Fully migrate wireguard to IPv6

Wojciech Kozlowski 2023-07-28 22:30:55 +02:00
parent bd66dc341e
commit b1218945b6
6 changed files with 54 additions and 35 deletions


@ -6,6 +6,10 @@ argument_specs:
interface: interface:
type: "str" type: "str"
required: true required: true
ansible_default_ipv6:
interface:
type: "str"
required: true
local_inet_network: local_inet_network:
type: "str" type: "str"
required: false required: false


@ -6,6 +6,10 @@ argument_specs:
interface: interface:
type: "str" type: "str"
required: true required: true
ansible_default_ipv6:
interface:
type: "str"
required: true
vpn_wireguard_iface: vpn_wireguard_iface:
type: "str" type: "str"
required: true required: true
@ -15,18 +19,18 @@ argument_specs:
vpn_wireguard_role: vpn_wireguard_role:
type: "str" type: "str"
required: true required: true
vpn_wireguard_address: vpn_wireguard_inet_address:
type: "str" type: "str"
required: true required: true
vpn_wireguard_prefixlen: vpn_wireguard_inet_prefixlen:
type: "str" type: "str"
required: true required: true
vpn_wireguard_address_v6: vpn_wireguard_inet6_address:
type: "str" type: "str"
required: false required: true
vpn_wireguard_prefixlen_v6: vpn_wireguard_inet6_prefixlen:
type: "str" type: "str"
required: "{{ vpn_wireguard_address_v6 is defined }}" required: true
vpn_wireguard_port: vpn_wireguard_port:
type: "int" type: "int"
required: true required: true


@ -1,24 +1,20 @@
auto {{ vpn_wireguard_iface }} auto {{ vpn_wireguard_iface }}
iface {{ vpn_wireguard_iface }} inet static iface {{ vpn_wireguard_iface }} inet6 static
pre-up /usr/local/sbin/ip-link-add.sh $IFACE type wireguard pre-up /usr/local/sbin/ip-link-add.sh $IFACE type wireguard
pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
pre-up ip link set mtu {{ vpn_wireguard_mtu }} dev $IFACE pre-up ip link set mtu {{ vpn_wireguard_mtu }} dev $IFACE
post-up /usr/local/sbin/post-up-$IFACE-inet.nft post-up /usr/local/sbin/post-up-$IFACE-inet.nft
post-up ip route add default dev $IFACE table {{ vpn_wireguard_routing_table }}
pre-down ip route del default dev $IFACE table {{ vpn_wireguard_routing_table }}
pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
address {{ vpn_wireguard_address }}
netmask {{ vpn_wireguard_prefixlen }}
{% if vpn_wireguard_address_v6 is defined %}
iface {{ vpn_wireguard_iface }} inet6 static
post-up ip -6 route add default dev $IFACE table {{ vpn_wireguard_routing_table }} post-up ip -6 route add default dev $IFACE table {{ vpn_wireguard_routing_table }}
pre-down ip -6 route del default dev $IFACE table {{ vpn_wireguard_routing_table }} pre-down ip -6 route del default dev $IFACE table {{ vpn_wireguard_routing_table }}
pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
address {{ vpn_wireguard_address_v6 }} address {{ vpn_wireguard_inet6_address }}/{{ vpn_wireguard_inet6_prefixlen }}
netmask {{ vpn_wireguard_prefixlen_v6 }}
{% endif %} iface {{ vpn_wireguard_iface }} inet static
post-up ip route add default dev $IFACE table {{ vpn_wireguard_routing_table }}
pre-down ip route del default dev $IFACE table {{ vpn_wireguard_routing_table }}
address {{ vpn_wireguard_inet_address }}/{{ vpn_wireguard_inet_prefixlen }}
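Review bot: The firewall hooks `post-up /usr/local/sbin/post-up-$IFACE-inet.nft` and `pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft` now exist only in the `inet6` stanza, while the `inet` stanza below still installs and removes its own default route in `vpn_wireguard_routing_table`, so the nft rules being present whenever either family is configured depends on ifupdown running the two stanzas in a fixed order. The order in which `ifdown` processes an interface's stanzas is not visible here, so there may be a short window where the IPv4 route still exists after the inet table has been torn down; worth confirming on the target ifupdown version. A comment would keep the next editor from moving the hooks into the other stanza, e.g. `# link creation and nft hooks live in the inet6 stanza; the inet stanza only manages its routes`. The server interfaces template in this commit (hunk `@ -1,33 +1,48`) uses the same layout and the same comment applies there.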


@ -10,7 +10,7 @@ table inet {{ vpn_wireguard_iface }}_inet {
chain postrouting { chain postrouting {
type nat hook postrouting priority 100; type nat hook postrouting priority 100;
iif {{ vpn_wireguard_iface }} oif {{ ansible_default_ipv4.interface }} masquerade; iif {{ vpn_wireguard_iface }} oif { {{ [ansible_default_ipv4.interface, ansible_default_ipv6.interface] | unique | join(", ") }} } masquerade;
} }
{% endif %} {% endif %}
} }
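Review bot: Because this rule lives in a `table inet`, the `masquerade` now also rewrites IPv6 source addresses (NAT66) for everything forwarded out of either default interface, and with `vpn_wireguard_inet6_address` becoming mandatory that path is no longer optional. If the clients' `inet6_subnet` prefixes are globally routable, the IPv6 half should be plainly routed rather than NATed, e.g. `meta nfproto ipv4 iif {{ vpn_wireguard_iface }} oif { ... } masquerade;`; if they are not, a one-line comment recording that NAT66 is deliberate would prevent a later "fix", e.g. `# inet table: masquerade applies to both IPv4 and IPv6 on purpose (client prefixes are not routable upstream)` with the parenthetical adjusted to the actual reason. The `unique` filter correctly collapses the set when both default interfaces are the same.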


@ -1,33 +1,48 @@
auto {{ vpn_wireguard_iface }} auto {{ vpn_wireguard_iface }}
iface {{ vpn_wireguard_iface }} inet static iface {{ vpn_wireguard_iface }} inet6 static
pre-up /usr/local/sbin/ip-link-add.sh $IFACE type wireguard pre-up /usr/local/sbin/ip-link-add.sh $IFACE type wireguard
pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
pre-up ip link set mtu {{ vpn_wireguard_mtu }} dev $IFACE pre-up ip link set mtu {{ vpn_wireguard_mtu }} dev $IFACE
post-up /usr/local/sbin/post-up-$IFACE-inet.nft post-up /usr/local/sbin/post-up-$IFACE-inet.nft
{% if vpn_wireguard_routing_table is defined %} {% if vpn_wireguard_routing_table is defined %}
post-up ip rule add sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
post-up ip -6 rule add sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }} post-up ip -6 rule add sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
{% endif %} {% endif %}
{% for client in vpn_wireguard_clients %} {% for client in vpn_wireguard_clients %}
{% if 'subnet' in client %} {% if 'inet6_subnet' in client %}
post-up ip route add {{ client.subnet }} dev $IFACE post-up ip route add {{ client.inet6_subnet }} dev $IFACE
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% for client in vpn_wireguard_clients %} {% for client in vpn_wireguard_clients %}
{% if 'subnet' in client %} {% if 'inet6_subnet' in client %}
pre-down ip route del {{ client.subnet }} dev $IFACE pre-down ip route del {{ client.inet6_subnet }} dev $IFACE
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% if vpn_wireguard_routing_table is defined %} {% if vpn_wireguard_routing_table is defined %}
pre-down ip -6 rule del sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }} pre-down ip -6 rule del sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
pre-down ip rule del sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
{% endif %} {% endif %}
pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
address {{ vpn_wireguard_address }} address {{ vpn_wireguard_inet6_address }}/{{ vpn_wireguard_inet6_prefixlen }}
netmask {{ vpn_wireguard_prefixlen }}
{% if vpn_wireguard_address_v6 is defined %} iface {{ vpn_wireguard_iface }} inet static
{{ __assert__wireguard_server_role_not_supported_for_ipv6 }} {% if vpn_wireguard_routing_table is defined %}
post-up ip rule add sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
{% endif %} {% endif %}
{% for client in vpn_wireguard_clients %}
{% if 'inet_subnet' in client %}
post-up ip route add {{ client.inet_subnet }} dev $IFACE
{% endif %}
{% endfor %}
{% for client in vpn_wireguard_clients %}
{% if 'inet_subnet' in client %}
pre-down ip route del {{ client.inet_subnet }} dev $IFACE
{% endif %}
{% endfor %}
{% if vpn_wireguard_routing_table is defined %}
pre-down ip rule del sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
{% endif %}
address {{ vpn_wireguard_inet_address }}/{{ vpn_wireguard_inet_prefixlen }}
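Review bot: The per-client route lines in the `inet6` stanza, `post-up ip route add {{ client.inet6_subnet }} dev $IFACE` and `pre-down ip route del {{ client.inet6_subnet }} dev $IFACE`, rely on iproute2 inferring the family from the prefix, while the neighbouring rule lines in the same stanza spell out `ip -6`. For consistency and to make the stanza self-explanatory, write them as `post-up ip -6 route add {{ client.inet6_subnet }} dev $IFACE` and `pre-down ip -6 route del {{ client.inet6_subnet }} dev $IFACE`. The two stanzas otherwise duplicate the rule and client loops almost verbatim; if this template grows further, a Jinja macro taking the family flag and the client key would keep them from drifting apart.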


@ -6,9 +6,9 @@ ListenPort = {{ vpn_wireguard_port }}
[Peer] [Peer]
PublicKey = {{ client.public_key }} PublicKey = {{ client.public_key }}
PresharedKey = {{ client.preshared_key }} PresharedKey = {{ client.preshared_key }}
{% if 'subnet' in client %} {% if 'inet6_subnet' in client %}
AllowedIPs = {{ vpn_wireguard_subnet }},{{ client.subnet }} AllowedIPs = {{ vpn_wireguard_inet_subnet }}, {{ vpn_wireguard_inet6_subnet }}, {{ client.inet_subnet }}, {{ client.inet6_subnet }}
{% else %} {% else %}
AllowedIPs = {{ vpn_wireguard_subnet }} AllowedIPs = {{ vpn_wireguard_inet_subnet }}, {{ vpn_wireguard_inet6_subnet }}
{% endif %} {% endif %}
{% endfor %} {% endfor %}
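Review bot: The `AllowedIPs` branch is gated only on `'inet6_subnet' in client`, yet the server interfaces template in this commit adds a route for `client.inet_subnet` whenever that key alone is present, and this branch dereferences `client.inet_subnet` only when `inet6_subnet` exists. A client with just `inet_subnet` therefore gets a kernel route into the tunnel but no matching AllowedIPs entry, so WireGuard's cryptokey routing silently drops its traffic, and a client with only `inet6_subnet` fails to render on the undefined `client.inet_subnet`. Treating the keys independently fixes both and replaces the five-line if/else with one line: `AllowedIPs = {{ vpn_wireguard_inet_subnet }}, {{ vpn_wireguard_inet6_subnet }}{% if 'inet_subnet' in client %}, {{ client.inet_subnet }}{% endif %}{% if 'inet6_subnet' in client %}, {{ client.inet6_subnet }}{% endif %}`. Separately, every peer in the loop is given the full `vpn_wireguard_inet_subnet` and `vpn_wireguard_inet6_subnet`; WireGuard maps a prefix to a single peer at a time, so if several peers are rendered by this file only the last one keeps the subnet, which is worth confirming against how `vpn_wireguard_clients` is populated.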