From: Matt Birkholz Date: Wed, 11 Jun 2025 19:27:04 +0000 (-0600) Subject: Configure WireGuard™ subnets on Gate and Front. X-Git-Url: https://birchwood-abbey.net/git?a=commitdiff_plain;h=944eb9e30a156549a4d6dac8762cdaa0bc55abf3;p=Institute Configure WireGuard™ subnets on Gate and Front. And a peer, Core, on Front's wg0. This is a little awkward while OpenVPN is "in the way". --- diff --git a/README.org b/README.org index 3c14eb8..a15018b 100644 --- a/README.org +++ b/README.org @@ -814,7 +814,9 @@ configuration using mostly-default VirtualBoxes (described [[*Testing][here]]). private_net_cidr: 192.168.56.0/24 wild_net_cidr: 192.168.57.0/24 public_vpn_net_cidr: 10.177.86.0/24 +public_wg_net_cidr: 10.177.87.0/24 campus_vpn_net_cidr: 10.84.138.0/24 +campus_wg_net_cidr: 10.84.139.0/24 #+END_SRC The network addresses are needed in several additional formats, e.g. 
@@ -830,24 +832,36 @@ private_net: private_net_mask: "{{ private_net_cidr | ansible.utils.ipaddr('netmask') }}" private_net_and_mask: "{{ private_net }} {{ private_net_mask }}" +wild_net: "{{ wild_net_cidr | ansible.utils.ipaddr('network') }}" +wild_net_mask: + "{{ wild_net_cidr | ansible.utils.ipaddr('netmask') }}" +wild_net_and_mask: "{{ wild_net }} {{ wild_net_mask }}" +wild_net_broadcast: + "{{ wild_net_cidr | ansible.utils.ipaddr('broadcast') }}" public_vpn_net: "{{ public_vpn_net_cidr | ansible.utils.ipaddr('network') }}" public_vpn_net_mask: "{{ public_vpn_net_cidr | ansible.utils.ipaddr('netmask') }}" public_vpn_net_and_mask: "{{ public_vpn_net }} {{ public_vpn_net_mask }}" +public_wg_net: + "{{ public_wg_net_cidr | ansible.utils.ipaddr('network') }}" +public_wg_net_mask: + "{{ public_wg_net_cidr | ansible.utils.ipaddr('netmask') }}" +public_wg_net_and_mask: + "{{ public_wg_net }} {{ public_wg_net_mask }}" campus_vpn_net: "{{ campus_vpn_net_cidr | ansible.utils.ipaddr('network') }}" campus_vpn_net_mask: "{{ campus_vpn_net_cidr | ansible.utils.ipaddr('netmask') }}" campus_vpn_net_and_mask: "{{ campus_vpn_net }} {{ campus_vpn_net_mask }}" -wild_net: "{{ wild_net_cidr | ansible.utils.ipaddr('network') }}" -wild_net_mask: - "{{ wild_net_cidr | ansible.utils.ipaddr('netmask') }}" -wild_net_and_mask: "{{ wild_net }} {{ wild_net_mask }}" -wild_net_broadcast: - "{{ wild_net_cidr | ansible.utils.ipaddr('broadcast') }}" +campus_wg_net: + "{{ campus_wg_net_cidr | ansible.utils.ipaddr('network') }}" +campus_wg_net_mask: + "{{ campus_wg_net_cidr | ansible.utils.ipaddr('netmask') }}" +campus_wg_net_and_mask: + "{{ campus_wg_net }} {{ campus_wg_net_mask }}" #+END_SRC The institute prefers to configure its services with IP addresses 
@@ -885,6 +899,20 @@ gate_wild_addr_cidr: wifi_wan_addr_cidr: "{{ wild_net_cidr | ansible.utils.ipaddr('2') }}" front_vpn_addr_cidr: "{{ public_vpn_net_cidr | ansible.utils.ipaddr('1') }}" +front_wg_port: 39608 +front_wg_addr_cidr: + "{{ public_wg_net_cidr | ansible.utils.ipaddr('1') }}" +core_wg_addr_cidr: + "{{ public_wg_net_cidr | ansible.utils.ipaddr('2') }}" +wg_client_front_addr_cidr: + "{{ public_wg_net_cidr | ansible.utils.ipaddr('3') }}" +campus_wg_port: 51820 +campus_wg_addr_cidr: + "{{ campus_wg_net_cidr | ansible.utils.ipaddr('1') }}" +wg_appl_addr_cidr: + "{{ campus_wg_net_cidr | ansible.utils.ipaddr('2') }}" +wg_client_gate_addr_cidr: + "{{ campus_wg_net_cidr | ansible.utils.ipaddr('3') }}" core_addr: "{{ core_addr_cidr | ansible.utils.ipaddr('address') }}" gate_addr: "{{ gate_addr_cidr | ansible.utils.ipaddr('address') }}" @@ -894,6 +922,18 @@ wifi_wan_addr: "{{ wifi_wan_addr_cidr | ansible.utils.ipaddr('address') }}" front_vpn_addr: "{{ front_vpn_addr_cidr | ansible.utils.ipaddr('address') }}" +front_wg_addr: + "{{ front_wg_addr_cidr | ansible.utils.ipaddr('address') }}" +core_wg_addr: + "{{ core_wg_addr_cidr | ansible.utils.ipaddr('address') }}" +wg_client_front_addr: + "{{ wg_client_front_addr_cidr | ansible.utils.ipaddr('address') }}" +gate_wg_addr: + "{{ campus_wg_addr_cidr | ansible.utils.ipaddr('address') }}" +wg_appl_addr: + "{{ wg_appl_addr_cidr | ansible.utils.ipaddr('address') }}" +wg_client_gate_addr: + "{{ wg_client_gate_addr_cidr | ansible.utils.ipaddr('address') }}" #+END_SRC @@ -1071,7 +1111,7 @@ modem and installed them as shown below. : $ sudo apt install netplan.io systemd-resolved unattended-upgrades \ : _ ntp isc-dhcp-server bind9 apache2 openvpn \ : _ postfix dovecot-imapd fetchmail expect rsync \ -: _ gnupg openssh-server +: _ gnupg openssh-server wireguard The Nextcloud configuration requires Apache2, MariaDB and a number of PHP modules. Installing them while Core was on a cable modem sped up 
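Review bot: Apart from `front_wg_addr`, which the Kamailio listen line reads, nothing in this diff consumes the new `front_wg_port`, `campus_wg_port` or `*_wg_addr_cidr` values; the WireGuard tasks `copy` static Secret/*-wg0.conf files that repeat 39608, 51820 and the host numbers literally, so the variables and the files will drift the first time one side changes. Either render the conf files from a template that uses these variables, or put a comment above `front_wg_port: 39608` stating that the Secret files are authoritative and the variables are informational. In the next hunk `gate_wg_addr` is derived from `campus_wg_addr_cidr` while every other `*_wg_addr` reuses its own `*_cidr` name; naming the pair `gate_wg_addr_cidr`/`gate_wg_addr` (or `campus_wg_addr_cidr`/`campus_wg_addr`) keeps the pattern regular. The same definitions recur in the private/vars.yml hunks.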
@@ -1224,7 +1264,7 @@ cable modem and installed them as shown below. : $ sudo apt install netplan.io systemd-resolved unattended-upgrades \ : _ ufw isc-dhcp-server postfix openvpn \ -: _ openssh-server +: _ openssh-server wireguard Next, the administrator concatenated a personal public ssh key and the key found in [[file:Secret/ssh_admin/][=Secret/ssh_admin/=]] (created by [[*The CA Command][The CA Command]]) into an @@ -1654,6 +1694,7 @@ relays messages from the campus. - p: mynetworks v: >- {{ public_vpn_net_cidr }} + {{ public_wg_net_cidr }} 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 
@@ -2280,6 +2321,96 @@ configure the OpenVPN server on Front. state: restarted #+END_SRC +** Configure Public WireGuard™ + +Front uses WireGuard™ to provide a public VPN service. Core has an +interface on this VPN (address: ~core_wg_addr~) and is expected to +forward packets between it and the institute's other private networks. + +The following example [[file:Secret/front-wg0.conf][=Secret/front-wg0.conf=]] configuration recognizes +Core by its public key, ~lGhC51~, and routes the institute's private +networks to it. It also recognizes a member client, Dick's Notebook, +by its public key ~4qd4xd...~ assigning it host number 4 on the VPN. + +#+CAPTION: [[file:Secret/front-wg0.conf][=Secret/front-wg0.conf=]] +#+BEGIN_SRC conf :tangle Secret/front-wg0.conf +[Interface] +Address = 10.177.87.1/24 +PrivateKey = AJkzVxfTm/KvRjzTN/9X2jYy+CAugiwZfN5F3JTegms= +ListenPort = 39608 +PostUp = resolvectl dns wg0 192.168.56.1 +PostUp = resolvectl domain wg0 small.private + +# Core +[Peer] +PublicKey = lGhC51IBgZtlq4H2bsYFuKvPtV0VAEwUvVIn5fW7D0c= +AllowedIPs = 10.177.87.2 +# AllowedIPs = 192.168.56.0/24 OpenVPN has this route. +AllowedIPs = 10.84.138.0/24, 10.84.139.0/24 + +# dicks-note +[Peer] +PublicKey = 4qd4xdRztZBKhFrX9jI/b4fnMzpKQ5qhg691hwYSsX8= +AllowedIPs = 10.177.87.4 +#+END_SRC + +The configuration used on Dick's notebook when it is abroad looks like +this: + +#+CAPTION: WireGuard™ tunnel on Dick's notebook, used abroad +#+BEGIN_SRC conf +[Interface] +Address = 10.177.87.3 +PrivateKey = WAhrlGccPf/BaFS5bRtBE4hEyt3kDxCavmwZfVTsfGs= +PostUp = resolvectl dns wg0 192.168.56.1 +PostUp = resolvectl domain wg0 small.private + +# Front +[Peer] +PublicKey = S+6HaTnOwwhWgUGXjSBcPAvifKw+j8BDTRfq534gNW4= +AllowedIPs = 10.177.87.1 +AllowedIPs = 10.177.87.0/24 +AllowedIPs = 192.168.56.0/24 +AllowedIPs = 10.84.138.0/24, 10.84.139.0/24 +AllowedIPs = 10.177.86.0/24 +#+END_SRC + +The following tasks install WireGuard™, configure it with +=Secret/front-wg0.conf=, and enable the service. 
+ +#+CAPTION: [[file:roles_t/front/tasks/main.yml][=roles_t/front/tasks/main.yml=]] +#+BEGIN_SRC conf :tangle roles_t/front/tasks/main.yml + +- name: Install WireGuard™. + become: yes + apt: pkg=wireguard + +- name: Configure WireGuard™. + become: yes + copy: + src: ../Secret/front-wg0.conf + dest: /etc/wireguard/wg0.conf + mode: u=r,g=,o= + owner: root + group: root + notify: Reload WireGuard™. + +- name: Enable/Start WireGuard™ on boot. + become: yes + systemd: + service: wg-quick@wg0 + enabled: yes + state: started +#+END_SRC + +#+CAPTION: [[file:roles_t/front/handlers/main.yml][=roles_t/front/handlers/main.yml=]] +#+BEGIN_SRC conf :tangle roles_t/front/handlers/main.yml + +- name: Reload WireGuard™. + become: yes + command: wg setconf wg0 +#+END_SRC + ** Configure Kamailio Front uses Kamailio to provide a SIP service on the public VPN so that @@ -2301,6 +2432,7 @@ specifies the actual IP, known here as ~front_vpn_addr~. #+CAPTION: ~kamailio~ #+BEGIN_SRC conf listen=udp:{{ front_vpn_addr }}:5060 +listen=udp:{{ front_wg_addr }}:5060 #+END_SRC The Ansible tasks that install and configure Kamailio follow, but @@ -2573,7 +2705,9 @@ subnet 192.168.56.0 netmask 255.255.255.0 { option broadcast-address 192.168.56.255; option routers 192.168.56.2; option ntp-servers 192.168.56.1; - option rfc3442-routes 24, 10,177,86, 192,168,56,1, 0, 192,168,56,2; + option rfc3442-routes 24, 10,177,86, 192,168,56,1, + 24, 10,177,87, 192,168,56,1, + 0, 192,168,56,2; } host core { @@ -2696,7 +2830,9 @@ acl "trusted" { {{ private_net_cidr }}; {{ wild_net_cidr }}; {{ public_vpn_net_cidr }}; + {{ public_wg_net_cidr }}; {{ campus_vpn_net_cidr }}; + {{ campus_wg_net_cidr }}; localhost; }; @@ -3043,7 +3179,9 @@ Core relays messages from any institute network. v: >- {{ private_net_cidr }} {{ public_vpn_net_cidr }} + {{ public_wg_net_cidr }} {{ campus_vpn_net_cidr }} + {{ campus_wg_net_cidr }} 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 
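Review bot: Front's `# dicks-note` peer is given `AllowedIPs = 10.177.87.4`, but the notebook's own tunnel two blocks later has `Address = 10.177.87.3` and `wg_client_front_addr_cidr` is host 3, so Front's cryptokey routing will drop everything the notebook sends; either Front's line becomes `AllowedIPs = 10.177.87.3` or the notebook and the variable move to host 4 as the prose claims. The same off-by-one appears in the Gate section (IoT appliance `10.84.139.3` vs `Address = 10.84.139.2`, notebook `10.84.139.4` vs `Address = 10.84.139.3`) and in the committed Secret/front-wg0.conf and Secret/gate-wg0.conf. The `Reload WireGuard™` handler's `command: wg setconf wg0` is also unusable as written: `setconf` requires a configuration-file argument, and it rejects the wg-quick-only keys (`Address`, `PostUp`) found in /etc/wireguard/wg0.conf; `shell: wg syncconf wg0 <(wg-quick strip wg0)` with `args: {executable: /bin/bash}` applies peer changes without a restart, and the same handler recurs in the Core and Gate sections and in all three roles_t handlers files. Lastly, the literal `PrivateKey` values for Front and for the notebook are now part of README.org and therefore of the (apparently web-published, judging by the X-Git-Url) git history; if they are not throwaway test-VM keys they should be treated as disclosed and regenerated with `wg genkey`, and the README examples are safer written with a placeholder such as `PrivateKey = <generated on the host>`.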
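Review bot: The new `listen=udp:{{ front_wg_addr }}:5060` makes Kamailio bind an address that only exists once wg-quick@wg0 is up, and nothing in this commit orders kamailio.service after it, so a boot in which Kamailio starts first would presumably fail the bind. A systemd drop-in with `After=wg-quick@wg0.service` and `Requires=wg-quick@wg0.service`, or Kamailio's `ip_free_bind=1` core parameter if the installed version supports it, removes the race. The same listen line is added to roles_t/front/tasks/main.yml in a later hunk, which is where the drop-in would be installed.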
@@ -3725,6 +3863,67 @@ for Core. state: restarted #+END_SRC +** Configure Core WireGuard™ Interface + +Core connects to Front's WireGuard™ service to provide members abroad +with a route to the campus networks. As described in [[*Configure Public WireGuard™][Configure +Public WireGuard™]] for Front, Core is expected to forward packets from/to the +private networks. + +The following example [[file:Secret/gate-wg0.conf][=Secret/gate-wg0.conf=]] configuration recognizes +Front by its public key, ~S+6HaT~, looking for it at the institute's +public IP address and a special port. + +#+CAPTION: [[file:Secret/core-wg0.conf][=Secret/core-wg0.conf=]] +#+BEGIN_SRC conf :tangle Secret/core-wg0.conf +[Interface] +Address = 10.177.87.2 +PrivateKey = AI+KhwnsHzSPqyIyAObx7EBBTBXFZPiXb2/Qcts8zEI= + +# Front +[Peer] +EndPoint = 192.168.15.5:39608 +PublicKey = S+6HaTnOwwhWgUGXjSBcPAvifKw+j8BDTRfq534gNW4= +AllowedIPs = 10.177.87.1 +AllowedIPs = 10.177.87.0/24 +#+END_SRC + +The following tasks install WireGuard™, configure it with +=Secret/core-wg0.conf=, and enable the service. + +#+CAPTION: [[file:roles_t/core/tasks/main.yml][=roles_t/core/tasks/main.yml=]] +#+BEGIN_SRC conf :tangle roles_t/core/tasks/main.yml + +- name: Install WireGuard™. + become: yes + apt: pkg=wireguard + +- name: Configure WireGuard™. + become: yes + copy: + src: ../Secret/core-wg0.conf + dest: /etc/wireguard/wg0.conf + mode: u=r,g=,o= + owner: root + group: root + notify: Reload WireGuard™. + +- name: Enable/Start WireGuard™ on boot. + become: yes + systemd: + service: wg-quick@wg0 + enabled: yes + state: started +#+END_SRC + +#+CAPTION: [[file:roles_t/core/handlers/main.yml][=roles_t/core/handlers/main.yml=]] +#+BEGIN_SRC conf :tangle roles_t/core/handlers/main.yml + +- name: Reload WireGuard™. + become: yes + command: wg setconf wg0 +#+END_SRC + ** Configure NAGIOS Core runs a ~nagios4~ server to monitor "services" on institute hosts. 
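Review bot: Core's `# Front` peer has no `PersistentKeepalive`, and since only Front is given an `Endpoint` and Core presumably sits behind Gate's NAT, Front cannot initiate to Core once the NAT mapping idles out, which is exactly the Front→Core direction the members-abroad route depends on; adding `PersistentKeepalive = 25` under that peer keeps the mapping alive. The prose introduces the example as Secret/gate-wg0.conf while the caption and tangle target are Secret/core-wg0.conf, and the key is spelled `EndPoint` where wg(8) documents `Endpoint` (accepted, since both parsers are case-insensitive, but worth normalising). This tangled source also lacks the four `PostUp`/`PostDown` iptables lines that the committed Secret/core-wg0.conf carries, so the next tangle silently removes them; the Front and Gate sections diverge from their Secret files in the same way.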
@@ -4864,16 +5063,19 @@ If "the standard ~iptables-restore~ syntax" as it is described in the know! Forwarding rules are also needed to route packets from the campus VPN -(the ~ovpn~ tunnel device) to the institute's LAN and back. The -public VPN on Front will also be included since its packets arrive at -Gate's ~lan~ interface, coming from Core. Thus forwarding between -public and campus VPNs is also allowed. +(the ~ovpn~ tunnel device) or WireGuard™ subnet (the ~wg0~ tunnel +device) to the institute's LAN and back. The public VPN on Front will +also be included since its packets arrive at Gate's ~lan~ interface, +coming from Core. Thus forwarding between public and campus VPNs is +also allowed. #+NAME: ufw-forward-private #+CAPTION: ~ufw-forward-private~ #+BEGIN_SRC conf -A FORWARD -i lan -o ovpn -j ACCEPT -A FORWARD -i ovpn -o lan -j ACCEPT +-A FORWARD -i lan -o wg0 -j ACCEPT +-A FORWARD -i wg0 -o lan -j ACCEPT #+END_SRC Note that there are no forwarding rules to allow packets to pass from 
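Review bot: The two new FORWARD rules let traffic cross between `wg0` and `lan`, but I see no INPUT rule opening UDP 51820 on the interface the campus peers arrive from, which they need to reach Gate's listener; unless an existing ufw rule already allows it, Gate's WireGuard service is unreachable. An accept for `-p udp --dport 51820` on `lan` (and on `wild` if WiFi clients are meant to use it), or a `ufw allow in on lan to any port 51820 proto udp` task, is needed alongside these. The same pair of FORWARD rules is added to roles_t/gate/tasks/main.yml in the last hunk.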
@@ -5174,6 +5376,116 @@ configure the OpenVPN server on Gate. state: restarted #+END_SRC +** Configure Campus WireGuard™ + +Gate uses WireGuard™ to provide a campus VPN service. Gate's routes +and firewall rules allow packets to be forwarded to/from the +institute's private networks: the private Ethernet and the public VPN. +(It should /not/ forward packets to/from the wild Ethernet.) The only +additional route Gate needs is to the public VPN via Core. The rest +(private Ethernet and campus VPN) are directly connected. + +The following example [[file:Secret/gate-wg0.conf][=Secret/gate-wg0.conf=]] configuration recognizes +a wired IoT appliance (public key ~LdsCsg~) and a member client, +Dick's Notebook (public key ~4qd4xd~), assigning them the host numbers +3 and 4 respectively. (Dick's Notebook's host number is /not +coincidentally/ 4 here as well as on Front's WireGuard™ subnet.) + +#+CAPTION: [[file:Secret/gate-wg0.conf][=Secret/gate-wg0.conf=]] +#+BEGIN_SRC conf :tangle Secret/gate-wg0.conf +[Interface] +Address = 10.84.139.1/24 +PrivateKey = yOBdLbXh6KBwYQvvb5mhiku8Fxkqc5Cdyz6gNgjc/2U= +ListenPort = 51820 + +# IoT appliance +[Peer] +PublicKey = LdsCsgfjKCfd5+VKS+Q/dQhWO8NRNygByDO2VxbXlSQ= +AllowedIPs = 10.84.139.3 + +# dicks-note +[Peer] +PublicKey = 4qd4xdRztZBKhFrX9jI/b4fnMzpKQ5qhg691hwYSsX8= +AllowedIPs = 10.84.139.4 +#+END_SRC + +The configuration used on the IoT appliance looks like this: + +#+CAPTION: WireGuard™ tunnel on an IoT appliance +#+BEGIN_SRC conf +[Interface] +Address = 10.84.139.2 +PrivateKey = KIwQT5eGOl9w1qOa5I+2xx5kJH3z4xdpmirS/eGdsXY= + +# Gate +[Peer] +PublicKey = y3cjFnvQbylmH4lGTujpqc8rusIElmJ4Gu9hh6iR7QI= +AllowedIPs = 10.84.139.1 +AllowedIPs = 10.84.139.0/24 +AllowedIPs = 192.168.56.0/24 +AllowedIPs = 10.177.86.0/24 +AllowedIPs = 10.177.87.0/24 +AllowedIPs = 10.84.138.0/24 +#+END_SRC + +And the configuration used on Dick's notebook when it is on campus +looks like this: + +#+CAPTION: WireGuard™ tunnel on Dick's notebook, used on 
campus +#+BEGIN_SRC conf +[Interface] +Address = 10.84.139.3 +PrivateKey = WAhrlGccPf/BaFS5bRtBE4hEyt3kDxCavmwZfVTsfGs= +PostUp = resolvectl dns wg0 192.168.56.1 +PostUp = resolvectl domain wg0 small.private + +# Gate +[Peer] +PublicKey = y3cjFnvQbylmH4lGTujpqc8rusIElmJ4Gu9hh6iR7QI= +AllowedIPs = 10.84.139.1 +AllowedIPs = 10.84.139.0/24 +AllowedIPs = 192.168.56.0/24 +AllowedIPs = 10.177.86.0/24 +AllowedIPs = 10.177.87.0/24 +AllowedIPs = 10.84.138.0/24 +#+END_SRC + +The following tasks install WireGuard™, configure it with +=Secret/gate-wg0.conf=, and enable the service. + +#+CAPTION: [[file:roles_t/gate/tasks/main.yml][=roles_t/gate/tasks/main.yml=]] +#+BEGIN_SRC conf :tangle roles_t/gate/tasks/main.yml + +- name: Install WireGuard™. + become: yes + apt: pkg=wireguard + +- name: Configure WireGuard™. + become: yes + copy: + src: ../Secret/gate-wg0.conf + dest: /etc/wireguard/wg0.conf + mode: u=r,g=,o= + owner: root + group: root + notify: Reload WireGuard™. + +- name: Enable/Start WireGuard™ on boot. + become: yes + systemd: + service: wg-quick@wg0 + enabled: yes + state: started +#+END_SRC + +#+CAPTION: [[file:roles_t/gate/handlers/main.yml][=roles_t/gate/handlers/main.yml=]] +#+BEGIN_SRC conf :tangle roles_t/gate/handlers/main.yml + +- name: Reload WireGuard™. + become: yes + command: wg setconf wg0 +#+END_SRC + * The Campus Role diff --git a/Secret/core-wg0.conf b/Secret/core-wg0.conf new file mode 100644 index 0000000..0b2a980 --- /dev/null +++ b/Secret/core-wg0.conf @@ -0,0 +1,14 @@ +[Interface] +Address = 10.177.87.2 +PrivateKey = AI+KhwnsHzSPqyIyAObx7EBBTBXFZPiXb2/Qcts8zEI= +PostUp = iptables -A FORWARD -i %i -j ACCEPT +PostUp = iptables -A FORWARD -o %i -j ACCEPT +PostDown = iptables -D FORWARD -i %i -j ACCEPT +PostDown = iptables -D FORWARD -o %i -j ACCEPT + +# Front +[Peer] +PublicKey = S+6HaTnOwwhWgUGXjSBcPAvifKw+j8BDTRfq534gNW4= +AllowedIPs = 10.177.87.1 +AllowedIPs = 10.177.87.0/24 +EndPoint = 192.168.15.5:39608 
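Review bot: The prose says the only extra route Gate needs is to the public VPN via Core, but nothing in this diff adds a route for 10.177.87.0/24 on Gate, while both on-campus peer configs are handed `AllowedIPs = 10.177.87.0/24` and will send that traffic to Gate; unless Gate's netplan already carries it, those packets follow Gate's default route out `isp`. Gate's forwarding also treats every wg0 peer alike, so the IoT appliance can reach everything the notebook can; if the appliance only needs one or two hosts, a source-scoped rule such as `-A FORWARD -i wg0 -s <appliance address>/32 -d <allowed host> -j ACCEPT` ahead of the general `-i wg0 -o lan` accept is cheap containment for a compromised appliance. The host-number mismatch between these peer blocks and the client `Address` lines is noted on the Front section.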
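Review bot: The four `PostUp`/`PostDown` lines append unconditional FORWARD accepts for anything entering or leaving `%i`, regardless of the other interface, and they are absent from the README source this file is tangled from. On Core that is broad but tolerable; the identical lines in Secret/gate-wg0.conf (next hunk) are appended after ufw's own chains in Gate's FORWARD chain and, if reached, permit wg0↔wild forwarding that the README section explicitly says must not happen, while duplicating the narrower `-i lan -o wg0` / `-i wg0 -o lan` pair already added to ufw. Since the role tasks already own the forwarding policy, dropping the four lines, or at least scoping them as `iptables -A FORWARD -i %i -o lan -j ACCEPT` and `iptables -A FORWARD -i lan -o %i -j ACCEPT`, keeps a single authority for the rules. Secret/front-wg0.conf carries the same lines.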
diff --git a/Secret/front-wg0.conf b/Secret/front-wg0.conf
new file mode 100644
index 0000000..f73fdd6
--- /dev/null
+++ b/Secret/front-wg0.conf
@@ -0,0 +1,21 @@
+[Interface]
+Address = 10.177.87.1/24
+PrivateKey = AJkzVxfTm/KvRjzTN/9X2jYy+CAugiwZfN5F3JTegms=
+ListenPort = 39608
+PostUp = iptables -A FORWARD -i %i -j ACCEPT
+PostUp = iptables -A FORWARD -o %i -j ACCEPT
+PostDown = iptables -D FORWARD -i %i -j ACCEPT
+PostDown = iptables -D FORWARD -o %i -j ACCEPT
+
+# Core
+[Peer]
+PublicKey = lGhC51IBgZtlq4H2bsYFuKvPtV0VAEwUvVIn5fW7D0c=
+AllowedIPs = 10.177.87.2
+AllowedIPs = 10.177.87.0/24
+AllowedIPs = 192.168.56.0/24
+AllowedIPs = 10.84.138.0/24, 10.84.139.0/24
+
+# dicks-note
+[Peer]
+PublicKey = 4qd4xdRztZBKhFrX9jI/b4fnMzpKQ5qhg691hwYSsX8=
+AllowedIPs = 10.177.87.4
diff --git a/Secret/gate-wg0.conf b/Secret/gate-wg0.conf
new file mode 100644
index 0000000..41f6f70
--- /dev/null
+++ b/Secret/gate-wg0.conf
@@ -0,0 +1,18 @@
+[Interface]
+Address = 10.84.139.1/24
+PrivateKey = yOBdLbXh6KBwYQvvb5mhiku8Fxkqc5Cdyz6gNgjc/2U=
+ListenPort = 51820
+PostUp = iptables -A FORWARD -i %i -j ACCEPT
+PostUp = iptables -A FORWARD -o %i -j ACCEPT
+PostDown = iptables -D FORWARD -i %i -j ACCEPT
+PostDown = iptables -D FORWARD -o %i -j ACCEPT
+
+# IoT appliance
+[Peer]
+PublicKey = LdsCsgfjKCfd5+VKS+Q/dQhWO8NRNygByDO2VxbXlSQ=
+AllowedIPs = 10.84.139.3
+
+# dicks-note
+[Peer]
+PublicKey = 4qd4xdRztZBKhFrX9jI/b4fnMzpKQ5qhg691hwYSsX8=
+AllowedIPs = 10.84.139.4
diff --git a/private/core-dhcpd.conf b/private/core-dhcpd.conf
index 6ff58eb..72601a8 100644
--- a/private/core-dhcpd.conf
+++ b/private/core-dhcpd.conf
@@ -17,7 +17,9 @@ subnet 192.168.56.0 netmask 255.255.255.0 {
 option broadcast-address 192.168.56.255;
 option routers 192.168.56.2;
 option ntp-servers 192.168.56.1;
- option rfc3442-routes 24, 10,177,86, 192,168,56,1, 0, 192,168,56,2;
+ option rfc3442-routes 24, 10,177,86, 192,168,56,1,
+ 24, 10,177,87, 192,168,56,1,
+ 0, 192,168,56,2;
 }
 
 host core {
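Review bot: This committed copy gives the Core peer `AllowedIPs = 192.168.56.0/24`, which the README source it is tangled from deliberately comments out with "OpenVPN has this route", so the two disagree and the next tangle will revert this file; whichever is intended should be in both. If OpenVPN already installs a 192.168.56.0/24 route on Front, wg-quick's `ip route add 192.168.56.0/24 dev wg0` for that prefix will presumably fail with "File exists" and abort bringing the interface up, which looks like the awkwardness the commit message alludes to; `Table = off` with an explicit route, or leaving the prefix out until OpenVPN is retired, avoids the collision. The `# dicks-note` host-number mismatch and the private-key exposure are noted on the README Front section.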
diff --git a/private/vars.yml b/private/vars.yml
index 41a070b..d8e7e72 100644
--- a/private/vars.yml
+++ b/private/vars.yml
@@ -4,31 +4,45 @@ domain_priv: small.private private_net_cidr: 192.168.56.0/24 wild_net_cidr: 192.168.57.0/24 public_vpn_net_cidr: 10.177.86.0/24 +public_wg_net_cidr: 10.177.87.0/24 campus_vpn_net_cidr: 10.84.138.0/24 +campus_wg_net_cidr: 10.84.139.0/24 private_net: "{{ private_net_cidr | ansible.utils.ipaddr('network') }}" private_net_mask: "{{ private_net_cidr | ansible.utils.ipaddr('netmask') }}" private_net_and_mask: "{{ private_net }} {{ private_net_mask }}" +wild_net: "{{ wild_net_cidr | ansible.utils.ipaddr('network') }}" +wild_net_mask: + "{{ wild_net_cidr | ansible.utils.ipaddr('netmask') }}" +wild_net_and_mask: "{{ wild_net }} {{ wild_net_mask }}" +wild_net_broadcast: + "{{ wild_net_cidr | ansible.utils.ipaddr('broadcast') }}" public_vpn_net: "{{ public_vpn_net_cidr | ansible.utils.ipaddr('network') }}" public_vpn_net_mask: "{{ public_vpn_net_cidr | ansible.utils.ipaddr('netmask') }}" public_vpn_net_and_mask: "{{ public_vpn_net }} {{ public_vpn_net_mask }}" +public_wg_net: + "{{ public_wg_net_cidr | ansible.utils.ipaddr('network') }}" +public_wg_net_mask: + "{{ public_wg_net_cidr | ansible.utils.ipaddr('netmask') }}" +public_wg_net_and_mask: + "{{ public_wg_net }} {{ public_wg_net_mask }}" campus_vpn_net: "{{ campus_vpn_net_cidr | ansible.utils.ipaddr('network') }}" campus_vpn_net_mask: "{{ campus_vpn_net_cidr | ansible.utils.ipaddr('netmask') }}" campus_vpn_net_and_mask: "{{ campus_vpn_net }} {{ campus_vpn_net_mask }}" -wild_net: "{{ wild_net_cidr | ansible.utils.ipaddr('network') }}" -wild_net_mask: - "{{ wild_net_cidr | ansible.utils.ipaddr('netmask') }}" -wild_net_and_mask: "{{ wild_net }} {{ wild_net_mask }}" -wild_net_broadcast: - "{{ wild_net_cidr | ansible.utils.ipaddr('broadcast') }}" +campus_wg_net: + "{{ campus_wg_net_cidr | ansible.utils.ipaddr('network') }}" +campus_wg_net_mask: + "{{ campus_wg_net_cidr | ansible.utils.ipaddr('netmask') }}" +campus_wg_net_and_mask: + "{{ campus_wg_net }} {{ campus_wg_net_mask }}" core_addr_cidr: "{{ 
private_net_cidr | ansible.utils.ipaddr('1') }}" gate_addr_cidr: "{{ private_net_cidr | ansible.utils.ipaddr('2') }}" @@ -37,6 +51,20 @@ gate_wild_addr_cidr: wifi_wan_addr_cidr: "{{ wild_net_cidr | ansible.utils.ipaddr('2') }}" front_vpn_addr_cidr: "{{ public_vpn_net_cidr | ansible.utils.ipaddr('1') }}" +front_wg_port: 39608 +front_wg_addr_cidr: + "{{ public_wg_net_cidr | ansible.utils.ipaddr('1') }}" +core_wg_addr_cidr: + "{{ public_wg_net_cidr | ansible.utils.ipaddr('2') }}" +wg_client_front_addr_cidr: + "{{ public_wg_net_cidr | ansible.utils.ipaddr('3') }}" +campus_wg_port: 51820 +campus_wg_addr_cidr: + "{{ campus_wg_net_cidr | ansible.utils.ipaddr('1') }}" +wg_appl_addr_cidr: + "{{ campus_wg_net_cidr | ansible.utils.ipaddr('2') }}" +wg_client_gate_addr_cidr: + "{{ campus_wg_net_cidr | ansible.utils.ipaddr('3') }}" core_addr: "{{ core_addr_cidr | ansible.utils.ipaddr('address') }}" gate_addr: "{{ gate_addr_cidr | ansible.utils.ipaddr('address') }}" @@ -44,8 +72,20 @@ gate_wild_addr: "{{ gate_wild_addr_cidr | ansible.utils.ipaddr('address') }}" wifi_wan_addr: "{{ wifi_wan_addr_cidr | ansible.utils.ipaddr('address') }}" -front_private_addr: - "{{ front_private_addr_cidr | ansible.utils.ipaddr('address') }}" +front_vpn_addr: + "{{ front_vpn_addr_cidr | ansible.utils.ipaddr('address') }}" +front_wg_addr: + "{{ front_wg_addr_cidr | ansible.utils.ipaddr('address') }}" +core_wg_addr: + "{{ core_wg_addr_cidr | ansible.utils.ipaddr('address') }}" +wg_client_front_addr: + "{{ wg_client_front_addr_cidr | ansible.utils.ipaddr('address') }}" +gate_wg_addr: + "{{ campus_wg_addr_cidr | ansible.utils.ipaddr('address') }}" +wg_appl_addr: + "{{ wg_appl_addr_cidr | ansible.utils.ipaddr('address') }}" +wg_client_gate_addr: + "{{ wg_client_gate_addr_cidr | ansible.utils.ipaddr('address') }}" core_ethernet: enp0s3 diff --git a/roles_t/core/handlers/main.yml b/roles_t/core/handlers/main.yml index 8b8bd1c..3fd628e 100644 --- a/roles_t/core/handlers/main.yml 
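Review bot: The last hunk replaces `front_private_addr` with `front_vpn_addr` in private/vars.yml, a rename the commit message does not mention and that is unrelated to WireGuard; any playbook or template still reading `front_private_addr` would fail with an undefined-variable error, so either keep `front_private_addr: "{{ front_vpn_addr }}"` as a temporary alias or call the rename out in the message. It apparently re-synchronises private/vars.yml with the README.org copy, which already used `front_vpn_addr`, and that is worth stating since the two copies are meant to come from one source. The unused port/address variables and the `gate_wg_addr`/`campus_wg_addr_cidr` naming are noted on the README vars hunk.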
+++ b/roles_t/core/handlers/main.yml @@ -65,6 +65,10 @@ service: openvpn@front state: restarted +- name: Reload WireGuard™. + become: yes + command: wg setconf wg0 + - name: Reload NAGIOS4. become: yes systemd: diff --git a/roles_t/core/tasks/main.yml b/roles_t/core/tasks/main.yml index fe15e91..e4ba27d 100644 --- a/roles_t/core/tasks/main.yml +++ b/roles_t/core/tasks/main.yml @@ -95,7 +95,9 @@ {{ private_net_cidr }}; {{ wild_net_cidr }}; {{ public_vpn_net_cidr }}; + {{ public_wg_net_cidr }}; {{ campus_vpn_net_cidr }}; + {{ campus_wg_net_cidr }}; localhost; }; @@ -305,7 +307,9 @@ v: >- {{ private_net_cidr }} {{ public_vpn_net_cidr }} + {{ public_wg_net_cidr }} {{ campus_vpn_net_cidr }} + {{ campus_wg_net_cidr }} 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 @@ -655,6 +659,27 @@ state: started enabled: yes +- name: Install WireGuard™. + become: yes + apt: pkg=wireguard + +- name: Configure WireGuard™. + become: yes + copy: + src: ../Secret/core-wg0.conf + dest: /etc/wireguard/wg0.conf + mode: u=r,g=,o= + owner: root + group: root + notify: Reload WireGuard™. + +- name: Enable/Start WireGuard™ on boot. + become: yes + systemd: + service: wg-quick@wg0 + enabled: yes + state: started + - name: Install NAGIOS4. become: yes apt: diff --git a/roles_t/front/handlers/main.yml b/roles_t/front/handlers/main.yml index d34e472..b5aa9de 100644 --- a/roles_t/front/handlers/main.yml +++ b/roles_t/front/handlers/main.yml @@ -44,6 +44,10 @@ service: openvpn@server state: restarted +- name: Reload WireGuard™. + become: yes + command: wg setconf wg0 + - name: Reload Systemd. become: yes systemd: diff --git a/roles_t/front/tasks/main.yml b/roles_t/front/tasks/main.yml index ed06a63..95f52ec 100644 --- a/roles_t/front/tasks/main.yml +++ b/roles_t/front/tasks/main.yml @@ -134,6 +134,7 @@ - p: mynetworks v: >- {{ public_vpn_net_cidr }} + {{ public_wg_net_cidr }} 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 
@@ -454,6 +455,27 @@ enabled: yes state: started +- name: Install WireGuard™. + become: yes + apt: pkg=wireguard + +- name: Configure WireGuard™. + become: yes + copy: + src: ../Secret/front-wg0.conf + dest: /etc/wireguard/wg0.conf + mode: u=r,g=,o= + owner: root + group: root + notify: Reload WireGuard™. + +- name: Enable/Start WireGuard™ on boot. + become: yes + systemd: + service: wg-quick@wg0 + enabled: yes + state: started + - name: Install Kamailio. become: yes apt: pkg=kamailio @@ -479,6 +501,7 @@ copy: content: | listen=udp:{{ front_vpn_addr }}:5060 + listen=udp:{{ front_wg_addr }}:5060 dest: /etc/kamailio/kamailio-local.cfg notify: Restart Kamailio. diff --git a/roles_t/gate/handlers/main.yml b/roles_t/gate/handlers/main.yml index a65da25..bcb43a3 100644 --- a/roles_t/gate/handlers/main.yml +++ b/roles_t/gate/handlers/main.yml @@ -19,3 +19,7 @@ systemd: service: openvpn@server state: restarted + +- name: Reload WireGuard™. + become: yes + command: wg setconf wg0 diff --git a/roles_t/gate/tasks/main.yml b/roles_t/gate/tasks/main.yml index c6521f0..908fa09 100644 --- a/roles_t/gate/tasks/main.yml +++ b/roles_t/gate/tasks/main.yml @@ -97,6 +97,8 @@ -A FORWARD -i isp -o wild {{ ACCEPT_RELATED }} -A FORWARD -i lan -o ovpn -j ACCEPT -A FORWARD -i ovpn -o lan -j ACCEPT + -A FORWARD -i lan -o wg0 -j ACCEPT + -A FORWARD -i wg0 -o lan -j ACCEPT COMMIT insertafter: EOF @@ -219,3 +221,24 @@ dest: /etc/openvpn/server.conf mode: u=r,g=r,o= notify: Restart OpenVPN. + +- name: Install WireGuard™. + become: yes + apt: pkg=wireguard + +- name: Configure WireGuard™. + become: yes + copy: + src: ../Secret/gate-wg0.conf + dest: /etc/wireguard/wg0.conf + mode: u=r,g=,o= + owner: root + group: root + notify: Reload WireGuard™. + +- name: Enable/Start WireGuard™ on boot. + become: yes + systemd: + service: wg-quick@wg0 + enabled: yes + state: started