Running Config with MTU Setup

Stefan Hoffmann 2023-03-24 19:34:41 +01:00
parent 8fa6933c15
commit e3164e5665
12 changed files with 66 additions and 29 deletions

2
.gitignore vendored

@ -1,2 +1,2 @@
.DS_Store .DS_Store
/edgerouter_configs edgerouter_configs


@ -35,9 +35,9 @@ set firewall name WAN_LOCAL rule 20 description WireGuard
set firewall name WAN_LOCAL rule 20 destination port 51821 set firewall name WAN_LOCAL rule 20 destination port 51821
set firewall name WAN_LOCAL rule 20 protocol udp set firewall name WAN_LOCAL rule 20 protocol udp
set firewall options mss-clamp interface-type all set firewall options mss-clamp interface-type all
set firewall options mss-clamp mss 1350 set firewall options mss-clamp mss 1340
set firewall options mss-clamp6 interface-type all set firewall options mss-clamp6 interface-type all
set firewall options mss-clamp6 mss 1350 set firewall options mss-clamp6 mss 1340
set firewall receive-redirects disable set firewall receive-redirects disable
set firewall send-redirects enable set firewall send-redirects enable
set firewall source-validation disable set firewall source-validation disable
@ -67,7 +67,7 @@ set interfaces switch switch0 firewall in ipv6-modify LAN_to_VPN_V6
set interfaces switch switch0 firewall in modify LAN_to_VPN set interfaces switch switch0 firewall in modify LAN_to_VPN
set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1 set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1
set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64 set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64
set interfaces switch switch0 ipv6 router-advert link-mtu 0 set interfaces switch switch0 ipv6 router-advert link-mtu 1328
set interfaces switch switch0 ipv6 router-advert managed-flag true set interfaces switch switch0 ipv6 router-advert managed-flag true
set interfaces switch switch0 ipv6 router-advert max-interval 600 set interfaces switch switch0 ipv6 router-advert max-interval 600
set interfaces switch switch0 ipv6 router-advert name-server '2606:4700:4700::1111' set interfaces switch switch0 ipv6 router-advert name-server '2606:4700:4700::1111'
@ -85,8 +85,9 @@ set interfaces switch switch0 switch-port interface eth3
set interfaces switch switch0 switch-port interface eth4 set interfaces switch switch0 switch-port interface eth4
set interfaces switch switch0 switch-port vlan-aware disable set interfaces switch switch0 switch-port vlan-aware disable
set interfaces wireguard wg0 address 10.255.1.2/24 set interfaces wireguard wg0 address 10.255.1.2/24
set interfaces wireguard wg0 address 2a03:2260:121:600::1/64
set interfaces wireguard wg0 listen-port 51822 set interfaces wireguard wg0 listen-port 51822
set interfaces wireguard wg0 mtu 1355 set interfaces wireguard wg0 mtu 1380
set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0 set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0
set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips '::0/0' set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips '::0/0'
set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 'vpn01.fftdf.de:42001' set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 'vpn01.fftdf.de:42001'
@ -94,8 +95,8 @@ set interfaces wireguard wg0 private-key /config/auth/wg.key
set interfaces wireguard wg0 route-allowed-ips false set interfaces wireguard wg0 route-allowed-ips false
set protocols static interface-route6 '::/0' next-hop-interface wg0 set protocols static interface-route6 '::/0' next-hop-interface wg0
set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1 set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
set protocols static table 2 route6 '::0/0' next-hop '2a03:2260:121:602::2' set protocols static table 2 interface-route6 '::/0' next-hop-interface wg0
set protocols static table 2 route6 '::/0' next-hop '2a03:2260:121:602::2' set protocols static interface-route6 '::/0' next-hop-interface wg0
set service dhcp-server disabled false set service dhcp-server disabled false
set service dhcp-server hostfile-update disable set service dhcp-server hostfile-update disable
set service dhcp-server shared-network-name LAN authoritative enable set service dhcp-server shared-network-name LAN authoritative enable
@ -117,5 +118,6 @@ set service nat rule 5010 type masquerade
set service ssh port 22 set service ssh port 22
set service ssh protocol-version v2 set service ssh protocol-version v2
set service unms set service unms
set service unms connection 'wss://unifi.freifunk-troisdorf.de:443+Jo_M9kbCiIXmkICVA15YT0fdMVHQPQw0qGSHnwuj_XUAAAAA+allowUntrustedCertificate'
set system host-name edge1 set system host-name edge1
set system time-zone UTC set system time-zone UTC
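Review bot: The added `set service unms connection '…'` line near the end of this rendered config commits the full UNMS connection string in cleartext, including what appears to be the device key, while the template elsewhere in this commit reads the same value from the vault-backed `unms_vault_URL` variable. Anyone with read access to the repository history can recover it, so the value should be treated as exposed: regenerate the key on the controller and keep rendered configs out of version control, which the `edgerouter_configs` entry in `.gitignore` suggests was the intent. The string also ends in `allowUntrustedCertificate`, which by its name lets the router accept a controller certificate it cannot verify; that suffix should go once the controller presents a certificate the device trusts.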


@ -1,4 +1,4 @@
# ansible-playbook -i hosts.yml er-test.yml # ansible-playbook -i hosts.yml er-test.yml --ask-vault-password
- name: System preperation - name: System preperation
hosts: edge_router hosts: edge_router
roles: roles:


@ -8,6 +8,4 @@ ipv6_network: 2a03:2260:121:603::/64
ipv6_address: 2a03:2260:121:603::1/64 ipv6_address: 2a03:2260:121:603::1/64
wireguard_address: 10.255.1.2/24 wireguard_address: 10.255.1.2/24
wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s=
wiregurad_v4: 10.255.1.1 wiregurad_v4: 10.255.1.1
wireguard_v6: 2a03:2260:121:602::2

12
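--- a/host_vars/edge1/vault.yml
+++ b/host_vars/edge1/vault.yml
@@ -0,0 +1,12 @@
+$ANSIBLE_VAULT;1.1;AES256
+63373161393033633933653763653661626365376332306438326363333263656366623837333061
+3665663736393837663634653439356465356234613933320a613530656335326538326262376163
+36336139633033326430663362633839653831326362326439303634376666623862663037636533
+3031306666356637370a396164386339653630343366393163623136333166643162393663323931
+65376261356666313034633237323531363733343061396166343333666538313232616265303933
+32303633343666346134666332626635396132313932623535383538326639316465633432343239
+32353563643565393034653933356235663434376131366565636634376332353738363730626162
+31353236303764663236346437613031623634663762653664383534613738353363346563313063
+66363430306533666263356365383365303564303565316462306664356236316430653065613036
+30386238616564326132303262623664313935376332373037343664666138303932316330336238
+363762633930393837363662343133666363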


@ -17,16 +17,15 @@ core_router: 172.16.7.1
### Wireguard ### Wireguard
### ###
ipv6_network: 2a03:2260:121:600::/58 ipv6_network: 2a03:2260:121:600::/58
wireguard_address: "10.255.1.1/24, 2a03:2260:121:602::2/64" wireguard_address: "10.255.1.1/24, fd80:3ea2:e399:203a::1/64"
wireguard_port: 42001 wireguard_port: 42001
wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s=
wiregurad_v4: 10.255.1.1 wiregurad_v4: 10.255.1.1
wireguard_v6: 2a03:2260:121:602::2
wireguard_unmanaged_peers: wireguard_unmanaged_peers:
vpn1-testing: vpn1-testing:
public_key: eoC9nkNTO+aWn1rkMPGguzeBAwBvK8Ob5N52MGoHEBA= public_key: eoC9nkNTO+aWn1rkMPGguzeBAwBvK8Ob5N52MGoHEBA=
allowed_ips: 10.255.1.2/32, 10.1.0.0/16, fd80:3ea2:e399:203a::2/128 allowed_ips: 10.255.1.2/32, 10.1.0.0/16, fd80:3ea2:e399:203a::2/128, 2a03:2260:121:600::/58
persistent_keepalive: 25 persistent_keepalive: 25
vpn2-lindenstr-h07: vpn2-lindenstr-h07:
public_key: VglVuinIYJOE3UNZxhFRCHwD7WtiVg83u/cp3modw0k= public_key: VglVuinIYJOE3UNZxhFRCHwD7WtiVg83u/cp3modw0k=
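Review bot: The new `allowed_ips` entry for `vpn1-testing` adds the whole `2a03:2260:121:600::/58`, which is the same prefix as `ipv6_network`, so this one peer is accepted as the source for every address in the site allocation. The other files in this commit only show that peer using `2a03:2260:121:600::/64` on wg0 and `2a03:2260:121:603::/64` on its LAN. Unless the edge router really routes the full /58, listing just those prefixes keeps WireGuard's source filtering meaningful, e.g. `allowed_ips: 10.255.1.2/32, 10.1.0.0/16, fd80:3ea2:e399:203a::2/128, 2a03:2260:121:600::/64, 2a03:2260:121:603::/64`. The peer list continues past the end of this hunk, so overlap with other peers could not be checked here.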

15
host_vars/vpn02.yml Normal file

@ -0,0 +1,15 @@
###
### Ansible
###
ansible_host: 5.9.220.115
ansible_port: 22
ansible_ssh_user: root
ansible_python_interpreter: /usr/bin/python3
###
### Vars Freifunk
###
internal_network: "10.255.0.0/16"
freifunk_internal_ip: 172.16.7.11/24
core_router: 172.16.7.1
ipv6_network: 2a03:2260:121:640::/58
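Review bot: `ansible_ssh_user: root` makes Ansible log in directly as root on a host with a public address, which requires root SSH login to stay enabled on that machine. Connecting as an unprivileged deploy account and escalating per play is the usual hardening, for example `ansible_user: <deploy-user>` together with `ansible_become: true` (`<deploy-user>` is a placeholder, not a name from this repository). If root login has to remain for now, a comment in this file stating that sshd is restricted to key-only authentication would record the assumption.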


@ -12,9 +12,12 @@ all:
core4: core4:
supernodes: supernodes:
children: children:
vpn-offloader: vpn-offloader-wireguard:
hosts: hosts:
vpn01: vpn01:
vpn-offloader-openvpn:
hosts:
vpn02:
edge_router: edge_router:
hosts: hosts:
edge1: edge1:


@ -32,12 +32,6 @@
state: present state: present
reload: true reload: true
- name: saveip6tables
ansible.builtin.shell: ip6tables-save > /etc/iptables/rules.v6
- name: saveip4tables
ansible.builtin.shell: iptables-save > /etc/iptables/rules.v4
- name: Create Routing Table 42 - name: Create Routing Table 42
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /etc/iproute2/rt_tables path: /etc/iproute2/rt_tables
@ -70,5 +64,11 @@
group: root group: root
mode: 755 mode: 755
- name: saveip6tables
ansible.builtin.shell: ip6tables-save > /etc/iptables/rules.v6
- name: saveip4tables
ansible.builtin.shell: iptables-save > /etc/iptables/rules.v4
- name: Apply Netplan - name: Apply Netplan
ansible.builtin.shell: netplan apply ansible.builtin.shell: netplan apply
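Review bot: The task just above the moved save steps sets `mode: 755` as a bare integer; Ansible reads an unquoted value without a leading zero as decimal, so the file ends up with unintended permission bits rather than rwxr-xr-x. It should be written as `mode: "0755"`. That task starts outside this hunk, so the module it belongs to is not visible here. The relocated `iptables-save` and `ip6tables-save` shell tasks will also report "changed" on every run; adding `changed_when: false` to each keeps the play output meaningful.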


@ -35,9 +35,9 @@ set firewall name WAN_LOCAL rule 20 description WireGuard
set firewall name WAN_LOCAL rule 20 destination port 51821 set firewall name WAN_LOCAL rule 20 destination port 51821
set firewall name WAN_LOCAL rule 20 protocol udp set firewall name WAN_LOCAL rule 20 protocol udp
set firewall options mss-clamp interface-type all set firewall options mss-clamp interface-type all
set firewall options mss-clamp mss 1328 set firewall options mss-clamp mss 1340
set firewall options mss-clamp6 interface-type all set firewall options mss-clamp6 interface-type all
set firewall options mss-clamp6 mss 1328 set firewall options mss-clamp6 mss 1340
set firewall receive-redirects disable set firewall receive-redirects disable
set firewall send-redirects enable set firewall send-redirects enable
set firewall source-validation disable set firewall source-validation disable
@ -85,8 +85,9 @@ set interfaces switch switch0 switch-port interface eth3
set interfaces switch switch0 switch-port interface eth4 set interfaces switch switch0 switch-port interface eth4
set interfaces switch switch0 switch-port vlan-aware disable set interfaces switch switch0 switch-port vlan-aware disable
set interfaces wireguard wg0 address {{ wireguard_address }} set interfaces wireguard wg0 address {{ wireguard_address }}
set interfaces wireguard wg0 address 2a03:2260:121:600::1/64
set interfaces wireguard wg0 listen-port 51822 set interfaces wireguard wg0 listen-port 51822
set interfaces wireguard wg0 mtu 1328 set interfaces wireguard wg0 mtu 1380
set interfaces wireguard wg0 peer {{ wireguard_public }} allowed-ips 0.0.0.0/0 set interfaces wireguard wg0 peer {{ wireguard_public }} allowed-ips 0.0.0.0/0
set interfaces wireguard wg0 peer {{ wireguard_public }} allowed-ips '::0/0' set interfaces wireguard wg0 peer {{ wireguard_public }} allowed-ips '::0/0'
set interfaces wireguard wg0 peer {{ wireguard_public }} endpoint 'vpn01.fftdf.de:42001' set interfaces wireguard wg0 peer {{ wireguard_public }} endpoint 'vpn01.fftdf.de:42001'
@ -94,8 +95,8 @@ set interfaces wireguard wg0 private-key /config/auth/wg.key
set interfaces wireguard wg0 route-allowed-ips false set interfaces wireguard wg0 route-allowed-ips false
set protocols static interface-route6 '::/0' next-hop-interface wg0 set protocols static interface-route6 '::/0' next-hop-interface wg0
set protocols static table 2 route 0.0.0.0/0 next-hop {{ wiregurad_v4 }} set protocols static table 2 route 0.0.0.0/0 next-hop {{ wiregurad_v4 }}
set protocols static table 2 route6 '::0/0' next-hop '{{ wireguard_v6 }}' set protocols static table 2 interface-route6 '::/0' next-hop-interface wg0
set protocols static table 2 route6 '::/0' next-hop '{{ wireguard_v6 }}' set protocols static interface-route6 '::/0' next-hop-interface wg0
set service dhcp-server disabled false set service dhcp-server disabled false
set service dhcp-server hostfile-update disable set service dhcp-server hostfile-update disable
set service dhcp-server shared-network-name LAN authoritative enable set service dhcp-server shared-network-name LAN authoritative enable
@ -117,5 +118,6 @@ set service nat rule 5010 type masquerade
set service ssh port 22 set service ssh port 22
set service ssh protocol-version v2 set service ssh protocol-version v2
set service unms set service unms
set service unms connection '{{ unms_vault_URL }}'
set system host-name {{ inventory_hostname }} set system host-name {{ inventory_hostname }}
set system time-zone UTC set system time-zone UTC
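Review bot: `set firewall options mss-clamp6 mss 1340` does not fit the new `wg0 mtu 1380`: an IPv6 TCP segment carries 60 bytes of headers (40 IPv6 + 20 TCP), so the IPv6 clamp should be at most 1320, i.e. `set firewall options mss-clamp6 mss 1320`, while 1340 is only correct for the IPv4 clamp. The rendered edge1 config in this commit carries the same pair of values and additionally advertises `router-advert link-mtu 1328`, a third number that should be reconciled with the tunnel MTU. Separately, the added `wg0 address 2a03:2260:121:600::1/64` is hard-coded next to `{{ wireguard_address }}`, and `set protocols static interface-route6 '::/0' next-hop-interface wg0` appears to be present twice on the new side; a host variable and a single route line would keep the template reusable for a second router.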


@ -7,9 +7,10 @@
Address = {{ wireguard_address }} Address = {{ wireguard_address }}
PrivateKey = {{ wireguard_private_key }} PrivateKey = {{ wireguard_private_key }}
ListenPort = {{ wireguard_port }} ListenPort = {{ wireguard_port }}
MTU = 1355 MTU = 1380
PostUp = ip rule add fwmark 0x4 table 42 && iptables -t mangle -A PREROUTING -s 10.255.0.0/16 ! -d 10.0.0.0/8 -j MARK --set-mark 4 && ip route add default via 172.16.7.1 table 42 PostUp = ip rule add fwmark 0x4 table 42 && iptables -t mangle -A PREROUTING -s 10.255.0.0/16 ! -d 10.0.0.0/8 -j MARK --set-mark 4 && ip route add default via 172.16.7.1 table 42
PostDown = ip route del default via 172.16.7.1 table 42
{% if wireguard_unmanaged_peers is defined %} {% if wireguard_unmanaged_peers is defined %}
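Review bot: The new `PostDown` undoes only the route, while `PostUp` also adds an `ip rule` for fwmark 0x4 and an iptables mangle MARK rule, so every down/up cycle of the interface leaves one more duplicate of each behind. PostDown should mirror all three steps: `PostDown = ip route del default via 172.16.7.1 table 42; ip rule del fwmark 0x4 table 42; iptables -t mangle -D PREROUTING -s 10.255.0.0/16 ! -d 10.0.0.0/8 -j MARK --set-mark 4`. Using `;` rather than `&&` there lets the remaining cleanup run even if one entry is already gone. The gateway `172.16.7.1` and the source network are also available as `core_router` and `internal_network` in host_vars and could be templated instead of repeated.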


@ -5,7 +5,12 @@
- 00-ubuntu-basic - 00-ubuntu-basic
- name: VPN Offloader Setup - name: VPN Offloader Setup
hosts: vpn-offloader hosts: vpn-offloader-wireguard
roles: roles:
- 01-vpn-offloader-setup - 01-vpn-offloader-setup
- 21-install-wireguard - 21-install-wireguard
- name: VPN Offloader Setup
hosts: vpn-offloader-openvpn
roles:
- 01-vpn-offloader-setup