Freifunk-Troisdorf/ansible.fftdf.supernode
5
0
Fork 0
Code Issues 1 Pull Requests Releases Wiki Activity

Toller Commit

Browse Source
This commit is contained in:
Stefan Hoffmann 2023-02-06 23:13:32 +01:00
parent 48c5bf9a79
commit 5864ead4b8
27 changed files with 901 additions and 435 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
.DS_Store vendored
View File

Binary file not shown.

338
conf.conf Normal file
View File

@ -0,0 +1,338 @@
interfaces {
ethernet eth0 {
address 5.9.220.113/29
description WAN
}
ethernet eth1 {
address 172.16.7.1/24
description "Freifunk WAN"
}
loopback lo {
address 185.66.193.107/32
}
tunnel tun0 {
address 100.64.6.25/31
address 2a03:2260:0:30c::2/64
description gre_bb_a_ak_ber
encapsulation gre
remote 185.66.195.0
source-address 5.9.220.113
}
tunnel tun1 {
address 100.64.6.31/31
address 2a03:2260:0:30f::2/64
description gre_bb_b_ak_ber
encapsulation gre
remote 185.66.195.1
source-address 5.9.220.113
}
tunnel tun2 {
address 100.64.6.29/31
address 2a03:2260:0:30e::2/64
description gre_bb_a_ix_dus
encapsulation gre
remote 185.66.193.0
source-address 5.9.220.113
}
tunnel tun3 {
address 100.64.6.35/31
address 2a03:2260:0:311::2/64
description gre_bb_b_ix_dus
encapsulation gre
remote 185.66.193.1
source-address 5.9.220.113
}
tunnel tun4 {
address 100.64.6.27/31
address 2a03:2260:0:30d::2/64
description gre_bb_a_fra3_f
encapsulation gre
remote 185.66.194.0
source-address 5.9.220.113
}
tunnel tun5 {
address 100.64.6.33/31
address 2a03:2260:0:310::2/64
description gre-bb-b.fra3.f
encapsulation gre
remote 185.66.194.1
source-address 5.9.220.113
}
}
nat {
destination {
rule 1 {
description "Allow SSH to VPN-01 Port 2222"
destination {
address 185.66.193.107/32
port 2222
}
inbound-interface any
protocol tcp
translation {
address 172.16.7.2
port 22
}
}
rule 2 {
description "Wireguard VPN-01 42001"
destination {
address 185.66.193.107
port 42001
}
inbound-interface any
protocol udp
translation {
address 172.16.7.2
}
}
}
source {
rule 1 {
outbound-interface any
source {
address 172.16.7.0/24
}
translation {
address 185.66.193.107
}
}
}
}
policy {
local-route {
rule 10 {
set {
table 42
}
source 5.9.220.113
}
}
prefix-list FFRL-IN {
rule 10 {
action permit
prefix 0.0.0.0/0
}
}
prefix-list FFRL-OUT {
rule 10 {
action permit
prefix 185.66.193.107/32
}
}
route-map FFRL-IN {
rule 10 {
action permit
match {
ip {
address {
prefix-list FFRL-IN
}
}
}
}
}
route-map FFRL-OUT {
rule 10 {
action permit
match {
ip {
address {
prefix-list FFRL-OUT
}
}
}
}
}
}
protocols {
bgp {
address-family {
ipv4-unicast {
network 185.66.193.107/32 {
}
}
}
neighbor 100.64.6.24 {
address-family {
ipv4-unicast {
route-map {
export FFRL-OUT
import FFRL-IN
}
}
}
description ffrl_bb_a_ak_ber
remote-as 201701
update-source 100.64.6.25
}
neighbor 100.64.6.26 {
address-family {
ipv4-unicast {
route-map {
export FFRL-OUT
import FFRL-IN
}
}
}
description ffrl_bb_a_fra3_fra
remote-as 201701
update-source 100.64.6.27
}
neighbor 100.64.6.28 {
address-family {
ipv4-unicast {
route-map {
export FFRL-OUT
import FFRL-IN
}
}
}
description ffrl_bb_a_ix_dus
remote-as 201701
update-source 100.64.6.29
}
neighbor 100.64.6.30 {
address-family {
ipv4-unicast {
route-map {
export FFRL-OUT
import FFRL-IN
}
}
}
description ffrl_bb_b_ak_ber
remote-as 201701
update-source 100.64.6.31
}
neighbor 100.64.6.32 {
address-family {
ipv4-unicast {
route-map {
export FFRL-OUT
import FFRL-IN
}
}
}
description ffrl_bb_b_fra3_fra
remote-as 201701
update-source 100.64.6.33
}
neighbor 100.64.6.34 {
address-family {
ipv4-unicast {
route-map {
export FFRL-OUT
import FFRL-IN
}
}
}
description ffrl_bb_b_ix_dus
remote-as 201701
update-source 100.64.6.35
}
parameters {
router-id 10.188.255.7
}
system-as 65066
}
static {
table 42 {
route 0.0.0.0/0 {
next-hop 5.9.220.112 {
}
}
}
}
}
service {
dhcp-server {
listen-address 172.16.7.1
shared-network-name freifunk {
subnet 172.16.7.0/24 {
default-router 172.16.7.1
name-server 1.1.1.1
name-server 1.0.0.1
range dhcp {
start 172.16.7.10
stop 172.16.7.200
}
static-mapping vpn-01 {
ip-address 172.16.7.2
mac-address 36:f3:82:18:9b:03
}
}
}
}
ntp {
allow-client {
address 0.0.0.0/0
address ::/0
}
server time1.vyos.net {
}
server time2.vyos.net {
}
server time3.vyos.net {
}
}
ssh {
port 22
}
}
system {
config-management {
commit-revisions 100
}
conntrack {
modules {
ftp
h323
nfs
pptp
sip
sqlnet
tftp
}
}
console {
device ttyS0 {
speed 115200
}
}
host-name 7.fftdf.de
login {
banner {
post-login "Welcome to the core Freifunk Router for Troisdorf!\n\nEnjoy it while you are here!\n"
}
user vyos {
authentication {
encrypted-password $6$WJiQoTPHLN8qj3s2$3vPtbSA48u8axMRDuOTaH4Hzg6kUuUJ8rkNuuSBacLfJ3YKRhDu5q4hxyhYr22n9F7E5NtovDM3A1.Ahpralf0
plaintext-password ""
public-keys nils {
key AAAAB3NzaC1yc2EAAAADAQABAAACAQCvwA3/NDj7Oo28Q1XdRIgOp//35gFVvsDa1dnMkgRDqJYvlIDbRiQ+UIcgu5YhstPb8BAxfvqjRP4rnMKc7v69T2Lp+HOMx+1sOYrznEe2hC5lPr4+U1u4Fzqhq/keSoItifmdTgrE+01Zc5jMBosUIm79TDgEMuEGcYVJIyAzDv9ez4u+Bz/HubRO+qT/+UmOICEg9m/C+fiH/ZAJHi90dMsj7RF5YXrRHXTAdiecurwGAZx2Adug1fFTvzB1pqBUHje1PFtEI+LheYklpNtiJo8NQ2KDEiavSxBibJrywzQHaddf0bkeAhmiNY8PRoMpMNeiu94DyNFWgdm7bLzdzrN/o5U7MlnJlcn8D1tLtdp0ngTxaN6VIywI8mQ/Ukxz8p2Ce49vu6osz4CvYhKx4mrvOSmqg9VjKcL6/rIwK7y5CWgIrddktxrSpUHXkzoQSefgZ5Bnu3CNp0GixWV5JTHnFxCulJAGi3TTqx7IvsJ8gpuKkeGnIgnDhFbqVOKeEEnR13tTCJ7MgPQ+VHREQ68u73a5TfDxJd/ggnG4tQ67HOcqxwa74+X1lv7YiJ3AvbrR7FFPNM3o5N8ZmZWhBLDaUHrjElHkZdB/V2l2bCblWhD0INCYoskuK1dFGdf3gQQeKOivGzKtzI0xNKutrxfvarkikxCEV3Exj889rQ==
type ssh-rsa
}
public-keys stefan {
key AAAAB3NzaC1yc2EAAAADAQABAAABAQDM0d9uUUdkK80fYEAz+IwxbhQO2qsr87Q4uxxwqQCvjVWryL+IuKMBJJGroWDMz2d9UJcIXEYdMz4436U0DoPJuoXe5iDsVvum3Vz3276My+tqx1bZWCktPa8Isft7mO/wfELNjRNQduUiwh2y712s7/3GQI+5Rs/65HuLHTnpLKrlfptqmsmYw+IUFDzGwBLJ6sqP90ywjKkperPCAH3IWcTsQwnW3EJFPToMg6BrQslZlxx/z+co3e6jCWzUuuIRP9jp4SmNVfYaVGb1cOFdL1p1P0qWHBHdGUnXHZ+c773VKVSj+spUBxKGqNC1EhRCYTsPDLVrYrhKl2BRLcgB
type ssh-rsa
}
}
}
}
syslog {
global {
facility all {
level info
}
facility protocols {
level debug
}
}
}
}
// Warning: Do not remove the following line.
// vyos-config-version: "bgp@3:broadcast-relay@1:cluster@1:config-management@1:conntrack@3:conntrack-sync@2:container@1:dhcp-relay@2:dhcp-server@6:dhcpv6-server@1:dns-forwarding@3:firewall@9:flow-accounting@1:https@4:ids@1:interfaces@26:ipoe-server@1:ipsec@11:isis@2:l2tp@4:lldp@1:mdns@1:monitoring@1:nat@5:nat66@1:ntp@2:openconnect@2:ospf@1:policy@5:pppoe-server@6:pptp@2:qos@2:quagga@10:rpki@1:salt@1:snmp@3:ssh@2:sstp@4:system@25:vrf@3:vrrp@3:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2"
// Release version: 1.4-rolling-202302041536

