Configure WireGuard™ subnets on Gate and Front.
authorMatt Birkholz <matt@birchwood-abbey.net>
Wed, 11 Jun 2025 19:27:04 +0000 (13:27 -0600)
committerMatt Birkholz <matt@birchwood-abbey.net>
Wed, 11 Jun 2025 19:27:04 +0000 (13:27 -0600)
And a peer, Core, on Front's wg0.

This is a little awkward while OpenVPN is "in the way".

12 files changed:
README.org
Secret/core-wg0.conf [new file with mode: 0644]
Secret/front-wg0.conf [new file with mode: 0644]
Secret/gate-wg0.conf [new file with mode: 0644]
private/core-dhcpd.conf
private/vars.yml
roles_t/core/handlers/main.yml
roles_t/core/tasks/main.yml
roles_t/front/handlers/main.yml
roles_t/front/tasks/main.yml
roles_t/gate/handlers/main.yml
roles_t/gate/tasks/main.yml

index 3c14eb83a9d4c2bf484906734b15107cc70f327c..a15018b03b11b37e280a73b4f90e6b870413005b 100644 (file)
@@ -814,7 +814,9 @@ configuration using mostly-default VirtualBoxes (described [[*Testing][here]]).
 private_net_cidr:           192.168.56.0/24
 wild_net_cidr:              192.168.57.0/24
 public_vpn_net_cidr:        10.177.86.0/24
+public_wg_net_cidr:         10.177.87.0/24
 campus_vpn_net_cidr:        10.84.138.0/24
+campus_wg_net_cidr:         10.84.139.0/24
 #+END_SRC
 
 The network addresses are needed in several additional formats, e.g.
@@ -830,24 +832,36 @@ private_net:
 private_net_mask:
            "{{ private_net_cidr | ansible.utils.ipaddr('netmask') }}"
 private_net_and_mask:      "{{ private_net }} {{ private_net_mask }}"
+wild_net:     "{{ wild_net_cidr | ansible.utils.ipaddr('network') }}"
+wild_net_mask:
+              "{{ wild_net_cidr | ansible.utils.ipaddr('netmask') }}"
+wild_net_and_mask:               "{{ wild_net }} {{ wild_net_mask }}"
+wild_net_broadcast:
+            "{{ wild_net_cidr | ansible.utils.ipaddr('broadcast') }}"
 public_vpn_net:
         "{{ public_vpn_net_cidr | ansible.utils.ipaddr('network') }}"
 public_vpn_net_mask:
         "{{ public_vpn_net_cidr | ansible.utils.ipaddr('netmask') }}"
 public_vpn_net_and_mask:
                      "{{ public_vpn_net }} {{ public_vpn_net_mask }}"
+public_wg_net:
+         "{{ public_wg_net_cidr | ansible.utils.ipaddr('network') }}"
+public_wg_net_mask:
+         "{{ public_wg_net_cidr | ansible.utils.ipaddr('netmask') }}"
+public_wg_net_and_mask:
+                       "{{ public_wg_net }} {{ public_wg_net_mask }}"
 campus_vpn_net:
         "{{ campus_vpn_net_cidr | ansible.utils.ipaddr('network') }}"
 campus_vpn_net_mask:
         "{{ campus_vpn_net_cidr | ansible.utils.ipaddr('netmask') }}"
 campus_vpn_net_and_mask:
                      "{{ campus_vpn_net }} {{ campus_vpn_net_mask }}"
-wild_net:     "{{ wild_net_cidr | ansible.utils.ipaddr('network') }}"
-wild_net_mask:
-              "{{ wild_net_cidr | ansible.utils.ipaddr('netmask') }}"
-wild_net_and_mask:               "{{ wild_net }} {{ wild_net_mask }}"
-wild_net_broadcast:
-            "{{ wild_net_cidr | ansible.utils.ipaddr('broadcast') }}"
+campus_wg_net:
+         "{{ campus_wg_net_cidr | ansible.utils.ipaddr('network') }}"
+campus_wg_net_mask:
+         "{{ campus_wg_net_cidr | ansible.utils.ipaddr('netmask') }}"
+campus_wg_net_and_mask:
+    "{{ campus_wg_net }} {{ campus_wg_net_mask }}"
 #+END_SRC
 
 The institute prefers to configure its services with IP addresses
@@ -885,6 +899,20 @@ gate_wild_addr_cidr:
 wifi_wan_addr_cidr: "{{ wild_net_cidr | ansible.utils.ipaddr('2') }}"
 front_vpn_addr_cidr:
               "{{ public_vpn_net_cidr | ansible.utils.ipaddr('1') }}"
+front_wg_port: 39608
+front_wg_addr_cidr:
+               "{{ public_wg_net_cidr | ansible.utils.ipaddr('1') }}"
+core_wg_addr_cidr:
+               "{{ public_wg_net_cidr | ansible.utils.ipaddr('2') }}"
+wg_client_front_addr_cidr:
+               "{{ public_wg_net_cidr | ansible.utils.ipaddr('3') }}"
+campus_wg_port: 51820
+campus_wg_addr_cidr:
+               "{{ campus_wg_net_cidr | ansible.utils.ipaddr('1') }}"
+wg_appl_addr_cidr:
+               "{{ campus_wg_net_cidr | ansible.utils.ipaddr('2') }}"
+wg_client_gate_addr_cidr:
+               "{{ campus_wg_net_cidr | ansible.utils.ipaddr('3') }}"
 
 core_addr:   "{{ core_addr_cidr | ansible.utils.ipaddr('address') }}"
 gate_addr:   "{{ gate_addr_cidr | ansible.utils.ipaddr('address') }}"
@@ -894,6 +922,18 @@ wifi_wan_addr:
          "{{ wifi_wan_addr_cidr | ansible.utils.ipaddr('address') }}"
 front_vpn_addr:
         "{{ front_vpn_addr_cidr | ansible.utils.ipaddr('address') }}"
+front_wg_addr:
+         "{{ front_wg_addr_cidr | ansible.utils.ipaddr('address') }}"
+core_wg_addr:
+          "{{ core_wg_addr_cidr | ansible.utils.ipaddr('address') }}"
+wg_client_front_addr:
+  "{{ wg_client_front_addr_cidr | ansible.utils.ipaddr('address') }}"
+gate_wg_addr:
+        "{{ campus_wg_addr_cidr | ansible.utils.ipaddr('address') }}"
+wg_appl_addr:
+          "{{ wg_appl_addr_cidr | ansible.utils.ipaddr('address') }}"
+wg_client_gate_addr:
+   "{{ wg_client_gate_addr_cidr | ansible.utils.ipaddr('address') }}"
 #+END_SRC
 
 
@@ -1071,7 +1111,7 @@ modem and installed them as shown below.
 : $ sudo apt install netplan.io systemd-resolved unattended-upgrades \
 : _                  ntp isc-dhcp-server bind9 apache2 openvpn \
 : _                  postfix dovecot-imapd fetchmail expect rsync \
-: _                  gnupg openssh-server
+: _                  gnupg openssh-server wireguard
 
 The Nextcloud configuration requires Apache2, MariaDB and a number of
 PHP modules.  Installing them while Core was on a cable modem sped up
@@ -1224,7 +1264,7 @@ cable modem and installed them as shown below.
 
 : $ sudo apt install netplan.io systemd-resolved unattended-upgrades \
 : _                  ufw isc-dhcp-server postfix openvpn \
-: _                  openssh-server
+: _                  openssh-server wireguard
 
 Next, the administrator concatenated a personal public ssh key and the
 key found in [[file:Secret/ssh_admin/][=Secret/ssh_admin/=]] (created by [[*The CA Command][The CA Command]]) into an
@@ -1654,6 +1694,7 @@ relays messages from the campus.
 - p: mynetworks
   v: >-
      {{ public_vpn_net_cidr }}
+     {{ public_wg_net_cidr }}
      127.0.0.0/8
      [::ffff:127.0.0.0]/104
      [::1]/128
@@ -2280,6 +2321,96 @@ configure the OpenVPN server on Front.
     state: restarted
 #+END_SRC
 
+** Configure Public WireGuard™
+
+Front uses WireGuard™ to provide a public VPN service.  Core has an
+interface on this VPN (address: ~core_wg_addr~) and is expected to
+forward packets between it and the institute's other private networks.
+
+The following example [[file:Secret/front-wg0.conf][=Secret/front-wg0.conf=]] configuration recognizes
+Core by its public key, ~lGhC51~, and routes the institute's private
+networks to it.  It also recognizes a member client, Dick's Notebook,
+by its public key ~4qd4xd...~ assigning it host number 4 on the VPN.
+
+#+CAPTION: [[file:Secret/front-wg0.conf][=Secret/front-wg0.conf=]]
+#+BEGIN_SRC conf :tangle Secret/front-wg0.conf
+[Interface]
+Address = 10.177.87.1/24
+PrivateKey = AJkzVxfTm/KvRjzTN/9X2jYy+CAugiwZfN5F3JTegms=
+ListenPort = 39608
+PostUp = resolvectl dns wg0 192.168.56.1
+PostUp = resolvectl domain wg0 small.private
+
+# Core
+[Peer]
+PublicKey = lGhC51IBgZtlq4H2bsYFuKvPtV0VAEwUvVIn5fW7D0c=
+AllowedIPs = 10.177.87.2
+# AllowedIPs = 192.168.56.0/24  OpenVPN has this route.
+AllowedIPs = 10.84.138.0/24, 10.84.139.0/24
+
+# dicks-note
+[Peer]
+PublicKey = 4qd4xdRztZBKhFrX9jI/b4fnMzpKQ5qhg691hwYSsX8=
+AllowedIPs = 10.177.87.4
+#+END_SRC
+
+The configuration used on Dick's notebook when it is abroad looks like
+this:
+
+#+CAPTION: WireGuard™ tunnel on Dick's notebook, used abroad
+#+BEGIN_SRC conf
+[Interface]
+Address = 10.177.87.3
+PrivateKey = WAhrlGccPf/BaFS5bRtBE4hEyt3kDxCavmwZfVTsfGs=
+PostUp = resolvectl dns wg0 192.168.56.1
+PostUp = resolvectl domain wg0 small.private
+
+# Front
+[Peer]
+PublicKey = S+6HaTnOwwhWgUGXjSBcPAvifKw+j8BDTRfq534gNW4=
+AllowedIPs = 10.177.87.1
+AllowedIPs = 10.177.87.0/24
+AllowedIPs = 192.168.56.0/24
+AllowedIPs = 10.84.138.0/24, 10.84.139.0/24
+AllowedIPs = 10.177.86.0/24
+#+END_SRC
+
+The following tasks install WireGuard™, configure it with
+=Secret/front-wg0.conf=, and enable the service.
+
+#+CAPTION: [[file:roles_t/front/tasks/main.yml][=roles_t/front/tasks/main.yml=]]
+#+BEGIN_SRC conf :tangle roles_t/front/tasks/main.yml
+
+- name: Install WireGuard™.
+  become: yes
+  apt: pkg=wireguard
+
+- name: Configure WireGuard™.
+  become: yes
+  copy:
+    src: ../Secret/front-wg0.conf
+    dest: /etc/wireguard/wg0.conf
+    mode: u=r,g=,o=
+    owner: root
+    group: root
+  notify: Reload WireGuard™.
+
+- name: Enable/Start WireGuard™ on boot.
+  become: yes
+  systemd:
+    service: wg-quick@wg0
+    enabled: yes
+    state: started
+#+END_SRC
+
+#+CAPTION: [[file:roles_t/front/handlers/main.yml][=roles_t/front/handlers/main.yml=]]
+#+BEGIN_SRC conf :tangle roles_t/front/handlers/main.yml
+
+- name: Reload WireGuard™.
+  become: yes
+  command: wg setconf wg0
+#+END_SRC
+
 ** Configure Kamailio
 
 Front uses Kamailio to provide a SIP service on the public VPN so that
@@ -2301,6 +2432,7 @@ specifies the actual IP, known here as ~front_vpn_addr~.
 #+CAPTION: ~kamailio~
 #+BEGIN_SRC conf
 listen=udp:{{ front_vpn_addr }}:5060
+listen=udp:{{ front_wg_addr }}:5060
 #+END_SRC
 
 The Ansible tasks that install and configure Kamailio follow, but
@@ -2573,7 +2705,9 @@ subnet 192.168.56.0 netmask 255.255.255.0 {
   option broadcast-address 192.168.56.255;
   option routers 192.168.56.2;
   option ntp-servers 192.168.56.1;
-  option rfc3442-routes 24, 10,177,86, 192,168,56,1, 0, 192,168,56,2;
+  option rfc3442-routes 24, 10,177,86, 192,168,56,1,
+                        24, 10,177,87, 192,168,56,1,
+                        0,             192,168,56,2;
 }
 
 host core {
@@ -2696,7 +2830,9 @@ acl "trusted" {
        {{ private_net_cidr }};
        {{ wild_net_cidr }};
        {{ public_vpn_net_cidr }};
+       {{ public_wg_net_cidr }};
        {{ campus_vpn_net_cidr }};
+       {{ campus_wg_net_cidr }};
        localhost;
 };
 
@@ -3043,7 +3179,9 @@ Core relays messages from any institute network.
   v: >-
      {{ private_net_cidr }}
      {{ public_vpn_net_cidr }}
+     {{ public_wg_net_cidr }}
      {{ campus_vpn_net_cidr }}
+     {{ campus_wg_net_cidr }}
      127.0.0.0/8
      [::ffff:127.0.0.0]/104
      [::1]/128
@@ -3725,6 +3863,67 @@ for Core.
     state: restarted
 #+END_SRC
 
+** Configure Core WireGuard™ Interface
+
+Core connects to Front's WireGuard™ service to provide members abroad
+with a route to the campus networks.  As described in [[*Configure Public WireGuard™][Configure
+Public WireGuard™]] for Front, Core is expected to forward packets from/to the
+private networks.
+
+The following example [[file:Secret/gate-wg0.conf][=Secret/gate-wg0.conf=]] configuration recognizes
+Front by its public key, ~S+6HaT~, looking for it at the institute's
+public IP address and a special port.
+
+#+CAPTION: [[file:Secret/core-wg0.conf][=Secret/core-wg0.conf=]]
+#+BEGIN_SRC conf :tangle Secret/core-wg0.conf
+[Interface]
+Address = 10.177.87.2
+PrivateKey = AI+KhwnsHzSPqyIyAObx7EBBTBXFZPiXb2/Qcts8zEI=
+
+# Front
+[Peer]
+EndPoint = 192.168.15.5:39608
+PublicKey = S+6HaTnOwwhWgUGXjSBcPAvifKw+j8BDTRfq534gNW4=
+AllowedIPs = 10.177.87.1
+AllowedIPs = 10.177.87.0/24
+#+END_SRC
+
+The following tasks install WireGuard™, configure it with
+=Secret/core-wg0.conf=, and enable the service.
+
+#+CAPTION: [[file:roles_t/core/tasks/main.yml][=roles_t/core/tasks/main.yml=]]
+#+BEGIN_SRC conf :tangle roles_t/core/tasks/main.yml
+
+- name: Install WireGuard™.
+  become: yes
+  apt: pkg=wireguard
+
+- name: Configure WireGuard™.
+  become: yes
+  copy:
+    src: ../Secret/core-wg0.conf
+    dest: /etc/wireguard/wg0.conf
+    mode: u=r,g=,o=
+    owner: root
+    group: root
+  notify: Reload WireGuard™.
+
+- name: Enable/Start WireGuard™ on boot.
+  become: yes
+  systemd:
+    service: wg-quick@wg0
+    enabled: yes
+    state: started
+#+END_SRC
+
+#+CAPTION: [[file:roles_t/core/handlers/main.yml][=roles_t/core/handlers/main.yml=]]
+#+BEGIN_SRC conf :tangle roles_t/core/handlers/main.yml
+
+- name: Reload WireGuard™.
+  become: yes
+  command: wg setconf wg0
+#+END_SRC
+
 ** Configure NAGIOS
 
 Core runs a ~nagios4~ server to monitor "services" on institute hosts.
@@ -4864,16 +5063,19 @@ If "the standard ~iptables-restore~ syntax" as it is described in the
 know!
 
 Forwarding rules are also needed to route packets from the campus VPN
-(the ~ovpn~ tunnel device) to the institute's LAN and back.  The
-public VPN on Front will also be included since its packets arrive at
-Gate's ~lan~ interface, coming from Core.  Thus forwarding between
-public and campus VPNs is also allowed.
+(the ~ovpn~ tunnel device) or WireGuard™ subnet (the ~wg0~ tunnel
+device) to the institute's LAN and back.  The public VPN on Front will
+also be included since its packets arrive at Gate's ~lan~ interface,
+coming from Core.  Thus forwarding between public and campus VPNs is
+also allowed.
 
 #+NAME: ufw-forward-private
 #+CAPTION: ~ufw-forward-private~
 #+BEGIN_SRC conf
 -A FORWARD -i lan  -o ovpn -j ACCEPT
 -A FORWARD -i ovpn -o lan  -j ACCEPT
+-A FORWARD -i lan  -o wg0  -j ACCEPT
+-A FORWARD -i wg0  -o lan  -j ACCEPT
 #+END_SRC
 
 Note that there are no forwarding rules to allow packets to pass from
@@ -5174,6 +5376,116 @@ configure the OpenVPN server on Gate.
     state: restarted
 #+END_SRC
 
+** Configure Campus WireGuard™
+
+Gate uses WireGuard™ to provide a campus VPN service.  Gate's routes
+and firewall rules allow packets to be forwarded to/from the
+institute's private networks: the private Ethernet and the public VPN.
+(It should /not/ forward packets to/from the wild Ethernet.)  The only
+additional route Gate needs is to the public VPN via Core.  The rest
+(private Ethernet and campus VPN) are directly connected.
+
+The following example [[file:Secret/gate-wg0.conf][=Secret/gate-wg0.conf=]] configuration recognizes
+a wired IoT appliance (public key ~LdsCsg~) and a member client,
+Dick's Notebook (public key ~4qd4xd~), assigning them the host numbers
+3 and 4 respectively.  (Dick's Notebook's host number is /not
+coincidentally/ 4 here as well as on Front's WireGuard™ subnet.)
+
+#+CAPTION: [[file:Secret/gate-wg0.conf][=Secret/gate-wg0.conf=]]
+#+BEGIN_SRC conf :tangle Secret/gate-wg0.conf
+[Interface]
+Address = 10.84.139.1/24
+PrivateKey = yOBdLbXh6KBwYQvvb5mhiku8Fxkqc5Cdyz6gNgjc/2U=
+ListenPort = 51820
+
+# IoT appliance
+[Peer]
+PublicKey = LdsCsgfjKCfd5+VKS+Q/dQhWO8NRNygByDO2VxbXlSQ=
+AllowedIPs = 10.84.139.3
+
+# dicks-note
+[Peer]
+PublicKey = 4qd4xdRztZBKhFrX9jI/b4fnMzpKQ5qhg691hwYSsX8=
+AllowedIPs = 10.84.139.4
+#+END_SRC
+
+The configuration used on the IoT appliance looks like this:
+
+#+CAPTION: WireGuard™ tunnel on an IoT appliance
+#+BEGIN_SRC conf
+[Interface]
+Address = 10.84.139.2
+PrivateKey = KIwQT5eGOl9w1qOa5I+2xx5kJH3z4xdpmirS/eGdsXY=
+
+# Gate
+[Peer]
+PublicKey = y3cjFnvQbylmH4lGTujpqc8rusIElmJ4Gu9hh6iR7QI=
+AllowedIPs = 10.84.139.1
+AllowedIPs = 10.84.139.0/24
+AllowedIPs = 192.168.56.0/24
+AllowedIPs = 10.177.86.0/24
+AllowedIPs = 10.177.87.0/24
+AllowedIPs = 10.84.138.0/24
+#+END_SRC
+
+And the configuration used on Dick's notebook when it is on campus
+looks like this:
+
+#+CAPTION: WireGuard™ tunnel on Dick's notebook, used on campus
+#+BEGIN_SRC conf
+[Interface]
+Address = 10.84.139.3
+PrivateKey = WAhrlGccPf/BaFS5bRtBE4hEyt3kDxCavmwZfVTsfGs=
+PostUp = resolvectl dns wg0 192.168.56.1
+PostUp = resolvectl domain wg0 small.private
+
+# Gate
+[Peer]
+PublicKey = y3cjFnvQbylmH4lGTujpqc8rusIElmJ4Gu9hh6iR7QI=
+AllowedIPs = 10.84.139.1
+AllowedIPs = 10.84.139.0/24
+AllowedIPs = 192.168.56.0/24
+AllowedIPs = 10.177.86.0/24
+AllowedIPs = 10.177.87.0/24
+AllowedIPs = 10.84.138.0/24
+#+END_SRC
+
+The following tasks install WireGuard™, configure it with
+=Secret/gate-wg0.conf=, and enable the service.
+
+#+CAPTION: [[file:roles_t/gate/tasks/main.yml][=roles_t/gate/tasks/main.yml=]]
+#+BEGIN_SRC conf :tangle roles_t/gate/tasks/main.yml
+
+- name: Install WireGuard™.
+  become: yes
+  apt: pkg=wireguard
+
+- name: Configure WireGuard™.
+  become: yes
+  copy:
+    src: ../Secret/gate-wg0.conf
+    dest: /etc/wireguard/wg0.conf
+    mode: u=r,g=,o=
+    owner: root
+    group: root
+  notify: Reload WireGuard™.
+
+- name: Enable/Start WireGuard™ on boot.
+  become: yes
+  systemd:
+    service: wg-quick@wg0
+    enabled: yes
+    state: started
+#+END_SRC
+
+#+CAPTION: [[file:roles_t/gate/handlers/main.yml][=roles_t/gate/handlers/main.yml=]]
+#+BEGIN_SRC conf :tangle roles_t/gate/handlers/main.yml
+
+- name: Reload WireGuard™.
+  become: yes
+  command: wg setconf wg0
+#+END_SRC
+
 
 * The Campus Role
 
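Review bot: The `Reload WireGuard™.` handler, `command: wg setconf wg0`, lacks the configuration-file argument that `wg setconf <interface> <file>` requires, so it exits with a usage error whenever the `Configure WireGuard™.` copy task reports a change; the same handler is added in roles_t/core/handlers/main.yml, roles_t/front/handlers/main.yml and roles_t/gate/handlers/main.yml. Even with the file named, `wg setconf` rejects the wg-quick-only keys these files use (`Address`, `PostUp`, `PostDown`), so it cannot reload an interface that `wg-quick@wg0` manages. The fix that matches the neighbouring OpenVPN handlers replaces the `command:` line with `systemd:` / `service: wg-quick@wg0` / `state: restarted`; `wg syncconf wg0 <(wg-quick strip wg0)` would reload without dropping the tunnel but needs a `shell:` task. The three `#+BEGIN_SRC conf :tangle Secret/*-wg0.conf` blocks also no longer match the committed files — the committed files carry iptables `PostUp`/`PostDown` lines these blocks lack, and the committed Front file uncomments `AllowedIPs = 192.168.56.0/24` — so the next tangle will silently revert them. The paragraph introducing Core's configuration links `Secret/gate-wg0.conf` where `Secret/core-wg0.conf` is meant.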
diff --git a/Secret/core-wg0.conf b/Secret/core-wg0.conf
new file mode 100644 (file)
index 0000000..0b2a980
--- /dev/null
@@ -0,0 +1,14 @@
+[Interface]
+Address = 10.177.87.2
+PrivateKey = AI+KhwnsHzSPqyIyAObx7EBBTBXFZPiXb2/Qcts8zEI=
+PostUp   = iptables -A FORWARD -i %i -j ACCEPT
+PostUp   = iptables -A FORWARD -o %i -j ACCEPT
+PostDown = iptables -D FORWARD -i %i -j ACCEPT
+PostDown = iptables -D FORWARD -o %i -j ACCEPT
+
+# Front
+[Peer]
+PublicKey = S+6HaTnOwwhWgUGXjSBcPAvifKw+j8BDTRfq534gNW4=
+AllowedIPs = 10.177.87.1
+AllowedIPs = 10.177.87.0/24
+EndPoint = 192.168.15.5:39608
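Review bot: `PostUp = iptables -A FORWARD -i %i -j ACCEPT` and its `-o %i` twin accept every forwarded packet entering or leaving the tunnel with no restriction on the other interface or the destination, which is wider than the forwarding between the tunnel and the institute's private networks that the README describes; the same four lines are in Secret/front-wg0.conf and Secret/gate-wg0.conf, and on Gate they appear to cover far more than the `lan`/`wg0`-only ufw rules this commit adds. Restricting each direction to the interface pair actually needed — on Core and Gate the mirror of the ufw pair, `PostUp = iptables -A FORWARD -i %i -o <LAN_IFACE> -j ACCEPT` and `PostUp = iptables -A FORWARD -i <LAN_IFACE> -o %i -j ACCEPT` with matching `PostDown` lines, where `<LAN_IFACE>` is a placeholder for the private-Ethernet interface — keeps the firewall policy as narrow as the README states (Front's member-to-Core traffic looks like it stays on `wg0`, so its pair differs; worth confirming). `EndPoint` is spelled `Endpoint` in wg(8); wg seems to match keys case-insensitively, but the canonical spelling avoids depending on that. These iptables lines are also absent from the README block that tangles this file, so a re-tangle drops them.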
diff --git a/Secret/front-wg0.conf b/Secret/front-wg0.conf
new file mode 100644 (file)
index 0000000..f73fdd6
--- /dev/null
@@ -0,0 +1,21 @@
+[Interface]
+Address = 10.177.87.1/24
+PrivateKey = AJkzVxfTm/KvRjzTN/9X2jYy+CAugiwZfN5F3JTegms=
+ListenPort = 39608
+PostUp   = iptables -A FORWARD -i %i -j ACCEPT
+PostUp   = iptables -A FORWARD -o %i -j ACCEPT
+PostDown = iptables -D FORWARD -i %i -j ACCEPT
+PostDown = iptables -D FORWARD -o %i -j ACCEPT
+
+# Core
+[Peer]
+PublicKey = lGhC51IBgZtlq4H2bsYFuKvPtV0VAEwUvVIn5fW7D0c=
+AllowedIPs = 10.177.87.2
+AllowedIPs = 10.177.87.0/24
+AllowedIPs = 192.168.56.0/24
+AllowedIPs = 10.84.138.0/24, 10.84.139.0/24
+
+# dicks-note
+[Peer]
+PublicKey = 4qd4xdRztZBKhFrX9jI/b4fnMzpKQ5qhg691hwYSsX8=
+AllowedIPs = 10.177.87.4
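Review bot: The `dicks-note` peer is given `AllowedIPs = 10.177.87.4`, but the notebook's own configuration in the README uses `Address = 10.177.87.3` and vars.yml defines `wg_client_front_addr_cidr` as host 3 of the subnet; WireGuard discards inbound packets whose source is outside the sending peer's AllowedIPs, so the notebook's traffic would be dropped by Front. Either this line becomes `AllowedIPs = 10.177.87.3` or the client and vars move to host 4 — the README prose says 4, so the intended number needs confirming. The Core peer's `AllowedIPs = 192.168.56.0/24` is commented out in the README block that tangles this file, with the note that OpenVPN already provides that route; enabling it here has wg-quick add a second route to 192.168.56.0/24 on Front, and which one is used comes down to route precedence. `AllowedIPs = 10.177.87.2` is already covered by the `10.177.87.0/24` line that follows it (harmless, but redundant, and the client examples repeat the pattern).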
diff --git a/Secret/gate-wg0.conf b/Secret/gate-wg0.conf
new file mode 100644 (file)
index 0000000..41f6f70
--- /dev/null
@@ -0,0 +1,18 @@
+[Interface]
+Address = 10.84.139.1/24
+PrivateKey = yOBdLbXh6KBwYQvvb5mhiku8Fxkqc5Cdyz6gNgjc/2U=
+ListenPort = 51820
+PostUp   = iptables -A FORWARD -i %i -j ACCEPT
+PostUp   = iptables -A FORWARD -o %i -j ACCEPT
+PostDown = iptables -D FORWARD -i %i -j ACCEPT
+PostDown = iptables -D FORWARD -o %i -j ACCEPT
+
+# IoT appliance
+[Peer]
+PublicKey = LdsCsgfjKCfd5+VKS+Q/dQhWO8NRNygByDO2VxbXlSQ=
+AllowedIPs = 10.84.139.3
+
+# dicks-note
+[Peer]
+PublicKey = 4qd4xdRztZBKhFrX9jI/b4fnMzpKQ5qhg691hwYSsX8=
+AllowedIPs = 10.84.139.4
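Review bot: Both peers' AllowedIPs (`10.84.139.3` for the IoT appliance, `10.84.139.4` for `dicks-note`) are one host off from the addresses the clients are configured with — the appliance example in the README uses `Address = 10.84.139.2` and the notebook `Address = 10.84.139.3` — and from vars.yml, where `wg_appl_addr_cidr` is host 2 and `wg_client_gate_addr_cidr` is host 3. As written, Gate drops the appliance's packets (source .2 is in no peer's AllowedIPs) and the notebook's too (source .3 is not in the notebook peer's AllowedIPs). The lines should read `AllowedIPs = 10.84.139.2` and `AllowedIPs = 10.84.139.3`, or the clients and vars should move to 3 and 4 as the README prose states. Separately, `PostUp = iptables -A FORWARD -i %i -j ACCEPT` has no `-o` restriction, so it appears to permit forwarding from `wg0` toward the wild Ethernet and the ISP side as well, which the README says Gate must not do and which the narrower `-A FORWARD -i lan -o wg0` / `-i wg0 -o lan` ufw rules in this commit were written to enforce; mirroring those two rules here, or dropping the `PostUp`/`PostDown` lines in favour of the ufw rules, keeps the policy in one place.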
index 6ff58eb5c92467afdb33e6883c2a3cdb1016c596..72601a8182677ca265be7701f6e84d5aa9ef073d 100644 (file)
@@ -17,7 +17,9 @@ subnet 192.168.56.0 netmask 255.255.255.0 {
   option broadcast-address 192.168.56.255;
   option routers 192.168.56.2;
   option ntp-servers 192.168.56.1;
-  option rfc3442-routes 24, 10,177,86, 192,168,56,1, 0, 192,168,56,2;
+  option rfc3442-routes 24, 10,177,86, 192,168,56,1,
+                        24, 10,177,87, 192,168,56,1,
+                        0,             192,168,56,2;
 }
 
 host core {
index 41a070bb9bac36522c17066fd1a476c001afd134..d8e7e7232077bf7d75d0770cb19c3049d0c866a6 100644 (file)
@@ -4,31 +4,45 @@ domain_priv: small.private
 private_net_cidr:           192.168.56.0/24
 wild_net_cidr:              192.168.57.0/24
 public_vpn_net_cidr:        10.177.86.0/24
+public_wg_net_cidr:         10.177.87.0/24
 campus_vpn_net_cidr:        10.84.138.0/24
+campus_wg_net_cidr:         10.84.139.0/24
 
 private_net:
            "{{ private_net_cidr | ansible.utils.ipaddr('network') }}"
 private_net_mask:
            "{{ private_net_cidr | ansible.utils.ipaddr('netmask') }}"
 private_net_and_mask:      "{{ private_net }} {{ private_net_mask }}"
+wild_net:     "{{ wild_net_cidr | ansible.utils.ipaddr('network') }}"
+wild_net_mask:
+              "{{ wild_net_cidr | ansible.utils.ipaddr('netmask') }}"
+wild_net_and_mask:               "{{ wild_net }} {{ wild_net_mask }}"
+wild_net_broadcast:
+            "{{ wild_net_cidr | ansible.utils.ipaddr('broadcast') }}"
 public_vpn_net:
         "{{ public_vpn_net_cidr | ansible.utils.ipaddr('network') }}"
 public_vpn_net_mask:
         "{{ public_vpn_net_cidr | ansible.utils.ipaddr('netmask') }}"
 public_vpn_net_and_mask:
                      "{{ public_vpn_net }} {{ public_vpn_net_mask }}"
+public_wg_net:
+         "{{ public_wg_net_cidr | ansible.utils.ipaddr('network') }}"
+public_wg_net_mask:
+         "{{ public_wg_net_cidr | ansible.utils.ipaddr('netmask') }}"
+public_wg_net_and_mask:
+                       "{{ public_wg_net }} {{ public_wg_net_mask }}"
 campus_vpn_net:
         "{{ campus_vpn_net_cidr | ansible.utils.ipaddr('network') }}"
 campus_vpn_net_mask:
         "{{ campus_vpn_net_cidr | ansible.utils.ipaddr('netmask') }}"
 campus_vpn_net_and_mask:
                      "{{ campus_vpn_net }} {{ campus_vpn_net_mask }}"
-wild_net:     "{{ wild_net_cidr | ansible.utils.ipaddr('network') }}"
-wild_net_mask:
-              "{{ wild_net_cidr | ansible.utils.ipaddr('netmask') }}"
-wild_net_and_mask:               "{{ wild_net }} {{ wild_net_mask }}"
-wild_net_broadcast:
-            "{{ wild_net_cidr | ansible.utils.ipaddr('broadcast') }}"
+campus_wg_net:
+         "{{ campus_wg_net_cidr | ansible.utils.ipaddr('network') }}"
+campus_wg_net_mask:
+         "{{ campus_wg_net_cidr | ansible.utils.ipaddr('netmask') }}"
+campus_wg_net_and_mask:
+    "{{ campus_wg_net }} {{ campus_wg_net_mask }}"
 
 core_addr_cidr:  "{{ private_net_cidr | ansible.utils.ipaddr('1') }}"
 gate_addr_cidr:  "{{ private_net_cidr | ansible.utils.ipaddr('2') }}"
@@ -37,6 +51,20 @@ gate_wild_addr_cidr:
 wifi_wan_addr_cidr: "{{ wild_net_cidr | ansible.utils.ipaddr('2') }}"
 front_vpn_addr_cidr:
               "{{ public_vpn_net_cidr | ansible.utils.ipaddr('1') }}"
+front_wg_port: 39608
+front_wg_addr_cidr:
+               "{{ public_wg_net_cidr | ansible.utils.ipaddr('1') }}"
+core_wg_addr_cidr:
+               "{{ public_wg_net_cidr | ansible.utils.ipaddr('2') }}"
+wg_client_front_addr_cidr:
+               "{{ public_wg_net_cidr | ansible.utils.ipaddr('3') }}"
+campus_wg_port: 51820
+campus_wg_addr_cidr:
+               "{{ campus_wg_net_cidr | ansible.utils.ipaddr('1') }}"
+wg_appl_addr_cidr:
+               "{{ campus_wg_net_cidr | ansible.utils.ipaddr('2') }}"
+wg_client_gate_addr_cidr:
+               "{{ campus_wg_net_cidr | ansible.utils.ipaddr('3') }}"
 
 core_addr:   "{{ core_addr_cidr | ansible.utils.ipaddr('address') }}"
 gate_addr:   "{{ gate_addr_cidr | ansible.utils.ipaddr('address') }}"
@@ -44,8 +72,20 @@ gate_wild_addr:
         "{{ gate_wild_addr_cidr | ansible.utils.ipaddr('address') }}"
 wifi_wan_addr:
          "{{ wifi_wan_addr_cidr | ansible.utils.ipaddr('address') }}"
-front_private_addr:
-    "{{ front_private_addr_cidr | ansible.utils.ipaddr('address') }}"
+front_vpn_addr:
+        "{{ front_vpn_addr_cidr | ansible.utils.ipaddr('address') }}"
+front_wg_addr:
+         "{{ front_wg_addr_cidr | ansible.utils.ipaddr('address') }}"
+core_wg_addr:
+          "{{ core_wg_addr_cidr | ansible.utils.ipaddr('address') }}"
+wg_client_front_addr:
+  "{{ wg_client_front_addr_cidr | ansible.utils.ipaddr('address') }}"
+gate_wg_addr:
+        "{{ campus_wg_addr_cidr | ansible.utils.ipaddr('address') }}"
+wg_appl_addr:
+          "{{ wg_appl_addr_cidr | ansible.utils.ipaddr('address') }}"
+wg_client_gate_addr:
+   "{{ wg_client_gate_addr_cidr | ansible.utils.ipaddr('address') }}"
 
 core_ethernet:              enp0s3
 
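Review bot: `gate_wg_addr` is derived from `campus_wg_addr_cidr`, while every other host address follows the `<host>_<net>_addr_cidr` → `<host>_<net>_addr` pattern (`front_wg_addr_cidr` → `front_wg_addr`), and `campus_wg_port` sits beside `front_wg_port`; naming Gate's address `gate_wg_addr_cidr` and the port `gate_wg_port` would keep the public and campus halves parallel. More importantly, none of the new variables reaches the `Secret/*-wg0.conf` files in this commit, which hard-code the same addresses and ports, and the two sources already disagree: `wg_client_front_addr_cidr` and `wg_client_gate_addr_cidr` are host 3 of their subnets, but front-wg0.conf and gate-wg0.conf give those clients host 4. Until the configs are templated from these values, a comment next to `public_wg_net_cidr` should say which side is authoritative, e.g. `# Host numbers below must be kept in step with Secret/*-wg0.conf (not templated).`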
index 8b8bd1c85daca9981cccbd0659f8871478fe36fb..3fd628ef2e8745452ca98a2241cc757f522ee26e 100644 (file)
     service: openvpn@front
     state: restarted
 
+- name: Reload WireGuard™.
+  become: yes
+  command: wg setconf wg0
+
 - name: Reload NAGIOS4.
   become: yes
   systemd:
index fe15e9105189dc94889d2b7526fce484f8c115ea..e4ba27d3e79a30238104e4ee209a16afe15a5850 100644 (file)
@@ -95,7 +95,9 @@
        {{ private_net_cidr }};
        {{ wild_net_cidr }};
        {{ public_vpn_net_cidr }};
+       {{ public_wg_net_cidr }};
        {{ campus_vpn_net_cidr }};
+       {{ campus_wg_net_cidr }};
        localhost;
       };
       
     v: >-
        {{ private_net_cidr }}
        {{ public_vpn_net_cidr }}
+       {{ public_wg_net_cidr }}
        {{ campus_vpn_net_cidr }}
+       {{ campus_wg_net_cidr }}
        127.0.0.0/8
        [::ffff:127.0.0.0]/104
        [::1]/128
     state: started
     enabled: yes
 
+- name: Install WireGuard™.
+  become: yes
+  apt: pkg=wireguard
+
+- name: Configure WireGuard™.
+  become: yes
+  copy:
+    src: ../Secret/core-wg0.conf
+    dest: /etc/wireguard/wg0.conf
+    mode: u=r,g=,o=
+    owner: root
+    group: root
+  notify: Reload WireGuard™.
+
+- name: Enable/Start WireGuard™ on boot.
+  become: yes
+  systemd:
+    service: wg-quick@wg0
+    enabled: yes
+    state: started
+
 - name: Install NAGIOS4.
   become: yes
   apt:
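Review bot: `apt: pkg=wireguard` in the `Install WireGuard™.` task uses the key=value shorthand while the adjacent `Install NAGIOS4.` task in this file uses the block form (`apt:` followed by its options on their own lines); the same shorthand is added in roles_t/gate/tasks/main.yml, whereas roles_t/front/tasks/main.yml already writes `apt: pkg=kamailio` that way, so only this file and Gate's are internally inconsistent. Writing it as `apt:` / `name: wireguard` matches the surrounding tasks and lets ansible-lint check the option names. Note also that `Enable/Start WireGuard™ on boot.` only starts `wg-quick@wg0`; on a host where the unit is already running, a changed `/etc/wireguard/wg0.conf` is picked up solely through the `Reload WireGuard™.` handler, so that handler needs to work.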
index d34e472397e98818c2fe0d18882a6178fa7ddbaa..b5aa9def976a7a306ba435159459ff974c2818d9 100644 (file)
     service: openvpn@server
     state: restarted
 
+- name: Reload WireGuard™.
+  become: yes
+  command: wg setconf wg0
+
 - name: Reload Systemd.
   become: yes
   systemd:
index ed06a639f3a42b103b709bd6793663d221f6834c..95f52eca44f83870e2903721214f38f7b1b44771 100644 (file)
   - p: mynetworks
     v: >-
        {{ public_vpn_net_cidr }}
+       {{ public_wg_net_cidr }}
        127.0.0.0/8
        [::ffff:127.0.0.0]/104
        [::1]/128
     enabled: yes
     state: started
 
+- name: Install WireGuard™.
+  become: yes
+  apt: pkg=wireguard
+
+- name: Configure WireGuard™.
+  become: yes
+  copy:
+    src: ../Secret/front-wg0.conf
+    dest: /etc/wireguard/wg0.conf
+    mode: u=r,g=,o=
+    owner: root
+    group: root
+  notify: Reload WireGuard™.
+
+- name: Enable/Start WireGuard™ on boot.
+  become: yes
+  systemd:
+    service: wg-quick@wg0
+    enabled: yes
+    state: started
+
 - name: Install Kamailio.
   become: yes
   apt: pkg=kamailio
   copy:
     content: |
       listen=udp:{{ front_vpn_addr }}:5060
+      listen=udp:{{ front_wg_addr }}:5060
     dest: /etc/kamailio/kamailio-local.cfg
   notify: Restart Kamailio.
 
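Review bot: The added `listen=udp:{{ front_wg_addr }}:5060` makes Kamailio bind a `wg0` address at start-up; if kamailio.service starts before `wg-quick@wg0` has brought the interface up, the bind fails and Kamailio does not start (the existing `front_vpn_addr` listen line presumably has the same dependency on OpenVPN, so this may already be handled outside the hunk — worth confirming). If it is not, a systemd drop-in for kamailio with `After=wg-quick@wg0.service` and `Wants=wg-quick@wg0.service` makes the boot ordering explicit. The file's `Restart Kamailio.` handler is already notified by this copy task, so a config change on a running host is covered.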
index a65da2537b2905f80196d7ffdc0753f47dba16cb..bcb43a323e12a40c8f0673c70b0f75a61c3124c8 100644 (file)
@@ -19,3 +19,7 @@
   systemd:
     service: openvpn@server
     state: restarted
+
+- name: Reload WireGuard™.
+  become: yes
+  command: wg setconf wg0
index c6521f09819421f34721dae2114214efa1aaf99e..908fa094d41dd25df5d0804e5efbbe6c3c9176d3 100644 (file)
@@ -97,6 +97,8 @@
       -A FORWARD -i isp  -o wild {{ ACCEPT_RELATED }}
       -A FORWARD -i lan  -o ovpn -j ACCEPT
       -A FORWARD -i ovpn -o lan  -j ACCEPT
+      -A FORWARD -i lan  -o wg0  -j ACCEPT
+      -A FORWARD -i wg0  -o lan  -j ACCEPT
       COMMIT
     insertafter: EOF
 
     dest: /etc/openvpn/server.conf
     mode: u=r,g=r,o=
   notify: Restart OpenVPN.
+
+- name: Install WireGuard™.
+  become: yes
+  apt: pkg=wireguard
+
+- name: Configure WireGuard™.
+  become: yes
+  copy:
+    src: ../Secret/gate-wg0.conf
+    dest: /etc/wireguard/wg0.conf
+    mode: u=r,g=,o=
+    owner: root
+    group: root
+  notify: Reload WireGuard™.
+
+- name: Enable/Start WireGuard™ on boot.
+  become: yes
+  systemd:
+    service: wg-quick@wg0
+    enabled: yes
+    state: started