diff options
| author | Niklas Yann Wettengel <niyawe@niyawe.de> | 2021-07-28 01:12:10 +0200 |
|---|---|---|
| committer | Niklas Yann Wettengel <niyawe@niyawe.de> | 2021-07-28 01:12:10 +0200 |
| commit | 9ec1670a262597356c24bff27d473eccceb45b61 (patch) | |
| tree | 8d94c1ab62fef270ea45a103be179609272b3f82 | |
| parent | f394fd81667a44e267e83d3c453101598a21c58c (diff) | |
wg
30 files changed, 380 insertions, 319 deletions
diff --git a/host_vars/fastd-aw2 b/host_vars/fastd-aw2 index 9d8211a..351a5c9 100644 --- a/host_vars/fastd-aw2 +++ b/host_vars/fastd-aw2 @@ -19,7 +19,6 @@ sites: 63613666333161366366 fastd_mesh_mac: '02:ff:41:57:00:20' fastd_port1: 10014 - fastd_port2: 10015 bat_ipv6: '2a03:2260:1016:0202::1' bat_ipv4: '10.222.88.1' bat_ipv4_cidr: 21 @@ -27,22 +26,23 @@ sites: dhcp_netmask: '255.255.248.0' dhcp_start: '10.222.88.50' dhcp_end: '10.222.95.250' + vxlan_id: 11443185 wireguard_mesh_number: 2 wireguard_mesh_priv_key: !vault | $ANSIBLE_VAULT;1.1;AES256 - 38353835623539326161353437613231636465353366663537313433363263636339346230663736 - 3735616161383765343434356665633461623664383566370a313365666265313164643361653831 - 64383938633332343366316338313838633638333264663334353363316335303831303738656366 - 6438633936636563620a656231313465643330626333393163653435303135376233623434326566 - 64343864353865373062313263623133353366633639343933623466633365386366343839343936 - 3433656635626533373562633462633439366562316136363936 - wireguard_mesh_pub_key: 'jdboIn8RrZWcSNEoZKKaulhy/7qTcy5z5WM6xOOc0jg=' - wireguard_mesh_port: 10052 - wireguard_mesh_address: 'fdff:4157:bb::2' - wireguard_mesh_endpoint: '2a01:4f8:1c0c:51f8::1' - wireguard_mesh_mac_prefix: '02:ff:41:57:00:2' + 63616334663237313761666462326564376439633631633839373434393636366363666139653239 + 3361623733653863613637616439616266393039316332380a373031626239383537316536353862 + 66616563356131333439303665303039393965383939383038646236643063613231616330363938 + 6536333561353564620a353634613666383430656639313231363431313662386138396236313364 + 61653766653462343937396636643132323137636331346132313763313135633263613230366336 + 6461376335353964343564383335346366633438383566653066 + wireguard_mesh_pub_key: 'm3JXl4RCr9xNeWo9L2GXiGVCpPvRX3maaLUw6qPse1I=' + wireguard_mesh_port: 10015 + wireguard_mesh_address: 'fe80::00ff:41ff:fe57:2' + wireguard_mesh_endpoint: '{{ ansible_host }}' + wireguard_mesh_mac: '02:ff:41:57:00:02' wireguard_bb_name: 'fastd-aw2' -wireguard_bb_endpoint: '2a01:4f8:1c0c:51f8::1' +wireguard_bb_endpoint: '{{ ansible_host }}' wireguard_bb_priv_key: !vault | $ANSIBLE_VAULT;1.1;AES256 36623563623837633836333132656663613264633233666563343464333234643761643534373939 @@ -56,3 +56,13 @@ wireguard_bb_ipv4: '10.222.0.22' wireguard_bb_ipv6: 'fe80::ffbb:ffbb:22' wireguard_bb_port: 10122 preferred_uplink: 'uplink2' +wgkex_host: 'vpn.freifunk-myk.de' +wgkex_port: 18883 +wgkex_username: fastd-aw2 +wgkex_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 64666261663332636331613262383063353234646633393261653239333137373339656235306531 + 3865643538633738666330326664663866633138353938370a616134363036353233353365363935 + 39656435303966353230396230613164653838633335623365396537303164633965356539633765 + 3633346564303162630a373962336437356638346265346137643736316135343636633431323665 + 38396434663337366233343831393163653061623532346431323265643537626532 diff --git a/host_vars/fastd-ko2 b/host_vars/fastd-ko2 index c72d7a8..735f184 100644 --- a/host_vars/fastd-ko2 +++ b/host_vars/fastd-ko2 @@ -19,7 +19,6 @@ sites: 39633866633130373430 fastd_mesh_mac: '02:ff:4b:4f:00:20' fastd_port1: 10010 - fastd_port2: 10011 bat_ipv6: '2a03:2260:1016:0002::1' bat_ipv4: '10.222.24.1' bat_ipv4_cidr: 21 @@ -27,22 +26,23 @@ sites: dhcp_netmask: '255.255.248.0' dhcp_start: '10.222.24.50' dhcp_end: '10.222.31.250' + vxlan_id: 10891866 wireguard_mesh_number: 2 wireguard_mesh_priv_key: !vault | $ANSIBLE_VAULT;1.1;AES256 - 32633166363930323130333238333439363735316434353562613737643130653164616161346564 - 3232313464343664613563663932393036653839343735390a363162383131303864613564376335 - 34633361353363646234633437383663613366343165336566656561373430666366366230663961 - 3439646436626135620a653431313938653634643337326430316131393261383938663333393535 - 61393535366561306662313933616163626230343361363962643862346332646438303830393362 - 3763343234653738333933313339356539613561326363313932 - wireguard_mesh_pub_key: 'faw8PD5cehdnu2zGUlwCLyC14l5vdjim8jl7VELktR8=' - wireguard_mesh_port: 10050 - wireguard_mesh_address: 'fdff:4b4f:bb::2' - wireguard_mesh_endpoint: '2a01:4f8:1c0c:5a31::1' - wireguard_mesh_mac_prefix: '02:ff:4b:4f:00:2' + 63313939383639656138636261363033336636303837303565623733663038646637363261386666 + 3562656362636434653131623133396134646666633338320a303435636432363333376130626265 + 66306336363565303433353731646336353764353333383339303865346334636334343231343266 + 3732316335656636630a623364343866633765653232336363653335613065663639626439656533 + 65313464663534626566613238666237623562383763316331306463643339636138623166623964 + 3438626431373233666532623433313337356530346563323838 + wireguard_mesh_pub_key: 'Nv+aZ3cD6a9qvsrXipMbVG7kGiXV3e7tb92MTbyXDl4=' + wireguard_mesh_port: 10011 + wireguard_mesh_address: 'fe80::00ff:4bff:fe4f:2' + wireguard_mesh_endpoint: '{{ ansible_host }}' + wireguard_mesh_mac: '02:ff:4b:4f:00:02' wireguard_bb_name: 'fastd-ko2' -wireguard_bb_endpoint: '2a01:4f8:1c0c:5a31::1' +wireguard_bb_endpoint: '{{ ansible_host }}' wireguard_bb_priv_key: !vault | $ANSIBLE_VAULT;1.1;AES256 31626338356431653462646438666437656665303438626335323664353134643332393566393064 @@ -56,3 +56,13 @@ wireguard_bb_ipv4: '10.222.0.24' wireguard_bb_ipv6: 'fe80::ffbb:ffbb:24' wireguard_bb_port: 10124 preferred_uplink: 'uplink2' +wgkex_host: 'vpn.freifunk-myk.de' +wgkex_port: 18883 +wgkex_username: fastd-ko2 +wgkex_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 34643130343634366435323131373837303930313232636536386464363831326530623561393031 + 3431653039363730643661333131343066363261623461370a376136616131666138626133666439 + 34633765336366386532373436353763663337306633363532363332356163363938376335346135 + 6266366561383638360a636261383661363039323162336639303338373133613437326165666335 + 35633734383037343934383032313336376437656138333832393234616439316338 diff --git a/host_vars/fastd-my2 b/host_vars/fastd-my2 index 1111381..dd7b457 100644 --- a/host_vars/fastd-my2 +++ b/host_vars/fastd-my2 @@ -19,7 +19,6 @@ sites: 36396363306537636164 fastd_mesh_mac: '02:ff:4d:59:00:20' fastd_port1: 10016 - fastd_port2: 10017 bat_ipv6: '2a03:2260:1016:0302::1' bat_ipv4: '10.222.72.1' bat_ipv4_cidr: 21 @@ -27,22 +26,23 @@ sites: dhcp_netmask: '255.255.248.0' dhcp_start: '10.222.72.50' dhcp_end: '10.222.79.250' + vxlan_id: 6118532 wireguard_mesh_number: 2 wireguard_mesh_priv_key: !vault | $ANSIBLE_VAULT;1.1;AES256 - 35303465666162646130373132376638383738653865313335353931366634343535653464383639 - 