3
host_vars/router4.yml Normal file
View File

@ -0,0 +1,3 @@
wan_address: 5.9.220.113/29
local_address: 172.16.7.1/24
ffrl_address: 185.66.193.107/32

25
host_vars/troisdorf7.yml
View File

@ -1,25 +0,0 @@
wireguard_unmanaged_peers:
vpn1-testing:
public_key: zaxk4sSdmg/NBnjdLaslBA6sljpeW0RPWX00tKq2bnI=
allowed_ips: 10.255.1.2/32, 10.1.0.0/16, fd80:3ea2:e399:203a::2/128, 2a03:2260:121:7001::/64
persistent_keepalive: 25
vpn2-lindenstr-sh07:
public_key: 8wsck5Ek7cQ+YbktuUzB2xBAzzeH/ou2QOR4Ou5B6zs=
allowed_ips: 10.255.1.3/32, 10.2.0.0/16, fd80:3ea2:e399:203a::3/128, 2a03:2260:121:7002::/64
persistent_keepalive: 25
# vpn2-stefan:
# public_key: NvJKN6xorzvwL7NhMoY2bEwpDVTl9Ob/1gx9g8tHfic=
# allowed_ips: 10.255.1.3/32, 10.2.0.0/16
# persistent_keepalive: 25
# vpn3-empty:
# public_key: pwD87EgTk8fGctR1Cz6/DfwGuzTg8VO2YC2CM58Sdlw=
# allowed_ips: 10.255.1.2/32, 10.1.0.0/16
# persistent_keepalive: 25
# vpn4-empty:
# public_key: N54OfQCIQGbPltC4sq/1gvV/2UXFKcQAti9ORNvlFxA=
# allowed_ips: 10.255.1.2/32, 10.1.0.0/16
# persistent_keepalive: 25
# vpn5-empty:
# public_key: sKi7h1W89XEe9tzxbXbev3oHBoS0VOLXFFLvwQZ+wAM=
# allowed_ips: 10.255.1.2/32, 10.1.0.0/16
# persistent_keepalive: 25

