tweak the vpn template to route multiples subnets

3 years ago · 126c1fd438
parent b6b7003068
commit 126c1fd438
11 changed files with 91 additions and 71 deletions
--- a/group_vars/all/networking.yml
+++ b/group_vars/all/networking.yml
@ -1,71 +1,85 @@
 ---
 intranet:
-  domaine: "intra"
+  domaine: intra
-  ipv4: "172.20.0.0"
+  ipv4: 172.20.0.0
  netmaskv4: 16
-  comment: "The intranet"
+  gateway: 172.20.1.1
  comment: The intranet
  subnets:
    physical:
-      domaine: "phy"
+      domaine: phy
-      ipv4: "172.20.1.0"
+      ipv4: 172.20.1.0
      netmaskv4: 24
-      comment: "Physical machines"
+      gateway: 172.20.1.1
      comment: Physical machines
      subnets:
        hindley:
-          domaine: "hindley"
+          domaine: hindley
-          ipv4: "172.20.1.1"
+          ipv4: 172.20.1.1
          netmaskv4: 32
-          comment: "Hindley"
+          comment: Hindley
        azerty:
-          domaine: "azerty"
+          domaine: azerty
-          ipv4: "172.20.1.2"
+          ipv4: 172.20.1.2
          netmaskv4: 32
-          comment: "Azerty"
+          comment: Azerty
        hellman:
-          domaine: "hellman"
+          domaine: hellman
-          ipv4: "172.20.1.3"
+          ipv4: 172.20.1.3
          netmaskv4: 32
-          comment: "Hellman"
+          comment: Hellman
        rossum:
-          domaine: "rossum"
+          domaine: rossum
-          ipv4: "172.20.1.4"
+          ipv4: 172.20.1.4
          netmaskv4: 32
-          comment: "Rossum"
+          comment: Rossum
    guest_hellman:
      domaine: hllm
      ipv4: 172.20.103.0
      netmaskv4: 24
      gateway: 172.20.103.1
      comment: Lan for the vm hosted on hellman
      subnets:
        hellman:
          domaine: hellman
          ipv4: 172.20.103.1
          netmaskv4: 32
          comment: Hellman
    test:
-      domaine: "test"
+      domaine: test
-      ipv4: "172.20.199.0"
+      ipv4: 172.20.199.0
      netmaskv4: 24
-      comment: "Test VM"
+      comment: Test VM
      subnets:
        vm1:
-          domaine: "vm1"
+          domaine: vm1
-          ipv4: "172.20.199.1"
+          ipv4: 172.20.199.1
          netmaskv4: 32
-          comment: "Test vm 1, on knuth"
+          comment: Test vm 1, on knuth
        vm2:
-          domaine: "vm2"
+          domaine: vm2
-          ipv4: "172.20.199.2"
+          ipv4: 172.20.199.2
          netmaskv4: 32
-          comment: "Test vm 2, on knuth"
+          comment: Test vm 2, on knuth
        vm3:
-          domaine: "vm3"
+          domaine: vm3
-          ipv4: "172.20.199.3"
+          ipv4: 172.20.199.3
          netmaskv4: 32
-          comment: "Test vm 3, on knuth"
+          comment: Test vm 3, on knuth
        vm4:
-          domaine: "knuth"
+          domaine: vm4
-          ipv4: "172.20.199.4"
+          ipv4: 172.20.199.4
          netmaskv4: 32
-          comment: "Test vm 4, on knuth"
+          comment: Test vm 4, on knuth
    guest:
-      domaine: "guest"
+      domaine: guest
-      ipv4: "172.20.200.0"
+      ipv4: 172.20.200.0
      netmaskv4: 24
-      comment: "Guest machines"
+      comment: Guest machines
      subnets:
        knuth:
-          domaine: "knuth"
+          domaine: knuth
-          ipv4: "172.20.200.1"
+          ipv4: 172.20.200.1
          netmaskv4: 32
-          comment: "Knuth"
+          comment: Knuth
--- a/host_vars/azerty/vpn.yml
+++ b/host_vars/azerty/vpn.yml
