scripts

ansible/install.yaml

@@ -7,11 +7,7 @@
         state: directory
 
     - name: 'loop through list from a variable'
-      include_tasks: '{{item.protocol}}.yaml'
+      include_tasks: 'protocols/{{item.protocol}}/{{item.protocol}}.yaml'
       vars:
-        name: '{{item.name}}'
-        metric: '{{item.metric}}'
-        mark: '{{item.mark}}'
-        inbound: '{{item.inbound}}'
-        params: '{{item.params}}'
+        conn: '{{item}}'
       with_items: '{{ connections }}'

ansible/protocols/wg/postup.sh

+#!/usr/bin/env bash
+set -e
+
+ip addr add "$loadlPeerAddress" peer "$remotePeerAddress" dev %i
+
+if [ "$inbound" != true ] ; then
+  ip route add default dev %i table "$remoteMark"
+  ip rule add fwmark "$remoteMark" table "$remoteMark" pref 300
+fi
+
+if [ -z "${mtu}" ]; then
+    mtu=$(cat /sys/class/net/%i/mtu)
+fi
+
+mss=$((mtu - 40))
+
+iptables -t mangle -A FORWARD -i %i -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $mss:1460 -j TCPMSS --set-mss $mss
+iptables -t mangle -A FORWARD -o %i -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $mss:1460 -j TCPMSS --set-mss $mss
+
+iptables -t mangle -A PREROUTING -i %i -m set ! --match-set mycard src -j CONNMARK --set-xmark "$remoteMark"
+iptables -t mangle -A PREROUTING -m connmark --mark "$remoteMark" -j CONNMARK --restore-mark
+iptables -t mangle -A OUTPUT -m connmark --mark "$remoteMark" -j CONNMARK --restore-mark

ansible/protocols/wg/predown.sh

+#!/usr/bin/env bash
+set -e
+
+if [ "$inbound" != true ] ; then
+  ip rule del fwmark "$remoteMark" table "$remoteMark" pref 300
+fi
+
+if [ -z "${mtu}" ]; then
+    mtu=$(cat /sys/class/net/%i/mtu)
+fi
+
+mss=$((mtu - 40))
+
+iptables -t mangle -D FORWARD -i %i -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $mss:1460 -j TCPMSS --set-mss $mss
+iptables -t mangle -D FORWARD -o %i -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $mss:1460 -j TCPMSS --set-mss $mss
+
+iptables -t mangle -D PREROUTING -i %i -m set ! --match-set mycard src -j CONNMARK --set-xmark "$remoteMark"
+iptables -t mangle -D PREROUTING -m connmark --mark "$remoteMark" -j CONNMARK --restore-mark
+iptables -t mangle -D OUTPUT -m connmark --mark "$remoteMark" -j CONNMARK --restore-mark

ansible/protocols/wg/wg.conf.j2

+[Interface]
+Address = {{address}}
+PrivateKey = {{key}}
+ListenPort = {{conn.localPort}}
+{% if gwmark is defined %}
+FwMark = {{conn.localGatewayMark}}
+{% endif %}
+Table = off
+PostUp = "localPeerAddress='{{conn.localPeerAddress}}' remoteMark='{{conn.remoteMark}}' {% if conn.inbound is defined %}inbound='{{conn.inbound}}'{% endif %} {% if conn.mtu is defined %}mtu='{{conn.mtu}}'{% endif %} /tmp/nextgen/postup.sh"
+PreDown = "localPeerAddress='{{conn.localPeerAddress}}' remoteMark='{{conn.remoteMark}}' {% if conn.inbound is defined %}inbound='{{conn.inbound}}'{% endif %} {% if conn.mtu is defined %}mtu='{{conn.mtu}}'{% endif %} /tmp/nextgen/predown.sh"
+[Peer]
+PublicKey = {{conn.wgPublicKey}}
+AllowedIPs = 0.0.0.0/0, ::/0
+{% if endpoint is not defined %}
+Endpoint = {{conn.remoteAddress}}:{{conn.remotePort}}
+{% endif %}
+

ansible/protocols/wg/wg.yaml

+- name: conf
+  template:
+    src: wg.conf.j2
+    dest: '/tmp/nextgen/{{conn.name}}.conf'
+- name: postup
+  copy:
+    src: postup.sh
+    dest: '/tmp/nextgen/postup.sh'
+- name: predown
+  copy:
+    src: predown.sh
+    dest: '/tmp/nextgen/predown.sh'
\ No newline at end of file

ansible/wg.conf.j2

-[Interface]
-Address = {{address}}/24
-PrivateKey = {{key}}
-{% if listen_port is defined %}
-ListenPort = {{listen_port}}
-{% endif %}
-{% if listen_port is defined %}
-ListenPort = {{listen_port}}
-{% endif %}
-{% if params.if is defined %}
-FwMark = {{gateways[params.if].mark_gateway}}
-{% endif %}
-{% if inbound is not defined %}
-Table = {{table}}
-{% endif %}

