Split bridge and wireguard into separate roles

This commit is contained in:
Wojciech Kozlowski 2022-12-09 22:45:58 +01:00
parent 8004b13c9e
commit 219fa8f044
18 changed files with 165 additions and 152 deletions

View File

@ -4,12 +4,8 @@
roles: roles:
- role: "base" - role: "base"
tags: "vpn:base" tags: "vpn:base"
- role: "wireguard"
# - name: "vpn : bifrost" tags: "vpn:wireguard"
# hosts: "bifrost"
# roles:
# - role: "gateway"
# tags: "vpn:gateway"
- name: "vpn : asgard" - name: "vpn : asgard"
hosts: "asgard" hosts: "asgard"

View File

@ -8,44 +8,22 @@ argument_specs:
local_network: local_network:
type: "str" type: "str"
required: false required: false
vpn_bridge_routing_table:
type: "int"
required: true
vpn_bridge_dnat: vpn_bridge_dnat:
type: "list" type: "list"
elements: "dict" elements: "dict"
required: true required: true
vpn_bridge_br0_address: vpn_bridge_address:
type: "str" type: "str"
required: true required: true
vpn_bridge_br0_broadcast: vpn_bridge_broadcast:
type: "str" type: "str"
required: true required: true
vpn_bridge_br0_netmask: vpn_bridge_netmask:
type: "str" type: "str"
required: true required: true
vpn_bridge_role: vpn_wireguard_role:
type: "str" type: "str"
required: true required: true
vpn_bridge_wg0_port: vpn_wireguard_routing_table:
type: "int" type: "int"
required: true required: true
vpn_bridge_wg0_interface_private_key:
type: "str"
required: true
vpn_bridge_wg0_preshared_key:
type: "str"
required: true
vpn_bridge_wg0_subnet:
type: "str"
required: true
vpn_bridge_wg0_clients:
type: "list"
elem: "dict"
required: "{{ vpn_bridge_role == 'server' }}"
vpn_bridge_wg0_server_public_key:
type: "str"
required: "{{ vpn_bridge_role == 'client' }}"
vpn_bridge_wg0_server_address:
type: "str"
required: "{{ vpn_bridge_role == 'client' }}"

View File

@ -1,51 +0,0 @@
- name: "br0 : post-up nftables inet script"
ansible.builtin.template:
src: "./br0/post-up-br0-inet.nft.j2"
dest: "/usr/local/sbin/post-up-br0-inet.nft"
mode: 0755
register: vpn_bridge_post_up_br0_inet_nft
- name: "br0 : post-up nftables ipv4 script"
ansible.builtin.template:
src: "./br0/post-up-br0-ipv4.nft.j2"
dest: "/usr/local/sbin/post-up-br0-ipv4.nft"
mode: 0755
register: vpn_bridge_post_up_br0_ipv4_nft
- name: "br0 : configure interface"
ansible.builtin.template:
src: "./br0/br0.j2"
dest: "/etc/network/interfaces.d/br0"
mode: 0644
validate: >
bash -c
'if ! diff %s /etc/network/interfaces.d/br0 && ip link show dev br0 ;
then
ifdown br0 ;
fi'
register: vpn_bridge_br0_intf
- name: "br0 : restart interface"
ansible.builtin.shell: |
if ip link show dev br0
then
ifdown br0 && ifup br0
else
ifup br0
fi
when:
vpn_bridge_post_up_br0_inet_nft.changed or
vpn_bridge_post_up_br0_ipv4_nft.changed or
vpn_bridge_br0_intf.changed
- name: "br0 : pre-down nftables inet script"
ansible.builtin.copy:
src: "./br0/pre-down-br0-inet.nft"
dest: "/usr/local/sbin/pre-down-br0-inet.nft"
mode: 0755
- name: "br0 : pre-down nftables ipv4 script"
ansible.builtin.copy:
src: "./br0/pre-down-br0-ipv4.nft"
dest: "/usr/local/sbin/pre-down-br0-ipv4.nft"
mode: 0755

