From d5210c0d1632cdbe58f2e1ec0a3e9c36b242df78 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Sat, 19 Nov 2022 11:53:33 +0100 Subject: ch-router: add wireguard remote interface (WIP) --- inventory/host_vars/ch-router.yml | 45 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 43 insertions(+), 2 deletions(-) (limited to 'inventory/host_vars/ch-router.yml') diff --git a/inventory/host_vars/ch-router.yml b/inventory/host_vars/ch-router.yml index c0165250..794ae485 100644 --- a/inventory/host_vars/ch-router.yml +++ b/inventory/host_vars/ch-router.yml @@ -45,6 +45,8 @@ openwrt_packages_add: - mtr - usbutils - openvpn-openssl + - kmod-wireguard + - wireguard-tools - iptraf-ng - prometheus-node-exporter-lua - prometheus-node-exporter-lua-nat_traffic @@ -156,9 +158,11 @@ openwrt_mixin: define nic_mgmt = eth2 define nic_internal = eth0 define nic_openvpn = extern0 + define nic_remote = remote define prefix_mgmt = {{ network_zones.mgmt.prefix }} define prefix_openvpn = 192.168.8.0/24 + define prefix_remote = 192.168.51.0/24 define prefixes_internal = { {{ network_zones.svc.prefix }}, {{ network_zones.lan.prefix }} } @@ -180,7 +184,7 @@ openwrt_mixin: ip protocol icmp accept ip6 nexthdr ipv6-icmp accept tcp dport { {{ ansible_port }} } accept - udp dport { openvpn } accept + udp dport { openvpn, 51820 } accept } chain input_openvpn { 
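Review bot: `define prefix_remote = 192.168.51.0/24` hard-codes the remote prefix, while the interface address added further down in this commit derives it from `network_zones.remote.prefix` and the neighbouring `prefix_mgmt` define already templates its zone. If the zone definition changes, the input_remote and forward rules keyed on `$prefix_remote` would silently stop matching the traffic they are meant to constrain. Suggest `define prefix_remote = {{ network_zones.remote.prefix }}` so the firewall and the interface cannot drift apart. The nftables block these defines sit in starts outside the hunk.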
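Review bot: The literal `51820` in `udp dport { openvpn, 51820 } accept` duplicates the `listen_port: 51820` set on the uci interface later in this commit, with nothing tying the two together. A `define port_remote = 51820` next to the other defines and `udp dport { openvpn, $port_remote } accept` keeps the accepted port and the listener in one place. The chain this rule belongs to starts outside the hunk; from the surrounding context it is presumably the upstream-facing input chain, which is the right place to admit the listener, but that cannot be confirmed from the lines shown.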
@@ -189,10 +193,16 @@ openwrt_mixin: tcp dport { {{ ansible_port }} } accept } + chain input_remote { + ip saddr != $prefix_remote drop + ip protocol icmp accept + tcp dport { {{ ansible_port }} } accept + } + chain input { type filter hook input priority filter; policy drop; ct state vmap { established: accept, related: accept, invalid: drop } - iifname vmap { lo: accept, $nic_mgmt: jump input_mgmt, $nic_internal: jump input_internal, $nic_magenta: jump input_magenta, $nic_openvpn: jump input_openvpn } + iifname vmap { lo: accept, $nic_mgmt: jump input_mgmt, $nic_internal: jump input_internal, $nic_magenta: jump input_magenta, $nic_openvpn: jump input_openvpn, $nic_remote: jump input_remote } } @@ -203,6 +213,8 @@ openwrt_mixin: iif $nic_internal ip saddr $prefixes_internal oif $nic_magenta accept iif $nic_internal ip saddr $prefixes_internal oifname $nic_openvpn ip daddr $prefix_openvpn accept iifname $nic_openvpn ip saddr $prefix_openvpn oif $nic_internal ip daddr $prefixes_internal accept + iif $nic_internal ip saddr $prefixes_internal oifname $nic_remote ip daddr $prefix_remote accept + iifname $nic_remote ip saddr $prefix_remote oif $nic_internal ip daddr $prefixes_internal accept ## TODO: review allowed connections {% for name, svc in network_services.items() %} iif $nic_magenta oif $nic_internal ip daddr {{ svc.addr }} tcp dport { {{ svc.ports | join(', ') }} } accept comment "Service: {{ name }}" {% endfor %} 
@@ -341,6 +353,35 @@ openwrt_uci: netmask: "{{ network_zones.lan.prefix | ansible.utils.ipaddr('netmask') }}" gateway: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-gw-lan']) | ansible.utils.ipaddr('address') }}" + - name: interface 'remote' + options: + proto: wireguard + private_key: "{{ vault_wireguard_remote_private_key }}" + listen_port: 51820 + addresses: + - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets[inventory_hostname]) }}" + nohostroute: 1 + + - name: wireguard_remote 'ch-pan' + options: + public_key: "" ## TODO + # preshared_key: "" + endpoint_host: "{{ hostvars['ch-pan'].network.primary.address | ansible.utils.ipaddr('address') }}" + endpoint_port: 51820 + allowed_ips: + - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-pan']) }}" + persistent_keepalive: 60 + + - name: wireguard_remote 'ch-mimas' + options: + public_key: "" ## TODO + # preshared_key: "" + endpoint_host: "{{ hostvars['ch-mimas'].external_ip }}" + endpoint_port: 51820 + allowed_ips: + - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-mimas']) }}" + persistent_keepalive: 60 + sqm: - name: queue 'magenta' options: -- cgit v1.2.3 From 0f6cabbae37d2750a1841d2e1abd07eca064af29 Mon Sep 17 00:00:00 2001 
From: Christian Pointner Date: Sun, 20 Nov 2022 23:30:00 +0100 Subject: add wireguard-based remote vpn connections to ch-(pan|mimas) --- chaos-at-home/ch-mimas.yml | 2 ++ chaos-at-home/ch-pan.yml | 2 ++ inventory/host_vars/ch-mimas.yml | 23 ++++++++++++++++++++++ inventory/host_vars/ch-pan.yml | 23 ++++++++++++++++++++++ inventory/host_vars/ch-router.yml | 19 +++++++++--------- roles/network/wireguard/p2p/defaults/main.yml | 9 ++++++--- roles/network/wireguard/p2p/tasks/main.yml | 16 ++++++++++++++- .../wireguard/p2p/templates/systemd.netdev.j2 | 4 ++++ .../wireguard/p2p/templates/systemd.network.j2 | 6 ++++++ 9 files changed, 91 insertions(+), 13 deletions(-) (limited to 'inventory/host_vars/ch-router.yml') diff --git a/chaos-at-home/ch-mimas.yml b/chaos-at-home/ch-mimas.yml index 178f9093..8aee418f 100644 --- a/chaos-at-home/ch-mimas.yml +++ b/chaos-at-home/ch-mimas.yml @@ -19,6 +19,8 @@ roles: - role: storage/zfs/pools - role: storage/zfs/sanoid + - role: network/wireguard/base + - role: network/wireguard/p2p - role: network/bind - role: acmetool/base - role: apt-repo/spreadspace diff --git a/chaos-at-home/ch-pan.yml b/chaos-at-home/ch-pan.yml index 93871234..6edd32fc 100644 --- a/chaos-at-home/ch-pan.yml +++ b/chaos-at-home/ch-pan.yml @@ -11,6 +11,8 @@ - name: Payload Setup hosts: ch-pan roles: + - role: network/wireguard/base + - role: network/wireguard/p2p - role: network/bind - role: dyndns/server - role: acmetool/base diff --git a/inventory/host_vars/ch-mimas.yml b/inventory/host_vars/ch-mimas.yml index 2bafafe1..32db8f65 100644 --- a/inventory/host_vars/ch-mimas.yml +++ b/inventory/host_vars/ch-mimas.yml 
@@ -47,6 +47,29 @@ zfs_sanoid_modules: process_children_only: yes +wireguard_p2p_interface: + name: remote0 + description: connection to chaos-at-home internal services + listen_port: 51820 + addresses: + - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets[inventory_hostname]) }}" + static_routes: + - dest: "{{ network_zones.svc.prefix }}" + gw: "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-router']) | ansible.utils.ipaddr('address') }}" + - dest: "{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}/32" + gw: "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-router']) | ansible.utils.ipaddr('address') }}" + +wireguard_p2p_peers: + - pub_key: "9pUDet+les5aI9UnHHVgyw95hNBxlAX8DBCxTjigpEI=" + endpoint: + host: "{{ network_zones.magenta.prefix | ansible.utils.ipaddr(network_zones.magenta.offsets['ch-router']) | ansible.utils.ipaddr('address') }}" + port: 51820 + allowed_ips: + - "{{ network_zones.remote.prefix }}" + - "{{ network_zones.svc.prefix }}" + - "{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}/32" + + bind_option_empty_zones_enable: no bind_option_allow_transfer: [] bind_option_allow_recursion: diff --git a/inventory/host_vars/ch-pan.yml b/inventory/host_vars/ch-pan.yml index 9f18ed93..5beabb31 100644 --- a/inventory/host_vars/ch-pan.yml +++ b/inventory/host_vars/ch-pan.yml 
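Review bot: The `wireguard_p2p_interface` and `wireguard_p2p_peers` blocks added here are repeated verbatim in inventory/host_vars/ch-pan.yml in the following file section of the same commit, down to the same `description`. Two copies of the router's public key, endpoint and allowed_ips mean a key rotation or prefix change has to be applied twice and can drift between the hosts. Moving the shared block into group_vars for a group holding ch-mimas and ch-pan would leave only host-specific values in host_vars, since `network_zones.remote.offsets[inventory_hostname]` already resolves per host. `description: connection to chaos-at-home internal services` is a plain scalar; quoting it guards against a later edit introducing `: ` or ` #` into the text.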
@@ -41,6 +41,29 @@ sshd_allowusers_host: "{{ admin_users_host + ['dyndns'] }}" ntp_variant: systemd-timesyncd +wireguard_p2p_interface: + name: remote0 + description: connection to chaos-at-home internal services + listen_port: 51820 + addresses: + - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets[inventory_hostname]) }}" + static_routes: + - dest: "{{ network_zones.svc.prefix }}" + gw: "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-router']) | ansible.utils.ipaddr('address') }}" + - dest: "{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}/32" + gw: "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-router']) | ansible.utils.ipaddr('address') }}" + +wireguard_p2p_peers: + - pub_key: "9pUDet+les5aI9UnHHVgyw95hNBxlAX8DBCxTjigpEI=" + endpoint: + host: "{{ network_zones.magenta.prefix | ansible.utils.ipaddr(network_zones.magenta.offsets['ch-router']) | ansible.utils.ipaddr('address') }}" + port: 51820 + allowed_ips: + - "{{ network_zones.remote.prefix }}" + - "{{ network_zones.svc.prefix }}" + - "{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}/32" + + nginx_server_names_hash_bucket_size: 64 acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}" diff --git a/inventory/host_vars/ch-router.yml b/inventory/host_vars/ch-router.yml index 794ae485..ce4ed984 100644 --- a/inventory/host_vars/ch-router.yml +++ b/inventory/host_vars/ch-router.yml 
@@ -163,8 +163,9 @@ openwrt_mixin: define prefix_mgmt = {{ network_zones.mgmt.prefix }} define prefix_openvpn = 192.168.8.0/24 define prefix_remote = 192.168.51.0/24 + define prefix_svc = {{ network_zones.svc.prefix }} define prefixes_internal = { {{ network_zones.svc.prefix }}, {{ network_zones.lan.prefix }} } - + define ip_prometheus_legacy = {{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }} table inet global { ## INPUT @@ -213,8 +214,8 @@ openwrt_mixin: iif $nic_internal ip saddr $prefixes_internal oif $nic_magenta accept iif $nic_internal ip saddr $prefixes_internal oifname $nic_openvpn ip daddr $prefix_openvpn accept iifname $nic_openvpn ip saddr $prefix_openvpn oif $nic_internal ip daddr $prefixes_internal accept - iif $nic_internal ip saddr $prefixes_internal oifname $nic_remote ip daddr $prefix_remote accept - iifname $nic_remote ip saddr $prefix_remote oif $nic_internal ip daddr $prefixes_internal accept ## TODO: review allowed connections + iif $nic_internal ip saddr { $prefix_svc, $ip_prometheus_legacy } oifname $nic_remote ip daddr $prefix_remote accept + iifname $nic_remote ip saddr $prefix_remote oif $nic_internal ip daddr { $prefix_svc, $ip_prometheus_legacy } accept {% for name, svc in network_services.items() %} iif $nic_magenta oif $nic_internal ip daddr {{ svc.addr }} tcp dport { {{ svc.ports | join(', ') }} } accept comment "Service: {{ name }}" {% endfor %} 
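Review bot: `iifname $nic_remote ip saddr $prefix_remote oif $nic_internal ip daddr { $prefix_svc, $ip_prometheus_legacy } accept` lets anything arriving over the remote tunnel reach any port on every host in the svc prefix, and the `## TODO: review allowed connections` comment that was moved above it acknowledges this is not final. The `network_services` loop just below already expresses per-service `tcp dport` sets for the upstream interface; reusing that dict for `$nic_remote` would narrow the tunnel to the services pan and mimas actually need. The outbound direction (`iif $nic_internal ... oifname $nic_remote`) carries connections initiated from the inside and is less exposed, so it could stay as written. The forward chain these rules belong to starts and ends outside the hunk.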
@@ -362,24 +363,24 @@ openwrt_uci: - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets[inventory_hostname]) }}" nohostroute: 1 - - name: wireguard_remote 'ch-pan' + - name: wireguard_remote 'pan' options: - public_key: "" ## TODO + public_key: "sd/OqiO0hktuJ3FvIBnM8RJpqG0lkN7wWJjdKbU1TSw=" # preshared_key: "" endpoint_host: "{{ hostvars['ch-pan'].network.primary.address | ansible.utils.ipaddr('address') }}" endpoint_port: 51820 allowed_ips: - - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-pan']) }}" + - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-pan']) | ansible.utils.ipaddr('address') }}" persistent_keepalive: 60 - - name: wireguard_remote 'ch-mimas' + - name: wireguard_remote 'mimas' options: - public_key: "" ## TODO + public_key: "ZpvJ3Myn/FSJTqsEkNB5AQaVAuTqfFFCAqLomkeZV3g=" # preshared_key: "" endpoint_host: "{{ hostvars['ch-mimas'].external_ip }}" endpoint_port: 51820 allowed_ips: - - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-mimas']) }}" + - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-mimas']) | ansible.utils.ipaddr('address') }}" persistent_keepalive: 60 sqm: diff --git a/roles/network/wireguard/p2p/defaults/main.yml b/roles/network/wireguard/p2p/defaults/main.yml index cb8d6f18..68000a83 100644 --- a/roles/network/wireguard/p2p/defaults/main.yml +++ b/roles/network/wireguard/p2p/defaults/main.yml @@ -5,7 +5,10 @@ # priv_key: secret # listen_port: 1234 # addresses: -# - 192.168.123.254/24 +# - 192.168.255.254/24 +# static_routes: +# - dest: 192.168.123.0/24 +# gw: 192.168.255.3 # wireguard_p2p_peers: # - pub_key: public_key_of_peer @@ -14,5 +17,5 @@ # host: 5.6.7.8 # port: 1234 # allowed_ips: -# - 192.168.255.3/32 -# - 192.168.123.0/24 +# - 192.168.255.3/32 +# - 192.168.123.0/24 
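Review bot: The new `allowed_ips` entries end with `| ansible.utils.ipaddr('address')`, which yields a bare address with no prefix length, whereas the matching entries written for ch-mimas and ch-pan in this same commit spell out `/32` explicitly. OpenWrt's wireguard handler passes these to `wg`, which I believe treats a bare address as a host route, but writing `"{{ ... | ansible.utils.ipaddr('address') }}/32"` on both peers removes the dependence on that default and makes the single-host intent visible. The `# preshared_key: ""` lines remain commented out; if a PSK is added later it must be set on both ends, and the p2p role's netdev template in this commit does not render one yet.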
diff --git a/roles/network/wireguard/p2p/tasks/main.yml b/roles/network/wireguard/p2p/tasks/main.yml index 78cfaf43..c1c21263 100644 --- a/roles/network/wireguard/p2p/tasks/main.yml +++ b/roles/network/wireguard/p2p/tasks/main.yml @@ -1,4 +1,18 @@ --- +- name: autogenerate wireguard private key file + when: "'priv_key' not in wireguard_p2p_interface" + block: + - name: generate private key + shell: + cmd: "umask 0027; wg genkey > '/etc/systemd/network/{{ wireguard_p2p_interface.name }}.privkey'" + creates: "/etc/systemd/network/{{ wireguard_p2p_interface.name }}.privkey" + + - name: make sure systemd-netword can read the private key file + file: + path: "/etc/systemd/network/{{ wireguard_p2p_interface.name }}.privkey" + mode: 0640 + group: systemd-network + - name: install wireguard interfaces (netdev) template: src: systemd.netdev.j2 @@ -13,7 +27,7 @@ dest: "/etc/systemd/network/{{ wireguard_p2p_interface.name }}.network" notify: restart systemd-networkd -- name: enable systemd-networkd +- name: make sure systemd-networkd is enabled systemd: name: systemd-networkd enabled: yes diff --git a/roles/network/wireguard/p2p/templates/systemd.netdev.j2 b/roles/network/wireguard/p2p/templates/systemd.netdev.j2 index 336fdfb2..3e73f474 100644 --- a/roles/network/wireguard/p2p/templates/systemd.netdev.j2 +++ b/roles/network/wireguard/p2p/templates/systemd.netdev.j2 @@ -7,7 +7,11 @@ Description={{ wireguard_p2p_interface.description }} [WireGuard] +{% if 'priv_key' in wireguard_p2p_interface %} PrivateKey={{ wireguard_p2p_interface.priv_key }} +{% else %} +PrivateKeyFile=/etc/systemd/network/{{ wireguard_p2p_interface.name }}.privkey +{% endif %} {% if 'listen_port' in wireguard_p2p_interface %} ListenPort={{ wireguard_p2p_interface.listen_port }} {% endif %} diff --git a/roles/network/wireguard/p2p/templates/systemd.network.j2 b/roles/network/wireguard/p2p/templates/systemd.network.j2 index 3d1e2431..e40e610b 100644 
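Review bot: `mode: 0640` in the "make sure systemd-netword can read the private key file" task is an unquoted octal literal; a YAML 1.1 loader hands Ansible the integer 416, and the file module documentation recommends quoting modes (`mode: "0640"`) so Ansible performs the string-to-octal conversion itself. The task name also has a typo: `systemd-netword` should read `systemd-networkd`. Separately, if `wg genkey` fails (for example because wireguard-tools is not yet installed) the shell redirection still creates an empty `.privkey`, and `creates:` will then skip regeneration on every later run; writing the key to a temporary path and moving it into place only on success, or removing the file when `wg genkey` exits non-zero, avoids leaving an unusable key file behind. The `umask 0027` does keep the file root-only until the follow-up task sets the group, which is the right order.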
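Review bot: The new `{% if 'priv_key' in wireguard_p2p_interface %}` branch keeps the inline `PrivateKey=` path, which embeds the secret in the rendered `.netdev`; systemd.netdev(5) recommends that such a file be owned by root:systemd-network with mode 0640, and the template task that installs it is outside this hunk, so its `mode` should be checked. The `PrivateKeyFile=` branch matches the `.privkey` file that the tasks change creates with group `systemd-network`, which is what networkd needs in order to read it. A comment above the block such as `{# an inline priv_key ends up in the rendered .netdev, so the template task must restrict its mode; the generated key file is the safer default #}` would document the trade-off for the next maintainer.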
--- a/roles/network/wireguard/p2p/templates/systemd.network.j2 +++ b/roles/network/wireguard/p2p/templates/systemd.network.j2 @@ -5,3 +5,9 @@ Name={{ wireguard_p2p_interface.name }} {% for addr in wireguard_p2p_interface.addresses %} Address={{ addr }} {% endfor %} +{% for route in wireguard_p2p_interface.static_routes | default([]) %} + +[Route] +Destination={{ route.dest }} +Gateway={{ route.gw }} +{% endfor %} -- cgit v1.2.3