ansible.fftdf.supernode/roles/01-vpn-router-config/templates/edgerouter.conf.j2

## Webinterface Wizard ausführen
WAN auf eth0
Ein LAN mit Adresse: {{ ipv4_address }}

Dann auf der Konsole weiter

## Install Wireguard
cd /tmp
curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb

####
cd /config/auth
wg genkey | tee /config/auth/wg.key | wg pubkey >  wg.public
cat wg.public
cat wg.key
####

set firewall all-ping enable
set firewall broadcast-ping disable
set firewall group ipv6-network-group LAN-VPN-V6 description 'Networks on LAN destined to go out VPN by default'
set firewall group ipv6-network-group LAN-VPN-V6 ipv6-network '{{ ipv6_network }}'
set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
set firewall group network-group LAN-VPN network {{ ipv4_network }}

set firewall ipv6-modify LAN_to_VPN_V6 rule 1 action modify
set firewall ipv6-modify LAN_to_VPN_V6 rule 1 modify table 2
set firewall ipv6-modify LAN_to_VPN_V6 rule 1 source group ipv6-network-group LAN-VPN-V6
set firewall ipv6-modify LAN_to_VPN_V6 rule 1 description 'Route traffic from group LAN-VPN through LAN_to_VPN_V6 table'
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall modify LAN_to_VPN rule 100 action modify
set firewall modify LAN_to_VPN rule 100 description 'Route traffic from group LAN-VPN through LAN_to_VPN table'
set firewall modify LAN_to_VPN rule 100 modify table 2
set firewall modify LAN_to_VPN rule 100 source group network-group LAN-VPN
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 description WireGuard
set firewall name WAN_LOCAL rule 20 destination port 51821
set firewall name WAN_LOCAL rule 20 protocol udp
set firewall options mss-clamp interface-type all
set firewall options mss-clamp mss 1340
set firewall options mss-clamp6 interface-type all
set firewall options mss-clamp6 mss 1340
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable
set interfaces switch switch0 address {{ ipv4_address }}/24
set interfaces switch switch0 address '{{ ipv6_address }}'
set interfaces switch switch0 description Local
set interfaces switch switch0 firewall in ipv6-modify LAN_to_VPN_V6
set interfaces switch switch0 firewall in modify LAN_to_VPN
set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1
set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64
set interfaces switch switch0 ipv6 router-advert link-mtu 1328
set interfaces switch switch0 ipv6 router-advert managed-flag true
set interfaces switch switch0 ipv6 router-advert max-interval 600
set interfaces switch switch0 ipv6 router-advert name-server '2606:4700:4700::1111'
set interfaces switch switch0 ipv6 router-advert other-config-flag false
set interfaces switch switch0 ipv6 router-advert prefix '{{ ipv6_network }}' autonomous-flag true
set interfaces switch switch0 ipv6 router-advert prefix '{{ ipv6_network }}' on-link-flag true
set interfaces switch switch0 ipv6 router-advert prefix '{{ ipv6_network }}' valid-lifetime 2592000
set interfaces switch switch0 ipv6 router-advert reachable-time 0
set interfaces switch switch0 ipv6 router-advert retrans-timer 0
set interfaces switch switch0 ipv6 router-advert send-advert true
set interfaces switch switch0 mtu 1500
set interfaces switch switch0 switch-port interface eth1
set interfaces switch switch0 switch-port interface eth2
set interfaces switch switch0 switch-port interface eth3
set interfaces switch switch0 switch-port interface eth4
set interfaces switch switch0 switch-port vlan-aware disable
set interfaces wireguard wg0 address {{ wireguard_address }}
set interfaces wireguard wg0 address {{ wireguard_v6_address }}
set interfaces wireguard wg0 listen-port 51822
set interfaces wireguard wg0 mtu 1380
set interfaces wireguard wg0 peer {{ wireguard_public }} allowed-ips 0.0.0.0/0
set interfaces wireguard wg0 peer {{ wireguard_public }} allowed-ips '::0/0'
set interfaces wireguard wg0 peer {{ wireguard_public }} endpoint 'vpn01.fftdf.de:42001'
set interfaces wireguard wg0 private-key /config/auth/wg.key
set interfaces wireguard wg0 route-allowed-ips false
set protocols static interface-route6 ::/0 next-hop-interface wg0
set protocols static table 2 interface-route 0.0.0.0/0 next-hop-interface wg0
set protocols static table 2 interface-route6 '::/0' next-hop-interface wg0
delete service dhcp-server
set service dhcp-server disabled false
set service dhcp-server hostfile-update disable
set service dhcp-server shared-network-name LAN authoritative enable
set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }}/24 default-router {{ ipv4_address }}
set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }}/24 dns-server {{ ipv4_address }}
set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }}/24 lease 86400
set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }}/24 start {{ ipv4_dhcp_start }} stop {{ ipv4_dhcp_stop }}
set service dhcp-server static-arp disable
set service dhcp-server use-dnsmasq disable
set service dns forwarding cache-size 150
set service dns forwarding listen-on switch0
set service nat rule 5010 description 'masquerade for VPN'
set service nat rule 5010 outbound-interface wg0
set service nat rule 5010 protocol all
set service nat rule 5010 type masquerade
set service unms
set service unms connection '{{ unms_vault_URL }}'
set system host-name {{ inventory_hostname }}
set system time-zone UTC
Bugfixes and edge2 2023-03-26 15:53:00 +00:00			`## Webinterface Wizard ausführen`
			`WAN auf eth0`
			`Ein LAN mit Adresse: {{ ipv4_address }}`

