Make VPN configuration more robust

Wojciech Kozlowski 2022-09-25 16:00:40 +02:00
parent 7f6813600a
commit 3bd5df7c65
28 changed files with 135 additions and 70 deletions


@ -2,9 +2,11 @@ auto br0
iface br0 inet static iface br0 inet static
pre-up ip link add $IFACE type bridge pre-up ip link add $IFACE type bridge
post-up /usr/local/sbin/post-up-$IFACE.nft post-up /usr/local/sbin/post-up-$IFACE-inet.nft
post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
pre-down /usr/local/sbin/pre-down-$IFACE.nft pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
post-down ip link del dev $IFACE post-down ip link del dev $IFACE


@ -4,11 +4,13 @@ iface wg0 inet static
pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
pre-up ip link set mtu 1420 dev $IFACE pre-up ip link set mtu 1420 dev $IFACE
post-up /usr/local/sbin/post-up-$IFACE.nft post-up /usr/local/sbin/post-up-$IFACE-inet.nft
post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
post-up ip route add {{ vpn_remote_subnet }} dev $IFACE post-up ip route add {{ vpn_remote_subnet }} dev $IFACE
pre-down ip route del {{ vpn_remote_subnet }} dev $IFACE pre-down ip route del {{ vpn_remote_subnet }} dev $IFACE
pre-down /usr/local/sbin/pre-down-$IFACE.nft pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
post-down ip link del dev $IFACE post-down ip link del dev $IFACE


@ -0,0 +1,5 @@
#!/usr/bin/env -S nft -f
table inet br0_inet {
}
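Review bot: The new script declares an empty `table inet br0_inet { }` with nothing explaining why a table with no chains is installed, so a later reader cannot tell a deliberate placeholder from a half-finished file. A one-line comment after the shebang would settle it, e.g. `# No inet-family rules for br0 yet; the empty table is created so the paired pre-down script can flush/delete it unconditionally` — adjust the second clause if the table exists for a different reason. The other host's new `table ip wg0_ipv4 { }` script has the same gap.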


@ -1,6 +1,6 @@
#!/usr/bin/env -S nft -f #!/usr/bin/env -S nft -f
table ip br0_nat { table ip br0_ipv4 {
chain prerouting { chain prerouting {
type nat hook prerouting priority -100; type nat hook prerouting priority -100;
iif {{ ethx }} tcp dport { 80, 443 } dnat to {{ vpn_reverse_proxy_address }}; iif {{ ethx }} tcp dport { 80, 443 } dnat to {{ vpn_reverse_proxy_address }};


@ -1,16 +1,9 @@
#!/usr/bin/env -S nft -f #!/usr/bin/env -S nft -f
table inet wg0_mss_clamping { table inet wg0_inet {
chain forward { chain forward {
type filter hook forward priority 0; type filter hook forward priority 0;
iif wg0 tcp flags syn tcp option maxseg size set rt mtu; iif wg0 tcp flags syn tcp option maxseg size set rt mtu;
oif wg0 tcp flags syn tcp option maxseg size set rt mtu; oif wg0 tcp flags syn tcp option maxseg size set rt mtu;
} }
} }
table ip wg0_nat {
chain postrouting {
type nat hook postrouting priority 100;
iif wg0 oif {{ ethx }} masquerade;
}
}


@ -0,0 +1,8 @@
#!/usr/bin/env -S nft -f
table ip wg0_ipv4 {
chain postrouting {
type nat hook postrouting priority 100;
iif wg0 oif {{ ethx }} masquerade;
}
}


@ -0,0 +1,4 @@
#!/usr/bin/env -S nft -f
flush table ip br0_inet
delete table ip br0_inet
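Review bot: Both lines address the wrong nftables family: `flush table ip br0_inet` and `delete table ip br0_inet` look for an `ip` table, but the paired post-up script declares `table inet br0_inet`, so `nft -f` fails on the first statement and the `inet br0_inet` table stays loaded across `ifdown`. Since ifupdown treats a failing `pre-down` command as an error, that failure likely also makes `ifdown br0` return non-zero, which stops the restart task's `ifdown br0 && ifup br0` chain before `ifup` ever runs. The fix is `flush table inet br0_inet` and `delete table inet br0_inet`, matching the other host's version of this script. The other host has the mirror-image slip in its new pre-down-wg0-ipv4 script, where `flush table inet wg0_ipv4` / `delete table inet wg0_ipv4` should read `flush table ip wg0_ipv4` / `delete table ip wg0_ipv4` to match its `table ip wg0_ipv4`.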


@ -0,0 +1,4 @@
#!/usr/bin/env -S nft -f
flush table ip br0_ipv4
delete table ip br0_ipv4


@ -1,4 +0,0 @@
#!/usr/bin/env -S nft -f
flush table ip br0_nat
delete table ip br0_nat


@ -0,0 +1,4 @@
#!/usr/bin/env -S nft -f
flush table inet wg0_inet
delete table inet wg0_inet


@ -0,0 +1,4 @@
#!/usr/bin/env -S nft -f
flush table ip wg0_ipv4
delete table ip wg0_ipv4


@ -1,7 +0,0 @@
#!/usr/bin/env -S nft -f
flush table inet wg0_mss_clamping
delete table inet wg0_mss_clamping
flush table ip wg0_nat
delete table ip wg0_nat


@ -2,13 +2,15 @@ auto br0
iface br0 inet static iface br0 inet static
pre-up ip link add $IFACE type bridge pre-up ip link add $IFACE type bridge
post-up /usr/local/sbin/post-up-$IFACE.nft post-up /usr/local/sbin/post-up-$IFACE-inet.nft
post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
post-up ip rule add dev $IFACE table 66 post-up ip rule add dev $IFACE table 66
post-up ip rule add dev $IFACE to {{ subnet }} table main priority 1 post-up ip rule add dev $IFACE to {{ subnet }} table main priority 1
pre-down ip rule del dev $IFACE to {{ subnet }} table main priority 1 pre-down ip rule del dev $IFACE to {{ subnet }} table main priority 1
pre-down ip rule del dev $IFACE table 66 pre-down ip rule del dev $IFACE table 66
pre-down /usr/local/sbin/pre-down-$IFACE.nft pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
post-down ip link del dev $IFACE post-down ip link del dev $IFACE


@ -4,11 +4,13 @@ iface wg0 inet static
pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
pre-up ip link set mtu 1420 dev $IFACE pre-up ip link set mtu 1420 dev $IFACE
post-up /usr/local/sbin/post-up-$IFACE.nft post-up /usr/local/sbin/post-up-$IFACE-inet.nft
post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
post-up ip route add default dev $IFACE table 66 post-up ip route add default dev $IFACE table 66
pre-down ip route del default dev $IFACE table 66 pre-down ip route del default dev $IFACE table 66
pre-down /usr/local/sbin/pre-down-$IFACE.nft pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
post-down ip link del dev $IFACE post-down ip link del dev $IFACE


@ -0,0 +1,5 @@
#!/usr/bin/env -S nft -f
table inet br0_inet {
}


@ -1,19 +1,17 @@
#!/usr/bin/env -S nft -f #!/usr/bin/env -S nft -f
table inet br0_filter { table ip br0_ipv4 {
chain input {
type filter hook input priority -5;
ct state established,related accept;
iif br0 ip daddr {{ subnet }} drop;
}
}
table ip br0_nat {
chain prerouting { chain prerouting {
type nat hook prerouting priority -100; type nat hook prerouting priority -100;
iif {{ ethx }} tcp dport { 80, 443 } dnat to {{ vpn_reverse_proxy_address }}; iif {{ ethx }} tcp dport { 80, 443 } dnat to {{ vpn_reverse_proxy_address }};
} }
chain input {
type filter hook input priority 0;
ct state established,related accept;
iif br0 ip daddr {{ subnet }} drop;
}
chain postrouting { chain postrouting {
type nat hook postrouting priority 100; type nat hook postrouting priority 100;
iif br0 oif {{ ethx }} masquerade; iif br0 oif {{ ethx }} masquerade;


@ -1,6 +1,6 @@
#!/usr/bin/env -S nft -f #!/usr/bin/env -S nft -f
table inet wg0_mss_clamping { table inet wg0_inet {
chain forward { chain forward {
type filter hook forward priority 0; type filter hook forward priority 0;
iif wg0 tcp flags syn tcp option maxseg size set rt mtu; iif wg0 tcp flags syn tcp option maxseg size set rt mtu;


@ -0,0 +1,5 @@
#!/usr/bin/env -S nft -f
table ip wg0_ipv4 {
}


@ -0,0 +1,4 @@
#!/usr/bin/env -S nft -f
flush table inet br0_inet
delete table inet br0_inet


@ -0,0 +1,4 @@
#!/usr/bin/env -S nft -f
flush table ip br0_ipv4
delete table ip br0_ipv4


@ -1,7 +0,0 @@
#!/usr/bin/env -S nft -f
flush table inet br0_filter
delete table inet br0_filter
flush table ip br0_nat
delete table ip br0_nat


@ -0,0 +1,4 @@
#!/usr/bin/env -S nft -f
flush table inet wg0_inet
delete table inet wg0_inet


@ -0,0 +1,4 @@
#!/usr/bin/env -S nft -f
flush table inet wg0_ipv4
delete table inet wg0_ipv4


@ -1,4 +0,0 @@
#!/usr/bin/env -S nft -f
flush table inet wg0_mss_clamping
delete table inet wg0_mss_clamping


@ -1,5 +1,6 @@
--- ---
- hosts: the_nine_worlds - name: Configure hosts
hosts: the_nine_worlds
tasks: tasks:
- import_tasks: tasks/hosts/sshd.yml - import_tasks: tasks/hosts/sshd.yml
@ -15,7 +16,8 @@
- import_tasks: tasks/hosts/user.yml - import_tasks: tasks/hosts/user.yml
- import_tasks: tasks/hosts/root-shell.yml - import_tasks: tasks/hosts/root-shell.yml
- hosts: yggdrasil - name: Configure yggdrasil extras
hosts: yggdrasil
tasks: tasks:
- import_tasks: tasks/hosts/systemd-mail.yml - import_tasks: tasks/hosts/systemd-mail.yml


@ -1,25 +1,40 @@
- name: Bridge interface post-up nftables script - name: Bridge interface post-up nftables inet script
template: template:
src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/post-up-br0.nft.j2 src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/post-up-br0-inet.nft.j2
dest: /usr/local/sbin/post-up-br0.nft dest: /usr/local/sbin/post-up-br0-inet.nft
mode: 0755 mode: 0755
register: br_intf_post_up register: br_intf_post_up_inet
- name: Bridge interface post-up nftables ipv4 script
template:
src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/post-up-br0-ipv4.nft.j2
dest: /usr/local/sbin/post-up-br0-ipv4.nft
mode: 0755
register: br_intf_post_up_ipv4
- name: Create bridge interface - name: Create bridge interface
template: template:
src: ./filesystem/{{ ansible_hostname }}/etc/network/interfaces.d/br0.j2 src: ./filesystem/{{ ansible_hostname }}/etc/network/interfaces.d/br0.j2
dest: /etc/network/interfaces.d/br0 dest: /etc/network/interfaces.d/br0
mode: 0644 mode: 0644
validate: bash -c 'if ! diff %s /etc/network/interfaces.d/br0 && ip link show dev br0 ; then ifdown br0 ; fi'
register: br_intf register: br_intf
- name: Restart bridge interface - name: Restart bridge interface
shell: ifdown br0 && ifup br0 shell: if ip link show dev br0 ; then ifdown br0 && ifup br0 ; else ifup br0 ; fi
when: when:
br_intf_post_up is changed or br_intf_post_up_inet is changed or
br_intf_post_up_ipv4 is changed or
br_intf is changed br_intf is changed
- name: Bridge interface pre-down nftables script - name: Bridge interface pre-down nftables inet script
template: template:
src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/pre-down-br0.nft.j2 src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/pre-down-br0-inet.nft.j2
dest: /usr/local/sbin/pre-down-br0.nft dest: /usr/local/sbin/pre-down-br0-inet.nft
mode: 0755
- name: Bridge interface pre-down nftables ipv4 script
template:
src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/pre-down-br0-ipv4.nft.j2
dest: /usr/local/sbin/pre-down-br0-ipv4.nft
mode: 0755 mode: 0755
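Review bot: The added `validate:` on the interfaces template is doing more than validating — it takes `br0` down whenever the rendered file differs from the installed one — and nothing in the task says so, so a future maintainer will read it as a syntax check and may drop it or reorder the tasks. A comment above the `Create bridge interface` task would keep the intent, e.g. `# validate is used to run ifdown against the OLD interfaces file before it is replaced, so the old pre-down hooks can still remove their nft tables`. Two follow-ups worth confirming: how this behaves under `--check`, since a validate command with side effects is unusual, and that the old `pre-down-br0.nft` / `post-up-br0.nft` scripts whose templates this commit deletes or renames are actually removed from hosts — no task visible in this hunk does that, so unmanaged executables would remain in `/usr/local/sbin` (a `file:` task with `state: absent` after the restart would cover it). The WireGuard task file has the same pattern.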


@ -9,29 +9,44 @@
mode: 0600 mode: 0600
register: wg_intf_conf register: wg_intf_conf
- name: WireGuard interface post-up nftables script - name: WireGuard interface post-up nftables inet script
template: template:
src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/post-up-wg0.nft.j2 src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/post-up-wg0-inet.nft.j2
dest: /usr/local/sbin/post-up-wg0.nft dest: /usr/local/sbin/post-up-wg0-inet.nft
mode: 0755 mode: 0755
register: wg_intf_post_up register: wg_intf_post_up_inet
- name: WireGuard interface post-up nftables ipv4 script
template:
src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/post-up-wg0-ipv4.nft.j2
dest: /usr/local/sbin/post-up-wg0-ipv4.nft
mode: 0755
register: wg_intf_post_up_ipv4
- name: Create WireGuard interface - name: Create WireGuard interface
template: template:
src: ./filesystem/{{ ansible_hostname }}/etc/network/interfaces.d/wg0.j2 src: ./filesystem/{{ ansible_hostname }}/etc/network/interfaces.d/wg0.j2
dest: /etc/network/interfaces.d/wg0 dest: /etc/network/interfaces.d/wg0
mode: 0644 mode: 0644
validate: bash -c 'if ! diff %s /etc/network/interfaces.d/wg0 && ip link show dev wg0 ; then ifdown wg0 ; fi'
register: wg_intf register: wg_intf
- name: Restart WireGuard interface - name: Restart WireGuard interface
shell: ifdown wg0 && ifup wg0 shell: if ip link show dev wg0 ; then ifdown wg0 && ifup wg0 ; else ifup wg0 ; fi
when: when:
wg_intf_conf is changed or wg_intf_conf is changed or
wg_intf_post_up is changed or wg_intf_post_up_inet is changed or
wg_intf_post_up_ipv4 is changed or
wg_intf is changed wg_intf is changed
- name: WireGuard interface pre-down nftables script - name: WireGuard interface pre-down nftables inet script
template: template:
src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/pre-down-wg0.nft.j2 src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/pre-down-wg0-inet.nft.j2
dest: /usr/local/sbin/pre-down-wg0.nft dest: /usr/local/sbin/pre-down-wg0-inet.nft
mode: 0755
- name: WireGuard interface pre-down nftables ipv4 script
template:
src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/pre-down-wg0-ipv4.nft.j2
dest: /usr/local/sbin/pre-down-wg0-ipv4.nft
mode: 0755 mode: 0755
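Review bot: In the `Restart WireGuard interface` task, `ifdown wg0 && ifup wg0` never reaches `ifup` when `ifdown` returns non-zero — for instance when the `wg0` link exists but ifupdown does not regard it as configured (a failed boot-time ifup, or a `pre-down` hook that errors) — so the task fails with the interface left in its previous state. `ifdown --force wg0 ; ifup wg0` in that branch would let the restart converge, though it is worth checking how `ifup` reacts when the state file already lists the interface. As a style point, the newly added `mode: 0755` entries rely on YAML 1.1 octal parsing; `mode: "0755"` is the form ansible-lint expects and is unambiguous across parsers. The bridge task file has the same restart chain.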


@ -1,5 +1,6 @@
--- ---
- hosts: the_nine_worlds - name: Configure VPN network
hosts: the_nine_worlds
tasks: tasks:
- import_tasks: tasks/vpn/ipforward.yml - import_tasks: tasks/vpn/ipforward.yml