Running Config with MTU Setup

.gitignore

@@ -1,2 +1,2 @@
 .DS_Store
-/edgerouter_configs
+edgerouter_configs

edgerouter_configs/edge1.md

@@ -35,9 +35,9 @@ set firewall name WAN_LOCAL rule 20 description WireGuard
 set firewall name WAN_LOCAL rule 20 destination port 51821
 set firewall name WAN_LOCAL rule 20 protocol udp
 set firewall options mss-clamp interface-type all
-set firewall options mss-clamp mss 1350
+set firewall options mss-clamp mss 1340
 set firewall options mss-clamp6 interface-type all
-set firewall options mss-clamp6 mss 1350
+set firewall options mss-clamp6 mss 1340
 set firewall receive-redirects disable
 set firewall send-redirects enable
 set firewall source-validation disable
@@ -67,7 +67,7 @@ set interfaces switch switch0 firewall in ipv6-modify LAN_to_VPN_V6
 set interfaces switch switch0 firewall in modify LAN_to_VPN
 set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1
 set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64
-set interfaces switch switch0 ipv6 router-advert link-mtu 0
+set interfaces switch switch0 ipv6 router-advert link-mtu 1328
 set interfaces switch switch0 ipv6 router-advert managed-flag true
 set interfaces switch switch0 ipv6 router-advert max-interval 600
 set interfaces switch switch0 ipv6 router-advert name-server '2606:4700:4700::1111'
@@ -85,8 +85,9 @@ set interfaces switch switch0 switch-port interface eth3
 set interfaces switch switch0 switch-port interface eth4
 set interfaces switch switch0 switch-port vlan-aware disable
 set interfaces wireguard wg0 address 10.255.1.2/24
+set interfaces wireguard wg0 address 2a03:2260:121:600::1/64
 set interfaces wireguard wg0 listen-port 51822
-set interfaces wireguard wg0 mtu 1355
+set interfaces wireguard wg0 mtu 1380
 set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0
 set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips '::0/0'
 set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 'vpn01.fftdf.de:42001'
@@ -94,8 +95,8 @@ set interfaces wireguard wg0 private-key /config/auth/wg.key
 set interfaces wireguard wg0 route-allowed-ips false
 set protocols static interface-route6 '::/0' next-hop-interface wg0
 set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
-set protocols static table 2 route6 '::0/0' next-hop '2a03:2260:121:602::2'
-set protocols static table 2 route6 '::/0' next-hop '2a03:2260:121:602::2'
+set protocols static table 2 interface-route6 '::/0' next-hop-interface wg0
+set protocols static interface-route6 '::/0' next-hop-interface wg0
 set service dhcp-server disabled false
 set service dhcp-server hostfile-update disable
 set service dhcp-server shared-network-name LAN authoritative enable
@@ -117,5 +118,6 @@ set service nat rule 5010 type masquerade
 set service ssh port 22
 set service ssh protocol-version v2
 set service unms
+set service unms connection 'wss://unifi.freifunk-troisdorf.de:443+Jo_M9kbCiIXmkICVA15YT0fdMVHQPQw0qGSHnwuj_XUAAAAA+allowUntrustedCertificate'
 set system host-name edge1
 set system time-zone UTC

er-test.yml

@@ -1,4 +1,4 @@
-# ansible-playbook -i hosts.yml er-test.yml
+# ansible-playbook -i hosts.yml er-test.yml --ask-vault-password
 - name: System preperation
   hosts: edge_router
   roles:

host_vars/edge1/vars.yml

@@ -9,5 +9,3 @@ ipv6_address: 2a03:2260:121:603::1/64
 wireguard_address: 10.255.1.2/24
 wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s=
 wiregurad_v4: 10.255.1.1
-wireguard_v6: 2a03:2260:121:602::2
-

host_vars/edge1/vault.yml

@@ -0,0 +1,12 @@
+$ANSIBLE_VAULT;1.1;AES256
+63373161393033633933653763653661626365376332306438326363333263656366623837333061
+3665663736393837663634653439356465356234613933320a613530656335326538326262376163
+36336139633033326430663362633839653831326362326439303634376666623862663037636533
+3031306666356637370a396164386339653630343366393163623136333166643162393663323931
+65376261356666313034633237323531363733343061396166343333666538313232616265303933
+32303633343666346134666332626635396132313932623535383538326639316465633432343239
+32353563643565393034653933356235663434376131366565636634376332353738363730626162
+31353236303764663236346437613031623634663762653664383534613738353363346563313063
+66363430306533666263356365383365303564303565316462306664356236316430653065613036
+30386238616564326132303262623664313935376332373037343664666138303932316330336238
+363762633930393837363662343133666363

host_vars/vpn01/vars.yml

@@ -17,16 +17,15 @@ core_router: 172.16.7.1
 ### Wireguard
 ###
 ipv6_network: 2a03:2260:121:600::/58
-wireguard_address: "10.255.1.1/24, 2a03:2260:121:602::2/64"
+wireguard_address: "10.255.1.1/24, fd80:3ea2:e399:203a::1/64"
 wireguard_port: 42001
 wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s=
 wiregurad_v4: 10.255.1.1
-wireguard_v6: 2a03:2260:121:602::2
 
 wireguard_unmanaged_peers:
   vpn1-testing:
     public_key: eoC9nkNTO+aWn1rkMPGguzeBAwBvK8Ob5N52MGoHEBA=
-    allowed_ips: 10.255.1.2/32, 10.1.0.0/16, fd80:3ea2:e399:203a::2/128
+    allowed_ips: 10.255.1.2/32, 10.1.0.0/16, fd80:3ea2:e399:203a::2/128, 2a03:2260:121:600::/58
     persistent_keepalive: 25
   vpn2-lindenstr-h07:
     public_key: VglVuinIYJOE3UNZxhFRCHwD7WtiVg83u/cp3modw0k=