			`Dann auf der Konsole weiter`

Added config for Edge Router 2023-03-12 20:40:59 +00:00			`## Install Wireguard`
			`cd /tmp`
			`curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb`
			`sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb`

			`####`
			`cd /config/auth`
			`wg genkey \| tee /config/auth/wg.key \| wg pubkey > wg.public`
			`cat wg.public`
			`cat wg.key`
			`####`

			`set firewall all-ping enable`
			`set firewall broadcast-ping disable`
Bugfixes and edge2 2023-03-26 15:53:00 +00:00			`set firewall group ipv6-network-group LAN-VPN-V6 description 'Networks on LAN destined to go out VPN by default'`
Added config for Edge Router 2023-03-12 20:40:59 +00:00			`set firewall group ipv6-network-group LAN-VPN-V6 ipv6-network '{{ ipv6_network }}'`
			`set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'`
			`set firewall group network-group LAN-VPN network {{ ipv4_network }}`

			`set firewall ipv6-modify LAN_to_VPN_V6 rule 1 action modify`
			`set firewall ipv6-modify LAN_to_VPN_V6 rule 1 modify table 2`
			`set firewall ipv6-modify LAN_to_VPN_V6 rule 1 source group ipv6-network-group LAN-VPN-V6`
Bugfixes and edge2 2023-03-26 15:53:00 +00:00			`set firewall ipv6-modify LAN_to_VPN_V6 rule 1 description 'Route traffic from group LAN-VPN through LAN_to_VPN_V6 table'`
Added config for Edge Router 2023-03-12 20:40:59 +00:00			`set firewall ipv6-receive-redirects disable`
			`set firewall ipv6-src-route disable`
			`set firewall ip-src-route disable`
			`set firewall log-martians enable`
			`set firewall modify LAN_to_VPN rule 100 action modify`
			`set firewall modify LAN_to_VPN rule 100 description 'Route traffic from group LAN-VPN through LAN_to_VPN table'`
			`set firewall modify LAN_to_VPN rule 100 modify table 2`
			`set firewall modify LAN_to_VPN rule 100 source group network-group LAN-VPN`
			`set firewall name WAN_LOCAL default-action drop`
			`set firewall name WAN_LOCAL rule 20 action accept`
			`set firewall name WAN_LOCAL rule 20 description WireGuard`
			`set firewall name WAN_LOCAL rule 20 destination port 51821`
			`set firewall name WAN_LOCAL rule 20 protocol udp`
			`set firewall options mss-clamp interface-type all`
Running Config with MTU Setup 2023-03-24 18:34:41 +00:00			`set firewall options mss-clamp mss 1340`
Added config for Edge Router 2023-03-12 20:40:59 +00:00			`set firewall options mss-clamp6 interface-type all`
Running Config with MTU Setup 2023-03-24 18:34:41 +00:00			`set firewall options mss-clamp6 mss 1340`
Added config for Edge Router 2023-03-12 20:40:59 +00:00			`set firewall receive-redirects disable`
			`set firewall send-redirects enable`
			`set firewall source-validation disable`
			`set firewall syn-cookies enable`
Bugfixes and edge2 2023-03-26 15:53:00 +00:00			`set interfaces switch switch0 address {{ ipv4_address }}/24`
Add ERX Routers 2023-04-13 15:07:18 +00:00			`set interfaces switch switch0 address '{{ ipv6_address }}'`
Added config for Edge Router 2023-03-12 20:40:59 +00:00			`set interfaces switch switch0 description Local`
			`set interfaces switch switch0 firewall in ipv6-modify LAN_to_VPN_V6`
			`set interfaces switch switch0 firewall in modify LAN_to_VPN`
			`set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1`
			`set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64`
Changed MTU 2023-03-12 20:58:53 +00:00			`set interfaces switch switch0 ipv6 router-advert link-mtu 1328`
Added config for Edge Router 2023-03-12 20:40:59 +00:00			`set interfaces switch switch0 ipv6 router-advert managed-flag true`
			`set interfaces switch switch0 ipv6 router-advert max-interval 600`
			`set interfaces switch switch0 ipv6 router-advert name-server '2606:4700:4700::1111'`
