From 6cc9776c661547ecba446aab0d8ed51e663456e4 Mon Sep 17 00:00:00 2001
From: Tobias Hachmer
Date: Mon, 25 Mar 2019 20:22:55 +0100
Subject: [PATCH] Use link-local IPv6 address for BGP Peering
---
 inventory/group_vars/all | 28 -------------------
 .../templates/ffmwu-add-static-routes.sh.j2 | 2 --
 .../templates/ffmwu-del-static-routes.sh.j2 | 2 --
 .../templates/mwu_ipv6_peers.conf.j2 | 10 ++-----
 roles/wireguard/templates/wireguard.j2 | 2 --
 5 files changed, 3 insertions(+), 41 deletions(-)
diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index 86cad3d..8fb5b0c 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -40,169 +40,141 @@ bgp_groups:
wireguard_networks:
- ipv4: 10.87.253.0/31
- ipv6: fd86:b4dc:4b1e:fd::/127
peers:
- lotuswurzel
- spinat
port: 50000
- ipv4: 10.87.253.2/31
- ipv6: fd86:b4dc:4b1e:fd::2/127
peers:
- lotuswurzel
- wasserfloh
port: 50001
- ipv4: 10.87.253.4/31
- ipv6: fd86:b4dc:4b1e:fd::4/127
peers:
- lotuswurzel
- uffschnitt
port: 50002
- ipv4: 10.87.253.6/31
- ipv6: fd86:b4dc:4b1e:fd::6/127
peers:
- lotuswurzel
- ingwer
port: 50003
- ipv4: 10.87.253.8/31
- ipv6: fd86:b4dc:4b1e:fd::8/127
peers:
- spinat
- wasserfloh
port: 50004
- ipv4: 10.87.253.10/31
- ipv6: fd86:b4dc:4b1e:fd::a/127
peers:
- spinat
- uffschnitt
port: 50005
- ipv4: 10.87.253.12/31
- ipv6: fd86:b4dc:4b1e:fd::c/127
peers:
- spinat
- ingwer
port: 50006
- ipv4: 10.87.253.14/31
- ipv6: fd86:b4dc:4b1e:fd::e/127
peers:
- ingwer
- wasserfloh
port: 50007
- ipv4: 10.87.253.16/31
- ipv6: fd86:b4dc:4b1e:fd::10/127
peers:
- wasserfloh
- uffschnitt
port: 50008
- ipv4: 10.87.253.18/31
- ipv6: fd86:b4dc:4b1e:fd::12/127
peers:
- ingwer
- uffschnitt
port: 50009
- ipv4: 10.87.253.20/31
- ipv6: fd86:b4dc:4b1e:fd::14/127
peers:
- lotuswurzel
- kichererbse
port: 50010
- ipv4: 10.87.253.22/31
- ipv6: fd86:b4dc:4b1e:fd::16/127
peers:
- spinat
- kichererbse
port: 50011
- ipv4: 10.87.253.24/31
- ipv6: fd86:b4dc:4b1e:fd::18/127
peers:
- wasserfloh
- kichererbse
port: 50012
- ipv4: 10.87.253.26/31
- ipv6: fd86:b4dc:4b1e:fd::1a/127
peers:
- uffschnitt
- kichererbse
port: 50013
- ipv4: 10.87.253.28/31
- ipv6: fd86:b4dc:4b1e:fd::1c/127
peers:
- ingwer
- kichererbse
port: 50014
- ipv4: 10.87.253.30/31
- ipv6: fd86:b4dc:4b1e:fd::1e/127
peers:
- lotuswurzel
- suesskartoffel
port: 50015
- ipv4: 10.87.253.32/31
- ipv6: fd86:b4dc:4b1e:fd::20/127
peers:
- spinat
- suesskartoffel
port: 50016
- ipv4: 10.87.253.34/31
- ipv6: fd86:b4dc:4b1e:fd::22/127
peers:
- ingwer
- suesskartoffel
port: 50017
- ipv4: 10.87.253.36/31
- ipv6: fd86:b4dc:4b1e:fd::24/127
peers:
- wasserfloh
- suesskartoffel
port: 50018
- ipv4: 10.87.253.38/31
- ipv6: fd86:b4dc:4b1e:fd::26/127
peers:
- uffschnitt
- suesskartoffel
port: 50019
- ipv4: 10.87.253.40/31
- ipv6: fd86:b4dc:4b1e:fd::28/127
peers:
- kichererbse
- suesskartoffel
port: 50020
- ipv4: 10.87.253.42/31
- ipv6: fd86:b4dc:4b1e:fd::2a/127
peers:
- ingwer
- linse
port: 50021
- ipv4: 10.87.253.44/31
- ipv6: fd86:b4dc:4b1e:fd::2c/127
peers:
- lotuswurzel
- linse
port: 50022
- ipv4: 10.87.253.46/31
- ipv6: fd86:b4dc:4b1e:fd::2e/127
peers:
- spinat
- linse
port: 50023
- ipv4: 10.87.253.48/31
- ipv6: fd86:b4dc:4b1e:fd::30/127
peers:
- uffschnitt
- linse
port: 50024
- ipv4: 10.87.253.50/31
- ipv6: fd86:b4dc:4b1e:fd::32/127
peers:
- wasserfloh
- linse
port: 50025
- ipv4: 10.87.253.52/31
- ipv6: fd86:b4dc:4b1e:fd::34/127
peers:
- suesskartoffel
- linse
port: 50026
- ipv4: 10.87.253.54/31
- ipv6: fd86:b4dc:4b1e:fd::36/127
peers:
- kichererbse
- linse
diff --git a/roles/network-routing/templates/ffmwu-add-static-routes.sh.j2 b/roles/network-routing/templates/ffmwu-add-static-routes.sh.j2
index 601db23..d226490 100644
--- a/roles/network-routing/templates/ffmwu-add-static-routes.sh.j2
+++ b/roles/network-routing/templates/ffmwu-add-static-routes.sh.j2
@@ -6,10 +6,8 @@
{% for network in my_wireguard_networks %}
{% if magic < network.remote_magic %}
/sbin/ip -4 route add {{ network.ipv4 | ipaddr('network/prefix') }} dev wg-{{ network.remote[:11] }} scope link src {{ network.ipv4 | ipaddr('address') }} table mwu
-/sbin/ip -6 route add {{ network.ipv6 | ipaddr('network/prefix') }} dev wg-{{ network.remote[:11] }} scope link src {{ network.ipv6 | ipaddr('network') }} table mwu
{% else %}
/sbin/ip -4 route add {{ network.ipv4 | ipaddr('network/prefix') }} dev wg-{{ network.remote[:11] }} scope link src {{ network.ipv4 | ipaddr('1') | ipaddr('address') }} table mwu
-/sbin/ip -6 route add {{ network.ipv6 | ipaddr('network/prefix') }} dev wg-{{ network.remote[:11] }} scope link src {{ network.ipv6 | ipaddr('1') | ipaddr('address') }} table mwu
{% endif %}
{% endfor %}
{% if server_type == 'gateway' or server_type == 'monitoring' %}
diff --git a/roles/network-routing/templates/ffmwu-del-static-routes.sh.j2 b/roles/network-routing/templates/ffmwu-del-static-routes.sh.j2
index eb653d2..b22c5ad 100644
--- a/roles/network-routing/templates/ffmwu-del-static-routes.sh.j2
+++ b/roles/network-routing/templates/ffmwu-del-static-routes.sh.j2
@@ -6,10 +6,8 @@
{% for network in my_wireguard_networks %}
{% if magic < network.remote_magic %}
/sbin/ip -4 route del {{ network.ipv4 | ipaddr('network/prefix') }} dev wg-{{ network.remote[:11] }} scope link src {{ network.ipv4 | ipaddr('address') }} table mwu
-/sbin/ip -6 route del {{ network.ipv6 | ipaddr('network/prefix') }} dev wg-{{ network.remote[:11] }} scope link src {{ network.ipv6 | ipaddr('network') }} table mwu
{% else %}
/sbin/ip -4 route del {{ network.ipv4 | ipaddr('network/prefix') }} dev wg-{{ network.remote[:11] }} scope link src {{ network.ipv4 | ipaddr('1') | ipaddr('address') }} table mwu
-/sbin/ip -6 route del {{ network.ipv6 | ipaddr('network/prefix') }} dev wg-{{ network.remote[:11] }} scope link src {{ network.ipv6 | ipaddr('1') | ipaddr('address') }} table mwu
{% endif %}
{% endfor %}
{% if server_type == 'gateway' or server_type == 'monitoring' %}
diff --git a/roles/service-bird/templates/mwu_ipv6_peers.conf.j2 b/roles/service-bird/templates/mwu_ipv6_peers.conf.j2
index 1f5d9b1..efddbbd 100644
--- a/roles/service-bird/templates/mwu_ipv6_peers.conf.j2
+++ b/roles/service-bird/templates/mwu_ipv6_peers.conf.j2
@@ -4,13 +4,9 @@
{% for network in my_wireguard_networks %}
protocol bgp mwu_{{ network.remote }} from ibgp_mwu {
-{% if magic < network.remote_magic %}
- source address {{ network.ipv6 | ipaddr('network') }};
- neighbor {{ network.ipv6 | ipaddr('1') | ipaddr('address') }} as mwu_as;
-{% else %}
- source address {{ network.ipv6 | ipaddr('1') | ipaddr('address') }};
- neighbor {{ network.ipv6 | ipaddr('network') }} as mwu_as;
-{% endif %}
+ interface "wg-{{ network.remote[:11] }}";
+ source address {{ 'fe80::/64' | ipaddr(magic) | ipaddr('address') }};
+ neighbor {{ 'fe80::/64' | ipaddr(network.remote_magic) | ipaddr('address') }} as mwu_as;
};
{% endfor %}
diff --git a/roles/wireguard/templates/wireguard.j2 b/roles/wireguard/templates/wireguard.j2
index c92e48e..28ac597 100644
--- a/roles/wireguard/templates/wireguard.j2
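Review bot: The new `source address` is the same fe80::<magic> for every session on a host, because wireguard.j2 configures that single link-local address under each `iface wg-…`, so the added `interface` line is what actually pins each session to its tunnel — and nothing in the template says so; a comment above it such as `{# fe80::<magic> is configured on every wg-* interface, so the session is bound to the tunnel by interface, not by a per-link address #}` would save the next reader from wondering why the source address no longer varies per peer. With the per-link ULA /127 gone, fe80::<remote_magic> is also the only thing identifying the neighbor, so two hosts sharing a `magic` value would render identical source and neighbor addresses and the session would silently never come up; if the play that renders this does not already assert uniqueness of `magic` across the group, it should. Whether `interface "…";` is accepted as a bgp option depends on the BIRD release deployed — older builds spell the link-local binding as `neighbor fe80::… % "wg-…" as mwu_as;` — so confirm against the version in use before rollout.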
+++ b/roles/wireguard/templates/wireguard.j2
@@ -12,10 +12,8 @@ iface wg-{{ network.remote[:11] }}
ipv6-addrgen off
{% if magic < network.remote_magic %}
address {{ network.ipv4 | ipaddr('ip/prefix') }}
- address {{ network.ipv6 | ipaddr('ip/prefix') }}
{% else %}
address {{ network.ipv4 | ipaddr('1') | ipaddr('ip/prefix') }}
- address {{ network.ipv6 | ipaddr('1') | ipaddr('ip/prefix') }}
{% endif %}
address {{ 'fe80::/64' | ipaddr(magic) | ipaddr('ip/prefix') }}
pre-up ip link add dev $IFACE type wireguard