]> git.openstreetmap.org Git - chef.git/commitdiff
projects / chef.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d67b787)
Replace OpenVPN with wireguard for VPN tunnels
authorTom Hughes <tom@compton.nu>
Sun, 13 Sep 2020 23:36:11 +0000 (23:36 +0000)
committerTom Hughes <tom@compton.nu>
Mon, 14 Sep 2020 15:56:32 +0000 (16:56 +0100)
15 files changed:
cookbooks/munin/templates/default/munin-node.conf.erb patch | blob | history
cookbooks/networking/recipes/default.rb patch | blob | history
cookbooks/openvpn/README.md [deleted file] patch | blob | history
cookbooks/openvpn/attributes/default.rb [deleted file] patch | blob | history
cookbooks/openvpn/metadata.rb [deleted file] patch | blob | history
cookbooks/openvpn/recipes/default.rb [deleted file] patch | blob | history
cookbooks/openvpn/templates/default/tunnel.conf.erb [deleted file] patch | blob | history
roles/bytemark.rb patch | blob | history
roles/equinix.rb patch | blob | history
roles/gateway.rb patch | blob | history
roles/grisu.rb patch | blob | history
roles/ironbelly.rb patch | blob | history
roles/ridley.rb patch | blob | history
roles/shenron.rb patch | blob | history
roles/ucl.rb patch | blob | history

diff --git a/cookbooks/munin/templates/default/munin-node.conf.erb b/cookbooks/munin/templates/default/munin-node.conf.erb
index 8c88fd612560beb70ebf675fb11d009136bca39d..4f3580b563ba9e7a1eec94e333c6d8fdf43f39fb 100644 (file)
--- a/cookbooks/munin/templates/default/munin-node.conf.erb
+++ b/cookbooks/munin/templates/default/munin-node.conf.erb
@@ -35,9 +35,6 @@ allow ^127\.0\.0\.1$
 <% server.interfaces do |interface| -%>
 allow ^<%= Regexp.quote(interface[:address]) %>$
 <% end -%>
 <% server.interfaces do |interface| -%>
 allow ^<%= Regexp.quote(interface[:address]) %>$
 <% end -%>
-<% if server[:openvpn] -%>
-allow ^<%= Regexp.quote(server[:openvpn][:address]) %>$
-<% end -%>
 <% end -%>
 <% node[:munin][:allow].each do |address| -%>
 allow ^<%= Regexp.quote(address) %>$
 <% end -%>
 <% node[:munin][:allow].each do |address| -%>
 allow ^<%= Regexp.quote(address) %>$
diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb
index c92ffc4bc7ce2bd82c0bee8de145f19d4ee5f0d2..d638d913217f5c1e4e7f7e3c863ed33c494c1abb 100644 (file)
--- a/cookbooks/networking/recipes/default.rb
+++ b/cookbooks/networking/recipes/default.rb
@@ -132,48 +132,12 @@ node[:networking][:interfaces].each do |name, interface|
           "scope" => "link"
         )
       end
           "scope" => "link"
         )
       end
-
-      if interface[:role] == "internal" && interface[:gateway] != interface[:address]
-        search(:node, "networking_interfaces*address:#{interface[:gateway]}") do |gateway|
-          next unless gateway[:openvpn]
-
-          gateway[:openvpn][:tunnels].each_value do |tunnel|
-            if tunnel[:peer][:address]
-              deviceplan["routes"].push(
-                "to" => "#{tunnel[:peer][:address]}/32",
-                "via" => interface[:gateway]
-              )
-
-              route tunnel[:peer][:address] do
-                netmask "255.255.255.255"
-                gateway interface[:gateway]
-                device interface[:interface]
-              end
-            end
-
-            next unless tunnel[:peer][:networks]
-
-            tunnel[:peer][:networks].each do |network|
-              prefix = IPAddr.new("#{network[:address]}/#{network[:netmask]}").prefix
-
-              deviceplan["routes"].push(
-                "to" => "#{network[:address]}/#{prefix}",
-                "via" => interface[:gateway]
-              )
-
-              route network[:address] do
-                netmask network[:netmask]
-                gateway interface[:gateway]
-                device interface[:interface]
-              end
-            end
-          end
-        end
-      end
     end
 
