diff --git a/README.md b/README.md index 970c730..c503eb7 100644 --- a/README.md +++ b/README.md @@ -41,16 +41,20 @@ __network.tjo.cloud__ establishes Tailscale VPN connection between other network ### 2. Manually configure vmbr0 and use import to import it. -### 3. Deploy terraform and manually install OPNsense via console. +### 3. Deploy terraform. ### 4. Manually configure Tailscale. -Ref: https://tailscale.com/kb/1097/install-opnsense +Ref: https://github.com/adyanth/openwrt-tailscale-enabler ``` -opnsense-code ports -cd /usr/ports/security/tailscale -make install -tailscale up --accept-routes --advertise-routes=$(ipv4_subnet),$(ipv6_subnet) --accept-dns=false +tailscale up --accept-routes --advertise-routes=$IPV4_SUBNET,$IPV6_SUBNET --accept-dns=false --ssh ``` ### 5. Configure `NAT`, `DHCP`. + + +# TODO + +## IPv6 Connectivity. + +As we assign private ipv6 addresses, we would have to ise ipv6 nat to translate those to real ipv6 addresses. diff --git a/docs/arhitecture.excalidraw.svg b/docs/arhitecture.excalidraw.svg index d966dff..8a45b86 100644 --- a/docs/arhitecture.excalidraw.svg +++ b/docs/arhitecture.excalidraw.svg @@ -1,10 +1,10 @@ - + - eyJ2ZXJzaW9uIjoiMSIsImVuY29kaW5nIjoiYnN0cmluZyIsImNvbXByZXNzZWQiOnRydWUsImVuY29kZWQiOiJ4nO1cXFlX4khcdTAwMTR+71/BcV6HTO1Lv6Fii1x1MDAwYtqK6/RcdTAwMWNPTFx1MDAwMkRCgiFcYjqn//tUUMnKXHUwMDEyxK2n6XNaqSSVW5X7fferWzf++6VUWlx1MDAwYu571trX0po1MnTHNn19uPZn2H5n+X3bc9UhNP7e91x1MDAwNr4xPrNcdTAwMWRcdTAwMDS9/te//oqu0Fxmr/t4leVYXctccvrqvL/V91Lp3/H/6ohthtdcdTAwMDZGdfNcdTAwMDHrZ9XW5ZZ5rG+TVv9Gji9cdTAwMWSf9GyMb1x1MDAxOYHutlx1MDAxYys6NFLtXHUwMDA0wsn3+9AyhDU6aVx1MDAxOdpm0Fx1MDAwZVtcdTAwMDWbtLUtu9VcdTAwMGVUI8N40vjY89dcdTAwMTKYtPRcdTAwMDPf61hcdTAwMWKe4/nh7f+AVvgvuvm1bnRavjdwzck5ga+7/Z7uq9FG5zVtxzlcdTAwMGXux72rXHUwMDE5U7OzlrrH2bORqfZpV6mbttqu1Vx1MDAwZmc0XHUwMDFhvNfTXHI7XGKnXHUwMDAwgmhcdTAwMTShhb2aOZ78f1wim3y9a9XC2XdcdTAwMDeOM2m2XdNcbud0TYeJu7nm092en1xc9FjwU8vPyHbLXG47hpJIiClikS2R+0DA0q11z1x1MDAxZLtcdTAwMTKEmFx1MDAxMUxcdTAwMDWPzrD7m8qHgnG3Td3pW9EzXGJtq8b8K1x1MDAxYeKgZ+qPl0COXHUwMDAxQ0RAgXHUqWO7nfT4XHUwMDFkz+hEd/lcdTAwMTJcdTAwMWJXymWNXVx1MDAxM7q7t3r9flhcdTAwMWTSKrr3z0+OXHUwMDE3dlksQdJlXHR+J4f9ozn+fHZnPX25t3KOIUNcdTAwMDCiXHUwMDFjb8268MRZKZSYYiHRMs46MS8ydOJh1lx1MDAxNTq4pdXKPofB4HRcdTAwMWbu7o2G+mSYXHQv033fXHUwMDFirk2O/Hz6bTpcdTAwMTSoMlx1MDAxYkm4XHUwMDFhKDjdzlXLrNTv6cA7qNxd7Fx1MDAxZFx1MDAxOTuNxaHAU1Cg8t3Y+9dcdTAwMDBcdTAwMDN6MVx1MDAxNlx1MDAxOOIhbdM8KCh3n4ZcdTAwMDVcdTAwMDRcdTAwMTCigjG6Qiw8e09gjYKk8z8631x1MDAwZWHYPOjt2sb5UVx1MDAxYuzsVfbuKnohKFx1MDAwMMFcdTAwMDBHq4FCvjVcdTAwMTkoJFx1MDAwNvOEXHUwMDAymkRcdTAwMDEjOShQgVFjiU9cdTAwMTZcdTAwMTSIrlx1MDAxNlx1MDAxM7+OokEkXHUwMDFmXHUwMDE4idOfo4HAnDOOXHUwMDExyYFcdTAwMDCZXHUwMDFlXHKQxFLFgqWkS8KOl7tp5HWht6lcdDj0vVHXXHUwMDFilba9fvxRem5wbD884jfRuqV3bSece5roquLYLXfM+1Yz1o+aicBW0n9yOPB60VFD9afbruXXXHUwMDE2XHRcdTAwMTmeb7dsV3dcdTAwMWEzLddcdTAwMDeBd2T1XHUwMDFmbVx1MDAwZvyBXHUwMDE1n1x1MDAxY2v7XHUwMDE5XHUwMDEwUEN0XHUwMDA2ZK9qh9+7h/WgXHUwMDA2T8pux240bftcXFx1MDAxNFx1MDAxMHJJ3GJcdTAwMTQ57yR2oYgxJzCFiGoy/uFFYCs5NNBnhm1cdTAwMTSLnPa3043j1jZsN6ujq2DwcO6W+89cdTAwMDReXHUwMDAw3XRcdTAwMDVcdTAwMTKQQiBcdTAwMTlhJFx1MDAwZvRCTlxye5hcdTAwMTLM4lTx6lFv98A9lj1cdTAwMTB4VefS275nOzv7W91Y1Pszv9vHi+3K0UZfXHUwMDFjnXs3XHUwMDAxXHUwMDFjnoiWe3q3cbaYsJzZ76dcdTAwMTGs+bO3QJQmXHUwMDAwpNDOsmhcdTAwMDdYgzj+yYKfgt9gf1x1MDAxMdjZ4pGcUIFcYlRLu1x1MDAxY0zzqZjGXHUwMDEwU6AkwDJKdnZcdTAwMWOHXHUwMDAws9iSZ4k47lrB0PM7WnDjaYbjXHLM0un+XHUwMDBm9+Cw3rfcvvXOkX1OOE1H9kXHsppYb3BkXHUwMDA25duOXWnsUX3n5OLS31xmXHUwMDE2XHUwMDAyPqSaXHUwMDEweZhcdTAwMWXTgMhcdTAwMTPrTGhopTzw6bX6K/DAt1x1MDAwMpKeck7VylaIvFUtnKHpXHUwMDA1UME9XHUwMDA2oVx1MDAxNSV4ek2zTS3u351cXLdcdTAwMWE9XHRH7GhIV1x1MDAxNS9cdTAwMTFcdTAwMTQ8pjuXoFx1MDAxOTgqnVXqP1xc9XOvUl9cdTAwMDWtXHUwMDE4alYsf1x1MDAwNrF0bdOMK+wktySMT1x1MDAxM8k0a1dDXHUwMDFj91x1MDAwZnhcdTAwMDSdPbC+V3ZuTas3sHWjlyWOaVx1MDAxYlx1MDAxNChC1nh68jcoINZA/JO3aph+znxcdTAwMDJBTWlcdTAwMTHya1x1MDAxMMgm73Xcc+9cdTAwMTbinavGXHLavsGnfnlcdTAwMTlcdTAwMDJ5+aqBXHUwMDAyqZZccjSbXHUwMDE0XHUwMDE4L1xyptNcboSMcYLxXHUwMDFiJsvu6WmgX3y7uDk+//7dUavuh3r1bFF5/3C77TTWb9qVy+P2RcDYaL/hXHUwMDFkrIyuMGeYxrG5vLzPXHUwMDFm5VwiUVx1MDAxZfFcdTAwMTRORV5cdTAwMTKO8iwwXHUwMDBiRfLfQMxcdTAwMDKRXHUwMDE3XGLkXFxcdTAwMTGq8lx1MDAxYpG7r1x1MDAxOFskpjU9QZDR5XJzM7ZcdTAwMTUpXHUwMDAykmNZwHczodZ2W75cdTAwMWFvpIJ/uPVvtfr5O2v5OVEvXHUwMDFkguePYjXBmJTL112MxNZ95Wrr+PSQU9o4X1xi35hrIes+f5JoZ1x1MDAwMOapeKrxeMI9XHUwMDA3+/+zjPvqsS9cbmBfSCSZpCBPxKvF9dRoiyXmVLDVq/jXXHKLRIpYNnI5XHUwMDE1/znU+yuo9uv6XHUwMDE2umUsOCPNnVx1MDAxYl5cdTAwMWVeXFxcdTAwMTmyXFygrCjFXHUwMDBmMndjOpb2jcl0tHxyX1x1MDAxYZhd01+DIc5qm43a+pG/eVx0ROW2XGYsXHQvq0swhMxniFwiuX3AMFTBX+blXHUwMDAxXHUwMDExztDJM3FIXHUwMDA2MGRcdTAwMDIvJVx1MDAxYZZT6ftOp79+/HBcbst73vpWJTjZ/T4wXHUwMDE3VelcdTAwMWYrqTBcdTAwMDOc+aNcXEilJ1fTXHUwMDFj5G6VS6qFXHQ7JFx1MDAxMOGA5y2mXHUwMDBiafbfqMyislIgbkPImYCS5MZtPL1cdTAwMTaQIcTwsnF7pitcdTAwMDMpiuwnZVwia2dwbfmuMiSheHcnraW6Z753Nn5OXHUwMDA0TIfhgkNakZxfL9dccv9cdTAwMWLdNGqbjr1Bt3e6/e3F5LycIec5y0uy/ZbzpVenhfVcIkt5yVx1MDAwNWFcdTAwMDTly/nptCAh4Vx1MDAxNMZWXHUwMDAxn1wiJ69cIlFs9+G3mi/EXHUwMDEzs8tcdTAwMTZSjyVBXHUwMDE0QiapgcQ0+0THx/aCJ1RcdTAwMTCdNp9cdDDBOlx1MDAwMe/CXHUwMDA0pt5vW29bS7exqCBHU1x1MDAwNbngYUG+zM3iIZApwZlAn3NcdTAwMDEpR/BccvPmXHUwMDA3zj25glV5yjq3+/tS75iN5kYh6EuBiVxcKkfY8+y07X/HLFx1MDAwNHFzweT3f/7MPbssXHUwMDEy55fh3Fx1MDAwYmK4XHUwMDE4fyfRXHUwMDE1mVE7ej/Y8LpdO1BjP1xm7c7QfqD7wbpyI9ttpY9Zrlx1MDAxOVx1MDAxZIk50tPLQ4uUXHUwMDE3jLnPXHUwMDE4hLNcdTAwMDU0ilx1MDAwMZVAXHUwMDEwgJAgMFrMh06v9+LQXHUwMDE4o3CUNDnrtqHplZBcXNqWnkGGMj5+LM1ClnPtXHJcdTAwMTdaXHUwMDE25bvaXHUwMDAyaojHXHUwMDAywJjkXHUwMDAwz928yKG5Qorn/8Vzm4trXHUwMDE5XHUwMDA0lCghXHUwMDEy5pZcZqPp+4Bqlap8lLFlVjhzSo0wXHUwMDA07EV6ozpSXCJBRfZSw9ebTdv4XHUwMDAwymOeXHUwMDBlSIuR6UNYjSyZXfU4S5YwXHUwMDE4PZtxXHUwMDE5XHUwMDExXHUwMDA3mqRcdTAwMDCDMGfBXGIg2eJCyISGoVxugGpdTDklOfX/XHUwMDFjaVx1MDAxMFx1MDAwYsyIkJRcdTAwMDNQbDXzfqWG74DtrVx1MDAxN2tcdTAwMTikXHUwMDEwRrmUOO9FXHUwMDE5nF3URC+NXHUwMDAxXHUwMDFjvl3wlnv/NYibXHUwMDFlrp32alu9dWe9vXezW21cdTAwMTfTMFLFlKUqXHUwMDE3i2iYMtSYXHUwMDEy7Fx1MDAxMlxuhqWCgnLyeVwiXHUwMDA1MqZhgVx1MDAwMKYq0NPYhsn4IE7hYX5vUzA2to5SXHJCQlx1MDAxOYJMkTZhYG5/Qlx1MDAxMVxiwlx1MDAxMKt7XHUwMDBiXHUwMDBlOKTJ/uQqXHUwMDA11YtlU1x1MDAxOWhYzVx1MDAxNmKQQMSB5Cx63WtJ4bSQrpv9Om3SQC6kipaUcywpVVx1MDAwZiljXHUwMDFmwslcdTAwMTmPP8KPo/TyXHUwMDAxuYjSXHUwMDAzTFPjXHUwMDAynFOgJC5MpsNxWFxcJlx1MDAxNDFBgDijSGbfLIaSaSysSIVIXG6BRKyHT1ei/lx1MDAwZXGjSM2pZGFxXGLLLmfDKc5Ejef4oFiHo8R7KCuThEKSQnVWXHUwMDE5SdjQbaev5JpV2vBcXNcyXHUwMDAyZfdcdTAwMGb32lxuhpblltpeX1nxXHUwMDAxVOJcdTAwMWNZllaJeaMqTVx1MDAxOdRqdOPsTOMs3Zj+e1x1MDAxN3npLJyT2MYxh/vQmH77V0O3XyxcdTAwMDUxopRKnluXgtnURDZcdTAwMDLKekDpckpwVq6ZSlx1MDAxMCtUfLeEXHUwMDEzwvHzMeBz5VdCvSmffVx1MDAwYn00+8WQmPyAXHUwMDFhoJgwiDDAQkBcdTAwMGWz6oMk31x1MDAxNEHFxMdCamn2lllcXC0pe0VI+VxiU4k5XHUwMDA38dl9VnMksYvGOClk8Fx1MDAxYqml2WVWs+hcdTAwMTKnsv8sVtczocu8WvvfZJlPlrVcdTAwMTeTJVx1MDAwNVx1MDAwNFx1MDAwMixZniqSUzP/Ku6pZyfp6t+tXHUwMDFmV7YslShbKVniXHUwMDA0V8aT86/HfLNrfEuJhHpYO02BxEKJWpElXHUwMDEyROOXrYjpZtb6JteFgFxuzFx1MDAxNX9JpKxUz1RkLORcdTAwMWaM6b48PdI1vdc7XHUwMDBllE9OZmLtzraG69P/Qs2XJ8NCXHUwMDA2scbo+/nl539cdTAwMDBMKlQifQ== + eyJ2ZXJzaW9uIjoiMSIsImVuY29kaW5nIjoiYnN0cmluZyIsImNvbXByZXNzZWQiOnRydWUsImVuY29kZWQiOiJ4nO1cXFtX4khcdTAwMTB+n1/BcV+XbN8v84aK491cdTAwMTnF685cdTAwMWVPhFx1MDAwMJGQYFxiXHUwMDAy7pn/vlx1MDAxNVSSkIDcXHUwMDE0nTVzRqWTdKq766v6qlLNv19yubWg37LWvubWrF7ZdOyKb3bX/lxm2+8tv217LpxcIoPPba/jl1x1MDAwN1fWg6DV/vrXX9FcdTAwMWRG2Ws+3mU5VtNygzZcXPc3fM7l/lx1MDAxZPyEM3YlvDcoXHUwMDE3N1x1MDAxZqh5XqxdbVVOzG1Wa9/qwa2Di56F8a1yYLo1x4pO9aCdYTz83Fx1MDAwZiUj1ODDlq5dXHTqYatcdTAwMTLDtrpl1+pcdTAwMDE0XG5Kh42PPX/NoWFLO/C9hrXhOZ5cdTAwMWY+/lx1MDAwZmyF/6KH35jlRs33Om5leE3gm267Zfow2ui6qu04J0F/0DvMXHUwMDE4zM7ayDPOn4VcdTAwMWNpXHUwMDFmd1x1MDAxNzy0Vnetdjij0eC9llm2g3BcbjCKRlx1MDAxMUrY2qlcZib/n0gm32xaO+Hsu1x1MDAxZMdcdTAwMTk2227