diff --git a/salt-pillar/top.sls b/salt-pillar/top.sls
index d6d4288..1dd363a 100644
--- a/salt-pillar/top.sls
+++ b/salt-pillar/top.sls
@@ -5,6 +5,9 @@ base:
- vlans
'*gw':
- dhcp
+ 'anon1':
+ - vpn.anon1
+ - upstream.anon1
'upstream1':
- upstream.upstream1
'server1':
diff --git a/salt-pillar/upstream/anon1.sls b/salt-pillar/upstream/anon1.sls
new file mode 100644
index 000000000..840ca2c
--- /dev/null
+++ b/salt-pillar/upstream/anon1.sls
@@ -0,0 +1,2 @@
+upstream:
+ interface: ipredator
diff --git a/salt-pillar/upstream/upstream1.sls b/salt-pillar/upstream/upstream1.sls
index 99fdb3e..7b370d6 100644
--- a/salt-pillar/upstream/upstream1.sls
+++ b/salt-pillar/upstream/upstream1.sls
@@ -1,2 +1,2 @@
upstream:
- dhcp_interface: up1
+ interface: up1
diff --git a/salt-pillar/vpn/anon1.sls b/salt-pillar/vpn/anon1.sls
new file mode 100644
index 000000000..d5951dd
--- /dev/null
+++ b/salt-pillar/vpn/anon1.sls
@@ -0,0 +1,84 @@
+#!yaml|gpg
+
+openvpn:
+ ipredator:
+ server: ipv6.openvpn.ipredator.se
+ user: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQEMA2PKcvDMvlKLAQf9H1XFAYkM7XFoStSeqeDk9b6cG3kqqN9wXEprDg5lkXc8
+ yhL7tF79HzzY18MQ5Cn24LRkoZtwsJkJNOaDdySpiEh34SP0m64Tuwj8gPrFGpSK
+ phox6e4/vpWw0BnM1hJaaQxd86qng9Ptv3U1afz98kcU0kxAKcrQZN77sTMrTF8K
+ Kw/6rnPPKF72PqspLcL/Sxl49MaEg8aJMO+TT26IiML4cu7N+ZEykgsfmpaoVhIG
+ r2xO1FBAPGjyh71G7HJWcsrBTq+y4jRMapEbIrUOusULXcOffe+hqQcOGX09Uv1Q
+ 1B+ZkaNxwohhbrkpEqOhfL5U5JUNC9+vlSmOh5nWI9JEAcw4gMRgLjVFGgy5+txj
+ EkOPNYuXC/Z9HoMqKOOcGKRpgW2bvrwoJ4w+41S2RIVAKS9vbFTJ+Cbr7ID8ReJ4
+ mt82t1Q=
+ =7JHg
+ -----END PGP MESSAGE-----
+
+ password: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQEMA2PKcvDMvlKLAQf+I2T0gFEzr26FxlYA8BefrAz0pNV4ReVMCU2TasW5NIaZ
+ GnOUPTDeP97M4fNfsWPIzZcyTNby83BZIY8fH7bqtC5pfhaTA0GHfJywuBVJF87b
+ ixiOICCd/e3r1mahqgcUWRd8NT1FbzmpVbI42AKphA8gpN6hOZds9JUx44ZE5YxJ
+ wg9u2koEAriaIVzUpg+BXTQr2So17H8fm/FzUgMVUWohDAmYmTxqShnrLANBqebE
+ 8glYJFOhV+Iasu2AoOT3FkZLDvW2STaOZisqMNx0tlQQG0px1zv63GTF7JZAac+l
+ toUzTvpdZpVTrW1y+VwNKntrouXBWvcFnvOtrY34m9JGAT78YEZ6QUSIKF1z5sf6
+ rI2I1ngv8fZZgO6hJhQFemxqzbLtUp2r1+GOzBhuKb/ilB0j0l/vd1P5sbvx7Bp3
+ c3bTeN+KJw==
+ =aZ9Y
+ -----END PGP MESSAGE-----
+
+ ca: |
+ -----BEGIN CERTIFICATE-----
+ MIIFJzCCBA+gAwIBAgIJAKee4ZMMpvhzMA0GCSqGSIb3DQEBBQUAMIG9MQswCQYD
+ VQQGEwJTRTESMBAGA1UECBMJQnJ5Z2dsYW5kMQ8wDQYDVQQHEwZPZWxkYWwxJDAi
+ BgNVBAoTG1JveWFsIFN3ZWRpc2ggQmVlciBTcXVhZHJvbjESMBAGA1UECxMJSW50
+ ZXJuZXR6MScwJQYDVQQDEx5Sb3lhbCBTd2VkaXNoIEJlZXIgU3F1YWRyb24gQ0Ex
+ JjAkBgkqhkiG9w0BCQEWF2hvc3RtYXN0ZXJAaXByZWRhdG9yLnNlMB4XDTEyMDgw
+ NDIxMTAyNVoXDTIyMDgwMjIxMTAyNVowgb0xCzAJBgNVBAYTAlNFMRIwEAYDVQQI
+ EwlCcnlnZ2xhbmQxDzANBgNVBAcTBk9lbGRhbDEkMCIGA1UEChMbUm95YWwgU3dl
+ ZGlzaCBCZWVyIFNxdWFkcm9uMRIwEAYDVQQLEwlJbnRlcm5ldHoxJzAlBgNVBAMT
+ HlJveWFsIFN3ZWRpc2ggQmVlciBTcXVhZHJvbiBDQTEmMCQGCSqGSIb3DQEJARYX
+ aG9zdG1hc3RlckBpcHJlZGF0b3Iuc2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ ggEKAoIBAQCp5M22fZtwtIh6Mu9IwC3N2tEFqyNTEP1YyXasjf+7VNISqSpFy+tf
+ DsHAkiE9Wbv8KFM9bOoVK1JjdDsetxArm/RNsUWm/SNyVbmY+5ezX/n95S7gQdMi
+ bA74/ID2+KsCXUY+HNNUQqFpyK67S09A6r0ZwPNUDbLgGnmCZRMDBPCHCbiK6e68
+ d75v6f/0nY4AyAAAyqwAELIAn6sy4rzoPbalxcO33eW0fUG/ir41qqo8BQrWKyEd
+ Q9gy8tGEqbLQ+B30bhIvBh10YtWq6fgFZJzWP6K8bBJGRvioFOyQHCaVH98UjwOm
+ /AqMTg7LwNrpRJGcKLHzUf3gNSHQGHfzAgMBAAGjggEmMIIBIjAdBgNVHQ4EFgQU
+ pRqJxaYdvv3XGEECUqj7DJJ8ptswgfIGA1UdIwSB6jCB54AUpRqJxaYdvv3XGEEC
+ Uqj7DJJ8ptuhgcOkgcAwgb0xCzAJBgNVBAYTAlNFMRIwEAYDVQQIEwlCcnlnZ2xh
+ bmQxDzANBgNVBAcTBk9lbGRhbDEkMCIGA1UEChMbUm95YWwgU3dlZGlzaCBCZWVy
+ IFNxdWFkcm9uMRIwEAYDVQQLEwlJbnRlcm5ldHoxJzAlBgNVBAMTHlJveWFsIFN3
+ ZWRpc2ggQmVlciBTcXVhZHJvbiBDQTEmMCQGCSqGSIb3DQEJARYXaG9zdG1hc3Rl
+ ckBpcHJlZGF0b3Iuc2WCCQCnnuGTDKb4czAMBgNVHRMEBTADAQH/MA0GCSqGSIb3
+ DQEBBQUAA4IBAQB8nxZJaTvMMoSG47jD2w31zt9o6nSx8XJKop/0rMMHKBe1QBUw
+ /n3clGwYxBW8mTnrXHhmJkwJzA0Vh525+dkF28E0I+DSigKUXEewIZtKjADYSxaG
+ M+4272enbJ86JeXUhN8oF9TT+LKgMBgtt9yX5o63Ek6QOKwovH5kemDOVJmwae9p
+ tXQEWfCPDFMc7VfSxS4BDBVinRWeMWZs+2AWeWu2CMsjcx7+B+kPbBCzfANanFDD
+ CZEQON4pEpfK2XErhOudKEJGCl7psH+9Ex//pqsUS43nVN/4sqydiwbi+wQuUI3P
+ BYtvqPnWdjIdf2ayAQQCWliAx9+P03vbef6y
+ -----END CERTIFICATE-----
+ key: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQEMA2PKcvDMvlKLAQf/T4DHs16NJK69W91IS2CJWDZER8TJCeG56ArKucz+2A7I
+ hB6OFkf0bKINXRGSBuFYcPcTOUpQ1NrV9osCPTwChaHx7vk3S+q4tlT+CiHUygCk
+ nisAckkAQSSSZlSkm+zhw59afiAu3Rn0x3gffjE1W6GBnIFwkzEnmViWHO3beYqV
+ 2sOJ9BlFTo/aJS87MoEDk58xycPinFkLUciyozToUN/TDcU+OYVOXMLmIr41nG9+
+ GT1OlYALROo1sHpFP2KkwdpmqE2etc2lk3kDlVBiHMcQzLXcm3MO9N63Cec0cJEj
+ zzj4G8DWVsl1vU2n2l6dEiBCVQ5VqCC519mCHN//UdLA7AFEksPep/gm7ro3mbBG
+ SM3vuumroynP7QmKWTZeLuU+R6GLc1rdjicI2AQ5cNrIPfayzGirE7nnTRUfRHSX
+ 5nKsxJnM7M75ZOZVGWI986dQJ1pHNDqHkOIGL8QbRcrQmguZxAPgYaYbbqd9L8Yl
+ oHSVm2j5SKYW5Sgj6q7mlM5asZ0bbwAEL/NghwDNIV0fXQlS9ZZRzXsRxKP/PS/g
+ HPX41MsIPPHBoHB7Uwmpk7efjubcmvk26n/sW6UdhT4EjNNmk5lBtanqs6NpqZDb
+ fOSEnkIkgt9i3bwyHv1aTNf5ir4AWz/cQ7FuqJjUE6viNxap9DbY60dJgAoTtJ9v
+ p2nmzfGJiqi4PKYf9qrk2SlCkudb00a6b7aNZr+J7WbZyFD1Slo/tGOvFKbf2VzS
+ 2KXoXTDykRDVoq5BAAcm9tWTf11ZuDDxaOb24RP10CcD6BXdgdQ50bB91VnjitDC
+ YNwQWtFEvn3XuYB+Lq074zFW+gaCCEhviCMfP5u4BO5/NVJsVTCBFyOXIX0l+xwy
+ Rtyed/RP7AhmyFL9Ia2zdWbBjUR9eSkC7lyQXQG7
+ =vxru
+ -----END PGP MESSAGE-----
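Review bot: The `key` entry holds the static tls-auth key that salt/vpn/openvpn.conf emits after `tls-auth [inline]`, but nothing in the pillar says so, and `key` is easily misread as a client private key; a one-line comment above it, `# static tls-auth key (OpenVPN --tls-auth), not a client private key`, removes that ambiguity. The `ca` block is deliberately left in the clear while the other three values are gpg-armored, which is fine for a public CA certificate but deserves a comment so a later reader does not "fix" it. The certificate's DER validity field decodes to 2012-08-04 through 2022-08-02, so noting the expiry next to `ca:` keeps renewal visible. Because the file is rendered with `#!yaml|gpg`, decryption happens on the master and, per salt-pillar/top.sls, the plaintext is only targeted at `anon1`.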
diff --git a/salt/dhcp/default b/salt/dhcp/default
new file mode 100644
index 000000000..2afae5d
--- /dev/null
+++ b/salt/dhcp/default
@@ -0,0 +1,9 @@
+{%- set ifaces = [] %}
+{%- for iface, ips in salt['grains.get']('ip_interfaces').items() %}
+{%- if iface not in ['core', 'lo'] %}
+{%- set ifaces = ifaces.append(iface) %}
+{%- endif %}
+{%- endfor %}
+
+INTERFACESv4="{{ ' '.join(ifaces) }}"
+INTERFACESv6=""
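Review bot: `{%- set ifaces = ifaces.append(iface) %}` assigns the `None` that `list.append` returns; it only works because the inner `set` is loop-scoped and the outer list is mutated as a side effect, which reads like a bug to the next maintainer. Make the side effect explicit with `{%- set _ = ifaces.append(iface) %}` (Salt's Jinja renderer also accepts `{%- do ifaces.append(iface) %}`). The exclusion list is hard-coded to `core` and `lo`; if a host rendering this also carries the upstream pillar, its `pillar['upstream']['interface']` (and any OpenVPN tun device) ends up in `INTERFACESv4` and dhcpd binds to the outside-facing interface. Skipping `salt['pillar.get']('upstream:interface')` when it is set keeps the listener on internal interfaces only.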
diff --git a/salt/dhcp/init.sls b/salt/dhcp/init.sls
index 9706599..6b2b9ba 100644
--- a/salt/dhcp/init.sls
+++ b/salt/dhcp/init.sls
@@ -5,3 +5,23 @@ isc-dhcp-server:
file.managed:
- source: salt://dhcp/dhcpd.conf
- template: 'jinja'
+
+/etc/default/isc-dhcp-server:
+ file.managed:
+ - source: salt://dhcp/default
+ - template: 'jinja'
+
+autostart-dhcpd:
+ service.enabled:
+ - name: isc-dhcp-server
+ require_in:
+ - file: /etc/dhcp/dhcpd.conf
+ - file: /etc/default/isc-dhcp-server
+
+start-dhcpd:
+ service.running:
+ - name: isc-dhcp-server
+ require_in:
+ - file: /etc/dhcp/dhcpd.conf
+ - file: /etc/default/isc-dhcp-server
+
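Review bot: `require_in` in `autostart-dhcpd` and `start-dhcpd` is not a `- ` item of the `service.enabled`/`service.running` argument list, so Salt will either reject the SLS or treat `require_in` as a second state function on that ID; since the diff view has dropped leading whitespace I cannot tell which, but neither is intended. The direction is also inverted: `require_in` on the service makes the config files depend on the service, whereas the service should come up after the files exist and restart when they change. Replace it with `- watch:` / `  - file: /etc/dhcp/dhcpd.conf` / `  - file: /etc/default/isc-dhcp-server` under `service.running`, and a plain `- require:` on the same files under `service.enabled`. The same shape appears in `autostart-{{ name }}` and `start-{{ name }}` in salt/vpn/openvpn.sls.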
diff --git a/salt/lxc-containers-1/config b/salt/lxc-containers-1/config
index 86db470..5d6f593 100644
--- a/salt/lxc-containers-1/config
+++ b/salt/lxc-containers-1/config
@@ -34,4 +34,7 @@ lxc.network.ipv4.gateway={{ pillar['hosts-inet'][net][gw] }}
{%- endfor %}
## TODO: limits + caps
-## TODO: include Debian.common.conf
\ No newline at end of file
+## TODO: include Debian.common.conf
+
+# tuntap
+lxc.cgroup.devices.allow = c 10:200 rw
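Review bot: `lxc.cgroup.devices.allow = c 10:200 rw` is added to the shared container template, so every container rendered from it gains access to the tun/tap device node, not only the one that runs OpenVPN. Unless all containers need it, gate the line on a per-container switch, e.g. `{%- if tuntap %}` around it, with the value taken from the same pillar the template already reads for its network settings. The template begins before this hunk, so the exact variable available for that switch is not visible here; the matching `/dev/net/tun` mknod is in salt/lxc-containers-1/init.sls and would need the same gate.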
diff --git a/salt/lxc-containers-1/init.sls b/salt/lxc-containers-1/init.sls
index 99f1a70..78e040a 100644
--- a/salt/lxc-containers-1/init.sls
+++ b/salt/lxc-containers-1/init.sls
@@ -22,6 +22,19 @@ lxc:
- require:
- cmd: /var/lib/lxc/{{ id }}
+/var/lib/lxc/{{ id }}/rootfs/dev/net:
+ file.directory:
+ - mode: 0755
+
+/var/lib/lxc/{{ id }}/rootfs/dev/net/tun:
+ file.mknod:
+ - ntype: 'c'
+ - major: 10
+ - minor: 200
+ - mode: 0666
+ - require:
+ - file: /var/lib/lxc/{{ id }}/rootfs/dev/net
+
/var/lib/lxc/{{ id }}/rootfs/etc/hosts:
file.managed:
- source: salt://lxc-containers-1/hosts
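Review bot: `- mode: 0755` and `- mode: 0666` are unquoted, which a YAML 1.1 loader may read as octal integers (493 and 438) rather than the strings Salt's file states expect, while the rest of this change writes modes as `744` and `600`; quote them as `'0755'` and `'0666'` so the octal intent survives any loader and the file is consistent. The `file.mknod` state only has effect together with the `lxc.cgroup.devices.allow` line added in salt/lxc-containers-1/config; a short comment on the state naming that pairing, `# paired with the tuntap devices.allow entry in lxc-containers-1/config`, would stop one being removed without the other.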
diff --git a/salt/top.sls b/salt/top.sls
index b063684..9969880 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -20,3 +20,5 @@ base:
- no-ssh
- forwarding
- ospf
+ - vpn.openvpn
+ - upstream.masquerade
diff --git a/salt/upstream/dhcp.sls b/salt/upstream/dhcp.sls
index b0b9238..63e98af 100644
--- a/salt/upstream/dhcp.sls
+++ b/salt/upstream/dhcp.sls
@@ -1,29 +1,19 @@
-{%- set dhcp_iface = pillar['upstream']['dhcp_interface'] %}
-{{ dhcp_iface }}:
+{%- set interface = pillar['upstream']['interface'] %}
+{{ interface }}:
network.managed:
- enabled: True
type: eth
proto: dhcp
-iptables:
- pkg.installed: []
-
-/etc/network/if-pre-up.d/masquerade:
- file.managed:
- - source: salt://upstream/masquerade
- - template: 'jinja'
- - context:
- upstream_iface: {{ dhcp_iface }}
- - mode: 744
- - require:
- - pkg: iptables
+include:
+ - upstream.masquerade
/etc/network/if-pre-up.d/iptables:
file.managed:
- source: salt://upstream/iptables
- template: 'jinja'
- context:
- upstream_iface: {{ dhcp_iface }}
+ interface: {{ interface }}
- mode: 744
- require:
- pkg: iptables
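Review bot: `include:` is placed between two state declarations; it is still honoured because the SLS is one YAML mapping, but Salt convention puts `include:` as the first key of the file, which is also where a reader looks to learn that `pkg: iptables` (required on the next state) now comes from upstream.masquerade. Moving the two `include` lines to the top of the file, above the `{%- set interface … %}` line, would make that dependency visible at a glance.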
diff --git a/salt/upstream/iptables b/salt/upstream/iptables
index be963a1..500134c 100644
--- a/salt/upstream/iptables
+++ b/salt/upstream/iptables
@@ -1,6 +1,6 @@
#!/bin/sh
-if [ "$IFACE" = "{{ upstream_iface }}" ]; then
+if [ "$IFACE" = "{{ interface }}" ]; then
iptables -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i "$IFACE" -j DROP
iptables -P INPUT ACCEPT
diff --git a/salt/upstream/masquerade b/salt/upstream/masquerade
index ae43fec..5722ba9 100644
--- a/salt/upstream/masquerade
+++ b/salt/upstream/masquerade
@@ -1,5 +1,5 @@
#!/bin/sh
-if [ "$IFACE" = "{{ upstream_iface }}" ]; then
+if [ "$IFACE" = "{{ interface }}" ]; then
iptables -t nat -A POSTROUTING -o "$IFACE" -j MASQUERADE
fi
diff --git a/salt/upstream/masquerade.sls b/salt/upstream/masquerade.sls
new file mode 100644
index 000000000..c39322e
--- /dev/null
+++ b/salt/upstream/masquerade.sls
@@ -0,0 +1,14 @@
+{%- set interface = pillar['upstream']['interface'] %}
+
+iptables:
+ pkg.installed: []
+
+/etc/network/if-pre-up.d/masquerade:
+ file.managed:
+ - source: salt://upstream/masquerade
+ - template: 'jinja'
+ - context:
+ interface: {{ interface }}
+ - mode: 744
+ - require:
+ - pkg: iptables
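Review bot: The masquerade hook is installed under `/etc/network/if-pre-up.d/`, which ifupdown runs only for interfaces it brings up; the anon1 pillar sets `upstream.interface` to `ipredator`, a tun device created by OpenVPN, so if this state is applied on that host the `$IFACE` test never matches and no NAT rule is ever added. If the VPN host is meant to masquerade over the tunnel, the rule has to come from an OpenVPN `up` script (the template already sets `script-security 2`) or from an `iptables` state rather than the ifupdown hook. The hook still fits `upstream1`, where `up1` is ifupdown-managed. Whether salt/top.sls applies `upstream.masquerade` to anon1 is not visible in its hunk.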
diff --git a/salt/vpn/auth b/salt/vpn/auth
new file mode 100644
index 000000000..42ff524
--- /dev/null
+++ b/salt/vpn/auth
@@ -0,0 +1,3 @@
+{%- set conf = pillar['openvpn'][name] -%}
+{{ conf['user'] }}
+{{ conf['password'] }}
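Review bot: The template assumes each decrypted value is a single line: OpenVPN's `auth-user-pass` file takes the username on line 1 and the password on line 2, and the pillar values are `|` literal scalars, so if the gpg plaintext carries a trailing newline the rendered file gets a blank second line and an empty password. Use `{{ conf['user'] | trim }}` and `{{ conf['password'] | trim }}` so the layout does not depend on how the secrets were encrypted.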
diff --git a/salt/vpn/openvpn.conf b/salt/vpn/openvpn.conf
new file mode 100644
index 000000000..ed5c3ef
--- /dev/null
+++ b/salt/vpn/openvpn.conf
@@ -0,0 +1,51 @@
+{%- set conf = pillar['openvpn'][name] %}
+client
+dev {{ name }}
+dev-type tun
+tun-ipv6
+proto udp
+
+remote {{ conf['server'] }}
+resolv-retry infinite
+nobind
+
+user nobody
+group nogroup
+persist-key
+persist-tun
+
+log /var/log/openvpn-{{ name }}.log
+
+#ifconfig-noexec
+route 0.0.0.0 0.0.0.0
+#route-nopull
+#up /etc/openvpn/ipredator-up.sh
+script-security 2
+
+auth-user-pass /etc/openvpn/{{ name }}.auth
+auth-retry nointeract
+
+ca [inline]
+
+tls-client
+tls-auth [inline]
+ns-cert-type server
+
+keepalive 10 30
+cipher AES-256-CBC
+persist-key
+persist-tun
+comp-lzo
+
+
+passtos
+verb 0
+
+
+
+{{ conf['ca'] }}
+
+
+
+{{ conf['key'] }}
+
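Review bot: `{{ conf['ca'] }}` and `{{ conf['key'] }}` are emitted as bare PEM text at the end of the file, but OpenVPN reads inline material only between `<ca>`/`</ca>` and `<tls-auth>`/`</tls-auth>` tags; the pillar's `ca` value in salt-pillar/vpn/anon1.sls has no such tags, so its `-----BEGIN CERTIFICATE-----` line will be parsed as an unknown option. Put `<ca>` on the line before `{{ conf['ca'] }}` and `</ca>` after it, and `<tls-auth>`/`</tls-auth>` around `{{ conf['key'] }}`; the `key` plaintext is not visible here, so if it already carries its tags only the ca wrapper is missing. `persist-key` and `persist-tun` are listed twice (before `log` and after `cipher`); drop one pair. `ns-cert-type server` is the deprecated spelling of `remote-cert-tls server`, which current OpenVPN releases require.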
diff --git a/salt/vpn/openvpn.sls b/salt/vpn/openvpn.sls
new file mode 100644
index 000000000..e956acc
--- /dev/null
+++ b/salt/vpn/openvpn.sls
@@ -0,0 +1,47 @@
+openvpn:
+ pkg.installed: []
+
+{%- for name, conf in pillar['openvpn'].items() %}
+
+hostroutes-{{ name }}:
+ network.routes:
+ - name: core
+ - routes:
+{%- for a in salt.dnsutil.A(conf['server']) %}
+ - ipaddr: {{ a }}
+ netmask: 255.255.255.255
+ gateway: {{ pillar['hosts-inet']['core']['upstream1'] }}
+{%- endfor %}
+
+/etc/openvpn/{{ name }}.conf:
+ file.managed:
+ - source: salt://vpn/openvpn.conf
+ - template: 'jinja'
+ - context:
+ name: {{ name }}
+
+/etc/openvpn/{{ name }}.auth:
+ file.managed:
+ - source: salt://vpn/auth
+ - template: 'jinja'
+ - context:
+ name: {{ name }}
+ - mode: 600
+
+
+autostart-{{ name }}:
+ service.enabled:
+ - name: openvpn@{{ name }}
+ require_in:
+ - file: /etc/openvpn/{{ name }}.conf
+ - file: /etc/openvpn/{{ name }}.auth
+
+start-{{ name }}:
+ service.running:
+ - name: openvpn@{{ name }}
+ require_in:
+ - file: /etc/openvpn/{{ name }}.conf
+ - file: /etc/openvpn/{{ name }}.auth
+
+{%- endfor %}
+
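Review bot: `/etc/openvpn/{{ name }}.conf` is managed without a `- mode:` even though the template writes the decrypted tls-auth key (`{{ conf['key'] }}`) into it, so the key lands in a file created with the minion's default permissions while only the `.auth` file gets `600`; add `- mode: 600` to the `.conf` state as well. The `hostroutes-{{ name }}` list is a snapshot of `salt.dnsutil.A(conf['server'])` taken at render time on the minion, so the pinned routes silently go stale when the provider's A records change, and the name `ipv6.openvpn.ipredator.se` suggests AAAA records are in play but not routed; a comment such as `# render-time snapshot of the server's A records; IPv6 addresses are not pinned` would set expectations. The gateway `pillar['hosts-inet']['core']['upstream1']` hard-codes one upstream host into an otherwise generic loop, so a pillar key for the default gateway would keep the state reusable.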