misc: WIP: vpn again
parent
02910a8fc0
commit
887aadb5fe
7 changed files with 36 additions and 22 deletions
|
@ -219,8 +219,9 @@ firewall__forward:
|
||||||
verdict: accept
|
verdict: accept
|
||||||
# Admin Wireguard
|
# Admin Wireguard
|
||||||
- dst:
|
- dst:
|
||||||
- 2a09:6840:211::204
|
- 2a09:6840:211::1:1
|
||||||
- 45.66.111.204
|
- 45.66.111.204
|
||||||
|
- 10.211.1.1
|
||||||
protocols:
|
protocols:
|
||||||
udp:
|
udp:
|
||||||
dport: 5121
|
dport: 5121
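Review bot: The three destinations added or corrected here (2a09:6840:211::1:1, 45.66.111.204, 10.211.1.1) are literal copies of the interface addresses this same commit sets in ifupdown2__interfaces (2a09:6840:211::1:1/64, 10.211.1.1/16, 45.66.111.204/30), and the stale ::204 entry being replaced looks like exactly the drift a second copy invites. Either derive the dst list from the interface definition or pin the coupling with a comment above the rule, e.g. `# dst must match the wg0 endpoint addresses in ifupdown2__interfaces`. The enclosing firewall__forward mapping starts outside the hunk.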
|
||||||
|
|
|
@ -1,14 +1,20 @@
|
||||||
---
|
---
|
||||||
|
bird__tables:
|
||||||
|
- wg
|
||||||
|
|
||||||
bird__kernel:
|
bird__kernel:
|
||||||
kernel:
|
kernel:
|
||||||
learn: true
|
learn: true
|
||||||
import: accept
|
import: accept
|
||||||
export: accept
|
export: accept
|
||||||
vrf:
|
vrf:
|
||||||
import: reject
|
learn: true
|
||||||
|
import:
|
||||||
|
sources:
|
||||||
|
- "{{ iproute2__custom_protos.wireguard }}"
|
||||||
export: accept
|
export: accept
|
||||||
table: wg
|
table: wg
|
||||||
kernel: "{{ iproute2__custom_protos.wireguard }}"
|
kernel: "{{ iproute2__custom_tables.wireguard }}"
|
||||||
|
|
||||||
bird__ospf:
|
bird__ospf:
|
||||||
limits:
|
limits:
|
||||||
|
@ -17,17 +23,13 @@ bird__ospf:
|
||||||
table: wg
|
table: wg
|
||||||
import: accept
|
import: accept
|
||||||
export:
|
export:
|
||||||
protos:
|
sources:
|
||||||
- kernel
|
- "{{ iproute2__custom_protos.wireguard }}"
|
||||||
- wireguard
|
|
||||||
areas:
|
areas:
|
||||||
1:
|
1:
|
||||||
broadcast:
|
broadcast:
|
||||||
- vpn0
|
- vpn0
|
||||||
|
|
||||||
bird__tables:
|
|
||||||
- wg
|
|
||||||
|
|
||||||
bird__bgp:
|
bird__bgp:
|
||||||
infra1:
|
infra1:
|
||||||
local:
|
local:
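Review bot: The new `sources: - "{{ iproute2__custom_protos.wireguard }}"` filters on the vrf kernel protocol import and on the ospf export only match routes whose rtm_protocol equals that number, yet the routes they are meant to pick up are installed by the ifupdown2 template in this commit with `proto {{ ifupdown2__wireguard_proto }}`, a different variable. If the two are not defined in terms of each other the filter silently imports nothing; define one from the other, e.g. `ifupdown2__wireguard_proto: "{{ iproute2__custom_protos.wireguard }}"`, or at least add `# must equal ifupdown2__wireguard_proto (routes are tagged by ifupdown2 post-up)` above the sources list. Whether that alias already exists cannot be seen on this page. The bird__ospf and bird__bgp blocks continue outside the hunks.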
|
||||||
|
|
|
@ -8,6 +8,7 @@ ifupdown2__wireguard:
|
||||||
private_key: "{{ vault_wireguard_wg0_private }}"
|
private_key: "{{ vault_wireguard_wg0_private }}"
|
||||||
listen_port: 5121
|
listen_port: 5121
|
||||||
vrf: wg-vrf
|
vrf: wg-vrf
|
||||||
|
table: "{{ iproute2__custom_tables.wireguard }}"
|
||||||
peer_allowed_addresses:
|
peer_allowed_addresses:
|
||||||
- 2a09:6840:212::1:1/128
|
- 2a09:6840:212::1:1/128
|
||||||
- 10.212.1.1/32
|
- 10.212.1.1/32
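Review bot: The added `table:` key deserves a comment, because the same key name means something different on ifupdown2__vrf entries: here the template uses it as the table the peer_allowed_addresses routes are added to (`ip route add … table {{ iface.table | default("main") }}`), while on a vrf entry it is the VRF's own table (`vrf-table {{ iface.table }}`). Suggest `# routing table for the peer_allowed_addresses routes (not the vrf table)` above the line. The wireguard interface definition starts outside the hunk.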
|
||||||
|
|
|
@ -3,5 +3,5 @@ iproute2__custom_tables:
|
||||||
wireguard: 2000
|
wireguard: 2000
|
||||||
|
|
||||||
iproute2__custom_protos:
|
iproute2__custom_protos:
|
||||||
wireguard: 2000
|
wireguard: 200
|
||||||
...
|
...
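Review bot: The change from 2000 to 200 for iproute2__custom_protos.wireguard fixes a real constraint that is not recorded anywhere: the Linux rtm_protocol field is 8 bits, so 2000 is out of range and iproute2 rejects it as a `proto` argument, whereas table ids (the unchanged `wireguard: 2000` above) may be large. Add `# rtm_protocol is 8-bit: keep within 1-255 and clear of ids already in /etc/iproute2/rt_protos` above the entry so the two numbers are not "synchronised" again later. Hosts that already have the old value rendered presumably keep a stale entry until re-provisioned; hard to tell from this page.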
|
||||||
|
|
|
@ -9,11 +9,13 @@ ifupdown2__interfaces:
|
||||||
addresses:
|
addresses:
|
||||||
- 2a09:6840:211::1:1/64
|
- 2a09:6840:211::1:1/64
|
||||||
- 10.211.1.1/16
|
- 10.211.1.1/16
|
||||||
- 45.66.111.200/30
|
- 45.66.111.204/30
|
||||||
vpn0:
|
vpn0:
|
||||||
addresses:
|
addresses:
|
||||||
- 2a09:6840:213::1:3/64
|
- 2a09:6840:213::1:3/64
|
||||||
- 10.213.1.3/16
|
- 10.213.1.3/16
|
||||||
|
# FIXME: move to group_vars
|
||||||
|
goto_table: "{{ iproute2__custom_tables.wireguard }}"
|
||||||
|
|
||||||
bird__router_id: 10.213.1.3
|
bird__router_id: 10.213.1.3
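Review bot: `45.66.111.204/30` assigns the first address of the 45.66.111.204-207 block, i.e. the network address of that /30 (the replaced .200/30 had the same property); unless the upstream really hands out a /30 with .204 as the usable host, or the prefix length should be different, peers and some stacks will treat it as non-unicast, so confirm against the allocation and record it, e.g. `# upstream allocation: <PREFIX-FROM-PROVIDER>, host address confirmed`. The new `goto_table:` on vpn0 is, per the ifupdown2 template in this commit, the only knob that steers vpn0-ingress traffic into the wireguard table and blackholes the rest; extend the FIXME with a line saying so, since dropping the key during the group_vars move would silently remove that isolation without any error. `bird__router_id: 10.213.1.3` repeats the vpn0 address literal and could reference it instead.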
|
||||||
|
|
||||||
|
|
|
@ -53,8 +53,8 @@ protocol kernel {{ name | bird_name(ipv4) }} {
|
||||||
{% set ipv4 = version == "ipv4" %}
|
{% set ipv4 = version == "ipv4" %}
|
||||||
protocol pipe {{ name | bird_name(ipv4) }} {
|
protocol pipe {{ name | bird_name(ipv4) }} {
|
||||||
table {{ pipe.table | bird_name(ipv4) }};
|
table {{ pipe.table | bird_name(ipv4) }};
|
||||||
peer_table {{ pipe.peer_table | bird_name(ipv4) }};
|
peer table {{ pipe.peer_table | default("master") | bird_name(ipv4) }};
|
||||||
{{ import_export(kernel, ipv4) | indent(8) }}
|
{{ import_export(kernel, ipv4) | indent(4) }}
|
||||||
}
|
}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endfor %}
|
{% endfor %}
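Review bot: Inside the `protocol pipe` block the changed line still calls `import_export(kernel, ipv4)` while every other reference in the block uses the `pipe` loop variable (`pipe.table`, `pipe.peer_table`); only the indent was changed. If `kernel` is the outer loop variable (the hunk header places this under `protocol kernel`), each pipe receives the kernel protocol's import/export filters rather than its own, and the line should read `{{ import_export(pipe, ipv4) | indent(4) }}`. `default("master")` is correct only if bird_name appends the 4/6 suffix to yield master4/master6; that filter is defined outside this page. Both enclosing for loops start outside the hunk.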
|
||||||
|
|
|
@ -15,11 +15,13 @@ ip-forward yes
|
||||||
ip6-forward yes
|
ip6-forward yes
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if iface.goto_table is defined %}
|
{% if iface.goto_table is defined %}
|
||||||
{% set prio = ifupdown2__prio_base + 2 * index %}
|
{% set prio = ifupdown2__prio_base + 3 * index %}
|
||||||
pre-up ip rule add prio {{ prio }} iif $IFACE table {{ iface.goto_table }}
|
pre-up ip rule add prio {{ prio }} iif $IFACE table local
|
||||||
pre-up ip rule add prio {{ prio + 1 }} iif $IFACE blackhole
|
pre-up ip rule add prio {{ prio + 1 }} iif $IFACE table {{ iface.goto_table }}
|
||||||
post-down ip rule del prio {{ prio }} iif $IFACE table {{ iface.goto_table }}
|
pre-up ip rule add prio {{ prio + 2 }} iif $IFACE blackhole
|
||||||
post-down ip rule del prio {{ prio + 1 }} iif $IFACE blackhole
|
post-down ip rule del prio {{ prio }} iif $IFACE table local
|
||||||
|
post-down ip rule del prio {{ prio + 1 }} iif $IFACE table {{ iface.goto_table }}
|
||||||
|
post-down ip rule del prio {{ prio + 2 }} iif $IFACE blackhole
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if iface.vrf is defined %}
|
{% if iface.vrf is defined %}
|
||||||
vrf {{ iface.vrf }}
|
vrf {{ iface.vrf }}
|
||||||
|
@ -30,10 +32,13 @@ ipv6-addrgen {{ iface.ipv6_addrgen
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endmacro %}
|
{% endmacro %}
|
||||||
|
|
||||||
|
{% set index = 1 %}
|
||||||
|
|
||||||
{% for name, iface in ifupdown2__interfaces.items() %}
|
{% for name, iface in ifupdown2__interfaces.items() %}
|
||||||
|
{% set index = index + 4 %}
|
||||||
auto {{ name }}
|
auto {{ name }}
|
||||||
iface {{ name }}
|
iface {{ name }}
|
||||||
{{ iface_common(iface) | indent(4) }}
|
{{ iface_common(iface, index) | indent(4) }}
|
||||||
{% if iface.bridge_ports is defined %}
|
{% if iface.bridge_ports is defined %}
|
||||||
bridge-ports {{ iface.bridge_ports | join(" ") }}
|
bridge-ports {{ iface.bridge_ports | join(" ") }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
@ -58,19 +63,22 @@ iface {{ name }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
{% for name, iface in ifupdown2__wireguard.items() | sort(attribute="0") %}
|
{% for name, iface in ifupdown2__wireguard.items() | sort(attribute="0") %}
|
||||||
|
{% set index = index + 4 %}
|
||||||
auto {{ name }}
|
auto {{ name }}
|
||||||
iface {{ name }}
|
iface {{ name }}
|
||||||
link-type wireguard
|
link-type wireguard
|
||||||
{{ iface_common(iface, index=loop.index) | indent(4) }}
|
{{ iface_common(iface, index) | indent(4) }}
|
||||||
pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
|
pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
|
||||||
{% for address in iface.peer_allowed_addresses | default([]) %}
|
{% for address in iface.peer_allowed_addresses | default([]) %}
|
||||||
post-up ip route add {{ address }} proto {{ ifupdown2__wireguard_proto }} dev $IFACE
|
post-up ip route add {{ address }} proto {{ ifupdown2__wireguard_proto }} \
|
||||||
|
table {{ iface.table | default("main") }} dev $IFACE
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
{% for name, iface in ifupdown2__vrf.items() | sort(attribute="0") %}
|
{% for name, iface in ifupdown2__vrf.items() | sort(attribute="0") %}
|
||||||
|
{% set index = index + 4 %}
|
||||||
auto {{ name }}
|
auto {{ name }}
|
||||||
iface {{ name }}
|
iface {{ name }}
|
||||||
{{ iface_common(iface, index=loop.index) | indent(4) }}
|
{{ iface_common(iface, index) | indent(4) }}
|
||||||
vrf-table {{ iface.table }}
|
vrf-table {{ iface.table }}
|
||||||
{% endfor %}
|
{% endfor %}
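Review bot: `{% set index = index + 4 %}` inside each of the three `{% for %}` loops (interfaces, wireguard, vrf) does not accumulate: Jinja2 `set` in a loop body creates a loop-scoped variable, so every iteration reads the top-level `index` of 1 and passes 5 to `iface_common`, and every interface with `goto_table` gets the same `prio` values instead of the distinct ones the stride was meant to provide. Use a mutable namespace: `{% set ns = namespace(index=1) %}` before the loops, `{% set ns.index = ns.index + 4 %}` in each loop, and `iface_common(iface, ns.index)` at the three call sites. With three rules per interface (`table local`, `table {{ iface.goto_table }}`, `blackhole`) and `3 * index` in the first hunk the stride of 4 leaves one spare priority per interface, which is worth a comment at the `prio` computation. The iface_common macro header, which must now accept `index`, and the `{% if iface.goto_table is defined %}` block start outside the hunks.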
|
||||||
|
|