3861656231343863336130386665303630336236343663380a626636653830326363363435303639 - 39643666363832343735383832306538383465643836393838333333343665353039623966623137 - 6531316631373164620a363339353538646436666430613039356531326465613161386165336532 - 64373438623331656132346566363262313865356132313236393633633432383635356531363162 - 3232386130343565633238326232623437373265363639613632 - wireguard_mesh_pub_key: 'acExsplIs2rSEk0NpYTREWxH2FsTR79Lpb3J3BzGWDM=' - wireguard_mesh_port: 10053 - wireguard_mesh_address: 'fdff:4d59:bb::2' - wireguard_mesh_endpoint: '2a01:4f8:1c17:4584::1' - wireguard_mesh_mac_prefix: '02:ff:4d:59:00:2' + 30353832633365613063633862383665666263393331323435393138643030393231643438353366 + 3039393736333564666530346630346130653138316436370a613763333334663731326363653863 + 39653139326462636531376136306666313537336265636334393831633035613337383464383838 + 3564356534323262370a393434353238383535363135393734636261633533323462623932366436 + 64613834363539303233356262373630373264623337356131623939646365653061663831343262 + 6464393331633661356232323338653137333635396137373636 + wireguard_mesh_pub_key: 'pwwP7VxQsVyi/GUSLvyenhHgf71SNKaGwItThTWGHDg=' + wireguard_mesh_port: 10017 + wireguard_mesh_address: 'fe80::00ff:4dff:fe59:2' + wireguard_mesh_endpoint: '{{ ansible_host }}' + wireguard_mesh_mac: '02:ff:4d:59:00:02' wireguard_bb_name: 'fastd-my2' -wireguard_bb_endpoint: '2a01:4f8:1c17:4584::1' +wireguard_bb_endpoint: '{{ ansible_host }}' wireguard_bb_priv_key: !vault | $ANSIBLE_VAULT;1.1;AES256 31323234396564386130646230326533323530633565643963346464366536363735346336363239 @@ -56,3 +56,13 @@ wireguard_bb_ipv4: '10.222.0.32' wireguard_bb_ipv6: 'fe80::ffbb:ffbb:32' wireguard_bb_port: 10132 preferred_uplink: 'uplink1' +wgkex_host: 'vpn.freifunk-myk.de' +wgkex_port: 18883 +wgkex_username: fastd-my2 +wgkex_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 39393164393433366239363561663166663734643333656562633536623538313334366331393132 + 3964333964613465343433306431656662663863393935380a313835396238333239373938633739 + 35616265643332333434323962323935346137313138623964643464383838653532613732313037 + 3962376161346262350a316332333734373338666333666564373537383633313364346263306361 + 32303065396339623566373134306665316430663332656364643633656132633031 diff --git a/host_vars/ff-kraftimion1 b/host_vars/ff-kraftimion1 index 6ee8511..d839b30 100644 --- a/host_vars/ff-kraftimion1 +++ b/host_vars/ff-kraftimion1 @@ -17,7 +17,6 @@ sites: 36323138306465396135 fastd_mesh_mac: '02:ff:57:57:00:20' fastd_port1: 10022 - fastd_port2: 10023 bat_ipv6: '2a03:2260:1016:0702::1' bat_ipv4: '10.30.24.1' bat_ipv4_cidr: 21 @@ -25,6 +24,7 @@ sites: dhcp_netmask: '255.255.248.0' dhcp_start: '10.30.24.50' dhcp_end: '10.30.31.250' + vxlan_id: 1234 wireguard_mesh_number: 2 wireguard_mesh_priv_key: !vault | $ANSIBLE_VAULT;1.1;AES256 @@ -35,12 +35,12 @@ sites: 36383535333332653337393330663032396631306236633866376263303033373030313831306363 6332633533326431316338616233333263306662363837386263 wireguard_mesh_pub_key: '49N466A3ADnn56V84asWGAyrTGRHGv5YrkoXfZz58h8=' - wireguard_mesh_port: 10057 + wireguard_mesh_port: 10023 wireguard_mesh_address: 'fdff:5757:bb::2' - wireguard_mesh_endpoint: '2a01:4f8:161:122c:3:1:0:1' - wireguard_mesh_mac_prefix: '02:ff:57:57:00:1' + wireguard_mesh_endpoint: '{{ ansible_host }}' + wireguard_mesh_mac: '02:ff:57:57:00:02' wireguard_bb_name: 'kraftimion1' -wireguard_bb_endpoint: '2a01:4f8:161:122c:3:1:0:1' +wireguard_bb_endpoint: '{{ ansible_host }}' wireguard_bb_priv_key: !vault | $ANSIBLE_VAULT;1.1;AES256 38376538313338636336346565626462623438333361303138633537666132633561383234306630 diff --git a/host_vars/ff-loppermann1 b/host_vars/ff-loppermann1 index ccf98ac..ebb00a8 100644 --- a/host_vars/ff-loppermann1 +++ b/host_vars/ff-loppermann1 @@ -17,7 +17,6 @@ sites: 35396461636664396633 fastd_mesh_mac: '02:ff:41:57:00:10' fastd_port1: 10014 - fastd_port2: 10015 bat_ipv6: '2a03:2260:1016:0201::1' bat_ipv4: '10.222.80.1' bat_ipv4_cidr: 21 @@ -25,20 +24,21 @@ sites: dhcp_netmask: '255.255.248.0' dhcp_start: '10.222.80.50' dhcp_end: '10.222.87.250' + vxlan_id: 11443185 wireguard_mesh_number: 1 wireguard_mesh_priv_key: !vault | $ANSIBLE_VAULT;1.1;AES256 - 63383761663434323865396664393839333861303233393666396462363662633238613963656164 - 3066633135353637356331393639353366393061373564320a343462396239636565366364643236 - 37643666333939626136316563363332323638323462373133656531643439363336326561623064 - 3735343534363736380a333238306136323465366662333861316237646334643332633566366634 - 62616135303462313262626335626331396366653238343637383931323563336162393334396437 - 3639383962636464636233353933613730366262666533626431 - wireguard_mesh_pub_key: '65M3xfawqfiCB6OZ2boH4rxZyC2jZnG5yqerurbVV10=' - wireguard_mesh_port: 10052 - wireguard_mesh_address: 'fdff:4157:bb::1' - wireguard_mesh_endpoint: '2a01:4f8:140:1242:ff::2' - wireguard_mesh_mac_prefix: '02:ff:41:57:00:1' + 35303461376637356232386239353362353333383966613030646361313338663839646666306237 + 3433636237396630623830303938663735376337666337640a346635616337306235376434643265 + 66396465393962326635313966653533313638646361383638373836313063346361343364306636 + 3033393631306137630a333763386666623835623635633839616165616362633836626135323530 + 35393363646161333062396139626563383334383262333066636663663634353635626334383935 + 3437616563363566613736623361633934643962643662366338 + wireguard_mesh_pub_key: 'tf/eNi+WOlsoXTmtAvQEwRv64YME0SIE+rlQysLd/Dc=' + wireguard_mesh_port: 10015 + wireguard_mesh_address: 'fe80::00ff:41ff:fe57:1' + wireguard_mesh_endpoint: '{{ ansible_host }}' + wireguard_mesh_mac: '02:ff:41:57:00:01' - name: 'sim' net4: '10.222.184.0/21' net6: '2a03:2260:1016:0402::/64' @@ -55,7 +55,6 @@ sites: 34303934616666633764 fastd_mesh_mac: '02:ff:53:49:4d:20' fastd_port1: 10018 - fastd_port2: 10019 bat_ipv6: '2a03:2260:1016:0402::1' bat_ipv4: '10.222.184.1' bat_ipv4_cidr: 21 @@ -63,22 +62,23 @@ sites: dhcp_netmask: '255.255.248.0' dhcp_start: '10.222.184.50' dhcp_end: '10.222.191.250' + vxlan_id: 10908477 wireguard_mesh_number: 2 wireguard_mesh_priv_key: !vault | $ANSIBLE_VAULT;1.1;AES256 - 61356134643033316531313738343064633137373632356130336564636463396232326538363932 - 3262343039376663306662306235666163633337396564630a613263353762326532393434373664 - 32366461356635353563313335353761376137363638616137356261333236306461383638336262 - 6333626663646665660a313230326661663466323764323163623236663363356366363330303865 - 39383134396137343638376438376531343662353761336361303166313537346231333563393838 - 3563613064366234373639626134333862323832636461653931 - wireguard_mesh_pub_key: 'wi+IyKglGh9fZ+C4sGHa5RYCN334dryHROuDx5p2AxE=' - wireguard_mesh_port: 10054 - wireguard_mesh_address: 'fdff:5349:4dbb::2' - wireguard_mesh_endpoint: '2a01:4f8:140:1242:ff::2' - wireguard_mesh_mac_prefix: '02:ff:53:49:4d:2' + 31343338643330396338336365636336363537633939396265336639666464643563353362613863 + 