commit 4f43cf0a3bd204df9ce2ae7b0fab13a18cb5e2fd
Author: Minecon724
Date: Tue Oct 8 17:41:49 2024 +0200
initial commit
diff --git a/aio.sh b/aio.sh
new file mode 100644
index 0000000..373b0eb
--- /dev/null
+++ b/aio.sh
@@ -0,0 +1,80 @@
+echo Installing bird and wireguard
+
+apt install wireguard-tools bird2
+systemctl stop bird
+
+###########################################
+
+echo Generating WG keypair
+
+wg genkey > /etc/wireguard/privkey
+cat /etc/wireguard/privkey | wg pubkey > /etc/wireguard/pubkey
+
+cat < /etc/wireguard/template.conf
+[Interface]
+ListenPort = 42401
+PrivateKey = [...]
+PostUp = /sbin/ip addr add dev %i fe80::129:3/128 peer fe80::129:1/128
+Table = off
+
+[Peer]
+Endpoint = pl1.420129.xyz:42403
+PublicKey = [...]
+PresharedKey = [...]
+AllowedIPs = ::/0
+EOF
+
+###########################################
+
+echo Now installing sysctl
+
+cat < /etc/sysctl.d/99-dn42.conf
+net.ipv6.conf.all.forwarding=1
+EOF
+
+sysctl --system
+
+###########################################
+
+echo Now installing ROA updater
+
+cat < /etc/systemd/system/dn42-roa.service
+[Unit]
+Description=Update DN42 ROA
+
+[Service]
+Type=oneshot
+ExecStart=curl -sfSLR -o /etc/bird/roa_dn42_v6.conf -z /etc/bird/roa_dn42_v6.conf https://dn42.burble.com/roa/dn42_roa_bird2_6.conf
+ExecStart=birdc configure
+EOF
+
+cat < /etc/systemd/system/dn42-roa.timer
+[Unit]
+Description=Update DN42 ROA periodically
+
+[Timer]
+OnBootSec=2m
+OnUnitActiveSec=15m
+AccuracySec=1m
+
+[Install]
+WantedBy=timers.target
+EOF
+
+systemctl enable --now dn42-roa.timer
+
+###########################################
+
+echo Now installing bird configs
+
+mkdir /etc/bird/peers
+curl -Lo /etc/bird/bird.conf https://git.m724.eu/Minecon724/dn42-configs/raw/branch/master/bird/bird.conf
+curl -Lo /etc/bird/community_filters.conf https://git.m724.eu/Minecon724/dn42-configs/raw/branch/master/bird/community_filters.conf
+curl -Lo /etc/bird/babel.conf https://git.m724.eu/Minecon724/dn42-configs/raw/branch/master/bird/babel.conf
+
+###########################################
+
+echo Don\'t forget to create an igp-dummy0
+echo After done configuring, do:
+echo systemctl start bird
+echo 
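Review bot: The private key is written by `wg genkey > /etc/wireguard/privkey` under the caller's default umask, so unless /etc/wireguard itself is already restricted the key file can end up readable by every local user; run `umask 077` first, the pattern wg(8) documents, e.g. `umask 077; wg genkey | tee /etc/wireguard/privkey | wg pubkey > /etc/wireguard/pubkey`. The script also has no interpreter line and no `set -eu`, so a failed `apt install` (interactive here, since `-y` is not passed) or a failed download is ignored and the later steps run against missing packages or a half-written config; `#!/bin/sh` and `set -eu` at the top make each step fatal. The three `curl -Lo` fetches of the bird configs lack `-f`, so an HTTP error body would be saved as bird.conf; `curl -fLo` matches the flags the ROA unit already uses. bird.conf includes /etc/bird/roa_dn42_v6.conf unconditionally and that file only exists after the timer's first run, so a `systemctl start dn42-roa.service` before the closing `systemctl start bird` hint would avoid a failed first start. The `cat < /etc/…` lines read as input redirections as rendered here; presumably the raw file has a heredoc (`cat <<EOF > …`) that this rendering stripped, which is worth confirming.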
diff --git a/bird/babel.conf b/bird/babel.conf
new file mode 100644
index 0000000..1b7b85e
--- /dev/null
+++ b/bird/babel.conf
@@ -0,0 +1,23 @@
+protocol direct {
+ ipv6;
+ interface "igp-dummy*";
+};
+
+protocol babel int_babel {
+ ipv6 {
+ import where source != RTS_BGP && is_self_net_v6();
+ export where source != RTS_BGP && is_self_net_v6();
+ };
+
+ interface "igp-pl1" {
+ rxcost 23;
+ };
+
+ interface "igp-it1" {
+ rxcost 25;
+ };
+
+ interface "igp-de1" {
+ rxcost 10;
+ };
+};
diff --git a/bird/bird.conf b/bird/bird.conf
new file mode 100644
index 0000000..e347f86
--- /dev/null
+++ b/bird/bird.conf
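Review bot: The `int_babel` instance has no `authentication` stanza (BIRD's default is none), so anything able to put packets on igp-pl1, igp-it1 or igp-de1 can inject routes matching `is_self_net_v6()` into the IGP and, via the kernel export filter in bird.conf that only drops RTS_STATIC, into the forwarding table. If those interfaces are the WireGuard tunnels that the aio.sh template sets up, as the names suggest, the tunnel already authenticates the neighbour and this is acceptable; otherwise BIRD 2.0.9 and later accept `authentication yes; password "…" { algorithm hmac sha256; };` inside the protocol block. Either way a comment recording the assumption, e.g. `# igp-* are WireGuard point-to-point links; peer authentication is left to the tunnel`, would keep the next reader from wondering.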
@@ -0,0 +1,108 @@
+################################################
+# Variable header #
+################################################
+
+define ROUTERID = 1;
+define OWNAS = 4242420129;
+define OWNIPv6 = fdfe:8d0:7450:100::;
+define OWNNETv6 = fdfe:8d0:7450::/48;
+define OWNNETSETv6 = [fdfe:8d0:7450::/48+];
+
+################################################
+# Header end #
+################################################
+
+router id ROUTERID;
+
+protocol device {
+ scan time 10;
+}
+
+/*
+ * Utility functions
+ */
+
+
+function is_self_net_v6() {
+ return net ~ OWNNETSETv6;
+}
+
+roa6 table dn42_roa_v6;
+
+protocol static {
+ roa6 { table dn42_roa_v6; };
+ include "/etc/bird/roa_dn42_v6.conf";
+}
+
+function is_valid_network_v6() {
+ return net ~ [
+ fd00::/8{44,64} # ULA address space as per RFC 4193
+ ];
+}
+
+protocol kernel {
+ scan time 20;
+
+ ipv6 {
+ import none;
+ export filter {
+ if source = RTS_STATIC then reject;
+ krt_prefsrc = OWNIPv6;
+ accept;
+ };
+ };
+}
+
+protocol static {
+ route OWNNETv6 reject;
+
+ ipv6 {
+ import all;
+ export none;
+ };
+}
+
+function import_filter() {
+ if !is_valid_network_v6() then {
+ print "[dn42] Rejected invalid route ", net, " ASN ", bgp_path.last;
+ reject;
+ }
+
+ if is_self_net_v6() then {
+ print "[dn42] Rejected internal route ", net, " ASN ", bgp_path.last;
+ reject;
+ }
+
+ if (roa_check(dn42_roa_v6, net, bgp_path.last) != ROA_VALID) then {
+ print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
+ reject;
+ }
+
+ if (bgp_path.len > 20) then {
+ print "[dn42] Rejected long route ", net, " ASN ", bgp_path.last;
+ reject;
+ }
+
+ accept;
+}
+
+function export_filter() {
+ if is_valid_network_v6() && source ~ [RTS_STATIC, RTS_BGP] then accept; else reject;
+}
+
+template bgp dnpeers {
+ local as OWNAS;
+ path metric 1;
+ graceful restart on;
+
+ ipv6 {
+ import where import_filter();
+ export where export_filter();
+ import limit 9000 action block;
+ };
+}
+
+
+include "/etc/bird/community_filters.conf";
+include "/etc/bird/babel.conf";
+include "/etc/bird/peers/*";
diff --git a/bird/community_filters.conf b/bird/community_filters.conf
new file mode 100644
index 0000000..e6b597a
--- /dev/null
+++ b/bird/community_filters.conf
@@ -0,0 +1,54 @@
+function update_latency(int link_latency) {
+ bgp_community.add((64511, link_latency));
+ if (64511, 9) ~ bgp_community then { bgp_community.delete([(64511, 1..8)]); return 9; }
+ else if (64511, 8) ~ bgp_community then { bgp_community.delete([(64511, 1..7)]); return 8; }
+ else if (64511, 7) ~ bgp_community then { bgp_community.delete([(64511, 1..6)]); return 7; }
+ else if (64511, 6) ~ bgp_community then { bgp_community.delete([(64511, 1..5)]); return 6; }
+ else if (64511, 5) ~ bgp_community then { bgp_community.delete([(64511, 1..4)]); return 5; }
+ else if (64511, 4) ~ bgp_community then { bgp_community.delete([(64511, 1..3)]); return 4; }
+ else if (64511, 3) ~ bgp_community then { bgp_community.delete([(64511, 1..2)]); return 3; }
+ else if (64511, 2) ~ bgp_community then { bgp_community.delete([(64511, 1..1)]); return 2; }
+ else return 1;
+}
+
+function update_bandwidth(int link_bandwidth) {
+ bgp_community.add((64511, link_bandwidth));
+ if (64511, 21) ~ bgp_community then { bgp_community.delete([(64511, 22..29)]); return 21; }
+ else if (64511, 22) ~ bgp_community then { bgp_community.delete([(64511, 23..29)]); return 22; }
+ else if (64511, 23) ~ bgp_community then { bgp_community.delete([(64511, 24..29)]); return 23; }
+ else if (64511, 24) ~ bgp_community then { bgp_community.delete([(64511, 25..29)]); return 24; }
+ else if (64511, 25) ~ bgp_community then { bgp_community.delete([(64511, 26..29)]); return 25; }
+ else if (64511, 26) ~ bgp_community then { bgp_community.delete([(64511, 27..29)]); return 26; }
+ else if (64511, 27) ~ bgp_community then { bgp_community.delete([(64511, 28..29)]); return 27; }
+ else if (64511, 28) ~ bgp_community then { bgp_community.delete([(64511, 29..29)]); return 28; }
+ else return 29;
+}
+
+function update_crypto(int link_crypto) {
+ bgp_community.add((64511, link_crypto));
+ if (64511, 31) ~ bgp_community then { bgp_community.delete([(64511, 32..34)]); return 31; }
+ else if (64511, 32) ~ bgp_community then { bgp_community.delete([(64511, 33..34)]); return 32; }
+ else if (64511, 33) ~ bgp_community then { bgp_community.delete([(64511, 34..34)]); return 33; }
+ else return 34;
+}
+
+function update_flags(int link_latency; int link_bandwidth; int link_crypto)
+int dn42_latency;
+int dn42_bandwidth;
+int dn42_crypto;
+{
+ dn42_latency = update_latency(link_latency);
+ dn42_bandwidth = update_bandwidth(link_bandwidth) - 20;
+ dn42_crypto = update_crypto(link_crypto) - 30;
+ return true;
+}
+
+function import_community(int link_latency; int link_bandwidth; int link_crypto) {
+ update_flags(link_latency, link_bandwidth, link_crypto);
+ import_filter();
+}
+
+function export_community(int link_latency; int link_bandwidth; int link_crypto) {
+ update_flags(link_latency, link_bandwidth, link_crypto);
+ export_filter();
+}
diff --git a/networkd/igp-dummy0.netdev b/networkd/igp-dummy0.netdev
new file mode 100644
index 0000000..c282e48
--- /dev/null
+++ b/networkd/igp-dummy0.netdev
@@ -0,0 +1,3 @@
+[NetDev]
+Name=igp-dummy0
+Kind=dummy
diff --git a/networkd/igp-dummy0.network b/networkd/igp-dummy0.network
new file mode 100644
index 0000000..08162ea
--- /dev/null
+++ b/networkd/igp-dummy0.network
@@ -0,0 +1,5 @@
+[Match]
+Name=igp-dummy0
+
+[Network]
+Address = fdfe:8d0:7450:100::/56
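Review bot: In `update_flags` the locals `dn42_latency`, `dn42_bandwidth` and `dn42_crypto` receive the normalized results (bandwidth − 20, crypto − 30) but are never read afterwards, and the function always returns true, so its only real effect is the `bgp_community` mutation done inside the `update_*` helpers; a reader expecting those values to feed a decision will be misled. Either drop the assignments and call the helpers for their side effects, or say so: `# update_* mutate bgp_community in place; the returned values are not used`. None of the helpers validates its argument, so a peer file that passes a latency outside 1..9 (or bandwidth outside 21..29, crypto outside 31..34) silently attaches a community outside the dn42 range and falls through to the final `else`; a guard at the top of each helper, e.g. `if link_latency < 1 || link_latency > 9 then return 1;`, would surface the misconfiguration instead. `import_community` and `export_community` rely on `import_filter`/`export_filter` from bird.conf being defined before this file is included, which the include order in bird.conf satisfies but which deserves a one-line comment at the top of this file.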
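Review bot: `Address = fdfe:8d0:7450:100::/56` puts a /56 on the dummy interface, so `protocol direct` in babel.conf originates that whole /56 into the IGP from this node; if this unit is deployed unmodified to every router, as aio.sh does verbatim for the bird configs, every node announces the identical /56 and babel has no way to tell them apart. A per-node address out of OWNNETv6 (a distinct /64 or /128 per router, treating this file as a template) avoids that; at minimum a comment such as `# per-router address; change it on every node, and keep OWNIPv6 in bird.conf in sync` would make the intent explicit.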