misc: WIP: vpn again

6 months ago · 887aadb5fe
parent 02910a8fc0
commit 887aadb5fe
7 changed files with 36 additions and 22 deletions
--- a/group_vars/infra/firewall.yml
+++ b/group_vars/infra/firewall.yml
@ -219,8 +219,9 @@ firewall__forward:
    verdict: accept
  # Admin Wireguard
  - dst:
-      - 2a09:6840:211::204
+      - 2a09:6840:211::1:1
      - 45.66.111.204
+      - 10.211.1.1
    protocols:
      udp:
        dport: 5121
--- a/group_vars/vpn/bird.yml
+++ b/group_vars/vpn/bird.yml
@ -1,14 +1,20 @@
 ---
+bird__tables:
+  - wg
+
 bird__kernel:
  kernel:
    learn: true
    import: accept
    export: accept
  vrf:
-    import: reject
+    learn: true
+    import:
+      sources:
+        - "{{ iproute2__custom_protos.wireguard }}"
    export: accept
    table: wg
-    kernel: "{{ iproute2__custom_protos.wireguard }}"
+    kernel: "{{ iproute2__custom_tables.wireguard }}"

 bird__ospf:
  limits:
@ -17,17 +23,13 @@ bird__ospf:
  table: wg
  import: accept
  export:
-    protos:
-      - kernel
-      - wireguard
+    sources:
+      - "{{ iproute2__custom_protos.wireguard }}"
  areas:
    1:
      broadcast:
        - vpn0

-bird__tables:
-  - wg
-
 bird__bgp:
  infra1:
    local:
--- a/group_vars/vpn/ifupdown2.yml
+++ b/group_vars/vpn/ifupdown2.yml
@ -8,6 +8,7 @@ ifupdown2__wireguard:
    private_key: "{{ vault_wireguard_wg0_private }}"
    listen_port: 5121
    vrf: wg-vrf
+    table: "{{ iproute2__custom_tables.wireguard }}"
    peer_allowed_addresses:
      - 2a09:6840:212::1:1/128
      - 10.212.1.1/32
--- a/group_vars/vpn/iproute2.yml
+++ b/group_vars/vpn/iproute2.yml
@ -3,5 +3,5 @@ iproute2__custom_tables:
  wireguard: 2000

 iproute2__custom_protos:
-  wireguard: 2000
+  wireguard: 200
 ...
--- a/host_vars/wg-1.vpn.infra.auro.re.yml
+++ b/host_vars/wg-1.vpn.infra.auro.re.yml
@ -9,11 +9,13 @@ ifupdown2__interfaces:
    addresses:
      - 2a09:6840:211::1:1/64
      - 10.211.1.1/16
-      - 45.66.111.200/30
+      - 45.66.111.204/30
  vpn0:
    addresses:
      - 2a09:6840:213::1:3/64
      - 10.213.1.3/16
+    # FIXME: move to group_vars
+    goto_table: "{{ iproute2__custom_tables.wireguard }}"

 bird__router_id: 10.213.1.3

--- a/roles/bird/templates/bird.conf.j2
+++ b/roles/bird/templates/bird.conf.j2
@ -53,8 +53,8 @@ protocol kernel {{ name | bird_name(ipv4) }} {
 {% set ipv4 = version == "ipv4" %}
 protocol pipe {{ name | bird_name(ipv4) }} {
    table {{ pipe.table | bird_name(ipv4) }};
-    peer_table {{ pipe.peer_table | bird_name(ipv4) }};
-    {{ import_export(kernel, ipv4) | indent(8) }}
+    peer table {{ pipe.peer_table | default("master") | bird_name(ipv4) }};
+    {{ import_export(kernel, ipv4) | indent(4) }}
 }
 {% endfor %}
 {% endfor %}
--- a/roles/ifupdown2/templates/interfaces.j2
+++ b/roles/ifupdown2/templates/interfaces.j2
@ -15,11 +15,13 @@ ip-forward yes
 ip6-forward yes
 {% endif %}
 {% if iface.goto_table is defined %}
-{% set prio = ifupdown2__prio_base + 2 * index %}
-pre-up ip rule add prio {{ prio }} iif $IFACE table {{ iface.goto_table }}
-pre-up ip rule add prio {{ prio + 1 }} iif $IFACE blackhole
-post-down ip rule del prio {{ prio }} iif $IFACE table {{ iface.goto_table }}
-post-down ip rule del prio {{ prio + 1 }} iif $IFACE blackhole
+{% set prio = ifupdown2__prio_base + 3 * index %}
+pre-up ip rule add prio {{ prio }} iif $IFACE table local
+pre-up ip rule add prio {{ prio + 1 }} iif $IFACE table {{ iface.goto_table }}
+pre-up ip rule add prio {{ prio + 2 }} iif $IFACE blackhole
+post-down ip rule del prio {{ prio }} iif $IFACE table local
+post-down ip rule del prio {{ prio + 1 }} iif $IFACE table {{ iface.goto_table }}
+post-down ip rule del prio {{ prio + 2 }} iif $IFACE blackhole
 {% endif %}
 {% if iface.vrf is defined %}
 vrf {{ iface.vrf }}
@ -30,10 +32,13 @@ ipv6-addrgen {{ iface.ipv6_addrgen
 {% endif %}
 {% endmacro %}

+{% set index = 1 %}
+
 {% for name, iface in ifupdown2__interfaces.items() %}
+{% set index = index + 4 %}
 auto {{ name }}
 iface {{ name }}
-    {{ iface_common(iface) | indent(4) }}
+    {{ iface_common(iface, index) | indent(4) }}
 {% if iface.bridge_ports is defined %}
    bridge-ports {{ iface.bridge_ports | join(" ") }}
 {% endif %}
@ -58,19 +63,22 @@ iface {{ name }}
 {% endfor %}

 {% for name, iface in ifupdown2__wireguard.items() | sort(attribute="0") %}
+{% set index = index + 4 %}
 auto {{ name }}
 iface {{ name }}
    link-type wireguard
-    {{ iface_common(iface, index=loop.index) | indent(4) }}
+    {{ iface_common(iface, index) | indent(4) }}
    pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
 {% for address in iface.peer_allowed_addresses | default([]) %}
-    post-up ip route add {{ address }} proto {{ ifupdown2__wireguard_proto }} dev $IFACE
+    post-up ip route add {{ address }} proto {{ ifupdown2__wireguard_proto }} \
+        table {{ iface.table | default("main") }} dev $IFACE
 {% endfor %}
 {% endfor %}

 {% for name, iface in ifupdown2__vrf.items() | sort(attribute="0") %}
+{% set index = index + 4 %}
 auto {{ name }}
 iface {{ name }}
-    {{ iface_common(iface, index=loop.index) | indent(4) }}
+    {{ iface_common(iface, index) | indent(4) }}
    vrf-table {{ iface.table }}
 {% endfor %}