working l2th-eth static tunnel

lexrus · Aug 2, 2015 · 3f57950 · 3f57950
1 parent 44bccb4
commit 3f57950
Show file tree

Hide file tree

Showing 6 changed files with 49 additions and 6 deletions.
diff --git a/ansible_hosts.example b/ansible_hosts.example
@@ -9,6 +9,15 @@ localhost              ansible_connection=local
 vpn.example.com  ansible_ssh_user=root  ansible_ssh_private_key_file=~/.ssh/some_key
 auth.example.com  ansible_ssh_user=root  ansible_ssh_private_key_file=~/.ssh/some_key
 
+test_cn1 ansible_ssh_host=test_cn1.example.com ansible_ssh_port=22 ansible_ssh_user=root l2tp_eth_client_remote_ip=test_us1.example.com
+test_us1 ansible_ssh_host=test_us1.example.com ansible_ssh_port=22 ansible_ssh_user=root
+
+[l2tp-eth-client]
+test_cn1
+
+[l2tp-eth-server]
+test_us1
+
 [l2tp]
 vpn.example.com
 

diff --git a/l2tp-eth.yml b/l2tp-eth.yml
@@ -0,0 +1,13 @@
+---
+#setup l2th eth tunnel 
+
+- hosts: l2tp-eth-server
+  roles:
+    - role: l2tp-eth
+      l2tp_eth_mode: 'server'
+    - role: nat
+
+- hosts: l2tp-eth-client
+  roles:
+    - role: l2tp-eth
+      l2tp_eth_mode: 'client'
diff --git a/roles/l2tp-eth/defaults/main.yml b/roles/l2tp-eth/defaults/main.yml
@@ -13,17 +13,19 @@ l2tp_eth_tunnel_server_ip: '10.53.0.1'
 l2tp_eth_tunnel_client_ip: '10.53.0.2'
 
 l2tp_eth_server_if: 'eth0'
+l2tp_eth_server_ip: "{{ hostvars[inventory_hostname]['ansible_' + l2tp_eth_server_if].ipv4.address }}"
 l2tp_eth_server_local_ip: "{{ l2tp_eth_tunnel_server_ip }}"
 l2tp_eth_server_peer_ip: "{{ l2tp_eth_tunnel_client_ip }}"
 l2tp_eth_server_snat_ip: 10.53.0.255
 
-l2th_eth_client_ip: "{{ ansible_default_ipv4.address }}"
+l2tp_eth_client_if: 'eth0'
+l2tp_eth_client_ip: "{{ hostvars[inventory_hostname]['ansible_' + l2tp_eth_client_if].ipv4.address }}"
 l2tp_eth_client_remote_ip: "127.0.0.1"
 l2tp_eth_client_remote_port: "{{ l2tp_eth_server_port }}"
 l2tp_eth_client_local_ip: "{{ l2tp_eth_tunnel_client_ip }}"
 l2tp_eth_client_peer_ip: "{{ l2tp_eth_tunnel_server_ip }}"
 
 
-l2tp_eth_working_dir: "/opt/l2tp-eth/{{ l2th_eth_name }}"
+l2tp_eth_working_dir: "/opt/l2tp-eth/{{ l2tp_eth_name }}"
 l2tp_eth_server_setup_script:  "{{ l2tp_eth_working_dir }}/setup-server.sh"
 l2tp_eth_client_setup_script:  "{{ l2tp_eth_working_dir }}/setup-client.sh"
diff --git a/roles/l2tp-eth/tasks/setup_server.yml b/roles/l2tp-eth/tasks/setup_server.yml
@@ -10,3 +10,15 @@
   notify: 
     - setup l2tp-eth server
 
