diff --git a/edge1.md b/edge1.md
deleted file mode 100644
index c2f493c..0000000
--- a/edge1.md
+++ /dev/null
@@ -1,121 +0,0 @@
-## Install Wireguard
-cd /tmp
-curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
-sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
-
-####
-cd /config/auth
-wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public
-cat wg.public
-cat wg.key
-####
-
-set firewall all-ping enable
-set firewall broadcast-ping disable
-set firewall group network-group LAN-VPN-V6 description 'Networks on LAN destined to go out VPN by default'
-set firewall group ipv6-network-group LAN-VPN-V6 ipv6-network '2a03:2260:121:603::/64'
-set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
-set firewall group network-group LAN-VPN network 10.1.0.0/16
-
-set firewall ipv6-modify LAN_to_VPN_V6 rule 1 action modify
-set firewall ipv6-modify LAN_to_VPN_V6 rule 1 modify table 2
-set firewall ipv6-modify LAN_to_VPN_V6 rule 1 source group ipv6-network-group LAN-VPN-V6
-set firewall ipv6-modify LAN_to_VPN_V6 rule 100 description 'Route traffic from group LAN-VPN through LAN_to_VPN_V6 table'
-set firewall ipv6-receive-redirects disable
-set firewall ipv6-src-route disable
-set firewall ip-src-route disable
-set firewall log-martians enable
-set firewall modify LAN_to_VPN rule 100 action modify
-set firewall modify LAN_to_VPN rule 100 description 'Route traffic from group LAN-VPN through LAN_to_VPN table'
-set firewall modify LAN_to_VPN rule 100 modify table 2
-set firewall modify LAN_to_VPN rule 100 source group network-group LAN-VPN
-set firewall name WAN_LOCAL default-action drop
-set firewall name WAN_LOCAL rule 20 action accept
-set firewall name WAN_LOCAL rule 20 description WireGuard
-set firewall name WAN_LOCAL rule 20 destination port 51821
-set firewall name WAN_LOCAL rule 20 protocol udp
-set firewall options mss-clamp interface-type all
-set firewall options mss-clamp mss 1350
-set firewall options mss-clamp6 interface-type all
-set firewall options mss-clamp6 mss 1350
-set firewall receive-redirects disable
-set firewall send-redirects enable
-set firewall source-validation disable
-set firewall syn-cookies enable
-set interfaces ethernet eth0 address dhcp
-set interfaces ethernet eth0 description 'Internet via DHCP'
-set interfaces ethernet eth0 duplex auto
-set interfaces ethernet eth0 speed auto
-set interfaces ethernet eth1 description Local
-set interfaces ethernet eth1 duplex auto
-set interfaces ethernet eth1 speed auto
-set interfaces ethernet eth2 description Local
-set interfaces ethernet eth2 duplex auto
-set interfaces ethernet eth2 speed auto
-set interfaces ethernet eth3 description Local
-set interfaces ethernet eth3 duplex auto
-set interfaces ethernet eth3 speed auto
-set interfaces ethernet eth4 description Local
-set interfaces ethernet eth4 duplex auto
-set interfaces ethernet eth4 poe output off
-set interfaces ethernet eth4 speed auto
-set interfaces loopback lo
-set interfaces switch switch0 address 10.1.0.1/24
-set interfaces switch switch0 address '2a03:2260:121:603::1/64'
-set interfaces switch switch0 description Local
-set interfaces switch switch0 firewall in ipv6-modify LAN_to_VPN_V6
-set interfaces switch switch0 firewall in modify LAN_to_VPN
-set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1
-set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64
-set interfaces switch switch0 ipv6 router-advert link-mtu 0
-set interfaces switch switch0 ipv6 router-advert managed-flag true
-set interfaces switch switch0 ipv6 router-advert max-interval 600
-set interfaces switch switch0 ipv6 router-advert name-server '2606:4700:4700::1111'
-set interfaces switch switch0 ipv6 router-advert other-config-flag false
-set interfaces switch switch0 ipv6 router-advert prefix '2a03:2260:121:603::/64' autonomous-flag true