View File

@ -1,6 +1,51 @@
- name: "play:vpn : role:bridge : tasks:br0" - name: "post-up nftables inet script"
ansible.builtin.import_tasks: "include/br0.yml" ansible.builtin.template:
tags: "vpn:bridge:br0" src: "./post-up-br0-inet.nft.j2"
- name: "play:vpn : role:bridge : tasks:wg0" dest: "/usr/local/sbin/post-up-br0-inet.nft"
ansible.builtin.import_tasks: "include/wg0.yml" mode: 0755
tags: "vpn:bridge:wg0" register: vpn_bridge_post_up_br0_inet_nft
- name: "post-up nftables ipv4 script"
ansible.builtin.template:
src: "./post-up-br0-ipv4.nft.j2"
dest: "/usr/local/sbin/post-up-br0-ipv4.nft"
mode: 0755
register: vpn_bridge_post_up_br0_ipv4_nft
- name: "configure interface"
ansible.builtin.template:
src: "./br0.j2"
dest: "/etc/network/interfaces.d/br0"
mode: 0644
validate: >
bash -c
'if ! diff %s /etc/network/interfaces.d/br0 && ip link show dev br0 ;
then
ifdown br0 ;
fi'
register: vpn_bridge_intf
- name: "restart interface"
ansible.builtin.shell: |
if ip link show dev br0
then
ifdown br0 && ifup br0
else
ifup br0
fi
when:
vpn_bridge_post_up_br0_inet_nft.changed or
vpn_bridge_post_up_br0_ipv4_nft.changed or
vpn_bridge_intf.changed
- name: "pre-down nftables inet script"
ansible.builtin.copy:
src: "./pre-down-br0-inet.nft"
dest: "/usr/local/sbin/pre-down-br0-inet.nft"
mode: 0755
- name: "pre-down nftables ipv4 script"
ansible.builtin.copy:
src: "./pre-down-br0-ipv4.nft"
dest: "/usr/local/sbin/pre-down-br0-ipv4.nft"
mode: 0755

View File

@ -4,14 +4,14 @@ iface br0 inet static
post-up /usr/local/sbin/post-up-$IFACE-inet.nft post-up /usr/local/sbin/post-up-$IFACE-inet.nft
post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
{% if vpn_bridge_role == "client" %} {% if vpn_wireguard_role == "client" %}
post-up ip rule add dev $IFACE table {{ vpn_bridge_routing_table }} post-up ip rule add dev $IFACE table {{ vpn_wireguard_routing_table }}
post-up ip rule add dev $IFACE to {{ local_network }} table main priority 1 post-up ip rule add dev $IFACE to {{ local_network }} table main priority 1
{% endif %} {% endif %}
{% if vpn_bridge_role == "client" %} {% if vpn_wireguard_role == "client" %}
pre-down ip rule del dev $IFACE to {{ local_network }} table main priority 1 pre-down ip rule del dev $IFACE to {{ local_network }} table main priority 1
pre-down ip rule del dev $IFACE table {{ vpn_bridge_routing_table }} pre-down ip rule del dev $IFACE table {{ vpn_wireguard_routing_table }}
{% endif %} {% endif %}
pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
@ -21,6 +21,6 @@ iface br0 inet static
bridge_fd 0 bridge_fd 0
bridge_ports none bridge_ports none
address {{ vpn_bridge_br0_address }} address {{ vpn_bridge_address }}
broadcast {{ vpn_bridge_br0_broadcast }} broadcast {{ vpn_bridge_broadcast }}
netmask {{ vpn_bridge_br0_netmask }} netmask {{ vpn_bridge_netmask }}

View File

@ -1,23 +0,0 @@
[Interface]
PrivateKey = {{ vpn_bridge_wg0_interface_private_key }}
{% if vpn_bridge_role == "server" %}
ListenPort = {{ vpn_bridge_wg0_port }}
{% endif %}
{% if vpn_bridge_role == "server" %}
{% for client in vpn_bridge_wg0_clients %}
[Peer]
PublicKey = {{ client.public_key }}
PresharedKey = {{ vpn_bridge_wg0_preshared_key }}
AllowedIPs = {{ vpn_bridge_wg0_subnet }},{{ client.subnet }}
{% endfor %}
{% elif vpn_bridge_role == "client" %}
[Peer]
PublicKey = {{ vpn_bridge_wg0_server_public_key }}
PresharedKey = {{ vpn_bridge_wg0_preshared_key }}
Endpoint = {{ vpn_bridge_wg0_server_address }}:{{ vpn_bridge_wg0_port }}
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 15
{% endif %}

