IPv6 config

definition.md

@@ -0,0 +1,31 @@
+# Network
+## IP Spaces
+
+### From FFRL
+
+External IPv4:
+- troisdorf4: 185.66.193.104
+- troisdorf5: 185.66.193.105
+- troisdorf6: 185.66.193.106
+- troisdorf7: 185.66.193.107
+
+IPv6 Prefix: 2a03:2260:121::/48
+
+### Internal and Segmentation:
+
+#### IPv4:
+Wir unterscheiden zwischen Gluon Netzen und VPN-Offloader Netzen
+
+Die Gluon Netze sind im bereich 10.188.0.0/16
+
+Die VPN Offloader Netze im Bereich 10.0.0.0/8
+
+#### IPv6:
+
+FFRL    2a03:2260:121::/48      (/51)
+
+GRE-Router: /52 (16x)           (8x /55)
+
+Supernodes / VPN Server 8x      (8x /58)
+
+Router                           (64x /64)

host_vars/troisdorf7/vars.yml

@@ -1,21 +1,21 @@
 ###
 ### Ansible
 ###
-ansible_host: 185.66.193.107
-ansible_port: 2222
+ansible_host: 5.9.220.114
+ansible_port: 22
 ansible_ssh_user: root
 ansible_python_interpreter: /usr/bin/python3
 
 ###
 ### Vars
 ###
-internal_network: "10.255.1.0/24"
+internal_network: "10.255.0.0/16"
 
 ###
 ### Wireguard
 ###
-
-wireguard_address: "10.255.1.1/24, fd80:3ea2:e399:203a::1/64"
+ipv6_network: 2a03:2260:121:600::/58
+wireguard_address: "10.255.1.1/24, 2a03:2260:121:602::2/64"
 wireguard_port: 42001
 
 wireguard_unmanaged_peers:
@@ -37,5 +37,5 @@ wireguard_unmanaged_peers:
     persistent_keepalive: 25
   vpn5-stefan:
     public_key: UHaYitx18sO71Ssk2SVUgdjLaAILbCthCmosU+Fs5Es=
-    allowed_ips: 10.255.1.6/32, 10.5.0.0/16, fd80:3ea2:e399:203a::6/128
+    allowed_ips: 10.255.1.6/32, 10.5.0.0/16, 2a03:2260:121:601::/64
     persistent_keepalive: 25

roles/00-ubuntu-basic/tasks/main.yml

@@ -24,7 +24,7 @@
 - name: "Create user accounts and add users to groups"
   user:
     name: "{{ item }}"
-    groups: wheel
+    groups: sudo
   with_items: "{{ users }}"
 
 - name: "Add authorized keys"
@@ -60,5 +60,21 @@
       - iw
       - speedtest-cli
       - telnet
+      - libndp0
+      - libndp-tools
+      - ndppd
+      - iptables-persistent
     state: latest
     update_cache: yes
+
+#
+# Copy ndppd Config
+#
+
+- name: Generate NDPPD Config
+  ansible.builtin.template:
+    src: ndppd.conf.j2
+    dest: /etc/ndppd.conf
+    owner: root
+    group: root
+    mode: 755

roles/00-ubuntu-basic/templates/ndppd.conf.j2

@@ -0,0 +1,5 @@
+proxy ens19 {
+   rule {{ ipv6_network }} {
+      static
+   }
+}

roles/01-vpn-offloader-setup/tasks/main.yml

@@ -24,3 +24,22 @@
     sysctl_set: true
     state: present
     reload: true
+
+- ansible.posix.sysctl:
+    name: net.ipv6.conf.ens19.proxy_ndp
+    value: '1'
+    sysctl_set: true
+    state: present
+    reload: true
+
+- name: saveip6tables
+  shell: ip6tables-save > /etc/iptables/rules.v6
+
+- name: saveip4tables
+  shell: iptables-save > /etc/iptables/rules.v4
+
+- name: Create Routing Table 42
+  ansible.builtin.lineinfile:
+    path: /etc/iproute2/rt_tables
+    line: 42 ffrl
+    create: yes

roles/21-install-wireguard/templates/wg.conf.j2

@@ -8,6 +8,8 @@ Address = {{ wireguard_address }}
 PrivateKey = {{ wireguard_private_key }}
 ListenPort = {{ wireguard_port }}
 
+PostUp = ip rule add fwmark 0x4 table 42 && iptables -t mangle -A PREROUTING -s 10.255.0.0/16 ! -d 10.0.0.0/8 -j MARK --set-mark 4
+
 
 {% if wireguard_unmanaged_peers is defined %}
 # Peers not managed by Ansible from "wireguard_unmanaged_peers" variable

update_wg.yml

@@ -1,17 +1,5 @@
-# ansible-playbook -i hosts.yml -u root system-setup.yml   
-- name: System preperation
-  hosts: supernodes
-  roles:
-    - 00-system-set-hostname
-    - 00-create-sudo-user
-    - 00-system-set-network
-    - 00-system-set-bird
-    - 01-system-install-packages
-    - 11-create-cronjob
-
+# ansible-playbook -i hosts.yml update_wg.yml -e vault.yml --ask-vault-password
 - name: System preperation
   hosts: vpn-offloader
   roles:
-#    - 20-install-openvpn
      - 21-install-wireguard
-     - 21-install-oitc