docs(tutorials): add dae-with-opnsense(en/zh) (#438)

Co-authored-by: Sumire (菫) <151038614+sumire88@users.noreply.github.com>
This commit is contained in:
Nicolas 2024-01-23 21:06:24 +08:00 committed by GitHub
parent 883437b6a3
commit c26169d3a4
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 186 additions and 0 deletions

View File

@ -0,0 +1,93 @@
# dae with OPNsense: Best Practices
This tutorial shows how to use dae with OPNsense in a bypass way. dae is installed on another Linux system and is connected to OPNsense via Ethernet (physical connection, Linux bridge, or SR-IOV).
## Interfaces
You should assign an address for the interface between dae and OPN that is in a different subnet from OPN's LAN. If we call this interface wan_proxy, the configuration is as follows:
```
OPN LAN: 192.168.1.1/24
OPN wan_proxy: 192.168.2.2 Gateway Auto Detect
dae enp1s0: 192.168.2.1 Gateway 192.168.2.2
```
## Traffic Splitting
1. Configure the GeoIP list
> Add it in `Firewall: Aliases: GeoIP Settings`, refer to the [OPN documentation](https://docs.opnsense.org/manual/how-tos/maxmind_geo_ip.html).
2. Configure GeoIP alias
> Add an alias named proxyip in `Firewall: Aliases: Aliases`, select GeoIP type, and choose China in the displayed region Asia(or your own country).
3. Add additional IP address list (optional)
> Add an alias named proxyip_ex in `Firewall: Aliases: Aliases`, select URL Table type, you can add a link to an IP list maintained by others, the file content is an IP address represented by CIDR per line.
4. Configure reserved address alias
> Add an alias named \_\_private_network in `Firewall: Aliases: Aliases`, select Network type, add all reserved addresses (or only add the reserved addresses used in your network), refer to [Reserved IP Addresses](https://www.wikiwand.com/zh-hant/保留IP地址).
5. Aggregate the above aliases
> Add an alias named proxyroute in `Firewall: Aliases: Aliases`, select Network group type, select proxyip, proxyip_ex (if any), \_\_private_network and the system built-in \_\_lo0_network alias, and aggregate them.
6. Add gateway
> Add a gateway named proxy in `System: Gateways: Single`, select the interface wan_proxy between dae, the IP is the IP of dae, according to the interface example above, fill in 192.168.2.1 here, the priority must be lower than the default gateway, such as the default gateway set to 254, set this to 255.
7. Traffic splitting rules
> Add a rule in `Firewall: Rules: Floating`, configure as follows:
| Item | Configuration |
| - | - |
| Action | Pass |
| Quick | √ |
| Interface | LAN |
| Direction | in |
| TCP/IP Version | IPv4 |
| Protocol | TCP/UDP |
| Destination/Invert | √ |
| Destination | proxyroute |
| Gateway | Enable |
> In addition, you can exclude LAN devices through Source/Invert, so their traffic will not be passed to dae.
8. Allow dae traffic to enter OPN
> Create a new rule in `Firewall: Rules: wan_proxy`, keep all defaults and save.
9. OPN's own proxy (optional)
> If you need to route some of OPN's own traffic through the proxy, such as using Google Drive to backup configurations, it is recommended to add a static route rule in `System: Routes: Configuration`, set the gateway for the IP segment that needs to be proxied to proxy. It is not recommended to handle WAN traffic in floating rules, which may cause loops.
