From 126c1fd438fe58877a710a75ab9b5d48ff39f6f8 Mon Sep 17 00:00:00 2001 From: Jean-Marie Mineau Date: Mon, 12 Jul 2021 02:09:39 +0200 Subject: [PATCH] tweak the vpn template to route multiples subnets --- group_vars/all/networking.yml | 92 ++++++++++++++++------------ host_vars/azerty/vpn.yml | 4 +- host_vars/hellman/networking.yml | 5 ++ host_vars/hellman/vpn.yml | 4 +- host_vars/hindley/vpn.yml | 33 +++++----- host_vars/rossum/vpn.yml | 4 +- host_vars/vm1/vpn.yml | 4 +- host_vars/vm2/vpn.yml | 4 +- host_vars/vm3/vpn.yml | 4 +- host_vars/vm4/vpn.yml | 4 +- roles/vpn/templates/wiregard.conf.j2 | 4 +- 11 files changed, 91 insertions(+), 71 deletions(-) diff --git a/group_vars/all/networking.yml b/group_vars/all/networking.yml index 06739e8..3cd5f49 100644 --- a/group_vars/all/networking.yml +++ b/group_vars/all/networking.yml 
@@ -1,71 +1,85 @@ --- intranet: - domaine: "intra" - ipv4: "172.20.0.0" + domaine: intra + ipv4: 172.20.0.0 netmaskv4: 16 - comment: "The intranet" + gateway: 172.20.1.1 + comment: The intranet subnets: physical: - domaine: "phy" - ipv4: "172.20.1.0" + domaine: phy + ipv4: 172.20.1.0 netmaskv4: 24 - comment: "Physical machines" + gateway: 172.20.1.1 + comment: Physical machines subnets: hindley: - domaine: "hindley" - ipv4: "172.20.1.1" + domaine: hindley + ipv4: 172.20.1.1 netmaskv4: 32 - comment: "Hindley" + comment: Hindley azerty: - domaine: "azerty" - ipv4: "172.20.1.2" + domaine: azerty + ipv4: 172.20.1.2 netmaskv4: 32 - comment: "Azerty" + comment: Azerty hellman: - domaine: "hellman" - ipv4: "172.20.1.3" + domaine: hellman + ipv4: 172.20.1.3 netmaskv4: 32 - comment: "Hellman" + comment: Hellman rossum: - domaine: "rossum" - ipv4: "172.20.1.4" + domaine: rossum + ipv4: 172.20.1.4 netmaskv4: 32 - comment: "Rossum" + comment: Rossum + guest_hellman: + domaine: hllm + ipv4: 172.20.103.0 + netmaskv4: 24 + gateway: 172.20.103.1 + comment: Lan for the vm hosted on hellman + subnets: + hellman: + domaine: hellman + ipv4: 172.20.103.1 + netmaskv4: 32 + comment: Hellman test: - domaine: "test" - ipv4: "172.20.199.0" + domaine: test + ipv4: 172.20.199.0 netmaskv4: 24 - comment: "Test VM" + comment: Test VM subnets: vm1: - domaine: "vm1" - ipv4: "172.20.199.1" + domaine: vm1 + ipv4: 172.20.199.1 netmaskv4: 32 - comment: "Test vm 1, on knuth" + comment: Test vm 1, on knuth vm2: - domaine: "vm2" - ipv4: "172.20.199.2" + domaine: vm2 + ipv4: 172.20.199.2 netmaskv4: 32 - comment: "Test vm 2, on knuth" + comment: Test vm 2, on knuth vm3: - domaine: "vm3" - ipv4: "172.20.199.3" + domaine: vm3 + ipv4: 172.20.199.3 netmaskv4: 32 - comment: "Test vm 3, on knuth" + comment: Test vm 3, on knuth vm4: - domaine: "knuth" - ipv4: "172.20.199.4" + domaine: vm4 + ipv4: 172.20.199.4 netmaskv4: 32 - comment: "Test vm 4, on knuth" + comment: Test vm 4, on knuth guest: - domaine: "guest" - 
ipv4: "172.20.200.0" + domaine: guest + ipv4: 172.20.200.0 netmaskv4: 24 - comment: "Guest machines" + comment: Guest machines subnets: knuth: - domaine: "knuth" - ipv4: "172.20.200.1" + domaine: knuth + ipv4: 172.20.200.1 netmaskv4: 32 - comment: "Knuth" + comment: Knuth diff --git a/host_vars/azerty/vpn.yml b/host_vars/azerty/vpn.yml index 4ddc172..4eebdc5 100644 --- a/host_vars/azerty/vpn.yml +++ b/host_vars/azerty/vpn.yml @@ -8,6 +8,6 @@ vpn_interfaces: peers: - endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}" public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}" - allowed_ip: "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}" - allowed_mask: "{{ interfaces.wg0.netmaskv4 }}" + allowed_ips: + - "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}" comment: "hindley" diff --git a/host_vars/hellman/networking.yml b/host_vars/hellman/networking.yml index f22213e..7b24268 100644 --- a/host_vars/hellman/networking.yml +++ b/host_vars/hellman/networking.yml @@ -10,6 +10,11 @@ interfaces: gateway: 10.50.0.254 interfaces: - enp7s0 + br1: + ipv4: "{{ intranet.subnets.guest_hellman.subnets.hellman.ipv4 }}" + netmaskv4: "{{ intranet.subnets.guest_hellman.netmaskv4 }}" + type: static + bridge: true wg0: ipv4: "{{ intranet.subnets.physical.subnets.hellman.ipv4 }}" netmaskv4: "{{ intranet.netmaskv4 }}" diff --git a/host_vars/hellman/vpn.yml b/host_vars/hellman/vpn.yml index 309a087..fb40805 100644 --- a/host_vars/hellman/vpn.yml +++ b/host_vars/hellman/vpn.yml @@ -8,6 +8,6 @@ vpn_interfaces: peers: - endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}" public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}" - allowed_ip: "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}" - allowed_mask: "{{ interfaces.wg0.netmaskv4 }}" + allowed_ips: + - "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}" comment: "hindley" 
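Review bot: `domaine: hllm` under the new `guest_hellman` subnet is the only `domaine` in the file that does not match its key, and the new `gateway` key is set on `intranet`, `physical` and `guest_hellman` but not on `test` or `guest`, with nothing in the hunk saying which consumer reads it or whether it is optional. If the short label is deliberate, a comment on that line, `# hllm: short DNS label; the subnet key stays guest_hellman`, would stop the next edit from "fixing" it. A one-line comment above the first `gateway:` naming where the key is consumed and whether a missing value is tolerated would also help, since from this file alone I cannot tell. The second `hellman:` entry (172.20.103.1) sits under a different parent than the physical one, so it is not a duplicate key, but a comment saying it is hellman's own address on the guest bridge (the `br1` address in the hellman networking hunk) would make that explicit.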
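Review bot: The single `allowed_ips` entry joins hindley's tunnel address with this host's own `interfaces.wg0.netmaskv4`, so the CIDR handed to WireGuard is a host address with a wide mask rather than the network it stands for; the same construction appears in the hellman, rossum, vm1, vm2, vm3 and vm4 hunks. If `interfaces.wg0.netmaskv4` is `intranet.netmaskv4` (as it is for hellman in this patch), the value is 172.20.1.1/16, which as far as I can tell WireGuard matches as the 172.20.0.0/16 prefix, but the intent — send every intranet prefix, including the new guest_hellman /24, through hindley — is only implied. Writing it as `- "{{ intranet.ipv4 }}/{{ intranet.netmaskv4 }}"` states that intent directly and decouples the route from the local interface mask. A comment such as `# hindley is the hub: all intranet traffic, including routed guest subnets, goes through it` would also help.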
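Review bot: The new `br1` stanza carries no `interfaces:` member list and no comment, unlike the stanza above it that lists `enp7s0` under `interfaces:`, so a reader cannot tell whether a missing member is deliberate (guest taps attach at VM start) or an omission. Taken together with the hindley hunk, which routes the whole guest_hellman /24 to hellman's tunnel, this bridge becomes the path from the VMs into the intranet, and nothing in the patch shows forwarding or filtering on hellman between br1 and wg0; if that lives elsewhere in the role, a comment pointing at it would help. Suggested comment above `br1:`: `# br1: guest VM bridge with no physical member; taps attach at VM start`, followed by a pointer to the task that enables forwarding between br1 and wg0 if one exists. The `interfaces` mapping continues outside the hunk.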
diff --git a/host_vars/hindley/vpn.yml b/host_vars/hindley/vpn.yml index e4472e7..1fb871c 100644 --- a/host_vars/hindley/vpn.yml +++ b/host_vars/hindley/vpn.yml 
@@ -8,43 +8,44 @@ vpn_interfaces: peers: - endpoint: "" public_key: "{{ hostvars['azerty'].vpn_interfaces.wg0.public_key }}" - allowed_ip: "{{ hostvars['azerty'].vpn_interfaces.wg0.ip }}" - allowed_mask: 32 + allowed_ips: + - "{{ hostvars['azerty'].vpn_interfaces.wg0.ip }}/32" comment: "azerty" - endpoint: "" public_key: "{{ hostvars['hellman'].vpn_interfaces.wg0.public_key }}" - allowed_ip: "{{ hostvars['hellman'].vpn_interfaces.wg0.ip }}" - allowed_mask: 32 + allowed_ips: + - "{{ hostvars['hellman'].vpn_interfaces.wg0.ip }}/32" + - "{{ intranet.subnets.guest_hellman.ipv4 }}/{{ intranet.subnets.guest_hellman.netmaskv4 }}" comment: "hellman" - endpoint: "" public_key: "{{ vpn_guest_keys.knuth }}" - allowed_ip: "{{ intranet.subnets.guest.subnets.knuth.ipv4 }}" - allowed_mask: "{{ intranet.subnets.guest.subnets.knuth.netmaskv4 }}" + allowed_ips: + - "{{ intranet.subnets.guest.subnets.knuth.ipv4 }}/{{ intranet.subnets.guest.subnets.knuth.netmaskv4 }}" comment: "Client laptop: knuth" - endpoint: "" public_key: "{{ hostvars['rossum'].vpn_interfaces.wg0.public_key }}" - allowed_ip: "{{ hostvars['rossum'].vpn_interfaces.wg0.ip }}" - allowed_mask: 32 + allowed_ips: + - "{{ hostvars['rossum'].vpn_interfaces.wg0.ip }}/32" comment: "Raspi at paris, Rossum" - endpoint: "" public_key: "{{ hostvars['vm1'].vpn_interfaces.wg0.public_key }}" - allowed_ip: "{{ hostvars['vm1'].vpn_interfaces.wg0.ip }}" - allowed_mask: 32 + allowed_ips: + - "{{ hostvars['vm1'].vpn_interfaces.wg0.ip }}/32" comment: "Test VM 1, hosted by knuth" - endpoint: "" public_key: "{{ hostvars['vm2'].vpn_interfaces.wg0.public_key }}" - allowed_ip: "{{ hostvars['vm2'].vpn_interfaces.wg0.ip }}" - allowed_mask: 32 + allowed_ips: + - "{{ hostvars['vm2'].vpn_interfaces.wg0.ip }}/32" comment: "Test VM 2, hosted by knuth" - endpoint: "" public_key: "{{ hostvars['vm3'].vpn_interfaces.wg0.public_key }}" - allowed_ip: "{{ hostvars['vm3'].vpn_interfaces.wg0.ip }}" - allowed_mask: 32 + allowed_ips: + - "{{ 
hostvars['vm3'].vpn_interfaces.wg0.ip }}/32" comment: "Test VM 3, hosted by knuth" - endpoint: "" public_key: "{{ hostvars['vm4'].vpn_interfaces.wg0.public_key }}" - allowed_ip: "{{ hostvars['vm4'].vpn_interfaces.wg0.ip }}" - allowed_mask: 32 + allowed_ips: + - "{{ hostvars['vm4'].vpn_interfaces.wg0.ip }}/32" comment: "Test VM 4, hosted by knuth" diff --git a/host_vars/rossum/vpn.yml b/host_vars/rossum/vpn.yml index e5fd30c..15f17a9 100644 --- a/host_vars/rossum/vpn.yml +++ b/host_vars/rossum/vpn.yml @@ -8,6 +8,6 @@ vpn_interfaces: peers: - endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}" public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}" - allowed_ip: "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}" - allowed_mask: "{{ interfaces.wg0.netmaskv4 }}" + allowed_ips: + - "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}" comment: "hindley" diff --git a/host_vars/vm1/vpn.yml b/host_vars/vm1/vpn.yml index 121dd03..349ec5a 100644 --- a/host_vars/vm1/vpn.yml +++ b/host_vars/vm1/vpn.yml @@ -8,6 +8,6 @@ vpn_interfaces: peers: - endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}" public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}" - allowed_ip: "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}" - allowed_mask: "{{ interfaces.wg0.netmaskv4 }}" + allowed_ips: + - "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}" comment: "hindley" diff --git a/host_vars/vm2/vpn.yml b/host_vars/vm2/vpn.yml index a3022a6..cce5491 100644 --- a/host_vars/vm2/vpn.yml +++ b/host_vars/vm2/vpn.yml 
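Review bot: The hellman peer's `allowed_ips` is the one entry that carries a second prefix, `{{ intranet.subnets.guest_hellman.ipv4 }}/{{ intranet.subnets.guest_hellman.netmaskv4 }}`, and nothing on the line says why; since every spoke in this patch sends the whole intranet to hindley, this line is what makes hindley the transit hop for 172.20.103.0/24, and that presumably relies on IP forwarding on hindley, which the patch does not show. A comment such as `# hellman also terminates the guest_hellman /24: hindley forwards spoke traffic for it here` would record that. The other new entries mix a literal `/32` with the templated `.../{{ intranet.subnets.guest.subnets.knuth.netmaskv4 }}` used for knuth; using each host's `netmaskv4` from the inventory for all of them (or `/32` for all) would keep the list uniform. The `peers` list begins before this hunk.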
@@ -8,6 +8,6 @@ vpn_interfaces: peers: - endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}" public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}" - allowed_ip: "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}" - allowed_mask: "{{ interfaces.wg0.netmaskv4 }}" + allowed_ips: + - "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}" comment: "hindley" diff --git a/host_vars/vm3/vpn.yml b/host_vars/vm3/vpn.yml index 4f0556c..f6cf0a9 100644 --- a/host_vars/vm3/vpn.yml +++ b/host_vars/vm3/vpn.yml @@ -8,6 +8,6 @@ vpn_interfaces: peers: - endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}" public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}" - allowed_ip: "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}" - allowed_mask: "{{ interfaces.wg0.netmaskv4 }}" + allowed_ips: + - "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}" comment: "hindley" diff --git a/host_vars/vm4/vpn.yml b/host_vars/vm4/vpn.yml index e8ff96f..ccd2acb 100644 --- a/host_vars/vm4/vpn.yml +++ b/host_vars/vm4/vpn.yml @@ -8,6 +8,6 @@ vpn_interfaces: peers: - endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}" public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}" - allowed_ip: "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}" - allowed_mask: "{{ interfaces.wg0.netmaskv4 }}" + allowed_ips: + - "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}" comment: "hindley" diff --git a/roles/vpn/templates/wiregard.conf.j2 b/roles/vpn/templates/wiregard.conf.j2 index 25890c7..7f6af40 100644 --- a/roles/vpn/templates/wiregard.conf.j2 +++ b/roles/vpn/templates/wiregard.conf.j2 
@@ -10,9 +10,9 @@ ListenPort = {{ vpn_port }} {{ peer.comment | comment }} Publickey = {{ peer.public_key }} {% if peer.endpoint %} -Endpoint = {{peer.endpoint}}:{{ vpn_port }} +Endpoint = {{ peer.endpoint }}:{{ vpn_port }} {% endif %} -AllowedIPs = {{peer.allowed_ip}}/{{ peer.allowed_mask }} +AllowedIPs = {{ peer.allowed_ips | join(", ") }} {% endfor %} {% if item.value.keepalive %}
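Review bot: `AllowedIPs = {{ peer.allowed_ips | join(", ") }}` renders `AllowedIPs = ` when a peer defines `allowed_ips` as an empty list, and as far as I can tell wg accepts that silently, leaving a peer that is configured but can neither send nor receive; an undefined key fails under Ansible's default strict undefined, but an empty list does not. An `assert` task in the role checking that every peer's `allowed_ips` is a non-empty list (or failing in the template when `peer.allowed_ips | length == 0`) would catch the misconfiguration before `wg` applies it. A short template comment above the line, `{# cryptokey routing: this peer may source, and is routed, only these CIDRs #}`, would document what the list controls. The peer loop that wraps these lines starts outside the hunk.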