
mlvpn Documentation Release HEAD-44f8293


Contents

1. E build area base images for pbuilder amd64 do der config pbuilderre creat distribution wheezy architecture Sarch bas der config pbuilderre updat distribution wheezy architecture Sarch bas

2.3 Build packages

2.3.1 libsodium13 for wheezy

    dget -x http://ftp.fr.debian.org/debian/pool/main/libs/libsodium/libsodium_1.0.0-1.dsc
    cd libsodium_1.0.0
    for dist in wheezy; do
        for arch in amd64 i386; do
            DIST=$dist ARCH=$arch pdebuild --debbuildopts -b
        done
    done

2.3.2 mlvpn

    git clone git@github.com:zehome/MLVPN.git mlvpn
    cd mlvpn
    git checkout debian-unstable
    for dist in wheezy; do
        for arch in amd64 i386; do
            DIST=$dist ARCH=$arch git-buildpackage --git-builder="pdebuild --debbuildopts -b"
        done
    done

CHAPTER 3 Building mlvpn on OpenBSD

3.1 Installing requirements

    pkg_add git autoconf automake libev libsodium

3.2 Building mlvpn

    export AUTOCONF_VERSION=2.69
    export AUTOMAKE_VERSION=1.14
    export CPPFLAGS="-I/usr/local/include $CPPFLAGS"
    export LDFLAGS="-L/usr/local/lib $LDFLAGS"
    git clone https://github.com/zehome/MLVPN mlvpn
    cd mlvpn
    ./autogen.sh
    ./configure
    make

3.3 Configuration

Example configuration files for OpenBSD are located in examples/mlvpn_updown_openbsd.sh.
2. you should be able to ping 192.168.2.1 and 192.168.1.1.

You should be able to access the internet using both links. You can test it using standard routing.

Before we do anything (note: you may require installing iproute2):

    root@mlvpnclient:~# ip route show
    default via 192.168.1.1 dev eth0
    192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1
    192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2
    192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.2

This routing table means every packet to the internet will go thru 192.168.1.1. We can test it:

    root@mlvpnclient:~# ping -n -c2 -I192.168.1.2 ping.ovh.net
    PING ping.ovh.net (213.186.33.13) 56(84) bytes of data.
    64 bytes from 213.186.33.13: icmp_req=1 ttl=51 time=42.1 ms
    64 bytes from 213.186.33.13: icmp_req=2 ttl=51 time=41.7 ms

Ok, I started to use -I192.168.1.2 here. That's not mandatory in this example, but this will become handy later. It means we tell the ping command to use 192.168.1.2 as source ping.ovh.net.

Now we know our ADSL1 link is working properly. Testing the second link will need us to modify the routing table:

    root@mlvpnclient:~# ip route add 213.186.33.13 via 192
    root@mlvpnclient:~# ip route show
    default via 192.168.1.1 dev eth0
    213.186.33.13 via 192.168.2.2 dev eth0
    192.168.0.0/24 dev eth0 proto kernel scope link src
    192.168.1.0/24 dev eth0 proto kernel scope link src
    192.168.2.0/24 dev eth
3. mlvpn0.conf

I've made the configuration file as small as possible to have a good overview. Take a look at example config files for more details. (man mlvpn.conf can be useful.)

/etc/mlvpn/mlvpn0.conf:

    [general]
    statuscommand = "/etc/mlvpn/mlvpn0_updown.sh"
    tuntap = "tun"
    loglevel = 1
    mode = "client"
    interface_name = "mlvpn0"
    timeout = 30
    password = "pleasechangeme"

    [adsl1]
    bindhost = "192.168.1.2"
    remotehost = "128.128.128.128"
    remoteport = 5080
    bandwidth_upload = 61440

    [adsl2]
    bindhost = "192.168.2.2"
    remotehost = "128.128.128.128"
    remoteport = 5081
    bandwidth_upload = 61440

Little note: we are adding 10 ms of latency on adsl1 to match the latency of adsl2. This is a little trick to help mlvpn aggregation. (Latency must be matched.)

mlvpn0_updown.sh

This file MUST be chmod 700 (rwx------) and owned by root.

    chmod 700 /etc/mlvpn/mlvpn0_updown.sh
    chown root:root /etc/mlvpn/mlvpn0_updown.sh

Again, I stripped the script to the minimum.

