From 5864ead4b8219977e5d871d61e104dfa99a7b46c Mon Sep 17 00:00:00 2001 
From: Stefan Date: Mon, 6 Feb 2023 23:13:32 +0100 Subject: [PATCH] Toller Commit --- .DS_Store | Bin 6148 -> 6148 bytes conf.conf | 338 ++++++++++++++++++ host_vars/router4.yml | 3 + host_vars/troisdorf7.yml | 25 -- host_vars/troisdorf7/vars.yml | 41 +++ host_vars/troisdorf7/vault.yml | 9 + hosts.yml | 30 +- readme.md | 7 - roles/00-system-set-bird/tasks/main.yml | 15 - .../00-system-set-bird/templates/bird.conf.j2 | 93 ----- .../templates/bird6.conf.j2 | 89 ----- roles/00-system-set-network/tasks/main.yml | 20 -- .../tasks/templates/01-ffrl-gre.yaml.j2 | 62 ---- .../01-system-install-packages/tasks/main.yml | 33 +- roles/01-system-set-networking/tasks/main.yml | 26 ++ roles/11-create-cronjob/tasks/main.yml | 16 - .../templates/sn_startup.sh.j2 | 58 --- roles/20-install-openvpn/tasks/main.yml | 4 - roles/21-install-oitc/tasks/main.yml | 26 ++ roles/21-install-oitc/templates/oitc.ini.j2 | 177 +++++++++ roles/40-vyos-system/tasks/main.yml | 7 + roles/41-vyos-interfaces/tasks/main.yml | 14 + system-setup.yml | 10 +- update_wg.yml | 17 + vpn01.md | 72 ++++ vpn02.md | 72 ++++ vpn03.md | 72 ++++ 27 files changed, 901 insertions(+), 435 deletions(-) create mode 100644 conf.conf create mode 100644 host_vars/router4.yml delete mode 100644 host_vars/troisdorf7.yml create mode 100644 host_vars/troisdorf7/vars.yml create mode 100644 host_vars/troisdorf7/vault.yml delete mode 100644 roles/00-system-set-bird/tasks/main.yml delete mode 100644 roles/00-system-set-bird/templates/bird.conf.j2 delete mode 100644 roles/00-system-set-bird/templates/bird6.conf.j2 delete mode 100644 roles/00-system-set-network/tasks/main.yml delete mode 100644 roles/00-system-set-network/tasks/templates/01-ffrl-gre.yaml.j2 create mode 100644 roles/01-system-set-networking/tasks/main.yml delete mode 100644 roles/11-create-cronjob/tasks/main.yml delete mode 100644 roles/11-create-cronjob/templates/sn_startup.sh.j2 delete mode 100644 roles/20-install-openvpn/tasks/main.yml create mode 100644 
roles/21-install-oitc/tasks/main.yml create mode 100644 roles/21-install-oitc/templates/oitc.ini.j2 create mode 100644 roles/40-vyos-system/tasks/main.yml create mode 100644 roles/41-vyos-interfaces/tasks/main.yml create mode 100644 update_wg.yml create mode 100644 vpn01.md create mode 100644 vpn02.md create mode 100644 vpn03.md diff --git a/.DS_Store b/.DS_Store index 43d83e341cf680310df007ac20160faa83a4b2e1..060efa99d78232597ec74be949650b0a00b383fc 100644 GIT binary patch delta 32 ocmZoMXfc@J&&awlU^gQp>t-INZpO{Wm>pRrHt26==lIJH0H!AjEdT%j delta 61 zcmZoMXfc@J&&akhU^gQp+h!i7Zbo?)hBAgkh9ZVy&z$_^q@4UD1_lNJAYKo|lmGwU O+`}BmvYDOZFFyeL6%iT$ diff --git a/conf.conf b/conf.conf new file mode 100644 index 0000000..ed30c67 --- /dev/null +++ b/conf.conf 
@@ -0,0 +1,338 @@ +interfaces { + ethernet eth0 { + address 5.9.220.113/29 + description WAN + } + ethernet eth1 { + address 172.16.7.1/24 + description "Freifunk WAN" + } + loopback lo { + address 185.66.193.107/32 + } + tunnel tun0 { + address 100.64.6.25/31 + address 2a03:2260:0:30c::2/64 + description gre_bb_a_ak_ber + encapsulation gre + remote 185.66.195.0 + source-address 5.9.220.113 + } + tunnel tun1 { + address 100.64.6.31/31 + address 2a03:2260:0:30f::2/64 + description gre_bb_b_ak_ber + encapsulation gre + remote 185.66.195.1 + source-address 5.9.220.113 + } + tunnel tun2 { + address 100.64.6.29/31 + address 2a03:2260:0:30e::2/64 + description gre_bb_a_ix_dus + encapsulation gre + remote 185.66.193.0 + source-address 5.9.220.113 + } + tunnel tun3 { + address 100.64.6.35/31 + address 2a03:2260:0:311::2/64 + description gre_bb_b_ix_dus + encapsulation gre + remote 185.66.193.1 + source-address 5.9.220.113 + } + tunnel tun4 { + address 100.64.6.27/31 + address 2a03:2260:0:30d::2/64 + description gre_bb_a_fra3_f + encapsulation gre + remote 185.66.194.0 + source-address 5.9.220.113 + } + tunnel tun5 { + address 100.64.6.33/31 + address 2a03:2260:0:310::2/64 + description gre-bb-b.fra3.f + encapsulation gre + remote 185.66.194.1 + source-address 5.9.220.113 + } +} +nat { + destination { + rule 1 { + description "Allow SSH to VPN-01 Port 2222" + destination { + address 185.66.193.107/32 + port 2222 + } + inbound-interface any + protocol tcp + translation { + address 172.16.7.2 + port 22 + } + } + rule 2 { + description "Wireguard VPN-01 42001" + destination { + address 185.66.193.107 + port 42001 + } + inbound-interface any + protocol udp + translation { + address 172.16.7.2 + } + } + } + source { + rule 1 { + outbound-interface any + source { + address 172.16.7.0/24 + } + translation { + address 185.66.193.107 + } + } + } +} +policy { + local-route { + rule 10 { + set { + table 42 + } + source 5.9.220.113 + } + } + prefix-list FFRL-IN { + rule 10 { + action 
permit + prefix 0.0.0.0/0 + } + } + prefix-list FFRL-OUT { + rule 10 { + action permit + prefix 185.66.193.107/32 + } + } + route-map FFRL-IN { + rule 10 { + action permit + match { + ip { + address { + prefix-list FFRL-IN + } + } + } + } + } + route-map FFRL-OUT { + rule 10 { + action permit + match { + ip { + address { + prefix-list FFRL-OUT + } + } + } + } + } +} +protocols { + bgp { + address-family { + ipv4-unicast { + network 185.66.193.107/32 { + } + } + } + neighbor 100.64.6.24 { + address-family { + ipv4-unicast { + route-map { + export FFRL-OUT + import FFRL-IN + } + } + } + description ffrl_bb_a_ak_ber + remote-as 201701 + update-source 100.64.6.25 + } + neighbor 100.64.6.26 { + address-family { + ipv4-unicast { + route-map { + export FFRL-OUT + import FFRL-IN + } + } + } + description ffrl_bb_a_fra3_fra + remote-as 201701 + update-source 100.64.6.27 + } + neighbor 100.64.6.28 { + address-family { + ipv4-unicast { + route-map { + export FFRL-OUT + import FFRL-IN + } + } + } + description ffrl_bb_a_ix_dus + remote-as 201701 + update-source 100.64.6.29 + } + neighbor 100.64.6.30 { + address-family { + ipv4-unicast { + route-map { + export FFRL-OUT + import FFRL-IN + } + } + } + description ffrl_bb_b_ak_ber + remote-as 201701 + update-source 100.64.6.31 + } + neighbor 100.64.6.32 { + address-family { + ipv4-unicast { + route-map { + export FFRL-OUT + import FFRL-IN + } + } + } + description ffrl_bb_b_fra3_fra + remote-as 201701 + update-source 100.64.6.33 + } + neighbor 100.64.6.34 { + address-family { + ipv4-unicast { + route-map { + export FFRL-OUT + import FFRL-IN + } + } + } + description ffrl_bb_b_ix_dus + remote-as 201701 + update-source 100.64.6.35 + } + parameters { + router-id 10.188.255.7 + } + system-as 65066 + } + static { + table 42 { + route 0.0.0.0/0 { + next-hop 5.9.220.112 { + } + } + } + } +} +service { + dhcp-server { + listen-address 172.16.7.1 + shared-network-name freifunk { + subnet 172.16.7.0/24 { + default-router 172.16.7.1 + 
name-server 1.1.1.1 + name-server 1.0.0.1 + range dhcp { + start 172.16.7.10 + stop 172.16.7.200 + } + static-mapping vpn-01 { + ip-address 172.16.7.2 + mac-address 36:f3:82:18:9b:03 + } + } + } + } + ntp { + allow-client { + address 0.0.0.0/0 + address ::/0 + } + server time1.vyos.net { + } + server time2.vyos.net { + } + server time3.vyos.net { + } + } + ssh { + port 22 + } +} +system { + config-management { + commit-revisions 100 + } + conntrack { + modules { + ftp + h323 + nfs + pptp + sip + sqlnet + tftp + } + } + console { + device ttyS0 { + speed 115200 + } + } + host-name 7.fftdf.de + login { + banner { + post-login "Welcome to the core Freifunk Router for Troisdorf!\n\nEnjoy it while you are here!\n" + } + user vyos { + authentication { + encrypted-password $6$WJiQoTPHLN8qj3s2$3vPtbSA48u8axMRDuOTaH4Hzg6kUuUJ8rkNuuSBacLfJ3YKRhDu5q4hxyhYr22n9F7E5NtovDM3A1.Ahpralf0 + plaintext-password "" + public-keys nils { + key AAAAB3NzaC1yc2EAAAADAQABAAACAQCvwA3/NDj7Oo28Q1XdRIgOp//35gFVvsDa1dnMkgRDqJYvlIDbRiQ+UIcgu5YhstPb8BAxfvqjRP4rnMKc7v69T2Lp+HOMx+1sOYrznEe2hC5lPr4+U1u4Fzqhq/keSoItifmdTgrE+01Zc5jMBosUIm79TDgEMuEGcYVJIyAzDv9ez4u+Bz/HubRO+qT/+UmOICEg9m/C+fiH/ZAJHi90dMsj7RF5YXrRHXTAdiecurwGAZx2Adug1fFTvzB1pqBUHje1PFtEI+LheYklpNtiJo8NQ2KDEiavSxBibJrywzQHaddf0bkeAhmiNY8PRoMpMNeiu94DyNFWgdm7bLzdzrN/o5U7MlnJlcn8D1tLtdp0ngTxaN6VIywI8mQ/Ukxz8p2Ce49vu6osz4CvYhKx4mrvOSmqg9VjKcL6/rIwK7y5CWgIrddktxrSpUHXkzoQSefgZ5Bnu3CNp0GixWV5JTHnFxCulJAGi3TTqx7IvsJ8gpuKkeGnIgnDhFbqVOKeEEnR13tTCJ7MgPQ+VHREQ68u73a5TfDxJd/ggnG4tQ67HOcqxwa74+X1lv7YiJ3AvbrR7FFPNM3o5N8ZmZWhBLDaUHrjElHkZdB/V2l2bCblWhD0INCYoskuK1dFGdf3gQQeKOivGzKtzI0xNKutrxfvarkikxCEV3Exj889rQ== + type ssh-rsa + } + public-keys stefan { + key 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDM0d9uUUdkK80fYEAz+IwxbhQO2qsr87Q4uxxwqQCvjVWryL+IuKMBJJGroWDMz2d9UJcIXEYdMz4436U0DoPJuoXe5iDsVvum3Vz3276My+tqx1bZWCktPa8Isft7mO/wfELNjRNQduUiwh2y712s7/3GQI+5Rs/65HuLHTnpLKrlfptqmsmYw+IUFDzGwBLJ6sqP90ywjKkperPCAH3IWcTsQwnW3EJFPToMg6BrQslZlxx/z+co3e6jCWzUuuIRP9jp4SmNVfYaVGb1cOFdL1p1P0qWHBHdGUnXHZ+c773VKVSj+spUBxKGqNC1EhRCYTsPDLVrYrhKl2BRLcgB
+ type ssh-rsa
+ }
+ }
+ }
+ }
+ syslog {
+ global {
+ facility all {
+ level info
+ }
+ facility protocols {
+ level debug
+ }
+ }
+ }
+}
+
+
+// Warning: Do not remove the following line.
+// vyos-config-version: "bgp@3:broadcast-relay@1:cluster@1:config-management@1:conntrack@3:conntrack-sync@2:container@1:dhcp-relay@2:dhcp-server@6:dhcpv6-server@1:dns-forwarding@3:firewall@9:flow-accounting@1:https@4:ids@1:interfaces@26:ipoe-server@1:ipsec@11:isis@2:l2tp@4:lldp@1:mdns@1:monitoring@1:nat@5:nat66@1:ntp@2:openconnect@2:ospf@1:policy@5:pppoe-server@6:pptp@2:qos@2:quagga@10:rpki@1:salt@1:snmp@3:ssh@2:sstp@4:system@25:vrf@3:vrrp@3:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2"
+// Release version: 1.4-rolling-202302041536
diff --git a/host_vars/router4.yml b/host_vars/router4.yml
new file mode 100644
index 0000000..4697e73
--- /dev/null
+++ b/host_vars/router4.yml
@@ -0,0 +1,3 @@
+wan_address: 5.9.220.113/29
+local_address: 172.16.7.1/24
+ffrl_address: 185.66.193.107/32
\ No newline at end of file
diff --git a/host_vars/troisdorf7.yml b/host_vars/troisdorf7.yml
deleted file mode 100644
index 8945699..0000000
--- a/host_vars/troisdorf7.yml
+++ /dev/null
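Review bot: The `user vyos { authentication { encrypted-password $6$… } }` line in the `system login` block commits the router admin's SHA-512 crypt hash in clear to the repository, where it stays in history and is exposed to offline guessing; the same commit already introduces `host_vars/troisdorf7/vault.yml` for secrets, so the hash (and preferably this whole `conf.conf` dump) belongs there or outside version control, and the password should be rotated now that the hash has been pushed. The config has no `firewall` stanza at all, while `service ssh { port 22 }` and `service ntp { allow-client { address 0.0.0.0/0 … ::/0 } }` are enabled on a box with a public address on `eth0`, so SSH and NTP are reachable from anywhere and NTP can be abused as a reflector; I would limit NTP to the ranges the config itself uses, e.g. `allow-client { address 172.16.7.0/24 address 10.255.1.0/24 }`, and add a WAN-local rule set before this goes live. `.DS_Store` and `conf.conf` at the repo root look like an accidental `git add .`; a `.gitignore` entry for `.DS_Store` would stop that recurring.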
@@ -1,25 +0,0 @@ -wireguard_unmanaged_peers: - vpn1-testing: - public_key: zaxk4sSdmg/NBnjdLaslBA6sljpeW0RPWX00tKq2bnI= - allowed_ips: 10.255.1.2/32, 10.1.0.0/16, fd80:3ea2:e399:203a::2/128, 2a03:2260:121:7001::/64 - persistent_keepalive: 25 - vpn2-lindenstr-sh07: - public_key: 8wsck5Ek7cQ+YbktuUzB2xBAzzeH/ou2QOR4Ou5B6zs= - allowed_ips: 10.255.1.3/32, 10.2.0.0/16, fd80:3ea2:e399:203a::3/128, 2a03:2260:121:7002::/64 - persistent_keepalive: 25 -# vpn2-stefan: -# public_key: NvJKN6xorzvwL7NhMoY2bEwpDVTl9Ob/1gx9g8tHfic= -# allowed_ips: 10.255.1.3/32, 10.2.0.0/16 -# persistent_keepalive: 25 -# vpn3-empty: -# public_key: pwD87EgTk8fGctR1Cz6/DfwGuzTg8VO2YC2CM58Sdlw= -# allowed_ips: 10.255.1.2/32, 10.1.0.0/16 -# persistent_keepalive: 25 -# vpn4-empty: -# public_key: N54OfQCIQGbPltC4sq/1gvV/2UXFKcQAti9ORNvlFxA= -# allowed_ips: 10.255.1.2/32, 10.1.0.0/16 -# persistent_keepalive: 25 -# vpn5-empty: -# public_key: sKi7h1W89XEe9tzxbXbev3oHBoS0VOLXFFLvwQZ+wAM= -# allowed_ips: 10.255.1.2/32, 10.1.0.0/16 -# persistent_keepalive: 25 \ No newline at end of file diff --git a/host_vars/troisdorf7/vars.yml b/host_vars/troisdorf7/vars.yml new file mode 100644 index 0000000..da2e1ed --- /dev/null +++ b/host_vars/troisdorf7/vars.yml 
@@ -0,0 +1,41 @@
+###
+### Ansible
+###
+ansible_host: 185.66.193.107
+ansible_port: 2222
+ansible_ssh_user: root
+ansible_python_interpreter: /usr/bin/python3
+
+###
+### Vars
+###
+internal_network: "10.255.1.0/24"
+
+###
+### Wireguard
+###
+
+wireguard_address: "10.255.1.1/24, fd80:3ea2:e399:203a::1/64"
+wireguard_port: 42001
+
+wireguard_unmanaged_peers:
+ vpn1-testing:
+ public_key: dEqGBiASx0gY1T/m4chRkeWhF+4XmzmjLKLXXbe+rmg=
+ allowed_ips: 10.255.1.2/32, 10.1.0.0/16, fd80:3ea2:e399:203a::2/128
+ persistent_keepalive: 25
+ vpn2-lindenstr-h07:
+ public_key: VglVuinIYJOE3UNZxhFRCHwD7WtiVg83u/cp3modw0k=
+ allowed_ips: 10.255.1.3/32, 10.2.0.0/16, fd80:3ea2:e399:203a::3/128
+ persistent_keepalive: 25
+ vpn3-lindenstr-h01:
+ public_key: jWTWrLtxb19TkThXLmUs+kqelo27zb9XfcDQFPGVWxs=
+ allowed_ips: 10.255.1.4/32, 10.3.0.0/16, fd80:3ea2:e399:203a::4/128
+ persistent_keepalive: 25
+ vpn4-nils:
+ public_key: Z9kn/JvtCcTs2ok8z7Ci3E+dy6Hb/lnUNre4X8xWCjg=
+ allowed_ips: 10.255.1.5/32, 10.4.0.0/16, fd80:3ea2:e399:203a::5/128
+ persistent_keepalive: 25
+ vpn5-stefan:
+ public_key: UHaYitx18sO71Ssk2SVUgdjLaAILbCthCmosU+Fs5Es=
+ allowed_ips: 10.255.1.6/32, 10.5.0.0/16, fd80:3ea2:e399:203a::6/128
+ persistent_keepalive: 25
\ No newline at end of file
diff --git a/host_vars/troisdorf7/vault.yml b/host_vars/troisdorf7/vault.yml
new file mode 100644
index 0000000..963615a
--- /dev/null
+++ b/host_vars/troisdorf7/vault.yml
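Review bot: `ansible_ssh_user: root` uses the legacy variable name; the inventory block this commit removes from `hosts.yml` used `ansible_user`, which is the current name (`ansible_ssh_user` is deprecated), so write `ansible_user: root` here for consistency. `ansible_host: 185.66.193.107` with `ansible_port: 2222` only works because of destination NAT rule 1 in the router's `conf.conf`; a comment such as `# reached through router4 DNAT 185.66.193.107:2222 -> 172.16.7.2:22` would spare the next maintainer that lookup. Keeping only WireGuard public keys in this file is the right split; the private key presumably lives in the adjacent `vault.yml`.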
@@ -0,0 +1,9 @@ +$ANSIBLE_VAULT;1.1;AES256 +31653333646534336164323064616261666365636438363761663837663635613333386165313962 +3732656532643062333235366564333633623937353335650a343334393265316131313935363337 +61323339356237646631303039646132663161623739393130383338383339373063373566666330 +3463346562336166340a313562613835386431613636303637626133346433393630623837646236 +66633239393134336539346430343965383339653061633463653864653834633862353861663432 +39633663663833373264623138376431353437623765643530373266643539616231376162663831 +33643334323861653564333739376561306462316561336531656663396134336635666639343433 +38613630313731343736 diff --git a/hosts.yml b/hosts.yml index f7a1b2b..33b5466 100644 --- a/hosts.yml +++ b/hosts.yml @@ -5,32 +5,14 @@ ###################### all: children: + router: + children: + ffrl-uplink: + hosts: + r4.fftdf.de: supernodes: children: vpn-offloader: hosts: - # tdf7 troisdorf7: - #TDF (alt) - #ansible_host: 93.241.53.100 - ansible_host: 5.9.220.113 - ansible_user: root - ansible_python_interpreter: /usr/bin/python3 - ffrl_ipv4: 185.66.193.107 - ffrl_ipv6: 2a03:2260:121:7000::107 - ffrl_ipv6_net: "2a03:2260:121:7000::" - ffrl_router_id: 10.188.255.7 - gre_bb_a_ak_ber_ipv4: 100.64.6.25 - gre_bb_b_ak_ber_ipv4: 100.64.6.31 - gre_bb_a_ix_dus_ipv4: 100.64.6.29 - gre_bb_b_ix_dus_ipv4: 100.64.6.35 - gre_bb_a_fra3_f_ipv4: 100.64.6.27 - gre_bb_b_fra3_f_ipv4: 100.64.6.33 - gre_bb_a_ak_ber_ipv6: 2a03:2260:0:30c::2 - gre_bb_b_ak_ber_ipv6: 2a03:2260:0:30f::2 - gre_bb_a_ix_dus_ipv6: 2a03:2260:0:30e::2 - gre_bb_b_ix_dus_ipv6: 2a03:2260:0:311::2 - gre_bb_a_fra3_f_ipv6: 2a03:2260:0:30d::2 - gre_bb_b_fra3_f_ipv6: 2a03:2260:0:310::2 - wireguard_address: "10.255.1.1/24, fd80:3ea2:e399:203a::1/64" - wireguard_port: 42001 + \ No newline at end of file diff --git a/readme.md b/readme.md index 5fb9532..d8e3e89 100644 --- a/readme.md +++ b/readme.md 
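Review bot: The new inventory host under `router` / `ffrl-uplink` is named `r4.fftdf.de`, but its variables are added in `host_vars/router4.yml`; Ansible matches host_vars files by inventory hostname, so unless `router4` is an alias defined outside this diff, `wan_address`, `local_address` and `ffrl_address` will never apply to that host — rename the file to `host_vars/r4.fftdf.de.yml`, or name the host `router4:` with `ansible_host: r4.fftdf.de` beneath it. The hunk also replaces the old `troisdorf7` variable block with a whitespace-only line (the `+ ` just before `\ No newline at end of file`), leaving `troisdorf7:` as an empty mapping under `hosts:`; that is valid since the values now live in `host_vars/troisdorf7/vars.yml`, but the stray blank line should go.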
@@ -52,23 +52,16 @@ sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb set firewall name WAN_LOCAL rule 20 destination port 51821 set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default' set firewall group network-group LAN-VPN network 10.1.0.0/16 - set firewall group ipv6-network-group IPv6-VPN ipv6-network 2a03:2260:121:7001::/64 set firewall group network-group RFC1918 network 10.0.0.0/8 set firewall group network-group RFC1918 network 172.16.0.0/12 set firewall group network-group RFC1918 network 192.168.0.0/16 set firewall group network-group RFC1918 network 169.254.0.0/16 set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1 - set protocols static table 2 route6 ::/0 next-hop fd80:3ea2:e399:203a::1 set firewall modify VPN_TDF7 rule 100 action modify set firewall modify VPN_TDF7 rule 100 description 'Route traffic from group LAN-VPN through VPN-TDF7 table' set firewall modify VPN_TDF7 rule 100 modify table 2 set firewall modify VPN_TDF7 rule 100 source group network-group LAN-VPN - set firewall ipv6-modify IPv6-VPN_TDF7 rule 100 action modify - set firewall ipv6-modify IPv6-VPN_TDF7 rule 100 description 'Route traffic from group IPv6-VPN through IPv6-VPN-TDF7 table' - set firewall ipv6-modify IPv6-VPN_TDF7 rule 100 modify table 2 - set firewall ipv6-modify IPv6-VPN_TDF7 rule 100 source group ipv6-network-group IPv6-VPN set interfaces switch switch0 firewall in modify VPN_TDF7 - set interfaces switch switch0 firewall in modify IPv6-VPN_TDF7 ## NAT einrichten set service nat rule 5010 description 'masquerade for VPN' set service nat rule 5010 outbound-interface wg0 diff --git a/roles/00-system-set-bird/tasks/main.yml b/roles/00-system-set-bird/tasks/main.yml deleted file mode 100644 index 51f5346..0000000 --- a/roles/00-system-set-bird/tasks/main.yml +++ /dev/null 
@@ -1,15 +0,0 @@ -- name: Copy Bird Config - ansible.builtin.template: - src: bird.conf.j2 - dest: /etc/bird/bird.conf - owner: root - group: root - mode: '0644' - -- name: Copy Bird6 Config - ansible.builtin.template: - src: bird6.conf.j2 - dest: /etc/bird/bird6.conf - owner: root - group: root - mode: '0644' \ No newline at end of file diff --git a/roles/00-system-set-bird/templates/bird.conf.j2 b/roles/00-system-set-bird/templates/bird.conf.j2 deleted file mode 100644 index 036c1bb..0000000 --- a/roles/00-system-set-bird/templates/bird.conf.j2 +++ /dev/null 
@@ -1,93 +0,0 @@ -/* - * This is an example configuration file. - */ - -# Yes, even shell-like comments work... - -# Configure logging -#log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug }; -#log stderr all; -#log "tmp" all; -#log syslog all; - -#debug protocols all; - -# Override router ID -router id {{ ffrl_router_id }}; - - -protocol direct { - interface "*"; -}; - -protocol kernel { - device routes; - import all; - export all; - kernel table 42; -}; - -protocol device { - scan time 8; -}; - -function is_default() { - return (net ~ [0.0.0.0/0]); -}; - -# own network -function is_self_net() { - return (net ~ [ 10.188.0.0/16+ ]); -} - -# freifunk ip ranges in general -function is_freifunk() { - return net ~ [ 10.0.0.0/8+, - 104.0.0.0/8+ - ]; -} - -filter hostroute { - if net ~ {{ ffrl_ipv4 }}/32 then accept; - reject; -}; - -# Uplink über ff Rheinland -template bgp uplink { - local as 65066; - import where is_default(); - export filter hostroute; - next hop self; - multihop 64; - default bgp_local_pref 200; -}; - -protocol bgp ffrl_bb_a_ak_ber from uplink { - source address 100.64.6.25; - neighbor 100.64.6.24 as 201701; -}; - -protocol bgp ffrl_bb_b_ak_ber from uplink { - source address 100.64.6.31; - neighbor 100.64.6.30 as 201701; -}; - -protocol bgp ffrl_bb_a_ix_dus from uplink { - source address 100.64.6.29; - neighbor 100.64.6.28 as 201701; -}; - -protocol bgp ffrl_bb_b_ix_dus from uplink { - source address 100.64.6.35; - neighbor 100.64.6.34 as 201701; -}; - -protocol bgp ffrl_bb_a_fra3_fra from uplink { - source address 100.64.6.27; - neighbor 100.64.6.26 as 201701; -}; - -protocol bgp ffrl_bb_b_fra3_fra from uplink { - source address 100.64.6.33; - neighbor 100.64.6.32 as 201701; -}; diff --git a/roles/00-system-set-bird/templates/bird6.conf.j2 b/roles/00-system-set-bird/templates/bird6.conf.j2 deleted file mode 100644 index 8f096d7..0000000 --- a/roles/00-system-set-bird/templates/bird6.conf.j2 +++ /dev/null 
@@ -1,89 +0,0 @@ -# Configure logging -#log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug }; -#log stderr all; -#log "tmp" all; -#log syslog all; - -#debug protocols all; - -# Override router ID -router id {{ ffrl_router_id }}; - -protocol direct { - interface "bat0", "gre-*", "lo"; # Restrict network interfaces it works with - -} - - -protocol kernel { - device routes; - import all; - export all; # Default is export none - kernel table 42; # Kernel table to synchronize with (default: main) -} - -protocol device { - scan time 10; # Scan interfaces every 10 seconds -} - -function is_default() { - return (net ~ [::/0]); -} - -# own networks -function is_self_net() { -return net ~ [ fda0:747e:ab29:7405::/64+ ]; -} - -# freifunk ip ranges in general -function is_freifunk() { -return net ~ [ fc00::/7{48,64}, -2001:bf7::/32+]; -} - -filter hostroute { - if net ~ {{ ffrl_ipv6_net }}/52 then accept; - reject; -} - - - -# Uplink zum FF Rheinland -template bgp uplink { - local as 65066; - import where is_default(); - export filter hostroute; - gateway recursive; -} - - -protocol bgp ffrl_bb_a_ak_ber from uplink { - source address 2a03:2260:0:30c::2; - neighbor 2a03:2260:0:30c::1 as 201701; -} - -protocol bgp ffrl_bb_b_ak_ber from uplink { - source address 2a03:2260:0:30f::2; - neighbor 2a03:2260:0:30f::1 as 201701; -} - - -protocol bgp ffrl_bb_a_ix_dus from uplink { - source address 2a03:2260:0:30e::2; - neighbor 2a03:2260:0:30e::1 as 201701; -} - -protocol bgp ffrl_bb_b_ix_dus from uplink { - source address 2a03:2260:0:311::2; - neighbor 2a03:2260:0:311::1 as 201701; -} - -protocol bgp ffrl_bb_a_fra3_fra from uplink { - source address 2a03:2260:0:30d::2; - neighbor 2a03:2260:0:30d::1 as 201701; -} - -protocol bgp ffrl_bb_b_fra3_fra from uplink { - source address 2a03:2260:0:310::2; - neighbor 2a03:2260:0:310::1 as 201701; -} \ No newline at end of file 
diff --git a/roles/00-system-set-network/tasks/main.yml b/roles/00-system-set-network/tasks/main.yml deleted file mode 100644 index 4c407ac..0000000 --- a/roles/00-system-set-network/tasks/main.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: Cop Network Config - ansible.builtin.template: - src: 01-ffrl-gre.yaml.j2 - dest: /etc/netplan/01-ffrl-gre.yaml - owner: root - group: root - mode: '0644' - register: networkconfig - -- name: Netplan Apply - ansible.builtin.shell: netplan apply - when: networkconfig.changed - -- name: Add Table 42 after netplan Apply - ansible.builtin.shell: /bin/ip rule add fwmark 0x4 table 42 - when: networkconfig.changed - -- name: Add Table 42v6 after netplan Apply - ansible.builtin.shell: /bin/ip -6 rule add fwmark 0x4 table 42 - when: networkconfig.changed \ No newline at end of file diff --git a/roles/00-system-set-network/tasks/templates/01-ffrl-gre.yaml.j2 b/roles/00-system-set-network/tasks/templates/01-ffrl-gre.yaml.j2 deleted file mode 100644 index 75053e2..0000000 --- a/roles/00-system-set-network/tasks/templates/01-ffrl-gre.yaml.j2 +++ /dev/null 
@@ -1,62 +0,0 @@ -network: - tunnels: - gre-bb-a.ak.ber: - mode: gre - local: {{ ansible_host }} - remote: 185.66.195.0 - mtu: 1400 - addresses: - - {{ gre_bb_a_ak_ber_ipv4 }}/31 - - {{ gre_bb_a_ak_ber_ipv6 }}/64 - - fe80::200:5efe:2e04:9c72/64 - gre-bb-b.ak.ber: - mode: gre - local: {{ ansible_host }} - remote: 185.66.195.1 - mtu: 1400 - addresses: - - {{ gre_bb_b_ak_ber_ipv4 }}/31 - - {{ gre_bb_b_ak_ber_ipv6 }}/64 - - fe80::200:5efe:2e04:9c72/64 - gre-bb-a.ix.dus: - mode: gre - local: {{ ansible_host }} - remote: 185.66.193.0 - mtu: 1400 - addresses: - - {{ gre_bb_a_ix_dus_ipv4 }}/31 - - {{ gre_bb_a_ix_dus_ipv6 }}/64 - - fe80::200:5efe:2e04:9c72/64 - gre-bb-b.ix.dus: - mode: gre - local: {{ ansible_host }} - remote: 185.66.193.1 - mtu: 1400 - addresses: - - {{ gre_bb_b_ix_dus_ipv4 }}/31 - - {{ gre_bb_b_ix_dus_ipv6}}/64 - - fe80::200:5efe:2e04:9c72/64 - gre-bb-a.fra3.f: - mode: gre - local: {{ ansible_host }} - remote: 185.66.194.0 - mtu: 1400 - addresses: - - {{ gre_bb_a_fra3_f_ipv4 }}/31 - - {{ gre_bb_a_fra3_f_ipv6 }}/64 - - fe80::200:5efe:2e04:9c72/64 - gre-bb-b.fra3.f: - mode: gre - local: {{ ansible_host }} - remote: 185.66.194.1 - mtu: 1400 - addresses: - - {{ gre_bb_b_fra3_f_ipv4 }}/31 - - {{ gre_bb_b_fra3_f_ipv6 }}/64 - - fe80::200:5efe:2e04:9c72/64 - ethernets: - lo: - addresses: - - {{ ffrl_ipv4 }}/32 - - {{ ffrl_ipv6 }}/52 - - 127.0.0.1/8 \ No newline at end of file diff --git a/roles/01-system-install-packages/tasks/main.yml b/roles/01-system-install-packages/tasks/main.yml index 3805e0b..985a88d 100644 --- a/roles/01-system-install-packages/tasks/main.yml +++ b/roles/01-system-install-packages/tasks/main.yml 
@@ -1,17 +1,18 @@ - name: Install all Packages - apt: name={{ item }} state=latest update_cache=yes - with_items: - - curl - - nano - - vim - - htop - - bird - - screen - - iproute2 - - iptables - - cron - - qemu-guest-agent - - iputils-ping - - iw - - speedtest-cli - - telnet \ No newline at end of file + ansible.builtin.apt: + name: + - curl + - nano + - vim + - htop + - screen + - iproute2 + - iptables + - cron + - qemu-guest-agent + - iputils-ping + - iw + - speedtest-cli + - telnet + state: latest + update_cache: yes \ No newline at end of file diff --git a/roles/01-system-set-networking/tasks/main.yml b/roles/01-system-set-networking/tasks/main.yml new file mode 100644 index 0000000..b212766 --- /dev/null +++ b/roles/01-system-set-networking/tasks/main.yml @@ -0,0 +1,26 @@ +--- +- name: Set NAT MASQUERADE +ansible.builtin.iptables: + chain: POSTROUTING + table: nat + source: "{{ internal_network }}" + jump: MASQUERADE + +- ansible.posix.sysctl: + name: kernel.panic + value: '1' + sysctl_file: /etc/sysctl.conf + +- ansible.posix.sysctl: + name: net.ipv4.ip_forward + value: '1' + sysctl_set: true + state: present + reload: true + +- ansible.posix.sysctl: + name: net.ipv6.conf.all.forwarding + value: '1' + sysctl_set: true + state: present + reload: true \ No newline at end of file diff --git a/roles/11-create-cronjob/tasks/main.yml b/roles/11-create-cronjob/tasks/main.yml deleted file mode 100644 index 89e8cd2..0000000 --- a/roles/11-create-cronjob/tasks/main.yml +++ /dev/null @@ -1,16 +0,0 @@ -- name: Ensures Freifunk Folder exists - file: path=/opt/freifunk state=directory - -- name: Copy Reboot Script - ansible.builtin.template: - src: sn_startup.sh.j2 - dest: /opt/freifunk/sn_startup.sh - owner: root - group: root - mode: '0775' - -- name: Cron Job to run after boot - ansible.builtin.cron: - name: "Set Freifunk Routes" - special_time: reboot - job: /opt/freifunk/sn_startup.sh \ No newline at end of file 
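Review bot: `state: latest` combined with `update_cache: yes` turns every play run into an unpinned upgrade of all listed packages, so a routine run can replace `iptables` or `iproute2` on the production VPN host without anyone intending an upgrade; `state: present` keeps the task idempotent and makes upgrades a deliberate step. The move to the list form is welcome; the `roles/21-install-oitc/tasks/main.yml` added in the same commit still uses the old `apt: name={{ item }}` / `with_items:` form and should follow this style.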
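Review bot: `ansible.builtin.iptables:` under `- name: Set NAT MASQUERADE` appears at column 0 while its `chain:` / `table:` / `source:` keys are indented, so if this rendering is faithful the file is not valid YAML and the role fails to load; it should read `  ansible.builtin.iptables:` indented under the task. The MASQUERADE rule is also runtime-only — the `iptables` module does not save rules, and this commit deletes the `sn_startup.sh` reboot cron that used to recreate them — so after a reboot `{{ internal_network }}` traffic would be forwarded without NAT unless rules are persisted (e.g. via iptables-persistent); the rule further has no `out_interface`, so it masquerades 10.255.1.0/24 out of every interface, including the WireGuard interface toward the peers. The `kernel.panic` task, unlike the two forwarding tasks, sets neither `sysctl_set: true` nor `reload: true`, so it only edits `/etc/sysctl.conf` and the value does not take effect until the next boot.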
diff --git a/roles/11-create-cronjob/templates/sn_startup.sh.j2 b/roles/11-create-cronjob/templates/sn_startup.sh.j2 deleted file mode 100644 index a6a8f25..0000000 --- a/roles/11-create-cronjob/templates/sn_startup.sh.j2 +++ /dev/null 
@@ -1,58 +0,0 @@ -#!/bin/sh -# Version 1.91 - -sleep 5 - -# Activate IP forwarding -/sbin/sysctl -w net.ipv6.conf.all.forwarding=1 -/sbin/sysctl -w net.ipv4.ip_forward=1 - -# restart when kernel panic -/sbin/sysctl kernel.panic=1 - -# Routing table 42 -/bin/grep 42 /etc/iproute2/rt_tables || /bin/echo 42 ffrl >> /etc/iproute2/rt_tables - -# Set table for traffice with mark 4 -/bin/ip rule add fwmark 0x4 table 42 -/bin/ip -6 rule add fwmark 0x4 table 42 - -# Set mark 4 to Freifunk traffic -/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MARK --set-mark 4 -/sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/48 ! -d 2a03:2260:121::/48 -j MARK --set-mark 4 - -# All from FF IPv4 via routing table 42 -/bin/ip rule add from {{ ffrl_ipv4 }}/32 lookup 42 -/bin/ip -6 rule add from {{ ffrl_ipv6_net }}/52 lookup 42 - -# Add NAT Rules manualy -iptables -t nat -D POSTROUTING -o gre-bb-a.ak.ber -j SNAT --to-source {{ ffrl_ipv4 }} -iptables -t nat -D POSTROUTING -o gre-bb-b.ak.ber -j SNAT --to-source {{ ffrl_ipv4 }} -iptables -t nat -D POSTROUTING -o gre-bb-a.fra3.f -j SNAT --to-source {{ ffrl_ipv4 }} -iptables -t nat -D POSTROUTING -o gre-bb-b.fra3.f -j SNAT --to-source {{ ffrl_ipv4 }} -iptables -t nat -D POSTROUTING -o gre-bb-a.ix.dus -j SNAT --to-source {{ ffrl_ipv4 }} -iptables -t nat -D POSTROUTING -o gre-bb-b.ix.dus -j SNAT --to-source {{ ffrl_ipv4 }} -sleep 30 -iptables -t nat -A POSTROUTING -o gre-bb-a.ak.ber -j SNAT --to-source {{ ffrl_ipv4 }} -iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ak.ber -j TCPMSS --set-mss 1312 -ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ak.ber -j TCPMSS --set-mss 1312 - -iptables -t nat -A POSTROUTING -o gre-bb-a.fra3.f -j SNAT --to-source {{ ffrl_ipv4 }} -iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.fra3.f -j TCPMSS --set-mss 1312 -ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.fra3.f 
-j TCPMSS --set-mss 1312 - -iptables -t nat -A POSTROUTING -o gre-bb-a.ix.dus -j SNAT --to-source {{ ffrl_ipv4 }} -iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ix.dus -j TCPMSS --set-mss 1312 -ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ix.dus -j TCPMSS --set-mss 1312 - -iptables -t nat -A POSTROUTING -o gre-bb-b.ak.ber -j SNAT --to-source {{ ffrl_ipv4 }} -iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.ak.ber -j TCPMSS --set-mss 1312 -ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.ak.ber -j TCPMSS --set-mss 1312 - -iptables -t nat -A POSTROUTING -o gre-bb-b.fra3.f -j SNAT --to-source {{ ffrl_ipv4 }} -iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.fra3.f -j TCPMSS --set-mss 1312 -ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.fra3.f -j TCPMSS --set-mss 1312 - -iptables -t nat -A POSTROUTING -o gre-bb-b.ix.dus -j SNAT --to-source {{ ffrl_ipv4 }} -iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.ix.dus -j TCPMSS --set-mss 1312 -ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.ix.dus -j TCPMSS --set-mss 1312 \ No newline at end of file diff --git a/roles/20-install-openvpn/tasks/main.yml b/roles/20-install-openvpn/tasks/main.yml deleted file mode 100644 index d009472..0000000 --- a/roles/20-install-openvpn/tasks/main.yml +++ /dev/null @@ -1,4 +0,0 @@ -- name: Install OpenVPN - apt: name={{ item }} state=latest update_cache=yes - with_items: - - openvpn \ No newline at end of file diff --git a/roles/21-install-oitc/tasks/main.yml b/roles/21-install-oitc/tasks/main.yml new file mode 100644 index 0000000..16383a3 --- /dev/null +++ b/roles/21-install-oitc/tasks/main.yml 
@@ -0,0 +1,26 @@
+- name: Repo Key Import
+ ansible.builtin.shell: curl https://packages.openitcockpit.io/repokey.txt | sudo apt-key add
+
+- name: Add specified repository into sources list
+ ansible.builtin.apt_repository:
+ repo: deb https://packages.openitcockpit.io/openitcockpit-agent/deb/stable deb main
+ state: present
+
+
+- name: Install Wireguard
+ apt: name={{ item }} state=latest update_cache=yes
+ with_items:
+ - openitcockpit-agent
+
+- name: Copy Config File
+ ansible.builtin.template:
+ src: oitc.ini.j2
+ dest: /etc/openitcockpit-agent/config.ini
+ owner: root
+ group: root
+ mode: '0775'
+
+- name: Restart service httpd, in all cases
+ ansible.builtin.service:
+ name: openitcockpit-agent
+ state: restarted
diff --git a/roles/21-install-oitc/templates/oitc.ini.j2 b/roles/21-install-oitc/templates/oitc.ini.j2
new file mode 100644
index 0000000..aa23e3a
--- /dev/null
+++ b/roles/21-install-oitc/templates/oitc.ini.j2
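Review bot: `ansible.builtin.shell: curl https://packages.openitcockpit.io/repokey.txt | sudo apt-key add` trusts whatever the URL serves at run time with no pin or verification, re-runs on every play (no `creates:` or `changed_when:`), and `apt-key` is deprecated on current Debian/Ubuntu; fetch the key once with `ansible.builtin.get_url` into `/etc/apt/keyrings` with a `checksum:` and reference it through `[signed-by=…]` in the repo line, as sketched below. `mode: '0775'` on `/etc/openitcockpit-agent/config.ini` makes a config file world-readable and executable; an ini that can carry `auth = user:password` should be `mode: '0640'`. The task names are misleading (`Install Wireguard` installs `openitcockpit-agent`, `Restart service httpd` restarts the agent), the unconditional `state: restarted` belongs in a handler notified by the template task, and the `apt: name={{ item }}` / `with_items:` form should follow the list style this commit introduces in `roles/01-system-install-packages/tasks/main.yml`.
```yaml
- name: Download openITCOCKPIT repository key
  ansible.builtin.get_url:
    url: https://packages.openitcockpit.io/repokey.txt
    dest: /etc/apt/keyrings/openitcockpit.asc   # suggested path; ensure the directory exists
    mode: '0644'
    checksum: "sha256:<EXPECTED_SHA256_OF_REPOKEY>"   # placeholder: pin the published key

- name: Add openITCOCKPIT agent repository
  ansible.builtin.apt_repository:
    repo: deb [signed-by=/etc/apt/keyrings/openitcockpit.asc] https://packages.openitcockpit.io/openitcockpit-agent/deb/stable deb main
    state: present
# … unchanged: package install, config template (with mode '0640'), service restart …
```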
@@ -0,0 +1,177 @@
+[default]
+#
+# This is the configuration file for the openITCOCKPIT Monitoring Agent 3.x
+# Notice: Empty values will not been ignored! If you want to disable an option like proxy comment it out!
+
+#########################
+# Web Server #
+#########################
+
+# Bind address of the build-in web server
+# Use 0.0.0.0 to bind on all interfaces
+address = 0.0.0.0
+
+# Port of the Agents build-in web server
+# Default port is 3333
+port = 3333
+
+#########################
+# Security Settings #
+#########################
+
+# Try to enable auto ssl mode for webserver
+try-autossl = True
+
+# File paths used to store autossl related files (default: /etc/openitcockpit-agent/):
+# Leave this blank to use the default values
+# Example: /etc/openitcockpit-agent/agent.csr
+#autossl-csr-file =
+
+# Example: /etc/openitcockpit-agent/agent.crt
+#autossl-crt-file =
+
+# Example: /etc/openitcockpit-agent/agent.key
+#autossl-key-file =
+
+# Example: /etc/openitcockpit-agent/server_ca.crt
+#autossl-ca-file =
+
+# If a certificate file is given, the agent will only be accessible through HTTPS
+# Instead of messing around with self-signed certificates we recommend to use the autossl feature.
+# Example: /etc/ssl/certs/ssl-cert-snakeoil.pem
+#certfile = /etc/ssl/certs/ssl-cert-snakeoil.pem
+
+# Private key file of the given TLS certificate
+# Example: /etc/ssl/private/ssl-cert-snakeoil.key
+#keyfile = /etc/ssl/private/ssl-cert-snakeoil.key
+
+# Enable remote read and write access to the current agent configuration (this file) and
+# the customchecks config
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+# ! WARNING: This could lead to remote code execution !
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+config-update-mode = False
+
+# Enable HTTP Basic Authentication
+# Example: auth = user:password
+#auth = user:password
+
+#########################
+# Checks #
+#########################
+
+# Determines in seconds how often the agent will schedule all internal checks
+interval = 30
+
+# Remote Plugin Execution
+# Path to config will where custom checks can be defined
+# Comment to use the default value
+#
+# Linux: /etc/openitcockpit-agent/customchecks.ini
+# Windows: C:\Program Files\it-novum\openitcockpit-agent\customchecks.ini
+# macOS: /Applications/openitcockpit-agent/customchecks.ini
+#customchecks = /etc/openitcockpit-agent/customchecks.ini
+
+#########################
+# Enable/Disable checks #
+#########################
+
+# Enable CPU monitoring
+cpustats = True
+
+# Enable memory monitoring
+memory = True
+
+# Enable Swap monitoring
+swap = True
+
+# Enable monitoring of running processes
+processstats = True
+
+# Enable monitoring of network interfaces
+netstats = True
+
+# Enable monitoring of the traffic (I/O) of network interfaces
+netio = True
+
+# Enable disk usage monitoring
+diskstats = True
+
+# Enable monitoring of disk I/O
+diskio = True
+
+# Enable monitoring of Systemd Services (Linux only)
+systemdservices = True
+
+# Enable monitoring of Launchd Services (macOS only)
+launchdservices = True
+
+# Enable monitoring of Windows Services (Windows only)
+winservices = True
+
+# Enable monitoring of Windows Event Log records (Windows only)
+wineventlog = False
+
+# Determines how the openITCOCKPIT Monitoring Agent should query the Windows Event Log.
+# Since Version 3.0.9 WMI (Windows Management Instrumentation) will be used by default
+# As alternative the Agent could use the PowerShell Get-EventLog cmdlet.
+# The WMI method will maybe memory leak on Windows Server 2016. The PowerShell workaround
+# on the other hand could lead to blue screens (OA-40).
+wineventlog-method = WMI
+#wineventlog-method = PowerShell
+
+# Define comma separated windows event log log types
+# Event Logs containing spaces DO NOT need to be quoted: Security,Sophos Cloud AD Sync,Application
+wineventlog-logtypes = System,Application,Security
+
+# Enable monitoring of temperature and battery sensors
+sensorstats = True
+
+# Enable support to monitor Docker containers
+# Known issues: Error response from daemon: client version 1.41 is too new. Maximum supported API version is 1.40
+# Workaround: export DOCKER_API_VERSION=1.40
+dockerstats = False
+
+# Check KVMs through libvirt
+# This requires to complie the openITCOCKPIT Monitoring Agent by yourself.
+# Please see the Wiki for instructions: https://github.com/it-novum/openitcockpit-agent-go/wiki/Build-binary
+libvirt = True
+
+# Enable logged in users check
+userstats = True
+
+#########################
+# Push mode #
+#########################
+
+# By default openITCOCKPIT will pull check results from the openITCOCKPIT Agent.
+# In a cloud environments or behind a NAT network it could become handy
+# if the openITCOCKPIT Monitoring Agent will push the results to your openITCOCKPIT Server
+[oitc]
+
+# Enable Push Mode
+enabled = False
+
+# This option disables the webserver of the openITCOCKPIT Monitoring Agent when running in PUSH mode.
+# When you also want to enable the Webserver even if the agent is running in PUSH mode we highly recommend
+# to enable HTTP Basic Authentication and to use the certfile and keyfile options to enable HTTPS
+enable-webserver = False
+
+# Address of your openITCOCKPIT Server where the Agent will push the results to
+# Example: https://demo.openitcockpit.io
+url =
+
+# Enable this option when your openITCOCKPIT server uses valid TLS certificates
+# like from Let's Encrypt
+verify-server-certificate = False
+
+# Timeout in seconds for the HTTP push client
+timeout = 10
+
+# API-Key of your openITCOCKPIT Server
+apikey =
+
+# Address of HTTP/HTTPS Proxy if required.
+# Comment to disable
+# Example: http://10.10.1.10:3128
+#proxy = http://10.10.1.10:3128
\ No newline at end of file
diff --git a/roles/40-vyos-system/tasks/main.yml b/roles/40-vyos-system/tasks/main.yml
new file mode 100644
index 0000000..ccdaee8
--- /dev/null
+++ b/roles/40-vyos-system/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Set Vyos Hostname
+ vyos.vyos.vyos_hostname:
+ config:
+ hostname: "{{ inventory_hostname }}"
+ state: merged
+
diff --git a/roles/41-vyos-interfaces/tasks/main.yml b/roles/41-vyos-interfaces/tasks/main.yml
new file mode 100644
index 0000000..c681162
--- /dev/null
+++ b/roles/41-vyos-interfaces/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+- name: Create Local Interfaces
+ vyos.vyos.vyos_l3_interfaces:
+ config:
+ - name: eth0
+ ipv4:
+ - address: "{{ wan_address }}"
+ - name: eth1
+ ipv4:
+ - address: "{{ local_address }}"
+ - name: lo
+ - address: "{{ ffrl_address }}"
+ state: merged
+
diff --git a/system-setup.yml b/system-setup.yml
index aca1ab8..1154b4e 100644
--- a/system-setup.yml
+++ b/system-setup.yml
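Review bot: `address = 0.0.0.0` combined with `#auth = user:password` left commented out exposes the agent's check endpoint on `port = 3333` on every interface of the VPN offloader, including the WireGuard and GRE side, without any authentication; since the file is rendered as a Jinja template, `auth = {{ oitc_auth }}` fed from an Ansible Vault variable and a bind address limited to the management interface would be the expected shape, and the listener should be matched by a firewall rule that only admits the monitoring server. The template contains no `{{ }}` expressions at all, so the `.j2` name currently promises parameterisation it does not deliver. `libvirt = True` is set directly under the comment stating that this check needs a self-built agent, which with the packaged agent is presumably a stray value — confirm. If push mode is ever enabled, `verify-server-certificate = False` should be flipped to `True` at the same time, since the push client would otherwise send the `apikey` to any server answering at `url`.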
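Review bot: In the `Create Local Interfaces` task the `lo` entry has `- address: "{{ ffrl_address }}"` as a sibling list item of `- name: lo` rather than under an `ipv4:` key, so the module receives a config item without a `name` and vyos_l3_interfaces will fail argument validation (or, read leniently, leave `lo` without the FFRL address). The `eth0` and `eth1` entries show the intended shape: `- name: lo`, then `ipv4:`, then `- address: "{{ ffrl_address }}"` nested beneath it. Exact indentation is not recoverable from this rendering, so check the three lines against the `eth1` block when fixing.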
@@ -1,16 +1,14 @@ -# ansible-playbook -i hosts.yml -u root system-setup.yml +# ansible-playbook -i hosts.yml system-setup.yml - name: System preperation hosts: supernodes roles: - 00-system-set-hostname - 00-create-sudo-user - - 00-system-set-network - - 00-system-set-bird + - 01-system-set-networking - 01-system-install-packages - - 11-create-cronjob - name: System preperation hosts: vpn-offloader roles: -# - 20-install-openvpn - - 21-install-wireguard \ No newline at end of file + - 21-install-wireguard + - 21-install-oitc \ No newline at end of file
diff --git a/update_wg.yml b/update_wg.yml
new file mode 100644
index 0000000..a7855dc
--- /dev/null
+++ b/update_wg.yml
@@ -0,0 +1,17 @@
+# ansible-playbook -i hosts.yml -u root system-setup.yml
+- name: System preperation
+ hosts: supernodes
+ roles:
+ - 00-system-set-hostname
+ - 00-create-sudo-user
+ - 00-system-set-network
+ - 00-system-set-bird
+ - 01-system-install-packages
+ - 11-create-cronjob
+
+- name: System preperation
+ hosts: vpn-offloader
+ roles:
+# - 20-install-openvpn
+ - 21-install-wireguard
+ - 21-install-oitc
\ No newline at end of file
diff --git a/vpn01.md b/vpn01.md
new file mode 100644
index 0000000..b690f73
--- /dev/null
+++ b/vpn01.md
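Review bot: update_wg.yml lists the roles `00-system-set-network`, `00-system-set-bird` and `11-create-cronjob`, which the adjacent system-setup.yml hunk drops in this same commit and whose role directories appear to be removed elsewhere in the diff — confirm against the full change; if they are gone, this playbook fails at role resolution before any task runs. Its content is the previous system-setup.yml verbatim, down to the usage comment `# ansible-playbook -i hosts.yml -u root system-setup.yml`, so nothing in it is specific to refreshing WireGuard; if that is the purpose, the vpn-offloader play should carry only `- 21-install-wireguard` and the usage line should name update_wg.yml. The play names `System preperation` in both files are misspelled and would read better as `System preparation`.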
@@ -0,0 +1,72 @@
+vpn02
+# Supernode mit direkter VPN Ausleitung
+
+Ausleitung über das FFRL Backbone.
+Supernode Config:
+- GRE-Tunnel zum FFRL Backbone
+- VPN per Wireguard
+- NAT auf VPN Routern
+
+## Adressbereiche:
+
+Supernode: 10.255.1.1/32
+
+VPN01: 10.255.1.2/32, Client: 10.1.0.0/16
+VPN02: 10.255.1.3/32, Client: 10.2.0.0/16
+VPN03: 10.255.1.4/32, Client: 10.3.0.0/16
+etc.
+
+
+## ER-X Stock Firmware Config:
+> Vor der Installation:
+> - eth0 als DHCP Client
+> - eth1-4 auf den Switch
+> - Switch mit DHCP Server einrichten. Adressbereich aus Tabelle beachten!
+
+## Install Wireguard
+cd /tmp
+curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
+sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
+
+## Generate Keys
+ cd /config/auth
+ wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public
+ cat wg.public
+ cat wg.key
+
+## Config ER-X
+ configure
+## Wireguard
+ set interfaces wireguard wg0 address 10.255.1.2/24
+ set interfaces wireguard wg0 address fd80:3ea2:e399:203a::2/64
+ set interfaces wireguard wg0 listen-port 51822
+ set interfaces wireguard wg0 route-allowed-ips false
+ set interfaces wireguard wg0 persistent-keepalive 25
+ set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 7.fftdf.de:42001
+ set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0
+ set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips ::0/0
+ set interfaces wireguard wg0 private-key /config/auth/wg.key
+## Firewall for Wireguard
+ set firewall name WAN_LOCAL rule 20 action accept
+ set firewall name WAN_LOCAL rule 20 protocol udp
+ set firewall name WAN_LOCAL rule 20 description 'WireGuard'
+ set firewall name WAN_LOCAL rule 20 destination port 51821
+ set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
+ set firewall group
network-group LAN-VPN network 10.1.0.0/16
+ set firewall group network-group RFC1918 network 10.0.0.0/8
+ set firewall group network-group RFC1918 network 172.16.0.0/12
+ set firewall group network-group RFC1918 network 192.168.0.0/16
+ set firewall group network-group RFC1918 network 169.254.0.0/16
+ set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
+ set firewall modify VPN_TDF7 rule 100 action modify
+ set firewall modify VPN_TDF7 rule 100 description 'Route traffic from group LAN-VPN through VPN-TDF7 table'
+ set firewall modify VPN_TDF7 rule 100 modify table 2
+ set firewall modify VPN_TDF7 rule 100 source group network-group LAN-VPN
+ set interfaces switch switch0 firewall in modify VPN_TDF7
+## NAT einrichten
+ set service nat rule 5010 description 'masquerade for VPN'
+ set service nat rule 5010 outbound-interface wg0
+ set service nat rule 5010 type masquerade
+ set service nat rule 5010 protocol all
+## Speichern
+ commit ; save
\ No newline at end of file
diff --git a/vpn02.md b/vpn02.md
new file mode 100644
index 0000000..5946c94
--- /dev/null
+++ b/vpn02.md
@@ -0,0 +1,72 @@
+vpn02
+# Supernode mit direkter VPN Ausleitung
+
+Ausleitung über das FFRL Backbone.
+Supernode Config:
+- GRE-Tunnel zum FFRL Backbone
+- VPN per Wireguard
+- NAT auf VPN Routern
+
+## Adressbereiche:
+
+Supernode: 10.255.1.1/32
+
+VPN01: 10.255.1.2/32, Client: 10.1.0.0/16
+VPN02: 10.255.1.3/32, Client: 10.2.0.0/16
+VPN03: 10.255.1.4/32, Client: 10.3.0.0/16
+etc.
+
+
+## ER-X Stock Firmware Config:
+> Vor der Installation:
+> - eth0 als DHCP Client
+> - eth1-4 auf den Switch
+> - Switch mit DHCP Server einrichten. Adressbereich aus Tabelle beachten!
+
+## Install Wireguard
+cd /tmp
+curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
+sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
+
+## Generate Keys
+ cd /config/auth
+ wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public
+ cat wg.public
+ cat wg.key
+
+## Config ER-X
+ configure
+## Wireguard
+ set interfaces wireguard wg0 address 10.255.1.3/24
+ set interfaces wireguard wg0 address fd80:3ea2:e399:203a::3/64
+ set interfaces wireguard wg0 listen-port 51821
+ set interfaces wireguard wg0 route-allowed-ips false
+ set interfaces wireguard wg0 persistent-keepalive 25
+ set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 7.fftdf.de:42001
+ set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0
+ set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips ::0/0
+ set interfaces wireguard wg0 private-key /config/auth/wg.key
+## Firewall for Wireguard
+ set firewall name WAN_LOCAL rule 20 action accept
+ set firewall name WAN_LOCAL rule 20 protocol udp
+ set firewall name WAN_LOCAL rule 20 description 'WireGuard'
+ set firewall name WAN_LOCAL rule 20 destination port 51821
+ set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
+ set firewall group
network-group LAN-VPN network 10.2.0.0/16
+ set firewall group network-group RFC1918 network 10.0.0.0/8
+ set firewall group network-group RFC1918 network 172.16.0.0/12
+ set firewall group network-group RFC1918 network 192.168.0.0/16
+ set firewall group network-group RFC1918 network 169.254.0.0/16
+ set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
+ set firewall modify VPN_TDF7 rule 100 action modify
+ set firewall modify VPN_TDF7 rule 100 description 'Route traffic from group LAN-VPN through VPN-TDF7 table'
+ set firewall modify VPN_TDF7 rule 100 modify table 2
+ set firewall modify VPN_TDF7 rule 100 source group network-group LAN-VPN
+ set interfaces switch switch0 firewall in modify VPN_TDF7
+## NAT einrichten
+ set service nat rule 5010 description 'masquerade for VPN'
+ set service nat rule 5010 outbound-interface wg0
+ set service nat rule 5010 type masquerade
+ set service nat rule 5010 protocol all
+## Speichern
+ commit ; save
diff --git a/vpn03.md b/vpn03.md
new file mode 100644
index 0000000..1f956de
--- /dev/null
+++ b/vpn03.md
@@ -0,0 +1,72 @@
+vpn03
+# Supernode mit direkter VPN Ausleitung
+
+Ausleitung über das FFRL Backbone.
+Supernode Config:
+- GRE-Tunnel zum FFRL Backbone
+- VPN per Wireguard
+- NAT auf VPN Routern
+
+## Adressbereiche:
+
+Supernode: 10.255.1.1/32
+
+VPN01: 10.255.1.2/32, Client: 10.1.0.0/16
+VPN02: 10.255.1.3/32, Client: 10.2.0.0/16
+VPN03: 10.255.1.4/32, Client: 10.3.0.0/16
+etc.
+
+
+## ER-X Stock Firmware Config:
+> Vor der Installation:
+> - eth0 als DHCP Client
+> - eth1-4 auf den Switch
+> - Switch mit DHCP Server einrichten. Adressbereich aus Tabelle beachten!
+
+## Install Wireguard
+cd /tmp
+curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
+sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
+
+## Generate Keys
+ cd /config/auth
+ wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public
+ cat wg.public
+ cat wg.key
+
+## Config ER-X
+ configure
+## Wireguard
+ set interfaces wireguard wg0 address 10.255.1.4/24
+ set interfaces wireguard wg0 address fd80:3ea2:e399:203a::4/64
+ set interfaces wireguard wg0 listen-port 51821
+ set interfaces wireguard wg0 route-allowed-ips false
+ set interfaces wireguard wg0 persistent-keepalive 25
+ set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 7.fftdf.de:42001
+ set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0
+ set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips ::0/0
+ set interfaces wireguard wg0 private-key /config/auth/wg.key
+## Firewall for Wireguard
+ set firewall name WAN_LOCAL rule 20 action accept
+ set firewall name WAN_LOCAL rule 20 protocol udp
+ set firewall name WAN_LOCAL rule 20 description 'WireGuard'
+ set firewall name WAN_LOCAL rule 20 destination port 51821
+ set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
+ set firewall group
network-group LAN-VPN network 10.3.0.0/16
+ set firewall group network-group RFC1918 network 10.0.0.0/8
+ set firewall group network-group RFC1918 network 172.16.0.0/12
+ set firewall group network-group RFC1918 network 192.168.0.0/16
+ set firewall group network-group RFC1918 network 169.254.0.0/16
+ set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
+ set firewall modify VPN_TDF7 rule 100 action modify
+ set firewall modify VPN_TDF7 rule 100 description 'Route traffic from group LAN-VPN through VPN-TDF7 table'
+ set firewall modify VPN_TDF7 rule 100 modify table 2
+ set firewall modify VPN_TDF7 rule 100 source group network-group LAN-VPN
+ set interfaces switch switch0 firewall in modify VPN_TDF7
+## NAT einrichten
+ set service nat rule 5010 description 'masquerade for VPN'
+ set service nat rule 5010 outbound-interface wg0
+ set service nat rule 5010 type masquerade
+ set service nat rule 5010 protocol all
+## Speichern
+ commit ; save