Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs(tutorials): add dae-with-opnsense(en/zh) #438

Merged
merged 2 commits into from
Jan 23, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
93 changes: 93 additions & 0 deletions docs/en/tutorials/dae-with-opnsense.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,93 @@
# dae with OPNsense: Best Practices

This tutorial shows how to use dae with OPNsense in a bypass way. dae is installed on another Linux system and is connected to OPNsense via Ethernet (physical connection, Linux bridge, or SR-IOV).

## Interfaces

You should assign an address for the interface between dae and OPN that is in a different subnet from OPN's LAN. If we call this interface wan_proxy, the configuration is as follows:

```
OPN LAN: 192.168.1.1/24
OPN wan_proxy: 192.168.2.2 Gateway Auto Detect
dae enp1s0: 192.168.2.1 Gateway 192.168.2.2
```

## Traffic Splitting

1. Configure the GeoIP list

> Add it in `Firewall: Aliases: GeoIP Settings`, refer to the [OPN documentation](https://docs.opnsense.org/manual/how-tos/maxmind_geo_ip.html).

2. Configure GeoIP alias

> Add an alias named proxyip in `Firewall: Aliases: Aliases`, select GeoIP type, and choose China in the displayed region Asia(or your own country).

3. Add additional IP address list (optional)

> Add an alias named proxyip_ex in `Firewall: Aliases: Aliases`, select URL Table type, you can add a link to an IP list maintained by others, the file content is an IP address represented by CIDR per line.

4. Configure reserved address alias

> Add an alias named \_\_private_network in `Firewall: Aliases: Aliases`, select Network type, add all reserved addresses (or only add the reserved addresses used in your network), refer to [Reserved IP Addresses](https://www.wikiwand.com/zh-hant/保留IP地址).

5. Aggregate the above aliases

> Add an alias named proxyroute in `Firewall: Aliases: Aliases`, select Network group type, select proxyip, proxyip_ex (if any), \_\_private_network and the system built-in \_\_lo0_network alias, and aggregate them.

6. Add gateway

> Add a gateway named proxy in `System: Gateways: Single`, select the interface wan_proxy between dae, the IP is the IP of dae, according to the interface example above, fill in 192.168.2.1 here, the priority must be lower than the default gateway, such as the default gateway set to 254, set this to 255.

7. Traffic splitting rules

> Add a rule in `Firewall: Rules: Floating`, configure as follows:

| Item | Configuration |
| - | - |
| Action | Pass |
| Quick | √ |
| Interface | LAN |
| Direction | in |
| TCP/IP Version | IPv4 |
| Protocol | TCP/UDP |
| Destination/Invert | √ |
| Destination | proxyroute |
| Gateway | Enable |

> In addition, you can exclude LAN devices through Source/Invert, so their traffic will not be passed to dae.

8. Allow dae traffic to enter OPN

> Create a new rule in `Firewall: Rules: wan_proxy`, keep all defaults and save.

9. OPN's own proxy (optional)

> If you need to route some of OPN's own traffic through the proxy, such as using Google Drive to backup configurations, it is recommended to add a static route rule in `System: Routes: Configuration`, set the gateway for the IP segment that needs to be proxied to proxy. It is not recommended to handle WAN traffic in floating rules, which may cause loops.

## dae related configuration

This section does not involve the content of the dae configuration file, but only gives how to configure DNS requests to pass through dae, and solutions to the common problem that the proxy is normal and the direct connection is not working. For the `domain` and `ip` modes mentioned below and how to configure dae's `dns` and `routing` rules, please refer to the dae documentation.

To use dae for transparent proxy, to make the domain name based traffic splitting rules work normally, DNS requests need to pass through dae in the `domain` and `domain+` modes (note that the DNS server is not set to the dae address, dae does not listen to port 53). If DNS requests do not pass through dae, you need to use dae's `domain++` mode (match the traffic splitting rules again based on the sniffed domain name, which is not as performant as the domain mode). If you use the `domain++` mode, or do not need to split traffic based on the domain name and use the `ip` mode, the following configuration can be ignored.

