Bugfixes and edge2

host_vars/edge1/vars.yml

@@ -3,7 +3,9 @@ ansible_connection: local
 ansible_python_interpreter: /usr/bin/python3
 
 ipv4_network: 10.1.0.0/16
-ipv4_address: 10.1.0.1/24
+ipv4_dhcp_start: 10.1.0.30
+ipv4_dhcp_stop: 10.1.0.250
+ipv4_address: 10.1.0.1
 ipv6_network: 2a03:2260:121:603::/64
 ipv6_address: 2a03:2260:121:603::1/64
 wireguard_address: 10.255.1.2/24

host_vars/edge2/vars.yml

@@ -0,0 +1,13 @@
+ansible_host: localhost
+ansible_connection: local
+ansible_python_interpreter: /usr/bin/python3
+
+ipv4_network: 10.7.0.0/16
+ipv4_dhcp_start: 10.7.0.30
+ipv4_dhcp_stop: 10.7.0.250
+ipv4_address: 10.7.0.1
+ipv6_network: 2a03:2260:121:607::/64
+ipv6_address: 2a03:2260:121:607::1/64
+wireguard_address: 10.255.1.7/24
+wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s=
+wiregurad_v4: 10.255.1.1

host_vars/edge2/vault.yml

@@ -0,0 +1,12 @@
+$ANSIBLE_VAULT;1.1;AES256
+63373161393033633933653763653661626365376332306438326363333263656366623837333061
+3665663736393837663634653439356465356234613933320a613530656335326538326262376163
+36336139633033326430663362633839653831326362326439303634376666623862663037636533
+3031306666356637370a396164386339653630343366393163623136333166643162393663323931
+65376261356666313034633237323531363733343061396166343333666538313232616265303933
+32303633343666346134666332626635396132313932623535383538326639316465633432343239
+32353563643565393034653933356235663434376131366565636634376332353738363730626162
+31353236303764663236346437613031623634663762653664383534613738353363346563313063
+66363430306533666263356365383365303564303565316462306664356236316430653065613036
+30386238616564326132303262623664313935376332373037343664666138303932316330336238
+363762633930393837363662343133666363

host_vars/vpn01/vars.yml

@@ -43,3 +43,7 @@ wireguard_unmanaged_peers:
     public_key: UHaYitx18sO71Ssk2SVUgdjLaAILbCthCmosU+Fs5Es=
     allowed_ips: 10.255.1.6/32, 10.5.0.0/16, 2a03:2260:121:601::/64
     persistent_keepalive: 25
+  vpn6-stefan:
+    public_key: KxjuZJs7aIPFAUm/J5iw/oWiv4O44hjpnnfN+VN0iQ0=
+    allowed_ips: 10.255.1.7/32, 10.7.0.0/16, fd80:3ea2:e399:203a::7/128, 2a03:2260:121:607::/64
+    persistent_keepalive: 25

hosts.yml

@@ -21,4 +21,5 @@ all:
     edge_router:
       hosts:
         edge1:
+        edge2:
             

roles/01-vpn-router-config/templates/edgerouter.conf.j2

@@ -1,3 +1,9 @@
+## Webinterface Wizard ausführen
+WAN auf eth0
+Ein LAN mit Adresse: {{ ipv4_address }}
+
+Dann auf der Konsole weiter
+
 ## Install Wireguard
 cd /tmp
 curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
@@ -12,7 +18,7 @@ cat wg.key
 
