Tidy up

edge1.md

@@ -1,121 +0,0 @@
-## Install Wireguard
-cd /tmp
-curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
-sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
-
-####
-cd /config/auth
-wg genkey | tee /config/auth/wg.key | wg pubkey >  wg.public
-cat wg.public
-cat wg.key
-####
-
-set firewall all-ping enable
-set firewall broadcast-ping disable
-set firewall group network-group LAN-VPN-V6 description 'Networks on LAN destined to go out VPN by default'
-set firewall group ipv6-network-group LAN-VPN-V6 ipv6-network '2a03:2260:121:603::/64'
-set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
-set firewall group network-group LAN-VPN network 10.1.0.0/16
-
-set firewall ipv6-modify LAN_to_VPN_V6 rule 1 action modify
-set firewall ipv6-modify LAN_to_VPN_V6 rule 1 modify table 2
-set firewall ipv6-modify LAN_to_VPN_V6 rule 1 source group ipv6-network-group LAN-VPN-V6
-set firewall ipv6-modify LAN_to_VPN_V6 rule 100 description 'Route traffic from group LAN-VPN through LAN_to_VPN_V6 table'
-set firewall ipv6-receive-redirects disable
-set firewall ipv6-src-route disable
-set firewall ip-src-route disable
-set firewall log-martians enable
-set firewall modify LAN_to_VPN rule 100 action modify
-set firewall modify LAN_to_VPN rule 100 description 'Route traffic from group LAN-VPN through LAN_to_VPN table'
-set firewall modify LAN_to_VPN rule 100 modify table 2
-set firewall modify LAN_to_VPN rule 100 source group network-group LAN-VPN
-set firewall name WAN_LOCAL default-action drop
-set firewall name WAN_LOCAL rule 20 action accept
-set firewall name WAN_LOCAL rule 20 description WireGuard
-set firewall name WAN_LOCAL rule 20 destination port 51821
-set firewall name WAN_LOCAL rule 20 protocol udp
-set firewall options mss-clamp interface-type all
-set firewall options mss-clamp mss 1350
-set firewall options mss-clamp6 interface-type all
-set firewall options mss-clamp6 mss 1350
-set firewall receive-redirects disable
-set firewall send-redirects enable
-set firewall source-validation disable
-set firewall syn-cookies enable
-set interfaces ethernet eth0 address dhcp
-set interfaces ethernet eth0 description 'Internet via DHCP'
-set interfaces ethernet eth0 duplex auto
-set interfaces ethernet eth0 speed auto
-set interfaces ethernet eth1 description Local
-set interfaces ethernet eth1 duplex auto
-set interfaces ethernet eth1 speed auto
-set interfaces ethernet eth2 description Local
-set interfaces ethernet eth2 duplex auto
-set interfaces ethernet eth2 speed auto
-set interfaces ethernet eth3 description Local
-set interfaces ethernet eth3 duplex auto
-set interfaces ethernet eth3 speed auto
-set interfaces ethernet eth4 description Local
-set interfaces ethernet eth4 duplex auto
-set interfaces ethernet eth4 poe output off
-set interfaces ethernet eth4 speed auto
-set interfaces loopback lo
-set interfaces switch switch0 address 10.1.0.1/24
-set interfaces switch switch0 address '2a03:2260:121:603::1/64'
-set interfaces switch switch0 description Local
-set interfaces switch switch0 firewall in ipv6-modify LAN_to_VPN_V6
-set interfaces switch switch0 firewall in modify LAN_to_VPN