     if interface[:routes]
       interface[:routes].each do |to, parameters|
     end
 
     if interface[:routes]
       interface[:routes].each do |to, parameters|
+        next if parameters[:via] == interface[:address]
+
         route = {
           "to" => to
         }
         route = {
           "to" => to
         }
@@ -252,6 +216,23 @@ if node[:networking][:wireguard][:enabled]
     content keys["wireguard"]
   end
 
     content keys["wireguard"]
   end
 
+  if node[:roles].include?("gateway")
+    search(:node, "roles:gateway") do |gateway|
+      next if gateway.name == node.name
+      next unless gateway[:networking][:wireguard] && gateway[:networking][:wireguard][:enabled]
+
+      allowed_ips = gateway.interfaces(:role => :internal).map do |interface|
+        "#{interface[:network]}/#{interface[:metric]}"
+      end
+
+      node.default[:networking][:wireguard][:peers] << {
+        :public_key => gateway[:networking][:wireguard][:public_key],
+        :allowed_ips => allowed_ips,
+        :endpoint => "#{gateway.name}:51820"
+      }
+    end
+  end
+
   template "/etc/systemd/network/wireguard.netdev" do
     source "wireguard.netdev.erb"
     owner "root"
   template "/etc/systemd/network/wireguard.netdev" do
     source "wireguard.netdev.erb"
     owner "root"
@@ -452,17 +433,6 @@ firewall_rule "limit-icmp-echo" do
   rate_limit "s:1/sec:5"
 end
 
