Using the China Telecom TR069 internal network to set up a WireGuard tunnel for remote networking
Preamble
The TR069 intranet is the management network over which the carrier provisions its optical modems (ONTs). All ONTs of the same carrier in the same province can reach each other over it, at link speed. Carrying a site-to-site tunnel over the TR069 intranet consumes no broadband bandwidth, which makes it a good choice for remote networking between sites on the same carrier in the same province. Although the ONT has only one gigabit port, even a bridge set up on one of its 100 Mbps ports reaches 100 Mbps, on par with a leased line. This article uses WireGuard as the tunnel solution because WireGuard's FwMark option has the kernel mark WireGuard's own outgoing packets directly, which simplifies the routing-table configuration.
Requirements
Each node needs:
- A China Telecom gigabit ONT (a 100 Mbps ONT may also work, but this has not been tested)
- A Linux server on the LAN with two NICs (tested on CentOS 7 and 8, Debian 10 and Ubuntu 18.04)
- Broadband from the same carrier in the same province as the other node (tested with China Telecom and China Unicom broadband)
- A domain name for DDNS, hosted on Cloudflare or Alibaba Cloud DNS
- The broadband dial-up address may be either a public IP or a CGN (carrier-grade NAT) private IP
Build tutorial
The overall configuration of this solution is as follows; the specific steps follow.
- On the ONT, bridge the TR069 intranet connection to a LAN port.
- Connect that bridged LAN port to the server's second NIC with a network cable, obtain an IP address by DHCP, but refuse the default gateway and DNS servers that DHCP offers.
- Configure DDNS to read the IP address of the NIC the server uses for the TR069 network and update the DNS record at Cloudflare or Alibaba Cloud.
- Run a scheduled script that dynamically updates the default gateway in a dedicated routing table.
- Configure WireGuard with the FwMark option and a policy-routing rule, so that WireGuard traffic sent to the other nodes leaves through the TR069 intranet NIC.
Optical cat configuration
First obtain the super administrator password of the China Telecom ONT. In most regions the super administrator credentials of China Telecom ONTs are username telecomadmin and password telecomadmin. If this password does not work, or the broadband is from another carrier, search online for the super administrator password; it is not covered here. If the ONT is currently in routing mode, open http://192.168.1.1 in a browser to reach the ONT's administration interface. If the ONT is in bridge mode (that is, a router performs the PPPoE dial-up), plug a computer into any LAN port of the ONT and assign it a static IP address in the 192.168.1.0/24 block.
After logging in to the ONT's administration interface, go to Network > Connection and find the connection whose name contains TR069. Note its VLAN ID and 802.1p value, then create a new connection with the following settings:
- Encapsulation type: IPoE
- Business type: Other
- Connection mode: Bridge
- Enable VLAN: Yes
- VLAN ID: The VLAN ID recorded above
- 802.1p priority policy: Use the specified value
- 802.1p: The value recorded above
- LAN port binding: select an unused port, not the IPTV port. If no port is available, check whether the dial-up connection is bound to all ports; if so, unbind one of them
After the configuration is complete, save it. Then connect a device to the selected LAN port with a network cable and let it obtain an address by DHCP. If it receives an address in the 10.0.0.0/7 range (that is, one starting with 10 or 11), the bridge works.
Server network configuration
Once the ONT is configured, connect the newly bound LAN port of the ONT to one NIC of the server with a network cable, then configure that NIC. The key point is to obtain the IP address by DHCP but not to use the default gateway and DNS servers that DHCP offers. The following subsections cover the different operating systems. In this example the NIC connected to the ONT's TR069 intranet is eth1; change it to match your setup.
Ubuntu 18.04
This system is the simplest. Edit /etc/netplan/50-cloud-init.yaml and add the following entry under network: > ethernets: (indentation matters in YAML):
    eth1:
      dhcp4: true
      dhcp4-overrides:
        use-routes: false
        use-dns: false
        use-hostname: false
After editing, run sudo netplan try and press Enter to confirm.
CentOS
Edit /etc/sysconfig/network-scripts/ifcfg-eth1 and set the following entries (create the file if it does not exist):
BOOTPROTO="dhcp"
ONBOOT="yes"
DEFROUTE="no"
PEERDNS="no"
Then run ifup eth1 to bring up the NIC.
Debian or Ubuntu 16.04
First edit /etc/network/interfaces and add the following entries:
auto eth1
iface eth1 inet dhcp
Then edit /etc/dhcp/dhclient.conf and add the following entry, so that the DHCP client requests only the address and subnet mask and nothing else:
interface "eth1" {
    request subnet-mask, broadcast-address;
}
After editing, run ifup eth1 to bring up the NIC.
Configure DDNS
Because the IP address obtained from the TR069 intranet is not fixed, DDNS is needed to keep the domain name updated so that each node can look up the other's address. Unlike conventional DDNS clients, which learn the public address from an external API, here the address of a specific NIC has to be reported. Run the following commands to install the Python environment and all packages this solution needs, and to download the DDNS program.
CentOS
yum -y install epel-release
yum copr enable jdoss/wireguard
yum -y install python3 git wireguard-dkms wireguard-tools subnetcalc
git clone https://github.com/NewFuture/DDNS /usr/src/DDNS
Ubuntu
add-apt-repository ppa:wireguard/wireguard
apt update
apt -y install python3 git wireguard resolvconf subnetcalc
git clone https://github.com/NewFuture/DDNS /usr/src/DDNS
Debian
echo "deb http://mirrors.163.com/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
apt update
apt -y install python3 git wireguard resolvconf subnetcalc
git clone https://github.com/NewFuture/DDNS /usr/src/DDNS
We need a script that prints the IP address of a NIC. Create the file /usr/bin/get-interface-ip:
#!/bin/bash
# Print the IPv4 address of the NIC named in $1 (used by DDNS as index4).
ifconfig "$1" | grep -oP 'inet ((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}' | sed 's/inet //g'
Then run chmod +x /usr/bin/get-interface-ip to make the script executable. Next, create the DDNS configuration file. Cloudflare is used as the example here; for AliDNS or other supported providers, refer to the project documentation. Create /usr/src/DDNS/config.json as follows, where id is the Cloudflare account email address and token is the Cloudflare API key:
{
  "$schema": "https://ddns.newfuture.cc/schema.json",
  "debug": false,
  "dns": "cloudflare",
  "id": "<Cloudflare account email address>",
  "index4": "shell:/usr/bin/get-interface-ip eth1",
  "index6": "default",
  "ipv4": [
    "example1.example.com"
  ],
  "ipv6": [],
  "proxy": null,
  "token": "<Cloudflare API key>"
}
After creating it, run /usr/bin/python3 /usr/src/DDNS/run.py -c /usr/src/DDNS/config.json to test whether DDNS reports successfully. If it does, add the following entry to /etc/crontab to schedule the DDNS update (the user field, root, is required in /etc/crontab):
* * * * * root /usr/bin/python3 /usr/src/DDNS/run.py -c /usr/src/DDNS/config.json
Configure the routing-table daemon
The DHCP block of the TR069 intranet is not fixed, and its default gateway has no route to the public Internet. That is why the preceding steps refused the DHCP default gateway: it would corrupt the system routing table and cut the server off from the Internet. The TR069 intranet gateway is the first usable address of the DHCP block. We use the subnetcalc tool to compute the first usable address of the block and install it as the default route in routing table 305, which the WireGuard configuration later uses. Create the script /usr/bin/set-tr069-gateway with the following content, and run chmod +x /usr/bin/set-tr069-gateway to make it executable.
#!/bin/bash
# Usage: set-tr069-gateway <nic>
# Matches a dotted-quad IPv4 address.
IP_REGEXP='((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}'
# Address and netmask the NIC obtained by DHCP ("mask" also matches "netmask").
LOCAL_IP=$(ifconfig "$1" | grep -oP "inet $IP_REGEXP" | sed 's/inet //g')
LOCAL_MASK=$(ifconfig "$1" | grep -oP "mask $IP_REGEXP" | sed 's/mask //g')
# First usable host address of the block is the TR069 gateway.
GATEWAY=$(subnetcalc "$LOCAL_IP/$LOCAL_MASK" -n | grep 'Host Range' | grep -oP "$IP_REGEXP" | head -n 1)
# Install it as the default route of routing table 305 only.
ROUTE_TXT="default via $GATEWAY dev $1 table 305"
echo "$ROUTE_TXT"
bash -c "ip route replace $ROUTE_TXT || ip route add $ROUTE_TXT"
Then run /usr/bin/set-tr069-gateway eth1 once. After confirming that it works, add the following entry to /etc/crontab to schedule it:
* * * * * root /usr/bin/set-tr069-gateway eth1
Configure WireGuard
With the groundwork done, we can configure WireGuard. First generate a key pair:
wg genkey | tee /root/privatekey | wg pubkey > /root/publickey
Then create the WireGuard configuration file /etc/wireguard/wg0.conf as follows. The FwMark option makes the kernel mark WireGuard's own outgoing packets with firewall mark 0x131, and the policy-routing rule sends packets that are destined for the TR069 block and carry that mark to routing table 305, i.e. out of the TR069 intranet interface.
[Interface]
Address = 192.168.11.1/24
PrivateKey = <this server's private key, the contents of /root/privatekey>
ListenPort = 22000
FwMark = 0x131
PostUp = ip rule add pref 305 to 10.0.0.0/7 fwmark 0x131 lookup 305
PostDown = ip rule del pref 305

[Peer]
PublicKey = <the peer's public key, the contents of /root/publickey on the other server>
AllowedIPs = 192.168.11.2/32
Endpoint = example2.example.com:22000
PersistentKeepalive = 25
Address is this server's WireGuard tunnel address. Each peer's tunnel address goes under the corresponding AllowedIPs. Endpoint is the DDNS domain name configured on the peer server. If the peer server is also the gateway of its LAN and the LAN blocks of the two sites do not overlap, you can also list the peer's LAN block in AllowedIPs to route between the two LANs. This article covers only two nodes; with more nodes, add a [Peer] section in the same format for each. After the configuration is complete, run the following commands to start WireGuard; it connects to the peer server through the TR069 intranet, giving a 100 Mbps peer-to-peer connection comparable to a leased line.
wg-quick up wg0
systemctl enable wg-quick@wg0
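One caveat that follows from using a DDNS name as the Endpoint: wg-quick resolves the name only once, when the tunnel is brought up, so if the peer's TR069 lease changes and DDNS publishes a new address, the running tunnel keeps sending to the old one until it is restarted. The script below is an added example, not part of the article or of the WireGuard project: it re-resolves the Endpoint of every [Peer] in the wg-quick config and pushes changed addresses into the live interface with wg set, which is the same idea as the reresolve-dns.sh contrib script shipped with wireguard-tools. It assumes wg and getent are available, handles hostname:port endpoints only, and the config text embedded in it is constructed sample input with placeholder keys.

```shell
#!/bin/sh
# Added example, not part of the article. Re-resolves each peer's Endpoint
# name from a wg-quick config and updates the live interface with `wg set`
# when the address changed, so a peer whose DDNS record moved is reached
# again without restarting the tunnel. Assumes wireguard-tools (`wg`) and
# the libc resolver (`getent`). SAMPLE_CONF is constructed sample input.
set -eu

# Print "PUBLICKEY HOST PORT" for every [Peer] section of CONF that has both
# a PublicKey and a hostname:port Endpoint.
peer_endpoints() {
    awk '
        function flush() {
            if (key != "" && ep != "") { split(ep, p, ":"); print key, p[1], p[2] }
            key = ""; ep = ""
        }
        /^\[Peer\]/                 { flush(); inpeer = 1; next }
        /^\[/                       { flush(); inpeer = 0; next }
        inpeer && $1 == "PublicKey" { key = $3 }
        inpeer && $1 == "Endpoint"  { ep = $3 }
        END                         { flush() }
    ' "$1"
}

# First IPv4 address for HOST from the system resolver, or empty.
resolve_v4() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# Endpoint the kernel currently holds for peer KEY on IFACE, or empty.
current_endpoint() {
    wg show "$1" endpoints | awk -v k="$2" '$1 == k { print $2 }'
}

# Pure decision step, testable offline: "update" when the resolved address
# differs from the live endpoint, "keep" when it matches, "unresolved" when
# the name did not resolve (the old endpoint is then left untouched).
decide() {
    resolved=$1 live=$2 port=$3
    if [ -z "$resolved" ]; then
        echo unresolved
    elif [ "$resolved:$port" = "$live" ]; then
        echo keep
    else
        echo update
    fi
}

# Re-resolve every peer of IFACE listed in CONF and update changed endpoints.
reresolve() {
    iface=$1 conf=$2
    peer_endpoints "$conf" | while read -r key host port; do
        addr=$(resolve_v4 "$host")
        case $(decide "$addr" "$(current_endpoint "$iface" "$key")" "$port") in
            update)
                wg set "$iface" peer "$key" endpoint "$addr:$port"
                echo "$key endpoint -> $addr:$port" ;;
            unresolved)
                echo "cannot resolve $host for peer $key" >&2 ;;
        esac
    done
}

# Constructed sample config in the article's layout; keys are placeholders.
SAMPLE_CONF='[Interface]
Address = 192.168.11.1/24
PrivateKey = PLACEHOLDER_PRIVATE_KEY=
ListenPort = 22000
FwMark = 0x131

[Peer]
PublicKey = PLACEHOLDER_PEER2_PUBKEY=
AllowedIPs = 192.168.11.2/32
Endpoint = example2.example.com:22000
PersistentKeepalive = 25

[Peer]
PublicKey = PLACEHOLDER_PEER3_PUBKEY=
AllowedIPs = 192.168.11.3/32
Endpoint = example3.example.com:22000
'

# Write the sample config to a temporary file and print its path.
write_sample_conf() {
    f=$(mktemp)
    printf '%s' "$SAMPLE_CONF" > "$f"
    echo "$f"
}

# Usage: wg-reresolve <iface> <wg-quick config>; no arguments defines only.
if [ $# -eq 2 ]; then
    reresolve "$1" "$2"
fi
```

Installed as /usr/bin/wg-reresolve (an assumed path) it can run from /etc/crontab next to the DDNS job, for example * * * * * root /usr/bin/wg-reresolve wg0 /etc/wireguard/wg0.conf. Because the decision step only changes the endpoint when the name resolves to a different address, a temporary DNS failure leaves the working endpoint in place rather than clearing it.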
Closing words
We have now built a WireGuard tunnel over the TR069 intranet of the China Telecom ONT, giving fast and stable communication between the servers. The speed is in practice limited by the link speed of the ONT's 100 Mbps port. If you do not care about downlink speed, you can move the broadband connection to a 100 Mbps port and use the gigabit port for the TR069 intranet, which yields a gigabit peering tunnel. Generally, servers need upstream bandwidth more than downstream, and in most cases the broadband uplink is far below the downlink; Shenzhen Telecom, for example, provides a 50 Mbps uplink on 500 Mbps broadband. In addition, this solution does not require an active broadband subscription: as long as the broadband was once provisioned, even if the service is now suspended, you can still use it to tunnel to other sites that have Internet access. DNS must then be handled separately, because without broadband the domain name cannot be resolved, so some additional configuration is required. I hope you find this article useful.