authorNiklas Yann Wettengel <niyawe@niyawe.de>2022-01-22 19:59:11 +0100
committerNiklas Yann Wettengel <niyawe@niyawe.de>2022-01-22 19:59:11 +0100
commitfb0dbf28a0e7979050858256d2040d734b282afe (patch)
tree153ac6d83de80fd39a6724e72a3beb6a56992300
parentb53a8cf2283b2d6debb94cd399a72d25da0d7c82 (diff)
new net with nat64
-rw-r--r--group_vars/fastd1
-rw-r--r--host_vars/ff-niyawe113
-rw-r--r--host_vars/ff-niyawe213
-rw-r--r--roles/configure_aurto_repo/tasks/main.yml19
-rw-r--r--roles/configure_iptables/templates/ip6tables.rules2
-rwxr-xr-xroles/configure_static_routes/files/ffmyk-iproute.sh7
-rw-r--r--roles/install_babeld/tasks/main.yml2
-rw-r--r--roles/install_bind/tasks/main.yml10
-rw-r--r--roles/install_bind/templates/ipv6.conf.j22
-rw-r--r--roles/install_bind/templates/named.conf.j21
-rw-r--r--roles/install_monitoring/files/munin/munin_fastd_peers73
-rwxr-xr-xroles/install_monitoring/files/munin/munin_fastd_plugin124
-rw-r--r--roles/install_monitoring/files/munin/munin_fastd_traffic79
-rw-r--r--roles/install_monitoring/tasks/install_munin.yml36
-rw-r--r--roles/install_respondd_poller/files/requirements.txt2
-rw-r--r--roles/install_respondd_poller/files/respondd_poller.py147
-rw-r--r--roles/install_respondd_poller/files/respondd_poller.service12
-rw-r--r--roles/install_respondd_poller/tasks/main.yml48
-rw-r--r--roles/install_respondd_poller/templates/respondd_poller.json.j27
-rw-r--r--roles/install_tayga/handlers/main.yml5
-rw-r--r--roles/install_tayga/tasks/main.yml25
-rw-r--r--roles/install_tayga/templates/systemd_override.conf.j210
-rw-r--r--roles/install_tayga/templates/tayga.conf.j26
-rw-r--r--roles/install_wg_add_vpn/tasks/main.yml30
-rw-r--r--roles/install_wg_add_vpn/templates/wg_add_vpn.service.j210
-rw-r--r--roles/install_wg_prefix_provider/tasks/main.yml29
-rw-r--r--roles/install_wg_prefix_provider/templates/wg_prefix_provider.service.j210
-rw-r--r--roles/install_wireguard_vpn/tasks/main.yml24
-rw-r--r--roles/install_wireguard_vpn/templates/down.sh.j26
-rw-r--r--roles/install_wireguard_vpn/templates/up.sh.j29
-rw-r--r--roles/install_wireguard_vpn/templates/wg.conf.j27
-rw-r--r--roles/setup_ffrl_tunnel/templates/bird.conf1
-rw-r--r--setup_fastd.yml7
33 files changed, 463 insertions, 314 deletions
diff --git a/group_vars/fastd b/group_vars/fastd
index 21708ae..518834d 100644
--- a/group_vars/fastd
+++ b/group_vars/fastd
@@ -7,3 +7,4 @@ wireguard_bb_peers:
pub_key: 'LobyJ67+/rGkTcFSchnJMz76MGVBAz5FrFypYq9GnzQ='
ipv4: '10.222.0.212'
port: 10151
+dns_ip: '2a03:2260:1016::53'
diff --git a/host_vars/ff-niyawe1 b/host_vars/ff-niyawe1
index c3d4942..df9ad3f 100644
--- a/host_vars/ff-niyawe1
+++ b/host_vars/ff-niyawe1
@@ -244,6 +244,19 @@ wireguard_bb_pub_key: 'zGubrJd9Wfa1Yo9I5xyJArdvX1bj7OS2VFth289PdlU='
wireguard_bb_ipv4: '10.222.0.11'
wireguard_bb_ipv6: 'fe80::ffbb:ffbb:11'
wireguard_bb_port: 10111
+wireguard_vpn_port: 10010
+wireguard_vpn_priv_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 34313130643739316461343031626565323930303465623238356636636531656630396433383036
+ 6337386336633165636633353139323366323563333464380a393438343365363661633331356438
+ 62326531336666326662323535366463333265313130343430653162646461383230363064366264
+ 6431663833633537660a343830623735633330643935363232366532346664353834623636326462
+ 33393133363464313665623963393534306235653239636438343537366533306166623535663336
+ 3864646261313135386563613637613330343935333636633434
+wireguard_vpn_address: 'fe80::7e:adff:fefc:0b8c'
+wireguard_vpn_client_range: '2a03:2260:1016:1000::/52'
+tayga_ipv4: 10.1.0.1
+tayga_pool: 10.1.0.0/16
ffrl_ip4: '185.66.194.56'
ffrl_peers:
- name: 'bbaakber'
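Review bot: `tayga_ipv4: 10.1.0.1` and `tayga_pool: 10.1.0.0/16` are the only unquoted scalars in this block; every neighbouring address (`wireguard_bb_ipv4`, `wireguard_vpn_address`, `ffrl_ip4`) is single-quoted. Both happen to parse as strings today, but quoting them (`tayga_ipv4: '10.1.0.1'`, `tayga_pool: '10.1.0.0/16'`) keeps the file consistent and avoids a surprise if a value is ever changed to something YAML retypes. The same applies to the matching lines in host_vars/ff-niyawe2. Carrying `wireguard_vpn_priv_key` as a `!vault` block scalar is the right way to keep the WireGuard private key out of the clear-text repository.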
diff --git a/host_vars/ff-niyawe2 b/host_vars/ff-niyawe2
index 99f2c8f..2c639dc 100644
--- a/host_vars/ff-niyawe2
+++ b/host_vars/ff-niyawe2
@@ -244,6 +244,19 @@ wireguard_bb_pub_key: 'ctSz9JjaPWM4Se39rSsbr39wXWfA1LJDF1OwwBui0VY='
wireguard_bb_ipv4: '10.222.0.12'
wireguard_bb_ipv6: 'fe80::ffbb:ffbb:12'
wireguard_bb_port: 10112
+wireguard_vpn_port: 10010
+wireguard_vpn_priv_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 36623962663931636165643834636338373230623438306431316338633765333434626462626636
+ 6330346538316361376531353932666363303431313737640a333931366638326164333937656566
+ 32393639376561396161313365343563383132663338363437376563653930643835303230613336
+ 6232616639643564360a613333666165623036613866383236323335383233376439386463333535
+ 32616431393965313839613264326137633063366530336461643534623833306466653330373666
+ 6364666534323361663937613837313031356262363338386563
+wireguard_vpn_address: 'fe80::ce:30ff:fe37:94da'
+wireguard_vpn_client_range: '2a03:2260:1016:2000::/52'
+tayga_ipv4: 10.2.0.1
+tayga_pool: 10.2.0.0/16
ffrl_ip4: '185.66.194.57'
ffrl_peers:
- name: 'bbafra2fra'
diff --git a/roles/configure_aurto_repo/tasks/main.yml b/roles/configure_aurto_repo/tasks/main.yml
new file mode 100644
index 0000000..e8ab37e
--- /dev/null
+++ b/roles/configure_aurto_repo/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+- name: add aurto repo (1/3)
+ ansible.builtin.lineinfile:
+ path: /etc/pacman.conf
+ line: "[aurto]"
+
+- name: add aurto repo (2/3)
+ ansible.builtin.lineinfile:
+ path: /etc/pacman.conf
+ line: "SigLevel = Optional TrustAll"
+
+- name: add aurto repo (3/3)
+ ansible.builtin.lineinfile:
+ path: /etc/pacman.conf
+ line: "Server = https://aur.niyawe.de/"
+
+- name: update pacman cache
+ pacman:
+ update_cache: yes
diff --git a/roles/configure_iptables/templates/ip6tables.rules b/roles/configure_iptables/templates/ip6tables.rules
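Review bot: `SigLevel = Optional TrustAll` on the new `[aurto]` repository turns off package signature verification for everything pacman fetches from it, so the gateways trust whatever aur.niyawe.de serves; TLS protects the transport but not the build host or the files it publishes. If the repository is signed, use `SigLevel = Required DatabaseOptional` (or simply inherit the pacman.conf default) and import the signing key with `pacman-key`; if it cannot be signed, the relaxation deserves at least a comment on the task saying so. Three independent `lineinfile` calls also give no guarantee the three lines end up adjacent: `lineinfile` only checks whether the exact line exists anywhere in the file, so a pre-existing `SigLevel = Optional TrustAll` under another repo would leave `[aurto]` without its own entry. A single `ansible.builtin.blockinfile` with the three lines in one `block:` keeps them together and idempotent; `update_cache: yes` should be `update_cache: true`.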
index 80e8b30..51287c0 100644
--- a/roles/configure_iptables/templates/ip6tables.rules
+++ b/roles/configure_iptables/templates/ip6tables.rules
@@ -52,6 +52,8 @@ COMMIT
-A INPUT -p udp -m udp --dport 10010:10023 -j ACCEPT
# respondd
-A INPUT -i bat+ -p udp -m udp --dport 1001 -j ACCEPT
+# wg_prefix_provider
+-A INPUT -i wgmyk -s fe80::/64 -p tcp -m tcp --dport 9999 -j ACCEPT
# wireguard_mesh
{% for site in sites %}
-A INPUT -s 2a03:2260:1016::/48 -p udp -m udp --dport {{ site.wireguard_mesh_port }} -j DROP
diff --git a/roles/configure_static_routes/files/ffmyk-iproute.sh b/roles/configure_static_routes/files/ffmyk-iproute.sh
index 831d30d..83cb5aa 100755
--- a/roles/configure_static_routes/files/ffmyk-iproute.sh
+++ b/roles/configure_static_routes/files/ffmyk-iproute.sh
@@ -2,7 +2,11 @@
#Alles, was mit 0x1 markiert wird gehört zu Tabelle ffmyk
ip -4 rule add from all fwmark 0x1 table ffmyk priority 10
ip -6 rule add from all fwmark 0x1 table ffmyk priority 10
+ip -4 rule add iif nat64 table ffmyk priority 10
+ip -6 rule add iif nat64 table ffmyk priority 10
+ip -4 rule add to 10.1.0.0/16 table ffmyk priority 10
+ip -4 rule add to 10.2.0.0/16 table ffmyk priority 10
#Alles mit Freifunk-IP - woher auch immer - gehört zu Tabelle ffmyk
ip -4 rule add to 10.222.1.0/24 table ffmyk priority 10
ip -4 rule add to 10.222.2.0/23 table ffmyk priority 10
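Review bot: The new `ip -4 rule add to 10.1.0.0/16` and `to 10.2.0.0/16` lines hard-code the NAT64 pools of both gateways into a static file under `files/`, while the same commit defines them per host as `tayga_pool` in host_vars and templates that variable into tayga's unit override. Every host therefore also carries a rule for the other host's pool (possibly intended if pool traffic is exchanged between the gateways), and any later change to `tayga_pool` silently drifts from this script. Turning the script into a template with `ip -4 rule add to {{ tayga_pool }} table ffmyk priority 10` (or keeping all pools in one group variable and looping over it) leaves a single source of truth. The script continues outside the hunk.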
@@ -16,3 +20,6 @@ ip -6 rule add to 2001:470:cd45:ff00::/56 table ffmyk priority 10
ip -6 rule add to 2a03:2260:1016::/48 table ffmyk priority 10
ip -6 rule add to 64:ff9b::/96 table ffmyk priority 10
ip -6 rule add to fd62:44e1:da::/48 table ffmyk priority 10
+
+ip -4 rule add from all iif nat64 type unreachable priority 200
+ip -6 rule add from all iif nat64 type unreachable priority 200
diff --git a/roles/install_babeld/tasks/main.yml b/roles/install_babeld/tasks/main.yml
index a8299da..94b3ce5 100644
--- a/roles/install_babeld/tasks/main.yml
+++ b/roles/install_babeld/tasks/main.yml
@@ -1,5 +1,5 @@
---
-- name: install fastd
+- name: install babeld
pacman:
name: babeld
state: present
diff --git a/roles/install_bind/tasks/main.yml b/roles/install_bind/tasks/main.yml
index a7391e5..a11d247 100644
--- a/roles/install_bind/tasks/main.yml
+++ b/roles/install_bind/tasks/main.yml
@@ -11,6 +11,16 @@
owner: named
group: named
+- name: create systemd-folder
+ file:
+ path: /etc/systemd/system/named.service.d
+ state: directory
+
+- name: bind ip override
+ template:
+ src: ipv6.conf.j2
+ dest: /etc/systemd/system/named.service.d/ipv6.conf
+
- name: bind config
template:
src: named.conf.j2
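Review bot: The new `bind ip override` task drops a unit override into `/etc/systemd/system/named.service.d/` but nothing runs a daemon-reload or restarts named, so the added `ExecStartPre` only takes effect after the next manual reload or reboot. Add `notify:` for the role's restart handler to the template task (the handler is not part of this diff, so I cannot confirm its name) and make sure that handler sets `daemon_reload: true` on the `systemd` module. The `file` task creating the directory has no `mode:`; `mode: "0755"` keeps the result independent of the umask. The enclosing task list continues outside the hunk.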
diff --git a/roles/install_bind/templates/ipv6.conf.j2 b/roles/install_bind/templates/ipv6.conf.j2
new file mode 100644
index 0000000..0bc8416
--- /dev/null
+++ b/roles/install_bind/templates/ipv6.conf.j2
@@ -0,0 +1,2 @@
+[Service]
+ExecStartPre=/usr/bin/ip addr replace {{ dns_ip }}/128 dev lo
diff --git a/roles/install_bind/templates/named.conf.j2 b/roles/install_bind/templates/named.conf.j2
index 25d3470..352c1fa 100644
--- a/roles/install_bind/templates/named.conf.j2
+++ b/roles/install_bind/templates/named.conf.j2
@@ -10,6 +10,7 @@ options {
auth-nxdomain no; # conform to RFC1035
listen-on-v6 {
+ 2a03:2260:1016::53;
{% for site in sites %}
{{ site.bat_ipv6 }};
{% endfor %}
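Review bot: The listen address `2a03:2260:1016::53;` is hard-coded here although this same commit introduces `dns_ip` in group_vars/fastd and already templates it into ipv6.conf.j2; if the two ever diverge, named listens on an address that is never configured on lo. Use `{{ dns_ip }};` on this line so the unit override and the bind config cannot drift. The `listen-on-v6` block continues outside the hunk.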
diff --git a/roles/install_monitoring/files/munin/munin_fastd_peers b/roles/install_monitoring/files/munin/munin_fastd_peers
deleted file mode 100644
index 17a0084..0000000
--- a/roles/install_monitoring/files/munin/munin_fastd_peers
+++ /dev/null
@@ -1,73 +0,0 @@
-#!/usr/bin/perl -w
-# -*- perl -*-
-
-=head1 NAME
-
-fastd_peers_ - Plugin to monitor fastd peers
-
-=head1 CONFIGURATION
-
-Set user and group to have access to the socket
-Set path to socketfile if not /tmp/fastd.sock
-
- [fastd_peers_*]
- user fastd
- group fastd
- env.socketfile /tmp/fastd.sock
-
-=head1 USAGE
-
-Link this plugin to /etc/munin/plugins/
-
-After creating the links, restart munin-node. Don't forget to configure the plugin!
-
-=head1 AUTHORS
-
-Dominique Goersch <mail@dgoersch.info>
-Niklas Yann Wettengel <niyawe@niyawe.de>
-
-=head1 LICENSE
-
-GPLv2
-
-=head1 MAGIC MARKERS
-
- #%# family=manual
-
-=cut
-
-
-use strict;
-use warnings;
-use File::Basename;
-use IO::Socket::UNIX qw( SOCK_STREAM );
-use JSON;
-
-if ($ARGV[0] and $ARGV[0] eq "config") { #config graph
- print "graph_title fastd peers\n";
- print "graph_info This graph shows the peers of the fastd on this supernode\n";
- print "graph_args -l 0\n";
- print "graph_scale no\n";
- print "graph_vlabel peers count\n";
- print "graph_category fastd\n";
- print "peers.label peers\n";
- print "peers.draw AREA\n";
- exit 0;
-}
-
-
-my $statusfile = exists $ENV{'socketfile'} ? $ENV{'socketfile'} : "/tmp/fastd.sock"; #get path to socket from environment or use default
-my $socket = IO::Socket::UNIX->new(Type => SOCK_STREAM,Peer => $statusfile) #open socket
- or die("Can't connect to server: $!\n");
-
-my $fastdstatus = "";
-foreach my $line (<$socket>) {$fastdstatus .= $line;} #read contents from socket
-my $json = decode_json($fastdstatus); #decode json
-
-#my $fastd_peers = scalar(keys(%{$json->{peers}})); #get number of peers from json
-my $fastd_peers = 0;
-for my $key (keys(%{$json->{peers}})) {
- $fastd_peers = $fastd_peers + ($json->{peers}{$key}{connection}? 1 : 0);
-}
-
-print "peers.value $fastd_peers\n"; #return number of peers
diff --git a/roles/install_monitoring/files/munin/munin_fastd_plugin b/roles/install_monitoring/files/munin/munin_fastd_plugin
deleted file mode 100755
index 35ad65d..0000000
--- a/roles/install_monitoring/files/munin/munin_fastd_plugin
+++ /dev/null
@@ -1,124 +0,0 @@
-#!/usr/bin/perl -w
-# -*- perl -*-
-
-=head1 NAME
-
-fastd_ - Plugin to monitor fastd uptime, peers and traffic
-
-=head1 CONFIGURATION
-
-Set user and group to have access to the socket
-Set path to socketfile if not /tmp/fastd.sock
-
- [fastd_*]
- user fastd
- group fastd
- env.socketfile /tmp/fastd.sock
-
-=head1 USAGE
-
-Link this plugin to /etc/munin/plugins/ with the type of graph (uptime, peers, traffic)
-append to the linkname, ie: /etc/munin/plugins/fastd_peers
-
-After creating the links, restart munin-node. Don't forget to configure the plugin!
-
-=head1 AUTHORS
-
-Dominique Goersch <mail@dgoersch.info>
-
-=head1 LICENSE
-
-GPLv2
-
-=head1 MAGIC MARKERS
-
- #%# family=manual
- #%# capabilities=suggest
-
-=cut
-
-
-use strict;
-use warnings;
-use File::Basename;
-use IO::Socket::UNIX qw( SOCK_STREAM );
-use JSON;
-
-my $mode = basename($0); #get basename
-$mode =~ s/fastd_//; #and strip 'fastd_' to get the mode
-
-if ($ARGV[0] and $ARGV[0] eq "config") { #config graph
- if ($mode eq 'uptime') { #for uptime
- print "graph_title fastd Uptime\n";
- print "graph_info This graph shows the uptime of the fastd on this supernode\n";
- print "graph_args -l 0\n";
- print "graph_scale no\n";
- print "graph_vlabel uptime in days\n";
- print "graph_category fastd\n";
- print "uptime.label uptime\n";
- print "uptime.draw AREA\n";
- }
- elsif ($mode eq 'peers') { #for peers
- print "graph_title fastd peers\n";
- print "graph_info This graph shows the peers of the fastd on this supernode\n";
- print "graph_args -l 0\n";
- print "graph_scale no\n";
- print "graph_vlabel peers count\n";
- print "graph_category fastd\n";
- print "peers.label peers\n";
- print "peers.draw AREA\n";
- }
- elsif ($mode eq 'traffic') { #for traffic
- print "graph_order down up\n";
- print "graph_title fastd traffic\n";
- print "graph_args --base 1000\n";
- print "graph_vlabel bits in (-) / out (+) per second\n";
- print "graph_category fastd\n";
- print "graph_info This graph shows the traffic of fast.\n";
- print "down.label received\n";
- print "down.type DERIVE\n";
- print "down.graph no\n";
- print "down.cdef down,8,*\n";
- print "down.min 0\n";
- print "up.label bps\n";
- print "up.type DERIVE\n";
- print "up.negative down\n";
- print "up.cdef up,8,*\n";
- print "up.min 0\n";
- }
- exit 0;
-}
-
-if ($ARGV[0] and $ARGV[0] eq "suggest") { #tell munin about our graphs
- print "uptime\n";
- print "peers\n";
- print "traffic\n";
-}
-
-
-
-my $statusfile = exists $ENV{'socketfile'} ? $ENV{'socketfile'} : "/tmp/fastd.sock"; #get path to socket from environment or use default
-my $socket = IO::Socket::UNIX->new(Type => SOCK_STREAM,Peer => $statusfile) #open socket
- or die("Can't connect to server: $!\n");
-
-my $fastdstatus = "";
-foreach my $line (<$socket>) {$fastdstatus .= $line;} #read contents from socket
-my $json = decode_json($fastdstatus); #decode json
-
-my $fastd_uptime = $json->{uptime}; #get the uptime from json
-#my $fastd_peers = scalar(keys(%{$json->{peers}})); #get number of peers from json
-my $fastd_peers = 0;
-for my $key (keys(%{$json->{peers}})) {
- $fastd_peers = $fastd_peers + ($json->{peers}{$key}{connection}? 1 : 0);
-}
-my $fastd_rx_bytes = $json->{statistics}->{rx}->{bytes}; #get recieved bytes from json
-my $fastd_tx_bytes = $json->{statistics}->{tx}->{bytes}; #get transmittetd bytes from json
-
-if ( $mode eq 'uptime' ) {
- printf "uptime.value %.0f\n",$fastd_uptime/86400000; #return uptime in seconds
-} elsif ($mode eq 'peers') {
- print "peers.value $fastd_peers\n"; #return number of peers
-} elsif ($mode eq 'traffic') {
- print "up.value $fastd_tx_bytes\n"; #return transmitted bytes
- print "down.value $fastd_rx_bytes\n"; #and recieved bytes
-}
diff --git a/roles/install_monitoring/files/munin/munin_fastd_traffic b/roles/install_monitoring/files/munin/munin_fastd_traffic
deleted file mode 100644
index 6b60a94..0000000
--- a/roles/install_monitoring/files/munin/munin_fastd_traffic
+++ /dev/null
@@ -1,79 +0,0 @@
-#!/usr/bin/perl -w
-# -*- perl -*-
-
-=head1 NAME
-
-fastd_traffic_ - Plugin to monitor fastd traffic
-
-=head1 CONFIGURATION
-
-Set user and group to have access to the socket
-Set path to socketfile if not /tmp/fastd.sock
-
- [fastd_traffic_*]
- user fastd
- group fastd
- env.socketfile /tmp/fastd.sock
-
-=head1 USAGE
-
-Link this plugin to /etc/munin/plugins/
-
-After creating the links, restart munin-node. Don't forget to configure the plugin!
-
-=head1 AUTHORS
-
-Dominique Goersch <mail@dgoersch.info>
-Niklas Yann Wettengel <niyawe@niyawe.de>
-
-=head1 LICENSE
-
-GPLv2
-
-=head1 MAGIC MARKERS
-
- #%# family=manual
-
-=cut
-
-
-use strict;
-use warnings;
-use File::Basename;
-use IO::Socket::UNIX qw( SOCK_STREAM );
-use JSON;
-
-if ($ARGV[0] and $ARGV[0] eq "config") { #config graph
- print "graph_order down up\n";
- print "graph_title fastd traffic\n";
- print "graph_args --base 1000\n";
- print "graph_vlabel bits in (-) / out (+) per second\n";
- print "graph_category fastd\n";
- print "graph_info This graph shows the traffic of fast.\n";
- print "down.label received\n";
- print "down.type DERIVE\n";
- print "down.graph no\n";
- print "down.cdef down,8,*\n";
- print "down.min 0\n";
- print "up.label bps\n";
- print "up.type DERIVE\n";
- print "up.negative down\n";
- print "up.cdef up,8,*\n";
- print "up.min 0\n";
- exit 0;
-}
-
-
-my $statusfile = exists $ENV{'socketfile'} ? $ENV{'socketfile'} : "/tmp/fastd.sock"; #get path to socket from environment or use default
-my $socket = IO::Socket::UNIX->new(Type => SOCK_STREAM,Peer => $statusfile) #open socket
- or die("Can't connect to server: $!\n");
-
-my $fastdstatus = "";
-foreach my $line (<$socket>) {$fastdstatus .= $line;} #read contents from socket
-my $json = decode_json($fastdstatus); #decode json
-
-my $fastd_rx_bytes = $json->{statistics}->{rx}->{bytes}; #get recieved bytes from json
-my $fastd_tx_bytes = $json->{statistics}->{tx}->{bytes}; #get transmittetd bytes from json
-
-print "up.value $fastd_tx_bytes\n"; #return transmitted bytes
-print "down.value $fastd_rx_bytes\n"; #and recieved bytes
diff --git a/roles/install_monitoring/tasks/install_munin.yml b/roles/install_monitoring/tasks/install_munin.yml
index c843bfe..b17b0f9 100644
--- a/roles/install_monitoring/tasks/install_munin.yml
+++ b/roles/install_monitoring/tasks/install_munin.yml
@@ -15,42 +15,6 @@
name: perl-json
state: present
-- name: copy fastd peers plugin
- copy:
- src: munin/munin_fastd_peers
- dest: /usr/lib/munin/plugins/fastd_peers_
- mode: 0755
- notify: restart munin-node
-
-- name: copy fastd traffic plugin
- copy:
- src: munin/munin_fastd_traffic
- dest: /usr/lib/munin/plugins/fastd_traffic_
- mode: 0755
- notify: restart munin-node
-
-- name: enable munin plugins for fastd peers
- file:
- path: /etc/munin/plugins/fastd_peers_ff{{ item.name }}
- src: /usr/lib/munin/plugins/fastd_peers_
- state: link
- with_items: "{{ sites }}"
- notify: restart munin-node
-
-- name: enable munin plugins for fastd traffic
- file:
- path: /etc/munin/plugins/fastd_traffic_ff{{ item.name }}
- src: /usr/lib/munin/plugins/fastd_traffic_
- state: link
- with_items: "{{ sites }}"
- notify: restart munin-node
-
-- name: copy fastd plugin config
- template:
- src: munin_fastd_conf.j2
- dest: /etc/munin/plugin-conf.d/fastd
- notify: restart munin-node
-
- name: copy wg peers plugin
copy:
src: munin/munin_wg_peers
diff --git a/roles/install_respondd_poller/files/requirements.txt b/roles/install_respondd_poller/files/requirements.txt
new file mode 100644
index 0000000..83bb832
--- /dev/null
+++ b/roles/install_respondd_poller/files/requirements.txt
@@ -0,0 +1,2 @@
+wgnlpy
+requests
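Review bot: Both dependencies are unpinned, so the venv built by the `pip` task picks up whatever `wgnlpy` and `requests` are current on PyPI at deploy time, and the resulting code runs as a long-lived root service (`respondd_poller.service` in this commit sets no `User=`). Pin exact versions (`wgnlpy==<version>`, `requests==<version>`) and ideally hashes (`--hash=sha256:<digest>` entries, installed with `--require-hashes`) so deployments are reproducible and a broken or compromised upstream release does not land on the gateways silently.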
diff --git a/roles/install_respondd_poller/files/respondd_poller.py b/roles/install_respondd_poller/files/respondd_poller.py
new file mode 100644
index 0000000..1eb98a1
--- /dev/null
+++ b/roles/install_respondd_poller/files/respondd_poller.py
@@ -0,0 +1,147 @@
+#!/usr/bin/env python
+
+import socket
+import ipaddress
+import threading
+import time
+import zlib
+import json
+import os.path
+import sys
+from wgnlpy import WireGuard
+import requests
+from xml.etree import ElementTree
+
+if not os.path.exists("/etc/respondd_poller.json"):
+ print("/etc/respondd_poller.json missing")
+ sys.exit(1)
+
+interface = None
+prefix = None
+yanic_addr = None
+request = None
+
+with open("/etc/respondd_poller.json", "r") as f:
+ config = json.load(f)
+ if "interface" in config:
+ interface = config["interface"]
+ if "prefix" in config:
+ prefix = ipaddress.IPv6Network(config["prefix"])
+ if "yanic_addr" in config and "yanic_port" in config:
+ yanic_addr = (config["yanic_addr"], int(config["yanic_port"]))
+ if "request" in config:
+ request = config["request"].encode("ascii")
+
+wg = WireGuard()
+sock = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
+last_request = dict()
+last_response = dict()
+
+def get_wg_peers():
+ wgpeers = wg.get_interface(interface).peers
+ for peer in wgpeers:
+ for ip in wgpeers[peer].allowedips:
+ if ip.subnet_of(prefix):
+ yield ip
+
+def inflate(data):
+ decompress = zlib.decompressobj(-zlib.MAX_WBITS)
+ inflated = decompress.decompress(data)
+ inflated += decompress.flush()
+ return inflated.decode()
+
+def cleanup():
+ while True:
+ time.sleep(60)
+ old = time.monotonic() - 360
+ ips = []
+ macs = []
+ for ip in last_request:
+ if last_response[ip] < old:
+ ips.append(ip)
+ for ip in ips:
+ del last_response[ip]
+ del last_request[ip]
+
+def recv():
+ global sock
+ while True:
+ data, addr = sock.recvfrom(1500)
+ sock.sendto(data, yanic_addr)
+ j = json.loads(inflate(data))
+ last_response[ipaddress.IPv6Address(addr[0])] = time.monotonic()
+
+def send(ip):
+ global request
+ try:
+ sock.sendto(request, (bytearray(str(ip).encode('ascii')), 1001))
+ except:
+ print("failed to send packet to", ip)
+ return
+
+def get_http_nodeinfo(ip):
+ global last_request
+ now = time.monotonic()
+ try:
+ status = requests.get('http://[' + str(ip) + ']/cgi-bin/status')
+ except:
+ return
+ status_tree = ElementTree.fromstring(status.content)
+ mesh_ifs = []
+ interface_list = status_tree.findall(".//*[@data-interface]")
+ for interface in interface_list:
+ mesh_ifs.append(interface.attrib["data-interface"])
+ for mesh_if in mesh_ifs:
+ try:
+ nodeinfo = requests.get('http://[' + str(ip) + ']/cgi-bin/dyn/neighbours-nodeinfo?' + mesh_if)
+ except:
+ return
+ for line in nodeinfo.content.split(b'\n'):
+ if line.startswith(b'data: {'):
+ data = line.split(b': ', maxsplit=1)[1]
+ data = json.loads(data)
+ if "network" in data and "addresses" in data["network"]:
+ for address in data["network"]["addresses"]:
+ if ipaddress.IPv6Network(address).subnet_of(prefix):
+ node_ip = ipaddress.IPv6Address(address)
+ if node_ip not in last_request:
+ last_request[node_ip] = now
+ last_response[node_ip] = now
+
+def scan_wg_peers():
+ global last_request
+ while True:
+ print("scanning wg peers")
+ request_threads = []
+ now = time.monotonic()
+ for net in get_wg_peers():
+ ip = ipaddress.IPv6Address(str(net.network_address) + "1")
+ if ip not in last_request:
+ last_request[ip] = now
+ last_response[ip] = now
+ request_thread = threading.Thread(target=get_http_nodeinfo, args=(ip,))
+ request_thread.start()
+ request_threads.append(request_thread)
+ if len(request_threads) > 10:
+ for thread in request_threads:
+ thread.join()
+ request_threads = []
+ time.sleep(60)
+
+
+listen_thread = threading.Thread(target=recv)
+listen_thread.start()
+cleanup_thread = threading.Thread(target=cleanup)
+cleanup_thread.start()
+scan_thread = threading.Thread(target=scan_wg_peers)
+scan_thread.start()
+
+last_wg_time = 0
+
+while True:
+ now = time.monotonic()
+ for ip in last_request:
+ if now - last_request[ip] > 15:
+ last_request[ip] = now
+ send(ip)
+ time.sleep(1)
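Review bot: `last_request` and `last_response` are mutated from several threads (`recv`, `cleanup`, every `get_http_nodeinfo` thread, `scan_wg_peers`) while the main loop and `cleanup` iterate over them with no lock, so an insert or delete during `for ip in last_request:` raises `RuntimeError: dictionary changed size during iteration` and kills the iterating thread; because the worker threads are non-daemon, a dead main loop leaves the process alive but no longer polling. The cheapest fix is to iterate over a snapshot, `for ip in list(last_request):`, in both the main loop and `cleanup`, or to guard both dicts with one `threading.Lock`. `recv` forwards every datagram to yanic and then calls `json.loads(inflate(data))` with no exception handling, so a single malformed or non-deflate packet from any host that reaches the socket terminates the listener thread for good (the parsed `j` is never used, so the call can be dropped or wrapped in `except (zlib.error, ValueError)`). Both `requests.get` calls lack `timeout=`, which can leave poller threads blocked forever on an unresponsive node, and the bare `except:` clauses in `send` and `get_http_nodeinfo` should be `except OSError` / `except requests.RequestException` so they do not also swallow `KeyboardInterrupt` and `SystemExit`. `cleanup` defines an unused `macs` list, and the loop variable `interface` in `get_http_nodeinfo` shadows the module-level `interface` setting.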
diff --git a/roles/install_respondd_poller/files/respondd_poller.service b/roles/install_respondd_poller/files/respondd_poller.service
new file mode 100644
index 0000000..96e309c
--- /dev/null
+++ b/roles/install_respondd_poller/files/respondd_poller.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=respondd_poller
+After=network.target
+
+[Service]
+ExecStart=/opt/respondd_poller/venv/bin/python -u /opt/respondd_poller/respondd_poller.py
+Restart=always
+WorkingDirectory=/opt/respondd_poller
+Environment=PYTHONPATH=/opt/respondd_poller
+
+[Install]
+WantedBy=multi-user.target
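Review bot: The unit has no `User=`, so the poller (and likewise `wg_add_vpn.service.j2` and `wg_prefix_provider.service.j2` later in this commit) runs as root with no sandboxing, although the script itself only needs the network and, presumably, `CAP_NET_ADMIN` for the WireGuard netlink query. A dedicated user with `AmbientCapabilities=CAP_NET_ADMIN` plus `NoNewPrivileges=true`, `ProtectSystem=strict` and `ProtectHome=true` would confine a parser bug in the respondd/HTTP handling of untrusted node data to that user instead of the whole host. `After=network.target` also does not wait for `wgmyk`, which the script queries via wgnlpy and uses as the scope of `yanic_addr`; `After=wg-quick@wgmyk.service` (with a matching `Wants=`) avoids a restart loop while the interface is still absent, and `RestartSec=` would rate-limit that loop in any case.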
diff --git a/roles/install_respondd_poller/tasks/main.yml b/roles/install_respondd_poller/tasks/main.yml
new file mode 100644
index 0000000..aa03558
--- /dev/null
+++ b/roles/install_respondd_poller/tasks/main.yml
@@ -0,0 +1,48 @@
+---
+- name: install respondd_poller dependencies
+ pacman:
+ name:
+ - git
+ - python-virtualenv
+ - python-setuptools
+ state: present
+
+- name: create venv
+ command:
+ cmd: "python -m venv /opt/respondd_poller/venv"
+ creates: /opt/respondd_poller/venv
+
+- name: install respondd_poller requirements
+ copy:
+ src: requirements.txt
+ dest: /opt/respondd_poller/requirements.txt
+ mode: 0644
+
+- name: install respondd_poller script
+ copy:
+ src: respondd_poller.py
+ dest: /opt/respondd_poller/respondd_poller.py
+ mode: 0644
+
+- name: install requirements
+ pip:
+ requirements: /opt/respondd_poller/requirements.txt
+ virtualenv: /opt/respondd_poller/venv
+
+- name: install respondd_poller config
+ template:
+ src: respondd_poller.json.j2
+ dest: /etc/respondd_poller.json
+ mode: 0644
+
+- name: create respondd_poller service
+ copy:
+ src: respondd_poller.service
+ dest: /etc/systemd/system/respondd_poller.service
+ mode: 0644
+
+- name: start and enable respondd_poller service
+ systemd:
+ name: respondd_poller
+ state: started
+ enabled: yes
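Review bot: The script, config and unit file are installed with plain `copy`/`template` tasks and no `notify`, and the final `systemd` task only ensures `started`, so a re-run that changes `respondd_poller.py` or `/etc/respondd_poller.json` leaves the old process running until someone restarts it by hand; the unit file should also be installed with `daemon_reload: true` so systemd reads it before it is enabled. Add a `restart respondd_poller` handler (`systemd: name: respondd_poller, state: restarted, daemon_reload: true`) and `notify` it from the three copy/template tasks and from the `pip` task. `git` is listed as a dependency but no task in this role uses it, and `enabled: yes` should be `enabled: true`.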
diff --git a/roles/install_respondd_poller/templates/respondd_poller.json.j2 b/roles/install_respondd_poller/templates/respondd_poller.json.j2
new file mode 100644
index 0000000..c3f6574
--- /dev/null
+++ b/roles/install_respondd_poller/templates/respondd_poller.json.j2
@@ -0,0 +1,7 @@
+{
+ "interface":"wgmyk",
+ "prefix":"2a03:2260:1016::/48",
+ "yanic_addr": "fe80::41:18ff:fec5:5041%wgmyk",
+ "yanic_port": 10001,
+ "request":"GET nodeinfo statistics neighbours"
+}
diff --git a/roles/install_tayga/handlers/main.yml b/roles/install_tayga/handlers/main.yml
new file mode 100644
index 0000000..38fc10b
--- /dev/null
+++ b/roles/install_tayga/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart tayga
+ systemd:
+ name: tayga.service
+ state: restarted
diff --git a/roles/install_tayga/tasks/main.yml b/roles/install_tayga/tasks/main.yml
new file mode 100644
index 0000000..0f38790
--- /dev/null
+++ b/roles/install_tayga/tasks/main.yml
@@ -0,0 +1,25 @@
+---
+- name: install tayga
+ pacman:
+ name: tayga
+ state: present
+
+- name: tayga.conf
+ template:
+ src: tayga.conf.j2
+ dest: /etc/tayga.conf
+ mode: 0644
+ notify: restart tayga
+
+- name: systemd override.conf
+ template:
+ src: systemd_override.conf.j2
+ dest: /etc/systemd/system/tayga.service.d/override.conf
+ mode: 0644
+ notify: restart tayga
+
+- name: start and enable tayga service
+ systemd:
+ name: tayga.service
+ enabled: yes
+ state: started
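Review bot: The `systemd override.conf` task templates into `/etc/systemd/system/tayga.service.d/override.conf` but nothing creates that directory first; unlike the install_bind change in this same commit, which adds a `create systemd-folder` task, `template` does not create missing parent directories, so on a fresh host this task fails. The `restart tayga` handler also runs without `daemon_reload`, so a changed override is not picked up by the restart. Add a directory task before the template and `daemon_reload: true` to the handler in handlers/main.yml (also new in this commit); `enabled: yes` should be `enabled: true`.
```yaml
- name: create tayga systemd drop-in directory
  file:
    path: /etc/systemd/system/tayga.service.d
    state: directory
    mode: "0755"

# … unchanged: systemd override.conf task …
```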
diff --git a/roles/install_tayga/templates/systemd_override.conf.j2 b/roles/install_tayga/templates/systemd_override.conf.j2
new file mode 100644
index 0000000..a3e7229
--- /dev/null
+++ b/roles/install_tayga/templates/systemd_override.conf.j2
@@ -0,0 +1,10 @@
+[Service]
+ExecStart=
+ExecStartPre=/usr/bin/tayga --mktun --config /etc/tayga.conf
+ExecStartPre=/usr/bin/ip link set nat64 up
+ExecStartPre=/usr/bin/ip addr replace {{ tayga_ipv4 }}/32 dev nat64
+ExecStartPre=/usr/bin/ip addr replace 2a03:2260:1016::64/128 dev nat64
+ExecStartPre=/usr/bin/ip route replace {{ tayga_pool }} dev nat64 table ffmyk
+ExecStartPre=/usr/bin/ip -6 route replace 64:ff9b::/96 dev nat64 table ffmyk
+ExecStart=/usr/bin/tayga --nodetach --config /etc/tayga.conf
+Restart=always
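Review bot: `ExecStartPre=/usr/bin/tayga --mktun` runs on every start, including the automatic ones from `Restart=always`, and there is no `ExecStopPost` removing the tun, so if `--mktun` refuses an already existing `nat64` device the second start fails and the unit loops; I cannot confirm tayga's behaviour from the diff, but a symmetric `ExecStopPost=/usr/bin/tayga --rmtun --config /etc/tayga.conf`, or a `-` prefix on the mktun line so its failure is ignored, makes the unit robust either way. `2a03:2260:1016::64` is also hard-coded here and again in tayga.conf.j2 while `tayga_ipv4` and `tayga_pool` are variables; a `tayga_ipv6` variable would keep the two templates from drifting.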
diff --git a/roles/install_tayga/templates/tayga.conf.j2 b/roles/install_tayga/templates/tayga.conf.j2
new file mode 100644
index 0000000..8606dcb
--- /dev/null
+++ b/roles/install_tayga/templates/tayga.conf.j2
@@ -0,0 +1,6 @@
+tun-device nat64
+ipv4-addr {{ tayga_ipv4 }}
+ipv6-addr 2a03:2260:1016::64
+prefix 64:ff9b::/96
+dynamic-pool {{ tayga_pool }}
+data-dir /var/db/tayga
diff --git a/roles/install_wg_add_vpn/tasks/main.yml b/roles/install_wg_add_vpn/tasks/main.yml
new file mode 100644
index 0000000..40ed07c
--- /dev/null
+++ b/roles/install_wg_add_vpn/tasks/main.yml
@@ -0,0 +1,30 @@
+---
+- name: install wg_add dependencies
+ pacman:
+ name:
+ - git
+ - make
+ - gcc
+ state: present
+
+- name: clone wg_add repo
+ git:
+ repo: https://github.com/FreifunkMYK/wg_add.git
+ dest: /opt/wg_add_vpn
+ version: vpn
+
+- name: build wg_add
+ make:
+ chdir: /opt/wg_add_vpn
+
+- name: install wg_add service
+ template:
+ src: wg_add_vpn.service.j2
+ dest: /etc/systemd/system/wg_add_vpn.service
+ mode: 0644
+
+- name: start and enable wgkex service
+ systemd:
+ name: wg_add_vpn
+ state: started
+ enabled: yes
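Review bot: The `git` task checks out `version: vpn`, a branch, so every playbook run builds and deploys whatever that branch currently points to (and install_wg_prefix_provider/tasks/main.yml in this commit has no `version:` at all, tracking the default branch); both results run as root services, so a pushed or force-pushed commit on GitHub becomes root code on the gateways at the next run. Pin both to a commit SHA (`version: <commit-sha>`) and bump it deliberately. The last task is named `start and enable wgkex service` but manages `wg_add_vpn`, apparently a copy-paste leftover; the `make` task also has no `notify`, so a rebuilt binary is never restarted into, and `enabled: yes` should be `enabled: true`.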
diff --git a/roles/install_wg_add_vpn/templates/wg_add_vpn.service.j2 b/roles/install_wg_add_vpn/templates/wg_add_vpn.service.j2
new file mode 100644
index 0000000..da1470d
--- /dev/null
+++ b/roles/install_wg_add_vpn/templates/wg_add_vpn.service.j2
@@ -0,0 +1,10 @@
+[Unit]
+Description=wg_add
+After=network.target
+
+[Service]
+ExecStart=/opt/wg_add_vpn/wg_add {{ ansible_default_ipv4.interface }} wgmyk
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/install_wg_prefix_provider/tasks/main.yml b/roles/install_wg_prefix_provider/tasks/main.yml
new file mode 100644
index 0000000..a155300
--- /dev/null
+++ b/roles/install_wg_prefix_provider/tasks/main.yml
@@ -0,0 +1,29 @@
+---
+- name: install wg_prefix_provider dependencies
+ pacman:
+ name:
+ - git
+ - make
+ - gcc
+ state: present
+
+- name: clone wg_prefix_provider repo
+ git:
+ repo: https://github.com/FreifunkMYK/wg_prefix_provider.git
+ dest: /opt/wg_prefix_provider
+
+- name: build wg_prefix_provider
+ make:
+ chdir: /opt/wg_prefix_provider
+
+- name: install wg_prefix_provider service
+ template:
+ src: wg_prefix_provider.service.j2
+ dest: /etc/systemd/system/wg_prefix_provider.service
+ mode: 0644
+
+- name: start and enable wg_prefix_provider service
+ systemd:
+ name: wg_prefix_provider
+ state: started
+ enabled: yes
diff --git a/roles/install_wg_prefix_provider/templates/wg_prefix_provider.service.j2 b/roles/install_wg_prefix_provider/templates/wg_prefix_provider.service.j2
new file mode 100644
index 0000000..485517a
--- /dev/null
+++ b/roles/install_wg_prefix_provider/templates/wg_prefix_provider.service.j2
@@ -0,0 +1,10 @@
+[Unit]
+Description=wg_prefix_provider
+After=network.target
+
+[Service]
+ExecStart=/opt/wg_prefix_provider/wg_prefix_provider wgmyk 9999 {{ wireguard_vpn_client_range }}
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/install_wireguard_vpn/tasks/main.yml b/roles/install_wireguard_vpn/tasks/main.yml
new file mode 100644
index 0000000..3ca9dcc
--- /dev/null
+++ b/roles/install_wireguard_vpn/tasks/main.yml
@@ -0,0 +1,24 @@
+---
+- name: create wireguard config for wgmyk
+ template:
+ src: wg.conf.j2
+ dest: /etc/wireguard/wgmyk.conf
+ mode: 0400
+
+- name: create wireguard up scripts for wgmyk
+ template:
+ src: up.sh.j2
+ dest: /etc/wireguard/upmyk.sh
+ mode: 0744
+
+- name: create wireguard down scripts for wgmyk
+ template:
+ src: down.sh.j2
+ dest: /etc/wireguard/downmyk.sh
+ mode: 0744
+
+- name: start and enable wireguard mesh
+ systemd:
+ name: wg-quick@wgmyk.service
+ enabled: yes
+ state: started
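Review bot: None of the three template tasks notifies a handler and the final task only ensures `wg-quick@wgmyk.service` is started, so a changed `wgmyk.conf` (a new port or key) or a changed up/down script is never applied to the running interface. Add a `restart wg-quick@wgmyk` handler (`systemd: name: wg-quick@wgmyk.service, state: restarted`) and `notify` it from all three tasks. `mode: 0400` on the config that holds the private key is correct; `enabled: yes` should be `enabled: true`.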
diff --git a/roles/install_wireguard_vpn/templates/down.sh.j2 b/roles/install_wireguard_vpn/templates/down.sh.j2
new file mode 100644
index 0000000..d33011f
--- /dev/null
+++ b/roles/install_wireguard_vpn/templates/down.sh.j2
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+ip -6 route del {{ wireguard_vpn_client_range }} table ffmyk dev wgmyk
+
+ip -6 rule del iif wgmyk
+ip -6 rule del from {{ wireguard_vpn_client_range }}
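Review bot: The down script is not symmetric with up.sh.j2: up adds three rules (`iif wgmyk table ffmyk priority 10`, `from <range> table ffmyk priority 10` and `from all iif wgmyk type unreachable priority 200`), but down deletes only one `iif wgmyk` rule and one `from <range>` rule, so one of the two `iif wgmyk` rules survives every up/down cycle and they accumulate with each restart of the interface. Delete with the same selectors that were used to add: `ip -6 rule del iif wgmyk table ffmyk priority 10`, `ip -6 rule del from {{ wireguard_vpn_client_range }} table ffmyk priority 10` and `ip -6 rule del from all iif wgmyk type unreachable priority 200`. Without `set -e` a failed `del` is silent, which is probably what a PreDown hook wants, but a one-line comment saying so would help the next reader.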
diff --git a/roles/install_wireguard_vpn/templates/up.sh.j2 b/roles/install_wireguard_vpn/templates/up.sh.j2
new file mode 100644
index 0000000..c57d16f
--- /dev/null
+++ b/roles/install_wireguard_vpn/templates/up.sh.j2
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+ip -6 rule add iif wgmyk table ffmyk priority 10
+ip -6 rule add from {{ wireguard_vpn_client_range }} table ffmyk priority 10
+
+ip -6 rule add from all iif wgmyk type unreachable priority 200
+
+ip -6 route add {{ wireguard_vpn_client_range }} table ffmyk dev wgmyk
+systemctl restart named.service
diff --git a/roles/install_wireguard_vpn/templates/wg.conf.j2 b/roles/install_wireguard_vpn/templates/wg.conf.j2
new file mode 100644
index 0000000..3e25549
--- /dev/null
+++ b/roles/install_wireguard_vpn/templates/wg.conf.j2
@@ -0,0 +1,7 @@
+[Interface]
+ListenPort = {{ wireguard_vpn_port }}
+PrivateKey = {{ wireguard_vpn_priv_key }}
+Address = {{ wireguard_vpn_address }}/128
+MTU = 1400
+PostUp = /etc/wireguard/upmyk.sh
+PreDown = /etc/wireguard/downmyk.sh
diff --git a/roles/setup_ffrl_tunnel/templates/bird.conf b/roles/setup_ffrl_tunnel/templates/bird.conf
index 2ba27c7..c609a5b 100644
--- a/roles/setup_ffrl_tunnel/templates/bird.conf
+++ b/roles/setup_ffrl_tunnel/templates/bird.conf
@@ -84,6 +84,7 @@ protocol static ffrl_uplink_hostroute4 {
protocol static ffrl_public_routes6 {
ipv6 { table ffrl6; };
route 2a03:2260:1016::/48 reject;
+ route {{ wireguard_vpn_client_range }} reject;
}
# Wir legen die Transfernetze in die interne BIRD Routing Table
diff --git a/setup_fastd.yml b/setup_fastd.yml
index e55f267..3bcb077 100644
--- a/setup_fastd.yml
+++ b/setup_fastd.yml
@@ -3,6 +3,7 @@
hosts: fastd
user: root
roles:
+ - configure_aurto_repo
- configure_journald
- configure_sysctl
- configure_iptables
@@ -18,10 +19,14 @@
- install_bind
- install_wireguard
- install_wireguard_mesh
+ - install_wireguard_vpn
- install_wireguard_backbone
- install_babeld
+ - install_tayga
- install_wg_add
- - install_fastd
+ - install_wg_add_vpn
+ - install_wg_prefix_provider
+ - install_respondd_poller
- install_mesh-announce
- install_monitoring
- install_iperf3