ansible/wg.yaml

-- name: placeholder foo
-  template:
-    src: wg.conf.j2
-    dest: '/tmp/nextgen/{{name}}.conf'

package.json

@@ -3,7 +3,7 @@
   "version": "1.0.0",
   "description": "",
   "scripts": {
-    "inventory": "ts-node src/inventory.ts"
+    "inventory": "node -r ts-node/register --unhandled-rejections=strict src/inventory.ts "
   },
   "dependencies": {
     "@types/lodash": "^4.14.149",

src/inventory.ts

@@ -4,6 +4,7 @@ import fs from 'fs';
 import path from 'path';
 import YAML from 'yaml';
 import _ from 'lodash';
+import * as child_process from 'child_process';
 
 class InventoryBuilder {
   hosts: { [key: string]: any };
@@ -20,7 +21,9 @@ class InventoryBuilder {
     this.hosts = _.keyBy(await this.load('nextgen links'), 'name');
     this.gateways = _.mapValues(_.groupBy(await this.load('gateways'), 'name'), g => _.keyBy(g, 'isp'));
     this.connections = _.intersection(Object.keys(this.hosts), Object.keys(_.find(this.hosts)));
-
+    for (const host of Object.values(this.hosts)) {
+      host.wgPublickey = await this.wgPublickey(host.wgPrivateKey);
+    }
     console.log(Object.values(this.hosts));
     const hosts = Object.fromEntries(Object.values(this.hosts).map(h => [h.host, this.host_vars(h)]));
     console.log(hosts);
@@ -36,11 +39,11 @@ class InventoryBuilder {
         const from = this.hosts[h][host.name];
         if (from && to) {
           // 非对称连接
-          connections.push(this.parse_connection(h, from, true));
-          connections.push(this.parse_connection(h, to));
+          connections.push(this.parse_connection(host, this.hosts[h], to, false));
+          connections.push(this.parse_connection(host, this.hosts[h], from, false, true));
         } else if (from || to) {
           // 对称连接
-          connections.push(this.parse_connection(h, from || to));
+          connections.push(this.parse_connection(host, this.hosts[h], from || to, !!to));
         }
         // 不连接
       }
@@ -55,14 +58,63 @@ class InventoryBuilder {
     };
   }
 
-  parse_connection(_name: string, str: string, inbound = false) {
-    const [_metric, protocol, _params] = str.split(',');
+  parse_connection(local: any, remote: any, connstr: string, mirror = false, inbound = false) {
+    const [_metric, protocol, _params] = connstr.split(',');
     const metric = parseInt(_metric);
     const params = Object.fromEntries(new URLSearchParams(_params).entries());
-    const mark = this.hosts[_name].mark;
-    const name = inbound ? `${_name}-in` : _name;
-    return { name, metric, protocol, params, mark, inbound };
+    const name = inbound ? `${remote.name}-in` : remote.name;
+    const localGatewayName = (mirror ? params.rif : params.lif) || params.if;
+    const localGateway = localGatewayName ? this.gateways[local.name][localGatewayName] : undefined;
+    const localGatewayMark = localGatewayName ? localGateway.mark : undefined;
+    const remoteGatewayName = (mirror ? params.lif : params.rif) || params.if;
+    const remoteGateway = remoteGatewayName ? this.gateways[remote.name][remoteGatewayName] : _.find(this.gateways[remote.name]);
+    const remoteAddress = remoteGateway.address;
+    const remoteMark = remote.mark;
+    const localPort = inbound ? remote.port2 : remote.port;
+    const remotePort = inbound ? local.port2 : local.port;
+    const wgPublicKey = remote.wgPublickey;
+    const localPeerAddress = inbound ? local.peerAddress2 : local.peerAddress;
+    const remotePeerAddress = inbound ? remote.peerAddress2 : remote.peerAddress;
+    return {
+      name,
+      metric,
+      protocol,
+      params,
+      localGatewayMark,
+      remoteMark,
+      remoteAddress,
+      localPort,
+      remotePort,
+      wgPublicKey,
+      localPeerAddress,
+      remotePeerAddress,
+      inbound
+    };
+  }
+
+  async wgPublickey(privateKey) {
+    return new Promise((resolve, reject) => {
+      const child = child_process.execFile('wg', ['pubkey'], { encoding: 'utf8' }, (error, stdout, stderr) => {
+        if (stderr) {
+          console.warn(stderr);
+        }
+        if (error) {
+          reject(error);
+        } else {
+          resolve(stdout.trimEnd());
+        }
+      });
+      child.stdin.end(privateKey);
+    });
   }
 }
 
 new InventoryBuilder().main();
+
+// export interface Host {
+//
+// }
+
+// export interface Interface {
+//
+// }