Changed to Wireguard VPN

handlers/main.yml

@@ -0,0 +1,29 @@
+---
+- name: restart wireguard
+  ansible.builtin.service:
+    name: "wg-quick@{{ wireguard_interface }}"
+    state: "{{ item }}"
+  loop:
+    - stopped
+    - started
+  when:
+    - wireguard__restart_interface
+    - not ansible_os_family == 'Darwin'
+    - wireguard_service_enabled == "yes"
+  listen: "reconfigure wireguard"
+
+- name: syncconf wireguard
+  ansible.builtin.shell: |
+    set -o errexit
+    set -o pipefail
+    set -o nounset
+    systemctl is-active wg-quick@{{ wireguard_interface|quote }} || systemctl start wg-quick@{{ wireguard_interface|quote }}
+    wg syncconf {{ wireguard_interface|quote }} <(wg-quick strip /etc/wireguard/{{ wireguard_interface|quote }}.conf)
+    exit 0
+  args:
+    executable: "/bin/bash"
+  when:
+    - not wireguard__restart_interface
+    - not ansible_os_family == 'Darwin'
+    - wireguard_service_enabled == "yes"
+  listen: "reconfigure wireguard"

host_vars/troisdorf7.yml

@@ -0,0 +1,5 @@
+wireguard_unmanaged_peers:
+  vpn1-stefan:
+    public_key: Tkp/f1BlLSfl87+waTuZDRdrEgalBgy2oVg6fOluAx4=
+    allowed_ips: 10.255.1.2/32, 10.1.0.0/16
+    persistent_keepalive: 25

hosts.yml

@@ -32,3 +32,5 @@ all:
               gre_bb_b_ix_dus_ipv6: 2a03:2260:0:311::2
               gre_bb_a_fra3_f_ipv6: 2a03:2260:0:30d::2
               gre_bb_b_fra3_f_ipv6: 2a03:2260:0:310::2
+              wireguard_address: 10.255.1.1
+              wireguard_port: 42001

roles/00-system-set-network/tasks/main.yml

@@ -15,7 +15,7 @@
     dest: /etc/networkd-dispatcher/off.d/50-ifdown-hooks.sh
     owner: root
     group: root
-    mode: '0775'
+    mode: '0755'
 
 - name: Add ifUP Scripts via networkd-dispatcher
   ansible.builtin.template:
@@ -23,4 +23,4 @@
     dest: /etc/networkd-dispatcher/routable.d/50-ifup-hooks.sh
     owner: root
     group: root
-    mode: '0775'
+    mode: '0755'

roles/11-create-cronjob/templates/sn_startup.sh.j2

@@ -24,3 +24,29 @@ sleep 5
 # All from FF IPv4 via routing table 42
 /bin/ip rule add from {{ ffrl_ipv4 }}/32 lookup 42
 /bin/ip -6 rule add from {{ ffrl_ipv6_net }}/52 lookup 42
+
+# Add NAT Rules manualy
+sleep 60
+iptables -t nat -A POSTROUTING -o gre-bb-a.ak.ber -j SNAT --to-source {{ ffrl_ipv4 }}
+iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ak.ber -j TCPMSS --set-mss 1312
+ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ak.ber -j TCPMSS --set-mss 1312
+
+iptables -t nat -A POSTROUTING -o gre-bb-a.fra3.f -j SNAT --to-source {{ ffrl_ipv4 }}
+iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.fra3.f -j TCPMSS --set-mss 1312
+ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.fra3.f -j TCPMSS --set-mss 1312
+
+iptables -t nat -A POSTROUTING -o gre-bb-a.ix.dus -j SNAT --to-source {{ ffrl_ipv4 }}
+iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ix.dus -j TCPMSS --set-mss 1312
+ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ix.dus -j TCPMSS --set-mss 1312
+
+iptables -t nat -A POSTROUTING -o gre-bb-b.ak.ber -j SNAT --to-source {{ ffrl_ipv4 }}
+iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.ak.ber -j TCPMSS --set-mss 1312
+ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.ak.ber -j TCPMSS --set-mss 1312
+
+iptables -t nat -A POSTROUTING -o gre-bb-b.fra3.f -j SNAT --to-source {{ ffrl_ipv4 }}
+iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.fra3.f -j TCPMSS --set-mss 1312
+ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.fra3.f -j TCPMSS --set-mss 1312
+
+iptables -t nat -A POSTROUTING -o gre-bb-b.ix.dus -j SNAT --to-source {{ ffrl_ipv4 }}
+iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.ix.dus -j TCPMSS --set-mss 1312
+ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.ix.dus -j TCPMSS --set-mss 1312

