From 66269841a77b3f1d88f4fca4370c924aa5a45aa4 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO
Date: Tue, 28 Jun 2022 23:10:21 +0200
Subject: [PATCH] Create 3 different Wireguard tunnels

Signed-off-by: Yohann D'ANELLO
---
 host_vars/boeing.adm.crans.org.yml       | 40 +++++++++++++++++++-----
 host_vars/routeur-ft.adm.crans.org.yml   | 18 +++++------
 host_vars/routeur-thot.adm.crans.org.yml | 19 +++++------
 host_vars/sputnik.adm.crans.org.yml      |  2 +-
 4 files changed, 53 insertions(+), 26 deletions(-)

diff --git a/host_vars/boeing.adm.crans.org.yml b/host_vars/boeing.adm.crans.org.yml
index e945734b..dad7adac 100644
--- a/host_vars/boeing.adm.crans.org.yml
+++ b/host_vars/boeing.adm.crans.org.yml
@@ -7,7 +7,7 @@ loc_wireguard:
   tunnels:
     - name: "sputnik"
       listen_port: 51820
-      private_key: "{{ vault.wireguard.boeing.privkey }}"
+      private_key: "{{ vault.wireguard.boeing.sputnik.privkey }}"
       table: "off"
       peers:
         - public_key: "{{ vault.wireguard.sputnik.pubkey }}"
@@ -15,23 +15,49 @@ loc_wireguard:
             - "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv4 | first }}/32"
             - "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv6 | first }}/128"
           endpoint: "{{ query('ldap', 'ip', 'sputnik', 'srv') | ipv4 | first }}:51820"
+      post_up:
+        - "sysctl -w net.ipv4.conf.%i.proxy_arp=1"
+        - "sysctl -w net.ipv6.conf.%i.proxy_ndp=1"
+        - "python3 /var/local/services/proxy/proxy.py --alter"
+      pre_down:
+        - "sysctl -w net.ipv4.conf.%i.proxy_arp=0"
+        - "sysctl -w net.ipv6.conf.%i.proxy_ndp=0"
+        - "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy"
+    - name: "viarezo"
+      listen_port: 51821
+      private_key: "{{ vault.wireguard.boeing.viarezo.privkey }}"
+      table: "off"
+      peers:
         - public_key: "{{ vault.wireguard.routeur_ft.pubkey }}"
           allowed_ips:
             - "{{ query('ldap', 'network', 'adm') }}"
             - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
           persistent_keepalive: 25
+      post_up:
+        - "sysctl -w net.ipv4.conf.%i.proxy_arp=1"
+        - "sysctl -w net.ipv6.conf.%i.proxy_ndp=1"
+        - "python3 /var/local/services/proxy/proxy.py --alter"
+      pre_down:
+        - "sysctl -w net.ipv4.conf.%i.proxy_arp=0"
+        - "sysctl -w net.ipv6.conf.%i.proxy_ndp=0"
+        - "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy"
+    - name: "aurore"
+      listen_port: 51822
+      private_key: "{{ vault.wireguard.boeing.aurore.privkey }}"
+      table: "off"
+      peers:
         - public_key: "{{ vault.wireguard.routeur_thot.pubkey }}"
           allowed_ips:
             - "{{ query('ldap', 'network', 'adm') }}"
             - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
           persistent_keepalive: 25
       post_up:
-        - "sysctl -w net.ipv4.conf.all.forwarding=1; sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.sputnik.proxy_arp=1"
-        - "sysctl -w net.ipv6.conf.all.forwarding=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=1"
+        - "sysctl -w net.ipv4.conf.%i.proxy_arp=1"
+        - "sysctl -w net.ipv6.conf.%i.proxy_ndp=1"
         - "python3 /var/local/services/proxy/proxy.py --alter"
       pre_down:
-        - "sysctl -w net.ipv4.conf.all.forwarding=0; sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.sputnik.proxy_arp=0"
-        - "sysctl -w net.ipv6.conf.all.forwarding=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=0"
+        - "sysctl -w net.ipv4.conf.%i.proxy_arp=0"
+        - "sysctl -w net.ipv6.conf.%i.proxy_ndp=0"
         - "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy"
 
 loc_service_proxy:
@@ -42,6 +68,6 @@ loc_service_proxy:
     filter: "adm.crans.org"
     proxy:
       default: "ens18"
-      viarezo: "sputnik"
-      aurore: "sputnik"
+      viarezo: "viarezo"
+      aurore: "aurore"
       ovh: "sputnik"
diff --git a/host_vars/routeur-ft.adm.crans.org.yml b/host_vars/routeur-ft.adm.crans.org.yml
index 7b5b403f..dfabbc24 100644
--- a/host_vars/routeur-ft.adm.crans.org.yml
+++ b/host_vars/routeur-ft.adm.crans.org.yml
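Review bot: The `pre_down` list now attached to each of the three boeing tunnels ends with `ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy`, which is not scoped to `%i`, so stopping one tunnel (say `viarezo`) also wipes the proxy routes and neighbour entries that `proxy.py --alter` installed for `sputnik` and `aurore`, and they only come back on the next post_up of some other interface. Scoping the teardown to the interface being stopped, `ip route flush dev %i proto proxy; ip -6 route flush dev %i proto proxy; ip neigh flush proxy dev %i proto proxy`, keeps one tunnel's restart from breaking the other two. The rewritten post_up hooks also no longer set `net.ipv4.conf.all.forwarding=1` / `net.ipv6.conf.all.forwarding=1` or `ens18.proxy_arp` / `ens18.proxy_ndp`, which the removed lines did; unless the role now sets these persistently elsewhere (not visible in this patch), a freshly booted host comes up without forwarding and without proxy ARP/NDP on the upstream interface, and the same drop appears in the routeur-ft and routeur-thot hunks. Dropping the global `forwarding=0` from pre_down is correct, since with three tunnels one tunnel's teardown would otherwise have disabled forwarding for the others. `%i` is a wg-quick substitution, so this presumably relies on the role rendering these hooks as wg-quick `PostUp`/`PreDown` lines; if it renders them through anything else the placeholder will not be expanded.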
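Review bot: The values under `proxy:` (`viarezo: "viarezo"`, `aurore: "aurore"`, and the unchanged `default: "ens18"` and `ovh: "sputnik"`) are now interface names that must match `tunnels[].name` in the same file exactly, but nothing in the file ties the two together, and a mismatch presumably only surfaces when proxy.py tries to add a route on a device that does not exist. A comment above `proxy:` such as `# values are interface names: ens18 or a tunnel name from loc_wireguard.tunnels above` would make the dependency visible to the next person who renames a tunnel.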
@@ -5,25 +5,25 @@ interfaces:
 
 loc_wireguard:
   tunnels:
-    - name: "wg0"
+    - name: "boeing"
       listen_port: 51820
       private_key: "{{ vault.wireguard.routeur_ft.privkey }}"
       table: "off"
       peers:
-        - public_key: "{{ vault.wireguard.boeing.pubkey }}"
+        - public_key: "{{ vault.wireguard.boeing.viarezo.pubkey }}"
           allowed_ips:
             - "{{ query('ldap', 'network', 'adm') }}"
             - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
-          endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ipv4 | first }}:51820"
+          endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ipv4 | first }}:51821"
           persistent_keepalive: 25
       post_up:
-        - "sysctl -w net.ipv4.conf.all.forwarding=1; sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.wg0.proxy_arp=1"
-        - "sysctl -w net.ipv6.conf.all.forwarding=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.wg0.proxy_ndp=1"
-        - "ip route add 172.16.10.1 dev wg0 proto proxy"
+        - "sysctl -w net.ipv4.conf.%i.proxy_arp=1"
+        - "sysctl -w net.ipv6.conf.%i.proxy_ndp=1"
+        - "ip route add 172.16.10.1 dev %i proto proxy"
         - "python3 /var/local/services/proxy/proxy.py --alter"
       pre_down:
-        - "sysctl -w net.ipv4.conf.all.forwarding=0; sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.wg0.proxy_arp=0"
-        - "sysctl -w net.ipv6.conf.all.forwarding=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.wg0.proxy_ndp=0"
+        - "sysctl -w net.ipv4.conf.%i.proxy_arp=0"
+        - "sysctl -w net.ipv6.conf.%i.proxy_ndp=0"
         - "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy"
 
 loc_service_proxy:
@@ -33,5 +33,5 @@ loc_service_proxy:
     protocol: "proxy"
     filter: "adm.crans.org"
     proxy:
-      default: "wg0"
+      default: "boeing"
       viarezo: "ens18"
diff --git a/host_vars/routeur-thot.adm.crans.org.yml b/host_vars/routeur-thot.adm.crans.org.yml
index d5c81610..3bd9c1c5 100644
--- a/host_vars/routeur-thot.adm.crans.org.yml
+++ b/host_vars/routeur-thot.adm.crans.org.yml
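Review bot: Renaming the tunnel interface from `wg0` to `boeing` at `- name: "boeing"` changes the kernel device name, so any firewall rules, monitoring or other host_vars that still reference `wg0` on routeur-ft (none are visible in this patch) will silently stop matching; the routeur-thot hunk makes the same rename. The endpoint port `51821` here matches the `viarezo` listen_port on boeing in this patch, and thot's `51822` matches `aurore`, but the peer public key now comes from `vault.wireguard.boeing.viarezo.pubkey`, so the vault must already hold the three distinct boeing keypairs before this is applied, or the run fails at template time. A comment on the peer such as `# boeing's "viarezo" tunnel (listen_port 51821); keypair is per tunnel in the vault` would record which of boeing's three tunnels this router is paired with.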
@@ -5,27 +5,28 @@ interfaces:
 
 loc_wireguard:
   tunnels:
-    - name: "wg0"
+    - name: "boeing"
       listen_port: 51820
       private_key: "{{ vault.wireguard.routeur_thot.privkey }}"
       table: "off"
       peers:
-        - public_key: "{{ vault.wireguard.boeing.pubkey }}"
+        - public_key: "{{ vault.wireguard.boeing.aurore.pubkey }}"
           allowed_ips:
             - "{{ query('ldap', 'network', 'adm') }}"
             - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
-          endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ipv4 | first }}:51820"
+          endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ipv4 | first }}:51822"
           persistent_keepalive: 25
       post_up:
-        - "sysctl -w net.ipv4.conf.all.forwarding=1; sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.wg0.proxy_arp=1"
-        - "sysctl -w net.ipv6.conf.all.forwarding=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.wg0.proxy_ndp=1"
-        - "ip route add 172.16.10.1 dev wg0 proto proxy"
+        - "sysctl -w net.ipv4.conf.%i.proxy_arp=1"
+        - "sysctl -w net.ipv6.conf.%i.proxy_ndp=1"
+        - "ip route add 172.16.10.1 dev %i proto proxy"
         - "python3 /var/local/services/proxy/proxy.py --alter"
       pre_down:
-        - "sysctl -w net.ipv4.conf.all.forwarding=0; sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.wg0.proxy_arp=0"
-        - "sysctl -w net.ipv6.conf.all.forwarding=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.wg0.proxy_ndp=0"
+        - "sysctl -w net.ipv4.conf.%i.proxy_arp=0"
+        - "sysctl -w net.ipv6.conf.%i.proxy_ndp=0"
         - "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy"
 
+
 loc_service_proxy:
   config:
     ldap:
@@ -33,5 +34,5 @@ loc_service_proxy:
     protocol: "proxy"
     filter: "adm.crans.org"
     proxy:
-      default: "wg0"
+      default: "boeing"
       aurore: "ens18"
diff --git a/host_vars/sputnik.adm.crans.org.yml b/host_vars/sputnik.adm.crans.org.yml
index 356ff00d..5416e20b 100644
--- a/host_vars/sputnik.adm.crans.org.yml
+++ b/host_vars/sputnik.adm.crans.org.yml
@@ -17,7 +17,7 @@ loc_wireguard:
       listen_port: 51820
       private_key: "{{ vault.wireguard.sputnik.privkey }}"
       peers:
-        - public_key: "{{ vault.wireguard.boeing.pubkey }}"
+        - public_key: "{{ vault.wireguard.boeing.sputnik.pubkey }}"
           allowed_ips:
             - "{{ query('ldap', 'network', 'adm') }}"
             - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"