wireguard site mesh

host_vars/fastd

@@ -14,6 +14,16 @@ sites:
     dhcp_netmask: '<netzmaske>'
     dhcp_start: <ipv4>
     dhcp_end: <ipv4>
+    wireguard_mesh_key: '< priv key >'
+    wireguard_mesh_port: < wg mesh port>
+    wireguard_mesh_address: '< own wg mesh ipv6 ula>'
+    wireguard_mesh_peers:
+      - number: <peer number>
+        key: '<peer pub key>'
+        address: '< peer wg mesh ipv6 ula>'
+        endpoint: '< peer public ipv6 >'
+        mac: '< own mac for mesh interface with peer >'
+    wireguard_bb_key: '< priv key >'
 mullvad_country: nl
 mullvad_crt: |
     -----BEGIN CERTIFICATE-----

roles/configure_iptables/files/ip6tables.rules

@@ -15,6 +15,19 @@
 -A INPUT -p udp -m udp --dport 123 -j ACCEPT
 # fastd
 -A INPUT -p udp -m udp --dport 10010:10021 -j ACCEPT
+# wireguard_mesh
+-A INPUT -p udp -m udp --dport 10110 -j ACCEPT
+-A INPUT -p udp -m udp --dport 10112 -j ACCEPT
+-A INPUT -p udp -m udp --dport 10114 -j ACCEPT
+-A INPUT -p udp -m udp --dport 10116 -j ACCEPT
+-A INPUT -p udp -m udp --dport 10118 -j ACCEPT
+-A INPUT -p udp -m udp --dport 10120 -j ACCEPT
+-A INPUT -s fdff:4157:bb::/48 -p gre -j ACCEPT
+-A INPUT -s fdff:434f:43bb::/48 -p gre -j ACCEPT
+-A INPUT -s fdff:454d:53bb::/48 -p gre -j ACCEPT
+-A INPUT -s fdff:4b4f:bb::/48 -p gre -j ACCEPT
+-A INPUT -s fdff:4d59:bb::/48 -p gre -j ACCEPT
+-A INPUT -s fdff:5349:4dbb::/48 -p gre -j ACCEPT
 # MOSH
 -A INPUT -p udp -m udp --dport 60000:61000 -j ACCEPT
 # LOG

roles/install_wireguard/tasks/main.yml

@@ -0,0 +1,10 @@
+---
+- name: install wireguard
+  pacman:
+      name: "{{ item }}"
+      state: present
+  with_items:
+      - wireguard-dkms
+      - wireguard-tools
+      - linux-headers
+

roles/install_wireguard_mesh/tasks/main.yml

@@ -0,0 +1,28 @@
+---
+- name: create wireguard config for sites
+  template:
+      src: wg.conf.j2
+      dest: /etc/wireguard/wg{{ item.name }}.conf
+      mode: 0400
+  with_items: "{{ sites }}"
+
+- name: create wireguard up scripts for sites
+  template:
+      src: up.sh.j2
+      dest: /etc/wireguard/up{{ item.name }}.sh
+      mode: 0744
+  with_items: "{{ sites }}"
+
+- name: create wireguard down scripts for sites
+  template:
+      src: down.sh.j2
+      dest: /etc/wireguard/down{{ item.name }}.sh
+      mode: 0744
+  with_items: "{{ sites }}"
+
+- name: start and enable wireguard mesh
+  systemd:
+      name: wg-quick@wg{{ item.name }}.service
+      enabled: yes
+      state: started
+  with_items: "{{ sites }}"

roles/install_wireguard_mesh/templates/down.sh.j2

@@ -0,0 +1,6 @@
+#!/bin/bash
+{% for peer in item.wireguard_mesh_peers %}
+batctl -m bat0 if del mesh{{ item.name }}{{ peer.number }}
+ip link set down dev mesh{{ item.name }}{{ peer.number }}
+ip link del mesh{{ item.name }}{{ peer.number }} type ip6gretap
+{% endfor %}

roles/install_wireguard_mesh/templates/up.sh.j2

@@ -0,0 +1,15 @@
+#!/bin/bash
+{% for peer in item.wireguard_mesh_peers %}
+ip link add mesh{{ item.name }}{{ peer.number }} type ip6gretap remote {{ peer.address }} local {{ item.wireguard_mesh_address }} ttl 255 dev wg{{ item.name }}
+ip link set mtu 1280 dev mesh{{ item.name }}{{ peer.number }}
+ip link set address {{ peer.mac }} dev mesh{{ item.name }}{{ peer.number }}
+ip link set up dev mesh{{ item.name }}{{ peer.number }}
+batctl -m bat{{ item.name }} if add mesh{{ item.name }}{{ peer.number }}
+{% endfor %}
+batctl -m bat{{ item.name }} gw server 1000000/1000000
+batctl -m bat{{ item.name }} it 10000
+batctl -m bat{{ item.name }} mm 1
+echo 64 > /sys/class/net/bat{{ item.name }}/mesh/hop_penalty
+netctl start bat{{ item.name }}
+systemctl restart dhcpd4.service
+systemctl restart named.service

roles/install_wireguard_mesh/templates/wg.conf.j2

@@ -0,0 +1,15 @@
+[Interface]
+ListenPort = {{ item.wireguard_mesh_port }}
+PrivateKey = {{ item.wireguard_mesh_key }}
+Address = {{ item.wireguard_mesh_address }}/48
+MTU = 1400
+PostUp = /etc/wireguard/up{{ item.name }}.sh
+PreDown = /etc/wireguard/down{{ item.name }}.sh
+
+{% for peer in item.wireguard_mesh_peers %}
+[Peer]
+PublicKey = {{ peer.key }}
+AllowedIPs = {{ peer.address }}/128
+Endpoint = [{{ peer.endpoint }}]:{{ item.wireguard_mesh_port }}
+PersistentKeepalive = 30
+{% endfor %}

setup_fastd.yml

@@ -18,6 +18,8 @@
       - install_dhcp
       - install_radvd
       - install_bind
+      - install_wireguard
+      - install_wireguard_mesh
       - install_fastd
       #- install_openvpn
       #- install_monitoring