authorChristian Pointner <equinox@spreadspace.org>2022-11-19 11:53:33 +0100
committerChristian Pointner <equinox@spreadspace.org>2022-11-19 17:06:10 +0100
commitd5210c0d1632cdbe58f2e1ec0a3e9c36b242df78 (patch)
tree4536050e9e2a3df1d0d88c8464e6c1b34f5a8ab2 /inventory/host_vars/ch-router.yml
parentch-mimas: external_ip (diff)
ch-router: add wireguard remote interface (WIP)
Diffstat (limited to 'inventory/host_vars/ch-router.yml')
-rw-r--r--inventory/host_vars/ch-router.yml45
1 files changed, 43 insertions, 2 deletions
diff --git a/inventory/host_vars/ch-router.yml b/inventory/host_vars/ch-router.yml
index c0165250..794ae485 100644
--- a/inventory/host_vars/ch-router.yml
+++ b/inventory/host_vars/ch-router.yml
@@ -45,6 +45,8 @@ openwrt_packages_add:
- mtr
- usbutils
- openvpn-openssl
+ - kmod-wireguard
+ - wireguard-tools
- iptraf-ng
- prometheus-node-exporter-lua
- prometheus-node-exporter-lua-nat_traffic
@@ -156,9 +158,11 @@ openwrt_mixin:
define nic_mgmt = eth2
define nic_internal = eth0
define nic_openvpn = extern0
+ define nic_remote = remote
define prefix_mgmt = {{ network_zones.mgmt.prefix }}
define prefix_openvpn = 192.168.8.0/24
+ define prefix_remote = 192.168.51.0/24
define prefixes_internal = { {{ network_zones.svc.prefix }}, {{ network_zones.lan.prefix }} }
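Review bot: The new `define prefix_remote = 192.168.51.0/24` hard-codes the tunnel prefix, while the interface address added later in this same commit derives it from `network_zones.remote.prefix`; if the zone definition ever changes, the nftables defines and the UCI interface silently disagree. Template it the way the mgmt line above already does: `define prefix_remote = {{ network_zones.remote.prefix }}`. The same duplication applies to the `51820` literal that appears in the `udp dport { openvpn, 51820 } accept` rule of the next hunk and again as `listen_port` in the UCI section; a single define such as `define port_remote = 51820` (constructed name) or one shared host variable would keep the firewall and the listener in step. The surrounding `openwrt_mixin` block starts and ends outside this hunk.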
@@ -180,7 +184,7 @@ openwrt_mixin:
ip protocol icmp accept
ip6 nexthdr ipv6-icmp accept
tcp dport { {{ ansible_port }} } accept
- udp dport { openvpn } accept
+ udp dport { openvpn, 51820 } accept
}
chain input_openvpn {
@@ -189,10 +193,16 @@ openwrt_mixin:
tcp dport { {{ ansible_port }} } accept
}
+ chain input_remote {
+ ip saddr != $prefix_remote drop
+ ip protocol icmp accept
+ tcp dport { {{ ansible_port }} } accept
+ }
+
chain input {
type filter hook input priority filter; policy drop;
ct state vmap { established: accept, related: accept, invalid: drop }
- iifname vmap { lo: accept, $nic_mgmt: jump input_mgmt, $nic_internal: jump input_internal, $nic_magenta: jump input_magenta, $nic_openvpn: jump input_openvpn }
+ iifname vmap { lo: accept, $nic_mgmt: jump input_mgmt, $nic_internal: jump input_internal, $nic_magenta: jump input_magenta, $nic_openvpn: jump input_openvpn, $nic_remote: jump input_remote }
}
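Review bot: In the new `input_remote` chain the source check `ip saddr != $prefix_remote drop` matches IPv4 only, while `tcp dport { {{ ansible_port }} } accept` matches both address families, so an IPv6 packet arriving on the remote interface would reach the management-port accept without any source check. WireGuard's cryptokey routing presumably discards traffic outside the peers' allowed_ips (IPv4-only in this commit) before nftables sees it, but the chain should not rely on that; add `meta nfproto ipv6 drop` directly after the saddr line, or make the accepts positive (`ip saddr $prefix_remote tcp dport { {{ ansible_port }} } accept`) so anything else falls through to the input chain's `policy drop`. If `input_openvpn`, whose beginning lies outside this hunk, has the same shape, the same point applies there.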
@@ -203,6 +213,8 @@ openwrt_mixin:
iif $nic_internal ip saddr $prefixes_internal oif $nic_magenta accept
iif $nic_internal ip saddr $prefixes_internal oifname $nic_openvpn ip daddr $prefix_openvpn accept
iifname $nic_openvpn ip saddr $prefix_openvpn oif $nic_internal ip daddr $prefixes_internal accept
+ iif $nic_internal ip saddr $prefixes_internal oifname $nic_remote ip daddr $prefix_remote accept
+ iifname $nic_remote ip saddr $prefix_remote oif $nic_internal ip daddr $prefixes_internal accept ## TODO: review allowed connections
{% for name, svc in network_services.items() %}
iif $nic_magenta oif $nic_internal ip daddr {{ svc.addr }} tcp dport { {{ svc.ports | join(', ') }} } accept comment "Service: {{ name }}"
{% endfor %}
@@ -341,6 +353,35 @@ openwrt_uci:
netmask: "{{ network_zones.lan.prefix | ansible.utils.ipaddr('netmask') }}"
gateway: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-gw-lan']) | ansible.utils.ipaddr('address') }}"
+ - name: interface 'remote'
+ options:
+ proto: wireguard
+ private_key: "{{ vault_wireguard_remote_private_key }}"
+ listen_port: 51820
+ addresses:
+ - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets[inventory_hostname]) }}"
+ nohostroute: 1
+
+ - name: wireguard_remote 'ch-pan'
+ options:
+ public_key: "" ## TODO
+ # preshared_key: ""
+ endpoint_host: "{{ hostvars['ch-pan'].network.primary.address | ansible.utils.ipaddr('address') }}"
+ endpoint_port: 51820
+ allowed_ips:
+ - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-pan']) }}"
+ persistent_keepalive: 60
+
+ - name: wireguard_remote 'ch-mimas'
+ options:
+ public_key: "" ## TODO
+ # preshared_key: ""
+ endpoint_host: "{{ hostvars['ch-mimas'].external_ip }}"
+ endpoint_port: 51820
+ allowed_ips:
+ - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-mimas']) }}"
+ persistent_keepalive: 60
+
sqm:
- name: queue 'magenta'
options: