fix: Fixes to the routing, dynamic interface name, fixed disappearing public key

blackandred · blackandred · commit 31edb0660fcc · 2022-08-03T21:56:07.000+02:00
diff --git a/README.md b/README.md
@@ -7,3 +7,4 @@ Purpose of this setup is to expose private subnets behind `Gateway node` to the
 - Access to private subnets behind gateway
 - Automatic client configuration generation
 - Optional support for TOR (allows to hide administrator identity of a hidden service)
+- Systemd support
diff --git a/tasks/client.single.yaml b/tasks/client.single.yaml
@@ -1,3 +1,15 @@
+## Retrieve gateway public key ###
+
+- name: Retrieve gateway key
+  shell: "/usr/local/bin/key-extractor /etc/tinc/{{ network_name }}/hosts/{{ gateway_name }}"
+  register: gateway_key_stdout
+
+- name: Set gateway key as fact
+  set_fact:
+      gateway_key: "{{ gateway_key_stdout.stdout }}"
+
+### Prepare directories ###
+
 - name: Create client temporary directory path
   set_fact:
       client_temp_path: "{{ local_clients_configs_path }}/{{ client.name }}/etc/tinc/{{ network_name }}"
@@ -12,17 +24,22 @@
       - "{{ client_temp_path }}/"
       - "{{ client_temp_path }}/hosts"
 
+### Create client configuration ###
+
 - name: Create tinc.conf
   template:
       src: client/etc/tinc/my-network/tinc.conf
       dest: "{{ client_temp_path }}/tinc.conf"
       mode: "u+rw,g+r,o"
 
-- name: Create tinc-up script
+- name: Create tinc scripts
   template:
-      src: client/etc/tinc/my-network/tinc-up
-      dest: "{{ client_temp_path }}/tinc-up"
+      src: "client/etc/tinc/my-network/{{ item }}"
+      dest: "{{ client_temp_path }}/{{ item }}"
       mode: "u+rwx,g+rx,o"
+  with_items:
+      - tinc-up
+      - tinc-down
 
 - name: Create a gateway host file
   template:
@@ -47,7 +64,13 @@
   set_fact:
       client_key: "{{ client_key_stdout.stdout }}"
 
-# Copy key to the gateway node
+### Generate the client config ###
+- name: Create client (self) host file
+  template:
+      src: client/etc/tinc/my-network/hosts/client
+      dest: "{{ client_temp_path }}/hosts/{{ client.name }}"
+
+### Copy key to the gateway node ###
 - name: Create client host file on gateway node
   template:
       src: server/etc/tinc/my-network/hosts/client-template
diff --git a/tasks/clients.yaml b/tasks/clients.yaml
@@ -2,4 +2,4 @@
   loop: "{{ clients }}"
   loop_control:
       loop_var: client
-  include: client.single.yaml
+  include_tasks: client.single.yaml
diff --git a/tasks/server.yaml b/tasks/server.yaml
@@ -18,6 +18,23 @@
       dest: "/etc/tinc/{{ network_name }}/tinc-up"
       mode: "u+rwx,g+rx,o"
 
+- set_fact:
+      gateway_key: ""
+
+- name: Check if gateway host file already exists - to extract public key from it
+  register: public_key_exists
+  stat:
+      path: "/etc/tinc/{{ network_name }}/hosts/{{ gateway_name }}"
+
+- name: Extract existing public key to not delete it
+  when: public_key_exists.stat.exists
+  block:
+      - name: Extract key
+        shell: "/usr/local/bin/key-extractor /etc/tinc/{{ network_name }}/hosts/{{ gateway_name }}"
+        register: gateway_key_stdout
+      - set_fact:
+            gateway_key: "{{ gateway_key_stdout.stdout }}"
+
 - name: Create a gateway host file
   template:
       src: server/etc/tinc/my-network/hosts/gateway
diff --git a/templates/client/etc/tinc/my-network/hosts/client b/templates/client/etc/tinc/my-network/hosts/client
@@ -1,4 +1,5 @@
-# VPN address
+# VPN address. Must be on both sides, without this line the nodes wont be able to ping each other
 Subnet = {{ client.ip }}/32
 
+# My public key, should be propagated to other VPN peers, including gateway
 {{ client_key }}
diff --git a/templates/client/etc/tinc/my-network/tinc-down b/templates/client/etc/tinc/my-network/tinc-down
@@ -1,4 +1,4 @@
 #!/bin/bash
 {% for subnet in subnets_to_expose %}
-ip -4 route del {{ subnet }} dev {{ dev_interface | default("tun0") }} || true
+ip -4 route del {{ subnet }} dev $INTERFACE || true
 {% endfor %}
diff --git a/templates/client/etc/tinc/my-network/tinc-up b/templates/client/etc/tinc/my-network/tinc-up
@@ -1,7 +1,7 @@
 #!/bin/sh
-ifconfig $INTERFACE hw ether {{ client.hw_ether }}
+ifconfig $INTERFACE hw ether {{ client.hw_ether }} || true
 ifconfig $INTERFACE {{ client.ip }} netmask {{ netmask | default("255.255.255.0") }} -arp
 
 {% for subnet in subnets_to_expose %}
-ip -4 route add {{ subnet }} dev {{ dev_interface | default("tun0") }}
+ip -4 route add {{ subnet }} dev $INTERFACE
 {% endfor %}
diff --git a/templates/server/etc/tinc/my-network/hosts/gateway b/templates/server/etc/tinc/my-network/hosts/gateway
@@ -5,3 +5,6 @@ Subnet = {{ gateway_ip }}/32
 {% for subnet in subnets_to_expose %}
 Subnet = {{ subnet }}
 {% endfor %}
+
+# Public key of the gateway
+{{ gateway_key }}
diff --git a/templates/server/etc/tinc/my-network/tinc-up b/templates/server/etc/tinc/my-network/tinc-up
@@ -1,3 +1,3 @@
 #!/bin/sh
-ifconfig $INTERFACE hw ether {{ gateway_hw_ether }}
+ifconfig $INTERFACE hw ether {{ gateway_hw_ether }} || true
 ifconfig $INTERFACE {{ gateway_ip }} netmask {{ gateway_mask }} -arp
