tjo-cloud/network
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Networking
12 commits 1 branch 0 tags 119 KiB
HCL 80.6%
Just 19.4%
Find a file
Tine 30d762f151
docs: tailscale acl example
2024-11-03 23:06:34 +01:00
docs feat: switch to openwrt 2024-11-03 18:43:15 +01:00
openwrt/etc/config feat: openwrt config 2024-11-03 22:33:24 +01:00
tailscale docs: tailscale acl example 2024-11-03 23:06:34 +01:00
terraform feat: switch to openwrt 2024-11-03 18:43:15 +01:00
.envrc feat: initial deployment 2024-11-02 19:53:21 +01:00
.gitignore feat: initial deployment 2024-11-02 19:53:21 +01:00
devbox.json feat: initial deployment 2024-11-02 19:53:21 +01:00
devbox.lock feat: initial deployment 2024-11-02 19:53:21 +01:00
justfile docs: tailscale acl example 2024-11-03 23:06:34 +01:00
LICENSE Initial commit 2024-11-02 14:27:31 +00:00
README.md docs: tailscale acl example 2024-11-03 23:06:34 +01:00

README.md

network.tjo.cloud

Handling networking between nodes and between virtual machines.

Architecture

WAN interface either represents an actual public interface (on Hetzner) or an interface in home LAN that has port-forwarded ports to it from home router.

LAN interface is an ordinary lan network.

ingress.tjo.cloud has port-forwarded all public ports to it (22, 25, 80, 443, 587 etc.). No other VM is accessible from the internet.

network.tjo.cloud establishes Tailscale VPN connection between other network.tjo.cloud VMs. Using subnet routing it makes it possible that each VM can connect to all other VMs on any Proxmox host.

Subnets

Host IPv4 IPv6
reserved 10.0.0.0/20 fd9b:5314:0:0000::/52
batuu 10.0.16.0/20 fd9b:5314:0:1000::/52
jakku 10.0.32.0/20 fd9b:5314:0:2000::/52
nevaroo 10.0.48.0/20 fd9b:5314:0:3000::/52
10.0.64.0/20 fd9b:5314:0:4000::/52
10.0.80.0/20 fd9b:5314:0:5000::/52
10.0.96.0/20 fd9b:5314:0:6000::/52
10.0.112.0/20 fd9b:5314:0:7000::/52
10.0.128.0/20 fd9b:5314:0:8000::/52
10.0.144.0/20 fd9b:5314:0:9000::/52
10.0.160.0/20 fd9b:5314:0:a000::/52
10.0.176.0/20 fd9b:5314:0:b000::/52
10.0.192.0/20 fd9b:5314:0:c000::/52
10.0.208.0/20 fd9b:5314:0:d000::/52
10.0.224.0/20 fd9b:5314:0:e000::/52
10.0.240.0/20 fd9b:5314:0:f000::/52

Setting up new Host

1. Add new device to terraform.tfvars.

2. Manually configure vmbr0 and use import to import it.

3. Deploy terraform.

4. Set Password (see bitwarden)

5. Setup Tailscale.

Ref: https://github.com/adyanth/openwrt-tailscale-enabler

opkg update
opkg install ca-bundle kmod-tun iptables-nft kmod-ipt-conntrack kmod-ipt-conntrack-extra kmod-ipt-conntrack-label kmod-ipt-nat kmod-nft-nat
/etc/init.d/tailscale start
/etc/init.d/tailscale enable
tailscale up --accept-routes --advertise-routes=$IPV4_SUBNET,$IPV6_SUBNET --accept-dns=false --ssh

6. Configure.

Once tailscale is up and manually configured (see the config files for guide). We can use automated way of maintaining config.

just deploy-config batuu 10.0.16.1 fd9b:5314:0:1000::
just deploy-config jakku 10.0.32.1 fd9b:5314:0:2000::
just deploy-config nevaroo 10.0.48.1 fd9b:5314:0:3000::

TODO

Use gitops for tailscale ACL.

Current version is an snapshot in time, more as an example then actual version used.

IPv6 Connectivity.

As we assign private ipv6 addresses, we would have to ise ipv6 nat to translate those to real ipv6 addresses.