3234616436313331303433613837663033653437323839340a663838646136323265653861636539 + 63373462646430376265356533363932393861626133356536306237373730303132313366306538 + 3034653565386462640a666361653236373562653464643562636232303965663437376535646363 + 63333662333630383162326166323239333966323537303238353164373939343735366230313031 + 3731663830326363323062363637663730313736383139353732 + wireguard_mesh_pub_key: 'hDx+zhY9WgabV3Sgp7fsfRRqNIzOP5z0Tl2t7wZjzBw=' + wireguard_mesh_port: 10019 + wireguard_mesh_address: 'fe80::00ff:53ff:fe49:4d02' + wireguard_mesh_endpoint: '{{ ansible_host }}' + wireguard_mesh_mac: '02:ff:53:49:4d:02' wireguard_bb_name: 'loppermann1' -wireguard_bb_endpoint: '2a01:4f8:140:1242:ff::2' +wireguard_bb_endpoint: '{{ ansible_host }}' wireguard_bb_priv_key: !vault | $ANSIBLE_VAULT;1.1;AES256 34613832343432386134316533323739613464396461396463303535393937353233363534346362 @@ -92,3 +92,13 @@ wireguard_bb_ipv4: '10.222.0.16' wireguard_bb_ipv6: 'fe80::ffbb:ffbb:16' wireguard_bb_port: 10116 preferred_uplink: 'uplink1' +wgkex_host: 'vpn.freifunk-myk.de' +wgkex_port: 18883 +wgkex_username: ff-loppermann1 +wgkex_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 34346166646261616633633164303864613233366165653866636437386164316335376639623066 + 3935323336386461373463353964633562636631643134340a643463373766383864376636663438 + 62336333386162663236613165393162316262333362633438623239633933643830663964373161 + 3365666263623435350a363661656362643738653662316539316535373064393933633637386638 + 63336462333631343838343634343162336436313262336432313233393235393765 diff --git a/host_vars/ff-niyawe1 b/host_vars/ff-niyawe1 index c3b8a58..30ea966 100644 --- a/host_vars/ff-niyawe1 +++ b/host_vars/ff-niyawe1 @@ -18,7 +18,6 @@ sites: 36656539623732333130 fastd_mesh_mac: '02:ff:4b:4f:00:10' fastd_port1: 10010 - fastd_port2: 10011 bat_ipv6: '2a03:2260:1016:0001::1' bat_ipv4: '10.222.16.1' bat_ipv4_cidr: 21 @@ -26,22 +25,23 @@ sites: dhcp_netmask: '255.255.248.0' dhcp_start: '10.222.16.50' dhcp_end: '10.222.23.250' + vxlan_id: 10891866 wireguard_mesh_number: 1 wireguard_mesh_priv_key: !vault | $ANSIBLE_VAULT;1.1;AES256 - 66336261633234613038313339626461653936393933666139386463366632666661353432623638 - 3665643537616631393130343730616366356232363735340a653365326533656261383636386432 - 39393664653937373562363466343261376265336564323938313734613538376465326466313861 - 3365346464666634380a666630366630353862663737363033353432393837303133643161326634 - 35326433356537333335313766663232313735336133633339356337613737393936343338323830 - 3732386237396637383433323465613461373362663965353533 - wireguard_mesh_pub_key: 'mbYqSr9Rurg2jbyVP3HMAaKXpV/nDugxNyl43V1eRS0=' - wireguard_mesh_port: 10050 - wireguard_mesh_address: 'fdff:4b4f:bb::1' - wireguard_mesh_endpoint: '2a01:4f8:151:13cd:2::3' - wireguard_mesh_mac_prefix: '02:ff:4b:4f:00:1' + 34656161316639303136656263333135366332393530646366373463356164326466316239303936 + 3932353863383437636630613562303662326232663131640a393833386164666634633964626138 + 33336365373833316266353865633930346664613363633235346432326430326233396336316265 + 3230373439313932360a653139636530383331666265393135653239363936663430623436663566 + 66333332363636343865663234396134346531633066626138663533333735323837373532636531 + 3966323936353934633637633965656663333366363634636165 + wireguard_mesh_pub_key: 'jEPb55U0LjcVb+3ekAIW2Tmn07AmrBwU9DwJHwWO7i4=' + wireguard_mesh_port: 10011 + wireguard_mesh_address: 'fe80::00ff:4bff:fe4f:1' + wireguard_mesh_endpoint: '{{ ansible_host }}' + wireguard_mesh_mac: '02:ff:4b:4f:00:01' wireguard_bb_name: 'niyawe1' -wireguard_bb_endpoint: '2a01:4f8:151:13cd:2::3' +wireguard_bb_endpoint: '{{ ansible_host }}' wireguard_bb_priv_key: !vault | $ANSIBLE_VAULT;1.1;AES256 62623537663537643532356163613166336165323463663033303431613136353936383439383036 @@ -55,3 +55,13 @@ wireguard_bb_ipv4: '10.222.0.11' wireguard_bb_ipv6: 'fe80::ffbb:ffbb:11' wireguard_bb_port: 10111 preferred_uplink: 'uplink1' +wgkex_host: 'vpn.freifunk-myk.de' +wgkex_port: 18883 +wgkex_username: niyawe1 +wgkex_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 36663866376238393738383262353531363531653134383962346166643661626361626431373334 + 3062653736326232646239653733303165666433653864370a363031396136313335366239633665 + 64656434323338346666393334656535616237313639316536303431343036653335626231633933 + 3730643362666330630a616333613961636534306235313365353064383337343366353735663639 + 34336138333864373262396434356265373162356161666235666436366562666264 diff --git a/host_vars/ff-niyawe2 b/host_vars/ff-niyawe2 index 25553a7..c57d17d 100644 --- a/host_vars/ff-niyawe2 +++ b/host_vars/ff-niyawe2 @@ -18,7 +18,6 @@ sites: 63646437393532356338 fastd_mesh_mac: '02:ff:45:4d:53:10' fastd_port1: 10020 - fastd_port2: 10021 bat_ipv6: '2a03:2260:1016:0501::1' bat_ipv4: '10.222.192.1' bat_ipv4_cidr: 21 @@ -26,20 +25,21 @@ sites: dhcp_netmask: '255.255.248.0' dhcp_start: '10.222.192.50' dhcp_end: '10.222.199.250' + vxlan_id: 337565 wireguard_mesh_number: 1 wireguard_mesh_priv_key: !vault | $ANSIBLE_VAULT;1.1;AES256 - 63623465313439373532643831653635646236616234373836353866656566363561323863373839 - 3338303064653766633231633361656535666134343261650a626362346535313561376238623837 - 39393238386266626663323830333664396331343431626436363533356633396565656437353262 - 6461633864323038380a306336663536633231346533313936303765663736313933323964336232 - 32653462343239373734623330303766333261383837353963623766363138626634656165343033 - 3532373331656561613832613134613965336532663839363266 - wireguard_mesh_pub_key: 'SOXPYthzuHKPDTWJRJ391jmL4aOXKVif+La4zXYSbR0=' - wireguard_mesh_port: 10055 - wireguard_mesh_address: 'fdff:454d:53bb::1' - wireguard_mesh_endpoint: '2a01:4f8:a0:826b:2::4' - wireguard_mesh_mac_prefix: '02:ff:45:4d:53:1' + 32383031666464633861313732653264663463383036366539366431383066323438663738613265 + 6339636531646365336462353065633937373836323431610a343432616361646334636338306331 + 38663662373334653931656633373064613866336231613463303261646261323831623339616537 + 3933663036616664390a373965633838353535386239343864633435646566393334373637636561 + 38663566373433356165616535343366623562623464653034653963653235643935346632643533 + 6665633237376664613030373236396663383461366433303631 + wireguard_mesh_pub_key: '97Ih/Gvgwj6W3Dcf0iMFm+DtLlkNEiSwIEwnUwlmMUI=' + wireguard_mesh_port: 10021 + wireguard_mesh_address: 'fe80::00ff:45ff:fe4d:5301' + wireguard_mesh_endpoint: '{{ ansible_host }}' + wireguard_mesh_mac: '02:ff:45:4d:53:01' - name: 'my' net4: '10.222.64.0/21' net6: '2a03:2260:1016:0301::/64' @@ -56,7 +56,6 @@ sites: 36303333346530376134 fastd_mesh_mac: '02:ff:4d:59:00:10' fastd_port1: 10016 - fastd_port2: 10017 bat_ipv6: '2a03:2260:1016:0301::1' bat_ipv4: '10.222.64.1' bat_ipv4_cidr: 21 @@ -64,22 +63,23 @@ sites: dhcp_netmask: '255.255.248.0' dhcp_start: '10.222.64.50' dhcp_end: '10.222.71.250' + vxlan_id: 6118532 wireguard_mesh_number: 1 