Add raccoon to wireguard #173

rarias · 2025-09-22T17:01:59+02:00

rarias commented

2025-09-22 17:01:59 +02:00

Allows reaching the gitea and gitlab servers directly from compute machines, without the need of extra SSH configuration. It removes the need for users to have an SSH account in jump machines. It also allows us to mount the NFS home in raccoon.

# Example from hut:
hut% ping -c1 raccoon
PING raccoon (10.106.0.236) 56(84) bytes of data.
64 bytes from raccoon (10.106.0.236): icmp_seq=1 ttl=63 time=1.02 ms

--- raccoon ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.020/1.020/1.020/0.000 ms


hut% ping -c1 tent
PING tent (10.0.44.4) 56(84) bytes of data.
64 bytes from tent (10.0.44.4): icmp_seq=1 ttl=62 time=1.41 ms

--- tent ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.413/1.413/1.413/0.000 ms


hut% ping -c1 bscpm04.bsc.es
PING bscpm04.bsc.es (192.168.11.12) 56(84) bytes of data.
64 bytes from bscpm04.bsc.es (192.168.11.12): icmp_seq=1 ttl=61 time=1.34 ms

--- bscpm04.bsc.es ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.340/1.340/1.340/0.000 ms


hut% ssh git@bscpm04.bsc.es
PTY allocation request failed on channel 0
Welcome to GitLab, @rarias!
Connection to bscpm04.bsc.es closed.

The link is also quite fast even if we are passing through two hops:

hut% ssh tent dd if=/dev/zero bs=1M count=1024 status=progress > /dev/null
1007681536 bytes (1,0 GB, 961 MiB) copied, 9 s, 112 MB/s
1024+0 records in
1024+0 records out
1073741824 bytes (1,1 GB, 1,0 GiB) copied, 9,58982 s, 112 MB/s

Fixes #170

Allows reaching the gitea and gitlab servers directly from compute machines, without the need of extra SSH configuration. It removes the need for users to have an SSH account in jump machines. It also allows us to mount the NFS home in raccoon. ``` # Example from hut: hut% ping -c1 raccoon PING raccoon (10.106.0.236) 56(84) bytes of data. 64 bytes from raccoon (10.106.0.236): icmp_seq=1 ttl=63 time=1.02 ms --- raccoon ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 1.020/1.020/1.020/0.000 ms hut% ping -c1 tent PING tent (10.0.44.4) 56(84) bytes of data. 64 bytes from tent (10.0.44.4): icmp_seq=1 ttl=62 time=1.41 ms --- tent ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 1.413/1.413/1.413/0.000 ms hut% ping -c1 bscpm04.bsc.es PING bscpm04.bsc.es (192.168.11.12) 56(84) bytes of data. 64 bytes from bscpm04.bsc.es (192.168.11.12): icmp_seq=1 ttl=61 time=1.34 ms --- bscpm04.bsc.es ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 1.340/1.340/1.340/0.000 ms hut% ssh git@bscpm04.bsc.es PTY allocation request failed on channel 0 Welcome to GitLab, @rarias! Connection to bscpm04.bsc.es closed. ``` The link is also quite fast even if we are passing through two hops: ``` hut% ssh tent dd if=/dev/zero bs=1M count=1024 status=progress > /dev/null 1007681536 bytes (1,0 GB, 961 MiB) copied, 9 s, 112 MB/s 1024+0 records in 1024+0 records out 1073741824 bytes (1,1 GB, 1,0 GiB) copied, 9,58982 s, 112 MB/s ``` Fixes #170

rarias added 21 commits 2025-09-22 17:01:59 +02:00

Use lowercase peer hostnames 3160415793

Restrict fox peer to a single IP 93586bb12b

Add raccoon host key 4a97ca2e18

Add raccoon peer to wireguard bb2c3345a0

Mount apex /home via NFS in raccoon 2892942fe9

Forward traffic from apex to ethernet via NAT 97067691f3

WIP: Route raccoon via wireguard in apex 614245b81b

Allow direct access to git repositories via SSH 091ecf899a

Remove intranet route from apex peer in raccoon 1007de7c84

We only need apex to reach the intranet so it will be raccoon the only
peer that uses intranet IPs as source. All other peers must accept them
from raccoon, but not the other way around.

SQ Rename raccoon host in fox bba30636e0

Move gitlab hosts to common configuration 85a49d1763

Accept intranet traffic from raccoon in fox bfe4379804

SQ Remove jumps to reach gitlab and apex cf98b844f1

Add route to tent in fox and apex via wg0 aabc6eea9c

Add keepalive to fox in raccoon 1c8e6d7e73

Needed as we can only reach one side.

Accept traffic from jungle subnet into raccoon 052b8efc2c

Include ssf hosts in tent 3eac62140e

Add raccoon host to tent b643330ce3

Drop external jump to access hut from tent 6555124a77

Remove ssh jumps to raccoon or tent 81ae35ccfd

Add raccoon and tent to ssf hosts 17b788a06e

rarias added 1 commit 2025-09-22 17:22:47 +02:00

Add direct ssf hosts to raccoon de94eb5d4c

rarias force-pushed raccoon-wg from de94eb5d4c to 8e1766db57

2025-09-25 15:22:20 +02:00

Compare

rarias changed title from ~~WIP: Add raccoon to wireguard~~ to Add raccoon to wireguard

2025-09-25 15:34:44 +02:00

rarias requested review from abonerib 2025-09-25 15:34:53 +02:00

rarias requested review from arocanon 2025-09-25 15:34:53 +02:00

rarias added the net label 2025-09-25 15:34:59 +02:00

abonerib approved these changes 2025-09-25 16:54:28 +02:00

abonerib left a comment

LGTM

Connecting from the different nodes (except fox, which is currently allocated) seems to work and ip route ; ip addr seem to make sense.

Now that we have visibility of hut/tent from fox and raccoon, we can clean up the binary substituters. I'll do a follow-up MR once this is merged.

LGTM Connecting from the different nodes (except fox, which is currently allocated) seems to work and `ip route ; ip addr` seem to make sense. Now that we have visibility of hut/tent from fox and raccoon, we can clean up the binary substituters. I'll do a follow-up MR once this is merged.

👍 1

rarias force-pushed raccoon-wg from 8e1766db57 to 9c3fbc0ec9

2025-09-26 12:29:11 +02:00

Compare

rarias manually merged commit 9c3fbc0ec9 into master

2025-09-26 12:31:10 +02:00

Sign in to join this conversation.

2 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: rarias/jungle#173