111 lines
2.7 KiB
Markdown
111 lines
2.7 KiB
Markdown
# Experimenta VPN via Tailscale/Headscale
|
|
|
|
**Ziel:** Zugang zum Experimenta-Firmennetz von zu Hause — ohne F5 VPN Client.
|
|
|
|
## Setup
|
|
|
|
- **Router:** GL-MT3000 (OpenWRT)
|
|
- **Modus:** Client-Mode im Firmen-WLAN
|
|
- **Headscale:** hs.noxware.net
|
|
|
|
## Routen (aus F5 VPN extrahiert)
|
|
|
|
| Netz | Beschreibung |
|
|
|------|--------------|
|
|
| 10.10.0.0/16 | Haupt-Firmennetz |
|
|
| 10.20.0.0/16 | Weiteres internes Netz |
|
|
| 172.31.1.0/24 | - |
|
|
| 172.31.2.1/32 | Einzelhost |
|
|
| 192.168.1.0/24 | - |
|
|
| 192.168.2.0/24 | - |
|
|
| 192.168.4.0/24 | - |
|
|
| 192.168.5.2/32 | Einzelhost |
|
|
| 192.168.5.3/32 | Einzelhost |
|
|
| 192.168.5.5/32 | Einzelhost |
|
|
| 192.168.5.11/32 | Einzelhost |
|
|
| 192.168.6.0/24 | - |
|
|
|
|
**DNS-Server:** 10.10.32.1, 10.10.32.2
|
|
|
|
---
|
|
|
|
## Schritt 0: MAC-Adresse spoofen (Firmen-Firewall)
|
|
|
|
Die Firmen-Firewall kennt nur die MAC-Adressen deines MacBooks (WLAN + Ethernet).
|
|
Der Router muss die WLAN-MAC deines Macs übernehmen.
|
|
|
|
```bash
|
|
# Auf dem Mac — WLAN-MAC rausfinden:
|
|
networksetup -getmacaddress Wi-Fi
|
|
# oder: ifconfig en0 | grep ether
|
|
|
|
# Auf dem Router — MAC persistent setzen:
|
|
uci set wireless.@wifi-iface[0].macaddr='XX:XX:XX:XX:XX:XX'
|
|
uci commit wireless
|
|
wifi reload
|
|
```
|
|
|
|
**Alternativ via LuCI:** Network → Wireless → Client-Interface → Advanced Settings → *Override MAC address*
|
|
|
|
⚠️ **Wichtig:** Mac danach nicht mehr direkt ins Firmen-WLAN — nur noch über Tailscale durch den Router!
|
|
|
|
---
|
|
|
|
## Schritt 1: GL-MT3000 konfigurieren
|
|
|
|
```bash
|
|
# IP Forwarding aktivieren
|
|
sysctl -w net.ipv4.ip_forward=1
|
|
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
|
|
|
|
# Tailscale starten mit Routen
|
|
tailscale up --login-server=https://hs.noxware.net \
|
|
--advertise-routes=10.10.0.0/16,10.20.0.0/16,172.31.1.0/24,172.31.2.1/32,192.168.1.0/24,192.168.2.0/24,192.168.4.0/24,192.168.5.2/32,192.168.5.3/32,192.168.5.5/32,192.168.5.11/32,192.168.6.0/24 \
|
|
--accept-dns=false
|
|
```
|
|
|
|
## Schritt 2: Firewall (OpenWRT)
|
|
|
|
```bash
|
|
# Zone für Tailscale
|
|
uci add firewall zone
|
|
uci set firewall.@zone[-1].name='tailscale'
|
|
uci set firewall.@zone[-1].input='ACCEPT'
|
|
uci set firewall.@zone[-1].output='ACCEPT'
|
|
uci set firewall.@zone[-1].forward='ACCEPT'
|
|
uci set firewall.@zone[-1].network='tailscale'
|
|
|
|
# Forwarding Tailscale → WAN
|
|
uci add firewall forwarding
|
|
uci set firewall.@forwarding[-1].src='tailscale'
|
|
uci set firewall.@forwarding[-1].dest='wan'
|
|
|
|
uci commit firewall
|
|
/etc/init.d/firewall restart
|
|
```
|
|
|
|
## Schritt 3: Headscale — Routen freigeben
|
|
|
|
```bash
|
|
headscale routes list
|
|
headscale routes enable -r <ROUTE_ID>
|
|
```
|
|
|
|
## Schritt 4: Client zu Hause
|
|
|
|
```bash
|
|
tailscale up --accept-routes
|
|
```
|
|
|
|
---
|
|
|
|
## Hinweise
|
|
|
|
- **Heimnetz:** 192.168.222.0/24 — kollidiert nicht ✅
|
|
- **Exit-Node:** Nicht nötig, da nur Split-Tunnel gewünscht
|
|
- Router muss im Firmen-WLAN eingeloggt sein (Client-Mode)
|
|
|
|
---
|
|
|
|
*Erstellt: 2026-01-31*
|