Add vpn:bridge:br0

This commit is contained in:
Wojciech Kozlowski 2022-12-08 23:27:25 +01:00
parent 4285e87477
commit dda51db812
19 changed files with 127 additions and 117 deletions

View File

@ -3,5 +3,4 @@
hosts: asgard hosts: asgard
tasks: tasks:
- import_tasks: tasks/vpn/bridge.yml
- import_tasks: tasks/vpn/wireguard.yml - import_tasks: tasks/vpn/wireguard.yml

View File

@ -1,20 +0,0 @@
auto br0
iface br0 inet static
pre-up ip link add $IFACE type bridge
post-up /usr/local/sbin/post-up-$IFACE-inet.nft
post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
post-down ip link del dev $IFACE
bridge_stp off
bridge_waitport 0
bridge_fd 0
bridge_ports none
address {{ vpn_br0_address }}
broadcast {{ vpn_br0_broadcast }}
netmask {{ vpn_br0_netmask }}

View File

@ -1,13 +0,0 @@
#!/usr/bin/env -S nft -f
table ip br0_ipv4 {
chain prerouting {
type nat hook prerouting priority -100;
iif {{ ethx }} tcp dport { 80, 443 } dnat to {{ services['rproxy'].address }};
}
chain postrouting {
type nat hook postrouting priority 100;
iif br0 oif {{ ethx }} masquerade;
}
}

View File

@ -1,24 +0,0 @@
auto br0
iface br0 inet static
pre-up ip link add $IFACE type bridge
post-up /usr/local/sbin/post-up-$IFACE-inet.nft
post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
post-up ip rule add dev $IFACE table 66
post-up ip rule add dev $IFACE to {{ subnet }} table main priority 1
pre-down ip rule del dev $IFACE to {{ subnet }} table main priority 1
pre-down ip rule del dev $IFACE table 66
pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
post-down ip link del dev $IFACE
bridge_stp off
bridge_waitport 0
bridge_fd 0
bridge_ports none
address {{ vpn_br0_address }}
broadcast {{ vpn_br0_broadcast }}
netmask {{ vpn_br0_netmask }}

View File

@ -1,5 +0,0 @@
#!/usr/bin/env -S nft -f
table inet br0_inet {
}

View File

@ -1,4 +0,0 @@
#!/usr/bin/env -S nft -f
flush table inet br0_inet
delete table inet br0_inet

View File

@ -1,4 +0,0 @@
#!/usr/bin/env -S nft -f
flush table ip br0_ipv4
delete table ip br0_ipv4

View File

@ -1,11 +1,11 @@
--- ---
- name: "system : group:ups" - name: "system : ups"
hosts: "ups" hosts: "ups"
roles: roles:
- role: "ups" - role: "ups"
tags: "system:ups" tags: "system:ups"
- name: "system : group:smart" - name: "system : smart"
hosts: "smart" hosts: "smart"
roles: roles:
- role: "smart" - role: "smart"
@ -13,13 +13,13 @@
system_base_smartd_conf_file: "files/smart/smartd.conf" system_base_smartd_conf_file: "files/smart/smartd.conf"
tags: "system:smart" tags: "system:smart"
- name: "system : group:zfs" - name: "system : zfs"
hosts: "zfs" hosts: "zfs"
roles: roles:
- role: "zfs" - role: "zfs"
tags: "system:zfs" tags: "system:zfs"
- name: "system : group:all" - name: "system : all"
hosts: "all" hosts: "all"
roles: roles:
- role: "mail" - role: "mail"

View File

@ -1,6 +1,18 @@
--- ---
- name: "vpn : group:all" - name: "vpn : all"
hosts: "all" hosts: "all"
roles: roles:
- role: "base" - role: "base"
tags: "vpn:base" tags: "vpn:base"
# - name: "vpn : bifrost"
# hosts: "bifrost"
# roles:
# - role: "gateway"
# tags: "vpn:gateway"
- name: "vpn : asgard"
hosts: "asgard"
roles:
- role: "bridge"
tags: "vpn:bridge"

View File

@ -0,0 +1,8 @@
#!/usr/bin/env bash
set -u
if ! ip link show dev "${1}" > /dev/null 2>&1
then
ip link add "${@}"
fi

View File

@ -8,3 +8,9 @@
- name: "install wireguard" - name: "install wireguard"
ansible.builtin.apt: ansible.builtin.apt:
name: "wireguard" name: "wireguard"
- name: "script for creating virtual interfaces"
ansible.builtin.copy:
src: "./ip-link-add.sh"
dest: "/usr/local/sbin/ip-link-add.sh"
mode: 0755

View File

@ -0,0 +1,26 @@
argument_specs:
main:
options:
ansible_default_ipv4:
interface:
type: "str"
required: true
local_network:
type: "str"
required: false
vpn_routing_table:
type: "int"
required: true
vpn_bridge_dnat:
type: "list"
elements: "dict"
required: true
vpn_bridge_br0_address:
type: "str"
required: true
vpn_bridge_br0_broadcast:
type: "str"
required: true
vpn_bridge_br0_netmask:
type: "str"
required: true