41
host_vars/troisdorf7/vars.yml Normal file
View File

@ -0,0 +1,41 @@
###
### Ansible
###
ansible_host: 185.66.193.107
ansible_port: 2222
ansible_ssh_user: root
ansible_python_interpreter: /usr/bin/python3
###
### Vars
###
internal_network: "10.255.1.0/24"
###
### Wireguard
###
wireguard_address: "10.255.1.1/24, fd80:3ea2:e399:203a::1/64"
wireguard_port: 42001
wireguard_unmanaged_peers:
vpn1-testing:
public_key: dEqGBiASx0gY1T/m4chRkeWhF+4XmzmjLKLXXbe+rmg=
allowed_ips: 10.255.1.2/32, 10.1.0.0/16, fd80:3ea2:e399:203a::2/128
persistent_keepalive: 25
vpn2-lindenstr-h07:
public_key: VglVuinIYJOE3UNZxhFRCHwD7WtiVg83u/cp3modw0k=
allowed_ips: 10.255.1.3/32, 10.2.0.0/16, fd80:3ea2:e399:203a::3/128
persistent_keepalive: 25
vpn3-lindenstr-h01:
public_key: jWTWrLtxb19TkThXLmUs+kqelo27zb9XfcDQFPGVWxs=
allowed_ips: 10.255.1.4/32, 10.3.0.0/16, fd80:3ea2:e399:203a::4/128
persistent_keepalive: 25
vpn4-nils:
public_key: Z9kn/JvtCcTs2ok8z7Ci3E+dy6Hb/lnUNre4X8xWCjg=
allowed_ips: 10.255.1.5/32, 10.4.0.0/16, fd80:3ea2:e399:203a::5/128
persistent_keepalive: 25
vpn5-stefan:
public_key: UHaYitx18sO71Ssk2SVUgdjLaAILbCthCmosU+Fs5Es=
allowed_ips: 10.255.1.6/32, 10.5.0.0/16, fd80:3ea2:e399:203a::6/128
persistent_keepalive: 25

9
host_vars/troisdorf7/vault.yml Normal file
View File

@ -0,0 +1,9 @@
$ANSIBLE_VAULT;1.1;AES256
31653333646534336164323064616261666365636438363761663837663635613333386165313962
3732656532643062333235366564333633623937353335650a343334393265316131313935363337
61323339356237646631303039646132663161623739393130383338383339373063373566666330
3463346562336166340a313562613835386431613636303637626133346433393630623837646236
66633239393134336539346430343965383339653061633463653864653834633862353861663432
39633663663833373264623138376431353437623765643530373266643539616231376162663831
33643334323861653564333739376561306462316561336531656663396134336635666639343433
38613630313731343736

30
hosts.yml
View File

@ -5,32 +5,14 @@
######################
all:
children:
router:
children:
ffrl-uplink:
hosts:
r4.fftdf.de:
supernodes:
children:
vpn-offloader:
hosts:
# tdf7
troisdorf7:
#TDF (alt)
#ansible_host: 93.241.53.100
ansible_host: 5.9.220.113
ansible_user: root
ansible_python_interpreter: /usr/bin/python3
ffrl_ipv4: 185.66.193.107
ffrl_ipv6: 2a03:2260:121:7000::107
ffrl_ipv6_net: "2a03:2260:121:7000::"
ffrl_router_id: 10.188.255.7
gre_bb_a_ak_ber_ipv4: 100.64.6.25
gre_bb_b_ak_ber_ipv4: 100.64.6.31
gre_bb_a_ix_dus_ipv4: 100.64.6.29
gre_bb_b_ix_dus_ipv4: 100.64.6.35
gre_bb_a_fra3_f_ipv4: 100.64.6.27
gre_bb_b_fra3_f_ipv4: 100.64.6.33
gre_bb_a_ak_ber_ipv6: 2a03:2260:0:30c::2
gre_bb_b_ak_ber_ipv6: 2a03:2260:0:30f::2
gre_bb_a_ix_dus_ipv6: 2a03:2260:0:30e::2
gre_bb_b_ix_dus_ipv6: 2a03:2260:0:311::2
gre_bb_a_fra3_f_ipv6: 2a03:2260:0:30d::2
gre_bb_b_fra3_f_ipv6: 2a03:2260:0:310::2
wireguard_address: "10.255.1.1/24, fd80:3ea2:e399:203a::1/64"
wireguard_port: 42001

7
readme.md
View File

@ -52,23 +52,16 @@ sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
set firewall name WAN_LOCAL rule 20 destination port 51821
set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
set firewall group network-group LAN-VPN network 10.1.0.0/16
set firewall group ipv6-network-group IPv6-VPN ipv6-network 2a03:2260:121:7001::/64
set firewall group network-group RFC1918 network 10.0.0.0/8
set firewall group network-group RFC1918 network 172.16.0.0/12
set firewall group network-group RFC1918 network 192.168.0.0/16
set firewall group network-group RFC1918 network 169.254.0.0/16
set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
set protocols static table 2 route6 ::/0 next-hop fd80:3ea2:e399:203a::1
set firewall modify VPN_TDF7 rule 100 action modify
set firewall modify VPN_TDF7 rule 100 description 'Route traffic from group LAN-VPN through VPN-TDF7 table'
set firewall modify VPN_TDF7 rule 100 modify table 2
set firewall modify VPN_TDF7 rule 100 source group network-group LAN-VPN
set firewall ipv6-modify IPv6-VPN_TDF7 rule 100 action modify
set firewall ipv6-modify IPv6-VPN_TDF7 rule 100 description 'Route traffic from group IPv6-VPN through IPv6-VPN-TDF7 table'
set firewall ipv6-modify IPv6-VPN_TDF7 rule 100 modify table 2
set firewall ipv6-modify IPv6-VPN_TDF7 rule 100 source group ipv6-network-group IPv6-VPN
set interfaces switch switch0 firewall in modify VPN_TDF7
set interfaces switch switch0 firewall in modify IPv6-VPN_TDF7
## NAT einrichten
set service nat rule 5010 description 'masquerade for VPN'
set service nat rule 5010 outbound-interface wg0

