new net with nat64

master
Niklas Yann Wettengel 3 years ago
parent b53a8cf228
commit fb0dbf28a0

@ -7,3 +7,4 @@ wireguard_bb_peers:
pub_key: 'LobyJ67+/rGkTcFSchnJMz76MGVBAz5FrFypYq9GnzQ='
ipv4: '10.222.0.212'
port: 10151
dns_ip: '2a03:2260:1016::53'

@ -244,6 +244,19 @@ wireguard_bb_pub_key: 'zGubrJd9Wfa1Yo9I5xyJArdvX1bj7OS2VFth289PdlU='
wireguard_bb_ipv4: '10.222.0.11'
wireguard_bb_ipv6: 'fe80::ffbb:ffbb:11'
wireguard_bb_port: 10111
wireguard_vpn_port: 10010
wireguard_vpn_priv_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
34313130643739316461343031626565323930303465623238356636636531656630396433383036
6337386336633165636633353139323366323563333464380a393438343365363661633331356438
62326531336666326662323535366463333265313130343430653162646461383230363064366264
6431663833633537660a343830623735633330643935363232366532346664353834623636326462
33393133363464313665623963393534306235653239636438343537366533306166623535663336
3864646261313135386563613637613330343935333636633434
wireguard_vpn_address: 'fe80::7e:adff:fefc:0b8c'
wireguard_vpn_client_range: '2a03:2260:1016:1000::/52'
tayga_ipv4: 10.1.0.1
tayga_pool: 10.1.0.0/16
ffrl_ip4: '185.66.194.56'
ffrl_peers:
- name: 'bbaakber'

@ -244,6 +244,19 @@ wireguard_bb_pub_key: 'ctSz9JjaPWM4Se39rSsbr39wXWfA1LJDF1OwwBui0VY='
wireguard_bb_ipv4: '10.222.0.12'
wireguard_bb_ipv6: 'fe80::ffbb:ffbb:12'
wireguard_bb_port: 10112
wireguard_vpn_port: 10010
wireguard_vpn_priv_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
36623962663931636165643834636338373230623438306431316338633765333434626462626636
6330346538316361376531353932666363303431313737640a333931366638326164333937656566
32393639376561396161313365343563383132663338363437376563653930643835303230613336
6232616639643564360a613333666165623036613866383236323335383233376439386463333535
32616431393965313839613264326137633063366530336461643534623833306466653330373666
6364666534323361663937613837313031356262363338386563
wireguard_vpn_address: 'fe80::ce:30ff:fe37:94da'
wireguard_vpn_client_range: '2a03:2260:1016:2000::/52'
tayga_ipv4: 10.2.0.1
tayga_pool: 10.2.0.0/16
ffrl_ip4: '185.66.194.57'
ffrl_peers:
- name: 'bbafra2fra'

@ -0,0 +1,19 @@
---
- name: add aurto repo (1/3)
ansible.builtin.lineinfile:
path: /etc/pacman.conf
line: "[aurto]"
- name: add aurto repo (2/3)
ansible.builtin.lineinfile:
path: /etc/pacman.conf
line: "SigLevel = Optional TrustAll"
- name: add aurto repo (3/3)
ansible.builtin.lineinfile:
path: /etc/pacman.conf
line: "Server = https://aur.niyawe.de/"
- name: update pacman cache
pacman:
update_cache: yes
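Review bot: `SigLevel = Optional TrustAll` on line three of this role disables both signature and key-trust checks for the aurto repo, so the only thing standing between a host and a tampered package is the TLS connection to aur.niyawe.de — any compromise of that server or its DNS becomes root on every supernode. If the repo's packages can be signed, raise this to `SigLevel = Required DatabaseOptional` and ship the key; if they cannot, at least record the trade-off in a comment next to the line. The three `lineinfile` calls are also fragile: each only guarantees the line exists somewhere in pacman.conf, so a pre-existing `SigLevel = Optional TrustAll` under another repo satisfies task 2/3 and the section ends up incomplete; a single `blockinfile` keeps the three lines together and ordered.
```yaml
- name: add aurto repo
  ansible.builtin.blockinfile:
    path: /etc/pacman.conf
    marker: "# {mark} ANSIBLE MANAGED BLOCK: aurto"
    block: |
      [aurto]
      # TODO: sign the repo packages and raise this to "Required DatabaseOptional";
      # with TrustAll, HTTPS to aur.niyawe.de is the only integrity check
      SigLevel = Optional TrustAll
      Server = https://aur.niyawe.de/
# … unchanged: update pacman cache …
```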

@ -52,6 +52,8 @@ COMMIT
-A INPUT -p udp -m udp --dport 10010:10023 -j ACCEPT
# respondd
-A INPUT -i bat+ -p udp -m udp --dport 1001 -j ACCEPT
# wg_prefix_provider
-A INPUT -i wgmyk -s fe80::/64 -p tcp -m tcp --dport 9999 -j ACCEPT
# wireguard_mesh
{% for site in sites %}
-A INPUT -s 2a03:2260:1016::/48 -p udp -m udp --dport {{ site.wireguard_mesh_port }} -j DROP

@ -2,7 +2,11 @@
#Alles, was mit 0x1 markiert wird gehört zu Tabelle ffmyk
ip -4 rule add from all fwmark 0x1 table ffmyk priority 10
ip -6 rule add from all fwmark 0x1 table ffmyk priority 10
ip -4 rule add iif nat64 table ffmyk priority 10
ip -6 rule add iif nat64 table ffmyk priority 10
ip -4 rule add to 10.1.0.0/16 table ffmyk priority 10
ip -4 rule add to 10.2.0.0/16 table ffmyk priority 10
#Alles mit Freifunk-IP - woher auch immer - gehört zu Tabelle ffmyk
ip -4 rule add to 10.222.1.0/24 table ffmyk priority 10
ip -4 rule add to 10.222.2.0/23 table ffmyk priority 10
@ -16,3 +20,6 @@ ip -6 rule add to 2001:470:cd45:ff00::/56 table ffmyk priority 10
ip -6 rule add to 2a03:2260:1016::/48 table ffmyk priority 10
ip -6 rule add to 64:ff9b::/96 table ffmyk priority 10
ip -6 rule add to fd62:44e1:da::/48 table ffmyk priority 10
ip -4 rule add from all iif nat64 type unreachable priority 200
ip -6 rule add from all iif nat64 type unreachable priority 200
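Review bot: The two `ip -4 rule add to 10.1.0.0/16` / `10.2.0.0/16` lines hard-code the per-host `tayga_pool` values that this commit defines in host_vars, so the next site or a pool change has to be made in two places and the rules silently stop matching if they drift. If this file is rendered as a template, loop over the hosts' `tayga_pool` values the way the iptables template loops over `sites`; if it is a static script, at least mark the dependency, e.g. `ip -4 rule add to 10.1.0.0/16 table ffmyk priority 10  # tayga_pool of .11 — keep in sync with host_vars`. The `iif nat64 ... type unreachable priority 200` pair at the end is a good fallback; a one-line comment saying it exists so translated traffic can never leak into the main table would save the next reader a lookup.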

@ -1,5 +1,5 @@
---
- name: install fastd
- name: install babeld
pacman:
name: babeld
state: present

@ -11,6 +11,16 @@
owner: named
group: named
- name: create systemd-folder
file:
path: /etc/systemd/system/named.service.d
state: directory
- name: bind ip override
template:
src: ipv6.conf.j2
dest: /etc/systemd/system/named.service.d/ipv6.conf
- name: bind config
template:
src: named.conf.j2
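Review bot: The new `create systemd-folder` and `bind ip override` tasks write a drop-in under `named.service.d` but carry no `notify:`, and nothing in the hunk runs `systemctl daemon-reload`, so on an already-running host the `ExecStartPre` from ipv6.conf is not picked up until something else reloads systemd and restarts named. Add `notify:` to the override task pointing at a handler that calls `systemd: daemon_reload: yes` before restarting named (the existing handlers are outside this hunk, so I cannot tell whether one already does this). The template task should also set `mode: 0644` like the other templates in this commit so the drop-in is not created with whatever umask Ansible runs under. The task list continues beyond the hunk.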

@ -0,0 +1,2 @@
[Service]
ExecStartPre=/usr/bin/ip addr replace {{ dns_ip }}/128 dev lo
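Review bot: `ExecStartPre=` in a drop-in runs with the unit's `User=`, so if named.service drops privileges via `User=named` this `ip addr replace` fails with EPERM and the unit never starts; use the `+` prefix so it runs as root regardless: `ExecStartPre=+/usr/bin/ip addr replace {{ dns_ip }}/128 dev lo`. There is also no matching removal on stop, so a host whose resolver is down keeps `{{ dns_ip }}` configured and, if that address is what gets announced, keeps attracting DNS queries to a dead service; `ExecStopPost=-/usr/bin/ip addr del {{ dns_ip }}/128 dev lo` would close that gap (hedged — I cannot see how the address is routed). A one-line comment naming this as the anycast resolver address would help the next reader.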

@ -10,6 +10,7 @@ options {
auth-nxdomain no; # conform to RFC1035
listen-on-v6 {
2a03:2260:1016::53;
{% for site in sites %}
{{ site.bat_ipv6 }};
{% endfor %}
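Review bot: The `listen-on-v6` block keeps the literal `2a03:2260:1016::53;` while the same commit introduces the `dns_ip` host variable and binds it on `lo` from the systemd drop-in, so the two can diverge the first time someone changes one of them. Render it from the variable instead: `{{ dns_ip }};`. The `options` block starts before this hunk, so I cannot see whether `listen-on` for IPv4 has the same duplication.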

@ -1,73 +0,0 @@
#!/usr/bin/perl -w
# -*- perl -*-
=head1 NAME
fastd_peers_ - Plugin to monitor fastd peers
=head1 CONFIGURATION
Set user and group to have access to the socket
Set path to socketfile if not /tmp/fastd.sock
[fastd_peers_*]
user fastd
group fastd
env.socketfile /tmp/fastd.sock
=head1 USAGE
Link this plugin to /etc/munin/plugins/
After creating the links, restart munin-node. Don't forget to configure the plugin!
=head1 AUTHORS
Dominique Goersch <mail@dgoersch.info>
Niklas Yann Wettengel <niyawe@niyawe.de>
=head1 LICENSE
GPLv2
=head1 MAGIC MARKERS
#%# family=manual
=cut
use strict;
use warnings;
use File::Basename;
use IO::Socket::UNIX qw( SOCK_STREAM );
use JSON;
if ($ARGV[0] and $ARGV[0] eq "config") { #config graph
print "graph_title fastd peers\n";
print "graph_info This graph shows the peers of the fastd on this supernode\n";
print "graph_args -l 0\n";
print "graph_scale no\n";
print "graph_vlabel peers count\n";
print "graph_category fastd\n";
print "peers.label peers\n";
print "peers.draw AREA\n";
exit 0;
}
my $statusfile = exists $ENV{'socketfile'} ? $ENV{'socketfile'} : "/tmp/fastd.sock"; #get path to socket from environment or use default
my $socket = IO::Socket::UNIX->new(Type => SOCK_STREAM,Peer => $statusfile) #open socket
or die("Can't connect to server: $!\n");
my $fastdstatus = "";
foreach my $line (<$socket>) {$fastdstatus .= $line;} #read contents from socket
my $json = decode_json($fastdstatus); #decode json
#my $fastd_peers = scalar(keys(%{$json->{peers}})); #get number of peers from json
my $fastd_peers = 0;
for my $key (keys(%{$json->{peers}})) {
$fastd_peers = $fastd_peers + ($json->{peers}{$key}{connection}? 1 : 0);
}
print "peers.value $fastd_peers\n"; #return number of peers

@ -1,124 +0,0 @@
#!/usr/bin/perl -w
# -*- perl -*-
=head1 NAME
fastd_ - Plugin to monitor fastd uptime, peers and traffic
=head1 CONFIGURATION
Set user and group to have access to the socket
Set path to socketfile if not /tmp/fastd.sock
[fastd_*]
user fastd
group fastd
env.socketfile /tmp/fastd.sock
=head1 USAGE
Link this plugin to /etc/munin/plugins/ with the type of graph (uptime, peers, traffic)
append to the linkname, ie: /etc/munin/plugins/fastd_peers
After creating the links, restart munin-node. Don't forget to configure the plugin!
=head1 AUTHORS
Dominique Goersch <mail@dgoersch.info>
=head1 LICENSE
GPLv2
=head1 MAGIC MARKERS
#%# family=manual
#%# capabilities=suggest
=cut
use strict;
use warnings;
use File::Basename;
use IO::Socket::UNIX qw( SOCK_STREAM );
use JSON;
my $mode = basename($0); #get basename
$mode =~ s/fastd_//; #and strip 'fastd_' to get the mode
if ($ARGV[0] and $ARGV[0] eq "config") { #config graph
if ($mode eq 'uptime') { #for uptime
print "graph_title fastd Uptime\n";
print "graph_info This graph shows the uptime of the fastd on this supernode\n";
print "graph_args -l 0\n";
print "graph_scale no\n";
print "graph_vlabel uptime in days\n";
print "graph_category fastd\n";
print "uptime.label uptime\n";
print "uptime.draw AREA\n";
}
elsif ($mode eq 'peers') { #for peers
print "graph_title fastd peers\n";
print "graph_info This graph shows the peers of the fastd on this supernode\n";
print "graph_args -l 0\n";
print "graph_scale no\n";
print "graph_vlabel peers count\n";
print "graph_category fastd\n";
print "peers.label peers\n";
print "peers.draw AREA\n";
}
elsif ($mode eq 'traffic') { #for traffic
print "graph_order down up\n";
print "graph_title fastd traffic\n";
print "graph_args --base 1000\n";
print "graph_vlabel bits in (-) / out (+) per second\n";
print "graph_category fastd\n";
print "graph_info This graph shows the traffic of fast.\n";
print "down.label received\n";
print "down.type DERIVE\n";
print "down.graph no\n";
print "down.cdef down,8,*\n";
print "down.min 0\n";
print "up.label bps\n";
print "up.type DERIVE\n";
print "up.negative down\n";
print "up.cdef up,8,*\n";
print "up.min 0\n";
}
exit 0;
}
if ($ARGV[0] and $ARGV[0] eq "suggest") { #tell munin about our graphs
print "uptime\n";
print "peers\n";
print "traffic\n";
}
my $statusfile = exists $ENV{'socketfile'} ? $ENV{'socketfile'} : "/tmp/fastd.sock"; #get path to socket from environment or use default
my $socket = IO::Socket::UNIX->new(Type => SOCK_STREAM,Peer => $statusfile) #open socket
or die("Can't connect to server: $!\n");
my $fastdstatus = "";
foreach my $line (<$socket>) {$fastdstatus .= $line;} #read contents from socket
my $json = decode_json($fastdstatus); #decode json
my $fastd_uptime = $json->{uptime}; #get the uptime from json
#my $fastd_peers = scalar(keys(%{$json->{peers}})); #get number of peers from json
my $fastd_peers = 0;
for my $key (keys(%{$json->{peers}})) {
$fastd_peers = $fastd_peers + ($json->{peers}{$key}{connection}? 1 : 0);
}
my $fastd_rx_bytes = $json->{statistics}->{rx}->{bytes}; #get recieved bytes from json
my $fastd_tx_bytes = $json->{statistics}->{tx}->{bytes}; #get transmittetd bytes from json
if ( $mode eq 'uptime' ) {
printf "uptime.value %.0f\n",$fastd_uptime/86400000; #return uptime in seconds
} elsif ($mode eq 'peers') {
print "peers.value $fastd_peers\n"; #return number of peers
} elsif ($mode eq 'traffic') {
print "up.value $fastd_tx_bytes\n"; #return transmitted bytes
print "down.value $fastd_rx_bytes\n"; #and recieved bytes
}

@ -1,79 +0,0 @@
#!/usr/bin/perl -w
# -*- perl -*-
=head1 NAME
fastd_traffic_ - Plugin to monitor fastd traffic
=head1 CONFIGURATION
Set user and group to have access to the socket
Set path to socketfile if not /tmp/fastd.sock
[fastd_traffic_*]
user fastd
group fastd
env.socketfile /tmp/fastd.sock
=head1 USAGE
Link this plugin to /etc/munin/plugins/
After creating the links, restart munin-node. Don't forget to configure the plugin!
=head1 AUTHORS
Dominique Goersch <mail@dgoersch.info>
Niklas Yann Wettengel <niyawe@niyawe.de>
=head1 LICENSE
GPLv2
=head1 MAGIC MARKERS
#%# family=manual
=cut
use strict;
use warnings;
use File::Basename;
use IO::Socket::UNIX qw( SOCK_STREAM );
use JSON;
if ($ARGV[0] and $ARGV[0] eq "config") { #config graph
print "graph_order down up\n";
print "graph_title fastd traffic\n";
print "graph_args --base 1000\n";
print "graph_vlabel bits in (-) / out (+) per second\n";
print "graph_category fastd\n";
print "graph_info This graph shows the traffic of fast.\n";
print "down.label received\n";
print "down.type DERIVE\n";
print "down.graph no\n";
print "down.cdef down,8,*\n";
print "down.min 0\n";
print "up.label bps\n";
print "up.type DERIVE\n";
print "up.negative down\n";
print "up.cdef up,8,*\n";
print "up.min 0\n";
exit 0;
}
my $statusfile = exists $ENV{'socketfile'} ? $ENV{'socketfile'} : "/tmp/fastd.sock"; #get path to socket from environment or use default
my $socket = IO::Socket::UNIX->new(Type => SOCK_STREAM,Peer => $statusfile) #open socket
or die("Can't connect to server: $!\n");
my $fastdstatus = "";
foreach my $line (<$socket>) {$fastdstatus .= $line;} #read contents from socket
my $json = decode_json($fastdstatus); #decode json
my $fastd_rx_bytes = $json->{statistics}->{rx}->{bytes}; #get recieved bytes from json
my $fastd_tx_bytes = $json->{statistics}->{tx}->{bytes}; #get transmittetd bytes from json
print "up.value $fastd_tx_bytes\n"; #return transmitted bytes
print "down.value $fastd_rx_bytes\n"; #and recieved bytes

@ -15,42 +15,6 @@
name: perl-json
state: present
- name: copy fastd peers plugin
copy:
src: munin/munin_fastd_peers
dest: /usr/lib/munin/plugins/fastd_peers_
mode: 0755
notify: restart munin-node
- name: copy fastd traffic plugin
copy:
src: munin/munin_fastd_traffic
dest: /usr/lib/munin/plugins/fastd_traffic_
mode: 0755
notify: restart munin-node
- name: enable munin plugins for fastd peers
file:
path: /etc/munin/plugins/fastd_peers_ff{{ item.name }}
src: /usr/lib/munin/plugins/fastd_peers_
state: link
with_items: "{{ sites }}"
notify: restart munin-node
- name: enable munin plugins for fastd traffic
file:
path: /etc/munin/plugins/fastd_traffic_ff{{ item.name }}
src: /usr/lib/munin/plugins/fastd_traffic_
state: link
with_items: "{{ sites }}"
notify: restart munin-node
- name: copy fastd plugin config
template:
src: munin_fastd_conf.j2
dest: /etc/munin/plugin-conf.d/fastd
notify: restart munin-node
- name: copy wg peers plugin
copy:
src: munin/munin_wg_peers

@ -0,0 +1,147 @@
#!/usr/bin/env python
import socket
import ipaddress
import threading
import time
import zlib
import json
import os.path
import sys
from wgnlpy import WireGuard
import requests
from xml.etree import ElementTree
if not os.path.exists("/etc/respondd_poller.json"):
print("/etc/respondd_poller.json missing")
sys.exit(1)
interface = None
prefix = None
yanic_addr = None
request = None
with open("/etc/respondd_poller.json", "r") as f:
config = json.load(f)
if "interface" in config:
interface = config["interface"]
if "prefix" in config:
prefix = ipaddress.IPv6Network(config["prefix"])
if "yanic_addr" in config and "yanic_port" in config:
yanic_addr = (config["yanic_addr"], int(config["yanic_port"]))
if "request" in config:
request = config["request"].encode("ascii")
wg = WireGuard()
sock = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
last_request = dict()
last_response = dict()
def get_wg_peers():
wgpeers = wg.get_interface(interface).peers
for peer in wgpeers:
for ip in wgpeers[peer].allowedips:
if ip.subnet_of(prefix):
yield ip
def inflate(data):
decompress = zlib.decompressobj(-zlib.MAX_WBITS)
inflated = decompress.decompress(data)
inflated += decompress.flush()
return inflated.decode()
def cleanup():
while True:
time.sleep(60)
old = time.monotonic() - 360
ips = []
macs = []
for ip in last_request:
if last_response[ip] < old:
ips.append(ip)
for ip in ips:
del last_response[ip]
del last_request[ip]
def recv():
global sock
while True:
data, addr = sock.recvfrom(1500)
sock.sendto(data, yanic_addr)
j = json.loads(inflate(data))
last_response[ipaddress.IPv6Address(addr[0])] = time.monotonic()
def send(ip):
global request
try:
sock.sendto(request, (bytearray(str(ip).encode('ascii')), 1001))
except:
print("failed to send packet to", ip)
return
def get_http_nodeinfo(ip):
global last_request
now = time.monotonic()
try:
status = requests.get('http://[' + str(ip) + ']/cgi-bin/status')
except:
return
status_tree = ElementTree.fromstring(status.content)
mesh_ifs = []
interface_list = status_tree.findall(".//*[@data-interface]")
for interface in interface_list:
mesh_ifs.append(interface.attrib["data-interface"])
for mesh_if in mesh_ifs:
try:
nodeinfo = requests.get('http://[' + str(ip) + ']/cgi-bin/dyn/neighbours-nodeinfo?' + mesh_if)
except:
return
for line in nodeinfo.content.split(b'\n'):
if line.startswith(b'data: {'):
data = line.split(b': ', maxsplit=1)[1]
data = json.loads(data)
if "network" in data and "addresses" in data["network"]:
for address in data["network"]["addresses"]:
if ipaddress.IPv6Network(address).subnet_of(prefix):
node_ip = ipaddress.IPv6Address(address)
if node_ip not in last_request:
last_request[node_ip] = now
last_response[node_ip] = now
def scan_wg_peers():
global last_request
while True:
print("scanning wg peers")
request_threads = []
now = time.monotonic()
for net in get_wg_peers():
ip = ipaddress.IPv6Address(str(net.network_address) + "1")
if ip not in last_request:
last_request[ip] = now
last_response[ip] = now
request_thread = threading.Thread(target=get_http_nodeinfo, args=(ip,))
request_thread.start()
request_threads.append(request_thread)
if len(request_threads) > 10:
for thread in request_threads:
thread.join()
request_threads = []
time.sleep(60)
listen_thread = threading.Thread(target=recv)
listen_thread.start()
cleanup_thread = threading.Thread(target=cleanup)
cleanup_thread.start()
scan_thread = threading.Thread(target=scan_wg_peers)
scan_thread.start()
last_wg_time = 0
while True:
now = time.monotonic()
for ip in last_request:
if now - last_request[ip] > 15:
last_request[ip] = now
send(ip)
time.sleep(1)
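Review bot: `recv()` relays every datagram that reaches the poller's UDP socket to yanic before checking anything, and a packet that is not valid raw-deflate JSON raises out of `json.loads(inflate(data))` and terminates the listener thread — after that no responses are forwarded until someone restarts the service by hand, because the main thread is still alive and `Restart=always` never fires. A link-local source with a `%scope` suffix in `addr[0]` would also raise in `IPv6Address()`. Validate the source against `prefix` and parse before relaying, as below. Separately, the `requests.get` calls in `get_http_nodeinfo` have no `timeout=`, so one unresponsive node blocks a scan thread and the `join()` loop indefinitely, and the main loop iterates `last_request` while other threads insert into it, which can raise `RuntimeError` — iterate over `list(last_request)` there.
```python
def recv():
    global sock
    while True:
        data, addr = sock.recvfrom(1500)
        src = ipaddress.IPv6Address(addr[0].split('%')[0])
        if src not in prefix:
            continue  # only relay answers from nodes in our own prefix
        try:
            json.loads(inflate(data))
        except (zlib.error, ValueError, UnicodeDecodeError):
            print("discarding malformed respondd packet from", src)
            continue
        sock.sendto(data, yanic_addr)
        last_response[src] = time.monotonic()
```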

@ -0,0 +1,12 @@
[Unit]
Description=respondd_poller
After=network.target
[Service]
ExecStart=/opt/respondd_poller/venv/bin/python -u /opt/respondd_poller/respondd_poller.py
Restart=always
WorkingDirectory=/opt/respondd_poller
Environment=PYTHONPATH=/opt/respondd_poller
[Install]
WantedBy=multi-user.target
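Review bot: The unit has no `User=` and no sandboxing, so the poller — which parses HTML/XML and JSON fetched from every node in the mesh — runs as root with full filesystem access. It only needs a UDP socket, outbound HTTP and read access to the WireGuard peer list over netlink, so it can run as a dedicated user with a narrow capability set (whether `wgnlpy` needs `CAP_NET_ADMIN` to read peers is something to confirm on the box). A minimal hardening block is below; `After=` should also name `wg-quick@wgmyk.service` since the poller reads peers from that interface at start-up.
```ini
[Service]
User=respondd_poller
DynamicUser=yes
AmbientCapabilities=CAP_NET_ADMIN
CapabilityBoundingSet=CAP_NET_ADMIN
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
; … unchanged: ExecStart, Restart, WorkingDirectory, Environment …
```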

@ -0,0 +1,48 @@
---
- name: install respondd_poller dependencies
pacman:
name:
- git
- python-virtualenv
- python-setuptools
state: present
- name: create venv
command:
cmd: "python -m venv /opt/respondd_poller/venv"
creates: /opt/respondd_poller/venv
- name: install respondd_poller requirements
copy:
src: requirements.txt
dest: /opt/respondd_poller/requirements.txt
mode: 0644
- name: install respondd_poller script
copy:
src: respondd_poller.py
dest: /opt/respondd_poller/respondd_poller.py
mode: 0644
- name: install requirements
pip:
requirements: /opt/respondd_poller/requirements.txt
virtualenv: /opt/respondd_poller/venv
- name: install respondd_poller config
template:
src: respondd_poller.json.j2
dest: /etc/respondd_poller.json
mode: 0644
- name: create respondd_poller service
copy:
src: respondd_poller.service
dest: /etc/systemd/system/respondd_poller.service
mode: 0644
- name: start and enable respondd_poller service
systemd:
name: respondd_poller
state: started
enabled: yes
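Review bot: Neither the `install respondd_poller script` nor the `install respondd_poller config` task has a `notify:`, and the service task only ensures `started`, so a changed respondd_poller.py or respondd_poller.json is deployed to disk but the running process keeps the old code until the host reboots; add `notify: restart respondd_poller` to both tasks and a matching handler (no handler file for this role is visible in the commit). The `install requirements` task pulls whatever requirements.txt names over the network with no hash pinning, so if that file is not pinned with `--hash=` the supply chain of this root-run service is only as strong as PyPI; the file itself is not in the hunk. `git` and `python-virtualenv` are installed but nothing in this role uses them (`python -m venv` is stdlib), so they can be dropped.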

@ -0,0 +1,7 @@
{
"interface":"wgmyk",
"prefix":"2a03:2260:1016::/48",
"yanic_addr": "fe80::41:18ff:fec5:5041%wgmyk",
"yanic_port": 10001,
"request":"GET nodeinfo statistics neighbours"
}
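Review bot: `yanic_addr` is a literal link-local address of one specific host, which breaks silently if that machine's interface or MAC changes, and the file is a `.j2` template that renders no variables at all. Move the collector address and port into group_vars and render them, e.g. `"yanic_addr": "{{ yanic_addr }}",` — the `%wgmyk` scope is then the only part that stays fixed in the template.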

@ -0,0 +1,5 @@
---
- name: restart tayga
systemd:
name: tayga.service
state: restarted

@ -0,0 +1,25 @@
---
- name: install tayga
pacman:
name: tayga
state: present
- name: tayga.conf
template:
src: tayga.conf.j2
dest: /etc/tayga.conf
mode: 0644
notify: restart tayga
- name: systemd override.conf
template:
src: systemd_override.conf.j2
dest: /etc/systemd/system/tayga.service.d/override.conf
mode: 0644
notify: restart tayga
- name: start and enable tayga service
systemd:
name: tayga.service
enabled: yes
state: started
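Review bot: The `systemd override.conf` task writes to `/etc/systemd/system/tayga.service.d/override.conf` but nothing creates that directory, so on a fresh host the template task fails; the bind role in this same commit creates its drop-in directory first and this role should do the same. The override replaces `ExecStart=`, so it also needs a `daemon-reload` before the first start — add `daemon_reload: yes` to the `start and enable tayga service` task and to the `restart tayga` handler, otherwise the packaged ExecStart runs once without the routes and addresses the override adds.
```yaml
- name: create tayga systemd override dir
  file:
    path: /etc/systemd/system/tayga.service.d
    state: directory
    mode: 0755
# … unchanged: systemd override.conf task …
- name: start and enable tayga service
  systemd:
    name: tayga.service
    daemon_reload: yes
    enabled: yes
    state: started
```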

@ -0,0 +1,10 @@
[Service]
ExecStart=
ExecStartPre=/usr/bin/tayga --mktun --config /etc/tayga.conf
ExecStartPre=/usr/bin/ip link set nat64 up
ExecStartPre=/usr/bin/ip addr replace {{ tayga_ipv4 }}/32 dev nat64
ExecStartPre=/usr/bin/ip addr replace 2a03:2260:1016::64/128 dev nat64
ExecStartPre=/usr/bin/ip route replace {{ tayga_pool }} dev nat64 table ffmyk
ExecStartPre=/usr/bin/ip -6 route replace 64:ff9b::/96 dev nat64 table ffmyk
ExecStart=/usr/bin/tayga --nodetach --config /etc/tayga.conf
Restart=always
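Review bot: `ExecStartPre=/usr/bin/tayga --mktun` is run on every (re)start, and if tayga refuses to create a `nat64` device that already exists the unit fails before `ExecStart` and `Restart=always` turns that into a restart loop; if that is tayga's behaviour on this version (to be confirmed), prefix the step so a failure is tolerated: `ExecStartPre=-/usr/bin/tayga --mktun --config /etc/tayga.conf`. The `ip addr`/`ip route` steps already use `replace`, so they are idempotent. A short comment above the block saying the routes go into table `ffmyk` on purpose, with the `iif nat64 … unreachable` rules keeping translated traffic out of the main table, would document the intent.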

@ -0,0 +1,6 @@
tun-device nat64
ipv4-addr {{ tayga_ipv4 }}
ipv6-addr 2a03:2260:1016::64
prefix 64:ff9b::/96
dynamic-pool {{ tayga_pool }}
data-dir /var/db/tayga
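Review bot: `data-dir /var/db/tayga` is where tayga persists its dynamic-pool address map, but the role does not create that directory and I cannot tell from here whether the Arch package does; if it is missing, tayga logs an error and the IPv4↔IPv6 mapping is lost on every restart, so add a `file: state=directory` task for it or verify the package ships it. `ipv6-addr 2a03:2260:1016::64` is the same on both hosts; if that is intended anycast it is worth a comment, because it is also hard-coded in the systemd override rather than coming from a variable.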

@ -0,0 +1,30 @@
---
- name: install wg_add dependencies
pacman:
name:
- git
- make
- gcc
state: present
- name: clone wg_add repo
git:
repo: https://github.com/FreifunkMYK/wg_add.git
dest: /opt/wg_add_vpn
version: vpn
- name: build wg_add
make:
chdir: /opt/wg_add_vpn
- name: install wg_add service
template:
src: wg_add_vpn.service.j2
dest: /etc/systemd/system/wg_add_vpn.service
mode: 0644
- name: start and enable wgkex service
systemd:
name: wg_add_vpn
state: started
enabled: yes
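Review bot: `clone wg_add repo` tracks the moving branch `version: vpn`, so every playbook run builds and starts as root whatever that branch currently contains; pin `version:` to a commit hash (and bump it deliberately) so a compromised or simply broken push cannot reach production unreviewed. The build and service tasks also have no `notify:`, so a new checkout is compiled but the already-running binary is kept until reboot. The last task is named `start and enable wgkex service` but manages `wg_add_vpn` — rename it to match.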

@ -0,0 +1,10 @@
[Unit]
Description=wg_add
After=network.target
[Service]
ExecStart=/opt/wg_add_vpn/wg_add {{ ansible_default_ipv4.interface }} wgmyk
Restart=always
[Install]
WantedBy=multi-user.target
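Review bot: The unit orders itself only `After=network.target`, but its `ExecStart` is given the `wgmyk` interface, which is presumably created by `wg-quick@wgmyk.service` from the same commit; at boot wg_add may start before the interface exists and rely on `Restart=always` to paper over it. Add `After=wg-quick@wgmyk.service` and `BindsTo=wg-quick@wgmyk.service` so it starts after and stops with the interface. The unit also runs as root with no sandboxing, which is likely required for netlink but is worth stating in a comment.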

@ -0,0 +1,29 @@
---
- name: install wg_prefix_provider dependencies
pacman:
name:
- git
- make
- gcc
state: present
- name: clone wg_prefix_provider repo
git:
repo: https://github.com/FreifunkMYK/wg_prefix_provider.git
dest: /opt/wg_prefix_provider
- name: build wg_prefix_provider
make:
chdir: /opt/wg_prefix_provider
- name: install wg_prefix_provider service
template:
src: wg_prefix_provider.service.j2
dest: /etc/systemd/system/wg_prefix_provider.service
mode: 0644
- name: start and enable wg_prefix_provider service
systemd:
name: wg_prefix_provider
state: started
enabled: yes
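Review bot: `clone wg_prefix_provider repo` has no `version:` at all, so each run checks out the default branch head and compiles and runs it as root; pin it to a commit hash so a change on GitHub cannot land on the supernodes without review. As with the wg_add role, add `notify:` on the build task so a new checkout actually restarts the service instead of leaving the old binary running.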

@ -0,0 +1,10 @@
[Unit]
Description=wg_prefix_provider
After=network.target
[Service]
ExecStart=/opt/wg_prefix_provider/wg_prefix_provider wgmyk 9999 {{ wireguard_vpn_client_range }}
Restart=always
[Install]
WantedBy=multi-user.target
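Review bot: The service listens on `wgmyk` port 9999 but is ordered only `After=network.target`, so at boot it may start before `wg-quick@wgmyk.service` has created the interface; add `After=wg-quick@wgmyk.service` and `BindsTo=wg-quick@wgmyk.service`. Nothing in the unit suggests it needs root — it hands out prefixes from `{{ wireguard_vpn_client_range }}` over TCP — so a `User=` line would be a cheap win unless the binary needs netlink (to be confirmed from the repo).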

@ -0,0 +1,24 @@
---
- name: create wireguard config for wgmyk
template:
src: wg.conf.j2
dest: /etc/wireguard/wgmyk.conf
mode: 0400
- name: create wireguard up scripts for wgmyk
template:
src: up.sh.j2
dest: /etc/wireguard/upmyk.sh
mode: 0744
- name: create wireguard down scripts for wgmyk
template:
src: down.sh.j2
dest: /etc/wireguard/downmyk.sh
mode: 0744
- name: start and enable wireguard mesh
systemd:
name: wg-quick@wgmyk.service
enabled: yes
state: started
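Review bot: The three template tasks have no `notify:`, so a changed `wgmyk.conf` (listen port, private key, MTU) or up/down script is written to disk but the running `wg-quick@wgmyk` keeps the old values; add `notify: restart wireguard vpn` (or a `wg syncconf` handler) to the config task. The config is correctly `0400`; adding `owner: root` and `group: root` to that task pins the ownership of the file holding the private key rather than inheriting it from however Ansible connects.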

@ -0,0 +1,6 @@
#!/bin/bash
ip -6 route del {{ wireguard_vpn_client_range }} table ffmyk dev wgmyk
ip -6 rule del iif wgmyk
ip -6 rule del from {{ wireguard_vpn_client_range }}
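Review bot: The down script removes two rules while the up script adds three, and both `ip -6 rule del` lines omit the `table`/`priority` selectors, so `ip -6 rule del iif wgmyk` deletes the first rule matching `iif wgmyk` — which may be the `priority 10` lookup or the `priority 200` unreachable rule — and the other survives across every down/up cycle, accumulating or, worse, leaving an `unreachable` rule active for the interface. Make the deletions mirror the additions exactly: `ip -6 rule del iif wgmyk table ffmyk priority 10`, `ip -6 rule del from {{ wireguard_vpn_client_range }} table ffmyk priority 10`, `ip -6 rule del from all iif wgmyk type unreachable priority 200`.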

@ -0,0 +1,9 @@
#!/bin/bash
ip -6 rule add iif wgmyk table ffmyk priority 10
ip -6 rule add from {{ wireguard_vpn_client_range }} table ffmyk priority 10
ip -6 rule add from all iif wgmyk type unreachable priority 200
ip -6 route add {{ wireguard_vpn_client_range }} table ffmyk dev wgmyk
systemctl restart named.service
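Review bot: `systemctl restart named.service` in a wg-quick PostUp means every restart of the VPN interface also restarts the resolver for all clients, and if named is down for a different reason this hook would bring it back up as a side effect. If the restart is only there so named picks up the wgmyk addresses, `rndc reconfig` rescans interfaces without dropping the cache, and the named drop-in in this commit already binds `dns_ip` on `lo` independent of wgmyk (hedged — I cannot see named's `listen-on` list beyond this page). Whichever stays, a comment above the line stating why named must be poked here would stop the next person from removing it.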

@ -0,0 +1,7 @@
[Interface]
ListenPort = {{ wireguard_vpn_port }}
PrivateKey = {{ wireguard_vpn_priv_key }}
Address = {{ wireguard_vpn_address }}/128
MTU = 1400
PostUp = /etc/wireguard/upmyk.sh
PreDown = /etc/wireguard/downmyk.sh
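Review bot: The config has no `[Peer]` sections, so peers are presumably added at runtime by `wg_add_vpn`; that contract should be written down here so nobody "fixes" it by adding peers or by setting `SaveConfig = true`, which would make wg-quick rewrite this template-managed file with the live peer list on shutdown. Suggested header comment: `# Peers are managed at runtime by wg_add_vpn — do not add [Peer] blocks or enable SaveConfig here`.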

@ -84,6 +84,7 @@ protocol static ffrl_uplink_hostroute4 {
protocol static ffrl_public_routes6 {
ipv6 { table ffrl6; };
route 2a03:2260:1016::/48 reject;
route {{ wireguard_vpn_client_range }} reject;
}
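Review bot: The new `route {{ wireguard_vpn_client_range }} reject;` is already covered by the `2a03:2260:1016::/48 reject` on the line above, so as a blackhole it changes nothing; if the intent is to announce the /52 as a more-specific prefix to FFRL, that depends on the export filter for `ffrl6`, which is outside this hunk and may drop anything longer than the /48. Either drop the line or add a comment stating that the more-specific is announced on purpose and that the export filter permits it.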
# Wir legen die Transfernetze in die interne BIRD Routing Table

@ -3,6 +3,7 @@
hosts: fastd
user: root
roles:
- configure_aurto_repo
- configure_journald
- configure_sysctl
- configure_iptables
@ -18,10 +19,14 @@
- install_bind
- install_wireguard
- install_wireguard_mesh
- install_wireguard_vpn
- install_wireguard_backbone
- install_babeld
- install_tayga
- install_wg_add
- install_fastd
- install_wg_add_vpn
- install_wg_prefix_provider
- install_respondd_poller
- install_mesh-announce
- install_monitoring
- install_iperf3
