Commit 69019f1c authored by Cool Fire's avatar Cool Fire

Test IPv6 over openvpn

parent aff92777
......@@ -4,6 +4,7 @@
class profile::openvpn::client (
Array $routes = [],
Array $routes6 = [],
String $proto = 'tcp-client',
Boolean $isserver = false,
String $key = $::profile::openvpn::params::key,
......@@ -11,6 +12,7 @@ class profile::openvpn::client (
Integer $port = $::profile::openvpn::params::port,
String $keyfile = $::profile::openvpn::params::keyfile,
String $ifrange = $::profile::openvpn::params::ifrange,
String $ifrange6 = $::profile::openvpn::params::ifrange6,
String $cipher = $::profile::openvpn::params::cipher,
String $auth = $::profile::openvpn::params::auth,
String $logfile = $::profile::openvpn::params::logfile,
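Review bot: The new `$routes6` parameter is typed as a bare `Array` even though each element is written verbatim into the OpenVPN client config as a `route-ipv6` argument, so a non-string element would only surface when the template renders; `Array[String] $routes6 = [],` pins that contract at the class boundary (the existing `$routes` could take the same type for symmetry). `$ifrange6` is likewise a plain `String`, and its consumers treat it as a prefix with the trailing `::` omitted (`"${ifrange6}::10"`), which is easy to get wrong when passing a value; a comment such as `# IPv6 prefix without trailing '::'; consumers append '::10'/'::11'` on the parameter would save the next maintainer from supplying a full address. Both hunks sit inside a parameter list whose class body continues outside the section.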
......@@ -7,6 +7,7 @@ class profile::openvpn::params (
Integer $port = 11011,
String $keyfile = '/etc/openvpn/secret.key',
String $ifrange = '192.168.221',
String $ifrange6 = 'fd5d:12c9:4221',
String $cipher = 'AES-128-CBC',
String $auth = 'SHA256',
String $logfile = '/var/log/openvpn.log',
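Review bot: The default `fd5d:12c9:4221` is a fixed ULA prefix, so every deployment that does not override it ends up with identical tunnel addresses, mirroring the `192.168.221` default on the line above; RFC 4193 expects the 40-bit global ID to be generated randomly per site, and a shared default will collide if two such tunnels are ever routed towards each other. A comment such as `# ULA /48 prefix without trailing '::'; override per site (RFC 4193 expects a random global ID)` would document both the format the consumers expect and the expectation that it be overridden. The parameter list continues outside the hunk.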
......@@ -3,6 +3,7 @@
#
class profile::openvpn::server (
String $publicip,
String $publicip6,
String $proto = 'tcp-server',
Boolean $isserver = true,
String $key = $::profile::openvpn::params::key,
......@@ -10,6 +11,7 @@ class profile::openvpn::server (
Integer $port = $::profile::openvpn::params::port,
String $keyfile = $::profile::openvpn::params::keyfile,
String $ifrange = $::profile::openvpn::params::ifrange,
String $ifrange6 = $::profile::openvpn::params::ifrange6,
String $cipher = $::profile::openvpn::params::cipher,
String $auth = $::profile::openvpn::params::auth,
String $logfile = $::profile::openvpn::params::logfile,
......@@ -39,31 +41,52 @@ class profile::openvpn::server (
-> File['/etc/openvpn/server.conf']
# The network config bit
sysctl { 'net.ipv4.ip_forward': value => '1' }
sysctl {
'net.ipv4.ip_forward':
value => '1';
'net.ipv6.conf.all.forwarding':
value => '1';
}
firewall { '100 DNAT to tunnel':
table => 'nat',
chain => 'PREROUTING',
proto => 'all',
jump => 'DNAT',
destination => $publicip,
todest => "${ifrange}.10",
firewall {
default:
table => 'nat',
chain => 'PREROUTING',
proto => 'all',
jump => 'DNAT';
'100 DNAT to tunnel':
destination => $publicip,
todest => "${ifrange}.10";
'100 DNAT to tunnel v6':
destination => $publicip6,
todest => "${ifrange6}::10",
provider => 'ip6tables';
}
firewall { '100 SNAT to internet':
table => 'nat',
chain => 'POSTROUTING',
proto => 'all',
jump => 'SNAT',
source => "${ifrange}.10",
outiface => '! tun+',
tosource => $publicip,
firewall {
default:
table => 'nat',
chain => 'POSTROUTING',
proto => 'all',
jump => 'SNAT',
outiface => '! tun+';
'100 SNAT to internet':
source => "${ifrange}.10",
tosource => $publicip;
'100 SNAT to internet v6':
source => "${ifrange6}::10",
tosource => $publicip6,
provider => 'ip6tables';
}
firewall { '110 forward related and established':
chain => 'FORWARD',
ctstate => ['RELATED', 'ESTABLISHED'],
proto => 'all',
action => 'accept',
firewall {
default:
chain => 'FORWARD',
ctstate => ['RELATED', 'ESTABLISHED'],
proto => 'all',
action => 'accept';
'110 forward related and established':;
'110 forward related and established v6':
provider => 'ip6tables';
}
}
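Review bot: Setting `net.ipv6.conf.all.forwarding` to 1 has a side effect the IPv4 sysctl beside it does not: once forwarding is on, the kernel stops honouring router advertisements on interfaces left at `accept_ra=1`, so if `$publicip6` or the host's IPv6 default route is learned via SLAAC/RA it can vanish when the current RA lifetime expires. If the host is addressed that way, add `'net.ipv6.conf.all.accept_ra': value => '2';` to the same `sysctl` block (or a per-interface equivalent); if the address and route are static, a one-line comment saying so would stop the next reader from chasing it. Separately, the `'100 DNAT to tunnel v6'` rule inherits the IPv4 design of forwarding every protocol and port sent to `$publicip6` into the tunnel client, and the IPv6 `nat` table additionally needs ip6tables NAT support in the kernel (3.7 or later), which is worth stating in the class documentation because an older kernel fails only at apply time. The class body starts before this hunk.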
......@@ -15,12 +15,17 @@ log-append <%= @logfile %>
verb 3
<% if @isserver -%>
ifconfig <%= @ifrange %>.11 <%= @ifrange %>.10
ifconfig-ipv6 <%= @ifrange6 %>::11 <%= @ifrange6 %>::10
local <%= @srvip %>
<% else -%>
ifconfig <%= @ifrange %>.10 <%= @ifrange %>.11
ifconfig-ipv6 <%= @ifrange6 %>::10 <%= @ifrange6 %>::11
remote <%= @srvip %>
redirect-gateway local
<% @routes.each do |route| -%>
route <%= route %>
<% end -%>
<% @routes6.each do |route| -%>
route-ipv6 <%= route %>
<% end -%>
<% end -%>
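Review bot: `redirect-gateway local` on the client side only rewrites the IPv4 default route, so after this change a client with native IPv6 connectivity still sends every IPv6 destination not listed in `$routes6` outside the tunnel while all IPv4 traffic is redirected — an asymmetry the commit does not address and that can leak traffic the operator expects to be tunnelled. If full IPv6 redirection is intended, OpenVPN 2.4 and later accept `redirect-gateway local ipv6` (or `::/0` can be supplied in `$routes6`); if only the listed prefixes are meant to be tunnelled, a comment above the `route-ipv6` loop saying so would make the asymmetry deliberate. Also, `ifconfig-ipv6` takes its first argument as `ipv6addr/bits`; no prefix length is given on either side, so the tun interface gets OpenVPN's built-in default (/64 in current releases), and writing it explicitly, e.g. `ifconfig-ipv6 <%= @ifrange6 %>::11/64 <%= @ifrange6 %>::10`, removes that dependency on the OpenVPN version.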