From f8641cb9126123987af3d9c05e5ed24d4f002b83 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Sun, 20 May 2018 13:00:46 -0500 Subject: [PATCH] dch-gw: Host Pyrocufflink VPN locally This commit adjusts the firewall and networking configuration on dc0 to host the Pyrocufflink remote access IPsec VPN locally instead of forwarding it to the internal VPN server. --- group_vars/dch-gw/dch-network.yml | 6 ------ host_vars/gw0/network.yml | 10 ---------- roles/dch-gw/templates/forward.nft.j2 | 6 ++++-- roles/dch-gw/templates/incoming.nft.j2 | 3 ++- roles/dch-gw/templates/masquerade.nft.j2 | 12 ++++++++++++ roles/dch-gw/templates/outgoing.nft.j2 | 2 +- 6 files changed, 19 insertions(+), 20 deletions(-) diff --git a/group_vars/dch-gw/dch-network.yml b/group_vars/dch-gw/dch-network.yml index 4c3da5c..877fc62 100644 --- a/group_vars/dch-gw/dch-network.yml +++ b/group_vars/dch-gw/dch-network.yml @@ -74,12 +74,6 @@ nat_port_forwards: - protocol: udp port: 16881-16999 destination: 172.31.0.5 -- protocol: udp - port: isakmp - destination: 172.31.0.2 -- protocol: udp - port: ipsec-nat-t - destination: 172.31.0.2 allow_incoming: diff --git a/host_vars/gw0/network.yml b/host_vars/gw0/network.yml index 1418b81..9327b52 100644 --- a/host_vars/gw0/network.yml +++ b/host_vars/gw0/network.yml @@ -31,16 +31,6 @@ network: addr: 172.31.0.1 prefix: 27 addr6: fd99:8cd7:6528::1 - routes: - - prefix: 172.31.0.64/28 - nexthop: - - address: 172.31.0.2 - - prefix: 192.168.0.0/16 - nexthop: - - address: 172.31.0.2 - - prefix: 172.28.33.0/24 - nexthop: - - address: 172.31.0.2 - ifname: vlan100 enabled: true vlan_id: 100 diff --git a/roles/dch-gw/templates/forward.nft.j2 b/roles/dch-gw/templates/forward.nft.j2 index ef49d78..c5f386e 100644 --- a/roles/dch-gw/templates/forward.nft.j2 +++ b/roles/dch-gw/templates/forward.nft.j2 
@@ -1,9 +1,10 @@
 {#- vim: set sw=4 ts=4 sts=4 et : #}
 table inet filter {
- set firemon {
+ set vpn_subnets {
 type ipv4_addr
 flags interval
 elements = {
+ 172.31.0.64/28,
 {% for prefix in firemon_networks %}
 {{ prefix }},
 {% endfor %}
@@ -15,7 +16,8 @@ table inet filter {
 iifname {{ dch_networks.guest.router_iface }} oif != {{ internet_iface }} drop
 iif != {{ internet_iface }} oifname {{ dch_networks.guest.router_iface }} drop
 iif != {{ internet_iface }} oif != {{ internet_iface }} counter accept
- ip daddr @firemon counter accept
+ iif {{ internet_iface }} ip saddr @vpn_subnets counter accept
+ iif != {{ internet_iface }} ip daddr @vpn_subnets counter accept
 tcp dport smtp counter reject with icmpx type host-unreachable
 oif {{ internet_iface }} accept
 }
diff --git a/roles/dch-gw/templates/incoming.nft.j2 b/roles/dch-gw/templates/incoming.nft.j2
index e175bdc..eb036a6 100644
--- a/roles/dch-gw/templates/incoming.nft.j2
+++ b/roles/dch-gw/templates/incoming.nft.j2
@@ -24,8 +24,9 @@ table inet filter {
 ct state established,related accept
 iif lo accept
 ip6 nexthdr ipv6-icmp accept
- ip protocol icmp accept
+ ip protocol { icmp, esp } accept
 udp sport dhcpv6-server counter accept
+ udp dport { isakmp, ipsec-nat-t } ct state new counter accept
 iif != {{ internet_iface }} tcp dport @allow_tcp_in ct state new counter accept
 iif != {{ internet_iface }} udp dport @allow_udp_in ct state new counter accept
 iif {{ internet_iface }} drop
diff --git a/roles/dch-gw/templates/masquerade.nft.j2 b/roles/dch-gw/templates/masquerade.nft.j2
index 082f787..2354d42 100644
--- a/roles/dch-gw/templates/masquerade.nft.j2
+++ b/roles/dch-gw/templates/masquerade.nft.j2
@@ -1,5 +1,17 @@
 table ip nat {
+ set vpn_subnets {
+ type ipv4_addr
+ flags interval
+ elements = {
+ 172.31.0.64/28,
+{% for prefix in firemon_networks %}
+ {{ prefix }},
+{% endfor %}
+ }
+ }
+
 chain postrouting {
+ ip daddr @vpn_subnets counter accept
 oif {{ ansible_default_ipv4.interface }} masquerade
 }
 }
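Review bot: The new forward rule `iif {{ internet_iface }} ip saddr @vpn_subnets counter accept` matches on source address alone, so a plaintext packet arriving on the internet interface with a spoofed source inside 172.31.0.64/28 or one of the `firemon_networks` prefixes is accepted by this chain exactly like a decrypted tunnel packet; whether such a packet is ultimately dropped then depends on the kernel XFRM policy check installed by the IPsec configuration, which this commit does not show. Tying the rule to the IPsec decapsulation state makes the intent explicit and removes that dependency, provided the nftables/kernel in use support the `secpath` meta key: `iif {{ internet_iface }} meta secpath exists ip saddr @vpn_subnets counter accept`. The companion rule for traffic into the tunnel, `iif != {{ internet_iface }} ip daddr @vpn_subnets counter accept`, needs no such guard. The forward chain's header and its policy lie outside the hunk.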
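Review bot: In incoming.nft.j2 the new `ip protocol { icmp, esp } accept` matches IPv4 ESP only, while the new `udp dport { isakmp, ipsec-nat-t } ct state new counter accept` is address-family agnostic in this `inet` table, so a peer that negotiates IKE over IPv6 and does not fall back to UDP encapsulation would have its ESP dropped by the final `iif {{ internet_iface }} drop`. If IPv6 peers are expected, add `ip6 nexthdr esp accept` next to the existing `ip6 nexthdr ipv6-icmp accept`; if the VPN is deliberately IPv4-only, qualifying the IKE rule with `meta nfproto ipv4` keeps the two rules consistent. For parity with the IKE rule, `counter` on the ESP accept would also help when debugging a tunnel that negotiates but passes no traffic. The chain's header lies outside the hunk.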
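Review bot: The client pool `172.31.0.64/28` is now typed as a literal in two templates (this `set vpn_subnets` and the one in forward.nft.j2) next to a loop that is otherwise driven by the `firemon_networks` variable. Duplicating the set body is unavoidable because nftables sets belong to a table and the filter and nat tables are different, but the prefix itself should come from a single group variable (for example `vpn_client_pool`, used as `{{ vpn_client_pool }},` in both sets) so the two tables cannot drift apart; the `172.31.0.64/28` route this commit removes from host_vars/gw0/network.yml shows the prefix was already maintained in more than one place. The `ip daddr @vpn_subnets counter accept` exclusion ahead of `masquerade` is presumably there so tunnel-bound packets keep their internal source address for the IPsec policy selectors, which are not part of this diff and are worth confirming.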
diff --git a/roles/dch-gw/templates/outgoing.nft.j2 b/roles/dch-gw/templates/outgoing.nft.j2
index 67c14fe..e1c6bdf 100644
--- a/roles/dch-gw/templates/outgoing.nft.j2
+++ b/roles/dch-gw/templates/outgoing.nft.j2
@@ -24,7 +24,7 @@ table inet filter {
 ct state established,related accept
 oif lo accept
 ip6 nexthdr ipv6-icmp accept
- ip protocol icmp accept
+ ip protocol { icmp, esp } accept
 tcp dport @allow_tcp_out ct state new counter accept
 udp dport @allow_udp_out ct state new counter accept
 }
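Review bot: As in incoming.nft.j2, `ip protocol { icmp, esp } accept` in the output chain matches IPv4 ESP only; because this is an `inet` table, ESP sent to a peer that negotiated IKE over IPv6 without UDP encapsulation would fall through to whatever the chain's policy is, which is outside the hunk. If IPv6 peers are expected, add `ip6 nexthdr esp accept` beside `ip6 nexthdr ipv6-icmp accept` so the output side mirrors the input side. Outgoing IKE replies are already covered by `ct state established,related accept`, so no port rule is needed here.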