From d67b78773673b939831588836bee081d1360fd3c Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Sat, 12 Sep 2020 14:29:52 +0000
Subject: [PATCH] Add basic infrastructure for wireguard tunnels
---
 cookbooks/networking/attributes/default.rb | 6 ++
 cookbooks/networking/recipes/default.rb | 74 +++++++++++++++++++
 .../default/shorewall-interfaces.erb | 1 +
 .../templates/default/wireguard.netdev.erb | 20 +++++
 .../templates/default/wireguard.network.erb | 8 ++
 test/data_bags/networking/keys.json | 4 +
 6 files changed, 113 insertions(+)
 create mode 100644 cookbooks/networking/templates/default/wireguard.netdev.erb
 create mode 100644 cookbooks/networking/templates/default/wireguard.network.erb
 create mode 100644 test/data_bags/networking/keys.json
diff --git a/cookbooks/networking/attributes/default.rb b/cookbooks/networking/attributes/default.rb
index 8edc93279..d2ec5957d 100644
--- a/cookbooks/networking/attributes/default.rb
+++ b/cookbooks/networking/attributes/default.rb
@@ -1,3 +1,5 @@
+wireguard_id = %x(systemd-id128 machine-id -a 3f36688c233848dfa84e4b176195622e)
+
 default[:networking][:firewall][:enabled] = true
 default[:networking][:firewall][:inet] = []
 default[:networking][:firewall][:inet6] = []
@@ -12,3 +14,7 @@ default[:networking][:nameservers] = []
 default[:networking][:search] = []
 default[:networking][:dnssec] = "allow-downgrade"
 default[:networking][:hostname] = node.name
+default[:networking][:wireguard][:enabled] = false
+default[:networking][:wireguard][:address] = "fd43:e709:ea6d:1:#{wireguard_id[0,4]}:#{wireguard_id[4,4]}:#{wireguard_id[8,4]}:#{wireguard_id[12,4]}"
+default[:networking][:wireguard][:keepalive] = false
+default[:networking][:wireguard][:peers] = []
diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb
index 20a696cec..c92ffc4bc 100644
--- a/cookbooks/networking/recipes/default.rb
+++ b/cookbooks/networking/recipes/default.rb
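Review bot: The `%x(systemd-id128 machine-id -a …)` call in the first hunk is not checked, so on a host where the command is absent or fails `wireguard_id` is an empty string and the address assembled in the second hunk silently becomes `fd43:e709:ea6d:1::::`, which is not a valid IPv6 address and only surfaces later when networkd parses the generated file. A guard right after the call, `raise "systemd-id128 machine-id failed" unless $?.success? && wireguard_id.length >= 16`, would fail the run at attribute load with a clear message instead. The `fd43:e709:ea6d:1::` prefix is also repeated as a literal in the `[Route]` section of wireguard.network.erb; keeping it in one attribute used by both places would stop the address and the route from drifting apart.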
@@ -23,6 +23,8 @@ require "ipaddr"
 require "yaml"
+keys = data_bag_item("networking", "keys")
+
 package "netplan.io"
 netplan = {
@@ -219,6 +221,67 @@ package "cloud-init" do
 action :purge
 end
+if node[:networking][:wireguard][:enabled]
+ package "wireguard-tools" do
+ compile_time true
+ end
+
+ directory "/var/lib/systemd/wireguard" do
+ owner "root"
+ group "systemd-network"
+ mode "750"
+ compile_time true
+ end
+
+ file "/var/lib/systemd/wireguard/private.key" do
+ action :create_if_missing
+ owner "root"
+ group "systemd-network"
+ mode "640"
+ content %x{wg genkey}
+ compile_time true
+ end
+
+ node.default[:networking][:wireguard][:public_key] = %x{wg pubkey < /var/lib/systemd/wireguard/private.key}
+
+ file "/var/lib/systemd/wireguard/preshared.key" do
+ action :create_if_missing
+ owner "root"
+ group "systemd-network"
+ mode "640"
+ content keys["wireguard"]
+ end
+
+ template "/etc/systemd/network/wireguard.netdev" do
+ source "wireguard.netdev.erb"
+ owner "root"
+ group "root"
+ mode "644"
+ end
+
+ template "/etc/systemd/network/wireguard.network" do
+ source "wireguard.network.erb"
+ owner "root"
+ group "root"
+ mode "644"
+ end
+
+ execute "ip-link-delete-wg0" do
+ action :nothing
+ command "ip link delete wg0"
+ subscribes :run, "template[/etc/systemd/network/wireguard.netdev]"
+ only_if { ::File.exist?("/sys/class/net/wg0") }
+ end
+
+ execute "networkctl-reload" do
+ action :nothing
+ command "networkctl reload"
+ subscribes :run, "template[/etc/systemd/network/wireguard.netdev]"
+ subscribes :run, "template[/etc/systemd/network/wireguard.network]"
+ not_if { ENV.key?("TEST_KITCHEN") }
+ end
+end
+
 ohai "reload-hostname" do
 action :nothing
 plugin "hostname"
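Review bot: `keys = data_bag_item("networking", "keys")` runs on every node that converges this recipe, including the majority where `node[:networking][:wireguard][:enabled]` stays at its default of false, so the tunnel preshared key is fetched where it is never used and a missing bag fails runs that have no tunnel at all. Moving the lookup to the top of the `if node[:networking][:wireguard][:enabled]` block in the later hunk scopes both the secret and the failure mode to the hosts that need it. It is also worth a one-line comment on the lookup noting that this is a plain (unencrypted) data bag readable by any node with a valid client key, so a reader knows the confidentiality of the PSK rests on Chef server access control rather than on the bag itself.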
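Review bot: Neither `file "/var/lib/systemd/wireguard/private.key"` nor `file "/var/lib/systemd/wireguard/preshared.key"` sets `sensitive true`, so when Chef creates or changes either file its content diff — the tunnel private key and the shared PSK — can be printed in the client log and run report; adding `sensitive true` to both resources suppresses that. Separately, `action :create_if_missing` on preshared.key means a rotated `keys["wireguard"]` never reaches the file, so `action :create` (the data bag is the source of truth) is the intended behaviour if rotation is ever to happen. The `%x{wg pubkey < …}` assignment keeps its trailing newline and ignores the exit status, so a failed `wg` leaves an empty public key on the node object; `%x{wg pubkey < /var/lib/systemd/wireguard/private.key}.chomp` plus `raise "wg pubkey failed" unless $?.success?` keeps the value that other peers will render clean. Note too that `content %x{wg genkey}` is evaluated on every compile even when the file already exists, which is harmless but generates a throwaway key per run.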
@@ -400,6 +463,17 @@ end
 end
 end
+if node[:networking][:wireguard][:enabled]
+ firewall_rule "accept-wireguard" do
+ action :accept
+ source "osm"
+ dest "fw"
+ proto "udp"
+ dest_ports "51820"
+ source_ports "51820"
+ end
+end
+
 if node[:roles].include?("gateway")
 template "/etc/shorewall/masq" do
 source "shorewall-masq.erb"
diff --git a/cookbooks/networking/templates/default/shorewall-interfaces.erb b/cookbooks/networking/templates/default/shorewall-interfaces.erb
index 4701b9641..74d88122f 100644
--- a/cookbooks/networking/templates/default/shorewall-interfaces.erb
+++ b/cookbooks/networking/templates/default/shorewall-interfaces.erb
@@ -13,3 +13,4 @@ net <%= interface[:interface] %> nosmurfs,tcpflags
 <% end -%>
 <% end -%>
 loc tun+ nosmurfs,tcpflags
+loc wg+ nosmurfs,tcpflags
diff --git a/cookbooks/networking/templates/default/wireguard.netdev.erb b/cookbooks/networking/templates/default/wireguard.netdev.erb
new file mode 100644
index 000000000..7f7ef3114
--- /dev/null
+++ b/cookbooks/networking/templates/default/wireguard.netdev.erb
@@ -0,0 +1,20 @@
+[NetDev]
+Name=wg0
+Kind=wireguard
+
+[WireGuard]
+PrivateKeyFile=/var/lib/systemd/wireguard/private.key
+ListenPort=51820
+<% node[:networking][:wireguard][:peers].each do |peer| -%>
+
+[WireGuardPeer]
+PublicKey=<%= peer[:public_key] %>
+PresharedKeyFile=/var/lib/systemd/wireguard/preshared.key
+AllowedIPs=<%= Array(peer[:allowed_ips]).sort.join(",") %>
+<% if peer[:endpoint] -%>
+Endpoint=<%= peer[:endpoint] %>
+<% end -%>
+<% if node[:networking][:wireguard][:keepalive] -%>
+PersistentKeepalive=<%= node[:networking][:wireguard][:keepalive] %>
+<% end -%>
+<% end -%>
diff --git a/cookbooks/networking/templates/default/wireguard.network.erb b/cookbooks/networking/templates/default/wireguard.network.erb
new file mode 100644
index 000000000..636f2867a
--- /dev/null
+++ b/cookbooks/networking/templates/default/wireguard.network.erb
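Review bot: `source_ports "51820"` in `firewall_rule "accept-wireguard"` assumes every peer sends from its own listen port, which holds only for peers that keep the default `ListenPort` and are not behind NAT; a peer whose source port is rewritten is dropped by this rule with nothing in the tunnel to explain it. If all peers are cookbook-managed hosts that may be an acceptable tightening, but it deserves a comment on the rule such as `# peers always send from their own ListenPort; drop source_ports if a NATed peer is ever added`. The port is also a literal here and in `ListenPort=51820` in wireguard.netdev.erb; a `default[:networking][:wireguard][:port]` attribute rendered into both would keep the firewall rule and the netdev from disagreeing.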
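Review bot: `PublicKey=<%= peer[:public_key] %>` and `Endpoint=<%= peer[:endpoint] %>` render peer attribute values verbatim, so a value with a trailing newline (for instance a key captured with `%x{wg pubkey …}` and never chomped) or an embedded one produces a malformed or extra directive inside the `[WireGuardPeer]` section; rendering `<%= peer[:public_key].strip %>` and `<%= peer[:endpoint].strip %>` keeps the file well-formed. A template comment on `AllowedIPs` would help the next reader: it is WireGuard's cryptokey routing ACL, so an entry wider than the `fd43:e709:ea6d:1::/64` tunnel prefix lets that peer source packets from the wider range through wg0, and the `.sort.join(",")` is there to keep the rendered list order-stable across runs. A single `PresharedKeyFile` for every peer is a deliberate network-wide PSK rather than a per-pair one; a one-line comment saying so would spare the question.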
@@ -0,0 +1,8 @@
+[Match]
+Name=wg0
+
+[Network]
+Address=<%= node[:networking][:wireguard][:address] %>/128
+
+[Route]
+Destination=fd43:e709:ea6d:1::/64
diff --git a/test/data_bags/networking/keys.json b/test/data_bags/networking/keys.json
new file mode 100644
index 000000000..de1f901f4
--- /dev/null
+++ b/test/data_bags/networking/keys.json
@@ -0,0 +1,4 @@
+{
+ "id": "keys",
+ "wireguard": "cQzuTMFj9LwSTdv7YqZhwsnbP2ZYzlSiK/Bgj4A9D/o="
+}
--
2.39.5