roles/21-install-wireguard/tasks/main.yml

@@ -0,0 +1,91 @@
+- name: Install Wireguard
+  apt: name={{ item }} state=latest update_cache=yes
+  with_items:
+    - wireguard
+
+
+- name: Register if config/private key already exists on target host
+  ansible.builtin.stat:
+    path: /etc/wireguard/vpn01.conf
+  register: wireguard__register_config_file
+  tags:
+    - wg-generate-keys
+    - wg-config
+
+- name: WireGuard private key handling for new keys
+  block:
+    - name: Generate WireGuard private key
+      ansible.builtin.command: "wg genkey"
+      register: wireguard__register_private_key
+      changed_when: false
+      tags:
+        - wg-generate-keys
+
+    - name: Set private key fact
+      ansible.builtin.set_fact:
+        wireguard_private_key: "{{ wireguard__register_private_key.stdout }}"
+      tags:
+        - wg-generate-keys
+  when:
+    - not wireguard__register_config_file.stat.exists
+    - wireguard_private_key is not defined
+
+- name: WireGuard private key handling for existing keys
+  block:
+    - name: Read WireGuard config file
+      ansible.builtin.slurp:
+        src: /etc/wireguard/vpn01.conf
+      register: wireguard__register_config
+      tags:
+        - wg-config
+
+    - name: Set private key fact
+      ansible.builtin.set_fact:
+        wireguard_private_key: "{{ wireguard__register_config['content'] | b64decode | regex_findall('PrivateKey = (.*)') | first }}"
+      tags:
+        - wg-config
+  when:
+    - wireguard__register_config_file.stat.exists
+    - wireguard_private_key is not defined
+
+- name: Derive WireGuard public key
+  ansible.builtin.command: "wg pubkey"
+  args:
+    stdin: "{{ wireguard_private_key }}"
+  register: wireguard__register_public_key
+  changed_when: false
+  check_mode: false
+  tags:
+    - wg-config
+
+- name: Set public key fact
+  ansible.builtin.set_fact:
+    wireguard__fact_public_key: "{{ wireguard__register_public_key.stdout }}"
+  tags:
+    - wg-config
+
+- name: Create WireGuard configuration directory
+  ansible.builtin.file:
+    dest: /etc/wireguard/
+    state: directory
+    mode: 0700
+  tags:
+    - wg-config
+
+- name: Generate WireGuard configuration file
+  ansible.builtin.template:
+    src: wg.conf.j2
+    dest: /etc/wireguard/vpn01.conf
+    owner: root
+    group: root
+    mode: 755
+  tags:
+    - wg-config
+  notify:
+    - reconfigure wireguard
+
+- name: Start and enable WireGuard service
+  ansible.builtin.service:
+    name: "wg-quick@vpn01"
+    state: "started"
+    enabled: "yes"

roles/21-install-wireguard/templates/wg.conf.j2

@@ -0,0 +1,31 @@
+#jinja2: lstrip_blocks:"True",trim_blocks:"True"
+# {{ ansible_managed }}
+# PublicKey: {{ wireguard__register_public_key.stdout }}
+
+[Interface]
+# {{ inventory_hostname }}
+Address = {{ wireguard_address }}
+PrivateKey = {{ wireguard_private_key }}
+ListenPort = {{ wireguard_port }}
+
+
+{% if wireguard_unmanaged_peers is defined %}
+# Peers not managed by Ansible from "wireguard_unmanaged_peers" variable
+{% for peer in wireguard_unmanaged_peers.keys() %}
+[Peer]
+# {{ peer }}
+PublicKey = {{ wireguard_unmanaged_peers[peer].public_key }}
+{%     if wireguard_unmanaged_peers[peer].preshared_key is defined %}
+PresharedKey = {{ wireguard_unmanaged_peers[peer].preshared_key }}
+{%     endif %}
+{%     if wireguard_unmanaged_peers[peer].allowed_ips is defined %}
+AllowedIPs = {{ wireguard_unmanaged_peers[peer].allowed_ips }}
+{%     endif %}
+{%     if wireguard_unmanaged_peers[peer].endpoint is defined %}
+Endpoint = {{ wireguard_unmanaged_peers[peer].endpoint }}
+{%     endif %}
+{%     if wireguard_unmanaged_peers[peer].persistent_keepalive is defined %}
+PersistentKeepalive = {{ wireguard_unmanaged_peers[peer].persistent_keepalive }}
+{%     endif %}
+{%   endfor %}
+{% endif %}

system-setup.yml

@@ -12,4 +12,5 @@
 - name: System preperation
   hosts: vpn-offloader
   roles:
-    - 20-install-openvpn
+#    - 20-install-openvpn
+     - 21-install-wireguard