1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
2 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml">
6 <meta name="generator" content="HTML::TextToHTML v2.51"/>
7 <link rel="stylesheet" type="text/css" href="../files/style.css"/>
10 <h1><a name="section_1">Redirecting traffic using FastD</a></h1>
12 <p>FastD is a VPN daemon that has many features of OpenVPN and Tinc and is optimized for small code size and small number of dependencies. Fastd became popular on small devices like routers. In this tutorial we will configure a listening peer (alpha) and a connecting peer (anyremote). On a side note, with fastD you can setup mesh networks (n:n), as opposed to classical clients server networks (1:n). This configuration can be seen as a simple (1:1) setup between the listening <em>alpha</em> peer and our connecting client <em>anyremote</em>. All traffic from anyremote is redirected to alpha, making alpha the default gateway. This configuration has a lot of similarities with the tinc tutorial (that you can find here: <a href="http://www.robinkrens.nl/tutorials/tinc.html">http://www.robinkrens.nl/tutorials/tinc.html</a>). Documentation and manual pages of fastd can be found here <a href="http://fastd.readthedocs.io">http://fastd.readthedocs.io</a>
16 <h2><a name="section_1_1">Alpha peer</a></h2>
18 <p>To run the daemon you only need one configuration file. You can place it in fastd's defualt directory <u>/etc/fastd/fastd.conf</u>. Here we show a standard configuration of <u>fastd.conf</u> with some minor changes:
21 # Log warnings and errors to stderr
24 # Log everything to syslog
25 log to syslog level debug;
27 # tunnel mode (default is tap).
28 # We use tunneling mode, since we are dealing with routing
31 # Set the interface name
32 # you can use any name you like
33 # this is the name to configure your interface wit
34 interface "vpngateway";
36 # encryption method to use
37 falls back to null if salsa is not chosen.
38 method "salsa2012+umac";
41 # Bind to a fixed port, IPv4 only
42 # If your remote ip is 1.2.3.4, make sure 1.2.3.4:10000 is accesible
45 # Secret key generated by `fastd --generate-key`
46 # --generate-key outputs a file with a secret and public key
47 # secret key goes in here. Public keys is distributed amongst other peers
48 # read about PKI infrastructures if you don't know about this.
49 secret "supersecretkey";
51 # (see MTU selection documentation)
52 # base MTU is 1500 and you want to use TUN mode over IPv4 with any
53 # crypto method: Choose 1500 - 52 = 1448 bytes.
56 # on up: shell script to configure the tun interface on daemon start
57 on up "./interface-up";
59 # on down: shell script when daemon is terminated
60 on down "./interface-down";
62 # Include peers from the directory 'peers'
63 # anyremote is a peer trying to connect to alpha
64 include peer "peers/anyremote";
66 <p>Keys can be generate by running --generate-key (written to stdout):
69 root@alpha:~$ fastd --generate-key > keys
70 root@alpha:~$ cat keys
71 2018-04-30 19:25:57 +0800 --- Info: Reading 32 bytes from /dev/random...
72 Secret: 5035de5b4ea448b74e9a373765207095057a9485fd9dca5fadb9c1b86347bd75
73 Public: 8cb5e8d70d34f52716b6c4de518af2edfd6794e68ef1b3f0608cf05dd6a2ef42
75 <p>The secret key needs to be added to the above <u>fastd.conf</u> file. The public needs to be spread amongst peers (as we explain later).
76 on up "./interface-up" will run a simple shell script and configures our network interface vpngateway (make sure this script is executable).
77 This is our <u>interface.up</u> script: We create a virtual IP: 172.16.16.1.
81 ip link set $INTERFACE up
82 ip addr add 172.16.16.1/24 dev $INTERFACE
84 <p>If we terminate fastd, we run a similar script as defined in interface-down
88 ip addr del 172.16.16.1/24 dev $INTERFACE
89 ip link set $INTERFACE down
91 <p>We will create the <u>peer/anyremote</u> file after we finished configuring anyremote and its public key
93 <h2><a name="section_1_2">Anyremote peer</a></h2>
95 <p>Similar to alpha, we create <u>/etc/fastd/fastd.conf</u>. Since we only need to connect to alpha we don't need to bind to a fixed port.
98 # log arnings and errors to stderr
101 # Log everything to syslog
102 log to syslog level debug;
104 # tunnel mode (default is tap)
107 # Set the interface name
108 interface "vpngateway";
110 # Support salsa2012+umac and null methods, prefer salsa2012+umac
111 method "salsa2012+umac";
114 # Secret key generated by `fastd --generate-key`
115 secret "supersecretkey";
117 # (see MTU selection documentation)
121 on up "./interface-up";
124 on down "./interface-down";
126 # if a connection is established set up the gateway
127 on establish "./set-gateway";
129 # if the connection is lost restore the default gateway
130 on disestablish "./restore-gateway";
132 # Include peers from the directory 'peers'
133 include peer "peers/alpha";
135 <p>For anyremote we also need to generate a key pair and replace the "supersecretkey" with the secret key value. The public key will be given to alpha (explained in a little while)
138 root@anyremote~ $ fastd --generate-keys > anyremote-keypair
139 root@anyremote~ $ cat anyremote-keypair
140 2018-05-01 19:48:49 +0800 --- Info: Reading 32 bytes from /dev/random...
