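## Install Wireguard
#
# EdgeRouter (EdgeOS) WireGuard client bring-up, rendered as a Jinja2 template
# ({{ ... }} placeholders are filled from the inventory).
#
# Part 1 (install + key generation) runs in the EdgeOS operational shell.
# Part 2 (`set ...` lines) is EdgeOS configuration: enter `configure`, paste the
# lines, then `commit` and `save`; they are not bash commands.

# -- Part 1: package install -------------------------------------------------
cd /tmp || exit 1
# Release asset for the e50 (ER-X family) image, pinned to a fixed version so a
# rerun installs the same build. TODO(review): compare the download against the
# checksum published with that release (<RELEASE_SHA256 placeholder>) before
# handing it to dpkg.
curl -OL 'https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb'
sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb

#### Key generation
cd /config/auth || exit 1
# Generate the private key under umask 077 (scoped to the subshell) so wg.key is
# created owner-readable only; with the default umask it was world-readable.
( umask 077; wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public )
# Only the public key is printed: it is what the peer needs. The private key is
# deliberately not echoed to the terminal (it would end up in scrollback/logs).
cat wg.public

#### -- Part 2: EdgeOS configuration (inside `configure`; then `commit`, `save`) --
set firewall all-ping enable
set firewall broadcast-ping disable
# LAN-VPN-V6 is an ipv6-network-group; its description must be set on that
# group type. (Setting it on a network-group of the same name would create an
# empty, unused IPv4 group instead.)
set firewall group ipv6-network-group LAN-VPN-V6 description 'Networks on LAN destined to go out VPN by default'
set firewall group ipv6-network-group LAN-VPN-V6 ipv6-network '{{ ipv6_network }}'
set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
set firewall group network-group LAN-VPN network {{ ipv4_network }}
# Policy routing: traffic from the LAN groups is marked into routing table 2,
# whose default routes point at wg0 (see `protocols static table 2` below).
# The IPv6 rule is numbered 100 to mirror the IPv4 rule and carries all of its
# settings on that one rule (action, table, source, description).
set firewall ipv6-modify LAN_to_VPN_V6 rule 100 action modify
set firewall ipv6-modify LAN_to_VPN_V6 rule 100 description 'Route traffic from group LAN-VPN through LAN_to_VPN_V6 table'
set firewall ipv6-modify LAN_to_VPN_V6 rule 100 modify table 2
set firewall ipv6-modify LAN_to_VPN_V6 rule 100 source group ipv6-network-group LAN-VPN-V6
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall modify LAN_to_VPN rule 100 action modify
set firewall modify LAN_to_VPN rule 100 description 'Route traffic from group LAN-VPN through LAN_to_VPN table'
set firewall modify LAN_to_VPN rule 100 modify table 2
set firewall modify LAN_to_VPN rule 100 source group network-group LAN-VPN
# Traffic addressed to the router itself arriving on the WAN. Default drop;
# rule 10 lets replies to router-originated flows (DHCP lease, upstream DNS,
# the WireGuard handshake) back in, rule 20 admits inbound WireGuard on the
# port wg0 actually listens on (51822, matching `wg0 listen-port` below).
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 description WireGuard
set firewall name WAN_LOCAL rule 20 destination port 51822
set firewall name WAN_LOCAL rule 20 protocol udp
# NOTE(review): there is no WAN_IN ruleset for traffic forwarded from eth0 to
# the LAN in this configuration; confirm that is intended.
set firewall options mss-clamp interface-type all
set firewall options mss-clamp mss 1340
set firewall options mss-clamp6 interface-type all
set firewall options mss-clamp6 mss 1340
set firewall receive-redirects disable
# NOTE(review): send-redirects enable and source-validation disable (no
# reverse-path filtering) are the permissive choices. Disabling source
# validation is often needed with table-based policy routing, but confirm that
# is the reason here.
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description 'Internet via DHCP'
set interfaces ethernet eth0 duplex auto
# Attach WAN_LOCAL to the WAN interface; a ruleset that is defined but not
# bound to an interface filters nothing, so its default-action drop was inert.
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set interfaces ethernet eth0 speed auto
set interfaces ethernet eth1 description Local
set interfaces ethernet eth1 duplex auto
set interfaces ethernet eth1 speed auto
set interfaces ethernet eth2 description Local
set interfaces ethernet eth2 duplex auto
set interfaces ethernet eth2 speed auto
set interfaces ethernet eth3 description Local
set interfaces ethernet eth3 duplex auto
set interfaces ethernet eth3 speed auto
set interfaces ethernet eth4 description Local
set interfaces ethernet eth4 duplex auto
set interfaces ethernet eth4 poe output off
set interfaces ethernet eth4 speed auto
set interfaces loopback lo
# LAN side: eth1-eth4 are switched together as switch0, which carries the
# router's LAN addresses and the policy-routing rulesets above.
set interfaces switch switch0 address {{ ipv4_address }}
set interfaces switch switch0 address '{{ ipv6_address }}'
set interfaces switch switch0 description Local
set interfaces switch switch0 firewall in ipv6-modify LAN_to_VPN_V6
set interfaces switch switch0 firewall in modify LAN_to_VPN
set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1
# Router advertisements for the LAN prefix. link-mtu 1328 keeps LAN hosts
# below the wg0 MTU (1380) so tunnelled IPv6 is not fragmented.
set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64
set interfaces switch switch0 ipv6 router-advert link-mtu 1328
set interfaces switch switch0 ipv6 router-advert managed-flag true
set interfaces switch switch0 ipv6 router-advert max-interval 600
set interfaces switch switch0 ipv6 router-advert name-server '2606:4700:4700::1111'
set interfaces switch switch0 ipv6 router-advert other-config-flag false
set interfaces switch switch0 ipv6 router-advert prefix '{{ ipv6_network }}' autonomous-flag true
set interfaces switch switch0 ipv6 router-advert prefix '{{ ipv6_network }}' on-link-flag true
set interfaces switch switch0 ipv6 router-advert prefix '{{ ipv6_network }}' valid-lifetime 2592000
set interfaces switch switch0 ipv6 router-advert reachable-time 0
set interfaces switch switch0 ipv6 router-advert retrans-timer 0
set interfaces switch switch0 ipv6 router-advert send-advert true
set interfaces switch switch0 mtu 1500
set interfaces switch switch0 switch-port interface eth1
set interfaces switch switch0 switch-port interface eth2
set interfaces switch switch0 switch-port interface eth3
set interfaces switch switch0 switch-port interface eth4
set interfaces switch switch0 switch-port vlan-aware disable
# WireGuard tunnel. The IPv4 tunnel address is templated; the IPv6 one is a
# literal in this template — TODO(review): consider templating it alongside
# {{ wireguard_address }} so per-host renders do not collide.
set interfaces wireguard wg0 address {{ wireguard_address }}
set interfaces wireguard wg0 address 2a03:2260:121:600::1/64
set interfaces wireguard wg0 listen-port 51822
set interfaces wireguard wg0 mtu 1380
# Single peer accepting all traffic; routes are installed explicitly below
# (route-allowed-ips false) so only policy-routed/v6 traffic uses the tunnel.
set interfaces wireguard wg0 peer {{ wireguard_public }} allowed-ips 0.0.0.0/0
set interfaces wireguard wg0 peer {{ wireguard_public }} allowed-ips '::0/0'
set interfaces wireguard wg0 peer {{ wireguard_public }} endpoint 'vpn01.fftdf.de:42001'
set interfaces wireguard wg0 private-key /config/auth/wg.key
set interfaces wireguard wg0 route-allowed-ips false
# Main table: the router's own IPv6 default goes via wg0; IPv4 stays on eth0.
# Table 2: both families default via the tunnel for policy-routed LAN traffic.
set protocols static interface-route6 '::/0' next-hop-interface wg0
# TODO(review): `wiregurad_v4` looks like a misspelling of the intended
# variable name — confirm it matches what the inventory defines.
set protocols static table 2 route 0.0.0.0/0 next-hop {{ wiregurad_v4 }}
set protocols static table 2 interface-route6 '::/0' next-hop-interface wg0
# DHCP for the LAN. The subnet is the LAN network ({{ ipv4_network }}, the same
# value used for the LAN-VPN group); the previous template used the router's
# own address here.
# NOTE(review): default-router and dns-server take a bare IPv4 address, while
# {{ ipv4_address }} is also used as the switch0 address above — confirm the
# inventory value is in the form each of these accepts.
set service dhcp-server disabled false
set service dhcp-server hostfile-update disable
set service dhcp-server shared-network-name LAN authoritative enable
set service dhcp-server shared-network-name LAN subnet {{ ipv4_network }} default-router {{ ipv4_address }}
set service dhcp-server shared-network-name LAN subnet {{ ipv4_network }} dns-server {{ ipv4_address }}
set service dhcp-server shared-network-name LAN subnet {{ ipv4_network }} lease 86400
set service dhcp-server shared-network-name LAN subnet {{ ipv4_network }} start 10.1.0.38 stop 10.1.0.243
set service dhcp-server static-arp disable
set service dhcp-server use-dnsmasq disable
set service dns forwarding cache-size 150
set service dns forwarding listen-on switch0
# NOTE(review): older-ciphers enable re-enables legacy TLS cipher suites on the
# web UI; keep it only if a legacy client actually needs it.
set service gui http-port 80
set service gui https-port 443
set service gui older-ciphers enable
# Source NAT for everything leaving through the tunnel.
set service nat rule 5010 description 'masquerade for VPN'
set service nat rule 5010 outbound-interface wg0
set service nat rule 5010 protocol all
set service nat rule 5010 type masquerade
set service ssh port 22
set service ssh protocol-version v2
# The UNMS connection string comes from a vaulted variable; it is stored in
# clear text in the rendered device config, so keep /config access restricted.
set service unms
set service unms connection '{{ unms_vault_URL }}'
set system host-name {{ inventory_hostname }}
set system time-zone UTC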