-set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1
-set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64
-set interfaces switch switch0 ipv6 router-advert link-mtu 0
-set interfaces switch switch0 ipv6 router-advert managed-flag true
-set interfaces switch switch0 ipv6 router-advert max-interval 600
-set interfaces switch switch0 ipv6 router-advert name-server '2606:4700:4700::1111'
-set interfaces switch switch0 ipv6 router-advert other-config-flag false
-set interfaces switch switch0 ipv6 router-advert prefix '2a03:2260:121:603::/64' autonomous-flag true
-set interfaces switch switch0 ipv6 router-advert prefix '2a03:2260:121:603::/64' on-link-flag true
-set interfaces switch switch0 ipv6 router-advert prefix '2a03:2260:121:603::/64' valid-lifetime 2592000
-set interfaces switch switch0 ipv6 router-advert reachable-time 0
-set interfaces switch switch0 ipv6 router-advert retrans-timer 0
-set interfaces switch switch0 ipv6 router-advert send-advert true
-set interfaces switch switch0 mtu 1500
-set interfaces switch switch0 switch-port interface eth1
-set interfaces switch switch0 switch-port interface eth2
-set interfaces switch switch0 switch-port interface eth3
-set interfaces switch switch0 switch-port interface eth4
-set interfaces switch switch0 switch-port vlan-aware disable
-set interfaces wireguard wg0 address 10.255.1.2/24
-set interfaces wireguard wg0 listen-port 51822
-set interfaces wireguard wg0 mtu 1384
-set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0
-set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips '::0/0'
-set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 'vpn01.fftdf.de:42001'
-set interfaces wireguard wg0 private-key /config/auth/wg.key
-set interfaces wireguard wg0 route-allowed-ips false
-set protocols static interface-route6 '::/0' next-hop-interface wg0
-set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
-set protocols static table 2 route6 '::0/0' next-hop '2a03:2260:121:602::2'
-set protocols static table 2 route6 '::/0' next-hop '2a03:2260:121:602::2'
-set service dhcp-server disabled false
-set service dhcp-server hostfile-update disable
-set service dhcp-server shared-network-name LAN authoritative enable
-set service dhcp-server shared-network-name LAN subnet 10.1.0.1/24 default-router 10.1.0.1/24
-set service dhcp-server shared-network-name LAN subnet 10.1.0.1/24 dns-server 10.1.0.1/24
-set service dhcp-server shared-network-name LAN subnet 10.1.0.1/24 lease 86400
-set service dhcp-server shared-network-name LAN subnet 10.1.0.1/24 start 10.1.0.38 stop 10.1.0.243
-set service dhcp-server static-arp disable
-set service dhcp-server use-dnsmasq disable
-set service dns forwarding cache-size 150
-set service dns forwarding listen-on switch0
-set service gui http-port 80
-set service gui https-port 443
-set service gui older-ciphers enable
-set service nat rule 5010 description 'masquerade for VPN'
-set service nat rule 5010 outbound-interface wg0
-set service nat rule 5010 protocol all
-set service nat rule 5010 type masquerade
-set service ssh port 22
-set service ssh protocol-version v2
-set service unms
-set system host-name edge1
-set system time-zone UTC

