diff --git a/host_vars/edge1/vars.yml b/host_vars/edge1/vars.yml
index 565bfed..9eb54c2 100644
--- a/host_vars/edge1/vars.yml
+++ b/host_vars/edge1/vars.yml
@@ -3,7 +3,9 @@ ansible_connection: local
 ansible_python_interpreter: /usr/bin/python3
 ipv4_network: 10.1.0.0/16
-ipv4_address: 10.1.0.1/24
+ipv4_dhcp_start: 10.1.0.30
+ipv4_dhcp_stop: 10.1.0.250
+ipv4_address: 10.1.0.1
 ipv6_network: 2a03:2260:121:603::/64
 ipv6_address: 2a03:2260:121:603::1/64
 wireguard_address: 10.255.1.2/24
diff --git a/host_vars/edge2/vars.yml b/host_vars/edge2/vars.yml
new file mode 100644
index 0000000..6e464ee
--- /dev/null
+++ b/host_vars/edge2/vars.yml
@@ -0,0 +1,13 @@
+ansible_host: localhost
+ansible_connection: local
+ansible_python_interpreter: /usr/bin/python3
+
+ipv4_network: 10.7.0.0/16
+ipv4_dhcp_start: 10.7.0.30
+ipv4_dhcp_stop: 10.7.0.250
+ipv4_address: 10.7.0.1
+ipv6_network: 2a03:2260:121:607::/64
+ipv6_address: 2a03:2260:121:607::1/64
+wireguard_address: 10.255.1.7/24
+wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s=
+wiregurad_v4: 10.255.1.1
\ No newline at end of file
diff --git a/host_vars/edge2/vault.yml b/host_vars/edge2/vault.yml
new file mode 100644
index 0000000..f4d44e6
--- /dev/null
+++ b/host_vars/edge2/vault.yml
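Review bot: `ipv4_address` is now stored without its prefix length while `ipv6_address` two lines below keeps its `/64`, so the two address variables no longer follow the same convention and the template has to append a hard-coded `/24` wherever the CIDR form is needed (the switch0 and dhcp-server hunks in edgerouter.conf.j2). Keeping the prefix in data would avoid that, e.g. `ipv4_prefix_length: 24` next to `ipv4_address: 10.1.0.1`, rendered as `{{ ipv4_address }}/{{ ipv4_prefix_length }}`. Note also that `ipv4_network` stays `10.1.0.0/16` while the LAN interface and DHCP subnet are rendered as /24, so the LAN-VPN firewall group is much wider than the attached LAN; if that is intentional, a comment on `ipv4_network` saying so would help the next reader.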
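Review bot: The key `wiregurad_v4` on the last line of the new edge2 vars file is misspelled, and this same commit removes the only visible template reference to it (the `next-hop {{ wiregurad_v4 }}` line in edgerouter.conf.j2), so the entry appears to be dead configuration; either drop it or rename it `wireguard_v4` if another role still reads it. The file also ends without a trailing newline and has no `---` document start, which yamllint's default rules flag. Since `wireguard_public` is the only WireGuard identity here, a one-line comment such as `# public key of this router's wg0; the private key lives in vault.yml` would make the split between vars.yml and vault.yml explicit.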
@@ -0,0 +1,12 @@
+$ANSIBLE_VAULT;1.1;AES256
+63373161393033633933653763653661626365376332306438326363333263656366623837333061
+3665663736393837663634653439356465356234613933320a613530656335326538326262376163
+36336139633033326430663362633839653831326362326439303634376666623862663037636533
+3031306666356637370a396164386339653630343366393163623136333166643162393663323931
+65376261356666313034633237323531363733343061396166343333666538313232616265303933
+32303633343666346134666332626635396132313932623535383538326639316465633432343239
+32353563643565393034653933356235663434376131366565636634376332353738363730626162
+31353236303764663236346437613031623634663762653664383534613738353363346563313063
+66363430306533666263356365383365303564303565316462306664356236316430653065613036
+30386238616564326132303262623664313935376332373037343664666138303932316330336238
+363762633930393837363662343133666363
diff --git a/host_vars/vpn01/vars.yml b/host_vars/vpn01/vars.yml
index 2a6a0d6..eb52e7f 100644
--- a/host_vars/vpn01/vars.yml
+++ b/host_vars/vpn01/vars.yml
@@ -43,3 +43,7 @@ wireguard_unmanaged_peers:
 public_key: UHaYitx18sO71Ssk2SVUgdjLaAILbCthCmosU+Fs5Es=
 allowed_ips: 10.255.1.6/32, 10.5.0.0/16, 2a03:2260:121:601::/64
 persistent_keepalive: 25
+ vpn6-stefan:
+ public_key: KxjuZJs7aIPFAUm/J5iw/oWiv4O44hjpnnfN+VN0iQ0=
+ allowed_ips: 10.255.1.7/32, 10.7.0.0/16, fd80:3ea2:e399:203a::7/128, 2a03:2260:121:607::/64
+ persistent_keepalive: 25
diff --git a/hosts.yml b/hosts.yml
index 10ef330..3d76955 100644
--- a/hosts.yml
+++ b/hosts.yml
@@ -21,4 +21,5 @@ all:
 edge_router:
 hosts:
 edge1:
+ edge2:
\ No newline at end of file
diff --git a/roles/01-vpn-router-config/templates/edgerouter.conf.j2 b/roles/01-vpn-router-config/templates/edgerouter.conf.j2
index 03d1565..904ee04 100644
--- a/roles/01-vpn-router-config/templates/edgerouter.conf.j2
+++ b/roles/01-vpn-router-config/templates/edgerouter.conf.j2
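Review bot: The new peer's `allowed_ips` includes `fd80:3ea2:e399:203a::7/128`, but the edge2 host_vars added in this same commit define no WireGuard IPv6 address (only `wireguard_address: 10.255.1.7/24`), so that entry is either stale or a host var is missing; the two sides of the tunnel should be derived from the same data. The `10.7.0.0/16` entry matches edge2's `ipv4_network`, but it is also the source range vpn01 will accept from this peer, which is far wider than the /24 edge2 actually configures on switch0 — fine if the whole /16 is allocated to that site, otherwise narrow it. The peer key `vpn6-stefan` does not match the inventory name `edge2`, which makes correlating the two files harder; naming the key after the inventory host, or adding `# edge2` above it, would help.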
@@ -1,3 +1,9 @@
+## Webinterface Wizard ausführen
+WAN auf eth0
+Ein LAN mit Adresse: {{ ipv4_address }}
+
+Dann auf der Konsole weiter
+
 ## Install Wireguard
 cd /tmp
 curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
@@ -12,7 +18,7 @@ cat wg.key
 set firewall all-ping enable
 set firewall broadcast-ping disable
-set firewall group network-group LAN-VPN-V6 description 'Networks on LAN destined to go out VPN by default'
+set firewall group ipv6-network-group LAN-VPN-V6 description 'Networks on LAN destined to go out VPN by default'
 set firewall group ipv6-network-group LAN-VPN-V6 ipv6-network '{{ ipv6_network }}'
 set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
 set firewall group network-group LAN-VPN network {{ ipv4_network }}
@@ -20,7 +26,7 @@ set firewall group network-group LAN-VPN network {{ ipv4_network }}
 set firewall ipv6-modify LAN_to_VPN_V6 rule 1 action modify
 set firewall ipv6-modify LAN_to_VPN_V6 rule 1 modify table 2
 set firewall ipv6-modify LAN_to_VPN_V6 rule 1 source group ipv6-network-group LAN-VPN-V6
-set firewall ipv6-modify LAN_to_VPN_V6 rule 100 description 'Route traffic from group LAN-VPN through LAN_to_VPN_V6 table'
+set firewall ipv6-modify LAN_to_VPN_V6 rule 1 description 'Route traffic from group LAN-VPN through LAN_to_VPN_V6 table'
 set firewall ipv6-receive-redirects disable
 set firewall ipv6-src-route disable
 set firewall ip-src-route disable
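Review bot: The added wizard instruction hands `{{ ipv4_address }}` to the web UI as the LAN address, but this commit turned `ipv4_address` into a bare host address (`10.1.0.1`) and the template appends `/24` everywhere else it is used; if the wizard expects a CIDR value the line should read `Ein LAN mit Adresse: {{ ipv4_address }}/24` so the manual step matches the `set interfaces switch switch0 address` line generated further down. The new lines are German prose under an otherwise English `##` heading scheme; keeping the heading in English (`## Run the web-interface wizard first`) or bilingual would keep the file consistent. Since these lines are rendered into the same file as the `set` commands, a short note that they are operator instructions and not router configuration would avoid them being pasted into the CLI.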
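Review bot: The rewritten description on rule 1 still names `group LAN-VPN`, but the rule's source group on the preceding context line is `LAN-VPN-V6`, so the generated config documents the wrong group; suggest `set firewall ipv6-modify LAN_to_VPN_V6 rule 1 description 'Route traffic from group LAN-VPN-V6 through LAN_to_VPN_V6 table'`. Moving the description from rule 100 to rule 1 is correct, since no rule 100 is defined in this hunk.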
@@ -42,26 +48,8 @@ set firewall receive-redirects disable
 set firewall send-redirects enable
 set firewall source-validation disable
 set firewall syn-cookies enable
-set interfaces ethernet eth0 address dhcp
-set interfaces ethernet eth0 description 'Internet via DHCP'
-set interfaces ethernet eth0 duplex auto
-set interfaces ethernet eth0 speed auto
-set interfaces ethernet eth1 description Local
-set interfaces ethernet eth1 duplex auto
-set interfaces ethernet eth1 speed auto
-set interfaces ethernet eth2 description Local
-set interfaces ethernet eth2 duplex auto
-set interfaces ethernet eth2 speed auto
-set interfaces ethernet eth3 description Local
-set interfaces ethernet eth3 duplex auto
-set interfaces ethernet eth3 speed auto
-set interfaces ethernet eth4 description Local
-set interfaces ethernet eth4 duplex auto
-set interfaces ethernet eth4 poe output off
-set interfaces ethernet eth4 speed auto
-set interfaces loopback lo
-set interfaces switch switch0 address {{ ipv4_address }}
-set interfaces switch switch0 address '{{ ipv6_address }}'
+set interfaces switch switch0 address {{ ipv4_address }}/24
+set interfaces switch switch0 address '{{ ipv6_address }}/24'
 set interfaces switch switch0 description Local
 set interfaces switch switch0 firewall in ipv6-modify LAN_to_VPN_V6
 set interfaces switch switch0 firewall in modify LAN_to_VPN
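Review bot: `set interfaces switch switch0 address '{{ ipv6_address }}/24'` renders as `2a03:2260:121:603::1/64/24` for edge1 (and the `…607::1/64/24` equivalent for edge2), because `ipv6_address` in both host_vars already carries its `/64`; that is not a valid prefix and the `set` will fail. Drop the suffix: `set interfaces switch switch0 address '{{ ipv6_address }}'`. The IPv4 line works but hard-codes the /24 that the data no longer holds; an `ipv4_prefix_length` host var would keep address and prefix together. Deleting every `interfaces ethernet eth0..eth4` and `loopback lo` line also means the template now depends entirely on the wizard step added at the top of the file to set the WAN to DHCP and put the LAN ports in switch0, which deserves a comment above these two lines so nobody re-adds them.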
@@ -93,30 +81,24 @@ set interfaces wireguard wg0 peer {{ wireguard_public }} allowed-ips '::0/0'
 set interfaces wireguard wg0 peer {{ wireguard_public }} endpoint 'vpn01.fftdf.de:42001'
 set interfaces wireguard wg0 private-key /config/auth/wg.key
 set interfaces wireguard wg0 route-allowed-ips false
-set protocols static interface-route6 '::/0' next-hop-interface wg0
-set protocols static table 2 route 0.0.0.0/0 next-hop {{ wiregurad_v4 }}
+set protocols static table 2 interface-route 0.0.0.0/0 next-hop-interface wg0
 set protocols static table 2 interface-route6 '::/0' next-hop-interface wg0
-set protocols static interface-route6 '::/0' next-hop-interface wg0
+delete service dhcp-server
 set service dhcp-server disabled false
 set service dhcp-server hostfile-update disable
 set service dhcp-server shared-network-name LAN authoritative enable
-set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }} default-router {{ ipv4_address }}
-set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }} dns-server {{ ipv4_address }}
-set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }} lease 86400
-set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }} start 10.1.0.38 stop 10.1.0.243
+set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }}/24 default-router {{ ipv4_address }}
+set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }}/24 dns-server {{ ipv4_address }}
+set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }}/24 lease 86400
+set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }}/24 start {{ ipv4_dhcp_start }} stop {{ ipv4_dhcp_stop }}
 set service dhcp-server static-arp disable
 set service dhcp-server use-dnsmasq disable
 set service dns forwarding cache-size 150
 set service dns forwarding listen-on switch0
-set service gui http-port 80
-set service gui https-port 443
-set service gui older-ciphers enable
 set service nat rule 5010 description 'masquerade for VPN'
 set service nat rule 5010 outbound-interface wg0
 set service nat rule 5010 protocol all
 set service nat rule 5010 type masquerade
-set service ssh port 22
-set service ssh protocol-version v2
 set service unms
 set service unms connection '{{ unms_vault_URL }}'
 set system host-name {{ inventory_hostname }}
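Review bot: The rewritten dhcp-server lines use `{{ ipv4_address }}/24` as the `subnet`, which renders the router's own host address (`10.1.0.1/24`) rather than the network (`10.1.0.0/24`); EdgeOS expects the network prefix in that position, so it is worth confirming the device does not reject or silently normalise the host form, and a dedicated value such as a host var `ipv4_lan_subnet: 10.1.0.0/24` would remove the ambiguity. The new `delete service dhcp-server` wipes every scope, including any static-mapping an operator added by hand on the router, so a comment above it stating that this template owns DHCP completely would prevent surprises. Dropping `set service ssh protocol-version v2` and the three `service gui` lines leaves SSH and the web UI at whatever the device currently has rather than pinned by the template; if the intent is to stop managing them, a comment saying so is enough, otherwise keep the SSH lines so the hardening stays declarative.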