IPv6 config
parent
7fb1fe969f
commit
b818b32d66
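--- /dev/null
+++ b/definition.md
@@ -0,0 +1,31 @@
+# Network
+## IP Spaces
+
+### From FFRL
+
+External IPv4:
+- troisdorf4: 185.66.193.104
+- troisdorf5: 185.66.193.105
+- troisdorf6: 185.66.193.106
+- troisdorf7: 185.66.193.107
+
+IPv6 Prefix: 2a03:2260:121::/48
+
+### Internal and Segmentation:
+
+#### IPv4:
+Wir unterscheiden zwischen Gluon Netzen und VPN-Offloader Netzen
+
+Die Gluon Netze sind im bereich 10.188.0.0/16
+
+Die VPN Offloader Netze im Bereich 10.0.0.0/8
+
+#### IPv6:
+
+FFRL 2a03:2260:121::/48 (/51)
+
+GRE-Router: /52 (16x) (8x /55)
+
+Supernodes / VPN Server 8x (8x /58)
+
+Router (64x /64)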
@ -1,21 +1,21 @@
|
|||||||
###
|
###
|
||||||
### Ansible
|
### Ansible
|
||||||
###
|
###
|
||||||
ansible_host: 185.66.193.107
|
ansible_host: 5.9.220.114
|
||||||
ansible_port: 2222
|
ansible_port: 22
|
||||||
ansible_ssh_user: root
|
ansible_ssh_user: root
|
||||||
ansible_python_interpreter: /usr/bin/python3
|
ansible_python_interpreter: /usr/bin/python3
|
||||||
|
|
||||||
###
|
###
|
||||||
### Vars
|
### Vars
|
||||||
###
|
###
|
||||||
internal_network: "10.255.1.0/24"
|
internal_network: "10.255.0.0/16"
|
||||||
|
|
||||||
###
|
###
|
||||||
### Wireguard
|
### Wireguard
|
||||||
###
|
###
|
||||||
|
ipv6_network: 2a03:2260:121:600::/58
|
||||||
wireguard_address: "10.255.1.1/24, fd80:3ea2:e399:203a::1/64"
|
wireguard_address: "10.255.1.1/24, 2a03:2260:121:602::2/64"
|
||||||
wireguard_port: 42001
|
wireguard_port: 42001
|
||||||
|
|
||||||
wireguard_unmanaged_peers:
|
wireguard_unmanaged_peers:
|
||||||
@ -37,5 +37,5 @@ wireguard_unmanaged_peers:
|
|||||||
persistent_keepalive: 25
|
persistent_keepalive: 25
|
||||||
vpn5-stefan:
|
vpn5-stefan:
|
||||||
public_key: UHaYitx18sO71Ssk2SVUgdjLaAILbCthCmosU+Fs5Es=
|
public_key: UHaYitx18sO71Ssk2SVUgdjLaAILbCthCmosU+Fs5Es=
|
||||||
allowed_ips: 10.255.1.6/32, 10.5.0.0/16, fd80:3ea2:e399:203a::6/128
|
allowed_ips: 10.255.1.6/32, 10.5.0.0/16, 2a03:2260:121:601::/64
|
||||||
persistent_keepalive: 25
|
persistent_keepalive: 25
|
@ -24,7 +24,7 @@
|
|||||||
- name: "Create user accounts and add users to groups"
|
- name: "Create user accounts and add users to groups"
|
||||||
user:
|
user:
|
||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
groups: wheel
|
groups: sudo
|
||||||
with_items: "{{ users }}"
|
with_items: "{{ users }}"
|
||||||
|
|
||||||
- name: "Add authorized keys"
|
- name: "Add authorized keys"
|
||||||
@ -60,5 +60,21 @@
|
|||||||
- iw
|
- iw
|
||||||
- speedtest-cli
|
- speedtest-cli
|
||||||
- telnet
|
- telnet
|
||||||
|
- libndp0
|
||||||
|
- libndp-tools
|
||||||
|
- ndppd
|
||||||
|
- iptables-persistent
|
||||||
state: latest
|
state: latest
|
||||||
update_cache: yes
|
update_cache: yes
|
||||||
|
|
||||||
|
#
|
||||||
|
# Copy ndppd Config
|
||||||
|
#
|
||||||
|
|
||||||
|
- name: Generate NDPPD Config
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: ndppd.conf.j2
|
||||||
|
dest: /etc/ndppd.conf
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 755
|
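--- /dev/null
+++ b/roles/00-ubuntu-basic/templates/ndppd.conf.j2
@@ -0,0 +1,5 @@
+proxy ens19 {
+rule {{ ipv6_network }} {
+static
+}
+}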
@ -24,3 +24,22 @@
|
|||||||
sysctl_set: true
|
sysctl_set: true
|
||||||
state: present
|
state: present
|
||||||
reload: true
|
reload: true
|
||||||
|
|
||||||
|
- ansible.posix.sysctl:
|
||||||
|
name: net.ipv6.conf.ens19.proxy_ndp
|
||||||
|
value: '1'
|
||||||
|
sysctl_set: true
|
||||||
|
state: present
|
||||||
|
reload: true
|
||||||
|
|
||||||
|
- name: saveip6tables
|
||||||
|
shell: ip6tables-save > /etc/iptables/rules.v6
|
||||||
|
|
||||||
|
- name: saveip4tables
|
||||||
|
shell: iptables-save > /etc/iptables/rules.v4
|
||||||
|
|
||||||
|
- name: Create Routing Table 42
|
||||||
|
ansible.builtin.lineinfile:
|
||||||
|
path: /etc/iproute2/rt_tables
|
||||||
|
line: 42 ffrl
|
||||||
|
create: yes
|
@ -8,6 +8,8 @@ Address = {{ wireguard_address }}
|
|||||||
PrivateKey = {{ wireguard_private_key }}
|
PrivateKey = {{ wireguard_private_key }}
|
||||||
ListenPort = {{ wireguard_port }}
|
ListenPort = {{ wireguard_port }}
|
||||||
|
|
||||||
|
PostUp = ip rule add fwmark 0x4 table 42 && iptables -t mangle -A PREROUTING -s 10.255.0.0/16 ! -d 10.0.0.0/8 -j MARK --set-mark 4
|
||||||
|
|
||||||
|
|
||||||
{% if wireguard_unmanaged_peers is defined %}
|
{% if wireguard_unmanaged_peers is defined %}
|
||||||
# Peers not managed by Ansible from "wireguard_unmanaged_peers" variable
|
# Peers not managed by Ansible from "wireguard_unmanaged_peers" variable
|
||||||
|
@ -1,17 +1,5 @@
|
|||||||
# ansible-playbook -i hosts.yml -u root system-setup.yml
|
# ansible-playbook -i hosts.yml update_wg.yml -e vault.yml --ask-vault-password
|
||||||
- name: System preperation
|
|
||||||
hosts: supernodes
|
|
||||||
roles:
|
|
||||||
- 00-system-set-hostname
|
|
||||||
- 00-create-sudo-user
|
|
||||||
- 00-system-set-network
|
|
||||||
- 00-system-set-bird
|
|
||||||
- 01-system-install-packages
|
|
||||||
- 11-create-cronjob
|
|
||||||
|
|
||||||
- name: System preperation
|
- name: System preperation
|
||||||
hosts: vpn-offloader
|
hosts: vpn-offloader
|
||||||
roles:
|
roles:
|
||||||
# - 20-install-openvpn
|
|
||||||
- 21-install-wireguard
|
- 21-install-wireguard
|
||||||
- 21-install-oitc
|
|
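Review bot: The new usage comment `# ansible-playbook -i hosts.yml update_wg.yml -e vault.yml --ask-vault-password` will not load the vault file: `-e` takes `key=value` pairs or a file reference prefixed with `@`, so a bare `vault.yml` is parsed as a variable string and the play runs without the vaulted variables. It should read `-e @vault.yml`. The play name `System preperation` that survives the edit is also a typo for `preparation`, though it is unchanged by this commit.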