FXG7ndM3Eiae5laenPa9cXLQs9KnlVyS7ZYVcdTAwMWRjzTSmnIhIlkh9MFx1MDAxMqOth547UCWMqWCUK1x1MDAxOV1htzdBh4JBt1XTaVvRXHUwMDFhhLJcdTAwMTVj+lx1MDAxNVxysdOqmI+3YEmRIExhRWnUqWO7jdHxO165XHUwMDExPeVLbFxcIypb3qtgd+/OPOx3i11eJH3/4vRkapWlXHUwMDFhJVWW0Vx1MDAxNSnsXHUwMDFm1cHx0ZX1bHFtlZJiQVx1MDAxMCZcdTAwMTnamlbhobJyrCmnSpN5lHUoXiToUMOsa3J0x4uFXHUwMDAziYPO2Vx1MDAwMd7b73XN4TBcdTAwMTNaZvq+111cdTAwMWKe+fX013gocFx1MDAxMJtovFx1MDAxYyg4zcZ1rVI47POOd1S4v9w/Lu+WpoeCXHUwMDFjgVx1MDAwMtcrs96/XHUwMDA3XHUwMDE4yMJYXHUwMDEwRIZmm2dBXHUwMDAxrPo4LFx1MDAxMKS5REIwvDwsPGtPYPWCpPI/Kt8uXHUwMDEztHLU2rPLXHUwMDE3x3W0u1/Yvy+YMSj8md3t481cdTAwMGZ3205p/bZeuDqpX1x1MDAwNkL0XHUwMDBlSt7RciDGuVx1MDAwNGtcIulyIJY9ylx1MDAxNMRcdTAwMTKT9IQunkSXYFx1MDAxOehcdTAwMDKHa4jEkVx1MDAwNlx1MDAxYuHLxdrvw5RcYstcdTAwMDZcXOLyZy+jqJRCUpJcdTAwMDJRSGTHe1x1MDAxOaKpXHUwMDA2XHUwMDFms2xKxJFcdTAwMTJIklx1MDAxOZQ00rlQ12D4332v1/R6uW2vXHUwMDFkX0jPXHJO7IdHq5Bo3TKbtlx1MDAxM848T3RVcOyaO/AmVjXWXHUwMDBmzENgQ0AxPFx1MDAxZHit6GxcdTAwMTn6M23X8nemcUSeb9ds13RKXHUwMDEzJTc7gXdstVx1MDAxZmVcdTAwMGb8jlx1MDAxNZ9cdTAwMWNr+1x1MDAxOVx1MDAwZdggfFx1MDAwMmCvd77/aH4/XGZ28Gnebdilqm1fqFx1MDAxOehhXHUwMDEytZREqjv0iCSyLUOQYsJcclx1MDAxZD/kLKDVXHUwMDEyl8lHXHUwMDA2beThnPq3s42T2jauV4u966DzcOHm28/me1x1MDAwNmzzJVx1MDAxMEuOkVx1MDAxNkywLMhrOto4hDxTQofxk347Z7p35J7oXHUwMDE2XG68onPlbffF7u7BVnNaZ2pcdTAwMTeON9rq+MK7XHJw91TV3LP7jfPpnOnEfl+RXHUwMDA3g5NGUosl8eDs2ZvCSTOERuAu0nBH1MA0fqTRz9En2lx1MDAxN0K7mN6RM65cYsNcdTAwMTAxZlFkNJZcImNcdTAwMDQ+lzKp6DyonqTIRGDMZlDklCN3raDr+VxyI7j1jLLjdSq5s4OfLsxDYPkrduwveNNRxz7dSJbj6MuSVIL8XcMulPa5uXt6eeVvXHUwMDA2U4FcdTAwMWVzQ6ksPFx1MDAwZkyAyuLpQlx1MDAxOWSpNuDD0/RXsFx1MDAwMd9mYPNcXEpcdTAwMGVRnlJZVlx1MDAwME+g81xuQVxiXHUwMDEwXHUwMDAz0JJyRq1qpc4t6d+f3tRKLY174rjLl5UzXCJYSTJLQJsyMbiXOy9cdTAwMWP+dOH3fuFwXHUwMDE5RqVcZrNcdTAwMTJcdTAwMDd1yqw07UolTq+TliUh/KhcdTAwMTlcdTAwMTkn7XJcZkf/gfaws4/W9/POXcVqdWyz3EpcdTAwMWKOce88SNJecCD+XHUwMDE5WTNMXHJcdTAwMTQ/skKG8de8bEBIVVuM/Vx1MDAxZVx1MDAwNmRTtlx1MDAxYe6Fd4fp7nXplmzf0jM/P49cdTAwMDFZPGTgSEPMwNP5gHBCKFx1MDAxZm2NQlx1MDAwNik1Upy8YcjQ52eBefnt8vbk4sdcdTAwMGZcdTAwMDdC7ofD4vn7yL9cdTAwMTGlsIpjc35qnz3Kabw8UUmcUpSVf+MyXHLMmTz5J1x1MDAxMNNAlDM4cslcYlx1MDAwMb1RmYhDY4N0SYjkmPO5XHUwMDEy3pN0l4JKoFx1MDAxOXQ35Wptt+bDeCNcdTAwMGX80235Xq+/Yib/gtdcdTAwMWJ1wS+PYjnOmOXzN01K1Fa/cL11cvZdcl66mFxu31RcdTAwMThcdTAwMThHefNcYsfh/Fx0lFWJILgh47n2XGbs/8+S7cvHvppcdTAwMDH7Slx1MDAxMy00R1kknvDxobygWlx1MDAxM0bnXHUwMDBi5VfoXHUwMDE2hVJcdTAwMGIlXG4+XGZ7f1x1MDAwNdZ+c7hF7oRcYs5ZdfdW5ruX12Wdn6FSacQ+6Mx33bGXQzGaTubP7OsyXHUwMDE1N/z3sFx1MDAxMOc7m6Wd9WN/81xuqcJdXHUwMDFlWVx1MDAxYV9cdTAwMTXnsFx1MDAxMDrbQsyS2EdcdTAwMDLcNJE6K