From 17dddde25237fadaf5ec34c667ea5a05ccf15f03 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Mon, 24 Aug 2020 13:46:07 +0200
Subject: [PATCH] [wireguard] Use nftables on boeing
---
plays/wireguard.yml | 6 ++--
roles/wireguard/tasks/main.yml | 26 +++++++++++++++++
roles/wireguard/templates/nftables.conf | 29 +++++++++++++++++++
.../templates/wireguard/sputnik.conf.j2 | 4 +--
4 files changed, 61 insertions(+), 4 deletions(-)
create mode 100644 roles/wireguard/templates/nftables.conf
diff --git a/plays/wireguard.yml b/plays/wireguard.yml
index 2de147e1..3ddd0b27 100755
--- a/plays/wireguard.yml
+++ b/plays/wireguard.yml
@@ -8,7 +8,8 @@
sputnik: true
private_key: "{{ vault_wireguard_sputnik_private_key }}"
peer_public_key: "{{ vault_wireguard_boeing_public_key }}"
- roles: ["wireguard"]
+ roles:
+ - wireguard
- hosts: boeing.adm.crans.org
vars:
@@ -19,4 +20,5 @@
if: ens20
private_key: "{{ vault_wireguard_boeing_private_key }}"
peer_public_key: "{{ vault_wireguard_sputnik_public_key }}"
- roles: ["wireguard"]
+ roles:
+ - wireguard
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
index 06b08d14..0cb16004 100644
--- a/roles/wireguard/tasks/main.yml
+++ b/roles/wireguard/tasks/main.yml
@@ -46,3 +46,29 @@
name: wg-quick@sputnik
state: started
enabled: true
+
+- name: Install nftables
+ apt:
+ name: nftables
+ state: present
+ update_cache: true
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+ when: not wireguard.sputnik
+
+- name: Deploy nftables.conf
+ template:
+ src: nftables.conf
+ dest: /etc/nftables.conf
+ mode: 0644
+ owner: root
+ group: root
+ when: not wireguard.sputnik
+
+- name: Enable and start nftables
+ systemd:
+ name: nftables
+ enabled: true
+ state: started
+ when: not wireguard.sputnik
diff --git a/roles/wireguard/templates/nftables.conf b/roles/wireguard/templates/nftables.conf
new file mode 100644
index 00000000..107c269e
--- /dev/null
+++ b/roles/wireguard/templates/nftables.conf
@@ -0,0 +1,29 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+{% set sputnik_ip = query('ldap', 'ip', 'sputnik', 'adm') %}
+table ip nat {
+ chain prerouting {
+ type nat hook prerouting priority 0; policy accept;
+ ip daddr {{ sputnik_ip }} dnat 172.31.0.2
+ }
+ chain postrouting {
+ type nat hook postrouting priority 100; policy accept;
+ ip saddr 172.31.0.2 ip protocol icmp snat {{ sputnik_ip }}
+ ip saddr 172.31.0.2 ip protocol tcp snat {{ sputnik_ip }}
+ ip saddr 172.31.0.2 ip protocol udp snat {{ sputnik_ip }}
+ }
+}
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0;
+ }
+ chain forward {
+ type filter hook forward priority 0;
+ }
+ chain output {
+ type filter hook output priority 0;
+ }
+}
diff --git a/roles/wireguard/templates/wireguard/sputnik.conf.j2 b/roles/wireguard/templates/wireguard/sputnik.conf.j2
index 4f0ec94a..aa19a227 100644
--- a/roles/wireguard/templates/wireguard/sputnik.conf.j2
+++ b/roles/wireguard/templates/wireguard/sputnik.conf.j2
@@ -17,8 +17,8 @@ Address = 172.31.0.1/30, fd0c:700:0:8::1/64
ListenPort = 51820
PrivateKey = {{ wireguard.private_key }}
-# PostUp = ifup {{ wireguard.if }}; iptables -t nat -A PREROUTING -d 10.231.136.21 -j DNAT --to-destination 172.31.0.2; iptables -t nat -A POSTROUTING -j MASQUERADE; ip6tables -t nat -A PREROUTING -d 2a0c:700:0:2:73:70ff:fe75:7402/128 -j DNAT --to-destination fd0c:700:0:8::2; ip6tables -t nat -A POSTROUTING -j MASQUERADE
-# PostDown = ifdown {{ wireguard.if }}; iptables -t nat -D PREROUTING -d 10.231.136.21 -j DNAT --to-destination 172.31.0.2; iptables -t nat -D POSTROUTING -j MASQUERADE; ip6tables -t nat -D PREROUTING -d 2a0c:700:0:2:73:70ff:fe75:7402/128 -j DNAT --to-destination fd0c:700:0:8::2; ip6tables -t nat -D POSTROUTING -j MASQUERADE
+PostUp = ifup {{ wireguard.if }}; systemctl start nftables
+PostDown = ifdown {{ wireguard.if }}; systemctl stop nftables
[Peer]
PublicKey = {{ wireguard.peer_public_key }}
--
GitLab