initial commit

aio.sh

@@ -0,0 +1,80 @@
+echo Installing bird and wireguard
+
+apt install wireguard-tools bird2
+systemctl stop bird
+
+###########################################
+
+echo Generating WG keypair
+
+wg genkey > /etc/wireguard/privkey
+cat /etc/wireguard/privkey | wg pubkey > /etc/wireguard/pubkey
+
+cat <<EOF > /etc/wireguard/template.conf
+[Interface]
+ListenPort = 42401
+PrivateKey = [...]
+PostUp = /sbin/ip addr add dev %i fe80::129:3/128 peer fe80::129:1/128
+Table = off
+
+[Peer]
+Endpoint = pl1.420129.xyz:42403
+PublicKey = [...]
+PresharedKey = [...]
+AllowedIPs = ::/0
+EOF
+
+###########################################
+
+echo Now installing sysctl
+
+cat <<EOF > /etc/sysctl.d/99-dn42.conf
+net.ipv6.conf.all.forwarding=1
+EOF
+
+sysctl --system
+
+###########################################
+
+echo Now installing ROA updater
+
+cat <<EOF > /etc/systemd/system/dn42-roa.service
+[Unit]
+Description=Update DN42 ROA
+
+[Service]
+Type=oneshot
+ExecStart=curl -sfSLR -o /etc/bird/roa_dn42_v6.conf -z /etc/bird/roa_dn42_v6.conf https://dn42.burble.com/roa/dn42_roa_bird2_6.conf
+ExecStart=birdc configure
+EOF
+
+cat <<EOF > /etc/systemd/system/dn42-roa.timer
+[Unit]
+Description=Update DN42 ROA periodically
+
+[Timer]
+OnBootSec=2m
+OnUnitActiveSec=15m
+AccuracySec=1m
+
+[Install]
+WantedBy=timers.target
+EOF
+
+systemctl enable --now dn42-roa.timer
+
+###########################################
+
+echo Now installing bird configs
+
+mkdir /etc/bird/peers
+curl -Lo /etc/bird/bird.conf https://git.m724.eu/Minecon724/dn42-configs/raw/branch/master/bird/bird.conf
+curl -Lo /etc/bird/community_filters.conf https://git.m724.eu/Minecon724/dn42-configs/raw/branch/master/bird/community_filters.conf
+curl -Lo /etc/bird/babel.conf https://git.m724.eu/Minecon724/dn42-configs/raw/branch/master/bird/babel.conf
+
+###########################################
+
+echo Don\'t forget to create an igp-dummy0
+echo After done configuring, do:
+echo systemctl start bird
+echo

bird/babel.conf

@@ -0,0 +1,23 @@
+protocol direct {
+    ipv6;
+    interface "igp-dummy*";
+};
+
+protocol babel int_babel {
+    ipv6 {
+        import where source != RTS_BGP && is_self_net_v6();
+        export where source != RTS_BGP && is_self_net_v6();
+    };
+
+    interface "igp-pl1" {
+        rxcost 23;
+    };
+
+    interface "igp-it1" {
+        rxcost 25;
+    };
+
+    interface "igp-de1" {
+        rxcost 10;
+    };
+};

bird/bird.conf

@@ -0,0 +1,108 @@
+################################################
+#               Variable header                #
+################################################
+
+define ROUTERID =    1;
+define OWNAS =       4242420129;
+define OWNIPv6 =     fdfe:8d0:7450:100::;
+define OWNNETv6 =    fdfe:8d0:7450::/48;
+define OWNNETSETv6 = [fdfe:8d0:7450::/48+];
+
+################################################
+#                 Header end                   #
+################################################
+
+router id ROUTERID;
+
+protocol device {
+    scan time 10;
+}
+
+/*
+ *  Utility functions
+ */
+
+
+function is_self_net_v6() {
+  return net ~ OWNNETSETv6;
+}
+
+roa6 table dn42_roa_v6;
+
+protocol static {
+    roa6 { table dn42_roa_v6; };
+    include "/etc/bird/roa_dn42_v6.conf";
+}
+
+function is_valid_network_v6() {
+  return net ~ [
+    fd00::/8{44,64} # ULA address space as per RFC 4193
+  ];
+}
+
+protocol kernel {
+    scan time 20;
+
+    ipv6 {
+        import none;
+        export filter {
+            if source = RTS_STATIC then reject;
+            krt_prefsrc = OWNIPv6;
+            accept;
+        };
+    };
+}
+
+protocol static {
+    route OWNNETv6 reject;
+
+    ipv6 {
+        import all;
+        export none;
+    };
+}
+
+function import_filter() {
+    if !is_valid_network_v6() then {
+        print "[dn42] Rejected invalid route ", net, " ASN ", bgp_path.last;
+        reject;
+    }
+
+    if is_self_net_v6() then {
+        print "[dn42] Rejected internal route ", net, " ASN ", bgp_path.last;
+        reject;
+    }
+
+    if (roa_check(dn42_roa_v6, net, bgp_path.last) != ROA_VALID) then {
+        print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
+        reject;
+    }
+
+    if (bgp_path.len > 20) then {
+        print "[dn42] Rejected long route ", net, " ASN ", bgp_path.last;
+        reject;
+    }
+
+    accept;
+}
+
+function export_filter() {
+    if is_valid_network_v6() && source ~ [RTS_STATIC, RTS_BGP] then accept; else reject;
+}
+
+template bgp dnpeers {
+    local as OWNAS;
+    path metric 1;
+    graceful restart on;
+
+    ipv6 {
+        import where import_filter();
+        export where export_filter();
+        import limit 9000 action block;
+    };
+}
+
+
+include "/etc/bird/community_filters.conf";
+include "/etc/bird/babel.conf";
+include "/etc/bird/peers/*";

