feat: switch to openwrt

README.md

@@ -41,16 +41,20 @@ __network.tjo.cloud__ establishes Tailscale VPN connection between other network
 
 ### 2. Manually configure vmbr0 and use import to import it.
 
-### 3. Deploy terraform and manually install OPNsense via console.
+### 3. Deploy terraform.
 
 ### 4. Manually configure Tailscale.
-Ref: https://tailscale.com/kb/1097/install-opnsense
+Ref: https://github.com/adyanth/openwrt-tailscale-enabler
 
 ```
-opnsense-code ports
+tailscale up --accept-routes --advertise-routes=$IPV4_SUBNET,$IPV6_SUBNET --accept-dns=false --ssh
-cd /usr/ports/security/tailscale
-make install
-tailscale up --accept-routes --advertise-routes=$(ipv4_subnet),$(ipv6_subnet) --accept-dns=false
 ```
 
 ### 5. Configure `NAT`, `DHCP`.
+
+
+# TODO
+
+## IPv6 Connectivity.
+
+As we assign private ipv6 addresses, we would have to ise ipv6 nat to translate those to real ipv6 addresses.

openwrt/etc/config/dhcp

@@ -0,0 +1,40 @@
+config dnsmasq
+	option domainneeded '1'
+	option boguspriv '1'
+	option filterwin2k '0'
+	option localise_queries '1'
+	option rebind_protection '1'
+	option rebind_localhost '1'
+	option expandhosts '1'
+	option nonegcache '0'
+	option cachesize '1000'
+	option authoritative '1'
+	option readethers '1'
+	option leasefile '/tmp/dhcp.leases'
+	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
+	option nonwildcard '1'
+	option localservice '1'
+	option ednspacket_max '1232'
+  list interface 'lan'
+
+config dhcp 'lan'
+	option interface 'lan'
+	option start '1'
+	option limit '254'
+	option leasetime '24h'
+	option dhcpv4 'server'
+	option dhcpv6 'server'
+	option ra 'server'
+	option ra_slaac '1'
+	list ra_flags 'managed-config'
+	list ra_flags 'other-config'
+
+config dhcp 'wan'
+	option interface 'wan'
+	option ignore '1'
+
+config odhcpd 'odhcpd'
+	option maindhcp '0'
+	option leasefile '/tmp/hosts/odhcpd'
+	option leasetrigger '/usr/sbin/odhcpd-update'
+	option loglevel '4'

openwrt/etc/config/firewall

@@ -0,0 +1,120 @@
+config defaults
+	option syn_flood '1'
+	option input 'REJECT'
+	option output 'ACCEPT'
+	option forward 'REJECT'
+
+config zone
+	option name 'lan'
+	option input 'ACCEPT'
+	option output 'ACCEPT'
+	option forward 'ACCEPT'
+	list network 'lan'
+	list network 'tailscale'
+
+config zone
+	option name 'wan'
+	list network 'wan'
+	list network 'wan6'
+	option input 'REJECT'
+	option output 'ACCEPT'
+	option forward 'REJECT'
+	option masq '1'
+	option mtu_fix '1'
+
+config forwarding
+	option src 'lan'
+	option dest 'wan'
+
+config rule
+	option name 'Allow-DHCP-Renew'
+	option src 'wan'
+	option proto 'udp'
+	option dest_port '68'
+	option target 'ACCEPT'
+	option family 'ipv4'
+
+config rule
+	option name 'Allow-Ping'
+	option src 'wan'
+	option proto 'icmp'
+	option icmp_type 'echo-request'
+	option family 'ipv4'
+	option target 'ACCEPT'
+
+config rule
+	option name 'Allow-IGMP'
+	option src 'wan'
+	option proto 'igmp'
+	option family 'ipv4'
+	option target 'ACCEPT'
+
+config rule
+	option name 'Allow-DHCPv6'
+	option src 'wan'
+	option proto 'udp'
+	option dest_port '546'
+	option family 'ipv6'
+	option target 'ACCEPT'
+
+config rule
+	option name 'Allow-MLD'
+	option src 'wan'
+	option proto 'icmp'
+	option src_ip 'fe80::/10'
+	list icmp_type '130/0'
+	list icmp_type '131/0'
+	list icmp_type '132/0'
+	list icmp_type '143/0'
+	option family 'ipv6'
+	option target 'ACCEPT'
+
+config rule
+	option name 'Allow-ICMPv6-Input'
+	option src 'wan'
+	option proto 'icmp'
+	list icmp_type 'echo-request'
+	list icmp_type 'echo-reply'
+	list icmp_type 'destination-unreachable'
+	list icmp_type 'packet-too-big'
+	list icmp_type 'time-exceeded'
+	list icmp_type 'bad-header'
+	list icmp_type 'unknown-header-type'
+	list icmp_type 'router-solicitation'
+	list icmp_type 'neighbour-solicitation'
+	list icmp_type 'router-advertisement'
+	list icmp_type 'neighbour-advertisement'
+	option limit '1000/sec'
+	option family 'ipv6'
+	option target 'ACCEPT'
+
+config rule
+	option name 'Allow-ICMPv6-Forward'
+	option src 'wan'
+	option dest '*'
+	option proto 'icmp'
+	list icmp_type 'echo-request'
+	list icmp_type 'echo-reply'
+	list icmp_type 'destination-unreachable'
+	list icmp_type 'packet-too-big'
+	list icmp_type 'time-exceeded'
+	list icmp_type 'bad-header'
+	list icmp_type 'unknown-header-type'
+	option limit '1000/sec'
+	option family 'ipv6'
+	option target 'ACCEPT'
+
+config rule
+	option name 'Allow-IPSec-ESP'
+	option src 'wan'
+	option dest 'lan'
+	option proto 'esp'
+	option target 'ACCEPT'
+
+config rule
+	option name 'Allow-ISAKMP'
+	option src 'wan'
+	option dest 'lan'
+	option dest_port '500'
+	option proto 'udp'
+	option target 'ACCEPT'

