new group wg

inventory.ini

@@ -15,6 +15,9 @@ fastd-aw2
 fastd-ko2
 fastd-my2
 
+[wg]
+ff-wg-niyawe1
+
 [icvpn]
 ff-icvpn
 

roles/configure_iptables/templates/ip6tables.rules

@@ -4,13 +4,13 @@
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
-{% if 'fastd' in group_names %}
+{% if 'fastd' in group_names or 'wg' in group_names %}
 {% for site in sites %}
 -A PREROUTING -i bat{{ site.name }} -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
 {% endif %}
 
-{% if 'fastd' in group_names %}
+{% if 'fastd' in group_names or 'wg' in group_names %}
 {% for peer in groups['uplink'] %}
 -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
@@ -19,6 +19,9 @@
 {% for peer in groups['fastd'] %}
 -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
+{% for peer in groups['wg'] %}
+-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
+{% endfor %}
 {% for peer in groups['uplink'] | difference([inventory_hostname]) %}
 -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
@@ -42,15 +45,24 @@ COMMIT
 # iperf3
 -A INPUT -p tcp -m tcp -s 2a03:2260:1016::/48 --dport 5201 -j ACCEPT
 
-{% if 'fastd' in group_names %}
+{% if 'fastd' in group_names or 'wg' in group_names %}
 # dns
 -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
 -A INPUT -p udp -m udp --dport 53 -j ACCEPT
 # ntp
 -A INPUT -p udp -m udp --dport 123 -j ACCEPT
+{% endif %}
+{% if 'fastd' in group_names %}
 # fastd
 -A INPUT -s 2a03:2260:1016::/48 -p udp -m udp --dport 10010:10023 -j DROP
 -A INPUT -p udp -m udp --dport 10010:10023 -j ACCEPT
+{% endif %}
+{% if 'wg' in group_names %}
+# wg
+-A INPUT -s 2a03:2260:1016::/48 -p udp -m udp --dport 10000 -j DROP
+-A INPUT -p udp -m udp --dport 10000 -j ACCEPT
+{% endif %}
+{% if 'fastd' in group_names or 'wg' in group_names %}
 # respondd
 -A INPUT -i bat+ -p udp -m udp --dport 1001 -j ACCEPT
 # wireguard_mesh
@@ -60,7 +72,7 @@ COMMIT
 {% endfor %}
 {% endif %}
 # wireguard_backbone
-{% if 'fastd' in group_names %}
+{% if 'fastd' in group_names or 'wg' in group_names %}
 {% for peer in groups['uplink'] %}
 -A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
 -A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT
@@ -71,6 +83,10 @@ COMMIT
 -A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
 -A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT
 {% endfor %}
+{% for peer in groups['wg'] %}
+-A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
+-A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT
+{% endfor %}
 {% for peer in groups['uplink'] | difference([inventory_hostname]) %}
 -A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
 -A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT
@@ -92,8 +108,9 @@ COMMIT
 # LOG
 -A INPUT -m limit --limit 2/min -j LOG --log-prefix "IP6Tables-Dropped input: " --log-level 4
 
-{% if 'fastd' in group_names %}
+{% if 'fastd' in group_names or 'wg' in group_names %}
 {% for site in sites %}
+-A FORWARD -i bat{{ site.name }} -p udp --dport 10000 -j REJECT
 -A FORWARD -i bat{{ site.name }} -p udp --dport 10010:10021 -j REJECT
 {% endfor %}
 {% endif %}

roles/configure_iptables/templates/iptables.rules

@@ -10,7 +10,7 @@
 {% endfor %}
 {% endif %}
 
-{% if 'fastd' in group_names %}
+{% if 'fastd' in group_names or 'wg' in group_names %}
 {% for peer in groups['uplink'] %}
 -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
@@ -19,6 +19,9 @@
 {% for peer in groups['fastd'] %}
 -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
+{% for peer in groups['wg'] %}
+-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
+{% endfor %}
 {% for peer in groups['uplink'] | difference([inventory_hostname]) %}
 -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
@@ -41,7 +44,7 @@ COMMIT
 -A INPUT -p tcp -m tcp -s 10.30.0.0/18 --dport 5201 -j ACCEPT
 -A INPUT -p tcp -m tcp -s 10.222.0.0/16 --dport 5201 -j ACCEPT
 
