Diffstat (limited to 'roles')
-rw-r--r--roles/configure_iptables/templates/ip6tables.rules22
-rw-r--r--roles/configure_iptables/templates/iptables.rules14
-rw-r--r--roles/install_babeld/templates/babeld.conf.j23
-rwxr-xr-xroles/install_openvpn/files/mullvad-up.sh2
-rw-r--r--roles/install_wireguard_backbone/tasks/main.yml8
-rw-r--r--roles/install_wireguard_backbone/tasks/mullvad_uplink_tasks.yml29
6 files changed, 66 insertions, 12 deletions
diff --git a/roles/configure_iptables/templates/ip6tables.rules b/roles/configure_iptables/templates/ip6tables.rules
index 0f31387..913ac7c 100644
--- a/roles/configure_iptables/templates/ip6tables.rules
+++ b/roles/configure_iptables/templates/ip6tables.rules
@@ -10,13 +10,18 @@
{% endfor %}
{% endif %}
-{% if 'ffrl_uplink' in group_names %}
+{% if 'fastd' in group_names %}
+{% for peer in groups['ffrl_uplink'] %}
+-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
+{% endfor %}
+{% endif %}
+{% if 'mullvad_uplink' in group_names %}
{% for peer in groups['fastd'] %}
-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
{% endfor %}
{% endif %}
-{% if 'fastd' in group_names %}
-{% for peer in groups['ffrl_uplink'] %}
+{% if 'ffrl_uplink' in group_names %}
+{% for peer in groups['fastd'] %}
-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
{% endfor %}
{% endif %}
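Review bot: The new `'fastd'` branch only iterates `groups['ffrl_uplink']`, so a fastd host gets no MARK rule here (and no `--dport 6696` ACCEPT in the `# wireguard_backbone` hunk below) for backbone interfaces toward `mullvad_uplink` hosts, even though `mullvad_uplink_tasks.yml` in this same commit builds a wgbb tunnel to every member of `groups['fastd']`. If the fastd side of those tunnels is created elsewhere (fastd_tasks.yml is not in the diff), babel traffic on them would presumably still be filtered on the fastd host, depending on the INPUT default policy. The same asymmetry is in the `iptables.rules` PREROUTING hunk. Looping `{% for peer in groups['ffrl_uplink'] + groups['mullvad_uplink'] %}` in the fastd branch, mirrored in both INPUT hunks, would close it; note also that the `mullvad_uplink` and `ffrl_uplink` branches emit identical rules, so a host in both groups gets each rule twice.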
@@ -47,13 +52,18 @@ COMMIT
{% endfor %}
{% endif %}
# wireguard_backbone
-{% if 'ffrl_uplink' in group_names %}
+{% if 'fastd' in group_names %}
+{% for peer in groups['ffrl_uplink'] %}
+-A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
+{% endfor %}
+{% endif %}
+{% if 'mullvad_uplink' in group_names %}
{% for peer in groups['fastd'] %}
-A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
{% endfor %}
{% endif %}
-{% if 'fastd' in group_names %}
-{% for peer in groups['ffrl_uplink'] %}
+{% if 'ffrl_uplink' in group_names %}
+{% for peer in groups['fastd'] %}
-A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
{% endfor %}
{% endif %}
diff --git a/roles/configure_iptables/templates/iptables.rules b/roles/configure_iptables/templates/iptables.rules
index d395a42..5b5410d 100644
--- a/roles/configure_iptables/templates/iptables.rules
+++ b/roles/configure_iptables/templates/iptables.rules
@@ -10,13 +10,18 @@
{% endfor %}
{% endif %}
-{% if 'ffrl_uplink' in group_names %}
+{% if 'fastd' in group_names %}
+{% for peer in groups['ffrl_uplink'] %}
+-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
+{% endfor %}
+{% endif %}
+{% if 'mullvad_uplink' in group_names %}
{% for peer in groups['fastd'] %}
-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
{% endfor %}
{% endif %}
-{% if 'fastd' in group_names %}
-{% for peer in groups['ffrl_uplink'] %}
+{% if 'ffrl_uplink' in group_names %}
+{% for peer in groups['fastd'] %}
-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
{% endfor %}
{% endif %}
@@ -78,4 +83,7 @@ COMMIT
-A POSTROUTING ! -s {{ ffrl_ip4 }} -o {{ peer.name }} -j SNAT --to-source {{ ffrl_ip4 }}
{% endfor %}
{% endif %}
+{% if 'mullvad_uplink' in group_names %}
+-A POSTROUTING -o mullvad -j MASQUERADE
+{% endif %}
COMMIT
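Review bot: The egress interface name `mullvad` is hard-coded in the new MASQUERADE rule and again in `babeld.conf.j2` (`redistribute if mullvad metric 128`), whereas the ffrl rules above take the interface from `{{ peer.name }}`; a single variable such as `{{ mullvad_ifname }}` used in both templates, and presumably in the OpenVPN config that names the device (not in the diff), would keep them in step. Unlike the ffrl `SNAT` rule this MASQUERADE has no `-s` restriction, so everything routed out via the tunnel is rewritten; if that is the intent a one-line comment above the rule, e.g. `# traffic policy-routed via table ffmyk leaves through the mullvad tunnel`, would make it clear to the next reader.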
diff --git a/roles/install_babeld/templates/babeld.conf.j2 b/roles/install_babeld/templates/babeld.conf.j2
index a675fd6..4a471dc 100644
--- a/roles/install_babeld/templates/babeld.conf.j2
+++ b/roles/install_babeld/templates/babeld.conf.j2
@@ -50,6 +50,9 @@ import-table 42
#in ip 2001:db8:cafe:cafe::/64 allow
#in deny
+{% if 'mullvad_uplink' in group_names %}
+redistribute if mullvad metric 128
+{% endif %}
{% if 'ffrl_uplink' in group_names %}
{% for peer in ffrl_peers %}
redistribute if {{ peer.name }} metric 128
diff --git a/roles/install_openvpn/files/mullvad-up.sh b/roles/install_openvpn/files/mullvad-up.sh
index 9a339f0..4d5795f 100755
--- a/roles/install_openvpn/files/mullvad-up.sh
+++ b/roles/install_openvpn/files/mullvad-up.sh
@@ -3,6 +3,6 @@
sleep 3
echo Reroute via $route_vpn_gateway
ip route replace 0.0.0.0/0 via $route_vpn_gateway proto static table ffmyk
-ip -6 route replace default dev $dev proto static table ffmyk
+#ip -6 route replace default dev $dev proto static table ffmyk
exit 0
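Review bot: The IPv6 default route is disabled by commenting the line out with no explanation, which reads like a leftover rather than a decision; either delete it or replace it with a note such as `# IPv6 is intentionally not routed through the tunnel: <reason>`. The script's header and `set` options are outside the hunk, so it is not visible whether unquoted `$route_vpn_gateway` and `$dev` expansions are guarded; quoting them (`"$route_vpn_gateway"`) is the safer habit in an OpenVPN up script regardless.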
diff --git a/roles/install_wireguard_backbone/tasks/main.yml b/roles/install_wireguard_backbone/tasks/main.yml
index eafd889..8f9ca5a 100644
--- a/roles/install_wireguard_backbone/tasks/main.yml
+++ b/roles/install_wireguard_backbone/tasks/main.yml
@@ -4,8 +4,12 @@
src: wgbackbone@.service
dest: /etc/systemd/system/wgbackbone@.service
+- include_tasks: fastd_tasks.yml
+ when: "'fastd' in group_names"
+
+- include_tasks: mullvad_uplink_tasks.yml
+ when: "'mullvad_uplink' in group_names"
+
- include_tasks: ffrl_uplink_tasks.yml
when: "'ffrl_uplink' in group_names"
-- include_tasks: fastd_tasks.yml
- when: "'fastd' in group_names"
diff --git a/roles/install_wireguard_backbone/tasks/mullvad_uplink_tasks.yml b/roles/install_wireguard_backbone/tasks/mullvad_uplink_tasks.yml
new file mode 100644
index 0000000..d894758
--- /dev/null
+++ b/roles/install_wireguard_backbone/tasks/mullvad_uplink_tasks.yml
@@ -0,0 +1,29 @@
+---
+- name: create wireguard config for peers
+ template:
+ src: wg.conf.j2
+ dest: /etc/wireguard/wgbb{{ hostvars[item]['wireguard_bb_name'] }}.conf
+ mode: 0400
+ with_items: "{{ groups['fastd'] }}"
+
+- name: create wireguard up scripts for peers
+ template:
+ src: up.sh.j2
+ dest: /etc/wireguard/upbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
+ mode: 0744
+ with_items: "{{ groups['fastd'] }}"
+
+- name: create wireguard down scripts for peers
+ template:
+ src: down.sh.j2
+ dest: /etc/wireguard/downbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
+ mode: 0744
+ with_items: "{{ groups['fastd'] }}"
+
+- name: start and enable wireguard mesh
+ systemd:
+ name: wgbackbone@{{ hostvars[item]['wireguard_bb_name'] }}.service
+ enabled: yes
+ state: started
+ daemon_reload: yes
+ with_items: "{{ groups['fastd'] }}"
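Review bot: `mode: 0400` and `mode: 0744` are unquoted octal literals that a YAML 1.1 parser reads as the integers 256 and 484; Ansible re-converts leading-zero ints, but ansible-lint's risky-octal rule flags them and a later edit dropping the zero would silently set the wrong permissions, so write `mode: "0400"` and `mode: "0744"`. Likewise `enabled: yes` and `daemon_reload: yes` should be `true` (yamllint truthy; `yes` is a YAML 1.1-only boolean). The loops iterate `groups['fastd']` unconditionally, so a host placed in both `fastd` and `mullvad_uplink` would template a wireguard peer config for itself, presumably unintended; `with_items: "{{ groups['fastd'] | difference([inventory_hostname]) }}"` guards against it. This file looks like a copy of the ffrl_uplink task file with the peer group swapped (that file is not in the diff); if so, one task file taking the peer group as a variable would avoid keeping two copies in sync.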