bird/community_filters.conf

@@ -0,0 +1,54 @@
+function update_latency(int link_latency) {
+  bgp_community.add((64511, link_latency));
+       if (64511, 9) ~ bgp_community then { bgp_community.delete([(64511, 1..8)]); return 9; }
+  else if (64511, 8) ~ bgp_community then { bgp_community.delete([(64511, 1..7)]); return 8; }
+  else if (64511, 7) ~ bgp_community then { bgp_community.delete([(64511, 1..6)]); return 7; }
+  else if (64511, 6) ~ bgp_community then { bgp_community.delete([(64511, 1..5)]); return 6; }
+  else if (64511, 5) ~ bgp_community then { bgp_community.delete([(64511, 1..4)]); return 5; }
+  else if (64511, 4) ~ bgp_community then { bgp_community.delete([(64511, 1..3)]); return 4; }
+  else if (64511, 3) ~ bgp_community then { bgp_community.delete([(64511, 1..2)]); return 3; }
+  else if (64511, 2) ~ bgp_community then { bgp_community.delete([(64511, 1..1)]); return 2; }
+  else return 1;
+}
+
+function update_bandwidth(int link_bandwidth) {
+  bgp_community.add((64511, link_bandwidth));
+       if (64511, 21) ~ bgp_community then { bgp_community.delete([(64511, 22..29)]); return 21; }
+  else if (64511, 22) ~ bgp_community then { bgp_community.delete([(64511, 23..29)]); return 22; }
+  else if (64511, 23) ~ bgp_community then { bgp_community.delete([(64511, 24..29)]); return 23; }
+  else if (64511, 24) ~ bgp_community then { bgp_community.delete([(64511, 25..29)]); return 24; }
+  else if (64511, 25) ~ bgp_community then { bgp_community.delete([(64511, 26..29)]); return 25; }
+  else if (64511, 26) ~ bgp_community then { bgp_community.delete([(64511, 27..29)]); return 26; }
+  else if (64511, 27) ~ bgp_community then { bgp_community.delete([(64511, 28..29)]); return 27; }
+  else if (64511, 28) ~ bgp_community then { bgp_community.delete([(64511, 29..29)]); return 28; }
+  else return 29;
+}
+
+function update_crypto(int link_crypto) {
+  bgp_community.add((64511, link_crypto));
+       if (64511, 31) ~ bgp_community then { bgp_community.delete([(64511, 32..34)]); return 31; }
+  else if (64511, 32) ~ bgp_community then { bgp_community.delete([(64511, 33..34)]); return 32; }
+  else if (64511, 33) ~ bgp_community then { bgp_community.delete([(64511, 34..34)]); return 33; }
+  else return 34;
+}
+
+function update_flags(int link_latency; int link_bandwidth; int link_crypto)
+int dn42_latency;
+int dn42_bandwidth;
+int dn42_crypto;
+{
+  dn42_latency = update_latency(link_latency);
+  dn42_bandwidth = update_bandwidth(link_bandwidth) - 20;
+  dn42_crypto = update_crypto(link_crypto) - 30;
+  return true;
+}
+
+function import_community(int link_latency; int link_bandwidth; int link_crypto) {
+  update_flags(link_latency, link_bandwidth, link_crypto);
+  import_filter();
+}
+
+function export_community(int link_latency; int link_bandwidth; int link_crypto) {
+  update_flags(link_latency, link_bandwidth, link_crypto);
+  export_filter();
+}

networkd/igp-dummy0.netdev

@@ -0,0 +1,3 @@
+[NetDev]
+Name=igp-dummy0
+Kind=dummy

networkd/igp-dummy0.network

@@ -0,0 +1,5 @@
+[Match]
+Name=igp-dummy0
+
+[Network]
+Address = fdfe:8d0:7450:100::/56