 set firewall all-ping enable
 set firewall broadcast-ping disable
-set firewall group network-group LAN-VPN-V6 description 'Networks on LAN destined to go out VPN by default'
+set firewall group ipv6-network-group LAN-VPN-V6 description 'Networks on LAN destined to go out VPN by default'
 set firewall group ipv6-network-group LAN-VPN-V6 ipv6-network '{{ ipv6_network }}'
 set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
 set firewall group network-group LAN-VPN network {{ ipv4_network }}
@@ -20,7 +26,7 @@ set firewall group network-group LAN-VPN network {{ ipv4_network }}
 set firewall ipv6-modify LAN_to_VPN_V6 rule 1 action modify
 set firewall ipv6-modify LAN_to_VPN_V6 rule 1 modify table 2
 set firewall ipv6-modify LAN_to_VPN_V6 rule 1 source group ipv6-network-group LAN-VPN-V6
-set firewall ipv6-modify LAN_to_VPN_V6 rule 100 description 'Route traffic from group LAN-VPN through LAN_to_VPN_V6 table'
+set firewall ipv6-modify LAN_to_VPN_V6 rule 1 description 'Route traffic from group LAN-VPN through LAN_to_VPN_V6 table'
 set firewall ipv6-receive-redirects disable
 set firewall ipv6-src-route disable
 set firewall ip-src-route disable
@@ -42,26 +48,8 @@ set firewall receive-redirects disable
 set firewall send-redirects enable
 set firewall source-validation disable
 set firewall syn-cookies enable
-set interfaces ethernet eth0 address dhcp
+set interfaces switch switch0 address {{ ipv4_address }}/24
-set interfaces ethernet eth0 description 'Internet via DHCP'
+set interfaces switch switch0 address '{{ ipv6_address }}/24'
-set interfaces ethernet eth0 duplex auto
-set interfaces ethernet eth0 speed auto
-set interfaces ethernet eth1 description Local
-set interfaces ethernet eth1 duplex auto
-set interfaces ethernet eth1 speed auto
-set interfaces ethernet eth2 description Local
-set interfaces ethernet eth2 duplex auto
-set interfaces ethernet eth2 speed auto
-set interfaces ethernet eth3 description Local
-set interfaces ethernet eth3 duplex auto
-set interfaces ethernet eth3 speed auto
-set interfaces ethernet eth4 description Local
-set interfaces ethernet eth4 duplex auto
-set interfaces ethernet eth4 poe output off
-set interfaces ethernet eth4 speed auto
-set interfaces loopback lo
-set interfaces switch switch0 address {{ ipv4_address }}
-set interfaces switch switch0 address '{{ ipv6_address }}'
 set interfaces switch switch0 description Local
 set interfaces switch switch0 firewall in ipv6-modify LAN_to_VPN_V6
 set interfaces switch switch0 firewall in modify LAN_to_VPN
@@ -93,30 +81,24 @@ set interfaces wireguard wg0 peer {{ wireguard_public }} allowed-ips '::0/0'
 set interfaces wireguard wg0 peer {{ wireguard_public }} endpoint 'vpn01.fftdf.de:42001'
 set interfaces wireguard wg0 private-key /config/auth/wg.key
 set interfaces wireguard wg0 route-allowed-ips false
-set protocols static interface-route6 '::/0' next-hop-interface wg0
+set protocols static table 2 interface-route 0.0.0.0/0 next-hop-interface wg0
-set protocols static table 2 route 0.0.0.0/0 next-hop {{ wiregurad_v4 }}
 set protocols static table 2 interface-route6 '::/0' next-hop-interface wg0
-set protocols static interface-route6 '::/0' next-hop-interface wg0
+delete service dhcp-server
 set service dhcp-server disabled false
 set service dhcp-server hostfile-update disable
 set service dhcp-server shared-network-name LAN authoritative enable
-set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }} default-router {{ ipv4_address }}
+set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }}/24 default-router {{ ipv4_address }}
-set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }} dns-server {{ ipv4_address }}
+set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }}/24 dns-server {{ ipv4_address }}
-set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }} lease 86400
+set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }}/24 lease 86400
-set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }} start 10.1.0.38 stop 10.1.0.243
+set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }}/24 start {{ ipv4_dhcp_start }} stop {{ ipv4_dhcp_stop }}
 set service dhcp-server static-arp disable
 set service dhcp-server use-dnsmasq disable
 set service dns forwarding cache-size 150
 set service dns forwarding listen-on switch0
-set service gui http-port 80
-set service gui https-port 443
-set service gui older-ciphers enable
 set service nat rule 5010 description 'masquerade for VPN'
 set service nat rule 5010 outbound-interface wg0
 set service nat rule 5010 protocol all
 set service nat rule 5010 type masquerade
-set service ssh port 22
-set service ssh protocol-version v2
 set service unms
 set service unms connection '{{ unms_vault_URL }}'
 set system host-name {{ inventory_hostname }}