poc for tunnel provisioning
parent
25e7a4c14f
commit
2de716a405
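--- /dev/null
+++ b/files/gw-core01_frr.conf
@@ -0,0 +1,16 @@
+password zebra
+!
+router ospf
+redistribute connected
+!
+log syslog
+!
+interface wg0
+ip ospf area 0
+ip ospf network point-to-point
+!
+access-list vty permit 127.0.0.0/8
+access-list vty deny any
+!
+line vty
+access-class vty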
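Review bot: `password zebra` on the first line of the hunk is the stock example credential committed in clear text, while every other secret in this commit (wgkey, wgpsk, private_key, public keys) is pulled from passwordstore; render it the same way, e.g. `password {{ lookup('passwordstore', '<passwordstore path for the vty password>') }}` with the file moved under templates/, or drop the line if the vty is presumably only ever reached through vtysh's local socket. The `access-list vty permit 127.0.0.0/8` / `access-class vty` pair does confine the vty to localhost, which limits exposure to local users on gw-core01, so this is a hygiene issue rather than a remote one. `redistribute connected` under `router ospf` exports every connected prefix of the core router over the tunnel; that looks intended for a core gateway, but a one-line comment stating which prefixes are meant to reach the jump host would make the policy reviewable.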
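--- /dev/null
+++ b/files/ospfd.conf
@@ -0,0 +1,31 @@
+# $OpenBSD: ospfd.conf,v 1.2 2018/08/07 07:06:20 claudio Exp $
+
+# macros
+# id="192.0.2.5"
+
+# global configuration
+# router-id $id
+# fib-update no
+# stub router no
+# spf-delay 1
+# spf-holdtime 5
+
+# auth-key secret
+# auth-type simple
+# hello-interval 10
+# metric 10
+# retransmit-interval 5
+# router-dead-time 40
+# router-priority 1
+# transmit-delay 1
+
+# rtlabel "DMZ" external-tag 1
+
+redistribute connected
+
+# areas
+area 0.0.0.0 {
+interface wg0 {
+type p2p
+}
+}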
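Review bot: No `router-id` is set (the line stays commented as `# router-id $id`), so ospfd has to derive one from an interface address, which can change with the host's addressing; pinning it, e.g. `router-id 10.84.254.0` matching the tunnel address from templates/hostname.wg0, keeps the ID stable and makes the neighbour easy to recognise in gw-core01's OSPF logs. The commented OpenBSD example stanzas (`# id="192.0.2.5"`, the `# auth-key` … `# transmit-delay` block, `# rtlabel "DMZ" external-tag 1`) carry no configuration and could be trimmed to the three active statements so the intent is visible at a glance. `redistribute connected` exports every directly connected prefix of the jump host, presumably including the subnet of its public endpoint 162.55.53.85; if only the tunnel and selected subnets are meant to be advertised to the core router, a narrower `redistribute <prefix>` per intended prefix is the safer default.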
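--- /dev/null
+++ b/files/pf.wg0.conf
@@ -0,0 +1,5 @@
+# allow incoming udp packets for wg0
+pass in proto udp from any to self port 51820
+
+# allow ospf on wg0
+pass on wg0 proto ospf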
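Review bot: The first rule accepts UDP 51820 from any source and the comment above it does not say why it is not narrowed to the peer; since gw-core01 dials in with `persistent_keepalive` and no fixed endpoint for it appears anywhere in the playbook, the wide source looks deliberate, and WireGuard discards datagrams that do not authenticate against a configured peer, so it is acceptable as long as that reasoning is recorded in the file, e.g. `# peer address is not fixed (gw-core01 dials in); WireGuard drops unauthenticated datagrams`. `pass on wg0 proto ospf` is already scoped to the tunnel interface, which is the right boundary for the routing protocol.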
Binary file not shown.
Binary file not shown.
@ -0,0 +1,4 @@
|
||||||
|
┘▄R╠pк~╞еаЩ╕%nT%≤ОPН⌡┬╔C::╨Ьз╢Р/M-IеZ-║Ч
ЛУ╦E1?Rн╒╜В┴▓╕╘Vеу┤+╫╒
|
||||||
|
1≈╞T:Т·▓зэЬ(~_q╡Ay9FЗСFcЛ╒∙C╬└╤блK╤⌡ЯКл-Dю■xЮN╒[D╤ Гiz∙1Ёв─с≥║╙╚*@е;▀÷▒┐c∙чН_Я
|
||||||
|
l╥Дwoт═VжF▒туQtПSю&ыJ╧М]═пю+ф╕eюOЫ╜L°QЦ█и Ё|.Н+$iи├ъl:И┤OРH÷Ia▒=ТHх7Гx╣\C╓═┘ыт╬╩ДPцA≈/└═Ю;
|
||||||
|
°iG┴Шйfм╤╟kИЯ╛цд tbp│йuK1╡R2аvнGо≈Lйп(пы⌠тu╕ъw(tzFв╕dбг│Ф╖╠√z÷ПAл█~хб╨uaМ╞7▐Гл╟y/0▀╟=БJ=ьOу еЁ╛rы? ╤Ё,+\│║ y АЭЫyг▐*┴┼eСр^|≤!!D≥√зoqLj╚╗+m>9","ЪФly0╓Zг╒
╗┌%:(╪т0y║#r▀лT╙В╘╖Уd}Я┼я8ъцk╢H▓вre:╟цз<╖Cp⌡©-вД 9
|
Binary file not shown.
Binary file not shown.
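--- /dev/null
+++ b/<playbook path not shown on page>
@@ -0,0 +1,105 @@
+---
+- name: configure tunnel on eae-adp-jump01
+hosts: eae-adp-jump01
+tasks:
+- name: create wg0 interface file
+template:
+src: templates/hostname.wg0
+dest: /etc/hostname.wg0
+mode: 0600
+notify:
+- reload interfaces
+
+- name: create pf.wg0.conf file
+copy:
+src: files/pf.wg0.conf
+dest: /etc/pf.wg0.conf
+mode: 0600
+notify:
+- reload firewall
+
+- name: include pf.wg0.conf in pf.include.conf
+lineinfile:
+path: /etc/pf.include.conf
+line: 'include "/etc/pf.wg0.conf"'
+notify:
+- reload firewall
+
+- name: create ospfd.conf
+copy:
+src: files/ospfd.conf
+dest: /etc/ospfd.conf
+mode: 0600
+validate: "/usr/sbin/ospfd -n -f %s"
+notify:
+- restart ospfd
+
+- name: enable ospfd
+service:
+name: ospfd
+state: started
+enabled: yes
+
+handlers:
+- name: reload firewall
+command: pfctl -vf /etc/pf.conf
+
+- name: reload interfaces
+command: sh /etc/netstart
+
+- name: restart ospfd
+service:
+name: ospfd
+state: restart
+
+- name: configure tunnel on gw-core01
+hosts: gw-core01
+gather_facts: no
+tasks:
+- name: create wg0 interface
+blockinfile:
+path: /etc/config/network
+content: |
+config interface 'wg0'
+option proto 'wireguard'
+option private_key "{{ lookup('passwordstore', 'wg/wg0/gw-core01') }}"
+option listen_port 51820
+option mtu 1350
+list addresses '10.84.254.1/31'
+
+config wireguard_wg0 'eap_adp_jump01'
+option public_key "{{ lookup('passwordstore', 'wg/wg0/eae-adp-jump01.pub') }}"
+option preshared_key "{{ lookup('passwordstore', 'wg/wg0/psk') }}"
+option endpoint_host '162.55.53.85'
+option endpoint_port '51820'
+option route_allowed_ips '0'
+option persistent_keepalive 15
+list allowed_ips '0.0.0.0/0'
+notify:
+- restart network
+
+- name: configure frr (daemons)
+lineinfile:
+regexp: '^ospfd=.*$'
+line: 'ospfd=yes'
+path: /etc/frr/daemons
+notify:
+- restart frr
+
+- name: configure frr (frr.conf)
+copy:
+src: files/gw-core01_frr.conf
+dest: /etc/frr/frr.conf
+notify:
+- restart frr
+
+handlers:
+- name: restart network
+service:
+name: network
+state: restarted
+
+- name: restart frr
+service:
+name: frr
+state: restarted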
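Review bot: The `restart ospfd` handler uses `state: restart`, which is not a value the service module accepts (the `restart network` and `restart frr` handlers correctly use `restarted`), so the handler will fail the first time the `create ospfd.conf` task notifies it; change it to `state: restarted`. The `configure frr (frr.conf)` copy task sets no `mode`, unlike the three file tasks on the jump host that use 0600, so the file that contains `password zebra` lands with whatever the default umask gives; add `mode: "0600"` there, quote the other three modes as `"0600"` so no YAML parser reads them as decimal 600, and confirm whether FRR expects the file owned by its own service user. Two smaller points: `enabled: yes` and `gather_facts: no` should be the canonical `true`/`false`, and the UCI section name `eap_adp_jump01` looks like a typo for the host `eae-adp-jump01`. Finally, the `reload interfaces` handler runs `sh /etc/netstart` for every interface; `sh /etc/netstart wg0` would limit it to the tunnel and avoid bouncing the interface the Ansible session itself rides on.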
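--- /dev/null
+++ b/templates/hostname.wg0
@@ -0,0 +1,5 @@
+inet 10.84.254.0/31
+mtu 1350
+wgport 51820
+wgkey {{ lookup('passwordstore', 'wg/wg0/eae-adp-jump01') }}
+wgpeer {{ lookup('passwordstore', 'wg/wg0/gw-core01.pub') }} wgpsk {{ lookup('passwordstore', 'wg/wg0/psk') }} wgaip 0.0.0.0/0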
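Review bot: `wgaip 0.0.0.0/0` on the last line is the access-control decision in this file — any inner source address is accepted from gw-core01 — and nothing says why it is that wide; presumably because the prefixes arrive via OSPF over wg0 and cannot be enumerated up front, so record that with a comment line above the peer entry such as `# wgaip 0.0.0.0/0: reachable prefixes are learned via OSPF, so allowed IPs cannot be listed statically` (hostname.if files tolerate `#` comment lines, but confirm against the target release). The unquoted `{{ lookup(...) }}` expansions are fine here because this is an ifconfig-style file rather than YAML; once rendered the file holds the private key, which the `mode: 0600` on the template task covers.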