/etc/mlvpn/mlvpn0_updown.sh:

    #!/bin/bash
    error=0; trap "error=$((error|1))" ERR
    tuntap_intf="$1"
    newstatus="$2"
    rtun="$3"
    [ -z "$newstatus" ] && exit 1
    if [ "$newstatus" = "tuntap_up" ]; then
        echo "$tuntap_intf setup"
        /sbin/ip link set dev $tuntap_intf mtu 1400 up
        /sbin/ip addr add 10.42.42.2/30 dev $tuntap_intf
        /sbin/route add proof.ovh.net gw 10.42.42.2
    elif [ "$ne
4. you need to create multiple routing tables in the kernel. It's better to name them, so you do it by modifying /etc/iproute2/rt_tables.

    root@mlvpnclient:~# echo 101 adsl1 >> /etc/iproute2/rt_tables
    root@mlvpnclient:~# echo 102 adsl2 >> /etc/iproute2/rt_tables

Your configuration file should now look like this:

    root@mlvpnclient:~# cat /etc/iproute2/rt_tables
    # reserved values
    255     local
    254     main
    253     default
    0       unspec
    # local
    #1      inr.ruhep
    101     adsl1
    102     adsl2

We have named two new routing tables, but we did not create them (the /etc/iproute2/rt_tables file is optional). We must add some routes to each table to activate them.

    # Inserting routes in the adsl1 table
    ip route add 192.168.1.0/24 dev eth0 scope link table adsl1
    ip route add default via 192.168.1.1 dev eth0 table adsl1

    # Inserting routes in the adsl2 table
    ip route add 192.168.2.0/24 dev eth0 scope link table adsl2
    ip route add default via 192.168.2.1 dev eth0 table adsl2

    # ip rule is the source routing magic. This will redirect
    # packets coming from source X to table adsl1, adsl2 or default.
    ip rule add from 192.168.1.0/24 table adsl1
    ip rule add from 192.168.2.0/24 table adsl2

(I've stripped root@machine:~# for you, so you can copy paste.)

1.4.3 Testing

First, show me your configuration! The first thing you should always do is d
5. Hey, that's working fine!

1.4.4 Scripting for startup

On Debian GNU/Linux that's pretty easy: just copy this script to /usr/local/sbin/source_routing:

    #!/bin/sh
    # Inserting routes in the adsl1 table
    /sbin/ip route add 192.168.1.0/24 dev eth0 scope link table adsl1
    /sbin/ip route add default via 192.168.1.1 dev eth0 table adsl1

    # Inserting routes in the adsl2 table
    /sbin/ip route add 192.168.2.0/24 dev eth0 scope link table adsl2
    /sbin/ip route add default via 192.168.2.1 dev eth0 table adsl2

    # ip rule is the source routing magic. This will redirect
    # packets coming from source X to table adsl1, adsl2 or default.
    /sbin/ip rule add from 192.168.1.0/24 table adsl1
    /sbin/ip rule add from 192.168.2.0/24 table adsl2

Verify permissions:

    chmod +x /usr/local/sbin/source_routing

You can use post-up scripts of /etc/network/interfaces to run this script.

/etc/network/interfaces:

    auto eth0
    iface eth0 inet static
        address 192.168.0.1
        netmask 255.255.255.0
        post-up /usr/local/sbin/source_routing

    auto eth0:adsl1
    iface eth0:adsl1 inet static
        address 192.168.1.2
        netmask 255.255.255.0
        gateway 192.168.1.1

    auto eth0:adsl2
    iface eth0:adsl2 inet static
        address 192.168.2.2
        netmask 255.255.255.0

Don't forget to execute the script once by hand, or thru service networking restart.

1.5 Configuring MLVPN

MLVPN has two configuration files on each side.

1.5.1 Client side
6. 0 proto kernel scope link src address of the packets we are sending to 168 2 1 192 168 0 1 19216812 192 168 242

Notice the new 213.186.33.13 (ping.ovh.net) added to the routing table. Again, we can test the link:

    root@mlvpnclient:~# ping -n -c2 -I192.168.2.2 ping.ovh.net
    PING ping.ovh.net (213.186.33.13) 56(84) bytes of data.
    64 bytes from 213.186.33.13: icmp_req=1 ttl=51 time=62.4 ms
    64 bytes from 213.186.33.13: icmp_req=2 ttl=51 time=61.1 ms

Notice that we changed the source address, and the latency is higher on ADSL2 by 20ms. Everything is fine, let's clean up the routing table:

    root@mlvpnclient:~# ip route del 213.186.33.13

1.4 Configuring the source routing

1.4.1 Concepts

Now you have two internet access, one fast internet access on the server side, but you have only one IP address on this server. How can you use your multiple ADSL links at the same time? That's fairly simple, but a bit complicated to set up. It's called source routing. Source routing means the kernel will take the decision to route a packet not only based on its destination (like we have done just before), but also from where it came. In our example, we want a packet coming from 192.168.2.2 to go thru ADSL 2 and a packet from 192.168.1.2 to go thru ADSL1. Simple, yah?

