Add vpn:bridge:wg0

This commit is contained in:
Wojciech Kozlowski 2022-12-09 01:16:00 +01:00
parent dda51db812
commit ad6a9c1396
21 changed files with 148 additions and 142 deletions


@ -1,6 +0,0 @@
---
- name: Configure VPN network
hosts: asgard
tasks:
- import_tasks: tasks/vpn/wireguard.yml


@ -1,18 +0,0 @@
auto wg0
iface wg0 inet static
pre-up ip link add $IFACE type wireguard
pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
pre-up ip link set mtu 1420 dev $IFACE
post-up /usr/local/sbin/post-up-$IFACE-inet.nft
post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
post-up ip route add {{ vpn_remote_br0_subnet }} dev $IFACE
pre-down ip route del {{ vpn_remote_br0_subnet }} dev $IFACE
pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
post-down ip link del dev $IFACE
address {{ vpn_wg0_address }}
netmask {{ vpn_wg0_netmask }}


@ -1,8 +0,0 @@
[Interface]
PrivateKey = {{ vpn_wg0_interface_private_key }}
ListenPort = {{ vpn_wg0_port }}
[Peer]
PublicKey = {{ vpn_wg0_peer_public_key }}
PresharedKey = {{ vpn_wg0_preshared_key }}
AllowedIPs = {{ vpn_wg0_subnet }},{{ vpn_remote_br0_subnet }}


@ -1,18 +0,0 @@
auto wg0
iface wg0 inet static
pre-up ip link add $IFACE type wireguard
pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
pre-up ip link set mtu 1420 dev $IFACE
post-up /usr/local/sbin/post-up-$IFACE-inet.nft
post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
post-up ip route add default dev $IFACE table 66
pre-down ip route del default dev $IFACE table 66
pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
post-down ip link del dev $IFACE
address {{ vpn_wg0_address }}
netmask {{ vpn_wg0_netmask }}


@ -1,9 +0,0 @@
[Interface]
PrivateKey = {{ vpn_wg0_interface_private_key }}
[Peer]
PublicKey = {{ vpn_wg0_peer_public_key }}
PresharedKey = {{ vpn_wg0_preshared_key }}
Endpoint = {{ vpn_wg0_endpoint_address }}:{{ vpn_wg0_port }}
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 15


@ -1,9 +0,0 @@
#!/usr/bin/env -S nft -f
table inet wg0_inet {
chain forward {
type filter hook forward priority 0;
iif wg0 tcp flags syn tcp option maxseg size set rt mtu;
oif wg0 tcp flags syn tcp option maxseg size set rt mtu;
}
}


@ -1,5 +0,0 @@
#!/usr/bin/env -S nft -f
table ip wg0_ipv4 {
}


@ -1,4 +0,0 @@
#!/usr/bin/env -S nft -f
flush table inet wg0_inet
delete table inet wg0_inet


@ -1,4 +0,0 @@
#!/usr/bin/env -S nft -f
flush table ip wg0_ipv4
delete table ip wg0_ipv4


@ -1,53 +0,0 @@
- name: WireGuard interface configuration
template:
src: ./filesystem/{{ ansible_hostname }}/etc/wireguard/wg0.conf.j2
dest: /etc/wireguard/wg0.conf
mode: 0600
register: wg_intf_conf
- name: WireGuard interface post-up nftables inet script
template:
src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/post-up-wg0-inet.nft.j2
dest: /usr/local/sbin/post-up-wg0-inet.nft
mode: 0755
register: wg_intf_post_up_inet
- name: WireGuard interface post-up nftables ipv4 script
template:
src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/post-up-wg0-ipv4.nft.j2
dest: /usr/local/sbin/post-up-wg0-ipv4.nft
mode: 0755
register: wg_intf_post_up_ipv4
- name: Create WireGuard interface
template:
src: ./filesystem/{{ ansible_hostname }}/etc/network/interfaces.d/wg0.j2
dest: /etc/network/interfaces.d/wg0
mode: 0644
validate: >
bash -c
'if ! diff %s /etc/network/interfaces.d/wg0 && ip link show dev wg0 ;
then
ifdown wg0 ;
fi'
register: wg_intf
- name: Restart WireGuard interface
shell: if ip link show dev wg0 ; then ifdown wg0 && ifup wg0 ; else ifup wg0 ; fi
when:
wg_intf_conf is changed or
wg_intf_post_up_inet is changed or
wg_intf_post_up_ipv4 is changed or
wg_intf is changed
- name: WireGuard interface pre-down nftables inet script
template:
src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/pre-down-wg0-inet.nft.j2
dest: /usr/local/sbin/pre-down-wg0-inet.nft
mode: 0755
- name: WireGuard interface pre-down nftables ipv4 script
template:
src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/pre-down-wg0-ipv4.nft.j2
dest: /usr/local/sbin/pre-down-wg0-ipv4.nft
mode: 0755


@ -8,7 +8,7 @@ argument_specs:
local_network: local_network:
type: "str" type: "str"
required: false required: false
vpn_routing_table: vpn_bridge_routing_table:
type: "int" type: "int"
required: true required: true
vpn_bridge_dnat: vpn_bridge_dnat:
@ -24,3 +24,28 @@ argument_specs:
vpn_bridge_br0_netmask: vpn_bridge_br0_netmask:
type: "str" type: "str"
required: true required: true
vpn_bridge_role:
type: "str"
required: true
vpn_bridge_wg0_port:
type: "int"
required: true
vpn_bridge_wg0_interface_private_key:
type: "str"
required: true
vpn_bridge_wg0_preshared_key:
type: "str"
required: true
vpn_bridge_wg0_subnet:
type: "str"
required: true
vpn_bridge_wg0_clients:
type: "list"
elem: "dict"
required: "{{ vpn_bridge_role == 'server' }}"
vpn_bridge_wg0_server_public_key:
type: "str"
required: "{{ vpn_bridge_role == 'client' }}"
vpn_bridge_wg0_server_address:
type: "str"
required: "{{ vpn_bridge_role == 'client' }}"
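Review bot: `vpn_bridge_wg0_clients` declares its item type with `elem: "dict"`, but the argument-spec key for a list's element type is `elements`; as written the key is either ignored or rejected by the spec validator, so the client entries go unchecked. `vpn_bridge_role` drives every branch in the new templates yet has no `choices`, so a misspelt value validates fine and renders a wg0.conf with neither `ListenPort` nor any `[Peer]` section; `choices: ["server", "client"]` would catch that at validation time. The templated `required: "{{ vpn_bridge_role == 'server' }}"` values also depend on the spec being templated before it is evaluated — worth confirming against the Ansible version in use, since a non-empty string that is not templated is simply truthy and all three variables become unconditionally required.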


@ -23,7 +23,7 @@
then then
ifdown br0 ; ifdown br0 ;
fi' fi'
register: vpn_bridge_br0_conf register: vpn_bridge_br0_intf
- name: "br0 : restart interface" - name: "br0 : restart interface"
ansible.builtin.shell: | ansible.builtin.shell: |
@ -36,7 +36,7 @@
when: when:
vpn_bridge_post_up_br0_inet_nft.changed or vpn_bridge_post_up_br0_inet_nft.changed or
vpn_bridge_post_up_br0_ipv4_nft.changed or vpn_bridge_post_up_br0_ipv4_nft.changed or
vpn_bridge_br0_conf.changed vpn_bridge_br0_intf.changed
- name: "br0 : pre-down nftables inet script" - name: "br0 : pre-down nftables inet script"
ansible.builtin.copy: ansible.builtin.copy:


@ -0,0 +1,59 @@
- name: "wg0 : configure wireguard"
ansible.builtin.template:
src: "./wg0/wg0.conf.j2"
dest: "/etc/wireguard/wg0.conf"
mode: 0600
register: vpn_bridge_wg0_conf
- name: "wg0 : post-up nftables inet script"
ansible.builtin.template:
src: "./wg0/post-up-wg0-inet.nft.j2"
dest: "/usr/local/sbin/post-up-wg0-inet.nft"
mode: 0755
register: vpn_bridge_post_up_wg0_inet_nft
- name: "wg0 : post-up nftables ipv4 script"
ansible.builtin.template:
src: "./wg0/post-up-wg0-ipv4.nft.j2"
dest: "/usr/local/sbin/post-up-wg0-ipv4.nft"
mode: 0755
register: vpn_bridge_post_up_wg0_ipv4_nft
- name: "wg0 : configure interface"
ansible.builtin.template:
src: "./wg0/wg0.j2"
dest: "/etc/network/interfaces.d/wg0"
mode: 0644
validate: >
bash -c
'if ! diff %s /etc/network/interfaces.d/wg0 && ip link show dev wg0 ;
then
ifdown wg0 ;
fi'
register: vpn_bridge_wg0_intf
- name: "wg0 : restart interface"
ansible.builtin.shell: |
if ip link show dev wg0
then
ifdown wg0 && ifup wg0
else
ifup wg0
fi
when:
vpn_bridge_wg0_conf.changed or
vpn_bridge_post_up_wg0_inet_nft.changed or
vpn_bridge_post_up_wg0_ipv4_nft.changed or
vpn_bridge_wg0_intf.changed
- name: "wg0 : pre-down nftables inet script"
ansible.builtin.copy:
src: "./wg0/pre-down-wg0-inet.nft"
dest: "/usr/local/sbin/pre-down-wg0-inet.nft"
mode: 0755
- name: "wg0 : pre-down nftables ipv4 script"
ansible.builtin.copy:
src: "./wg0/pre-down-wg0-ipv4.nft"
dest: "/usr/local/sbin/pre-down-wg0-ipv4.nft"
mode: 0755
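Review bot: The `wg0 : configure wireguard` task renders a file that carries the interface private key and the pre-shared key, and nothing on the task keeps that content out of controller output: a run with `--diff` prints the rendered file, key material included. Adding `diff: false` to that task (or `no_log: true` if the task result must be hidden as well) keeps the keys out of logs without changing what is written to `/etc/wireguard/wg0.conf`. The `mode:` values are unquoted octals (`0600`, `0755`, `0644`); they parse as intended because of the leading zero, but `mode: "0600"` is the conventional form and is not dependent on YAML 1.1 octal handling.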


@ -1,3 +1,6 @@
- name: "play:vpn : role:bridge : tasks:br0" - name: "play:vpn : role:bridge : tasks:br0"
ansible.builtin.import_tasks: "include/br0.yml" ansible.builtin.import_tasks: "include/br0.yml"
tags: "vpn:bridge:br0" tags: "vpn:bridge:br0"
- name: "play:vpn : role:bridge : tasks:wg0"
ansible.builtin.import_tasks: "include/wg0.yml"
tags: "vpn:bridge:wg0"


@ -4,14 +4,14 @@ iface br0 inet static
post-up /usr/local/sbin/post-up-$IFACE-inet.nft post-up /usr/local/sbin/post-up-$IFACE-inet.nft
post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
{% if local_network is defined %} {% if vpn_bridge_role == "client" %}
post-up ip rule add dev $IFACE table {{ vpn_routing_table }} post-up ip rule add dev $IFACE table {{ vpn_bridge_routing_table }}
post-up ip rule add dev $IFACE to {{ local_network }} table main priority 1 post-up ip rule add dev $IFACE to {{ local_network }} table main priority 1
{% endif %} {% endif %}
{% if local_network is defined %} {% if vpn_bridge_role == "client" %}
pre-down ip rule del dev $IFACE to {{ local_network }} table main priority 1 pre-down ip rule del dev $IFACE to {{ local_network }} table main priority 1
pre-down ip rule del dev $IFACE table {{ vpn_routing_table }} pre-down ip rule del dev $IFACE table {{ vpn_bridge_routing_table }}
{% endif %} {% endif %}
pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
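Review bot: The guards on the changed lines now test `vpn_bridge_role == "client"` while the bodies still expand `{{ local_network }}`, which this commit's argument spec leaves `required: false`; a client host that does not set it no longer skips the block as it did under the old `is defined` guard but fails at template time on an undefined variable. Either carry the old condition into the new one, `{% if vpn_bridge_role == "client" and local_network is defined %}`, or make the variable mandatory for clients in argument_specs with `required: "{{ vpn_bridge_role == 'client' }}"` as the other client-only variables do. The enclosing `iface br0 inet static` stanza begins before this hunk.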


@ -1,8 +1,12 @@
#!/usr/bin/env -S nft -f #!/usr/bin/env -S nft -f
table ip wg0_ipv4 { table ip wg0_ipv4 {
{% if vpn_bridge_role == "server" %}
chain postrouting { chain postrouting {
type nat hook postrouting priority 100; type nat hook postrouting priority 100;
iif wg0 oif {{ ethx }} masquerade; iif wg0 oif {{ ansible_default_ipv4.interface }} masquerade;
} }
{% endif %}
} }
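Review bot: `{{ ansible_default_ipv4.interface }}` on the masquerade line is a gathered fact, so this template now fails to render when the play runs with fact gathering disabled or on a host without a default IPv4 route; the `{{ ethx }}` it replaces was a plain variable with no such dependency. If relying on facts is intended, a template comment such as `{# requires gathered facts: ansible_default_ipv4 #}` makes the dependency visible; otherwise keep an explicit variable and fall back to the fact, e.g. `{{ vpn_bridge_wan_interface | default(ansible_default_ipv4.interface) }}` (placeholder variable name, not on the page).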


@ -0,0 +1,21 @@
[Interface]
PrivateKey = {{ vpn_bridge_wg0_interface_private_key }}
{% if vpn_bridge_role == "server" %}
ListenPort = {{ vpn_bridge_wg0_port }}
{% endif %}
{% if vpn_bridge_role == "server" %}
{% for client in vpn_bridge_wg0_clients %}
[Peer]
PublicKey = {{ client.public_key }}
PresharedKey = {{ vpn_bridge_wg0_preshared_key }}
AllowedIPs = {{ vpn_bridge_wg0_subnet }},{{ client.subnet }}
{% endfor %}
{% elif vpn_bridge_role == "client" %}
[Peer]
PublicKey = {{ vpn_bridge_wg0_server_public_key }}
PresharedKey = {{ vpn_bridge_wg0_preshared_key }}
Endpoint = {{ vpn_bridge_wg0_server_address }}:{{ vpn_bridge_wg0_port }}
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 15
{% endif %}
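Review bot: On the server branch every client peer is given `AllowedIPs = {{ vpn_bridge_wg0_subnet }},{{ client.subnet }}`, but WireGuard assigns each allowed prefix to exactly one peer, so the shared tunnel subnet ends up attached to the last client in the loop and inner packets from the other clients, whose source address lies in that subnet, fail the cryptokey source check and are dropped. The single-peer file this replaces used the same line, which is why it worked there. Each peer should list only its own tunnel address, e.g. `AllowedIPs = {{ client.address }}/32,{{ client.subnet }}` with an `address` field added to the client dict (placeholder field name, not on the page). The same `vpn_bridge_wg0_preshared_key` is also reused for every peer; a WireGuard PSK is a per-peer secret, and one value shared across all clients gives no client protection from a compromised sibling, so a per-client `client.preshared_key` would be the safer shape. The two adjacent `vpn_bridge_role == "server"` blocks at the top could be folded into one.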


@ -0,0 +1,28 @@
auto wg0
iface wg0 inet static
pre-up /usr/local/sbin/ip-link-add.sh $IFACE type wireguard
pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
pre-up ip link set mtu 1420 dev $IFACE
post-up /usr/local/sbin/post-up-$IFACE-inet.nft
post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
{% if vpn_bridge_role == "client" %}
post-up ip route add default dev $IFACE table {{ vpn_bridge_routing_table }}
{% elif vpn_bridge_role == "server" %}
{% for client in vpn_bridge_wg0_clients %}
post-up ip route add {{ client.subnet }} dev $IFACE
{% endfor %}
{% endif %}
{% if vpn_bridge_role == "server" %}
{% for client in vpn_bridge_wg0_clients %}
pre-down ip route del {{ client.subnet }} dev $IFACE
{% endfor %}
{% elif vpn_bridge_role == "client" %}
pre-down ip route del default dev $IFACE table {{ vpn_bridge_routing_table }}
{% endif %}
pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
address {{ vpn_bridge_wg0_address }}
netmask {{ vpn_bridge_wg0_netmask }}
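Review bot: `pre-up /usr/local/sbin/ip-link-add.sh $IFACE type wireguard` replaces the plain `ip link add` of the deleted interface file, but none of the visible wg0 tasks installs that helper; if one of the files not shown here deploys it, a comment above the line such as `# ip-link-add.sh is installed by <task name>` would spare the next reader the search, otherwise `ifup wg0` fails at pre-up. The server-side `for client in vpn_bridge_wg0_clients` loop is written twice, once for `post-up` and once for `pre-down`, with the role branches in opposite order; writing both branches in the same order would make the add/del symmetry easy to verify by eye. The MTU `1420` remains hard-coded, as it was in the file this replaces.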