15
roles/00-system-set-bird/tasks/main.yml
View File

@ -1,15 +0,0 @@
- name: Copy Bird Config
ansible.builtin.template:
src: bird.conf.j2
dest: /etc/bird/bird.conf
owner: root
group: root
mode: '0644'
- name: Copy Bird6 Config
ansible.builtin.template:
src: bird6.conf.j2
dest: /etc/bird/bird6.conf
owner: root
group: root
mode: '0644'

93
roles/00-system-set-bird/templates/bird.conf.j2
View File

@ -1,93 +0,0 @@
/*
* This is an example configuration file.
*/
# Yes, even shell-like comments work...
# Configure logging
#log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug };
#log stderr all;
#log "tmp" all;
#log syslog all;
#debug protocols all;
# Override router ID
router id {{ ffrl_router_id }};
protocol direct {
interface "*";
};
protocol kernel {
device routes;
import all;
export all;
kernel table 42;
};
protocol device {
scan time 8;
};
function is_default() {
return (net ~ [0.0.0.0/0]);
};
# own network
function is_self_net() {
return (net ~ [ 10.188.0.0/16+ ]);
}
# freifunk ip ranges in general
function is_freifunk() {
return net ~ [ 10.0.0.0/8+,
104.0.0.0/8+
];
}
filter hostroute {
if net ~ {{ ffrl_ipv4 }}/32 then accept;
reject;
};
# Uplink über ff Rheinland
template bgp uplink {
local as 65066;
import where is_default();
export filter hostroute;
next hop self;
multihop 64;
default bgp_local_pref 200;
};
protocol bgp ffrl_bb_a_ak_ber from uplink {
source address 100.64.6.25;
neighbor 100.64.6.24 as 201701;
};
protocol bgp ffrl_bb_b_ak_ber from uplink {
source address 100.64.6.31;
neighbor 100.64.6.30 as 201701;
};
protocol bgp ffrl_bb_a_ix_dus from uplink {
source address 100.64.6.29;
neighbor 100.64.6.28 as 201701;
};
protocol bgp ffrl_bb_b_ix_dus from uplink {
source address 100.64.6.35;
neighbor 100.64.6.34 as 201701;
};
protocol bgp ffrl_bb_a_fra3_fra from uplink {
source address 100.64.6.27;
neighbor 100.64.6.26 as 201701;
};
protocol bgp ffrl_bb_b_fra3_fra from uplink {
source address 100.64.6.33;
neighbor 100.64.6.32 as 201701;
};

89
roles/00-system-set-bird/templates/bird6.conf.j2
View File

@ -1,89 +0,0 @@
# Configure logging
#log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug };
#log stderr all;
#log "tmp" all;
#log syslog all;
#debug protocols all;
# Override router ID
router id {{ ffrl_router_id }};
protocol direct {
interface "bat0", "gre-*", "lo"; # Restrict network interfaces it works with
}
protocol kernel {
device routes;
import all;
export all; # Default is export none
kernel table 42; # Kernel table to synchronize with (default: main)
}
protocol device {
scan time 10; # Scan interfaces every 10 seconds
}
function is_default() {
return (net ~ [::/0]);
}
# own networks
function is_self_net() {
return net ~ [ fda0:747e:ab29:7405::/64+ ];
}
# freifunk ip ranges in general
function is_freifunk() {
return net ~ [ fc00::/7{48,64},
2001:bf7::/32+];
}
filter hostroute {
if net ~ {{ ffrl_ipv6_net }}/52 then accept;
reject;
}
# Uplink zum FF Rheinland
template bgp uplink {
local as 65066;
import where is_default();
export filter hostroute;
gateway recursive;
}
protocol bgp ffrl_bb_a_ak_ber from uplink {
source address 2a03:2260:0:30c::2;
neighbor 2a03:2260:0:30c::1 as 201701;
}
protocol bgp ffrl_bb_b_ak_ber from uplink {
source address 2a03:2260:0:30f::2;
neighbor 2a03:2260:0:30f::1 as 201701;
}
protocol bgp ffrl_bb_a_ix_dus from uplink {
source address 2a03:2260:0:30e::2;
neighbor 2a03:2260:0:30e::1 as 201701;
}
protocol bgp ffrl_bb_b_ix_dus from uplink {
source address 2a03:2260:0:311::2;
neighbor 2a03:2260:0:311::1 as 201701;
}
protocol bgp ffrl_bb_a_fra3_fra from uplink {
source address 2a03:2260:0:30d::2;
neighbor 2a03:2260:0:30d::1 as 201701;
}
protocol bgp ffrl_bb_b_fra3_fra from uplink {
source address 2a03:2260:0:310::2;
neighbor 2a03:2260:0:310::1 as 201701;
}

20
roles/00-system-set-network/tasks/main.yml
View File

@ -1,20 +0,0 @@
- name: Cop Network Config
ansible.builtin.template:
src: 01-ffrl-gre.yaml.j2
dest: /etc/netplan/01-ffrl-gre.yaml
owner: root
group: root
mode: '0644'
register: networkconfig
- name: Netplan Apply
ansible.builtin.shell: netplan apply
when: networkconfig.changed
- name: Add Table 42 after netplan Apply
ansible.builtin.shell: /bin/ip rule add fwmark 0x4 table 42
when: networkconfig.changed
- name: Add Table 42v6 after netplan Apply
ansible.builtin.shell: /bin/ip -6 rule add fwmark 0x4 table 42
when: networkconfig.changed