1. DNS forwarding configuration
> Set in `Services: Unbound DNS: Query Forwarding`, forward DNS requests to the specified server, such as configuring OpenDNS's 208.67.222.222. The next step requires setting a static route rule, setting the gateway of this address to dae, so do not use the DNS issued by your upstream, so that you can normally use dig or nslookup to query the DNS server issued by the upstream for testing when troubleshooting DNS problems.

2. Static route configuration
> Add a static route rule in `System: Routes: Configuration`, set the network to 208.67.222.222/32, and set the gateway to proxy.

After the above configuration, DNS requests can pass through dae and be hijacked by dae for processing. The DNS server set here is not the final query server. The target server of the DNS query will be rewritten by dae according to the dns rules in the dae configuration, and then the DNS query request will be sent.

It should be noted that Unbound will append EDNS related parameters when forwarding client's DNS requests, which may result in oversized (occasionally larger than 2000) DNS responses from the upstream server, causing dae's buffer for processing udp DNS to overflow (for performance considerations, dae does not use a larger buffer, tcp's DNS will not overflow), and the final result is that the client cannot get the DNS response, or even cause dae to crash. To solve this problem, you can switch to Dnsmasq or disable EDNSSEC support in `Services: Unbound DNS: General` and write the following Unbound configuration, which can effectively reduce the size of the returned DNS response.

``` yaml
# saved as /usr/local/etc/unbound.opnsense.d/disableedns.conf
server:
disable-edns-do: yes
```

In addition, since dae does not perform snat, if the proxy is normal and the direct connection is not working [here refers to the direct in dae's `routing`, not the traffic that OPN does not split to dae and directly goes out of the WAN port. For example, according to the traffic splitting rules configured in the previous section, OPN will split the steam's traffic to pass through dae, dae has configured domain(geosite:steam@cn) -> direct in `routing`, steam cannot log in or download normally], configure nat in the system where dae is installed.

## Performance Optimization

Changing the MTU value between OPN and dae from the default 1500 to 9000 (requires modifying both interfaces and the intermediate link) can achieve lower load.
93 changes: 93 additions & 0 deletions docs/zh/tutorials/dae-with-opnsense.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,93 @@
# dae与OPNsense: 最佳实践

本教程展示了如何以旁挂的方式将dae和OPNsense一起使用。dae安装在另一个Linux系统中,和OPNsense通过以太网连接(物理连接、Linux网桥或SR-IOV)。

## 接口

你应该为dae和OPN之间的接口分配和OPN的LAN不同网段的地址。如果把这个接口称为wan_proxy,配置如下:

```
OPN LAN: 192.168.1.1/24
OPN wan_proxy: 192.168.2.2 网关 自动检测
dae enp1s0:192.168.2.1 网关 192.168.2.2
```

## 分流

1.配置geoip列表

> 在`防火墙:别名:GeoIP设置`中添加,参考[OPN文档](https://docs.opnsense.org/manual/how-tos/maxmind_geo_ip.html)。

2.配置geoip别名

> 在`防火墙:别名:别名`处添加别名proxyip,选择GeoIP类型,在显示的区域Asia中选择China(或你所在的其他国家)。

3.添加额外IP地址列表(可选)

> 在`防火墙:别名:别名`处添加别名proxyip_ex,选择URL Table类型,可添加其他人维护的IP列表链接,文件内容为每行一个CIDR表示的IP地址。

4.配置保留地址别名

> 在`防火墙:别名:别名`处添加别名\_\_private_network,选择Network类型,添加所有保留地址(或仅添加自己网络中使用到的保留地址),参考[保留IP地址](ttps://www.wikiwand.com/zh-hant/保留IP地址)。

5.聚合以上别名

> 在`防火墙:别名:别名`处添加别名proxyroute,选择Network group类型,内容选择proxyip、proxyip_ex(如果有)、\_\_private_network以及系统内置的\_\_lo0_network别名,对其进行聚合。