-set interfaces switch switch0 ipv6 router-advert prefix '2a03:2260:121:603::/64' on-link-flag true
-set interfaces switch switch0 ipv6 router-advert prefix '2a03:2260:121:603::/64' valid-lifetime 2592000
-set interfaces switch switch0 ipv6 router-advert reachable-time 0
-set interfaces switch switch0 ipv6 router-advert retrans-timer 0
-set interfaces switch switch0 ipv6 router-advert send-advert true
-set interfaces switch switch0 mtu 1500
-set interfaces switch switch0 switch-port interface eth1
-set interfaces switch switch0 switch-port interface eth2
-set interfaces switch switch0 switch-port interface eth3
-set interfaces switch switch0 switch-port interface eth4
-set interfaces switch switch0 switch-port vlan-aware disable
-set interfaces wireguard wg0 address 10.255.1.2/24
-set interfaces wireguard wg0 listen-port 51822
-set interfaces wireguard wg0 mtu 1384
-set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0
-set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips '::0/0'
-set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 'vpn01.fftdf.de:42001'
-set interfaces wireguard wg0 private-key /config/auth/wg.key
-set interfaces wireguard wg0 route-allowed-ips false
-set protocols static interface-route6 '::/0' next-hop-interface wg0
-set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
-set protocols static table 2 route6 '::0/0' next-hop '2a03:2260:121:602::2'
-set protocols static table 2 route6 '::/0' next-hop '2a03:2260:121:602::2'
-set service dhcp-server disabled false
-set service dhcp-server hostfile-update disable
-set service dhcp-server shared-network-name LAN authoritative enable
-set service dhcp-server shared-network-name LAN subnet 10.1.0.1/24 default-router 10.1.0.1/24
-set service dhcp-server shared-network-name LAN subnet 10.1.0.1/24 dns-server 10.1.0.1/24
-set service dhcp-server shared-network-name LAN subnet 10.1.0.1/24 lease 86400
-set service dhcp-server shared-network-name LAN subnet 10.1.0.1/24 start 10.1.0.38 stop 10.1.0.243
-set service dhcp-server static-arp disable
-set service dhcp-server use-dnsmasq disable
-set service dns forwarding cache-size 150
-set service dns forwarding listen-on switch0
-set service gui http-port 80
-set service gui https-port 443
-set service gui older-ciphers enable
-set service nat rule 5010 description 'masquerade for VPN'
-set service nat rule 5010 outbound-interface wg0
-set service nat rule 5010 protocol all
-set service nat rule 5010 type masquerade
-set service ssh port 22
-set service ssh protocol-version v2
-set service unms
-set system host-name edge1
-set system time-zone UTC
\ No newline at end of file
diff --git a/host_vars/vpn02.yml b/host_vars/vpn02.yml
deleted file mode 100644
index e9eafd7..0000000
--- a/host_vars/vpn02.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-###
-### Ansible
-###
-ansible_host: 5.9.220.115
-ansible_port: 22
-ansible_ssh_user: root
-ansible_python_interpreter: /usr/bin/python3
-
-###
-### Vars Freifunk
-###
-internal_network: "10.255.0.0/16"
-freifunk_internal_ip: 172.16.7.11/24
-core_router: 172.16.7.1
-ipv6_network: 2a03:2260:121:640::/58
\ No newline at end of file
diff --git a/hosts.yml b/hosts.yml
index 3d76955..2cc4b3f 100644
--- a/hosts.yml
+++ b/hosts.yml
@@ -15,9 +15,6 @@ all:
 vpn-offloader-wireguard:
 hosts:
 vpn01:
- vpn-offloader-openvpn:
- hosts:
- vpn02:
 edge_router:
 hosts:
 edge1:
diff --git a/readme.md b/readme.md
index d8e3e89..4143a12 100644
--- a/readme.md
+++ b/readme.md
@@ -6,66 +6,13 @@ Supernode Config:
 - VPN per Wireguard
 - NAT auf VPN Routern
-## Adressbereiche:
+## Naming:
-Supernode: 10.255.1.1/32
+CORE[1-x]
+Core Router auf Vyos mit Verbidung zum FFRL Backbone über GRE Tunnel. Die Core Router stellen das Freifunk Netz über ein LAN auf unseren Proxmox Servern bereit.