62
roles/00-system-set-network/tasks/templates/01-ffrl-gre.yaml.j2
View File

@ -1,62 +0,0 @@
network:
tunnels:
gre-bb-a.ak.ber:
mode: gre
local: {{ ansible_host }}
remote: 185.66.195.0
mtu: 1400
addresses:
- {{ gre_bb_a_ak_ber_ipv4 }}/31
- {{ gre_bb_a_ak_ber_ipv6 }}/64
- fe80::200:5efe:2e04:9c72/64
gre-bb-b.ak.ber:
mode: gre
local: {{ ansible_host }}
remote: 185.66.195.1
mtu: 1400
addresses:
- {{ gre_bb_b_ak_ber_ipv4 }}/31
- {{ gre_bb_b_ak_ber_ipv6 }}/64
- fe80::200:5efe:2e04:9c72/64
gre-bb-a.ix.dus:
mode: gre
local: {{ ansible_host }}
remote: 185.66.193.0
mtu: 1400
addresses:
- {{ gre_bb_a_ix_dus_ipv4 }}/31
- {{ gre_bb_a_ix_dus_ipv6 }}/64
- fe80::200:5efe:2e04:9c72/64
gre-bb-b.ix.dus:
mode: gre
local: {{ ansible_host }}
remote: 185.66.193.1
mtu: 1400
addresses:
- {{ gre_bb_b_ix_dus_ipv4 }}/31
- {{ gre_bb_b_ix_dus_ipv6}}/64
- fe80::200:5efe:2e04:9c72/64
gre-bb-a.fra3.f:
mode: gre
local: {{ ansible_host }}
remote: 185.66.194.0
mtu: 1400
addresses:
- {{ gre_bb_a_fra3_f_ipv4 }}/31
- {{ gre_bb_a_fra3_f_ipv6 }}/64
- fe80::200:5efe:2e04:9c72/64
gre-bb-b.fra3.f:
mode: gre
local: {{ ansible_host }}
remote: 185.66.194.1
mtu: 1400
addresses:
- {{ gre_bb_b_fra3_f_ipv4 }}/31
- {{ gre_bb_b_fra3_f_ipv6 }}/64
- fe80::200:5efe:2e04:9c72/64
ethernets:
lo:
addresses:
- {{ ffrl_ipv4 }}/32
- {{ ffrl_ipv6 }}/52
- 127.0.0.1/8

33
roles/01-system-install-packages/tasks/main.yml
View File

@ -1,17 +1,18 @@
- name: Install all Packages
apt: name={{ item }} state=latest update_cache=yes
with_items:
- curl
- nano
- vim
- htop
- bird
- screen
- iproute2
- iptables
- cron
- qemu-guest-agent
- iputils-ping
- iw
- speedtest-cli
- telnet
ansible.builtin.apt:
name:
- curl
- nano
- vim
- htop
- screen
- iproute2
- iptables
- cron
- qemu-guest-agent
- iputils-ping
- iw
- speedtest-cli
- telnet
state: latest
update_cache: yes

26
roles/01-system-set-networking/tasks/main.yml Normal file
View File

@ -0,0 +1,26 @@
---
- name: Set NAT MASQUERADE
ansible.builtin.iptables:
chain: POSTROUTING
table: nat
source: "{{ internal_network }}"
jump: MASQUERADE
- ansible.posix.sysctl:
name: kernel.panic
value: '1'
sysctl_file: /etc/sysctl.conf
- ansible.posix.sysctl:
name: net.ipv4.ip_forward
value: '1'
sysctl_set: true
state: present
reload: true
- ansible.posix.sysctl:
name: net.ipv6.conf.all.forwarding
value: '1'
sysctl_set: true
state: present
reload: true

16
roles/11-create-cronjob/tasks/main.yml
View File

@ -1,16 +0,0 @@
- name: Ensures Freifunk Folder exists
file: path=/opt/freifunk state=directory
- name: Copy Reboot Script
ansible.builtin.template:
src: sn_startup.sh.j2
dest: /opt/freifunk/sn_startup.sh
owner: root
group: root
mode: '0775'
- name: Cron Job to run after boot
ansible.builtin.cron:
name: "Set Freifunk Routes"
special_time: reboot
job: /opt/freifunk/sn_startup.sh

58
roles/11-create-cronjob/templates/sn_startup.sh.j2
View File

@ -1,58 +0,0 @@
#!/bin/sh
# Version 1.91
sleep 5
# Activate IP forwarding
/sbin/sysctl -w net.ipv6.conf.all.forwarding=1
/sbin/sysctl -w net.ipv4.ip_forward=1
# restart when kernel panic
/sbin/sysctl kernel.panic=1
# Routing table 42
/bin/grep 42 /etc/iproute2/rt_tables || /bin/echo 42 ffrl >> /etc/iproute2/rt_tables
# Set table for traffice with mark 4
/bin/ip rule add fwmark 0x4 table 42
/bin/ip -6 rule add fwmark 0x4 table 42
# Set mark 4 to Freifunk traffic
/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MARK --set-mark 4
/sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/48 ! -d 2a03:2260:121::/48 -j MARK --set-mark 4
# All from FF IPv4 via routing table 42
/bin/ip rule add from {{ ffrl_ipv4 }}/32 lookup 42
/bin/ip -6 rule add from {{ ffrl_ipv6_net }}/52 lookup 42
# Add NAT Rules manualy
iptables -t nat -D POSTROUTING -o gre-bb-a.ak.ber -j SNAT --to-source {{ ffrl_ipv4 }}
iptables -t nat -D POSTROUTING -o gre-bb-b.ak.ber -j SNAT --to-source {{ ffrl_ipv4 }}
iptables -t nat -D POSTROUTING -o gre-bb-a.fra3.f -j SNAT --to-source {{ ffrl_ipv4 }}
iptables -t nat -D POSTROUTING -o gre-bb-b.fra3.f -j SNAT --to-source {{ ffrl_ipv4 }}
iptables -t nat -D POSTROUTING -o gre-bb-a.ix.dus -j SNAT --to-source {{ ffrl_ipv4 }}
iptables -t nat -D POSTROUTING -o gre-bb-b.ix.dus -j SNAT --to-source {{ ffrl_ipv4 }}
sleep 30
iptables -t nat -A POSTROUTING -o gre-bb-a.ak.ber -j SNAT --to-source {{ ffrl_ipv4 }}
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ak.ber -j TCPMSS --set-mss 1312
ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ak.ber -j TCPMSS --set-mss 1312
iptables -t nat -A POSTROUTING -o gre-bb-a.fra3.f -j SNAT --to-source {{ ffrl_ipv4 }}
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.fra3.f -j TCPMSS --set-mss 1312
ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.fra3.f -j TCPMSS --set-mss 1312
iptables -t nat -A POSTROUTING -o gre-bb-a.ix.dus -j SNAT --to-source {{ ffrl_ipv4 }}
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ix.dus -j TCPMSS --set-mss 1312
ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ix.dus -j TCPMSS --set-mss 1312
iptables -t nat -A POSTROUTING -o gre-bb-b.ak.ber -j SNAT --to-source {{ ffrl_ipv4 }}
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.ak.ber -j TCPMSS --set-mss 1312
ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.ak.ber -j TCPMSS --set-mss 1312
iptables -t nat -A POSTROUTING -o gre-bb-b.fra3.f -j SNAT --to-source {{ ffrl_ipv4 }}
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.fra3.f -j TCPMSS --set-mss 1312
ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.fra3.f -j TCPMSS --set-mss 1312
iptables -t nat -A POSTROUTING -o gre-bb-b.ix.dus -j SNAT --to-source {{ ffrl_ipv4 }}
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.ix.dus -j TCPMSS --set-mss 1312
ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.ix.dus -j TCPMSS --set-mss 1312

