nat64

6 years ago · 43ed9c0c88
parent 2befca5ea4
commit 43ed9c0c88
14 changed files with 98 additions and 169 deletions
--- a/host_vars/ff-nat64
+++ b/host_vars/ff-nat64
@ -0,0 +1,18 @@
 ---
 ansible_host: 2a01:4f8:a0:9395:2::3
 #ansible_host: 10.0.4.67
 wireguard_bb_name: 'nat64'
 wireguard_bb_endpoint: '2a01:4f8:a0:9395:2::3'
 wireguard_bb_priv_key: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          39303530363738363764303964346631313532353762343263316166383534373763303538376363
          3733366465336331353939346464306162353938353666370a613166623931613430613333613139
          63356231653035663232376330363763393732666135356639663537666534326136356431663264
          6330643965613562380a623830616437653563613630663332313266623239373634643431313064
          62306263343934616462356536613235363866303736636537633766616663346363326234323532
          3862346431613738663665613661623236323139616639613432
 wireguard_bb_pub_key: '4f3BbS38u97CNN3LDUZS//vO3JTzAl6zRWovuIAGcQM='
 wireguard_bb_ipv4: '10.222.0.6'
 wireguard_bb_ipv6: 'fe80::ffbb:ffbb:6'
 wireguard_bb_port: 10106
 preferred_uplink: 'uplink2'
--- a/inventory.ini
+++ b/inventory.ini
@ -27,3 +27,6 @@ ff-uplink2
 [uplink:children]
 mullvad_uplink
 ffrl_uplink
 [nat64]
 ff-nat64
--- a/roles/configure_iptables/templates/ip6tables.rules
+++ b/roles/configure_iptables/templates/ip6tables.rules
@ -10,7 +10,7 @@
 {% endfor %}
 {% endif %}
-{% if 'fastd' in group_names %}
+{% if 'fastd' in group_names or 'nat64' in group_names %}
 {% for peer in groups['uplink'] %}
 -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
@ -19,6 +19,9 @@
 {% for peer in groups['fastd'] %}
 -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
 {% for peer in groups['nat64'] %}
 -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
 {% for peer in groups['uplink'] | difference([inventory_hostname]) %}
 -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
@ -57,7 +60,7 @@ COMMIT
 {% endfor %}
 {% endif %}
 # wireguard_backbone
-{% if 'fastd' in group_names %}
+{% if 'fastd' in group_names or 'nat64' in group_names %}
 {% for peer in groups['uplink'] %}
 -A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
 -A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT
@ -68,6 +71,10 @@ COMMIT
 -A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
 -A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT
 {% endfor %}
 {% for peer in groups['nat64'] %}
 -A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
 -A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT
 {% endfor %}
 {% for peer in groups['uplink'] | difference([inventory_hostname]) %}
 -A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
 -A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT
--- a/roles/configure_iptables/templates/iptables.rules
+++ b/roles/configure_iptables/templates/iptables.rules
@ -23,6 +23,11 @@
 -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
 {% endif %}
 {% if 'nat64' in group_names %}
 {% for peer in groups['uplink'] %}
 -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
 {% endif %}
 COMMIT
 *filter
 :INPUT DROP [0:0]
