add tinc config for IC vpn
This commit is contained in:
parent
2f716a1d6e
commit
ed0e497765
3 changed files with 110 additions and 3 deletions
|
@ -95,6 +95,13 @@ class { 'ff_gw':
|
|||
dhcprange_start => '10.112.30.2',
|
||||
dhcprange_end => '10.112.31.254',
|
||||
|
||||
# only for inter-city VPN hosts
|
||||
gw_do_ic_peering => true,
|
||||
tinc_name => 'hamburg01',
|
||||
tinc_keyfile => '/etc/tinc/rsa_key.priv',
|
||||
ic_vpn_ip4 => '10.207.X.Y',
|
||||
ic_vpn_ip6 => 'fec0::a:cf:X:Y',
|
||||
|
||||
# secret credentials for fastd and vpn
|
||||
secret_key => '...',
|
||||
vpn_ca_crt => '-----BEGIN CERTIFICATE-----
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
class ff_gw($ff_net, $ff_mesh_net, $ff_as, $mesh_mac, $gw_ipv4, $gw_ipv6, $secret_key, $vpn_ca_crt, $vpn_usr_crt, $vpn_usr_key, $dhcprange_start, $dhcprange_end, $gw_do_ic_peering = false) {
|
||||
class ff_gw($ff_net, $ff_mesh_net, $ff_as, $mesh_mac, $gw_ipv4, $gw_ipv6, $secret_key, $vpn_ca_crt, $vpn_usr_crt, $vpn_usr_key, $dhcprange_start, $dhcprange_end, $gw_do_ic_peering = false, $tinc_name, $tinc_keyfile, $ic_vpn_ip4, $ic_vpn_ip6) {
|
||||
class { 'ff_gw::software': }
|
||||
->
|
||||
class { 'ff_gw::fastd':
|
||||
|
@ -19,8 +19,8 @@ class ff_gw($ff_net, $ff_mesh_net, $ff_as, $mesh_mac, $gw_ipv4, $gw_ipv6, $secre
|
|||
}
|
||||
->
|
||||
class { 'ff_gw::vpn':
|
||||
usr_crt => $vpn_usr_crt,
|
||||
usr_key => $vpn_usr_key,
|
||||
usr_crt => $vpn_usr_crt,
|
||||
usr_key => $vpn_usr_key,
|
||||
ca_crt => $vpn_ca_crt,
|
||||
}
|
||||
->
|
||||
|
@ -36,6 +36,15 @@ class ff_gw($ff_net, $ff_mesh_net, $ff_as, $mesh_mac, $gw_ipv4, $gw_ipv6, $secre
|
|||
own_ipv6 => $gw_ipv6,
|
||||
gw_do_ic_peering => $gw_do_ic_peering,
|
||||
}
|
||||
|
||||
if $gw_do_ic_peering {
|
||||
class { 'ff_gw::tinc':
|
||||
tinc_name => $tinc_name,
|
||||
tinc_keyfile => $tinc_keyfile,
|
||||
ic_vpn_ip4 => $ic_vpn_ip4,
|
||||
ic_vpn_ip4 => $ic_vpn_ip6
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
class ff_gw::software {
|
||||
|
@ -69,6 +78,7 @@ class ff_gw::fastd($mesh_mac, $gw_ipv4, $gw_ipv6, $secret_key) {
|
|||
content => template('ff_gw/etc/fastd/ffhh-mesh-vpn/fastd.conf.erb');
|
||||
'/etc/fastd/ffhh-mesh-vpn/secret.conf':
|
||||
ensure => file,
|
||||
mode => '0600',
|
||||
content => inline_template('secret "<%= @secret_key %>";');
|
||||
'/root/bin':
|
||||
ensure => directory;
|
||||
|
@ -462,3 +472,45 @@ class ff_gw::bird($ff_net, $ff_mesh_net, $ff_as, $own_ipv4, $own_ipv6, $gw_do_ic
|
|||
require => Service['openvpn'],
|
||||
}
|
||||
}
|
||||
|
||||
class ff_gw::tinc($tinc_name, $tinc_keyfile = '/etc/tinc/rsa_key.priv', $ic_vpn_ip4, $ic_vpn_ip6, $version = 'present') {
|
||||
package {
|
||||
'tinc':
|
||||
ensure => $version,
|
||||
}
|
||||
->
|
||||
vcsrepo { '/etc/tinc/icvpn':
|
||||
ensure => present,
|
||||
provider => git,
|
||||
source => 'https://github.com/freifunk/icvpn',
|
||||
}
|
||||
->
|
||||
file {
|
||||
'/etc/tinc/icvpn/tinc.conf':
|
||||
ensure => file,
|
||||
content => template('ff_gw/etc/tinc/icvpn/tinc.conf.erb');
|
||||
'/etc/tinc/icvpn/tinc-up':
|
||||
ensure => file,
|
||||
mode => '0755';
|
||||
content => inline_template('#!/bin/sh
|
||||
/sbin/ip link set dev $INTERFACE up
|
||||
/sbin/ip addr add dev $INTERFACE <%= @ic_vpn_ip4 %>/16 broadcast 10.207.255.255
|
||||
/sbin/ip -6 addr add dev $INTERFACE <%= @ic_vpn_ip6 %>/96 preferred_lft 0
|
||||
');
|
||||
'/etc/tinc/icvpn/tinc-down':
|
||||
ensure => file,
|
||||
mode => '0755';
|
||||
content => inline_template('#!/bin/sh
|
||||
/sbin/ip addr del dev $INTERFACE <%= @ic_vpn_ip4 %>/16 broadcast 10.207.255.255
|
||||
/sbin/ip -6 addr del dev $INTERFACE <%= @ic_vpn_ip6 %>/96
|
||||
/sbin/ip link set dev $INTERFACE down
|
||||
');
|
||||
}
|
||||
~>
|
||||
service {
|
||||
'tinc':
|
||||
ensure => running,
|
||||
enable => true,
|
||||
require => Service['openvpn'],
|
||||
}
|
||||
}
|
||||
|
|
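Review bot: The `ff_gw::tinc` declaration inside `if $gw_do_ic_peering` passes `ic_vpn_ip4` twice (the second time with `$ic_vpn_ip6`), so the catalog fails on a duplicate parameter and the required `$ic_vpn_ip6` of `ff_gw::tinc` is never supplied; the line should read `ic_vpn_ip6 => $ic_vpn_ip6`. In the new `ff_gw::tinc` class, the `tinc-up` and `tinc-down` file resources terminate the `mode` attribute with `;`, which closes that resource body before the following `content` attribute and will not parse; both should be `mode => '0755',`. The new `ff_gw` parameters `$tinc_name`, `$tinc_keyfile`, `$ic_vpn_ip4` and `$ic_vpn_ip6` carry no defaults, so every gateway must set them even when `$gw_do_ic_peering` stays `false`; `= undef` defaults (and `= '/etc/tinc/rsa_key.priv'` for the keyfile, matching `ff_gw::tinc`) keep the peering genuinely optional. Nothing in the manifest creates or sets permissions on the file named by `$tinc_keyfile`, so it is presumably provisioned out of band; a comment next to the parameter such as `# private key is provisioned out of band and must not be world-readable` would make that contract explicit.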
48
templates/etc/tinc/icvpn/tinc.conf.erb
Normal file
48
templates/etc/tinc/icvpn/tinc.conf.erb
Normal file
|
@ -0,0 +1,48 @@
|
|||
Name = <%= @tinc_name %>
|
||||
PrivateKeyFile = <%= @tinc_keyfile %>
|
||||
Mode = Switch
|
||||
PingTimeout = 30
|
||||
Port = 656
|
||||
Hostnames = yes
|
||||
|
||||
ConnectTo = augsburg1
|
||||
ConnectTo = augsburg2
|
||||
ConnectTo = bayreuth1
|
||||
ConnectTo = berlin1
|
||||
ConnectTo = bielefeld1
|
||||
ConnectTo = bielefeld2
|
||||
ConnectTo = bremen2
|
||||
ConnectTo = chemnitz1
|
||||
ConnectTo = diac24_sbc
|
||||
ConnectTo = diac24_sbz
|
||||
ConnectTo = dresden1
|
||||
ConnectTo = ffhallevpn1
|
||||
ConnectTo = franken1
|
||||
ConnectTo = franken2
|
||||
ConnectTo = franken3
|
||||
ConnectTo = franken_ro1
|
||||
ConnectTo = Frankfurt1
|
||||
ConnectTo = freiburg1
|
||||
ConnectTo = gronau1
|
||||
ConnectTo = gronau2
|
||||
ConnectTo = halle1
|
||||
ConnectTo = halle2
|
||||
ConnectTo = jena1
|
||||
ConnectTo = jena2
|
||||
ConnectTo = kiel1
|
||||
ConnectTo = kiel13
|
||||
ConnectTo = kiel3
|
||||
ConnectTo = kiel4
|
||||
ConnectTo = koeln1
|
||||
ConnectTo = leipzig1
|
||||
ConnectTo = leipzig2
|
||||
ConnectTo = ljubljana1
|
||||
ConnectTo = luebeck1
|
||||
ConnectTo = luebeck2
|
||||
ConnectTo = mainz1
|
||||
ConnectTo = nrw2
|
||||
ConnectTo = oldenburg1
|
||||
ConnectTo = weimar1
|
||||
ConnectTo = weimar2
|
||||
ConnectTo = wermelskirchen1
|
||||
|
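Review bot: `Hostnames = yes` makes tinc resolve the addresses of peers it connects to or accepts; in tinc these lookups are blocking and can stall the daemon when the resolver is slow, and since peers are reached via their host files anyway, `Hostnames = no` is the more robust setting for a gateway. The `ConnectTo` list is maintained by hand while the matching host files come from the `vcsrepo` clone of freifunk/icvpn in `ff_gw::tinc` with `ensure => present`, so the clone is presumably never refreshed and an entry without a host file under the clone's hosts directory shows up as an error at startup; a header comment like `<%# every ConnectTo needs a matching hosts/<name> file in the icvpn checkout %>` would record that dependency.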