4
roles/20-install-openvpn/tasks/main.yml
View File

@ -1,4 +0,0 @@
- name: Install OpenVPN
apt: name={{ item }} state=latest update_cache=yes
with_items:
- openvpn

26
roles/21-install-oitc/tasks/main.yml Normal file
View File

@ -0,0 +1,26 @@
- name: Repo Key Import
ansible.builtin.shell: curl https://packages.openitcockpit.io/repokey.txt | sudo apt-key add
- name: Add specified repository into sources list
ansible.builtin.apt_repository:
repo: deb https://packages.openitcockpit.io/openitcockpit-agent/deb/stable deb main
state: present
- name: Install Wireguard
apt: name={{ item }} state=latest update_cache=yes
with_items:
- openitcockpit-agent
- name: Copy Config File
ansible.builtin.template:
src: oitc.ini.j2
dest: /etc/openitcockpit-agent/config.ini
owner: root
group: root
mode: '0775'
- name: Restart service httpd, in all cases
ansible.builtin.service:
name: openitcockpit-agent
state: restarted

177
roles/21-install-oitc/templates/oitc.ini.j2 Normal file
View File

@ -0,0 +1,177 @@
[default]
#
# This is the configuration file for the openITCOCKPIT Monitoring Agent 3.x
# Notice: Empty values will not been ignored! If you want to disable an option like proxy comment it out!
#########################
# Web Server #
#########################
# Bind address of the build-in web server
# Use 0.0.0.0 to bind on all interfaces
address = 0.0.0.0
# Port of the Agents build-in web server
# Default port is 3333
port = 3333
#########################
# Security Settings #
#########################
# Try to enable auto ssl mode for webserver
try-autossl = True
# File paths used to store autossl related files (default: /etc/openitcockpit-agent/):
# Leave this blank to use the default values
# Example: /etc/openitcockpit-agent/agent.csr
#autossl-csr-file =
# Example: /etc/openitcockpit-agent/agent.crt
#autossl-crt-file =
# Example: /etc/openitcockpit-agent/agent.key
#autossl-key-file =
# Example: /etc/openitcockpit-agent/server_ca.crt
#autossl-ca-file =
# If a certificate file is given, the agent will only be accessible through HTTPS
# Instead of messing around with self-signed certificates we recommend to use the autossl feature.
# Example: /etc/ssl/certs/ssl-cert-snakeoil.pem
#certfile = /etc/ssl/certs/ssl-cert-snakeoil.pem
# Private key file of the given TLS certificate
# Example: /etc/ssl/private/ssl-cert-snakeoil.key
#keyfile = /etc/ssl/private/ssl-cert-snakeoil.key
# Enable remote read and write access to the current agent configuration (this file) and
# the customchecks config
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# ! WARNING: This could lead to remote code execution !
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
config-update-mode = False
# Enable HTTP Basic Authentication
# Example: auth = user:password
#auth = user:password
#########################
# Checks #
#########################
# Determines in seconds how often the agent will schedule all internal checks
interval = 30
# Remote Plugin Execution
# Path to config will where custom checks can be defined
# Comment to use the default value
#
# Linux: /etc/openitcockpit-agent/customchecks.ini
# Windows: C:\Program Files\it-novum\openitcockpit-agent\customchecks.ini
# macOS: /Applications/openitcockpit-agent/customchecks.ini
#customchecks = /etc/openitcockpit-agent/customchecks.ini
#########################
# Enable/Disable checks #
#########################
# Enable CPU monitoring
cpustats = True
# Enable memory monitoring
memory = True
# Enable Swap monitoring
swap = True
# Enable monitoring of running processes
processstats = True
# Enable monitoring of network interfaces
netstats = True
# Enable monitoring of the traffic (I/O) of network interfaces
netio = True
# Enable disk usage monitoring
diskstats = True
# Enable monitoring of disk I/O
diskio = True
# Enable monitoring of Systemd Services (Linux only)
systemdservices = True
# Enable monitoring of Launchd Services (macOS only)
launchdservices = True
# Enable monitoring of Windows Services (Windows only)
winservices = True
# Enable monitoring of Windows Event Log records (Windows only)
wineventlog = False
# Determines how the openITCOCKPIT Monitoring Agent should query the Windows Event Log.
# Since Version 3.0.9 WMI (Windows Management Instrumentation) will be used by default
# As alternative the Agent could use the PowerShell Get-EventLog cmdlet.
# The WMI method will maybe memory leak on Windows Server 2016. The PowerShell workaround
# on the other hand could lead to blue screens (OA-40).
wineventlog-method = WMI
#wineventlog-method = PowerShell
# Define comma separated windows event log log types
# Event Logs containing spaces DO NOT need to be quoted: Security,Sophos Cloud AD Sync,Application
wineventlog-logtypes = System,Application,Security
# Enable monitoring of temperature and battery sensors
sensorstats = True
# Enable support to monitor Docker containers
# Known issues: Error response from daemon: client version 1.41 is too new. Maximum supported API version is 1.40
# Workaround: export DOCKER_API_VERSION=1.40
dockerstats = False
# Check KVMs through libvirt
# This requires to complie the openITCOCKPIT Monitoring Agent by yourself.
# Please see the Wiki for instructions: https://github.com/it-novum/openitcockpit-agent-go/wiki/Build-binary
libvirt = True
# Enable logged in users check
userstats = True
#########################
# Push mode #
#########################
# By default openITCOCKPIT will pull check results from the openITCOCKPIT Agent.
# In a cloud environments or behind a NAT network it could become handy
# if the openITCOCKPIT Monitoring Agent will push the results to your openITCOCKPIT Server
[oitc]
# Enable Push Mode
enabled = False
# This option disables the webserver of the openITCOCKPIT Monitoring Agent when running in PUSH mode.
# When you also want to enable the Webserver even if the agent is running in PUSH mode we highly recommend
# to enable HTTP Basic Authentication and to use the certfile and keyfile options to enable HTTPS
enable-webserver = False
# Address of your openITCOCKPIT Server where the Agent will push the results to
# Example: https://demo.openitcockpit.io
url =
# Enable this option when your openITCOCKPIT server uses valid TLS certificates
# like from Let's Encrypt
verify-server-certificate = False
# Timeout in seconds for the HTTP push client
timeout = 10
# API-Key of your openITCOCKPIT Server
apikey =
# Address of HTTP/HTTPS Proxy if required.
# Comment to disable
# Example: http://10.10.1.10:3128
#proxy = http://10.10.1.10:3128