@ -8,6 +8,6 @@ vpn_interfaces:
    peers:
    - endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
      public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
-      allowed_ip: "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}"
+      allowed_ips:
-      allowed_mask: "{{ interfaces.wg0.netmaskv4 }}"
+        - "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
      comment: "hindley"
--- a/host_vars/hellman/networking.yml
+++ b/host_vars/hellman/networking.yml
@ -10,6 +10,11 @@ interfaces:
    gateway: 10.50.0.254
    interfaces:
      - enp7s0
  br1:
    ipv4: "{{ intranet.subnets.guest_hellman.subnets.hellman.ipv4 }}"
    netmaskv4: "{{ intranet.subnets.guest_hellman.netmaskv4 }}"
    type: static
    bridge: true
  wg0:
    ipv4: "{{ intranet.subnets.physical.subnets.hellman.ipv4 }}"
    netmaskv4: "{{ intranet.netmaskv4 }}"
--- a/host_vars/hellman/vpn.yml
+++ b/host_vars/hellman/vpn.yml
@ -8,6 +8,6 @@ vpn_interfaces:
    peers:
    - endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
      public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
-      allowed_ip: "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}"
+      allowed_ips:
-      allowed_mask: "{{ interfaces.wg0.netmaskv4 }}"
+        - "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
      comment: "hindley"
--- a/host_vars/hindley/vpn.yml
+++ b/host_vars/hindley/vpn.yml
@ -8,43 +8,44 @@ vpn_interfaces:
    peers:
    - endpoint: ""
      public_key: "{{ hostvars['azerty'].vpn_interfaces.wg0.public_key }}"
-      allowed_ip: "{{ hostvars['azerty'].vpn_interfaces.wg0.ip }}"
+      allowed_ips: 
-      allowed_mask: 32
+        - "{{ hostvars['azerty'].vpn_interfaces.wg0.ip }}/32"
      comment: "azerty"
    - endpoint: ""
      public_key: "{{ hostvars['hellman'].vpn_interfaces.wg0.public_key }}"
-      allowed_ip: "{{ hostvars['hellman'].vpn_interfaces.wg0.ip }}"
+      allowed_ips:
-      allowed_mask: 32
+        - "{{ hostvars['hellman'].vpn_interfaces.wg0.ip }}/32"
        - "{{ intranet.subnets.guest_hellman.ipv4 }}/{{ intranet.subnets.guest_hellman.netmaskv4 }}"
      comment: "hellman"
    - endpoint: ""
      public_key: "{{ vpn_guest_keys.knuth }}"
-      allowed_ip: "{{ intranet.subnets.guest.subnets.knuth.ipv4 }}"
+      allowed_ips: 
-      allowed_mask: "{{ intranet.subnets.guest.subnets.knuth.netmaskv4 }}"
+        - "{{ intranet.subnets.guest.subnets.knuth.ipv4 }}/{{ intranet.subnets.guest.subnets.knuth.netmaskv4 }}"
      comment: "Client laptop: knuth"
    - endpoint: ""
      public_key: "{{ hostvars['rossum'].vpn_interfaces.wg0.public_key }}"
-      allowed_ip: "{{ hostvars['rossum'].vpn_interfaces.wg0.ip }}"
+      allowed_ips: 
-      allowed_mask: 32
+        - "{{ hostvars['rossum'].vpn_interfaces.wg0.ip }}/32"
      comment: "Raspi at paris, Rossum"
    - endpoint: ""
      public_key: "{{ hostvars['vm1'].vpn_interfaces.wg0.public_key }}"
-      allowed_ip: "{{ hostvars['vm1'].vpn_interfaces.wg0.ip }}"
+      allowed_ips: 
-      allowed_mask: 32
+        - "{{ hostvars['vm1'].vpn_interfaces.wg0.ip }}/32"
      comment: "Test VM 1, hosted by knuth"
    - endpoint: ""
      public_key: "{{ hostvars['vm2'].vpn_interfaces.wg0.public_key }}"
-      allowed_ip: "{{ hostvars['vm2'].vpn_interfaces.wg0.ip }}"
+      allowed_ips: 
-      allowed_mask: 32
+        - "{{ hostvars['vm2'].vpn_interfaces.wg0.ip }}/32"
      comment: "Test VM 2, hosted by knuth"