## dae related configuration
This section does not involve the content of the dae configuration file, but only gives how to configure DNS requests to pass through dae, and solutions to the common problem that the proxy is normal and the direct connection is not working. For the `domain` and `ip` modes mentioned below and how to configure dae's `dns` and `routing` rules, please refer to the dae documentation.
To use dae for transparent proxy, to make the domain name based traffic splitting rules work normally, DNS requests need to pass through dae in the `domain` and `domain+` modes (note that the DNS server is not set to the dae address, dae does not listen to port 53). If DNS requests do not pass through dae, you need to use dae's `domain++` mode (match the traffic splitting rules again based on the sniffed domain name, which is not as performant as the domain mode). If you use the `domain++` mode, or do not need to split traffic based on the domain name and use the `ip` mode, the following configuration can be ignored.
1. DNS forwarding configuration
> Set in `Services: Unbound DNS: Query Forwarding`, forward DNS requests to the specified server, such as configuring OpenDNS's 208.67.222.222. The next step requires setting a static route rule, setting the gateway of this address to dae, so do not use the DNS issued by your upstream, so that you can normally use dig or nslookup to query the DNS server issued by the upstream for testing when troubleshooting DNS problems.
2. Static route configuration
> Add a static route rule in `System: Routes: Configuration`, set the network to 208.67.222.222/32, and set the gateway to proxy.
After the above configuration, DNS requests can pass through dae and be hijacked by dae for processing. The DNS server set here is not the final query server. The target server of the DNS query will be rewritten by dae according to the dns rules in the dae configuration, and then the DNS query request will be sent.
It should be noted that Unbound will append EDNS related parameters when forwarding client's DNS requests, which may result in oversized (occasionally larger than 2000) DNS responses from the upstream server, causing dae's buffer for processing udp DNS to overflow (for performance considerations, dae does not use a larger buffer, tcp's DNS will not overflow), and the final result is that the client cannot get the DNS response, or even cause dae to crash. To solve this problem, you can switch to Dnsmasq or disable EDNSSEC support in `Services: Unbound DNS: General` and write the following Unbound configuration, which can effectively reduce the size of the returned DNS response.
``` yaml
# saved as /usr/local/etc/unbound.opnsense.d/disableedns.conf
server:
disable-edns-do: yes
```
In addition, since dae does not perform snat, if the proxy is normal and the direct connection is not working [here refers to the direct in dae's `routing`, not the traffic that OPN does not split to dae and directly goes out of the WAN port. For example, according to the traffic splitting rules configured in the previous section, OPN will split the steam's traffic to pass through dae, dae has configured domain(geosite:steam@cn) -> direct in `routing`, steam cannot log in or download normally], configure nat in the system where dae is installed.
## Performance Optimization
Changing the MTU value between OPN and dae from the default 1500 to 9000 (requires modifying both interfaces and the intermediate link) can achieve lower load.

