Fixed DNS-KEY and inconsistent networks

master
Keith Irwin 2023-04-12 00:19:06 -06:00
parent 7e76bffa3e
commit 1bb54e15dc
Signed by: ki9
GPG Key ID: DF773B3F4A88DA86
1 changed files with 12 additions and 12 deletions


@ -488,24 +488,24 @@ Now edit the `etc/config` file
```sh ```sh
TLD='mynet' TLD='mynet'
LOCAL_SERVER='hn' LOCAL_SERVER='hn'
IPV4_NET='10.11.0.0/16' IPV4_NET='10.99.0.0/16'
IPV6_NET='fd69:1337:0:420:f4:11::/96' IPV6_NET='fd69:1337:0:420:f4:99::/96'
WG_DNS='DNS=10.11.0.1' WG_DNS='DNS=10.99.0.1'
SSL_CONFIG_DIR="/etc/ssl/private/${TLD}" SSL_CONFIG_DIR="/etc/ssl/private/${TLD}"
SSL_CA_CERT="${SSL_CONFIG_DIR}/_ca.crt" SSL_CA_CERT="${SSL_CONFIG_DIR}/_ca.crt"
SSL_CA_KEY="${SSL_CONFIG_DIR}/_ca.key" SSL_CA_KEY="${SSL_CONFIG_DIR}/_ca.key"
SSL_ORG='My Cool Organization' SSL_ORG='My Cool Organization'
SSL_DAYS='3650' SSL_DAYS='3650'
SSL_CA_PASS='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' SSL_CA_PASS='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
DNS_KEY='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX==' DNS_KEY='hmac-sha512:wagon:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=='
DNS_MASTER='10.3.0.1' DNS_MASTER='10.99.0.1'
DNS_TTL='86400' DNS_TTL='86400'
``` ```
This file should be mostly self-explanitory. "SSL_CA_PASS" is the CA key passphrase created in the last section. The "DNS_KEY" can be found in the "secret" section of the `/etc/bind/keys/wagon.keys` file, which looks like this: This file should be mostly self-explanitory. "SSL_CA_PASS" is the CA key passphrase created in the last section. The "DNS_KEY" string should be created from the `/etc/bind/keys/wagon.keys` file, which looks like this:
```tsig ```tsig
key "wgapi-ksn" { key "wagon" {
algorithm hmac-sha512; algorithm hmac-sha512;
secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=="; secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX==";
}; };
@ -533,11 +533,11 @@ That's not bad. We could take requests on that port, but let's take secure https
# User API # User API
server { server {
server_name wagon-dashboard-api.hn.mynet; server_name wagon-dashboard-api.hn.mynet;
listen 10.11.0.1:443 ssl http2; listen 10.99.0.1:443 ssl http2;
ssl_certificate /etc/ssl/private/mynet/hn/server.crt; ssl_certificate /etc/ssl/private/mynet/hn/server.crt;
ssl_certificate_key /etc/ssl/private/mynet/hn/server.key; ssl_certificate_key /etc/ssl/private/mynet/hn/server.key;
ssl_stapling off; ssl_stapling off;
allow 10.11.0.0/16; # All users allow 10.99.0.0/16; # All users
deny all; # Everyone else deny all; # Everyone else
location / { location / {
proxy_pass http://localhost:4442; proxy_pass http://localhost:4442;
@ -547,12 +547,12 @@ server {
# Admin API # Admin API
server { server {
server_name wagon-admin-api.hn.mynet; server_name wagon-admin-api.hn.mynet;
listen 10.11.0.1:443 ssl http2; listen 10.99.0.1:443 ssl http2;
ssl_certificate /etc/ssl/private/mynet/hn/server.crt; ssl_certificate /etc/ssl/private/mynet/hn/server.crt;
ssl_certificate_key /etc/ssl/private/mynet/hn/server.key; ssl_certificate_key /etc/ssl/private/mynet/hn/server.key;
ssl_stapling off; ssl_stapling off;
allow 10.11.1.0/24; # One admin allow 10.99.1.0/24; # One admin
allow 10.11.7.0/24; # Another admin allow 10.99.7.0/24; # Another admin
deny all; # Everyone else deny all; # Everyone else
location / { location / {
proxy_pass http://localhost:4441; proxy_pass http://localhost:4441;