   rate_limit "s:1/sec:5"
 end
 
-%w[ucl ams bm].each do |zone|
-  firewall_rule "accept-openvpn-#{zone}" do
-    action :accept
-    source zone
-    dest "fw"
-    proto "udp"
-    dest_ports "1194:1197"
-    source_ports "1194:1197"
-  end
-end
-
 if node[:networking][:wireguard][:enabled]
   firewall_rule "accept-wireguard" do
     action :accept
 if node[:networking][:wireguard][:enabled]
   firewall_rule "accept-wireguard" do
     action :accept
diff --git a/cookbooks/openvpn/README.md b/cookbooks/openvpn/README.md
deleted file mode 100644 (file)
index 4936476..0000000
--- a/cookbooks/openvpn/README.md
+++ /dev/null
@@ -1,4 +0,0 @@
-# OpenVPN
-
-This cookbook installs and configures OpenVPN used for secure network
-connections between our datacentres.
diff --git a/cookbooks/openvpn/attributes/default.rb b/cookbooks/openvpn/attributes/default.rb
deleted file mode 100644 (file)
index af20e4e..0000000
--- a/cookbooks/openvpn/attributes/default.rb
+++ /dev/null
@@ -1,2 +0,0 @@
-default[:openvpn][:tunnels] = {}
-default[:openvpn][:keys] = {}
diff --git a/cookbooks/openvpn/metadata.rb b/cookbooks/openvpn/metadata.rb
deleted file mode 100644 (file)
index 15bee3b..0000000
--- a/cookbooks/openvpn/metadata.rb
+++ /dev/null
@@ -1,8 +0,0 @@
-name              "openvpn"
-maintainer        "OpenStreetMap Administrators"
-maintainer_email  "admins@openstreetmap.org"
-license           "Apache-2.0"
-description       "Installs and configures OpenVPN"
-
-version           "1.0.0"
-supports          "ubuntu"
diff --git a/cookbooks/openvpn/recipes/default.rb b/cookbooks/openvpn/recipes/default.rb
deleted file mode 100644 (file)
index c027466..0000000
--- a/cookbooks/openvpn/recipes/default.rb
+++ /dev/null
@@ -1,81 +0,0 @@
-#
-# Cookbook:: openvpn
-# Recipe:: default
-#
-# Copyright:: 2012, OpenStreetMap Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-package "openvpn"
-
-service "openvpn" do
-  action [:enable, :start]
-  supports :status => true, :restart => true, :reload => true
-  ignore_failure true
-end
-
-node[:openvpn][:tunnels].each do |name, details|
-  peer = search(:node, "fqdn:#{details[:peer][:host]}").first
-
-  if peer
-    if peer[:openvpn] && !details[:peer][:address]
-      node.default[:openvpn][:tunnels][name][:peer][:address] = peer[:openvpn][:address]
-    end
-
-    node.default[:openvpn][:tunnels][name][:peer][:networks] = peer.interfaces(:role => :internal).collect do |interface|
-      { :address => interface[:network], :netmask => interface[:netmask] }
-    end
-  else
-    node.default[:openvpn][:tunnels][name][:peer][:networks] = []
-  end
-
-  if details[:mode] == "client"
-    execute "openvpn-genkey-#{name}" do
-      command "openvpn --genkey --secret /etc/openvpn/#{name}.key"
-      user "root"
-      group "root"
-      creates "/etc/openvpn/#{name}.key"
-    end
-
-    if File.exist?("/etc/openvpn/#{name}.key")
-      node.default[:openvpn][:keys][name] = IO.read("/etc/openvpn/#{name}.key")
-    end
-  elsif peer && peer[:openvpn]
-    file "/etc/openvpn/#{name}.key" do
-      owner "root"
-      group "root"
-      mode "600"
-      content peer[:openvpn][:keys][name]
-    end
-  end
-
-  if node[:openvpn][:tunnels][name][:peer][:address]
-    template "/etc/openvpn/#{name}.conf" do
-      source "tunnel.conf.erb"
-      owner "root"
-      group "root"
-      mode "644"
-      variables :name => name,
-                :address => node[:openvpn][:address],
-                :port => node[:openvpn][:tunnels][name][:port],
-                :mode => node[:openvpn][:tunnels][name][:mode],
-                :peer => node[:openvpn][:tunnels][name][:peer]
-      notifies :restart, "service[openvpn]"
-    end
-  else
-    file "/etc/openvpn/#{name}.conf" do
-      action :delete
-    end
-  end
-end
diff --git a/cookbooks/openvpn/templates/default/tunnel.conf.erb b/cookbooks/openvpn/templates/default/tunnel.conf.erb
deleted file mode 100644 (file)
index e2fcc35..0000000
--- a/cookbooks/openvpn/templates/default/tunnel.conf.erb
+++ /dev/null
@@ -1,44 +0,0 @@
-# DO NOT EDIT - This file is being maintained by Chef
-
-# Set the local port to use
-port <%= @port %>
-
-# Use UDP
-proto udp
-
-# Use routed IP tunnels
-dev tun
-
-# Use shared secret authentication
-secret <%= @name %>.key
-
-# Run in peer-to-peer mode
-mode p2p
-<% if @mode == "client" -%>
-
-# Connect to the remote machine
-remote <%= @peer[:host] %> <%= @peer[:port] %>
-<% end -%>
-
-# Configure interface and routing
-ifconfig <%= @address %> <%= @peer[:address] %>
-<% @peer[:networks].each do |network| -%>
-route <%= network[:address] %> <%= network[:netmask] %>
-<% end -%>
-
-# Keepalive - check every 10 seconds and reset after 2 minutes
-keepalive 10 120
-
-# Use AES-128 as the cipher
-cipher AES-128-CBC
-
-# Run unprivileged
-user nobody
-group nogroup
-
-# Reuse resources on restart to avoid privilege problems
-persist-key
-persist-tun
-
-# Set log verbosity
-verb 3
diff --git a/roles/bytemark.rb b/roles/bytemark.rb
index 2289df6484e929e6b16b80556bbe2c9ae675c78f..4e80daa56f7098c42117b95c668ca9159d51bf77 100644 (file)
--- a/roles/bytemark.rb
+++ b/roles/bytemark.rb
@@ -10,7 +10,10 @@ default_attributes(
       :internal => {
         :inet => {
           :prefix => "20",
       :internal => {
         :inet => {
           :prefix => "20",
-          :gateway => "10.0.32.20"
+          :gateway => "10.0.32.20",
+          :routes => {
+            "10.0.0.0/8" => { :via => "10.0.32.20" }
+          }
         }
       },
       :external => {
         }
       },
       :external => {
diff --git a/roles/equinix.rb b/roles/equinix.rb
index 781772cb7f45f87f490ad21ac945a44cf42a52d9..625aa8f57d3e78be50170375d6933d4c8854eb90 100644 (file)
--- a/roles/equinix.rb
+++ b/roles/equinix.rb
@@ -8,7 +8,10 @@ default_attributes(
       :internal => {
         :inet => {
           :prefix => "20",
       :internal => {
         :inet => {
           :prefix => "20",
-          :gateway => "10.0.48.10"
+          :gateway => "10.0.48.10",
+          :routes => {
+            "10.0.0.0/8" => { :via => "10.0.48.10" }
+          }
         }
       },
       :external => {
         }
       },
       :external => {
diff --git a/roles/gateway.rb b/roles/gateway.rb
index b9007b86ece3163425243dcf5c324e6b4d810659..80ae347a5c414f585e8ca8f643952d774b62e80e 100644 (file)
--- a/roles/gateway.rb
+++ b/roles/gateway.rb
@@ -2,6 +2,9 @@ name "gateway"
 description "Role applied to all network gateways"
 