7
roles/40-vyos-system/tasks/main.yml Normal file
View File

@ -0,0 +1,7 @@
---
- name: Set Vyos Hostname
vyos.vyos.vyos_hostname:
config:
hostname: "{{ inventory_hostname }}"
state: merged

14
roles/41-vyos-interfaces/tasks/main.yml Normal file
View File

@ -0,0 +1,14 @@
---
- name: Create Local Interfaces
vyos.vyos.vyos_l3_interfaces:
config:
- name: eth0
ipv4:
- address: "{{ wan_address }}"
- name: eth1
ipv4:
- address: "{{ local_address }}"
- name: lo
- address: "{{ ffrl_address }}"
state: merged

10
system-setup.yml
View File

@ -1,16 +1,14 @@
# ansible-playbook -i hosts.yml -u root system-setup.yml
# ansible-playbook -i hosts.yml system-setup.yml
- name: System preperation
hosts: supernodes
roles:
- 00-system-set-hostname
- 00-create-sudo-user
- 00-system-set-network
- 00-system-set-bird
- 01-system-set-networking
- 01-system-install-packages
- 11-create-cronjob
- name: System preperation
hosts: vpn-offloader
roles:
# - 20-install-openvpn
- 21-install-wireguard
- 21-install-wireguard
- 21-install-oitc

17
update_wg.yml Normal file
View File

@ -0,0 +1,17 @@
# ansible-playbook -i hosts.yml -u root system-setup.yml
- name: System preperation
hosts: supernodes
roles:
- 00-system-set-hostname
- 00-create-sudo-user
- 00-system-set-network
- 00-system-set-bird
- 01-system-install-packages
- 11-create-cronjob
- name: System preperation
hosts: vpn-offloader
roles:
# - 20-install-openvpn
- 21-install-wireguard
- 21-install-oitc

72
vpn01.md Normal file
View File

@ -0,0 +1,72 @@
vpn02
# Supernode mit direkter VPN Ausleitung
Ausleitung über das FFRL Backbone.
Supernode Config:
- GRE-Tunnel zum FFRL Backbone
- VPN per Wireguard
- NAT auf VPN Routern
## Adressbereiche:
Supernode: 10.255.1.1/32
VPN01: 10.255.1.2/32, Client: 10.1.0.0/16
VPN02: 10.255.1.3/32, Client: 10.2.0.0/16
VPN03: 10.255.1.4/32, Client: 10.3.0.0/16
etc.
## ER-X Stock Firmware Config:
> Vor der Installation:
> - eth0 als DHCP Client
> - eth1-4 auf den Switch
> - Switch mit DHCP Server einrichten. Adressbereich aus Tabelle beachten!
## Install Wireguard
cd /tmp
curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
## Generate Keys
cd /config/auth
wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public
cat wg.public
cat wg.key
## Config ER-X
configure
## Wireguard
set interfaces wireguard wg0 address 10.255.1.2/24
set interfaces wireguard wg0 address fd80:3ea2:e399:203a::2/64
set interfaces wireguard wg0 listen-port 51822
set interfaces wireguard wg0 route-allowed-ips false
set interfaces wireguard wg0 persistent-keepalive 25
set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 7.fftdf.de:42001
set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0
set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips ::0/0
set interfaces wireguard wg0 private-key /config/auth/wg.key
## Firewall for Wireguard
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 protocol udp
set firewall name WAN_LOCAL rule 20 description 'WireGuard'
set firewall name WAN_LOCAL rule 20 destination port 51821
set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
set firewall group network-group LAN-VPN network 10.1.0.0/16
set firewall group network-group RFC1918 network 10.0.0.0/8
set firewall group network-group RFC1918 network 172.16.0.0/12
set firewall group network-group RFC1918 network 192.168.0.0/16
set firewall group network-group RFC1918 network 169.254.0.0/16
set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
set firewall modify VPN_TDF7 rule 100 action modify
set firewall modify VPN_TDF7 rule 100 description 'Route traffic from group LAN-VPN through VPN-TDF7 table'
set firewall modify VPN_TDF7 rule 100 modify table 2
set firewall modify VPN_TDF7 rule 100 source group network-group LAN-VPN
set interfaces switch switch0 firewall in modify VPN_TDF7
## NAT einrichten
set service nat rule 5010 description 'masquerade for VPN'
set service nat rule 5010 outbound-interface wg0
set service nat rule 5010 type masquerade
set service nat rule 5010 protocol all
## Speichern
commit ; save

