Ansible playbook for creating secure networks with double firewalls and load balancing behind internal networks. The approach is based on proxying ingress and egress traffic using reverse-proxy, SOCKSv5 and HTTP Proxy methods.
Advantages:
- Hide real nodes behind two layers of firewall nodes
- At any time you can disconnect the middle node (`firewall` type) in case the `exit` node was hacked/compromised. No trace persists on that node, so the attacker will not even learn the `internal` node IP
- Introduce additional L4 security, e.g. against DoS
- Hide your internal nodes' public IP by redirecting traffic through an egress proxy (traffic exits on `exit` type nodes)
- Possibility to create a honeypot on exit nodes and then ban intruders on firewall nodes
Every node is connected over a VPN. A peer list is defined for each node; only the listed nodes can communicate with each other.
For example:
- `Exit node` talks only to `Firewall node`
- `Firewall node` talks to `Exit node` and `Internal node`

Node roles:
- **Exit nodes**: nodes facing the internet. DNS should point at exit nodes
- **Firewall nodes**: relay nodes between `Exit nodes` and `Internal nodes`; they act as a pure bridge that can be shut down at any time to hide your `Internal nodes` from attackers
- **Internal nodes**: your secure zone. These nodes should not be directly exposed to the internet
```yaml
# node with role "exit" (faces the internet)
node_role: exit
wg_internal_ip: 10.100.0.1
peers:
    - name: firewall-node-1
      relation: ["forward-ingress"]
```

```yaml
# node with role "firewall" (bridge between exit and internal)
node_role: firewall
wg_internal_ip: 10.100.0.2
peers:
    - name: exit-1
      externalIp: 1.2.3.4
      relation: ["forward-egress"] # `firewall-1` is tunneling SOCKSv5 egress
    - name: internal-1
      relation: ["forward-ingress"] # `firewall-node-1` is tunneling TLS+HTTP ingress
```

```yaml
# node with role "internal" (secure zone, not exposed to the internet)
node_role: internal
wg_internal_ip: 10.100.0.3
#wg_port: 51826
# egress proxy accessible for Pods
#setup_egress_proxy: true
#haproxy_bind_ip: 10.50.0.1
peers:
    - name: firewall-1
      externalIp: 5.4.3.2 # `internal-1` knows the internet IP of `firewall-1`
      #persistentKeepAlive: 50
      #relation: ["forward-egress"] # use with setup_egress_proxy=true
```
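Because the whole isolation guarantee rests on the peer lists (an `internal` node must never be a direct peer of an `exit` node, and every peering must be mutual), it is worth checking the inventory before running the playbook. The following is an added example and not part of the playbook: it takes per-node configs shaped like the YAML above (`node_role`, `wg_internal_ip`, `peers` with `name` and `relation`), validates the three-tier peer graph, and traces the ingress and egress chains by following the `relation` edges. The hostnames, the uncommented `forward-egress` on `internal-1` (the `setup_egress_proxy: true` case) and the `INVENTORY` dict are assumptions constructed for this example.

```python
"""Topology check for the exit / firewall / internal layout described above.

Added example, not part of the playbook: per-node configs shaped like the
README's YAML are checked against the three-tier rule (exit <-> firewall <->
internal, nothing else), and the ingress/egress chains are traced.
"""
from typing import Dict, List, Optional

# Which roles each role is allowed to peer with.
ALLOWED_PEER_ROLES = {
    "exit": {"firewall"},
    "firewall": {"exit", "internal"},
    "internal": {"firewall"},
}
KNOWN_RELATIONS = {"forward-ingress", "forward-egress"}

# Constructed inventory mirroring the README's three examples. Hostnames, IPs
# and the enabled forward-egress on internal-1 are assumptions for this example.
INVENTORY: Dict[str, dict] = {
    "exit-1": {
        "node_role": "exit", "wg_internal_ip": "10.100.0.1",
        "peers": [{"name": "firewall-1", "relation": ["forward-ingress"]}],
    },
    "firewall-1": {
        "node_role": "firewall", "wg_internal_ip": "10.100.0.2",
        "peers": [
            {"name": "exit-1", "externalIp": "1.2.3.4", "relation": ["forward-egress"]},
            {"name": "internal-1", "relation": ["forward-ingress"]},
        ],
    },
    "internal-1": {
        "node_role": "internal", "wg_internal_ip": "10.100.0.3",
        "setup_egress_proxy": True,
        "peers": [{"name": "firewall-1", "externalIp": "5.4.3.2",
                   "relation": ["forward-egress"]}],
    },
}


def check_topology(inventory: Dict[str, dict]) -> List[str]:
    """Return human-readable problems; an empty list means the layout is sound."""
    problems: List[str] = []
    seen_ips: Dict[str, str] = {}
    for host, cfg in inventory.items():
        role = cfg.get("node_role")
        if role not in ALLOWED_PEER_ROLES:
            problems.append(f"{host}: unknown node_role {role!r}")
            continue
        ip = cfg.get("wg_internal_ip")
        if ip in seen_ips:
            problems.append(f"{host}: wg_internal_ip {ip} already used by {seen_ips[ip]}")
        seen_ips[ip] = host
        for peer in cfg.get("peers", []):
            pname = peer.get("name")
            pcfg = inventory.get(pname)
            if pcfg is None:
                problems.append(f"{host}: peer {pname!r} is not in the inventory")
                continue
            prole = pcfg.get("node_role")
            if prole not in ALLOWED_PEER_ROLES[role]:
                problems.append(f"{host} ({role}) must not peer directly with {pname} ({prole})")
            for rel in peer.get("relation", []):
                if rel not in KNOWN_RELATIONS:
                    problems.append(f"{host}: unknown relation {rel!r} towards {pname}")
            # WireGuard peering is mutual: the other side has to list us as well.
            if not any(p.get("name") == host for p in pcfg.get("peers", [])):
                problems.append(f"{pname} does not list {host} as a peer (one-sided peering)")
    return problems


def trace_path(inventory: Dict[str, dict], start: str, relation: str) -> List[str]:
    """Follow `relation` edges from `start` and return the hop list, e.g. the
    forward-ingress chain exit -> firewall -> internal. Stops at a node with no
    outgoing edge of that relation, or when a hop would revisit the path."""
    path = [start]
    current = start
    while True:
        next_hop: Optional[str] = None
        for peer in inventory.get(current, {}).get("peers", []):
            if relation in peer.get("relation", []):
                next_hop = peer.get("name")
                break
        if next_hop is None or next_hop in path:
            return path
        path.append(next_hop)
        current = next_hop


if __name__ == "__main__":
    for line in check_topology(INVENTORY) or ["topology OK"]:
        print(line)
    print("ingress:", " -> ".join(trace_path(INVENTORY, "exit-1", "forward-ingress")))
    print("egress: ", " -> ".join(trace_path(INVENTORY, "internal-1", "forward-egress")))
```

Run it against a real inventory by loading each host's variables into the same dict shape; a non-empty result from `check_topology` means an `internal` node is reachable in fewer hops than the design intends, or a peering is one-sided and the tunnel will not come up.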