 default_attributes(
 description "Role applied to all network gateways"
 
 default_attributes(
+  :networking => {
+    :wireguard => { :enabled => true }
+  },
   :sysctl => {
     :network_forwarding => {
       :comment => "Enable forwarding",
   :sysctl => {
     :network_forwarding => {
       :comment => "Enable forwarding",
diff --git a/roles/grisu.rb b/roles/grisu.rb
index 8e177a8ff49ea2781610271c2015f8c0236587d8..45df5c5f4fcd1cc6de050a5ca9188b03a3d2b659 100644 (file)
--- a/roles/grisu.rb
+++ b/roles/grisu.rb
@@ -30,32 +30,6 @@ default_attributes(
       }
     }
   },
       }
     }
   },
-  :openvpn => {
-    :address => "10.0.16.5",
-    :tunnels => {
-      :ic2bm => {
-        :port => "1194",
-        :mode => "server",
-        :peer => {
-          :host => "ironbelly.openstreetmap.org"
-        }
-      },
-      :aws2bm => {
-        :port => "1195",
-        :mode => "server",
-        :peer => {
-          :host => "fafnir.openstreetmap.org"
-        }
-      },
-      :ucl2bm => {
-        :port => "1196",
-        :mode => "server",
-        :peer => {
-          :host => "ridley.openstreetmap.org"
-        }
-      }
-    }
-  },
   :planet => {
     :replication => "disabled"
   }
   :planet => {
     :replication => "disabled"
   }
@@ -68,6 +42,5 @@ run_list(
   "role[web-storage]",
   "role[backup]",
   "role[planet]",
   "role[web-storage]",
   "role[backup]",
   "role[planet]",
-  # "role[planetdump]",
-  "recipe[openvpn]"
+  # "role[planetdump]"
 )
 )
diff --git a/roles/ironbelly.rb b/roles/ironbelly.rb
index cf511e4efa4f7d2c412df52358ef8967f7deed1d..5042c4dd0547547d9d01e28a8abbab4fc2afc662 100644 (file)
--- a/roles/ironbelly.rb
+++ b/roles/ironbelly.rb
@@ -55,33 +55,6 @@ default_attributes(
       }
     }
   },
       }
     }
   },
-  :openvpn => {
-    :address => "10.0.16.2",
-    :tunnels => {
-      :ic2ucl => {
-        :port => "1194",
-        :mode => "server",
-        :peer => {
-          :host => "ridley.openstreetmap.org"
-        }
-      },
-      :aws2ic => {
-        :port => "1195",
-        :mode => "server",
-        :peer => {
-          :host => "fafnir.openstreetmap.org"
-        }
-      },
-      :ic2bm => {
-        :port => "1196",
-        :mode => "client",
-        :peer => {
-          :host => "grisu.openstreetmap.org",
-          :port => "1194"
-        }
-      }
-    }
-  },
   :planet => {
     :replication => "enabled"
   },
   :planet => {
     :replication => "enabled"
   },
@@ -138,6 +111,5 @@ run_list(
   "role[planetdump]",
   "recipe[rsyncd]",
   "recipe[dhcpd]",
   "role[planetdump]",
   "recipe[rsyncd]",
   "recipe[dhcpd]",
-  "recipe[openvpn]",
   "recipe[tilelog]"
 )
   "recipe[tilelog]"
 )
diff --git a/roles/ridley.rb b/roles/ridley.rb
index 136cfd7d04af463512e509076bf3609b9098db67..d3ddde39d96ff9b6680ff11d6539ff07f4be38ea 100644 (file)
--- a/roles/ridley.rb
+++ b/roles/ridley.rb
@@ -34,44 +34,6 @@ default_attributes(
         :address => "10.0.0.3"
       }
     }
         :address => "10.0.0.3"
       }
     }
-  },
-  :openvpn => {
-    :address => "10.0.16.1",
-    :tunnels => {
-      :ic2ucl => {
-        :port => "1194",
-        :mode => "client",
-        :peer => {
-          :host => "ironbelly.openstreetmap.org",
-          :port => "1194"
-        }
-      },
-      :shenron2ucl => {
-        :port => "1195",
-        :mode => "client",
-        :peer => {
-          :host => "shenron.openstreetmap.org",
-          :port => "1194"
-        }
-      },
-      :ucl2bm => {
-        :port => "1196",
-        :mode => "client",
-        :peer => {
-          :host => "grisu.openstreetmap.org",
-          :port => "1196"
-        }
-      },
-      :firefishy => {
-        :port => "1197",
-        :mode => "client",
-        :peer => {
-          :host => "home.firefishy.com",
-          :port => "1194",
-          :address => "10.0.16.201"
-        }
-      }
-    }
   }
 )
 
