authorNiklas Yann Wettengel <niyawe@niyawe.de>2021-07-26 18:02:03 +0200
committerNiklas Yann Wettengel <niyawe@niyawe.de>2021-07-26 18:02:03 +0200
commitf394fd81667a44e267e83d3c453101598a21c58c (patch)
treed7bbafdd26b9bebdb23e5546a2d0e97c9ffe360b
parent0391e95103590bf6a5ff9c8d425420de2d44141b (diff)
new group wg
-rw-r--r--inventory.ini3
-rw-r--r--roles/configure_iptables/templates/ip6tables.rules27
-rw-r--r--roles/configure_iptables/templates/iptables.rules17
-rw-r--r--roles/configure_static_routes/tasks/main.yml3
-rw-r--r--roles/configure_static_routes/tasks/wg_tasks.yml14
-rw-r--r--roles/install_babeld/templates/babeld.conf.j27
-rw-r--r--roles/install_monitoring/tasks/install_munin.yml4
-rw-r--r--roles/install_wireguard_backbone/tasks/main.yml3
-rw-r--r--roles/install_wireguard_backbone/tasks/uplink_tasks.yml16
-rw-r--r--roles/install_wireguard_backbone/tasks/wg_tasks.yml33
-rw-r--r--roles/setup_ffrl_tunnel/templates/bird.conf2
-rw-r--r--setup_fastd.yml19
12 files changed, 125 insertions, 23 deletions
diff --git a/inventory.ini b/inventory.ini
index 98fbaa1..ae445cb 100644
--- a/inventory.ini
+++ b/inventory.ini
@@ -15,6 +15,9 @@ fastd-aw2
fastd-ko2
fastd-my2
+[wg]
+ff-wg-niyawe1
+
[icvpn]
ff-icvpn
diff --git a/roles/configure_iptables/templates/ip6tables.rules b/roles/configure_iptables/templates/ip6tables.rules
index 0f8c50f..2a4f9d1 100644
--- a/roles/configure_iptables/templates/ip6tables.rules
+++ b/roles/configure_iptables/templates/ip6tables.rules
@@ -4,13 +4,13 @@
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-{% if 'fastd' in group_names %}
+{% if 'fastd' in group_names or 'wg' in group_names %}
{% for site in sites %}
-A PREROUTING -i bat{{ site.name }} -j MARK --set-xmark 0x1/0xffffffff
{% endfor %}
{% endif %}
-{% if 'fastd' in group_names %}
+{% if 'fastd' in group_names or 'wg' in group_names %}
{% for peer in groups['uplink'] %}
-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
{% endfor %}
@@ -19,6 +19,9 @@
{% for peer in groups['fastd'] %}
-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
{% endfor %}
+{% for peer in groups['wg'] %}
+-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
+{% endfor %}
{% for peer in groups['uplink'] | difference([inventory_hostname]) %}
-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
{% endfor %}
@@ -42,15 +45,24 @@ COMMIT
# iperf3
-A INPUT -p tcp -m tcp -s 2a03:2260:1016::/48 --dport 5201 -j ACCEPT
-{% if 'fastd' in group_names %}
+{% if 'fastd' in group_names or 'wg' in group_names %}
# dns
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
# ntp
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
+{% endif %}
+{% if 'fastd' in group_names %}
# fastd
-A INPUT -s 2a03:2260:1016::/48 -p udp -m udp --dport 10010:10023 -j DROP
-A INPUT -p udp -m udp --dport 10010:10023 -j ACCEPT
+{% endif %}
+{% if 'wg' in group_names %}
+# wg
+-A INPUT -s 2a03:2260:1016::/48 -p udp -m udp --dport 10000 -j DROP
+-A INPUT -p udp -m udp --dport 10000 -j ACCEPT
+{% endif %}
+{% if 'fastd' in group_names or 'wg' in group_names %}
# respondd
-A INPUT -i bat+ -p udp -m udp --dport 1001 -j ACCEPT
# wireguard_mesh
@@ -60,7 +72,7 @@ COMMIT
{% endfor %}
{% endif %}
# wireguard_backbone
-{% if 'fastd' in group_names %}
+{% if 'fastd' in group_names or 'wg' in group_names %}
{% for peer in groups['uplink'] %}
-A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
-A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT
@@ -71,6 +83,10 @@ COMMIT
-A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
-A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT
{% endfor %}
+{% for peer in groups['wg'] %}
+-A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
+-A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT
+{% endfor %}
{% for peer in groups['uplink'] | difference([inventory_hostname]) %}
-A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
-A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT
@@ -92,8 +108,9 @@ COMMIT
# LOG
-A INPUT -m limit --limit 2/min -j LOG --log-prefix "IP6Tables-Dropped input: " --log-level 4
-{% if 'fastd' in group_names %}
+{% if 'fastd' in group_names or 'wg' in group_names %}
{% for site in sites %}
+-A FORWARD -i bat{{ site.name }} -p udp --dport 10000 -j REJECT
-A FORWARD -i bat{{ site.name }} -p udp --dport 10010:10021 -j REJECT
{% endfor %}
{% endif %}
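Review bot: The new `{% for peer in groups['wg'] %}` loop at L60-62 is a verbatim copy of the `groups['fastd']` loop directly above it, and the same copy is made at L104-107 (where the fastd loop's header is above the hunk), in iptables.rules (L137-139) and in babeld.conf.j2 (L226-228). Because both loops emit identical lines, one loop over the concatenated groups, `{% for peer in groups['fastd'] + groups['wg'] %}`, keeps the interface list in a single place and cannot drift when a third gateway group is added. The `{% if %}` that scopes these loops starts before each hunk, so I cannot see which group condition guards them.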
diff --git a/roles/configure_iptables/templates/iptables.rules b/roles/configure_iptables/templates/iptables.rules
index 6f40af8..704d519 100644
--- a/roles/configure_iptables/templates/iptables.rules
+++ b/roles/configure_iptables/templates/iptables.rules
@@ -10,7 +10,7 @@
{% endfor %}
{% endif %}
-{% if 'fastd' in group_names %}
+{% if 'fastd' in group_names or 'wg' in group_names %}
{% for peer in groups['uplink'] %}
-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
{% endfor %}
@@ -19,6 +19,9 @@
{% for peer in groups['fastd'] %}
-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
{% endfor %}
+{% for peer in groups['wg'] %}
+-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
+{% endfor %}
{% for peer in groups['uplink'] | difference([inventory_hostname]) %}
-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
{% endfor %}
@@ -41,7 +44,7 @@ COMMIT
-A INPUT -p tcp -m tcp -s 10.30.0.0/18 --dport 5201 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.222.0.0/16 --dport 5201 -j ACCEPT
-{% if 'fastd' in group_names %}
+{% if 'fastd' in group_names or 'wg' in group_names %}
# dns
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
@@ -51,11 +54,19 @@ COMMIT
{% endfor %}
# ntp
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
+{% endif %}
+{% if 'fastd' in group_names %}
# fastd
-A INPUT -s 10.30.0.0/18 -p udp -m udp --dport 10010:10023 -j DROP
-A INPUT -s 10.222.0.0/16 -p udp -m udp --dport 10010:10023 -j DROP
-A INPUT -p udp -m udp --dport 10010:10023 -j ACCEPT
{% endif %}
+{% if 'wg' in group_names %}
+# wg
+-A INPUT -s 10.30.0.0/18 -p udp -m udp --dport 10000 -j DROP
+-A INPUT -s 10.222.0.0/16 -p udp -m udp --dport 10000 -j DROP
+-A INPUT -p udp -m udp --dport 10000 -j ACCEPT
+{% endif %}
# MOSH
-A INPUT -p udp -m udp --dport 60000:61000 -j ACCEPT
@@ -72,7 +83,7 @@ COMMIT
-A INPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped input: " --log-level 4
-{% if 'fastd' in group_names %}
+{% if 'fastd' in group_names or 'wg' in group_names %}
{% for site in sites %}
-A FORWARD -i bat{{ site.name }} -p udp --dport 10010:10021 -j REJECT
{% endfor %}
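Review bot: The IPv4 FORWARD chain did not get the counterpart of the rule added to ip6tables.rules at L117: the last hunk (L170-176) still only rejects `--dport 10010:10021` from `bat{{ site.name }}`, so mesh clients are kept away from the fastd ports but not from the new WireGuard listener on 10000 over IPv4. Adding `-A FORWARD -i bat{{ site.name }} -p udp --dport 10000 -j REJECT` next to L175 restores the symmetry between the two templates. With this commit the port 10000 is a bare literal in five rules across both templates (L84-85, L117, L164-166); if the wg gateway's listen port is already held in a variable by the wireguard role, referencing it here as `--dport {{ WG_LISTEN_PORT_VAR }}` (with the real variable name) prevents the firewall and the listener from drifting apart.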
diff --git a/roles/configure_static_routes/tasks/main.yml b/roles/configure_static_routes/tasks/main.yml
index c98825f..b1d90b7 100644
--- a/roles/configure_static_routes/tasks/main.yml
+++ b/roles/configure_static_routes/tasks/main.yml
@@ -13,6 +13,9 @@
- include_tasks: fastd_tasks.yml
when: "'fastd' in group_names"
+- include_tasks: wg_tasks.yml
+ when: "'wg' in group_names"
+
- name: copy ffmyk iproute systemd service
copy:
src: ffmyk-iproute.service
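Review bot: The new include at L184-185 is guarded by `'wg' in group_names` and points at a file whose two tasks (wg_tasks.yml in this commit) look like a copy of what fastd_tasks.yml does for the same `sites`; if fastd_tasks.yml is indeed identical, widening the existing include's guard, `when: "'fastd' in group_names or 'wg' in group_names"`, avoids a second file that has to be kept in step by hand. I cannot see fastd_tasks.yml, so this assumes the two files match. The same pattern is repeated in roles/install_wireguard_backbone/tasks/main.yml (L261-262), where the decision likewise depends on whether that role's fastd_tasks.yml differs from its new wg_tasks.yml.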
diff --git a/roles/configure_static_routes/tasks/wg_tasks.yml b/roles/configure_static_routes/tasks/wg_tasks.yml
new file mode 100644
index 0000000..4cd1583
--- /dev/null
+++ b/roles/configure_static_routes/tasks/wg_tasks.yml
@@ -0,0 +1,14 @@
+---
+- name: copy site specific iproute up config script
+ template:
+ src: ffmyk-iproute-up.j2
+ dest: /usr/local/bin/ffmyk-iproute{{ item.name }}-up.sh
+ mode: 0744
+ with_items: "{{ sites }}"
+
+- name: copy site specific iproute down config script
+ template:
+ src: ffmyk-iproute-down.j2
+ dest: /usr/local/bin/ffmyk-iproute{{ item.name }}-down.sh
+ mode: 0744
+ with_items: "{{ sites }}"
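Review bot: `mode: 0744` at L201 and L208 is an unquoted octal literal; a YAML 1.1 loader reads it as the integer 484 and Ansible only recovers the intended permission because of the leading zero. Writing it as a string, `mode: "0744"`, makes the intent explicit and survives re-formatting; the same applies to `mode: 0400` and `mode: 0744` in the new roles/install_wireguard_backbone/tasks/wg_tasks.yml (L321, L329, L337). The existing uplink_tasks.yml uses the same bare form (L273, L283, L293), so this is a convention to apply project-wide rather than something specific to this file.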
diff --git a/roles/install_babeld/templates/babeld.conf.j2 b/roles/install_babeld/templates/babeld.conf.j2
index d714158..9dcaa87 100644
--- a/roles/install_babeld/templates/babeld.conf.j2
+++ b/roles/install_babeld/templates/babeld.conf.j2
@@ -5,7 +5,7 @@
ipv6-subtrees true
# You must provide at least one interface for babeld to operate on.
-{% if ('fastd' in group_names) %}
+{% if ('fastd' in group_names or 'wg' in group_names) %}
{% for peer in groups['uplink'] %}
interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
{% endfor %}
@@ -14,6 +14,9 @@ interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
{% for peer in groups['fastd'] %}
interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
{% endfor %}
+{% for peer in groups['wg'] %}
+interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
+{% endfor %}
{% for peer in groups['uplink'] | difference([inventory_hostname]) %}
interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
{% endfor %}
@@ -63,7 +66,7 @@ redistribute ip 64:ff9b::/96 allow
redistribute ip fd62:44e1:da::/48 allow
redistribute local deny
-{% if ('fastd' in group_names) and preferred_uplink is defined %}
+{% if ('fastd' in group_names or 'wg' in group_names) and preferred_uplink is defined %}
{% for peer in groups['uplink'] %}
{% if not hostvars[peer]['wireguard_bb_name'] == preferred_uplink %}
in if bb{{ hostvars[peer]['wireguard_bb_name'] }} metric 64
diff --git a/roles/install_monitoring/tasks/install_munin.yml b/roles/install_monitoring/tasks/install_munin.yml
index 1a35928..8d01c9d 100644
--- a/roles/install_monitoring/tasks/install_munin.yml
+++ b/roles/install_monitoring/tasks/install_munin.yml
@@ -143,7 +143,9 @@
src: /usr/lib/munin/plugins/if_
state: link
notify: restart munin-node
- with_items: "{{ groups['fastd'] }}"
+ with_items:
+ - "{{ groups['fastd'] }}"
+ - "{{ groups['wg'] }}"
when: "'uplink' in group_names"
- name: enable munin plugins for network monitoring (6/9)
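Review bot: The replacement at L249-251 hands `with_items` a list of two lists, which only yields hostnames because `with_items` flattens one level; anyone moving these tasks to `loop:` later would iterate over two lists instead of hosts. `with_items: "{{ groups['fastd'] + groups['wg'] }}"` expresses the union directly and behaves the same under both forms. The same two-list shape is used in all four hunks of roles/install_wireguard_backbone/tasks/uplink_tasks.yml (L275-277, L285-287, L295-297, L305-307), and the new wg_tasks.yml in that role wraps a single `groups['uplink']` in a one-element list (L322-323, L330-331, L338-339, L347-348) where `with_items: "{{ groups['uplink'] }}"` would do.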
diff --git a/roles/install_wireguard_backbone/tasks/main.yml b/roles/install_wireguard_backbone/tasks/main.yml
index 630e82c..82c024d 100644
--- a/roles/install_wireguard_backbone/tasks/main.yml
+++ b/roles/install_wireguard_backbone/tasks/main.yml
@@ -7,5 +7,8 @@
- include_tasks: fastd_tasks.yml
when: "('fastd' in group_names)"
+- include_tasks: wg_tasks.yml
+ when: "('wg' in group_names)"
+
- include_tasks: uplink_tasks.yml
when: "'uplink' in group_names"
diff --git a/roles/install_wireguard_backbone/tasks/uplink_tasks.yml b/roles/install_wireguard_backbone/tasks/uplink_tasks.yml
index ea906e5..dd68c76 100644
--- a/roles/install_wireguard_backbone/tasks/uplink_tasks.yml
+++ b/roles/install_wireguard_backbone/tasks/uplink_tasks.yml
@@ -4,7 +4,9 @@
src: wg.conf.j2
dest: /etc/wireguard/wgbb{{ hostvars[item]['wireguard_bb_name'] }}.conf
mode: 0400
- with_items: "{{ groups['fastd'] }}"
+ with_items:
+ - "{{ groups['fastd'] }}"
+ - "{{ groups['wg'] }}"
- name: create wireguard config for uplinks
template:
@@ -25,7 +27,9 @@
src: up.sh.j2
dest: /etc/wireguard/upbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
mode: 0744
- with_items: "{{ groups['fastd'] }}"
+ with_items:
+ - "{{ groups['fastd'] }}"
+ - "{{ groups['wg'] }}"
- name: create wireguard up scripts for uplinks
template:
@@ -46,7 +50,9 @@
src: down.sh.j2
dest: /etc/wireguard/downbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
mode: 0744
- with_items: "{{ groups['fastd'] }}"
+ with_items:
+ - "{{ groups['fastd'] }}"
+ - "{{ groups['wg'] }}"
- name: create wireguard down scripts for uplinks
template:
@@ -68,7 +74,9 @@
enabled: yes
state: started
daemon_reload: yes
- with_items: "{{ groups['fastd'] }}"
+ with_items:
+ - "{{ groups['fastd'] }}"
+ - "{{ groups['wg'] }}"
- name: start and enable wireguard mesh for uplinks
systemd:
diff --git a/roles/install_wireguard_backbone/tasks/wg_tasks.yml b/roles/install_wireguard_backbone/tasks/wg_tasks.yml
new file mode 100644
index 0000000..d1d9974
--- /dev/null
+++ b/roles/install_wireguard_backbone/tasks/wg_tasks.yml
@@ -0,0 +1,33 @@
+---
+- name: create wireguard config for peers
+ template:
+ src: wg.conf.j2
+ dest: /etc/wireguard/wgbb{{ hostvars[item]['wireguard_bb_name'] }}.conf
+ mode: 0400
+ with_items:
+ - "{{ groups['uplink'] }}"
+
+- name: create wireguard up scripts for peers
+ template:
+ src: up.sh.j2
+ dest: /etc/wireguard/upbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
+ mode: 0744
+ with_items:
+ - "{{ groups['uplink'] }}"
+
+- name: create wireguard down scripts for peers
+ template:
+ src: down.sh.j2
+ dest: /etc/wireguard/downbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
+ mode: 0744
+ with_items:
+ - "{{ groups['uplink'] }}"
+
+- name: start and enable wireguard mesh
+ systemd:
+ name: wgbackbone@{{ hostvars[item]['wireguard_bb_name'] }}.service
+ enabled: yes
+ state: started
+ daemon_reload: yes
+ with_items:
+ - "{{ groups['uplink'] }}"
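Review bot: `enabled: yes` and `daemon_reload: yes` at L344 and L346 use YAML 1.1 truthy words; `true` is the unambiguous spelling and what yamllint's `truthy` rule expects, though the existing uplink_tasks.yml (L301, L303) spells them the same way, so changing it here means changing it there too. `mode: 0400` on the per-peer config at L321 is the right restriction if wg.conf.j2 renders key material, which the template (not in this diff) presumably does; since the up/down scripts next to it get `0744`, a one-line comment such as `# 0400: rendered config carries the interface private key`, once that is confirmed, would explain why the two modes differ.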
diff --git a/roles/setup_ffrl_tunnel/templates/bird.conf b/roles/setup_ffrl_tunnel/templates/bird.conf
index df242a6..2ba27c7 100644
--- a/roles/setup_ffrl_tunnel/templates/bird.conf
+++ b/roles/setup_ffrl_tunnel/templates/bird.conf
@@ -1,6 +1,6 @@
timeformat protocol iso long;
-log "bird.log" all;
+#log "bird.log" all;
# debug protocols all;
define ffrl_nat_address = {{ ffrl_ip4 }};
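Review bot: Commenting out `log "bird.log" all;` at L356 removes bird's only configured log sink, which is unrelated to the commit's stated purpose (new group wg) and leaves routing-daemon events only where bird sends them by default (stderr, hence the journal when run under systemd — not verifiable from this diff). If the aim is to cut noise, narrowing the classes, `log "bird.log" { warning, error, fatal, bug };`, keeps session flaps and errors on disk for troubleshooting and incident review; if the file is simply unwanted, a comment stating where the logs now go would save the next reader a search.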
diff --git a/setup_fastd.yml b/setup_fastd.yml
index b6798e5..1c28fc4 100644
--- a/setup_fastd.yml
+++ b/setup_fastd.yml
@@ -27,25 +27,30 @@
- install_iperf3
- update_ssh_keys
- install_admin_packages
-- name: setup icvpn
- hosts: icvpn
+- name: setup wg gw
+ hosts: wg
user: root
roles:
- configure_journald
- configure_sysctl
- #- configure_iptables
- #- configure_static_routes
+ - configure_iptables
+ - configure_static_routes
#- install_ssmtp
- install_cronie
#- install_php
#- install_nginx
- install_ntp
- install_haveged
- #- setup_batman
+ - setup_batman
+ #- install_dhcp
+ #- install_radvd
#- install_bind
- install_wireguard
- #- install_wireguard_backbone
- #- install_babeld
+ #- install_wireguard_mesh
+ - install_wireguard_backbone
+ - install_babeld
+ #- install_fastd
+ #- install_mesh-announce
#- install_monitoring
- install_iperf3
- update_ssh_keys
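Review bot: The hunk rewrites the `setup icvpn` play's header into `setup wg gw` (L367-370) rather than adding a play, so unless the icvpn play reappears below L400 the `[icvpn]` group kept in inventory.ini (L35-36) no longer has a play in this file; both the play and the hunk continue past the end of the diff, so I can only flag it. The roles list of the new play carries ten commented-out entries (L379-L398), which reads as a checklist copied from another play; a short comment above `roles:` naming what a wg gateway intentionally does not run, such as `# wg gateway: no fastd, no dhcp/radvd/bind - those stay on the fastd gateways`, or simply dropping the dead lines, would make the intended role set clear.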