From aa3bf94140dc78934c283cdc4c93be3d9bedf3c2 Mon Sep 17 00:00:00 2001 From: Stefan Date: Sun, 8 May 2022 21:32:16 +0200 Subject: [PATCH] Changed to Wireguard VPN --- .DS_Store | Bin 0 -> 6148 bytes handlers/main.yml | 29 ++++++ host_vars/troisdorf7.yml | 5 + hosts.yml | 2 + roles/.DS_Store | Bin 0 -> 6148 bytes roles/00-system-set-network/tasks/main.yml | 4 +- .../templates/sn_startup.sh.j2 | 28 +++++- roles/21-install-wireguard/tasks/main.yml | 91 ++++++++++++++++++ .../21-install-wireguard/templates/wg.conf.j2 | 31 ++++++ system-setup.yml | 3 +- 10 files changed, 189 insertions(+), 4 deletions(-) create mode 100644 .DS_Store create mode 100644 handlers/main.yml create mode 100644 host_vars/troisdorf7.yml create mode 100644 roles/.DS_Store create mode 100644 roles/21-install-wireguard/tasks/main.yml create mode 100644 roles/21-install-wireguard/templates/wg.conf.j2 diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..43d83e341cf680310df007ac20160faa83a4b2e1 GIT binary patch literal 6148 zcmeHKO>fgc5S>la)>eh&14z9ft;98ykWeJliwWh>D@Jet6l`Kqi>)_`okmp@$!9q7 zL%8xw_&ee4N2^9jPn8g=W~A9So}IVWKHIxqA`*k?=qXV|L;>7jD@3!wOuz9pYx&F$ zP}nglI-mg}Hqg^@R9SA~I)X3=htd9g-tQfDWdE?Y=*ant zUbiEk^`9>mVesJ5lcP7oZ|bbn-|g&3;BB^c&*LThKyYpD=gFj0y8Mc)VMNgH!s?jg z8+eQ;ho(~+Z&p=21n0V{Z91nE%5Kv1r&E8q1c!|kUFZ*TjYCH# z;SV3e-&yz*im-Rb_|le>h#hjv3a|pJ3T(N{$n5{GZ$AI8lK6@hUp;GZh+7c*9Y AwEzGB literal 0 HcmV?d00001 diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644 index 0000000..3a899e5 --- /dev/null +++ b/handlers/main.yml 
@@ -0,0 +1,29 @@
+---
+- name: restart wireguard
+ ansible.builtin.service:
+ name: "wg-quick@{{ wireguard_interface }}"
+ state: "{{ item }}"
+ loop:
+ - stopped
+ - started
+ when:
+ - wireguard__restart_interface
+ - not ansible_os_family == 'Darwin'
+ - wireguard_service_enabled == "yes"
+ listen: "reconfigure wireguard"
+
+- name: syncconf wireguard
+ ansible.builtin.shell: |
+ set -o errexit
+ set -o pipefail
+ set -o nounset
+ systemctl is-active wg-quick@{{ wireguard_interface|quote }} || systemctl start wg-quick@{{ wireguard_interface|quote }}
+ wg syncconf {{ wireguard_interface|quote }} <(wg-quick strip /etc/wireguard/{{ wireguard_interface|quote }}.conf)
+ exit 0
+ args:
+ executable: "/bin/bash"
+ when:
+ - not wireguard__restart_interface
+ - not ansible_os_family == 'Darwin'
+ - wireguard_service_enabled == "yes"
+ listen: "reconfigure wireguard"
\ No newline at end of file
diff --git a/host_vars/troisdorf7.yml b/host_vars/troisdorf7.yml
new file mode 100644
index 0000000..86299d6
--- /dev/null
+++ b/host_vars/troisdorf7.yml
@@ -0,0 +1,5 @@
+wireguard_unmanaged_peers:
+ vpn1-stefan:
+ public_key: Tkp/f1BlLSfl87+waTuZDRdrEgalBgy2oVg6fOluAx4=
+ allowed_ips: 10.255.1.2/32, 10.1.0.0/16
+ persistent_keepalive: 25
\ No newline at end of file
diff --git a/hosts.yml b/hosts.yml
index 333ba45..0b2d402 100644
--- a/hosts.yml
+++ b/hosts.yml
@@ -32,3 +32,5 @@ all:
 gre_bb_b_ix_dus_ipv6: 2a03:2260:0:311::2
 gre_bb_a_fra3_f_ipv6: 2a03:2260:0:30d::2
 gre_bb_b_fra3_f_ipv6: 2a03:2260:0:310::2
+ wireguard_address: 10.255.1.1
+ wireguard_port: 42001
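Review bot: Both `reconfigure wireguard` handlers key their unit name and their `when` conditions on `wireguard_interface`, `wireguard__restart_interface` and `wireguard_service_enabled`, but none of those variables is defined anywhere in this patch — the role hard-codes the interface as `vpn01` (`/etc/wireguard/vpn01.conf`, `wg-quick@vpn01`) and hosts.yml only adds `wireguard_address` and `wireguard_port`. Unless they come from group_vars or role defaults outside the diff, the first `notify` after a config change aborts with an undefined-variable error while evaluating `when`, and the running tunnel never picks up the new peer set. Define them once, e.g. `wireguard_interface: vpn01`, `wireguard__restart_interface: false`, `wireguard_service_enabled: "yes"`, and have the tasks reference `{{ wireguard_interface }}` instead of the literal. Note also that this file sits in the repository's top-level `handlers/` directory, which Ansible does not load for a role; a handler notified from `roles/21-install-wireguard` is found only in `roles/21-install-wireguard/handlers/main.yml` or in a `handlers:` section of the play, and the play hunk in system-setup.yml shows neither.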
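Review bot: The peer `vpn1-stefan` gets `allowed_ips: 10.255.1.2/32, 10.1.0.0/16`, and on the offloader's side of the tunnel AllowedIPs is both a source filter and a route: packets arriving from this peer with any source inside 10.1.0.0/16 are accepted, and everything the host sends to 10.1.0.0/16 is steered into this peer's tunnel. If 10.1.0.0/16 is the network behind the offloader that the client is supposed to reach, the /16 belongs in the client's own AllowedIPs and the server entry should be just `allowed_ips: 10.255.1.2/32`; if the client really does sit in front of 10.1.0.0/16, record that, e.g. `# vpn1-stefan announces 10.1.0.0/16 (site network behind the client)`. The template already honours `preshared_key`, so a per-peer `preshared_key:` here is a cheap extra layer on top of the public-key exchange.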
diff --git a/roles/.DS_Store b/roles/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..c4168013c047a49fb42ab64a127b23344776c5c9 GIT binary patch literal 6148 zcmeHKOHRWu5FM8;D%h0r5kf-B1%fCi2vu3I<^nWnR7yWVO+&>ld+xv$I3Fu`GqzCT zmM#&XnaJ}T$MZ6NR_vIFOs^PriP}WeLSby~!fh~q&SlLSu7w{O;aE^g16sm|YrVBW z6;K6!n*#jp9?%7@kP@nXzd02&qzvr^<@ll(H`6SMr&){$UM{Xs&OgLZBkDMooSxC2 z*MJ#fIdTb%X$fnn#~L%Ew9aMDJg%dyTyx251;zzUJf;_q=@d*| z8B29!W8}fv3}}igq({^en!u01oqL?`9_Kz7nX|4r-(}!^fRF18jgiODp-bcyLf3j8 z88S)H_5_^QIb_aWD|2=T4$i{oSjlXq7)gQgY@W9&4^mV6a|&S3W^3(PRIduC0;<55 z0=zy1D2$QA(xNOKaB>6yHqk7GI{zGSOyDqbSX#srn6aTi8*1DU!`N`N2d-b_u(W8y z$+*LZac?&6gkt3F;18rbnaHAgRX`P}E3jj4+r0l@e}De32kD(EpbGpe1x&Ml+wWmW zZf{*19PhOO${h+D_bV+*2%OuFrNUeB35pn=1zZ6}4oiz@f$5Kc$e>OY_)!Hu0aOu~ AfdBvi literal 0 HcmV?d00001 diff --git a/roles/00-system-set-network/tasks/main.yml b/roles/00-system-set-network/tasks/main.yml index 37d1069..6c5822b 100644 --- a/roles/00-system-set-network/tasks/main.yml +++ b/roles/00-system-set-network/tasks/main.yml @@ -15,7 +15,7 @@ dest: /etc/networkd-dispatcher/off.d/50-ifdown-hooks.sh owner: root group: root - mode: '0775' + mode: '0755' - name: Add ifUP Scripts via networkd-dispatcher ansible.builtin.template: @@ -23,4 +23,4 @@ dest: /etc/networkd-dispatcher/routable.d/50-ifup-hooks.sh owner: root group: root - mode: '0775' \ No newline at end of file + mode: '0755' \ No newline at end of file diff --git a/roles/11-create-cronjob/templates/sn_startup.sh.j2 b/roles/11-create-cronjob/templates/sn_startup.sh.j2 index 05e0056..ba64061 100644 --- a/roles/11-create-cronjob/templates/sn_startup.sh.j2 +++ b/roles/11-create-cronjob/templates/sn_startup.sh.j2 
@@ -23,4 +23,30 @@ sleep 5 # All from FF IPv4 via routing table 42 /bin/ip rule add from {{ ffrl_ipv4 }}/32 lookup 42 -/bin/ip -6 rule add from {{ ffrl_ipv6_net }}/52 lookup 42 \ No newline at end of file +/bin/ip -6 rule add from {{ ffrl_ipv6_net }}/52 lookup 42 + +# Add NAT Rules manualy +sleep 60 +iptables -t nat -A POSTROUTING -o gre-bb-a.ak.ber -j SNAT --to-source {{ ffrl_ipv4 }} +iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ak.ber -j TCPMSS --set-mss 1312 +ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ak.ber -j TCPMSS --set-mss 1312 + +iptables -t nat -A POSTROUTING -o gre-bb-a.fra3.f -j SNAT --to-source {{ ffrl_ipv4 }} +iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.fra3.f -j TCPMSS --set-mss 1312 +ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.fra3.f -j TCPMSS --set-mss 1312 + +iptables -t nat -A POSTROUTING -o gre-bb-a.ix.dus -j SNAT --to-source {{ ffrl_ipv4 }} +iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ix.dus -j TCPMSS --set-mss 1312 +ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ix.dus -j TCPMSS --set-mss 1312 + +iptables -t nat -A POSTROUTING -o gre-bb-b.ak.ber -j SNAT --to-source {{ ffrl_ipv4 }} +iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.ak.ber -j TCPMSS --set-mss 1312 +ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.ak.ber -j TCPMSS --set-mss 1312 + +iptables -t nat -A POSTROUTING -o gre-bb-b.fra3.f -j SNAT --to-source {{ ffrl_ipv4 }} +iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.fra3.f -j TCPMSS --set-mss 1312 +ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.fra3.f -j TCPMSS --set-mss 1312 + +iptables -t nat -A POSTROUTING -o gre-bb-b.ix.dus -j SNAT --to-source {{ ffrl_ipv4 }} +iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST 
SYN -o gre-bb-b.ix.dus -j TCPMSS --set-mss 1312 +ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.ix.dus -j TCPMSS --set-mss 1312 \ No newline at end of file diff --git a/roles/21-install-wireguard/tasks/main.yml b/roles/21-install-wireguard/tasks/main.yml new file mode 100644 index 0000000..13c7757 --- /dev/null +++ b/roles/21-install-wireguard/tasks/main.yml 
@@ -0,0 +1,91 @@
+- name: Install Wireguard
+ apt: name={{ item }} state=latest update_cache=yes
+ with_items:
+ - wireguard
+
+
+- name: Register if config/private key already exists on target host
+ ansible.builtin.stat:
+ path: /etc/wireguard/vpn01.conf
+ register: wireguard__register_config_file
+ tags:
+ - wg-generate-keys
+ - wg-config
+
+- name: WireGuard private key handling for new keys
+ block:
+ - name: Generate WireGuard private key
+ ansible.builtin.command: "wg genkey"
+ register: wireguard__register_private_key
+ changed_when: false
+ tags:
+ - wg-generate-keys
+
+ - name: Set private key fact
+ ansible.builtin.set_fact:
+ wireguard_private_key: "{{ wireguard__register_private_key.stdout }}"
+ tags:
+ - wg-generate-keys
+ when:
+ - not wireguard__register_config_file.stat.exists
+ - wireguard_private_key is not defined
+
+- name: WireGuard private key handling for existing keys
+ block:
+ - name: Read WireGuard config file
+ ansible.builtin.slurp:
+ src: /etc/wireguard/vpn01.conf
+ register: wireguard__register_config
+ tags:
+ - wg-config
+
+ - name: Set private key fact
+ ansible.builtin.set_fact:
+ wireguard_private_key: "{{ wireguard__register_config['content'] | b64decode | regex_findall('PrivateKey = (.*)') | first }}"
+ tags:
+ - wg-config
+ when:
+ - wireguard__register_config_file.stat.exists
+ - wireguard_private_key is not defined
+
+- name: Derive WireGuard public key
+ ansible.builtin.command: "wg pubkey"
+ args:
+ stdin: "{{ wireguard_private_key }}"
+ register: wireguard__register_public_key
+ changed_when: false
+ check_mode: false
+ tags:
+ - wg-config
+
+- name: Set public key fact
+ ansible.builtin.set_fact:
+ wireguard__fact_public_key: "{{ wireguard__register_public_key.stdout }}"
+ tags:
+ - wg-config
+
+- name: Create WireGuard configuration directory
+ ansible.builtin.file:
+ dest: /etc/wireguard/
+ state: directory
+ mode: 0700
+ tags:
+ - wg-config
+
+- name: Generate WireGuard configuration file
+ ansible.builtin.template:
+ src: wg.conf.j2
+ dest: /etc/wireguard/vpn01.conf
+ owner: root
+ group: root
+ mode: 755
+ tags:
+ - wg-config
+ notify:
+ - reconfigure wireguard
+
+- name: Start and enable WireGuard service
+ ansible.builtin.service:
+ name: "wg-quick@vpn01"
+ state: "started"
+ enabled: "yes"
\ No newline at end of file
diff --git a/roles/21-install-wireguard/templates/wg.conf.j2 b/roles/21-install-wireguard/templates/wg.conf.j2
new file mode 100644
index 0000000..1026b40
--- /dev/null
+++ b/roles/21-install-wireguard/templates/wg.conf.j2
@@ -0,0 +1,31 @@
+#jinja2: lstrip_blocks:"True",trim_blocks:"True"
+# {{ ansible_managed }}
+# PublicKey: {{ wireguard__register_public_key.stdout }}
+
+[Interface]
+# {{ inventory_hostname }}
+Address = {{ wireguard_address }}
+PrivateKey = {{ wireguard_private_key }}
+ListenPort = {{ wireguard_port }}
+
+
+{% if wireguard_unmanaged_peers is defined %}
+# Peers not managed by Ansible from "wireguard_unmanaged_peers" variable
+{% for peer in wireguard_unmanaged_peers.keys() %}
+[Peer]
+# {{ peer }}
+PublicKey = {{ wireguard_unmanaged_peers[peer].public_key }}
+{% if wireguard_unmanaged_peers[peer].preshared_key is defined %}
+PresharedKey = {{ wireguard_unmanaged_peers[peer].preshared_key }}
+{% endif %}
+{% if wireguard_unmanaged_peers[peer].allowed_ips is defined %}
+AllowedIPs = {{ wireguard_unmanaged_peers[peer].allowed_ips }}
+{% endif %}
+{% if wireguard_unmanaged_peers[peer].endpoint is defined %}
+Endpoint = {{ wireguard_unmanaged_peers[peer].endpoint }}
+{% endif %}
+{% if wireguard_unmanaged_peers[peer].persistent_keepalive is defined %}
+PersistentKeepalive = {{ wireguard_unmanaged_peers[peer].persistent_keepalive }}
+{% endif %}
+{% endfor %}
+{% endif %}
\ No newline at end of file
diff --git a/system-setup.yml b/system-setup.yml
index 80d083b..aca1ab8 100644
--- a/system-setup.yml
+++ b/system-setup.yml
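Review bot: The rendered `/etc/wireguard/vpn01.conf` contains the interface's `PrivateKey`, yet the template task sets `mode: 755` as an unquoted integer, which Ansible takes as decimal 755 (octal 1363) — group-readable and world-writable, not 0755 — so any local user can read or replace the key; it should be `mode: "0600"`, and the directory's `mode: 0700` should be quoted the same way so it cannot be re-read as a decimal later. The key is also exposed in task output: it passes through `register` on `wg genkey`, `slurp` and `wg pubkey`, through both `set_fact` tasks, and the template task prints it under `--diff`; add `no_log: true` to each of those tasks. The install task mixes the old `key=value` argument form with `with_items` and uses `state=latest`, which turns a configuration run into an unplanned package upgrade; block-form `ansible.builtin.apt:` with `name: wireguard`, `state: present`, `update_cache: true` is the conventional shape. The interface name `vpn01` is spelled out in four places here while the handlers use `{{ wireguard_interface }}`; one variable would keep them from diverging.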
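Review bot: The header comment renders `wireguard__register_public_key.stdout` even though the task file stores that same value in the `wireguard__fact_public_key` fact immediately afterwards; using the fact in the template, `# PublicKey: {{ wireguard__fact_public_key }}`, keeps a single name for the value and lets the template be rendered from facts alone. `Address = {{ wireguard_address }}` carries no prefix length (hosts.yml supplies `10.255.1.1`), so the interface presumably ends up with a /32 and every peer address is reachable only through its AllowedIPs route — workable for a hub with per-peer /32 entries, but worth stating, e.g. `# no prefix on purpose: peers are reached via their AllowedIPs routes`.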
@@ -12,4 +12,5 @@
 - name: System preperation
 hosts: vpn-offloader
 roles:
- - 20-install-openvpn
\ No newline at end of file
+# - 20-install-openvpn
+ - 21-install-wireguard
\ No newline at end of file
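Review bot: Commenting out `20-install-openvpn` only stops Ansible from managing OpenVPN; on hosts already provisioned by the previous play the OpenVPN unit, its configuration and its listening port stay in place, and nothing in this patch stops or removes them, so the old VPN keeps running beside the new one. A short teardown in the new role — stopping and disabling whatever unit the old role installed, then removing its configuration — or a dedicated cleanup role closes that gap; if the offloaders are rebuilt from scratch this does not apply. Deleting the line instead of leaving a commented-out role also keeps the play readable, since the role name survives in history.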