host_vars/vpn02.yml

@@ -0,0 +1,15 @@
+###
+### Ansible
+###
+ansible_host: 5.9.220.115
+ansible_port: 22
+ansible_ssh_user: root
+ansible_python_interpreter: /usr/bin/python3
+
+###
+### Vars Freifunk
+###
+internal_network: "10.255.0.0/16"
+freifunk_internal_ip: 172.16.7.11/24
+core_router: 172.16.7.1
+ipv6_network: 2a03:2260:121:640::/58

hosts.yml

@@ -12,9 +12,12 @@ all:
             core4:
     supernodes:
       children:
-        vpn-offloader:
+        vpn-offloader-wireguard:
           hosts:
             vpn01:
+        vpn-offloader-openvpn:
+          hosts:
+            vpn02:
     edge_router:
       hosts:
         edge1:

roles/01-vpn-offloader-setup/tasks/main.yml

@@ -32,12 +32,6 @@
     state: present
     reload: true
 
-- name: saveip6tables
-  ansible.builtin.shell: ip6tables-save > /etc/iptables/rules.v6
-
-- name: saveip4tables
-  ansible.builtin.shell: iptables-save > /etc/iptables/rules.v4
-
 - name: Create Routing Table 42
   ansible.builtin.lineinfile:
     path: /etc/iproute2/rt_tables
@@ -70,5 +64,11 @@
     group: root
     mode: 755
 
+- name: saveip6tables
+  ansible.builtin.shell: ip6tables-save > /etc/iptables/rules.v6
+
+- name: saveip4tables
+  ansible.builtin.shell: iptables-save > /etc/iptables/rules.v4
+  
 - name: Apply Netplan
   ansible.builtin.shell: netplan apply

roles/01-vpn-router-config/templates/edgerouter.conf.j2

@@ -35,9 +35,9 @@ set firewall name WAN_LOCAL rule 20 description WireGuard
 set firewall name WAN_LOCAL rule 20 destination port 51821
 set firewall name WAN_LOCAL rule 20 protocol udp
 set firewall options mss-clamp interface-type all
-set firewall options mss-clamp mss 1328
+set firewall options mss-clamp mss 1340
 set firewall options mss-clamp6 interface-type all
-set firewall options mss-clamp6 mss 1328
+set firewall options mss-clamp6 mss 1340
 set firewall receive-redirects disable
 set firewall send-redirects enable
 set firewall source-validation disable
@@ -85,8 +85,9 @@ set interfaces switch switch0 switch-port interface eth3
 set interfaces switch switch0 switch-port interface eth4
 set interfaces switch switch0 switch-port vlan-aware disable
 set interfaces wireguard wg0 address {{ wireguard_address }}
+set interfaces wireguard wg0 address 2a03:2260:121:600::1/64
 set interfaces wireguard wg0 listen-port 51822
-set interfaces wireguard wg0 mtu 1328
+set interfaces wireguard wg0 mtu 1380
 set interfaces wireguard wg0 peer {{ wireguard_public }} allowed-ips 0.0.0.0/0
 set interfaces wireguard wg0 peer {{ wireguard_public }} allowed-ips '::0/0'
 set interfaces wireguard wg0 peer {{ wireguard_public }} endpoint 'vpn01.fftdf.de:42001'
@@ -94,8 +95,8 @@ set interfaces wireguard wg0 private-key /config/auth/wg.key
 set interfaces wireguard wg0 route-allowed-ips false
 set protocols static interface-route6 '::/0' next-hop-interface wg0
 set protocols static table 2 route 0.0.0.0/0 next-hop {{ wiregurad_v4 }}
-set protocols static table 2 route6 '::0/0' next-hop '{{ wireguard_v6 }}'
-set protocols static table 2 route6 '::/0' next-hop '{{ wireguard_v6 }}'
+set protocols static table 2 interface-route6 '::/0' next-hop-interface wg0
+set protocols static interface-route6 '::/0' next-hop-interface wg0
 set service dhcp-server disabled false
 set service dhcp-server hostfile-update disable
 set service dhcp-server shared-network-name LAN authoritative enable
@@ -117,5 +118,6 @@ set service nat rule 5010 type masquerade
 set service ssh port 22
 set service ssh protocol-version v2
 set service unms
+set service unms connection '{{ unms_vault_URL }}'
 set system host-name {{ inventory_hostname }}
 set system time-zone UTC

roles/21-install-wireguard/templates/wg.conf.j2

@@ -7,9 +7,10 @@
 Address = {{ wireguard_address }}
 PrivateKey = {{ wireguard_private_key }}
 ListenPort = {{ wireguard_port }}
-MTU = 1355
+MTU = 1380
 
 PostUp = ip rule add fwmark 0x4 table 42 && iptables -t mangle -A PREROUTING -s 10.255.0.0/16 ! -d 10.0.0.0/8 -j MARK --set-mark 4 && ip route add default via 172.16.7.1 table 42
+PostDown = ip route del default via 172.16.7.1 table 42
 
 
 {% if wireguard_unmanaged_peers is defined %}

system-setup.yml

@@ -5,7 +5,12 @@
     - 00-ubuntu-basic
 
 - name: VPN Offloader Setup
-  hosts: vpn-offloader
+  hosts: vpn-offloader-wireguard
   roles:
     - 01-vpn-offloader-setup
     - 21-install-wireguard
+
+- name: VPN Offloader Setup
+  hosts: vpn-offloader-openvpn
+  roles:
+    - 01-vpn-offloader-setup