host_vars/vpn02.yml

@@ -1,15 +0,0 @@
-###
-### Ansible
-###
-ansible_host: 5.9.220.115
-ansible_port: 22
-ansible_ssh_user: root
-ansible_python_interpreter: /usr/bin/python3
-
-###
-### Vars Freifunk
-###
-internal_network: "10.255.0.0/16"
-freifunk_internal_ip: 172.16.7.11/24
-core_router: 172.16.7.1
-ipv6_network: 2a03:2260:121:640::/58

hosts.yml

@@ -15,9 +15,6 @@ all:
         vpn-offloader-wireguard:
           hosts:
             vpn01:
-        vpn-offloader-openvpn:
-          hosts:
-            vpn02:
     edge_router:
       hosts:
         edge1:

readme.md

@@ -6,66 +6,13 @@ Supernode Config:
 - VPN per Wireguard
 - NAT auf VPN Routern
 
-## Adressbereiche:
+## Naming:
 
-Supernode: 10.255.1.1/32
+CORE[1-x]
+Core Router auf Vyos mit Verbidung zum FFRL Backbone über GRE Tunnel. Die Core Router stellen das Freifunk Netz über ein LAN auf unseren Proxmox Servern bereit.
 
-VPN01: 10.255.1.2/32, Client: 10.1.0.0/16
+VPN[1-x]
-VPN02: 10.255.1.3/32, Client: 10.2.0.0/16
+VPN Server aka Supernodes. Die VPN Server nehmen VPN Verbindungen von Routern und/oder Clients entgegen und managen diese. Hier sind diekte anbindungen möglich, ebenso aber Supernodes mit dem klassischen Freifunk (Batman) Konzept.
-VPN03: 10.255.1.4/32, Client: 10.3.0.0/16
-etc.
 
-
+ROUTER[1-x], EDGE[1-x], CLIENT[1-x]
-## ER-X Stock Firmware Config:
+Angebundene Router oder Clients an einen VPN Server, falls dieser aus diesem Ansible eine Config erhält.
-> Vor der Installation:
-> - eth0 als DHCP Client
-> - eth1-4 auf den Switch
-> - Switch mit DHCP Server einrichten. Adressbereich aus Tabelle beachten!
-
-## Install Wireguard
-cd /tmp
-curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
-sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
-
-## Generate Keys
-    cd /config/auth
-    wg genkey | tee /config/auth/wg.key | wg pubkey >  wg.public
-    cat wg.public
-    cat wg.key
-
-## Config ER-X
-    configure
-## Wireguard
-    set interfaces wireguard wg0 address 10.255.1.2/24
-    set interfaces wireguard wg0 address fd80:3ea2:e399:203a::2/64
-    set interfaces wireguard wg0 listen-port 51821
-    set interfaces wireguard wg0 route-allowed-ips false
-    set interfaces wireguard wg0 persistent-keepalive 25
-    set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 7.fftdf.de:42001
-    set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0
-    set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips ::0/0
-    set interfaces wireguard wg0 private-key /config/auth/wg.key
-## Firewall for Wireguard
-    set firewall name WAN_LOCAL rule 20 action accept
-    set firewall name WAN_LOCAL rule 20 protocol udp
-    set firewall name WAN_LOCAL rule 20 description 'WireGuard'
-    set firewall name WAN_LOCAL rule 20 destination port 51821
-    set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
-    set firewall group network-group LAN-VPN network 10.1.0.0/16
-    set firewall group network-group RFC1918 network 10.0.0.0/8
-    set firewall group network-group RFC1918 network 172.16.0.0/12
-    set firewall group network-group RFC1918 network 192.168.0.0/16
-    set firewall group network-group RFC1918 network 169.254.0.0/16
-    set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
-    set firewall modify VPN_TDF7 rule 100 action modify
-    set firewall modify VPN_TDF7 rule 100 description 'Route traffic from group LAN-VPN through VPN-TDF7 table'
-    set firewall modify VPN_TDF7 rule 100 modify table 2
-    set firewall modify VPN_TDF7 rule 100 source group network-group LAN-VPN
-    set interfaces switch switch0 firewall in modify VPN_TDF7
-## NAT einrichten
-    set service nat rule 5010 description 'masquerade for VPN'
-    set service nat rule 5010 outbound-interface wg0
-    set service nat rule 5010 type masquerade
-    set service nat rule 5010 protocol all
-## Speichern
-    commit ; save

