summaryrefslogtreecommitdiffstats
path: root/roles/common/templates/etc/network
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2016-05-20 01:19:27 +0200
committerGuilhem Moulin <guilhem@fripost.org>2016-05-22 17:53:52 +0200
commit3fafa03aeb3640a86d9cd8c639d085df6a8d085d (patch)
treeba1bc3707aa20e3a80c08b1dd2726524333b3d21 /roles/common/templates/etc/network
parent1bdc6a1202f9cabea5f907c4213f2a6f902443b6 (diff)
Set up IPSec tunnels between each pair of hosts.
We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore the subnet is nullrouted in the absence of xfrm lookup (i.e., when there is no matching IPSec Security Association) to avoid data leaks. Each host is associated with an IP in that subnet (thus only reachble within that subnet, either by the host itself or by its IPSec peers). The peers authenticate each other using RSA public key authentication. Kernel traps are used to ensure that connections are only established when traffic is detected between the peers; after 30m of inactivity (this value needs to be less than the rekeying period) the connection is brought down and a kernel trap is installed.
Diffstat (limited to 'roles/common/templates/etc/network')
-rwxr-xr-xroles/common/templates/etc/network/if-up.d/ipsec.j247
1 files changed, 47 insertions, 0 deletions
diff --git a/roles/common/templates/etc/network/if-up.d/ipsec.j2 b/roles/common/templates/etc/network/if-up.d/ipsec.j2
new file mode 100755
index 0000000..7dd41d4
--- /dev/null
+++ b/roles/common/templates/etc/network/if-up.d/ipsec.j2
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+# A post-up/down hook to automatically create/delete a virtual subnet
+# for IPSec (inet4 only).
+# Copyright © 2016 Guilhem Moulin <guilhem@fripost.org>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+set -ue
+PATH=/usr/sbin:/usr/bin:/sbin:/bin
+
+# Ignore the loopback interface and non inet4 families.
+[ "$IFACE" != lo -a "$ADDRFAM" = inet ] || exit 0
+
+# Only the device with the default, globally-scoped route, is of
+# interest here.
+ip="$( ip -4 -o route show to default scope global \
+ | sed -nr '/^default via (\S+) dev (\S+).*/ {s//\2 \1/p;q}' )"
+[ "${ip% *}" = "$IFACE" ] || exit 0
+ip="${ip##* }"
+
+vip="{{ ipsec[inventory_hostname_short] }}"
+vsubnet="{{ ipsec_subnet }}"
+
+case "$MODE" in
+ start) ip address add "$vip/32" dev "$IFACE" scope global || true
+ # Nullroute the subnet used for IPSec to avoid data leaks
+ # in the absence of xfrm lookup (i.e., when there is no
+ # matching IPSec Security Association).
+ ip route replace prohibit "$vsubnet" proto static || true
+ ip route replace table 220 to "$vsubnet" via "$ip" dev "$IFACE" proto static src "$vip" || true
+ ;;
+ stop) ip route del table 220 to "$vsubnet" via "$ip" dev "$IFACE" proto static src "$vip" || true
+ ip route del prohibit "$vsubnet" proto static || true
+ ip address del "$vip/32" dev "$IFACE" scope global || true
+esac