Compare commits
3 Commits
aa3bf94140
...
150be2ac7c
| Author | SHA1 | Date | |
|---|---|---|---|
| 150be2ac7c | |||
| f7674cd5bb | |||
| 9a8ee7942c |
@ -1,29 +0,0 @@
|
||||
---
|
||||
- name: restart wireguard
|
||||
ansible.builtin.service:
|
||||
name: "wg-quick@{{ wireguard_interface }}"
|
||||
state: "{{ item }}"
|
||||
loop:
|
||||
- stopped
|
||||
- started
|
||||
when:
|
||||
- wireguard__restart_interface
|
||||
- not ansible_os_family == 'Darwin'
|
||||
- wireguard_service_enabled == "yes"
|
||||
listen: "reconfigure wireguard"
|
||||
|
||||
- name: syncconf wireguard
|
||||
ansible.builtin.shell: |
|
||||
set -o errexit
|
||||
set -o pipefail
|
||||
set -o nounset
|
||||
systemctl is-active wg-quick@{{ wireguard_interface|quote }} || systemctl start wg-quick@{{ wireguard_interface|quote }}
|
||||
wg syncconf {{ wireguard_interface|quote }} <(wg-quick strip /etc/wireguard/{{ wireguard_interface|quote }}.conf)
|
||||
exit 0
|
||||
args:
|
||||
executable: "/bin/bash"
|
||||
when:
|
||||
- not wireguard__restart_interface
|
||||
- not ansible_os_family == 'Darwin'
|
||||
- wireguard_service_enabled == "yes"
|
||||
listen: "reconfigure wireguard"
|
||||
@ -1,5 +1,21 @@
|
||||
wireguard_unmanaged_peers:
|
||||
vpn1-stefan:
|
||||
public_key: Tkp/f1BlLSfl87+waTuZDRdrEgalBgy2oVg6fOluAx4=
|
||||
vpn1-testing:
|
||||
public_key: 8BoLoKRwSNRdUe0uygneYFdTIx5iHwoMENbnzpomYCI=
|
||||
allowed_ips: 10.255.1.2/32, 10.1.0.0/16
|
||||
persistent_keepalive: 25
|
||||
persistent_keepalive: 25
|
||||
# vpn2-stefan:
|
||||
# public_key: NvJKN6xorzvwL7NhMoY2bEwpDVTl9Ob/1gx9g8tHfic=
|
||||
# allowed_ips: 10.255.1.3/32, 10.2.0.0/16
|
||||
# persistent_keepalive: 25
|
||||
# vpn3-empty:
|
||||
# public_key: pwD87EgTk8fGctR1Cz6/DfwGuzTg8VO2YC2CM58Sdlw=
|
||||
# allowed_ips: 10.255.1.2/32, 10.1.0.0/16
|
||||
# persistent_keepalive: 25
|
||||
# vpn4-empty:
|
||||
# public_key: N54OfQCIQGbPltC4sq/1gvV/2UXFKcQAti9ORNvlFxA=
|
||||
# allowed_ips: 10.255.1.2/32, 10.1.0.0/16
|
||||
# persistent_keepalive: 25
|
||||
# vpn5-empty:
|
||||
# public_key: sKi7h1W89XEe9tzxbXbev3oHBoS0VOLXFFLvwQZ+wAM=
|
||||
# allowed_ips: 10.255.1.2/32, 10.1.0.0/16
|
||||
# persistent_keepalive: 25
|
||||
70
readme.md
Normal file
70
readme.md
Normal file
@ -0,0 +1,70 @@
|
||||
# Supernode mit direkter VPN Ausleitung
|
||||
|
||||
|
||||
## ER-X Stock Firmware Config:
|
||||
cd /tmp
|
||||
curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
|
||||
sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
|
||||
|
||||
cd /config/auth
|
||||
wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public
|
||||
cat wg.public
|
||||
cat wg.key
|
||||
######
|
||||
configure
|
||||
######
|
||||
# Wireguard
|
||||
set interfaces wireguard wg0 address 10.255.1.2/30
|
||||
set interfaces wireguard wg0 listen-port 51821
|
||||
set interfaces wireguard wg0 route-allowed-ips false
|
||||
set interfaces wireguard wg0 persistent-keepalive 25
|
||||
set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 7.fftdf.de:42001
|
||||
set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0
|
||||
set interfaces wireguard wg0 private-key /config/auth/wg.key
|
||||
# Firewall for Wireguard
|
||||
set firewall name WAN_LOCAL rule 20 action accept
|
||||
set firewall name WAN_LOCAL rule 20 protocol udp
|
||||
set firewall name WAN_LOCAL rule 20 description 'WireGuard'
|
||||
set firewall name WAN_LOCAL rule 20 destination port 51821
|
||||
|
||||
# Config WAN Interface
|
||||
# delete interfaces ethernet eth0
|
||||
# set interfaces ethernet eth0 address dhcp
|
||||
|
||||
# Config Client Interface
|
||||
# set interfaces ethernet eth2 address 10.1.0.1/16
|
||||
###### NAT Rules & DHCP
|
||||
# configure
|
||||
# set service dhcp-server disabled false
|
||||
# set service dhcp-server shared-network-name Client authoritative enable
|
||||
# set service dhcp-server shared-network-name Client subnet 10.1.0.0/16 default-router 10.1.0.1
|
||||
# set service dhcp-server shared-network-name Client subnet 10.1.0.0/16 dns-server 1.1.1.1
|
||||
# set service dhcp-server shared-network-name Client subnet 10.1.0.0/16 lease 86400
|
||||
# set service dhcp-server shared-network-name Client subnet 10.1.0.0/16 start 10.1.1.1 stop 10.1.255.254
|
||||
|
||||
|
||||
set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
|
||||
set firewall group network-group LAN-VPN network 10.1.0.0/16
|
||||
|
||||
