From 5905fffd822aec9a994a55b1973d10096a6abdc6 Mon Sep 17 00:00:00 2001
From: Wojciech Kozlowski
Date: Sun, 13 Aug 2023 23:47:03 +0200
Subject: [PATCH] Move wireguard to new config system
---
 system/base/utils/tasks/main.yml | 1 +
 vpn/bridge/templates/ifupdown.d/00-interface | 2 +-
 vpn/bridge/templates/ifupdown.d/20-routes | 16 ++--
 vpn/wireguard/tasks/main.yml | 91 +++++++++++++------
 vpn/wireguard/templates/client/IFACE | 21 -----
 .../templates/ifupdown.d/00-interface | 36 ++++++++
 .../templates/ifupdown.d/10-nftables | 27 ++++++
 .../templates/ifupdown.d/20-routes-client | 27 ++++++
 .../templates/ifupdown.d/20-routes-server | 47 ++++++++++
 vpn/wireguard/templates/interface | 2 +
 vpn/wireguard/templates/nftables/down.nft | 4 +
 vpn/wireguard/templates/nftables/up.nft | 19 ++++
 .../templates/post-up-IFACE-inet.nft | 16 ----
 .../templates/pre-down-IFACE-inet.nft | 4 -
 vpn/wireguard/templates/server/IFACE | 49 ----------
 .../wireguard-client.conf} | 0
 .../wireguard-server.conf} | 0
 17 files changed, 236 insertions(+), 126 deletions(-)
 delete mode 100644 vpn/wireguard/templates/client/IFACE
 create mode 100755 vpn/wireguard/templates/ifupdown.d/00-interface
 create mode 100755 vpn/wireguard/templates/ifupdown.d/10-nftables
 create mode 100755 vpn/wireguard/templates/ifupdown.d/20-routes-client
 create mode 100755 vpn/wireguard/templates/ifupdown.d/20-routes-server
 create mode 100644 vpn/wireguard/templates/interface
 create mode 100644 vpn/wireguard/templates/nftables/down.nft
 create mode 100644 vpn/wireguard/templates/nftables/up.nft
 delete mode 100644 vpn/wireguard/templates/post-up-IFACE-inet.nft
 delete mode 100644 vpn/wireguard/templates/pre-down-IFACE-inet.nft
 delete mode 100644 vpn/wireguard/templates/server/IFACE
 rename vpn/wireguard/templates/{client/IFACE.conf => wireguard/wireguard-client.conf} (100%)
 rename vpn/wireguard/templates/{server/IFACE.conf => wireguard/wireguard-server.conf} (100%)
diff --git a/system/base/utils/tasks/main.yml b/system/base/utils/tasks/main.yml
index 01a87af..dbb6da8 100644
--- a/system/base/utils/tasks/main.yml
+++ b/system/base/utils/tasks/main.yml
@@ -3,6 +3,7 @@ ansible.builtin.apt: name: - "acl" + - "gettext-base" - "git" - "htop" - "man"
diff --git a/vpn/bridge/templates/ifupdown.d/00-interface b/vpn/bridge/templates/ifupdown.d/00-interface
index 59638d2..c3287bb 100755
--- a/vpn/bridge/templates/ifupdown.d/00-interface
+++ b/vpn/bridge/templates/ifupdown.d/00-interface
@@ -16,7 +16,7 @@ case ${PHASE} in /usr/sbin/ip link add ${IFACE} type bridge /usr/sbin/ip link set dev ${IFACE} type bridge forward_delay 0 - /usr/sbin/sysctl -q -w net.ipv6.conf.br0.autoconf=0 + /usr/sbin/sysctl -q -w net.ipv6.conf.${IFACE}.autoconf=0 /usr/sbin/ip -4 address add {{ vpn_bridge_inet_address }}/{{ vpn_bridge_inet_prefixlen }} dev ${IFACE} /usr/sbin/ip -6 address add {{ vpn_bridge_inet6_address }}/{{ vpn_bridge_inet6_prefixlen }} dev ${IFACE} nodad
diff --git a/vpn/bridge/templates/ifupdown.d/20-routes b/vpn/bridge/templates/ifupdown.d/20-routes
index 0b49eb2..2bd370f 100755
--- a/vpn/bridge/templates/ifupdown.d/20-routes
+++ b/vpn/bridge/templates/ifupdown.d/20-routes
@@ -14,11 +14,11 @@ fi case ${PHASE} in "pre-up") {% if vpn_bridge_routing_table is defined %} - /usr/sbin/ip -4 rule add dev $IFACE table {{ vpn_bridge_routing_table }} - /usr/sbin/ip -6 rule add dev $IFACE table {{ vpn_bridge_routing_table }} + /usr/sbin/ip -4 rule add dev ${IFACE} table {{ vpn_bridge_routing_table }} + /usr/sbin/ip -6 rule add dev ${IFACE} table {{ vpn_bridge_routing_table }} - /usr/sbin/ip -4 rule add dev $IFACE to {{ local_inet_network }} table main priority 1 - /usr/sbin/ip -6 rule add dev $IFACE to {{ local_inet6_network }} table main priority 1 + /usr/sbin/ip -4 rule add dev ${IFACE} to {{ local_inet_network }} table main priority 1 + /usr/sbin/ip -6 rule add dev ${IFACE} to {{ local_inet6_network }} table main priority 1 {% endif %} ;; "post-up")
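Review bot: `gettext-base` is added to the base utils package list, but its only visible consumer is the wireguard role's new ifupdown.d/10-nftables, which runs `/usr/bin/envsubst` at pre-up, so a host that receives vpn/wireguard without system/base/utils (or before it) fails to load its nftables table on ifup. Unless role dependencies already guarantee that ordering, the wireguard role's own apt task in vpn/wireguard/tasks/main.yml is the safer place for it, `name:` / `- "wireguard"` / `- "gettext-base"`. Failing that, a comment here naming the dependency, `# gettext-base: provides envsubst for vpn/wireguard ifupdown.d/10-nftables`, keeps the package from being dropped as unused later.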
@@ -27,11 +27,11 @@ case ${PHASE} in ;; "post-down") {% if vpn_bridge_routing_table is defined %} - /usr/sbin/ip -6 rule del dev $IFACE to {{ local_inet6_network }} table main priority 1 - /usr/sbin/ip -4 rule del dev $IFACE to {{ local_inet_network }} table main priority 1 + /usr/sbin/ip -6 rule del dev ${IFACE} to {{ local_inet6_network }} table main priority 1 + /usr/sbin/ip -4 rule del dev ${IFACE} to {{ local_inet_network }} table main priority 1 - /usr/sbin/ip -6 rule del dev $IFACE table {{ vpn_bridge_routing_table }} - /usr/sbin/ip -4 rule del dev $IFACE table {{ vpn_bridge_routing_table }} + /usr/sbin/ip -6 rule del dev ${IFACE} table {{ vpn_bridge_routing_table }} + /usr/sbin/ip -4 rule del dev ${IFACE} table {{ vpn_bridge_routing_table }} {% endif %} ;; esac
diff --git a/vpn/wireguard/tasks/main.yml b/vpn/wireguard/tasks/main.yml
index 8366db1..8b959db 100644
--- a/vpn/wireguard/tasks/main.yml
+++ b/vpn/wireguard/tasks/main.yml
@@ -3,33 +3,55 @@ ansible.builtin.apt: name: "wireguard" -- name: "configure wireguard" - ansible.builtin.template: - src: "./{{ vpn_wireguard_role }}/IFACE.conf" - dest: "/etc/wireguard/{{ vpn_wireguard_iface }}.conf" - mode: 0600 - register: vpn_wireguard_conf - -- name: "post-up nftables inet script" - ansible.builtin.template: - src: "./post-up-IFACE-inet.nft" - dest: "/usr/local/sbin/post-up-{{ vpn_wireguard_iface }}-inet.nft" +- name: "create interface directory hierarchy" + ansible.builtin.file: + path: "{{ system_etc_root_directory }}/network/interfaces/{{ item }}" + state: "directory" mode: 0755 - register: vpn_wireguard_post_up_iface_inet_nft + loop: + - "{{ vpn_wireguard_iface }}" + - "{{ vpn_wireguard_iface }}/ifup.d" + - "{{ vpn_wireguard_iface }}/ifdown.d" + - "{{ vpn_wireguard_iface }}/nftables" + - "{{ vpn_wireguard_iface }}/wireguard" + +- name: "wireguard configuration" + ansible.builtin.template: + src: "./wireguard/wireguard-{{ vpn_wireguard_role }}.conf" + dest: "\ + {{ system_etc_root_directory }}/network/interfaces/\ + {{ vpn_wireguard_iface }}/wireguard/wireguard-{{ vpn_wireguard_role }}.conf" + mode: 0600 + register: vpn_wireguard_configuration + +- name: "nftables up script" + ansible.builtin.template: + src: "./nftables/up.nft" + dest: "\ + {{ system_etc_root_directory }}/network/interfaces/\ + {{ vpn_wireguard_iface }}/nftables/up.nft" + mode: 0644 + register: vpn_wireguard_nftables_up + +- name: "interface up scripts" + ansible.builtin.template: + src: "./ifupdown.d/{{ item }}" + dest: "\ + {{ system_etc_root_directory }}/network/interfaces/\ + {{ vpn_wireguard_iface }}/ifup.d/{{ item }}" + mode: 0755 + loop: + - "00-interface" + - "10-nftables" + - "20-routes-{{ vpn_wireguard_role }}" + register: vpn_wireguard_interface_up - name: "configure interface" ansible.builtin.template: - src: "./{{ vpn_wireguard_role }}/IFACE" + src: "./interface" dest: "/etc/network/interfaces.d/{{ vpn_wireguard_iface }}" mode: 0644 - validate: > - bash -c - 
'if ! diff %s /etc/network/interfaces.d/{{ vpn_wireguard_iface }} && - ip link show dev {{ vpn_wireguard_iface }} ; - then - ifdown {{ vpn_wireguard_iface }} ; - fi' - register: vpn_wireguard_intf + register: vpn_wireguard_interface_file - name: "restart interface" ansible.builtin.shell: |
@@ -40,12 +62,27 @@ ifup {{ vpn_wireguard_iface }} fi when: - vpn_wireguard_conf.changed or - vpn_wireguard_post_up_iface_inet_nft.changed or - vpn_wireguard_intf.changed + vpn_wireguard_configuration.changed or + vpn_wireguard_nftables_up.changed or + vpn_wireguard_interface_up.changed or + vpn_wireguard_interface_file.changed -- name: "pre-down nftables inet script" +- name: "nftables down script" ansible.builtin.template: - src: "./pre-down-IFACE-inet.nft" - dest: "/usr/local/sbin/pre-down-{{ vpn_wireguard_iface }}-inet.nft" + src: "./nftables/down.nft" + dest: "\ + {{ system_etc_root_directory }}/network/interfaces/\ + {{ vpn_wireguard_iface }}/nftables/down.nft" + mode: 0644 + +- name: "interface down scripts" + ansible.builtin.template: + src: "./ifupdown.d/{{ item }}" + dest: "\ + {{ system_etc_root_directory }}/network/interfaces/\ + {{ vpn_wireguard_iface }}/ifdown.d/{{ item }}" mode: 0755 + loop: + - "00-interface" + - "10-nftables" + - "20-routes-{{ vpn_wireguard_role }}"
diff --git a/vpn/wireguard/templates/client/IFACE b/vpn/wireguard/templates/client/IFACE
deleted file mode 100644
index 4a67497..0000000
--- a/vpn/wireguard/templates/client/IFACE
+++ /dev/null
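Review bot: Moving the templates does not retire the copies the removed tasks installed: `/etc/wireguard/{{ vpn_wireguard_iface }}.conf` (the former `wg setconf` input, which presumably carries the interface private key) and `/usr/local/sbin/post-up-{{ vpn_wireguard_iface }}-inet.nft` / `pre-down-…-inet.nft` stay behind on already-provisioned hosts, so the key material now lives in two places and stale root-run hook scripts remain under /usr/local/sbin. A `state: absent` task after "restart interface" would remove them once the old stanza has been torn down. Separately, the dropped `validate:` block was what ran `ifdown` against a changed stanza; that is only safe if the "restart interface" shell body, whose first lines are outside this hunk, still performs the ifdown itself before `ifup`.
```yaml
# … unchanged: "restart interface" task …

- name: "remove legacy wireguard configuration"
  ansible.builtin.file:
    path: "{{ item }}"
    state: "absent"
  loop:
    - "/etc/wireguard/{{ vpn_wireguard_iface }}.conf"
    - "/usr/local/sbin/post-up-{{ vpn_wireguard_iface }}-inet.nft"
    - "/usr/local/sbin/pre-down-{{ vpn_wireguard_iface }}-inet.nft"
```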
@@ -1,21 +0,0 @@
-auto {{ vpn_wireguard_iface }}
-iface {{ vpn_wireguard_iface }} inet6 static
- pre-up /usr/local/sbin/ip-link-add.sh $IFACE type wireguard
- pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
-
- post-up /usr/local/sbin/post-up-$IFACE-inet.nft
- post-up ip -6 route add default dev $IFACE table {{ vpn_wireguard_routing_table }}
-
- pre-down ip -6 route del default dev $IFACE table {{ vpn_wireguard_routing_table }}
- pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
-
- mtu {{ vpn_wireguard_mtu }}
-
- address {{ vpn_wireguard_inet6_address }}/{{ vpn_wireguard_inet6_prefixlen }}
-
-iface {{ vpn_wireguard_iface }} inet static
- post-up ip route add default dev $IFACE table {{ vpn_wireguard_routing_table }}
-
- pre-down ip route del default dev $IFACE table {{ vpn_wireguard_routing_table }}
-
- address {{ vpn_wireguard_inet_address }}/{{ vpn_wireguard_inet_prefixlen }}
diff --git a/vpn/wireguard/templates/ifupdown.d/00-interface b/vpn/wireguard/templates/ifupdown.d/00-interface
new file mode 100755
index 0000000..4bd5fe9
--- /dev/null
+++ b/vpn/wireguard/templates/ifupdown.d/00-interface
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+if [ ${MODE} == "start" ]
+then
+ set -ue
+elif [ ${MODE} == "stop" ]
+then
+ set -u
+else
+ echo "$(basename ${0}): mode must be one of either 'start' or 'stop'" 1>&2
+ exit 1
+fi
+
+case ${PHASE} in
+ "pre-up")
+ /usr/sbin/ip link add ${IFACE} type wireguard
+ /usr/sbin/ip link set dev ${IFACE} mtu {{ vpn_wireguard_mtu }}
+
+ /usr/sbin/sysctl -q -w net.ipv6.conf.${IFACE}.autoconf=0
+
+ /usr/bin/wg setconf ${IFACE} {{ system_etc_root_directory }}/network/interfaces/${IFACE}/wireguard/wireguard-{{ vpn_wireguard_role }}.conf
+
+ /usr/sbin/ip -4 address add {{ vpn_wireguard_inet_address }}/{{ vpn_wireguard_inet_prefixlen }} dev ${IFACE}
+ /usr/sbin/ip -6 address add {{ vpn_wireguard_inet6_address }}/{{ vpn_wireguard_inet6_prefixlen }} dev ${IFACE}
+ ;;
+ "post-up")
+ ;;
+ "pre-down")
+ ;;
+ "post-down")
+ /usr/sbin/ip -6 address flush dev ${IFACE}
+ /usr/sbin/ip -4 address flush dev ${IFACE}
+
+ /usr/sbin/ip link delete dev ${IFACE}
+ ;;
+esac
diff --git a/vpn/wireguard/templates/ifupdown.d/10-nftables b/vpn/wireguard/templates/ifupdown.d/10-nftables
new file mode 100755
index 0000000..746ca32
--- /dev/null
+++ b/vpn/wireguard/templates/ifupdown.d/10-nftables
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+if [ ${MODE} == "start" ]
+then
+ set -ue
+elif [ ${MODE} == "stop" ]
+then
+ set -u
+else
+ echo "$(basename ${0}): mode must be one of either 'start' or 'stop'" 1>&2
+ exit 1
+fi
+
+IFDIR={{ system_etc_root_directory }}/network/interfaces/${IFACE}
+
+case ${PHASE} in
+ "pre-up")
+ /usr/bin/envsubst '${IFACE}' < ${IFDIR}/nftables/up.nft | /usr/sbin/nft -f /dev/stdin
+ ;;
+ "post-up")
+ ;;
+ "pre-down")
+ ;;
+ "post-down")
+ /usr/bin/envsubst '${IFACE}' < ${IFDIR}/nftables/down.nft | /usr/sbin/nft -f /dev/stdin
+ ;;
+esac
diff --git a/vpn/wireguard/templates/ifupdown.d/20-routes-client b/vpn/wireguard/templates/ifupdown.d/20-routes-client
new file mode 100755
index 0000000..632966a
--- /dev/null
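Review bot: `if [ ${MODE} == "start" ]` on line 3 leaves `${MODE}` unquoted, and the `set -u` that would catch an unset variable is only enabled after this test, so an invocation without MODE yields bash's `unary operator expected` error instead of the script's own message on line 10; `if [ "${MODE}" == "start" ]` and `elif [ "${MODE}" == "stop" ]` fix it. The same prolog is repeated verbatim in 10-nftables, 20-routes-client and 20-routes-server, so the change applies to all four files, and the repetition is a candidate for a shared snippet sourced by each script.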
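Review bot: The pre-up pipeline `/usr/bin/envsubst '${IFACE}' < ${IFDIR}/nftables/up.nft | /usr/sbin/nft -f /dev/stdin` is guarded only by nft's exit status, because the `set -ue` on line 5 has no `pipefail`: if the redirect or envsubst fails, nft reads an empty stream and exits 0, so ifup succeeds with no `${IFACE}_inet` table loaded (no MSS clamp and, for the server role, no masquerade) and nothing reports it. `set -ueo pipefail` in the start branch makes that failure abort the pre-up. The stop branch runs under `set -u` only and can stay as is, since teardown should tolerate a table that is already gone.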
+++ b/vpn/wireguard/templates/ifupdown.d/20-routes-client
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+if [ ${MODE} == "start" ]
+then
+ set -ue
+elif [ ${MODE} == "stop" ]
+then
+ set -u
+else
+ echo "$(basename ${0}): mode must be one of either 'start' or 'stop'" 1>&2
+ exit 1
+fi
+
+case ${PHASE} in
+ "pre-up")
+ ;;
+ "post-up")
+ /usr/sbin/ip -4 route add default dev ${IFACE} table {{ vpn_wireguard_routing_table }}
+ /usr/sbin/ip -6 route add default dev ${IFACE} table {{ vpn_wireguard_routing_table }}
+ ;;
+ "pre-down")
+ /usr/sbin/ip -6 route del default dev ${IFACE} table {{ vpn_wireguard_routing_table }}
+ /usr/sbin/ip -4 route del default dev ${IFACE} table {{ vpn_wireguard_routing_table }}
+ ;;
+ "post-down")
+ ;;
+esac
diff --git a/vpn/wireguard/templates/ifupdown.d/20-routes-server b/vpn/wireguard/templates/ifupdown.d/20-routes-server
new file mode 100755
index 0000000..a00a12e
--- /dev/null
+++ b/vpn/wireguard/templates/ifupdown.d/20-routes-server
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+if [ ${MODE} == "start" ]
+then
+ set -ue
+elif [ ${MODE} == "stop" ]
+then
+ set -u
+else
+ echo "$(basename ${0}): mode must be one of either 'start' or 'stop'" 1>&2
+ exit 1
+fi
+
+case ${PHASE} in
+ "pre-up")
+{% if vpn_wireguard_routing_table is defined %}
+ /usr/sbin/ip -4 rule add sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
+ /usr/sbin/ip -6 rule add sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
+{% endif %}
+ ;;
+ "post-up")
+{% for client in vpn_wireguard_clients %}
+{% if 'inet_subnet' in client %}
+ /usr/sbin/ip -4 route add {{ client.inet_subnet }} dev ${IFACE}
+{% endif %}
+{% if 'inet6_subnet' in client %}
+ /usr/sbin/ip -6 route add {{ client.inet6_subnet }} dev ${IFACE}
+{% endif %}
+{% endfor %}
+ ;;
+ "pre-down")
+{% for client in vpn_wireguard_clients %}
+{% if 'inet6_subnet' in client %}
+ /usr/sbin/ip -6 route del {{ client.inet6_subnet }} dev ${IFACE}
+{% endif %}
+{% if 'inet_subnet' in client %}
+ /usr/sbin/ip -4 route del {{ client.inet_subnet }} dev ${IFACE}
+{% endif %}
+{% endfor %}
+ ;;
+ "post-down")
+{% if vpn_wireguard_routing_table is defined %}
+ /usr/sbin/ip -6 rule del sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
+ /usr/sbin/ip -4 rule del sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
+{% endif %}
+ ;;
+esac
diff --git a/vpn/wireguard/templates/interface b/vpn/wireguard/templates/interface
new file mode 100644
index 0000000..91e8361
--- /dev/null
+++ b/vpn/wireguard/templates/interface
@@ -0,0 +1,2 @@
+auto {{ vpn_wireguard_iface }}
+iface {{ vpn_wireguard_iface }} inet6 manual
diff --git a/vpn/wireguard/templates/nftables/down.nft b/vpn/wireguard/templates/nftables/down.nft
new file mode 100644
index 0000000..fb72e3a
--- /dev/null
+++ b/vpn/wireguard/templates/nftables/down.nft
@@ -0,0 +1,4 @@
+#!/usr/bin/env -S nft -f
+
+flush table inet ${IFACE}_inet
+delete table inet ${IFACE}_inet
diff --git a/vpn/wireguard/templates/nftables/up.nft b/vpn/wireguard/templates/nftables/up.nft
new file mode 100644
index 0000000..eb67419
--- /dev/null
+++ b/vpn/wireguard/templates/nftables/up.nft
@@ -0,0 +1,19 @@
+#!/usr/bin/env -S nft -f
+
+table inet ${IFACE}_inet {
+ chain forward {
+ type filter hook forward priority 0;
+ iif ${IFACE} tcp flags syn tcp option maxseg size set rt mtu;
+ oif ${IFACE} tcp flags syn tcp option maxseg size set rt mtu;
+ }
+{% if vpn_wireguard_role == "server" %}
+
+ chain postrouting {
+ type nat hook postrouting priority 100;
+ iif ${IFACE} oif { {{ [
+ ansible_default_ipv4.interface | default(ansible_default_ipv6.interface),
+ ansible_default_ipv6.interface | default(ansible_default_ipv4.interface)
+ ] | unique | join(", ") }} } masquerade;
+ }
+{% endif %}
+}
diff --git a/vpn/wireguard/templates/post-up-IFACE-inet.nft b/vpn/wireguard/templates/post-up-IFACE-inet.nft
deleted file mode 100644
index 5fafd7c..0000000
--- a/vpn/wireguard/templates/post-up-IFACE-inet.nft
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/usr/bin/env -S nft -f
-
-table inet {{ vpn_wireguard_iface }}_inet {
- chain forward {
- type filter hook forward priority 0;
- iif {{ vpn_wireguard_iface }} tcp flags syn tcp option maxseg size set rt mtu;
- oif {{ vpn_wireguard_iface }} tcp flags syn tcp option maxseg size set rt mtu;
- }
-{% if vpn_wireguard_role == "server" %}
-
- chain postrouting {
- type nat hook postrouting priority 100;
- iif {{ vpn_wireguard_iface }} oif { {{ [ansible_default_ipv4.interface, ansible_default_ipv6.interface] | unique | join(", ") }} } masquerade;
- }
-{% endif %}
-}
diff --git a/vpn/wireguard/templates/pre-down-IFACE-inet.nft b/vpn/wireguard/templates/pre-down-IFACE-inet.nft
deleted file mode 100644
index 0dac7dd..0000000
--- a/vpn/wireguard/templates/pre-down-IFACE-inet.nft
+++ /dev/null
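Review bot: `iif ${IFACE}` and `oif ${IFACE}` are resolved to an interface index when nft loads this ruleset, so the file can only be loaded after 00-interface's pre-up has created the link; that reliance on the 00-before-10 ordering in ifup.d is implicit and worth a header comment, `# Loaded by ifup.d/10-nftables at pre-up; ${IFACE} must already exist (created by 00-interface).`. The forward chain has no explicit policy and only clamps MSS, while the server-only postrouting chain masquerades everything arriving on ${IFACE} toward the default interfaces, so if the rules deciding what peers may forward live in another table, a second comment naming that location would spare the next reader the search.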
@@ -1,4 +0,0 @@
-#!/usr/bin/env -S nft -f
-
-flush table inet {{ vpn_wireguard_iface }}_inet
-delete table inet {{ vpn_wireguard_iface }}_inet
diff --git a/vpn/wireguard/templates/server/IFACE b/vpn/wireguard/templates/server/IFACE
deleted file mode 100644
index e66f2c3..0000000
--- a/vpn/wireguard/templates/server/IFACE
+++ /dev/null
@@ -1,49 +0,0 @@
-auto {{ vpn_wireguard_iface }}
-iface {{ vpn_wireguard_iface }} inet6 static
- pre-up /usr/local/sbin/ip-link-add.sh $IFACE type wireguard
- pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
-
- post-up /usr/local/sbin/post-up-$IFACE-inet.nft
-{% if vpn_wireguard_routing_table is defined %}
- post-up ip -6 rule add sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
-{% endif %}
-{% for client in vpn_wireguard_clients %}
-{% if 'inet6_subnet' in client %}
- post-up ip route add {{ client.inet6_subnet }} dev $IFACE
-{% endif %}
-{% endfor %}
-
-{% for client in vpn_wireguard_clients %}
-{% if 'inet6_subnet' in client %}
- pre-down ip route del {{ client.inet6_subnet }} dev $IFACE
-{% endif %}
-{% endfor %}
-{% if vpn_wireguard_routing_table is defined %}
- pre-down ip -6 rule del sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
-{% endif %}
- pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
-
- mtu {{ vpn_wireguard_mtu }}
-
- address {{ vpn_wireguard_inet6_address }}/{{ vpn_wireguard_inet6_prefixlen }}
-
-iface {{ vpn_wireguard_iface }} inet static
-{% if vpn_wireguard_routing_table is defined %}
- post-up ip rule add sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
-{% endif %}
-{% for client in vpn_wireguard_clients %}
-{% if 'inet_subnet' in client %}
- post-up ip route add {{ client.inet_subnet }} dev $IFACE
-{% endif %}
-{% endfor %}
-
-{% for client in vpn_wireguard_clients %}
-{% if 'inet_subnet' in client %}
- pre-down ip route del {{ client.inet_subnet }} dev $IFACE
-{% endif %}
-{% endfor %}
-{% if vpn_wireguard_routing_table is defined %}
- pre-down ip rule del sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
-{% endif %}
-
- address {{ vpn_wireguard_inet_address }}/{{ vpn_wireguard_inet_prefixlen }}
diff --git a/vpn/wireguard/templates/client/IFACE.conf b/vpn/wireguard/templates/wireguard/wireguard-client.conf
similarity index 100%
rename from vpn/wireguard/templates/client/IFACE.conf
rename to vpn/wireguard/templates/wireguard/wireguard-client.conf
diff --git a/vpn/wireguard/templates/server/IFACE.conf b/vpn/wireguard/templates/wireguard/wireguard-server.conf
similarity index 100%
rename from vpn/wireguard/templates/server/IFACE.conf
rename to vpn/wireguard/templates/wireguard/wireguard-server.conf