ansible.fftdf.supernode/roles/01-vpn-router-config/templates/edgerouter.conf.j2

121 lines
6.3 KiB
Django/Jinja

## Install Wireguard
cd /tmp
curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
####
cd /config/auth
wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public
cat wg.public
cat wg.key
####
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall group network-group LAN-VPN-V6 description 'Networks on LAN destined to go out VPN by default'
set firewall group ipv6-network-group LAN-VPN-V6 ipv6-network '{{ ipv6_network }}'
set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
set firewall group network-group LAN-VPN network {{ ipv4_network }}
set firewall ipv6-modify LAN_to_VPN_V6 rule 1 action modify
set firewall ipv6-modify LAN_to_VPN_V6 rule 1 modify table 2
set firewall ipv6-modify LAN_to_VPN_V6 rule 1 source group ipv6-network-group LAN-VPN-V6
set firewall ipv6-modify LAN_to_VPN_V6 rule 100 description 'Route traffic from group LAN-VPN through LAN_to_VPN_V6 table'
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall modify LAN_to_VPN rule 100 action modify
set firewall modify LAN_to_VPN rule 100 description 'Route traffic from group LAN-VPN through LAN_to_VPN table'
set firewall modify LAN_to_VPN rule 100 modify table 2
set firewall modify LAN_to_VPN rule 100 source group network-group LAN-VPN
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 description WireGuard
set firewall name WAN_LOCAL rule 20 destination port 51821
set firewall name WAN_LOCAL rule 20 protocol udp
set firewall options mss-clamp interface-type all
set firewall options mss-clamp mss 1350
set firewall options mss-clamp6 interface-type all
set firewall options mss-clamp6 mss 1350
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description 'Internet via DHCP'
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 speed auto
set interfaces ethernet eth1 description Local
set interfaces ethernet eth1 duplex auto
set interfaces ethernet eth1 speed auto
set interfaces ethernet eth2 description Local
set interfaces ethernet eth2 duplex auto
set interfaces ethernet eth2 speed auto
set interfaces ethernet eth3 description Local
set interfaces ethernet eth3 duplex auto
set interfaces ethernet eth3 speed auto
set interfaces ethernet eth4 description Local
set interfaces ethernet eth4 duplex auto
set interfaces ethernet eth4 poe output off
set interfaces ethernet eth4 speed auto
set interfaces loopback lo
set interfaces switch switch0 address {{ ipv4_address }}
set interfaces switch switch0 address '{{ ipv6_address }}'
set interfaces switch switch0 description Local
set interfaces switch switch0 firewall in ipv6-modify LAN_to_VPN_V6
set interfaces switch switch0 firewall in modify LAN_to_VPN
set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1
set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64
set interfaces switch switch0 ipv6 router-advert link-mtu 0
set interfaces switch switch0 ipv6 router-advert managed-flag true
set interfaces switch switch0 ipv6 router-advert max-interval 600
set interfaces switch switch0 ipv6 router-advert name-server '2606:4700:4700::1111'
set interfaces switch switch0 ipv6 router-advert other-config-flag false
set interfaces switch switch0 ipv6 router-advert prefix '{{ ipv6_network }}' autonomous-flag true
set interfaces switch switch0 ipv6 router-advert prefix '{{ ipv6_network }}' on-link-flag true
set interfaces switch switch0 ipv6 router-advert prefix '{{ ipv6_network }}' valid-lifetime 2592000
set interfaces switch switch0 ipv6 router-advert reachable-time 0
set interfaces switch switch0 ipv6 router-advert retrans-timer 0
set interfaces switch switch0 ipv6 router-advert send-advert true
set interfaces switch switch0 mtu 1500
set interfaces switch switch0 switch-port interface eth1
set interfaces switch switch0 switch-port interface eth2
set interfaces switch switch0 switch-port interface eth3
set interfaces switch switch0 switch-port interface eth4
set interfaces switch switch0 switch-port vlan-aware disable
set interfaces wireguard wg0 address {{ wireguard_address }}
set interfaces wireguard wg0 listen-port 51822
set interfaces wireguard wg0 mtu 1355
set interfaces wireguard wg0 peer {{ wireguard_public }} allowed-ips 0.0.0.0/0
set interfaces wireguard wg0 peer {{ wireguard_public }} allowed-ips '::0/0'
set interfaces wireguard wg0 peer {{ wireguard_public }} endpoint 'vpn01.fftdf.de:42001'
set interfaces wireguard wg0 private-key /config/auth/wg.key
set interfaces wireguard wg0 route-allowed-ips false
set protocols static interface-route6 '::/0' next-hop-interface wg0
set protocols static table 2 route 0.0.0.0/0 next-hop {{ wiregurad_v4 }}
set protocols static table 2 route6 '::0/0' next-hop '{{ wireguard_v6 }}'
set protocols static table 2 route6 '::/0' next-hop '{{ wireguard_v6 }}'
set service dhcp-server disabled false
set service dhcp-server hostfile-update disable
set service dhcp-server shared-network-name LAN authoritative enable
set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }} default-router {{ ipv4_address }}
set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }} dns-server {{ ipv4_address }}
set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }} lease 86400
set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }} start 10.1.0.38 stop 10.1.0.243
set service dhcp-server static-arp disable
set service dhcp-server use-dnsmasq disable
set service dns forwarding cache-size 150
set service dns forwarding listen-on switch0
set service gui http-port 80
set service gui https-port 443
set service gui older-ciphers enable
set service nat rule 5010 description 'masquerade for VPN'
set service nat rule 5010 outbound-interface wg0
set service nat rule 5010 protocol all
set service nat rule 5010 type masquerade
set service ssh port 22
set service ssh protocol-version v2
set service unms
set system host-name {{ inventory_hostname }}
set system time-zone UTC