poc for tunnel provisioning

replace_gw-core01
Gregor Michels 2022-06-28 00:17:14 +02:00
parent 25e7a4c14f
commit 2de716a405
10 changed files with 166 additions and 0 deletions

16
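--- a/files/gw-core01_frr.conf
+++ b/files/gw-core01_frr.conf
@@ -0,0 +1,16 @@
+password zebra
+!
+router ospf
+redistribute connected
+!
+log syslog
+!
+interface wg0
+ip ospf area 0
+ip ospf network point-to-point
+!
+access-list vty permit 127.0.0.0/8
+access-list vty deny any
+!
+line vty
+access-class vty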
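Review bot: `password zebra` on the first line is the stock example vty password and it is now committed to the repository in clear text; the `access-list vty` at the bottom limits the telnet vty to loopback, so in practice any local account on gw-core01 can log in to the daemons with it. Either source it from the password store the way the WireGuard keys are (turn the file into a template with `password {{ lookup('passwordstore', 'frr/gw-core01/vty') }}`), or drop the `password` line entirely and manage FRR only through vtysh's unix socket. Only `password` is set and no `enable password`; whether a vty session can then enter enable mode without a second prompt depends on the FRR build, so confirm that on the box. The ACL protects the vty, not the file itself, so whatever permissions the playbook writes frr.conf with also matter here.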

31
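--- a/files/ospfd.conf
+++ b/files/ospfd.conf
@@ -0,0 +1,31 @@
+# $OpenBSD: ospfd.conf,v 1.2 2018/08/07 07:06:20 claudio Exp $
+# macros
+# id="192.0.2.5"
+# global configuration
+# router-id $id
+# fib-update no
+# stub router no
+# spf-delay 1
+# spf-holdtime 5
+# auth-key secret
+# auth-type simple
+# hello-interval 10
+# metric 10
+# retransmit-interval 5
+# router-dead-time 40
+# router-priority 1
+# transmit-delay 1
+# rtlabel "DMZ" external-tag 1
+redistribute connected
+# areas
+area 0.0.0.0 {
+interface wg0 {
+type p2p
+}
+}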
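Review bot: `redistribute connected` with no qualifier exports every directly connected prefix of the jump host into area 0, which includes the subnet of its public endpoint address (162.55.53.85 per the playbook) and any interface added to the host later, not just the 10.84.254.0/31 tunnel link. If the intent is only for the core to learn the jump host's tunnel and service addresses, name them explicitly, e.g. `redistribute 10.84.254.0/31`, so a new interface cannot leak into the core routing table by accident. Authentication is left at the commented example defaults; that is defensible because the only adjacency is over wg0, which already authenticates the peer, but the assumption should be written down, e.g. `# no auth-key: the only neighbour is reached over wg0, which authenticates the peer`.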

5
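--- a/files/pf.wg0.conf
+++ b/files/pf.wg0.conf
@@ -0,0 +1,5 @@
+# allow incoming udp packets for wg0
+pass in proto udp from any to self port 51820
+# allow ospf on wg0
+pass on wg0 proto ospf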
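Review bot: `pass in proto udp from any to self port 51820` is not bound to an interface, so it admits traffic to the WireGuard listener on every interface, not only the Internet-facing one the comment `# allow incoming udp packets for wg0` suggests. If the listener should only be reachable from outside, bind the rule: `pass in on egress proto udp from any to self port 51820`. pf is last-match-wins, so whether these rules take effect depends on where `/etc/pf.include.conf` is pulled into pf.conf relative to any later `block` rules; that is outside this file and worth confirming. Note also that only OSPF is passed on wg0, so any other traffic the peer sends through the tunnel (its allowed-ips is 0.0.0.0/0) falls through to pf.conf's default policy, which may or may not be the intent.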

Binary file not shown.

Binary file not shown.


@ -0,0 +1,4 @@
R╠pк~╞еа Щ╕%nT%≤ОPН⌡┬╔C::╨Ьз╢Р/ M-IеZ-║Ч ЛУ╦E1? Rн╒╜В┴▓╕╘Vеу+╫╒
1≈╞T:Т·▓зэЬ(~_q╡Ay9FЗСFcЛ╒∙C╬└╤блK╤⌡ЯКл-Dю■xЮN╒[D╤ Гiz∙1Ёв─с≥║╙╚*@е;▀÷▒┐c∙чН
l╥Дwoт═VжF▒туQtПSю&ыJ╧М]═пю+ф╕eюOЫ╜L°QЦ█и Ё|.Н+$iи├ъl:И┤OРH÷Ia▒=Т Hх7Гx╣\C╓═┘ыт╬╩ДPцA≈/└═Ю;
°iG┴Шйfм╤╟kИЯ╛цд tbp│йuK1╡R2аvнGо≈Lйп(пы⌠тu╕ъw(tzFв╕dбг│Ф╖╠√z÷ПAл█~хб╨uaМ7▐Гл╟y/0▀╟=БJ =ьOу еЁ╛rы? ╤Ё,+\│║ y АЭЫyг▐*┴┼eСр^|≤!!D≥√зoqLj╚╗+m>9","ЪФly0╓Z г╒ ╗┌%:(╪т0y║#r▀лT╙В╘╖Уd}Я┼я8ъцk╢H▓вre:╟цз<╖Cp⌡©-вД 9

Binary file not shown.

Binary file not shown.


@ -0,0 +1,105 @@
---
- name: configure tunnel on eae-adp-jump01
hosts: eae-adp-jump01
tasks:
- name: create wg0 interface file
template:
src: templates/hostname.wg0
dest: /etc/hostname.wg0
mode: 0600
notify:
- reload interfaces
- name: create pf.wg0.conf file
copy:
src: files/pf.wg0.conf
dest: /etc/pf.wg0.conf
mode: 0600
notify:
- reload firewall
- name: include pf.wg0.conf in pf.include.conf
lineinfile:
path: /etc/pf.include.conf
line: 'include "/etc/pf.wg0.conf"'
notify:
- reload firewall
- name: create ospfd.conf
copy:
src: files/ospfd.conf
dest: /etc/ospfd.conf
mode: 0600
validate: "/usr/sbin/ospfd -n -f %s"
notify:
- restart ospfd
- name: enable ospfd
service:
name: ospfd
state: started
enabled: yes
handlers:
- name: reload firewall
command: pfctl -vf /etc/pf.conf
- name: reload interfaces
command: sh /etc/netstart
- name: restart ospfd
service:
name: ospfd
state: restart
- name: configure tunnel on gw-core01
hosts: gw-core01
gather_facts: no
tasks:
- name: create wg0 interface
blockinfile:
path: /etc/config/network
content: |
config interface 'wg0'
option proto 'wireguard'
option private_key "{{ lookup('passwordstore', 'wg/wg0/gw-core01') }}"
option listen_port 51820
option mtu 1350
list addresses '10.84.254.1/31'
config wireguard_wg0 'eap_adp_jump01'
option public_key "{{ lookup('passwordstore', 'wg/wg0/eae-adp-jump01.pub') }}"
option preshared_key "{{ lookup('passwordstore', 'wg/wg0/psk') }}"
option endpoint_host '162.55.53.85'
option endpoint_port '51820'
option route_allowed_ips '0'
option persistent_keepalive 15
list allowed_ips '0.0.0.0/0'
notify:
- restart network
- name: configure frr (daemons)
lineinfile:
regexp: '^ospfd=.*$'
line: 'ospfd=yes'
path: /etc/frr/daemons
notify:
- restart frr
- name: configure frr (frr.conf)
copy:
src: files/gw-core01_frr.conf
dest: /etc/frr/frr.conf
notify:
- restart frr
handlers:
- name: restart network
service:
name: network
state: restarted
- name: restart frr
service:
name: frr
state: restarted
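Review bot: The two tasks that render secrets, `create wg0 interface file` (template with the wgkey/wgpsk lookups) and `create wg0 interface` (blockinfile with `private_key` and `preshared_key`), carry no `no_log: true`, so the WireGuard private keys and PSK fetched from the password store are printed in the task output and in any `--diff` or verbose run and end up in whatever callback or CI log captures them; add `no_log: true` to both. The `copy` of `files/gw-core01_frr.conf` sets no `mode` although the file carries the vty password, and blockinfile leaves `/etc/config/network` at whatever mode it already has, so the private key inherits that; set `mode: '0640'` (plus the frr owner/group) on the copy and confirm the network config is root-only. Separately, the `restart ospfd` handler uses `state: restart`, which is not a value the service module accepts (`started`/`stopped`/`restarted`/`reloaded`), so the handler will fail the first time the ospfd.conf task reports a change; it should be `state: restarted`. `enabled: yes` and `gather_facts: no` work but are YAML 1.1 truthy spellings; `true`/`false` is the portable form.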

5
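--- a/templates/hostname.wg0
+++ b/templates/hostname.wg0
@@ -0,0 +1,5 @@
+inet 10.84.254.0/31
+mtu 1350
+wgport 51820
+wgkey {{ lookup('passwordstore', 'wg/wg0/eae-adp-jump01') }}
+wgpeer {{ lookup('passwordstore', 'wg/wg0/gw-core01.pub') }} wgpsk {{ lookup('passwordstore', 'wg/wg0/psk') }} wgaip 0.0.0.0/0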