diff options
| author | Niklas Yann Wettengel <niyawe@niyawe.de> | 2021-07-26 18:02:03 +0200 |
|---|---|---|
| committer | Niklas Yann Wettengel <niyawe@niyawe.de> | 2021-07-26 18:02:03 +0200 |
| commit | f394fd81667a44e267e83d3c453101598a21c58c (patch) | |
| tree | d7bbafdd26b9bebdb23e5546a2d0e97c9ffe360b | |
| parent | 0391e95103590bf6a5ff9c8d425420de2d44141b (diff) | |
new group wg
| -rw-r--r-- | inventory.ini | 3 | ||||
| -rw-r--r-- | roles/configure_iptables/templates/ip6tables.rules | 27 | ||||
| -rw-r--r-- | roles/configure_iptables/templates/iptables.rules | 17 | ||||
| -rw-r--r-- | roles/configure_static_routes/tasks/main.yml | 3 | ||||
| -rw-r--r-- | roles/configure_static_routes/tasks/wg_tasks.yml | 14 | ||||
| -rw-r--r-- | roles/install_babeld/templates/babeld.conf.j2 | 7 | ||||
| -rw-r--r-- | roles/install_monitoring/tasks/install_munin.yml | 4 | ||||
| -rw-r--r-- | roles/install_wireguard_backbone/tasks/main.yml | 3 | ||||
| -rw-r--r-- | roles/install_wireguard_backbone/tasks/uplink_tasks.yml | 16 | ||||
| -rw-r--r-- | roles/install_wireguard_backbone/tasks/wg_tasks.yml | 33 | ||||
| -rw-r--r-- | roles/setup_ffrl_tunnel/templates/bird.conf | 2 | ||||
| -rw-r--r-- | setup_fastd.yml | 19 |
12 files changed, 125 insertions, 23 deletions
diff --git a/inventory.ini b/inventory.ini index 98fbaa1..ae445cb 100644 --- a/inventory.ini +++ b/inventory.ini @@ -15,6 +15,9 @@ fastd-aw2 fastd-ko2 fastd-my2 +[wg] +ff-wg-niyawe1 + [icvpn] ff-icvpn diff --git a/roles/configure_iptables/templates/ip6tables.rules b/roles/configure_iptables/templates/ip6tables.rules index 0f8c50f..2a4f9d1 100644 --- a/roles/configure_iptables/templates/ip6tables.rules +++ b/roles/configure_iptables/templates/ip6tables.rules @@ -4,13 +4,13 @@ :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] -{% if 'fastd' in group_names %} +{% if 'fastd' in group_names or 'wg' in group_names %} {% for site in sites %} -A PREROUTING -i bat{{ site.name }} -j MARK --set-xmark 0x1/0xffffffff {% endfor %} {% endif %} -{% if 'fastd' in group_names %} +{% if 'fastd' in group_names or 'wg' in group_names %} {% for peer in groups['uplink'] %} -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff {% endfor %} @@ -19,6 +19,9 @@ {% for peer in groups['fastd'] %} -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff {% endfor %} +{% for peer in groups['wg'] %} +-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff +{% endfor %} {% for peer in groups['uplink'] | difference([inventory_hostname]) %} -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff {% endfor %} @@ -42,15 +45,24 @@ COMMIT # iperf3 -A INPUT -p tcp -m tcp -s 2a03:2260:1016::/48 --dport 5201 -j ACCEPT -{% if 'fastd' in group_names %} +{% if 'fastd' in group_names or 'wg' in group_names %} # dns -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT -A INPUT -p udp -m udp --dport 53 -j ACCEPT # ntp -A INPUT -p udp -m udp --dport 123 -j ACCEPT +{% endif %} +{% if 'fastd' in group_names %} # fastd -A INPUT -s 2a03:2260:1016::/48 -p udp -m udp --dport 10010:10023 -j DROP -A INPUT -p udp -m udp --dport 10010:10023 -j ACCEPT +{% endif %} +{% if 'wg' in group_names %} +# wg +-A INPUT -s 2a03:2260:1016::/48 -p udp -m udp --dport 10000 -j DROP +-A INPUT -p udp -m udp --dport 10000 -j ACCEPT +{% endif %} +{% if 'fastd' in group_names or 'wg' in group_names %} # respondd -A INPUT -i bat+ -p udp -m udp --dport 1001 -j ACCEPT # wireguard_mesh @@ -60,7 +72,7 @@ COMMIT {% endfor %} {% endif %} # wireguard_backbone -{% if 'fastd' in group_names %} +{% if 'fastd' in group_names or 'wg' in group_names %} {% for peer in groups['uplink'] %} -A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT -A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT @@ -71,6 +83,10 @@ COMMIT -A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT -A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT {% endfor %} +{% for peer in groups['wg'] %} +-A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT +-A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT +{% endfor %} {% for peer in groups['uplink'] | difference([inventory_hostname]) %} -A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT -A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT @@ -92,8 +108,9 @@ COMMIT # LOG -A INPUT -m limit --limit 2/min -j LOG --log-prefix "IP6Tables-Dropped input: " --log-level 4 -{% if 'fastd' in group_names %} +{% if 'fastd' in group_names or 'wg' in group_names %} {% for site in sites %} +-A FORWARD -i bat{{ site.name }} -p udp --dport 10000 -j REJECT -A FORWARD -i bat{{ site.name }} -p udp --dport 10010:10021 -j REJECT {% endfor %} {% endif %} diff --git a/roles/configure_iptables/templates/iptables.rules b/roles/configure_iptables/templates/iptables.rules index 6f40af8..704d519 100644 --- a/roles/configure_iptables/templates/iptables.rules +++ b/roles/configure_iptables/templates/iptables.rules @@ -10,7 +10,7 @@ {% endfor %} {% endif %} -{% if 'fastd' in group_names %} +{% if 'fastd' in group_names or 'wg' in group_names %} {% for peer in groups['uplink'] %} -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff {% endfor %} @@ -19,6 +19,9 @@ {% for peer in groups['fastd'] %} -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff {% endfor %} +{% for peer in groups['wg'] %} +-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff +{% endfor %} {% for peer in groups['uplink'] | difference([inventory_hostname]) %} -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff {% endfor %} @@ -41,7 +44,7 @@ COMMIT -A INPUT -p tcp -m tcp -s 10.30.0.0/18 --dport 5201 -j ACCEPT -A INPUT -p tcp -m tcp -s 10.222.0.0/16 --dport 5201 -j ACCEPT -{% if 'fastd' in group_names %} +{% if 'fastd' in group_names or 'wg' in group_names %} # dns -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT -A INPUT -p udp -m udp --dport 53 -j ACCEPT @@ -51,11 +54,19 @@ COMMIT {% endfor %} # ntp -A INPUT -p udp -m udp --dport 123 -j ACCEPT +{% endif %} +{% if 'fastd' in group_names %} # fastd -A INPUT -s 10.30.0.0/18 -p udp -m udp --dport 10010:10023 -j DROP -A INPUT -s 10.222.0.0/16 -p udp -m udp --dport 10010:10023 -j DROP -A INPUT -p udp -m udp --dport 10010:10023 -j ACCEPT {% endif %} +{% if 'wg' in group_names %} +# wg +-A INPUT -s 10.30.0.0/18 -p udp -m udp --dport 10000 -j DROP +-A INPUT -s 10.222.0.0/16 -p udp -m udp --dport 10000 -j DROP +-A INPUT -p udp -m udp --dport 10000 -j ACCEPT +{% endif %} # MOSH -A INPUT -p udp -m udp --dport 60000:61000 -j ACCEPT @@ -72,7 +83,7 @@ COMMIT -A INPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped input: " --log-level 4 -{% if 'fastd' in group_names %} +{% if 'fastd' in group_names or 'wg' in group_names %} {% for site in sites %} -A FORWARD -i bat{{ site.name }} -p udp --dport 10010:10021 -j REJECT {% endfor %} diff --git a/roles/configure_static_routes/tasks/main.yml b/roles/configure_static_routes/tasks/main.yml index c98825f..b1d90b7 100644 --- a/roles/configure_static_routes/tasks/main.yml +++ b/roles/configure_static_routes/tasks/main.yml @@ -13,6 +13,9 @@ - include_tasks: fastd_tasks.yml when: "'fastd' in group_names" +- include_tasks: wg_tasks.yml + when: "'wg' in group_names" + - name: copy ffmyk iproute systemd service copy: src: ffmyk-iproute.service diff --git a/roles/configure_static_routes/tasks/wg_tasks.yml b/roles/configure_static_routes/tasks/wg_tasks.yml new file mode 100644 index 0000000..4cd1583 --- /dev/null +++ b/roles/configure_static_routes/tasks/wg_tasks.yml @@ -0,0 +1,14 @@ +--- +- name: copy site specific iproute up config script + template: + src: ffmyk-iproute-up.j2 + dest: /usr/local/bin/ffmyk-iproute{{ item.name }}-up.sh + mode: 0744 + with_items: "{{ sites }}" + +- name: copy site specific iproute down config script + template: + src: ffmyk-iproute-down.j2 + dest: /usr/local/bin/ffmyk-iproute{{ item.name }}-down.sh + mode: 0744 + with_items: "{{ sites }}" diff --git a/roles/install_babeld/templates/babeld.conf.j2 b/roles/install_babeld/templates/babeld.conf.j2 index d714158..9dcaa87 100644 --- a/roles/install_babeld/templates/babeld.conf.j2 +++ b/roles/install_babeld/templates/babeld.conf.j2 @@ -5,7 +5,7 @@ ipv6-subtrees true # You must provide at least one interface for babeld to operate on. -{% if ('fastd' in group_names) %} +{% if ('fastd' in group_names or 'wg' in group_names) %} {% for peer in groups['uplink'] %} interface bb{{ hostvars[peer]['wireguard_bb_name'] }} {% endfor %} @@ -14,6 +14,9 @@ interface bb{{ hostvars[peer]['wireguard_bb_name'] }} {% for peer in groups['fastd'] %} interface bb{{ hostvars[peer]['wireguard_bb_name'] }} {% endfor %} +{% for peer in groups['wg'] %} +interface bb{{ hostvars[peer]['wireguard_bb_name'] }} +{% endfor %} {% for peer in groups['uplink'] | difference([inventory_hostname]) %} interface bb{{ hostvars[peer]['wireguard_bb_name'] }} {% endfor %} @@ -63,7 +66,7 @@ redistribute ip 64:ff9b::/96 allow redistribute ip fd62:44e1:da::/48 allow redistribute local deny -{% if ('fastd' in group_names) and preferred_uplink is defined %} +{% if ('fastd' in group_names or 'wg' in group_names) and preferred_uplink is defined %} {% for peer in groups['uplink'] %} {% if not hostvars[peer]['wireguard_bb_name'] == preferred_uplink %} in if bb{{ hostvars[peer]['wireguard_bb_name'] }} metric 64 diff --git a/roles/install_monitoring/tasks/install_munin.yml b/roles/install_monitoring/tasks/install_munin.yml index 1a35928..8d01c9d 100644 --- a/roles/install_monitoring/tasks/install_munin.yml +++ b/roles/install_monitoring/tasks/install_munin.yml @@ -143,7 +143,9 @@ src: /usr/lib/munin/plugins/if_ state: link notify: restart munin-node - with_items: "{{ groups['fastd'] }}" + with_items: + - "{{ groups['fastd'] }}" + - "{{ groups['wg'] }}" when: "'uplink' in group_names" - name: enable munin plugins for network monitoring (6/9) diff --git a/roles/install_wireguard_backbone/tasks/main.yml b/roles/install_wireguard_backbone/tasks/main.yml index 630e82c..82c024d 100644 --- a/roles/install_wireguard_backbone/tasks/main.yml +++ b/roles/install_wireguard_backbone/tasks/main.yml @@ -7,5 +7,8 @@ - include_tasks: fastd_tasks.yml when: "('fastd' in group_names)" +- include_tasks: wg_tasks.yml + when: "('wg' in group_names)" + - include_tasks: uplink_tasks.yml when: "'uplink' in group_names" diff --git a/roles/install_wireguard_backbone/tasks/uplink_tasks.yml b/roles/install_wireguard_backbone/tasks/uplink_tasks.yml index ea906e5..dd68c76 100644 --- a/roles/install_wireguard_backbone/tasks/uplink_tasks.yml +++ b/roles/install_wireguard_backbone/tasks/uplink_tasks.yml @@ -4,7 +4,9 @@ src: wg.conf.j2 dest: /etc/wireguard/wgbb{{ hostvars[item]['wireguard_bb_name'] }}.conf mode: 0400 - with_items: "{{ groups['fastd'] }}" + with_items: + - "{{ groups['fastd'] }}" + - "{{ groups['wg'] }}" - name: create wireguard config for uplinks template: @@ -25,7 +27,9 @@ src: up.sh.j2 dest: /etc/wireguard/upbb{{ hostvars[item]['wireguard_bb_name'] }}.sh mode: 0744 - with_items: "{{ groups['fastd'] }}" + with_items: + - "{{ groups['fastd'] }}" + - "{{ groups['wg'] }}" - name: create wireguard up scripts for uplinks template: @@ -46,7 +50,9 @@ src: down.sh.j2 dest: /etc/wireguard/downbb{{ hostvars[item]['wireguard_bb_name'] }}.sh mode: 0744 - with_items: "{{ groups['fastd'] }}" + with_items: + - "{{ groups['fastd'] }}" + - "{{ groups['wg'] }}" - name: create wireguard down scripts for uplinks template: @@ -68,7 +74,9 @@ enabled: yes state: started daemon_reload: yes - with_items: "{{ groups['fastd'] }}" + with_items: + - "{{ groups['fastd'] }}" + - "{{ groups['wg'] }}" - name: start and enable wireguard mesh for uplinks systemd: diff --git a/roles/install_wireguard_backbone/tasks/wg_tasks.yml b/roles/install_wireguard_backbone/tasks/wg_tasks.yml new file mode 100644 index 0000000..d1d9974 --- /dev/null +++ b/roles/install_wireguard_backbone/tasks/wg_tasks.yml @@ -0,0 +1,33 @@ +--- +- name: create wireguard config for peers + template: + src: wg.conf.j2 + dest: /etc/wireguard/wgbb{{ hostvars[item]['wireguard_bb_name'] }}.conf + mode: 0400 + with_items: + - "{{ groups['uplink'] }}" + +- name: create wireguard up scripts for peers + template: + src: up.sh.j2 + dest: /etc/wireguard/upbb{{ hostvars[item]['wireguard_bb_name'] }}.sh + mode: 0744 + with_items: + - "{{ groups['uplink'] }}" + +- name: create wireguard down scripts for peers + template: + src: down.sh.j2 + dest: /etc/wireguard/downbb{{ hostvars[item]['wireguard_bb_name'] }}.sh + mode: 0744 + with_items: + - "{{ groups['uplink'] }}" + +- name: start and enable wireguard mesh + systemd: + name: wgbackbone@{{ hostvars[item]['wireguard_bb_name'] }}.service + enabled: yes + state: started + daemon_reload: yes + with_items: + - "{{ groups['uplink'] }}" diff --git a/roles/setup_ffrl_tunnel/templates/bird.conf b/roles/setup_ffrl_tunnel/templates/bird.conf index df242a6..2ba27c7 100644 --- a/roles/setup_ffrl_tunnel/templates/bird.conf +++ b/roles/setup_ffrl_tunnel/templates/bird.conf @@ -1,6 +1,6 @@ timeformat protocol iso long; -log "bird.log" all; +#log "bird.log" all; # debug protocols all; define ffrl_nat_address = {{ ffrl_ip4 }}; diff --git a/setup_fastd.yml b/setup_fastd.yml index b6798e5..1c28fc4 100644 --- a/setup_fastd.yml +++ b/setup_fastd.yml @@ -27,25 +27,30 @@ - install_iperf3 - update_ssh_keys - install_admin_packages -- name: setup icvpn - hosts: icvpn +- name: setup wg gw + hosts: wg user: root roles: - configure_journald - configure_sysctl - #- configure_iptables - #- configure_static_routes + - configure_iptables + - configure_static_routes #- install_ssmtp - install_cronie #- install_php #- install_nginx - install_ntp - install_haveged - #- setup_batman + - setup_batman + #- install_dhcp + #- install_radvd #- install_bind - install_wireguard - #- install_wireguard_backbone - #- install_babeld + #- install_wireguard_mesh + - install_wireguard_backbone + - install_babeld + #- install_fastd + #- install_mesh-announce #- install_monitoring - install_iperf3 - update_ssh_keys |