From d0b3f25f94d9ed8dce342fcba85d2ebc7cc9f9dd Mon Sep 17 00:00:00 2001
From: Wojciech Kozlowski
Date: Mon, 24 Jul 2023 23:46:44 +0200
Subject: [PATCH] Update wireguard nftables for IPv6

---
 vpn/wireguard/tasks/main.yml | 14 --------------
 vpn/wireguard/templates/client/IFACE | 2 --
 vpn/wireguard/templates/post-up-IFACE-inet.nft | 7 +++++++
 vpn/wireguard/templates/post-up-IFACE-ipv4.nft | 12 ------------
 vpn/wireguard/templates/pre-down-IFACE-ipv4.nft | 4 ----
 vpn/wireguard/templates/server/IFACE | 2 --
 6 files changed, 7 insertions(+), 34 deletions(-)
 delete mode 100644 vpn/wireguard/templates/post-up-IFACE-ipv4.nft
 delete mode 100644 vpn/wireguard/templates/pre-down-IFACE-ipv4.nft

diff --git a/vpn/wireguard/tasks/main.yml b/vpn/wireguard/tasks/main.yml
index a526ff6..8366db1 100644
--- a/vpn/wireguard/tasks/main.yml
+++ b/vpn/wireguard/tasks/main.yml
@@ -17,13 +17,6 @@
 mode: 0755
 register: vpn_wireguard_post_up_iface_inet_nft
-- name: "post-up nftables ipv4 script"
- ansible.builtin.template:
- src: "./post-up-IFACE-ipv4.nft"
- dest: "/usr/local/sbin/post-up-{{ vpn_wireguard_iface }}-ipv4.nft"
- mode: 0755
- register: vpn_wireguard_post_up_iface_ipv4_nft
-
 - name: "configure interface"
 ansible.builtin.template:
 src: "./{{ vpn_wireguard_role }}/IFACE"
@@ -49,7 +42,6 @@
 when: vpn_wireguard_conf.changed or
 vpn_wireguard_post_up_iface_inet_nft.changed or
- vpn_wireguard_post_up_iface_ipv4_nft.changed or
 vpn_wireguard_intf.changed
 - name: "pre-down nftables inet script"
@@ -57,9 +49,3 @@
 src: "./pre-down-IFACE-inet.nft"
 dest: "/usr/local/sbin/pre-down-{{ vpn_wireguard_iface }}-inet.nft"
 mode: 0755
-
-- name: "pre-down nftables ipv4 script"
- ansible.builtin.template:
- src: "./pre-down-IFACE-ipv4.nft"
- dest: "/usr/local/sbin/pre-down-{{ vpn_wireguard_iface }}-ipv4.nft"
- mode: 0755
diff --git a/vpn/wireguard/templates/client/IFACE b/vpn/wireguard/templates/client/IFACE
index b90f2b2..05b95b5 100644
--- a/vpn/wireguard/templates/client/IFACE
+++ b/vpn/wireguard/templates/client/IFACE
@@ -5,11 +5,9 @@ iface {{ vpn_wireguard_iface }} inet static
 pre-up ip link set mtu {{ vpn_wireguard_mtu }} dev $IFACE
 post-up /usr/local/sbin/post-up-$IFACE-inet.nft
- post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
 post-up ip route add default dev $IFACE table {{ vpn_wireguard_routing_table }}
 pre-down ip route del default dev $IFACE table {{ vpn_wireguard_routing_table }}
- pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
 pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
 address {{ vpn_wireguard_address }}
diff --git a/vpn/wireguard/templates/post-up-IFACE-inet.nft b/vpn/wireguard/templates/post-up-IFACE-inet.nft
index 110e3c3..50c1ed5 100644
--- a/vpn/wireguard/templates/post-up-IFACE-inet.nft
+++ b/vpn/wireguard/templates/post-up-IFACE-inet.nft
@@ -6,4 +6,11 @@ table inet {{ vpn_wireguard_iface }}_inet {
 iif {{ vpn_wireguard_iface }} tcp flags syn tcp option maxseg size set rt mtu;
 oif {{ vpn_wireguard_iface }} tcp flags syn tcp option maxseg size set rt mtu;
 }
+{% if vpn_wireguard_role == "server" %}
+
+ chain postrouting {
+ type nat hook postrouting priority 100;
+ iif {{ vpn_wireguard_iface }} oif {{ ansible_default_ipv4.interface }} masquerade;
+ }
+{% endif %}
 }
diff --git a/vpn/wireguard/templates/post-up-IFACE-ipv4.nft b/vpn/wireguard/templates/post-up-IFACE-ipv4.nft
deleted file mode 100644
index d402c03..0000000
--- a/vpn/wireguard/templates/post-up-IFACE-ipv4.nft
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/usr/bin/env -S nft -f
-
-table ip {{ vpn_wireguard_iface }}_ipv4 {
-
-{% if vpn_wireguard_role == "server" %}
- chain postrouting {
- type nat hook postrouting priority 100;
- iif {{ vpn_wireguard_iface }} oif {{ ansible_default_ipv4.interface }} masquerade;
- }
-
-{% endif %}
-}
diff --git a/vpn/wireguard/templates/pre-down-IFACE-ipv4.nft b/vpn/wireguard/templates/pre-down-IFACE-ipv4.nft
deleted file mode 100644
index 822075f..0000000
--- a/vpn/wireguard/templates/pre-down-IFACE-ipv4.nft
+++ /dev/null
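Review bot: The masquerade rule moved into the `inet` table now matches IPv6 packets too, but its egress match still uses `oif {{ ansible_default_ipv4.interface }}`; on a server whose default IPv6 route leaves through a different interface than the IPv4 one, IPv6 traffic from the tunnel would exit unmasqueraded with its tunnel source address, which is at best dropped upstream and at worst exposes the internal prefix. A guarded second rule, `{% if ansible_default_ipv6.interface is defined and ansible_default_ipv6.interface != ansible_default_ipv4.interface %}` / `iif {{ vpn_wireguard_iface }} oif {{ ansible_default_ipv6.interface }} masquerade;` / `{% endif %}`, or a single role variable naming the uplink, would close that gap, and a comment such as `# inet table: this masquerades both IPv4 and IPv6 leaving the tunnel` above the chain would document the intent. Separately, the commit removes the `-ipv4.nft` templates and tasks but adds no `state: absent` cleanup, so hosts provisioned before this change keep the stale `/usr/local/sbin/*-ipv4.nft` scripts and, if the interface is cycled with the new config that no longer calls the pre-down script, the old `ip ..._ipv4` table may stay loaded alongside the new one.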
@@ -1,4 +0,0 @@
-#!/usr/bin/env -S nft -f
-
-flush table ip {{ vpn_wireguard_iface }}_ipv4
-delete table ip {{ vpn_wireguard_iface }}_ipv4
diff --git a/vpn/wireguard/templates/server/IFACE b/vpn/wireguard/templates/server/IFACE
index 6cbe0b1..d7456b2 100644
--- a/vpn/wireguard/templates/server/IFACE
+++ b/vpn/wireguard/templates/server/IFACE
@@ -5,7 +5,6 @@ iface {{ vpn_wireguard_iface }} inet static
 pre-up ip link set mtu {{ vpn_wireguard_mtu }} dev $IFACE
 post-up /usr/local/sbin/post-up-$IFACE-inet.nft
- post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
 {% if vpn_wireguard_routing_table is defined %}
 post-up ip rule add sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
 post-up ip -6 rule add sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
@@ -25,7 +24,6 @@ iface {{ vpn_wireguard_iface }} inet static
 pre-down ip -6 rule del sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
 pre-down ip rule del sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
 {% endif %}
- pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
 pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
 address {{ vpn_wireguard_address }}