			`set interfaces switch switch0 ipv6 router-advert other-config-flag false`
			`set interfaces switch switch0 ipv6 router-advert prefix '{{ ipv6_network }}' autonomous-flag true`
			`set interfaces switch switch0 ipv6 router-advert prefix '{{ ipv6_network }}' on-link-flag true`
			`set interfaces switch switch0 ipv6 router-advert prefix '{{ ipv6_network }}' valid-lifetime 2592000`
			`set interfaces switch switch0 ipv6 router-advert reachable-time 0`
			`set interfaces switch switch0 ipv6 router-advert retrans-timer 0`
			`set interfaces switch switch0 ipv6 router-advert send-advert true`
			`set interfaces switch switch0 mtu 1500`
			`set interfaces switch switch0 switch-port interface eth1`
			`set interfaces switch switch0 switch-port interface eth2`
			`set interfaces switch switch0 switch-port interface eth3`
			`set interfaces switch switch0 switch-port interface eth4`
			`set interfaces switch switch0 switch-port vlan-aware disable`
			`set interfaces wireguard wg0 address {{ wireguard_address }}`
Add ERX Routers 2023-04-13 15:07:18 +00:00			`set interfaces wireguard wg0 address {{ wireguard_v6_address }}`
Added config for Edge Router 2023-03-12 20:40:59 +00:00			`set interfaces wireguard wg0 listen-port 51822`
Running Config with MTU Setup 2023-03-24 18:34:41 +00:00			`set interfaces wireguard wg0 mtu 1380`
Added config for Edge Router 2023-03-12 20:40:59 +00:00			`set interfaces wireguard wg0 peer {{ wireguard_public }} allowed-ips 0.0.0.0/0`
			`set interfaces wireguard wg0 peer {{ wireguard_public }} allowed-ips '::0/0'`
			`set interfaces wireguard wg0 peer {{ wireguard_public }} endpoint 'vpn01.fftdf.de:42001'`
			`set interfaces wireguard wg0 private-key /config/auth/wg.key`
			`set interfaces wireguard wg0 route-allowed-ips false`
Add ERX Routers 2023-04-13 15:07:18 +00:00			`set protocols static interface-route6 ::/0 next-hop-interface wg0`
Bugfixes and edge2 2023-03-26 15:53:00 +00:00			`set protocols static table 2 interface-route 0.0.0.0/0 next-hop-interface wg0`
Running Config with MTU Setup 2023-03-24 18:34:41 +00:00			`set protocols static table 2 interface-route6 '::/0' next-hop-interface wg0`
Bugfixes and edge2 2023-03-26 15:53:00 +00:00			`delete service dhcp-server`
Added config for Edge Router 2023-03-12 20:40:59 +00:00			`set service dhcp-server disabled false`
			`set service dhcp-server hostfile-update disable`
			`set service dhcp-server shared-network-name LAN authoritative enable`
Bugfixes and edge2 2023-03-26 15:53:00 +00:00			`set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }}/24 default-router {{ ipv4_address }}`
			`set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }}/24 dns-server {{ ipv4_address }}`
			`set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }}/24 lease 86400`
			`set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }}/24 start {{ ipv4_dhcp_start }} stop {{ ipv4_dhcp_stop }}`
Added config for Edge Router 2023-03-12 20:40:59 +00:00			`set service dhcp-server static-arp disable`
			`set service dhcp-server use-dnsmasq disable`
			`set service dns forwarding cache-size 150`
			`set service dns forwarding listen-on switch0`
			`set service nat rule 5010 description 'masquerade for VPN'`
			`set service nat rule 5010 outbound-interface wg0`
			`set service nat rule 5010 protocol all`
			`set service nat rule 5010 type masquerade`
			`set service unms`
Running Config with MTU Setup 2023-03-24 18:34:41 +00:00			`set service unms connection '{{ unms_vault_URL }}'`
Added config for Edge Router 2023-03-12 20:40:59 +00:00			`set system host-name {{ inventory_hostname }}`
			`set system time-zone UTC`