Fastd - Fast and Secure Tunneling Daemon

Installation

apt install fastd

Schlüssel generieren

Hinweis

Der Schlüssel kann auch lokal generiert werden.

apt install haveged

Den Schlüssel generieren.

fastd --generate-key

Den privaten Schlüssel (Secret) speichern wir in der Datei /etc/fastd/{{ grains['id'] }}/secret.conf, das sollte dann so aussehen.

secret "{{ secret }}";

Den öffentlichen Schlüssel (Public) speichern wir dann unter /etc/fastd/{{ grains['id'] }}/peers/{{ grains['id'] }}, das sollte dann so aussehen.

remote {{ protocol }} "{{ fqdn }}" port {{ port }};
key "{{ key }}";

Entropie=Wahnsinn=haveged wozu?

„neoraider“ hat mich auf #gluon gebrieft.

  1. „haveged wird nur fuer den ersten Boot bzw. im Configmode fuer die Generierung der Keys fuer fastd und ssh benoetigt.

  2. haveged braucht im Betrieb ca. 800kB RAM und es ist im Moment kein RAM-Mangel bekannt, auch beim Meshen nicht.“

Gmon

Konfiguration

Inhalt von fastd.conf.

# This file is managed by Salt, do not edit.
# fastd configuration for this gateway; interface, address, port and socket
# are filled in by the Salt file.managed state that renders this template.

# Default log level. The commented-out alternative keeps only fatal messages;
# debug output is verbose, so consider lowering it once the gateway is stable.
log level debug;
#log level fatal;
# Keep client IP and MAC addresses out of the log output.
hide ip addresses yes;
hide mac addresses yes;
interface "{{ interface }}";
method "salsa2012+umac";
bind {{ address }}:{{ port }};
# The private key is kept in a separate file (secret.conf).
include "secret.conf";
mtu 1426;
# Every file in the peers/ directory is loaded as a known peer.
include peers from "peers";
# The verify command is run for connection attempts from peers that are not
# in the peer directory, and the peer is accepted when the command exits 0.
# "true" always exits 0, so every unknown peer is admitted; presumably
# intended for open client/node access — confirm this is wanted.
on verify "true";
status socket "{{ socket }}";
# NOTE(review): the original comment here said "do not log to syslog", but
# this line enables syslog logging at debug level — confirm which is intended.
log to syslog level debug;

Peers

Die Peers sollten mit den anderen Gateways synchronisiert werden, so dass alle Peers dann in dem Verzeichnis /etc/fastd/{{ grains['id'] }}/peers verfügbar sind.

Salt State File

fastd.sls

# Fastd - Fast and Secure Tunneling Daemon

# Package and service names looked up by OS family; only Debian is defined
# and it is also the fallback, so every minion resolves to these values.
{% set fastd = salt['grains.filter_by']({
  'Debian': {'pkg': 'fastd', 'srv': 'fastd'}
}, default='Debian') %}

{% if pillar['fastd']['secret'] is defined %}

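# Install fastd and keep the service enabled and running. The service only
# starts once the package and every rendered config file are in place; the
# two separate require lists of the original are merged into one.
# init_delay makes Salt wait 120s after starting the service before it
# reports the state as done.
{{ fastd.pkg }}:
  pkg.installed:
    - name: {{ fastd.pkg }}
    - refresh: True
  service.running:
    - name: {{ fastd.srv }}
    - init_delay: 120
    - enable: True
    # Restarts on config changes are triggered by listen_in on the file
    # states below, so no watch requisite is needed here.
    - require:
      - pkg: {{ fastd.pkg }}
      - file: /etc/fastd/{{ grains['id'] }}/fastd.conf
      - file: /etc/fastd/{{ grains['id'] }}/secret.conf
      # Presumably resolves (by name) to the file.absent state that removes
      # the gateway's own peer file — no file.managed state has this ID.
      - file: /etc/fastd/{{ grains['id'] }}/peers/{{ grains['id'] }}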

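# Set AUTOSTART in /etc/default/fastd to the minion id (the fastd instance
# directory used below): replace an existing, possibly commented-out,
# AUTOSTART line or append one if none is present.
{% set pattern = '^(|#)AUTOSTART="(.*)"$' %}
{% set repl = 'AUTOSTART="%s"' % grains['id'] %}
/etc/default/fastd:
  file.replace:
    - name: /etc/default/fastd
    # Quoted so the rendered regex and replacement are always read by YAML
    # as plain strings regardless of their content.
    - pattern: '{{ pattern }}'
    - repl: '{{ repl }}'
    - append_if_not_found: True
    - require:
      - pkg: {{ fastd.pkg }}
    - listen_in:
      - service: {{ fastd.srv }}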

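# Render the main fastd config from the gateway template. Template values
# are quoted so that number- or boolean-looking pillar data (ports, IPv6
# addresses) is passed to the template as a string instead of being retyped
# by YAML; the template only interpolates them as text.
/etc/fastd/{{ grains['id'] }}/fastd.conf:
  file.managed:
    - name: /etc/fastd/{{ grains['id'] }}/fastd.conf
    - source: salt://gateway/etc/fastd/gw/fastd.conf
    - template: jinja
    - defaults:
        port: '{{ pillar['fastd']['port'] }}'
        socket: '{{ pillar['fastd']['socket'] }}'
        interface: '{{ pillar['network']['mesh']['interface'] }}'
        address: '{{ pillar['network']['primary']['address'] }}'
    - makedirs: True
    # Restart fastd whenever this file changes.
    - listen_in:
      - service: {{ fastd.srv }}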

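# Render the file holding the gateway's private key. The original state set
# no permissions, so the secret was readable by every local user; it is now
# restricted to root, and show_changes is disabled so the key does not end
# up in state output or the job cache as a diff. The value is quoted so a
# key consisting only of digits is not retyped as an integer.
/etc/fastd/{{ grains['id'] }}/secret.conf:
  file.managed:
    - name: /etc/fastd/{{ grains['id'] }}/secret.conf
    - source: salt://gateway/etc/fastd/gw/secret.conf
    - template: jinja
    - defaults:
        secret: '{{ pillar['fastd']['secret'] }}'
    - user: root
    - group: root
    - mode: '0600'
    - show_changes: False
    - makedirs: True
    # Restart fastd whenever the key changes.
    - listen_in:
      - service: {{ fastd.srv }}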

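# One peer file per entry in pillar['peers'], skipping the gateway itself.
# Template values are quoted so that host names, ports and keys are passed
# as strings. Note that peers removed from the pillar are not removed from
# the directory by this loop; a separate file.absent (or a cleaned
# file.directory) would be needed for that.
{% for peer, data in pillar['peers'].items() %}
{% if peer != grains['id'] %}
/etc/fastd/{{ grains['id'] }}/peers/{{ peer }}:
  file.managed:
    - name: /etc/fastd/{{ grains['id'] }}/peers/{{ peer }}
    - source: salt://gateway/etc/fastd/gw/peers/peer
    - template: jinja
    - defaults:
        protocol: '{{ pillar['fastd']['protocol'] }}'
        fqdn: '{{ data.fqdn }}'
        port: '{{ pillar['fastd']['port'] }}'
        key: '{{ data.key }}'
    - makedirs: True
    # Restart fastd whenever a peer file changes.
    - listen_in:
      - service: {{ fastd.srv }}
{% endif %}
{% endfor %}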

# Make sure the gateway does not carry a peer file for itself; the peer loop
# above already skips the own id, this removes a file left from earlier runs.
# The service state presumably requires this file state by its name.
/etc/fastd/{{ grains['id'] }}/peers/{{ grains['id'] }}-absent:
  file.absent:
    - name: /etc/fastd/{{ grains['id'] }}/peers/{{ grains['id'] }}

{% endif %}