commit 4f93deea55c2986aec91b8c183837a4042c313b2 Author: Jack Date: Thu Aug 31 19:27:52 2023 +0100 First Push diff --git a/Monitoring VPS/docker-compose.yml b/Monitoring VPS/docker-compose.yml new file mode 100644 index 0000000..05dfc92 --- /dev/null +++ b/Monitoring VPS/docker-compose.yml @@ -0,0 +1,58 @@ +version: '3' +networks: + default: + enable_ipv6: true + driver: bridge + driver_opts: + com.docker.network.enable_ipv6: "true" + ipam: + driver: default + config: + - subnet: fd00:0:0:1:3::/64 + gateway: fd00:0:0:1:3::1 + - subnet: 172.18.0.0/16 + gateway: 172.18.0.1 +services: + ipv6nat: + container_name: ipv6nat + restart: unless-stopped + image: robbertkl/ipv6nat + privileged: true + network_mode: host + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + - /lib/modules:/lib/modules:ro + + nginx-proxy-manager: + image: 'jc21/nginx-proxy-manager:latest' + restart: unless-stopped + container_name: mainstack-nginxproxymanager + ports: + - '80:80' + - '443:443' + volumes: + - ./nginx-proxy-manager/data:/data + - ./nginx-proxy-manager/letsencrypt:/etc/letsencrypt + networks: + default: + ipv6_address: "fd00:0:0:1:3::2" + depends_on: + - uptime-kuma + - boris-uptime-koom + + uptime-kuma: + image: louislam/uptime-kuma:latest + container_name: uptime-kuma + restart: unless-stopped + volumes: + - ./uptime-kuma:/app/data + networks: + default: + ipv6_address: "fd00:0:0:1:3::3" + + telegraf: + restart: unless-stopped + image: telegraf:latest + container_name: telegraf + volumes: + - ./telegraf.conf:/etc/telegraf/telegraf.conf \ No newline at end of file diff --git a/Monitoring VPS/homeaccesswg.conf b/Monitoring VPS/homeaccesswg.conf new file mode 100644 index 0000000..a79b16e --- /dev/null +++ b/Monitoring VPS/homeaccesswg.conf 
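Review bot: `depends_on` of `nginx-proxy-manager` lists `boris-uptime-koom`, but no service of that name is defined anywhere in this file, so Compose should reject the stack with an undefined-dependency error until the entry is removed or the service added. Every image is pulled by floating tag (`jc21/nginx-proxy-manager:latest`, `louislam/uptime-kuma:latest`, `telegraf:latest`, untagged `robbertkl/ipv6nat`), so a redeploy is not reproducible and an upstream tag move silently changes what runs as a `privileged: true`, docker.sock-mounted container; pinning to a version tag or `@sha256:<digest-placeholder>` keeps the supply chain auditable. The ipv6nat service needs host networking and privilege by design, but a comment such as `# privileged + docker.sock: this container can control the host Docker daemon` would make the trust boundary explicit to the next reader.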
@@ -0,0 +1,10 @@
+[Interface]
+PrivateKey =
+Address = 172.16.16.6/32
+#DNS = 172.16.16.1
+
+[Peer]
+PublicKey =
+AllowedIPs = 172.16.16.0/24, 192.168.5.0/24, 192.168.6.0/24, 192.168.11.0/30, 192.168.10.0/30
+PersistentKeepalive = 25
+Endpoint = router.internal.tgj.services:51830
\ No newline at end of file
diff --git a/Monitoring VPS/readme.md b/Monitoring VPS/readme.md
new file mode 100644
index 0000000..d499591
--- /dev/null
+++ b/Monitoring VPS/readme.md
@@ -0,0 +1,3 @@
+* Configs from vps.tgj.services runs uptime kuma (https://status.tgj.services)[https://status.tgj.services] and telegraf to collect ping data (https://tgj.services/graph/goto/hnhB7DkIR?orgId=1)[https://tgj.services/graph/goto/hnhB7DkIR?orgId=1]
+
+** Server is a small one core system provided by a friend who runs a hosting provider Gets IPV6 from a huricane electric runnel, Also contains a wireguard tunnel to my house for internal service monitoring
\ No newline at end of file
diff --git a/Monitoring VPS/telegraf.conf b/Monitoring VPS/telegraf.conf
new file mode 100644
index 0000000..8d011cd
--- /dev/null
+++ b/Monitoring VPS/telegraf.conf
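Review bot: `PrivateKey =` and `PublicKey =` are left empty, which wg-quick rejects as a malformed key, so the file cannot be applied as committed and invites pasting the real private key back in before the next push. Keeping the key out of the config altogether is safer: drop the `PrivateKey` line and load it at bring-up with `PostUp = wg set %i private-key /etc/wireguard/<keyfile-placeholder>`, so the committed file is complete and the secret lives only in a mode-0600 file on the host. The peer `Endpoint` and the home-LAN `AllowedIPs` ranges are not secrets, but a header comment such as `# keys intentionally omitted; private key is loaded from a file via wg set` would make the redaction deliberate rather than look like an oversight.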
@@ -0,0 +1,30 @@
+# Configuration for telegraf agent
+[agent]
+ interval = "10s"
+ round_interval = true
+ metric_batch_size = 1000
+ metric_buffer_limit = 10000
+ collection_jitter = "0s"
+ flush_interval = "10s"
+ flush_jitter = "0s"
+ precision = ""
+ hostname = "TGJ-UK"
+ omit_hostname = false
+
+[[outputs.influxdb_v2]]
+
+ urls = ["https://influx.db.tgj.services"]
+
+ token = ""
+
+ organization = "TGJ "
+ bucket = "pings"
+
+[[inputs.ping]]
+ interval = '5s'
+# urls = ['router.internal.tgj.services','thatguyjack.co.uk','google.com','mail.uk.tgj.services','borishub.co.uk','luke.tgj.services','1.1.1.1','router.internal.borishub.co.uk','router.internal.swittcorp.net','router.internal.iwouldntdownloadacar.co.uk','2a12:bec0:210::1','2a12:bec0:212::1','2a12:bec0:213::1','2a12:bec0:214::1','2a12:bec0:215::1','2a12:bec0:216::1','2a12:bec0:21d::1','2a12:bec0:219::1','2a12:bec0:218::1','2a12:bec0:210:2::2', '2a12:bec0:210:3::2', '2a12:bec0:210:5::2', '2a12:bec0:210:4::2','149.18.80.30','149.18.80.31','149.18.80.32','149.18.80.33','149.18.80.35','149.18.80.36','149.18.80.37','149.18.80.38','149.18.80.39']
+ urls = ['router.internal.tgj.services','thatguyjack.co.uk','google.com','mail.uk.tgj.services','borishub.co.uk','luke.tgj.services','1.1.1.1','router.internal.borishub.co.uk','router.internal.swittcorp.net','router.internal.iwouldntdownloadacar.co.uk','2a12:bec0:210::1','2a12:bec0:212::1','2a12:bec0:213::1','2a12:bec0:214::1','2a12:bec0:215::1','2a12:bec0:216::1','2a12:bec0:21d::1','2a12:bec0:219::1','2a12:bec0:218::1','2a12:bec0:210:2::2', '2a12:bec0:210:3::2', '2a12:bec0:210:5::2', '2a12:bec0:210:4::2','149.18.80.30','149.18.80.31','149.18.80.32','149.18.80.33','149.18.80.35','149.18.80.36','149.18.80.37','149.18.80.38','149.18.80.39','45.61.173.144','45.61.173.145','45.61.173.146','45.61.173.147','45.61.173.148','45.61.173.149','45.61.173.150','45.61.173.151','45.61.173.152','45.61.173.153']
+ count = 1
+ ping_interval = 1.0
+ timeout = 3.0
+ deadline = 3
\ No newline at end of file
diff --git a/VDS/bird.conf b/VDS/bird.conf
new file mode 100644
index 0000000..70c3a77
--- /dev/null
+++ b/VDS/bird.conf
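Review bot: `token = ""` under `[[outputs.influxdb_v2]]` is an empty credential, so writes will be rejected as committed, and the obvious fix — pasting the real token into this file — would put a write token for the `pings` bucket into version control. Telegraf expands environment variables in its config, so `token = "${INFLUX_TOKEN}"` keeps the file complete and moves the secret to the service environment or an EnvironmentFile. `organization = "TGJ "` carries a trailing space, which looks unintended and will fail the org lookup if the server-side name has none. The commented-out `# urls = [...]` line under `[[inputs.ping]]` is a stale copy of the live target list and will drift from it; removing it avoids confusion about which set is active.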
@@ -0,0 +1,310 @@
+router id 45.61.173.144;
+
+log syslog all;
+log "/var/log/bird/bird.log" { debug, trace, info, remote, warning, error, auth, fatal, bug };
+
+protocol kernel {
+ ipv6;
+ scan time 15;
+# learn;
+}
+
+protocol kernel {
+ ipv4;
+ scan time 15;
+# learn;
+}
+
+protocol device {
+ scan time 10;
+}
+
+protocol static announcev6 {
+ ipv6;
+ description "Static v6 Routes";
+ route 2a12:bec0:210::/44 blackhole; #default Blackhole for subnet
+
+ route 2a12:bec0:210:4::/64 via 2a12:bec0:210:4::1; #Pete-tunnel
+ route 2a12:bec0:218::/48 via 2a12:bec0:210:4::2; #Pete-range
+
+ route 2a12:bec0:210:2::/64 via 2a12:bec0:210:2::1; #TGJ-tunnel
+ route 2a12:bec0:214::/48 via 2a12:bec0:210:2::2; #TGJ-range
+
+ route 2a12:bec0:210:5::/64 via 2a12:bec0:210:5::1; #Hugo-tunnel
+ route 2a12:bec0:21d::/48 via 2a12:bec0:210:5::2; #Hugo-range
+
+ route 2a12:bec0:210:3::/64 via 2a12:bec0:210:3::1; #Boris-tunnel
+ route 2a12:bec0:219::/48 via 2a12:bec0:210:3::2; #Boris-Range
+
+ route 2a12:bec0:210:6::/64 via 2a12:bec0:210:6::1; #Khem
+ route 2a12:bec0:213::/48 via 2a12:bec0:210:6::2; #Khem-Range
+
+ route 2a12:bec0:210:8::/64 via 2a12:bec0:210:8::1; #Jake
+ route 2a12:bec0:215::/48 via 2a12:bec0:210:8::2; #Jake-Range
+
+# route 2a12:bec0:210:7::/64 via 2a12:bec0:210:7::1; #Khempi
+# route 2a12:bec0:212::/48 via 2a12:bec0:210:7::2; #Khempi-Range
+}
+
+protocol static announcev4 {
+ ipv4;
+ description "Static v4 Routes";
+# route 2a12:bec0:215::/48 blackhole; #default Blackhole for subnet
+}
+
+protocol static {
+ ipv6;
+}
+
+protocol static {
+ ipv4;
+}
+
+define BOGON_ASNS = [
+ 0, # RFC 7607
+ 23456, # RFC 4893 AS_TRANS
+ 64496..64511, # RFC 5398 and documentation/example ASNs
+ 64512..65534, # RFC 6996 Private ASNs
+ 65535, # RFC 7300 Last 16 bit ASN
+ 65536..65551, # RFC 5398 and documentation/example ASNs
+ 65552..131071, # RFC IANA reserved ASNs
+ 4200000000..4294967294, # RFC 6996 Private ASNs
+ 4294967295 # RFC 7300 Last 32 bit ASN
+];
+
+define V6_BOGON_PREFIXES = [
+ #v6 bogon
+ ::/8+, # RFC 4291 IPv4-compatible, loopback, et al
+ 0100::/64+, # RFC 6666 Discard-Only
+ 2001:2::/48+, # RFC 5180 BMWG
+ 2001:10::/28+, # RFC 4843 ORCHID
+ 2001:db8::/32+, # RFC 3849 documentation
+ 2002::/16+, # RFC 7526 6to4 anycast relay
+ 3ffe::/16+, # RFC 3701 old 6bone
+ fc00::/7+, # RFC 4193 unique local unicast
+ fe80::/10+, # RFC 4291 link local unicast
+ fec0::/10+, # RFC 3879 old site local unicast
+ ff00::/8+ # RFC 4291 multicast
+];
+
+define V4_BOGON_PREFIXES = [
+ #v4 bogon
+ 0.0.0.0/8+, # RFC 1122 'this' network
+ 10.0.0.0/8+, # RFC 1918 private space
+ 100.64.0.0/10+, # RFC 6598 Carrier grade nat space
+ 127.0.0.0/8+, # RFC 1122 localhost
+ 169.254.0.0/16+, # RFC 3927 link local
+ 172.16.0.0/12+, # RFC 1918 private space
+ 192.0.2.0/24+, # RFC 5737 TEST-NET-1
+ 192.88.99.0/24+, # RFC 7526 6to4 anycast relay
+ 192.168.0.0/16+, # RFC 1918 private space
+ 198.18.0.0/15+, # RFC 2544 benchmarking
+ 198.51.100.0/24+, # RFC 5737 TEST-NET-2
+ 203.0.113.0/24+, # RFC 5737 TEST-NET-3
+ 224.0.0.0/4+, # multicast
+ 240.0.0.0/4+ # reserved
+];
+
+function reject_bogon_asns() {
+
+ if (bgp_path ~ BOGON_ASNS) then
+ {
+ print "Reject: bogon AS_PATH: ", net, " ", bgp_path;
+ reject;
+ }
+}
+
+function reject_v4_bogon_prefixes() {
+ if (net ~ V4_BOGON_PREFIXES) then
+ {
+ print "Reject: Bogon prefix: ", net, " ", bgp_path;
+ reject;
+ }
+}
+
+function reject_v6_bogon_prefixes() {
+ if (net ~ V6_BOGON_PREFIXES) then
+ {
+ print "Reject: Bogon prefix: ", net, " ", bgp_path;
+ reject;
+ }
+}
+
+function reject_smallv6_prefixes() {
+ if (net.len > 64) then
+ {
+ print "Reject: Too small prefix: ", net, " ", bgp_path;
+ reject;
+ }
+}
+
+function reject_smallv4_prefixes() {
+ if (net.len > 24) then
+ {
+ print "Reject: Too small prefix: ", net, " ", bgp_path;
+ reject;
+ }
+}
+
+function reject_long_aspaths() {
+ if (bgp_path.len > 100) then
+ {
+ print "Reject: Too long AS path: ", net, " ", bgp_path;
+ reject;
+ }
+}
+
+
+filter rt_import {
+ reject_bogon_asns();
+ reject_v4_bogon_prefixes();
+ reject_v6_bogon_prefixes();
+ reject_smallv6_prefixes();
+ reject_smallv4_prefixes();
+ reject_long_aspaths();
+ accept;
+}
+
+filter rt_export {
+ if (proto = "announcev4") then
+ accept;
+ if (proto = "announcev6") then
+ accept;
+ reject;
+}
+
+#EBGP upstream sessions
+protocol bgp scaleblade {
+ local 2a12:bec0:7000:1:149:18:80:30 as 199519;
+# local 2a12:bec1:b00b:b00b:b00b:b00b:b00b:b00b as 199519;
+ neighbor 2a12:bec0:7000::1 as 52041;
+ multihop 255;
+ ipv6 {
+ export limit 20;
+ import filter rt_import;
+ export filter rt_export;
+ graceful restart on;
+ };
+}
+
+#protocol bgp R64 {
+# local 2a0f:5707:abf8:134::2 as 199519;
+# neighbor 2a0f:5707:abf8:134::1 as 212895;
+# ipv6 {
+# import none;
+# export filter rt_export;
+# };
+#}
+
+#IBGP sessions
+protocol bgp TGJHOME {
+ local 2a12:bec0:210:2::1 as 199519;
+ neighbor 2a12:bec0:210:2::2 as 199519;
+ multihop 255;
+ ipv6 {
+ import limit 20;
+ import filter rt_import;
+ export filter rt_export;
+ };
+}
+
+protocol bgp hugo {
+ local 2a12:bec0:210:5::1 as 199519;
+ neighbor 2a12:bec0:210:5::2 as 199519;
+ multihop 255;
+ ipv6 {
+ import limit 10;
+ import filter rt_import;
+ export filter rt_export;
+ };
+}
+
+protocol bgp pete {
+ local 2a12:bec0:210:4::1 as 199519;
+ neighbor 2a12:bec0:210:4::2 as 199519;
+ multihop 255;
+ ipv6 {
+ import limit 10;
+ import filter rt_import;
+ export filter rt_export;
+ };
+}
+
+protocol bgp boris {
+ local 2a12:bec0:210:3::1 as 199519;
+ neighbor 2a12:bec0:210:3::2 as 199519;
+ multihop 255;
+ ipv6 {
+ import limit 10;
+ import filter rt_import;
+ export filter rt_export;
+ };
+}
+
+protocol bgp khem {
+ local 2a12:bec0:210:6::1 as 199519;
+ neighbor 2a12:bec0:210:6::2 as 199519;
+ multihop 255;
+ ipv6 {
+ import limit 20;
+ import filter rt_import;
+ export filter rt_export;
+ };
+}
+
+protocol bgp luke {
+ local 2a12:bec0:210:7::1 as 199519;
+ neighbor 2a12:bec0:210:7::2 as 199519;
+ multihop 255;
+ ipv6 {
+ import limit 20;
+ import filter rt_import;
+ export filter rt_export;
+ };
+}
+
+#iBGP Customers
+
+#protocol bgp mrcool {
+# local 2a12:bec0:210:10::1 as 199519;
+# neighbor 2a12:bec0:210:10::2 as 199187;
+# multihop 255;
+# ipv6 {
+# import limit 10;
+# import filter rt_import;
+# export filter rt_export;
+# };
+#}
+
+protocol bgp jake {
+ local 2a12:bec0:210:8::1 as 199519;
+ neighbor 2a12:bec0:210:8::2 as 199519;
+ multihop 255;
+ ipv6 {
+ import limit 10;
+ import filter rt_import;
+ export filter rt_export;
+ };
+}
+
+#Monitoring
+protocol bgp QRT {
+ local 45.61.173.144 as 199519;
+ neighbor 178.248.237.29 as 197068;
+ multihop 255;
+ ipv6 {
+ import filter rt_import;
+ export filter rt_export;
+ };
+}
+
+# off till full table
+#protocol bgp bgptools {
+# local 2a12:bec0:7000:1:149:18:80:30 as 199519;
+# neighbor 2a0c:2f07:9459::b6 as 212232;
+# multihop 255;
+# ipv6 {
+# import all;
+# export all;
+# };
+#}
\ No newline at end of file
diff --git a/VDS/readme.md b/VDS/readme.md
new file mode 100644
index 0000000..d7b80f6
--- /dev/null
+++ b/VDS/readme.md
@@ -0,0 +1 @@
+* Configs from vds.tgj.services
diff --git a/VDS/tayga.conf b/VDS/tayga.conf
new file mode 100644
index 0000000..edf06fc
--- /dev/null
+++ b/VDS/tayga.conf
@@ -0,0 +1,6 @@
+tun-device nat64 #Virtual Device name
+ipv4-addr 192.168.255.1 #Nat64 v4 address range
+ipv6-addr 2a12:bec0:210:65::1 #ipv6 address for external access
+prefix 2a12:bec0:210:64::/96 #ipv6 subnet for DNS64'd requests
+dynamic-pool 192.168.255.0/24 #Dynamic pool for v4 Clients
+data-dir /var/spool/tayga
\ No newline at end of file
diff --git a/VDS/wireguard-example.conf b/VDS/wireguard-example.conf
new file mode 100644
index 0000000..9a5252c
--- /dev/null
+++ b/VDS/wireguard-example.conf
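Review bot: `filter rt_import` calls `reject_smallv4_prefixes()` unconditionally, yet every session that uses it (`scaleblade`, `TGJHOME`, `hugo`, `pete`, `boris`, `khem`, `luke`, `jake`, `QRT`) carries only an `ipv6` channel, so `net.len > 24` holds for every customer /48 and /64 and — unless BIRD evaluates `net.len` differently than I expect — the filter rejects essentially all IPv6 routes before `accept` is reached. Guard the family-specific checks with the net type: `if (net.type = NET_IP6) then reject_smallv6_prefixes();` and `if (net.type = NET_IP4) then reject_smallv4_prefixes();`, and the same for the two bogon-prefix helpers, which presumably never match on the other family anyway. `protocol bgp scaleblade` is the eBGP upstream but has only `export limit 20` and no `import limit`; since rt_import is all that stands between a misbehaving upstream and this one-core host's memory, an `import limit` with an explicit `action` is the usual safeguard. `QRT` pairs IPv4 `local`/`neighbor` addresses with an `ipv6` channel, which is fine only if IPv6 NLRI over an IPv4 transport is intended; a one-line comment stating that would save the next reader a guess.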
@@ -0,0 +1,44 @@
+#ipv6 ibgp wireguard
+#Server PrivateKey
+#Server Publickey
+
+[Interface]
+PrivateKey =
+Address = 2a12:bec0:210:2::1/64,172.23.10.1/30 #Local Interface addresses
+ListenPort = 51819
+MTU = 1430 #MTU supported on a standard GPON network
+
+PreUp = iptables -t nat -A PREROUTING -d -p tcp --dport 1:65000 -j DNAT --to-destination 172.23.10.2 #Forward all TCP ports on external IP to Peers Address
+PreUp = iptables -t nat -A PREROUTING -d -p udp --dport 1:65000 -j DNAT --to-destination 172.23.10.2 #Forward all UDP ports on external IP to Peers Address
+PreUp = iptables -t nat -A POSTROUTING -s 172.23.10.2/30 -j SNAT --to-source #Add SNAT (source NAT) rule for outgoing traffic
+PreUp = ip6tables -A FORWARD -i ens18 -o wg1 -j ACCEPT #allow BGP'd traffic between interfaces
+PreUp = ip6tables -A FORWARD -i wg1 -o ens18 -j ACCEPT
+PreUp = ip6tables -A FORWARD -i wg1 -o wg2 -j ACCEPT
+PreUp = ip6tables -A FORWARD -i wg1 -o wg3 -j ACCEPT
+PreUp = ip6tables -A FORWARD -i wg1 -o wg4 -j ACCEPT
+PreUp = ip6tables -A FORWARD -i wg1 -o wg5 -j ACCEPT
+PreUp = ip6tables -A FORWARD -i wg1 -o wg9 -j ACCEPT
+PreUp = ip6tables -A FORWARD -i wg1 -o wg10 -j ACCEPT
+PreUp = ip6tables -A FORWARD -i wg1 -o nat64 -j ACCEPT
+PreUp = ip6tables -A FORWARD -i nat64 -o wg1 -j ACCEPT
+
+
+#Same as above but removing rules
+PostDown = ip6tables -D FORWARD -i nat64 -o wg1 -j ACCEPT
+PostDown = ip6tables -D FORWARD -i wg1 -o nat64 -j ACCEPT
+PostDown = ip6tables -D FORWARD -i wg1 -o wg2 -j ACCEPT
+PostDown = ip6tables -D FORWARD -i wg1 -o wg3 -j ACCEPT
+PostDown = ip6tables -D FORWARD -i wg1 -o wg4 -j ACCEPT
+PostDown = ip6tables -D FORWARD -i wg1 -o wg5 -j ACCEPT
+PostDown = ip6tables -D FORWARD -i wg1 -o wg9 -j ACCEPT
+PostDown = ip6tables -D FORWARD -i wg1 -o wg10 -j ACCEPT
+PostDown = ip6tables -D FORWARD -i ens18 -o wg1 -j ACCEPT
+PostDown = ip6tables -D FORWARD -i wg1 -o ens18 -j ACCEPT
+PostDown = iptables -t nat -D PREROUTING -d -p tcp --dport 1:65000 -j DNAT --to-destination 172.23.10.2
+PostDown = iptables -t nat -D PREROUTING -d -p udp --dport 1:65000 -j DNAT --to-destination 172.23.10.2
+PostDown = iptables -t nat -D POSTROUTING -s 172.23.10.2/30 -j SNAT --to-source
+
+[Peer]
+#PublicKey =
+PublicKey =
+AllowedIPs = 2a12:bec0:210:2::2/64,2a12:bec0:214::/48,172.23.10.2/30
\ No newline at end of file
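Review bot: The two `PreUp` DNAT rules forward every TCP and UDP destination port 1–65000 on the (redacted `-d`) external address to `172.23.10.2`; if that address is the one this interface listens on, UDP `51819` is included, so the peer's own handshake packets are redirected into a tunnel that is not up yet, and any service bound to that address on the host becomes reachable only via the peer. Listing the ports the peer actually serves is the cleaner fix; at minimum, a preceding `PreUp = iptables -t nat -A PREROUTING -d <PUBLIC_IPV4> -p udp --dport 51819 -j ACCEPT` exempts the WireGuard port from the range rule (with the matching `-D` in `PostDown`). The redacted `-d` and `--to-source` arguments leave `iptables` with a missing operand, so wg-quick aborts on the first PreUp line as committed; an explicit placeholder such as `-d <PUBLIC_IPV4>` keeps the template usable and makes the required substitution obvious. The `#Server PrivateKey` / `#Server Publickey` header comments suggest keys were once recorded inline; keeping only the public key there and loading the private key via `PostUp = wg set %i private-key <keyfile-placeholder>` avoids that pattern recurring.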