-VPN01: 10.255.1.2/32, Client: 10.1.0.0/16
-VPN02: 10.255.1.3/32, Client: 10.2.0.0/16
-VPN03: 10.255.1.4/32, Client: 10.3.0.0/16
-etc.
+VPN[1-x]
+VPN Server aka Supernodes. Die VPN Server nehmen VPN Verbindungen von Routern und/oder Clients entgegen und managen diese. Hier sind diekte anbindungen möglich, ebenso aber Supernodes mit dem klassischen Freifunk (Batman) Konzept.
-
-## ER-X Stock Firmware Config:
-> Vor der Installation:
-> - eth0 als DHCP Client
-> - eth1-4 auf den Switch
-> - Switch mit DHCP Server einrichten. Adressbereich aus Tabelle beachten!
-
-## Install Wireguard
-cd /tmp
-curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
-sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
-
-## Generate Keys
- cd /config/auth
- wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public
- cat wg.public
- cat wg.key
-
-## Config ER-X
- configure
-## Wireguard
- set interfaces wireguard wg0 address 10.255.1.2/24
- set interfaces wireguard wg0 address fd80:3ea2:e399:203a::2/64
- set interfaces wireguard wg0 listen-port 51821
- set interfaces wireguard wg0 route-allowed-ips false
- set interfaces wireguard wg0 persistent-keepalive 25
- set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 7.fftdf.de:42001
- set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0
- set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips ::0/0
- set interfaces wireguard wg0 private-key /config/auth/wg.key
-## Firewall for Wireguard
- set firewall name WAN_LOCAL rule 20 action accept
- set firewall name WAN_LOCAL rule 20 protocol udp
- set firewall name WAN_LOCAL rule 20 description 'WireGuard'
- set firewall name WAN_LOCAL rule 20 destination port 51821
- set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
- set firewall group network-group LAN-VPN network 10.1.0.0/16
- set firewall group network-group RFC1918 network 10.0.0.0/8
- set firewall group network-group RFC1918 network 172.16.0.0/12
- set firewall group network-group RFC1918 network 192.168.0.0/16
- set firewall group network-group RFC1918 network 169.254.0.0/16
- set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
- set firewall modify VPN_TDF7 rule 100 action modify
- set firewall modify VPN_TDF7 rule 100 description 'Route traffic from group LAN-VPN through VPN-TDF7 table'
- set firewall modify VPN_TDF7 rule 100 modify table 2
- set firewall modify VPN_TDF7 rule 100 source group network-group LAN-VPN
- set interfaces switch switch0 firewall in modify VPN_TDF7
-## NAT einrichten
- set service nat rule 5010 description 'masquerade for VPN'
- set service nat rule 5010 outbound-interface wg0
- set service nat rule 5010 type masquerade
- set service nat rule 5010 protocol all
-## Speichern
- commit ; save
+ROUTER[1-x], EDGE[1-x], CLIENT[1-x]
+Angebundene Router oder Clients an einen VPN Server, falls dieser aus diesem Ansible eine Config erhält.
diff --git a/vpn01.md b/vpn01.md
deleted file mode 100644
index b690f73..0000000
--- a/vpn01.md
+++ /dev/null
@@ -1,72 +0,0 @@
-vpn02
-# Supernode mit direkter VPN Ausleitung
-
-Ausleitung über das FFRL Backbone.
-Supernode Config:
-- GRE-Tunnel zum FFRL Backbone
-- VPN per Wireguard
-- NAT auf VPN Routern
-
-## Adressbereiche:
-
-Supernode: 10.255.1.1/32
-
-VPN01: 10.255.1.2/32, Client: 10.1.0.0/16
-VPN02: 10.255.1.3/32, Client: 10.2.0.0/16
-VPN03: 10.255.1.4/32, Client: 10.3.0.0/16
-etc.
-
-
-## ER-X Stock Firmware Config:
-> Vor der Installation:
-> - eth0 als DHCP Client
-> - eth1-4 auf den Switch
-> - Switch mit DHCP Server einrichten. Adressbereich aus Tabelle beachten!