1x1MDAwN0hoypw8XHUwMDFiXHUwMDBlXHJuXHUwMDAxXHUwMDBiRed6lzdcdTAwMWZLP3BcdTAwMWHt9ZOHM5zf99a3XG7B6d6PTmValv6+klxuXHUwMDEzwJk9yqlYOkngUqLMt+SaXHUwMDFiYcKOKMIkklnB9Eyc/Vx1MDAxM5VpVFx1MDAxNmbw21x1MDAxOEuhsGaZfpulaleiiq3wbZwkMVu8LNKusV6ItDc6N5bvgiBcdMZcdTAwMWK15lxcr2Itw/EuwOBf8ICjbnjGIS2Jzq/nXHUwMDBmy/43vlne2XTsXHK+vdtsb09H5/VcdTAwMDQ6L8UnnV+NWVifJZTXUjFcdTAwMTFPvMTp/PiqY41cdTAwMTnE8rEo4EPk5MFcdTAwMTOpWZJcXJ9sPrY0k0tcdTAwMTZGliVhKJROmlx1MDAwNlx1MDAxNuPsQ1x1MDAxZS+jhVx1MDAxOZpcdTAwMDJqaMUgbFx1MDAxNIRizMVM2XbKqMnQSixDxWzXrbctq9uYlqCTsVx1MDAwNF3JsOZfZ2f1YrtGUnl0joBcdTAwMTLGrParXHUwMDEz9COnz65xUZ+Jxt3BgTZcdTAwMWKVUnXjdStZhs0tz1x1MDAxZZX975iEKC4uXHUwMDFh/v3Pn5lX51Xi+jx+8YZcdTAwMThMXHUwMDA2n1NcYol6SM2CY7aDXHKv2bRcdTAwMDOYi+/hOFJeITD9YFx1MDAxZLTKdmuj5yy3XHUwMDEynYnp1dN2pWlqXHUwMDBmXHUwMDA2prHcXHRnXHUwMDBmXHUwMDE5nFwirpFiiFx1MDAxMMVwxC9DXGaYrThSXHUwMDA2oOwlRU5rcSh6IbQ9dctMXHUwMDAxXHUwMDA1hI+fXHUwMDFiNVKWc+N1p4qaslVvXG6yJKk0knWKXGZnv92I3kfNR4n+X4Zvc3qyQ1x1MDAxMLBcdTAwMTamcWY5MVx1MDAxOW/gdLhcdTAwMDOEsLneXHUwMDEzTrRBXHUwMDFj8YXYSLFcdTAwMDdcdTAwMTRcdTAwMDL8fq7km9WqXX5cdTAwMDe85CWWMEpVxlx1MDAwZmE5pGVyPeQk0lwicLTgg1wiI6Fccsq0oFx1MDAwNCOMqExTXHUwMDE4LKRBsVRcdTAwMTBcdTAwMTNcdTAwMTEuOcvYXHUwMDE3IImBqaKCqXDzXHUwMDA3mi3UWV1ccuJcbnC9tTChITh8L6g1zdqYQ8dcdTAwMTdcdTAwMDZwXG7gREy/IaHZwbTq0Z2z1s5Wa91Zr+/f7lx1MDAxNetcdTAwMWaR0GCI76lcIohy8Onwn8XvxsyQVMM5gFx1MDAxNkWUUvlyd2NcdTAwMTBcdTAwMTVcdTAwMWV5TlxyXHUwMDBlaFx1MDAwMqNOhVx1MDAxMGCiX+pOIYNcdTAwMDBPolx1MDAwMDxcdTAwMDVcdTAwMTOGebI7eFaoLeHGXHUwMDExqoWOkbHFqdTChCmPXGZcbpaDXGLMMJFIS1x1MDAxMVXDz0mZpmJ0k7fuJlx1MDAwNZRKXHUwMDBigbiEVeZcdTAwMWOWLCVcdTAwMWahyVx1MDAwNYgv6PvheNlonIbjIWrA2MA3sDDboJM77WHtXGZBIVxc0pQyXHUwMDAyepbhQXR4XHRcdTAwMWOYaKWIim2v/XB16yvwXHUwMDE5s1x1MDAxNKNqXHUwMDAxXHUwMDE4olwiXXxcdTAwMWVO8VjfIDBRXHUwMDAwQTmXb3hcdTAwMTXz/cxcdTAwMDVLpu20gadZuVxyz3Wtclx1MDAwMFL/dG+soGtZbq7utUGGd0BcdTAwMGZf4GOj9DBrVLkxg1pcdTAwMGVhnJyAnERcdTAwMThHv1kjK8tFM/LdNLZz+F0j+u03i24vTFx1MDAwMinhnGuZWa5Cxdj8Nlx1MDAwMYqPXHUwMDEw53SuLyqYlILmXHUwMDFhxepcdTAwMTdXlnhcIjR+PUUvU7FcdTAwMDSVo3Gy9XrsaPJ+kVx1MDAxOPnAXHUwMDA24pSBdVx1MDAwNl6pXHUwMDE0ljjNPVhyXHUwMDAzXHSZjXpMxZUmv0mLcyWQVynNKKHAXHUwMDA2pETx2X3mcizxck1INpPAb8SVJldfTTKXVGPgOoiDM4U1i399wmMxYPiiUElJwFMrnvGNL4xcdTAwMWFMXHUwMDAxXHUwMDFi1kA0w99Z2/AxgnBcdTAwMWL8NSw3RCMoVmXyaWhcdTAwMTOGdmdhQ1x1MDAwYlx1MDAxMTNGXHUwMDEwNmXn1sbXXHUwMDE3KMGA+8Cdy2ZUc1fuLdXQjtfS8Ejp51tcdTAwMTjVyVx1MDAxYv9z8Vx1MDAxYz2GqFozXHUwMDE2hlwiUkomYlx1MDAwMfPrRZyTy4uTXHUwMDExJ1VCKFxyV0DIhVx1MDAwNVx1MDAxNVx1MDAxOWZ0xVbzy9NcdTAwMWGuma3WSVx1MDAwMDo6XHUwMDFj+dq9bXXXx3+vzpcnwUKLYlxy0Pjry6//XHUwMDAwVypQbCJ9 - Proxmox Hostnetwork.tjo.cloud VMOPNsense1x WAN1x LANingress.tjo.cloudNGINX1x LANkubernetes.tjo.cloudKubernetes Node1x LANExternal TrafficTailscale Connectionbetween hosts \ No newline at end of file + Proxmox Hostnetwork.tjo.cloud VMrouter1x WAN1x LANingress.tjo.cloudproxy1x LANkubernetes.tjo.cloudkubernetes node1x LANExternal TrafficTailscale Connectionbetween hosts \ No newline at end of file diff --git a/openwrt/etc/config/dhcp b/openwrt/etc/config/dhcp new file mode 100644 index 0000000..ae0055b --- /dev/null +++ b/openwrt/etc/config/dhcp @@ -0,0 +1,40 @@ +config dnsmasq + option domainneeded '1' + option boguspriv '1' + option filterwin2k '0' + option localise_queries '1' + option rebind_protection '1' + option rebind_localhost '1' + option expandhosts '1' + option nonegcache '0' + option cachesize '1000' + option authoritative '1' + option readethers '1' + option leasefile '/tmp/dhcp.leases' + option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto' + option nonwildcard '1' + option localservice '1' + option ednspacket_max '1232' + list interface 'lan' + +config dhcp 'lan' + option interface 'lan' + option start '1' + option limit '254' + option leasetime '24h' + option dhcpv4 'server' + option dhcpv6 'server' + option ra 'server' + option ra_slaac '1' + list ra_flags 'managed-config' + list ra_flags 'other-config' + +config dhcp 'wan' + option interface 'wan' + option ignore '1' + +config odhcpd 'odhcpd' + option maindhcp '0' + option leasefile '/tmp/hosts/odhcpd' + option leasetrigger '/usr/sbin/odhcpd-update' + option loglevel '4' diff --git a/openwrt/etc/config/firewall b/openwrt/etc/config/firewall new file mode 100644 index 0000000..4b63a51 --- /dev/null +++ b/openwrt/etc/config/firewall @@ -0,0 +1,120 @@ +config defaults + option syn_flood '1' + option input 'REJECT' + option output 'ACCEPT' + option forward 'REJECT' + +config zone + option name 'lan' + option input 'ACCEPT' + option output 'ACCEPT' + option forward 'ACCEPT' + list network 'lan' + list network 'tailscale' + +config zone + option name 'wan' + list network 'wan' + list network 'wan6' + option input 'REJECT' + option output 'ACCEPT' + option forward 'REJECT' + option masq '1' + option mtu_fix '1' + +config forwarding + option src 'lan' + option dest 'wan' + +config rule + option name 'Allow-DHCP-Renew' + option src 'wan' + option proto 'udp' + option dest_port '68' + option target 'ACCEPT' + option family 'ipv4' + +config rule + option name 'Allow-Ping' + option src 'wan' + option proto 'icmp' + option icmp_type 