1.4.2 Let's configure it

First
7. CHAPTER 4 Copyright

MLVPN User Manual by Laurent Coustet

Copyright © 2011-2015 Laurent Coustet. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

• Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
• Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
• Neither the name of Laurent COUSTET nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENC
8. E OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

CHAPTER 5 Indices and tables

• search
9.
    ING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
    elif [ "$newstatus" = "tuntap_down" ]; then
        /sbin/ip route del 192.168.0.0/24 via 10.42.42.2
        /sbin/iptables -t nat -D POSTROUTING -o eth0 -s 10.42.42.0/30 -j MASQUERADE
        /sbin/iptables -t nat -D POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
    fi >> /var/log/mlvpn_commands.log 2>&1
    # exit with the status collected by the ERR trap
    exit $error

1.6 Testing

Double check permissions of /etc/mlvpn/*.sh (chmod 700, owned by root).

Don't forget to accept UDP 5080 and 5081 on your firewall, server side:

    root@server:~# iptables -I INPUT -i eth0 -p udp --dport 5080 -s ADSL1_PUBLICIP -j ACCEPT
    root@server:~# iptables -I INPUT -i eth0 -p udp --dport 5081 -s ADSL2_PUBLICIP -j ACCEPT

Start mlvpn on server side manually:

    root@server:~# mlvpn --user mlvpn -c /etc/mlvpn/mlvpn0.conf

Start mlvpn on client side manually:

    root@client:~# mlvpn --user mlvpn -c /etc/mlvpn/mlvpn0.conf

Check logfiles on client:

    root@client:~# cat /var/log/mlvpn_commands.log
    mlvpn0 setup
    rtun adsl1 is up
    rtun adsl2 is up

Seems good. Let's test the ICMP echo reply (ping).

    # Testing connectivity to the server (tunnel address space)
    root@client:~# ping -n -c2 -I10.42.42.2 10.42.42.1
    # Testing connectivity to the server (LAN address space)
    root@client:~# ping -n -c1 -I192.168.0.1 10.42.42.1
    # Testing connectivi
10. ave a way to communicate from one end to the other using multiple links, in order to aggregate them.

1.2 Example case

[Network diagram: the MLVPN server (128.128.128.128, fast internet, mlvpn0 10.42.42.1) is reached through two aggregated links, ADSL 1 (192.168.1.1/24, internet 1) and ADSL 2 (192.168.2.1/24, internet 2), by the MLVPN client (mlvpn0 10.42.42.2, eth0 192.168.0.1), which serves the LAN 192.168.0.0/24.]

In this setup, we have multiple machines:

• MLVPN server, which has a fast internet connection (100Mbps)
    Public IP address 128.128.128.128/32
    Private mlvpn IP address 10.42.42.1/30
• ADSL 1 router
    Local IP address 192.168.1.1/24
• ADSL 2 router
    Local IP address 192.168.2.1/24
• And finally our MLVPN client router
    Private IP address 192.168.1.2/24 to join ADSL1
    Private IP address 192.168.2.2/24 to join ADSL2
    Private IP address 192.168.0.1/24 for LAN clients
    Private IP address 10.42.42.2/30 on mlvpn0

Local area network where your standard clients are on: 192.168.0.0/24.

Yeah, seems a bit complicated, but that's not that hard after all: we just have 4 routers.

1.3 Testing the basic configuration

At this time, from MLVPN client
11. isplaying ip rules. Which routing table will be used, and when? Please note rules are applied in order, from 0 to 32767.

    root@mlvpnclient:~# ip rule list
    0:      from all lookup local
    32764:  from 192.168.1.0/24 lookup adsl1
    32765:  from 192.168.2.0/24 lookup adsl2
    32766:  from all lookup main
    32767:  from all lookup default

Then the routing tables:

    root@mlvpnclient:~# ip route show table adsl1
    192.168.1.0/24 dev eth0 scope link
    default via 192.168.1.1 dev eth0

    root@mlvpnclient:~# ip route show table adsl2
    192.168.2.0/24 dev eth0 scope link
    default via 192.168.2.1 dev eth0

    root@mlvpnclient:~# ip route show table main
    default via 192.168.1.1 dev eth0
    213.186.33.13 via 192.168.2.2 dev eth0
    192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1
    192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2
    192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.2

Ping test:

    root@mlvpnclient:~# ping -c2 -n -I192.168.1.1 ping.ovh.net
    PING ping.ovh.net (213.186.33.13) 56(84) bytes of data.
    64 bytes from 213.186.33.13: icmp_req=1 ttl=51 time=40.6 ms
    64 bytes from 213.186.33.13: icmp_req=2 ttl=51 time=41.5 ms

    root@mlvpnclient:~# ping -c2 -n -I192.168.2.1 ping.ovh.net
    PING ping.ovh.net (213.186.33.13) 56(84) bytes of data.
    64 bytes from 213.186.33.13: icmp_req=1 ttl=51 time=62.0 ms
    64 bytes from 213.186.33.13: icmp_req=2 ttl=51 time=64.1 ms
12. mlvpn Documentation
Release HEAD-44f8293-dirty

