authorChristian Pointner <equinox@spreadspace.org>2019-07-29 00:34:45 +0200
committerChristian Pointner <equinox@spreadspace.org>2019-07-29 00:34:45 +0200
commit76dcda830cbd5a5ba68b42121d2464f3b73ac977 (patch)
treedb03c228ce0e37a32eca42bb25be6adfbbe89968 /inventory/host_vars/ch-router.yml
parentMerge branch 'buster-unpredictable-network-ifnames' (diff)
finalize ch-router config
Diffstat (limited to 'inventory/host_vars/ch-router.yml')
-rw-r--r--inventory/host_vars/ch-router.yml126
1 files changed, 125 insertions, 1 deletions
diff --git a/inventory/host_vars/ch-router.yml b/inventory/host_vars/ch-router.yml
index fe313d87..a4d8c2c7 100644
--- a/inventory/host_vars/ch-router.yml
+++ b/inventory/host_vars/ch-router.yml
@@ -27,9 +27,75 @@ openwrt_packages_add:
- usbutils
- kmod-ipt-nat
- kmod-ipt-conntrack
-
+ - openvpn
openwrt_mixin:
+ /etc/openvpn/ca.crt:
+ content: "{{ openvpn_ca_certificate }}"
+
+ /etc/openvpn/dhparams:
+ mode: "0600"
+ content: "{{ openvpn_dhparams }}"
+
+ /etc/openvpn/ta.key:
+ mode: "0600"
+ content: "{{ openvpn_ta_key }}"
+
+ /etc/openvpn/server.crt:
+ content: |
+ -----BEGIN CERTIFICATE-----
+ MIIHXDCCBUSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBqzELMAkGA1UEBhMCQVQx
+ DzANBgNVBAgTBlN0eXJpYTENMAsGA1UEBxMER3JhejEWMBQGA1UEChMNY2hhb3Mg
+ YXQgaG9tZTEPMA0GA1UECxMGc3lzb3BzMRkwFwYDVQQDExBjaGFvcyBhdCBob21l
+ IENBMRAwDgYDVQQpEwdFYXN5UlNBMSYwJAYJKoZIhvcNAQkBFhdhZG1pbkBjaGFv
+ cy1hdC1ob21lLm9yZzAeFw0xNTA1MDIwMTU3NDZaFw0yNTA0MjkwMTU3NDZaMIGi
+ MQswCQYDVQQGEwJBVDEPMA0GA1UECBMGU3R5cmlhMQ0wCwYDVQQHEwRHcmF6MRYw
+ FAYDVQQKEw1jaGFvcyBhdCBob21lMQ8wDQYDVQQLEwZzeXNvcHMxEDAOBgNVBAMT
+ B3BhbmRvcmExEDAOBgNVBCkTB0Vhc3lSU0ExJjAkBgkqhkiG9w0BCQEWF2FkbWlu
+ QGNoYW9zLWF0LWhvbWUub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC
+ AgEAvwp3VeAZ2+uWLv0ePQ+I8T+0JMQkCdpv2Hn8gEQyUe4ubPtR6SE7455mXtGS
+ WA67M9uHmX6jleQmap7VQPweBy5UD6ge5q39oJMB5G2wug2/QRcgTZVF1r14ZEmk
+ mI31fQBHI/8M3gtMGzB5q0ohsaOuNSEyQir/CBDlDoyOzcVKRC3hQ4DVqD1Trp2M
+ +bxINC9jcQUQd/U5+Ui51tlSBMs/M+0gAlD0kypgcQNZcDDsLW+iTF79/XMweowp
+ bRDv8GbabL1E5kMYL1Ii0vNV6xmjbiyI/tX4DMyKa5d2LI80X932U/ILyq01GVhq
+ bhribfZzqfJhC7zAc09zw2NfQ2F6ZAAcTMmCK/GFTpKWgBufRl7gr93f3mNDzVP4
+ 9KDvQa62CUKEy7ELwxpAEyAlGEkym2Nw+SfiAy2W2uHrpV5UF4uVs58MKUnq3Ktw
+ O04comiuLnXkY9/7USrMngnuJdxcwd6kEXuk6WUZGHWhgGkdP6Ww5DE2HNicSHnT
+ 2gJFOkvvyXO5G7rmndJgK4dlsDuTdax6obIVyVEn20L8sLhuzQwfg1Z+1rnvkZVC
+ 0n9gYp104e36HrAhX5xYwkZ2sn1Rls/PU94ciH/7TjCXOxdOLcXw4yo2btsGNtli
+ 9I/tjPn5GHgLWa8VCGdGBsij7XP2AqPFGnzqS2lFi28YxukCAwEAAaOCAZAwggGM
+ MAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDQGCWCGSAGG+EIBDQQnFiVF
+ YXN5LVJTQSBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBR/
+ DVVuzBz4Tb2mji2hC3IeOR5t7jCB4AYDVR0jBIHYMIHVgBTgUyHn3CGUn931tyDF
+ WVoc7+gfBaGBsaSBrjCBqzELMAkGA1UEBhMCQVQxDzANBgNVBAgTBlN0eXJpYTEN
+ MAsGA1UEBxMER3JhejEWMBQGA1UEChMNY2hhb3MgYXQgaG9tZTEPMA0GA1UECxMG
+ c3lzb3BzMRkwFwYDVQQDExBjaGFvcyBhdCBob21lIENBMRAwDgYDVQQpEwdFYXN5
+ UlNBMSYwJAYJKoZIhvcNAQkBFhdhZG1pbkBjaGFvcy1hdC1ob21lLm9yZ4IJAOGc
+ Xf3qnvfBMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIFoDASBgNVHREE
+ CzAJggdwYW5kb3JhMA0GCSqGSIb3DQEBCwUAA4ICAQBTa8rgGfdlmKOhrzZEPUCZ
+ eAEICIpI1GnrHNLNAmbM4OIEO8lNPEVcsalqJSvFXaRh5lRBd4zGDhE2sehL13sX
+ ceeZTh4Ss6xBguHWh3ZCLcZimqbritAF9zl53Aer6AeCw0lYTlgFVgZBPU9X4UXV
+ mKqrmuorOy34vN/slRcsACrlWXonYAIrhSf6KPnTfmewp7c9LG2M8PBab05QC2tt
+ NYy9lKN6bf6e16lTREInQcf6t29OihbgWeOur4EdFg5QuckYDvr/fbbK1D2tVFjR
+ 9p8jgb7gJfvbqSc9oA6RoLQCr5mpTZeYrJWoCGlT943sXwTemPSL9NcDq/hr0RDY
+ uYUGWWR7uKi4RwGt1S5TvpEsE0p1KeiEpytInC4crWUeX5eU5oHqEmwbKFTkzTXM
+ yTj6EL4hTK5nHCGPYgY6umnPnTEc/Z7/kB9GPV4dOqu8qCWL+82+4y5PPSw/6H9B
+ BY5WYFlE66aYHpRvAseN7HKU1lqcX09rx6vTjVKtBilga3m44pOxPPgI9FN6XYQl
+ r43j0QX7FStrSTBkU7QgkXimU7jxJF7PczAhwQW8+Eyk2T2C9o8/w6T27UqMVByB
+ xnw1Z7IOVbenP1JUpX+xKvweCFjkcdGHF+bQ3ufWmo3MIwsapKC1859E37ENqWaF
+ 8ucdxgsmNPJk/dyj/4vqxQ==
+ -----END CERTIFICATE-----
+
+ /etc/openvpn/server.key:
+ mode: "0600"
+ content: "{{ vault_openvpn_key }}"
+
+ /etc/openvpn/ipp.txt:
+ mode: "0444"
+ content: |
+ pan,192.168.8.4
+ mimas,192.168.8.8
+
/etc/dropbear/authorized_keys:
content: "{{ ssh_keys_root | join('\n') }}\n"
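Review bot: `/etc/openvpn/ta.key` is a shared secret, yet its content comes from `openvpn_ta_key` while the private key at `/etc/openvpn/server.key` is sourced from `vault_openvpn_key`; unless `openvpn_ta_key` is itself defined from vaulted data elsewhere, the tls-auth key should follow the same pattern, e.g. `content: "{{ vault_openvpn_ta_key }}"`. The server certificate is pasted inline as a block scalar whereas the CA certificate comes from a variable; sourcing it the same way (`content: "{{ openvpn_server_certificate }}"`) keeps the host_vars readable and makes rotation a one-place change. The UTCTime fields in the inline certificate appear to decode to a validity window of 2015-05-02 to 2025-04-29, i.e. a ten-year server certificate; a comment above `/etc/openvpn/server.crt:` recording the expiry date would help whoever has to rotate it. `mode: "0600"` on `dhparams` is harmless but stricter than needed, since DH parameters are not secret.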
@@ -72,15 +138,32 @@ openwrt_mixin:
iptables -A INPUT -i "$MGMT_IF" -d "$MGMT_IPADDR" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT
+ ## VPN Traffic
+ iptables -A FORWARD -i extern0 -s 192.168.8.0/24 -o "$SVC_IF" -j ACCEPT
+ iptables -A FORWARD -i "$SVC_IF" -o extern0 -d 192.168.8.0/24 -j ACCEPT
+
+
## WAN Traffic
#
iptables -A INPUT -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p icmp -j ACCEPT
iptables -A INPUT -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport "$SSH_PORT" -j ACCEPT
+ iptables -A INPUT -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i "$MAGENTA_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 2342 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-jump']) | ipaddr('address') }}"
iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-jump']) | ipaddr('address') }}" -p tcp --dport 2342 -j ACCEPT
+ iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 80 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-web']) | ipaddr('address') }}"
+ iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 443 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-web']) | ipaddr('address') }}"
+ iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-web']) | ipaddr('address') }}" -p tcp --dport 80 -j ACCEPT
+ iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-web']) | ipaddr('address') }}" -p tcp --dport 443 -j ACCEPT
+
+ iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 143 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-mail']) | ipaddr('address') }}:144"
+ iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 993 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-mail']) | ipaddr('address') }}"
+ iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-mail']) | ipaddr('address') }}" -p tcp --dport 144 -j ACCEPT
+ iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-mail']) | ipaddr('address') }}" -p tcp --dport 993 -j ACCEPT
+
+
## LAN Traffic
#
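Review bot: The two `## VPN Traffic` rules accept every protocol and port in both directions between `extern0` and `$SVC_IF`, so a VPN client has unrestricted access to the whole svc zone and any svc host can open new connections to VPN clients; unless svc-initiated connections to clients are intended, the return direction should be stateful: `iptables -A FORWARD -i "$SVC_IF" -o extern0 -d 192.168.8.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`. The VPN subnet `192.168.8.0/24` is repeated here, in `ipp.txt` and in the `server` option of the UCI section; a single variable would keep the firewall and the OpenVPN server definition in sync. Nothing in the hunk adds an INPUT rule for `extern0`, so what VPN clients can reach on the router itself depends on the INPUT policy and rules set outside this hunk — a one-line comment stating the intent either way would help. The firewall script this hunk belongs to starts and ends outside the hunk.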
@@ -105,6 +188,7 @@ openwrt_mixin:
iptables -F INPUT
iptables -P FORWARD ACCEPT
iptables -F FORWARD
+ iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
}
@@ -141,6 +225,39 @@ openwrt_uci:
RootPasswordAuth: 'off'
Port: '{{ ansible_port | default(22) }}'
+ openvpn:
+ - name: openvpn 'extern'
+ options:
+ enabled: '1'
+ port: '1194'
+ proto: 'udp'
+ dev_type: 'tun'
+ dev: 'extern0'
+
+ server: '192.168.8.0 255.255.255.0'
+ client_to_client: '1'
+ ifconfig_pool_persist: '/etc/openvpn/ipp.txt'
+ push:
+ - 'route 192.168.28.0 255.255.255.0'
+ - 'route 192.168.32.0 255.255.255.0'
+
+ tls_auth: '/etc/openvpn/ta.key 0'
+ ca: '/etc/openvpn/ca.crt'
+ cert: '/etc/openvpn/server.crt'
+ key: '/etc/openvpn/server.key'
+ dh: '/etc/openvpn/dhparams'
+
+ tls_cipher: 'DHE-RSA-AES256-SHA'
+ cipher: 'AES-256-CBC'
+ auth: 'SHA256'
+ comp_lzo: 'yes'
+
+ keepalive: '10 120'
+ persist_key: '1'
+ persist_tun: '1'
+ user: 'nobody'
+ verb: '3'
+
network:
- name: globals 'globals'
options:
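Review bot: `comp_lzo: 'yes'` turns on link compression, which OpenVPN upstream has deprecated because compressing attacker-influenced plaintext inside the tunnel leaks information (the VORACLE class of issues); unless existing clients require it, `comp_lzo: 'no'` or dropping the option is the safer default. `tls_cipher: 'DHE-RSA-AES256-SHA'` pins a single CBC suite with a SHA-1 HMAC on the control channel and `cipher: 'AES-256-CBC'` a non-AEAD data cipher; if the OpenWrt OpenVPN build is 2.4 or newer, `cipher: 'AES-256-GCM'` together with `tls_version_min: '1.2'` would be the current recommendation, with the tls_cipher pin removed or widened to an ECDHE suite. `user: 'nobody'` has no companion `group` option; pairing the two is the usual way to drop both uid and gid, the group name depending on the OpenWrt build. The enclosing `openwrt_uci:` mapping starts outside the hunk.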
@@ -176,6 +293,13 @@ openwrt_uci:
ipaddr: "{{ network_zones.mgmt.prefix | ipaddr(network_zones.mgmt.offsets[inventory_hostname]) | ipaddr('address') }}"
netmask: "{{ network_zones.mgmt.prefix | ipaddr('netmask') }}"
+ - name: route 'lan'
+ options:
+ interface: svc
+ target: "{{ network_zones.lan.prefix | ipaddr('network') }}"
+ netmask: "{{ network_zones.lan.prefix | ipaddr('netmask') }}"
+ gateway: "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-gw-lan']) | ipaddr('address') }}"
+
virsh_domxml: |
<domain type='kvm'>