-
-## Install Wireguard
-cd /tmp
-curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
-sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
-
-## Generate Keys
- cd /config/auth
- wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public
- cat wg.public
- cat wg.key
-
-## Config ER-X
- configure
-## Wireguard
- set interfaces wireguard wg0 address 10.255.1.2/24
- set interfaces wireguard wg0 address fd80:3ea2:e399:203a::2/64
- set interfaces wireguard wg0 listen-port 51822
- set interfaces wireguard wg0 route-allowed-ips false
- set interfaces wireguard wg0 persistent-keepalive 25
- set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 7.fftdf.de:42001
- set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0
- set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips ::0/0
- set interfaces wireguard wg0 private-key /config/auth/wg.key
-## Firewall for Wireguard
- set firewall name WAN_LOCAL rule 20 action accept
- set firewall name WAN_LOCAL rule 20 protocol udp
- set firewall name WAN_LOCAL rule 20 description 'WireGuard'
- set firewall name WAN_LOCAL rule 20 destination port 51821
- set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
- set firewall group network-group LAN-VPN network 10.1.0.0/16
- set firewall group network-group RFC1918 network 10.0.0.0/8
- set firewall group network-group RFC1918 network 172.16.0.0/12
- set firewall group network-group RFC1918 network 192.168.0.0/16
- set firewall group network-group RFC1918 network 169.254.0.0/16
- set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
- set firewall modify VPN_TDF7 rule 100 action modify
- set firewall modify VPN_TDF7 rule 100 description 'Route traffic from group LAN-VPN through VPN-TDF7 table'
- set firewall modify VPN_TDF7 rule 100 modify table 2
- set firewall modify VPN_TDF7 rule 100 source group network-group LAN-VPN
- set interfaces switch switch0 firewall in modify VPN_TDF7
-## NAT einrichten
- set service nat rule 5010 description 'masquerade for VPN'
- set service nat rule 5010 outbound-interface wg0
- set service nat rule 5010 type masquerade
- set service nat rule 5010 protocol all
-## Speichern
- commit ; save
\ No newline at end of file
diff --git a/vpn02.md b/vpn02.md
deleted file mode 100644
index 5946c94..0000000
--- a/vpn02.md
+++ /dev/null
@@ -1,72 +0,0 @@
-vpn02
-# Supernode mit direkter VPN Ausleitung
-
-Ausleitung über das FFRL Backbone.
-Supernode Config:
-- GRE-Tunnel zum FFRL Backbone
-- VPN per Wireguard
-- NAT auf VPN Routern
-
-## Adressbereiche:
-
-Supernode: 10.255.1.1/32
-
-VPN01: 10.255.1.2/32, Client: 10.1.0.0/16
-VPN02: 10.255.1.3/32, Client: 10.2.0.0/16
-VPN03: 10.255.1.4/32, Client: 10.3.0.0/16
-etc.
-
-
-## ER-X Stock Firmware Config:
-> Vor der Installation:
-> - eth0 als DHCP Client
-> - eth1-4 auf den Switch
-> - Switch mit DHCP Server einrichten. Adressbereich aus Tabelle beachten!