@ -34,8 +39,6 @@ COMMIT
 # SSH-Server
 -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
 # nginx
 -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
 # iperf3
 -A INPUT -p tcp -m tcp -s 10.222.0.0/16 --dport 5201 -j ACCEPT
--- a/roles/configure_static_routes/files/ffmyk-iproute.sh
+++ b/roles/configure_static_routes/files/ffmyk-iproute.sh
@ -14,4 +14,5 @@ ip -4 rule add to 10.222.64.0/18 table ffmyk priority 10
 ip -4 rule add to 10.222.128.0/17 table ffmyk priority 10
 ip -6 rule add to 2001:470:cd45:ff00::/56 table ffmyk priority 10
 ip -6 rule add to 2a03:2260:1016::/48 table ffmyk priority 10
 ip -6 rule add to 64:ff9b::/96 table ffmyk priority 10
 ip -6 rule add to fd62:44e1:da::/48 table ffmyk priority 10
--- a/roles/install_babeld/templates/babeld.conf.j2
+++ b/roles/install_babeld/templates/babeld.conf.j2
@ -5,7 +5,7 @@
 ipv6-subtrees true
 # You must provide at least one interface for babeld to operate on.
-{% if 'fastd' in group_names %}
+{% if ('fastd' in group_names) or ('nat64' in group_names) %}
 {% for peer in groups['uplink'] %}
 interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
 {% endfor %}
@ -14,6 +14,9 @@ interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
 {% for peer in groups['fastd'] %}
 interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
 {% endfor %}
 {% for peer in groups['nat64'] %}
 interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
 {% endfor %}
 {% for peer in groups['uplink'] | difference([inventory_hostname]) %}
 interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
 {% endfor %}
@ -62,7 +65,7 @@ redistribute ip 64:ff9b::/96 allow
 redistribute ip fd62:44e1:da::/48 allow
 redistribute local deny
-{% if 'fastd' in group_names and preferred_uplink is defined %}
+{% if ('fastd' in group_names or 'nat64' in group_names) and preferred_uplink is defined %}
 {% for peer in groups['uplink'] %}
 {% if not hostvars[peer]['wireguard_bb_name'] == preferred_uplink %}
 in if bb{{ hostvars[peer]['wireguard_bb_name'] }} metric 64
--- a/roles/install_monitoring/files/vnstat
+++ b/roles/install_monitoring/files/vnstat
@ -1,37 +0,0 @@
 server {
 	listen       80 default_server;
 	listen [::]:80 default_server ipv6only=on;
 	server_name  localhost;
 	charset UTF-8;
 	index  index.html index.htm;
 	root   /srv/http/vnstat;
 	location / {
 		try_files $uri $uri/ =404;
 		autoindex on;
 	}
 	# redirect server error pages to the static page /50x.html
 	#
 	error_page   500 502 503 504  /50x.html;
 	location = /50x.html {
 		root   /usr/share/nginx/html;
 	}
 	location /nginx_status {
 		stub_status on;
 		access_log   off;
 		allow 127.0.0.1;
 		allow ::1;
 		deny all;
 	}
 	location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|css|js|swf|svg)$ {
 		expires 30d;
 	# Optional: Don't log access to assets
 		access_log off;
 	}
 }
--- a/roles/install_monitoring/files/vnstat.sh
+++ b/roles/install_monitoring/files/vnstat.sh
@ -1,45 +0,0 @@
 #!/bin/sh
 set -e
 IFACES=$(ls /var/lib/vnstat/)
 TARGET=/srv/http/vnstat/
 for iface in $IFACES; do
    /usr/bin/vnstati -i ${iface} -h -o ${TARGET}${iface}_hourly.png
    /usr/bin/vnstati -i ${iface} -d -o ${TARGET}${iface}_daily.png
    /usr/bin/vnstati -i ${iface} -m -o ${TARGET}${iface}_monthly.png
    /usr/bin/vnstati -i ${iface} -t -o ${TARGET}${iface}_top10.png
    /usr/bin/vnstati -i ${iface} -s -o ${TARGET}${iface}_summary.png
 done
 cat > ${TARGET}index.html <<EOT
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
 <head>
  <titleu1 - Network Traffic</title>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <meta http-equiv="Content-Language" content="en" />
 </head>
 <body style="white-space: nowrap">
 EOT
 for iface in $IFACES; do
    sed s/IFACE/${iface}/g >> ${TARGET}index.html <<EOT
    <div style="display:inline-block;vertical-align: top">
    <img src="IFACE_summary.png" alt="traffic summary" /><br>
    <img src="IFACE_monthly.png" alt="traffic per month" /><br>
    <img src="IFACE_hourly.png" alt="traffic per hour" /><br>
    <img src="IFACE_top10.png" alt="traffic top10" /><br>
    <img src="IFACE_daily.png" alt="traffic per day" />
    </div>
 EOT
 done
 echo "</body></html>" >> ${TARGET}index.html
--- a/roles/install_monitoring/tasks/install_vnstat.yml
+++ b/roles/install_monitoring/tasks/install_vnstat.yml
@ -1,73 +0,0 @@
 ---
 - name: install vnstat
  pacman:
      name: vnstat
      state: present
 - name: start and enable vnstat service
  systemd:
      name: vnstat.service
      enabled: yes
      state: started
 - name: add interfaces to vnstat for batman interfaces
  command: /usr/bin/vnstat -u -i bat{{ item.name }}
  args:
      creates: '/var/lib/vnstat/bat{{ item.name }}'
  with_items: "{{ sites }}"
  when: "'fastd' in group_names"
 - name: add interfaces to vnstat for uplink interfaces
  command: /usr/bin/vnstat -u -i bb{{ hostvars[item]['wireguard_bb_name'] }}
  args:
      creates: "/var/lib/vnstat/bb{{ hostvars[item]['wireguard_bb_name'] }}"
  with_items:
      - "{{ groups['uplink'] }}"
  when: "'fastd' in group_names"
