlapt with ```vpn_network```
*
2) Copy over files to router and place them as follows. This will preserve the files if you upgrade the router image
* config/<ALGO_IP>/ipsec_<USER>.* /config/user-data
* config/<ALGO_IP>/pki/cacert.pem /config/auth/algo/cacerts/
* config/<ALGO_IP>/pki/certs/*.crt /config/auth/algo/certs/
* config/<ALGO_IP>/pki/private/<USER>.key /config/auth/algo/private/
3) SSH into the router and copy files from the config folder to the ipsec.d configuration folders. You will have to do this step every time you upgrade the router image.
* /config/auth/algo/cacerts/cacert.pem /etc/ipsec.d/cacerts
* /config/auth/algo/certs/* /etc/ipsec.d/certs
* /config/auth/algo/private/* /etc/ipsec.d/private (needs sudo)
4) Still on the router, edit /config/config.boot and add the following:
```
vpn {
ipsec {
auto-update 3600
auto-firewall-nat-exclude disable
include-ipsec-conf /config/user-data/ipsec_home.conf
include-ipsec-secrets /config/user-data/ipsec_home.secrets
logging {
log-level 2
log-modes net
}
}
}
```
5) ```sudo ipsec restart```
6) ```sudo ipsec statusall``` - At this point you should see a shunted connection in the output. If not, stop and verify the above steps. Proceeding without the shunted connection will break local routing if the tunnel fails to come up
```
Listening IP addresses:
<CLIENT_ISP_PUBLIC_IP>
<LAN_SUBNET_1>
<LAN_SUBNET_2>
Connections:
ikev2-<ALGO_IP>: %any...<ALGO_IP> IKEv2, dpddelay=35s
ikev2-<ALGO_IP>: local: [CN=home] uses public key authentication
ikev2-<ALGO_IP>: cert: "CN=home"
ikev2-<ALGO_IP>: remote: [<ALGO_IP>] uses public key authentication
ikev2-<ALGO_IP>: child: 10.0.0.0/16 === 0.0.0.0/0 TUNNEL, dpdaction=clear
lanbypass: %any...%any IKEv1
lanbypass: local: uses public key authentication
lanbypass: remote: uses public key authentication
lanbypass: child: 10.0.0.0/16 === 10.0.0.0/16 PASS
Shunted Connections:
lanbypass: 10.0.0.0/16 === 10.0.0.0/16 PASS
Security Associations (0 up, 0 connecting):
none
```
7) ```sudo ipsec up ikev2-<ALGO_IP>``` - the tunnel should come up
```
@ubnt:/$ sudo ipsec status
Shunted Connections:
lanbypass: 10.0.0.0/16 === 10.0.0.0/16 PASS
Security Associations (1 up, 0 connecting):
ikev2-<ALGO_IP>[1]: ESTABLISHED 11 minutes ago, 24.18.46.13[CN=home]...<ALGO_IP>[<ALGO_IP>]
ikev2-<ALGO_IP>{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: c5fbcf80_i cdffe66d_o
ikev2-<ALGO_IP>{1}: 10.0.0.0/16 === 0.0.0.0/0
```
8) Now, we need to make sure that packets meant to go into the tunnel are not modified by SNAT rules. Go to the web inteface and under Firewall/Nat > NAT, update the masquarade rule to only filter for Destination = ALGO_IP. Below it what it looks like in the config.boot file/UI tree. THe second rule below is an example of how you can exclude a client's traffic comeletely from the tunnel.
```
nat {
rule 5003 {
description "masquerade for WAN"
destination {
address <ALGO_IP>
}
log disable
outbound-interface eth0
protocol all
type masquerade
}
rule 5005 {
description "Masquerade for WAN - Xbox One"
destination {
}
log disable
outbound-interface eth0
protocol tcp
source {
address 10.0.0.35
}
type masquerade
}
}
```
9) You can try enabling ipsec hardware offload in the UI config tree under system. This seemsto be buggy and in some cases results in throughput lower than when offload is disabled - YMMV
```
offload {
hwnat disable
ipsec enable
ipv4 {
forwarding enable
gre disable
vlan enable
}
ipv6 {
forwarding enable
vlan enable
}
}
```

15
roles/vpn/templates/client_ipsec.conf.j2
View file

@ -24,5 +24,18 @@ conn ikev2-{{ IP_subject_alt_name }}
leftcert={{ item }}.crt
leftfirewall=yes
left=%defaultroute
{% if edgemax_support is defined and edgemax_lan_subnet is defined and edgemax_support == True %}
leftsubnet={{ edgemax_lan_subnet }}
auto=route
{% else %}
auto=add
{% endif %}
{% if edgemax_support is defined and edgemax_lan_subnet is defined and edgemax_support == True %}
conn lanbypass
leftsubnet={{ edgemax_lan_subnet }}
rightsubnet={{ edgemax_lan_subnet }}
type=passthrough
auto=route
{% endif %}

4
roles/vpn/templates/ipsec.conf.j2
View file

@ -34,5 +34,9 @@ conn %default
rightdns={% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% if ipv6_support is defined and ipv6_support == "yes" %},{% for host in dns_servers.ipv6 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %}
{% endif %}
{% if edgemax_support is defined and edgemax_lan_subnet is defined and edgemax_support == True %}
rightsubnet=0.0.0.0/0,::/0
{% endif %}
conn ikev2-pubkey
auto=add

12
roles/vpn/templates/rules.v4.j2
View file

@ -6,12 +6,18 @@
:POSTROUTING ACCEPT [0:0]
{% if max_mss is defined %}
-A FORWARD -s {{ vpn_network }} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss {{ max_mss }}
{% if edgemax_support is defined and edgemax_lan_subnet is defined and edgemax_support == True %}
-A FORWARD -s {{ edgemax_lan_subnet }} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss {{ max_mss }}
{% endif %}
{% endif %}
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s {{ vpn_network }} -m policy --pol none --dir out -j MASQUERADE
{% if edgemax_support is defined and edgemax_lan_subnet is defined and edgemax_support == True %}
-A POSTROUTING -s {{ edgemax_lan_subnet }} -m policy --pol none --dir out -j MASQUERADE
{% endif %}
COMMIT
*filter
:INPUT DROP [0:0]
@ -34,10 +40,16 @@ COMMIT
-A INPUT -d {{ local_service_ip }} -p tcp -m multiport --dport 8080,8118 -j ACCEPT
{% if BetweenClients_DROP is defined and BetweenClients_DROP == "Y" %}
-A FORWARD -s {{ vpn_network }} -d {{ vpn_network }} -j DROP
{% if edgemax_support is defined and edgemax_lan_subnet is defined and edgemax_support == True %}
-A FORWARD -s {{ edgemax_lan_subnet }} -d {{ edgemax_lan_subnet }} -j DROP
{% endif %}
{% endif %}
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp --dport 445 -j DROP
-A FORWARD -p udp -m multiport --ports 137,138 -j DROP
-A FORWARD -p tcp -m multiport --ports 137,139 -j DROP
-A FORWARD -m conntrack --ctstate NEW -s {{ vpn_network }} -m policy --pol ipsec --dir in -j ACCEPT
{% if edgemax_support is defined and edgemax_lan_subnet is defined and edgemax_support == True %}
-A FORWARD -m conntrack --ctstate NEW -s {{ edgemax_lan_subnet }} -m policy --pol ipsec --dir in -j ACCEPT
{% endif %}
COMMIT