vpn01.md

@@ -1,72 +0,0 @@
-vpn02
-# Supernode mit direkter VPN Ausleitung
-
-Ausleitung über das FFRL Backbone.
-Supernode Config:
-- GRE-Tunnel zum FFRL Backbone
-- VPN per Wireguard
-- NAT auf VPN Routern
-
-## Adressbereiche:
-
-Supernode: 10.255.1.1/32
-
-VPN01: 10.255.1.2/32, Client: 10.1.0.0/16
-VPN02: 10.255.1.3/32, Client: 10.2.0.0/16
-VPN03: 10.255.1.4/32, Client: 10.3.0.0/16
-etc.
-
-
-## ER-X Stock Firmware Config:
-> Vor der Installation:
-> - eth0 als DHCP Client
-> - eth1-4 auf den Switch
-> - Switch mit DHCP Server einrichten. Adressbereich aus Tabelle beachten!
-
-## Install Wireguard
-cd /tmp
-curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
-sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
-
-## Generate Keys
-    cd /config/auth
-    wg genkey | tee /config/auth/wg.key | wg pubkey >  wg.public
-    cat wg.public
-    cat wg.key
-
-## Config ER-X
-    configure
-## Wireguard
-    set interfaces wireguard wg0 address 10.255.1.2/24
-    set interfaces wireguard wg0 address fd80:3ea2:e399:203a::2/64
-    set interfaces wireguard wg0 listen-port 51822
-    set interfaces wireguard wg0 route-allowed-ips false
-    set interfaces wireguard wg0 persistent-keepalive 25
-    set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 7.fftdf.de:42001
-    set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0
-    set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips ::0/0
-    set interfaces wireguard wg0 private-key /config/auth/wg.key
-## Firewall for Wireguard
-    set firewall name WAN_LOCAL rule 20 action accept
-    set firewall name WAN_LOCAL rule 20 protocol udp
-    set firewall name WAN_LOCAL rule 20 description 'WireGuard'
-    set firewall name WAN_LOCAL rule 20 destination port 51821
-    set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
-    set firewall group network-group LAN-VPN network 10.1.0.0/16
-    set firewall group network-group RFC1918 network 10.0.0.0/8
-    set firewall group network-group RFC1918 network 172.16.0.0/12
-    set firewall group network-group RFC1918 network 192.168.0.0/16
-    set firewall group network-group RFC1918 network 169.254.0.0/16
-    set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
-    set firewall modify VPN_TDF7 rule 100 action modify
-    set firewall modify VPN_TDF7 rule 100 description 'Route traffic from group LAN-VPN through VPN-TDF7 table'
-    set firewall modify VPN_TDF7 rule 100 modify table 2
-    set firewall modify VPN_TDF7 rule 100 source group network-group LAN-VPN
-    set interfaces switch switch0 firewall in modify VPN_TDF7
-## NAT einrichten
-    set service nat rule 5010 description 'masquerade for VPN'
-    set service nat rule 5010 outbound-interface wg0
-    set service nat rule 5010 type masquerade
-    set service nat rule 5010 protocol all
-## Speichern
-    commit ; save

vpn02.md

@@ -1,72 +0,0 @@
-vpn02
-# Supernode mit direkter VPN Ausleitung
-
-Ausleitung über das FFRL Backbone.
-Supernode Config:
-- GRE-Tunnel zum FFRL Backbone
-- VPN per Wireguard
-- NAT auf VPN Routern
-
-## Adressbereiche:
-
-Supernode: 10.255.1.1/32
-
-VPN01: 10.255.1.2/32, Client: 10.1.0.0/16
-VPN02: 10.255.1.3/32, Client: 10.2.0.0/16
-VPN03: 10.255.1.4/32, Client: 10.3.0.0/16
-etc.
-
-
-## ER-X Stock Firmware Config:
-> Vor der Installation:
-> - eth0 als DHCP Client
-> - eth1-4 auf den Switch
-> - Switch mit DHCP Server einrichten. Adressbereich aus Tabelle beachten!
-
-## Install Wireguard
-cd /tmp
-curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
-sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
-
-## Generate Keys
-    cd /config/auth
-    wg genkey | tee /config/auth/wg.key | wg pubkey >  wg.public
-    cat wg.public
-    cat wg.key
-
-## Config ER-X
-    configure
-## Wireguard
-    set interfaces wireguard wg0 address 10.255.1.3/24
-    set interfaces wireguard wg0 address fd80:3ea2:e399:203a::3/64
-    set interfaces wireguard wg0 listen-port 51821
-    set interfaces wireguard wg0 route-allowed-ips false
-    set interfaces wireguard wg0 persistent-keepalive 25
-    set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 7.fftdf.de:42001
-    set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0
-    set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips ::0/0
-    set interfaces wireguard wg0 private-key /config/auth/wg.key
-## Firewall for Wireguard
-    set firewall name WAN_LOCAL rule 20 action accept
-    set firewall name WAN_LOCAL rule 20 protocol udp
-    set firewall name WAN_LOCAL rule 20 description 'WireGuard'
-    set firewall name WAN_LOCAL rule 20 destination port 51821
-    set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
-    set firewall group network-group LAN-VPN network 10.2.0.0/16
-    set firewall group network-group RFC1918 network 10.0.0.0/8
-    set firewall group network-group RFC1918 network 172.16.0.0/12
-    set firewall group network-group RFC1918 network 192.168.0.0/16
-    set firewall group network-group RFC1918 network 169.254.0.0/16
-    set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
-    set firewall modify VPN_TDF7 rule 100 action modify
-    set firewall modify VPN_TDF7 rule 100 description 'Route traffic from group LAN-VPN through VPN-TDF7 table'
-    set firewall modify VPN_TDF7 rule 100 modify table 2
-    set firewall modify VPN_TDF7 rule 100 source group network-group LAN-VPN
-    set interfaces switch switch0 firewall in modify VPN_TDF7
-## NAT einrichten
-    set service nat rule 5010 description 'masquerade for VPN'
-    set service nat rule 5010 outbound-interface wg0
-    set service nat rule 5010 type masquerade
-    set service nat rule 5010 protocol all
-## Speichern
-    commit ; save