141 Secret: c0a611e0d4f3075b45cf172d3221c8427008e2c6f541b5b6adda0368cb79f271
142 Public: 2598c5d7e72f171731658ce35734ff7599e1840367422e1a9c5943c327ab5ea9
145 <p><em>on up</em> and <em>on down</em> are similar to alpha (except the ip address). interface-up:
149 ip link set $INTERFACE up
150 ip addr add 172.16.16.2/24 dev $INTERFACE
157 ip addr del 172.16.16.1/24 dev $INTERFACE
158 ip link set $INTERFACE down
160 <p>We need to include some information about how to connect to alpha. We define in a file (<u>/etc/fastd/peers/alpha</u>):
163 root@anyremote:/etc/fastd/peers/ $ cat alpha
165 key "8cb5e8d70d34f52716b6c4de518af2edfd6794e68ef1b3f0608cf05dd6a2ef42";
166 remote 1.2.3.4:10000;
168 <p><em>key</em> means the public key we just created with --generate-keys the alpha section. Here we add a remote ip to which anyremote tries to connect to. Make sure port numbers are the same.
169 Don't forget to also add our our just created public key to our alpha server:
172 root@alpha:/etc/fastd/peers/ $ cat anyremote
174 key "2598c5d7e72f171731658ce35734ff7599e1840367422e1a9c5943c327ab5ea9";
176 <p>This will allow alpha to accept connections from anyremote. Note: you don't need to specify a remote address, this will make it more dynamic and you can connect with anyremote from anywhere as long as you have the private key.
178 <p>After these steps you should be able to run both alpha and anyremote. You can run the daemon as follows:
181 root@alpha:~ $ fastd -c /etc/fastd/fastd.conf &
182 root@anyremote:~ $ fastd -c /etc/fastd/fastd.conf &
184 <p>The interface <em>vpngateway</em> should show up and you should be able to ping to both hosts us.
186 </p><p>Now, in our config file of anyremote we see two additionals values: <em>on establish</em> and <em>on disestablish</em>. Once the connection is (dis)established, fastd will execute these scripts. This brings us two the last step: setting the default gateway of anyremote to point to alpha
188 <h2><a name="section_1_3">Alpha as gateway for anyremote</a></h2>
190 <p>Have a look at the tinc tutorial (gateway section) about the theory of routing and gateways.
191 We add the following scripts in <u>/etc/fastd</u> of anyremote if a connection with alpha is established: (set-gateway)
195 #ip link set $INTERFACE up
196 #ip addr add 172.16.16.2/24 dev $INTERFACE
198 VPN_GATEWAY=172.16.16.1
199 ORIGINAL_GATEWAY=`ip route show | grep ^default | cut -d ' ' -f 2-5`
200 REMOTEADDRESS=1.2.3.4
202 ip route add $REMOTEADDRESS $ORIGINAL_GATEWAY
203 ip route add $VPN_GATEWAY dev $INTERFACE
204 ip route add 0.0.0.0/1 via $VPN_GATEWAY dev $INTERFACE
205 ip route add 128.0.0.0/1 via $VPN_GATEWAY dev $INTERFACE
208 <p>And, similar, if the connecting is lost: (restore-gateway):
212 #ip addr del 172.16.16.2/24 dev $INTERFACE
213 #ip link set $INTERFACE down
215 ORIGINAL_GATEWAY=`ip route show | grep ^default | cut -d ' ' -f 2-5`
216 REMOTEADDRESS=45.76.159.1
218 ip route del $REMOTEADDRESS $ORIGINAL_GATEWAY
219 ip route del $VPN_GATEWAY dev $INTERFACE
220 ip route del 0.0.0.0/1 dev $INTERFACE
221 ip route del 128.0.0.0/1 dev $INTERFACE
223 <h2><a name="section_1_4">Setup firewall</a></h2>
225 <p>Make sure forwarding is enabled on alpha. Make sure you have masquerading or another form of routing set up on alpha. If you don't masquerade outgoing (forwarded anyremote) packets, the source address in in the TCP/UDP package will still remain 172.16.16.2. Please have a look here: <a href="http://www.tldp.org/LDP/nag2/x-087-2-ipmasq.html">http://www.tldp.org/LDP/nag2/x-087-2-ipmasq.html</a> if you don't know about NAT and masquerading.
229 # iptables config line to masquerade
231 echo "Enabling IPv4 forwarding"
232 echo 1 >/proc/sys/net/ipv4/ip_forward
234 echo "Appending Masquerade rule to iptables"
235 iptables -t nat -A POSTROUTING -s 172.16.16.0/255.255.255.0 -o eth0 -j MASQUERADE
237 <p>I use iptables to masquerade the (-s) source address on the (-o) interface eth0.
239 <h2><a name="section_1_5">Test the gateway</a></h2>
241 <p>Restart the daemon on alpha and anyremote. Use route -n to see check your routing tables. Ping both 172.16.16.1 and 1.2.3.4 (external address). In case of problems, trace the connections or analyze the data with tools like wireshark.
243 <h2><a name="section_1_6">Troubleshooting help</a></h2>
246 <li>DNS request are not forwarded through the gateway. Check your resolver config files (/etc/resolv.conf). Debian-based systems might have the following configuration
249 root@anyremote:~$ cat /etc/resolv.conf
254 <li>and in your routing table you might have the following entry. A local / caching DNS server might still send packages to your router. Use wireshark to see if there are any DNS queries, not going to the VPN gateway
259 link-local * 255.255.0.0 U 1000 0 0 wlp7s0
262 <li>A simple fix would to change your resolv.conf and point it to nameserver 8.8.8.8
264 </li><li>Fastd's log to <u>/var/log/syslog</u> You can define these locations in your fast.conf file. You can also change the log level, in case you need more information:
267 --log-level error|warn|info|verbose|debug|debug2
268 Sets the stderr log level; default is info if no alternative log
269 destination is configured.
272 <li>Use tcpdump or wireshark to analyze your network devices