Toller Commit
parent
48c5bf9a79
commit
5864ead4b8
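--- a/conf.conf
+++ b/conf.conf
@@ -0,0 +1,338 @@
+interfaces {
+ethernet eth0 {
+address 5.9.220.113/29
+description WAN
+}
+ethernet eth1 {
+address 172.16.7.1/24
+description "Freifunk WAN"
+}
+loopback lo {
+address 185.66.193.107/32
+}
+tunnel tun0 {
+address 100.64.6.25/31
+address 2a03:2260:0:30c::2/64
+description gre_bb_a_ak_ber
+encapsulation gre
+remote 185.66.195.0
+source-address 5.9.220.113
+}
+tunnel tun1 {
+address 100.64.6.31/31
+address 2a03:2260:0:30f::2/64
+description gre_bb_b_ak_ber
+encapsulation gre
+remote 185.66.195.1
+source-address 5.9.220.113
+}
+tunnel tun2 {
+address 100.64.6.29/31
+address 2a03:2260:0:30e::2/64
+description gre_bb_a_ix_dus
+encapsulation gre
+remote 185.66.193.0
+source-address 5.9.220.113
+}
+tunnel tun3 {
+address 100.64.6.35/31
+address 2a03:2260:0:311::2/64
+description gre_bb_b_ix_dus
+encapsulation gre
+remote 185.66.193.1
+source-address 5.9.220.113
+}
+tunnel tun4 {
+address 100.64.6.27/31
+address 2a03:2260:0:30d::2/64
+description gre_bb_a_fra3_f
+encapsulation gre
+remote 185.66.194.0
+source-address 5.9.220.113
+}
+tunnel tun5 {
+address 100.64.6.33/31
+address 2a03:2260:0:310::2/64
+description gre-bb-b.fra3.f
+encapsulation gre
+remote 185.66.194.1
+source-address 5.9.220.113
+}
+}
+nat {
+destination {
+rule 1 {
+description "Allow SSH to VPN-01 Port 2222"
+destination {
+address 185.66.193.107/32
+port 2222
+}
+inbound-interface any
+protocol tcp
+translation {
+address 172.16.7.2
+port 22
+}
+}
+rule 2 {
+description "Wireguard VPN-01 42001"
+destination {
+address 185.66.193.107
+port 42001
+}
+inbound-interface any
+protocol udp
+translation {
+address 172.16.7.2
+}
+}
+}
+source {
+rule 1 {
+outbound-interface any
+source {
+address 172.16.7.0/24
+}
+translation {
+address 185.66.193.107
+}
+}
+}
+}
+policy {
+local-route {
+rule 10 {
+set {
+table 42
+}
+source 5.9.220.113
+}
+}
+prefix-list FFRL-IN {
+rule 10 {
+action permit
+prefix 0.0.0.0/0
+}
+}
+prefix-list FFRL-OUT {
+rule 10 {
+action permit
+prefix 185.66.193.107/32
+}
+}
+route-map FFRL-IN {
+rule 10 {
+action permit
+match {
+ip {
+address {
+prefix-list FFRL-IN
+}
+}
+}
+}
+}
+route-map FFRL-OUT {
+rule 10 {
+action permit
+match {
+ip {
+address {
+prefix-list FFRL-OUT
+}
+}
+}
+}
+}
+}
+protocols {
+bgp {
+address-family {
+ipv4-unicast {
+network 185.66.193.107/32 {
+}
+}
+}
+neighbor 100.64.6.24 {
+address-family {
+ipv4-unicast {
+route-map {
+export FFRL-OUT
+import FFRL-IN
+}
+}
+}
+description ffrl_bb_a_ak_ber
+remote-as 201701
+update-source 100.64.6.25
+}
+neighbor 100.64.6.26 {
+address-family {
+ipv4-unicast {
+route-map {
+export FFRL-OUT
+import FFRL-IN
+}
+}
+}
+description ffrl_bb_a_fra3_fra
+remote-as 201701
+update-source 100.64.6.27
+}
+neighbor 100.64.6.28 {
+address-family {
+ipv4-unicast {
+route-map {
+export FFRL-OUT
+import FFRL-IN
+}
+}
+}
+description ffrl_bb_a_ix_dus
+remote-as 201701
+update-source 100.64.6.29
+}
+neighbor 100.64.6.30 {
+address-family {
+ipv4-unicast {
+route-map {
+export FFRL-OUT
+import FFRL-IN
+}
+}
+}
+description ffrl_bb_b_ak_ber
+remote-as 201701
+update-source 100.64.6.31
+}
+neighbor 100.64.6.32 {
+address-family {
+ipv4-unicast {
+route-map {
+export FFRL-OUT
+import FFRL-IN
+}
+}
+}
+description ffrl_bb_b_fra3_fra
+remote-as 201701
+update-source 100.64.6.33
+}
+neighbor 100.64.6.34 {
+address-family {
+ipv4-unicast {
+route-map {
+export FFRL-OUT
+import FFRL-IN
+}
+}
+}
+description ffrl_bb_b_ix_dus
+remote-as 201701
+update-source 100.64.6.35
+}
+parameters {
+router-id 10.188.255.7
+}
+system-as 65066
+}
+static {
+table 42 {
+route 0.0.0.0/0 {
+next-hop 5.9.220.112 {
+}
+}
+}
+}
+}
+service {
+dhcp-server {
+listen-address 172.16.7.1
+shared-network-name freifunk {
+subnet 172.16.7.0/24 {
+default-router 172.16.7.1
+name-server 1.1.1.1
+name-server 1.0.0.1
+range dhcp {
+start 172.16.7.10
+stop 172.16.7.200
+}
+static-mapping vpn-01 {
+ip-address 172.16.7.2
+mac-address 36:f3:82:18:9b:03
+}
+}
+}
+}
+ntp {
+allow-client {
+address 0.0.0.0/0
+address ::/0
+}
+server time1.vyos.net {
+}
+server time2.vyos.net {
+}
+server time3.vyos.net {
+}
+}
+ssh {
+port 22
+}
+}
+system {
+config-management {
+commit-revisions 100
+}
+conntrack {
+modules {
+ftp
+h323
+nfs
+pptp
+sip
+sqlnet
+tftp
+}
+}
+console {
+device ttyS0 {
+speed 115200
+}
+}
+host-name 7.fftdf.de
+login {
+banner {
+post-login "Welcome to the core Freifunk Router for Troisdorf!\n\nEnjoy it while you are here!\n"
+}
+user vyos {
+authentication {
+encrypted-password $6$WJiQoTPHLN8qj3s2$3vPtbSA48u8axMRDuOTaH4Hzg6kUuUJ8rkNuuSBacLfJ3YKRhDu5q4hxyhYr22n9F7E5NtovDM3A1.Ahpralf0
+plaintext-password ""
+public-keys nils {
+key 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
+type ssh-rsa
+}
+public-keys stefan {
+key AAAAB3NzaC1yc2EAAAADAQABAAABAQDM0d9uUUdkK80fYEAz+IwxbhQO2qsr87Q4uxxwqQCvjVWryL+IuKMBJJGroWDMz2d9UJcIXEYdMz4436U0DoPJuoXe5iDsVvum3Vz3276My+tqx1bZWCktPa8Isft7mO/wfELNjRNQduUiwh2y712s7/3GQI+5Rs/65HuLHTnpLKrlfptqmsmYw+IUFDzGwBLJ6sqP90ywjKkperPCAH3IWcTsQwnW3EJFPToMg6BrQslZlxx/z+co3e6jCWzUuuIRP9jp4SmNVfYaVGb1cOFdL1p1P0qWHBHdGUnXHZ+c773VKVSj+spUBxKGqNC1EhRCYTsPDLVrYrhKl2BRLcgB
+type ssh-rsa
+}
+}
+}
+}
+syslog {
+global {
+facility all {
+level info
+}
+facility protocols {
+level debug
+}
+}
+}
+}
+
+
+// Warning: Do not remove the following line.
+// vyos-config-version: "bgp@3:broadcast-relay@1:cluster@1:config-management@1:conntrack@3:conntrack-sync@2:container@1:dhcp-relay@2:dhcp-server@6:dhcpv6-server@1:dns-forwarding@3:firewall@9:flow-accounting@1:https@4:ids@1:interfaces@26:ipoe-server@1:ipsec@11:isis@2:l2tp@4:lldp@1:mdns@1:monitoring@1:nat@5:nat66@1:ntp@2:openconnect@2:ospf@1:policy@5:pppoe-server@6:pptp@2:qos@2:quagga@10:rpki@1:salt@1:snmp@3:ssh@2:sstp@4:system@25:vrf@3:vrrp@3:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2"
+// Release version: 1.4-rolling-202302041536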
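Review bot: The `encrypted-password $6$…` hash for user vyos (inside `user vyos { authentication {` near the end of the file) is committed in the clear, which exposes it to offline cracking for anyone with read access to the repository; keep it in the Ansible Vault this commit already introduces for troisdorf7 (`host_vars/troisdorf7/vault.yml`) and template it in, or rotate the password. `ntp { allow-client { address 0.0.0.0/0` and `address ::/0` turn the router into an open NTP responder on the WAN and FFRL addresses; restricting it to the subnet it actually serves, `address 172.16.7.0/24`, is sufficient for the DHCP clients. The file has no `firewall` stanza at all, so unless filtering is applied elsewhere the `ssh { port 22 }` service and the two DNAT rules (2222, 42001) are reachable from every interface — a comment stating where filtering lives, or a `firewall` block with a WAN-to-local policy, is missing. `facility protocols { level debug }` in syslog looks like a leftover from bringing up BGP and will be noisy in production. The tun5 description `gre-bb-b.fra3.f` uses a different naming style from the other five tunnels (`gre_bb_a_fra3_f`), which will bite anyone matching descriptions by pattern.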
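--- a/host_vars/router4.yml
+++ b/host_vars/router4.yml
@@ -0,0 +1,3 @@
+wan_address: 5.9.220.113/29
+local_address: 172.16.7.1/24
+ffrl_address: 185.66.193.107/32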
@ -1,25 +0,0 @@
|
|||||||
wireguard_unmanaged_peers:
|
|
||||||
vpn1-testing:
|
|
||||||
public_key: zaxk4sSdmg/NBnjdLaslBA6sljpeW0RPWX00tKq2bnI=
|
|
||||||
allowed_ips: 10.255.1.2/32, 10.1.0.0/16, fd80:3ea2:e399:203a::2/128, 2a03:2260:121:7001::/64
|
|
||||||
persistent_keepalive: 25
|
|
||||||
vpn2-lindenstr-sh07:
|
|
||||||
public_key: 8wsck5Ek7cQ+YbktuUzB2xBAzzeH/ou2QOR4Ou5B6zs=
|
|
||||||
allowed_ips: 10.255.1.3/32, 10.2.0.0/16, fd80:3ea2:e399:203a::3/128, 2a03:2260:121:7002::/64
|
|
||||||
persistent_keepalive: 25
|
|
||||||
# vpn2-stefan:
|
|
||||||
# public_key: NvJKN6xorzvwL7NhMoY2bEwpDVTl9Ob/1gx9g8tHfic=
|
|
||||||
# allowed_ips: 10.255.1.3/32, 10.2.0.0/16
|
|
||||||
# persistent_keepalive: 25
|
|
||||||
# vpn3-empty:
|
|
||||||
# public_key: pwD87EgTk8fGctR1Cz6/DfwGuzTg8VO2YC2CM58Sdlw=
|
|
||||||
# allowed_ips: 10.255.1.2/32, 10.1.0.0/16
|
|
||||||
# persistent_keepalive: 25
|
|
||||||
# vpn4-empty:
|
|
||||||
# public_key: N54OfQCIQGbPltC4sq/1gvV/2UXFKcQAti9ORNvlFxA=
|
|
||||||
# allowed_ips: 10.255.1.2/32, 10.1.0.0/16
|
|
||||||
# persistent_keepalive: 25
|
|
||||||
# vpn5-empty:
|
|
||||||
# public_key: sKi7h1W89XEe9tzxbXbev3oHBoS0VOLXFFLvwQZ+wAM=
|
|
||||||
# allowed_ips: 10.255.1.2/32, 10.1.0.0/16
|
|
||||||
# persistent_keepalive: 25
|
|
41
host_vars/troisdorf7/vars.yml
Normal file
41
host_vars/troisdorf7/vars.yml
Normal file
@ -0,0 +1,41 @@
|
|||||||
|
###
|
||||||
|
### Ansible
|
||||||
|
###
|
||||||
|
ansible_host: 185.66.193.107
|
||||||
|
ansible_port: 2222
|
||||||
|
ansible_ssh_user: root
|
||||||
|
ansible_python_interpreter: /usr/bin/python3
|
||||||
|
|
||||||
|
###
|
||||||
|
### Vars
|
||||||
|
###
|
||||||
|
internal_network: "10.255.1.0/24"
|
||||||
|
|
||||||
|
###
|
||||||
|
### Wireguard
|
||||||
|
###
|
||||||
|
|
||||||
|
wireguard_address: "10.255.1.1/24, fd80:3ea2:e399:203a::1/64"
|
||||||
|
wireguard_port: 42001
|
||||||
|
|
||||||
|
wireguard_unmanaged_peers:
|
||||||
|
vpn1-testing:
|
||||||
|
public_key: dEqGBiASx0gY1T/m4chRkeWhF+4XmzmjLKLXXbe+rmg=
|
||||||
|
allowed_ips: 10.255.1.2/32, 10.1.0.0/16, fd80:3ea2:e399:203a::2/128
|
||||||
|
persistent_keepalive: 25
|
||||||
|
vpn2-lindenstr-h07:
|
||||||
|
public_key: VglVuinIYJOE3UNZxhFRCHwD7WtiVg83u/cp3modw0k=
|
||||||
|
allowed_ips: 10.255.1.3/32, 10.2.0.0/16, fd80:3ea2:e399:203a::3/128
|
||||||
|
persistent_keepalive: 25
|
||||||
|
vpn3-lindenstr-h01:
|
||||||
|
public_key: jWTWrLtxb19TkThXLmUs+kqelo27zb9XfcDQFPGVWxs=
|
||||||
|
allowed_ips: 10.255.1.4/32, 10.3.0.0/16, fd80:3ea2:e399:203a::4/128
|
||||||
|
persistent_keepalive: 25
|
||||||
|
vpn4-nils:
|
||||||
|
public_key: Z9kn/JvtCcTs2ok8z7Ci3E+dy6Hb/lnUNre4X8xWCjg=
|
||||||
|
allowed_ips: 10.255.1.5/32, 10.4.0.0/16, fd80:3ea2:e399:203a::5/128
|
||||||
|
persistent_keepalive: 25
|
||||||
|
vpn5-stefan:
|
||||||
|
public_key: UHaYitx18sO71Ssk2SVUgdjLaAILbCthCmosU+Fs5Es=
|
||||||
|
allowed_ips: 10.255.1.6/32, 10.5.0.0/16, fd80:3ea2:e399:203a::6/128
|
||||||
|
persistent_keepalive: 25
|
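Review bot: `ansible_ssh_user: root` uses the older alias while the rest of the inventory (hosts.yml in this same commit) uses `ansible_user`; pick one form, preferably `ansible_user: root`, so variable precedence between inventory and host_vars stays unambiguous. Connecting directly as root also means every WireGuard peer change here runs with no privilege boundary on the target; an unprivileged user plus `ansible_become: true` is the usual shape. `ansible_host: 185.66.193.107` with `ansible_port: 2222` only works because of `nat destination rule 1` in conf.conf, which forwards 2222 to 172.16.7.2:22 — a comment such as `# 2222 is DNATed by the core router to vpn-01:22` would make that coupling visible to the next editor.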
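--- a/host_vars/troisdorf7/vault.yml
+++ b/host_vars/troisdorf7/vault.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+31653333646534336164323064616261666365636438363761663837663635613333386165313962
+3732656532643062333235366564333633623937353335650a343334393265316131313935363337
+61323339356237646631303039646132663161623739393130383338383339373063373566666330
+3463346562336166340a313562613835386431613636303637626133346433393630623837646236
+66633239393134336539346430343965383339653061633463653864653834633862353861663432
+39633663663833373264623138376431353437623765643530373266643539616231376162663831
+33643334323861653564333739376561306462316561336531656663396134336635666639343433
+38613630313731343736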
30
hosts.yml
30
hosts.yml
@ -5,32 +5,14 @@
|
|||||||
######################
|
######################
|
||||||
all:
|
all:
|
||||||
children:
|
children:
|
||||||
|
router:
|
||||||
|
children:
|
||||||
|
ffrl-uplink:
|
||||||
|
hosts:
|
||||||
|
r4.fftdf.de:
|
||||||
supernodes:
|
supernodes:
|
||||||
children:
|
children:
|
||||||
vpn-offloader:
|
vpn-offloader:
|
||||||
hosts:
|
hosts:
|
||||||
# tdf7
|
|
||||||
troisdorf7:
|
troisdorf7:
|
||||||
#TDF (alt)
|
|
||||||
#ansible_host: 93.241.53.100
|
|
||||||
ansible_host: 5.9.220.113
|
|
||||||
ansible_user: root
|
|
||||||
ansible_python_interpreter: /usr/bin/python3
|
|
||||||
ffrl_ipv4: 185.66.193.107
|
|
||||||
ffrl_ipv6: 2a03:2260:121:7000::107
|
|
||||||
ffrl_ipv6_net: "2a03:2260:121:7000::"
|
|
||||||
ffrl_router_id: 10.188.255.7
|
|
||||||
gre_bb_a_ak_ber_ipv4: 100.64.6.25
|
|
||||||
gre_bb_b_ak_ber_ipv4: 100.64.6.31
|
|
||||||
gre_bb_a_ix_dus_ipv4: 100.64.6.29
|
|
||||||
gre_bb_b_ix_dus_ipv4: 100.64.6.35
|
|
||||||
gre_bb_a_fra3_f_ipv4: 100.64.6.27
|
|
||||||
gre_bb_b_fra3_f_ipv4: 100.64.6.33
|
|
||||||
gre_bb_a_ak_ber_ipv6: 2a03:2260:0:30c::2
|
|
||||||
gre_bb_b_ak_ber_ipv6: 2a03:2260:0:30f::2
|
|
||||||
gre_bb_a_ix_dus_ipv6: 2a03:2260:0:30e::2
|
|
||||||
gre_bb_b_ix_dus_ipv6: 2a03:2260:0:311::2
|
|
||||||
gre_bb_a_fra3_f_ipv6: 2a03:2260:0:30d::2
|
|
||||||
gre_bb_b_fra3_f_ipv6: 2a03:2260:0:310::2
|
|
||||||
wireguard_address: "10.255.1.1/24, fd80:3ea2:e399:203a::1/64"
|
|
||||||
wireguard_port: 42001
|
|
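Review bot: The new host `r4.fftdf.de:` under `ffrl-uplink:` has no matching host_vars: the commit adds `host_vars/router4.yml`, but Ansible only loads host_vars named after the inventory hostname, so `wan_address`, `local_address` and `ffrl_address` will not apply to r4.fftdf.de unless a host named `router4` exists somewhere else in the inventory. Renaming the file to `host_vars/r4.fftdf.de.yml` (or `host_vars/r4.fftdf.de/vars.yml`, matching the troisdorf7 layout) fixes that. The hunk header counts 14 new-side lines but only 13 are visible here, so please double-check the rendered result against the committed file.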
@ -52,23 +52,16 @@ sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
|
|||||||
set firewall name WAN_LOCAL rule 20 destination port 51821
|
set firewall name WAN_LOCAL rule 20 destination port 51821
|
||||||
set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
|
set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
|
||||||
set firewall group network-group LAN-VPN network 10.1.0.0/16
|
set firewall group network-group LAN-VPN network 10.1.0.0/16
|
||||||
set firewall group ipv6-network-group IPv6-VPN ipv6-network 2a03:2260:121:7001::/64
|
|
||||||
set firewall group network-group RFC1918 network 10.0.0.0/8
|
set firewall group network-group RFC1918 network 10.0.0.0/8
|
||||||
set firewall group network-group RFC1918 network 172.16.0.0/12
|
set firewall group network-group RFC1918 network 172.16.0.0/12
|
||||||
set firewall group network-group RFC1918 network 192.168.0.0/16
|
set firewall group network-group RFC1918 network 192.168.0.0/16
|
||||||
set firewall group network-group RFC1918 network 169.254.0.0/16
|
set firewall group network-group RFC1918 network 169.254.0.0/16
|
||||||
set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
|
set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
|
||||||
set protocols static table 2 route6 ::/0 next-hop fd80:3ea2:e399:203a::1
|
|
||||||
set firewall modify VPN_TDF7 rule 100 action modify
|
set firewall modify VPN_TDF7 rule 100 action modify
|
||||||
set firewall modify VPN_TDF7 rule 100 description 'Route traffic from group LAN-VPN through VPN-TDF7 table'
|
set firewall modify VPN_TDF7 rule 100 description 'Route traffic from group LAN-VPN through VPN-TDF7 table'
|
||||||
set firewall modify VPN_TDF7 rule 100 modify table 2
|
set firewall modify VPN_TDF7 rule 100 modify table 2
|
||||||
set firewall modify VPN_TDF7 rule 100 source group network-group LAN-VPN
|
set firewall modify VPN_TDF7 rule 100 source group network-group LAN-VPN
|
||||||
set firewall ipv6-modify IPv6-VPN_TDF7 rule 100 action modify
|
|
||||||
set firewall ipv6-modify IPv6-VPN_TDF7 rule 100 description 'Route traffic from group IPv6-VPN through IPv6-VPN-TDF7 table'
|
|
||||||
set firewall ipv6-modify IPv6-VPN_TDF7 rule 100 modify table 2
|
|
||||||
set firewall ipv6-modify IPv6-VPN_TDF7 rule 100 source group ipv6-network-group IPv6-VPN
|
|
||||||
set interfaces switch switch0 firewall in modify VPN_TDF7
|
set interfaces switch switch0 firewall in modify VPN_TDF7
|
||||||
set interfaces switch switch0 firewall in modify IPv6-VPN_TDF7
|
|
||||||
## NAT einrichten
|
## NAT einrichten
|
||||||
set service nat rule 5010 description 'masquerade for VPN'
|
set service nat rule 5010 description 'masquerade for VPN'
|
||||||
set service nat rule 5010 outbound-interface wg0
|
set service nat rule 5010 outbound-interface wg0
|
||||||
|
@ -1,15 +0,0 @@
|
|||||||
- name: Copy Bird Config
|
|
||||||
ansible.builtin.template:
|
|
||||||
src: bird.conf.j2
|
|
||||||
dest: /etc/bird/bird.conf
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: '0644'
|
|
||||||
|
|
||||||
- name: Copy Bird6 Config
|
|
||||||
ansible.builtin.template:
|
|
||||||
src: bird6.conf.j2
|
|
||||||
dest: /etc/bird/bird6.conf
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: '0644'
|
|
@ -1,93 +0,0 @@
|
|||||||
/*
|
|
||||||
* This is an example configuration file.
|
|
||||||
*/
|
|
||||||
|
|
||||||
# Yes, even shell-like comments work...
|
|
||||||
|
|
||||||
# Configure logging
|
|
||||||
#log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug };
|
|
||||||
#log stderr all;
|
|
||||||
#log "tmp" all;
|
|
||||||
#log syslog all;
|
|
||||||
|
|
||||||
#debug protocols all;
|
|
||||||
|
|
||||||
# Override router ID
|
|
||||||
router id {{ ffrl_router_id }};
|
|
||||||
|
|
||||||
|
|
||||||
protocol direct {
|
|
||||||
interface "*";
|
|
||||||
};
|
|
||||||
|
|
||||||
protocol kernel {
|
|
||||||
device routes;
|
|
||||||
import all;
|
|
||||||
export all;
|
|
||||||
kernel table 42;
|
|
||||||
};
|
|
||||||
|
|
||||||
protocol device {
|
|
||||||
scan time 8;
|
|
||||||
};
|
|
||||||
|
|
||||||
function is_default() {
|
|
||||||
return (net ~ [0.0.0.0/0]);
|
|
||||||
};
|
|
||||||
|
|
||||||
# own network
|
|
||||||
function is_self_net() {
|
|
||||||
return (net ~ [ 10.188.0.0/16+ ]);
|
|
||||||
}
|
|
||||||
|
|
||||||
# freifunk ip ranges in general
|
|
||||||
function is_freifunk() {
|
|
||||||
return net ~ [ 10.0.0.0/8+,
|
|
||||||
104.0.0.0/8+
|
|
||||||
];
|
|
||||||
}
|
|
||||||
|
|
||||||
filter hostroute {
|
|
||||||
if net ~ {{ ffrl_ipv4 }}/32 then accept;
|
|
||||||
reject;
|
|
||||||
};
|
|
||||||
|
|
||||||
# Uplink über ff Rheinland
|
|
||||||
template bgp uplink {
|
|
||||||
local as 65066;
|
|
||||||
import where is_default();
|
|
||||||
export filter hostroute;
|
|
||||||
next hop self;
|
|
||||||
multihop 64;
|
|
||||||
default bgp_local_pref 200;
|
|
||||||
};
|
|
||||||
|
|
||||||
protocol bgp ffrl_bb_a_ak_ber from uplink {
|
|
||||||
source address 100.64.6.25;
|
|
||||||
neighbor 100.64.6.24 as 201701;
|
|
||||||
};
|
|
||||||
|
|
||||||
protocol bgp ffrl_bb_b_ak_ber from uplink {
|
|
||||||
source address 100.64.6.31;
|
|
||||||
neighbor 100.64.6.30 as 201701;
|
|
||||||
};
|
|
||||||
|
|
||||||
protocol bgp ffrl_bb_a_ix_dus from uplink {
|
|
||||||
source address 100.64.6.29;
|
|
||||||
neighbor 100.64.6.28 as 201701;
|
|
||||||
};
|
|
||||||
|
|
||||||
protocol bgp ffrl_bb_b_ix_dus from uplink {
|
|
||||||
source address 100.64.6.35;
|
|
||||||
neighbor 100.64.6.34 as 201701;
|
|
||||||
};
|
|
||||||
|
|
||||||
protocol bgp ffrl_bb_a_fra3_fra from uplink {
|
|
||||||
source address 100.64.6.27;
|
|
||||||
neighbor 100.64.6.26 as 201701;
|
|
||||||
};
|
|
||||||
|
|
||||||
protocol bgp ffrl_bb_b_fra3_fra from uplink {
|
|
||||||
source address 100.64.6.33;
|
|
||||||
neighbor 100.64.6.32 as 201701;
|
|
||||||
};
|
|
@ -1,89 +0,0 @@
|
|||||||
# Configure logging
|
|
||||||
#log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug };
|
|
||||||
#log stderr all;
|
|
||||||
#log "tmp" all;
|
|
||||||
#log syslog all;
|
|
||||||
|
|
||||||
#debug protocols all;
|
|
||||||
|
|
||||||
# Override router ID
|
|
||||||
router id {{ ffrl_router_id }};
|
|
||||||
|
|
||||||
protocol direct {
|
|
||||||
interface "bat0", "gre-*", "lo"; # Restrict network interfaces it works with
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
protocol kernel {
|
|
||||||
device routes;
|
|
||||||
import all;
|
|
||||||
export all; # Default is export none
|
|
||||||
kernel table 42; # Kernel table to synchronize with (default: main)
|
|
||||||
}
|
|
||||||
|
|
||||||
protocol device {
|
|
||||||
scan time 10; # Scan interfaces every 10 seconds
|
|
||||||
}
|
|
||||||
|
|
||||||
function is_default() {
|
|
||||||
return (net ~ [::/0]);
|
|
||||||
}
|
|
||||||
|
|
||||||
# own networks
|
|
||||||
function is_self_net() {
|
|
||||||
return net ~ [ fda0:747e:ab29:7405::/64+ ];
|
|
||||||
}
|
|
||||||
|
|
||||||
# freifunk ip ranges in general
|
|
||||||
function is_freifunk() {
|
|
||||||
return net ~ [ fc00::/7{48,64},
|
|
||||||
2001:bf7::/32+];
|
|
||||||
}
|
|
||||||
|
|
||||||
filter hostroute {
|
|
||||||
if net ~ {{ ffrl_ipv6_net }}/52 then accept;
|
|
||||||
reject;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# Uplink zum FF Rheinland
|
|
||||||
template bgp uplink {
|
|
||||||
local as 65066;
|
|
||||||
import where is_default();
|
|
||||||
export filter hostroute;
|
|
||||||
gateway recursive;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
protocol bgp ffrl_bb_a_ak_ber from uplink {
|
|
||||||
source address 2a03:2260:0:30c::2;
|
|
||||||
neighbor 2a03:2260:0:30c::1 as 201701;
|
|
||||||
}
|
|
||||||
|
|
||||||
protocol bgp ffrl_bb_b_ak_ber from uplink {
|
|
||||||
source address 2a03:2260:0:30f::2;
|
|
||||||
neighbor 2a03:2260:0:30f::1 as 201701;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
protocol bgp ffrl_bb_a_ix_dus from uplink {
|
|
||||||
source address 2a03:2260:0:30e::2;
|
|
||||||
neighbor 2a03:2260:0:30e::1 as 201701;
|
|
||||||
}
|
|
||||||
|
|
||||||
protocol bgp ffrl_bb_b_ix_dus from uplink {
|
|
||||||
source address 2a03:2260:0:311::2;
|
|
||||||
neighbor 2a03:2260:0:311::1 as 201701;
|
|
||||||
}
|
|
||||||
|
|
||||||
protocol bgp ffrl_bb_a_fra3_fra from uplink {
|
|
||||||
source address 2a03:2260:0:30d::2;
|
|
||||||
neighbor 2a03:2260:0:30d::1 as 201701;
|
|
||||||
}
|
|
||||||
|
|
||||||
protocol bgp ffrl_bb_b_fra3_fra from uplink {
|
|
||||||
source address 2a03:2260:0:310::2;
|
|
||||||
neighbor 2a03:2260:0:310::1 as 201701;
|
|
||||||
}
|
|
@ -1,20 +0,0 @@
|
|||||||
- name: Cop Network Config
|
|
||||||
ansible.builtin.template:
|
|
||||||
src: 01-ffrl-gre.yaml.j2
|
|
||||||
dest: /etc/netplan/01-ffrl-gre.yaml
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: '0644'
|
|
||||||
register: networkconfig
|
|
||||||
|
|
||||||
- name: Netplan Apply
|
|
||||||
ansible.builtin.shell: netplan apply
|
|
||||||
when: networkconfig.changed
|
|
||||||
|
|
||||||
- name: Add Table 42 after netplan Apply
|
|
||||||
ansible.builtin.shell: /bin/ip rule add fwmark 0x4 table 42
|
|
||||||
when: networkconfig.changed
|
|
||||||
|
|
||||||
- name: Add Table 42v6 after netplan Apply
|
|
||||||
ansible.builtin.shell: /bin/ip -6 rule add fwmark 0x4 table 42
|
|
||||||
when: networkconfig.changed
|
|
@ -1,62 +0,0 @@
|
|||||||
network:
|
|
||||||
tunnels:
|
|
||||||
gre-bb-a.ak.ber:
|
|
||||||
mode: gre
|
|
||||||
local: {{ ansible_host }}
|
|
||||||
remote: 185.66.195.0
|
|
||||||
mtu: 1400
|
|
||||||
addresses:
|
|
||||||
- {{ gre_bb_a_ak_ber_ipv4 }}/31
|
|
||||||
- {{ gre_bb_a_ak_ber_ipv6 }}/64
|
|
||||||
- fe80::200:5efe:2e04:9c72/64
|
|
||||||
gre-bb-b.ak.ber:
|
|
||||||
mode: gre
|
|
||||||
local: {{ ansible_host }}
|
|
||||||
remote: 185.66.195.1
|
|
||||||
mtu: 1400
|
|
||||||
addresses:
|
|
||||||
- {{ gre_bb_b_ak_ber_ipv4 }}/31
|
|
||||||
- {{ gre_bb_b_ak_ber_ipv6 }}/64
|
|
||||||
- fe80::200:5efe:2e04:9c72/64
|
|
||||||
gre-bb-a.ix.dus:
|
|
||||||
mode: gre
|
|
||||||
local: {{ ansible_host }}
|
|
||||||
remote: 185.66.193.0
|
|
||||||
mtu: 1400
|
|
||||||
addresses:
|
|
||||||
- {{ gre_bb_a_ix_dus_ipv4 }}/31
|
|
||||||
- {{ gre_bb_a_ix_dus_ipv6 }}/64
|
|
||||||
- fe80::200:5efe:2e04:9c72/64
|
|
||||||
gre-bb-b.ix.dus:
|
|
||||||
mode: gre
|
|
||||||
local: {{ ansible_host }}
|
|
||||||
remote: 185.66.193.1
|
|
||||||
mtu: 1400
|
|
||||||
addresses:
|
|
||||||
- {{ gre_bb_b_ix_dus_ipv4 }}/31
|
|
||||||
- {{ gre_bb_b_ix_dus_ipv6}}/64
|
|
||||||
- fe80::200:5efe:2e04:9c72/64
|
|
||||||
gre-bb-a.fra3.f:
|
|
||||||
mode: gre
|
|
||||||
local: {{ ansible_host }}
|
|
||||||
remote: 185.66.194.0
|
|
||||||
mtu: 1400
|
|
||||||
addresses:
|
|
||||||
- {{ gre_bb_a_fra3_f_ipv4 }}/31
|
|
||||||
- {{ gre_bb_a_fra3_f_ipv6 }}/64
|
|
||||||
- fe80::200:5efe:2e04:9c72/64
|
|
||||||
gre-bb-b.fra3.f:
|
|
||||||
mode: gre
|
|
||||||
local: {{ ansible_host }}
|
|
||||||
remote: 185.66.194.1
|
|
||||||
mtu: 1400
|
|
||||||
addresses:
|
|
||||||
- {{ gre_bb_b_fra3_f_ipv4 }}/31
|
|
||||||
- {{ gre_bb_b_fra3_f_ipv6 }}/64
|
|
||||||
- fe80::200:5efe:2e04:9c72/64
|
|
||||||
ethernets:
|
|
||||||
lo:
|
|
||||||
addresses:
|
|
||||||
- {{ ffrl_ipv4 }}/32
|
|
||||||
- {{ ffrl_ipv6 }}/52
|
|
||||||
- 127.0.0.1/8
|
|
@ -1,11 +1,10 @@
|
|||||||
- name: Install all Packages
|
- name: Install all Packages
|
||||||
apt: name={{ item }} state=latest update_cache=yes
|
ansible.builtin.apt:
|
||||||
with_items:
|
name:
|
||||||
- curl
|
- curl
|
||||||
- nano
|
- nano
|
||||||
- vim
|
- vim
|
||||||
- htop
|
- htop
|
||||||
- bird
|
|
||||||
- screen
|
- screen
|
||||||
- iproute2
|
- iproute2
|
||||||
- iptables
|
- iptables
|
||||||
@ -15,3 +14,5 @@
|
|||||||
- iw
|
- iw
|
||||||
- speedtest-cli
|
- speedtest-cli
|
||||||
- telnet
|
- telnet
|
||||||
|
state: latest
|
||||||
|
update_cache: yes
|
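Review bot: `state: latest` together with `update_cache: yes` upgrades every listed package on each run, so a routine playbook run can pull unpinned package updates onto the router; `state: present` is the idempotent choice, with upgrades done as a deliberate, separate step. The move to a `name:` list under `ansible.builtin.apt:` is the right direction — the same conversion is still missing in `roles/21-install-oitc/tasks/main.yml` in this commit, which keeps the `apt: name={{ item }}` / `with_items` form. The file header for this section is not shown, so the path is inferred from the hunk only.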
26
roles/01-system-set-networking/tasks/main.yml
Normal file
26
roles/01-system-set-networking/tasks/main.yml
Normal file
@ -0,0 +1,26 @@
|
|||||||
|
---
|
||||||
|
- name: Set NAT MASQUERADE
|
||||||
|
ansible.builtin.iptables:
|
||||||
|
chain: POSTROUTING
|
||||||
|
table: nat
|
||||||
|
source: "{{ internal_network }}"
|
||||||
|
jump: MASQUERADE
|
||||||
|
|
||||||
|
- ansible.posix.sysctl:
|
||||||
|
name: kernel.panic
|
||||||
|
value: '1'
|
||||||
|
sysctl_file: /etc/sysctl.conf
|
||||||
|
|
||||||
|
- ansible.posix.sysctl:
|
||||||
|
name: net.ipv4.ip_forward
|
||||||
|
value: '1'
|
||||||
|
sysctl_set: true
|
||||||
|
state: present
|
||||||
|
reload: true
|
||||||
|
|
||||||
|
- ansible.posix.sysctl:
|
||||||
|
name: net.ipv6.conf.all.forwarding
|
||||||
|
value: '1'
|
||||||
|
sysctl_set: true
|
||||||
|
state: present
|
||||||
|
reload: true
|
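Review bot: The `ansible.builtin.iptables` MASQUERADE task only changes the running ruleset — the module does not save or restore rules — so the rule is lost on reboot now that the `@reboot` cron job (sn_startup.sh) is deleted in this commit; persist it (netfilter-persistent, or a handler that runs iptables-save) or add a comment stating that reboot persistence is handled elsewhere. The rule also sets no `out_interface`, so every packet from `{{ internal_network }}` is masqueraded on every egress interface, including the WireGuard one; `out_interface: <WAN_INTERFACE>` (placeholder) narrows it to the uplink. The three `ansible.posix.sysctl` tasks have no `name:`, which makes play output hard to read, and the `kernel.panic` task differs in shape from the two forwarding tasks (no `sysctl_set`/`state`/`reload`) for no visible reason.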
@ -1,16 +0,0 @@
|
|||||||
- name: Ensures Freifunk Folder exists
|
|
||||||
file: path=/opt/freifunk state=directory
|
|
||||||
|
|
||||||
- name: Copy Reboot Script
|
|
||||||
ansible.builtin.template:
|
|
||||||
src: sn_startup.sh.j2
|
|
||||||
dest: /opt/freifunk/sn_startup.sh
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: '0775'
|
|
||||||
|
|
||||||
- name: Cron Job to run after boot
|
|
||||||
ansible.builtin.cron:
|
|
||||||
name: "Set Freifunk Routes"
|
|
||||||
special_time: reboot
|
|
||||||
job: /opt/freifunk/sn_startup.sh
|
|
@ -1,58 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
# Version 1.91
|
|
||||||
|
|
||||||
sleep 5
|
|
||||||
|
|
||||||
# Activate IP forwarding
|
|
||||||
/sbin/sysctl -w net.ipv6.conf.all.forwarding=1
|
|
||||||
/sbin/sysctl -w net.ipv4.ip_forward=1
|
|
||||||
|
|
||||||
# restart when kernel panic
|
|
||||||
/sbin/sysctl kernel.panic=1
|
|
||||||
|
|
||||||
# Routing table 42
|
|
||||||
/bin/grep 42 /etc/iproute2/rt_tables || /bin/echo 42 ffrl >> /etc/iproute2/rt_tables
|
|
||||||
|
|
||||||
# Set table for traffice with mark 4
|
|
||||||
/bin/ip rule add fwmark 0x4 table 42
|
|
||||||
/bin/ip -6 rule add fwmark 0x4 table 42
|
|
||||||
|
|
||||||
# Set mark 4 to Freifunk traffic
|
|
||||||
/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MARK --set-mark 4
|
|
||||||
/sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/48 ! -d 2a03:2260:121::/48 -j MARK --set-mark 4
|
|
||||||
|
|
||||||
# All from FF IPv4 via routing table 42
|
|
||||||
/bin/ip rule add from {{ ffrl_ipv4 }}/32 lookup 42
|
|
||||||
/bin/ip -6 rule add from {{ ffrl_ipv6_net }}/52 lookup 42
|
|
||||||
|
|
||||||
# Add NAT Rules manualy
|
|
||||||
iptables -t nat -D POSTROUTING -o gre-bb-a.ak.ber -j SNAT --to-source {{ ffrl_ipv4 }}
|
|
||||||
iptables -t nat -D POSTROUTING -o gre-bb-b.ak.ber -j SNAT --to-source {{ ffrl_ipv4 }}
|
|
||||||
iptables -t nat -D POSTROUTING -o gre-bb-a.fra3.f -j SNAT --to-source {{ ffrl_ipv4 }}
|
|
||||||
iptables -t nat -D POSTROUTING -o gre-bb-b.fra3.f -j SNAT --to-source {{ ffrl_ipv4 }}
|
|
||||||
iptables -t nat -D POSTROUTING -o gre-bb-a.ix.dus -j SNAT --to-source {{ ffrl_ipv4 }}
|
|
||||||
iptables -t nat -D POSTROUTING -o gre-bb-b.ix.dus -j SNAT --to-source {{ ffrl_ipv4 }}
|
|
||||||
sleep 30
|
|
||||||
iptables -t nat -A POSTROUTING -o gre-bb-a.ak.ber -j SNAT --to-source {{ ffrl_ipv4 }}
|
|
||||||
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ak.ber -j TCPMSS --set-mss 1312
|
|
||||||
ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ak.ber -j TCPMSS --set-mss 1312
|
|
||||||
|
|
||||||
iptables -t nat -A POSTROUTING -o gre-bb-a.fra3.f -j SNAT --to-source {{ ffrl_ipv4 }}
|
|
||||||
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.fra3.f -j TCPMSS --set-mss 1312
|
|
||||||
ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.fra3.f -j TCPMSS --set-mss 1312
|
|
||||||
|
|
||||||
iptables -t nat -A POSTROUTING -o gre-bb-a.ix.dus -j SNAT --to-source {{ ffrl_ipv4 }}
|
|
||||||
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ix.dus -j TCPMSS --set-mss 1312
|
|
||||||
ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ix.dus -j TCPMSS --set-mss 1312
|
|
||||||
|
|
||||||
iptables -t nat -A POSTROUTING -o gre-bb-b.ak.ber -j SNAT --to-source {{ ffrl_ipv4 }}
|
|
||||||
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.ak.ber -j TCPMSS --set-mss 1312
|
|
||||||
ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.ak.ber -j TCPMSS --set-mss 1312
|
|
||||||
|
|
||||||
iptables -t nat -A POSTROUTING -o gre-bb-b.fra3.f -j SNAT --to-source {{ ffrl_ipv4 }}
|
|
||||||
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.fra3.f -j TCPMSS --set-mss 1312
|
|
||||||
ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.fra3.f -j TCPMSS --set-mss 1312
|
|
||||||
|
|
||||||
iptables -t nat -A POSTROUTING -o gre-bb-b.ix.dus -j SNAT --to-source {{ ffrl_ipv4 }}
|
|
||||||
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.ix.dus -j TCPMSS --set-mss 1312
|
|
||||||
ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.ix.dus -j TCPMSS --set-mss 1312
|
|
@ -1,4 +0,0 @@
|
|||||||
- name: Install OpenVPN
|
|
||||||
apt: name={{ item }} state=latest update_cache=yes
|
|
||||||
with_items:
|
|
||||||
- openvpn
|
|
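--- a/roles/21-install-oitc/tasks/main.yml
+++ b/roles/21-install-oitc/tasks/main.yml
@@ -0,0 +1,26 @@
+- name: Repo Key Import
+ansible.builtin.shell: curl https://packages.openitcockpit.io/repokey.txt | sudo apt-key add
+
+- name: Add specified repository into sources list
+ansible.builtin.apt_repository:
+repo: deb https://packages.openitcockpit.io/openitcockpit-agent/deb/stable deb main
+state: present
+
+
+- name: Install Wireguard
+apt: name={{ item }} state=latest update_cache=yes
+with_items:
+- openitcockpit-agent
+
+- name: Copy Config File
+ansible.builtin.template:
+src: oitc.ini.j2
+dest: /etc/openitcockpit-agent/config.ini
+owner: root
+group: root
+mode: '0775'
+
+- name: Restart service httpd, in all cases
+ansible.builtin.service:
+name: openitcockpit-agent
+state: restarted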
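Review bot: The `Repo Key Import` task pipes `curl https://packages.openitcockpit.io/repokey.txt | sudo apt-key add` into the global APT trust store, so the imported key is trusted for every repository on the host, and because it is an `ansible.builtin.shell` task with no `--fail` and no checksum it re-runs on every play and proceeds even if curl returns an error page. Fetching the key with `ansible.builtin.get_url` into `/etc/apt/keyrings` and referencing it with `[signed-by=...]` in the `apt_repository` line is idempotent and scopes trust to this one repository (`apt-key` is deprecated on current Debian/Ubuntu; create the keyrings directory first on releases that lack it). `mode: '0775'` on `/etc/openitcockpit-agent/config.ini` leaves a file that can carry the agent's `auth` and `apikey` credentials world-readable and group-writable; `0640` with `owner: root` is the usual choice. The task names `Install Wireguard` and `Restart service httpd, in all cases` are copy-paste leftovers and should name the agent package and service.
```yaml
- name: Import openITCOCKPIT repository key
  ansible.builtin.get_url:
    url: https://packages.openitcockpit.io/repokey.txt
    dest: /etc/apt/keyrings/openitcockpit.asc
    mode: '0644'

- name: Add openITCOCKPIT agent repository
  ansible.builtin.apt_repository:
    repo: deb [signed-by=/etc/apt/keyrings/openitcockpit.asc] https://packages.openitcockpit.io/openitcockpit-agent/deb/stable deb main
    state: present

# … unchanged: package install …

- name: Copy Config File
  ansible.builtin.template:
    src: oitc.ini.j2
    dest: /etc/openitcockpit-agent/config.ini
    owner: root
    group: root
    mode: '0640'

# … unchanged: service restart …
```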
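--- a/roles/21-install-oitc/templates/oitc.ini.j2
+++ b/roles/21-install-oitc/templates/oitc.ini.j2
@@ -0,0 +1,177 @@
+[default]
+#
+# This is the configuration file for the openITCOCKPIT Monitoring Agent 3.x
+# Notice: Empty values will not been ignored! If you want to disable an option like proxy comment it out!
+
+#########################
+# Web Server #
+#########################
+
+# Bind address of the build-in web server
+# Use 0.0.0.0 to bind on all interfaces
+address = 0.0.0.0
+
+# Port of the Agents build-in web server
+# Default port is 3333
+port = 3333
+
+#########################
+# Security Settings #
+#########################
+
+# Try to enable auto ssl mode for webserver
+try-autossl = True
+
+# File paths used to store autossl related files (default: /etc/openitcockpit-agent/):
+# Leave this blank to use the default values
+# Example: /etc/openitcockpit-agent/agent.csr
+#autossl-csr-file =
+
+# Example: /etc/openitcockpit-agent/agent.crt
+#autossl-crt-file =
+
+# Example: /etc/openitcockpit-agent/agent.key
+#autossl-key-file =
+
+# Example: /etc/openitcockpit-agent/server_ca.crt
+#autossl-ca-file =
+
+# If a certificate file is given, the agent will only be accessible through HTTPS
+# Instead of messing around with self-signed certificates we recommend to use the autossl feature.
+# Example: /etc/ssl/certs/ssl-cert-snakeoil.pem
+#certfile = /etc/ssl/certs/ssl-cert-snakeoil.pem
+
+# Private key file of the given TLS certificate
+# Example: /etc/ssl/private/ssl-cert-snakeoil.key
+#keyfile = /etc/ssl/private/ssl-cert-snakeoil.key
+
+# Enable remote read and write access to the current agent configuration (this file) and
+# the customchecks config
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+# ! WARNING: This could lead to remote code execution !
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+config-update-mode = False
+
+# Enable HTTP Basic Authentication
+# Example: auth = user:password
+#auth = user:password
+
+#########################
+# Checks #
+#########################
+
+# Determines in seconds how often the agent will schedule all internal checks
+interval = 30
+
+# Remote Plugin Execution
+# Path to config will where custom checks can be defined
+# Comment to use the default value
+#
+# Linux: /etc/openitcockpit-agent/customchecks.ini
+# Windows: C:\Program Files\it-novum\openitcockpit-agent\customchecks.ini
+# macOS: /Applications/openitcockpit-agent/customchecks.ini
+#customchecks = /etc/openitcockpit-agent/customchecks.ini
+
+#########################
+# Enable/Disable checks #
+#########################
+
+# Enable CPU monitoring
+cpustats = True
+
+# Enable memory monitoring
+memory = True
+
+# Enable Swap monitoring
+swap = True
+
+# Enable monitoring of running processes
+processstats = True
+
+# Enable monitoring of network interfaces
+netstats = True
+
+# Enable monitoring of the traffic (I/O) of network interfaces
+netio = True
+
+# Enable disk usage monitoring
+diskstats = True
+
+# Enable monitoring of disk I/O
+diskio = True
+
+# Enable monitoring of Systemd Services (Linux only)
+systemdservices = True
+
+# Enable monitoring of Launchd Services (macOS only)
+launchdservices = True
+
+# Enable monitoring of Windows Services (Windows only)
+winservices = True
+
+# Enable monitoring of Windows Event Log records (Windows only)
+wineventlog = False
+
+# Determines how the openITCOCKPIT Monitoring Agent should query the Windows Event Log.
+# Since Version 3.0.9 WMI (Windows Management Instrumentation) will be used by default
+# As alternative the Agent could use the PowerShell Get-EventLog cmdlet.
+# The WMI method will maybe memory leak on Windows Server 2016. The PowerShell workaround
+# on the other hand could lead to blue screens (OA-40).
+wineventlog-method = WMI
+#wineventlog-method = PowerShell
+
+# Define comma separated windows event log log types
+# Event Logs containing spaces DO NOT need to be quoted: Security,Sophos Cloud AD Sync,Application
+wineventlog-logtypes = System,Application,Security
+
+# Enable monitoring of temperature and battery sensors
+sensorstats = True
+
+# Enable support to monitor Docker containers
+# Known issues: Error response from daemon: client version 1.41 is too new. Maximum supported API version is 1.40
+# Workaround: export DOCKER_API_VERSION=1.40
+dockerstats = False
+
+# Check KVMs through libvirt
+# This requires to complie the openITCOCKPIT Monitoring Agent by yourself.
+# Please see the Wiki for instructions: https://github.com/it-novum/openitcockpit-agent-go/wiki/Build-binary
+libvirt = True
+
+# Enable logged in users check
+userstats = True
+
+#########################
+# Push mode #
+#########################
+
+# By default openITCOCKPIT will pull check results from the openITCOCKPIT Agent.
+# In a cloud environments or behind a NAT network it could become handy
+# if the openITCOCKPIT Monitoring Agent will push the results to your openITCOCKPIT Server
+[oitc]
+
+# Enable Push Mode
+enabled = False
+
+# This option disables the webserver of the openITCOCKPIT Monitoring Agent when running in PUSH mode.
+# When you also want to enable the Webserver even if the agent is running in PUSH mode we highly recommend
+# to enable HTTP Basic Authentication and to use the certfile and keyfile options to enable HTTPS
+enable-webserver = False
+
+# Address of your openITCOCKPIT Server where the Agent will push the results to
+# Example: https://demo.openitcockpit.io
+url =
+
+# Enable this option when your openITCOCKPIT server uses valid TLS certificates
+# like from Let's Encrypt
+verify-server-certificate = False
+
+# Timeout in seconds for the HTTP push client
+timeout = 10
+
+# API-Key of your openITCOCKPIT Server
+apikey =
+
+# Address of HTTP/HTTPS Proxy if required.
+# Comment to disable
+# Example: http://10.10.1.10:3128
+#proxy = http://10.10.1.10:3128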
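Review bot: `address = 0.0.0.0` together with `#auth = user:password` left commented makes the agent's web server on `port = 3333` reachable without authentication from every interface of a host whose eth0 carries a public WAN address, and nothing in this commit adds a firewall rule for that port. With `config-update-mode = False` this is read-only exposure of host metrics, process lists and service state rather than code execution, but it is still unauthenticated information disclosure to the internet; either bind `address` to the address the monitoring server reaches the host on, or set `auth` from an Ansible Vault variable, and restrict 3333 to the monitoring server. The file is installed as a `.j2` template but contains no template expressions, so per-host values such as `auth`, `url` and `apikey` cannot come from inventory, which is presumably where those credentials would otherwise live. If push mode is enabled later, `verify-server-certificate = False` should be revisited at the same time, since it disables TLS verification for the API key upload.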
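--- a/roles/40-vyos-system/tasks/main.yml
+++ b/roles/40-vyos-system/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Set Vyos Hostname
+vyos.vyos.vyos_hostname:
+config:
+hostname: "{{ inventory_hostname }}"
+state: merged
+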
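--- a/roles/41-vyos-interfaces/tasks/main.yml
+++ b/roles/41-vyos-interfaces/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+- name: Create Local Interfaces
+vyos.vyos.vyos_l3_interfaces:
+config:
+- name: eth0
+ipv4:
+- address: "{{ wan_address }}"
+- name: eth1
+ipv4:
+- address: "{{ local_address }}"
+- name: lo
+- address: "{{ ffrl_address }}"
+state: merged
+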
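Review bot: The `lo` entry in `config` puts `- address: "{{ ffrl_address }}"` directly under `- name: lo`, while `eth0` and `eth1` nest their address list under an `ipv4:` key; as written, `vyos_l3_interfaces` will reject or ignore the loopback address, so the FFRL exit address is never configured. Insert `ipv4:` between `- name: lo` and the address line so all three entries have the same shape. Indentation is lost in this rendering, so if the key is present but mis-indented the fix is the same.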
@ -1,16 +1,14 @@
|
|||||||
# ansible-playbook -i hosts.yml -u root system-setup.yml
|
# ansible-playbook -i hosts.yml system-setup.yml
|
||||||
- name: System preperation
|
- name: System preperation
|
||||||
hosts: supernodes
|
hosts: supernodes
|
||||||
roles:
|
roles:
|
||||||
- 00-system-set-hostname
|
- 00-system-set-hostname
|
||||||
- 00-create-sudo-user
|
- 00-create-sudo-user
|
||||||
- 00-system-set-network
|
- 01-system-set-networking
|
||||||
- 00-system-set-bird
|
|
||||||
- 01-system-install-packages
|
- 01-system-install-packages
|
||||||
- 11-create-cronjob
|
|
||||||
|
|
||||||
- name: System preperation
|
- name: System preperation
|
||||||
hosts: vpn-offloader
|
hosts: vpn-offloader
|
||||||
roles:
|
roles:
|
||||||
# - 20-install-openvpn
|
|
||||||
- 21-install-wireguard
|
- 21-install-wireguard
|
||||||
|
- 21-install-oitc
|
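--- a/update_wg.yml
+++ b/update_wg.yml
@@ -0,0 +1,17 @@
+# ansible-playbook -i hosts.yml -u root system-setup.yml
+- name: System preperation
+hosts: supernodes
+roles:
+- 00-system-set-hostname
+- 00-create-sudo-user
+- 00-system-set-network
+- 00-system-set-bird
+- 01-system-install-packages
+- 11-create-cronjob
+
+- name: System preperation
+hosts: vpn-offloader
+roles:
+# - 20-install-openvpn
+- 21-install-wireguard
+- 21-install-oitc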
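Review bot: `update_wg.yml` is a verbatim copy of the previous `system-setup.yml` play, including the usage comment `# ansible-playbook -i hosts.yml -u root system-setup.yml` and the full supernode role list (`00-system-set-hostname`, `00-create-sudo-user`, `00-system-set-bird`, `11-create-cronjob`), none of which is a WireGuard update. Running it re-applies the whole system preparation, and since the neighbouring `system-setup.yml` hunk replaces `00-system-set-network` with `01-system-set-networking`, this file appears to reference a role that may no longer exist. Reduce it to the `vpn-offloader` play with `21-install-wireguard` (or whichever role performs the update) and change the comment to `# ansible-playbook -i hosts.yml update_wg.yml`.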
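--- a/vpn01.md
+++ b/vpn01.md
@@ -0,0 +1,72 @@
+vpn02
+# Supernode mit direkter VPN Ausleitung
+
+Ausleitung über das FFRL Backbone.
+Supernode Config:
+- GRE-Tunnel zum FFRL Backbone
+- VPN per Wireguard
+- NAT auf VPN Routern
+
+## Adressbereiche:
+
+Supernode: 10.255.1.1/32
+
+VPN01: 10.255.1.2/32, Client: 10.1.0.0/16
+VPN02: 10.255.1.3/32, Client: 10.2.0.0/16
+VPN03: 10.255.1.4/32, Client: 10.3.0.0/16
+etc.
+
+
+## ER-X Stock Firmware Config:
+> Vor der Installation:
+> - eth0 als DHCP Client
+> - eth1-4 auf den Switch
+> - Switch mit DHCP Server einrichten. Adressbereich aus Tabelle beachten!
+
+## Install Wireguard
+cd /tmp
+curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
+sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
+
+## Generate Keys
+cd /config/auth
+wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public
+cat wg.public
+cat wg.key
+
+## Config ER-X
+configure
+## Wireguard
+set interfaces wireguard wg0 address 10.255.1.2/24
+set interfaces wireguard wg0 address fd80:3ea2:e399:203a::2/64
+set interfaces wireguard wg0 listen-port 51822
+set interfaces wireguard wg0 route-allowed-ips false
+set interfaces wireguard wg0 persistent-keepalive 25
+set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 7.fftdf.de:42001
+set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0
+set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips ::0/0
+set interfaces wireguard wg0 private-key /config/auth/wg.key
+## Firewall for Wireguard
+set firewall name WAN_LOCAL rule 20 action accept
+set firewall name WAN_LOCAL rule 20 protocol udp
+set firewall name WAN_LOCAL rule 20 description 'WireGuard'
+set firewall name WAN_LOCAL rule 20 destination port 51821
+set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
+set firewall group network-group LAN-VPN network 10.1.0.0/16
+set firewall group network-group RFC1918 network 10.0.0.0/8
+set firewall group network-group RFC1918 network 172.16.0.0/12
+set firewall group network-group RFC1918 network 192.168.0.0/16
+set firewall group network-group RFC1918 network 169.254.0.0/16
+set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
+set firewall modify VPN_TDF7 rule 100 action modify
+set firewall modify VPN_TDF7 rule 100 description 'Route traffic from group LAN-VPN through VPN-TDF7 table'
+set firewall modify VPN_TDF7 rule 100 modify table 2
+set firewall modify VPN_TDF7 rule 100 source group network-group LAN-VPN
+set interfaces switch switch0 firewall in modify VPN_TDF7
+## NAT einrichten
+set service nat rule 5010 description 'masquerade for VPN'
+set service nat rule 5010 outbound-interface wg0
+set service nat rule 5010 type masquerade
+set service nat rule 5010 protocol all
+## Speichern
+commit ; save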
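Review bot: The firewall rule `set firewall name WAN_LOCAL rule 20 destination port 51821` does not match this host's `set interfaces wireguard wg0 listen-port 51822`, so inbound WireGuard handshakes to vpn01 are not accepted by WAN_LOCAL (vpn02.md and vpn03.md use 51821 on both lines and are consistent); one of the two lines needs to change. In the key generation step, `wg genkey | tee /config/auth/wg.key` creates the private key with the default umask and `cat wg.key` then prints it to the terminal and into the shell history; prefix the step with `umask 077` (or run `chmod 600 /config/auth/wg.key` afterwards) and drop the `cat wg.key` line, since only `wg.public` has to be handed to the supernode — the same applies to vpn02.md and vpn03.md. The first line of vpn01.md reads `vpn02`, a copy-paste leftover from the other runbook.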
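--- a/vpn02.md
+++ b/vpn02.md
@@ -0,0 +1,72 @@
+vpn02
+# Supernode mit direkter VPN Ausleitung
+
+Ausleitung über das FFRL Backbone.
+Supernode Config:
+- GRE-Tunnel zum FFRL Backbone
+- VPN per Wireguard
+- NAT auf VPN Routern
+
+## Adressbereiche:
+
+Supernode: 10.255.1.1/32
+
+VPN01: 10.255.1.2/32, Client: 10.1.0.0/16
+VPN02: 10.255.1.3/32, Client: 10.2.0.0/16
+VPN03: 10.255.1.4/32, Client: 10.3.0.0/16
+etc.
+
+
+## ER-X Stock Firmware Config:
+> Vor der Installation:
+> - eth0 als DHCP Client
+> - eth1-4 auf den Switch
+> - Switch mit DHCP Server einrichten. Adressbereich aus Tabelle beachten!
+
+## Install Wireguard
+cd /tmp
+curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
+sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
+
+## Generate Keys
+cd /config/auth
+wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public
+cat wg.public
+cat wg.key
+
+## Config ER-X
+configure
+## Wireguard
+set interfaces wireguard wg0 address 10.255.1.3/24
+set interfaces wireguard wg0 address fd80:3ea2:e399:203a::3/64
+set interfaces wireguard wg0 listen-port 51821
+set interfaces wireguard wg0 route-allowed-ips false
+set interfaces wireguard wg0 persistent-keepalive 25
+set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 7.fftdf.de:42001
+set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0
+set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips ::0/0
+set interfaces wireguard wg0 private-key /config/auth/wg.key
+## Firewall for Wireguard
+set firewall name WAN_LOCAL rule 20 action accept
+set firewall name WAN_LOCAL rule 20 protocol udp
+set firewall name WAN_LOCAL rule 20 description 'WireGuard'
+set firewall name WAN_LOCAL rule 20 destination port 51821
+set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
+set firewall group network-group LAN-VPN network 10.2.0.0/16
+set firewall group network-group RFC1918 network 10.0.0.0/8
+set firewall group network-group RFC1918 network 172.16.0.0/12
+set firewall group network-group RFC1918 network 192.168.0.0/16
+set firewall group network-group RFC1918 network 169.254.0.0/16
+set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
+set firewall modify VPN_TDF7 rule 100 action modify
+set firewall modify VPN_TDF7 rule 100 description 'Route traffic from group LAN-VPN through VPN-TDF7 table'
+set firewall modify VPN_TDF7 rule 100 modify table 2
+set firewall modify VPN_TDF7 rule 100 source group network-group LAN-VPN
+set interfaces switch switch0 firewall in modify VPN_TDF7
+## NAT einrichten
+set service nat rule 5010 description 'masquerade for VPN'
+set service nat rule 5010 outbound-interface wg0
+set service nat rule 5010 type masquerade
+set service nat rule 5010 protocol all
+## Speichern
+commit ; save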
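--- a/vpn03.md
+++ b/vpn03.md
@@ -0,0 +1,72 @@
+vpn03
+# Supernode mit direkter VPN Ausleitung
+
+Ausleitung über das FFRL Backbone.
+Supernode Config:
+- GRE-Tunnel zum FFRL Backbone
+- VPN per Wireguard
+- NAT auf VPN Routern
+
+## Adressbereiche:
+
+Supernode: 10.255.1.1/32
+
+VPN01: 10.255.1.2/32, Client: 10.1.0.0/16
+VPN02: 10.255.1.3/32, Client: 10.2.0.0/16
+VPN03: 10.255.1.4/32, Client: 10.3.0.0/16
+etc.
+
+
+## ER-X Stock Firmware Config:
+> Vor der Installation:
+> - eth0 als DHCP Client
+> - eth1-4 auf den Switch
+> - Switch mit DHCP Server einrichten. Adressbereich aus Tabelle beachten!
+
+## Install Wireguard
+cd /tmp
+curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
+sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
+
+## Generate Keys
+cd /config/auth
+wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public
+cat wg.public
+cat wg.key
+
+## Config ER-X
+configure
+## Wireguard
+set interfaces wireguard wg0 address 10.255.1.4/24
+set interfaces wireguard wg0 address fd80:3ea2:e399:203a::4/64
+set interfaces wireguard wg0 listen-port 51821
+set interfaces wireguard wg0 route-allowed-ips false
+set interfaces wireguard wg0 persistent-keepalive 25
+set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 7.fftdf.de:42001
+set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0
+set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips ::0/0
+set interfaces wireguard wg0 private-key /config/auth/wg.key
+## Firewall for Wireguard
+set firewall name WAN_LOCAL rule 20 action accept
+set firewall name WAN_LOCAL rule 20 protocol udp
+set firewall name WAN_LOCAL rule 20 description 'WireGuard'
+set firewall name WAN_LOCAL rule 20 destination port 51821
+set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
+set firewall group network-group LAN-VPN network 10.3.0.0/16
+set firewall group network-group RFC1918 network 10.0.0.0/8
+set firewall group network-group RFC1918 network 172.16.0.0/12
+set firewall group network-group RFC1918 network 192.168.0.0/16
+set firewall group network-group RFC1918 network 169.254.0.0/16
+set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
+set firewall modify VPN_TDF7 rule 100 action modify
+set firewall modify VPN_TDF7 rule 100 description 'Route traffic from group LAN-VPN through VPN-TDF7 table'
+set firewall modify VPN_TDF7 rule 100 modify table 2
+set firewall modify VPN_TDF7 rule 100 source group network-group LAN-VPN
+set interfaces switch switch0 firewall in modify VPN_TDF7
+## NAT einrichten
+set service nat rule 5010 description 'masquerade for VPN'
+set service nat rule 5010 outbound-interface wg0
+set service nat rule 5010 type masquerade
+set service nat rule 5010 protocol all
+## Speichern
+commit ; save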