    - endpoint: ""
      public_key: "{{ hostvars['vm3'].vpn_interfaces.wg0.public_key }}"
-      allowed_ip: "{{ hostvars['vm3'].vpn_interfaces.wg0.ip }}"
+      allowed_ips: 
-      allowed_mask: 32
+        - "{{ hostvars['vm3'].vpn_interfaces.wg0.ip }}/32"
      comment: "Test VM 3, hosted by knuth"
    - endpoint: ""
      public_key: "{{ hostvars['vm4'].vpn_interfaces.wg0.public_key }}"
-      allowed_ip: "{{ hostvars['vm4'].vpn_interfaces.wg0.ip }}"
+      allowed_ips: 
-      allowed_mask: 32
+        - "{{ hostvars['vm4'].vpn_interfaces.wg0.ip }}/32"
      comment: "Test VM 4, hosted by knuth"
--- a/host_vars/rossum/vpn.yml
+++ b/host_vars/rossum/vpn.yml
@ -8,6 +8,6 @@ vpn_interfaces:
    peers:
    - endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
      public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
-      allowed_ip: "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}"
+      allowed_ips:
-      allowed_mask: "{{ interfaces.wg0.netmaskv4 }}"
+        - "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
      comment: "hindley"
--- a/host_vars/vm1/vpn.yml
+++ b/host_vars/vm1/vpn.yml
@ -8,6 +8,6 @@ vpn_interfaces:
    peers:
    - endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
      public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
-      allowed_ip: "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}"
+      allowed_ips:
-      allowed_mask: "{{ interfaces.wg0.netmaskv4 }}"
+        - "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
      comment: "hindley"
--- a/host_vars/vm2/vpn.yml
+++ b/host_vars/vm2/vpn.yml
@ -8,6 +8,6 @@ vpn_interfaces:
    peers:
    - endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
      public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
-      allowed_ip: "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}"
+      allowed_ips:
-      allowed_mask: "{{ interfaces.wg0.netmaskv4 }}"
+        - "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
      comment: "hindley"
--- a/host_vars/vm3/vpn.yml
+++ b/host_vars/vm3/vpn.yml
@ -8,6 +8,6 @@ vpn_interfaces:
    peers:
    - endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
      public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
-      allowed_ip: "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}"
+      allowed_ips: 
-      allowed_mask: "{{ interfaces.wg0.netmaskv4 }}"
+        - "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
      comment: "hindley"
--- a/host_vars/vm4/vpn.yml
+++ b/host_vars/vm4/vpn.yml
@ -8,6 +8,6 @@ vpn_interfaces:
    peers:
    - endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
      public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
-      allowed_ip: "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}"
+      allowed_ips:
-      allowed_mask: "{{ interfaces.wg0.netmaskv4 }}"
+        - "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
      comment: "hindley"
--- a/roles/vpn/templates/wiregard.conf.j2
+++ b/roles/vpn/templates/wiregard.conf.j2
@ -10,9 +10,9 @@ ListenPort = {{ vpn_port }}
 {{ peer.comment | comment }}
 Publickey = {{ peer.public_key }}
 {% if peer.endpoint %}
-Endpoint = {{peer.endpoint}}:{{ vpn_port }}
+Endpoint = {{ peer.endpoint }}:{{ vpn_port }}
 {% endif %}
-AllowedIPs = {{peer.allowed_ip}}/{{ peer.allowed_mask }}
+AllowedIPs = {{ peer.allowed_ips | join(", ") }}
 {% endfor %}
 {% if item.value.keepalive %}