From e3164e5665e937acbeeb57ae604235a47917ce93 Mon Sep 17 00:00:00 2001
From: Stefan
Date: Fri, 24 Mar 2023 19:34:41 +0100
Subject: [PATCH] Running Config with MTU Setup
---
 .gitignore | 2 +-
 edgerouter_configs/edge1.md | 14 ++++++++------
 er-test.yml | 2 +-
 host_vars/{edge1.yml => edge1/vars.yml} | 4 +---
 host_vars/edge1/vault.yml | 12 ++++++++++++
 host_vars/vpn01/vars.yml | 5 ++---
 host_vars/vpn02.yml | 15 +++++++++++++++
 hosts.yml | 5 ++++-
 roles/01-vpn-offloader-setup/tasks/main.yml | 12 ++++++------
 .../templates/edgerouter.conf.j2 | 12 +++++++-----
 roles/21-install-wireguard/templates/wg.conf.j2 | 3 ++-
 system-setup.yml | 9 +++++++--
 12 files changed, 66 insertions(+), 29 deletions(-)
 rename host_vars/{edge1.yml => edge1/vars.yml} (83%)
 create mode 100644 host_vars/edge1/vault.yml
 create mode 100644 host_vars/vpn02.yml
diff --git a/.gitignore b/.gitignore
index 6d23cea..93379c6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 .DS_Store
-/edgerouter_configs
\ No newline at end of file
+edgerouter_configs
diff --git a/edgerouter_configs/edge1.md b/edgerouter_configs/edge1.md
index 2a7c6c3..03535e0 100755
--- a/edgerouter_configs/edge1.md
+++ b/edgerouter_configs/edge1.md
@@ -35,9 +35,9 @@ set firewall name WAN_LOCAL rule 20 description WireGuard
 set firewall name WAN_LOCAL rule 20 destination port 51821
 set firewall name WAN_LOCAL rule 20 protocol udp
 set firewall options mss-clamp interface-type all
-set firewall options mss-clamp mss 1350
+set firewall options mss-clamp mss 1340
 set firewall options mss-clamp6 interface-type all
-set firewall options mss-clamp6 mss 1350
+set firewall options mss-clamp6 mss 1340
 set firewall receive-redirects disable
 set firewall send-redirects enable
 set firewall source-validation disable
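Review bot: Dropping the leading slash from the ignore pattern does not stop `edgerouter_configs/edge1.md` from being versioned, because the file is already tracked (this same commit modifies it) and an ignore rule only affects untracked paths. If the exported running config is meant to stay out of the repository, the pattern change needs to be paired with `git rm --cached edgerouter_configs/edge1.md`; otherwise the widened pattern only changes which future, still-untracked files are hidden.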
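Review bot: `set firewall options mss-clamp6 mss 1340` still does not fit through wg0 once its MTU becomes 1380 later in this file: an IPv6 header plus a TCP header is 60 bytes, so the IPv6 clamp should be at most 1320, whereas 1340 is exactly right for IPv4 (40 bytes of headers). Unless path-MTU discovery across the tunnel is known to work, `set firewall options mss-clamp6 mss 1320` avoids oversized segments being dropped silently. The same pair of values is set in the roles/01-vpn-router-config/templates/edgerouter.conf.j2 hunk for lines 35-43 and should be changed there as well.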
@@ -67,7 +67,7 @@ set interfaces switch switch0 firewall in ipv6-modify LAN_to_VPN_V6
 set interfaces switch switch0 firewall in modify LAN_to_VPN
 set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1
 set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64
-set interfaces switch switch0 ipv6 router-advert link-mtu 0
+set interfaces switch switch0 ipv6 router-advert link-mtu 1328
 set interfaces switch switch0 ipv6 router-advert managed-flag true
 set interfaces switch switch0 ipv6 router-advert max-interval 600
 set interfaces switch switch0 ipv6 router-advert name-server '2606:4700:4700::1111'
@@ -85,8 +85,9 @@ set interfaces switch switch0 switch-port interface eth3
 set interfaces switch switch0 switch-port interface eth4
 set interfaces switch switch0 switch-port vlan-aware disable
 set interfaces wireguard wg0 address 10.255.1.2/24
+set interfaces wireguard wg0 address 2a03:2260:121:600::1/64
 set interfaces wireguard wg0 listen-port 51822
-set interfaces wireguard wg0 mtu 1355
+set interfaces wireguard wg0 mtu 1380
 set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0
 set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips '::0/0'
 set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 'vpn01.fftdf.de:42001'
@@ -94,8 +95,8 @@ set interfaces wireguard wg0 private-key /config/auth/wg.key
 set interfaces wireguard wg0 route-allowed-ips false
 set protocols static interface-route6 '::/0' next-hop-interface wg0
 set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
-set protocols static table 2 route6 '::0/0' next-hop '2a03:2260:121:602::2'
-set protocols static table 2 route6 '::/0' next-hop '2a03:2260:121:602::2'
+set protocols static table 2 interface-route6 '::/0' next-hop-interface wg0
+set protocols static interface-route6 '::/0' next-hop-interface wg0
 set service dhcp-server disabled false
 set service dhcp-server hostfile-update disable
 set service dhcp-server shared-network-name LAN authoritative enable
@@ -117,5 +118,6 @@ set service nat rule 5010 type masquerade
 set service ssh port 22
 set service ssh protocol-version v2
 set service unms
+set service unms connection 'wss://unifi.freifunk-troisdorf.de:443+Jo_M9kbCiIXmkICVA15YT0fdMVHQPQw0qGSHnwuj_XUAAAAA+allowUntrustedCertificate'
 set system host-name edge1
 set system time-zone UTC
\ No newline at end of file
diff --git a/er-test.yml b/er-test.yml
index 05f9ff9..f49383b 100644
--- a/er-test.yml
+++ b/er-test.yml
@@ -1,4 +1,4 @@
-# ansible-playbook -i hosts.yml er-test.yml
+# ansible-playbook -i hosts.yml er-test.yml --ask-vault-password
 - name: System preperation
   hosts: edge_router
   roles:
diff --git a/host_vars/edge1.yml b/host_vars/edge1/vars.yml
similarity index 83%
rename from host_vars/edge1.yml
rename to host_vars/edge1/vars.yml
index 56e2c82..565bfed 100644
--- a/host_vars/edge1.yml
+++ b/host_vars/edge1/vars.yml
@@ -8,6 +8,4 @@ ipv6_network: 2a03:2260:121:603::/64
 ipv6_address: 2a03:2260:121:603::1/64
 wireguard_address: 10.255.1.2/24
 wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s=
-wiregurad_v4: 10.255.1.1
-wireguard_v6: 2a03:2260:121:602::2
-
+wiregurad_v4: 10.255.1.1
\ No newline at end of file
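Review bot: The added `set protocols static interface-route6 '::/0' next-hop-interface wg0` is an exact duplicate of the context line three lines above it on the new side, so the main-table default IPv6 route is declared twice while only the table-2 route was actually missing. A repeated `set` of the same path should be a no-op when the file is loaded, but the duplicate obscures what the change fixed; keep only `set protocols static table 2 interface-route6 '::/0' next-hop-interface wg0` as the added line. The same duplicate was pasted into the roles/01-vpn-router-config/templates/edgerouter.conf.j2 hunk for lines 94-102.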
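Review bot: The new `set service unms connection` line commits the UNMS connection string, including the key embedded after the `+`, in cleartext, while the edgerouter.conf.j2 hunk in this same commit deliberately moves that value into the vaulted `unms_vault_URL`; checking in the exported running config undoes the vaulting, and the key is now in git history regardless of later edits. The value also carries `allowUntrustedCertificate`, which by its name skips certificate validation for the controller websocket, so the key would be presented over a TLS session whose peer is not verified. Redact the connection line in the exported file (or stop tracking the export), treat the key as disclosed and rotate it on the controller, and keep `allowUntrustedCertificate` only if the controller certificate genuinely cannot be validated from the device.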
diff --git a/host_vars/edge1/vault.yml b/host_vars/edge1/vault.yml
new file mode 100644
index 0000000..f4d44e6
--- /dev/null
+++ b/host_vars/edge1/vault.yml
@@ -0,0 +1,12 @@
+$ANSIBLE_VAULT;1.1;AES256
+63373161393033633933653763653661626365376332306438326363333263656366623837333061
+3665663736393837663634653439356465356234613933320a613530656335326538326262376163
+36336139633033326430663362633839653831326362326439303634376666623862663037636533
+3031306666356637370a396164386339653630343366393163623136333166643162393663323931
+65376261356666313034633237323531363733343061396166343333666538313232616265303933
+32303633343666346134666332626635396132313932623535383538326639316465633432343239
+32353563643565393034653933356235663434376131366565636634376332353738363730626162
+31353236303764663236346437613031623634663762653664383534613738353363346563313063
+66363430306533666263356365383365303564303565316462306664356236316430653065613036
+30386238616564326132303262623664313935376332373037343664666138303932316330336238
+363762633930393837363662343133666363
diff --git a/host_vars/vpn01/vars.yml b/host_vars/vpn01/vars.yml
index 23abd4b..2a6a0d6 100644
--- a/host_vars/vpn01/vars.yml
+++ b/host_vars/vpn01/vars.yml
@@ -17,16 +17,15 @@ core_router: 172.16.7.1
 ###
 ### Wireguard
 ###
 ipv6_network: 2a03:2260:121:600::/58
-wireguard_address: "10.255.1.1/24, 2a03:2260:121:602::2/64"
+wireguard_address: "10.255.1.1/24, fd80:3ea2:e399:203a::1/64"
 wireguard_port: 42001
 wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s=
 wiregurad_v4: 10.255.1.1
-wireguard_v6: 2a03:2260:121:602::2
 wireguard_unmanaged_peers:
   vpn1-testing:
     public_key: eoC9nkNTO+aWn1rkMPGguzeBAwBvK8Ob5N52MGoHEBA=
-    allowed_ips: 10.255.1.2/32, 10.1.0.0/16, fd80:3ea2:e399:203a::2/128
+    allowed_ips: 10.255.1.2/32, 10.1.0.0/16, fd80:3ea2:e399:203a::2/128, 2a03:2260:121:600::/58
     persistent_keepalive: 25
   vpn2-lindenstr-h07:
     public_key: VglVuinIYJOE3UNZxhFRCHwD7WtiVg83u/cp3modw0k=
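Review bot: Appending `2a03:2260:121:600::/58` to the `allowed_ips` of the `vpn1-testing` peer hands the whole /58 to that single peer, since WireGuard uses allowed-ips as its per-peer routing table; the edge1 vars renamed in this commit only claim `2a03:2260:121:603::/64`, and the edgerouter template now puts `2a03:2260:121:600::1/64` on wg0. If further edge routers are to be numbered out of the same /58 (the file declares it as vpn01's `ipv6_network`), each of their prefixes would need a more specific allowed-ips entry on its own peer or it becomes unreachable from vpn01. Listing only the prefixes this peer really owns, e.g. `allowed_ips: 10.255.1.2/32, 10.1.0.0/16, fd80:3ea2:e399:203a::2/128, 2a03:2260:121:600::/64, 2a03:2260:121:603::/64`, keeps the later additions from overlapping.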
diff --git a/host_vars/vpn02.yml b/host_vars/vpn02.yml
new file mode 100644
index 0000000..e9eafd7
--- /dev/null
+++ b/host_vars/vpn02.yml
@@ -0,0 +1,15 @@
+###
+### Ansible
+###
+ansible_host: 5.9.220.115
+ansible_port: 22
+ansible_ssh_user: root
+ansible_python_interpreter: /usr/bin/python3
+
+###
+### Vars Freifunk
+###
+internal_network: "10.255.0.0/16"
+freifunk_internal_ip: 172.16.7.11/24
+core_router: 172.16.7.1
+ipv6_network: 2a03:2260:121:640::/58
\ No newline at end of file
diff --git a/hosts.yml b/hosts.yml
index 48bb710..10ef330 100644
--- a/hosts.yml
+++ b/hosts.yml
@@ -12,9 +12,12 @@ all:
         core4:
     supernodes:
       children:
-        vpn-offloader:
+        vpn-offloader-wireguard:
           hosts:
             vpn01:
+        vpn-offloader-openvpn:
+          hosts:
+            vpn02:
     edge_router:
       hosts:
         edge1:
diff --git a/roles/01-vpn-offloader-setup/tasks/main.yml b/roles/01-vpn-offloader-setup/tasks/main.yml
index d798d10..c9bfac4 100644
--- a/roles/01-vpn-offloader-setup/tasks/main.yml
+++ b/roles/01-vpn-offloader-setup/tasks/main.yml
@@ -32,12 +32,6 @@
     state: present
     reload: true
-- name: saveip6tables
-  ansible.builtin.shell: ip6tables-save > /etc/iptables/rules.v6
-
-- name: saveip4tables
-  ansible.builtin.shell: iptables-save > /etc/iptables/rules.v4
-
 - name: Create Routing Table 42
   ansible.builtin.lineinfile:
     path: /etc/iproute2/rt_tables
@@ -70,5 +64,11 @@
     group: root
     mode: 755
+- name: saveip6tables
+  ansible.builtin.shell: ip6tables-save > /etc/iptables/rules.v6
+
+- name: saveip4tables
+  ansible.builtin.shell: iptables-save > /etc/iptables/rules.v4
+
 - name: Apply Netplan
   ansible.builtin.shell: netplan apply
\ No newline at end of file
diff --git a/roles/01-vpn-router-config/templates/edgerouter.conf.j2 b/roles/01-vpn-router-config/templates/edgerouter.conf.j2
index 4e3f882..03d1565 100644
--- a/roles/01-vpn-router-config/templates/edgerouter.conf.j2
+++ b/roles/01-vpn-router-config/templates/edgerouter.conf.j2
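Review bot: `ansible_ssh_user: root` uses the legacy connection variable name; the current name is `ansible_user`, and the newer offloader should not start out on the deprecated spelling. Managing the host as root directly also means every play runs with full privileges from the first SSH hop; a dedicated unprivileged user plus `become` on the tasks that need it keeps the blast radius of a leaked inventory credential smaller. Both points apply verbatim to vpn01 if its vars carry the same block, which is outside this hunk.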
@@ -35,9 +35,9 @@ set firewall name WAN_LOCAL rule 20 description WireGuard
 set firewall name WAN_LOCAL rule 20 destination port 51821
 set firewall name WAN_LOCAL rule 20 protocol udp
 set firewall options mss-clamp interface-type all
-set firewall options mss-clamp mss 1328
+set firewall options mss-clamp mss 1340
 set firewall options mss-clamp6 interface-type all
-set firewall options mss-clamp6 mss 1328
+set firewall options mss-clamp6 mss 1340
 set firewall receive-redirects disable
 set firewall send-redirects enable
 set firewall source-validation disable
@@ -85,8 +85,9 @@ set interfaces switch switch0 switch-port interface eth3
 set interfaces switch switch0 switch-port interface eth4
 set interfaces switch switch0 switch-port vlan-aware disable
 set interfaces wireguard wg0 address {{ wireguard_address }}
+set interfaces wireguard wg0 address 2a03:2260:121:600::1/64
 set interfaces wireguard wg0 listen-port 51822
-set interfaces wireguard wg0 mtu 1328
+set interfaces wireguard wg0 mtu 1380
 set interfaces wireguard wg0 peer {{ wireguard_public }} allowed-ips 0.0.0.0/0
 set interfaces wireguard wg0 peer {{ wireguard_public }} allowed-ips '::0/0'
 set interfaces wireguard wg0 peer {{ wireguard_public }} endpoint 'vpn01.fftdf.de:42001'
@@ -94,8 +95,8 @@ set interfaces wireguard wg0 private-key /config/auth/wg.key
 set interfaces wireguard wg0 route-allowed-ips false
 set protocols static interface-route6 '::/0' next-hop-interface wg0
 set protocols static table 2 route 0.0.0.0/0 next-hop {{ wiregurad_v4 }}
-set protocols static table 2 route6 '::0/0' next-hop '{{ wireguard_v6 }}'
-set protocols static table 2 route6 '::/0' next-hop '{{ wireguard_v6 }}'
+set protocols static table 2 interface-route6 '::/0' next-hop-interface wg0
+set protocols static interface-route6 '::/0' next-hop-interface wg0
 set service dhcp-server disabled false
 set service dhcp-server hostfile-update disable
 set service dhcp-server shared-network-name LAN authoritative enable
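Review bot: `set interfaces wireguard wg0 address 2a03:2260:121:600::1/64` is a literal in a template that otherwise takes the wg0 address, peer key and host name from host_vars, so every edge router rendered from it would get the same IPv6 address on its tunnel and vpn01's allowed-ips could not tell them apart. Move the value next to `wireguard_address` in host_vars under a per-host variable (a constructed name such as `wireguard_address6`) and render `set interfaces wireguard wg0 address {{ wireguard_address6 }}`. The hard-coded `endpoint 'vpn01.fftdf.de:42001'` in the context lines has the same limitation now that hosts.yml gains a second offloader.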
@@ -117,5 +118,6 @@ set service nat rule 5010 type masquerade
 set service ssh port 22
 set service ssh protocol-version v2
 set service unms
+set service unms connection '{{ unms_vault_URL }}'
 set system host-name {{ inventory_hostname }}
 set system time-zone UTC
\ No newline at end of file
diff --git a/roles/21-install-wireguard/templates/wg.conf.j2 b/roles/21-install-wireguard/templates/wg.conf.j2
index 1661f01..6cfcd5c 100644
--- a/roles/21-install-wireguard/templates/wg.conf.j2
+++ b/roles/21-install-wireguard/templates/wg.conf.j2
@@ -7,9 +7,10 @@ Address = {{ wireguard_address }}
 PrivateKey = {{ wireguard_private_key }}
 ListenPort = {{ wireguard_port }}
-MTU = 1355
+MTU = 1380
 PostUp = ip rule add fwmark 0x4 table 42 && iptables -t mangle -A PREROUTING -s 10.255.0.0/16 ! -d 10.0.0.0/8 -j MARK --set-mark 4 && ip route add default via 172.16.7.1 table 42
+PostDown = ip route del default via 172.16.7.1 table 42
 {% if wireguard_unmanaged_peers is defined %}
diff --git a/system-setup.yml b/system-setup.yml
index a92cdd8..4b5a974 100644
--- a/system-setup.yml
+++ b/system-setup.yml
@@ -5,7 +5,12 @@
     - 00-ubuntu-basic
 - name: VPN Offloader Setup
-  hosts: vpn-offloader
+  hosts: vpn-offloader-wireguard
   roles:
     - 01-vpn-offloader-setup
-    - 21-install-wireguard
\ No newline at end of file
+    - 21-install-wireguard
+
+- name: VPN Offloader Setup
+  hosts: vpn-offloader-openvpn
+  roles:
+    - 01-vpn-offloader-setup
\ No newline at end of file
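Review bot: The new `PostDown` only removes the table-42 default route, while the `PostUp` on the line above also installs the `fwmark 0x4` policy rule and appends a mangle MARK rule with `iptables -A`; neither command is idempotent, so every down/up cycle leaves the policy rule behind and stacks another identical MARK rule. Mirror the whole PostUp, e.g. `PostDown = ip route del default via 172.16.7.1 table 42; iptables -t mangle -D PREROUTING -s 10.255.0.0/16 ! -d 10.0.0.0/8 -j MARK --set-mark 4; ip rule del fwmark 0x4 table 42`, joining with `;` rather than `&&` so one already-missing entry does not abort the rest of the cleanup. Since `core_router: 172.16.7.1` and `internal_network` are already host_vars (visible in the vpn02.yml hunk), the literal 172.16.7.1 and 10.255.0.0/16 in both lines could be rendered from those variables instead of being duplicated in the template.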
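Review bot: Both plays are now called `VPN Offloader Setup`, so the playbook output no longer shows which host group a play is acting on. Naming the second one `- name: VPN Offloader Setup (OpenVPN)` and the first `- name: VPN Offloader Setup (WireGuard)` keeps the run log unambiguous.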