Merge branch 'wireguard' into 'newinfra'

[wireguard] Use NDP and ARP proxy See merge request nounous/ansible!79
2020-08-24 17:40:18 +02:00 · 2020-08-24 17:40:18 +02:00 · 59c9428851
parent 4fc0147e1c 8c2e40bd56
commit 59c9428851
4 changed files with 6 additions and 76 deletions
--- a/plays/wireguard.yml
+++ b/plays/wireguard.yml
@ -17,7 +17,7 @@
    debian_mirror: http://mirror.adm.crans.org/debian
    wireguard:
      sputnik: false
-      if: ens20
+      if: ens18
      private_key: "{{ vault_wireguard_boeing_private_key }}"
      peer_public_key: "{{ vault_wireguard_sputnik_public_key }}"
  roles:
--- a/roles/wireguard/tasks/main.yml
+++ b/roles/wireguard/tasks/main.yml
@ -46,29 +46,3 @@
    name: wg-quick@sputnik
    state: started
    enabled: true
-
- name: Install nftables
-  apt:
-    name: nftables
-    state: present
-    update_cache: true
-  register: apt_result
-  retries: 3
-  until: apt_result is succeeded
-  when: not wireguard.sputnik
-
- name: Deploy nftables.conf
-  template:
-    src: nftables.conf
-    dest: /etc/nftables.conf
-    mode: 0644
-    owner: root
-    group: root
-  when: not wireguard.sputnik
-
- name: Enable and start nftables
-  systemd:
-    name: nftables
-    enabled: true
-    state: started
-  when: not wireguard.sputnik
--- a/roles/wireguard/templates/nftables.conf
+++ b/roles/wireguard/templates/nftables.conf
@ -1,43 +0,0 @@
-#!/usr/sbin/nft -f
-
-flush ruleset
-
-{% set sputnik_ip = (query('ldap', 'ip', 'sputnik', 'adm') | ipv4)[0] %}
-table ip nat {
-	chain prerouting {
-		type nat hook prerouting priority 0; policy accept;
-		ip daddr {{ sputnik_ip }} dnat to 172.31.0.2
-	}
-	chain postrouting {
-		type nat hook postrouting priority 100; policy accept;
-		ip saddr 172.31.0.2 ip protocol icmp snat to {{ sputnik_ip }}
-		ip saddr 172.31.0.2 ip protocol tcp snat to {{ sputnik_ip }}
-		ip saddr 172.31.0.2 ip protocol udp snat to {{ sputnik_ip }}
-	}
-}
-
-{% set sputnik_ip6 = (query('ldap', 'ip', 'sputnik', 'adm') | ipv6)[0] %}
-table ip6 nat {
-	chain prerouting {
-		type nat hook prerouting priority 0; policy accept;
-		ip6 daddr {{ sputnik_ip6 }} dnat to fd0c:700:0:8::2
-	}
-	chain postrouting {
-		type nat hook postrouting priority 100; policy accept;
-		ip6 saddr fd0c:700:0:8::2 ip6 nexthdr icmpv6 snat to {{ sputnik_ip6 }}
-		ip6 saddr fd0c:700:0:8::2 ip6 nexthdr tcp snat to {{ sputnik_ip6 }}
-		ip6 saddr fd0c:700:0:8::2 ip6 nexthdr udp snat to {{ sputnik_ip6 }}
-	}
-}
-
-table inet filter {
-	chain input {
-		type filter hook input priority 0;
-	}
-	chain forward {
-		type filter hook forward priority 0;
-	}
-	chain output {
-		type filter hook output priority 0;
-	}
-}
--- a/roles/wireguard/templates/wireguard/sputnik.conf.j2
+++ b/roles/wireguard/templates/wireguard/sputnik.conf.j2
@ -1,7 +1,7 @@
 {{ ansible_header | comment }}
 {% if wireguard.sputnik %}
 [Interface]
-Address = 172.31.0.2/30, fd0c:700:0:8::2/64
+Address = 172.16.10.32/24, fd00::10:0:ff:fe00:3210/64
 ListenPort = 51820
 PrivateKey = {{ wireguard.private_key }}

@ -9,20 +9,19 @@ PostUp = /sbin/ip link set sputnik alias adm

 [Peer]
 PublicKey = {{ wireguard.peer_public_key }}
-AllowedIPs = 172.31.0.1/32, fd0c:700:0:8::1/128, {{ query('ldap', 'network', 'adm') }}, fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64
+AllowedIPs = {{ query('ldap', 'network', 'adm') }}, fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64
 Endpoint = {{ (query('ldap', 'ip', 'boeing', 'srv') | ipv4)[0] }}:51820
 {% else %}
 [Interface]
-Address = 172.31.0.1/30, fd0c:700:0:8::1/64
 ListenPort = 51820
 PrivateKey = {{ wireguard.private_key }}

-PostUp =   ifup   {{ wireguard.if }}; systemctl start nftables
-PostDown = ifdown {{ wireguard.if }}; systemctl stop nftables
+PostUp =   sysctl -w net.ipv4.conf.{{ wireguard.if }}.proxy_arp=1; sysctl -w net.ipv4.conf.sputnik.proxy_arp=1; sysctl -w net.ipv6.conf.{{ wireguard.if }}.proxy_ndp=1; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=1; ip neigh add proxy {{ (query('ldap', 'ip', 'sputnik', 'adm') | ipv6)[0] }} dev {{ wireguard.if }}
+PostDown = sysctl -w net.ipv4.conf.{{ wireguard.if }}.proxy_arp=0; sysctl -w net.ipv4.conf.sputnik.proxy_arp=0; sysctl -w net.ipv6.conf.{{ wireguard.if }}.proxy_ndp=0; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=0; ip neigh delete proxy {{ (query('ldap', 'ip', 'sputnik', 'adm') | ipv6)[0] }} dev {{ wireguard.if }}

 [Peer]
 PublicKey = {{ wireguard.peer_public_key }}
-AllowedIPs = 172.31.0.2/32, fd0c:700:0:8::2/128
+AllowedIPs = {{ (query('ldap', 'ip', 'sputnik', 'adm') | ipv4)[0] }}/32, {{ (query('ldap', 'ip', 'sputnik', 'adm') | ipv6)[0] }}/128
 Endpoint = {{ (query('ldap', 'ip', 'sputnik', 'srv') | ipv4)[0] }}:51820
 {% endif %}