ffrl uplink and fastd split

master
Niklas Yann Wettengel 7 years ago
parent d2270e2e50
commit 99dddff862

@ -4,12 +4,22 @@
:FORWARD ACCEPT [0:0] :FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0]
{% if 'fastd' in group_names %}
{% for site in sites %} {% for site in sites %}
-A PREROUTING -i bat{{ site.name }} -j MARK --set-xmark 0x1/0xffffffff -A PREROUTING -i bat{{ site.name }} -j MARK --set-xmark 0x1/0xffffffff
{% endfor %} {% endfor %}
{% for peer in wireguard_bb_peers %} {% endif %}
-A PREROUTING -i bb{{ peer.name }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
{% if 'ffrl_uplink' in group_names %}
{% for peer in groups['fastd'] %}
-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
{% endfor %}
{% endif %}
{% if 'fastd' in group_names %}
{% for peer in groups['ffrl_uplink'] %}
-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
{% endfor %} {% endfor %}
{% endif %}
COMMIT COMMIT
*filter *filter
:INPUT DROP [0:0] :INPUT DROP [0:0]
@ -21,6 +31,8 @@ COMMIT
# SSH-Server # SSH-Server
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
{% if 'fastd' in group_names %}
# dns # dns
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT -A INPUT -p udp -m udp --dport 53 -j ACCEPT
@ -33,19 +45,35 @@ COMMIT
-A INPUT -p udp -m udp --dport {{ site.wireguard_mesh_port }} -j ACCEPT -A INPUT -p udp -m udp --dport {{ site.wireguard_mesh_port }} -j ACCEPT
-A INPUT -s {{ site.wireguard_mesh_address }}/48 -p gre -j ACCEPT -A INPUT -s {{ site.wireguard_mesh_address }}/48 -p gre -j ACCEPT
{% endfor %} {% endfor %}
{% endif %}
# wireguard_backbone # wireguard_backbone
-A INPUT -s fdff:4d59:4bbb::/48 -p gre -j ACCEPT {% if 'ffrl_uplink' in group_names %}
{% for peer in wireguard_bb_peers %} {% for peer in groups['fastd'] %}
-A INPUT -i bb{{ peer.name }} -p udp --dport 6696 -j ACCEPT -A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
{% endfor %} {% endfor %}
{% endif %}
{% if 'fastd' in group_names %}
{% for peer in groups['ffrl_uplink'] %}
-A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
{% endfor %}
{% endif %}
# MOSH # MOSH
-A INPUT -p udp -m udp --dport 60000:61000 -j ACCEPT -A INPUT -p udp -m udp --dport 60000:61000 -j ACCEPT
# ffrl bgp
{% if 'ffrl_uplink' in group_names %}
{% for peer in ffrl_peers %}
-A INPUT -i {{ peer.name }} -p tcp -m tcp --dport 179 -j ACCEPT
{% endfor %}
{% endif %}
# LOG # LOG
-A INPUT -m limit --limit 2/min -j LOG --log-prefix "IP6Tables-Dropped input: " --log-level 4 -A INPUT -m limit --limit 2/min -j LOG --log-prefix "IP6Tables-Dropped input: " --log-level 4
{% if 'fastd' in group_names %}
{% for site in sites %} {% for site in sites %}
-A FORWARD -i bat{{ site.name }} -p udp --dport 10010:10021 -j REJECT -A FORWARD -i bat{{ site.name }} -p udp --dport 10010:10021 -j REJECT
{% endfor %} {% endfor %}
{% endif %}
-A FORWARD -o {{ ansible_default_ipv6.interface }} -j REJECT -A FORWARD -o {{ ansible_default_ipv6.interface }} -j REJECT
COMMIT COMMIT
*nat *nat
@ -53,5 +81,4 @@ COMMIT
:INPUT ACCEPT [0:0] :INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o mullvad -j MASQUERADE
COMMIT COMMIT
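Review bot: The new `# ffrl bgp` rule accepts TCP 179 from any source address that arrives on `{{ peer.name }}`, although bird only ever peers with the one configured neighbour on that tunnel. Pinning the rule to that neighbour keeps the BGP listener out of reach of anything else that gets routed into the tunnel: `-A INPUT -i {{ peer.name }} -s {{ peer.peer_ip6 }} -p tcp -m tcp --dport 179 -j ACCEPT` (`peer.peer_ip6` is the variable the bird template in this commit uses for the neighbour). The IPv4 template's `# ffrl bgp` rule has the same gap and would take `-s {{ peer.peer_ip4 }}`.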

@ -4,12 +4,22 @@
:FORWARD ACCEPT [0:0] :FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0]
{% if 'fastd' in group_names %}
{% for site in sites %} {% for site in sites %}
-A PREROUTING -i bat{{ site.name }} -j MARK --set-xmark 0x1/0xffffffff -A PREROUTING -i bat{{ site.name }} -j MARK --set-xmark 0x1/0xffffffff
{% endfor %} {% endfor %}
{% for peer in wireguard_bb_peers %} {% endif %}
-A PREROUTING -i bb{{ peer.name }} -j MARK --set-xmark 0x1/0xffffffff
{% if 'ffrl_uplink' in group_names %}
{% for peer in groups['fastd'] %}
-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
{% endfor %}
{% endif %}
{% if 'fastd' in group_names %}
{% for peer in groups['ffrl_uplink'] %}
-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
{% endfor %} {% endfor %}
{% endif %}
COMMIT COMMIT
*filter *filter
:INPUT DROP [0:0] :INPUT DROP [0:0]
@ -21,6 +31,8 @@ COMMIT
# SSH-Server # SSH-Server
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
{% if 'fastd' in group_names %}
# dns # dns
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT -A INPUT -p udp -m udp --dport 53 -j ACCEPT
@ -32,19 +44,38 @@ COMMIT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT -A INPUT -p udp -m udp --dport 123 -j ACCEPT
# fastd # fastd
-A INPUT -p udp -m udp --dport 10010:10021 -j ACCEPT -A INPUT -p udp -m udp --dport 10010:10021 -j ACCEPT
{% endif %}
# MOSH # MOSH
-A INPUT -p udp -m udp --dport 60000:61000 -j ACCEPT -A INPUT -p udp -m udp --dport 60000:61000 -j ACCEPT
{% if 'ffrl_uplink' in group_names %}
# ffrl-gre
{% for peer in ffrl_peers %}
-A INPUT -p gre -s {{ peer.remote }} -j ACCEPT
{% endfor %}
# ffrl bgp
{% for peer in ffrl_peers %}
-A INPUT -i {{ peer.name }} -p tcp -m tcp --dport 179 -j ACCEPT
{% endfor %}
{% endif %}
-A INPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped input: " --log-level 4 -A INPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped input: " --log-level 4
{% if 'fastd' in group_names %}
{% for site in sites %} {% for site in sites %}
-A FORWARD -i bat{{ site.name }} -p udp --dport 10010:10021 -j REJECT -A FORWARD -i bat{{ site.name }} -p udp --dport 10010:10021 -j REJECT
{% endfor %} {% endfor %}
-A FORWARD -o {{ ansible_default_ipv4.interface }} -j REJECT {% endif %}
COMMIT COMMIT
*nat *nat
:PREROUTING ACCEPT [0:0] :PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0] :INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o mullvad -j MASQUERADE {% if 'ffrl_uplink' in group_names %}
{% for peer in ffrl_peers %}
-A POSTROUTING ! -s {{ ffrl_ip4 }} -o {{ peer.name }} -j SNAT --to-source {{ ffrl_ip4 }}
{% endfor %}
{% endif %}
COMMIT COMMIT
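Review bot: `-A FORWARD -o {{ ansible_default_ipv4.interface }} -j REJECT` disappears on the new side of the filter hunk (its place is taken by the `{% endif %}` that closes the fastd block), while the IPv6 template keeps its counterpart. Unless forwarding out of the default IPv4 interface is now wanted on every host, this lets mesh traffic leave through the host's own uplink instead of the tunnels, outside the per-peer SNAT added in the nat table below; if only the uplink hosts need it lifted, keep the rule and wrap it in `{% if 'fastd' in group_names %}` instead of dropping it. I cannot see the filter table's FORWARD policy in this chunk, so whether the policy alone still blocks this needs checking.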

@ -12,4 +12,5 @@ ip -4 rule add to 10.222.16.0/20 table ffmyk priority 10
ip -4 rule add to 10.222.32.0/19 table ffmyk priority 10 ip -4 rule add to 10.222.32.0/19 table ffmyk priority 10
ip -4 rule add to 10.222.64.0/18 table ffmyk priority 10 ip -4 rule add to 10.222.64.0/18 table ffmyk priority 10
ip -4 rule add to 10.222.128.0/17 table ffmyk priority 10 ip -4 rule add to 10.222.128.0/17 table ffmyk priority 10
ip -6 rule add to 2001:470:cd45:FF00::/56 table ffmyk priority 10 ip -6 rule add to 2001:470:cd45:ff00::/56 table ffmyk priority 10
ip -6 rule add to 2a03:2260:1016::/48 table ffmyk priority 10

@ -0,0 +1,14 @@
---
- name: copy site specific iproute up config script
template:
src: ffmyk-iproute-up.j2
dest: /usr/local/bin/ffmyk-iproute{{ item.name }}-up.sh
mode: 0744
with_items: "{{ sites }}"
- name: copy site specific iproute down config script
template:
src: ffmyk-iproute-down.j2
dest: /usr/local/bin/ffmyk-iproute{{ item.name }}-down.sh
mode: 0744
with_items: "{{ sites }}"
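Review bot: `mode: 0744` on both template tasks is an unquoted octal literal, which a YAML 1.1 loader turns into the integer 484 before Ansible sees it; that happens to equal 0o744 so it works by accident, but a mode without a leading zero would not, and linters and formatters will not leave the value alone. Ansible's own guidance is to quote file modes, `mode: "0744"`. The same unquoted `mode: 0400` / `mode: 0744` literals appear in the two new wireguard task files further down. This rendering has lost the indentation, so the nesting of `template:` under each task cannot be checked here.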

@ -4,25 +4,20 @@
path: /etc/iproute2/rt_tables path: /etc/iproute2/rt_tables
line: 42 ffmyk line: 42 ffmyk
- name: name ffrl routing table
lineinfile:
path: /etc/iproute2/rt_tables
line: 47 ffrl
when: "'ffrl_uplink' in group_names"
- name: copy ffmyk iproute config script - name: copy ffmyk iproute config script
copy: copy:
src: ffmyk-iproute.sh src: ffmyk-iproute.sh
dest: /usr/local/bin/ffmyk-iproute.sh dest: /usr/local/bin/ffmyk-iproute.sh
mode: 0744 mode: 0744
- name: copy site specific iproute up config script - include_tasks: fastd_tasks.yml
template: when: "'fastd' in group_names"
src: ffmyk-iproute-up.j2
dest: /usr/local/bin/ffmyk-iproute{{ item.name }}-up.sh
mode: 0744
with_items: "{{ sites }}"
- name: copy site specific iproute down config script
template:
src: ffmyk-iproute-down.j2
dest: /usr/local/bin/ffmyk-iproute{{ item.name }}-down.sh
mode: 0744
with_items: "{{ sites }}"
- name: copy ffmyk iproute systemd service - name: copy ffmyk iproute systemd service
copy: copy:
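Review bot: The new rt_tables entry `line: 47 ffrl` is not used by anything else in this commit: the bird configuration added later exports both kernel protocols into `kernel table 42` (the ffmyk table), even though its own comment speaks of "Kernel Table 47 (ffrl)". Either this entry or the table number in bird.conf is stale; confirm which is intended and say so in a comment above this task. Since the `lineinfile` task carries no `regexp:`, it will also append a second line if the number is ever changed; `regexp: '^\d+\s+ffrl$'` keeps it idempotent.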

@ -2,6 +2,7 @@
ip -4 route del {{item.net4 }} dev bat{{ item.name }} proto static table ffmyk ip -4 route del {{item.net4 }} dev bat{{ item.name }} proto static table ffmyk
ip -6 route del {{item.net6 }} dev bat{{ item.name }} proto static table ffmyk ip -6 route del {{item.net6 }} dev bat{{ item.name }} proto static table ffmyk
ip -6 route del {{item.site_net6 }} dev bat{{ item.name }} proto static table ffmyk
ip -4 rule del iif bat{{ item.name }} table ffmyk ip -4 rule del iif bat{{ item.name }} table ffmyk
ip -6 rule del iif bat{{ item.name }} table ffmyk ip -6 rule del iif bat{{ item.name }} table ffmyk

@ -10,3 +10,4 @@ ip -6 rule add from all iif bat{{ item.name }} type unreachable priority 200
ip -4 route replace {{item.net4 }} dev bat{{ item.name }} proto static table ffmyk ip -4 route replace {{item.net4 }} dev bat{{ item.name }} proto static table ffmyk
ip -6 route replace {{item.net6 }} dev bat{{ item.name }} proto static table ffmyk ip -6 route replace {{item.net6 }} dev bat{{ item.name }} proto static table ffmyk
ip -6 route replace {{item.site_net6 }} dev bat{{ item.name }} proto static table ffmyk

@ -1,10 +1,8 @@
--- ---
- name: install fastd - name: install fastd
become: yes pacman:
become_user: '{{ aur_user }}'
aur:
name: babeld name: babeld
tool: yaourt state: present
- name: babeld.conf - name: babeld.conf
template: template:
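Review bot: The task is still named `install fastd` although it installs `babeld` (the package named on the next line); the switch to `pacman` is the moment to rename it, `- name: install babeld`. Task names are what the play output shows, so a copy-pasted name hides which role actually failed.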

@ -5,10 +5,16 @@
ipv6-subtrees true ipv6-subtrees true
# You must provide at least one interface for babeld to operate on. # You must provide at least one interface for babeld to operate on.
{% for peer in wireguard_bb_peers %} {% if 'ffrl_uplink' in group_names %}
interface bb{{ peer.name }} {% for peer in groups['fastd'] %}
interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
{% endfor %} {% endfor %}
#interface wlan0 {% endif %}
{% if 'fastd' in group_names %}
{% for peer in groups['ffrl_uplink'] %}
interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
{% endfor %}
{% endif %}
# Global options you might want to set. There are many more, see the man page. # Global options you might want to set. There are many more, see the man page.
#debug 1 #debug 1
@ -44,16 +50,14 @@ import-table 42
#in ip 2001:db8:cafe:cafe::/64 allow #in ip 2001:db8:cafe:cafe::/64 allow
#in deny #in deny
redistribute metric 128 {% if 'ffrl_uplink' in group_names %}
{% for peer in ffrl_peers %}
redistribute if {{ peer.name }} metric 128
{% endfor %}
{% endif %}
# Only redistribute addresses from a given prefix, to avoid redistributing # Only redistribute addresses from a given prefix, to avoid redistributing
# all local addresses # all local addresses
redistribute ip 10.222.0.0/16 local allow redistribute ip 10.222.0.0/16 allow
redistribute ip 2001:470:cd45:FF00::/56 local allow redistribute ip 2001:470:cd45:FF00::/56 allow
redistribute ip 2a03:2260:1016::/48 allow
redistribute local deny redistribute local deny
# Redistribute a default route obtained otherwise (here, through DHCP or
# configured statically).
# Note that babeld ignores kernel routes with proto 3 (boot) by default.
#redistribute proto 3 ip 0.0.0.0/0 eq 0 metric 50
#redistribute proto 3 ip ::/0 eq 0 metric 50
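Review bot: The unconditional `redistribute metric 128` is replaced by a per-interface `redistribute if {{ peer.name }} metric 128` that renders only on ffrl_uplink hosts, so the fastd hosts are now left with just the `redistribute ip ... allow` lines, which carry no metric. If that is intended, a one-line comment above the `{% if 'ffrl_uplink' in group_names %}` block would spare the next reader a trip to the babeld manual, e.g. `# per-tunnel redistribution exists only on uplink hosts; mesh hosts redistribute by prefix below`. I cannot see the default redistribute settings from this chunk, so whether route preference on the mesh hosts changes needs confirming.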

@ -22,7 +22,7 @@ options {
{% endfor %} {% endfor %}
}; };
allow-recursion { 127.0.0.1; 10.222.0.0/16; 2001:470:cd45:ff00::/56; }; allow-recursion { 127.0.0.1; 10.222.0.0/16; 2001:470:cd45:ff00::/56; 2a03:2260:1016::/48; };
allow-transfer { none; }; allow-transfer { none; };
allow-update { none; }; allow-update { none; };

@ -1,10 +1,8 @@
--- ---
- name: install fastd - name: install fastd
become: yes pacman:
become_user: '{{ aur_user }}'
aur:
name: fastd name: fastd
tool: yaourt state: present
- name: create site folder - name: create site folder
file: file:

@ -18,7 +18,7 @@ interface bat{{ site.name }}
RDNSS {{ site.bat_ipv6 }} RDNSS {{ site.bat_ipv6 }}
{ {
AdvRDNSSLifetime 30; AdvRDNSSLifetime 900;
}; };
}; };

@ -0,0 +1,29 @@
---
- name: create wireguard config for peers
template:
src: wg.conf.j2
dest: /etc/wireguard/wgbb{{ hostvars[item]['wireguard_bb_name'] }}.conf
mode: 0400
with_items: "{{ groups['ffrl_uplink'] }}"
- name: create wireguard up scripts for peers
template:
src: up.sh.j2
dest: /etc/wireguard/upbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
mode: 0744
with_items: "{{ groups['ffrl_uplink'] }}"
- name: create wireguard down scripts for peers
template:
src: down.sh.j2
dest: /etc/wireguard/downbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
mode: 0744
with_items: "{{ groups['ffrl_uplink'] }}"
- name: start and enable wireguard mesh
systemd:
name: wgbackbone@{{ hostvars[item]['wireguard_bb_name'] }}.service
enabled: yes
state: started
daemon_reload: yes
with_items: "{{ groups['ffrl_uplink'] }}"
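Review bot: This task file and the next new one (presumably the `fastd_tasks.yml` included from the role's main.yml below) are identical line for line except for the group in `with_items`, so every future fix has to be made twice. One task file that loops over `with_items: "{{ groups[peer_group] }}"`, with `peer_group` passed via `vars:` on each `include_tasks`, removes the duplication. `mode: 0400` and `mode: 0744` are unquoted octal literals, `mode: "0400"`, and `enabled: yes` is the YAML 1.1 truthy spelling, `enabled: true`.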

@ -0,0 +1,29 @@
---
- name: create wireguard config for peers
template:
src: wg.conf.j2
dest: /etc/wireguard/wgbb{{ hostvars[item]['wireguard_bb_name'] }}.conf
mode: 0400
with_items: "{{ groups['fastd'] }}"
- name: create wireguard up scripts for peers
template:
src: up.sh.j2
dest: /etc/wireguard/upbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
mode: 0744
with_items: "{{ groups['fastd'] }}"
- name: create wireguard down scripts for peers
template:
src: down.sh.j2
dest: /etc/wireguard/downbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
mode: 0744
with_items: "{{ groups['fastd'] }}"
- name: start and enable wireguard mesh
systemd:
name: wgbackbone@{{ hostvars[item]['wireguard_bb_name'] }}.service
enabled: yes
state: started
daemon_reload: yes
with_items: "{{ groups['fastd'] }}"

@ -1,34 +1,11 @@
--- ---
- name: create wireguard config for peers
template:
src: wg.conf.j2
dest: /etc/wireguard/wgbb{{ item.name }}.conf
mode: 0400
with_items: "{{ wireguard_bb_peers }}"
- name: create wireguard up scripts for peers
template:
src: up.sh.j2
dest: /etc/wireguard/upbb{{ item.name }}.sh
mode: 0744
with_items: "{{ wireguard_bb_peers }}"
- name: create wireguard down scripts for peers
template:
src: down.sh.j2
dest: /etc/wireguard/downbb{{ item.name }}.sh
mode: 0744
with_items: "{{ wireguard_bb_peers }}"
- name: create wireguard backbone service template - name: create wireguard backbone service template
copy: copy:
src: wgbackbone@.service src: wgbackbone@.service
dest: /etc/systemd/system/wgbackbone@.service dest: /etc/systemd/system/wgbackbone@.service
- name: start and enable wireguard mesh - include_tasks: ffrl_uplink_tasks.yml
systemd: when: "'ffrl_uplink' in group_names"
name: wgbackbone@{{ item.name }}.service
enabled: yes - include_tasks: fastd_tasks.yml
state: started when: "'fastd' in group_names"
daemon_reload: yes
with_items: "{{ wireguard_bb_peers }}"

@ -1,5 +1,5 @@
#!/bin/bash #!/bin/bash
ip -4 rule del iif bb{{ item.name }} table ffmyk ip -4 rule del iif bb{{ hostvars[item]['wireguard_bb_name'] }} table ffmyk
ip -6 rule del iif bb{{ item.name }} table ffmyk ip -6 rule del iif bb{{ hostvars[item]['wireguard_bb_name'] }} table ffmyk
ip link set down dev bb{{ item.name }} ip link set down dev bb{{ hostvars[item]['wireguard_bb_name'] }}
ip link del bb{{ item.name }} ip link del bb{{ hostvars[item]['wireguard_bb_name'] }}

@ -1,8 +1,8 @@
#!/bin/bash #!/bin/bash
ip link add bb{{ item.name }} type wireguard ip link add bb{{ hostvars[item]['wireguard_bb_name'] }} type wireguard
wg setconf bb{{ item.name }} /etc/wireguard/wgbb{{ item.name }}.conf wg setconf bb{{ hostvars[item]['wireguard_bb_name'] }} /etc/wireguard/wgbb{{ hostvars[item]['wireguard_bb_name'] }}.conf
ip addr add {{ item.address6 }} dev bb{{ item.name }} ip addr add {{ wireguard_bb_ipv6 }} dev bb{{ hostvars[item]['wireguard_bb_name'] }}
ip addr add {{ wireguard_bb_ipv4 }}/32 peer {{ item.address }}/32 dev bb{{ item.name }} ip addr add {{ wireguard_bb_ipv4 }}/32 peer {{ hostvars[item]['wireguard_bb_ipv4'] }}/32 dev bb{{ hostvars[item]['wireguard_bb_name'] }}
ip link set up dev bb{{ item.name }} ip link set up dev bb{{ hostvars[item]['wireguard_bb_name'] }}
ip -4 rule add iif bb{{ item.name }} table ffmyk priority 10 ip -4 rule add iif bb{{ hostvars[item]['wireguard_bb_name'] }} table ffmyk priority 10
ip -6 rule add iif bb{{ item.name }} table ffmyk priority 10 ip -6 rule add iif bb{{ hostvars[item]['wireguard_bb_name'] }} table ffmyk priority 10
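Review bot: `ip addr add {{ wireguard_bb_ipv6 }} dev bb...` passes the address without a prefix length; if `wireguard_bb_ipv6` is a bare address the kernel installs it as /128, whereas the old per-peer `item.address6` may have carried its own prefix. Confirm the variable's form in the inventory and either append the intended prefix on this line or note on it that the variable is expected to include one. The script also runs without `set -e`, so a failed `wg setconf` still brings the link up and installs the policy rules; `set -e` after the shebang lets systemd see the failure instead.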

@ -1,9 +1,9 @@
[Interface] [Interface]
ListenPort = {{ item.local_port }} ListenPort = {{ hostvars[item]['wireguard_bb_port'] }}
PrivateKey = {{ wireguard_bb_key }} PrivateKey = {{ wireguard_bb_priv_key }}
[Peer] [Peer]
PublicKey = {{ item.key }} PublicKey = {{ hostvars[item]['wireguard_bb_pub_key'] }}
AllowedIPs = 0.0.0.0/0,::/0 AllowedIPs = 0.0.0.0/0,::/0
Endpoint = [{{ item.endpoint }}]:{{ item.remote_port }} Endpoint = [{{ hostvars[item]['wireguard_bb_endpoint'] }}]:{{ wireguard_bb_port }}
PersistentKeepalive = 30 PersistentKeepalive = 30
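Review bot: `ListenPort` takes the peer's `wireguard_bb_port` while `Endpoint` uses this host's own `wireguard_bb_port`, which reads as if the two were swapped; presumably the scheme is that each host listens for a given peer on the port number assigned to that peer and dials the peer on the port number assigned to itself, which is symmetric and does line up. A template comment saying so would stop the next reader from "fixing" it, e.g. `{# per-peer port scheme: we listen on port(peer), the peer listens on port(us) #}`. The file receives the private key and the task file creates it with mode 0400, which is right; make sure `wireguard_bb_priv_key` itself is sourced from a vaulted variable file rather than plain host_vars.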

@ -0,0 +1,9 @@
---
- name: reenable netctl
command: netctl reenable {{ item.name }}
with_items: "{{ ffrl_peers }}"
- name: reload bird
systemd:
name: bird.service
state: reloaded

@ -0,0 +1,36 @@
---
- name: create netctl config
template:
src: netctl
dest: /etc/netctl/{{ item.name }}
with_items: "{{ ffrl_peers }}"
notify: reenable netctl
- name: enable netctl config
command: netctl enable {{ item.name }}
args:
creates: /etc/systemd/system/netctl@{{ item.name }}.service
with_items: "{{ ffrl_peers }}"
- name: start netctl config
systemd:
name: netctl@{{ item.name }}.service
state: started
with_items: "{{ ffrl_peers }}"
- name: install bird
pacman:
name: bird
state: present
- name: create bird config
template:
src: bird.conf
dest: /etc/bird.conf
notify: reload bird
- name: start and enable bird
systemd:
name: bird.service
state: started
enabled: yes
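Review bot: `create bird config` notifies `reload bird` without checking the rendered file, so a slip in the template only shows up when the running BGP daemon reloads a broken config. The `template` module supports `validate: /usr/bin/bird -p -c %s`, which parses the candidate file without touching the daemon and leaves the old config in place on failure. `enabled: yes` on `start and enable bird` is the YAML 1.1 truthy spelling; `enabled: true` is the canonical form.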

@ -0,0 +1,160 @@
timeformat protocol iso long;
log "bird.log" all;
# debug protocols all;
define ffrl_nat_address = {{ ffrl_ip4 }};
define ffmyk_as = 65032; # private AS of ffmyk
define ffrl_as = 201701; # public AS of rheinland
router id ffrl_nat_address;
ipv4 table ffrl4;
ipv6 table ffrl6;
function is_default4() {
return net ~ [
0.0.0.0/0
];
}
function is_default6() {
return net ~ [
::/0
];
}
function is_ffrl_nat4() {
return net ~ [
{{ ffrl_ip4 }}/32
];
}
function is_ffrl_public_nets6() {
return net ~ [
2a03:2260:1016::/48{48,56}
];
}
function is_ffrl_tunnel_nets4() {
return net ~ [
100.64.0.0/10
];
}
function is_ffrl_tunnel_nets6() {
return net ~ [
2a03:2260:0::/48
];
}
# BGP Import Filter für Rheinland
filter ebgp_ffrl_import_filter4 {
if is_default4() then accept;
reject;
}
# BGP Export Filter für Rheinland
filter ebgp_ffrl_export_filter4 {
if is_ffrl_nat4() then accept;
reject;
}
filter ebgp_ffrl_import_filter6 {
if is_default6() then accept;
reject;
}
filter ebgp_ffrl_export_filter6 {
if is_ffrl_public_nets6() then accept;
reject;
}
protocol device {
scan time 10;
}
# IP-NAT-Adresse legen wir in die interne BIRD Routing Table
protocol static ffrl_uplink_hostroute4 {
ipv4 { table ffrl4; };
route {{ ffrl_ip4 }}/32 reject;
}
protocol static ffrl_public_routes6 {
ipv6 { table ffrl6; };
route 2a03:2260:1016::/48 reject;
}
# Wir legen die Transfernetze in die interne BIRD Routing Table
#protocol direct {
# ipv4;
# table ffrl4;
# interface {% for peer in ffrl_peers %}"{{ peer.name }}", {% endfor %};
# import where is_ffrl_tunnel_nets4();
#}
# Wir exportieren über Rheinland gelernte Routen in die Kernel Table 47 (ffrl)
protocol kernel kernel_ffrl4 {
scan time 30;
ipv4 {
import none;
export filter {
krt_prefsrc = ffrl_nat_address;
accept;
};
table ffrl4;
};
kernel table 42;
};
protocol kernel kernel_ffrl6 {
scan time 30;
ipv6 {
import none;
export filter {
if is_default6() then accept;
reject;
};
table ffrl6;
};
kernel table 42;
};
# BGP Template für Rheinland Peerings
template bgp ffrl_uplink4 {
local as ffmyk_as;
ipv4 {
table ffrl4;
import keep filtered;
import filter ebgp_ffrl_import_filter4;
export filter ebgp_ffrl_export_filter4;
next hop self;
};
direct;
};
template bgp ffrl_uplink6 {
local as ffmyk_as;
ipv6 {
table ffrl6;
import keep filtered;
import filter ebgp_ffrl_import_filter6;
export filter ebgp_ffrl_export_filter6;
next hop self;
};
direct;
};
{% for peer in ffrl_peers %}
protocol bgp ffrl_{{ peer.name }}4 from ffrl_uplink4 {
source address {{ peer.ip4 }};
neighbor {{ peer.peer_ip4 }} as 201701;
};
protocol bgp ffrl_{{ peer.name }}6 from ffrl_uplink6 {
source address {{ peer.ip6 }};
neighbor {{ peer.peer_ip6 }} as 201701;
}
{% endfor %}
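Review bot: `ffrl_as` is defined as 201701 at the top but never used; the generated `protocol bgp` blocks repeat the literal in `neighbor {{ peer.peer_ip4 }} as 201701;` and the IPv6 twin, so `as ffrl_as;` would keep the AS in one place. The comment above `kernel_ffrl4` says the routes go to "Kernel Table 47 (ffrl)", yet both kernel protocols declare `kernel table 42`, the ffmyk table, while the rt_tables task elsewhere in this commit creates table 47 as `ffrl`; one of the three is stale and should be reconciled before this runs. The last generated block ends with `}` where every other block in the file ends with `};`, harmless for bird but inconsistent.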

@ -0,0 +1,14 @@
Connection=tunnel
Interface={{ item.name }}
Mode=gre
Local={{ ansible_default_ipv4.address }}
Remote={{ item.remote }}
ExecUpPost="/usr/bin/ip link set dev {{ item.name }} mtu 1400; /usr/bin/ip tunnel change {{ item.name }} ttl 64"
IP=static
Address=('{{ item.ip4 }}/31' '{{ ffrl_ip4 }}/32')
IP6=static
Address6=('{{ item.ip6 }}/64')

@ -1,9 +1,9 @@
--- ---
- name: setup fastds - name: setup fastds
hosts: fastds hosts: fastd
user: root user: root
roles: roles:
- install_yaourt #- install_yaourt
- configure_journald - configure_journald
- configure_sysctl - configure_sysctl
- configure_iptables - configure_iptables
@ -19,14 +19,33 @@
- install_radvd - install_radvd
- install_bind - install_bind
- install_wireguard - install_wireguard
- install_wireguard_mesh #- install_wireguard_mesh
- install_wireguard_backbone - install_wireguard_backbone
- install_babeld - install_babeld
- install_fastd - install_fastd
#- install_monitoring #- install_monitoring
- install_admin_packages - install_admin_packages
- name: install openvpn uplink - name: install openvpn uplink
hosts: mullvad_fastds hosts: mullvad_fastd
user: root user: root
roles: roles:
- install_openvpn - install_openvpn
- name: setup ffrl
hosts: ffrl_uplink
user: root
roles:
- configure_journald
- configure_sysctl
- configure_iptables
- configure_static_routes
- install_cronie
#- install_php
#- install_nginx
- install_ntp
- install_haveged
- install_wireguard
- install_wireguard_backbone
- install_babeld
- setup_ffrl_tunnel
#- install_monitoring
- install_admin_packages
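Review bot: The templates applied by the fastd play now index `groups['ffrl_uplink']`, and those applied by the new ffrl play index `groups['fastd']`, so both inventory groups must exist whenever either play runs; an inventory without an `ffrl_uplink` group makes the babeld and iptables templates fail with an undefined-variable error on every fastd host. `groups.get('ffrl_uplink', [])` in those templates, or a comment at the top of this playbook stating the requirement, would make the dependency explicit. The host group renames `fastds` → `fastd` and `mullvad_fastds` → `mullvad_fastd` also need the matching inventory change, which is not part of this page.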