vpn03.md

@@ -1,72 +0,0 @@
-vpn03
-# Supernode mit direkter VPN Ausleitung
-
-Ausleitung über das FFRL Backbone.
-Supernode Config:
-- GRE-Tunnel zum FFRL Backbone
-- VPN per Wireguard
-- NAT auf VPN Routern
-
-## Adressbereiche:
-
-Supernode: 10.255.1.1/32
-
-VPN01: 10.255.1.2/32, Client: 10.1.0.0/16
-VPN02: 10.255.1.3/32, Client: 10.2.0.0/16
-VPN03: 10.255.1.4/32, Client: 10.3.0.0/16
-etc.
-
-
-## ER-X Stock Firmware Config:
-> Vor der Installation:
-> - eth0 als DHCP Client
-> - eth1-4 auf den Switch
-> - Switch mit DHCP Server einrichten. Adressbereich aus Tabelle beachten!
-
-## Install Wireguard
-cd /tmp
-curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
-sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
-
-## Generate Keys
-    cd /config/auth
-    wg genkey | tee /config/auth/wg.key | wg pubkey >  wg.public
-    cat wg.public
-    cat wg.key
-
-## Config ER-X
-    configure
-## Wireguard
-    set interfaces wireguard wg0 address 10.255.1.4/24
-    set interfaces wireguard wg0 address fd80:3ea2:e399:203a::4/64
-    set interfaces wireguard wg0 listen-port 51821
-    set interfaces wireguard wg0 route-allowed-ips false
-    set interfaces wireguard wg0 persistent-keepalive 25
-    set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 7.fftdf.de:42001
-    set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0
-    set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips ::0/0
-    set interfaces wireguard wg0 private-key /config/auth/wg.key
-## Firewall for Wireguard
-    set firewall name WAN_LOCAL rule 20 action accept
-    set firewall name WAN_LOCAL rule 20 protocol udp
-    set firewall name WAN_LOCAL rule 20 description 'WireGuard'
-    set firewall name WAN_LOCAL rule 20 destination port 51821
-    set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
-    set firewall group network-group LAN-VPN network 10.3.0.0/16
-    set firewall group network-group RFC1918 network 10.0.0.0/8
-    set firewall group network-group RFC1918 network 172.16.0.0/12
-    set firewall group network-group RFC1918 network 192.168.0.0/16
-    set firewall group network-group RFC1918 network 169.254.0.0/16
-    set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
-    set firewall modify VPN_TDF7 rule 100 action modify
-    set firewall modify VPN_TDF7 rule 100 description 'Route traffic from group LAN-VPN through VPN-TDF7 table'
-    set firewall modify VPN_TDF7 rule 100 modify table 2
-    set firewall modify VPN_TDF7 rule 100 source group network-group LAN-VPN
-    set interfaces switch switch0 firewall in modify VPN_TDF7
-## NAT einrichten
-    set service nat rule 5010 description 'masquerade for VPN'
-    set service nat rule 5010 outbound-interface wg0
-    set service nat rule 5010 type masquerade
-    set service nat rule 5010 protocol all
-## Speichern
-    commit ; save