Fully migrate wireguard to IPv6
This commit is contained in:
parent
bd66dc341e
commit
b1218945b6
@ -6,6 +6,10 @@ argument_specs:
|
|||||||
interface:
|
interface:
|
||||||
type: "str"
|
type: "str"
|
||||||
required: true
|
required: true
|
||||||
|
ansible_default_ipv6:
|
||||||
|
interface:
|
||||||
|
type: "str"
|
||||||
|
required: true
|
||||||
local_inet_network:
|
local_inet_network:
|
||||||
type: "str"
|
type: "str"
|
||||||
required: false
|
required: false
|
||||||
|
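Review bot: `ansible_default_ipv6` is a gathered fact rather than a role input, and the `interface:` entry nested under it (indentation is lost in this view) is not how Ansible's argument spec expresses sub-options — a dict option needs `type: "dict"` plus an `options:` key — so confirm this entry validates as intended instead of being ignored. On a host with no IPv6 default route the fact is an empty dict, so requiring the sub-option turns such hosts into a validation failure, which looks deliberate given the commit title but deserves a line in the spec, e.g. `description: "Gathered fact; the host must have an IPv6 default route (used as the masquerade egress interface)."`. The same entry is repeated in the second argument spec at the following `@ -6,6 +6,10 @@` hunk.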
@ -6,6 +6,10 @@ argument_specs:
|
|||||||
interface:
|
interface:
|
||||||
type: "str"
|
type: "str"
|
||||||
required: true
|
required: true
|
||||||
|
ansible_default_ipv6:
|
||||||
|
interface:
|
||||||
|
type: "str"
|
||||||
|
required: true
|
||||||
vpn_wireguard_iface:
|
vpn_wireguard_iface:
|
||||||
type: "str"
|
type: "str"
|
||||||
required: true
|
required: true
|
||||||
@ -15,18 +19,18 @@ argument_specs:
|
|||||||
vpn_wireguard_role:
|
vpn_wireguard_role:
|
||||||
type: "str"
|
type: "str"
|
||||||
required: true
|
required: true
|
||||||
vpn_wireguard_address:
|
vpn_wireguard_inet_address:
|
||||||
type: "str"
|
type: "str"
|
||||||
required: true
|
required: true
|
||||||
vpn_wireguard_prefixlen:
|
vpn_wireguard_inet_prefixlen:
|
||||||
type: "str"
|
type: "str"
|
||||||
required: true
|
required: true
|
||||||
vpn_wireguard_address_v6:
|
vpn_wireguard_inet6_address:
|
||||||
type: "str"
|
type: "str"
|
||||||
required: false
|
required: true
|
||||||
vpn_wireguard_prefixlen_v6:
|
vpn_wireguard_inet6_prefixlen:
|
||||||
type: "str"
|
type: "str"
|
||||||
required: "{{ vpn_wireguard_address_v6 is defined }}"
|
required: true
|
||||||
vpn_wireguard_port:
|
vpn_wireguard_port:
|
||||||
type: "int"
|
type: "int"
|
||||||
required: true
|
required: true
|
||||||
|
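Review bot: `vpn_wireguard_inet_prefixlen` and `vpn_wireguard_inet6_prefixlen` keep `type: "str"` even though the templates in this commit now append them after `/` in the `address` line; declaring them `type: "int"` lets the spec reject a dotted mask such as `255.255.255.0` (valid for the old `netmask` line) before it produces an invalid `address` in /etc/network/interfaces. The rename from `vpn_wireguard_address`/`vpn_wireguard_prefixlen` and the flip of the inet6 options to `required: true` break existing inventories silently; a short `description:` on each renamed option naming the old variable would help callers migrate. The wg.conf template in this commit also reads `vpn_wireguard_inet_subnet` and `vpn_wireguard_inet6_subnet`, which are not visible in either spec hunk — presumably declared elsewhere in the file.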
@ -1,24 +1,20 @@
|
|||||||
auto {{ vpn_wireguard_iface }}
|
auto {{ vpn_wireguard_iface }}
|
||||||
iface {{ vpn_wireguard_iface }} inet static
|
iface {{ vpn_wireguard_iface }} inet6 static
|
||||||
pre-up /usr/local/sbin/ip-link-add.sh $IFACE type wireguard
|
pre-up /usr/local/sbin/ip-link-add.sh $IFACE type wireguard
|
||||||
pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
|
pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
|
||||||
pre-up ip link set mtu {{ vpn_wireguard_mtu }} dev $IFACE
|
pre-up ip link set mtu {{ vpn_wireguard_mtu }} dev $IFACE
|
||||||
|
|
||||||
post-up /usr/local/sbin/post-up-$IFACE-inet.nft
|
post-up /usr/local/sbin/post-up-$IFACE-inet.nft
|
||||||
post-up ip route add default dev $IFACE table {{ vpn_wireguard_routing_table }}
|
|
||||||
|
|
||||||
pre-down ip route del default dev $IFACE table {{ vpn_wireguard_routing_table }}
|
|
||||||
pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
|
|
||||||
|
|
||||||
address {{ vpn_wireguard_address }}
|
|
||||||
netmask {{ vpn_wireguard_prefixlen }}
|
|
||||||
{% if vpn_wireguard_address_v6 is defined %}
|
|
||||||
|
|
||||||
iface {{ vpn_wireguard_iface }} inet6 static
|
|
||||||
post-up ip -6 route add default dev $IFACE table {{ vpn_wireguard_routing_table }}
|
post-up ip -6 route add default dev $IFACE table {{ vpn_wireguard_routing_table }}
|
||||||
|
|
||||||
pre-down ip -6 route del default dev $IFACE table {{ vpn_wireguard_routing_table }}
|
pre-down ip -6 route del default dev $IFACE table {{ vpn_wireguard_routing_table }}
|
||||||
|
pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
|
||||||
|
|
||||||
address {{ vpn_wireguard_address_v6 }}
|
address {{ vpn_wireguard_inet6_address }}/{{ vpn_wireguard_inet6_prefixlen }}
|
||||||
netmask {{ vpn_wireguard_prefixlen_v6 }}
|
|
||||||
{% endif %}
|
iface {{ vpn_wireguard_iface }} inet static
|
||||||
|
post-up ip route add default dev $IFACE table {{ vpn_wireguard_routing_table }}
|
||||||
|
|
||||||
|
pre-down ip route del default dev $IFACE table {{ vpn_wireguard_routing_table }}
|
||||||
|
|
||||||
|
address {{ vpn_wireguard_inet_address }}/{{ vpn_wireguard_inet_prefixlen }}
|
||||||
|
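Review bot: The `inet` stanza now depends entirely on the `inet6` stanza above it: link creation, `wg setconf`, the MTU and both nft hooks live only there, so if any `inet6` hook fails ifupdown never reaches the IPv4 addressing, and nothing in the file says this ordering is deliberate. A Jinja comment such as `{# The inet6 stanza owns the link lifecycle (ip-link-add, wg setconf, MTU, nft hooks); the inet stanza below only adds IPv4 addressing and routes and must stay after it. #}` would make the dependency explicit; the same applies to the server template at `@ -1,33 +1,48 @@`. Separately, `vpn_wireguard_routing_table` is used here without the `is defined` guard the server template keeps — fine if the client spec declares it required, which is not visible in this commit.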
@ -10,7 +10,7 @@ table inet {{ vpn_wireguard_iface }}_inet {
|
|||||||
|
|
||||||
chain postrouting {
|
chain postrouting {
|
||||||
type nat hook postrouting priority 100;
|
type nat hook postrouting priority 100;
|
||||||
iif {{ vpn_wireguard_iface }} oif {{ ansible_default_ipv4.interface }} masquerade;
|
iif {{ vpn_wireguard_iface }} oif { {{ [ansible_default_ipv4.interface, ansible_default_ipv6.interface] | unique | join(", ") }} } masquerade;
|
||||||
}
|
}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
}
|
}
|
||||||
|
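Review bot: The new `oif { … }` set still matches by interface index, like the `iif` before it, so both default interfaces must exist when this file is loaded and the rule silently stops matching if either one is deleted and recreated; `oifname` matches by name and avoids that: `iifname {{ vpn_wireguard_iface }} oifname { {{ [ansible_default_ipv4.interface, ansible_default_ipv6.interface] | unique | join(", ") }} } masquerade;`. Note also that `ansible_default_ipv6` is an empty dict on a host without an IPv6 default route, so `.interface` fails at render time; the argument-spec change in this commit appears intended to catch that earlier. The enclosing chain and the `{% if %}` closed at the end of the hunk start outside it.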
@ -1,33 +1,48 @@
|
|||||||
auto {{ vpn_wireguard_iface }}
|
auto {{ vpn_wireguard_iface }}
|
||||||
iface {{ vpn_wireguard_iface }} inet static
|
iface {{ vpn_wireguard_iface }} inet6 static
|
||||||
pre-up /usr/local/sbin/ip-link-add.sh $IFACE type wireguard
|
pre-up /usr/local/sbin/ip-link-add.sh $IFACE type wireguard
|
||||||
pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
|
pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
|
||||||
pre-up ip link set mtu {{ vpn_wireguard_mtu }} dev $IFACE
|
pre-up ip link set mtu {{ vpn_wireguard_mtu }} dev $IFACE
|
||||||
|
|
||||||
post-up /usr/local/sbin/post-up-$IFACE-inet.nft
|
post-up /usr/local/sbin/post-up-$IFACE-inet.nft
|
||||||
{% if vpn_wireguard_routing_table is defined %}
|
{% if vpn_wireguard_routing_table is defined %}
|
||||||
post-up ip rule add sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
|
|
||||||
post-up ip -6 rule add sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
|
post-up ip -6 rule add sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% for client in vpn_wireguard_clients %}
|
{% for client in vpn_wireguard_clients %}
|
||||||
{% if 'subnet' in client %}
|
{% if 'inet6_subnet' in client %}
|
||||||
post-up ip route add {{ client.subnet }} dev $IFACE
|
post-up ip route add {{ client.inet6_subnet }} dev $IFACE
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
{% for client in vpn_wireguard_clients %}
|
{% for client in vpn_wireguard_clients %}
|
||||||
{% if 'subnet' in client %}
|
{% if 'inet6_subnet' in client %}
|
||||||
pre-down ip route del {{ client.subnet }} dev $IFACE
|
pre-down ip route del {{ client.inet6_subnet }} dev $IFACE
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% if vpn_wireguard_routing_table is defined %}
|
{% if vpn_wireguard_routing_table is defined %}
|
||||||
pre-down ip -6 rule del sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
|
pre-down ip -6 rule del sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
|
||||||
pre-down ip rule del sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
|
pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
|
||||||
|
|
||||||
address {{ vpn_wireguard_address }}
|
address {{ vpn_wireguard_inet6_address }}/{{ vpn_wireguard_inet6_prefixlen }}
|
||||||
netmask {{ vpn_wireguard_prefixlen }}
|
|
||||||
{% if vpn_wireguard_address_v6 is defined %}
|
iface {{ vpn_wireguard_iface }} inet static
|
||||||
{{ __assert__wireguard_server_role_not_supported_for_ipv6 }}
|
{% if vpn_wireguard_routing_table is defined %}
|
||||||
|
post-up ip rule add sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% for client in vpn_wireguard_clients %}
|
||||||
|
{% if 'inet_subnet' in client %}
|
||||||
|
post-up ip route add {{ client.inet_subnet }} dev $IFACE
|
||||||
|
{% endif %}
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
{% for client in vpn_wireguard_clients %}
|
||||||
|
{% if 'inet_subnet' in client %}
|
||||||
|
pre-down ip route del {{ client.inet_subnet }} dev $IFACE
|
||||||
|
{% endif %}
|
||||||
|
{% endfor %}
|
||||||
|
{% if vpn_wireguard_routing_table is defined %}
|
||||||
|
pre-down ip rule del sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
address {{ vpn_wireguard_inet_address }}/{{ vpn_wireguard_inet_prefixlen }}
|
||||||
|
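Review bot: The per-client routes rely on `ip` inferring the address family from the prefix (`post-up ip route add {{ client.inet6_subnet }} dev $IFACE` and its `pre-down` counterpart in the inet6 stanza, `client.inet_subnet` in the inet stanza), while the default routes pass `-6` explicitly. Passing the family in every command makes a mis-typed inventory value fail loudly instead of installing a route of the other family from the wrong stanza, e.g. `post-up ip -6 route add {{ client.inet6_subnet }} dev $IFACE` and `post-up ip -4 route add {{ client.inet_subnet }} dev $IFACE`, with the matching `pre-down … del` lines.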
@ -6,9 +6,9 @@ ListenPort = {{ vpn_wireguard_port }}
|
|||||||
[Peer]
|
[Peer]
|
||||||
PublicKey = {{ client.public_key }}
|
PublicKey = {{ client.public_key }}
|
||||||
PresharedKey = {{ client.preshared_key }}
|
PresharedKey = {{ client.preshared_key }}
|
||||||
{% if 'subnet' in client %}
|
{% if 'inet6_subnet' in client %}
|
||||||
AllowedIPs = {{ vpn_wireguard_subnet }},{{ client.subnet }}
|
AllowedIPs = {{ vpn_wireguard_inet_subnet }}, {{ vpn_wireguard_inet6_subnet }}, {{ client.inet_subnet }}, {{ client.inet6_subnet }}
|
||||||
{% else %}
|
{% else %}
|
||||||
AllowedIPs = {{ vpn_wireguard_subnet }}
|
AllowedIPs = {{ vpn_wireguard_inet_subnet }}, {{ vpn_wireguard_inet6_subnet }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
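Review bot: The `{% if 'inet6_subnet' in client %}` branch expands both `client.inet_subnet` and `client.inet6_subnet`, so a client that defines only `inet6_subnet` renders an undefined `inet_subnet` (an undefined-variable error under Ansible's default strict templating), and a client with only `inet_subnet` falls into the `else` branch and loses its subnet entirely — even though the server interfaces template in this commit tests the two keys independently. `AllowedIPs` is WireGuard's cryptokey-routing allow-list, so a dropped entry means traffic the interfaces file still routes into the tunnel has no matching peer and is discarded. Testing each key on its own keeps the two templates consistent: `AllowedIPs = {{ vpn_wireguard_inet_subnet }}, {{ vpn_wireguard_inet6_subnet }}{% if 'inet_subnet' in client %}, {{ client.inet_subnet }}{% endif %}{% if 'inet6_subnet' in client %}, {{ client.inet6_subnet }}{% endif %}`. The `{% for client in … %}` loop that this hunk closes starts outside it.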