incident 009: document traffic laundering
This commit is contained in:
Gregor Michels
parent
5349baa100
commit
b5698a6c90
|
|
@ -274,7 +274,64 @@ root@gw-core01:~# /etc/init.d/dnsmasq reload
|
|||
009: 2022.08.23 ~03:00 | (maintenance) launder public wifi traffic through vpn
|
||||
------------------------------------------------------------------------------
|
||||
|
||||
_This is already implemented, documentation will follow_
|
||||
To help the refugee camp not get into legal trouble for providing free internet access (gotta love germany)
|
||||
we've put a vpn inplace that launders the traffic from the public wifi through a vpn provider.
|
||||
|
||||
Only the `clients` network gets laundered.
|
||||
This is accomplished by using policy-based routing.
|
||||
|
||||
The vpn interface is put into its own routing table (`20 - launder`).
|
||||
Two `ip rule`s steer the traffic from the `clients` network into the tunnel with a failsafe.
|
||||
If the vpn connection dies no traffic leaks through the normal wan interface.
|
||||
|
||||
**changes**:
|
||||
```
|
||||
root@gw-core01:~# echo "20 launder" >> /etc/iproute2/rt_tables
|
||||
root@gw-core01:~# cat >> /etc/config/network << EOF
|
||||
config interface 'wg1'
|
||||
option mtu 1350
|
||||
option proto 'wireguard'
|
||||
option private_key '[redacted]'
|
||||
list addresses '[redacted]'
|
||||
option ip4table 'launder'
|
||||
|
||||
config wireguard_wg1 'mullvad_fr'
|
||||
option public_key '[redacted]'
|
||||
option endpoint_host '[redacted]'
|
||||
option endpoint_port '51820'
|
||||
option route_allowed_ips '1'
|
||||
list allowed_ips '0.0.0.0/0'
|
||||
|
||||
config rule
|
||||
option in 'clients'
|
||||
option lookup 'launder'
|
||||
option priority 50
|
||||
|
||||
config rule
|
||||
option in 'clients'
|
||||
option action prohibit
|
||||
option priority 51
|
||||
EOF
|
||||
root@gw-core01:~# cat >> /etc/config/firewall << EOF
|
||||
config zone
|
||||
option name launder
|
||||
list network wg1
|
||||
option input REJECT
|
||||
option output ACCEPT
|
||||
option forward REJECT
|
||||
option masq 1
|
||||
option mtu_fix 1
|
||||
|
||||
config forwarding
|
||||
option src clients
|
||||
option dest launder
|
||||
EOF
|
||||
root@gw-core01:~# /etc/init.d/network restart
|
||||
root@gw-core01:~# /etc/init.d/firewall restart
|
||||
```
|
||||
|
||||
**impact**:
|
||||
* short service interruptions for public wifi clients at around ~03:00 lasting a few minutes
|
||||
|
||||
|
||||
010: 2022.08.28 13:00, 2022.08.29 09:10 - 10:30 | random reboots of gw-core01
|
||||
|
|
|
|||
Reference in New Issue