wireguard_mesh_priv_key: !vault | $ANSIBLE_VAULT;1.1;AES256 - 30373738613931353235333135323137626661663530656237343031653938653763373937333339 - 6131386232633866633038643230393433653764633830380a333532323531653863333163373463 - 62356638366134336134633333393630313763353262393564613038646266393733343831333439 - 6635373035343836340a663530383865653037396530613434376637633136353163366239633266 - 37646337366630653632623432323162383965666330316337383962363761323162303534303032 - 3561326432633130653332306236643637343736646163333732 - wireguard_mesh_pub_key: 'savF0Td3FRi8HcffTG+Hv/k/djVcbzGkQhTNYTAMtRg=' - wireguard_mesh_port: 10053 - wireguard_mesh_address: 'fdff:4d59:bb::1' - wireguard_mesh_endpoint: '2a01:4f8:a0:826b:2::4' - wireguard_mesh_mac_prefix: '02:ff:4d:59:00:1' + 63656233363539313336616565373830326235316135656535326364386339323762663433336266 + 6133336162323639663332343466666263653462376533620a623731663765646462663438653762 + 39376330613036353638356462376165393630393034343265383334616331643632323235376661 + 3632613063343461340a613637366461663134323738313566386432313233613862376335393732 + 61616262613936396661623735343131613835643431663935386134643062626430306430346130 + 6339373236313865653265636463373236316333646565313939 + wireguard_mesh_pub_key: '+7I9fQugmzYpTssYZwQaLGwC2PfIElHyPY2iPZ7+NEs=' + wireguard_mesh_port: 10017 + wireguard_mesh_address: 'fe80::00ff:4dff:fe59:1' + wireguard_mesh_endpoint: '{{ ansible_host }}' + wireguard_mesh_mac: '02:ff:4d:59:00:01' wireguard_bb_name: 'niyawe2' -wireguard_bb_endpoint: '2a01:4f8:a0:826b:2::4' +wireguard_bb_endpoint: '{{ ansible_host }}' wireguard_bb_priv_key: !vault | $ANSIBLE_VAULT;1.1;AES256 35363033353438343934353931643434386239316435326139643133366438646261643261653430 @@ -93,3 +93,13 @@ wireguard_bb_ipv4: '10.222.0.12' wireguard_bb_ipv6: 'fe80::ffbb:ffbb:12' wireguard_bb_port: 10112 preferred_uplink: 'uplink2' +wgkex_host: 'vpn.freifunk-myk.de' +wgkex_port: 18883 +wgkex_username: ff-niyawe2 +wgkex_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 65656636353639633062316439333865636537373337646162613265333537653037643264363366 + 3565336561613065303661666335383465346364356365320a353037353034666338646138646631 + 61356138343238323464393238646261363965363034373138333832323762633433376139376265 + 3930346161666561380a333433333064386364363735666535386165353466303964393362656431 + 31373135666239633437363030666533646262353565636638616632303735313666 diff --git a/host_vars/ff-niyawe3 b/host_vars/ff-niyawe3 index 8301103..6fa9d4a 100644 --- a/host_vars/ff-niyawe3 +++ b/host_vars/ff-niyawe3 @@ -17,7 +17,6 @@ sites: 61303232626638303231 fastd_mesh_mac: '02:ff:43:4f:43:10' fastd_port1: 10012 - fastd_port2: 10013 bat_ipv6: '2a03:2260:1016:0101::1' bat_ipv4: '10.222.48.1' bat_ipv4_cidr: 21 @@ -25,20 +24,21 @@ sites: dhcp_netmask: '255.255.248.0' dhcp_start: '10.222.48.50' dhcp_end: '10.222.55.250' + vxlan_id: 10540244 wireguard_mesh_number: 1 wireguard_mesh_priv_key: !vault | $ANSIBLE_VAULT;1.1;AES256 - 65393166666534346265306137336538623436363861653665616334313539643935633538366532 - 3237313434633365353936643261343930346266663032350a356464363739333961636462336138 - 34323637643834333635633366336132373034353865653864343335363139643066383536653362 - 3564393430333862650a333364343162613362633461383063323031343661303139343036623332 - 61656335373662653163393363633366643138383335653639343663613262323837623062373035 - 3431353931643661633362623166643763643039343862326664 - wireguard_mesh_pub_key: '1l8yIMvXfhtP+pKEB5ivOFDK99VtL++L5Z8hdnScHEg=' - wireguard_mesh_port: 10051 - wireguard_mesh_address: 'fdff:434f:43bb::1' - wireguard_mesh_endpoint: '2a01:4f8:160:33c1:2::3' - wireguard_mesh_mac_prefix: '02:ff:43:4f:43:1' + 37346162323035633263653630353265333838376165636664363434666263636230383339336535 + 3666316438633539313137666461353133376532386434650a306262643965636431303138326436 + 62306233303134653232663233343134393833643866396466663664656638663864656266386336 + 3630343163393334390a303632663962316365626330613464353263616364366533316566633730 + 32366232336331653366656237323561323939356235323864393463616133373035323763363261 + 3937633731373231316433373866643365316637323134363931 + wireguard_mesh_pub_key: 'dqyoKKWYSfaov1zc1SpKbtVJPsoCDui5NsFzTCoqkBs=' + wireguard_mesh_port: 10013 + wireguard_mesh_address: 'fe80::00ff:43ff:fe4f:4301' + wireguard_mesh_endpoint: '{{ ansible_host }}' + wireguard_mesh_mac: '02:ff:43:4f:43:01' - name: 'ems' net4: '10.222.200.0/21' net6: '2a03:2260:1016:0502::/64' @@ -55,7 +55,6 @@ sites: 33396464306363333965 fastd_mesh_mac: '02:ff:45:4d:53:20' fastd_port1: 10020 - fastd_port2: 10021 bat_ipv6: '2a03:2260:1016:0502::1' bat_ipv4: '10.222.200.1' bat_ipv4_cidr: 21 @@ -63,22 +62,23 @@ sites: dhcp_netmask: '255.255.248.0' dhcp_start: '10.222.200.50' dhcp_end: '10.222.207.250' + vxlan_id: 337565 wireguard_mesh_number: 2 wireguard_mesh_priv_key: !vault | $ANSIBLE_VAULT;1.1;AES256 - 65323566376335353033303561663336343266383032343333323564653162333136646130326436 - 3337643031616531346332383639396533623032356332390a393563373133643465613230356561 - 31393461396531373436316639653138306337633831376164373434616262323830396532353937 - 6230333938303038340a383664373762316363626664636639363736343836376637366362346231 - 39343462316361653932306438313537396536663830626137656565373363663161343463326637 - 3035626464626263316634373161396135363261336236613063 - wireguard_mesh_pub_key: '2RULJYV2+K8ZCmab91dqeCBDGSEJkJ5lPC3iJg0w3R8=' - wireguard_mesh_port: 10055 - wireguard_mesh_address: 'fdff:454d:53bb::2' - wireguard_mesh_endpoint: '2a01:4f8:160:33c1:2::3' - wireguard_mesh_mac_prefix: '02:ff:45:4d:53:2' + 64643165393762323161656536383934313365353664373636663937353531383333326164623434 + 3063356664313437353465346430303233303233343965320a373733326437616163616464356436 + 36323839353437656539383937333032353233316639363130666238303238623565363664613735 + 3037313661383930640a346235346661353435633362373861633134396466376631336637663534 + 34623365386161333230616339326665623535366333373436616633623634636139653766643165 + 3334653163353965383235356266623566666136663832396461 + wireguard_mesh_pub_key: 'bOg54QrGq1DjyVQ13DKNkRYXKSy2bwhy3UM+HfCJPE8=' + wireguard_mesh_port: 10021 + wireguard_mesh_address: 'fe80::00ff:45ff:fe4d:5302' + wireguard_mesh_endpoint: '{{ ansible_host }}' + wireguard_mesh_mac: '02:ff:45:4d:53:02' wireguard_bb_name: 'niyawe3' -wireguard_bb_endpoint: '2a01:4f8:160:33c1:2::3' +wireguard_bb_endpoint: '{{ ansible_host }}' wireguard_bb_priv_key: !vault | $ANSIBLE_VAULT;1.1;AES256 36646461356165306461613362613937343861353538646234656230313937386263663435366432 @@ -92,3 +92,13 @@ wireguard_bb_ipv4: '10.222.0.13' wireguard_bb_ipv6: 'fe80::ffbb:ffbb:13' wireguard_bb_port: 10113 preferred_uplink: 'uplink1' +wgkex_host: 'vpn.freifunk-myk.de' +wgkex_port: 18883 +wgkex_username: ff-niyawe3 +wgkex_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 62363231646533343134353534343233626435633966303235666436613634396663633137616566 + 6339333737616234633435373634613235303464346131370a353564623762306133363534393864 + 30323935373061386137316435313931616662336539396136613935623562303662613237376538 + 3865643262306433380a656339303865376530353862336532313466393132396239626531303665 + 30646361336632316334396432303330633837373237353836393166373965613762 diff --git a/host_vars/ff-niyawe4 b/host_vars/ff-niyawe4 index 641243b..427cb93 100644 --- a/host_vars/ff-niyawe4 +++ b/host_vars/ff-niyawe4 @@ -17,7 +17,6 @@ sites: 63613861373562663734 fastd_mesh_mac: '02:ff:57:57:00:10' fastd_port1: 10022 - fastd_port2: 10023 bat_ipv6: '2a03:2260:1016:0701::1' bat_ipv4: '10.30.16.1' bat_ipv4_cidr: 21 @@ -25,6 +24,7 @@ sites: dhcp_netmask: '255.255.248.0' dhcp_start: '10.30.16.50' dhcp_end: '10.30.23.250' + vxlan_id: 1234 wireguard_mesh_number: 1 wireguard_mesh_priv_key: !vault | $ANSIBLE_VAULT;1.1;AES256 @@ -35,10 +35,10 @@ sites: 32663837656534656163353539363539333266633239636662663061626337393232326235313731 6636626434626435646462663762613138366336316465656532 wireguard_mesh_pub_key: 'Uv5i4M/lo/abi9b7gsNbc+PE+bEhpz3jQR8jFfQY7mU=' - wireguard_mesh_port: 10057 + wireguard_mesh_port: 10023 wireguard_mesh_address: 'fdff:5757:bb::1' - wireguard_mesh_endpoint: '2a01:4f8:a0:9395:2::4' - wireguard_mesh_mac_prefix: '02:ff:57:57:00:1' + wireguard_mesh_endpoint: '{{ ansible_host }}' + wireguard_mesh_mac: '02:ff:57:57:00:01' - name: 'sim' net4: '10.222.176.0/21' net6: '2a03:2260:1016:0401::/64' @@ -55,7 +55,6 @@ sites: 34343163616561343163 fastd_mesh_mac: '02:ff:53:49:4d:10' fastd_port1: 10018 - fastd_port2: 10019 bat_ipv6: '2a03:2260:1016:0401::1' bat_ipv4: '10.222.176.1' bat_ipv4_cidr: 21 @@ -63,20 +62,21 @@ sites: dhcp_netmask: '255.255.240.0' dhcp_start: '10.222.176.50' dhcp_end: '10.222.183.250' + vxlan_id: 10908477 wireguard_mesh_number: 1 wireguard_mesh_priv_key: !vault | $ANSIBLE_VAULT;1.1;AES256 - 30613965636361353637353963636263363931616566643364326162323765616266633033336538 - 3038653965303234356665646166623766616163353764300a303033323935376261303161366133 - 66306431323365626366383265303438643964343232383939616134303239633333363638333137 - 3936663331336261620a346263663935643962326663356639613531323735636164396461393936 - 66386466333833393635666431326664383830343765323438613364656631383338373163376537 - 6630303832313539383664366338383333633163633139366338 - wireguard_mesh_pub_key: 'leFz1AeyMu884CRWkET9epW3jGksyopaANNiskvAkmc=' - wireguard_mesh_port: 10054 - wireguard_mesh_address: 'fdff:5349:4dbb::1' - wireguard_mesh_endpoint: '2a01:4f8:a0:9395:2::4' - wireguard_mesh_mac_prefix: '02:ff:53:49:4d:1' + 61663530636333343161656664313464306533343934306335653137303463663663386663366463 + 6538396238616663336633326564386663343531653831650a633230653464636337653431663238 + 61363635616139643237626462306530313636383962653533626637666162643263323566373439 + 6632366462303033370a396638303765323939343335383165643739313738366363396566376337 + 65333237343631613636303639636231363331393262353566623564306330353038343562663464 + 6335616665613065393164383332633162306137396133343030 + wireguard_mesh_pub_key: '3587KYreUmBTyARprP+gRKlM7Uo6HH1JJYR5v9JcMkE=' + wireguard_mesh_port: 10019 + wireguard_mesh_address: 'fe80::00ff:53ff:fe49:4d01' + wireguard_mesh_endpoint: '{{ ansible_host }}' + wireguard_mesh_mac: '02:ff:53:49:4d:01' - name: 'coc' net4: '10.222.56.0/21' net6: '2a03:2260:1016:0102::/64' @@ -93,7 +93,6 @@ sites: 35346363653832386138 fastd_mesh_mac: '02:ff:43:4f:43:20' fastd_port1: 10012 - fastd_port2: 10013 bat_ipv6: '2a03:2260:1016:0102::1' bat_ipv4: '10.222.56.1' bat_ipv4_cidr: 21 @@ -101,22 +100,23 @@ sites: dhcp_netmask: '255.255.248.0' dhcp_start: '10.222.56.50' dhcp_end: '10.222.63.250' + vxlan_id: 10540244 wireguard_mesh_number: 2 wireguard_mesh_priv_key: !vault | $ANSIBLE_VAULT;1.1;AES256 - 30616336326166366137353934323334356336353933643561333432303134303766313664666265 - 3834626539666264366566343161636234313036613337340a663937353336333938656362373631 - 36633136386165636362643764306432353632626330386464316639646435323032313262313363 - 3861353234373533310a323166666232613861616637386262356266316336323263656336663366 - 35616566656538373633326531323766303532613861623765653839353933383732613761333230 - 6461633533373466346138656462346532303430653465306334 - wireguard_mesh_pub_key: 'gQH/0cJAwFzmUyoqQ/zkQt5Ez3r+UL+ZSbWcovJMCCw=' - wireguard_mesh_port: 10051 - wireguard_mesh_address: 'fdff:434f:43bb::2' - wireguard_mesh_endpoint: '2a01:4f8:a0:9395:2::4' - wireguard_mesh_mac_prefix: '02:ff:43:4f:43:2' + 36326163616362316539366532373738393861343162346362346165323431306133663066616632 + 3333633636643530393030353930396165343134313531620a346361656539383935653061643633 + 36613038613336313137656264663661646233396333396563643664346339356530666231633130 + 6662326532323239300a653662653264636462353961383437623637636161363430643935326439 + 37366265376637653531613537346663343364626332343931613462666366643231356335626631 + 6238633631656139383733333739373733356430343132353330 + wireguard_mesh_pub_key: 'qshyUBm3WTO0u+InjrJ5+oTv9xVzRGoOIuZOlC5/e2A=' + wireguard_mesh_port: 10013 + wireguard_mesh_address: 'fe80::00ff:43ff:fe4f:4302' + wireguard_mesh_endpoint: '{{ ansible_host }}' + wireguard_mesh_mac: '02:ff:43:4f:43:02' wireguard_bb_name: 'niyawe4' -wireguard_bb_endpoint: '2a01:4f8:a0:9395:2::4' +wireguard_bb_endpoint: '{{ ansible_host }}' wireguard_bb_priv_key: !vault | $ANSIBLE_VAULT;1.1;AES256 38383133393039323737656234336237336566363034316339373835336665356332363635353261 @@ -130,3 +130,13 @@ wireguard_bb_ipv4: '10.222.0.17' wireguard_bb_ipv6: 'fe80::ffbb:ffbb:17' wireguard_bb_port: 10117 preferred_uplink: 'uplink2' +wgkex_host: 'vpn.freifunk-myk.de' +wgkex_port: 18883 +wgkex_username: ff-niyawe4 +wgkex_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 62323766636136336331366539613065353562633734343362313330663637666636643132323564 + 3039663063666264343665363030666230336230663637380a303432356537326436383665333533 + 65363333323330373031363065666432303338303736373061383361396638663165383531643537 + 6461373638343637640a646164353261326265663733633636313161346638313134616234633361 + 65663365376233643562616132636565376334366336393836623335633530623037 diff --git a/inventory.ini b/inventory.ini index ae445cb..98fbaa1 100644 --- a/inventory.ini +++ b/inventory.ini @@ -15,9 +15,6 @@ fastd-aw2 fastd-ko2 fastd-my2 -[wg] -ff-wg-niyawe1 - [icvpn] ff-icvpn diff --git a/roles/configure_iptables/templates/ip6tables.rules b/roles/configure_iptables/templates/ip6tables.rules index 2a4f9d1..79d9f86 100644 --- a/roles/configure_iptables/templates/ip6tables.rules +++ b/roles/configure_iptables/templates/ip6tables.rules @@ -4,13 +4,13 @@ :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] -{% if 'fastd' in group_names or 'wg' in group_names %} +{% if 'fastd' in group_names %} {% for site in sites %} -A PREROUTING -i bat{{ site.name }} -j MARK --set-xmark 0x1/0xffffffff {% endfor %} {% endif %} -{% if 'fastd' in group_names or 'wg' in group_names %} +{% if 'fastd' in group_names %} {% for peer in groups['uplink'] %} -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff {% endfor %} @@ -19,9 +19,6 @@ {% for peer in groups['fastd'] %} -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff {% endfor %} -{% for peer in groups['wg'] %} --A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff -{% endfor %} {% for peer in groups['uplink'] | difference([inventory_hostname]) %} -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff {% endfor %} @@ -45,34 +42,25 @@ COMMIT # iperf3 -A INPUT -p tcp -m tcp -s 2a03:2260:1016::/48 --dport 5201 -j ACCEPT -{% if 'fastd' in group_names or 'wg' in group_names %} +{% if 'fastd' in group_names %} # dns -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT -A INPUT -p udp -m udp --dport 53 -j ACCEPT # ntp -A INPUT -p udp -m udp --dport 123 -j ACCEPT -{% endif %} -{% if 'fastd' in group_names %} -# fastd +# fastd / wg -A INPUT -s 2a03:2260:1016::/48 -p udp -m udp --dport 10010:10023 -j DROP -A INPUT -p udp -m udp --dport 10010:10023 -j ACCEPT -{% endif %} -{% if 'wg' in group_names %} -# wg --A INPUT -s 2a03:2260:1016::/48 -p udp -m udp --dport 10000 -j DROP --A INPUT -p udp -m udp --dport 10000 -j ACCEPT -{% endif %} -{% if 'fastd' in group_names or 'wg' in group_names %} # respondd -A INPUT -i bat+ -p udp -m udp --dport 1001 -j ACCEPT # wireguard_mesh {% for site in sites %} -A INPUT -p udp -m udp --dport {{ site.wireguard_mesh_port }} -j ACCEPT --A INPUT -s {{ site.wireguard_mesh_address }}/48 -p gre -j ACCEPT +-A INPUT -i wg{{ site.name }} -p udp --dport 8472 -j ACCEPT {% endfor %} {% endif %} # wireguard_backbone -{% if 'fastd' in group_names or 'wg' in group_names %} +{% if 'fastd' in group_names %} {% for peer in groups['uplink'] %} -A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT -A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT @@ -83,10 +71,6 @@ COMMIT -A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT -A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT {% endfor %} -{% for peer in groups['wg'] %} --A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT --A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT -{% endfor %} {% for peer in groups['uplink'] | difference([inventory_hostname]) %} -A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT -A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT @@ -108,9 +92,8 @@ COMMIT # LOG -A INPUT -m limit --limit 2/min -j LOG --log-prefix "IP6Tables-Dropped input: " --log-level 4 -{% if 'fastd' in group_names or 'wg' in group_names %} +{% if 'fastd' in group_names %} {% for site in sites %} --A FORWARD -i bat{{ site.name }} -p udp --dport 10000 -j REJECT -A FORWARD -i bat{{ site.name }} -p udp --dport 10010:10021 -j REJECT {% endfor %} {% endif %} diff --git a/roles/configure_iptables/templates/iptables.rules b/roles/configure_iptables/templates/iptables.rules index 704d519..2508445 100644 --- a/roles/configure_iptables/templates/iptables.rules +++ b/roles/configure_iptables/templates/iptables.rules @@ -10,7 +10,7 @@ {% endfor %} {% endif %} -{% if 'fastd' in group_names or 'wg' in group_names %} +{% if 'fastd' in group_names %} {% for peer in groups['uplink'] %} -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff {% endfor %} @@ -19,9 +19,6 @@ {% for peer in groups['fastd'] %} -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff {% endfor %} -{% for peer in groups['wg'] %} --A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff -{% endfor %} {% for peer in groups['uplink'] | difference([inventory_hostname]) %} -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff {% endfor %} @@ -44,7 +41,7 @@ COMMIT -A INPUT -p tcp -m tcp -s 10.30.0.0/18 --dport 5201 -j ACCEPT -A INPUT -p tcp -m tcp -s 10.222.0.0/16 --dport 5201 -j ACCEPT -{% if 'fastd' in group_names or 'wg' in group_names %} +{% if 'fastd' in group_names %} # dns -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT -A INPUT -p udp -m udp --dport 53 -j ACCEPT @@ -54,18 +51,14 @@ COMMIT {% endfor %} # ntp -A INPUT -p udp -m udp --dport 123 -j ACCEPT -{% endif %} -{% if 'fastd' in group_names %} -# fastd +# fastd / wg -A INPUT -s 10.30.0.0/18 -p udp -m udp --dport 10010:10023 -j DROP -A INPUT -s 10.222.0.0/16 -p udp -m udp --dport 10010:10023 -j DROP -A INPUT -p udp -m udp --dport 10010:10023 -j ACCEPT -{% endif %} -{% if 'wg' in group_names %} -# wg --A INPUT -s 10.30.0.0/18 -p udp -m udp --dport 10000 -j DROP --A INPUT -s 10.222.0.0/16 -p udp -m udp --dport 10000 -j DROP --A INPUT -p udp -m udp --dport 10000 -j ACCEPT +# wireguard_mesh +{% for site in sites %} +-A INPUT -p udp -m udp --dport {{ site.wireguard_mesh_port }} -j ACCEPT +{% endfor %} {% endif %} # MOSH -A INPUT -p udp -m udp --dport 60000:61000 -j ACCEPT @@ -83,9 +76,9 @@ COMMIT -A INPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped input: " --log-level 4 -{% if 'fastd' in group_names or 'wg' in group_names %} +{% if 'fastd' in group_names %} {% for site in sites %} --A FORWARD -i bat{{ site.name }} -p udp --dport 10010:10021 -j REJECT +-A FORWARD -i bat{{ site.name }} -p udp --dport 10010:10023 -j REJECT {% endfor %} {% endif %} -A FORWARD -o {{ ansible_default_ipv4.interface }} -j REJECT diff --git a/roles/configure_static_routes/tasks/main.yml b/roles/configure_static_routes/tasks/main.yml index b1d90b7..c98825f 100644 --- a/roles/configure_static_routes/tasks/main.yml +++ b/roles/configure_static_routes/tasks/main.yml @@ -13,9 +13,6 @@ - include_tasks: fastd_tasks.yml when: "'fastd' in group_names" -- include_tasks: wg_tasks.yml - when: "'wg' in group_names" - - name: copy ffmyk iproute systemd service copy: src: ffmyk-iproute.service diff --git a/roles/configure_static_routes/tasks/wg_tasks.yml b/roles/configure_static_routes/tasks/wg_tasks.yml deleted file mode 100644 index 4cd1583..0000000 --- a/roles/configure_static_routes/tasks/wg_tasks.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- -- name: copy site specific iproute up config script - template: - src: ffmyk-iproute-up.j2 - dest: /usr/local/bin/ffmyk-iproute{{ item.name }}-up.sh - mode: 0744 - with_items: "{{ sites }}" - -- name: copy site specific iproute down config script - template: - src: ffmyk-iproute-down.j2 - dest: /usr/local/bin/ffmyk-iproute{{ item.name }}-down.sh - mode: 0744 - with_items: "{{ sites }}" diff --git a/roles/configure_static_routes/templates/ffmyk-iproute-down.j2 b/roles/configure_static_routes/templates/ffmyk-iproute-down.j2 index d551203..fe4334d 100644 --- a/roles/configure_static_routes/templates/ffmyk-iproute-down.j2 +++ b/roles/configure_static_routes/templates/ffmyk-iproute-down.j2 @@ -1,10 +1,20 @@ #!