Last active
May 5, 2024 03:08
Gist: paigeadelethompson/8b535c0d9f969ba8f020a081c7ff3a68
OpenBSD router

option domain-name "mydomain.tld";
option domain-name-servers 192.0.2.14;
subnet 198.18.0.0 netmask 255.255.254.0 {
    option routers 198.18.1.0;
    range 198.18.0.1 198.18.1.254;
    host mc {
        hardware ethernet 52:54:00:ed:7a:b6;
        fixed-address 198.18.0.1;
    }
    host docker-1-1 {
        hardware ethernet 52:54:00:66:12:12;
        fixed-address 198.18.0.2;
    }
    host docker-1-2 {
        hardware ethernet 52:54:00:04:4b:22;
        fixed-address 198.18.0.3;
    }
    host docker-1-3 {
        hardware ethernet 52:54:00:ac:c6:4c;
        fixed-address 198.18.0.4;
    }
}

rdomain 4
add tap0
add mpw0
add vio3
description "MPLS EVPN"
up

rdomain 12
inet 10.0.0.0 255.255.255.254
!route -T12 add -host -inet 78.41.207.245 10.0.0.1
description "IPSEC IKEv2 VPN test"
up

rdomain 2
!ifconfig gif0 tunnel 206.125.168.65 216.66.84.46 tunneldomain 1
!ifconfig gif0 inet6 alias 2001:470:0:aaa::2 2001:470:0:aaa::1 prefixlen 128
!route -T2 -qn add -inet6 2000::/3 2001:470:0:aaa::1
description "tunnelaaaa.tunnel.tserv11.loc1.ipv6.he.net"

rdomain 1
inet 127.0.0.1 255.0.0.0
description "WAN (1) loopback"

rdomain 2
inet 127.0.0.1 255.0.0.0
description "HE (2) domain loopback"

rdomain 4
inet 127.0.0.1 255.0.0.0
description "MPLS EVPN (4) loopback"

rdomain 3
description "MPLS (4) EVPN pseudowire interface"
up

rdomain 3
inet 192.0.2.0/31
inet6 fc00:3:1::3:1/64
!route -T3 -qn add default 192.0.2.1
description "VM network (3) to WAN (1)"

rdomain 1
inet 192.0.2.1/31
inet6 fc00:3:1::1:3/64
!route -T1 -qn add -inet 198.18.0.0/23 192.0.2.0
patch pair0
description "WAN (1) to VM network (3)"

rdomain 10
inet 192.0.2.14/31
inet6 fc00:10:1::10:1/64
!route -T10 -qn add default 192.0.2.15
description "unbound (10) to WAN (1)"

rdomain 1
inet 192.0.2.15/31
inet6 fc00:10:1::1:10/64
patch pair10
description "WAN (1) to unbound (10)"

rdomain 2
inet6 fc00:10:2::2:10/64
!route -T2 -qn add fc00::53/128 fc00:10:2::10:2
description "HE (2) to unbound (10)"

rdomain 10
inet6 fc00:10:2::10:2/64
!ifconfig pair15 inet6 alias fc00::53/128
!route -T10 -qn add 2001:470:aaaa:1::/64 fc00:10:2::2:10
!route -T10 -qn add fc00:3:2::3:2/64 fc00:10:2::2:10
!route -T10 -qn add fc00:3:f::/48 fc00:10:2::2:10
patch pair14
description "unbound (10) to HE (2)"

rdomain 12
inet 192.0.2.18/31
inet6 fc00:12:1::12:1/64
description "NSD (12) to WAN (1)"

rdomain 1
inet 192.0.2.19/31
inet6 fc00:12:1::1:12/64
description "WAN (1) to NSD (12)"

rdomain 2
inet 192.0.2.4/31
inet6 fc00:3:2::2:3/64
!route -T2 -qn add 2001:470:aaaa:1::/64 fc00:3:2::3:2
!route -T2 -qn add fc00:470:aaaa:1::/64 fc00:3:2::3:2
!route -T2 -qn add fc00:3:f::/48 fc00:3:2::3:2
description "HE (2) to VM (3)"

rdomain 1
inet 192.0.2.20/31
inet6 fc00:5:1::1:5/64
description "WAN (1) to NSD (5)"

rdomain 5
inet 192.0.2.21/31
inet6 fc00:5:1::5:1/64
!ifconfig pair25 inet alias 206.125.168.70/32
!route -T5 -qn add default 192.0.2.20
patch pair24
description "NSD(5) to WAN (1)"

rdomain 2
inet6 fc00:5:2::2:5/64
!route -T2 -qn add 2001:470:1111:aaa::/64 fc00:5:2::5:2
description "HE (1) to NSD (5)"

rdomain 5
inet6 fc00:5:2::5:2/64
!ifconfig pair27 inet6 alias 2001:470:1111:aaa::0/64
!ifconfig pair27 inet6 alias 2001:470:1111:aaa::1/64
!ifconfig pair27 inet6 alias 2001:470:1111:aaa::2/64
!ifconfig pair27 inet6 alias 2001:470:1111:aaa::3/64
!route -T5 -qn add -inet6 2000::/3 fc00:5:2::2:5
patch pair26
description "NSD(5) to HE (2)"

rdomain 3
inet 192.0.2.5/31
inet6 fc00:3:2::3:2/64
!route -T3 -qn add 2000::/3 fc00:3:2::2:3
!route -T3 -qn add fc00::53/128 fc00:3:2::2:3
patch pair2
description "VM (3) to HE (2)"

rdomain 4
inet 192.0.2.8/31
inet6 fc00:4:1::4:1/64
!route -T4 -qn add default 192.0.2.9
description "MPLS VPN (4) to WAN (1)"

rdomain 1
inet 192.0.2.9/31
inet6 fc00:4:1::1:4/64
patch pair4
description "WAN (1) to MPLS VPN (4)"

rdomain 5
inet 192.0.2.10/31
inet6 fc00:5:10::5:10/64
description "NSD (5) to Unbound (10)"

rdomain 10
inet 192.0.2.11/31
inet6 fc00:5:10::10:5/64
patch pair6
description "Unbound (10) to NSD (5)"

rdomain 2
inet 192.0.2.12/31
inet6 fc00:4:2::2:4/64
description "HE (2) to MPLS VPN (4)"

rdomain 4
inet 192.0.2.13/31
inet6 fc00:4:2::4:2/64
patch pair8
description "MPLS VPN (4) to HE (2)"

rdomain 4
inet 192.0.0.0/31
inet6 fc00:4::f:f/64
!ifconfig tap0 mtu 9000
up
description "MPLS VPN TAP interface (OpenVPN L2 device)"

rdomain 1
inet 206.125.168.65 0xffffff00
inet6 2a00:f:f:f:206:125:168:65 48
!route -T1 add -host -inet 206.125.168.66 192.0.2.0
!route -T1 add -host -inet 206.125.168.67 192.0.2.0
!route -T1 add -host -inet 206.125.168.68 192.0.2.0
!route -T1 add -host -inet 206.125.168.69 192.0.2.0
!route -T1 add -host -inet 206.125.168.70 192.0.2.21
!route -T1 add -host -inet 206.125.168.71 192.0.2.19
!route -T1 -qn add -mpath default 206.125.168.1
!route -T1 -qn add -mpath default 206.125.168.2
!route -T1 -qn add -mpath default 206.125.168.3
!route -T1 -qn add -mpath default 206.125.168.64
!route -T1 -qn add -inet6 2000::/3 2a00:f:f::1
description "WAN (1) interface"

rdomain 3
inet 198.18.1.0/23
inet6 2001:470:aaaa:1::/64
inet6 fc00:3:f::f:f/64
!route -T3 -qn add -host -inet 206.125.168.66 198.18.0.1
!route -T3 -qn add -host -inet 206.125.168.67 198.18.0.2
!route -T3 -qn add -host -inet 206.125.168.68 198.18.0.3
!route -T3 -qn add -host -inet 206.125.168.69 198.18.0.4
!route -T3 -qn add -inet6 2001:470:aaaa:1:1::/80 fc00:3:f::1:1
!route -T3 -qn add -inet6 2001:470:aaaa:1:2::/80 fc00:3:f::1:2
!route -T3 -qn add -inet6 2001:470:aaaa:1:3::/80 fc00:3:f::1:3
!ifconfig vio1 mtu 9000
description "VM (3) network"

rdomain 7
inet 10.0.1.0/23
inet6 fc06::a/64

rdomain 4
!ifconfig vio3 mtu 9000
up
description "MPLS VPN"

rdomain 9
inet 10.0.5.0/23
inet6 fc08::a/64

rdomain 3
tunnel 192.0.0.0 192.0.0.1
tunneldomain 4
vnetid 3
inet6 fc00:3:4::3:4/64
description "VXLAN VM (3) to VyOS VMNET (3) testing"
up

rdomain 15
tunnel 192.0.0.0 192.0.0.1
tunneldomain 4
vnetid 5
inet6 fc00:15:4::15:4/64
description "VXLAN OVH (15) to VyOS HE (5) VRF"
!route -T15 -qn add -inet6 2001:470:5555:1::/64 fc00:15:4::f:1
up

rdomain 14
tunnel 192.0.0.0 192.0.0.1
tunneldomain 4
vnetid 7
inet6 fc00:14:4::14:4/64
description "VXLAN Hertzner (14) to VyOS Hertzner (7) VRF"
up

rdomain 14
wgrtable 1
wgport 51820
wgkey <private key>
wgpeer <public key> wgendpoint 2a00:d:d:2000::1 51820 wgaip ::/0 wgdescr "Hertzner VPSes (14) to vps-1-3"
inet6 fc00:14:1::14:1/64
description "Hertzner VPSes (14) to vps-1-3"
!route -T14 -qn add -inet6 2000::/3 fc00:14:1::f:1
up

rdomain 15
wgrtable 1
wgport 51821
wgkey <private key>
wgpeer <public key> wgendpoint 2a0a:a:a:a:0:a:a:1 51821 wgaip ::/0 wgdescr "OVH VPSes (15) to vps-1-2"
inet6 fc00:15:1::15:1/64
!route -T15 -qn add -inet6 2000::/3 fc00:15:1::f:1
description "OVH VPSes (15) to vps-1-2"
up
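With one interface file per routing domain, as in the hostname.if fragments above, two slips are easy to make and hard to spot: an "inet" line carrying an IPv6 address (which ifconfig rejects) and a "!route -T<n>" command whose table is not the rdomain the block declares (with -q the failure is silent and the route never appears). The linter below is an added example, not part of the gist; its sample fragments are constructed in the gist's style, with two deliberate slips.

```python
"""Lint hostname.if(5)-style fragments for a per-rdomain interface layout."""
import ipaddress
import re
import shlex

# Constructed sample in the style of the gist: the first fragment is clean,
# the second has an inet/inet6 slip, the third routes into the wrong table.
SAMPLE = """\
rdomain 10
inet 192.0.2.14/31
inet6 fc00:10:1::10:1/64
!route -T10 -qn add default 192.0.2.15
description "unbound (10) to WAN (1)"

rdomain 5
inet 192.0.2.21/31
inet fc00:5:1::5:1/64
!route -T5 -qn add default 192.0.2.20
description "NSD(5) to WAN (1)"

rdomain 12
inet 10.0.0.0 255.255.255.254
!route -T13 add -host -inet 198.51.100.7 10.0.0.1
description "IPSEC IKEv2 VPN test"
"""

TABLE_FLAG = re.compile(r"-T(\d+)")


def split_fragments(text):
    """Split a blob of fragments on blank lines into lists of stripped lines."""
    fragments, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            current.append(line)
        elif current:
            fragments.append(current)
            current = []
    if current:
        fragments.append(current)
    return fragments


def words_of(line):
    """Tokenise like the shell netstart uses; fall back to whitespace on bad quoting."""
    try:
        return shlex.split(line)
    except ValueError:
        return line.split()


def rdomain_of(lines):
    """Routing domain a fragment declares; hostname.if defaults to rdomain 0."""
    for line in lines:
        words = words_of(line)
        if len(words) >= 2 and words[0] == "rdomain":
            return int(words[1])
    return 0


def lint_fragment(lines):
    """Return (rdomain, line, problem) triples for one fragment."""
    rdomain = rdomain_of(lines)
    problems = []
    for line in lines:
        words = words_of(line)
        if len(words) < 2:
            continue
        key = words[0]
        if key in ("inet", "inet6"):
            # Both "inet addr/prefix" and "inet addr netmask" start with the
            # address; keywords such as "autoconf" are not addresses and are skipped.
            try:
                addr = ipaddress.ip_address(words[1].split("/")[0])
            except ValueError:
                continue
            want = 4 if key == "inet" else 6
            if addr.version != want:
                problems.append((rdomain, line,
                                 f"{key} line carries an IPv{addr.version} address"))
        elif key.startswith("!"):
            # Shell commands run by netstart: every -T<n> must name this block's table.
            for table in TABLE_FLAG.findall(line):
                if int(table) != rdomain:
                    problems.append((rdomain, line,
                                     f"command targets table {table}, block is rdomain {rdomain}"))
    return problems


def lint(text):
    """Lint every fragment in text and return all findings in file order."""
    findings = []
    for fragment in split_fragments(text):
        findings.extend(lint_fragment(fragment))
    return findings


if __name__ == "__main__":
    for rdomain, line, problem in lint(SAMPLE):
        print(f"rdomain {rdomain}: {problem}: {line}")
```

To run it against a real router, concatenate the /etc/hostname.* files with a blank line between them and pass the result to lint().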

ikev2 "site-to-site" passive esp \
    rdomain 12 \
    from 10.0.0.1/31 to 10.0.0.0/31 \
    local any peer any \
    psk "changeme" \
    tap enc0

router-id 192.0.0.0
rdomain 4
address-family ipv4 {
    interface tap0
}
l2vpn gw-3-1 type vpls {
    bridge bridge0
    interface vio3
    mtu 9000
    pseudowire mpw0 {
        neighbor-addr 192.0.0.1
        neighbor-id 192.0.0.1
        pw-id 100
    }
}

$ORIGIN mydomain.tld.
$TTL 21600
mydomain.tld.   IN SOA  ns1.mydomain.tld. noreply.mydomain.tld. (
                        2024042800 ; serial YYYYMMDDnn
                        1800       ; refresh
                        3600       ; retry
                        86400      ; expire
                        60 )       ; minimum TTL
                IN MX   10 mx
                IN A    206.125.168.69
                IN AAAA 2001:470:aaaa:1:206:125:168:69
                IN NS   ns1
                IN NS   ns2
ns1             IN A    206.125.168.70
                IN AAAA 2001:470:1111:aaa::0
ns2             IN A    206.125.168.70
                IN AAAA 2001:470:1111:aaa::1
ns3             IN A    206.125.168.70
                IN AAAA 2001:470:1111:aaa::2
ns4             IN A    206.125.168.70
                IN AAAA 2001:470:1111:aaa::3
rd-3.rtr-1-1    IN AAAA 2001:470:aaaa:1::0
www             IN A    206.125.168.67
                IN AAAA 2001:470:aaaa:1:206:125:168:67
imap            IN A    206.125.168.69
                IN AAAA 2001:470:aaaa:1:206:125:168:69
smtp            IN A    206.125.168.69
                IN AAAA 2001:470:aaaa:1:206:125:168:69
mx              IN A    206.125.168.69
                IN AAAA 2001:470:aaaa:1:206:125:168:69
mc              IN A    206.125.168.66
                IN AAAA 2001:470:aaaa:1:206:125:168:66
docker-1-1      IN A    206.125.168.67
                IN AAAA 2001:470:aaaa:1:206:125:168:67
docker-1-2      IN A    206.125.168.68
                IN AAAA 2001:470:aaaa:1:206:125:168:68
docker-1-3      IN A    206.125.168.69
                IN AAAA 2001:470:aaaa:1:206:125:168:69
traefik         IN A    206.125.168.67
                IN AAAA 2001:470:aaaa:1:206:125:168:67
dedi-1-1        IN A    206.125.168.64
                IN AAAA 2a00:f:f:f:206:125:168:64
rtr-1-1         IN A    206.125.168.65
                IN AAAA 2a00:f:f:f:206:125:168:65
vps-1-2         IN A    63.225.191.41
                IN AAAA 2a0a:a:a:a:0:a:a:1
vps-1-1         IN A    63.225.191.40
vps-1-3         IN A    208.79.92.66
                IN AAAA 2a00:d:d:2000::1

server:
    ip-address: 206.125.168.70
    ip-address: 2001:470:1111:aaa::0
    ip-address: 2001:470:1111:aaa::1
    ip-address: 2001:470:1111:aaa::2
    ip-address: 2001:470:1111:aaa::3
    verbosity: 1
    database: ""
    minimal-responses: yes
    refuse-any: yes

remote-control:
    control-enable: yes
    control-interface: /var/run/nsd.sock

zone:
    name: "mydomain.tld"

zone:
    name: "0.a.a.a.1.1.1.1.0.7.4.0.1.0.0.2.ip6.arpa"
    zonefile: "master/0.a.a.a.1.1.1.1.0.7.4.0.1.0.0.2.ip6.arpa"

zone:
    name: "1.0.0.0.a.a.a.a.0.7.4.0.1.0.0.2.ip6.arpa"
    zonefile: "master/1.0.0.0.a.a.a.a.0.7.4.0.1.0.0.2.ip6.arpa"

set skip on lo
block return    # block stateless traffic
pass            # establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild

match out on vio0 from 192.0.2.0/24 to any nat-to 206.125.168.65
match out on vio0 from 198.18.0.0/23 to any nat-to 206.125.168.65
pass on vio0 from 192.0.2.0/24 to any
pass on vio0 from 198.18.0.0/23 to any

interface vio1 {
    dns {
        nameserver fc00::53
        search 8n1.io
    }
}

dhcpd_flags=vio1
dhcpd_rtable=3
nsd_flags=
nsd_rtable=5
rad_flags=
rad_rtable=3
unbound_flags=
unbound_rtable=10

tls-server
persist-tun
persist-key
fast-io
tun-ipv6
mode server
local 206.125.168.66
keepalive 1 4
dev tap0
dev-type tap
proto udp
port 1194
sndbuf 512000
rcvbuf 512000
cipher AES-256-GCM
verb 3
user nobody
group nobody
key-direction 1
pkcs12 router-1-1.mydomain.tld.p12
dh dh.pem
crl-verify crl.pem
verify-client-cert require
tun-mtu 9000
topology subnet

ListenAddress 0.0.0.0 rdomain 1
PermitRootLogin yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
KbdInteractiveAuthentication no
Subsystem sftp /usr/libexec/sftp-server

net.inet.ip.forwarding=1
net.inet.ip.mforwarding=1
net.inet6.ip6.forwarding=1
net.inet6.ip6.mforwarding=1
net.inet.esp.enable=1
net.inet.ah.enable=1
net.inet.ip.multipath=1

server:
    interface: 192.0.2.14
    interface: fc00::53
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 192.0.2.0/24 allow
    access-control: 198.18.0.0/15 allow
    access-control: 10.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow
    access-control: 172.16.0.0/12 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow
    access-control: fc00::/7 allow
    access-control: 2001:470:1111:aaa::/64 allow
    access-control: 2001:470:aaaa::/48 allow
    hide-identity: yes
    hide-version: yes
    auto-trust-anchor-file: "/var/unbound/db/root.key"
    val-log-level: 2
    aggressive-nsec: yes

remote-control:
    control-enable: yes
    control-interface: /var/run/unbound.sock

forward-zone:
    name: "."                   # use for ALL queries
    forward-addr: 8.8.8.8       # example address only
    forward-first: yes          # try direct if forwarder fails

VyOS IPSEC site-to-site (connect to OpenBSD Router)
set interfaces vti vti0 address '10.0.0.1/31'
set vpn ipsec authentication psk ROUTER-1-1 id '206.125.168.66'
set vpn ipsec authentication psk ROUTER-1-1 id '172.18.0.1'
set vpn ipsec authentication psk ROUTER-1-1 secret 'changeme'
set vpn ipsec esp-group ROUTER-1-1 lifetime '1800'
set vpn ipsec esp-group ROUTER-1-1 mode 'tunnel'
set vpn ipsec esp-group ROUTER-1-1 pfs 'enable'
set vpn ipsec esp-group ROUTER-1-1 proposal 1 encryption 'aes256'
set vpn ipsec esp-group ROUTER-1-1 proposal 1 hash 'sha1'
set vpn ipsec ike-group ROUTER-1-1 key-exchange 'ikev2'
set vpn ipsec ike-group ROUTER-1-1 lifetime '3600'
set vpn ipsec ike-group ROUTER-1-1 proposal 1 encryption 'aes256'
set vpn ipsec ike-group ROUTER-1-1 proposal 1 hash 'sha256'
set vpn ipsec interface 'eth0'
set vpn ipsec options disable-route-autoinstall
set vpn ipsec options interface 'eth0'
set vpn ipsec site-to-site peer ROUTER-1-1 authentication local-id '172.18.0.1'
set vpn ipsec site-to-site peer ROUTER-1-1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer ROUTER-1-1 ike-group 'ROUTER-1-1'
set vpn ipsec site-to-site peer ROUTER-1-1 local-address '172.18.0.1'
set vpn ipsec site-to-site peer ROUTER-1-1 remote-address '206.125.168.66'
set vpn ipsec site-to-site peer ROUTER-1-1 tunnel 0 esp-group 'ROUTER-1-1'
set vpn ipsec site-to-site peer ROUTER-1-1 tunnel 0 local prefix '10.0.0.0/31'
set vpn ipsec site-to-site peer ROUTER-1-1 tunnel 0 remote prefix '10.0.0.0/31'
set vpn ipsec site-to-site peer ROUTER-1-1 vti bind 'vti0'

OVH vps-12 systemd-networkd configuration

50-he.netdev:
[NetDev]
Name=he-tunnel
Kind=sit

[Tunnel]
Remote=216.66.80.90
Local=63.225.191.41

50-he.network:
[Match]
Name=he-tunnel

[Network]
LinkLocalAddressing=ipv6
Address=2001:470:3333:aaa::2/64
ConfigureWithoutCarrier=yes
VRF=HE

[Route]
Destination=2000::/3
Gateway=2001:470:3333:aaa::1

[RoutingPolicyRule]
From=216.66.80.90
To=63.225.191.41
Table=101

[RoutingPolicyRule]
To=216.66.80.90
From=63.225.191.41
Table=default

50-he-vrf.netdev:
[NetDev]
Name=HE
Kind=vrf

[VRF]
Table=101

50-he-vrf.network:
[Match]
Name=HE

[Link]
ActivationPolicy=up
RequiredForOnline=no

50-wg0.netdev:
[NetDev]
Name=wg0
Kind=wireguard
Description=WireGuard tunnel wg0

[WireGuard]
ListenPort=51821
PrivateKey=<private key>

[WireGuardPeer]
PublicKey=<public key>
AllowedIPs=::/0
# systemd-networkd requires an IPv6 endpoint address in square brackets before the port
Endpoint=[2a00:f:f:f:206:125:168:65]:51821

50-wg0.network:
[Match]
Name=wg0

[Network]
Address=fc00:15:1::f:1/64
EmitLLDP=yes
VRF=HE

[Route]
Destination=2001:470:4444:aaa::/64
Gateway=fc00:15:1::15:1

[Route]
Destination=2001:470:5555::/48
Gateway=fc00:15:1::15:1

[RoutingPolicyRule]
From=206.125.168.65
To=63.225.191.41
DestinationPort=51820
IPProtocol=udp
Table=101

[RoutingPolicyRule]
To=206.125.168.65
From=63.225.191.41
Table=default

eth0.network:
[Match]
Name=eth0

[Network]
Address=63.225.191.41/24
Gateway=63.225.191.1
Address=2a0a:a:a:a:0:a:a:1/48
Gateway=2a0a:a:a:a:0::1
IPv6AcceptRA=yes
DNS=8.8.8.8
Tunnel=he-tunnel

[DHCP]
UseDNS=false

VyOS OpenVPN configuration
set interfaces openvpn vtun0 device-type 'tap'
set interfaces openvpn vtun0 encryption
set interfaces openvpn vtun0 keep-alive failure-count '4'
set interfaces openvpn vtun0 keep-alive interval '1'
set interfaces openvpn vtun0 mode 'client'
set interfaces openvpn vtun0 openvpn-option 'tun-mtu 9000'
set interfaces openvpn vtun0 openvpn-option 'sndbuf 512000'
set interfaces openvpn vtun0 openvpn-option 'rcvbuf 512000'
set interfaces openvpn vtun0 openvpn-option 'fast-io'
set interfaces openvpn vtun0 persistent-tunnel
set interfaces openvpn vtun0 remote-host '206.125.168.65'
set interfaces openvpn vtun0 server topology 'subnet'
set interfaces openvpn vtun0 tls ca-certificate 'CAROUTER1-1MYDOMAINTLD'
set interfaces openvpn vtun0 tls certificate 'VYOSMYDOMAINTLD'
set interfaces openvpn vtun0 tls peer-fingerprint 'aa:bb:cc:dd:ee:ff:aa:bb:cc:dd:ee:ff:aa:bb:cc:dd:ee:ff:aa:bb:cc:dd:ee:ff:aa:bb:cc:dd:ee:ff:aa:bb'
set interfaces vxlan vxlan1 address 'fc00:15:4::f:1/64'
set interfaces vxlan vxlan1 remote '192.0.0.0'
set interfaces vxlan vxlan1 source-interface 'br0'
set interfaces vxlan vxlan1 vni '5'
set interfaces vxlan vxlan1 vrf 'HE'
set pki ca CAROUTER1-1MYDOMAINTLD certificate '<cert ca string>'
set pki certificate VYOSMYDOMAINTLD certificate '<client cert string>'
set pki certificate VYOSMYDOMAINTLD private key '<client private key string>'
set interfaces dummy dum0 address '2001:0470:5555:0001:0001:ffff:ffff:ffff/80'
set interfaces dummy dum0 vrf 'HE'

VMNET client configuration

10-edge.netdev:
[NetDev]
Name=edge
Kind=bridge

15-priv.netdev:
[NetDev]
Name=priv-s
Kind=veth
MACAddress=52:54:00:66:12:12

[Peer]
Name=private

15-pub.netdev:
[NetDev]
Name=pub-s
Kind=veth
MACAddress=52:54:00:66:13:13

[Peer]
Name=public

20-edge.network:
[Match]
Name=edge

[Network]
ConfigureWithoutCarrier=yes
IPv6AcceptRA=no
DHCP=no

20-eth0.network:
[Match]
Name=eth0

[Network]
Bridge=edge
LLDP=yes

20-priv-s.network:
[Match]
Name=priv-s

[Network]
ConfigureWithoutCarrier=yes
Bridge=edge

20-pub-s.network:
[Match]
Name=pub-s

[Network]
ConfigureWithoutCarrier=yes
Bridge=edge

30-private.network:
[Match]
Name=private

[Network]
IgnoreCarrierLoss=true
ConfigureWithoutCarrier=yes
IPv6AcceptRA=no
LinkLocalAddressing=yes
IPv4LLRoute=false
IPForward=yes
DHCP=yes
Address=fc00:3:f::1:1/64

30-public.network:
[Match]
Name=public

[Network]
IgnoreCarrierLoss=true
ConfigureWithoutCarrier=yes
IPv6AcceptRA=yes
LinkLocalAddressing=ipv6
IPv4LLRoute=false
IPForward=yes
DHCP=no
Address=206.125.168.67/32

nftables.nft:
add table inet docker_swarm
flush table inet docker_swarm
add chain inet docker_swarm input { type filter hook input priority filter; policy drop; }
add chain inet docker_swarm forward { type filter hook forward priority filter; policy accept; }
add chain inet docker_swarm output { type filter hook output priority filter; policy accept; }
add chain inet docker_swarm raw_prerouting { type filter hook prerouting priority raw; policy accept; }
add chain inet docker_swarm raw_output { type filter hook output priority raw; policy accept; }
add chain inet docker_swarm nat_prerouting { type nat hook prerouting priority filter; policy accept; }
add chain inet docker_swarm nat_postrouting { type nat hook postrouting priority filter; policy accept; }
add rule inet docker_swarm input iiftype loopback counter accept
add rule inet docker_swarm input ct state related,established accept
add rule inet docker_swarm input ip6 nexthdr icmpv6 accept
add rule inet docker_swarm input iif private ip6 saddr fc00::/7 ip6 daddr fc00::/7 accept
add rule inet docker_swarm input iif private ip saddr 198.18.0.0/15 ip daddr 198.18.0.0/15 accept

nftables.service:
[Unit]
Description=nftables
Wants=network-pre.target
Before=network-pre.target shutdown.target
Conflicts=shutdown.target
DefaultDependencies=no

[Service]
Type=oneshot
RemainAfterExit=yes
StandardInput=null
ProtectSystem=full
ProtectHome=true
ExecStart=/usr/sbin/nft -f /etc/nftables.nft
ExecReload=/usr/sbin/nft -f /etc/nftables.nft
ExecStop=/usr/sbin/nft flush table inet docker_swarm

[Install]
WantedBy=sysinit.target

Traefik with IPv6 (note: the /126 is derived from the /80 route specified in hostname.vio):

docker-compose.yml:
version: '3.3'
services:
  traefik:
    image: traefik:v3.0
    ports:
      - 80:80
      - 443:443
    deploy:
      placement:
        constraints:
          - node.labels.traefik-public.traefik-public-certificates == true
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik-public
        - traefik.constraint-label=traefik-public
        - traefik.http.middlewares.admin-auth.basicauth.users=${USERNAME?Variable not set}:${HASHED_PASSWORD?Variable not set}
        - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
        - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
        - traefik.http.routers.traefik-public-http.rule=Host(`${DOMAIN?Variable not set}`)
        - traefik.http.routers.traefik-public-http.entrypoints=http
        - traefik.http.routers.traefik-public-http.middlewares=https-redirect
        - traefik.http.routers.traefik-public-https.rule=Host(`${DOMAIN?Variable not set}`)
        - traefik.http.routers.traefik-public-https.entrypoints=https
        - traefik.http.routers.traefik-public-https.tls=true
        - traefik.http.routers.traefik-public-https.service=api@internal
        - traefik.http.routers.traefik-public-https.tls.certresolver=le
        - traefik.http.routers.traefik-public-https.middlewares=admin-auth
        - traefik.http.services.traefik-public.loadbalancer.server.port=8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik-public-certificates:/certificates
    command:
      - --providers.docker
      - --providers.docker.constraints=Label(`traefik.constraint-label`, `traefik-public`)
      - --providers.docker.exposedbydefault=false
      - --providers.swarm.endpoint=unix:///var/run/docker.sock
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443
      - --certificatesresolvers.le.acme.email=${EMAIL?Variable not set}
      - --certificatesresolvers.le.acme.storage=/certificates/acme.json
      - --certificatesresolvers.le.acme.tlschallenge=true
      - --accesslog
      - --log
      - --api
    networks:
      default:
      traefik-public:
volumes:
  traefik-public-certificates:
networks:
  default:
    enable_ipv6: true
    ipam:
      config:
        - subnet: 2001:470:aaaa:1:1::/126
  traefik-public:
    external: true
OpenBSD's ARP proxy is a bit weird; working solution: on the Linux hypervisor where the OpenBSD router resides, add: