IPv6 config

This commit is contained in:
Stefan Hoffmann 2023-03-02 20:25:22 +01:00
parent 7fb1fe969f
commit b818b32d66
7 changed files with 84 additions and 23 deletions

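--- /dev/null
+++ b/definition.md
@@ -0,0 +1,31 @@
+# Network
+## IP Spaces
+### From FFRL
+External IPv4:
+- troisdorf4: 185.66.193.104
+- troisdorf5: 185.66.193.105
+- troisdorf6: 185.66.193.106
+- troisdorf7: 185.66.193.107
+IPv6 Prefix: 2a03:2260:121::/48
+### Internal and Segmentation:
+#### IPv4:
+Wir unterscheiden zwischen Gluon Netzen und VPN-Offloader Netzen
+Die Gluon Netze sind im bereich 10.188.0.0/16
+Die VPN Offloader Netze im Bereich 10.0.0.0/8
+#### IPv6:
+FFRL 2a03:2260:121::/48 (/51)
+GRE-Router: /52 (16x) (8x /55)
+Supernodes / VPN Server 8x (8x /58)
+Router (64x /64)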


@ -1,21 +1,21 @@
### ###
### Ansible ### Ansible
### ###
ansible_host: 185.66.193.107 ansible_host: 5.9.220.114
ansible_port: 2222 ansible_port: 22
ansible_ssh_user: root ansible_ssh_user: root
ansible_python_interpreter: /usr/bin/python3 ansible_python_interpreter: /usr/bin/python3
### ###
### Vars ### Vars
### ###
internal_network: "10.255.1.0/24" internal_network: "10.255.0.0/16"
### ###
### Wireguard ### Wireguard
### ###
ipv6_network: 2a03:2260:121:600::/58
wireguard_address: "10.255.1.1/24, fd80:3ea2:e399:203a::1/64" wireguard_address: "10.255.1.1/24, 2a03:2260:121:602::2/64"
wireguard_port: 42001 wireguard_port: 42001
wireguard_unmanaged_peers: wireguard_unmanaged_peers:
@ -37,5 +37,5 @@ wireguard_unmanaged_peers:
persistent_keepalive: 25 persistent_keepalive: 25
vpn5-stefan: vpn5-stefan:
public_key: UHaYitx18sO71Ssk2SVUgdjLaAILbCthCmosU+Fs5Es= public_key: UHaYitx18sO71Ssk2SVUgdjLaAILbCthCmosU+Fs5Es=
allowed_ips: 10.255.1.6/32, 10.5.0.0/16, fd80:3ea2:e399:203a::6/128 allowed_ips: 10.255.1.6/32, 10.5.0.0/16, 2a03:2260:121:601::/64
persistent_keepalive: 25 persistent_keepalive: 25
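Review bot: `ipv6_network` at the top of the Wireguard block is added without any comment on what consumes it, and it is the only address value in this file left unquoted while `internal_network` and `wireguard_address` are quoted. Elsewhere in this commit the same variable becomes the proxied prefix in ndppd.conf.j2, so a one-line comment would help: `# Delegated IPv6 prefix for this node; ndppd answers NDP for this whole range on the upstream interface`, and for consistency `ipv6_network: "2a03:2260:121:600::/58"`. The peer's `allowed_ips` entry `2a03:2260:121:601::/64` and the new `wireguard_address` `2a03:2260:121:602::2/64` both lie inside that /58, which looks intended; if the /58 is later changed, all three values have to move together, which is another reason to document the relationship next to the variable.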


@ -24,7 +24,7 @@
- name: "Create user accounts and add users to groups" - name: "Create user accounts and add users to groups"
user: user:
name: "{{ item }}" name: "{{ item }}"
groups: wheel groups: sudo
with_items: "{{ users }}" with_items: "{{ users }}"
- name: "Add authorized keys" - name: "Add authorized keys"
@ -60,5 +60,21 @@
- iw - iw
- speedtest-cli - speedtest-cli
- telnet - telnet
- libndp0
- libndp-tools
- ndppd
- iptables-persistent
state: latest state: latest
update_cache: yes update_cache: yes
#
# Copy ndppd Config
#
- name: Generate NDPPD Config
ansible.builtin.template:
src: ndppd.conf.j2
dest: /etc/ndppd.conf
owner: root
group: root
mode: 755
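Review bot: `mode: 755` in the new Generate NDPPD Config task is a bare integer, which Ansible reads as decimal 755 rather than octal, so /etc/ndppd.conf ends up with an unintended permission set; it should be quoted, and a config file does not need execute bits anyway: `mode: "0644"`. The task only writes the file; nothing visible restarts or reloads ndppd when the rendered template changes, so a `notify` to a restart handler looks missing (any handlers file would be outside this hunk). The divider comment above it says `# Copy ndppd Config` while the task renders a template; `# Render ndppd config from ndppd.conf.j2` would describe it accurately.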


@ -0,0 +1,5 @@
proxy ens19 {
rule {{ ipv6_network }} {
static
}
}
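Review bot: The interface name `ens19` is hard-coded here and repeated in the `net.ipv6.conf.ens19.proxy_ndp` sysctl task added in this commit, so a host with a different upstream interface needs edits in two places; a host variable used in both spots (a constructed example: `{{ ipv6_proxy_iface }}`, defined next to `ipv6_network`) would keep them in sync. A `static` rule makes ndppd answer neighbor solicitations for every address in `{{ ipv6_network }}` on that interface without checking whether the address is live, which is fine only when the entire prefix is meant to be routed to this node; a short comment line in the template stating that assumption would help the next reader. `{{ ipv6_network }}` also expands to an empty string when the variable is unset, yielding an invalid `rule  {` line, so `{{ ipv6_network | mandatory }}` would fail the render instead of writing a broken config.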


@ -24,3 +24,22 @@
sysctl_set: true sysctl_set: true
state: present state: present
reload: true reload: true
- ansible.posix.sysctl:
name: net.ipv6.conf.ens19.proxy_ndp
value: '1'
sysctl_set: true
state: present
reload: true
- name: saveip6tables
shell: ip6tables-save > /etc/iptables/rules.v6
- name: saveip4tables
shell: iptables-save > /etc/iptables/rules.v4
- name: Create Routing Table 42
ansible.builtin.lineinfile:
path: /etc/iproute2/rt_tables
line: 42 ffrl
create: yes
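Review bot: The two new `shell` tasks `saveip6tables` and `saveip4tables` rewrite /etc/iptables/rules.v* on every run and therefore always report changed, and they snapshot whatever the live ruleset happens to be at that moment; adding `changed_when: false`, or moving them to handlers notified by the tasks that actually change rules, would make the play idempotent and make the persistence step deliberate. The new `ansible.posix.sysctl` task for `net.ipv6.conf.ens19.proxy_ndp` has no `name:` unlike the three tasks below it; `- name: Enable NDP proxying on ens19` would make the play output readable. `create: yes` in the lineinfile task should be `create: true` for consistent booleans, and `line: 42 ffrl` is worth quoting as `line: "42 ffrl"` so the value is visibly a string.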


@ -8,6 +8,8 @@ Address = {{ wireguard_address }}
PrivateKey = {{ wireguard_private_key }} PrivateKey = {{ wireguard_private_key }}
ListenPort = {{ wireguard_port }} ListenPort = {{ wireguard_port }}
PostUp = ip rule add fwmark 0x4 table 42 && iptables -t mangle -A PREROUTING -s 10.255.0.0/16 ! -d 10.0.0.0/8 -j MARK --set-mark 4
{% if wireguard_unmanaged_peers is defined %} {% if wireguard_unmanaged_peers is defined %}
# Peers not managed by Ansible from "wireguard_unmanaged_peers" variable # Peers not managed by Ansible from "wireguard_unmanaged_peers" variable
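Review bot: The new `PostUp` line adds an `ip rule` and appends a mangle rule, but there is no matching `PostDown`, so every restart of the interface leaves a duplicate fwmark rule and a duplicate `MARK` entry in PREROUTING; pair it with `PostDown = ip rule del fwmark 0x4 table 42; iptables -t mangle -D PREROUTING -s 10.255.0.0/16 ! -d 10.0.0.0/8 -j MARK --set-mark 4`. The source network `10.255.0.0/16` is hard-coded although the host_vars in this commit define the same value as `internal_network`, so `-s {{ internal_network }}` would keep the two from drifting. Only IPv4 is marked here (`iptables`, no `ip6tables` counterpart), so traffic from the new IPv6 ranges is not policy-routed into table 42; if that is intended, a comment above the line saying so would save the next reader from wondering. The enclosing interface section of the template starts before this hunk.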


@ -1,17 +1,5 @@
# ansible-playbook -i hosts.yml -u root system-setup.yml # ansible-playbook -i hosts.yml update_wg.yml -e vault.yml --ask-vault-password
- name: System preperation
hosts: supernodes
roles:
- 00-system-set-hostname
- 00-create-sudo-user
- 00-system-set-network
- 00-system-set-bird
- 01-system-install-packages
- 11-create-cronjob
- name: System preperation - name: System preperation
hosts: vpn-offloader hosts: vpn-offloader
roles: roles:
# - 20-install-openvpn
- 21-install-wireguard - 21-install-wireguard
- 21-install-oitc
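Review bot: The updated usage comment says `-e vault.yml`, but ansible-playbook only reads a file through `--extra-vars` when the argument is prefixed with `@`; as written the token is treated as a literal extra-vars string rather than loaded. The line should read `# ansible-playbook -i hosts.yml update_wg.yml -e @vault.yml --ask-vault-password`. The retained play name `System preperation` no longer describes what is left (only the VPN-offloader WireGuard role) and carries a typo, but that line is unchanged context in this hunk.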