From bf5e3990ebfb6e4a13707b993175baf6fc10d6c9 Mon Sep 17 00:00:00 2001
From: lijia
Date: Tue, 23 Nov 2021 10:22:41 +0800
Subject: wannat支持四元组分流, 升级rpm包, 支持openvpn接入.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 deploy_env/group_vars/all.yml | 16 ++++----
 .../libwire_graft-1.4.1.ec1bc7b-2.el7.x86_64.rpm | Bin 29204 -> 0 bytes
 .../libwire_graft-1.5.0.f3cadd2-2.el7.x86_64.rpm | Bin 0 -> 29608 bytes
 .../wannat_natgw-1.3.8.ed8832d-2.el7.x86_64.rpm | Bin 101484 -> 0 bytes
 .../wannat_natgw-1.4.0.88cdbce-2.el7.x86_64.rpm | Bin 0 -> 103476 bytes
 roles/natgw/tasks/main.yml | 4 +-
 roles/natgw/templates/monit_natgw.j2 | 1 +
 roles/natgw/templates/natgw.service.j2 | 2 +-
 roles/openvpn/tasks/main.yml | 8 ++--
 .../openvpn/templates/openvpn_client_example.ovpn | 36 +++++++++++++++++
 roles/openvpn/templates/server.conf.j2 | 10 ++---
 .../openvpn/templates/windows_client_example.ovpn | 44 ---------------------
 .../rpm/toroad-1.2.5.ceffe93-2.el7.x86_64.rpm | Bin 185688 -> 0 bytes
 .../rpm/toroad-1.3.1.64c74cb-2.el7.x86_64.rpm | Bin 0 -> 185800 bytes
 wannat-install.yml | 12 +++---
 15 files changed, 63 insertions(+), 70 deletions(-)
 delete mode 100644 roles/libwire_graft/files/rpm/libwire_graft-1.4.1.ec1bc7b-2.el7.x86_64.rpm
 create mode 100644 roles/libwire_graft/files/rpm/libwire_graft-1.5.0.f3cadd2-2.el7.x86_64.rpm
 delete mode 100644 roles/natgw/files/rpm/wannat_natgw-1.3.8.ed8832d-2.el7.x86_64.rpm
 create mode 100644 roles/natgw/files/rpm/wannat_natgw-1.4.0.88cdbce-2.el7.x86_64.rpm
 create mode 100644 roles/openvpn/templates/openvpn_client_example.ovpn
 delete mode 100644 roles/openvpn/templates/windows_client_example.ovpn
 delete mode 100644 roles/toroad/files/rpm/toroad-1.2.5.ceffe93-2.el7.x86_64.rpm
 create mode 100644 roles/toroad/files/rpm/toroad-1.3.1.64c74cb-2.el7.x86_64.rpm
diff --git a/deploy_env/group_vars/all.yml b/deploy_env/group_vars/all.yml
index c1a65cb..f6dc4bd 100644
--- a/deploy_env/group_vars/all.yml
+++ b/deploy_env/group_vars/all.yml @@ -10,6 +10,7 @@ wannat_global: bifang_db_password: "bifang!@#" bifang_radius_db_name: "tsg-bifang" vpn_client_ip_cidr: "10.10.120.0/24" + vpn_client_ip_mask: "10.10.120.0 255.255.255.0" vpn_server_ip_local: "10.10.120.1" vpn_client_ip_range: "10.10.120.2-254" sentry_upload_url: "https://sentry.mesalab.cn/api/3/minidump/?sentry_key=xxxxx" @@ -32,20 +33,19 @@ wannat_global: g_probe_retry_times: 5 max_item_number: 10000 lru_timeout: 60 - - pptp: - mtu: 2000 - dns1: "8.8.8.8" - dns2: "114.114.114.114" + + openvpn: + mtu: 1400 + mss: 1360 radius: shared_secret: "testing123" server_ip: "192.168.44.72" rpm_files: - natgw_rpm_file: "wannat_natgw-1.3.8.ed8832d-2.el7.x86_64.rpm" - wire_graft_rpm_file: "libwire_graft-1.4.1.ec1bc7b-2.el7.x86_64.rpm" - toroad_rpm_file: "toroad-1.2.5.ceffe93-2.el7.x86_64.rpm" + natgw_rpm_file: "wannat_natgw-1.4.0.88cdbce-2.el7.x86_64.rpm" + wire_graft_rpm_file: "libwire_graft-1.5.0.f3cadd2-2.el7.x86_64.rpm" + toroad_rpm_file: "toroad-1.3.1.64c74cb-2.el7.x86_64.rpm" ppp_rpm_file: "ppp-2.4.5-34.el7_7.x86_64.rpm" pptpd_rpm_file: "pptpd-1.4.0-2.el7.x86_64.rpm" openvpn_rpm_file: "openvpn-2.4.11-1.el7.x86_64.rpm" diff --git a/roles/libwire_graft/files/rpm/libwire_graft-1.4.1.ec1bc7b-2.el7.x86_64.rpm b/roles/libwire_graft/files/rpm/libwire_graft-1.4.1.ec1bc7b-2.el7.x86_64.rpm deleted file mode 100644 index a42f02a..0000000 Binary files a/roles/libwire_graft/files/rpm/libwire_graft-1.4.1.ec1bc7b-2.el7.x86_64.rpm and /dev/null differ diff --git a/roles/libwire_graft/files/rpm/libwire_graft-1.5.0.f3cadd2-2.el7.x86_64.rpm b/roles/libwire_graft/files/rpm/libwire_graft-1.5.0.f3cadd2-2.el7.x86_64.rpm new file mode 100644 index 0000000..771b413 Binary files /dev/null and b/roles/libwire_graft/files/rpm/libwire_graft-1.5.0.f3cadd2-2.el7.x86_64.rpm differ 
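Review bot: `vpn_client_ip_mask: "10.10.120.0 255.255.255.0"` encodes the same subnet that `vpn_client_ip_cidr: "10.10.120.0/24"` already holds, in a second format that nothing keeps in sync; if one is edited without the other, the `server` and `push "route"` lines rendered from server.conf.j2 will disagree with whatever consumes the CIDR form. Consider a comment above the new key, `# same subnet as vpn_client_ip_cidr, in OpenVPN "network netmask" form (used by server.conf.j2)`, or deriving one value from the other at template time so there is a single source of truth. The `wannat_global` mapping continues outside the hunk, and whether these keys sit under a `common:` sub-mapping (which server.conf.j2's `wannat_global.common.vpn_client_ip_mask` expects) is not visible in this rendering.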
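Review bot: The `pptp:` block is removed here, but `ppp_rpm_file` and `pptpd_rpm_file` stay in `rpm_files`, and wannat-install.yml in this same commit drops the `pptpd` play; either remove the two leftover entries or add a comment that the pptpd role is kept for standalone use. The new `openvpn.mtu: 1400` / `openvpn.mss: 1360` pair feeds `tun-mtu`/`mssfix` in server.conf.j2, so a one-line comment on their relationship (`# mss must stay smaller than mtu; consumed as tun-mtu/mssfix in server.conf.j2`) would help the next person tuning them. Separately, this group_vars file carries `shared_secret: "testing123"` and `bifang_db_password` in clear text and now also feeds the VPN server config; moving those values to ansible-vault is worth a follow-up.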
diff --git a/roles/natgw/files/rpm/wannat_natgw-1.3.8.ed8832d-2.el7.x86_64.rpm b/roles/natgw/files/rpm/wannat_natgw-1.3.8.ed8832d-2.el7.x86_64.rpm deleted file mode 100644 index 677e88e..0000000 Binary files a/roles/natgw/files/rpm/wannat_natgw-1.3.8.ed8832d-2.el7.x86_64.rpm and /dev/null differ diff --git a/roles/natgw/files/rpm/wannat_natgw-1.4.0.88cdbce-2.el7.x86_64.rpm b/roles/natgw/files/rpm/wannat_natgw-1.4.0.88cdbce-2.el7.x86_64.rpm new file mode 100644 index 0000000..427761b Binary files /dev/null and b/roles/natgw/files/rpm/wannat_natgw-1.4.0.88cdbce-2.el7.x86_64.rpm differ diff --git a/roles/natgw/tasks/main.yml b/roles/natgw/tasks/main.yml index d12431e..4d4b9f7 100644 --- a/roles/natgw/tasks/main.yml +++ b/roles/natgw/tasks/main.yml @@ -65,6 +65,4 @@ enabled: yes daemon_reload: yes state: started - - - + \ No newline at end of file diff --git a/roles/natgw/templates/monit_natgw.j2 b/roles/natgw/templates/monit_natgw.j2 index e15619d..13a46b6 100644 --- a/roles/natgw/templates/monit_natgw.j2 +++ b/roles/natgw/templates/monit_natgw.j2 @@ -13,6 +13,7 @@ while [ 1 ]; do # echo $PROCESS_NUM if [ $PROCESS_NUM -lt 1 ] then + ip tuntap del dev tun_natgw mod tun ./wannat_natgw & sleep 1 ifconfig tun_natgw 192.168.1.254/24 up diff --git a/roles/natgw/templates/natgw.service.j2 b/roles/natgw/templates/natgw.service.j2 index b131a11..d32c7e2 100644 --- a/roles/natgw/templates/natgw.service.j2 +++ b/roles/natgw/templates/natgw.service.j2 @@ -23,7 +23,7 @@ ExecStartPost=/bin/sh -c "ip route add default via 100.64.1.253 table 1001" ExecStartPost=/bin/sh -c "/opt/tsg/wannat/natgw/natgw_set_iptables_rule.sh {{wannat_global.natgw.ctrl_device_name}}" -TimeoutSec=300s +TimeoutSec=1000s RestartSec=10s Restart=always LimitNOFILE=524288 diff --git a/roles/openvpn/tasks/main.yml b/roles/openvpn/tasks/main.yml index eea50de..bec4503 100644 --- a/roles/openvpn/tasks/main.yml +++ b/roles/openvpn/tasks/main.yml 
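Review bot: The new `ip tuntap del dev tun_natgw mod tun` runs with its exit status ignored, so if the previous `wannat_natgw` process still holds the device the delete fails silently and the restart proceeds against a stale interface; at minimum log the failure, e.g. `ip tuntap del dev tun_natgw mod tun || echo "tun_natgw delete failed ($?)"`, so the watchdog output shows why a restart loop is spinning. The same cleanup presumably also belongs in the systemd unit (an `ExecStartPre=` in natgw.service.j2) so a restart that bypasses this watchdog gets it too; the unit's start section is not visible in this diff. The `while [ 1 ]` loop this sits in starts and ends outside the hunk.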
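Review bot: `TimeoutSec=1000s` sets both the start and the stop timeout, so a natgw that hangs on shutdown now blocks `systemctl stop`/`restart` (and host shutdown) for over 16 minutes before SIGKILL. If the longer wait is only needed for the `ExecStartPost` route/iptables setup shown above, use `TimeoutStartSec=1000s` and keep the stop side short, e.g. `TimeoutStopSec=30s`. A short comment stating why 1000 s is required would also help, since the previous 300 s was already generous.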
@@ -81,8 +81,8 @@ - name: "template windows_client_example.ovpn to destination server" template: - src: "{{ role_path }}/templates/windows_client_example.ovpn" - dest: "/etc/openvpn/client/windows_client_example.ovpn" + src: "{{ role_path }}/templates/openvpn_client_example.ovpn" + dest: "/etc/openvpn/client/openvpn_client_example.ovpn" tags: template - name: "Template the openvpn server.conf config file" @@ -106,6 +106,8 @@ - name: "enable openvpn service" systemd: name: openvpn-server - enabled: yes daemon_reload: yes + enabled: yes + state: started + diff --git a/roles/openvpn/templates/openvpn_client_example.ovpn b/roles/openvpn/templates/openvpn_client_example.ovpn new file mode 100644 index 0000000..682487a --- /dev/null +++ b/roles/openvpn/templates/openvpn_client_example.ovpn 
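Review bot: The task name still says `template windows_client_example.ovpn to destination server` while `src`/`dest` now point at openvpn_client_example.ovpn; rename it to `- name: "template openvpn_client_example.ovpn to destination server"` so playbook output matches the file actually written. The play that contains these tasks starts outside the hunk.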
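Review bot: `name: openvpn-server` is started here without an instance suffix; the openvpn 2.4 EL7 package referenced in all.yml ships the templated `openvpn-server@.service` (matching the `/etc/openvpn/server/` paths in server.conf.j2), so unless the role installs its own `openvpn-server.service` unit, which I cannot see in this diff, this task needs `name: openvpn-server@server` (or whatever the rendered config file is named). Also `enabled: yes` and `daemon_reload: yes` should be `true` to avoid the YAML 1.1 truthy ambiguity, and the added trailing blank line at the end of the file can go.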
@@ -0,0 +1,36 @@
+client
+dev tun
+proto tcp
+;;;change remote server ipaddress or port for your environment
+remote 192.168.1.1 1194
+resolv-retry infinite
+nobind
+persist-key
+persist-tun
+remote-cert-tls server
+compress lz4-v2
+verb 3
+auth-user-pass
+
+
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIJAKc5EuH/0f7oMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV
+BAMMC0Vhc3ktUlNBIENBMB4XDTIxMDUyNDA5MzE0MFoXDTMxMDUyMjA5MzE0MFow
+FjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCrJSQpFiTSiKb1ViGJ4DVFpdE8TNvA1GGJHaSZG6PH4aU57TX4ebSW
+YmvOMitGBr8RcjV2FQkhsDzgLpb5Eaoz/ZPXNvFiLCclfxLwzIa/UcnnVcvIYDZp
+sHhBR1xcuwyYQ9x9phlF3NOjEq9wIhl8zbzvJoVNEWn1eeFp6EwPpLJGeOJllqd5
+SIQYhu/uWHsgSOizgGlJl+CphLleacsaTWiPoynhY8sewFdwk+MOVsG+K+QigXfM
+CawKlu/23pKteBC+lVZAoncsaCns2YvCm830I5vfbX7aMKa97UKFUNcPq5OFkRD1
+IzQVan7vuwjkGJWMZh63P5HUlxIEREIHAgMBAAGjgYUwgYIwHQYDVR0OBBYEFJZD
+HSezPvx6TIroZIaNknuFwMC4MEYGA1UdIwQ/MD2AFJZDHSezPvx6TIroZIaNknuF
+wMC4oRqkGDAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQYIJAKc5EuH/0f7oMAwGA1Ud
+EwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQCBlv31E16y
+xr3zI43F89hmo1UkBPZxKzP4bFe3CSAiv9nZbungHm13l+hJybQ9XQWstf1I+HZL
+SH9Ub1ygdf4+rfS5Lm1rusgCDWWdwRjJaD11FmwMg64/fE7f0PTGyBO/r0kGLsLL
+XvQOQ4pjZbQghtHkG45yp63FRuHxjw3hFmrpxEYmdWFn/0ejHjyBBwFxsA4tiu0d
+ZQWWAx+/dIZ8n6MVz5MQceaKpC+x/EL9wUcSHEVF5xEa9wm9B7daewrIprERNLSq
+S0XRwXFrspwUIoL0KFm/HA25LjSYRU9OlKiCCP9JsxjhhW5ExcNAxVbI0HpZY5bV
+RmQ4krnQ3hYS
+-----END CERTIFICATE-----
+
diff --git a/roles/openvpn/templates/server.conf.j2 b/roles/openvpn/templates/server.conf.j2
index ef56947..2e88867 100644
--- a/roles/openvpn/templates/server.conf.j2
+++ b/roles/openvpn/templates/server.conf.j2
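Review bot: The CA certificate at the bottom of the new profile is not wrapped in `<ca>` … `</ca>` tags, so OpenVPN will not read it as the inline CA and the `remote-cert-tls server` check has no trust anchor to verify against (the removed windows_client_example.ovpn had the same layout, so this is inherited rather than introduced here). Add `<ca>` on the line before `-----BEGIN CERTIFICATE-----` and `</ca>` on the line after `-----END CERTIFICATE-----`. The profile also relies on `auth-user-pass` alone with no `tls-auth`/`tls-crypt` key, which matches the server's `client-cert-not-required`; a comment such as `;;; client auth is RADIUS username/password only, no client certificate` would make that trade-off explicit to whoever distributes this file.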
@@ -6,11 +6,11 @@ ca /etc/openvpn/server/ca.crt
 cert /etc/openvpn/server/server.crt
 key /etc/openvpn/server/server.key
 dh /etc/openvpn/server/dh.pem
-server 10.10.130.0 255.255.255.0
+server {{wannat_global.common.vpn_client_ip_mask}}
 ifconfig-pool-persist ipp.txt
-push "route 10.10.130.0 255.255.255.0"
+push "route {{wannat_global.common.vpn_client_ip_mask}}"
 push "redirect-gateway def1"
-push "remote-gateway 10.10.130.1"
+;;;push "remote-gateway 10.10.130.1"
 ;client-to-client
 ;duplicate-cn
 keepalive 10 120
@@ -27,8 +27,8 @@ persist-tun
 status openvpn-status.log
 log /var/log/openvpn.log
 verb 9
-tun-mtu 1472
-mssfix 1400
+tun-mtu {{wannat_global.openvpn.mtu}}
+mssfix {{wannat_global.openvpn.mss}}
 username-as-common-name
 client-cert-not-required
 #close cert, use username and password to radius for auth
diff --git a/roles/openvpn/templates/windows_client_example.ovpn b/roles/openvpn/templates/windows_client_example.ovpn
deleted file mode 100644
index 3cb77bc..0000000
--- a/roles/openvpn/templates/windows_client_example.ovpn
+++ /dev/null
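Review bot: `server {{wannat_global.common.vpn_client_ip_mask}}` and the matching `push "route ..."` read the key from a `common` sub-mapping, while the all.yml hunk in this commit shows `vpn_client_ip_mask` below `wannat_global:` with its indentation lost in this rendering; please confirm the path resolves, because an undefined variable here fails the template task at deploy time rather than at review. In the second hunk, the bundled client profile uses `proto tcp`, and the OpenVPN manual scopes `mssfix` to UDP transport, so if the server side is TCP as well the new `mssfix {{wannat_global.openvpn.mss}}` may have no effect and `tun-mtu` alone governs sizing; a comment stating which transport the values were tuned for would stop someone adjusting `mss` and expecting a change. The adjacent `client-cert-not-required` is deprecated in OpenVPN 2.4 in favour of `verify-client-cert none`, and `verb 9` leaves debug-level logging on in production; both lines are unchanged here but deserve a follow-up now that this template is parameterised.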
@@ -1,44 +0,0 @@
-client
-dev tun
-proto tcp
-;;;change remote ipaddress for your environment
-remote 192.168.1.1 1194
-resolv-retry infinite
-nobind
-;user nobody
-;group nobody
-persist-key
-persist-tun
-;;;ca ca.crt
-;;;cert client.crt
-;;;key client.key
-remote-cert-tls server
-;;;tls-auth ta.key 1
-;;;;cipher AES-256-CBC
-compress lz4-v2
-verb 3
-;mute 20
-auth-user-pass
-
-
------BEGIN CERTIFICATE-----
-MIIDNTCCAh2gAwIBAgIJAKc5EuH/0f7oMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV
-BAMMC0Vhc3ktUlNBIENBMB4XDTIxMDUyNDA5MzE0MFoXDTMxMDUyMjA5MzE0MFow
-FjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
-ggEKAoIBAQCrJSQpFiTSiKb1ViGJ4DVFpdE8TNvA1GGJHaSZG6PH4aU57TX4ebSW
-YmvOMitGBr8RcjV2FQkhsDzgLpb5Eaoz/ZPXNvFiLCclfxLwzIa/UcnnVcvIYDZp
-sHhBR1xcuwyYQ9x9phlF3NOjEq9wIhl8zbzvJoVNEWn1eeFp6EwPpLJGeOJllqd5
-SIQYhu/uWHsgSOizgGlJl+CphLleacsaTWiPoynhY8sewFdwk+MOVsG+K+QigXfM
-CawKlu/23pKteBC+lVZAoncsaCns2YvCm830I5vfbX7aMKa97UKFUNcPq5OFkRD1
-IzQVan7vuwjkGJWMZh63P5HUlxIEREIHAgMBAAGjgYUwgYIwHQYDVR0OBBYEFJZD
-HSezPvx6TIroZIaNknuFwMC4MEYGA1UdIwQ/MD2AFJZDHSezPvx6TIroZIaNknuF
-wMC4oRqkGDAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQYIJAKc5EuH/0f7oMAwGA1Ud
-EwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQCBlv31E16y
-xr3zI43F89hmo1UkBPZxKzP4bFe3CSAiv9nZbungHm13l+hJybQ9XQWstf1I+HZL
-SH9Ub1ygdf4+rfS5Lm1rusgCDWWdwRjJaD11FmwMg64/fE7f0PTGyBO/r0kGLsLL
-XvQOQ4pjZbQghtHkG45yp63FRuHxjw3hFmrpxEYmdWFn/0ejHjyBBwFxsA4tiu0d
-ZQWWAx+/dIZ8n6MVz5MQceaKpC+x/EL9wUcSHEVF5xEa9wm9B7daewrIprERNLSq
-S0XRwXFrspwUIoL0KFm/HA25LjSYRU9OlKiCCP9JsxjhhW5ExcNAxVbI0HpZY5bV
-RmQ4krnQ3hYS
------END CERTIFICATE-----
- 
\ No newline at end of file
diff --git a/roles/toroad/files/rpm/toroad-1.2.5.ceffe93-2.el7.x86_64.rpm b/roles/toroad/files/rpm/toroad-1.2.5.ceffe93-2.el7.x86_64.rpm
deleted file mode 100644
index cb56420..0000000
Binary files a/roles/toroad/files/rpm/toroad-1.2.5.ceffe93-2.el7.x86_64.rpm and /dev/null differ
diff --git a/roles/toroad/files/rpm/toroad-1.3.1.64c74cb-2.el7.x86_64.rpm b/roles/toroad/files/rpm/toroad-1.3.1.64c74cb-2.el7.x86_64.rpm new file mode 100644 index 0000000..bb020de Binary files /dev/null and b/roles/toroad/files/rpm/toroad-1.3.1.64c74cb-2.el7.x86_64.rpm differ diff --git a/wannat-install.yml b/wannat-install.yml index 0addbb8..0196d49 100644 --- a/wannat-install.yml +++ b/wannat-install.yml @@ -25,17 +25,17 @@ vars_files: - deploy_env/group_vars/all.yml -- hosts: pptpd - roles: - - pptpd - vars_files: - - deploy_env/group_vars/all.yml - - hosts: radius_server roles: - radius_server vars_files: - deploy_env/group_vars/all.yml + +- hosts: openvpn + roles: + - openvpn + vars_files: + - deploy_env/group_vars/all.yml -- cgit v1.2.3
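Review bot: The new play targets an `openvpn` host group that appears nowhere else in this diff, so it must already exist in the deploy_env inventory or Ansible will warn that the pattern matched no hosts and skip the play; a comment next to `- hosts: openvpn` naming the expected inventory group (and that it should be the same host as the `natgw` group if the VPN clients are meant to egress through natgw) would make that dependency visible. The removed `pptpd` play leaves `ppp_rpm_file`/`pptpd_rpm_file` in all.yml, as noted on that hunk. The added trailing blank line at the end of the file can go.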