From 8c2e40bd56ab786a6b337c55bc1281db3b8948d0 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Mon, 24 Aug 2020 17:40:00 +0200
Subject: [PATCH] [wireguard] Use NDP and ARP proxy

---
 plays/wireguard.yml | 2 +-
 roles/wireguard/tasks/main.yml | 26 -----------
 roles/wireguard/templates/nftables.conf | 43 -------------------
 .../templates/wireguard/sputnik.conf.j2 | 11 +++--
 4 files changed, 6 insertions(+), 76 deletions(-)
 delete mode 100644 roles/wireguard/templates/nftables.conf

diff --git a/plays/wireguard.yml b/plays/wireguard.yml
index 3ddd0b27..e1875021 100755
--- a/plays/wireguard.yml
+++ b/plays/wireguard.yml
@@ -17,7 +17,7 @@
 debian_mirror: http://mirror.adm.crans.org/debian
 wireguard:
 sputnik: false
- if: ens20
+ if: ens18
 private_key: "{{ vault_wireguard_boeing_private_key }}"
 peer_public_key: "{{ vault_wireguard_sputnik_public_key }}"
 roles:
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
index 0cb16004..06b08d14 100644
--- a/roles/wireguard/tasks/main.yml
+++ b/roles/wireguard/tasks/main.yml
@@ -46,29 +46,3 @@
 name: wg-quick@sputnik
 state: started
 enabled: true
-
-- name: Install nftables
- apt:
- name: nftables
- state: present
- update_cache: true
- register: apt_result
- retries: 3
- until: apt_result is succeeded
- when: not wireguard.sputnik
-
-- name: Deploy nftables.conf
- template:
- src: nftables.conf
- dest: /etc/nftables.conf
- mode: 0644
- owner: root
- group: root
- when: not wireguard.sputnik
-
-- name: Enable and start nftables
- systemd:
- name: nftables
- enabled: true
- state: started
- when: not wireguard.sputnik
diff --git a/roles/wireguard/templates/nftables.conf b/roles/wireguard/templates/nftables.conf
deleted file mode 100644
index 58493072..00000000
--- a/roles/wireguard/templates/nftables.conf
+++ /dev/null
@@ -1,43 +0,0 @@
-#!/usr/sbin/nft -f
-
-flush ruleset
-
-{% set sputnik_ip = (query('ldap', 'ip', 'sputnik', 'adm') | ipv4)[0] %}
-table ip nat {
- chain prerouting {
- type nat hook prerouting priority 0; policy accept;
- ip daddr {{ sputnik_ip }} dnat to 172.31.0.2
- }
- chain postrouting {
- type nat hook postrouting priority 100; policy accept;
- ip saddr 172.31.0.2 ip protocol icmp snat to {{ sputnik_ip }}
- ip saddr 172.31.0.2 ip protocol tcp snat to {{ sputnik_ip }}
- ip saddr 172.31.0.2 ip protocol udp snat to {{ sputnik_ip }}
- }
-}
-
-{% set sputnik_ip6 = (query('ldap', 'ip', 'sputnik', 'adm') | ipv6)[0] %}
-table ip6 nat {
- chain prerouting {
- type nat hook prerouting priority 0; policy accept;
- ip6 daddr {{ sputnik_ip6 }} dnat to fd0c:700:0:8::2
- }
- chain postrouting {
- type nat hook postrouting priority 100; policy accept;
- ip6 saddr fd0c:700:0:8::2 ip6 nexthdr icmpv6 snat to {{ sputnik_ip6 }}
- ip6 saddr fd0c:700:0:8::2 ip6 nexthdr tcp snat to {{ sputnik_ip6 }}
- ip6 saddr fd0c:700:0:8::2 ip6 nexthdr udp snat to {{ sputnik_ip6 }}
- }
-}
-
-table inet filter {
- chain input {
- type filter hook input priority 0;
- }
- chain forward {
- type filter hook forward priority 0;
- }
- chain output {
- type filter hook output priority 0;
- }
-}
diff --git a/roles/wireguard/templates/wireguard/sputnik.conf.j2 b/roles/wireguard/templates/wireguard/sputnik.conf.j2
index aa19a227..e1ed981a 100644
--- a/roles/wireguard/templates/wireguard/sputnik.conf.j2
+++ b/roles/wireguard/templates/wireguard/sputnik.conf.j2
@@ -1,7 +1,7 @@
 {{ ansible_header | comment }}
 {% if wireguard.sputnik %}
 [Interface]
-Address = 172.31.0.2/30, fd0c:700:0:8::2/64
+Address = 172.16.10.32/24, fd00::10:0:ff:fe00:3210/64
 ListenPort = 51820
 PrivateKey = {{ wireguard.private_key }}
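Review bot: The new `Address` on the sputnik side is hard-coded to `172.16.10.32/24` and `fd00::10:0:ff:fe00:3210/64`, while the boeing peer's `AllowedIPs` for this host (second hunk of this file) is now derived from `query('ldap', 'ip', 'sputnik', 'adm')`; if the LDAP record ever differs from these literals, WireGuard's cryptokey routing silently drops the traffic instead of failing at deploy time. The same lookup could feed both ends, e.g. `Address = {{ (query('ldap', 'ip', 'sputnik', 'adm') | ipv4)[0] }}/24, {{ (query('ldap', 'ip', 'sputnik', 'adm') | ipv6)[0] }}/64`, keeping the prefix lengths as the hunk has them (I cannot confirm from here that /24 and /64 are the adm network's prefixes). If the literals are kept on purpose, a one-line Jinja comment above the line stating that these must stay equal to the host's adm addresses in LDAP would save the next editor the same question.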
@@ -9,20 +9,19 @@ PostUp = /sbin/ip link set sputnik alias adm
 [Peer]
 PublicKey = {{ wireguard.peer_public_key }}
-AllowedIPs = 172.31.0.1/32, fd0c:700:0:8::1/128, {{ query('ldap', 'network', 'adm') }}, fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64
+AllowedIPs = {{ query('ldap', 'network', 'adm') }}, fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64
 Endpoint = {{ (query('ldap', 'ip', 'boeing', 'srv') | ipv4)[0]Â }}:51820
 {% else %}
 [Interface]
-Address = 172.31.0.1/30, fd0c:700:0:8::1/64
 ListenPort = 51820
 PrivateKey = {{ wireguard.private_key }}
-PostUp = ifup {{ wireguard.if }}; systemctl start nftables
-PostDown = ifdown {{ wireguard.if }}; systemctl stop nftables
+PostUp = sysctl -w net.ipv4.conf.{{ wireguard.if }}.proxy_arp=1; sysctl -w net.ipv4.conf.sputnik.proxy_arp=1; sysctl -w net.ipv6.conf.{{ wireguard.if }}.proxy_ndp=1; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=1; ip neigh add proxy {{ (query('ldap', 'ip', 'sputnik', 'adm') | ipv6)[0] }} dev {{ wireguard.if }}
+PostDown = sysctl -w net.ipv4.conf.{{ wireguard.if }}.proxy_arp=0; sysctl -w net.ipv4.conf.sputnik.proxy_arp=0; sysctl -w net.ipv6.conf.{{ wireguard.if }}.proxy_ndp=0; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=0; ip neigh delete proxy {{ (query('ldap', 'ip', 'sputnik', 'adm') | ipv6)[0] }} dev {{ wireguard.if }}
 [Peer]
 PublicKey = {{ wireguard.peer_public_key }}
-AllowedIPs = 172.31.0.2/32, fd0c:700:0:8::2/128
+AllowedIPs = {{ (query('ldap', 'ip', 'sputnik', 'adm') | ipv4)[0] }}/32, {{ (query('ldap', 'ip', 'sputnik', 'adm') | ipv6)[0] }}/128
 Endpoint = {{ (query('ldap', 'ip', 'sputnik', 'srv') | ipv4)[0] }}:51820
 {% endif %}
-- GitLab
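Review bot: `net.ipv4.conf.{{ wireguard.if }}.proxy_arp=1` in the new `PostUp` is route-based — as I read the kernel behaviour, boeing will then answer ARP on that interface for any destination it routes out of a different interface, not only for sputnik's address — whereas the IPv6 side is scoped to a single address with `ip neigh add proxy ... dev {{ wireguard.if }}`. A matching per-address entry, `ip neigh add proxy {{ (query('ldap', 'ip', 'sputnik', 'adm') | ipv4)[0] }} dev {{ wireguard.if }}` with its `ip neigh delete proxy` counterpart in `PostDown`, should keep IPv4 as tightly scoped as IPv6; the `proxy_arp`/`proxy_ndp` sysctls set on the `sputnik` interface itself look like no-ops because the tunnel carries no ARP/ND, but I have not verified that. Both hooks are a single `;`-joined line; wg-quick accepts repeated `PostUp =` / `PostDown =` keys, so giving each command its own entry would make the hooks readable and make a failing step identifiable in the wg-quick output. The old hooks started and stopped `nftables`, and nothing in this commit disables the `nftables` service or removes `/etc/nftables.conf` on hosts already provisioned by the deleted tasks (Ansible does not reverse removed tasks), so the previous DNAT/SNAT ruleset for sputnik's address would stay active next to the new proxy setup — a one-off `systemd: name: nftables, state: stopped, enabled: false` task, or at least a note in the commit message, would close that gap. The unchanged boeing `Endpoint` line shows `]Â }}`, which looks like a stray non-breaking space before `}}` in the source file and may be worth cleaning up while this template is being edited.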