Installation

Samuele Musiani edited this page Dec 1, 2025 · 19 revisions

Installing sasso takes a number of steps.

  1. An LDAP server must be installed. Sasso has only an admin user of its own; all other users come from external realms (for now only LDAP is supported). A simple LDAP server to install is lldap. From here on we assume the lldap server is ready and reachable at ldap://ldap.example.com.

  2. Sasso is written to be deployable in a generic context, but it has been tested only with one specific deployment: a Proxmox cluster where the server, the router and the VPN are separate VMs.

  3. Before creating the VMs, a token must be issued so that sasso can access the Proxmox APIs. Go to Datacenter->Permissions->API Tokens and issue a new token with all the required permissions (for now I suggest granting all the permissions possible).

  4. Create a dedicated SDN zone for sasso in Datacenter->SDN->Zones. The zone must be of type VXLAN. You can leave almost all fields at their defaults, but the Peer Address List must contain the IPs of all your PVE nodes. We suggest the name sasso for the zone.

Important

If the Proxmox firewall is enabled, VXLAN traffic must be allowed on all the nodes. To do this, create a new IPSet under Cluster->Firewall->IPSet and add the IPs of all the PVE nodes in the cluster. Then add a new firewall rule in Datacenter->Firewall from that IPSet to the same IPSet with action ACCEPT, protocol UDP and destination port 4789.

  5. You must have a template VM to clone in order for sasso to create VMs. This template must not have any network interface. It's also possible to add a tag so that sasso VMs are easier to distinguish from the others.

  6. Sasso has a frontend; we suggest using a reverse proxy to handle SSL/TLS certificates.

Service communication

In order to let the server communicate with the router and VPN services, we advise creating a separate VNet in the VXLAN zone to keep this traffic separated.

Server

  1. Deploy a new VM for the Sasso server. 1 GB of RAM, 8 GB of disk and 2 cores should be enough (if compilation is done outside the VM).

  2. The VM must be able to reach the Proxmox APIs in some way. At startup the Sasso server checks whether it can reach Proxmox, the gateway and the VPN, so look at the logs.

  3. Install PostgreSQL on the VM. Create a user and a DB (in a psql session):

create user sasso with encrypted PASSWORD 'random-string';
create database sasso;
grant all privileges on database sasso to sasso;
\c sasso;
grant all on schema public to sasso;

  4. Copy the server binary and the config file.
  5. Start the server with systemd:

[Unit]
Description=Sasso Server
Documentation=https://github.com/samuelemusiani/sasso

After=network.target
After=postgresql.service

[Service]
User=sasso
Group=sasso
Environment=GOTRACEBACK=crash
Environment=LOG_LEVEL=DEBUG
ExecStart=/opt/sasso/server /opt/sasso/config.toml
WorkingDirectory=/opt/sasso
ReadWriteDirectories=/opt/sasso
Restart=always

[Install]
WantedBy=multi-user.target

Router

  1. Deploy a VM for the router.
  2. Install PostgreSQL and configure a database.
  3. Check that the server's VM and the router's VM can communicate over a private network. Add a route for the VPN: ip r add 10.253.0.0/24 via 172.31.255.3 dev eth1, or use the shorewall routes file shown in the example below.
  4. Install shorewall.
  5. Configure shorewall. Shorewall becomes really slow when dealing with a lot of interfaces, so sasso was designed to avoid changing the firewall configuration as long as the right set of rules is provided. In particular, the main server creates all the nets with names of the form sas*, which means we can use a wildcard for the interface in shorewall:

# /etc/shorewall/zones
fw	firewall
out	ip
vpn	ip
internal	ip
sasso	ip
# /etc/shorewall/interfaces
?FORMAT 2
out	eth0
internal	eth1
sasso	sas+ routeback
# /etc/shorewall/hosts
vpn	ens19:10.253.0.0/24
# /etc/shorewall/policy
fw all ACCEPT
out all DROP

vpn	out,fw	DROP
vpn	all	ACCEPT
all	vpn	ACCEPT

internal fw ACCEPT
internal all DROP

sasso	out	ACCEPT	
sasso	all+	DROP	
# /etc/shorewall/rules
Ping(ACCEPT) out fw
ACCEPT out fw tcp ssh

# The following only if using the Linux gateway implementation
# ACCEPT out:<pve1>,<pve2>,... fw udp 4789
# /etc/shorewall/snat
MASQUERADE 10.250.0.0/16 eth0 # Should match the usable_subnet in config.toml
# /etc/shorewall/shorewall.conf
...
IP_FORWARDING=Yes
...
# /etc/shorewall/routes
main 10.253.0.0/24 172.31.255.3

  6. Choose a gateway implementation:
  • Linux: Recommended implementation, where the VXLAN interfaces are created inside the host (or the VM). You must add the VM/host IP to the Peers in the Proxmox VXLAN zone.
  • Proxmox: Old implementation, where the interfaces are added to the VM by Proxmox. Limited to 32 interfaces by Proxmox itself.
  7. Use systemd to start the service. You can set the log level. To use shorewall the executable must be run as root.

[Unit]
Description=Sasso Router
Documentation=https://github.com/samuelemusiani/sasso

After=network.target
After=postgresql.service

[Service]
Environment=GOTRACEBACK=crash
Environment=LOG_LEVEL=INFO
ExecStart=/opt/sasso/router /opt/sasso/config.toml
WorkingDirectory=/opt/sasso
ReadWriteDirectories=/opt/sasso
Restart=always

[Install]
WantedBy=multi-user.target
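
As an added illustration (not code from the sasso project), the following Python evaluates the router's /etc/shorewall/policy above with Shorewall's first-match semantics, so you can confirm what one sasso tenant net may reach before loading the rules. It assumes that all+ also matches intra-zone traffic and that intra-zone traffic with no explicit policy is accepted, which is Shorewall's documented default; the policy text is a constructed copy of the file above.

```python
# Added illustration (not sasso project code): first-match evaluation of a
# Shorewall policy file, run over a constructed copy of the router policy above.

ROUTER_POLICY = """\
fw all ACCEPT
out all DROP
vpn out,fw DROP
vpn all ACCEPT
all vpn ACCEPT
internal fw ACCEPT
internal all DROP
sasso out ACCEPT
sasso all+ DROP
"""


def parse_policy(text):
    """Return (source, dest, policy) tuples in file order; skip blanks and comments."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            entries.append((fields[0], fields[1], fields[2].upper()))
    return entries


def _matches(field, zone, intra):
    """'all' matches any zone except for intra-zone traffic; 'all+' matches both.
    A comma-separated list such as 'out,fw' matches if the zone is listed."""
    if field == "all+":
        return True
    if field == "all":
        return not intra
    return zone in field.split(",")


def lookup(entries, src, dst):
    """First matching entry wins (Shorewall policy semantics). Traffic staying
    inside one zone with no explicit policy is ACCEPTed, Shorewall's default."""
    intra = src == dst
    for e_src, e_dst, policy in entries:
        if _matches(e_src, src, intra) and _matches(e_dst, dst, intra):
            return policy
    return "ACCEPT" if intra else None


def tenant_reachability(text):
    """What a sasso tenant net (one sas* interface) can reach, and who can reach it."""
    entries = parse_policy(text)
    pairs = [("sasso", "out"), ("sasso", "internal"), ("sasso", "vpn"),
             ("sasso", "sasso"), ("vpn", "sasso"), ("out", "sasso")]
    return {f"{s}->{d}": lookup(entries, s, d) for s, d in pairs}
```

Note that because the policy file is first-match, the all vpn ACCEPT line placed before internal all DROP also lets the internal zone reach the VPN; move lines if that is not what you want.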

VPN

  1. Deploy a VM for the VPN.
  2. Check that the VPN's VM, the server's VM and the router's VM can all communicate over a private network.
  3. Make sure the VPN interface can communicate with the VMs. The traffic should cross the router, so add a static route on the VPN VM:

ip r a 10.250.0.0/16 via 172.31.255.2 dev eth1

  4. Install PostgreSQL and configure a database (same as for the server).
  5. Install WireGuard. Generate a private key with:

wg genkey

  6. Create a WireGuard config file for the sasso interface in /etc/wireguard/sasso.conf:

[Interface]
Address = 10.253.0.254/24 # This is your choice
ListenPort = 51820 # Standard port
PrivateKey = <private key>

  7. Bring the interface up with wg-quick up sasso and copy the public key printed by the wg command into the sasso config file.
  8. Install Shorewall and configure it:

# /etc/shorewall/zones
fw firewall
out ip
vms ip
internal ip
vpn ip
# /etc/shorewall/interfaces
out eth0
internal eth1
vpn sasso
# /etc/shorewall/hosts
vms eth1:10.250.0.0/16
# /etc/shorewall/policy
fw all ACCEPT
internal all DROP
out all DROP
vpn all DROP
vms all DROP
# /etc/shorewall/rules
Ping(ACCEPT) all fw
ACCEPT out fw tcp ssh
ACCEPT out fw udp 51820
# /etc/shorewall/shorewall.conf
...
IP_FORWARDING=Yes
...
# /etc/shorewall/routes
main 10.250.0.0/16 172.31.255.2