View File

@ -0,0 +1,41 @@
argument_specs:
main:
options:
ansible_default_ipv4:
interface:
type: "str"
required: true
vpn_wireguard_routing_table:
type: "int"
required: true
vpn_wireguard_role:
type: "str"
required: true
vpn_wireguard_address:
type: "str"
required: true
vpn_wireguard_netmask:
type: "str"
required: true
vpn_wireguard_port:
type: "int"
required: true
vpn_wireguard_interface_private_key:
type: "str"
required: true
vpn_wireguard_preshared_key:
type: "str"
required: true
vpn_wireguard_subnet:
type: "str"
required: false
vpn_wireguard_clients:
type: "list"
elem: "dict"
required: "{{ vpn_wireguard_role == 'server' }}"
vpn_wireguard_server_public_key:
type: "str"
required: "{{ vpn_wireguard_role == 'client' }}"
vpn_wireguard_server_address:
type: "str"
required: "{{ vpn_wireguard_role == 'client' }}"

View File

@ -1,27 +1,27 @@
- name: "wg0 : configure wireguard" - name: "configure wireguard"
ansible.builtin.template: ansible.builtin.template:
src: "./wg0/wg0.conf.j2" src: "./wg0.conf.j2"
dest: "/etc/wireguard/wg0.conf" dest: "/etc/wireguard/wg0.conf"
mode: 0600 mode: 0600
register: vpn_bridge_wg0_conf register: vpn_wireguard_conf
- name: "wg0 : post-up nftables inet script" - name: "post-up nftables inet script"
ansible.builtin.template: ansible.builtin.template:
src: "./wg0/post-up-wg0-inet.nft.j2" src: "./post-up-wg0-inet.nft.j2"
dest: "/usr/local/sbin/post-up-wg0-inet.nft" dest: "/usr/local/sbin/post-up-wg0-inet.nft"
mode: 0755 mode: 0755
register: vpn_bridge_post_up_wg0_inet_nft register: vpn_wireguard_post_up_wg0_inet_nft
- name: "wg0 : post-up nftables ipv4 script" - name: "post-up nftables ipv4 script"
ansible.builtin.template: ansible.builtin.template:
src: "./wg0/post-up-wg0-ipv4.nft.j2" src: "./post-up-wg0-ipv4.nft.j2"
dest: "/usr/local/sbin/post-up-wg0-ipv4.nft" dest: "/usr/local/sbin/post-up-wg0-ipv4.nft"
mode: 0755 mode: 0755
register: vpn_bridge_post_up_wg0_ipv4_nft register: vpn_wireguard_post_up_wg0_ipv4_nft
- name: "wg0 : configure interface" - name: "configure interface"
ansible.builtin.template: ansible.builtin.template:
src: "./wg0/wg0.j2" src: "./wg0.j2"
dest: "/etc/network/interfaces.d/wg0" dest: "/etc/network/interfaces.d/wg0"
mode: 0644 mode: 0644
validate: > validate: >
@ -30,9 +30,9 @@
then then
ifdown wg0 ; ifdown wg0 ;
fi' fi'
register: vpn_bridge_wg0_intf register: vpn_wireguard_intf
- name: "wg0 : restart interface" - name: "restart interface"
ansible.builtin.shell: | ansible.builtin.shell: |
if ip link show dev wg0 if ip link show dev wg0
then then
@ -41,19 +41,19 @@
ifup wg0 ifup wg0
fi fi
when: when:
vpn_bridge_wg0_conf.changed or vpn_wireguard_conf.changed or
vpn_bridge_post_up_wg0_inet_nft.changed or vpn_wireguard_post_up_wg0_inet_nft.changed or
vpn_bridge_post_up_wg0_ipv4_nft.changed or vpn_wireguard_post_up_wg0_ipv4_nft.changed or
vpn_bridge_wg0_intf.changed vpn_wireguard_intf.changed
- name: "wg0 : pre-down nftables inet script" - name: "pre-down nftables inet script"
ansible.builtin.copy: ansible.builtin.copy:
src: "./wg0/pre-down-wg0-inet.nft" src: "./pre-down-wg0-inet.nft"
dest: "/usr/local/sbin/pre-down-wg0-inet.nft" dest: "/usr/local/sbin/pre-down-wg0-inet.nft"
mode: 0755 mode: 0755
- name: "wg0 : pre-down nftables ipv4 script" - name: "pre-down nftables ipv4 script"
ansible.builtin.copy: ansible.builtin.copy:
src: "./wg0/pre-down-wg0-ipv4.nft" src: "./pre-down-wg0-ipv4.nft"
dest: "/usr/local/sbin/pre-down-wg0-ipv4.nft" dest: "/usr/local/sbin/pre-down-wg0-ipv4.nft"
mode: 0755 mode: 0755

