diff --git a/host_vars/troisdorf7.yml b/host_vars/troisdorf7.yml
index 86299d6..28133d4 100644
--- a/host_vars/troisdorf7.yml
+++ b/host_vars/troisdorf7.yml
@@ -1,5 +1,5 @@
 wireguard_unmanaged_peers:
   vpn1-stefan:
-    public_key: Tkp/f1BlLSfl87+waTuZDRdrEgalBgy2oVg6fOluAx4=
+    public_key: 8BoLoKRwSNRdUe0uygneYFdTIx5iHwoMENbnzpomYCI=
     allowed_ips: 10.255.1.2/32, 10.1.0.0/16
     persistent_keepalive: 25
\ No newline at end of file
diff --git a/readme.md b/readme.md
new file mode 100644
index 0000000..41713ed
--- /dev/null
+++ b/readme.md
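Review bot: The file still has no newline after `persistent_keepalive: 25` (the `\ No newline at end of file` marker survives the change), so the next edit of that key will show up as a two-line diff; add the trailing newline while the file is being touched. The new `public_key` value is a WireGuard public key and is fine to keep in host_vars; what this diff cannot show is whether the old key is still listed in any other peer configuration, which is worth confirming as part of the rotation.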
@@ -0,0 +1,70 @@
+# Supernode mit direkter VPN Ausleitung
+
+
+## ER-X Stock Firmware Config:
+cd /tmp
+curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
+sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
+
+cd /config/auth
+wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public
+cat wg.public
+cat wg.key
+######
+configure
+######
+# Wireguard
+set interfaces wireguard wg0 address 10.255.1.2/30
+set interfaces wireguard wg0 listen-port 51821
+set interfaces wireguard wg0 route-allowed-ips false
+set interfaces wireguard wg0 persistent-keepalive 25
+set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 7.fftdf.de:42001
+set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0
+set interfaces wireguard wg0 private-key /config/auth/wg.key
+# Firewall for Wireguard
+set firewall name WAN_LOCAL rule 20 action accept
+set firewall name WAN_LOCAL rule 20 protocol udp
+set firewall name WAN_LOCAL rule 20 description 'WireGuard'
+set firewall name WAN_LOCAL rule 20 destination port 51821
+
+# Config WAN Interface
+# delete interfaces ethernet eth0
+# set interfaces ethernet eth0 address dhcp
+
+# Config Client Interface
+# set interfaces ethernet eth2 address 10.1.0.1/16
+###### NAT Rules & DHCP
+# configure
+# set service dhcp-server disabled false
+# set service dhcp-server shared-network-name Client authoritative enable
+# set service dhcp-server shared-network-name Client subnet 10.1.0.0/16 default-router 10.1.0.1
+# set service dhcp-server shared-network-name Client subnet 10.1.0.0/16 dns-server 1.1.1.1
+# set service dhcp-server shared-network-name Client subnet 10.1.0.0/16 lease 86400
+# set service dhcp-server shared-network-name Client subnet 10.1.0.0/16 start 10.1.1.1 stop 10.1.255.254
+
+
+set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
+set firewall group network-group LAN-VPN network 10.1.0.0/16
+
+set firewall group network-group RFC1918 network 10.0.0.0/8
+set firewall group network-group RFC1918 network 172.16.0.0/12
+set firewall group network-group RFC1918 network 192.168.0.0/16
+set firewall group network-group RFC1918 network 169.254.0.0/16
+
+set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
+
+set firewall modify VPN_TDF7 rule 100 action modify
+set firewall modify VPN_TDF7 rule 100 description 'Route traffic from group LAN-VPN through VPN-TDF7 table'
+set firewall modify VPN_TDF7 rule 100 modify table 2
+set firewall modify VPN_TDF7 rule 100 source group network-group LAN-VPN
+
+set interfaces ethernet eth2 firewall in modify VPN_TDF7
+set interfaces ethernet switch0 firewall in modify VPN_TDF7
+### nat
+set service nat rule 5010 description 'masquerade for VPN'
+set service nat rule 5010 outbound-interface wg0
+set service nat rule 5010 type masquerade
+set service nat rule 5010 protocol all
+
+
+commit ; save
diff --git a/roles/00-system-set-network/tasks/main.yml b/roles/00-system-set-network/tasks/main.yml
index 6c5822b..a42bb71 100644
--- a/roles/00-system-set-network/tasks/main.yml
+++ b/roles/00-system-set-network/tasks/main.yml
@@ -5,9 +5,11 @@
     owner: root
     group: root
     mode: '0644'
+  register: networkconfig
 
 - name: Netplan Apply
   ansible.builtin.shell: netplan apply
+  when: networkconfig.changed
 
 - name: Add ifDown Scripts via networkd-dispatcher
   ansible.builtin.template:
diff --git a/roles/11-create-cronjob/templates/sn_startup.sh.j2 b/roles/11-create-cronjob/templates/sn_startup.sh.j2
index ba64061..a6a8f25 100644
--- a/roles/11-create-cronjob/templates/sn_startup.sh.j2
+++ b/roles/11-create-cronjob/templates/sn_startup.sh.j2
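Review bot: `when: networkconfig.changed` together with the new `register` does gate `netplan apply` on the template result, but the idiomatic Ansible shape for "run this only when that file changed" is a handler — `notify: Netplan Apply` on the template task and the apply task moved under handlers — which needs no registered variable and still fires at the end of the play. If the task stays inline, `when: networkconfig is changed` is the test form ansible-lint asks for, and `ansible.builtin.command: netplan apply` is sufficient because the line uses no shell features. The template task that `register: networkconfig` belongs to starts above the hunk, so its `src`/`dest` are not visible here.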
@@ -26,7 +26,13 @@ sleep 5
 /bin/ip -6 rule add from {{ ffrl_ipv6_net }}/52 lookup 42
 # Add NAT Rules manualy
-sleep 60
+iptables -t nat -D POSTROUTING -o gre-bb-a.ak.ber -j SNAT --to-source {{ ffrl_ipv4 }}
+iptables -t nat -D POSTROUTING -o gre-bb-b.ak.ber -j SNAT --to-source {{ ffrl_ipv4 }}
+iptables -t nat -D POSTROUTING -o gre-bb-a.fra3.f -j SNAT --to-source {{ ffrl_ipv4 }}
+iptables -t nat -D POSTROUTING -o gre-bb-b.fra3.f -j SNAT --to-source {{ ffrl_ipv4 }}
+iptables -t nat -D POSTROUTING -o gre-bb-a.ix.dus -j SNAT --to-source {{ ffrl_ipv4 }}
+iptables -t nat -D POSTROUTING -o gre-bb-b.ix.dus -j SNAT --to-source {{ ffrl_ipv4 }}
+sleep 30
 iptables -t nat -A POSTROUTING -o gre-bb-a.ak.ber -j SNAT --to-source {{ ffrl_ipv4 }}
 iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ak.ber -j TCPMSS --set-mss 1312
 ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ak.ber -j TCPMSS --set-mss 1312
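Review bot: The six `iptables -t nat -D` lines remove exactly one SNAT rule each, but the `-t mangle … TCPMSS` rules appended right below them (and presumably the same pair for the other five tunnels further down, outside the hunk) get no matching delete, so those rules still duplicate on every run of the script; and `-D` exits non-zero when the rule is absent, which aborts the script if it runs under `set -e` (the script header is outside the hunk). Checking for a rule with `-C` before appending it makes every rule idempotent and removes the need for the delete block altogether; a small helper keeps each rule spec written once for both the check and the append.
```shell
# Append a rule only when it is not already present; iptables -C exits non-zero if the rule is missing.
ensure_rule() {
  local tool="$1" table="$2" chain="$3"
  shift 3
  "$tool" -t "$table" -C "$chain" "$@" 2>/dev/null || "$tool" -t "$table" -A "$chain" "$@"
}

sleep 30
ensure_rule iptables nat POSTROUTING -o gre-bb-a.ak.ber -j SNAT --to-source {{ ffrl_ipv4 }}
ensure_rule iptables mangle POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ak.ber -j TCPMSS --set-mss 1312
ensure_rule ip6tables mangle POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ak.ber -j TCPMSS --set-mss 1312
# … unchanged: the same three lines for each remaining gre-bb-* tunnel …
```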