From 739f97d85908baba47589bb7466a7d559b4424b2 Mon Sep 17 00:00:00 2001
From: Niklas Yann Wettengel
Date: Wed, 5 Jul 2017 12:37:39 +0200
Subject: [PATCH] wireguard site mesh

---
 host_vars/fastd | 10 +++++++
 .../configure_iptables/files/ip6tables.rules | 13 +++++++++
 roles/install_wireguard/tasks/main.yml | 10 +++++++
 roles/install_wireguard_mesh/tasks/main.yml | 28 +++++++++++++++++++
 .../templates/down.sh.j2 | 6 ++++
 .../install_wireguard_mesh/templates/up.sh.j2 | 15 ++++++++++
 .../templates/wg.conf.j2 | 15 ++++++++++
 setup_fastd.yml | 2 ++
 8 files changed, 99 insertions(+)
 create mode 100644 roles/install_wireguard/tasks/main.yml
 create mode 100644 roles/install_wireguard_mesh/tasks/main.yml
 create mode 100644 roles/install_wireguard_mesh/templates/down.sh.j2
 create mode 100644 roles/install_wireguard_mesh/templates/up.sh.j2
 create mode 100644 roles/install_wireguard_mesh/templates/wg.conf.j2

diff --git a/host_vars/fastd b/host_vars/fastd
index d1ace4a..87b7313 100644
--- a/host_vars/fastd
+++ b/host_vars/fastd
@@ -14,6 +14,16 @@ sites:
 dhcp_netmask: ''
 dhcp_start:
 dhcp_end:
+ wireguard_mesh_key: '< priv key >'
+ wireguard_mesh_port: < wg mesh port>
+ wireguard_mesh_address: '< own wg mesh ipv6 ula>'
+ wireguard_mesh_peers:
+ - number:
+ key: ''
+ address: '< peer wg mesh ipv6 ula>'
+ endpoint: '< peer public ipv6 >'
+ mac: '< own mac for mesh interface with peer >'
+ wireguard_bb_key: '< priv key >'
 mullvad_country: nl
 mullvad_crt: |
 -----BEGIN CERTIFICATE-----
diff --git a/roles/configure_iptables/files/ip6tables.rules b/roles/configure_iptables/files/ip6tables.rules
index 7a1ea51..764e05b 100644
--- a/roles/configure_iptables/files/ip6tables.rules
+++ b/roles/configure_iptables/files/ip6tables.rules
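Review bot: `wireguard_mesh_key` and `wireguard_bb_key` put WireGuard private keys in plain text in `host_vars/fastd`, so as soon as the placeholders are filled in the keys are committed to version control alongside the public configuration. Keep them in an `ansible-vault`-encrypted vars file and leave only public material (ports, addresses, peer public keys) in this file. `wireguard_bb_key` is not referenced by any template in this patch, so it looks like dead configuration unless a later commit uses it. `number:` with no value parses as null and would render as `None` inside the `mesh{{ item.name }}{{ peer.number }}` interface names built by up.sh.j2; give it a value or a comment stating that it must be filled in per peer.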
@@ -15,6 +15,19 @@
 -A INPUT -p udp -m udp --dport 123 -j ACCEPT
 # fastd
 -A INPUT -p udp -m udp --dport 10010:10021 -j ACCEPT
+# wireguard_mesh
+-A INPUT -p udp -m udp --dport 10110 -j ACCEPT
+-A INPUT -p udp -m udp --dport 10112 -j ACCEPT
+-A INPUT -p udp -m udp --dport 10114 -j ACCEPT
+-A INPUT -p udp -m udp --dport 10116 -j ACCEPT
+-A INPUT -p udp -m udp --dport 10118 -j ACCEPT
+-A INPUT -p udp -m udp --dport 10120 -j ACCEPT
+-A INPUT -s fdff:4157:bb::/48 -p gre -j ACCEPT
+-A INPUT -s fdff:434f:43bb::/48 -p gre -j ACCEPT
+-A INPUT -s fdff:454d:53bb::/48 -p gre -j ACCEPT
+-A INPUT -s fdff:4b4f:bb::/48 -p gre -j ACCEPT
+-A INPUT -s fdff:4d59:bb::/48 -p gre -j ACCEPT
+-A INPUT -s fdff:5349:4dbb::/48 -p gre -j ACCEPT
 # MOSH
 -A INPUT -p udp -m udp --dport 60000:61000 -j ACCEPT
 # LOG
diff --git a/roles/install_wireguard/tasks/main.yml b/roles/install_wireguard/tasks/main.yml
new file mode 100644
index 0000000..1e47116
--- /dev/null
+++ b/roles/install_wireguard/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+- name: install wireguard
+ pacman:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - wireguard-dkms
+ - wireguard-tools
+ - linux-headers
+
diff --git a/roles/install_wireguard_mesh/tasks/main.yml b/roles/install_wireguard_mesh/tasks/main.yml
new file mode 100644
index 0000000..1672769
--- /dev/null
+++ b/roles/install_wireguard_mesh/tasks/main.yml
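Review bot: The six `-p gre` ACCEPT rules match on the ULA source prefix only, so a GRE packet arriving on the public interface with a spoofed `fdff:…` source is accepted unless ingress filtering elsewhere in the ruleset rejects it. Since up.sh.j2 creates the ip6gretap tunnels on `dev wg{{ item.name }}`, legitimate GRE traffic should only ever arrive through the WireGuard interfaces; bind the rules to them as well, e.g. `-A INPUT -i wg+ -s fdff:4157:bb::/48 -p gre -j ACCEPT`, and likewise for the other five prefixes. The UDP ports 10110–10120 are hard-coded here while each site's listen port comes from `wireguard_mesh_port` in host_vars, so the two will drift silently; either template this file from `sites` or add a comment such as `# one port per site; must match wireguard_mesh_port in host_vars/fastd`.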
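Review bot: `linux-headers` is listed after `wireguard-dkms` in the `with_items` loop; if the items are installed one at a time rather than squashed into a single pacman transaction, the DKMS build of the module runs before the headers are present and fails. Put `linux-headers` first, or pass the list directly to `name:` if the pacman module version in use accepts a list, so all three are resolved in one transaction. A short comment such as `# wireguard-dkms compiles the module on install and needs headers for the running kernel` would explain the dependency to the next maintainer. The file also ends with an extra blank line.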
@@ -0,0 +1,28 @@
+---
+- name: create wireguard config for sites
+ template:
+ src: wg.conf.j2
+ dest: /etc/wireguard/wg{{ item.name }}.conf
+ mode: 0400
+ with_items: "{{ sites }}"
+
+- name: create wireguard up scripts for sites
+ template:
+ src: up.sh.j2
+ dest: /etc/wireguard/up{{ item.name }}.sh
+ mode: 0744
+ with_items: "{{ sites }}"
+
+- name: create wireguard down scripts for sites
+ template:
+ src: down.sh.j2
+ dest: /etc/wireguard/down{{ item.name }}.sh
+ mode: 0744
+ with_items: "{{ sites }}"
+
+- name: start and enable wireguard mesh
+ systemd:
+ name: wg-quick@wg{{ item.name }}.service
+ enabled: yes
+ state: started
+ with_items: "{{ sites }}"
diff --git a/roles/install_wireguard_mesh/templates/down.sh.j2 b/roles/install_wireguard_mesh/templates/down.sh.j2
new file mode 100644
index 0000000..29d4fb7
--- /dev/null
+++ b/roles/install_wireguard_mesh/templates/down.sh.j2
@@ -0,0 +1,6 @@
+#!/bin/bash
+{% for peer in item.wireguard_mesh_peers %}
+batctl -m bat0 if del mesh{{ item.name }}{{ peer.number }}
+ip link set down dev mesh{{ item.name }}{{ peer.number }}
+ip link del mesh{{ item.name }}{{ peer.number }} type ip6gretap
+{% endfor %}
diff --git a/roles/install_wireguard_mesh/templates/up.sh.j2 b/roles/install_wireguard_mesh/templates/up.sh.j2
new file mode 100644
index 0000000..cdab474
--- /dev/null
+++ b/roles/install_wireguard_mesh/templates/up.sh.j2
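Review bot: Changes to `wg{{ item.name }}.conf` or to the up/down scripts are never applied after the first run, because the `systemd` task only asserts `state: started`; re-running the playbook after adding or rotating a peer leaves the old configuration active on the interface. Add a handler that restarts `wg-quick@wg{{ item.name }}.service` and `notify` it from the three `template` tasks, keeping `state: started` for the initial bring-up. `mode: 0400` and `mode: 0744` are unquoted octal literals, which Ansible accepts because of the leading zero but yamllint flags; `mode: '0400'` is the documented form. `enabled: yes` should be `enabled: true`.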
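Review bot: `batctl -m bat0 if del` hard-codes `bat0`, while up.sh.j2 attaches the same interfaces to `bat{{ item.name }}`; for every site whose name is not `0` the `if del` targets the wrong batman device. Change the line to `batctl -m bat{{ item.name }} if del mesh{{ item.name }}{{ peer.number }}`. The script has no `set -e`, so a failure on one peer is silently skipped and teardown continues with the next; that is a reasonable choice for a PreDown script, but a comment saying so, e.g. `# best-effort teardown: keep going if one peer's interface is already gone`, would make it deliberate.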
@@ -0,0 +1,15 @@
+#!/bin/bash
+{% for peer in item.wireguard_mesh_peers %}
+ip link add mesh{{ item.name }}{{ peer.number }} type ip6gretap remote {{ peer.address }} local {{ item.wireguard_mesh_address }} ttl 255 dev wg{{ item.name }}
+ip link set mtu 1280 dev mesh{{ item.name }}{{ peer.number }}
+ip link set address {{ peer.mac }} dev mesh{{ item.name }}{{ peer.number }}
+ip link set up dev mesh{{ item.name }}{{ peer.number }}
+batctl -m bat{{ item.name }} if add mesh{{ item.name }}{{ peer.number }}
+{% endfor %}
+batctl -m bat{{ item.name }} gw server 1000000/1000000
+batctl -m bat{{ item.name }} it 10000
+batctl -m bat{{ item.name }} mm 1
+echo 64 > /sys/class/net/bat{{ item.name }}/mesh/hop_penalty
+netctl start bat{{ item.name }}
+systemctl restart dhcpd4.service
+systemctl restart named.service
diff --git a/roles/install_wireguard_mesh/templates/wg.conf.j2 b/roles/install_wireguard_mesh/templates/wg.conf.j2
new file mode 100644
index 0000000..e3af3f2
--- /dev/null
+++ b/roles/install_wireguard_mesh/templates/wg.conf.j2
@@ -0,0 +1,15 @@
+[Interface]
+ListenPort = {{ item.wireguard_mesh_port }}
+PrivateKey = {{ item.wireguard_mesh_key }}
+Address = {{ item.wireguard_mesh_address }}/48
+MTU = 1400
+PostUp = /etc/wireguard/up{{ item.name }}.sh
+PreDown = /etc/wireguard/down{{ item.name }}.sh
+
+{% for peer in item.wireguard_mesh_peers %}
+[Peer]
+PublicKey = {{ peer.key }}
+AllowedIPs = {{ peer.address }}/128
+Endpoint = [{{ peer.endpoint }}]:{{ item.wireguard_mesh_port }}
+PersistentKeepalive = 30
+{% endfor %}
diff --git a/setup_fastd.yml b/setup_fastd.yml
index d34cd02..a3ea662 100644
--- a/setup_fastd.yml
+++ b/setup_fastd.yml
@@ -18,6 +18,8 @@
 - install_dhcp
 - install_radvd
 - install_bind
+ - install_wireguard
+ - install_wireguard_mesh
 - install_fastd
 #- install_openvpn
 #- install_monitoring
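Review bot: up.sh.j2 runs as root from wg-quick's `PostUp` with no `set -e`, so when `ip link add` fails for one peer (for instance because a stale `mesh…` interface still exists) the script continues and `batctl if add`, `netctl start` and the two service restarts run against a half-built mesh. Add `set -eu` after the shebang, or at minimum guard the per-peer block so a failed link creation stops the bring-up. `systemctl restart dhcpd4.service` and `systemctl restart named.service` execute on every tunnel bring-up, which interrupts DHCP and DNS for the whole site each time a single wg interface flaps; a `reload`, or a restart only when the batman interface was newly created, would avoid that. `peer.mac`, `peer.address` and `item.wireguard_mesh_address` are interpolated unquoted into a root shell script, so a host_vars value containing whitespace or shell metacharacters would be executed rather than rejected; quote them (`"{{ peer.mac }}"`) so a bad value fails the `ip` call instead.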
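Review bot: `Endpoint = [{{ peer.endpoint }}]:{{ item.wireguard_mesh_port }}` assumes every peer listens on the same port as this host; that appears to be the design (one port per site, matching the six hard-coded ports in ip6tables.rules), but it is not stated anywhere and a peer on a different port cannot be expressed. A per-peer override with a fallback, `Endpoint = [{{ peer.endpoint }}]:{{ peer.port | default(item.wireguard_mesh_port) }}`, keeps existing host_vars working and documents the assumption. `AllowedIPs = {{ peer.address }}/128` is correctly narrow, so the tunnel only carries traffic between the GRE endpoints; a comment such as `# /128 on purpose: only the GRE endpoint, not the whole site /48` would keep a later edit from widening it.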