Laurent COUSTET

March 01, 2015

Contents

1 Configuring Linux routing for use with multi-link MLVPN
    1.1 Introduction
    1.2 Example case
    1.3 Testing the basic configuration
    1.4 Configuring the source routing
    1.5 Configuring MLVPN
    1.6 Testing
2 Building debian packages for mlvpn
    2.1 Requirements
    2.2 Prepare build environments
    2.3 Build packages
3 Building mlvpn on OpenBSD
    3.1 Installing requirements
    3.2 Building mlvpn
    3.3 Configuration
4 Copyright
5 Indices and tables

The official website is http://www.mlvpn.fr

MLVPN is Open Source, and licensed under the BSD License. Source code is available on github: https://github.com/zehome/MLVPN

CHAPTER 1 Configuring Linux routing for use with multi-link MLVPN

1.1 Introduction

This short guide will try to help you configure linux for multi-link routing. MLVPN will need to h
13.
    ty to the internet
    root@client:~# ping -n -c1 -I192.168.0.1 proof.ovh.net
    # Download speed testing
    root@client:~# wget -O /dev/null http://proof.ovh.net/files/10Gio.dat

CHAPTER 2 Building debian packages for mlvpn

2.1 Requirements

    sudo apt-get install pbuilder cowbuilder git-buildpackage

2.2 Prepare build environments

2.2.1 Configure pbuilder

pbuilderrc Template loose do not specify if f debian c z SA z SD i PDEBUILD_PBUILDE DEBBUILDOPTS d ARCHITECTURE S A BUILDRESULT bu IRRORSITE http ly taken from http www kirya net articles build i386 packages on amd64 variables when running cowbuilder create or updat hangelog then RCH 6 ARCH dpkg print architecture IST amp amp DIST dpkg parsechangelog sed n s Distribution p R cowbuilder build basepath var cache pbuilder base S DIST _S ARCH cow S OPTS RCH ild area ftp fr debian org debian EXTRAPACKAGES EXTRAPACKAGES lintian apt utils AUTO_DEBSIGN yes HOOKDIR S HOME pbuilder hooks PKGNAME_LOGFILE Allow a local OTHERMIRROR deb BINDMOUNTS S HO 2 2 2 Generate for arch in i386 sudo cowbuil sudo cowbuil done EXTENTION _ ARCH build repository for external backported dependencies trusted yes file S HOME build area
14.
    wstatus" = "tuntap_down" ]; then
        echo "$tuntap_intf shutdown"
        /sbin/route del proof.ovh.net gw 10.42.42.2
    elif [ "$newstatus" = "rtun_up" ]; then
        echo "rtun ${rtun} is up"
    elif [ "$newstatus" = "rtun_down" ]; then
        echo "rtun ${rtun} is down"
    fi >> /var/log/mlvpn_commands.log 2>&1
    # exit with the status collected by the ERR trap
    exit $error

Again, ensure permissions are correct, or mlvpn will NOT execute the script.

1.5.2 Server side

mlvpn0.conf

    [general]
    statuscommand = "/etc/mlvpn/mlvpn0_updown.sh"
    tuntap = "tun"
    loglevel = 1
    mode = "server"
    interface_name = "mlvpn0"
    timeout = 30
    password = "pleasechangeme"

    [adsl1]
    bindport = 5080
    bandwidth_upload = 512000

    [adsl2]
    bindport = 5081
    bandwidth_upload = 512000

mlvpn0_updown.sh

    #!/bin/bash
    error=0; trap "error=$((error|1))" ERR
    tuntap_intf="$1"
    newstatus="$2"
    rtun="$3"
    [ -z "$newstatus" ] && exit 1
    if [ "$newstatus" = "tuntap_up" ]; then
        echo "$tuntap_intf setup"
        /sbin/ip link set dev $tuntap_intf mtu 1400 up
        /sbin/ip addr add 10.42.42.1/30 dev $tuntap_intf
        # NAT thru our server (eth0 is our output interface on the server)
        # mlvpn0 link
        /sbin/iptables -t nat -A POSTROUTING -o eth0 -s 10.42.42.0/30 -j MASQUERADE
        # LAN 192.168.0.0/24 from client
        /sbin/ip route add 192.168.0.0/24 via 10.42.42.2
        /sbin/iptables -t nat -A POSTROUT