-
-## Install Wireguard
-cd /tmp
-curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
-sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
-
-## Generate Keys
- cd /config/auth
- wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public
- cat wg.public
- cat wg.key
-
-## Config ER-X
- configure
-## Wireguard
- set interfaces wireguard wg0 address 10.255.1.3/24
- set interfaces wireguard wg0 address fd80:3ea2:e399:203a::3/64
- set interfaces wireguard wg0 listen-port 51821
- set interfaces wireguard wg0 route-allowed-ips false
- set interfaces wireguard wg0 persistent-keepalive 25
- set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 7.fftdf.de:42001
- set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0
- set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips ::0/0
- set interfaces wireguard wg0 private-key /config/auth/wg.key
-## Firewall for Wireguard
- set firewall name WAN_LOCAL rule 20 action accept
- set firewall name WAN_LOCAL rule 20 protocol udp
- set firewall name WAN_LOCAL rule 20 description 'WireGuard'
- set firewall name WAN_LOCAL rule 20 destination port 51821
- set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
- set firewall group network-group LAN-VPN network 10.2.0.0/16
- set firewall group network-group RFC1918 network 10.0.0.0/8
- set firewall group network-group RFC1918 network 172.16.0.0/12
- set firewall group network-group RFC1918 network 192.168.0.0/16
- set firewall group network-group RFC1918 network 169.254.0.0/16
- set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
- set firewall modify VPN_TDF7 rule 100 action modify
- set firewall modify VPN_TDF7 rule 100 description 'Route traffic from group LAN-VPN through VPN-TDF7 table'
- set firewall modify VPN_TDF7 rule 100 modify table 2
- set firewall modify VPN_TDF7 rule 100 source group network-group LAN-VPN
- set interfaces switch switch0 firewall in modify VPN_TDF7
-## NAT einrichten
- set service nat rule 5010 description 'masquerade for VPN'
- set service nat rule 5010 outbound-interface wg0
- set service nat rule 5010 type masquerade
- set service nat rule 5010 protocol all
-## Speichern
- commit ; save
diff --git a/vpn03.md b/vpn03.md
deleted file mode 100644
index 1f956de..0000000
--- a/vpn03.md
+++ /dev/null
@@ -1,72 +0,0 @@
-vpn03
-# Supernode mit direkter VPN Ausleitung
-
-Ausleitung über das FFRL Backbone.
-Supernode Config:
-- GRE-Tunnel zum FFRL Backbone
-- VPN per Wireguard
-- NAT auf VPN Routern
-
-## Adressbereiche:
-
-Supernode: 10.255.1.1/32
-
-VPN01: 10.255.1.2/32, Client: 10.1.0.0/16
-VPN02: 10.255.1.3/32, Client: 10.2.0.0/16
-VPN03: 10.255.1.4/32, Client: 10.3.0.0/16
-etc.
-
-
-## ER-X Stock Firmware Config:
-> Vor der Installation:
-> - eth0 als DHCP Client
-> - eth1-4 auf den Switch
-> - Switch mit DHCP Server einrichten. Adressbereich aus Tabelle beachten!
-
-## Install Wireguard
-cd /tmp
-curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
-sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
-
-## Generate Keys
- cd /config/auth
- wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public
- cat wg.public
- cat wg.key
-
-## Config ER-X
- configure
-## Wireguard
- set interfaces wireguard wg0 address 10.255.1.4/24
- set interfaces wireguard wg0 address fd80:3ea2:e399:203a::4/64
- set interfaces wireguard wg0 listen-port 51821
- set interfaces wireguard wg0 route-allowed-ips false
- set interfaces wireguard wg0 persistent-keepalive 25
- set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 7.fftdf.de:42001
- set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0
- set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips ::0/0
- set interfaces wireguard wg0 private-key /config/auth/wg.key
-## Firewall for Wireguard
- set firewall name WAN_LOCAL rule 20 action accept
- set firewall name WAN_LOCAL rule 20 protocol udp
- set firewall name WAN_LOCAL rule 20 description 'WireGuard'
- set firewall name WAN_LOCAL rule 20 destination port 51821
- set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
- set firewall group network-group LAN-VPN network 10.3.0.0/16
- set firewall group network-group RFC1918 network 10.0.0.0/8
- set firewall group network-group RFC1918 network 172.16.0.0/12
- set firewall group network-group RFC1918 network 192.168.0.0/16
- set firewall group network-group RFC1918 network 169.254.0.0/16
- set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
- set firewall modify VPN_TDF7 rule 100 action modify
- set firewall modify VPN_TDF7 rule 100 description 'Route traffic from group LAN-VPN through VPN-TDF7 table'
- set firewall modify VPN_TDF7 rule 100 modify table 2
- set firewall modify VPN_TDF7 rule 100 source group network-group LAN-VPN
- set interfaces switch switch0 firewall in modify VPN_TDF7
-## NAT einrichten
- set service nat rule 5010 description 'masquerade for VPN'
- set service nat rule 5010 outbound-interface wg0
- set service nat rule 5010 type masquerade
- set service nat rule 5010 protocol all
-## Speichern
- commit ; save