Make VPN configuration more robust
This commit is contained in:
parent
7f6813600a
commit
3bd5df7c65
@ -2,9 +2,11 @@ auto br0
|
|||||||
iface br0 inet static
|
iface br0 inet static
|
||||||
pre-up ip link add $IFACE type bridge
|
pre-up ip link add $IFACE type bridge
|
||||||
|
|
||||||
post-up /usr/local/sbin/post-up-$IFACE.nft
|
post-up /usr/local/sbin/post-up-$IFACE-inet.nft
|
||||||
|
post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
|
||||||
|
|
||||||
pre-down /usr/local/sbin/pre-down-$IFACE.nft
|
pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
|
||||||
|
pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
|
||||||
|
|
||||||
post-down ip link del dev $IFACE
|
post-down ip link del dev $IFACE
|
||||||
|
|
||||||
|
@ -4,11 +4,13 @@ iface wg0 inet static
|
|||||||
pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
|
pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
|
||||||
pre-up ip link set mtu 1420 dev $IFACE
|
pre-up ip link set mtu 1420 dev $IFACE
|
||||||
|
|
||||||
post-up /usr/local/sbin/post-up-$IFACE.nft
|
post-up /usr/local/sbin/post-up-$IFACE-inet.nft
|
||||||
|
post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
|
||||||
post-up ip route add {{ vpn_remote_subnet }} dev $IFACE
|
post-up ip route add {{ vpn_remote_subnet }} dev $IFACE
|
||||||
|
|
||||||
pre-down ip route del {{ vpn_remote_subnet }} dev $IFACE
|
pre-down ip route del {{ vpn_remote_subnet }} dev $IFACE
|
||||||
pre-down /usr/local/sbin/pre-down-$IFACE.nft
|
pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
|
||||||
|
pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
|
||||||
|
|
||||||
post-down ip link del dev $IFACE
|
post-down ip link del dev $IFACE
|
||||||
|
|
||||||
|
@ -0,0 +1,5 @@
|
|||||||
|
#!/usr/bin/env -S nft -f
|
||||||
|
|
||||||
|
table inet br0_inet {
|
||||||
|
|
||||||
|
}
|
@ -1,6 +1,6 @@
|
|||||||
#!/usr/bin/env -S nft -f
|
#!/usr/bin/env -S nft -f
|
||||||
|
|
||||||
table ip br0_nat {
|
table ip br0_ipv4 {
|
||||||
chain prerouting {
|
chain prerouting {
|
||||||
type nat hook prerouting priority -100;
|
type nat hook prerouting priority -100;
|
||||||
iif {{ ethx }} tcp dport { 80, 443 } dnat to {{ vpn_reverse_proxy_address }};
|
iif {{ ethx }} tcp dport { 80, 443 } dnat to {{ vpn_reverse_proxy_address }};
|
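Review bot: The post-up script declares `table ip br0_ipv4 { ... }` without flushing first, so running it against a table that is already loaded appends a second copy of every rule instead of replacing them, because `nft -f` merges into an existing table rather than recreating it. That matters for the robustness this commit is after: if a previous `ifdown` failed part-way (for example because a pre-down script errored), the next `ifup` leaves duplicate DNAT rules in place. The usual idiom is to put `table ip br0_ipv4 {}` and `flush table ip br0_ipv4` ahead of the full definition so the script is idempotent. The same applies to the other non-empty post-up scripts in this commit (the first host's `wg0_inet` and `wg0_ipv4` scripts and the second host's `br0_ipv4` and `wg0_inet` scripts). The table's closing brace lies outside this hunk.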
@ -1,16 +1,9 @@
|
|||||||
#!/usr/bin/env -S nft -f
|
#!/usr/bin/env -S nft -f
|
||||||
|
|
||||||
table inet wg0_mss_clamping {
|
table inet wg0_inet {
|
||||||
chain forward {
|
chain forward {
|
||||||
type filter hook forward priority 0;
|
type filter hook forward priority 0;
|
||||||
iif wg0 tcp flags syn tcp option maxseg size set rt mtu;
|
iif wg0 tcp flags syn tcp option maxseg size set rt mtu;
|
||||||
oif wg0 tcp flags syn tcp option maxseg size set rt mtu;
|
oif wg0 tcp flags syn tcp option maxseg size set rt mtu;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
table ip wg0_nat {
|
|
||||||
chain postrouting {
|
|
||||||
type nat hook postrouting priority 100;
|
|
||||||
iif wg0 oif {{ ethx }} masquerade;
|
|
||||||
}
|
|
||||||
}
|
|
@ -0,0 +1,8 @@
|
|||||||
|
#!/usr/bin/env -S nft -f
|
||||||
|
|
||||||
|
table ip wg0_ipv4 {
|
||||||
|
chain postrouting {
|
||||||
|
type nat hook postrouting priority 100;
|
||||||
|
iif wg0 oif {{ ethx }} masquerade;
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,4 @@
|
|||||||
|
#!/usr/bin/env -S nft -f
|
||||||
|
|
||||||
|
flush table ip br0_inet
|
||||||
|
delete table ip br0_inet
|
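Review bot: The table family in this pre-down script does not match the table it is meant to remove: the new post-up script for this host declares `table inet br0_inet`, but these lines flush and delete `ip br0_inet`, which `nft` rejects as a non-existent table, so the script exits non-zero and the `inet` table is left loaded after `ifdown`. Change both lines to `flush table inet br0_inet` and `delete table inet br0_inet`. The second host's pre-down-wg0-ipv4 script later in this commit has the same mismatch in the other direction (`flush table inet wg0_ipv4` / `delete table inet wg0_ipv4` for a table declared as `table ip wg0_ipv4`) and should use `ip` there. The other pre-down scripts in this commit already use the family their table was declared with, so only these two files are affected.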
@ -0,0 +1,4 @@
|
|||||||
|
#!/usr/bin/env -S nft -f
|
||||||
|
|
||||||
|
flush table ip br0_ipv4
|
||||||
|
delete table ip br0_ipv4
|
@ -1,4 +0,0 @@
|
|||||||
#!/usr/bin/env -S nft -f
|
|
||||||
|
|
||||||
flush table ip br0_nat
|
|
||||||
delete table ip br0_nat
|
|
@ -0,0 +1,4 @@
|
|||||||
|
#!/usr/bin/env -S nft -f
|
||||||
|
|
||||||
|
flush table inet wg0_inet
|
||||||
|
delete table inet wg0_inet
|
@ -0,0 +1,4 @@
|
|||||||
|
#!/usr/bin/env -S nft -f
|
||||||
|
|
||||||
|
flush table ip wg0_ipv4
|
||||||
|
delete table ip wg0_ipv4
|
@ -1,7 +0,0 @@
|
|||||||
#!/usr/bin/env -S nft -f
|
|
||||||
|
|
||||||
flush table inet wg0_mss_clamping
|
|
||||||
delete table inet wg0_mss_clamping
|
|
||||||
|
|
||||||
flush table ip wg0_nat
|
|
||||||
delete table ip wg0_nat
|
|
@ -2,13 +2,15 @@ auto br0
|
|||||||
iface br0 inet static
|
iface br0 inet static
|
||||||
pre-up ip link add $IFACE type bridge
|
pre-up ip link add $IFACE type bridge
|
||||||
|
|
||||||
post-up /usr/local/sbin/post-up-$IFACE.nft
|
post-up /usr/local/sbin/post-up-$IFACE-inet.nft
|
||||||
|
post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
|
||||||
post-up ip rule add dev $IFACE table 66
|
post-up ip rule add dev $IFACE table 66
|
||||||
post-up ip rule add dev $IFACE to {{ subnet }} table main priority 1
|
post-up ip rule add dev $IFACE to {{ subnet }} table main priority 1
|
||||||
|
|
||||||
pre-down ip rule del dev $IFACE to {{ subnet }} table main priority 1
|
pre-down ip rule del dev $IFACE to {{ subnet }} table main priority 1
|
||||||
pre-down ip rule del dev $IFACE table 66
|
pre-down ip rule del dev $IFACE table 66
|
||||||
pre-down /usr/local/sbin/pre-down-$IFACE.nft
|
pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
|
||||||
|
pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
|
||||||
|
|
||||||
post-down ip link del dev $IFACE
|
post-down ip link del dev $IFACE
|
||||||
|
|
||||||
|
@ -4,11 +4,13 @@ iface wg0 inet static
|
|||||||
pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
|
pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
|
||||||
pre-up ip link set mtu 1420 dev $IFACE
|
pre-up ip link set mtu 1420 dev $IFACE
|
||||||
|
|
||||||
post-up /usr/local/sbin/post-up-$IFACE.nft
|
post-up /usr/local/sbin/post-up-$IFACE-inet.nft
|
||||||
|
post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
|
||||||
post-up ip route add default dev $IFACE table 66
|
post-up ip route add default dev $IFACE table 66
|
||||||
|
|
||||||
pre-down ip route del default dev $IFACE table 66
|
pre-down ip route del default dev $IFACE table 66
|
||||||
pre-down /usr/local/sbin/pre-down-$IFACE.nft
|
pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
|
||||||
|
pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
|
||||||
|
|
||||||
post-down ip link del dev $IFACE
|
post-down ip link del dev $IFACE
|
||||||
|
|
||||||
|
@ -0,0 +1,5 @@
|
|||||||
|
#!/usr/bin/env -S nft -f
|
||||||
|
|
||||||
|
table inet br0_inet {
|
||||||
|
|
||||||
|
}
|
@ -1,19 +1,17 @@
|
|||||||
#!/usr/bin/env -S nft -f
|
#!/usr/bin/env -S nft -f
|
||||||
|
|
||||||
table inet br0_filter {
|
table ip br0_ipv4 {
|
||||||
chain input {
|
|
||||||
type filter hook input priority -5;
|
|
||||||
ct state established,related accept;
|
|
||||||
iif br0 ip daddr {{ subnet }} drop;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
table ip br0_nat {
|
|
||||||
chain prerouting {
|
chain prerouting {
|
||||||
type nat hook prerouting priority -100;
|
type nat hook prerouting priority -100;
|
||||||
iif {{ ethx }} tcp dport { 80, 443 } dnat to {{ vpn_reverse_proxy_address }};
|
iif {{ ethx }} tcp dport { 80, 443 } dnat to {{ vpn_reverse_proxy_address }};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
chain input {
|
||||||
|
type filter hook input priority 0;
|
||||||
|
ct state established,related accept;
|
||||||
|
iif br0 ip daddr {{ subnet }} drop;
|
||||||
|
}
|
||||||
|
|
||||||
chain postrouting {
|
chain postrouting {
|
||||||
type nat hook postrouting priority 100;
|
type nat hook postrouting priority 100;
|
||||||
iif br0 oif {{ ethx }} masquerade;
|
iif br0 oif {{ ethx }} masquerade;
|
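Review bot: The `input` chain moved from the `inet` family table into this `ip` table and its priority changed from -5 to 0, and neither is explained; a short comment on the chain would let a reader see whether the priority change is intentional, since any other input chain registered at priority 0 now runs in unspecified order relative to this one. It is also worth stating in a comment that `iif br0 ip daddr {{ subnet }} drop;` sits on the `input` hook and therefore only covers packets addressed to this host: with IP forwarding enabled by the playbook's ipforward tasks, traffic from br0 forwarded to other hosts in `{{ subnet }}` passes through the `forward` hook and is not matched here, so if br0 is meant to be isolated from `{{ subnet }}` a corresponding forward-hook rule is needed elsewhere (I cannot see from this commit whether one exists). The table's closing brace lies outside this hunk.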
@ -1,6 +1,6 @@
|
|||||||
#!/usr/bin/env -S nft -f
|
#!/usr/bin/env -S nft -f
|
||||||
|
|
||||||
table inet wg0_mss_clamping {
|
table inet wg0_inet {
|
||||||
chain forward {
|
chain forward {
|
||||||
type filter hook forward priority 0;
|
type filter hook forward priority 0;
|
||||||
iif wg0 tcp flags syn tcp option maxseg size set rt mtu;
|
iif wg0 tcp flags syn tcp option maxseg size set rt mtu;
|
@ -0,0 +1,5 @@
|
|||||||
|
#!/usr/bin/env -S nft -f
|
||||||
|
|
||||||
|
table ip wg0_ipv4 {
|
||||||
|
|
||||||
|
}
|
@ -0,0 +1,4 @@
|
|||||||
|
#!/usr/bin/env -S nft -f
|
||||||
|
|
||||||
|
flush table inet br0_inet
|
||||||
|
delete table inet br0_inet
|
@ -0,0 +1,4 @@
|
|||||||
|
#!/usr/bin/env -S nft -f
|
||||||
|
|
||||||
|
flush table ip br0_ipv4
|
||||||
|
delete table ip br0_ipv4
|
@ -1,7 +0,0 @@
|
|||||||
#!/usr/bin/env -S nft -f
|
|
||||||
|
|
||||||
flush table inet br0_filter
|
|
||||||
delete table inet br0_filter
|
|
||||||
|
|
||||||
flush table ip br0_nat
|
|
||||||
delete table ip br0_nat
|
|
@ -0,0 +1,4 @@
|
|||||||
|
#!/usr/bin/env -S nft -f
|
||||||
|
|
||||||
|
flush table inet wg0_inet
|
||||||
|
delete table inet wg0_inet
|
@ -0,0 +1,4 @@
|
|||||||
|
#!/usr/bin/env -S nft -f
|
||||||
|
|
||||||
|
flush table inet wg0_ipv4
|
||||||
|
delete table inet wg0_ipv4
|
@ -1,4 +0,0 @@
|
|||||||
#!/usr/bin/env -S nft -f
|
|
||||||
|
|
||||||
flush table inet wg0_mss_clamping
|
|
||||||
delete table inet wg0_mss_clamping
|
|
@ -1,5 +1,6 @@
|
|||||||
---
|
---
|
||||||
- hosts: the_nine_worlds
|
- name: Configure hosts
|
||||||
|
hosts: the_nine_worlds
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- import_tasks: tasks/hosts/sshd.yml
|
- import_tasks: tasks/hosts/sshd.yml
|
||||||
@ -15,7 +16,8 @@
|
|||||||
- import_tasks: tasks/hosts/user.yml
|
- import_tasks: tasks/hosts/user.yml
|
||||||
- import_tasks: tasks/hosts/root-shell.yml
|
- import_tasks: tasks/hosts/root-shell.yml
|
||||||
|
|
||||||
- hosts: yggdrasil
|
- name: Configure yggdrasil extras
|
||||||
|
hosts: yggdrasil
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- import_tasks: tasks/hosts/systemd-mail.yml
|
- import_tasks: tasks/hosts/systemd-mail.yml
|
||||||
|
@ -1,25 +1,40 @@
|
|||||||
- name: Bridge interface post-up nftables script
|
- name: Bridge interface post-up nftables inet script
|
||||||
template:
|
template:
|
||||||
src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/post-up-br0.nft.j2
|
src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/post-up-br0-inet.nft.j2
|
||||||
dest: /usr/local/sbin/post-up-br0.nft
|
dest: /usr/local/sbin/post-up-br0-inet.nft
|
||||||
mode: 0755
|
mode: 0755
|
||||||
register: br_intf_post_up
|
register: br_intf_post_up_inet
|
||||||
|
|
||||||
|
- name: Bridge interface post-up nftables ipv4 script
|
||||||
|
template:
|
||||||
|
src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/post-up-br0-ipv4.nft.j2
|
||||||
|
dest: /usr/local/sbin/post-up-br0-ipv4.nft
|
||||||
|
mode: 0755
|
||||||
|
register: br_intf_post_up_ipv4
|
||||||
|
|
||||||
- name: Create bridge interface
|
- name: Create bridge interface
|
||||||
template:
|
template:
|
||||||
src: ./filesystem/{{ ansible_hostname }}/etc/network/interfaces.d/br0.j2
|
src: ./filesystem/{{ ansible_hostname }}/etc/network/interfaces.d/br0.j2
|
||||||
dest: /etc/network/interfaces.d/br0
|
dest: /etc/network/interfaces.d/br0
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
validate: bash -c 'if ! diff %s /etc/network/interfaces.d/br0 && ip link show dev br0 ; then ifdown br0 ; fi'
|
||||||
register: br_intf
|
register: br_intf
|
||||||
|
|
||||||
- name: Restart bridge interface
|
- name: Restart bridge interface
|
||||||
shell: ifdown br0 && ifup br0
|
shell: if ip link show dev br0 ; then ifdown br0 && ifup br0 ; else ifup br0 ; fi
|
||||||
when:
|
when:
|
||||||
br_intf_post_up is changed or
|
br_intf_post_up_inet is changed or
|
||||||
|
br_intf_post_up_ipv4 is changed or
|
||||||
br_intf is changed
|
br_intf is changed
|
||||||
|
|
||||||
- name: Bridge interface pre-down nftables script
|
- name: Bridge interface pre-down nftables inet script
|
||||||
template:
|
template:
|
||||||
src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/pre-down-br0.nft.j2
|
src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/pre-down-br0-inet.nft.j2
|
||||||
dest: /usr/local/sbin/pre-down-br0.nft
|
dest: /usr/local/sbin/pre-down-br0-inet.nft
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- name: Bridge interface pre-down nftables ipv4 script
|
||||||
|
template:
|
||||||
|
src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/pre-down-br0-ipv4.nft.j2
|
||||||
|
dest: /usr/local/sbin/pre-down-br0-ipv4.nft
|
||||||
mode: 0755
|
mode: 0755
|
||||||
|
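Review bot: `validate:` on the `Create bridge interface` task is being used as a pre-replacement hook with side effects (`ifdown br0`) rather than to check the rendered file, and nothing in the task says so; a reader will not expect a validation command to tear down an interface. Add a comment above the line such as `# validate doubles as a pre-replace hook: when the rendered file differs from the deployed one and br0 exists, take br0 down with the OLD config so its pre-down scripts remove the old nftables tables before the file is swapped.` Two consequences belong in that comment as well: if `ifdown br0` fails, the task reports a validation failure and the new file is not written, leaving br0 down without the later restart task running; and whether the command also executes in `--check` mode should be confirmed, since a dry run bringing the interface down would be surprising. The `Create WireGuard interface` task in the next hunk uses the same construct.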
@ -9,29 +9,44 @@
|
|||||||
mode: 0600
|
mode: 0600
|
||||||
register: wg_intf_conf
|
register: wg_intf_conf
|
||||||
|
|
||||||
- name: WireGuard interface post-up nftables script
|
- name: WireGuard interface post-up nftables inet script
|
||||||
template:
|
template:
|
||||||
src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/post-up-wg0.nft.j2
|
src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/post-up-wg0-inet.nft.j2
|
||||||
dest: /usr/local/sbin/post-up-wg0.nft
|
dest: /usr/local/sbin/post-up-wg0-inet.nft
|
||||||
mode: 0755
|
mode: 0755
|
||||||
register: wg_intf_post_up
|
register: wg_intf_post_up_inet
|
||||||
|
|
||||||
|
- name: WireGuard interface post-up nftables ipv4 script
|
||||||
|
template:
|
||||||
|
src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/post-up-wg0-ipv4.nft.j2
|
||||||
|
dest: /usr/local/sbin/post-up-wg0-ipv4.nft
|
||||||
|
mode: 0755
|
||||||
|
register: wg_intf_post_up_ipv4
|
||||||
|
|
||||||
- name: Create WireGuard interface
|
- name: Create WireGuard interface
|
||||||
template:
|
template:
|
||||||
src: ./filesystem/{{ ansible_hostname }}/etc/network/interfaces.d/wg0.j2
|
src: ./filesystem/{{ ansible_hostname }}/etc/network/interfaces.d/wg0.j2
|
||||||
dest: /etc/network/interfaces.d/wg0
|
dest: /etc/network/interfaces.d/wg0
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
validate: bash -c 'if ! diff %s /etc/network/interfaces.d/wg0 && ip link show dev wg0 ; then ifdown wg0 ; fi'
|
||||||
register: wg_intf
|
register: wg_intf
|
||||||
|
|
||||||
- name: Restart WireGuard interface
|
- name: Restart WireGuard interface
|
||||||
shell: ifdown wg0 && ifup wg0
|
shell: if ip link show dev wg0 ; then ifdown wg0 && ifup wg0 ; else ifup wg0 ; fi
|
||||||
when:
|
when:
|
||||||
wg_intf_conf is changed or
|
wg_intf_conf is changed or
|
||||||
wg_intf_post_up is changed or
|
wg_intf_post_up_inet is changed or
|
||||||
|
wg_intf_post_up_ipv4 is changed or
|
||||||
wg_intf is changed
|
wg_intf is changed
|
||||||
|
|
||||||
- name: WireGuard interface pre-down nftables script
|
- name: WireGuard interface pre-down nftables inet script
|
||||||
template:
|
template:
|
||||||
src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/pre-down-wg0.nft.j2
|
src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/pre-down-wg0-inet.nft.j2
|
||||||
dest: /usr/local/sbin/pre-down-wg0.nft
|
dest: /usr/local/sbin/pre-down-wg0-inet.nft
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- name: WireGuard interface pre-down nftables ipv4 script
|
||||||
|
template:
|
||||||
|
src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/pre-down-wg0-ipv4.nft.j2
|
||||||
|
dest: /usr/local/sbin/pre-down-wg0-ipv4.nft
|
||||||
mode: 0755
|
mode: 0755
|
||||||
|
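Review bot: Nothing in this hunk removes the previously deployed `/usr/local/sbin/post-up-wg0.nft` and `/usr/local/sbin/pre-down-wg0.nft` now that their templates are gone from the repository, so hosts keep stale executable scripts in `/usr/local/sbin` that still reference the old `wg0_mss_clamping`/`wg0_nat` tables. Unless this is handled elsewhere, a `file:` task with `state: absent` for both paths (and for the br0 equivalents in the previous hunk) would keep the hosts in step with the repository.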
@ -1,5 +1,6 @@
|
|||||||
---
|
---
|
||||||
- hosts: the_nine_worlds
|
- name: Configure VPN network
|
||||||
|
hosts: the_nine_worlds
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- import_tasks: tasks/vpn/ipforward.yml
|
- import_tasks: tasks/vpn/ipforward.yml
|
||||||
|