OPP-WG is a standard for remote peering for routing between AMPRNet allocations and the Internet.
OPP-WG is in alpha and is likely unstable and contains errors. Make sure to look over the example configs before deploying anything in your network.
OPP-WG and OPP-IPSEC both accomplish largely the same result, but have a few key differences. OPP-WG is based Wireguard and OPP-IPSEC is based on IPsec. Wireguard has a lot of potential and was recently merged into the Linux kernel so eventually it should be supported out of the box on most distros. Unfortunately Wireguard doesn't support disabling encryption on the tunnel, so OPP-WG is not FCC Part 97 compliant and therefore cannot be used over RF. If you would like to peer with HamWAN over radio, please use OPP-IPSEC.
This example covers OPP-WG configuration for Debian 10.
You're free to use any BGP daemon you like, but for this example we'll be using BIRD2.
echo "deb http://deb.debian.org/debian sid main" | sudo tee /etc/apt/sources.list.d/sid.list
sudo apt update
sudo apt install -y wireguard bird2
Here we generate a private key, compute the public key, and store them at /etc/wireguard/publickey
and /etc/wireguard/privatekey
respectively.
umask 077; wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey
Open /etc/wireguard/wg0.conf
with your favorite text editor and edit the following information:
PRIVATE_KEY
is your private key, located in/etc/wireguard/privatekey
Then contact your OPP provider and substitute their information accordingly:
OPP_PUBLIC_KEY
is the OPP-WG provider's public key. (iHpquu78hbgy57i7878wNl8kM=
)PEERING_IP
is the unique IP address assigned to you by your OPP-WG provider. (44.25.XXX.2/24
)OPP_NETWORK
is the OPP-WG provider's peering network. (44.25.XXX.0/24
)OPP_TUNNEL_HOST
should be the OPP-WG provider's tunnel server IP/port. (44.26.XXX.1:51820
)
[Interface]
PrivateKey = PRIVATE_KEY
Address = PEERING_IP
[Peer]
PublicKey = OPP_PUBLIC_KEY
AllowedIPs = OPP_NETWORK
Endpoint = OPP_TUNNEL_HOST
PersistentKeepalive = 20
Open /etc/bird/bird.conf
and delete the example configuration, replacing with the following:
PEERING_IP
is the unique IP address assigned to you by your OPP-WG provider. (44.25.XXX.2
)OPP_PEERING_IP
is the OPP-WG provider's peering address. (44.26.XXX.1
)YOUR_44NET
is your assigned AMPRNet allocation. (44.xxx.xxx.0/24
)
log syslog all;
router id PEERING_IP;
protocol device {};
protocol direct { ipv4; }
protocol kernel {
ipv4;
scan time 10;
}
protocol static LOCAL {
ipv4;
route YOUR_44NET reject;
}
protocol bgp opp {
local PEERING_IP as 65511;
neighbor OPP_PEERING_IP as 65511;
ipv4 {
import all;
export where net ~ (YOUR_44NET);
};
}
Finally, start Wireguard and BIRD and enable on system startup.
sudo systemctl start bird
sudo systemctl enable bird
sudo systemctl start wg-quick@wg0
sudo systemctl enable wg-quick@wg0
The first thing to check is that your Wireguard tunnel is up and traffic is flowing. You can run sudo wg
to show your Wireguard interfaces. If the keypairs look correct then try pinging your OPP_PEERING_IP
. If you can't ping that address, then there's something wrong with the tunnel or your OPP provider's setup. If that address is reachable, then make sure your BGP session has established.
➜ ~ sudo birdc show protocols
BIRD 2.0.7 ready.
Name Proto Table State Since Info
device1 Device --- up 15:51:27.966
direct1 Direct --- up 15:51:27.966
kernel1 Kernel master4 up 15:51:27.966
LOCAL Static master4 up 15:51:27.966
opp BGP --- up 15:51:31.805 Established
If your OPP protocol isn't established, make sure you can connect to OPP_PEERING_IP
over TCP. Try connecting to OPP_PEERING_IP
with port 179 (The BGP port). If not, something might be up with your firewall. If your BGP session is established, check whether you are sending your AMPRNet route(s) by running sudo birdc show route protocol opp
. If you see your AMPRNet routes marked as unicast (not unreachable or something else) then you're likely exporting the routes correctly.
First install Wireguard and BIRD, and generate a Wireguard keypair. Then create /etc/wireguard/wg0.conf
with the following interface config:
[Interface]
Address = YOUR_PEERING_IP/24
SaveConfig = true
ListenPort = 51820
PrivateKey = YOUR_PRIVATE_KEY
Table = off
The BIRD config is fairly straightforward, with route reflector clients and a eBGP session to the upstream router. (Or multiple routers!)
log syslog all;
router id YOUR_PEERING_ADDRESS;
protocol device {};
protocol direct { ipv4; }
protocol kernel {
scan time 10;
ipv4 {
import none;
export all;
};
}
You'll also want to configure an eBGP session to your edge router importing a full table and exporting the peer ranges. The edge router should strip the private AS from the AS_PATH at the beginning of the import filter. (bgp_path.delete(65511);
)
To add a new peer, add a Wireguard peer by appending to the wg0.conf
file:
[Peer]
PublicKey = PEER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0
The filtering will take place in the BGP import filter, so we'll allow everything here.
And configure the BGP session in BIRD:
protocol bgp PEER_CALLSIGN {
local YOUR_PEERING_ADDRESS as 65511;
neighbor PEER_ADDRESS as 65511;
rr client;
ipv4 {
import where (net ~ [
PEER_44NET_ALLOCATION
]);
export all;
};
}
You can also use this script to simply the update process. Make sure to update YOUR_PEERING_ADDRESS
prior to use:
#!/bin/bash
if [ "$#" -le 3 ]; then
echo "Usage: ./add.sh <Public Key> <Peer IP> <Callsign> <Prefix list>"
echo "Example: ./add.sh Eha7a6ajY^Jhy6JgY= 192.168.10.2 CALL 44.x.x.0/24 44.x.x.0/24"
exit
fi
public_key=$1
peer_ip=$2
callsign=$3
sudo wg set wg0 peer $public_key allowed-ips 0.0.0.0/0
sudo tee -a /etc/bird/bird.conf > /dev/null <<EOT
protocol bgp $callsign {
local YOUR_PEERING_ADDRESS as 65511;
neighbor $peer_ip as 65511;
description "$callsign $public_key";
rr client;
ipv4 {
import limit $(($#-3)) action disable;
import where (net ~ [
$(printf " %s,\n" "${@:4}" | sed '$s/,$//')
]);
export all;
};
}
EOT
sudo birdc configure
echo "Added $callsign@$peer_ip key $public_key"