

Multicast

/etc/mrouted.conf

name LOCAL 239.255.0.0/16
phyint em1 disable

forward multicast

sysctl.conf
net.inet.ip.mforwarding=1

enable and start Service

# Enable both daemons at boot and start them right away; one enable/start pair per service.
for svc in multicast mrouted; do
  rcctl enable "$svc"
  rcctl start "$svc"
done

useful commands

netstat -g
map-mbone
mrinfo
mtrace

https://felix-kling.de/blog/2019/sonos-dedicated-vlan.html




Dualstack

DualStack & Prefix Delegation with OpenBSD

OS: OpenBSD 6.5

Hint: wide-dhcpv6-20080615p9 was not working properly, so I gave dhcpcd a try instead.

Install Package

pkg_add dhcpcd-7.1.1p4

Configure dhcpcd

/etc/dhcpcd.conf
ipv6only
noipv6rs
duid
persistent
option rapid_commit
require dhcp_server_identifier

# disable running any hooks; not typically required for simple DHCPv6-PD setup
script ""

# List interfaces explicitly so that dhcpcd doesn't touch others
allowinterfaces em1 vlan108 vlan110 vlan112

interface em1
    # the following two lines tell dhcpcd to do router solicitation
    # itself. don't use them if using "inet6 autoconf" (slaacd)
    ipv6rs
    ia_na 1

    # request prefixes from the provider to use for downstream networks
    ia_pd 2 vlan108/1 vlan110/2 vlan112/3

Enable and Start Service

# Enable dhcpcd at boot, then restart it so the new /etc/dhcpcd.conf is read.
for action in enable restart; do
  rcctl "$action" dhcpcd
done

You should now get an IP address on your public interface. Adjust pf.conf accordingly for IPv6!

Netbox

How to Install Netbox on Debian 10.1

URL: https://github.com/netbox-community/netbox

install postgresql

# PostgreSQL server, the libpq client headers, and sudo (used below to run psql as postgres).
pg_pkgs=(postgresql libpq-dev sudo)
apt-get install -y "${pg_pkgs[@]}"
pg_ctlcluster 11 main start

create database

# sudo -u postgres psql
psql (9.4.5)
Type "help" for help.

postgres=# CREATE DATABASE netbox;
CREATE DATABASE
postgres=# CREATE USER netbox WITH PASSWORD 'streng-geheim-und-so';
CREATE ROLE
postgres=# GRANT ALL PRIVILEGES ON DATABASE netbox TO netbox;
GRANT
postgres=# \q

psql -U netbox -W -h localhost netbox
streng-geheim-und-so
netbox=> quit

install application

# Python toolchain plus the development libraries and services NetBox needs; listed as an
# array so the long package list stays readable.
deb_pkgs=(
  python3 python3-pip python3-dev build-essential
  libxml2-dev libxslt1-dev libffi-dev graphviz libpq-dev libssl-dev
  redis-server zlib1g-dev git
)
apt-get install -y "${deb_pkgs[@]}"

install a release (we skip that)

# wget https://github.com/netbox-community/netbox/archive/vX.Y.Z.tar.gz
# tar -xzf vX.Y.Z.tar.gz -C /opt
# cd /opt/
# ln -s netbox-X.Y.Z/ netbox
# cd /opt/netbox/

install via github

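# Bail out if the directory cannot be entered; otherwise the clone below would land in
# whatever the current directory happens to be.
mkdir -p /opt/netbox/ && cd /opt/netbox/ || exit 1
# Clone into the current directory (note the trailing "."). master is the development
# branch, not a tagged release.
git clone -b master https://github.com/netbox-community/netbox.git .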

set permission

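# The application runs as www-data (see gunicorn_config.py and the supervisor programs
# below) and no "netbox" system user is created in this walkthrough, so the upload
# directory has to be writable by www-data, not by a non-existent netbox user.
chown -R www-data:www-data /opt/netbox/netbox/media/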

install python packages

# Project requirements first, then napalm, which is not part of requirements.txt.
pip3 install --requirement requirements.txt
pip3 install napalm

configure netbox

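# Relative to /opt/netbox from the clone step; abort if it is missing instead of copying
# the example file into the wrong directory.
cd netbox/netbox/ || exit 1
cp configuration.example.py configuration.py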

vim configuration.py
#ALLOWED_HOSTS = ['netbox.example.com', '192.0.2.123']
# '*' accepts any Host header. Django uses this list to reject requests for hosts it does
# not serve, so list the real hostname(s), as in the commented example, before the
# service is exposed beyond this test.
ALLOWED_HOSTS = ['*']

DATABASE = {
    'NAME': 'netbox',                   # Database name
    'USER': 'netbox',                   # PostgreSQL username
    'PASSWORD': 'streng-geheim-und-so', # PostgreSQL password (same value as in the CREATE USER step)
    'HOST': 'localhost',                # Database server
    'PORT': '',                         # Database port (leave blank for default)
}

# Placeholder only: replace it with the output of netbox/generate_secret_key.py (next step).
# configuration.py now holds both the DB password and the secret key; keep it readable
# by the service user only.
SECRET_KEY = 'a+V4_H@O0U9GYz#E(IB5csp8CJNide^lMyZgj)1rqRLf*&WSQ$'

generate secret key

netbox/generate_secret_key.py

database migration

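# Stop here if the checkout is not where expected; manage.py only exists in this directory.
cd /opt/netbox/netbox/ || exit 1
# Creates/updates the schema in the "netbox" database configured in configuration.py.
python3 manage.py migrate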
Operations to perform:
  Apply all migrations: dcim, sessions, admin, ipam, utilities, auth, circuits, contenttypes, extras, secrets, users
Running migrations:
  Rendering model states... DONE
  Applying contenttypes.0001_initial... OK
  Applying auth.0001_initial... OK
  Applying admin.0001_initial... OK
  ...

create superuser

# python3 manage.py createsuperuser
Username: admin
Email address: mail@gott.welt
Password: 12345678
Password (again): 12345678
Superuser created successfully.

Collect Static Files

python3 manage.py collectstatic --no-input

You have requested to collect static files at the destination
location as specified in your settings:

    /opt/netbox/netbox/static

This will overwrite existing files!
Are you sure you want to do this?

Type 'yes' to continue, or 'no' to cancel: yes

Load Initial Data (Optional)

python3 manage.py loaddata initial_data

Test the Application

# Django's development server, bound to all interfaces; --insecure lets it serve the static
# files itself. Only for this smoke test -- nginx + gunicorn below is the real deployment.
python3 manage.py runserver 0.0.0.0:8000 --insecure
Performing system checks...

System check identified no issues (0 silenced).
November 28, 2018 - 09:33:45
Django version 2.0.9, using settings 'netbox.settings'
Starting development server at http://0.0.0.0:8000/
Quit the server with CONTROL-C.

install nginx

apt-get install -y nginx

vim /etc/nginx/sites-available/netbox
server {
    # Plain HTTP only; no TLS listener is configured in this walkthrough, so the
    # X-Forwarded-Proto header below will always carry "http".
    listen 80;
    listen [::]:80;

    server_name netbox.example.com;

    # Largest request body nginx accepts (25 MB).
    client_max_body_size 25m;

    # Static assets are served by nginx directly from the collectstatic destination.
    location /static/ {
        alias /opt/netbox/netbox/static/;
    }

    # Everything else is proxied to gunicorn, which binds 127.0.0.1:8001 (gunicorn_config.py).
    location / {
        proxy_pass http://127.0.0.1:8001;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Legacy P3P privacy-policy header; current browsers ignore it.
        add_header P3P 'CP="ALL DSP COR PSAa PSDa OUR NOR ONL UNI COM NAV"';
    }
}

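# Abort if the directory is missing rather than running rm/ln somewhere else.
cd /etc/nginx/sites-enabled/ || exit 1
# -f: do not fail if the default site was already removed.
rm -f -- default
# Name the link explicitly instead of relying on ln deriving it from the target.
ln -s /etc/nginx/sites-available/netbox netbox

# Validate the configuration first so a typo in the site file does not take nginx down.
nginx -t && service nginx restart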

Install gunicorn

pip3 install gunicorn

vim /opt/netbox/gunicorn_config.py
# gunicorn settings file, loaded via "gunicorn -c" from the supervisor program below.
command = '/usr/bin/gunicorn'
pythonpath = '/opt/netbox/netbox'
bind = '127.0.0.1:8001'   # loopback only; nginx proxies to this address
workers = 3
user = 'www-data'         # worker processes run as this user

install supervisor

apt-get install -y supervisor

vim /etc/supervisor/conf.d/netbox.conf
[program:netbox]
command = gunicorn -c /opt/netbox/gunicorn_config.py netbox.wsgi
directory = /opt/netbox/netbox/
user = www-data

[program:netbox-rqworker]
command = python3 /opt/netbox/netbox/manage.py rqworker
directory = /opt/netbox/netbox/
user = www-data

restart server and test

http://ip.addr.of.server

Wireguard

WireGuard Stuff, 2019-09-18

Resources

Also check my newer post about WireGuard on Current …

Using wireguard on OpenBSD

OpenBSD Router: VPN

Wireguard Server

Packages

# Userspace daemon, the wg(8) tooling, and qrencode for the client QR codes.
wg_pkgs=(wireguard-go wireguard-tools libqrencode)
pkg_add "${wg_pkgs[@]}"

Config & Enable WG

# Hand the tunnel device name to the daemon, then enable it at boot.
rcctl set wireguard_go flags tun2
rcctl enable wireguard_go

Prepare Environment

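mkdir -p /etc/wireguard/keys /etc/wireguard/config
# Both directories will hold private keys (keys/ the raw keys, config/ the client
# configs that embed them), so restrict them to root rather than only the files inside.
chmod 700 /etc/wireguard/keys /etc/wireguard/config
# Later steps use paths relative to this directory; stop if it cannot be entered.
cd /etc/wireguard || exit 1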

Generate Keys

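# One keypair per endpoint. umask 077 makes the private-key files unreadable to others
# from the moment tee creates them, instead of leaving a window until the chmod below;
# the subshell keeps the umask change from leaking into the rest of the session.
(
  umask 077
  for name in server client001 client002 client003; do
    wg genkey | tee "keys/${name}-private.key" | wg pubkey > "keys/${name}-public.key"
  done
)

chmod 600 keys/*private.key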

Config Interface

# Same four lines as before, emitted with printf; the single quotes keep '!' and '&'
# literal, and the last line runs wg setconf from the hostname.if hook at boot.
printf '%s\n' \
  '10.0.0.1 10.0.0.2 netmask 255.255.255.0' \
  'inet6 alias 2001:db8::1 128' \
  'dest 2001:db8::2' \
  '!/bin/sleep 10 && /usr/local/bin/wg setconf tun2 /etc/wireguard/server.conf &' \
  > /etc/hostname.tun2

IP Forwarding

# Persist both forwarding sysctls, then apply them to the running kernel.
printf '%s\n' net.inet.ip.forwarding=1 net.inet6.ip6.forwarding=1 >> /etc/sysctl.conf

for knob in net.inet.ip.forwarding net.inet6.ip6.forwarding; do
  sysctl "${knob}=1"
done

server.conf

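# The delimiter must be unquoted: with 'EOF' the $(cat keys/...) substitutions are not
# expanded and the file would contain that literal text instead of the keys, which
# wg setconf rejects. Nothing else in the content uses $, backticks or backslashes.
# The file holds the server private key, so give it mode 600 while it is still empty;
# the redirection below only truncates it and keeps the mode. This is the
# /etc/wireguard/server.conf that the hostname.tun2 hook loads at boot.
: > server.conf && chmod 600 server.conf
cat << EOF > server.conf
[Interface]
PrivateKey  = $(cat keys/server-private.key)
ListenPort  = 51820

# IPv4 only
[Peer]
PublicKey   = $(cat keys/client001-public.key)
AllowedIPs  = 10.0.0.2/32

# IPv6 only
[Peer]
PublicKey   = $(cat keys/client002-public.key)
AllowedIPs  = 2001:db8::3/128

# IPv4 and IPv6
[Peer]
PublicKey   = $(cat keys/client003-public.key)
AllowedIPs  = 2001:db8::4/128, 10.0.0.4/32
EOF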

Update PF

... snip ...

# tun2 is in the skip list, so pf does not filter traffic coming from VPN peers at all;
# remove it from this list if per-peer filtering on the tunnel is wanted.
set skip on { lo0 enc0 tun2 }

# WG Stuff
# NAT VPN client traffic leaving on egress. ":0" on the IPv4 rule excludes alias addresses
# of the egress interface; the IPv6 rule uses the egress address as is.
match out log on egress inet  from (tun2:network) nat-to (egress:0)
match out log on egress inet6 from (tun2:network) nat-to (egress)

... snip ...

# Block all
block log

... snip ...

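# Allow Wireguard from any
# WireGuard speaks UDP only; the "{ tcp udp }" list also opened TCP 51820, on which
# nothing listens. Keep the rule to what the service actually needs.
pass in log quick inet  proto udp from any to (self) port { 51820 }
pass in log quick inet6 proto udp from any to (self) port { 51820 }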

... snip ...

Reboot the server to activate all config

reboot

cd /etc/wireguard

Update Config Script

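# "# !/bin/sh" (with a space) is a comment, not a shebang, so the kernel cannot run the
# file directly; "#!/bin/sh" must be the first two bytes. Paths are absolute (matching
# the hostname.tun2 hook) so the script does not depend on the caller's cwd, and a failed
# setconf no longer reports success.
cat << 'EOF' > wg_update_config.sh
#!/bin/sh
# Re-apply the WireGuard peer configuration to tun2 and print the result.
/usr/local/bin/wg setconf tun2 /etc/wireguard/server.conf || exit 1
/usr/local/bin/wg show
exit 0
EOF

chmod 755 wg_update_config.sh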

Wireguard Client

IPv4 only

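# Unquoted delimiter so the $(cat ...) and $(ifconfig ...) substitutions are expanded;
# with 'EOF' the file would contain that literal text. The $2 inside the awk program is
# within single quotes inside the command substitution, so the shell leaves it alone.
# The file embeds the client's private key: create it with mode 600 before writing.
: > config/client001.conf && chmod 600 config/client001.conf
cat << EOF > config/client001.conf
[Interface]
PrivateKey  = $(cat keys/client001-private.key)
Address     = 10.0.0.2/32
DNS         = 8.8.8.8

[Peer]
PublicKey   = $(cat keys/server-public.key)
AllowedIPs  = 8.8.8.8/32
Endpoint    = $(ifconfig egress |awk '/inet / {print $2}'):51820
EOF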

IPv6 only

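# Unquoted delimiter so the key and address substitutions are expanded; with 'EOF' the
# file would contain the literal "$(cat ...)" text. The file embeds the client's private
# key, so it is created with mode 600 before anything is written to it.
: > config/client002.conf && chmod 600 config/client002.conf
cat << EOF > config/client002.conf
[Interface]
PrivateKey  = $(cat keys/client002-private.key)
Address     = 2001:db8::3/128
DNS         = 2001:4860:4860::8888

[Peer]
PublicKey   = $(cat keys/server-public.key)
AllowedIPs  = 2001:4860:4860::8888/128
Endpoint    = [$(ifconfig egress |awk '/inet6 / {print $2}' |grep -v 'fe80::')]:51820
EOF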

IPv4+6 (not yet working …)

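# Unquoted delimiter so the key and address substitutions are expanded; with 'EOF' the
# file would contain the literal "$(cat ...)" text. Created with mode 600 first because
# it embeds the client's private key.
# NOTE(review): wg(8) takes a single Endpoint per peer; the comma-separated IPv4/IPv6 pair
# below is the likely reason this variant is "not yet working" -- confirm, and pick one.
: > config/client003.conf && chmod 600 config/client003.conf
cat << EOF > config/client003.conf
[Interface]
PrivateKey  = $(cat keys/client003-private.key)
Address     = 10.0.0.4/32, 2001:db8::4/128
DNS         = 8.8.8.8, 2001:4860:4860::8888

[Peer]
PublicKey   = $(cat keys/server-public.key)
AllowedIPs  = 8.8.8.8/32, 2001:4860:4860::8888/128
Endpoint    = $(ifconfig egress |awk '/inet / {print $2}'):51820, [$(ifconfig egress |awk '/inet6 / {print $2}' |grep -v 'fe80::')]:51820
EOF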

Generate QR

# Render each client config as a terminal QR code, feeding the file by redirection.
for cfg in config/client001.conf config/client002.conf config/client003.conf; do
  qrencode -t ansiutf8 < "$cfg"
done

Show Commands

puffy66 1 ../wireguard# wg show
interface: tun2
  public key: eBzb9Q+95EQj2C2hRd7RuGH4dES9sjfgjWHHFskJ+SQ=
  private key: (hidden)
  listening port: 51820

peer: 6i2k+s3bgUgRRbVefCNzjQPJZbsIzipNsFOmjFCnLHE=
  endpoint: 192.168.108.125:52565
  allowed ips: 10.0.0.2/32
  latest handshake: 56 seconds ago
  transfer: 13.19 KiB received, 8.07 KiB sent

peer: gRWzWzJIelqez9/lHsL/KsDDKjCoZK6I91hggeNELmc=
  allowed ips: 2001:db8::3/128

peer: pulLKxKk6dwFf6xlb+mEiP4AdS0jbs5hYOvMC7FfNXM=
  allowed ips: 10.0.0.4/32, 2001:db8::4/128