72
vpn02.md Normal file
View File

@ -0,0 +1,72 @@
vpn02
# Supernode mit direkter VPN Ausleitung
Ausleitung über das FFRL Backbone.
Supernode Config:
- GRE-Tunnel zum FFRL Backbone
- VPN per Wireguard
- NAT auf VPN Routern
## Adressbereiche:
Supernode: 10.255.1.1/32
VPN01: 10.255.1.2/32, Client: 10.1.0.0/16
VPN02: 10.255.1.3/32, Client: 10.2.0.0/16
VPN03: 10.255.1.4/32, Client: 10.3.0.0/16
etc.
## ER-X Stock Firmware Config:
> Vor der Installation:
> - eth0 als DHCP Client
> - eth1-4 auf den Switch
> - Switch mit DHCP Server einrichten. Adressbereich aus Tabelle beachten!
## Install Wireguard
cd /tmp
curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
## Generate Keys
cd /config/auth
wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public
cat wg.public
cat wg.key
## Config ER-X
configure
## Wireguard
set interfaces wireguard wg0 address 10.255.1.3/24
set interfaces wireguard wg0 address fd80:3ea2:e399:203a::3/64
set interfaces wireguard wg0 listen-port 51821
set interfaces wireguard wg0 route-allowed-ips false
set interfaces wireguard wg0 persistent-keepalive 25
set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 7.fftdf.de:42001
set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0
set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips ::0/0
set interfaces wireguard wg0 private-key /config/auth/wg.key
## Firewall for Wireguard
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 protocol udp
set firewall name WAN_LOCAL rule 20 description 'WireGuard'
set firewall name WAN_LOCAL rule 20 destination port 51821
set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
set firewall group network-group LAN-VPN network 10.2.0.0/16
set firewall group network-group RFC1918 network 10.0.0.0/8
set firewall group network-group RFC1918 network 172.16.0.0/12
set firewall group network-group RFC1918 network 192.168.0.0/16
set firewall group network-group RFC1918 network 169.254.0.0/16
set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
set firewall modify VPN_TDF7 rule 100 action modify
set firewall modify VPN_TDF7 rule 100 description 'Route traffic from group LAN-VPN through VPN-TDF7 table'
set firewall modify VPN_TDF7 rule 100 modify table 2
set firewall modify VPN_TDF7 rule 100 source group network-group LAN-VPN
set interfaces switch switch0 firewall in modify VPN_TDF7
## NAT einrichten
set service nat rule 5010 description 'masquerade for VPN'
set service nat rule 5010 outbound-interface wg0
set service nat rule 5010 type masquerade
set service nat rule 5010 protocol all
## Speichern
commit ; save

72
vpn03.md Normal file
View File

@ -0,0 +1,72 @@
vpn03
# Supernode mit direkter VPN Ausleitung
Ausleitung über das FFRL Backbone.
Supernode Config:
- GRE-Tunnel zum FFRL Backbone
- VPN per Wireguard
- NAT auf VPN Routern
## Adressbereiche:
Supernode: 10.255.1.1/32
VPN01: 10.255.1.2/32, Client: 10.1.0.0/16
VPN02: 10.255.1.3/32, Client: 10.2.0.0/16
VPN03: 10.255.1.4/32, Client: 10.3.0.0/16
etc.
## ER-X Stock Firmware Config:
> Vor der Installation:
> - eth0 als DHCP Client
> - eth1-4 auf den Switch
> - Switch mit DHCP Server einrichten. Adressbereich aus Tabelle beachten!
## Install Wireguard
cd /tmp
curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
## Generate Keys
cd /config/auth
wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public
cat wg.public
cat wg.key
## Config ER-X
configure
## Wireguard
set interfaces wireguard wg0 address 10.255.1.4/24
set interfaces wireguard wg0 address fd80:3ea2:e399:203a::4/64
set interfaces wireguard wg0 listen-port 51821
set interfaces wireguard wg0 route-allowed-ips false
set interfaces wireguard wg0 persistent-keepalive 25
set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 7.fftdf.de:42001
set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0
set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips ::0/0
set interfaces wireguard wg0 private-key /config/auth/wg.key
## Firewall for Wireguard
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 protocol udp
set firewall name WAN_LOCAL rule 20 description 'WireGuard'
set firewall name WAN_LOCAL rule 20 destination port 51821
set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
set firewall group network-group LAN-VPN network 10.3.0.0/16
set firewall group network-group RFC1918 network 10.0.0.0/8
set firewall group network-group RFC1918 network 172.16.0.0/12
set firewall group network-group RFC1918 network 192.168.0.0/16
set firewall group network-group RFC1918 network 169.254.0.0/16
set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
set firewall modify VPN_TDF7 rule 100 action modify
set firewall modify VPN_TDF7 rule 100 description 'Route traffic from group LAN-VPN through VPN-TDF7 table'
set firewall modify VPN_TDF7 rule 100 modify table 2
set firewall modify VPN_TDF7 rule 100 source group network-group LAN-VPN
set interfaces switch switch0 firewall in modify VPN_TDF7
## NAT einrichten
set service nat rule 5010 description 'masquerade for VPN'
set service nat rule 5010 outbound-interface wg0
set service nat rule 5010 type masquerade
set service nat rule 5010 protocol all
## Speichern
commit ; save