-{% if 'fastd' in group_names %}
+{% if 'fastd' in group_names or 'wg' in group_names %}
 # dns
 -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
 -A INPUT -p udp -m udp --dport 53 -j ACCEPT
@@ -51,11 +54,19 @@ COMMIT
 {% endfor %}
 # ntp
 -A INPUT -p udp -m udp --dport 123 -j ACCEPT
+{% endif %}
+{% if 'fastd' in group_names %}
 # fastd
 -A INPUT -s 10.30.0.0/18 -p udp -m udp --dport 10010:10023 -j DROP
 -A INPUT -s 10.222.0.0/16 -p udp -m udp --dport 10010:10023 -j DROP
 -A INPUT -p udp -m udp --dport 10010:10023 -j ACCEPT
 {% endif %}
+{% if 'wg' in group_names %}
+# wg
+-A INPUT -s 10.30.0.0/18 -p udp -m udp --dport 10000 -j DROP
+-A INPUT -s 10.222.0.0/16 -p udp -m udp --dport 10000 -j DROP
+-A INPUT -p udp -m udp --dport 10000 -j ACCEPT
+{% endif %}
 # MOSH
 -A INPUT -p udp -m udp --dport 60000:61000 -j ACCEPT
 
@@ -72,7 +83,7 @@ COMMIT
 
 -A INPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped input: " --log-level 4
 
-{% if 'fastd' in group_names %}
+{% if 'fastd' in group_names or 'wg' in group_names %}
 {% for site in sites %}
 -A FORWARD -i bat{{ site.name }} -p udp --dport 10010:10021 -j REJECT
 {% endfor %}

roles/configure_static_routes/tasks/main.yml

@@ -13,6 +13,9 @@
 - include_tasks: fastd_tasks.yml
   when: "'fastd' in group_names"
 
+- include_tasks: wg_tasks.yml
+  when: "'wg' in group_names"
+
 - name: copy ffmyk iproute systemd service
   copy:
       src: ffmyk-iproute.service

roles/configure_static_routes/tasks/wg_tasks.yml

@@ -0,0 +1,14 @@
+---
+- name: copy site specific iproute up config script
+  template:
+      src: ffmyk-iproute-up.j2
+      dest: /usr/local/bin/ffmyk-iproute{{ item.name }}-up.sh
+      mode: 0744
+  with_items: "{{ sites }}"
+
+- name: copy site specific iproute down config script
+  template:
+      src: ffmyk-iproute-down.j2
+      dest: /usr/local/bin/ffmyk-iproute{{ item.name }}-down.sh
+      mode: 0744
+  with_items: "{{ sites }}"

roles/install_babeld/templates/babeld.conf.j2

@@ -5,7 +5,7 @@
 ipv6-subtrees true
 
 # You must provide at least one interface for babeld to operate on.
-{% if ('fastd' in group_names) %}
+{% if ('fastd' in group_names or 'wg' in group_names) %}
 {% for peer in groups['uplink'] %}
 interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
 {% endfor %}
@@ -14,6 +14,9 @@ interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
 {% for peer in groups['fastd'] %}
 interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
 {% endfor %}
+{% for peer in groups['wg'] %}
+interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
+{% endfor %}
 {% for peer in groups['uplink'] | difference([inventory_hostname]) %}
 interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
 {% endfor %}
@@ -63,7 +66,7 @@ redistribute ip 64:ff9b::/96 allow
 redistribute ip fd62:44e1:da::/48 allow
 redistribute local deny
 
-{% if ('fastd' in group_names) and preferred_uplink is defined %}
+{% if ('fastd' in group_names or 'wg' in group_names) and preferred_uplink is defined %}
 {% for peer in groups['uplink'] %}
 {% if not hostvars[peer]['wireguard_bb_name'] == preferred_uplink %}
 in if bb{{ hostvars[peer]['wireguard_bb_name'] }} metric 64

roles/install_monitoring/tasks/install_munin.yml

@@ -143,7 +143,9 @@
       src: /usr/lib/munin/plugins/if_
       state: link
   notify: restart munin-node
-  with_items: "{{ groups['fastd'] }}"
+  with_items:
+    - "{{ groups['fastd'] }}"
+    - "{{ groups['wg'] }}"
   when: "'uplink' in group_names"
 
