crans
/
ansible
mirror of http://gitlab.adm.crans.org/nounous/ansible.git
19
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge branch 'wireguard' into 'newinfra' 

[wireguard] Use NDP and ARP proxy

See merge request nounous/ansible!79
certbot_on_virtu
_benjamin 2020-08-24 17:40:18 +02:00
parent 4fc0147e1c 8c2e40bd56
commit 59c9428851
4 changed files with 6 additions and 76 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
plays/wireguard.yml
View File

@ -17,7 +17,7 @@
debian_mirror: http://mirror.adm.crans.org/debian debian_mirror: http://mirror.adm.crans.org/debian
wireguard: wireguard:
sputnik: false sputnik: false
if: ens20 if: ens18
private_key: "{{ vault_wireguard_boeing_private_key }}" private_key: "{{ vault_wireguard_boeing_private_key }}"
peer_public_key: "{{ vault_wireguard_sputnik_public_key }}" peer_public_key: "{{ vault_wireguard_sputnik_public_key }}"
roles: roles:

26
roles/wireguard/tasks/main.yml
View File

@ -46,29 +46,3 @@
name: wg-quick@sputnik name: wg-quick@sputnik
state: started state: started
enabled: true enabled: true
- name: Install nftables
apt:
name: nftables
state: present
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
when: not wireguard.sputnik
- name: Deploy nftables.conf
template:
src: nftables.conf
dest: /etc/nftables.conf
mode: 0644
owner: root
group: root
when: not wireguard.sputnik
- name: Enable and start nftables
systemd:
name: nftables
enabled: true
state: started
when: not wireguard.sputnik

43
roles/wireguard/templates/nftables.conf
View File

@ -1,43 +0,0 @@
#!/usr/sbin/nft -f
flush ruleset
{% set sputnik_ip = (query('ldap', 'ip', 'sputnik', 'adm') | ipv4)[0] %}
table ip nat {
chain prerouting {
type nat hook prerouting priority 0; policy accept;
ip daddr {{ sputnik_ip }} dnat to 172.31.0.2
}
chain postrouting {
type nat hook postrouting priority 100; policy accept;
ip saddr 172.31.0.2 ip protocol icmp snat to {{ sputnik_ip }}
ip saddr 172.31.0.2 ip protocol tcp snat to {{ sputnik_ip }}
ip saddr 172.31.0.2 ip protocol udp snat to {{ sputnik_ip }}
}
}
{% set sputnik_ip6 = (query('ldap', 'ip', 'sputnik', 'adm') | ipv6)[0] %}
table ip6 nat {
chain prerouting {
type nat hook prerouting priority 0; policy accept;
ip6 daddr {{ sputnik_ip6 }} dnat to fd0c:700:0:8::2
}
chain postrouting {
type nat hook postrouting priority 100; policy accept;
ip6 saddr fd0c:700:0:8::2 ip6 nexthdr icmpv6 snat to {{ sputnik_ip6 }}
ip6 saddr fd0c:700:0:8::2 ip6 nexthdr tcp snat to {{ sputnik_ip6 }}
ip6 saddr fd0c:700:0:8::2 ip6 nexthdr udp snat to {{ sputnik_ip6 }}
}
}
table inet filter {
chain input {
type filter hook input priority 0;
}
chain forward {
type filter hook forward priority 0;
}
chain output {
type filter hook output priority 0;
}
}

11
roles/wireguard/templates/wireguard/sputnik.conf.j2
View File

@ -1,7 +1,7 @@
{{ ansible_header | comment }} {{ ansible_header | comment }}
{% if wireguard.sputnik %} {% if wireguard.sputnik %}
[Interface] [Interface]
Address = 172.31.0.2/30, fd0c:700:0:8::2/64 Address = 172.16.10.32/24, fd00::10:0:ff:fe00:3210/64
ListenPort = 51820 ListenPort = 51820
PrivateKey = {{ wireguard.private_key }} PrivateKey = {{ wireguard.private_key }}
@ -9,20 +9,19 @@ PostUp = /sbin/ip link set sputnik alias adm
[Peer] [Peer]
PublicKey = {{ wireguard.peer_public_key }} PublicKey = {{ wireguard.peer_public_key }}
AllowedIPs = 172.31.0.1/32, fd0c:700:0:8::1/128, {{ query('ldap', 'network', 'adm') }}, fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64 AllowedIPs = {{ query('ldap', 'network', 'adm') }}, fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64
Endpoint = {{ (query('ldap', 'ip', 'boeing', 'srv') | ipv4)[0] }}:51820 Endpoint = {{ (query('ldap', 'ip', 'boeing', 'srv') | ipv4)[0] }}:51820
{% else %} {% else %}
[Interface] [Interface]
Address = 172.31.0.1/30, fd0c:700:0:8::1/64
ListenPort = 51820 ListenPort = 51820
PrivateKey = {{ wireguard.private_key }} PrivateKey = {{ wireguard.private_key }}
PostUp = ifup {{ wireguard.if }}; systemctl start nftables PostUp = sysctl -w net.ipv4.conf.{{ wireguard.if }}.proxy_arp=1; sysctl -w net.ipv4.conf.sputnik.proxy_arp=1; sysctl -w net.ipv6.conf.{{ wireguard.if }}.proxy_ndp=1; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=1; ip neigh add proxy {{ (query('ldap', 'ip', 'sputnik', 'adm') | ipv6)[0] }} dev {{ wireguard.if }}
PostDown = ifdown {{ wireguard.if }}; systemctl stop nftables PostDown = sysctl -w net.ipv4.conf.{{ wireguard.if }}.proxy_arp=0; sysctl -w net.ipv4.conf.sputnik.proxy_arp=0; sysctl -w net.ipv6.conf.{{ wireguard.if }}.proxy_ndp=0; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=0; ip neigh delete proxy {{ (query('ldap', 'ip', 'sputnik', 'adm') | ipv6)[0] }} dev {{ wireguard.if }}
[Peer] [Peer]
PublicKey = {{ wireguard.peer_public_key }} PublicKey = {{ wireguard.peer_public_key }}
AllowedIPs = 172.31.0.2/32, fd0c:700:0:8::2/128 AllowedIPs = {{ (query('ldap', 'ip', 'sputnik', 'adm') | ipv4)[0] }}/32, {{ (query('ldap', 'ip', 'sputnik', 'adm') | ipv6)[0] }}/128
Endpoint = {{ (query('ldap', 'ip', 'sputnik', 'srv') | ipv4)[0] }}:51820 Endpoint = {{ (query('ldap', 'ip', 'sputnik', 'srv') | ipv4)[0] }}:51820
{% endif %} {% endif %}