From d62c19a2cb05a97961c73dc62691058604699f53 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?=
Date: Thu, 3 Nov 2022 14:40:41 +0100
Subject: Add initial wireguard profiles.
---
manifests/wireguard.pp | 16 +++++++++
manifests/wireguard_peer.pp | 67 +++++++++++++++++++++++++++++++++++
manifests/wireguard_server.pp | 81 +++++++++++++++++++++++++++++++++++++++++++
3 files changed, 164 insertions(+)
create mode 100644 manifests/wireguard.pp
create mode 100644 manifests/wireguard_peer.pp
create mode 100644 manifests/wireguard_server.pp
(limited to 'manifests')
diff --git a/manifests/wireguard.pp b/manifests/wireguard.pp
new file mode 100644
index 0000000..3baa5ec
--- /dev/null
+++ b/manifests/wireguard.pp
@@ -0,0 +1,16 @@
+# qrencode -t ansiutf8 < tunnel.conf
+class profiles::wireguard (
+ $port = 51871,
+) {
+ ensure_packages ([
+ 'wireguard-tools', # userspace utilities
+ ])
+
+ # TODO Where are these currently set in puppet?
+ # sysctl -w net.ipv4.ip_forward=1
+ # sysctl -w net.ipv6.conf.all.forwarding=1
+
+
+
+
+}
diff --git a/manifests/wireguard_peer.pp b/manifests/wireguard_peer.pp
new file mode 100644
index 0000000..0f02e39
--- /dev/null
+++ b/manifests/wireguard_peer.pp
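Review bot: `$port = 51871,` is untyped, so a string or out-of-range value would be interpolated unchanged into the `ListenPort` and `Endpoint` values that wireguard_peer.pp and wireguard_server.pp read from `$profiles::wireguard::port`; `Integer[1, 65535] $port = 51871,` pins it at the one place it is declared. The commented-out sysctl lines leave IPv4/IPv6 forwarding unmanaged even though the MASQUERADE rule in wireguard_server.pp only does anything when forwarding is on; if another class already sets it, a comment naming that class would replace the TODO, otherwise this is the place to manage it. The four blank lines before the closing brace are noise.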
@@ -0,0 +1,67 @@
+class profiles::wireguard_peer (
+ Sensitive[String] $private_key,
+ String $peer_key,
+) {
+ include ::profiles::wireguard
+
+
+ # ithryn $
+ # [root@ithryn hugo]# ip link add dev wg0 type wireguard
+ # [root@ithryn hugo]# ip addr add 10.0.10.2/24 dev wg0
+ # [root@ithryn hugo]# ip addr add fdc9:281f:04d7:9ee9::2/64 dev wg0
+ # [root@ithryn hugo]# wg set wg0 listen-port 51902 private-key peer_B.key
+ # [root@ithryn hugo]# wg set wg0 peer MSplIgjOqQoODOOWkkJd3x/FWuxTirTrsVwqJOJzAEQ=
+ # [root@ithryn hugo]# wg set wg0 peer MSplIgjOqQoODOOWkkJd3x/FWuxTirTrsVwqJOJzAEQ= allowed-ips 10.0.10.0/24,[THAT IPV6 ADDRESS]/64
+ # [root@ithryn hugo]# wg set wg0 peer MSplIgjOqQoODOOWkkJd3x/FWuxTirTrsVwqJOJzAEQ= endpoint gandalf.adrift.space:51781
+ # [root@ithryn hugo]# ip link set wg0 up
+ #
+
+ # ip addr add 10.0.0.45/23 dev wg0
+ # ip addr add 10.0.0.0/23 via 10.0.0.45 dev wg0
+ # [root@gandalf manifests]# iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -o br0 -j MASQUERADE
+
+ networking::networkd_instance { 'wg0':
+ type => 'netdev',
+ content => {
+ 'NetDev' => {
+ 'Name' => 'wg0',
+ 'Kind' => 'wireguard',
+ 'Description' => 'WireGuard tunnal wg0'
+ },
+ 'WireGuard' => {
+ 'ListenPort' => $profiles::wireguard::port,
+ 'PrivateKey' => $private_key,
+ },
+ 'WireGuardPeer' => {
+ 'PublicKey' => $peer_key,
+ # IP addresses which the kernel will accept sending over this
+ # interface. Set it to 0.0.0.0/0 to allow anything to traverse
+ # the tunnel
+ 'AllowedIPs' => [
+ '10.0.0.0/23', # adrift.space localnet
+ '10.0.10.2/32', # Wireguard return
+ ],
+ # TODO is IP addresses allowed here?
+ # Where the peer we want to connect to resides
+ 'Endpoint' => "gandalf.adrift.space:${profiles::wireguard::port}",
+ }
+ }
+ }
+
+ networking::networkd_instance { 'wg0-network':
+ type => 'network',
+ content => {
+ 'Match' => {
+ 'Name' => 'wg0',
+ },
+ 'Network' => {
+ 'Address' => '10.0.10.2/24',
+ },
+ 'Route' => {
+ 'Destination' => '10.0.0.0/23',
+ 'Source' => '10.0.10.2',
+ 'Gateway' => '10.0.10.1',
+ }
+ }
+ }
+}
diff --git a/manifests/wireguard_server.pp b/manifests/wireguard_server.pp
new file mode 100644
index 0000000..03c4cda
--- /dev/null
+++ b/manifests/wireguard_server.pp
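Review bot: The `'AllowedIPs'` list on the remote peer entry contains `'10.0.10.2/32'`, which is this host's own tunnel address (`'Address' => '10.0.10.2/24'` in the network unit), so packets for the server's tunnel address 10.0.10.1 — the `Gateway` of the `Route` block — match no peer and are dropped by WireGuard's cryptokey routing; it looks like the entry was copied from the server side and should be `'10.0.10.1/32'` (or `'10.0.10.0/24'`). `'PrivateKey' => $private_key` places a `Sensitive[String]` inside the content hash; whether `networking::networkd_instance` unwraps it and writes the `.netdev` file with restricted permissions is not visible here, and systemd's documentation recommends root:systemd-network with mode 0640 for netdev files that carry `PrivateKey=`, so that is worth confirming before this is used. The endpoint host and every address are hard-coded in a profile class, so this profile can only ever describe one tunnel; class parameters with these as defaults would keep the current behaviour. `'Description' => 'WireGuard tunnal wg0'` has a typo.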
@@ -0,0 +1,81 @@
+class profiles::wireguard_server (
+ Sensitive[String] $private_key,
+ String $peer_key,
+) {
+ include ::profiles::wireguard
+
+ # gandalf $
+ # ip link add dev wg0 type wireguard
+ # ip addr add 10.0.10.1/24 dev wg0
+ # [root@gandalf profiles]# ip addr add fdc9:281f:04df:9ee9::1/64 dev wg0
+ # wg set wg0 listen-port 51871 private-key ~/peer_A.key
+ # ## wg set wg0 peer CONTENTS_OF
+ # ip link set wg0 up
+ # wg set wg0 peer 87Erkb8rXeSd162eBEXuuKUft/frF2iqdPdrMTStNVM= \
+ # allowed-ips 10.0.10.0/24,fdc9:281f:4d7:9ee9::/64
+
+ # på B
+ # wg set wg0 peer <> endpoint gandalf.adrift.space:51871
+
+
+ networking::networkd_instance { 'wg0':
+ type => 'netdev',
+ content => {
+ 'NetDev' => {
+ 'Name' => 'wg0',
+ 'Kind' => 'wireguard',
+ 'Description' => 'Wireguard tunnel wg0',
+ },
+ 'WireGuard' => {
+ 'ListenPort' => $profiles::wireguard::port,
+ 'PrivateKey' => $private_key,
+ },
+ # TODO multiple public peers
+ 'WireGuardPeer' => {
+ 'PublicKey' => $peer_key,
+ 'AllowedIPs' => '10.0.10.2/32',
+ }
+ }
+ }
+
+ networking::networkd_instance { 'wg0-network':
+ type => 'network',
+ content => {
+ 'Match' => {
+ 'Name' => 'wg0',
+ },
+ 'Network' => {
+ 'Address' => '10.0.10.1/24',
+ }
+ }
+ }
+
+ firewall { '100 Forward wireguard to network':
+ table => 'nat',
+ chain => 'POSTROUTING',
+ jump => 'MASQUERADE',
+ outiface => 'br0',
+ #iniface => 'wg0',
+ #source => '10.0.10.0/24',
+ }
+
+ # -A FORWARD -p udp -m udp --dport 51871 --destination $(dig +short gandalf.adrift.space AAAA)
+ @@firewall { '100 Allow IPv6 traffic to wiregaurd':
+ provider => 'ip6tables',
+ proto => 'udp',
+ dport => $profiles::wireguard::port,
+ destination => $facts['ipaddress6'],
+ tag => [ 'router', ],
+ }
+
+ # -A VSERVER -p udp -m udp --dport 51871 -j DNAT --to-destination 10.0.0.40
+ @@firewall { '100 PortForward to wiregaurd server':
+ provider => 'iptables',
+ proto => 'udp',
+ chain => 'VSERVER',
+ dport => $profiles::wireguard::port,
+ goto => 'DNAT',
+ destination => $facts['ipaddress'],
+ tag => [ 'router', ],
+ }
+}
-- cgit v1.2.3
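Review bot: The exported `'100 PortForward to wiregaurd server'` resource uses `goto => 'DNAT'`, which renders as `-g DNAT` (a goto to a user chain named DNAT) rather than the `-j DNAT --to-destination` written in the comment above it, and no `todest` is given, so the collected rule will not do the port forward; the intended shape is `jump => 'DNAT',` with `todest => $facts['ipaddress'],`, while `destination` as a match should then be the address clients connect to on the router (not known from this file), not this host's own address. The `'100 Allow IPv6 traffic to wiregaurd'` resource has neither a `chain` nor an accept target, so it lands in INPUT as a counting-only rule; following its comment it wants `chain => 'FORWARD'` and `jump => 'accept'` (or `action => 'accept'` on older releases of the firewall module). The `'100 Forward wireguard to network'` MASQUERADE rule rewrites every packet leaving br0 because `iniface`/`source` are commented out; restoring `source => '10.0.10.0/24'` limits the NAT to tunnel traffic. `$facts['ipaddress']` and `$facts['ipaddress6']` are legacy facts; `$facts['networking']['ip']` and `$facts['networking']['ip6']` are the structured equivalents.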