6.添加网关

> 在`系统:网关:单个`处添加网关proxy,接口选择和dae之间的接口wan_proxy,IP为dae的IP,按上文接口示例这里填写192.168.2.1,优先级须低于默认网关,如默认网关设为254,这里设为255。

7.分流规则

> 在`防火墙: 规则: 浮动`处添加规则,进行如下配置:

| 项目 | 配置 |
| - | - |
| 操作 | 通过 |
| 快速 | √ |
| 接口 | LAN |
| 方向 | in |
| TCP/IP版本 | IPv4 |
| 协议 | TCP/UDP |
| 目标/反转 | √ |
| 目标 | proxyroute |
| 网关 | 启用 |

> 此外可以通过源、源/反转来排除局域网设备,使其流量不会被分流到dae。

8.允许dae流量进入OPN

> 在`防火墙:规则:wan_proxy`新建规则,全部保持默认保存即可。

9.OPN自身代理(可选)

> 如果需要让OPN自己的某些流量走代理,如使用Google Drive备份配置,建议在`系统: 路由: 配置`中添加静态路由规则进行配置,将需要走代理的IP段,网关设为proxy。不建议在浮动规则中对WAN流量进行处理,可能会造成回环。

## dae相关配置

本节不涉及dae的配置文件内容,只给出如何配置使DNS请求经过dae,以及常见的代理正常直连不通问题的解决方法。以下提到的dae的`domain`、`ip`模式以及如何配置dae的`dns`和`routing`规则,请查阅dae文档。

使用dae进行透明代理,要使基于域名的分流规则正常工作,`domain`和`domain+`模式下需要DNS请求经过dae(注意不是将DNS服务器设为dae地址,dae不监听53端口)。若DNS请求不经过dae,需要使用dae的`domain++`模式(根据sniff到的域名再匹配一次分流规则,性能不如`domain`模式)。如使用domain++模式,或不需要根据域名分流而使用`ip`模式,以下配置可忽略。

1.DNS转发配置
> 在`服务: Unbound DNS: 查询转发`中设置,将DNS请求转发到指定服务器,如配置为OpenDNS的208.67.222.222。下面步骤需要设置静态路由规则,将该地址网关设为dae,因此不要使用你的上游下发的DNS,以便在排查DNS问题时,可以正常使用dig或nslookup向上游下发的DNS服务器查询进行测试。

2.静态路由配置
> 在`系统: 路由: 配置`中添加静态路由规则,网络设为208.67.222.222/32,网关设置为proxy。

经过如上配置可以使DNS请求经过dae,并被dae劫持处理,这里设置的DNS服务器并不是最终查询的服务器,DNS查询的目标服务器会被dae根据dae配置中的dns规则改写,然后发送DNS查询请求。

需要注意的是Unbound会在转发客户端发出的DNS请求时,追加EDNS相关参数,这样可能会从上游服务器取得长度超大(偶见大于2000)的DNS响应,从而导致dae处理udp DNS的缓冲区溢出(处于性能考虑,dae没有使用更大的缓冲区,tcp的DNS不会溢出),最终表现是客户端无法拿到DNS响应,甚至导致dae功能崩溃。要解决这个问题,可以改用Dnsmasq或在`服务:Unbound DNS:常规`中关闭EDNSSEC支持并写入如下Unbound配置,该配置可以有效减小返回的DNS响应大小:

``` yaml
# 存为 /usr/local/etc/unbound.opnsense.d/disableedns.conf
server:
disable-edns-do: yes
```

此外,由于dae不会进行snat,如果出现代理正常直连不通[这里指的是dae `routing`中的direct,而不是OPN没有分流给dae直接出wan口的流量。如根据上节配置的分流规则,OPN会将steam的流量分流经过dae,dae在`routing`配置了domain(geosite:steam@cn) -> direct,steam无法正常登录或下载],在安装dae的系统中配置nat即可。

## 性能优化

将OPN和dae之间的MTU值从默认的1500改为9000(需要修改两者接口及中间链路),可以获得更低负载。