View File

@ -0,0 +1,93 @@
# dae与OPNsense: 最佳实践
本教程展示了如何以旁挂的方式将dae和OPNsense一起使用。dae安装在另一个Linux系统中和OPNsense通过以太网连接物理连接、Linux网桥或SR-IOV
## 接口
你应该为dae和OPN之间的接口分配和OPN的LAN不同网段的地址。如果把这个接口称为wan_proxy配置如下
```
OPN LAN: 192.168.1.1/24
OPN wan_proxy: 192.168.2.2 网关 自动检测
dae enp1s0192.168.2.1 网关 192.168.2.2
```
## 分流
1.配置geoip列表
> 在`防火墙别名GeoIP设置`中添加,参考[OPN文档](https://docs.opnsense.org/manual/how-tos/maxmind_geo_ip.html)。
2.配置geoip别名
> 在`防火墙:别名:别名`处添加别名proxyip选择GeoIP类型在显示的区域Asia中选择China或你所在的其他国家
3.添加额外IP地址列表可选
> 在`防火墙:别名:别名`处添加别名proxyip_ex选择URL Table类型可添加其他人维护的IP列表链接文件内容为每行一个CIDR表示的IP地址。
4.配置保留地址别名
> 在`防火墙:别名:别名`处添加别名\_\_private_network选择Network类型添加所有保留地址或仅添加自己网络中使用到的保留地址参考[保留IP地址](ttps://www.wikiwand.com/zh-hant/保留IP地址)。
5.聚合以上别名
> 在`防火墙:别名:别名`处添加别名proxyroute选择Network group类型内容选择proxyip、proxyip_ex如果有、\_\_private_network以及系统内置的\_\_lo0_network别名对其进行聚合。
6.添加网关
> 在`系统:网关:单个`处添加网关proxy接口选择和dae之间的接口wan_proxyIP为dae的IP按上文接口示例这里填写192.168.2.1优先级须低于默认网关如默认网关设为254这里设为255。
7.分流规则
> 在`防火墙: 规则: 浮动`处添加规则,进行如下配置:
| 项目 | 配置 |
| - | - |
| 操作 | 通过 |
| 快速 | √ |
| 接口 | LAN |
| 方向 | in |
| TCP/IP版本 | IPv4 |
| 协议 | TCP/UDP |
| 目标/反转 | √ |
| 目标 | proxyroute |
| 网关 | 启用 |
> 此外可以通过源、源/反转来排除局域网设备使其流量不会被分流到dae。
8.允许dae流量进入OPN
> 在`防火墙规则wan_proxy`新建规则,全部保持默认保存即可。
9.OPN自身代理(可选)
> 如果需要让OPN自己的某些流量走代理如使用Google Drive备份配置建议在`系统: 路由: 配置`中添加静态路由规则进行配置将需要走代理的IP段网关设为proxy。不建议在浮动规则中对WAN流量进行处理可能会造成回环。
## dae相关配置
本节不涉及dae的配置文件内容只给出如何配置使DNS请求经过dae以及常见的代理正常直连不通问题的解决方法。以下提到的dae的`domain`、`ip`模式以及如何配置dae的`dns`和`routing`规则请查阅dae文档。
使用dae进行透明代理要使基于域名的分流规则正常工作`domain`和`domain+`模式下需要DNS请求经过dae注意不是将DNS服务器设为dae地址dae不监听53端口。若DNS请求不经过dae需要使用dae的`domain++`模式根据sniff到的域名再匹配一次分流规则性能不如`domain`模式。如使用domain++模式,或不需要根据域名分流而使用`ip`模式,以下配置可忽略。
1.DNS转发配置
> 在`服务: Unbound DNS: 查询转发`中设置将DNS请求转发到指定服务器如配置为OpenDNS的208.67.222.222。下面步骤需要设置静态路由规则将该地址网关设为dae因此不要使用你的上游下发的DNS以便在排查DNS问题时可以正常使用dig或nslookup向上游下发的DNS服务器查询进行测试。
2.静态路由配置
> 在`系统: 路由: 配置`中添加静态路由规则网络设为208.67.222.222/32网关设置为proxy。
经过如上配置可以使DNS请求经过dae并被dae劫持处理这里设置的DNS服务器并不是最终查询的服务器DNS查询的目标服务器会被dae根据dae配置中的dns规则改写然后发送DNS查询请求。
需要注意的是Unbound会在转发客户端发出的DNS请求时追加EDNS相关参数这样可能会从上游服务器取得长度超大偶见大于2000的DNS响应从而导致dae处理udp DNS的缓冲区溢出处于性能考虑dae没有使用更大的缓冲区tcp的DNS不会溢出最终表现是客户端无法拿到DNS响应甚至导致dae功能崩溃。要解决这个问题可以改用Dnsmasq或在`服务Unbound DNS常规`中关闭EDNSSEC支持并写入如下Unbound配置该配置可以有效减小返回的DNS响应大小
``` yaml
# 存为 /usr/local/etc/unbound.opnsense.d/disableedns.conf
server:
disable-edns-do: yes
```
此外由于dae不会进行snat如果出现代理正常直连不通[这里指的是dae `routing`中的direct而不是OPN没有分流给dae直接出wan口的流量。如根据上节配置的分流规则OPN会将steam的流量分流经过daedae在`routing`配置了domain(geosite:steam@cn) -> directsteam无法正常登录或下载]在安装dae的系统中配置nat即可。
## 性能优化
将OPN和dae之间的MTU值从默认的1500改为9000(需要修改两者接口及中间链路),可以获得更低负载。