View File

@ -2,7 +2,7 @@
table ip wg0_ipv4 { table ip wg0_ipv4 {
{% if vpn_bridge_role == "server" %} {% if vpn_wireguard_role == "server" %}
chain postrouting { chain postrouting {
type nat hook postrouting priority 100; type nat hook postrouting priority 100;
iif wg0 oif {{ ansible_default_ipv4.interface }} masquerade; iif wg0 oif {{ ansible_default_ipv4.interface }} masquerade;

View File

@ -0,0 +1,27 @@
[Interface]
PrivateKey = {{ vpn_wireguard_interface_private_key }}
{% if vpn_wireguard_role == "server" %}
ListenPort = {{ vpn_wireguard_port }}
{% endif %}
{% if vpn_wireguard_role == "server" %}
{% for client in vpn_wireguard_clients %}
[Peer]
PublicKey = {{ client.public_key }}
PresharedKey = {{ vpn_wireguard_preshared_key }}
{% if vpn_wireguard_subnet is defined %}
AllowedIPs = {{ vpn_wireguard_subnet }},{{ client.subnet }}
{% else %}
AllowedIPs = {{ client.subnet }}
{% endif %}
{% endfor %}
{% elif vpn_wireguard_role == "client" %}
[Peer]
PublicKey = {{ vpn_wireguard_server_public_key }}
PresharedKey = {{ vpn_wireguard_preshared_key }}
Endpoint = {{ vpn_wireguard_server_address }}:{{ vpn_wireguard_port }}
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 15
{% endif %}

View File

@ -6,23 +6,23 @@ iface wg0 inet static
post-up /usr/local/sbin/post-up-$IFACE-inet.nft post-up /usr/local/sbin/post-up-$IFACE-inet.nft
post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
{% if vpn_bridge_role == "client" %} {% if vpn_wireguard_role == "client" %}
post-up ip route add default dev $IFACE table {{ vpn_bridge_routing_table }} post-up ip route add default dev $IFACE table {{ vpn_wireguard_routing_table }}
{% elif vpn_bridge_role == "server" %} {% elif vpn_wireguard_role == "server" %}
{% for client in vpn_bridge_wg0_clients %} {% for client in vpn_wireguard_clients %}
post-up ip route add {{ client.subnet }} dev $IFACE post-up ip route add {{ client.subnet }} dev $IFACE
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if vpn_bridge_role == "server" %} {% if vpn_wireguard_role == "server" %}
{% for client in vpn_bridge_wg0_clients %} {% for client in vpn_wireguard_clients %}
pre-down ip route del {{ client.subnet }} dev $IFACE pre-down ip route del {{ client.subnet }} dev $IFACE
{% endfor %} {% endfor %}
{% elif vpn_bridge_role == "client" %} {% elif vpn_wireguard_role == "client" %}
pre-down ip route del default dev $IFACE table {{ vpn_bridge_routing_table }} pre-down ip route del default dev $IFACE table {{ vpn_wireguard_routing_table }}
{% endif %} {% endif %}
pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
address {{ vpn_bridge_wg0_address }} address {{ vpn_wireguard_address }}
netmask {{ vpn_bridge_wg0_netmask }} netmask {{ vpn_wireguard_netmask }}