author | Hugo Hörnquist <hugo@lysator.liu.se> | 2022-11-03 14:40:41 +0100 |
---|---|---|
committer | Hugo Hörnquist <hugo@lysator.liu.se> | 2022-11-03 16:52:45 +0100 |
commit | d62c19a2cb05a97961c73dc62691058604699f53 (patch) | |
tree | 41128ad5c3e7101a84bfac5bf148348b99c48714 | |
parent | Add backlight. (diff) | |
download | profiles-d62c19a2cb05a97961c73dc62691058604699f53.tar.gz profiles-d62c19a2cb05a97961c73dc62691058604699f53.tar.xz |
Add initial wireguard profiles.
-rw-r--r-- | manifests/wireguard.pp | 16 | ||||
-rw-r--r-- | manifests/wireguard_peer.pp | 67 | ||||
-rw-r--r-- | manifests/wireguard_server.pp | 81 |
3 files changed, 164 insertions, 0 deletions
diff --git a/manifests/wireguard.pp b/manifests/wireguard.pp
new file mode 100644
index 0000000..3baa5ec
--- /dev/null
+++ b/manifests/wireguard.pp
@@ -0,0 +1,16 @@
+# qrencode -t ansiutf8 < tunnel.conf
+class profiles::wireguard (
+ $port = 51871,
+) {
+ ensure_packages ([
+ 'wireguard-tools', # userspace utilities
+ ])
+
+ # TODO Where are these currently set in puppet?
+ # sysctl -w net.ipv4.ip_forward=1
+ # sysctl -w net.ipv6.conf.all.forwarding=1
+
+
+
+
+}
diff --git a/manifests/wireguard_peer.pp b/manifests/wireguard_peer.pp
new file mode 100644
index 0000000..0f02e39
--- /dev/null
+++ b/manifests/wireguard_peer.pp
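Review bot: `$port` is declared without a type, yet the peer and server profiles interpolate `$profiles::wireguard::port` into ListenPort, Endpoint and a firewall dport, so a non-numeric Hiera value would only surface as a broken netdev unit or iptables rule; `Integer[1, 65535] $port = 51871,` fails at catalog compile instead. The forwarding sysctls left as a TODO are only needed where packets are routed beyond the tunnel, which in this commit appears to be the server side with its MASQUERADE rule, so the note probably belongs in wireguard_server.pp rather than in the shared class; confirm against wherever sysctl is managed elsewhere in the module before moving it.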
@@ -0,0 +1,67 @@
+class profiles::wireguard_peer (
+ Sensitive[String] $private_key,
+ String $peer_key,
+) {
+ include ::profiles::wireguard
+
+
+ # ithryn $
+ # [root@ithryn hugo]# ip link add dev wg0 type wireguard
+ # [root@ithryn hugo]# ip addr add 10.0.10.2/24 dev wg0
+ # [root@ithryn hugo]# ip addr add fdc9:281f:04d7:9ee9::2/64 dev wg0
+ # [root@ithryn hugo]# wg set wg0 listen-port 51902 private-key peer_B.key
+ # [root@ithryn hugo]# wg set wg0 peer MSplIgjOqQoODOOWkkJd3x/FWuxTirTrsVwqJOJzAEQ=
+ # [root@ithryn hugo]# wg set wg0 peer MSplIgjOqQoODOOWkkJd3x/FWuxTirTrsVwqJOJzAEQ= allowed-ips 10.0.10.0/24,[THAT IPV6 ADDRESS]/64
+ # [root@ithryn hugo]# wg set wg0 peer MSplIgjOqQoODOOWkkJd3x/FWuxTirTrsVwqJOJzAEQ= endpoint gandalf.adrift.space:51781
+ # [root@ithryn hugo]# ip link set wg0 up
+ #
+
+ # ip addr add 10.0.0.45/23 dev wg0
+ # ip addr add 10.0.0.0/23 via 10.0.0.45 dev wg0
+ # [root@gandalf manifests]# iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -o br0 -j MASQUERADE
+
+ networking::networkd_instance { 'wg0':
+ type => 'netdev',
+ content => {
+ 'NetDev' => {
+ 'Name' => 'wg0',
+ 'Kind' => 'wireguard',
+ 'Description' => 'WireGuard tunnal wg0'
+ },
+ 'WireGuard' => {
+ 'ListenPort' => $profiles::wireguard::port,
+ 'PrivateKey' => $private_key,
+ },
+ 'WireGuardPeer' => {
+ 'PublicKey' => $peer_key,
+ # IP addresses which the kernel will accept sending over this
+ # interface. Set it to 0.0.0.0/0 to allow anything to traverse
+ # the tunnel
+ 'AllowedIPs' => [
+ '10.0.0.0/23', # adrift.space localnet
+ '10.0.10.2/32', # Wireguard return
+ ],
+ # TODO is IP addresses allowed here?
+ # Where the peer we want to connect to resides
+ 'Endpoint' => "gandalf.adrift.space:${profiles::wireguard::port}",
+ }
+ }
+ }
+
+ networking::networkd_instance { 'wg0-network':
+ type => 'network',
+ content => {
+ 'Match' => {
+ 'Name' => 'wg0',
+ },
+ 'Network' => {
+ 'Address' => '10.0.10.2/24',
+ },
+ 'Route' => {
+ 'Destination' => '10.0.0.0/23',
+ 'Source' => '10.0.10.2',
+ 'Gateway' => '10.0.10.1',
+ }
+ }
+ }
+}
diff --git a/manifests/wireguard_server.pp b/manifests/wireguard_server.pp
new file mode 100644
index 0000000..03c4cda
--- /dev/null
+++ b/manifests/wireguard_server.pp
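Review bot: In the WireGuardPeer section of the `wg0` netdev, AllowedIPs lists `10.0.10.2/32`, which is this host's own tunnel address (the `wg0-network` unit assigns Address 10.0.10.2/24), while the server's tunnel address 10.0.10.1, the very Gateway named in the Route section, is not allowed; cryptokey routing will therefore drop packets to or from 10.0.10.1 itself, so routed 10.0.0.0/23 traffic works but a ping to the gateway does not. That entry should read `'10.0.10.1/32', # WireGuard server tunnel address` (or `'10.0.10.0/24'` if more peers are planned). Separately, `PrivateKey` is written inline into the netdev unit; unless `networking::networkd_instance`, defined outside this commit, restricts the file mode, the key sits world-readable under /etc/systemd/network, so consider `PrivateKeyFile` pointing at a root-only 0600 file instead. `tunnal` in the Description is a typo.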
@@ -0,0 +1,81 @@
+class profiles::wireguard_server (
+ Sensitive[String] $private_key,
+ String $peer_key,
+) {
+ include ::profiles::wireguard
+
+ # gandalf $
+ # ip link add dev wg0 type wireguard
+ # ip addr add 10.0.10.1/24 dev wg0
+ # [root@gandalf profiles]# ip addr add fdc9:281f:04df:9ee9::1/64 dev wg0
+ # wg set wg0 listen-port 51871 private-key ~/peer_A.key
+ # ## wg set wg0 peer CONTENTS_OF<peer_B.pub>
+ # ip link set wg0 up
+ # wg set wg0 peer 87Erkb8rXeSd162eBEXuuKUft/frF2iqdPdrMTStNVM= \
+ # allowed-ips 10.0.10.0/24,fdc9:281f:4d7:9ee9::/64
+
+ # på B
+ # wg set wg0 peer <> endpoint gandalf.adrift.space:51871
+
+
+ networking::networkd_instance { 'wg0':
+ type => 'netdev',
+ content => {
+ 'NetDev' => {
+ 'Name' => 'wg0',
+ 'Kind' => 'wireguard',
+ 'Description' => 'Wireguard tunnel wg0',
+ },
+ 'WireGuard' => {
+ 'ListenPort' => $profiles::wireguard::port,
+ 'PrivateKey' => $private_key,
+ },
+ # TODO multiple public peers
+ 'WireGuardPeer' => {
+ 'PublicKey' => $peer_key,
+ 'AllowedIPs' => '10.0.10.2/32',
+ }
+ }
+ }
+
+ networking::networkd_instance { 'wg0-network':
+ type => 'network',
+ content => {
+ 'Match' => {
+ 'Name' => 'wg0',
+ },
+ 'Network' => {
+ 'Address' => '10.0.10.1/24',
+ }
+ }
+ }
+
+ firewall { '100 Forward wireguard to network':
+ table => 'nat',
+ chain => 'POSTROUTING',
+ jump => 'MASQUERADE',
+ outiface => 'br0',
+ #iniface => 'wg0',
+ #source => '10.0.10.0/24',
+ }
+
+ # -A FORWARD -p udp -m udp --dport 51871 --destination $(dig +short gandalf.adrift.space AAAA)
+ @@firewall { '100 Allow IPv6 traffic to wiregaurd':
+ provider => 'ip6tables',
+ proto => 'udp',
+ dport => $profiles::wireguard::port,
+ destination => $facts['ipaddress6'],
+ tag => [ 'router', ],
+ }
+
+ # -A VSERVER -p udp -m udp --dport 51871 -j DNAT --to-destination 10.0.0.40
+ @@firewall { '100 PortForward to wiregaurd server':
+ provider => 'iptables',
+ proto => 'udp',
+ chain => 'VSERVER',
+ dport => $profiles::wireguard::port,
+ goto => 'DNAT',
+ destination => $facts['ipaddress'],
+ tag => [ 'router', ],
+ }
+}
|
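Review bot: The exported `'100 PortForward to wiregaurd server'` resource cannot yield the `-j DNAT --to-destination 10.0.0.40` rule its comment describes: `goto` emits `-g`, which iptables accepts only for user-defined chains and not for the DNAT target, and there is no `todest`, so no NAT address is ever set, while `destination => $facts['ipaddress']` instead narrows the match to this server's own address, which is not what reaches the router from outside. Replace those two lines with `jump => 'DNAT',` and `todest => $facts['ipaddress'],`. The MASQUERADE rule earlier in the hunk has both `iniface` and `source` commented out, so it SNATs every forwarded packet leaving br0 rather than only tunnel traffic; restoring `source => '10.0.10.0/24',` matches the iptables command quoted in the peer profile. The IPv6 rule names neither chain nor target although its comment shows a FORWARD rule; with puppetlabs-firewall defaults I believe it lands in INPUT as a match-only rule, so set `chain => 'FORWARD'` and an explicit accept (`action` or `jump` depending on the module version) and verify on the router.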