'echo-request' + option family 'ipv4' + option target 'ACCEPT' + +config rule + option name 'Allow-IGMP' + option src 'wan' + option proto 'igmp' + option family 'ipv4' + option target 'ACCEPT' + +config rule + option name 'Allow-DHCPv6' + option src 'wan' + option proto 'udp' + option dest_port '546' + option family 'ipv6' + option target 'ACCEPT' + +config rule + option name 'Allow-MLD' + option src 'wan' + option proto 'icmp' + option src_ip 'fe80::/10' + list icmp_type '130/0' + list icmp_type '131/0' + list icmp_type '132/0' + list icmp_type '143/0' + option family 'ipv6' + option target 'ACCEPT' + +config rule + option name 'Allow-ICMPv6-Input' + option src 'wan' + option proto 'icmp' + list icmp_type 'echo-request' + list icmp_type 'echo-reply' + list icmp_type 'destination-unreachable' + list icmp_type 'packet-too-big' + list icmp_type 'time-exceeded' + list icmp_type 'bad-header' + list icmp_type 'unknown-header-type' + list icmp_type 'router-solicitation' + list icmp_type 'neighbour-solicitation' + list icmp_type 'router-advertisement' + list icmp_type 'neighbour-advertisement' + option limit '1000/sec' + option family 'ipv6' + option target 'ACCEPT' + +config rule + option name 'Allow-ICMPv6-Forward' + option src 'wan' + option dest '*' + option proto 'icmp' + list icmp_type 'echo-request' + list icmp_type 'echo-reply' + list icmp_type 'destination-unreachable' + list icmp_type 'packet-too-big' + list icmp_type 'time-exceeded' + list icmp_type 'bad-header' + list icmp_type 'unknown-header-type' + option limit '1000/sec' + option family 'ipv6' + option target 'ACCEPT' + +config rule + option name 'Allow-IPSec-ESP' + option src 'wan' + option dest 'lan' + option proto 'esp' + option target 'ACCEPT' + +config rule + option name 'Allow-ISAKMP' + option src 'wan' + option dest 'lan' + option dest_port '500' + option proto 'udp' + option target 'ACCEPT' diff --git a/openwrt/etc/config/network b/openwrt/etc/config/network new file mode 100644 index 0000000..55fa3ea --- /dev/null +++ b/openwrt/etc/config/network @@ -0,0 +1,35 @@ +config interface 'loopback' + option device 'lo' + option proto 'static' + option ipaddr '127.0.0.1' + option netmask '255.0.0.0' + +config device + option name 'br-lan' + option type 'bridge' + list ports 'eth1' + +# LAN +config globals 'globals' + option ula_prefix '${IPV6_SUBNET}/52' + +config interface 'lan' + option device 'br-lan' + option proto 'static' + option ipaddr '${IPV4_SUBNET}' + option netmask '255.255.240.0' + option ip6assign '64' + +# WAN +config interface 