From 194686564ee07a0030ef007fa9633f6f93ac5358 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Sat, 29 Feb 2020 19:08:52 +0100 Subject: ele-router basic wireguard setup --- inventory/host_vars/ele-gwhetzner.yml | 2 +- inventory/host_vars/ele-media.yml | 4 +- inventory/host_vars/ele-router.yml | 88 ++++++++++++++++++++++++++++++++--- 3 files changed, 85 insertions(+), 9 deletions(-) (limited to 'inventory/host_vars') diff --git a/inventory/host_vars/ele-gwhetzner.yml b/inventory/host_vars/ele-gwhetzner.yml index 3575c943..7ebda8ff 100644 --- a/inventory/host_vars/ele-gwhetzner.yml +++ b/inventory/host_vars/ele-gwhetzner.yml @@ -39,7 +39,7 @@ wireguard_keys: priv: "{{ vault_wireguard_priv_keys.elemedia }}" emc: pub: "xgBLLDTRrVxUG0BEr0gNQ6ofkXSRDQR7OXilxCCwtxs=" - priv: "{{ vault_wireguard_priv_keys.elemedia }}" + priv: "{{ vault_wireguard_priv_keys.emc }}" wireguard_gateway_tunnels: wg-elemedia: diff --git a/inventory/host_vars/ele-media.yml b/inventory/host_vars/ele-media.yml index d6b89a65..cffc462b 100644 --- a/inventory/host_vars/ele-media.yml +++ b/inventory/host_vars/ele-media.yml @@ -83,7 +83,9 @@ wireguard_gateway_tunnels: inner: 192.168.254.1 peers: - pub_key: "{{ hostvars['ele-gwhetzner'].wireguard_keys.elemedia.pub }}" - endpoint: 178.63.180.138:51820 # TODO: fix this variable "{{ hostvars['ele-gwhetzner'].external_ip }}" + endpoint: + host: 178.63.180.138 # TODO: fix this variable "{{ hostvars['ele-gwhetzner'].external_ip }}" + port: 51820 keepalive_interval: 15 allowed_ips: - 0.0.0.0/0 diff --git a/inventory/host_vars/ele-router.yml b/inventory/host_vars/ele-router.yml index 72cb2b14..908ed17b 100644 --- a/inventory/host_vars/ele-router.yml +++ b/inventory/host_vars/ele-router.yml 
@@ -4,14 +4,33 @@ wireguard_keys: pub: "fqaKDJbSj6V0H98d78d/lnFLolefgp6zDPH9bN4+zUY=" priv: "{{ vault_wireguard_priv_keys.gwhetzner }}" +wireguard_gateway_tunnels: + wg-emc: + priv_key: "{{ wireguard_keys.gwhetzner.priv }}" + addresses: + - 192.168.254.6/30 + peers: + - pub_key: "{{ hostvars['ele-gwhetzner'].wireguard_keys.emc.pub }}" + endpoint: + host: 178.63.180.138 # TODO: fix this variable "{{ hostvars['ele-gwhetzner'].external_ip }}" + port: 51821 + keepalive_interval: 15 + allowed_ips: + - 0.0.0.0/0 + + network_mgmt_zone: "{{ network_zones.mgmt }}" -network_internal_zone_names: +network_internal_zone_names__emc: + - emc +network_internal_zone_names__wan: - lan - guest - mixer - infoscreens +network_internal_zone_names: "{{ network_internal_zone_names__wan + network_internal_zone_names__emc }}" + openwrt_network_external: - name: switch_vlan @@ -68,6 +87,12 @@ openwrt_network_external: src: "{{ network_zones.funkfeuer.prefix | ipaddr(network_zones.funkfeuer.offsets[inventory_hostname]) | ipaddr('address') }}/32" lookup: 102 + - name: rule + options: + priority: 39001 + mark: 1 + lookup: 102 + - name: route 'ffdefault' options: interface: 'wanff' 
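Review bot: The fwmark literal `1` in the new `rule` entry (`mark: 1`, `lookup: 102`) is the same value the network-emc init script later in this file passes to `wg set wg-emc fwmark 1`, and nothing ties the two together; if one side is changed, the policy route for the tunnel's encapsulated packets silently stops matching and the wg-emc traffic falls back to the main table. Suggest a single host variable (a constructed name such as `wireguard_emc_fwmark: 1`) referenced from both places, e.g. `mark: "{{ wireguard_emc_fwmark }}"` here and `fwmark {{ wireguard_emc_fwmark }}` in the script. The hard-coded endpoint host `178.63.180.138` with the identical TODO also appears in the ele-media hunk of this commit; whatever variable eventually replaces it should be introduced once rather than per host.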
@@ -221,10 +246,46 @@ openwrt_mixin: /etc/htoprc: file: "{{ global_files_dir }}/common/htoprc" + /etc/wireguard/wg-emc.priv: + content: "{{ wireguard_gateway_tunnels['wg-emc'].priv_key }}\n" + mode: "0600" + + /etc/rc.d/S21network-emc: + link: "../init.d/network-emc" + + /etc/rc.d/K91network-emc: + link: "../init.d/network-emc" + + /etc/init.d/network-emc: + mode: "0755" + content: | + #!/bin/sh /etc/rc.common + + START=21 + STOP=91 + + start() { + ip link add dev wg-emc type wireguard + wg set wg-emc fwmark 1 private-key /etc/wireguard/wg-emc.priv + + {% for peer in wireguard_gateway_tunnels['wg-emc'].peers %} + wg set wg-emc peer {{ peer.pub_key }} endpoint {{ peer.endpoint.host }}:{{ peer.endpoint.port }} persistent-keepalive {{ peer.keepalive_interval }} allowed-ips {{ peer.allowed_ips | join(',') }} + {% endfor %} + + {% for addr in wireguard_gateway_tunnels['wg-emc'].addresses %} + ip addr add dev wg-emc {{ addr }} + {% endfor %} + ip link set up dev wg-emc + } + + stop() { + ip link del dev wgemc + } + /etc/rc.d/S22network-fw: link: "../init.d/network-fw" - /etc/rc.d/K91network-fw: + /etc/rc.d/K92network-fw: link: "../init.d/network-fw" /etc/init.d/network-fw: @@ -255,7 +316,12 @@ openwrt_mixin: iptables -A INPUT -i "$FF_IF" -p tcp --dport {{ ansible_port }} -j ACCEPT iptables -A INPUT -i "$FF_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - for zone in "{{ network_internal_zone_names | join('" "') }}"; do + iptables -A INPUT -i "wg-emc" -p icmp -j ACCEPT + iptables -A INPUT -i "wg-emc" -p tcp --dport {{ ansible_port }} -j ACCEPT + iptables -A INPUT -i "wg-emc" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + + # all internal zones + for zone in {{ network_internal_zone_names | join(' ') }}; do interface=$(uci get "network.$zone.ifname") ipaddr=$(uci get "network.$zone.ipaddr") netmask=$(uci get "network.$zone.netmask") 
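Review bot: `stop()` in the new `/etc/init.d/network-emc` script deletes `wgemc`, but the device created in `start()` is `wg-emc`, so stopping the service leaves the tunnel interface up with its private key loaded; the line should read `ip link del dev wg-emc`. A follow-on effect is that a restart will fail at `ip link add dev wg-emc type wireguard` with an already-exists error, because `start()` has no guard for a pre-existing device; deleting it first (`ip link del dev wg-emc 2>/dev/null`) or checking for it would make the script idempotent. The key file with `mode: "0600"` and the `content: "...\n"` form look correct.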
@@ -270,10 +336,18 @@ openwrt_mixin: iptables -A INPUT -i "$interface" -p icmp -d "$ipaddr" -s "$ipaddr/$netmask" -j ACCEPT iptables -A INPUT -i "$interface" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - - iptables -A FORWARD -i "$interface" -o "$WAN_IF" -s "$ipaddr/$netmask" -j ACCEPT - iptables -A FORWARD -i "$WAN_IF" -o "$interface" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$ipaddr/$netmask" -j MASQUERADE + case "$zone" in + {{ network_internal_zone_names__wan | join('|') }}) + iptables -A FORWARD -i "$interface" -o "$WAN_IF" -s "$ipaddr/$netmask" -j ACCEPT + iptables -A FORWARD -i "$WAN_IF" -o "$interface" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$ipaddr/$netmask" -j MASQUERADE + ;; + {{ network_internal_zone_names__emc | join('|') }}) + iptables -A FORWARD -i "$interface" -o "$FF_IF" -s "$ipaddr/$netmask" -j ACCEPT + iptables -A FORWARD -i "$FF_IF" -o "$interface" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -t nat -A POSTROUTING -o "$FF_IF" -s "$ipaddr/$netmask" -j MASQUERADE + ;; + esac done iptables -P INPUT DROP -- cgit v1.2.3
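Review bot: The new emc arm of the `case` forwards and masquerades zone traffic to `$FF_IF`, the funkfeuer uplink, while the tunnel this commit creates (`wg-emc`, fwmark-routed with `allowed_ips: 0.0.0.0/0`) is not referenced here at all; if the intent is that emc hosts reach the gateway through the tunnel, these three rules should use `wg-emc` as the out-interface, e.g. `iptables -A FORWARD -i "$interface" -o wg-emc -s "$ipaddr/$netmask" -j ACCEPT` with the matching conntrack return rule and POSTROUTING line, and network-emc would also need a route steering the zone into `wg-emc`, since `wg set` installs no routes. As written the emc zone's traffic would leave in the clear via `$FF_IF`, though I cannot see whether routing configured elsewhere already points it at the tunnel. The `case` has no `*)` arm, so a zone present in `network_internal_zone_names` but in neither sub-list gets INPUT rules and no forwarding without any notice. The enclosing `for zone` loop and the firewall script itself begin before this hunk.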