From 99dddff8625388641b9dd84b0e87a55f5c13bc82 Mon Sep 17 00:00:00 2001
From: Niklas Yann Wettengel
Date: Wed, 24 Jan 2018 03:27:03 +0100
Subject: [PATCH] ffrl uplink and fastd split
---
.../templates/ip6tables.rules | 39 ++++-
.../templates/iptables.rules | 39 ++++-
.../files/ffmyk-iproute.sh | 3 +-
.../tasks/fastd_tasks.yml | 14 ++
roles/configure_static_routes/tasks/main.yml | 21 +--
.../templates/ffmyk-iproute-down.j2 | 1 +
.../templates/ffmyk-iproute-up.j2 | 1 +
roles/install_babeld/tasks/main.yml | 6 +-
roles/install_babeld/templates/babeld.conf.j2 | 30 ++--
roles/install_bind/templates/named.conf.j2 | 2 +-
roles/install_fastd/tasks/main.yml | 6 +-
roles/install_radvd/templates/radvd.conf.j2 | 2 +-
.../tasks/fastd_tasks.yml | 29 ++++
.../tasks/ffrl_uplink_tasks.yml | 29 ++++
.../install_wireguard_backbone/tasks/main.yml | 33 +---
.../templates/down.sh.j2 | 8 +-
.../templates/up.sh.j2 | 14 +-
.../templates/wg.conf.j2 | 8 +-
roles/setup_ffrl_tunnel/handlers/main.yml | 9 +
roles/setup_ffrl_tunnel/tasks/main.yml | 36 ++++
roles/setup_ffrl_tunnel/templates/bird.conf | 160 ++++++++++++++++++
roles/setup_ffrl_tunnel/templates/netctl | 14 ++
setup_fastd.yml | 27 ++-
23 files changed, 437 insertions(+), 94 deletions(-)
create mode 100644 roles/configure_static_routes/tasks/fastd_tasks.yml
create mode 100644 roles/install_wireguard_backbone/tasks/fastd_tasks.yml
create mode 100644 roles/install_wireguard_backbone/tasks/ffrl_uplink_tasks.yml
create mode 100644 roles/setup_ffrl_tunnel/handlers/main.yml
create mode 100644 roles/setup_ffrl_tunnel/tasks/main.yml
create mode 100644 roles/setup_ffrl_tunnel/templates/bird.conf
create mode 100644 roles/setup_ffrl_tunnel/templates/netctl
diff --git a/roles/configure_iptables/templates/ip6tables.rules b/roles/configure_iptables/templates/ip6tables.rules
index 677e074..0f31387 100644
--- a/roles/configure_iptables/templates/ip6tables.rules
+++ b/roles/configure_iptables/templates/ip6tables.rules
@@ -4,12 +4,22 @@ :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] +{% if 'fastd' in group_names %} {% for site in sites %} -A PREROUTING -i bat{{ site.name }} -j MARK --set-xmark 0x1/0xffffffff {% endfor %} -{% for peer in wireguard_bb_peers %} --A PREROUTING -i bb{{ peer.name }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff +{% endif %} + +{% if 'ffrl_uplink' in group_names %} +{% for peer in groups['fastd'] %} +-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff +{% endfor %} +{% endif %} +{% if 'fastd' in group_names %} +{% for peer in groups['ffrl_uplink'] %} +-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff {% endfor %} +{% endif %} COMMIT *filter :INPUT DROP [0:0] @@ -21,6 +31,8 @@ COMMIT # SSH-Server -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT + +{% if 'fastd' in group_names %} # dns -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT -A INPUT -p udp -m udp --dport 53 -j ACCEPT 
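Review bot: The two `{% if %}`/`{% for %}` blocks added to the mangle section render the same `-A PREROUTING -i bb... -j MARK` rule twice, once for each direction of the fastd/ffrl_uplink pairing, and the same pattern is repeated in the filter section below, in the iptables.rules hunks and in babeld.conf.j2. Provided no host is in both groups, choosing the peer group once — `{% set bb_peers = groups['fastd'] if 'ffrl_uplink' in group_names else groups['ffrl_uplink'] %}` — and looping over `bb_peers` keeps a single copy of each rule and makes the symmetry explicit. A one-line template comment stating that every fastd host peers with every ffrl_uplink host over WireGuard would also help a reader place these loops.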
@@ -33,19 +45,35 @@ COMMIT -A INPUT -p udp -m udp --dport {{ site.wireguard_mesh_port }} -j ACCEPT -A INPUT -s {{ site.wireguard_mesh_address }}/48 -p gre -j ACCEPT {% endfor %} +{% endif %} # wireguard_backbone --A INPUT -s fdff:4d59:4bbb::/48 -p gre -j ACCEPT -{% for peer in wireguard_bb_peers %} --A INPUT -i bb{{ peer.name }} -p udp --dport 6696 -j ACCEPT +{% if 'ffrl_uplink' in group_names %} +{% for peer in groups['fastd'] %} +-A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT {% endfor %} +{% endif %} +{% if 'fastd' in group_names %} +{% for peer in groups['ffrl_uplink'] %} +-A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT +{% endfor %} +{% endif %} # MOSH -A INPUT -p udp -m udp --dport 60000:61000 -j ACCEPT + +# ffrl bgp +{% if 'ffrl_uplink' in group_names %} +{% for peer in ffrl_peers %} +-A INPUT -i {{ peer.name }} -p tcp -m tcp --dport 179 -j ACCEPT +{% endfor %} +{% endif %} # LOG -A INPUT -m limit --limit 2/min -j LOG --log-prefix "IP6Tables-Dropped input: " --log-level 4 +{% if 'fastd' in group_names %} {% for site in sites %} -A FORWARD -i bat{{ site.name }} -p udp --dport 10010:10021 -j REJECT {% endfor %} +{% endif %} -A FORWARD -o {{ ansible_default_ipv6.interface }} -j REJECT COMMIT *nat @@ -53,5 +81,4 @@ COMMIT :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] --A POSTROUTING -o mullvad -j MASQUERADE COMMIT diff --git a/roles/configure_iptables/templates/iptables.rules b/roles/configure_iptables/templates/iptables.rules index 6da350c..d395a42 100644 --- a/roles/configure_iptables/templates/iptables.rules +++ b/roles/configure_iptables/templates/iptables.rules 
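Review bot: The new BGP accept `-A INPUT -i {{ peer.name }} -p tcp -m tcp --dport 179 -j ACCEPT` admits TCP/179 from any address arriving on the GRE interface, whereas the IPv4 side in iptables.rules at least pins the outer GRE source with `-s {{ peer.remote }}`. The neighbour address is already known to the templates (`peer.peer_ip6` / `peer.peer_ip4` in bird.conf), so pinning the inner source costs nothing: `-A INPUT -i {{ peer.name }} -s {{ peer.peer_ip6 }} -p tcp -m tcp --dport 179 -j ACCEPT` here and `-s {{ peer.peer_ip4 }}` on the IPv4 rule. I cannot see from the hunk whether the backbone WireGuard listen port is accepted elsewhere in this file for ffrl_uplink hosts; worth checking, since the `{% if 'fastd' in group_names %}` guard now hides the mesh-port rules from them.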
@@ -4,12 +4,22 @@ :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] +{% if 'fastd' in group_names %} {% for site in sites %} -A PREROUTING -i bat{{ site.name }} -j MARK --set-xmark 0x1/0xffffffff {% endfor %} -{% for peer in wireguard_bb_peers %} --A PREROUTING -i bb{{ peer.name }} -j MARK --set-xmark 0x1/0xffffffff +{% endif %} + +{% if 'ffrl_uplink' in group_names %} +{% for peer in groups['fastd'] %} +-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff +{% endfor %} +{% endif %} +{% if 'fastd' in group_names %} +{% for peer in groups['ffrl_uplink'] %} +-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff {% endfor %} +{% endif %} COMMIT *filter :INPUT DROP [0:0] @@ -21,6 +31,8 @@ COMMIT # SSH-Server -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT + +{% if 'fastd' in group_names %} # dns -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT -A INPUT -p udp -m udp --dport 53 -j ACCEPT 
@@ -32,19 +44,38 @@ COMMIT -A INPUT -p udp -m udp --dport 123 -j ACCEPT # fastd -A INPUT -p udp -m udp --dport 10010:10021 -j ACCEPT +{% endif %} # MOSH -A INPUT -p udp -m udp --dport 60000:61000 -j ACCEPT + +{% if 'ffrl_uplink' in group_names %} +# ffrl-gre +{% for peer in ffrl_peers %} +-A INPUT -p gre -s {{ peer.remote }} -j ACCEPT +{% endfor %} +# ffrl bgp +{% for peer in ffrl_peers %} +-A INPUT -i {{ peer.name }} -p tcp -m tcp --dport 179 -j ACCEPT +{% endfor %} +{% endif %} + -A INPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped input: " --log-level 4 +{% if 'fastd' in group_names %} {% for site in sites %} -A FORWARD -i bat{{ site.name }} -p udp --dport 10010:10021 -j REJECT {% endfor %} --A FORWARD -o {{ ansible_default_ipv4.interface }} -j REJECT +{% endif %} + COMMIT *nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] --A POSTROUTING -o mullvad -j MASQUERADE +{% if 'ffrl_uplink' in group_names %} +{% for peer in ffrl_peers %} +-A POSTROUTING ! -s {{ ffrl_ip4 }} -o {{ peer.name }} -j SNAT --to-source {{ ffrl_ip4 }} +{% endfor %} +{% endif %} COMMIT diff --git a/roles/configure_static_routes/files/ffmyk-iproute.sh b/roles/configure_static_routes/files/ffmyk-iproute.sh index eb2f2fc..de56020 100755 --- a/roles/configure_static_routes/files/ffmyk-iproute.sh +++ b/roles/configure_static_routes/files/ffmyk-iproute.sh @@ -12,4 +12,5 @@ ip -4 rule add to 10.222.16.0/20 table ffmyk priority 10 ip -4 rule add to 10.222.32.0/19 table ffmyk priority 10 ip -4 rule add to 10.222.64.0/18 table ffmyk priority 10 ip -4 rule add to 10.222.128.0/17 table ffmyk priority 10 -ip -6 rule add to 2001:470:cd45:FF00::/56 table ffmyk priority 10 +ip -6 rule add to 2001:470:cd45:ff00::/56 table ffmyk priority 10 +ip -6 rule add to 2a03:2260:1016::/48 table ffmyk priority 10 
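Review bot: `-A FORWARD -o {{ ansible_default_ipv4.interface }} -j REJECT` is removed outright, while the IPv6 template keeps its counterpart `-A FORWARD -o {{ ansible_default_ipv6.interface }} -j REJECT`. On fastd hosts that rule was the backstop keeping mesh traffic from leaving via the public interface whenever policy routing to table ffmyk did not match; on the uplinks forwarded traffic leaves through the GRE interfaces rather than the default one, so the rule would not have blocked the new path. Unless there is a reason I cannot see, keep the line (or at minimum guard it with `{% if 'fastd' in group_names %}`) so the two templates stay symmetric.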
diff --git a/roles/configure_static_routes/tasks/fastd_tasks.yml b/roles/configure_static_routes/tasks/fastd_tasks.yml new file mode 100644 index 0000000..4cd1583 --- /dev/null +++ b/roles/configure_static_routes/tasks/fastd_tasks.yml @@ -0,0 +1,14 @@ +--- +- name: copy site specific iproute up config script + template: + src: ffmyk-iproute-up.j2 + dest: /usr/local/bin/ffmyk-iproute{{ item.name }}-up.sh + mode: 0744 + with_items: "{{ sites }}" + +- name: copy site specific iproute down config script + template: + src: ffmyk-iproute-down.j2 + dest: /usr/local/bin/ffmyk-iproute{{ item.name }}-down.sh + mode: 0744 + with_items: "{{ sites }}" diff --git a/roles/configure_static_routes/tasks/main.yml b/roles/configure_static_routes/tasks/main.yml index e89d845..e37b598 100644 --- a/roles/configure_static_routes/tasks/main.yml +++ b/roles/configure_static_routes/tasks/main.yml @@ -4,25 +4,20 @@ path: /etc/iproute2/rt_tables line: 42 ffmyk +- name: name ffrl routing table + lineinfile: + path: /etc/iproute2/rt_tables + line: 47 ffrl + when: "'ffrl_uplink' in group_names" + - name: copy ffmyk iproute config script copy: src: ffmyk-iproute.sh dest: /usr/local/bin/ffmyk-iproute.sh mode: 0744 -- name: copy site specific iproute up config script - template: - src: ffmyk-iproute-up.j2 - dest: /usr/local/bin/ffmyk-iproute{{ item.name }}-up.sh - mode: 0744 - with_items: "{{ sites }}" - -- name: copy site specific iproute down config script - template: - src: ffmyk-iproute-down.j2 - dest: /usr/local/bin/ffmyk-iproute{{ item.name }}-down.sh - mode: 0744 - with_items: "{{ sites }}" +- include_tasks: fastd_tasks.yml + when: "'fastd' in group_names" - name: copy ffmyk iproute systemd service copy: diff --git a/roles/configure_static_routes/templates/ffmyk-iproute-down.j2 b/roles/configure_static_routes/templates/ffmyk-iproute-down.j2 index ae50297..d551203 100644 --- a/roles/configure_static_routes/templates/ffmyk-iproute-down.j2 
+++ b/roles/configure_static_routes/templates/ffmyk-iproute-down.j2 @@ -2,6 +2,7 @@ ip -4 route del {{item.net4 }} dev bat{{ item.name }} proto static table ffmyk ip -6 route del {{item.net6 }} dev bat{{ item.name }} proto static table ffmyk +ip -6 route del {{item.site_net6 }} dev bat{{ item.name }} proto static table ffmyk ip -4 rule del iif bat{{ item.name }} table ffmyk ip -6 rule del iif bat{{ item.name }} table ffmyk diff --git a/roles/configure_static_routes/templates/ffmyk-iproute-up.j2 b/roles/configure_static_routes/templates/ffmyk-iproute-up.j2 index 47af244..29afdb9 100644 --- a/roles/configure_static_routes/templates/ffmyk-iproute-up.j2 +++ b/roles/configure_static_routes/templates/ffmyk-iproute-up.j2 @@ -10,3 +10,4 @@ ip -6 rule add from all iif bat{{ item.name }} type unreachable priority 200 ip -4 route replace {{item.net4 }} dev bat{{ item.name }} proto static table ffmyk ip -6 route replace {{item.net6 }} dev bat{{ item.name }} proto static table ffmyk +ip -6 route replace {{item.site_net6 }} dev bat{{ item.name }} proto static table ffmyk diff --git a/roles/install_babeld/tasks/main.yml b/roles/install_babeld/tasks/main.yml index f3cd693..a8299da 100644 --- a/roles/install_babeld/tasks/main.yml +++ b/roles/install_babeld/tasks/main.yml @@ -1,10 +1,8 @@ --- - name: install fastd - become: yes - become_user: '{{ aur_user }}' - aur: + pacman: name: babeld - tool: yaourt + state: present - name: babeld.conf template: diff --git a/roles/install_babeld/templates/babeld.conf.j2 b/roles/install_babeld/templates/babeld.conf.j2 index d654df8..a675fd6 100644 --- a/roles/install_babeld/templates/babeld.conf.j2 +++ b/roles/install_babeld/templates/babeld.conf.j2 
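Review bot: The install_babeld task whose body is rewritten to `pacman: name: babeld` is still titled `- name: install fastd`, a copy-paste leftover from the fastd role; rename it `- name: install babeld` while the task is being touched so play output identifies the package. The hunk also drops the `become`/`become_user: '{{ aur_user }}'` lines, so `aur_user` may now be unused in this role — worth a quick grep.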
@@ -5,10 +5,16 @@ ipv6-subtrees true # You must provide at least one interface for babeld to operate on. -{% for peer in wireguard_bb_peers %} -interface bb{{ peer.name }} +{% if 'ffrl_uplink' in group_names %} +{% for peer in groups['fastd'] %} +interface bb{{ hostvars[peer]['wireguard_bb_name'] }} {% endfor %} -#interface wlan0 +{% endif %} +{% if 'fastd' in group_names %} +{% for peer in groups['ffrl_uplink'] %} +interface bb{{ hostvars[peer]['wireguard_bb_name'] }} +{% endfor %} +{% endif %} # Global options you might want to set. There are many more, see the man page. #debug 1 @@ -44,16 +50,14 @@ import-table 42 #in ip 2001:db8:cafe:cafe::/64 allow #in deny -redistribute metric 128 +{% if 'ffrl_uplink' in group_names %} +{% for peer in ffrl_peers %} +redistribute if {{ peer.name }} metric 128 +{% endfor %} +{% endif %} # Only redistribute addresses from a given prefix, to avoid redistributing # all local addresses -redistribute ip 10.222.0.0/16 local allow -redistribute ip 2001:470:cd45:FF00::/56 local allow +redistribute ip 10.222.0.0/16 allow +redistribute ip 2001:470:cd45:FF00::/56 allow +redistribute ip 2a03:2260:1016::/48 allow redistribute local deny - -# Redistribute a default route obtained otherwise (here, through DHCP or -# configured statically). -# Note that babeld ignores kernel routes with proto 3 (boot) by default. -#redistribute proto 3 ip 0.0.0.0/0 eq 0 metric 50 -#redistribute proto 3 ip ::/0 eq 0 metric 50 - diff --git a/roles/install_bind/templates/named.conf.j2 b/roles/install_bind/templates/named.conf.j2 index 45c846c..1344d8b 100644 --- a/roles/install_bind/templates/named.conf.j2 +++ b/roles/install_bind/templates/named.conf.j2 @@ -22,7 +22,7 @@ options { {% endfor %} }; - allow-recursion { 127.0.0.1; 10.222.0.0/16; 2001:470:cd45:ff00::/56; }; + allow-recursion { 127.0.0.1; 10.222.0.0/16; 2001:470:cd45:ff00::/56; 2a03:2260:1016::/48; }; allow-transfer { none; }; allow-update { none; }; 
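Review bot: `redistribute if {{ peer.name }} metric 128` carries no prefix restriction, so every kernel route that leaves via a GRE interface — the transfer nets and the peer /31s as well as the learned default — is announced into babel. If only the default route is intended, restrict it the way the removed comment block did: `redistribute if {{ peer.name }} ip 0.0.0.0/0 eq 0 metric 128` and `redistribute if {{ peer.name }} ip ::/0 eq 0 metric 128`. Dropping `local` from the two prefix rules also widens them from local addresses to any route in those prefixes (presumably so the site routes imported from table 42 are carried); a comment stating that intent would keep the next editor from "fixing" it back.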
diff --git a/roles/install_fastd/tasks/main.yml b/roles/install_fastd/tasks/main.yml index 8f01e47..03004ce 100644 --- a/roles/install_fastd/tasks/main.yml +++ b/roles/install_fastd/tasks/main.yml @@ -1,10 +1,8 @@ --- - name: install fastd - become: yes - become_user: '{{ aur_user }}' - aur: + pacman: name: fastd - tool: yaourt + state: present - name: create site folder file: diff --git a/roles/install_radvd/templates/radvd.conf.j2 b/roles/install_radvd/templates/radvd.conf.j2 index 0774189..e735443 100644 --- a/roles/install_radvd/templates/radvd.conf.j2 +++ b/roles/install_radvd/templates/radvd.conf.j2 @@ -18,7 +18,7 @@ interface bat{{ site.name }} RDNSS {{ site.bat_ipv6 }} { - AdvRDNSSLifetime 30; + AdvRDNSSLifetime 900; }; }; diff --git a/roles/install_wireguard_backbone/tasks/fastd_tasks.yml b/roles/install_wireguard_backbone/tasks/fastd_tasks.yml new file mode 100644 index 0000000..2fe4ce6 --- /dev/null +++ b/roles/install_wireguard_backbone/tasks/fastd_tasks.yml @@ -0,0 +1,29 @@ +--- +- name: create wireguard config for peers + template: + src: wg.conf.j2 + dest: /etc/wireguard/wgbb{{ hostvars[item]['wireguard_bb_name'] }}.conf + mode: 0400 + with_items: "{{ groups['ffrl_uplink'] }}" + +- name: create wireguard up scripts for peers + template: + src: up.sh.j2 + dest: /etc/wireguard/upbb{{ hostvars[item]['wireguard_bb_name'] }}.sh + mode: 0744 + with_items: "{{ groups['ffrl_uplink'] }}" + +- name: create wireguard down scripts for peers + template: + src: down.sh.j2 + dest: /etc/wireguard/downbb{{ hostvars[item]['wireguard_bb_name'] }}.sh + mode: 0744 + with_items: "{{ groups['ffrl_uplink'] }}" + +- name: start and enable wireguard mesh + systemd: + name: wgbackbone@{{ hostvars[item]['wireguard_bb_name'] }}.service + enabled: yes + state: started + daemon_reload: yes + with_items: "{{ groups['ffrl_uplink'] }}" 
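Review bot: None of the three template tasks in the new fastd_tasks.yml notifies a handler, so after the first run a changed wg.conf (new peer key, port or endpoint) or up/down script is written to disk but the running `wgbackbone@...` instance keeps its old configuration; `state: started` on an already-running unit is a no-op. Add a `restart wgbackbone` handler that restarts `wgbackbone@{{ hostvars[item]['wireguard_bb_name'] }}.service` for the same peer list and `notify` it from the three template tasks. The same applies to ffrl_uplink_tasks.yml in the next hunk; as the two files differ only in the group name, a single task file included with a `vars:` entry naming the peer group would remove the duplication.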
diff --git a/roles/install_wireguard_backbone/tasks/ffrl_uplink_tasks.yml b/roles/install_wireguard_backbone/tasks/ffrl_uplink_tasks.yml
new file mode 100644
index 0000000..d894758
--- /dev/null
+++ b/roles/install_wireguard_backbone/tasks/ffrl_uplink_tasks.yml
@@ -0,0 +1,29 @@
+---
+- name: create wireguard config for peers
+ template:
+ src: wg.conf.j2
+ dest: /etc/wireguard/wgbb{{ hostvars[item]['wireguard_bb_name'] }}.conf
+ mode: 0400
+ with_items: "{{ groups['fastd'] }}"
+
+- name: create wireguard up scripts for peers
+ template:
+ src: up.sh.j2
+ dest: /etc/wireguard/upbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
+ mode: 0744
+ with_items: "{{ groups['fastd'] }}"
+
+- name: create wireguard down scripts for peers
+ template:
+ src: down.sh.j2
+ dest: /etc/wireguard/downbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
+ mode: 0744
+ with_items: "{{ groups['fastd'] }}"
+
+- name: start and enable wireguard mesh
+ systemd:
+ name: wgbackbone@{{ hostvars[item]['wireguard_bb_name'] }}.service
+ enabled: yes
+ state: started
+ daemon_reload: yes
+ with_items: "{{ groups['fastd'] }}"
diff --git a/roles/install_wireguard_backbone/tasks/main.yml b/roles/install_wireguard_backbone/tasks/main.yml
index 09edb03..eafd889 100644
--- a/roles/install_wireguard_backbone/tasks/main.yml
+++ b/roles/install_wireguard_backbone/tasks/main.yml
@@ -1,34 +1,11 @@ --- -- name: create wireguard config for peers - template: - src: wg.conf.j2 - dest: /etc/wireguard/wgbb{{ item.name }}.conf - mode: 0400 - with_items: "{{ wireguard_bb_peers }}" - -- name: create wireguard up scripts for peers - template: - src: up.sh.j2 - dest: /etc/wireguard/upbb{{ item.name }}.sh - mode: 0744 - with_items: "{{ wireguard_bb_peers }}" - -- name: create wireguard down scripts for peers - template: - src: down.sh.j2 - dest: /etc/wireguard/downbb{{ item.name }}.sh - mode: 0744 - with_items: "{{ wireguard_bb_peers }}" - - name: create wireguard backbone service template copy: src: wgbackbone@.service dest: /etc/systemd/system/wgbackbone@.service -- name: start and enable wireguard mesh - systemd: - name: wgbackbone@{{ item.name }}.service - enabled: yes - state: started - daemon_reload: yes - with_items: "{{ wireguard_bb_peers }}" +- include_tasks: ffrl_uplink_tasks.yml + when: "'ffrl_uplink' in group_names" + +- include_tasks: fastd_tasks.yml + when: "'fastd' in group_names" diff --git a/roles/install_wireguard_backbone/templates/down.sh.j2 b/roles/install_wireguard_backbone/templates/down.sh.j2 index fbdd387..6b78d2e 100644 --- a/roles/install_wireguard_backbone/templates/down.sh.j2 +++ b/roles/install_wireguard_backbone/templates/down.sh.j2 @@ -1,5 +1,5 @@ #!/bin/bash -ip -4 rule del iif bb{{ item.name }} table ffmyk -ip -6 rule del iif bb{{ item.name }} table ffmyk -ip link set down dev bb{{ item.name }} -ip link del bb{{ item.name }} +ip -4 rule del iif bb{{ hostvars[item]['wireguard_bb_name'] }} table ffmyk +ip -6 rule del iif bb{{ hostvars[item]['wireguard_bb_name'] }} table ffmyk +ip link set down dev bb{{ hostvars[item]['wireguard_bb_name'] }} +ip link del bb{{ hostvars[item]['wireguard_bb_name'] }} diff --git a/roles/install_wireguard_backbone/templates/up.sh.j2 b/roles/install_wireguard_backbone/templates/up.sh.j2 index 38b3c26..5af1a81 100644 --- a/roles/install_wireguard_backbone/templates/up.sh.j2 
+++ b/roles/install_wireguard_backbone/templates/up.sh.j2
@@ -1,8 +1,8 @@
#!/bin/bash
-ip link add bb{{ item.name }} type wireguard
-wg setconf bb{{ item.name }} /etc/wireguard/wgbb{{ item.name }}.conf
-ip addr add {{ item.address6 }} dev bb{{ item.name }}
-ip addr add {{ wireguard_bb_ipv4 }}/32 peer {{ item.address }}/32 dev bb{{ item.name }}
-ip link set up dev bb{{ item.name }}
-ip -4 rule add iif bb{{ item.name }} table ffmyk priority 10
-ip -6 rule add iif bb{{ item.name }} table ffmyk priority 10
+ip link add bb{{ hostvars[item]['wireguard_bb_name'] }} type wireguard
+wg setconf bb{{ hostvars[item]['wireguard_bb_name'] }} /etc/wireguard/wgbb{{ hostvars[item]['wireguard_bb_name'] }}.conf
+ip addr add {{ wireguard_bb_ipv6 }} dev bb{{ hostvars[item]['wireguard_bb_name'] }}
+ip addr add {{ wireguard_bb_ipv4 }}/32 peer {{ hostvars[item]['wireguard_bb_ipv4'] }}/32 dev bb{{ hostvars[item]['wireguard_bb_name'] }}
+ip link set up dev bb{{ hostvars[item]['wireguard_bb_name'] }}
+ip -4 rule add iif bb{{ hostvars[item]['wireguard_bb_name'] }} table ffmyk priority 10
+ip -6 rule add iif bb{{ hostvars[item]['wireguard_bb_name'] }} table ffmyk priority 10
diff --git a/roles/install_wireguard_backbone/templates/wg.conf.j2 b/roles/install_wireguard_backbone/templates/wg.conf.j2
index de0e1fb..a52655c 100644
--- a/roles/install_wireguard_backbone/templates/wg.conf.j2
+++ b/roles/install_wireguard_backbone/templates/wg.conf.j2
@@ -1,9 +1,9 @@
[Interface]
-ListenPort = {{ item.local_port }}
-PrivateKey = {{ wireguard_bb_key }}
+ListenPort = {{ hostvars[item]['wireguard_bb_port'] }}
+PrivateKey = {{ wireguard_bb_priv_key }}
[Peer]
-PublicKey = {{ item.key }}
+PublicKey = {{ hostvars[item]['wireguard_bb_pub_key'] }}
AllowedIPs = 0.0.0.0/0,::/0
-Endpoint = [{{ item.endpoint }}]:{{ item.remote_port }}
+Endpoint = [{{ hostvars[item]['wireguard_bb_endpoint'] }}]:{{ wireguard_bb_port }}
PersistentKeepalive = 30
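Review bot: The port convention in wg.conf.j2 is not obvious from the template: `ListenPort` takes the remote host's `wireguard_bb_port`, while `Endpoint` dials the remote on this host's own `wireguard_bb_port`. That is self-consistent as long as both ends render from this same template and every host has a distinct port, but a reader will assume the opposite; a comment at the top of the template such as `# each link listens on the remote's wireguard_bb_port and dials the remote on ours, so both ends agree` would save the next person a debugging session. The same reasoning applies to up.sh.j2, where `{{ wireguard_bb_ipv6 }}` (the local address, no longer per-peer) is now added to every bb interface — if that is intentional, say so in a comment.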
diff --git a/roles/setup_ffrl_tunnel/handlers/main.yml b/roles/setup_ffrl_tunnel/handlers/main.yml
new file mode 100644
index 0000000..df37d30
--- /dev/null
+++ b/roles/setup_ffrl_tunnel/handlers/main.yml
@@ -0,0 +1,9 @@
+---
+- name: reenable netctl
+ command: netctl reenable {{ item.name }}
+ with_items: "{{ ffrl_peers }}"
+
+- name: reload bird
+ systemd:
+ name: bird.service
+ state: reloaded
diff --git a/roles/setup_ffrl_tunnel/tasks/main.yml b/roles/setup_ffrl_tunnel/tasks/main.yml
new file mode 100644
index 0000000..e22787f
--- /dev/null
+++ b/roles/setup_ffrl_tunnel/tasks/main.yml
@@ -0,0 +1,36 @@
+---
+- name: create netctl config
+ template:
+ src: netctl
+ dest: /etc/netctl/{{ item.name }}
+ with_items: "{{ ffrl_peers }}"
+ notify: reenable netctl
+
+- name: enable netctl config
+ command: netctl enable {{ item.name }}
+ args:
+ creates: /etc/systemd/system/netctl@{{ item.name }}.service
+ with_items: "{{ ffrl_peers }}"
+
+- name: start netctl config
+ systemd:
+ name: netctl@{{ item.name }}.service
+ state: started
+ with_items: "{{ ffrl_peers }}"
+
+- name: install bird
+ pacman:
+ name: bird
+ state: present
+
+- name: create bird config
+ template:
+ src: bird.conf
+ dest: /etc/bird.conf
+ notify: reload bird
+
+- name: start and enable bird
+ systemd:
+ name: bird.service
+ state: started
+ enabled: yes
diff --git a/roles/setup_ffrl_tunnel/templates/bird.conf b/roles/setup_ffrl_tunnel/templates/bird.conf
new file mode 100644
index 0000000..df242a6
--- /dev/null
+++ b/roles/setup_ffrl_tunnel/templates/bird.conf
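Review bot: `create bird config` renders straight to /etc/bird.conf and then reloads bird, so a template error (a missing `peer_ip6` on one `ffrl_peers` entry, say) takes the uplink's only routing daemon down with it. The `template` module can check the candidate first: `validate: /usr/bin/bird -p -c %s` parses the rendered file and fails the task before anything is written or reloaded. A `mode:` tighter than the default on that task is also worth adding now, so that the file is already protected if BGP session passwords are added to the template later.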
@@ -0,0 +1,160 @@
+timeformat protocol iso long;
+
+log "bird.log" all;
+# debug protocols all;
+
+define ffrl_nat_address = {{ ffrl_ip4 }};
+
+define ffmyk_as = 65032; # private AS of ffmyk
+define ffrl_as = 201701; # public AS of rheinland
+
+router id ffrl_nat_address;
+
+ipv4 table ffrl4;
+ipv6 table ffrl6;
+
+function is_default4() {
+ return net ~ [
+ 0.0.0.0/0
+ ];
+}
+
+function is_default6() {
+ return net ~ [
+ ::/0
+ ];
+}
+
+function is_ffrl_nat4() {
+ return net ~ [
+ {{ ffrl_ip4 }}/32
+ ];
+}
+
+function is_ffrl_public_nets6() {
+ return net ~ [
+ 2a03:2260:1016::/48{48,56}
+ ];
+}
+
+function is_ffrl_tunnel_nets4() {
+ return net ~ [
+ 100.64.0.0/10
+ ];
+}
+
+function is_ffrl_tunnel_nets6() {
+ return net ~ [
+ 2a03:2260:0::/48
+ ];
+}
+
+# BGP Import Filter für Rheinland
+filter ebgp_ffrl_import_filter4 {
+ if is_default4() then accept;
+ reject;
+}
+
+# BGP Export Filter für Rheinland
+filter ebgp_ffrl_export_filter4 {
+ if is_ffrl_nat4() then accept;
+ reject;
+}
+
+filter ebgp_ffrl_import_filter6 {
+ if is_default6() then accept;
+ reject;
+}
+
+filter ebgp_ffrl_export_filter6 {
+ if is_ffrl_public_nets6() then accept;
+ reject;
+}
+
+protocol device {
+ scan time 10;
+}
+
+# IP-NAT-Adresse legen wir in die interne BIRD Routing Table
+protocol static ffrl_uplink_hostroute4 {
+ ipv4 { table ffrl4; };
+ route {{ ffrl_ip4 }}/32 reject;
+}
+
+protocol static ffrl_public_routes6 {
+ ipv6 { table ffrl6; };
+ route 2a03:2260:1016::/48 reject;
+}
+
+# Wir legen die Transfernetze in die interne BIRD Routing Table
+#protocol direct {
+# ipv4;
+# table ffrl4;
+# interface {% for peer in ffrl_peers %}"{{ peer.name }}", {% endfor %};
+# import where is_ffrl_tunnel_nets4();
+#}
+
+# Wir exportieren über Rheinland gelernte Routen in die Kernel Table 47 (ffrl)
+protocol kernel kernel_ffrl4 {
+ scan time 30;
+ ipv4 {
+ import none;
+ export filter {
+ krt_prefsrc = ffrl_nat_address;
+ accept;
+ };
+ table ffrl4;
+ };
+ kernel table 42;
+};
+
+protocol kernel
kernel_ffrl6 { + scan time 30; + ipv6 { + import none; + export filter { + if is_default6() then accept; + reject; + }; + table ffrl6; + }; + kernel table 42; +}; + +# BGP Template für Rheinland Peerings +template bgp ffrl_uplink4 { + local as ffmyk_as; + ipv4 { + table ffrl4; + import keep filtered; + import filter ebgp_ffrl_import_filter4; + export filter ebgp_ffrl_export_filter4; + next hop self; + }; + direct; +}; + +template bgp ffrl_uplink6 { + local as ffmyk_as; + ipv6 { + table ffrl6; + import keep filtered; + import filter ebgp_ffrl_import_filter6; + export filter ebgp_ffrl_export_filter6; + next hop self; + }; + direct; +}; + +{% for peer in ffrl_peers %} +protocol bgp ffrl_{{ peer.name }}4 from ffrl_uplink4 { + source address {{ peer.ip4 }}; + neighbor {{ peer.peer_ip4 }} as 201701; +}; + +protocol bgp ffrl_{{ peer.name }}6 from ffrl_uplink6 { + source address {{ peer.ip6 }}; + neighbor {{ peer.peer_ip6 }} as 201701; +} + +{% endfor %} diff --git a/roles/setup_ffrl_tunnel/templates/netctl b/roles/setup_ffrl_tunnel/templates/netctl new file mode 100644 index 0000000..98e8af4 --- /dev/null +++ b/roles/setup_ffrl_tunnel/templates/netctl @@ -0,0 +1,14 @@ +Connection=tunnel +Interface={{ item.name }} + +Mode=gre +Local={{ ansible_default_ipv4.address }} +Remote={{ item.remote }} + +ExecUpPost="/usr/bin/ip link set dev {{ item.name }} mtu 1400; /usr/bin/ip tunnel change {{ item.name }} ttl 64" + +IP=static +Address=('{{ item.ip4 }}/31' '{{ ffrl_ip4 }}/32') + +IP6=static +Address6=('{{ item.ip6 }}/64') diff --git a/setup_fastd.yml b/setup_fastd.yml index 1ddbb54..fcc2385 100644 --- a/setup_fastd.yml +++ b/setup_fastd.yml @@ -1,9 +1,9 @@ --- - name: setup fastds - hosts: fastds + hosts: fastd user: root roles: - - install_yaourt + #- install_yaourt - configure_journald - configure_sysctl - configure_iptables 
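Review bot: Both kernel protocols in bird.conf end with `kernel table 42;`, while the comment above `kernel_ffrl4` says "Kernel Table 47 (ffrl)" and this commit adds `47 ffrl` to rt_tables in configure_static_routes; one of the two is wrong, and if 42 is what is meant, the learned default route lands in the same table that babeld's `import-table 42` reads rather than in the newly named ffrl table — please confirm which is intended and fix the other. The neighbor statements also hard-code `as 201701` although `ffrl_as` is defined at the top; `neighbor {{ peer.peer_ip4 }} as ffrl_as;` (and the v6 twin) keeps one source of truth. Because the GRE transport carries no authentication, these sessions rest on the iptables source filter alone; if the remote side supports it, a `password` on the two templates would add TCP-MD5 protection to the BGP sessions themselves.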
@@ -19,14 +19,33 @@ - install_radvd - install_bind - install_wireguard - - install_wireguard_mesh + #- install_wireguard_mesh - install_wireguard_backbone - install_babeld - install_fastd #- install_monitoring - install_admin_packages - name: install openvpn uplink - hosts: mullvad_fastds + hosts: mullvad_fastd user: root roles: - install_openvpn +- name: setup ffrl + hosts: ffrl_uplink + user: root + roles: + - configure_journald + - configure_sysctl + - configure_iptables + - configure_static_routes + - install_cronie + #- install_php + #- install_nginx + - install_ntp + - install_haveged + - install_wireguard + - install_wireguard_backbone + - install_babeld + - setup_ffrl_tunnel + #- install_monitoring + - install_admin_packages
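Review bot: The `install openvpn uplink` play for `mullvad_fastd` is kept, but the iptables and ip6tables hunks in this commit drop `-A POSTROUTING -o mullvad -j MASQUERADE` unconditionally, so any host still in that group loses the NAT its uplink relied on; either the play is dead and should go with it, or the rule needs a `{% if 'mullvad_fastd' in group_names %}` guard instead of removal. I cannot tell from here whether the group is still populated. The new `setup ffrl` play also repeats most of the fastd role list by hand; a short comment naming which roles are deliberately left out (fastd, radvd, bind) would document the split better than the commented-out entries do.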