/bin/bash +{% if item.net4 is defined %} ip -4 route del {{item.net4 }} dev bat{{ item.name }} proto static table ffmyk +{% endif %} +{% if item.net6 is defined %} ip -6 route del {{item.net6 }} dev bat{{ item.name }} proto static table ffmyk +{% endif %} +{% if item.site_net6 is defined %} ip -6 route del {{item.site_net6 }} dev bat{{ item.name }} proto static table ffmyk +{% endif %} ip -4 rule del iif bat{{ item.name }} table ffmyk ip -6 rule del iif bat{{ item.name }} table ffmyk +{% if item.net4 is defined %} ip -4 rule del from {{ item.net4 }} table ffmyk +{% endif %} +{% if item.net6 is defined %} ip -6 rule del from {{ item.net6 }} table ffmyk +{% endif %} diff --git a/roles/configure_static_routes/templates/ffmyk-iproute-up.j2 b/roles/configure_static_routes/templates/ffmyk-iproute-up.j2 index 29afdb9..87e63a5 100644 --- a/roles/configure_static_routes/templates/ffmyk-iproute-up.j2 +++ b/roles/configure_static_routes/templates/ffmyk-iproute-up.j2 @@ -2,12 +2,22 @@ ip -4 rule add iif bat{{ item.name }} table ffmyk priority 10 ip -6 rule add iif bat{{ item.name }} table ffmyk priority 10 +{% if item.net4 is defined %} ip -4 rule add from {{ item.net4 }} table ffmyk priority 10 +{% endif %} +{% if item.net6 is defined %} ip -6 rule add from {{ item.net6 }} table ffmyk priority 10 +{% endif %} ip -4 rule add from all iif bat{{ item.name }} type unreachable priority 200 ip -6 rule add from all iif bat{{ item.name }} type unreachable priority 200 +{% if item.net4 is defined %} ip -4 route replace {{item.net4 }} dev bat{{ item.name }} proto static table ffmyk +{% endif %} +{% if item.net6 is defined %} ip -6 route replace {{item.net6 }} dev bat{{ item.name }} proto static table ffmyk +{% endif %} +{% if item.site_net6 is defined %} ip -6 route replace {{item.site_net6 }} dev bat{{ item.name }} proto static table ffmyk +{% endif %} diff --git a/roles/install_babeld/templates/babeld.conf.j2 b/roles/install_babeld/templates/babeld.conf.j2 index 9dcaa87..d714158 100644 --- a/roles/install_babeld/templates/babeld.conf.j2 +++ b/roles/install_babeld/templates/babeld.conf.j2 @@ -5,7 +5,7 @@ ipv6-subtrees true # You must provide at least one interface for babeld to operate on. -{% if ('fastd' in group_names or 'wg' in group_names) %} +{% if ('fastd' in group_names) %} {% for peer in groups['uplink'] %} interface bb{{ hostvars[peer]['wireguard_bb_name'] }} {% endfor %} @@ -14,9 +14,6 @@ interface bb{{ hostvars[peer]['wireguard_bb_name'] }} {% for peer in groups['fastd'] %} interface bb{{ hostvars[peer]['wireguard_bb_name'] }} {% endfor %} -{% for peer in groups['wg'] %} -interface bb{{ hostvars[peer]['wireguard_bb_name'] }} -{% endfor %} {% for peer in groups['uplink'] | difference([inventory_hostname]) %} interface bb{{ hostvars[peer]['wireguard_bb_name'] }} {% endfor %} @@ -66,7 +63,7 @@ redistribute ip 64:ff9b::/96 allow redistribute ip fd62:44e1:da::/48 allow redistribute local deny -{% if ('fastd' in group_names or 'wg' in group_names) and preferred_uplink is defined %} +{% if ('fastd' in group_names) and preferred_uplink is defined %} {% for peer in groups['uplink'] %} {% if not hostvars[peer]['wireguard_bb_name'] == preferred_uplink %} in if bb{{ hostvars[peer]['wireguard_bb_name'] }} metric 64 diff --git a/roles/install_monitoring/tasks/install_munin.yml b/roles/install_monitoring/tasks/install_munin.yml index 8d01c9d..1a35928 100644 --- a/roles/install_monitoring/tasks/install_munin.yml +++ b/roles/install_monitoring/tasks/install_munin.yml @@ -143,9 +143,7 @@ src: /usr/lib/munin/plugins/if_ state: link notify: restart munin-node - with_items: - - "{{ groups['fastd'] }}" - - "{{ groups['wg'] }}" + with_items: "{{ groups['fastd'] }}" when: "'uplink' in group_names" - name: enable munin plugins for network monitoring (6/9) diff --git a/roles/install_wgkex/files/wgkex.service b/roles/install_wgkex/files/wgkex.service new file mode 100644 index 0000000..c549cf3 --- /dev/null +++ b/roles/install_wgkex/files/wgkex.service @@ -0,0 +1,12 @@ +[Unit] +Description=wgkex +After=network.target + +[Service] +ExecStart=/opt/wgkex/.venv/bin/python /opt/wgkex/wgkex/worker/app.py +Restart=always +WorkingDirectory=/opt/wgkex +Environment=PYTHONPATH=/opt/wgkex + +[Install] +WantedBy=multi-user.target diff --git a/roles/install_wgkex/handlers/main.yml b/roles/install_wgkex/handlers/main.yml new file mode 100644 index 0000000..4b2e853 --- /dev/null +++ b/roles/install_wgkex/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: restart wgkex + systemd: + name: wgkex.service + state: restarted diff --git a/roles/install_wgkex/tasks/main.yml b/roles/install_wgkex/tasks/main.yml new file mode 100644 index 0000000..c8b3264 --- /dev/null +++ b/roles/install_wgkex/tasks/main.yml @@ -0,0 +1,42 @@ +--- +- name: install wgkex dependencies + pacman: + name: + - git + - python-virtualenv + - python-setuptools + state: present + +- name: clone wgkex repo + git: + repo: https://github.com/FreifunkMYK/wgkex.git + dest: /opt/wgkex + +- name: create venv + command: + cmd: "python -m venv /opt/wgkex/.venv" + creates: /opt/wgkex/.venv + +- name: install requirements + pip: + requirements: /opt/wgkex/requirements.txt + virtualenv: /opt/wgkex/.venv + +- name: install wgkex config + template: + src: wgkex.yaml.j2 + dest: /etc/wgkex.yaml + mode: 0644 + notify: restart wgkex + +- name: create wgkex service + copy: + src: wgkex.service + dest: /etc/systemd/system/wgkex.service + mode: 0644 + +- name: start and enable wgkex service + systemd: + name: wgkex + state: started + enabled: yes diff --git a/roles/install_wgkex/templates/wgkex.yaml.j2 b/roles/install_wgkex/templates/wgkex.yaml.j2 new file mode 100644 index 0000000..a8aec9c --- /dev/null +++ b/roles/install_wgkex/templates/wgkex.yaml.j2 @@ -0,0 +1,12 @@ +--- +domains: +{% for site in sites %} + - ff{{ site.name }} +{% endfor %} +mqtt: + broker_url: "{{ wgkex_host }}" + broker_port: {{ wgkex_port }} + username: "{{ wgkex_username }}" + password: "{{ wgkex_password }}" + keepalive: 5 + tls: True diff --git a/roles/install_wireguard_backbone/tasks/main.yml b/roles/install_wireguard_backbone/tasks/main.yml index 82c024d..9ccfe05 100644 --- a/roles/install_wireguard_backbone/tasks/main.yml +++ b/roles/install_wireguard_backbone/tasks/main.yml @@ -5,10 +5,7 @@ dest: /etc/systemd/system/wgbackbone@.service - include_tasks: fastd_tasks.yml - when: "('fastd' in group_names)" - -- include_tasks: wg_tasks.yml - when: "('wg' in group_names)" + when: "'fastd' in group_names" - include_tasks: uplink_tasks.yml when: "'uplink' in group_names" diff --git a/roles/install_wireguard_backbone/tasks/uplink_tasks.yml b/roles/install_wireguard_backbone/tasks/uplink_tasks.yml index dd68c76..ea906e5 100644 --- a/roles/install_wireguard_backbone/tasks/uplink_tasks.yml +++ b/roles/install_wireguard_backbone/tasks/uplink_tasks.yml @@ -4,9 +4,7 @@ src: wg.conf.j2 dest: /etc/wireguard/wgbb{{ hostvars[item]['wireguard_bb_name'] }}.conf mode: 0400 - with_items: - - "{{ groups['fastd'] }}" - - "{{ groups['wg'] }}" + with_items: "{{ groups['fastd'] }}" - name: create wireguard config for uplinks template: @@ -27,9 +25,7 @@ src: up.sh.j2 dest: /etc/wireguard/upbb{{ hostvars[item]['wireguard_bb_name'] }}.sh mode: 0744 - with_items: - - "{{ groups['fastd'] }}" - - "{{ groups['wg'] }}" + with_items: "{{ groups['fastd'] }}" - name: create wireguard up scripts for uplinks template: @@ -50,9 +46,7 @@ src: down.sh.j2 dest: /etc/wireguard/downbb{{ hostvars[item]['wireguard_bb_name'] }}.sh mode: 0744 - with_items: - - "{{ groups['fastd'] }}" - - "{{ groups['wg'] }}" + with_items: "{{ groups['fastd'] }}" - name: create wireguard down scripts for uplinks template: @@ -74,9 +68,7 @@ enabled: yes state: started daemon_reload: yes - with_items: - - "{{ groups['fastd'] }}" - - "{{ groups['wg'] }}" + with_items: "{{ groups['fastd'] }}" - name: start and enable wireguard mesh for uplinks systemd: diff --git a/roles/install_wireguard_backbone/tasks/wg_tasks.yml b/roles/install_wireguard_backbone/tasks/wg_tasks.yml deleted file mode 100644 index d1d9974..0000000 --- a/roles/install_wireguard_backbone/tasks/wg_tasks.yml +++ /dev/null @@ -1,33 +0,0 @@ ---- -- name: create wireguard config for peers - template: - src: wg.conf.j2 - dest: /etc/wireguard/wgbb{{ hostvars[item]['wireguard_bb_name'] }}.conf - mode: 0400 - with_items: - - "{{ groups['uplink'] }}" - -- name: create wireguard up scripts for peers - template: - src: up.sh.j2 - dest: /etc/wireguard/upbb{{ hostvars[item]['wireguard_bb_name'] }}.sh - mode: 0744 - with_items: - - "{{ groups['uplink'] }}" - -- name: create wireguard down scripts for peers - template: - src: down.sh.j2 - dest: /etc/wireguard/downbb{{ hostvars[item]['wireguard_bb_name'] }}.sh - mode: 0744 - with_items: - - "{{ groups['uplink'] }}" - -- name: start and enable wireguard mesh - systemd: - name: wgbackbone@{{ hostvars[item]['wireguard_bb_name'] }}.service - enabled: yes - state: started - daemon_reload: yes - with_items: - - "{{ groups['uplink'] }}" diff --git a/roles/install_wireguard_mesh/templates/down.sh.j2 b/roles/install_wireguard_mesh/templates/down.sh.j2 index 85489b5..67d95bd 100644 --- a/roles/install_wireguard_mesh/templates/down.sh.j2 +++ b/roles/install_wireguard_mesh/templates/down.sh.j2 @@ -1,8 +1,4 @@ #!/bin/bash -{% for host in groups['fastd'] %} -{% for site in hostvars[host]['sites'] if site.name == item.name and site.wireguard_mesh_number != item.wireguard_mesh_number %} -batctl meshif bat{{ item.name }} if del mesh{{ item.name }}{{ site.wireguard_mesh_number }} -ip link set down dev mesh{{ item.name }}{{ site.wireguard_mesh_number }} -ip link del mesh{{ item.name }}{{ site.wireguard_mesh_number }} type ip6gretap -{% endfor %} -{% endfor %} +batctl meshif bat{{ item.name }} if del vx{{ item.name }} +ip link set down dev vx{{ item.name }} +ip link del vx{{ item.name }} type vxlan diff --git a/roles/install_wireguard_mesh/templates/up.sh.j2 b/roles/install_wireguard_mesh/templates/up.sh.j2 index 1f0c111..8164f2a 100644 --- a/roles/install_wireguard_mesh/templates/up.sh.j2 +++ b/roles/install_wireguard_mesh/templates/up.sh.j2 @@ -1,13 +1,15 @@ #!/bin/bash +ip -6 link add vx{{ item.name }} type vxlan id {{ item.vxlan_id }} dstport 8472 local {{ item.wireguard_mesh_address }} dev wg{{ item.name }} +ip link set mtu 1280 dev vx{{ item.name }} +ip link set address {{ item.wireguard_mesh_mac }} dev vx{{ item.name }} +ip link set up dev vx{{ item.name }} +batctl meshif bat{{ item.name }} if add vx{{ item.name }} {% for host in groups['fastd'] %} {% for site in hostvars[host]['sites'] if site.name == item.name and site.wireguard_mesh_number != item.wireguard_mesh_number %} -ip link add mesh{{ item.name }}{{ site.wireguard_mesh_number }} type ip6gretap remote {{ site.wireguard_mesh_address }} local {{ item.wireguard_mesh_address }} ttl 255 dev wg{{ item.name }} -ip link set mtu 1280 dev mesh{{ item.name }}{{ site.wireguard_mesh_number }} -ip link set address {{ item.wireguard_mesh_mac_prefix }}{{ site.wireguard_mesh_number }} dev mesh{{ item.name }}{{ site.wireguard_mesh_number }} -ip link set up dev mesh{{ item.name }}{{ site.wireguard_mesh_number }} -batctl meshif bat{{ item.name }} if add mesh{{ item.name }}{{ site.wireguard_mesh_number }} +bridge fdb append 00:00:00:00:00:00 dev vx{{ item.name }} dst {{ site.wireguard_mesh_address }} {% endfor %} {% endfor %} +{% if item.net4 is defined %} batctl meshif bat{{ item.name }} gw server 1000000/1000000 batctl meshif bat{{ item.name }} it 10000 batctl meshif bat{{ item.name }} mm 1 @@ -15,3 +17,10 @@ batctl meshif bat{{ item.name }} hop_penalty 64 netctl start bat{{ item.name }} systemctl restart dhcpd4.service systemctl restart named.service +{% else %} +batctl meshif bat{{ item.name }} gw client +batctl meshif bat{{ item.name }} it 10000 +batctl meshif bat{{ item.name }} mm 1 +batctl meshif bat{{ item.name }} hop_penalty 64 +netctl start bat{{ item.name }} +{% endif %} diff --git a/roles/install_wireguard_mesh/templates/wg.conf.j2 b/roles/install_wireguard_mesh/templates/wg.conf.j2 index 410d591..61bc469 100644 --- a/roles/install_wireguard_mesh/templates/wg.conf.j2 +++ b/roles/install_wireguard_mesh/templates/wg.conf.j2 @@ -1,7 +1,7 @@ [Interface] ListenPort = {{ item.wireguard_mesh_port }} PrivateKey = {{ item.wireguard_mesh_priv_key }} -Address = {{ item.wireguard_mesh_address }}/48 +Address = {{ item.wireguard_mesh_address }}/128 MTU = 1400 PostUp = /etc/wireguard/up{{ item.name }}.sh PreDown = /etc/wireguard/down{{ item.name }}.sh diff --git a/roles/setup_batman/templates/netctl_bat.j2 b/roles/setup_batman/templates/netctl_bat.j2 index 5e11d74..1693775 100644 --- a/roles/setup_batman/templates/netctl_bat.j2 +++ b/roles/setup_batman/templates/netctl_bat.j2 @@ -1,8 +1,13 @@ Connection=ethernet Interface=bat{{ item.name }} +{% if item.net4 is defined %} IP=static IP6=static Address6=({{ item.bat_ipv6 }}/64) Address=({{ item.bat_ipv4 }}/{{ item.bat_ipv4_cidr }}) +{% else %} +IP=no +IP6=no +{% endif %} ExecUpPost=/usr/local/bin/ffmyk-iproute{{ item.name }}-up.sh ExecDownPre=/usr/local/bin/ffmyk-iproute{{ item.name }}-down.sh diff --git a/setup_fastd.yml b/setup_fastd.yml index 1c28fc4..0a991cb 100644 --- a/setup_fastd.yml +++ b/setup_fastd.yml @@ -21,40 +21,13 @@ - install_wireguard_mesh - install_wireguard_backbone - install_babeld + - install_wgkex - install_fastd - install_mesh-announce - install_monitoring - install_iperf3 - update_ssh_keys - install_admin_packages -- name: setup wg gw - hosts: wg - user: root - roles: - - configure_journald - - configure_sysctl - - configure_iptables - - configure_static_routes - #- install_ssmtp - - install_cronie - #- install_php - #- install_nginx - - install_ntp - - install_haveged - - setup_batman - #- install_dhcp - #- install_radvd - #- install_bind - - install_wireguard - #- install_wireguard_mesh - - install_wireguard_backbone - - install_babeld - #- install_fastd - #- install_mesh-announce - #- install_monitoring - - install_iperf3 - - update_ssh_keys - - install_admin_packages - name: basic uplink config hosts: uplink user: root |