+- name: make sure /opt/easynat exists
+  action: file path=/opt/easynat/ state=directory
+  tags: 
+    - nat
+
+- name: set network in easynat rule file
+  action: lineinfile dest=/opt/easynat/rules.cnf regexp="{{ l2tp_eth_server_peer_ip }}" line="{{ l2tp_eth_server_peer_ip }}" state=present create=yes
+  notify: 
+    - setup nat rules
+  tags: 
+    - nat
+
diff --git a/roles/l2tp-eth/templates/setup_client.sh b/roles/l2tp-eth/templates/setup_client.sh
@@ -5,11 +5,13 @@ SERVER_IP="{{ l2tp_eth_client_remote_ip }}"
 SERVER_PORT="{{ l2tp_eth_client_remote_port }}"
 LOCAL_IP="{{ l2tp_eth_client_local_ip }}"
 PEER_IP="{{ l2tp_eth_client_peer_ip }}"
-ETH_NAE="{{ l2tp_eth_name }}"
+ETH_NAME="{{ l2tp_eth_name }}"
 MTU="{{ l2tp_eth_mtu }}"
 SESSION="0x{{ l2tp_eth_session }}"
 COOKIE="{{ l2tp_eth_cookie }}"
 
+modprobe l2tp_eth
+ip l2tp del tunnel tunnel_id 1
 ip l2tp add tunnel local $CLIENT_IP remote $SERVER_IP tunnel_id 1 peer_tunnel_id 1 encap udp udp_sport $CLIENT_PORT udp_dport $SERVER_PORT
 ip l2tp add session tunnel_id 1 session_id $SESSION peer_session_id $SESSION cookie $COOKIE peer_cookie $COOKIE
 ip addr add $LOCAL_IP peer $PEER_IP dev $ETH_NAME

diff --git a/roles/l2tp-eth/templates/setup_server.sh b/roles/l2tp-eth/templates/setup_server.sh
@@ -1,17 +1,22 @@
 #!/bin/sh
-SNAT_IP="{{ l2tp_eth_snat_ip }}"
+SNAT_IP="{{ l2tp_eth_server_snat_ip }}"
 SNAT_PORT="{{ l2tp_eth_client_port }}"
 SERVER_PORT="{{ l2tp_eth_server_port }}"
 SERVER_IF="{{ l2tp_eth_server_if }}"
+SERVER_IP="{{ l2tp_eth_server_ip }}"
 LOCAL_IP="{{ l2tp_eth_server_local_ip }}"
 PEER_IP="{{ l2tp_eth_server_peer_ip }}"
-ETH_NAE="{{ l2tp_eth_name }}"
+ETH_NAME="{{ l2tp_eth_name }}"
 MTU="{{ l2tp_eth_mtu }}"
 SESSION="0x{{ l2tp_eth_session }}"
 COOKIE_HIGH="0x{{ l2tp_eth_cookie[:8] }}"
 COOKIE_LOW="0x{{ l2tp_eth_cookie[8:] }}"
+COOKIE="{{ l2tp_eth_cookie }}"
 
-iptables -t nat -A INPUT -i $SERVER_IF -p udp --dport $SERVER_PORT -m u32 --u32 "0>>22&0x3C@12 = $SESSION && 0>>22&0x3C@16 = $COOKIE_HIGH && 0>>22&0x3C@20 = $COOKIE_LOW' -j SNAT --to-source $SNAT_IP:$SNAT_PORT
+modprobe l2tp_eth
+iptables -t nat -D INPUT -i $SERVER_IF -p udp --dport $SERVER_PORT -m u32 --u32 "0>>22&0x3C@12 = $SESSION && 0>>22&0x3C@16 = $COOKIE_HIGH && 0>>22&0x3C@20 = $COOKIE_LOW" -j SNAT --to-source $SNAT_IP:$SNAT_PORT 2>/dev/null
+iptables -t nat -A INPUT -i $SERVER_IF -p udp --dport $SERVER_PORT -m u32 --u32 "0>>22&0x3C@12 = $SESSION && 0>>22&0x3C@16 = $COOKIE_HIGH && 0>>22&0x3C@20 = $COOKIE_LOW" -j SNAT --to-source $SNAT_IP:$SNAT_PORT
+ip l2tp del tunnel tunnel_id 1
 ip l2tp add tunnel local $SERVER_IP remote $SNAT_IP tunnel_id 1 peer_tunnel_id 1 encap udp udp_sport $SERVER_PORT udp_dport $SNAT_PORT
 ip l2tp add session tunnel_id 1 session_id $SESSION peer_session_id $SESSION cookie $COOKIE peer_cookie $COOKIE
 ip addr add $LOCAL_IP peer $PEER_IP dev $ETH_NAME