 - name: enable munin plugins for network monitoring (6/9)

roles/install_wireguard_backbone/tasks/main.yml

@@ -7,5 +7,8 @@
 - include_tasks: fastd_tasks.yml
   when: "('fastd' in group_names)"
 
+- include_tasks: wg_tasks.yml
+  when: "('wg' in group_names)"
+
 - include_tasks: uplink_tasks.yml
   when: "'uplink' in group_names"

roles/install_wireguard_backbone/tasks/uplink_tasks.yml

@@ -4,7 +4,9 @@
       src: wg.conf.j2
       dest: /etc/wireguard/wgbb{{ hostvars[item]['wireguard_bb_name'] }}.conf
       mode: 0400
-  with_items: "{{ groups['fastd'] }}"
+  with_items:
+    - "{{ groups['fastd'] }}"
+    - "{{ groups['wg'] }}"
 
 - name: create wireguard config for uplinks
   template:
@@ -25,7 +27,9 @@
       src: up.sh.j2
       dest: /etc/wireguard/upbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
       mode: 0744
-  with_items: "{{ groups['fastd'] }}"
+  with_items:
+    - "{{ groups['fastd'] }}"
+    - "{{ groups['wg'] }}"
 
 - name: create wireguard up scripts for uplinks
   template:
@@ -46,7 +50,9 @@
       src: down.sh.j2
       dest: /etc/wireguard/downbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
       mode: 0744
-  with_items: "{{ groups['fastd'] }}"
+  with_items:
+    - "{{ groups['fastd'] }}"
+    - "{{ groups['wg'] }}"
 
 - name: create wireguard down scripts for uplinks
   template:
@@ -68,7 +74,9 @@
       enabled: yes
       state: started
       daemon_reload: yes
-  with_items: "{{ groups['fastd'] }}"
+  with_items:
+    - "{{ groups['fastd'] }}"
+    - "{{ groups['wg'] }}"
 
 - name: start and enable wireguard mesh for uplinks
   systemd:

roles/install_wireguard_backbone/tasks/wg_tasks.yml

@@ -0,0 +1,33 @@
+---
+- name: create wireguard config for peers
+  template:
+      src: wg.conf.j2
+      dest: /etc/wireguard/wgbb{{ hostvars[item]['wireguard_bb_name'] }}.conf
+      mode: 0400
+  with_items:
+      - "{{ groups['uplink'] }}"
+
+- name: create wireguard up scripts for peers
+  template:
+      src: up.sh.j2
+      dest: /etc/wireguard/upbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
+      mode: 0744
+  with_items: 
+      - "{{ groups['uplink'] }}"
+
+- name: create wireguard down scripts for peers
+  template:
+      src: down.sh.j2
+      dest: /etc/wireguard/downbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
+      mode: 0744
+  with_items: 
+      - "{{ groups['uplink'] }}"
+
+- name: start and enable wireguard mesh
+  systemd:
+      name: wgbackbone@{{ hostvars[item]['wireguard_bb_name'] }}.service
+      enabled: yes
+      state: started
+      daemon_reload: yes
+  with_items: 
+      - "{{ groups['uplink'] }}"

roles/setup_ffrl_tunnel/templates/bird.conf

@@ -1,6 +1,6 @@
 timeformat protocol iso long;
 
-log "bird.log" all;
+#log "bird.log" all;
 # debug protocols all;
 
 define ffrl_nat_address = {{ ffrl_ip4 }};

setup_fastd.yml

@@ -27,25 +27,30 @@
       - install_iperf3
       - update_ssh_keys
       - install_admin_packages
-- name: setup icvpn
+- name: setup wg gw
-  hosts: icvpn
+  hosts: wg
   user: root
   roles:
       - configure_journald
       - configure_sysctl
-      #- configure_iptables
+      - configure_iptables
-      #- configure_static_routes
+      - configure_static_routes
       #- install_ssmtp
       - install_cronie
       #- install_php
       #- install_nginx
       - install_ntp
       - install_haveged
-      #- setup_batman
+      - setup_batman
+      #- install_dhcp
+      #- install_radvd
       #- install_bind
       - install_wireguard
-      #- install_wireguard_backbone
+      #- install_wireguard_mesh
-      #- install_babeld
+      - install_wireguard_backbone
+      - install_babeld
+      #- install_fastd
+      #- install_mesh-announce
       #- install_monitoring
       - install_iperf3
       - update_ssh_keys