 - name: add interfaces to vnstat for outgoing v4 interface
  command: /usr/bin/vnstat -u -i {{ ansible_default_ipv4.interface }}
  args:
      creates: '/var/lib/vnstat/{{ ansible_default_ipv4.interface }}'
 - name: add interfaces to vnstat for outgoing v6 interface
  command: /usr/bin/vnstat -u -i {{ ansible_default_ipv6.interface }}
  args:
      creates: '/var/lib/vnstat/{{ ansible_default_ipv6.interface }}'
 - name: add output folder for vnstat graphs
  file:
      path: /srv/http/vnstat
      state: directory
 - name: install gd which is needed for graph generation
  pacman:
      name: gd
      state: present
 - name: add bash script to generate vnstat graphs
  copy:
      src: vnstat.sh
      dest: /usr/local/bin/vnstat.sh
      mode: 0744
 - name: add cronjob to generate vnstat graphs
  cron:
      name: vnstat
      minute: '*/5'
      user: root
      cron_file: vnstat
      job: '/usr/local/bin/vnstat.sh'
 - name: add vnstat nginx config
  copy:
      src: vnstat
      dest: /etc/nginx/sites-available/vnstat
  notify: reload nginx
 - name: enable vnstat nginx config
  file:
      src: /etc/nginx/sites-available/vnstat
      dest: /etc/nginx/sites-enabled/vnstat
      state: link
  notify: reload nginx
--- a/roles/install_monitoring/tasks/main.yml
+++ b/roles/install_monitoring/tasks/main.yml
@ -1,7 +1,4 @@
 ---
 - name: install vnstat
  import_tasks: install_vnstat.yml
 - name: install ffmyk-influx
  include: install_ffmyk-influx.yml
  when: "'fastd' in group_names"
--- a/roles/install_radvd/templates/radvd.conf.j2
+++ b/roles/install_radvd/templates/radvd.conf.j2
@ -3,8 +3,8 @@ interface bat{{ site.name }}
 {
        AdvSendAdvert on;
        IgnoreIfMissing on;
-        MinRtrAdvInterval 60;
+        MinRtrAdvInterval 10;
-        MaxRtrAdvInterval 600;
+        MaxRtrAdvInterval 300;
        AdvDefaultPreference low;
        AdvHomeAgentFlag off;
--- a/roles/install_wireguard_backbone/tasks/main.yml
+++ b/roles/install_wireguard_backbone/tasks/main.yml
@ -5,7 +5,7 @@
      dest: /etc/systemd/system/wgbackbone@.service
 - include_tasks: fastd_tasks.yml
-  when: "'fastd' in group_names"
+  when: "('fastd' in group_names) or ('nat64' in group_names)"
 - include_tasks: uplink_tasks.yml
  when: "'uplink' in group_names"
--- a/roles/install_wireguard_backbone/tasks/uplink_tasks.yml
+++ b/roles/install_wireguard_backbone/tasks/uplink_tasks.yml
@ -6,6 +6,13 @@
      mode: 0400
  with_items: "{{ groups['fastd'] }}"
 - name: create wireguard config for nat64
  template:
      src: wg.conf.j2
      dest: /etc/wireguard/wgbb{{ hostvars[item]['wireguard_bb_name'] }}.conf
      mode: 0400
  with_items: "{{ groups['nat64'] }}"
 - name: create wireguard config for uplinks
  template:
      src: wg.conf.j2
@ -27,6 +34,13 @@
      mode: 0744
  with_items: "{{ groups['fastd'] }}"
 - name: create wireguard up scripts for nat64
  template:
      src: up.sh.j2
      dest: /etc/wireguard/upbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
      mode: 0744
  with_items: "{{ groups['nat64'] }}"
 - name: create wireguard up scripts for uplinks
  template:
      src: up.sh.j2
@ -48,6 +62,13 @@
      mode: 0744
  with_items: "{{ groups['fastd'] }}"
 - name: create wireguard down scripts for nat64
  template:
      src: down.sh.j2
      dest: /etc/wireguard/downbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
      mode: 0744
  with_items: "{{ groups['nat64'] }}"
 - name: create wireguard down scripts for uplinks
  template:
      src: down.sh.j2
@ -70,6 +91,14 @@
      daemon_reload: yes
  with_items: "{{ groups['fastd'] }}"
 - name: start and enable wireguard mesh for nat64
  systemd:
      name: wgbackbone@{{ hostvars[item]['wireguard_bb_name'] }}.service
      enabled: yes
      state: started
      daemon_reload: yes
  with_items: "{{ groups['nat64'] }}"
 - name: start and enable wireguard mesh for uplinks
  systemd:
      name: wgbackbone@{{ hostvars[item]['wireguard_bb_name'] }}.service
--- a/setup_fastd.yml
+++ b/setup_fastd.yml
@ -10,7 +10,7 @@
      #- install_ssmtp
      - install_cronie
      - install_php
-      - install_nginx
+      #- install_nginx
      - install_ntp
      - install_haveged
      - setup_batman
@ -58,7 +58,7 @@
      - configure_iptables
      - configure_static_routes
      - install_cronie
-      - install_nginx
+      #- install_nginx
      - install_ntp
      - install_haveged
      - install_wireguard
@ -78,3 +78,26 @@
  user: root
  roles:
      - setup_ffrl_tunnel
 - name: setup nat64
  hosts: nat64
  user: root
  roles:
      - configure_journald
      - configure_sysctl
      - configure_iptables
      - configure_static_routes
      #- install_ssmtp
      - install_cronie
      #- install_php
      #- install_nginx
      - install_ntp
      - install_haveged
      #- setup_batman
      #- install_bind
      - install_wireguard
      - install_wireguard_backbone
      - install_babeld
      - install_monitoring
      - install_iperf3
      - update_ssh_keys
      - install_admin_packages