View File

@ -1,21 +1,21 @@
- name: Bridge interface post-up nftables inet script - name: "br0 : post-up nftables inet script"
template: ansible.builtin.template:
src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/post-up-br0-inet.nft.j2 src: "./br0/post-up-br0-inet.nft.j2"
dest: /usr/local/sbin/post-up-br0-inet.nft dest: "/usr/local/sbin/post-up-br0-inet.nft"
mode: 0755 mode: 0755
register: br_intf_post_up_inet register: vpn_bridge_post_up_br0_inet_nft
- name: Bridge interface post-up nftables ipv4 script - name: "br0 : post-up nftables ipv4 script"
template: ansible.builtin.template:
src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/post-up-br0-ipv4.nft.j2 src: "./br0/post-up-br0-ipv4.nft.j2"
dest: /usr/local/sbin/post-up-br0-ipv4.nft dest: "/usr/local/sbin/post-up-br0-ipv4.nft"
mode: 0755 mode: 0755
register: br_intf_post_up_ipv4 register: vpn_bridge_post_up_br0_ipv4_nft
- name: Create bridge interface - name: "br0 : configure interface"
template: ansible.builtin.template:
src: ./filesystem/{{ ansible_hostname }}/etc/network/interfaces.d/br0.j2 src: "./br0/br0.j2"
dest: /etc/network/interfaces.d/br0 dest: "/etc/network/interfaces.d/br0"
mode: 0644 mode: 0644
validate: > validate: >
bash -c bash -c
@ -23,32 +23,29 @@
then then
ifdown br0 ; ifdown br0 ;
fi' fi'
register: br_intf register: vpn_bridge_br0_conf
- block:
- name: Restart bridge interface
shell: if ip link show dev br0 ; then ifdown br0 && ifup br0 ; else ifup br0 ; fi
- name: Reconnect all services
systemd:
name: connect-pod-service@{{ item }}.service
state: started
with_items:
- "{{ host_services }}"
- name: "br0 : restart interface"
ansible.builtin.shell: |
if ip link show dev br0
then
ifdown br0 && ifup br0
else
ifup br0
fi
when: when:
br_intf_post_up_inet is changed or vpn_bridge_post_up_br0_inet_nft.changed or
br_intf_post_up_ipv4 is changed or vpn_bridge_post_up_br0_ipv4_nft.changed or
br_intf is changed vpn_bridge_br0_conf.changed
- name: Bridge interface pre-down nftables inet script - name: "br0 : pre-down nftables inet script"
template: ansible.builtin.copy:
src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/pre-down-br0-inet.nft.j2 src: "./br0/pre-down-br0-inet.nft"
dest: /usr/local/sbin/pre-down-br0-inet.nft dest: "/usr/local/sbin/pre-down-br0-inet.nft"
mode: 0755 mode: 0755
- name: Bridge interface pre-down nftables ipv4 script - name: "br0 : pre-down nftables ipv4 script"
template: ansible.builtin.copy:
src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/pre-down-br0-ipv4.nft.j2 src: "./br0/pre-down-br0-ipv4.nft"
dest: /usr/local/sbin/pre-down-br0-ipv4.nft dest: "/usr/local/sbin/pre-down-br0-ipv4.nft"
mode: 0755 mode: 0755

View File

@ -0,0 +1,3 @@
- name: "play:vpn : role:bridge : tasks:br0"
ansible.builtin.import_tasks: "include/br0.yml"
tags: "vpn:bridge:br0"

View File

@ -0,0 +1,26 @@
auto br0
iface br0 inet static
pre-up /usr/local/sbin/ip-link-add.sh $IFACE type bridge
post-up /usr/local/sbin/post-up-$IFACE-inet.nft
post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
{% if local_network is defined %}
post-up ip rule add dev $IFACE table {{ vpn_routing_table }}
post-up ip rule add dev $IFACE to {{ local_network }} table main priority 1
{% endif %}
{% if local_network is defined %}
pre-down ip rule del dev $IFACE to {{ local_network }} table main priority 1
pre-down ip rule del dev $IFACE table {{ vpn_routing_table }}
{% endif %}
pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
bridge_stp off
bridge_waitport 0
bridge_fd 0
bridge_ports none
address {{ vpn_bridge_br0_address }}
broadcast {{ vpn_bridge_br0_broadcast }}
netmask {{ vpn_bridge_br0_netmask }}

View File

@ -3,18 +3,21 @@
table ip br0_ipv4 { table ip br0_ipv4 {
chain prerouting { chain prerouting {
type nat hook prerouting priority -100; type nat hook prerouting priority -100;
iif {{ ethx }} tcp dport { 80, 443 } dnat to {{ services['lrproxy'].address }}; {% for forward in vpn_bridge_dnat %}
iif {{ ethx }} tcp dport {{ services['git'].ssh_port }} dnat to {{ services['git'].address }}; iif {{ ansible_default_ipv4.interface }} tcp dport { {{ forward.ports | join(", ") }} } dnat to {{ forward.address }};
{% endfor %}
} }
{% if local_network is defined %}
chain input { chain input {
type filter hook input priority 0; type filter hook input priority 0;
ct state established,related accept; ct state established,related accept;
iif br0 ip daddr {{ subnet }} drop; iif br0 ip daddr {{ local_network }} drop;
} }
{% endif %}
chain postrouting { chain postrouting {
type nat hook postrouting priority 100; type nat hook postrouting priority 100;
iif br0 oif {{ ethx }} masquerade; iif br0 oif {{ ansible_default_ipv4.interface }} masquerade;
} }
} }