From e683209e4f70c3ef4c859ebcd287544174cd760a Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Sun, 13 Sep 2020 23:36:11 +0000
Subject: [PATCH] Replace OpenVPN with wireguard for VPN tunnels
---
 .../templates/default/munin-node.conf.erb | 3 -
 cookbooks/networking/recipes/default.rb | 68 +++++-----------
 cookbooks/openvpn/README.md | 4 -
 cookbooks/openvpn/attributes/default.rb | 2 -
 cookbooks/openvpn/metadata.rb | 8 --
 cookbooks/openvpn/recipes/default.rb | 81 -------------------
 .../openvpn/templates/default/tunnel.conf.erb | 44 ----------
 roles/bytemark.rb | 5 +-
 roles/equinix.rb | 5 +-
 roles/gateway.rb | 3 +
 roles/grisu.rb | 29 +------
 roles/ironbelly.rb | 28 -------
 roles/ridley.rb | 41 +---------
 roles/shenron.rb | 15 +---
 roles/ucl.rb | 8 +-
 15 files changed, 40 insertions(+), 304 deletions(-)
 delete mode 100644 cookbooks/openvpn/README.md
 delete mode 100644 cookbooks/openvpn/attributes/default.rb
 delete mode 100644 cookbooks/openvpn/metadata.rb
 delete mode 100644 cookbooks/openvpn/recipes/default.rb
 delete mode 100644 cookbooks/openvpn/templates/default/tunnel.conf.erb
diff --git a/cookbooks/munin/templates/default/munin-node.conf.erb b/cookbooks/munin/templates/default/munin-node.conf.erb
index 8c88fd612..4f3580b56 100644
--- a/cookbooks/munin/templates/default/munin-node.conf.erb
+++ b/cookbooks/munin/templates/default/munin-node.conf.erb
@@ -35,9 +35,6 @@ allow ^127\.0\.0\.1$
 <% server.interfaces do |interface| -%>
 allow ^<%= Regexp.quote(interface[:address]) %>$
 <% end -%>
-<% if server[:openvpn] -%>
-allow ^<%= Regexp.quote(server[:openvpn][:address]) %>$
-<% end -%>
 <% end -%>
 <% node[:munin][:allow].each do |address| -%>
 allow ^<%= Regexp.quote(address) %>$
diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb
index c92ffc4bc..d638d9132 100644
--- a/cookbooks/networking/recipes/default.rb
+++ b/cookbooks/networking/recipes/default.rb
@@ -132,48 +132,12 @@ node[:networking][:interfaces].each do |name, interface|
 "scope" => "link"
 )
 end
-
- if interface[:role] == "internal" && interface[:gateway] != interface[:address]
- search(:node, "networking_interfaces*address:#{interface[:gateway]}") do |gateway|
- next unless gateway[:openvpn]
-
- gateway[:openvpn][:tunnels].each_value do |tunnel|
- if tunnel[:peer][:address]
- deviceplan["routes"].push(
- "to" => "#{tunnel[:peer][:address]}/32",
- "via" => interface[:gateway]
- )
-
- route tunnel[:peer][:address] do
- netmask "255.255.255.255"
- gateway interface[:gateway]
- device interface[:interface]
- end
- end
-
- next unless tunnel[:peer][:networks]
-
- tunnel[:peer][:networks].each do |network|
- prefix = IPAddr.new("#{network[:address]}/#{network[:netmask]}").prefix
-
- deviceplan["routes"].push(
- "to" => "#{network[:address]}/#{prefix}",
- "via" => interface[:gateway]
- )
-
- route network[:address] do
- netmask network[:netmask]
- gateway interface[:gateway]
- device interface[:interface]
- end
- end
- end
- end
- end
 end
 
 if interface[:routes]
 interface[:routes].each do |to, parameters|
+ next if parameters[:via] == interface[:address]
+
 route = {
 "to" => to
 }
@@ -252,6 +216,23 @@ if node[:networking][:wireguard][:enabled]
 content keys["wireguard"]
 end
 
+ if node[:roles].include?("gateway")
+ search(:node, "roles:gateway") do |gateway|
+ next if gateway.name == node.name
+ next unless gateway[:networking][:wireguard] && gateway[:networking][:wireguard][:enabled]
+
+ allowed_ips = gateway.interfaces(:role => :internal).map do |interface|
+ "#{interface[:network]}/#{interface[:metric]}"
+ end
+
+ node.default[:networking][:wireguard][:peers] << {
+ :public_key => gateway[:networking][:wireguard][:public_key],
+ :allowed_ips => allowed_ips,
+ :endpoint => "#{gateway.name}:51820"
+ }
+ end
+ end
+
 template "/etc/systemd/network/wireguard.netdev" do
 source "wireguard.netdev.erb"
 owner "root"
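Review bot: In the allowed_ips map the prefix length is taken from `interface[:metric]`, while the role files in this same patch (bytemark, equinix, ucl) describe the internal interface with `:prefix => "20"` and nothing on this page assigns a `:metric`; unless the recipe derives a metric elsewhere, this looks like it should read `"#{interface[:network]}/#{interface[:prefix]}"`. A wrong value here silently widens or narrows the cryptokey-routing AllowedIPs for every gateway peer, so a rendered netdev from a test converge is worth checking before rollout. The loop also only verifies that the peer gateway has wireguard enabled, not that `gateway[:networking][:wireguard][:public_key]` is present, so a node that has just been given the gateway role but has not yet converged and saved its key would be pushed as a peer with a nil key; `next unless gateway[:networking][:wireguard][:public_key]` before building the peer hash would defer it to the next run. The endpoint port `51820` is a literal here; the accept-wireguard firewall rule's port is outside the visible hunks, so I cannot tell whether the two agree, but if the rule reads an attribute the same attribute should be used here.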
@@ -452,17 +433,6 @@ firewall_rule "limit-icmp-echo" do
 rate_limit "s:1/sec:5"
 end
 
-%w[ucl ams bm].each do |zone|
- firewall_rule "accept-openvpn-#{zone}" do
- action :accept
- source zone
- dest "fw"
- proto "udp"
- dest_ports "1194:1197"
- source_ports "1194:1197"
- end
-end
-
 if node[:networking][:wireguard][:enabled]
 firewall_rule "accept-wireguard" do
 action :accept
diff --git a/cookbooks/openvpn/README.md b/cookbooks/openvpn/README.md
deleted file mode 100644
index 4936476c5..000000000
--- a/cookbooks/openvpn/README.md
+++ /dev/null
@@ -1,4 +0,0 @@
-# OpenVPN
-
-This cookbook installs and configures OpenVPN used for secure network
-connections between our datacentres.
diff --git a/cookbooks/openvpn/attributes/default.rb b/cookbooks/openvpn/attributes/default.rb
deleted file mode 100644
index af20e4e4c..000000000
--- a/cookbooks/openvpn/attributes/default.rb
+++ /dev/null
@@ -1,2 +0,0 @@
-default[:openvpn][:tunnels] = {}
-default[:openvpn][:keys] = {}
diff --git a/cookbooks/openvpn/metadata.rb b/cookbooks/openvpn/metadata.rb
deleted file mode 100644
index 15bee3b88..000000000
--- a/cookbooks/openvpn/metadata.rb
+++ /dev/null
@@ -1,8 +0,0 @@
-name "openvpn"
-maintainer "OpenStreetMap Administrators"
-maintainer_email "admins@openstreetmap.org"
-license "Apache-2.0"
-description "Installs and configures OpenVPN"
-
-version "1.0.0"
-supports "ubuntu"
diff --git a/cookbooks/openvpn/recipes/default.rb b/cookbooks/openvpn/recipes/default.rb
deleted file mode 100644
index c027466f1..000000000
--- a/cookbooks/openvpn/recipes/default.rb
+++ /dev/null
@@ -1,81 +0,0 @@
-#
-# Cookbook:: openvpn
-# Recipe:: default
-#
-# Copyright:: 2012, OpenStreetMap Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-package "openvpn"
-
-service "openvpn" do
- action [:enable, :start]
- supports :status => true, :restart => true, :reload => true
- ignore_failure true
-end
-
-node[:openvpn][:tunnels].each do |name, details|
- peer = search(:node, "fqdn:#{details[:peer][:host]}").first
-
- if peer
- if peer[:openvpn] && !details[:peer][:address]
- node.default[:openvpn][:tunnels][name][:peer][:address] = peer[:openvpn][:address]
- end
-
- node.default[:openvpn][:tunnels][name][:peer][:networks] = peer.interfaces(:role => :internal).collect do |interface|
- { :address => interface[:network], :netmask => interface[:netmask] }
- end
- else
- node.default[:openvpn][:tunnels][name][:peer][:networks] = []
- end
-
- if details[:mode] == "client"
- execute "openvpn-genkey-#{name}" do
- command "openvpn --genkey --secret /etc/openvpn/#{name}.key"
- user "root"
- group "root"
- creates "/etc/openvpn/#{name}.key"
- end
-
- if File.exist?("/etc/openvpn/#{name}.key")
- node.default[:openvpn][:keys][name] = IO.read("/etc/openvpn/#{name}.key")
- end
- elsif peer && peer[:openvpn]
- file "/etc/openvpn/#{name}.key" do
- owner "root"
- group "root"
- mode "600"
- content peer[:openvpn][:keys][name]
- end
- end
-
- if node[:openvpn][:tunnels][name][:peer][:address]
- template "/etc/openvpn/#{name}.conf" do
- source "tunnel.conf.erb"
- owner "root"
- group "root"
- mode "644"
- variables :name => name,
- :address => node[:openvpn][:address],
- :port => node[:openvpn][:tunnels][name][:port],
- :mode => node[:openvpn][:tunnels][name][:mode],
- :peer => node[:openvpn][:tunnels][name][:peer]
- notifies :restart, "service[openvpn]"
- end
- else
- file "/etc/openvpn/#{name}.conf" do
- action :delete
- end
- end
-end
diff --git a/cookbooks/openvpn/templates/default/tunnel.conf.erb b/cookbooks/openvpn/templates/default/tunnel.conf.erb
deleted file mode 100644
index e2fcc3590..000000000
--- a/cookbooks/openvpn/templates/default/tunnel.conf.erb
+++ /dev/null
@@ -1,44 +0,0 @@
-# DO NOT EDIT - This file is being maintained by Chef
-
-# Set the local port to use
-port <%= @port %>
-
-# Use UDP
-proto udp
-
-# Use routed IP tunnels
-dev tun
-
-# Use shared secret authentication
-secret <%= @name %>.key
-
-# Run in peer-to-peer mode
-mode p2p
-<% if @mode == "client" -%>
-
-# Connect to the remote machine
-remote <%= @peer[:host] %> <%= @peer[:port] %>
-<% end -%>
-
-# Configure interface and routing
-ifconfig <%= @address %> <%= @peer[:address] %>
-<% @peer[:networks].each do |network| -%>
-route <%= network[:address] %> <%= network[:netmask] %>
-<% end -%>
-
-# Keepalive - check every 10 seconds and reset after 2 minutes
-keepalive 10 120
-
-# Use AES-128 as the cipher
-cipher AES-128-CBC
-
-# Run unprivileged
-user nobody
-group nogroup
-
-# Reuse resources on restart to avoid privilege problems
-persist-key
-persist-tun
-
-# Set log verbosity
-verb 3
diff --git a/roles/bytemark.rb b/roles/bytemark.rb
index 2289df648..4e80daa56 100644
--- a/roles/bytemark.rb
+++ b/roles/bytemark.rb
@@ -10,7 +10,10 @@ default_attributes(
 :internal => {
 :inet => {
 :prefix => "20",
- :gateway => "10.0.32.20"
+ :gateway => "10.0.32.20",
+ :routes => {
+ "10.0.0.0/8" => { :via => "10.0.32.20" }
+ }
 }
 },
 :external => {
diff --git a/roles/equinix.rb b/roles/equinix.rb
index 781772cb7..625aa8f57 100644
--- a/roles/equinix.rb
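Review bot: The new `10.0.0.0/8` route in bytemark.rb repeats the interface's `:gateway` literal as its `:via` by hand, and the same pattern is copied into equinix.rb and ucl.rb in this patch, so a future gateway re-address has to be made in two places per role. Nothing in the role explains that this is the summary route for the other sites' internal networks or why it is safe to declare it on the gateway itself (the networking recipe now skips a route whose via is the interface's own address, but that guard lives in a different file). A short comment above the routes hash in each of the three roles, e.g. `# Summary route to the other sites' internal networks via the local gateway; the recipe drops it on the gateway itself`, would make the intent and the dependency on the recipe's guard visible to the next editor.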
+++ b/roles/equinix.rb
@@ -8,7 +8,10 @@ default_attributes(
 :internal => {
 :inet => {
 :prefix => "20",
- :gateway => "10.0.48.10"
+ :gateway => "10.0.48.10",
+ :routes => {
+ "10.0.0.0/8" => { :via => "10.0.48.10" }
+ }
 }
 },
 :external => {
diff --git a/roles/gateway.rb b/roles/gateway.rb
index b9007b86e..80ae347a5 100644
--- a/roles/gateway.rb
+++ b/roles/gateway.rb
@@ -2,6 +2,9 @@ name "gateway"
 description "Role applied to all network gateways"
 
 default_attributes(
+ :networking => {
+ :wireguard => { :enabled => true }
+ },
 :sysctl => {
 :network_forwarding => {
 :comment => "Enable forwarding",
diff --git a/roles/grisu.rb b/roles/grisu.rb
index 8e177a8ff..45df5c5f4 100644
--- a/roles/grisu.rb
+++ b/roles/grisu.rb
@@ -30,32 +30,6 @@ default_attributes(
 }
 }
 },
- :openvpn => {
- :address => "10.0.16.5",
- :tunnels => {
- :ic2bm => {
- :port => "1194",
- :mode => "server",
- :peer => {
- :host => "ironbelly.openstreetmap.org"
- }
- },
- :aws2bm => {
- :port => "1195",
- :mode => "server",
- :peer => {
- :host => "fafnir.openstreetmap.org"
- }
- },
- :ucl2bm => {
- :port => "1196",
- :mode => "server",
- :peer => {
- :host => "ridley.openstreetmap.org"
- }
- }
- }
- },
 :planet => {
 :replication => "disabled"
 }
@@ -68,6 +42,5 @@ run_list(
 "role[web-storage]",
 "role[backup]",
 "role[planet]",
- # "role[planetdump]",
- "recipe[openvpn]"
+ # "role[planetdump]"
 )
diff --git a/roles/ironbelly.rb b/roles/ironbelly.rb
index cf511e4ef..5042c4dd0 100644
--- a/roles/ironbelly.rb
+++ b/roles/ironbelly.rb
@@ -55,33 +55,6 @@ default_attributes(
 }
 }
 },
- :openvpn => {
- :address => "10.0.16.2",
- :tunnels => {
- :ic2ucl => {
- :port => "1194",
- :mode => "server",
- :peer => {
- :host => "ridley.openstreetmap.org"
- }
- },
- :aws2ic => {
- :port => "1195",
- :mode => "server",
- :peer => {
- :host => "fafnir.openstreetmap.org"
- }
- },
- :ic2bm => {
- :port => "1196",
- :mode => "client",
- :peer => {
- :host => "grisu.openstreetmap.org",
- :port => "1194"
- }
- }
- }
- },
 :planet => {
 :replication => "enabled"
 },
@@ -138,6 +111,5 @@ run_list(
 "role[planetdump]",
 "recipe[rsyncd]",
 "recipe[dhcpd]",
- "recipe[openvpn]",
 "recipe[tilelog]"
 )
diff --git a/roles/ridley.rb b/roles/ridley.rb
index 136cfd7d0..d3ddde39d 100644
--- a/roles/ridley.rb
+++ b/roles/ridley.rb
@@ -34,44 +34,6 @@ default_attributes(
 :address => "10.0.0.3"
 }
 }
- },
- :openvpn => {
- :address => "10.0.16.1",
- :tunnels => {
- :ic2ucl => {
- :port => "1194",
- :mode => "client",
- :peer => {
- :host => "ironbelly.openstreetmap.org",
- :port => "1194"
- }
- },
- :shenron2ucl => {
- :port => "1195",
- :mode => "client",
- :peer => {
- :host => "shenron.openstreetmap.org",
- :port => "1194"
- }
- },
- :ucl2bm => {
- :port => "1196",
- :mode => "client",
- :peer => {
- :host => "grisu.openstreetmap.org",
- :port => "1196"
- }
- },
- :firefishy => {
- :port => "1197",
- :mode => "client",
- :peer => {
- :host => "home.firefishy.com",
- :port => "1194",
- :address => "10.0.16.201"
- }
- }
- }
 }
 )
 
@@ -87,6 +49,5 @@ run_list(
 "role[donate]",
 "recipe[hot]",
 "recipe[dmca]",
- "recipe[dhcpd]",
- "recipe[openvpn]"
+ "recipe[dhcpd]"
 )
diff --git a/roles/shenron.rb b/roles/shenron.rb
index c3db86355..1caa61018 100644
--- a/roles/shenron.rb
+++ b/roles/shenron.rb
@@ -16,18 +16,6 @@ default_attributes(
 :modules => [
 "it87"
 ]
- },
- :openvpn => {
- :address => "10.0.16.3",
- :tunnels => {
- :shenron2ucl => {
- :port => "1194",
- :mode => "server",
- :peer => {
- :host => "ridley.openstreetmap.org"
- }
- }
- }
 }
 )
 
@@ -63,6 +51,5 @@ run_list(
 "role[trac]",
 "role[osqa]",
 "role[irc]",
- "recipe[blogs]",
- "recipe[openvpn]"
+ "recipe[blogs]"
 )
diff --git a/roles/ucl.rb b/roles/ucl.rb
index 7f74979a5..b3220a994 100644
--- a/roles/ucl.rb
+++ b/roles/ucl.rb
@@ -8,7 +8,10 @@ default_attributes(
 :internal => {
 :inet => {
 :prefix => "20",
- :gateway => "10.0.0.3"
+ :gateway => "10.0.0.3",
+ :routes => {
+ "10.0.0.0/8" => { :via => "10.0.0.3" }
+ }
 }
 },
 :external => {
@@ -18,6 +21,9 @@ default_attributes(
 :gateway => "193.60.236.254"
 }
 }
+ },
+ :wireguard => {
+ :keepalive => 180
 }
 }
 )
--
2.39.5
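Review bot: `:keepalive => 180` is set only in the ucl role, and nothing in the networking recipe hunks on this page reads it, so presumably the wireguard netdev template consumes it as a PersistentKeepalive value; the role gives no hint why only this site needs it. A one-line comment next to the attribute, e.g. `# Send periodic keepalives so the tunnel survives idle-UDP timeouts on the path to UCL (confirm the actual cause)`, would record the operational reason and stop the next reader from either copying it to every role or removing it as unused. It is also worth confirming that the template reads `node[:networking][:wireguard][:keepalive]` at the level this hunk sets it, since the gateway role in this patch places `:enabled` under the same `:networking => { :wireguard => ... }` key but no per-peer setting is visible.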