Bugfixing
This commit is contained in:
parent
aa3bf94140
commit
9a8ee7942c
@ -1,5 +1,5 @@
|
|||||||
wireguard_unmanaged_peers:
|
wireguard_unmanaged_peers:
|
||||||
vpn1-stefan:
|
vpn1-stefan:
|
||||||
public_key: Tkp/f1BlLSfl87+waTuZDRdrEgalBgy2oVg6fOluAx4=
|
public_key: 8BoLoKRwSNRdUe0uygneYFdTIx5iHwoMENbnzpomYCI=
|
||||||
allowed_ips: 10.255.1.2/32, 10.1.0.0/16
|
allowed_ips: 10.255.1.2/32, 10.1.0.0/16
|
||||||
persistent_keepalive: 25
|
persistent_keepalive: 25
|
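--- a/readme.md
+++ b/readme.md
@@ -0,0 +1,70 @@
+# Supernode mit direkter VPN Ausleitung
+
+
+## ER-X Stock Firmware Config:
+cd /tmp
+curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
+sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
+
+cd /config/auth
+wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public
+cat wg.public
+cat wg.key
+######
+configure
+######
+# Wireguard
+set interfaces wireguard wg0 address 10.255.1.2/30
+set interfaces wireguard wg0 listen-port 51821
+set interfaces wireguard wg0 route-allowed-ips false
+set interfaces wireguard wg0 persistent-keepalive 25
+set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 7.fftdf.de:42001
+set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0
+set interfaces wireguard wg0 private-key /config/auth/wg.key
+# Firewall for Wireguard
+set firewall name WAN_LOCAL rule 20 action accept
+set firewall name WAN_LOCAL rule 20 protocol udp
+set firewall name WAN_LOCAL rule 20 description 'WireGuard'
+set firewall name WAN_LOCAL rule 20 destination port 51821
+
+# Config WAN Interface
+# delete interfaces ethernet eth0
+# set interfaces ethernet eth0 address dhcp
+
+# Config Client Interface
+# set interfaces ethernet eth2 address 10.1.0.1/16
+###### NAT Rules & DHCP
+# configure
+# set service dhcp-server disabled false
+# set service dhcp-server shared-network-name Client authoritative enable
+# set service dhcp-server shared-network-name Client subnet 10.1.0.0/16 default-router 10.1.0.1
+# set service dhcp-server shared-network-name Client subnet 10.1.0.0/16 dns-server 1.1.1.1
+# set service dhcp-server shared-network-name Client subnet 10.1.0.0/16 lease 86400
+# set service dhcp-server shared-network-name Client subnet 10.1.0.0/16 start 10.1.1.1 stop 10.1.255.254
+
+
+set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
+set firewall group network-group LAN-VPN network 10.1.0.0/16
+
+set firewall group network-group RFC1918 network 10.0.0.0/8
+set firewall group network-group RFC1918 network 172.16.0.0/12
+set firewall group network-group RFC1918 network 192.168.0.0/16
+set firewall group network-group RFC1918 network 169.254.0.0/16
+
+set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
+
+set firewall modify VPN_TDF7 rule 100 action modify
+set firewall modify VPN_TDF7 rule 100 description 'Route traffic from group LAN-VPN through VPN-TDF7 table'
+set firewall modify VPN_TDF7 rule 100 modify table 2
+set firewall modify VPN_TDF7 rule 100 source group network-group LAN-VPN
+
+set interfaces ethernet eth2 firewall in modify VPN_TDF7
+set interfaces ethernet switch0 firewall in modify VPN_TDF7
+### nat
+set service nat rule 5010 description 'masquerade for VPN'
+set service nat rule 5010 outbound-interface wg0
+set service nat rule 5010 type masquerade
+set service nat rule 5010 protocol all
+
+
+commit ; save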
@ -5,9 +5,11 @@
|
|||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: '0644'
|
mode: '0644'
|
||||||
|
register: networkconfig
|
||||||
|
|
||||||
- name: Netplan Apply
|
- name: Netplan Apply
|
||||||
ansible.builtin.shell: netplan apply
|
ansible.builtin.shell: netplan apply
|
||||||
|
when: networkconfig.changed
|
||||||
|
|
||||||
- name: Add ifDown Scripts via networkd-dispatcher
|
- name: Add ifDown Scripts via networkd-dispatcher
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
|
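Review bot: The new `register: networkconfig` / `when: networkconfig.changed` pair hand-rolls what an Ansible handler already provides; `notify: Netplan Apply` on the template task plus a handler of that name keeps the "apply only when the config changed" intent in one place and also collapses multiple config changes into a single apply. Separately, `netplan apply` uses no shell features, so `ansible.builtin.command: netplan apply` runs the fixed command without spawning a shell. As written the hunk is not wrong, only less idiomatic. The enclosing task list continues outside the hunk.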
@ -26,7 +26,13 @@ sleep 5
|
|||||||
/bin/ip -6 rule add from {{ ffrl_ipv6_net }}/52 lookup 42
|
/bin/ip -6 rule add from {{ ffrl_ipv6_net }}/52 lookup 42
|
||||||
|
|
||||||
# Add NAT Rules manualy
|
# Add NAT Rules manualy
|
||||||
sleep 60
|
iptables -t nat -D POSTROUTING -o gre-bb-a.ak.ber -j SNAT --to-source {{ ffrl_ipv4 }}
|
||||||
|
iptables -t nat -D POSTROUTING -o gre-bb-b.ak.ber -j SNAT --to-source {{ ffrl_ipv4 }}
|
||||||
|
iptables -t nat -D POSTROUTING -o gre-bb-a.fra3.f -j SNAT --to-source {{ ffrl_ipv4 }}
|
||||||
|
iptables -t nat -D POSTROUTING -o gre-bb-b.fra3.f -j SNAT --to-source {{ ffrl_ipv4 }}
|
||||||
|
iptables -t nat -D POSTROUTING -o gre-bb-a.ix.dus -j SNAT --to-source {{ ffrl_ipv4 }}
|
||||||
|
iptables -t nat -D POSTROUTING -o gre-bb-b.ix.dus -j SNAT --to-source {{ ffrl_ipv4 }}
|
||||||
|
sleep 30
|
||||||
iptables -t nat -A POSTROUTING -o gre-bb-a.ak.ber -j SNAT --to-source {{ ffrl_ipv4 }}
|
iptables -t nat -A POSTROUTING -o gre-bb-a.ak.ber -j SNAT --to-source {{ ffrl_ipv4 }}
|
||||||
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ak.ber -j TCPMSS --set-mss 1312
|
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ak.ber -j TCPMSS --set-mss 1312
|
||||||
ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ak.ber -j TCPMSS --set-mss 1312
|
ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ak.ber -j TCPMSS --set-mss 1312
|
||||||
|
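Review bot: Between the new `iptables -t nat -D POSTROUTING -o gre-bb-a.ak.ber …` line and the unchanged `-A` that re-adds it there is now a `sleep 30`, so for 30 seconds after every run traffic leaving via gre-bb-a.ak.ber is not SNATed to {{ ffrl_ipv4 }} at all. Each `-D` also exits non-zero when the rule is absent and removes only one instance if the rule was appended more than once, so if the enclosing script runs under `set -e` (its start is outside the hunk) the first missing rule aborts it before the re-add. I would install the ak.ber rule idempotently first and only then clear the stale rules for the other five tunnels, looping on `-D` so duplicates go too, which makes the existing `-A` line for ak.ber redundant; whether the 30 s wait is needed for the tunnels to come up I cannot tell from here.
```shell
# … unchanged: /bin/ip -6 rule add … (line before the NAT block) …
# Make sure the active SNAT rule exists before touching the others, so there is no window without SNAT
iptables -t nat -C POSTROUTING -o gre-bb-a.ak.ber -j SNAT --to-source {{ ffrl_ipv4 }} 2>/dev/null \
  || iptables -t nat -A POSTROUTING -o gre-bb-a.ak.ber -j SNAT --to-source {{ ffrl_ipv4 }}
# Remove stale SNAT rules for the other tunnels; loop because -D deletes one instance per call
for dev in gre-bb-b.ak.ber gre-bb-a.fra3.f gre-bb-b.fra3.f gre-bb-a.ix.dus gre-bb-b.ix.dus; do
    while iptables -t nat -D POSTROUTING -o "$dev" -j SNAT --to-source {{ ffrl_ipv4 }} 2>/dev/null; do :; done
done
# … unchanged: TCPMSS clamp rules …
```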