'wan' + option device 'eth0' + option proto 'dhcp' + +config interface 'wan6' + option device 'eth0' + option proto 'dhcpv6' + +# TAILSCALE +config interface 'tailscale' + option proto 'none' + option device 'tailscale0' diff --git a/terraform/node.tf b/terraform/node.tf index 24ed926..98e094a 100644 --- a/terraform/node.tf +++ b/terraform/node.tf @@ -42,7 +42,7 @@ resource "proxmox_virtual_environment_file" "iso" { node_name = each.value.host source_file { - path = "${path.module}/../iso/OPNsense-24.7-dvd-amd64.iso" + path = "${path.module}/../iso/openwrt-23.05.5-x86-64-generic-ext4-combined-efi.img" } } @@ -53,7 +53,7 @@ resource "proxmox_virtual_environment_vm" "nodes" { name = "${each.value.host}.${each.value.domain}" node_name = each.value.host - description = "OPNsense instance for ${each.value.host}." + description = "OpenWRT instance for ${each.value.host}." tags = [each.value.domain] stop_on_destroy = true @@ -85,7 +85,7 @@ resource "proxmox_virtual_environment_vm" "nodes" { } network_device { - bridge = "vmbr0" + bridge = proxmox_virtual_environment_network_linux_bridge.vmbr0[each.key].name mac_address = each.value.wan_mac_address } @@ -95,21 +95,12 @@ resource "proxmox_virtual_environment_vm" "nodes" { } scsi_hardware = "virtio-scsi-single" - - dynamic "cdrom" { - for_each = each.value.iso_enabled ? [1] : [] - content { - file_id = proxmox_virtual_environment_file.iso[each.key].id - interface = "ide0" - } - } - disk { + file_id = proxmox_virtual_environment_file.iso[each.key].id interface = "scsi0" datastore_id = each.value.boot_storage - size = 16 + size = 8 backup = true - cache = "none" iothread = true file_format = "raw" } diff --git a/terraform/terraform.tfvars b/terraform/terraform.tfvars index bd1ab56..8320481 100644 --- a/terraform/terraform.tfvars +++ b/terraform/terraform.tfvars @@ -7,8 +7,6 @@ nodes = { bridge_ports = ["enp1s0", "enp2s0"] gateway = "192.168.1.1" address = "192.168.1.161/24" - - iso_enabled = false } jakku = { host = "jakku" @@ -18,8 +16,6 @@ nodes = { bridge_ports = ["enp1s0", "enp2s0"] gateway = "192.168.1.1" address = "192.168.1.187/24" - - iso_enabled = false } nevaroo = { host = "nevaroo" @@ -30,7 +26,5 @@ nodes = { bridge_ports = ["eno1"] gateway = "178.63.49.193" address = "178.63.49.225/26" - - iso_enabled = false } } diff --git a/terraform/variables.tf b/terraform/variables.tf index 550dc92..ebdcd3a 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -12,8 +12,6 @@ variable "nodes" { iso_storage = string boot_storage = string - - iso_enabled = bool })) }