   }
 )
 
@@ -87,6 +49,5 @@ run_list(
   "role[donate]",
   "recipe[hot]",
   "recipe[dmca]",
   "role[donate]",
   "recipe[hot]",
   "recipe[dmca]",
-  "recipe[dhcpd]",
-  "recipe[openvpn]"
+  "recipe[dhcpd]"
 )
 )
diff --git a/roles/shenron.rb b/roles/shenron.rb
index c3db86355878f4cb3b0f1e17c460b59b6daa7007..1caa61018bc23b0d0efd9a17ef9a3e15209bbf34 100644 (file)
--- a/roles/shenron.rb
+++ b/roles/shenron.rb
@@ -16,18 +16,6 @@ default_attributes(
     :modules => [
       "it87"
     ]
     :modules => [
       "it87"
     ]
-  },
-  :openvpn => {
-    :address => "10.0.16.3",
-    :tunnels => {
-      :shenron2ucl => {
-        :port => "1194",
-        :mode => "server",
-        :peer => {
-          :host => "ridley.openstreetmap.org"
-        }
-      }
-    }
   }
 )
 
   }
 )
 
@@ -63,6 +51,5 @@ run_list(
   "role[trac]",
   "role[osqa]",
   "role[irc]",
   "role[trac]",
   "role[osqa]",
   "role[irc]",
-  "recipe[blogs]",
-  "recipe[openvpn]"
+  "recipe[blogs]"
 )
 )
diff --git a/roles/ucl.rb b/roles/ucl.rb
index 7f74979a5e81070e07f963df9e3c2e0d72481209..b3220a9941ceb62d7b9c8a06bb338da12ea25969 100644 (file)
--- a/roles/ucl.rb
+++ b/roles/ucl.rb
@@ -8,7 +8,10 @@ default_attributes(
       :internal => {
         :inet => {
           :prefix => "20",
       :internal => {
         :inet => {
           :prefix => "20",
-          :gateway => "10.0.0.3"
+          :gateway => "10.0.0.3",
+          :routes => {
+            "10.0.0.0/8" => { :via => "10.0.0.3" }
+          }
         }
       },
       :external => {
         }
       },
       :external => {
@@ -18,6 +21,9 @@ default_attributes(
           :gateway => "193.60.236.254"
         }
       }
           :gateway => "193.60.236.254"
         }
       }
+    },
+    :wireguard => {
+      :keepalive => 180
     }
   }
 )
     }
   }
 )
Chef configuration management public repo for configuring & maintaining the OpenStreetMap servers.