set firewall group network-group RFC1918 network 10.0.0.0/8
|
||||
set firewall group network-group RFC1918 network 172.16.0.0/12
|
||||
set firewall group network-group RFC1918 network 192.168.0.0/16
|
||||
set firewall group network-group RFC1918 network 169.254.0.0/16
|
||||
|
||||
set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
|
||||
|
||||
set firewall modify VPN_TDF7 rule 100 action modify
|
||||
set firewall modify VPN_TDF7 rule 100 description 'Route traffic from group LAN-VPN through VPN-TDF7 table'
|
||||
set firewall modify VPN_TDF7 rule 100 modify table 2
|
||||
set firewall modify VPN_TDF7 rule 100 source group network-group LAN-VPN
|
||||
|
||||
set interfaces ethernet eth2 firewall in modify VPN_TDF7
|
||||
set interfaces ethernet switch0 firewall in modify VPN_TDF7
|
||||
### nat
|
||||
set service nat rule 5010 description 'masquerade for VPN'
|
||||
set service nat rule 5010 outbound-interface wg0
|
||||
set service nat rule 5010 type masquerade
|
||||
set service nat rule 5010 protocol all
|
||||
|
||||
|
||||
commit ; save
|
||||
@ -5,22 +5,16 @@
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
register: networkconfig
|
||||
|
||||
- name: Netplan Apply
|
||||
ansible.builtin.shell: netplan apply
|
||||
when: networkconfig.changed
|
||||
|
||||
- name: Add ifDown Scripts via networkd-dispatcher
|
||||
ansible.builtin.template:
|
||||
src: 50-ifdown-hooks.sh.j2
|
||||
dest: /etc/networkd-dispatcher/off.d/50-ifdown-hooks.sh
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0755'
|
||||
- name: Add Table 42 after netplan Apply
|
||||
ansible.builtin.shell: /bin/ip rule add fwmark 0x4 table 42
|
||||
when: networkconfig.changed
|
||||
|
||||
- name: Add ifUP Scripts via networkd-dispatcher
|
||||
ansible.builtin.template:
|
||||
src: 50-ifup-hooks.sh.j2
|
||||
dest: /etc/networkd-dispatcher/routable.d/50-ifup-hooks.sh
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0755'
|
||||
- name: Add Table 42v6 after netplan Apply
|
||||
ansible.builtin.shell: /bin/ip -6 rule add fwmark 0x4 table 42
|
||||
when: networkconfig.changed
|
||||
@ -1,6 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
if [ "$IFACE" == "gre*" ];
|
||||
then
|
||||
iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source {{ ffrl_ipv4 }}
|
||||
fi
|
||||
@ -1,8 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
if [ "$IFACE" == "gre*" ];
|
||||
then
|
||||
iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source {{ ffrl_ipv4 }}
|
||||
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
|
||||
ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
|
||||
fi
|
||||
@ -26,7 +26,13 @@ sleep 5
|
||||
/bin/ip -6 rule add from {{ ffrl_ipv6_net }}/52 lookup 42
|
||||
|
||||
# Add NAT Rules manualy
|
||||
sleep 60
|
||||
iptables -t nat -D POSTROUTING -o gre-bb-a.ak.ber -j SNAT --to-source {{ ffrl_ipv4 }}
|
||||
iptables -t nat -D POSTROUTING -o gre-bb-b.ak.ber -j SNAT --to-source {{ ffrl_ipv4 }}
|
||||
iptables -t nat -D POSTROUTING -o gre-bb-a.fra3.f -j SNAT --to-source {{ ffrl_ipv4 }}
|
||||
iptables -t nat -D POSTROUTING -o gre-bb-b.fra3.f -j SNAT --to-source {{ ffrl_ipv4 }}
|
||||
iptables -t nat -D POSTROUTING -o gre-bb-a.ix.dus -j SNAT --to-source {{ ffrl_ipv4 }}
|
||||
iptables -t nat -D POSTROUTING -o gre-bb-b.ix.dus -j SNAT --to-source {{ ffrl_ipv4 }}
|
||||
sleep 30
|
||||
iptables -t nat -A POSTROUTING -o gre-bb-a.ak.ber -j SNAT --to-source {{ ffrl_ipv4 }}
|
||||
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ak.ber -j TCPMSS --set-mss 1312
|
||||
ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ak.ber -j TCPMSS --set-mss 1312
|
||||
|
||||
20
roles/21-install-wireguard/handlers/main.yml
Normal file
20
roles/21-install-wireguard/handlers/main.yml
Normal file
@ -0,0 +1,20 @@
|
||||
---
|
||||
- name: restart wireguard
|
||||
ansible.builtin.service:
|
||||
name: "wg-quick@vpn01"
|
||||
state: "{{ item }}"
|
||||
loop:
|
||||
- stopped
|
||||
- started
|
||||
listen: "reconfigure wireguard"
|
||||
- name: syncconf wireguard
|
||||
ansible.builtin.shell: |
|
||||
set -o errexit
|
||||
set -o pipefail
|
||||
set -o nounset
|
||||
systemctl is-active wg-quick@vpn01 || systemctl start wg-quick@vpn01
|
||||
wg syncconf vpn01 <(wg-quick strip /etc/wireguard/vpn01.conf)
|
||||
exit 0
|
||||
args:
|
||||
executable: "/bin/bash"
|
||||
listen: "reconfigure wireguard"
|
||||
Loading…
Reference in New Issue
Block a user