From 2de716a405710838cb8f7bfff5df1847b4d7bba3 Mon Sep 17 00:00:00 2001
From: Gregor Michels
Date: Tue, 28 Jun 2022 00:17:14 +0200
Subject: [PATCH] poc for tunnel provisioning
---
files/gw-core01_frr.conf | 16 +++
files/ospfd.conf | 31 ++++++
files/pf.wg0.conf | 5 +
password-store/wg/wg0/eae-adp-jump01.gpg | Bin 0 -> 495 bytes
password-store/wg/wg0/eae-adp-jump01.pub.gpg | Bin 0 -> 495 bytes
password-store/wg/wg0/gw-core01.gpg | 4 +
password-store/wg/wg0/gw-core01.pub.gpg | Bin 0 -> 495 bytes
password-store/wg/wg0/psk.gpg | Bin 0 -> 495 bytes
playbook_provision_backbone.yml | 105 +++++++++++++++++++
templates/hostname.wg0 | 5 +
10 files changed, 166 insertions(+)
create mode 100644 files/gw-core01_frr.conf
create mode 100644 files/ospfd.conf
create mode 100644 files/pf.wg0.conf
create mode 100644 password-store/wg/wg0/eae-adp-jump01.gpg
create mode 100644 password-store/wg/wg0/eae-adp-jump01.pub.gpg
create mode 100644 password-store/wg/wg0/gw-core01.gpg
create mode 100644 password-store/wg/wg0/gw-core01.pub.gpg
create mode 100644 password-store/wg/wg0/psk.gpg
create mode 100644 playbook_provision_backbone.yml
create mode 100644 templates/hostname.wg0
diff --git a/files/gw-core01_frr.conf b/files/gw-core01_frr.conf
new file mode 100644
index 0000000..39077d2
--- /dev/null
+++ b/files/gw-core01_frr.conf
@@ -0,0 +1,16 @@
+password zebra
+!
+router ospf
+ redistribute connected
+!
+log syslog
+!
+interface wg0
+ ip ospf area 0
+ ip ospf network point-to-point
+!
+access-list vty permit 127.0.0.0/8
+access-list vty deny any
+!
+line vty
+ access-class vty
diff --git a/files/ospfd.conf b/files/ospfd.conf
new file mode 100644
index 0000000..d7b71a2
--- /dev/null
+++ b/files/ospfd.conf
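Review bot: `password zebra` on the first line of gw-core01_frr.conf is the stock example password from the FRR docs, and it is the only thing guarding the vty once a connection originates from 127.0.0.0/8 — the `access-list vty` / `access-class vty` lines restrict by source address, not by account, so any local user on gw-core01 can reach the daemon's configuration mode with it. Since the playbook installs this file with `copy:` rather than `template:`, either drop the line (vtysh normally talks over the local socket and does not use it) or switch the task to a template with `password {{ lookup('passwordstore', '<PLACEHOLDER: pass entry for frr vty>') }}`, mirroring how the WireGuard keys are handled. Relatedly, `interface wg0` here and `area 0.0.0.0 { interface wg0 { ... } }` in the ospfd.conf hunk enable OSPF with no `ip ospf authentication` / `auth-type`; that is defensible only because wg0 is a WireGuard tunnel whose peer is already authenticated, so a one-line comment such as `! OSPF auth intentionally omitted: wg0 peers are authenticated by WireGuard` would stop a later maintainer from copying this stanza onto a non-tunnel interface.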
@@ -0,0 +1,31 @@
+# $OpenBSD: ospfd.conf,v 1.2 2018/08/07 07:06:20 claudio Exp $
+
+# macros
+# id="192.0.2.5"
+
+# global configuration
+# router-id $id
+# fib-update no
+# stub router no
+# spf-delay 1
+# spf-holdtime 5
+
+# auth-key secret
+# auth-type simple
+# hello-interval 10
+# metric 10
+# retransmit-interval 5
+# router-dead-time 40
+# router-priority 1
+# transmit-delay 1
+
+# rtlabel "DMZ" external-tag 1
+
+redistribute connected
+
+# areas
+area 0.0.0.0 {
+ interface wg0 {
+ type p2p
+ }
+}
diff --git a/files/pf.wg0.conf b/files/pf.wg0.conf
new file mode 100644
index 0000000..ad8e828
--- /dev/null
+++ b/files/pf.wg0.conf
@@ -0,0 +1,5 @@
+# allow incoming udp packets for wg0
+pass in proto udp from any to self port 51820
+
+# allow ospf on wg0
+pass on wg0 proto ospf
diff --git a/password-store/wg/wg0/eae-adp-jump01.gpg b/password-store/wg/wg0/eae-adp-jump01.gpg
new file mode 100644
index 0000000000000000000000000000000000000000..c85dee709a1f0438ab2a3cbaec538b9f072280cf
GIT binary patch
literal 495
zcmVHT(NUWX5o3QNvgTs8Xpj?nx_P%O9ydbYbkkGRVGx|TLcklO&&in!Yomd@y@>sxOd z(|KFvv-K90vd{|A(%Gd9*XVCnV$tId{XuS*XDX++n)|!$l;42iZ(p*e#N-kj7GYm} zT^q)IjxByG=!OwLi@&Rl_z|J3t$Bzyi>k~GwEW;6`8+|QOYF26M5lRbEcw2TH4Qv&+kl-B9%j?>DH5M2HNe&JS=L zv(DvMAieYbN{~eBvnGp-*|z>3akTs;Ej(dC2dImqMv|ifG=7Ri9i+6zFS3zc39i@C z6}yL31Wx~hqt7A@75N*xwVx$narJ8S7BiXYIR5mzu-UO-(>A8Qez!;m1w>csdsj!7 znlb8A8NO{}C-2T21ZS_P46gU>s{- zW_{yjkGHpauGFXC@C8LV_|`VWx_!sn`wwIexUT`F;yGLLAG-jLPBa}hCw;^&&HIpd lbVo~&I%h3sv~*~UD9h%iuB-V`X7XJNoYX!vN3SLgYXD_2{`CL= literal 0 HcmV?d00001 
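Review bot: `redistribute connected` in ospfd.conf (and its twin under `router ospf` in the gw-core01_frr.conf hunk) injects every directly connected prefix of the jump host into OSPF, which is carried over wg0 and installed on the peer with no filter. If the subnet holding the tunnel endpoint (`162.55.53.85` on the gw-core01 side, and likewise gw-core01's own uplink subnet in the reverse direction) is among those connected routes, the peer learns a more specific route to the WireGuard endpoint via wg0 itself, and the outer UDP packets get routed into the tunnel — I cannot tell from the page whether that subnet is connected on either box, so please verify. A guarded form would be to precede the redistribute line with an exclusion for the public prefix, e.g. `no redistribute <PLACEHOLDER: jump01 public prefix>` (check ospfd.conf(5) for the exact spelling), and a matching `route-map` on the FRR side, or to redistribute only the transfer/LAN prefixes you actually intend to exchange. Also worth a comment in the file: with `type p2p` and a single wg0 interface this config is only safe while wg0 stays the sole OSPF-enabled interface.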
diff --git a/password-store/wg/wg0/eae-adp-jump01.pub.gpg b/password-store/wg/wg0/eae-adp-jump01.pub.gpg new file mode 100644 index 0000000000000000000000000000000000000000..5442489e2926c198d0de23696f651659ae568ccd GIT binary patch literal 495 zcmV{?Wiwr{wcMcvcTWBY(tna&SPoDWUkS>2p^zq9SC-uS7?Vq(4uV!LFt}HmSw7cQaU> z{BmdO;qiXd^82kcUNrf2s36}Asl{p!Wqz}5AIr$)#>D-|PgQtwh6@ukx^f3BGS)O{ zE7i#RTj79MC~zPXqzpsm^1RZ}psc7^z+}ET7&*VN4sS(!+Dc*H7MlwjqXSu@I@Z-7 zh|N{38M!E7vB^36aQ>wLX0x_t=4T8E9Q0$5ev~_A!_rpuaXl2Q^0V!M@5fyIV&AZJ zN6)|Wa%gvFuPz9U`z3I9Bvp&KV|Y+JO-6odp0LUDlR8PbIbXPEhR>6O7o3Q%cDvZ5 zgR{_$XQg@MWX!7pK*BNWgGGb@unC{ajvn{tE$<<2SppW8Y~UY11_jby0ph~c8GW`K zg}<79@CH?~`#6_@!^!lCXKw0|1X|G)-g$SH!ZO=pJLzj;R(qiE(a&VSItixp*u*N> l34&Tg)%pe|JhI-JL*cudR>IWn!FMH@P+Q9UQxmXZ|Np$L{dfQX literal 0 HcmV?d00001 diff --git a/password-store/wg/wg0/gw-core01.gpg b/password-store/wg/wg0/gw-core01.gpg new file mode 100644 index 0000000..a462155 --- /dev/null +++ b/password-store/wg/wg0/gw-core01.gpg @@ -0,0 +1,4 @@ +Rp~ %nT%PC::ڴ/ M-IZ- E1? R΢VՇ+ +1T:(~_qAy9FFc좕CK-DxN[D iz1׀ә*@;c_ +lwoԠVFQtS&J]+ƦeOLQ |.+$iɆl:OHIa= H7x\CԾPA/; + iGfͶkĚtbpuK1R2vGϗL(ٓuw(tzFצdǁzA̍~ºua7̰y/0=J =O ųr? ,+\y yǏ*e^|!!DoqLj+m>9","ly0Z Ǣ %:(0y#rTd}8kHre:5++Be!FuNuRhU53cs6kWJ)A_~mOwyE|HkjxF*847at?n7YSIEF7tasKvnPb4+H(k>$pL(D)L|D`y5bVeAt!^ z@W5?`jo+z-lQHa4_%lE!-x6sRU7#ZUvys*=J=(K-nq)sloO4}~De9{TA6vF;$w;V4Tc$h$+>d1R5`$)1

zux7NT2s3^Ge_z&6dHS^IiFz-E{I|xn(T$~u4cd>D&)|;k4%0&PyZ+K%0b$L<$#z7H z3I$Q8#u7@etu0!o0_w@kkMExzXK+I*2UgnXbd<6=!|K>P^dWW?yn8hw9&hO;heZnD lvwaN}=@NSCU$B-y_a%}@=gMn3*QLPXQY%Ae#X>$$yHopQ`gH&R literal 0 HcmV?d00001
diff --git a/password-store/wg/wg0/psk.gpg b/password-store/wg/wg0/psk.gpg
new file mode 100644
index 0000000000000000000000000000000000000000..06407693e44e38d2bec002154e5f5cb503de7854
GIT binary patch
literal 495
zcmV6UZl3MFA7w#4eo4ZF!GF!&Zi?BWIb zPR`ATnkE3x3hqd)4b!ps8*u6YBqqx81`QcXiu%_Is)1|l{zdVA^yr$$eocc}P8Y|; z^YUOQ<`z%=r&Uy{eM%bLj3(I+oDZ*9@0zM^$_u&8l literal 0 HcmV?d00001
diff --git a/playbook_provision_backbone.yml b/playbook_provision_backbone.yml
new file mode 100644
index 0000000..6948f32
--- /dev/null
+++ b/playbook_provision_backbone.yml
@@ -0,0 +1,105 @@
+---
+- name: configure tunnel on eae-adp-jump01
+ hosts: eae-adp-jump01
+ tasks:
+ - name: create wg0 interface file
+ template:
+ src: templates/hostname.wg0
+ dest: /etc/hostname.wg0
+ mode: 0600
+ notify:
+ - reload interfaces
+
+ - name: create pf.wg0.conf file
+ copy:
+ src: files/pf.wg0.conf
+ dest: /etc/pf.wg0.conf
+ mode: 0600
+ notify:
+ - reload firewall
+
+ - name: include pf.wg0.conf in pf.include.conf
+ lineinfile:
+ path: /etc/pf.include.conf
+ line: 'include "/etc/pf.wg0.conf"'
+ notify:
+ - reload firewall
+
+ - name: create ospfd.conf
+ copy:
+ src: files/ospfd.conf
+ dest: /etc/ospfd.conf
+ mode: 0600
+ validate: "/usr/sbin/ospfd -n -f %s"
+ notify:
+ - restart ospfd
+
+ - name: enable ospfd
+ service:
+ name: ospfd
+ state: started
+ enabled: yes
+
+ handlers:
+ - name: reload firewall
+ command: pfctl -vf /etc/pf.conf
+
+ - name: reload interfaces
+ command: sh /etc/netstart
+
+ - name: restart ospfd
+ service:
+ name: ospfd
+ state: restart
+
+- name: configure tunnel on gw-core01
+ hosts: gw-core01
+ gather_facts: no
+ tasks:
+ - name: create wg0 interface
+ blockinfile:
+ path: /etc/config/network
+ content: |
+ config interface 'wg0'
+ option proto 'wireguard'
+ option private_key "{{ lookup('passwordstore', 'wg/wg0/gw-core01') }}"
+ option listen_port 51820
+ option mtu 1350
+ list addresses '10.84.254.1/31'
+
+ config wireguard_wg0 'eap_adp_jump01'
+ option public_key "{{ lookup('passwordstore', 'wg/wg0/eae-adp-jump01.pub') }}"
+ option preshared_key "{{ lookup('passwordstore', 'wg/wg0/psk') }}"
+ option endpoint_host '162.55.53.85'
+ option endpoint_port '51820'
+ option route_allowed_ips '0'
+ option persistent_keepalive 15
+ list allowed_ips '0.0.0.0/0'
+ notify:
+ - restart network
+
+ - name: configure frr (daemons)
+ lineinfile:
+ regexp: '^ospfd=.*$'
+ line: 'ospfd=yes'
+ path: /etc/frr/daemons
+ notify:
+ - restart frr
+
+ - name: configure frr (frr.conf)
+ copy:
+ src: files/gw-core01_frr.conf
+ dest: /etc/frr/frr.conf
+ notify:
+ - restart frr
+
+ handlers:
+ - name: restart network
+ service:
+ name: network
+ state: restarted
+
+ - name: restart frr
+ service:
+ name: frr
+ state: restarted
diff --git a/templates/hostname.wg0 b/templates/hostname.wg0
new file mode 100644
index 0000000..3a3125f
--- /dev/null
+++ b/templates/hostname.wg0
@@ -0,0 +1,5 @@
+inet 10.84.254.0/31
+mtu 1350
+wgport 51820
+wgkey {{ lookup('passwordstore', 'wg/wg0/eae-adp-jump01') }}
+wgpeer {{ lookup('passwordstore', 'wg/wg0/gw-core01.pub') }} wgpsk {{ lookup('passwordstore', 'wg/wg0/psk') }} wgaip 0.0.0.0/0
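Review bot: The `restart ospfd` handler in the eae-adp-jump01 play uses `state: restart`, which is not a value the `service` module accepts (it takes `started`, `stopped`, `restarted`, `reloaded`), so the first run that changes `/etc/ospfd.conf` will fail at the handler; change it to `state: restarted`, matching the two handlers in the gw-core01 play. Second, the `configure frr (frr.conf)` copy sets no `mode:` while every other file copy in this playbook uses `mode: 0600`, and that file is the one carrying the FRR vty password, so add `mode: 0600` there too (owner/group should match what the frr package on gw-core01 expects — not visible from the page). Third, the `template` task for `/etc/hostname.wg0` and the `blockinfile` task for `/etc/config/network` render WireGuard private keys and the PSK into task content, so their values show up in `--diff` / verbose output and in any callback or log that records task results; `no_log: true` on both tasks keeps them out of run logs. Finally, `ospfd` is started with `enabled: yes` before the `restart ospfd` handler ever runs, which is fine, but a short comment on the `enable ospfd` task noting that it deliberately relies on `validate:` having already rejected a bad config would help the next reader.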