Running Config with MTU Setup
This commit is contained in:
parent
8fa6933c15
commit
e3164e5665
2
.gitignore
vendored
2
.gitignore
vendored
@ -1,2 +1,2 @@
|
|||||||
.DS_Store
|
.DS_Store
|
||||||
/edgerouter_configs
|
edgerouter_configs
|
||||||
|
@ -35,9 +35,9 @@ set firewall name WAN_LOCAL rule 20 description WireGuard
|
|||||||
set firewall name WAN_LOCAL rule 20 destination port 51821
|
set firewall name WAN_LOCAL rule 20 destination port 51821
|
||||||
set firewall name WAN_LOCAL rule 20 protocol udp
|
set firewall name WAN_LOCAL rule 20 protocol udp
|
||||||
set firewall options mss-clamp interface-type all
|
set firewall options mss-clamp interface-type all
|
||||||
set firewall options mss-clamp mss 1350
|
set firewall options mss-clamp mss 1340
|
||||||
set firewall options mss-clamp6 interface-type all
|
set firewall options mss-clamp6 interface-type all
|
||||||
set firewall options mss-clamp6 mss 1350
|
set firewall options mss-clamp6 mss 1340
|
||||||
set firewall receive-redirects disable
|
set firewall receive-redirects disable
|
||||||
set firewall send-redirects enable
|
set firewall send-redirects enable
|
||||||
set firewall source-validation disable
|
set firewall source-validation disable
|
||||||
@ -67,7 +67,7 @@ set interfaces switch switch0 firewall in ipv6-modify LAN_to_VPN_V6
|
|||||||
set interfaces switch switch0 firewall in modify LAN_to_VPN
|
set interfaces switch switch0 firewall in modify LAN_to_VPN
|
||||||
set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1
|
set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1
|
||||||
set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64
|
set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64
|
||||||
set interfaces switch switch0 ipv6 router-advert link-mtu 0
|
set interfaces switch switch0 ipv6 router-advert link-mtu 1328
|
||||||
set interfaces switch switch0 ipv6 router-advert managed-flag true
|
set interfaces switch switch0 ipv6 router-advert managed-flag true
|
||||||
set interfaces switch switch0 ipv6 router-advert max-interval 600
|
set interfaces switch switch0 ipv6 router-advert max-interval 600
|
||||||
set interfaces switch switch0 ipv6 router-advert name-server '2606:4700:4700::1111'
|
set interfaces switch switch0 ipv6 router-advert name-server '2606:4700:4700::1111'
|
||||||
@ -85,8 +85,9 @@ set interfaces switch switch0 switch-port interface eth3
|
|||||||
set interfaces switch switch0 switch-port interface eth4
|
set interfaces switch switch0 switch-port interface eth4
|
||||||
set interfaces switch switch0 switch-port vlan-aware disable
|
set interfaces switch switch0 switch-port vlan-aware disable
|
||||||
set interfaces wireguard wg0 address 10.255.1.2/24
|
set interfaces wireguard wg0 address 10.255.1.2/24
|
||||||
|
set interfaces wireguard wg0 address 2a03:2260:121:600::1/64
|
||||||
set interfaces wireguard wg0 listen-port 51822
|
set interfaces wireguard wg0 listen-port 51822
|
||||||
set interfaces wireguard wg0 mtu 1355
|
set interfaces wireguard wg0 mtu 1380
|
||||||
set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0
|
set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0
|
||||||
set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips '::0/0'
|
set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips '::0/0'
|
||||||
set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 'vpn01.fftdf.de:42001'
|
set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 'vpn01.fftdf.de:42001'
|
||||||
@ -94,8 +95,8 @@ set interfaces wireguard wg0 private-key /config/auth/wg.key
|
|||||||
set interfaces wireguard wg0 route-allowed-ips false
|
set interfaces wireguard wg0 route-allowed-ips false
|
||||||
set protocols static interface-route6 '::/0' next-hop-interface wg0
|
set protocols static interface-route6 '::/0' next-hop-interface wg0
|
||||||
set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
|
set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
|
||||||
set protocols static table 2 route6 '::0/0' next-hop '2a03:2260:121:602::2'
|
set protocols static table 2 interface-route6 '::/0' next-hop-interface wg0
|
||||||
set protocols static table 2 route6 '::/0' next-hop '2a03:2260:121:602::2'
|
set protocols static interface-route6 '::/0' next-hop-interface wg0
|
||||||
set service dhcp-server disabled false
|
set service dhcp-server disabled false
|
||||||
set service dhcp-server hostfile-update disable
|
set service dhcp-server hostfile-update disable
|
||||||
set service dhcp-server shared-network-name LAN authoritative enable
|
set service dhcp-server shared-network-name LAN authoritative enable
|
||||||
@ -117,5 +118,6 @@ set service nat rule 5010 type masquerade
|
|||||||
set service ssh port 22
|
set service ssh port 22
|
||||||
set service ssh protocol-version v2
|
set service ssh protocol-version v2
|
||||||
set service unms
|
set service unms
|
||||||
|
set service unms connection 'wss://unifi.freifunk-troisdorf.de:443+Jo_M9kbCiIXmkICVA15YT0fdMVHQPQw0qGSHnwuj_XUAAAAA+allowUntrustedCertificate'
|
||||||
set system host-name edge1
|
set system host-name edge1
|
||||||
set system time-zone UTC
|
set system time-zone UTC
|
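Review bot: The rendered config now commits the full UNMS connection string, including its embedded token, in plaintext in the last hunk (`set service unms connection 'wss://unifi.freifunk-troisdorf.de:443+…'`), while the template version of the same file reads it from `{{ unms_vault_URL }}` and the vault file added in this commit. If this rendered copy is tracked, the vault gains nothing; the token should be treated as exposed and rotated, and the rendered output kept out of the repository (the `.gitignore` change to `edgerouter_configs` in this commit may be meant to do exactly that, so it is worth confirming the file is actually untracked). The string also ends in `+allowUntrustedCertificate`, which turns off certificate validation toward the controller; trusting the controller's certificate explicitly is preferable to disabling the check. The MTU/MSS values changed in the earlier hunks of this section are raised on the template copy of this file further down.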
@ -1,4 +1,4 @@
|
|||||||
# ansible-playbook -i hosts.yml er-test.yml
|
# ansible-playbook -i hosts.yml er-test.yml --ask-vault-password
|
||||||
- name: System preperation
|
- name: System preperation
|
||||||
hosts: edge_router
|
hosts: edge_router
|
||||||
roles:
|
roles:
|
||||||
|
@ -8,6 +8,4 @@ ipv6_network: 2a03:2260:121:603::/64
|
|||||||
ipv6_address: 2a03:2260:121:603::1/64
|
ipv6_address: 2a03:2260:121:603::1/64
|
||||||
wireguard_address: 10.255.1.2/24
|
wireguard_address: 10.255.1.2/24
|
||||||
wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s=
|
wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s=
|
||||||
wiregurad_v4: 10.255.1.1
|
wiregurad_v4: 10.255.1.1
|
||||||
wireguard_v6: 2a03:2260:121:602::2
|
|
||||||
|
|
12
host_vars/edge1/vault.yml
Normal file
12
host_vars/edge1/vault.yml
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
|
63373161393033633933653763653661626365376332306438326363333263656366623837333061
|
||||||
|
3665663736393837663634653439356465356234613933320a613530656335326538326262376163
|
||||||
|
36336139633033326430663362633839653831326362326439303634376666623862663037636533
|
||||||
|
3031306666356637370a396164386339653630343366393163623136333166643162393663323931
|
||||||
|
65376261356666313034633237323531363733343061396166343333666538313232616265303933
|
||||||
|
32303633343666346134666332626635396132313932623535383538326639316465633432343239
|
||||||
|
32353563643565393034653933356235663434376131366565636634376332353738363730626162
|
||||||
|
31353236303764663236346437613031623634663762653664383534613738353363346563313063
|
||||||
|
66363430306533666263356365383365303564303565316462306664356236316430653065613036
|
||||||
|
30386238616564326132303262623664313935376332373037343664666138303932316330336238
|
||||||
|
363762633930393837363662343133666363
|
@ -17,16 +17,15 @@ core_router: 172.16.7.1
|
|||||||
### Wireguard
|
### Wireguard
|
||||||
###
|
###
|
||||||
ipv6_network: 2a03:2260:121:600::/58
|
ipv6_network: 2a03:2260:121:600::/58
|
||||||
wireguard_address: "10.255.1.1/24, 2a03:2260:121:602::2/64"
|
wireguard_address: "10.255.1.1/24, fd80:3ea2:e399:203a::1/64"
|
||||||
wireguard_port: 42001
|
wireguard_port: 42001
|
||||||
wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s=
|
wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s=
|
||||||
wiregurad_v4: 10.255.1.1
|
wiregurad_v4: 10.255.1.1
|
||||||
wireguard_v6: 2a03:2260:121:602::2
|
|
||||||
|
|
||||||
wireguard_unmanaged_peers:
|
wireguard_unmanaged_peers:
|
||||||
vpn1-testing:
|
vpn1-testing:
|
||||||
public_key: eoC9nkNTO+aWn1rkMPGguzeBAwBvK8Ob5N52MGoHEBA=
|
public_key: eoC9nkNTO+aWn1rkMPGguzeBAwBvK8Ob5N52MGoHEBA=
|
||||||
allowed_ips: 10.255.1.2/32, 10.1.0.0/16, fd80:3ea2:e399:203a::2/128
|
allowed_ips: 10.255.1.2/32, 10.1.0.0/16, fd80:3ea2:e399:203a::2/128, 2a03:2260:121:600::/58
|
||||||
persistent_keepalive: 25
|
persistent_keepalive: 25
|
||||||
vpn2-lindenstr-h07:
|
vpn2-lindenstr-h07:
|
||||||
public_key: VglVuinIYJOE3UNZxhFRCHwD7WtiVg83u/cp3modw0k=
|
public_key: VglVuinIYJOE3UNZxhFRCHwD7WtiVg83u/cp3modw0k=
|
||||||
|
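Review bot: The new `allowed_ips` entry for peer `vpn1-testing` adds the whole `2a03:2260:121:600::/58`, which is the same prefix this host's `ipv6_network` declares, so that single peer may now source traffic from every /64 of the delegation through WireGuard's cryptokey routing. If that peer is the edge router, which the rendered config in this commit assigns only `2a03:2260:121:600::1/64` and the `…:603::/64` LAN, narrowing the entry to those prefixes (`2a03:2260:121:600::/64, 2a03:2260:121:603::/64`) keeps the source filter tight; if it is some other peer, the /58 deserves a comment explaining why it needs the full range. The file name is not visible on this page, so which host these vars belong to is inferred from the `core_router` context.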
15
host_vars/vpn02.yml
Normal file
15
host_vars/vpn02.yml
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
###
|
||||||
|
### Ansible
|
||||||
|
###
|
||||||
|
ansible_host: 5.9.220.115
|
||||||
|
ansible_port: 22
|
||||||
|
ansible_ssh_user: root
|
||||||
|
ansible_python_interpreter: /usr/bin/python3
|
||||||
|
|
||||||
|
###
|
||||||
|
### Vars Freifunk
|
||||||
|
###
|
||||||
|
internal_network: "10.255.0.0/16"
|
||||||
|
freifunk_internal_ip: 172.16.7.11/24
|
||||||
|
core_router: 172.16.7.1
|
||||||
|
ipv6_network: 2a03:2260:121:640::/58
|
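Review bot: The new host file connects Ansible directly as root on a public address via `ansible_ssh_user: root`; a dedicated unprivileged user with `become: true` in the play keeps root SSH login disabled on the offloader and gives attributable logs. `ansible_ssh_user` is also the deprecated spelling of the variable — `ansible_user: root` is the current name. The `### Vars Freifunk` block otherwise mirrors the vpn01 host vars, which is fine.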
@ -12,9 +12,12 @@ all:
|
|||||||
core4:
|
core4:
|
||||||
supernodes:
|
supernodes:
|
||||||
children:
|
children:
|
||||||
vpn-offloader:
|
vpn-offloader-wireguard:
|
||||||
hosts:
|
hosts:
|
||||||
vpn01:
|
vpn01:
|
||||||
|
vpn-offloader-openvpn:
|
||||||
|
hosts:
|
||||||
|
vpn02:
|
||||||
edge_router:
|
edge_router:
|
||||||
hosts:
|
hosts:
|
||||||
edge1:
|
edge1:
|
||||||
|
@ -32,12 +32,6 @@
|
|||||||
state: present
|
state: present
|
||||||
reload: true
|
reload: true
|
||||||
|
|
||||||
- name: saveip6tables
|
|
||||||
ansible.builtin.shell: ip6tables-save > /etc/iptables/rules.v6
|
|
||||||
|
|
||||||
- name: saveip4tables
|
|
||||||
ansible.builtin.shell: iptables-save > /etc/iptables/rules.v4
|
|
||||||
|
|
||||||
- name: Create Routing Table 42
|
- name: Create Routing Table 42
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/iproute2/rt_tables
|
path: /etc/iproute2/rt_tables
|
||||||
@ -70,5 +64,11 @@
|
|||||||
group: root
|
group: root
|
||||||
mode: 755
|
mode: 755
|
||||||
|
|
||||||
|
- name: saveip6tables
|
||||||
|
ansible.builtin.shell: ip6tables-save > /etc/iptables/rules.v6
|
||||||
|
|
||||||
|
- name: saveip4tables
|
||||||
|
ansible.builtin.shell: iptables-save > /etc/iptables/rules.v4
|
||||||
|
|
||||||
- name: Apply Netplan
|
- name: Apply Netplan
|
||||||
ansible.builtin.shell: netplan apply
|
ansible.builtin.shell: netplan apply
|
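Review bot: The relocated `saveip6tables`/`saveip4tables` tasks in the second hunk still use `ansible.builtin.shell` with a bare redirect and no `changed_when`, so every run reports changed, and because the shell truncates the target before running the command, a failing `iptables-save` leaves `/etc/iptables/rules.v4` empty. Writing to a temporary file first avoids that: `ansible.builtin.shell: iptables-save > /etc/iptables/rules.v4.tmp && mv /etc/iptables/rules.v4.tmp /etc/iptables/rules.v4` (same for the v6 task). Nearby, the unquoted `mode: 755` in the context lines is parsed as a decimal integer by YAML; `mode: '0755'` is the unambiguous form.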
@ -35,9 +35,9 @@ set firewall name WAN_LOCAL rule 20 description WireGuard
|
|||||||
set firewall name WAN_LOCAL rule 20 destination port 51821
|
set firewall name WAN_LOCAL rule 20 destination port 51821
|
||||||
set firewall name WAN_LOCAL rule 20 protocol udp
|
set firewall name WAN_LOCAL rule 20 protocol udp
|
||||||
set firewall options mss-clamp interface-type all
|
set firewall options mss-clamp interface-type all
|
||||||
set firewall options mss-clamp mss 1328
|
set firewall options mss-clamp mss 1340
|
||||||
set firewall options mss-clamp6 interface-type all
|
set firewall options mss-clamp6 interface-type all
|
||||||
set firewall options mss-clamp6 mss 1328
|
set firewall options mss-clamp6 mss 1340
|
||||||
set firewall receive-redirects disable
|
set firewall receive-redirects disable
|
||||||
set firewall send-redirects enable
|
set firewall send-redirects enable
|
||||||
set firewall source-validation disable
|
set firewall source-validation disable
|
||||||
@ -85,8 +85,9 @@ set interfaces switch switch0 switch-port interface eth3
|
|||||||
set interfaces switch switch0 switch-port interface eth4
|
set interfaces switch switch0 switch-port interface eth4
|
||||||
set interfaces switch switch0 switch-port vlan-aware disable
|
set interfaces switch switch0 switch-port vlan-aware disable
|
||||||
set interfaces wireguard wg0 address {{ wireguard_address }}
|
set interfaces wireguard wg0 address {{ wireguard_address }}
|
||||||
|
set interfaces wireguard wg0 address 2a03:2260:121:600::1/64
|
||||||
set interfaces wireguard wg0 listen-port 51822
|
set interfaces wireguard wg0 listen-port 51822
|
||||||
set interfaces wireguard wg0 mtu 1328
|
set interfaces wireguard wg0 mtu 1380
|
||||||
set interfaces wireguard wg0 peer {{ wireguard_public }} allowed-ips 0.0.0.0/0
|
set interfaces wireguard wg0 peer {{ wireguard_public }} allowed-ips 0.0.0.0/0
|
||||||
set interfaces wireguard wg0 peer {{ wireguard_public }} allowed-ips '::0/0'
|
set interfaces wireguard wg0 peer {{ wireguard_public }} allowed-ips '::0/0'
|
||||||
set interfaces wireguard wg0 peer {{ wireguard_public }} endpoint 'vpn01.fftdf.de:42001'
|
set interfaces wireguard wg0 peer {{ wireguard_public }} endpoint 'vpn01.fftdf.de:42001'
|
||||||
@ -94,8 +95,8 @@ set interfaces wireguard wg0 private-key /config/auth/wg.key
|
|||||||
set interfaces wireguard wg0 route-allowed-ips false
|
set interfaces wireguard wg0 route-allowed-ips false
|
||||||
set protocols static interface-route6 '::/0' next-hop-interface wg0
|
set protocols static interface-route6 '::/0' next-hop-interface wg0
|
||||||
set protocols static table 2 route 0.0.0.0/0 next-hop {{ wiregurad_v4 }}
|
set protocols static table 2 route 0.0.0.0/0 next-hop {{ wiregurad_v4 }}
|
||||||
set protocols static table 2 route6 '::0/0' next-hop '{{ wireguard_v6 }}'
|
set protocols static table 2 interface-route6 '::/0' next-hop-interface wg0
|
||||||
set protocols static table 2 route6 '::/0' next-hop '{{ wireguard_v6 }}'
|
set protocols static interface-route6 '::/0' next-hop-interface wg0
|
||||||
set service dhcp-server disabled false
|
set service dhcp-server disabled false
|
||||||
set service dhcp-server hostfile-update disable
|
set service dhcp-server hostfile-update disable
|
||||||
set service dhcp-server shared-network-name LAN authoritative enable
|
set service dhcp-server shared-network-name LAN authoritative enable
|
||||||
@ -117,5 +118,6 @@ set service nat rule 5010 type masquerade
|
|||||||
set service ssh port 22
|
set service ssh port 22
|
||||||
set service ssh protocol-version v2
|
set service ssh protocol-version v2
|
||||||
set service unms
|
set service unms
|
||||||
|
set service unms connection '{{ unms_vault_URL }}'
|
||||||
set system host-name {{ inventory_hostname }}
|
set system host-name {{ inventory_hostname }}
|
||||||
set system time-zone UTC
|
set system time-zone UTC
|
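Review bot: `set firewall options mss-clamp6 mss 1340` in the first hunk does not fit the new `set interfaces wireguard wg0 mtu 1380`: IPv6 plus TCP headers take 60 bytes, so 1340 leaves IPv6 segments 20 bytes too large for the tunnel, whereas the IPv4 clamp of 1340 (1380 − 40) is correct. These values, together with the `link-mtu 1328` router-advert in the rendered copy, are hard-coded independently in a template that is otherwise parameterised; a single `wireguard_mtu` host var with `mss-clamp mss {{ wireguard_mtu - 40 }}` and `mss-clamp6 mss {{ wireguard_mtu - 60 }}` keeps them consistent. Likewise `set interfaces wireguard wg0 address 2a03:2260:121:600::1/64` in the second hunk embeds a host-specific address right after `{{ wireguard_address }}`; it belongs in the edge1 host vars, not in the template.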
@ -7,9 +7,10 @@
|
|||||||
Address = {{ wireguard_address }}
|
Address = {{ wireguard_address }}
|
||||||
PrivateKey = {{ wireguard_private_key }}
|
PrivateKey = {{ wireguard_private_key }}
|
||||||
ListenPort = {{ wireguard_port }}
|
ListenPort = {{ wireguard_port }}
|
||||||
MTU = 1355
|
MTU = 1380
|
||||||
|
|
||||||
PostUp = ip rule add fwmark 0x4 table 42 && iptables -t mangle -A PREROUTING -s 10.255.0.0/16 ! -d 10.0.0.0/8 -j MARK --set-mark 4 && ip route add default via 172.16.7.1 table 42
|
PostUp = ip rule add fwmark 0x4 table 42 && iptables -t mangle -A PREROUTING -s 10.255.0.0/16 ! -d 10.0.0.0/8 -j MARK --set-mark 4 && ip route add default via 172.16.7.1 table 42
|
||||||
|
PostDown = ip route del default via 172.16.7.1 table 42
|
||||||
|
|
||||||
|
|
||||||
{% if wireguard_unmanaged_peers is defined %}
|
{% if wireguard_unmanaged_peers is defined %}
|
||||||
|
@ -5,7 +5,12 @@
|
|||||||
- 00-ubuntu-basic
|
- 00-ubuntu-basic
|
||||||
|
|
||||||
- name: VPN Offloader Setup
|
- name: VPN Offloader Setup
|
||||||
hosts: vpn-offloader
|
hosts: vpn-offloader-wireguard
|
||||||
roles:
|
roles:
|
||||||
- 01-vpn-offloader-setup
|
- 01-vpn-offloader-setup
|
||||||
- 21-install-wireguard
|
- 21-install-wireguard
|
||||||
|
|
||||||
|
- name: VPN Offloader Setup
|
||||||
|
hosts: vpn-offloader-openvpn
|
||||||
|
roles:
|
||||||
|
- 01-vpn-offloader-setup
|
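Review bot: The added play reuses the name `VPN Offloader Setup` already carried by the play above it for `vpn-offloader-wireguard`, so playbook output and `--list-tasks` show two identically named plays. `- name: VPN Offloader Setup (OpenVPN)` distinguishes them. The new play applies only `01-vpn-offloader-setup`, which from the tasks hunk earlier on this page persists iptables rules and routing table 42 but installs no OpenVPN role; if that is intentional for now, a short comment saying so would help the next reader.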