Changed to Wireguard VPN
This commit is contained in:
parent
bf10300e30
commit
aa3bf94140
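--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -0,0 +1,29 @@
+---
+- name: restart wireguard
+ansible.builtin.service:
+name: "wg-quick@{{ wireguard_interface }}"
+state: "{{ item }}"
+loop:
+- stopped
+- started
+when:
+- wireguard__restart_interface
+- not ansible_os_family == 'Darwin'
+- wireguard_service_enabled == "yes"
+listen: "reconfigure wireguard"
+
+- name: syncconf wireguard
+ansible.builtin.shell: |
+set -o errexit
+set -o pipefail
+set -o nounset
+systemctl is-active wg-quick@{{ wireguard_interface|quote }} || systemctl start wg-quick@{{ wireguard_interface|quote }}
+wg syncconf {{ wireguard_interface|quote }} <(wg-quick strip /etc/wireguard/{{ wireguard_interface|quote }}.conf)
+exit 0
+args:
+executable: "/bin/bash"
+when:
+- not wireguard__restart_interface
+- not ansible_os_family == 'Darwin'
+- wireguard_service_enabled == "yes"
+listen: "reconfigure wireguard"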
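Review bot: Both handlers depend on `wireguard_interface`, `wireguard__restart_interface` and `wireguard_service_enabled`, but nothing in this commit defines them, while the tasks file hard-codes `vpn01` for the config path and the `wg-quick@vpn01` unit; unless defaults exist outside this commit, the first `reconfigure wireguard` notification fails on an undefined variable in `when`. The test `wireguard_service_enabled == "yes"` also matches only a quoted string, so a host that sets `wireguard_service_enabled: yes` (a YAML boolean) silently skips both handlers. Consider `wireguard_interface: vpn01` in the role defaults and a boolean test, `- wireguard_service_enabled | bool`. The `syncconf` handler relies on bash process substitution, which the explicit `executable: "/bin/bash"` does cover.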
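--- a/host_vars/troisdorf7.yml
+++ b/host_vars/troisdorf7.yml
@@ -0,0 +1,5 @@
+wireguard_unmanaged_peers:
+vpn1-stefan:
+public_key: Tkp/f1BlLSfl87+waTuZDRdrEgalBgy2oVg6fOluAx4=
+allowed_ips: 10.255.1.2/32, 10.1.0.0/16
+persistent_keepalive: 25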
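Review bot: The `allowed_ips` value for `vpn1-stefan` includes `10.1.0.0/16` next to the peer's own `/32`, and in WireGuard AllowedIPs acts as both a route and a source filter, so this single peer may originate traffic for the whole /16 and receives everything routed to it. If that is intended (a site-to-site peer), a one-line comment such as `# site-to-site peer: routes the remote 10.1.0.0/16 through this tunnel` saves the next reader from treating it as an over-broad grant. The file also lacks the leading `---` that handlers/main.yml in this commit uses.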
@ -32,3 +32,5 @@ all:
|
||||
gre_bb_b_ix_dus_ipv6: 2a03:2260:0:311::2
|
||||
gre_bb_a_fra3_f_ipv6: 2a03:2260:0:30d::2
|
||||
gre_bb_b_fra3_f_ipv6: 2a03:2260:0:310::2
|
||||
wireguard_address: 10.255.1.1
|
||||
wireguard_port: 42001
|
||||
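Review bot: `wireguard_address: 10.255.1.1` carries no prefix length, so the rendered `Address =` line leaves wg-quick to assume a /32 on the interface; writing the intended length explicitly, `wireguard_address: 10.255.1.1/24` or `/32`, makes the routing intent visible instead of implied. The new `wireguard_port: 42001` has no matching firewall rule anywhere in this commit, and whether the host's INPUT policy needs one cannot be told from these hunks, so it is worth confirming. The file header for this hunk is not shown on the page; from the `all:` context it is presumably the inventory's group vars.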
|
BIN
roles/.DS_Store
vendored
Normal file
BIN
roles/.DS_Store
vendored
Normal file
Binary file not shown.
@ -15,7 +15,7 @@
|
||||
dest: /etc/networkd-dispatcher/off.d/50-ifdown-hooks.sh
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0775'
|
||||
mode: '0755'
|
||||
|
||||
- name: Add ifUP Scripts via networkd-dispatcher
|
||||
ansible.builtin.template:
|
||||
@ -23,4 +23,4 @@
|
||||
dest: /etc/networkd-dispatcher/routable.d/50-ifup-hooks.sh
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0775'
|
||||
mode: '0755'
|
@ -23,4 +23,30 @@ sleep 5
|
||||
|
||||
# All from FF IPv4 via routing table 42
|
||||
/bin/ip rule add from {{ ffrl_ipv4 }}/32 lookup 42
|
||||
/bin/ip -6 rule add from {{ ffrl_ipv6_net }}/52 lookup 42
|
||||
/bin/ip -6 rule add from {{ ffrl_ipv6_net }}/52 lookup 42
|
||||
|
||||
# Add NAT Rules manualy
|
||||
sleep 60
|
||||
iptables -t nat -A POSTROUTING -o gre-bb-a.ak.ber -j SNAT --to-source {{ ffrl_ipv4 }}
|
||||
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ak.ber -j TCPMSS --set-mss 1312
|
||||
ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ak.ber -j TCPMSS --set-mss 1312
|
||||
|
||||
iptables -t nat -A POSTROUTING -o gre-bb-a.fra3.f -j SNAT --to-source {{ ffrl_ipv4 }}
|
||||
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.fra3.f -j TCPMSS --set-mss 1312
|
||||
ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.fra3.f -j TCPMSS --set-mss 1312
|
||||
|
||||
iptables -t nat -A POSTROUTING -o gre-bb-a.ix.dus -j SNAT --to-source {{ ffrl_ipv4 }}
|
||||
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ix.dus -j TCPMSS --set-mss 1312
|
||||
ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ix.dus -j TCPMSS --set-mss 1312
|
||||
|
||||
iptables -t nat -A POSTROUTING -o gre-bb-b.ak.ber -j SNAT --to-source {{ ffrl_ipv4 }}
|
||||
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.ak.ber -j TCPMSS --set-mss 1312
|
||||
ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.ak.ber -j TCPMSS --set-mss 1312
|
||||
|
||||
iptables -t nat -A POSTROUTING -o gre-bb-b.fra3.f -j SNAT --to-source {{ ffrl_ipv4 }}
|
||||
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.fra3.f -j TCPMSS --set-mss 1312
|
||||
ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.fra3.f -j TCPMSS --set-mss 1312
|
||||
|
||||
iptables -t nat -A POSTROUTING -o gre-bb-b.ix.dus -j SNAT --to-source {{ ffrl_ipv4 }}
|
||||
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.ix.dus -j TCPMSS --set-mss 1312
|
||||
ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.ix.dus -j TCPMSS --set-mss 1312
|
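Review bot: The added `iptables -t nat -A` and `TCPMSS -A` lines append a fresh rule on every routable event, and a networkd-dispatcher hook runs on each such event, so after an interface flap the POSTROUTING chains hold duplicate SNAT and MSS rules that nothing removes; guard each append with an `iptables -C` existence check so the hook stays idempotent. The `sleep 60` also blocks the hook for a minute on every run — if it waits for the GRE tunnels to appear, a bounded poll on the interface state would be faster and more explicit. The two identical `/bin/ip -6 rule add` lines near the top are presumably the old/new rendering of one changed line rather than a real duplicate. The script's beginning (`sleep 5` in the hunk header) lies outside the hunk.
```shell
# … unchanged: ip rule additions …

# ensure_rule BIN TABLE CHAIN RULE...: append RULE only when it is not already
# present, so repeated routable events do not accumulate duplicate rules.
ensure_rule() {
  local bin="$1" table="$2" chain="$3"
  shift 3
  "$bin" -t "$table" -C "$chain" "$@" 2>/dev/null || "$bin" -t "$table" -A "$chain" "$@"
}

for gre in gre-bb-a.ak.ber gre-bb-a.fra3.f gre-bb-a.ix.dus gre-bb-b.ak.ber gre-bb-b.fra3.f gre-bb-b.ix.dus; do
  ensure_rule iptables  nat    POSTROUTING -o "$gre" -j SNAT --to-source {{ ffrl_ipv4 }}
  ensure_rule iptables  mangle POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o "$gre" -j TCPMSS --set-mss 1312
  ensure_rule ip6tables mangle POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o "$gre" -j TCPMSS --set-mss 1312
done
```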
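--- a/roles/21-install-wireguard/tasks/main.yml
+++ b/roles/21-install-wireguard/tasks/main.yml
@@ -0,0 +1,91 @@
+- name: Install Wireguard
+apt: name={{ item }} state=latest update_cache=yes
+with_items:
+- wireguard
+
+
+- name: Register if config/private key already exists on target host
+ansible.builtin.stat:
+path: /etc/wireguard/vpn01.conf
+register: wireguard__register_config_file
+tags:
+- wg-generate-keys
+- wg-config
+
+- name: WireGuard private key handling for new keys
+block:
+- name: Generate WireGuard private key
+ansible.builtin.command: "wg genkey"
+register: wireguard__register_private_key
+changed_when: false
+tags:
+- wg-generate-keys
+
+- name: Set private key fact
+ansible.builtin.set_fact:
+wireguard_private_key: "{{ wireguard__register_private_key.stdout }}"
+tags:
+- wg-generate-keys
+when:
+- not wireguard__register_config_file.stat.exists
+- wireguard_private_key is not defined
+
+- name: WireGuard private key handling for existing keys
+block:
+- name: Read WireGuard config file
+ansible.builtin.slurp:
+src: /etc/wireguard/vpn01.conf
+register: wireguard__register_config
+tags:
+- wg-config
+
+- name: Set private key fact
+ansible.builtin.set_fact:
+wireguard_private_key: "{{ wireguard__register_config['content'] | b64decode | regex_findall('PrivateKey = (.*)') | first }}"
+tags:
+- wg-config
+when:
+- wireguard__register_config_file.stat.exists
+- wireguard_private_key is not defined
+
+- name: Derive WireGuard public key
+ansible.builtin.command: "wg pubkey"
+args:
+stdin: "{{ wireguard_private_key }}"
+register: wireguard__register_public_key
+changed_when: false
+check_mode: false
+tags:
+- wg-config
+
+- name: Set public key fact
+ansible.builtin.set_fact:
+wireguard__fact_public_key: "{{ wireguard__register_public_key.stdout }}"
+tags:
+- wg-config
+
+- name: Create WireGuard configuration directory
+ansible.builtin.file:
+dest: /etc/wireguard/
+state: directory
+mode: 0700
+tags:
+- wg-config
+
+- name: Generate WireGuard configuration file
+ansible.builtin.template:
+src: wg.conf.j2
+dest: /etc/wireguard/vpn01.conf
+owner: root
+group: root
+mode: 755
+tags:
+- wg-config
+notify:
+- reconfigure wireguard
+
+- name: Start and enable WireGuard service
+ansible.builtin.service:
+name: "wg-quick@vpn01"
+state: "started"
+enabled: "yes"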
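Review bot: `mode: 755` on the `Generate WireGuard configuration file` task makes `/etc/wireguard/vpn01.conf`, which carries `PrivateKey`, readable by every local user — and because the value is unquoted with no leading zero, Ansible reads it as decimal 755 rather than octal, so the resulting mode is not even 0755 (wg-quick itself warns about a world-accessible config); use `mode: '0600'` there and, for consistency, `mode: '0700'` on the directory task in place of the unquoted `0700`. The `Generate WireGuard private key`, `Read WireGuard config file` and both `Set private key fact` tasks handle the private key without `no_log: true`, so it appears in verbose play output and any callback log; add `no_log: true` to each. The `Install Wireguard` task still uses the `key=value` form with `state=latest`, which upgrades the package on every run and is not idempotent; `state: present` in block form matches the rest of the file.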
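--- a/roles/21-install-wireguard/templates/wg.conf.j2
+++ b/roles/21-install-wireguard/templates/wg.conf.j2
@@ -0,0 +1,31 @@
+#jinja2: lstrip_blocks:"True",trim_blocks:"True"
+# {{ ansible_managed }}
+# PublicKey: {{ wireguard__register_public_key.stdout }}
+
+[Interface]
+# {{ inventory_hostname }}
+Address = {{ wireguard_address }}
+PrivateKey = {{ wireguard_private_key }}
+ListenPort = {{ wireguard_port }}
+
+
+{% if wireguard_unmanaged_peers is defined %}
+# Peers not managed by Ansible from "wireguard_unmanaged_peers" variable
+{% for peer in wireguard_unmanaged_peers.keys() %}
+[Peer]
+# {{ peer }}
+PublicKey = {{ wireguard_unmanaged_peers[peer].public_key }}
+{% if wireguard_unmanaged_peers[peer].preshared_key is defined %}
+PresharedKey = {{ wireguard_unmanaged_peers[peer].preshared_key }}
+{% endif %}
+{% if wireguard_unmanaged_peers[peer].allowed_ips is defined %}
+AllowedIPs = {{ wireguard_unmanaged_peers[peer].allowed_ips }}
+{% endif %}
+{% if wireguard_unmanaged_peers[peer].endpoint is defined %}
+Endpoint = {{ wireguard_unmanaged_peers[peer].endpoint }}
+{% endif %}
+{% if wireguard_unmanaged_peers[peer].persistent_keepalive is defined %}
+PersistentKeepalive = {{ wireguard_unmanaged_peers[peer].persistent_keepalive }}
+{% endif %}
+{% endfor %}
+{% endif %}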
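Review bot: `PublicKey = {{ wireguard_unmanaged_peers[peer].public_key }}` is the one mandatory peer field yet the only one rendered without a guard, so a host_vars entry that misspells `public_key` fails with an opaque undefined-attribute error at template time; `{{ wireguard_unmanaged_peers[peer].public_key | mandatory }}` fails with a message that names the variable instead. The rendered file necessarily holds `PrivateKey` in clear, so its protection rests entirely on the file mode the template task assigns. The `# PublicKey:` header reads `wireguard__register_public_key.stdout` directly rather than the `wireguard__fact_public_key` fact the tasks derive from it; both carry the same value, but using the fact keeps the template independent of which task registered it.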
@ -12,4 +12,5 @@
|
||||
- name: System preperation
|
||||
hosts: vpn-offloader
|
||||
roles:
|
||||
- 20-install-openvpn
|
||||
# - 20-install-openvpn
|
||||
- 21-install-wireguard
|
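Review bot: Commenting out `20-install-openvpn` stops configuring OpenVPN on `vpn-offloader` but does not undo what earlier runs installed, so on already-provisioned hosts the OpenVPN service, its listening port and its key material stay in place beside the new WireGuard tunnel until something stops and purges them. If the migration is meant to be complete, a task that stops and disables the old service belongs in this change or a follow-up, and the commented-out role line should then be removed rather than left as dead config.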