From b1218945b64311fa6095a569a6a8cfbc09c7e5cf Mon Sep 17 00:00:00 2001 From: Wojciech Kozlowski Date: Fri, 28 Jul 2023 22:30:55 +0200 Subject: [PATCH] Fully migrate wireguard to IPv6 --- vpn/bridge/meta/argument_specs.yml | 4 ++ vpn/wireguard/meta/argument_specs.yml | 16 +++++--- vpn/wireguard/templates/client/IFACE | 24 +++++------- .../templates/post-up-IFACE-inet.nft | 2 +- vpn/wireguard/templates/server/IFACE | 37 +++++++++++++------ vpn/wireguard/templates/server/IFACE.conf | 6 +-- 6 files changed, 54 insertions(+), 35 deletions(-) diff --git a/vpn/bridge/meta/argument_specs.yml b/vpn/bridge/meta/argument_specs.yml index 1afbda0..9a71e4c 100644 --- a/vpn/bridge/meta/argument_specs.yml +++ b/vpn/bridge/meta/argument_specs.yml @@ -6,6 +6,10 @@ argument_specs: interface: type: "str" required: true + ansible_default_ipv6: + interface: + type: "str" + required: true local_inet_network: type: "str" required: false diff --git a/vpn/wireguard/meta/argument_specs.yml b/vpn/wireguard/meta/argument_specs.yml index d9acc64..233592e 100644 --- a/vpn/wireguard/meta/argument_specs.yml +++ b/vpn/wireguard/meta/argument_specs.yml @@ -6,6 +6,10 @@ argument_specs: interface: type: "str" required: true + ansible_default_ipv6: + interface: + type: "str" + required: true vpn_wireguard_iface: type: "str" required: true @@ -15,18 +19,18 @@ argument_specs: vpn_wireguard_role: type: "str" required: true - vpn_wireguard_address: + vpn_wireguard_inet_address: type: "str" required: true - vpn_wireguard_prefixlen: + vpn_wireguard_inet_prefixlen: type: "str" required: true - vpn_wireguard_address_v6: + vpn_wireguard_inet6_address: type: "str" - required: false - vpn_wireguard_prefixlen_v6: + required: true + vpn_wireguard_inet6_prefixlen: type: "str" - required: "{{ vpn_wireguard_address_v6 is defined }}" + required: true vpn_wireguard_port: type: "int" required: true diff --git a/vpn/wireguard/templates/client/IFACE b/vpn/wireguard/templates/client/IFACE index 05b95b5..4445f58 100644 
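Review bot: The renamed `vpn_wireguard_inet_subnet` / `vpn_wireguard_inet6_subnet` variables that the new server IFACE.conf template renders, and the per-client `inet_subnet` / `inet6_subnet` keys, do not appear in this argument-spec hunk; unless they are declared further down the file (outside the hunk), the rename is only caught at template time as an undefined-variable error instead of at role entry. Consider adding `vpn_wireguard_inet_subnet` and `vpn_wireguard_inet6_subnet` as `type: "str"`, `required: true` beside the address entries, plus a `vpn_wireguard_clients` list spec whose element options name the two optional subnet keys. Making `vpn_wireguard_inet6_address` / `_prefixlen` mandatory is consistent with the migration, but a comment above them, `# IPv6 is mandatory: the wg link is now created and torn down by the inet6 stanza`, would explain why the previously optional form was dropped.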
--- a/vpn/wireguard/templates/client/IFACE +++ b/vpn/wireguard/templates/client/IFACE @@ -1,24 +1,20 @@ auto {{ vpn_wireguard_iface }} -iface {{ vpn_wireguard_iface }} inet static +iface {{ vpn_wireguard_iface }} inet6 static pre-up /usr/local/sbin/ip-link-add.sh $IFACE type wireguard pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf pre-up ip link set mtu {{ vpn_wireguard_mtu }} dev $IFACE post-up /usr/local/sbin/post-up-$IFACE-inet.nft - post-up ip route add default dev $IFACE table {{ vpn_wireguard_routing_table }} - - pre-down ip route del default dev $IFACE table {{ vpn_wireguard_routing_table }} - pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft - - address {{ vpn_wireguard_address }} - netmask {{ vpn_wireguard_prefixlen }} -{% if vpn_wireguard_address_v6 is defined %} - -iface {{ vpn_wireguard_iface }} inet6 static post-up ip -6 route add default dev $IFACE table {{ vpn_wireguard_routing_table }} pre-down ip -6 route del default dev $IFACE table {{ vpn_wireguard_routing_table }} + pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft - address {{ vpn_wireguard_address_v6 }} - netmask {{ vpn_wireguard_prefixlen_v6 }} -{% endif %} + address {{ vpn_wireguard_inet6_address }}/{{ vpn_wireguard_inet6_prefixlen }} + +iface {{ vpn_wireguard_iface }} inet static + post-up ip route add default dev $IFACE table {{ vpn_wireguard_routing_table }} + + pre-down ip route del default dev $IFACE table {{ vpn_wireguard_routing_table }} + + address {{ vpn_wireguard_inet_address }}/{{ vpn_wireguard_inet_prefixlen }} diff --git a/vpn/wireguard/templates/post-up-IFACE-inet.nft b/vpn/wireguard/templates/post-up-IFACE-inet.nft index 50c1ed5..5fafd7c 100644 --- a/vpn/wireguard/templates/post-up-IFACE-inet.nft +++ b/vpn/wireguard/templates/post-up-IFACE-inet.nft 
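Review bot: `pre-up ip link set mtu {{ vpn_wireguard_mtu }}` is carried over unchanged while the tunnel transport is presumably moving to IPv6; WireGuard's per-packet overhead over an IPv6 outer header is 80 bytes (60 over IPv4), so an MTU tuned for IPv4 transport (e.g. 1420 on a 1500-byte link) would now cause fragmentation or PMTU blackholes. If the peer Endpoint is indeed IPv6 (not visible in this hunk), `vpn_wireguard_mtu` should be at most outer MTU − 80, e.g. 1400, and a comment such as `# 80 bytes of WireGuard + IPv6 overhead` next to the line would make the constraint explicit. Separately, all link setup and teardown (`ip-link-add.sh`, `wg setconf`, MTU, the nft post-up/pre-down scripts) now lives only in the inet6 stanza, so the inet stanza silently depends on being listed after it; a comment above `iface {{ vpn_wireguard_iface }} inet static`, `# link creation/teardown is done in the inet6 stanza above; keep that stanza first`, would stop a later reorder from breaking ifup.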
@@ -10,7 +10,7 @@ table inet {{ vpn_wireguard_iface }}_inet { chain postrouting { type nat hook postrouting priority 100; - iif {{ vpn_wireguard_iface }} oif {{ ansible_default_ipv4.interface }} masquerade; + iif {{ vpn_wireguard_iface }} oif { {{ [ansible_default_ipv4.interface, ansible_default_ipv6.interface] | unique | join(", ") }} } masquerade; } {% endif %} } diff --git a/vpn/wireguard/templates/server/IFACE b/vpn/wireguard/templates/server/IFACE index d7456b2..44c5ce1 100644 --- a/vpn/wireguard/templates/server/IFACE +++ b/vpn/wireguard/templates/server/IFACE 
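Review bot: The interface names in the new anonymous set are emitted unquoted, `oif { eth0, enp1s0 }`; nft accepts bare names in the common case, but a name that starts with a digit or collides with an nft keyword must be quoted, so the template should emit `oif { "{{ [ansible_default_ipv4.interface, ansible_default_ipv6.interface] | unique | join('", "') }}" }` to be safe for any host. Also worth documenting: because this is a family-`inet` table, the single `masquerade` rule now NATs client IPv6 traffic as well (NAT66) behind the default interface's address; that is reasonable for a ULA `vpn_wireguard_inet6_subnet`, but if clients are ever given globally routable addresses they should be routed rather than masqueraded, so a comment above the rule, `# inet family: masquerade covers v4 and v6 -- intended for private/ULA client prefixes`, records the choice. The `{% if %}` that gates this chain starts outside the hunk.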
@@ -1,33 +1,48 @@ auto {{ vpn_wireguard_iface }} -iface {{ vpn_wireguard_iface }} inet static +iface {{ vpn_wireguard_iface }} inet6 static pre-up /usr/local/sbin/ip-link-add.sh $IFACE type wireguard pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf pre-up ip link set mtu {{ vpn_wireguard_mtu }} dev $IFACE post-up /usr/local/sbin/post-up-$IFACE-inet.nft {% if vpn_wireguard_routing_table is defined %} - post-up ip rule add sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }} post-up ip -6 rule add sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }} {% endif %} {% for client in vpn_wireguard_clients %} -{% if 'subnet' in client %} - post-up ip route add {{ client.subnet }} dev $IFACE +{% if 'inet6_subnet' in client %} + post-up ip route add {{ client.inet6_subnet }} dev $IFACE {% endif %} {% endfor %} {% for client in vpn_wireguard_clients %} -{% if 'subnet' in client %} - pre-down ip route del {{ client.subnet }} dev $IFACE +{% if 'inet6_subnet' in client %} + pre-down ip route del {{ client.inet6_subnet }} dev $IFACE {% endif %} {% endfor %} {% if vpn_wireguard_routing_table is defined %} pre-down ip -6 rule del sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }} - pre-down ip rule del sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }} {% endif %} pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft - address {{ vpn_wireguard_address }} - netmask {{ vpn_wireguard_prefixlen }} -{% if vpn_wireguard_address_v6 is defined %} - {{ __assert__wireguard_server_role_not_supported_for_ipv6 }} + address {{ vpn_wireguard_inet6_address }}/{{ vpn_wireguard_inet6_prefixlen }} + +iface {{ vpn_wireguard_iface }} inet static +{% if vpn_wireguard_routing_table is defined %} + post-up ip rule add sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }} {% endif %} +{% for client in vpn_wireguard_clients %} +{% if 'inet_subnet' in client 
%} + post-up ip route add {{ client.inet_subnet }} dev $IFACE +{% endif %} +{% endfor %} + +{% for client in vpn_wireguard_clients %} +{% if 'inet_subnet' in client %} + pre-down ip route del {{ client.inet_subnet }} dev $IFACE +{% endif %} +{% endfor %} +{% if vpn_wireguard_routing_table is defined %} + pre-down ip rule del sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }} +{% endif %} + + address {{ vpn_wireguard_inet_address }}/{{ vpn_wireguard_inet_prefixlen }} diff --git a/vpn/wireguard/templates/server/IFACE.conf b/vpn/wireguard/templates/server/IFACE.conf index e5c3a72..98080d1 100644 --- a/vpn/wireguard/templates/server/IFACE.conf +++ b/vpn/wireguard/templates/server/IFACE.conf @@ -6,9 +6,9 @@ ListenPort = {{ vpn_wireguard_port }} [Peer] PublicKey = {{ client.public_key }} PresharedKey = {{ client.preshared_key }} -{% if 'subnet' in client %} -AllowedIPs = {{ vpn_wireguard_subnet }},{{ client.subnet }} +{% if 'inet6_subnet' in client %} +AllowedIPs = {{ vpn_wireguard_inet_subnet }}, {{ vpn_wireguard_inet6_subnet }}, {{ client.inet_subnet }}, {{ client.inet6_subnet }} {% else %} -AllowedIPs = {{ vpn_wireguard_subnet }} +AllowedIPs = {{ vpn_wireguard_inet_subnet }}, {{ vpn_wireguard_inet6_subnet }} {% endif %} {% endfor %}
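Review bot: The IPv6 client-subnet routes are installed with a bare `post-up ip route add {{ client.inet6_subnet }} dev $IFACE` while the policy rules in the same stanza use `ip -6 rule`; `ip` infers the family from the prefix, so this works, but spelling it `post-up ip -6 route add {{ client.inet6_subnet }} dev $IFACE` / `pre-down ip -6 route del ...` keeps the stanza self-describing and fails loudly if an `inet6_subnet` entry is ever an IPv4 prefix by mistake. The per-family loops are also duplicated once for `post-up` and once for `pre-down`; ifupdown only keys on the hook keyword, not on line order, so a single loop per family could emit both lines per client. Note that these routes send the client prefixes into the tunnel regardless of what IFACE.conf grants in AllowedIPs, so the two templates' conditionals need to stay in step.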
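Review bot: The new `{% if 'inet6_subnet' in client %}` branch renders `client.inet_subnet` unconditionally, whereas server/IFACE treats `inet_subnet` and `inet6_subnet` independently: a client with only `inet6_subnet` would make the template fail on the undefined key (or, with undefined checks relaxed, emit an empty list element that `wg setconf` rejects), and a client with only `inet_subnet` falls into the `else` branch, so the server installs a route for its subnet into the tunnel but WireGuard's cryptokey routing silently drops those packets. Treat the keys independently by replacing the whole if/else with `AllowedIPs = {{ [vpn_wireguard_inet_subnet, vpn_wireguard_inet6_subnet, client.inet_subnet | default(''), client.inet6_subnet | default('')] | select | join(', ') }}`. The `{% for client in vpn_wireguard_clients %}` loop that encloses this peer block starts outside the hunk.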