sax-rgs-gw-core01: add laundering client network

v4 works, v6 is still a work in progress launder: * v4 through mullvad * v6 through mowoe
2023-01-18 00:35:25 +01:00 · 2023-01-18 00:35:25 +01:00 · 473d7aa05a
parent c7989547aa
commit 473d7aa05a
8 changed files with 111 additions and 0 deletions
--- a/password-store/wg/wg4/core.mowoe.com.pub.gpg
+++ b/password-store/wg/wg4/core.mowoe.com.pub.gpg
--- a/password-store/wg/wg4/sax-rgs-gw-core01.gpg
+++ b/password-store/wg/wg4/sax-rgs-gw-core01.gpg
--- a/password-store/wg/wg5/mullvad.pub.gpg
+++ b/password-store/wg/wg5/mullvad.pub.gpg
--- a/password-store/wg/wg5/sax-rgs-gw-core01.gpg
+++ b/password-store/wg/wg5/sax-rgs-gw-core01.gpg
--- a/templates/gateways/sax-rgs-gw-core01/etc/config/dhcp
+++ b/templates/gateways/sax-rgs-gw-core01/etc/config/dhcp
@ -30,6 +30,22 @@ config dhcp 'mgmt'
 	list ra_flags 'managed-config'
 	list ra_flags 'other-config'

+config dhcp 'clients'
+        option interface 'clients'
+        # from: 10.86.4.2
+        # to: 10.86.7.254
+        # start: 2
+        # limit: 1020
+        option start '2'
+        option limit '1020'
+        option leasetime '12h'
+        option dhcpv4 'server'
+        option dhcpv6 'server'
+        option ra 'server'
+        option ra_slaac '1'
+        list ra_flags 'managed-config'
+        list ra_flags 'other-config'
+
 config dhcp 'backoffice'
 	option interface 'backoffice'
 	option start '100'
--- a/templates/gateways/sax-rgs-gw-core01/etc/config/firewall
+++ b/templates/gateways/sax-rgs-gw-core01/etc/config/firewall
@ -13,6 +13,13 @@ config zone
 	option output		ACCEPT
 	option forward		REJECT

+config zone
+	option name		clients
+	list network		clients
+	option input		REJECT
+	option output		ACCEPT
+	option forward		REJECT
+
 config zone
 	option name		backoffice
 	list   network		'backoffice'
@ -20,6 +27,20 @@ config zone
 	option output		ACCEPT
 	option forward		REJECT

+config zone
+	option name		launder
+	list network		wg4
+	list network		wg5
+	option input		REJECT
+	option output		ACCEPT
+	option forward		REJECT
+	option masq 		1
+	option mtu_fix		1
+
+config forwarding
+	option src		clients
+	option dest		launder
+
 config zone
 	option name		backbone
 	list network		wg3
@ -27,6 +48,21 @@ config zone
 	option output 		ACCEPT
 	option forward		REJECT

+ config rule
+        option name             CLIENTS_Allow-DHCP
+        option src              clients
+        option proto            udp
+        option dest_port        67-68
+        option target           ACCEPT
+        option family           ipv4
+
+config rule
+        option name             CLIENTS_Allow-DNS
+        option src              clients
+        option proto            udp
+        option dest_port        53
+        option target           ACCEPT
+
 config rule
 	option name		From-BACKBONE-Allow-OSPF
 	option src		backbone
--- a/templates/gateways/sax-rgs-gw-core01/etc/config/network
+++ b/templates/gateways/sax-rgs-gw-core01/etc/config/network
@ -71,6 +71,12 @@ config interface 'wan6'
        option device 'switch.3'
        option proto 'dhcpv6'

+config interface 'clients'
+        option device 'switch.2'
+        option proto 'static'
+        option ipaddr '10.86.4.1'
+        option netmask '255.255.252.0'
+
 config interface 'backoffice'
        option device 'switch.8'
        option proto 'static'
@ -93,3 +99,43 @@ config wireguard_wg3 'eap_adp_jump01'
        option route_allowed_ips '0'
        option persistent_keepalive 15
        list allowed_ips '0.0.0.0/0'
+
+config interface 'wg4'
+        option proto 'wireguard'
+        option private_key "{{ lookup('passwordstore', 'wg/wg4/sax-rgs-gw-core01') }}"
+        list addresses 'fe80:2131:27:189::2/64'
+        option disabled '0'
+
+# routes 2a0e:8f02:f000:2e61::1/64 to the link-local of wg4
+config wireguard_wg4 'core_mowoe_com'
+        option public_key "{{ lookup('passwordstore', 'wg/wg4/core.mowoe.com.pub') }}"
+        option endpoint_host 'core.mowoe.com'
+        option endpoint_port '51821'
+        option route_allowed_ips '0'
+        option persistent_keepalive 15
+        list allowed_ips '::/0'
+
+config interface 'wg5'
+        option ip4table 'launder'
+        option proto 'wireguard'
+        option private_key "{{ lookup('passwordstore', 'wg/wg5/sax-rgs-gw-core01') }}"
+        list addresses '10.67.171.28'
+        option disabled '0'
+
+config wireguard_wg5 'mullvad'
+        option public_key "{{ lookup('passwordstore', 'wg/wg5/mullvad.pub') }}"
+        option endpoint_host '146.70.117.162'
+        option endpoint_port '51820'
+        option route_allowed_ips '1'
+        option persistent_keepalive 15
+        list allowed_ips '0.0.0.0/0'
+
+config rule
+        option in 'clients'
+        option lookup 'launder'
+        option priority 50
+
+config rule
+        option in 'clients'
+        option action prohibit
+        option priority 51
--- a/templates/gateways/sax-rgs-gw-core01/etc/iproute2/rt_tables
+++ b/templates/gateways/sax-rgs-gw-core01/etc/iproute2/rt_tables
@ -0,0 +1,13 @@
+#
+# reserved values
+#
+128	prelocal
+255	local
+254	main
+253	default
+0	unspec
+20	launder
+#
+# local
+#
+#1	inr.ruhep