openwrt/etc/config/network

@@ -0,0 +1,35 @@
+config interface 'loopback'
+	option device 'lo'
+	option proto 'static'
+	option ipaddr '127.0.0.1'
+	option netmask '255.0.0.0'
+
+config device
+	option name 'br-lan'
+	option type 'bridge'
+	list ports 'eth1'
+
+# LAN
+config globals 'globals'
+	option ula_prefix '${IPV6_SUBNET}/52'
+
+config interface 'lan'
+	option device 'br-lan'
+	option proto 'static'
+	option ipaddr '${IPV4_SUBNET}'
+	option netmask '255.255.240.0'
+	option ip6assign '64'
+
+# WAN
+config interface 'wan'
+	option device 'eth0'
+	option proto 'dhcp'
+
+config interface 'wan6'
+	option device 'eth0'
+	option proto 'dhcpv6'
+
+# TAILSCALE
+config interface 'tailscale'
+	option proto 'none'
+	option device 'tailscale0'

terraform/node.tf

@@ -42,7 +42,7 @@ resource "proxmox_virtual_environment_file" "iso" {
   node_name    = each.value.host
 
   source_file {
-    path = "${path.module}/../iso/OPNsense-24.7-dvd-amd64.iso"
+    path = "${path.module}/../iso/openwrt-23.05.5-x86-64-generic-ext4-combined-efi.img"
   }
 }
 
@@ -53,7 +53,7 @@ resource "proxmox_virtual_environment_vm" "nodes" {
   name      = "${each.value.host}.${each.value.domain}"
   node_name = each.value.host
 
-  description = "OPNsense instance for ${each.value.host}."
+  description = "OpenWRT instance for ${each.value.host}."
   tags        = [each.value.domain]
 
   stop_on_destroy     = true
@@ -85,7 +85,7 @@ resource "proxmox_virtual_environment_vm" "nodes" {
   }
 
   network_device {
-    bridge      = "vmbr0"
+    bridge      = proxmox_virtual_environment_network_linux_bridge.vmbr0[each.key].name
     mac_address = each.value.wan_mac_address
   }
 
@@ -95,21 +95,12 @@ resource "proxmox_virtual_environment_vm" "nodes" {
   }
 
   scsi_hardware = "virtio-scsi-single"
-
-  dynamic "cdrom" {
-    for_each = each.value.iso_enabled ? [1] : []
-    content {
-      file_id   = proxmox_virtual_environment_file.iso[each.key].id
-      interface = "ide0"
-    }
-  }
-
   disk {
+    file_id      = proxmox_virtual_environment_file.iso[each.key].id
     interface    = "scsi0"
     datastore_id = each.value.boot_storage
-    size         = 16
+    size         = 8
     backup       = true
-    cache        = "none"
     iothread     = true
     file_format  = "raw"
   }

terraform/terraform.tfvars

@@ -7,8 +7,6 @@ nodes = {
     bridge_ports = ["enp1s0", "enp2s0"]
     gateway = "192.168.1.1"
     address = "192.168.1.161/24"
-
-    iso_enabled = false
   }
   jakku = {
     host      = "jakku"
@@ -18,8 +16,6 @@ nodes = {
     bridge_ports = ["enp1s0", "enp2s0"]
     gateway = "192.168.1.1"
     address = "192.168.1.187/24"
-
-    iso_enabled = false
   }
   nevaroo = {
     host      = "nevaroo"
@@ -30,7 +26,5 @@ nodes = {
     bridge_ports = ["eno1"]
     gateway = "178.63.49.193"
     address = "178.63.49.225/26"
-
-    iso_enabled = false
   }
 }

terraform/variables.tf

@@ -12,8 +12,6 @@ variable "nodes" {
 
     iso_storage  = string
     boot_storage = string
-
-    iso_enabled = bool
   }))
 }