author | Christian Pointner <equinox@spreadspace.org> | 2022-11-20 23:30:14 +0100 |
---|---|---|
committer | Christian Pointner <equinox@spreadspace.org> | 2022-11-20 23:30:14 +0100 |
commit | b6d36823effe31d9c12c927f5d05ddab8c7005c0 (patch) | |
tree | f20a721e510a85da81428b2f7d9f46ae51614b05 /inventory | |
parent | ch-mimas: external_ip (diff) | |
parent | add wireguard-based remote vpn connections to ch-(pan|mimas) (diff) |
Merge branch 'topic/wireguard-extern-vpn'
Diffstat (limited to 'inventory')
-rw-r--r-- | inventory/group_vars/chaos-at-home/network.yml | 8 | ||||
-rw-r--r-- | inventory/host_vars/ch-mimas.yml | 23 | ||||
-rw-r--r-- | inventory/host_vars/ch-pan.yml | 23 | ||||
-rw-r--r-- | inventory/host_vars/ch-router.yml | 48 | ||||
-rw-r--r-- | inventory/host_vars/ele-gwhetzner.yml | 8 | ||||
-rw-r--r-- | inventory/host_vars/s2-thetys.yml | 16 |
6 files changed, 110 insertions, 16 deletions
diff --git a/inventory/group_vars/chaos-at-home/network.yml b/inventory/group_vars/chaos-at-home/network.yml
index f461cc3c..0831d324 100644
--- a/inventory/group_vars/chaos-at-home/network.yml
+++ b/inventory/group_vars/chaos-at-home/network.yml
@@ -87,7 +87,6 @@ network_zones: ## legacy stuff ch-auth-legacy: 88 - mgmt: vlan: 42 prefix: 192.168.42.0/24
@@ -120,6 +119,13 @@ network_zones: offsets: ch-router: 2 + remote: + prefix: 192.168.51.0/24 + offsets: + ch-router: 1 + ch-pan: 2 + ch-mimas: 3 + network_services: ssh-jump:
diff --git a/inventory/host_vars/ch-mimas.yml b/inventory/host_vars/ch-mimas.yml
index 2bafafe1..32db8f65 100644
--- a/inventory/host_vars/ch-mimas.yml
+++ b/inventory/host_vars/ch-mimas.yml
@@ -47,6 +47,29 @@ zfs_sanoid_modules: process_children_only: yes +wireguard_p2p_interface: + name: remote0 + description: connection to chaos-at-home internal services + listen_port: 51820 + addresses: + - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets[inventory_hostname]) }}" + static_routes: + - dest: "{{ network_zones.svc.prefix }}" + gw: "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-router']) | ansible.utils.ipaddr('address') }}" + - dest: "{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}/32" + gw: "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-router']) | ansible.utils.ipaddr('address') }}" + +wireguard_p2p_peers: + - pub_key: "9pUDet+les5aI9UnHHVgyw95hNBxlAX8DBCxTjigpEI=" + endpoint: + host: "{{ network_zones.magenta.prefix | ansible.utils.ipaddr(network_zones.magenta.offsets['ch-router']) | ansible.utils.ipaddr('address') }}" + port: 51820 + allowed_ips: + - "{{ network_zones.remote.prefix }}" + - "{{ network_zones.svc.prefix }}" + - "{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}/32" + + bind_option_empty_zones_enable: no bind_option_allow_transfer: [] bind_option_allow_recursion:
diff --git a/inventory/host_vars/ch-pan.yml b/inventory/host_vars/ch-pan.yml
index 9f18ed93..5beabb31 100644
--- a/inventory/host_vars/ch-pan.yml
+++ b/inventory/host_vars/ch-pan.yml
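Review bot: The `wireguard_p2p_interface` and `wireguard_p2p_peers` blocks added here are byte-identical to the ones the next hunk adds to ch-pan.yml; the only host-specific value is looked up through `inventory_hostname`, so one copy in a group_vars file for a group containing ch-pan and ch-mimas would stop the two hosts from drifting apart (a changed route or allowed_ips entry on one side would otherwise go unnoticed). Both hosts set `listen_port: 51820`, and the router side of this commit configures an endpoint and `persistent_keepalive: 60` toward each of them, so it will initiate; nothing in this diff shows a host-firewall rule admitting udp/51820 on ch-pan or ch-mimas, which is worth confirming if they run one. The `static_routes` destinations and the peer's `allowed_ips` name the same three prefixes, matching the forward rules added on the router, so the routing side looks consistent.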
@@ -41,6 +41,29 @@ sshd_allowusers_host: "{{ admin_users_host + ['dyndns'] }}" ntp_variant: systemd-timesyncd +wireguard_p2p_interface: + name: remote0 + description: connection to chaos-at-home internal services + listen_port: 51820 + addresses: + - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets[inventory_hostname]) }}" + static_routes: + - dest: "{{ network_zones.svc.prefix }}" + gw: "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-router']) | ansible.utils.ipaddr('address') }}" + - dest: "{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}/32" + gw: "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-router']) | ansible.utils.ipaddr('address') }}" + +wireguard_p2p_peers: + - pub_key: "9pUDet+les5aI9UnHHVgyw95hNBxlAX8DBCxTjigpEI=" + endpoint: + host: "{{ network_zones.magenta.prefix | ansible.utils.ipaddr(network_zones.magenta.offsets['ch-router']) | ansible.utils.ipaddr('address') }}" + port: 51820 + allowed_ips: + - "{{ network_zones.remote.prefix }}" + - "{{ network_zones.svc.prefix }}" + - "{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}/32" + + nginx_server_names_hash_bucket_size: 64 acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
diff --git a/inventory/host_vars/ch-router.yml b/inventory/host_vars/ch-router.yml
index c0165250..ce4ed984 100644
--- a/inventory/host_vars/ch-router.yml
+++ b/inventory/host_vars/ch-router.yml
@@ -45,6 +45,8 @@ openwrt_packages_add: - mtr - usbutils - openvpn-openssl + - kmod-wireguard + - wireguard-tools - iptraf-ng - prometheus-node-exporter-lua - prometheus-node-exporter-lua-nat_traffic
@@ -156,11 +158,14 @@ openwrt_mixin: define nic_mgmt = eth2 define nic_internal = eth0 define nic_openvpn = extern0 + define nic_remote = remote define prefix_mgmt = {{ network_zones.mgmt.prefix }} define prefix_openvpn = 192.168.8.0/24 + define prefix_remote = 192.168.51.0/24 + define prefix_svc = {{ network_zones.svc.prefix }} define prefixes_internal = { {{ network_zones.svc.prefix }}, {{ network_zones.lan.prefix }} } - + define ip_prometheus_legacy = {{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }} table inet global { ## INPUT
@@ -180,7 +185,7 @@ openwrt_mixin: ip protocol icmp accept ip6 nexthdr ipv6-icmp accept tcp dport { {{ ansible_port }} } accept - udp dport { openvpn } accept + udp dport { openvpn, 51820 } accept } chain input_openvpn {
@@ -189,10 +194,16 @@ openwrt_mixin: tcp dport { {{ ansible_port }} } accept } + chain input_remote { + ip saddr != $prefix_remote drop + ip protocol icmp accept + tcp dport { {{ ansible_port }} } accept + } + chain input { type filter hook input priority filter; policy drop; ct state vmap { established: accept, related: accept, invalid: drop } - iifname vmap { lo: accept, $nic_mgmt: jump input_mgmt, $nic_internal: jump input_internal, $nic_magenta: jump input_magenta, $nic_openvpn: jump input_openvpn } + iifname vmap { lo: accept, $nic_mgmt: jump input_mgmt, $nic_internal: jump input_internal, $nic_magenta: jump input_magenta, $nic_openvpn: jump input_openvpn, $nic_remote: jump input_remote } }
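Review bot: `define prefix_remote = 192.168.51.0/24` hardcodes the prefix that this same commit records as `network_zones.remote.prefix` in network.yml, while the neighbouring `prefix_mgmt`, `prefix_svc` and `ip_prometheus_legacy` defines are templated from `network_zones`; `define prefix_remote = {{ network_zones.remote.prefix }}` keeps the nft filter, the uci interface address and the peers' allowed_ips from ever disagreeing. The port literal `51820` likewise appears in `udp dport { openvpn, 51820 } accept` in the second hunk and again as the uci `listen_port` later in this file, so a host var (say `wireguard_remote_listen_port`) referenced from both places would give it one home. In the third hunk, `ip saddr != $prefix_remote drop` in `input_remote` repeats what WireGuard's cryptokey routing already enforces for the router's peers (their `allowed_ips` are single addresses inside that prefix); that is fine as defence in depth, but a short comment saying it is intentional would stop it being "cleaned up" later. The `openwrt_mixin` template these three hunks edit begins and ends outside them.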
@@ -203,6 +214,8 @@ openwrt_mixin: iif $nic_internal ip saddr $prefixes_internal oif $nic_magenta accept iif $nic_internal ip saddr $prefixes_internal oifname $nic_openvpn ip daddr $prefix_openvpn accept iifname $nic_openvpn ip saddr $prefix_openvpn oif $nic_internal ip daddr $prefixes_internal accept + iif $nic_internal ip saddr { $prefix_svc, $ip_prometheus_legacy } oifname $nic_remote ip daddr $prefix_remote accept + iifname $nic_remote ip saddr $prefix_remote oif $nic_internal ip daddr { $prefix_svc, $ip_prometheus_legacy } accept {% for name, svc in network_services.items() %} iif $nic_magenta oif $nic_internal ip daddr {{ svc.addr }} tcp dport { {{ svc.ports | join(', ') }} } accept comment "Service: {{ name }}" {% endfor %} 
@@ -341,6 +354,35 @@ openwrt_uci: netmask: "{{ network_zones.lan.prefix | ansible.utils.ipaddr('netmask') }}" gateway: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-gw-lan']) | ansible.utils.ipaddr('address') }}" + - name: interface 'remote' + options: + proto: wireguard + private_key: "{{ vault_wireguard_remote_private_key }}" + listen_port: 51820 + addresses: + - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets[inventory_hostname]) }}" + nohostroute: 1 + + - name: wireguard_remote 'pan' + options: + public_key: "sd/OqiO0hktuJ3FvIBnM8RJpqG0lkN7wWJjdKbU1TSw=" + # preshared_key: "" + endpoint_host: "{{ hostvars['ch-pan'].network.primary.address | ansible.utils.ipaddr('address') }}" + endpoint_port: 51820 + allowed_ips: + - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-pan']) | ansible.utils.ipaddr('address') }}" + persistent_keepalive: 60 + + - name: wireguard_remote 'mimas' + options: + public_key: "ZpvJ3Myn/FSJTqsEkNB5AQaVAuTqfFFCAqLomkeZV3g=" + # preshared_key: "" + endpoint_host: "{{ hostvars['ch-mimas'].external_ip }}" + endpoint_port: 51820 + allowed_ips: + - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-mimas']) | ansible.utils.ipaddr('address') }}" + persistent_keepalive: 60 + sqm: - name: queue 'magenta' options:
diff --git a/inventory/host_vars/ele-gwhetzner.yml b/inventory/host_vars/ele-gwhetzner.yml
index aa9cc7b3..d3faf0cf 100644
--- a/inventory/host_vars/ele-gwhetzner.yml
+++ b/inventory/host_vars/ele-gwhetzner.yml
@@ -87,7 +87,7 @@ wireguard_p2p_interface: addresses: - 192.168.123.1/30 -wireguard_p2p_peer: - pub_key: "RDNeaG06AUkEZqEr/v3zTidroGfTBTsXluOx2ArITyE=" - allowed_ips: - - 192.168.123.2/32 +wireguard_p2p_peers: + - pub_key: "RDNeaG06AUkEZqEr/v3zTidroGfTBTsXluOx2ArITyE=" + allowed_ips: + - 192.168.123.2/32
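Review bot: Both `wireguard_remote` peer entries carry a commented-out `# preshared_key: ""` that says nothing about whether a PSK is deliberately omitted or still to be added; either drop the two lines or replace them with something like `# preshared_key: intentionally unset` so the intent is on record. If one is added later it should be pulled from the vault the way `vault_wireguard_remote_private_key` is, since a preshared key is secret material, unlike the `public_key` values kept inline here. The `openwrt_uci` list these entries extend begins outside the hunk.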
diff --git a/inventory/host_vars/s2-thetys.yml b/inventory/host_vars/s2-thetys.yml
index 689c124b..d373ff63 100644
--- a/inventory/host_vars/s2-thetys.yml
+++ b/inventory/host_vars/s2-thetys.yml
@@ -85,11 +85,11 @@ wireguard_p2p_interface: addresses: - 192.168.123.2/30 -wireguard_p2p_peer: - pub_key: "r/pFU+OOHmSZUJPSA15emuCQhC/MvLnmfx5o5MPl7yo=" - keepalive_interval: 10 - endpoint: - host: 178.63.180.138 - port: 51920 - allowed_ips: - - 192.168.123.1/32 +wireguard_p2p_peers: + - pub_key: "r/pFU+OOHmSZUJPSA15emuCQhC/MvLnmfx5o5MPl7yo=" + keepalive_interval: 10 + endpoint: + host: 178.63.180.138 + port: 51920 + allowed_ips: + - 192.168.123.1/32 |