Changed to Wireguard VPN

This commit is contained in:
Stefan Hoffmann 2022-05-08 21:32:16 +02:00
parent bf10300e30
commit aa3bf94140
10 changed files with 189 additions and 4 deletions

BIN
.DS_Store vendored Normal file

Binary file not shown.

29
handlers/main.yml Normal file
View File

@ -0,0 +1,29 @@
---
- name: restart wireguard
ansible.builtin.service:
name: "wg-quick@{{ wireguard_interface }}"
state: "{{ item }}"
loop:
- stopped
- started
when:
- wireguard__restart_interface
- not ansible_os_family == 'Darwin'
- wireguard_service_enabled == "yes"
listen: "reconfigure wireguard"
- name: syncconf wireguard
ansible.builtin.shell: |
set -o errexit
set -o pipefail
set -o nounset
systemctl is-active wg-quick@{{ wireguard_interface|quote }} || systemctl start wg-quick@{{ wireguard_interface|quote }}
wg syncconf {{ wireguard_interface|quote }} <(wg-quick strip /etc/wireguard/{{ wireguard_interface|quote }}.conf)
exit 0
args:
executable: "/bin/bash"
when:
- not wireguard__restart_interface
- not ansible_os_family == 'Darwin'
- wireguard_service_enabled == "yes"
listen: "reconfigure wireguard"

5
host_vars/troisdorf7.yml Normal file
View File

@ -0,0 +1,5 @@
wireguard_unmanaged_peers:
vpn1-stefan:
public_key: Tkp/f1BlLSfl87+waTuZDRdrEgalBgy2oVg6fOluAx4=
allowed_ips: 10.255.1.2/32, 10.1.0.0/16
persistent_keepalive: 25

View File

@ -32,3 +32,5 @@ all:
gre_bb_b_ix_dus_ipv6: 2a03:2260:0:311::2 gre_bb_b_ix_dus_ipv6: 2a03:2260:0:311::2
gre_bb_a_fra3_f_ipv6: 2a03:2260:0:30d::2 gre_bb_a_fra3_f_ipv6: 2a03:2260:0:30d::2
gre_bb_b_fra3_f_ipv6: 2a03:2260:0:310::2 gre_bb_b_fra3_f_ipv6: 2a03:2260:0:310::2
wireguard_address: 10.255.1.1
wireguard_port: 42001

BIN
roles/.DS_Store vendored Normal file

Binary file not shown.

View File

@ -15,7 +15,7 @@
dest: /etc/networkd-dispatcher/off.d/50-ifdown-hooks.sh dest: /etc/networkd-dispatcher/off.d/50-ifdown-hooks.sh
owner: root owner: root
group: root group: root
mode: '0775' mode: '0755'
- name: Add ifUP Scripts via networkd-dispatcher - name: Add ifUP Scripts via networkd-dispatcher
ansible.builtin.template: ansible.builtin.template:
@ -23,4 +23,4 @@
dest: /etc/networkd-dispatcher/routable.d/50-ifup-hooks.sh dest: /etc/networkd-dispatcher/routable.d/50-ifup-hooks.sh
owner: root owner: root
group: root group: root
mode: '0775' mode: '0755'

View File

@ -23,4 +23,30 @@ sleep 5
# All from FF IPv4 via routing table 42 # All from FF IPv4 via routing table 42
/bin/ip rule add from {{ ffrl_ipv4 }}/32 lookup 42 /bin/ip rule add from {{ ffrl_ipv4 }}/32 lookup 42
/bin/ip -6 rule add from {{ ffrl_ipv6_net }}/52 lookup 42 /bin/ip -6 rule add from {{ ffrl_ipv6_net }}/52 lookup 42
# Add NAT Rules manualy
sleep 60
iptables -t nat -A POSTROUTING -o gre-bb-a.ak.ber -j SNAT --to-source {{ ffrl_ipv4 }}
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ak.ber -j TCPMSS --set-mss 1312
ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ak.ber -j TCPMSS --set-mss 1312
iptables -t nat -A POSTROUTING -o gre-bb-a.fra3.f -j SNAT --to-source {{ ffrl_ipv4 }}
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.fra3.f -j TCPMSS --set-mss 1312
ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.fra3.f -j TCPMSS --set-mss 1312
iptables -t nat -A POSTROUTING -o gre-bb-a.ix.dus -j SNAT --to-source {{ ffrl_ipv4 }}
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ix.dus -j TCPMSS --set-mss 1312
ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-a.ix.dus -j TCPMSS --set-mss 1312
iptables -t nat -A POSTROUTING -o gre-bb-b.ak.ber -j SNAT --to-source {{ ffrl_ipv4 }}
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.ak.ber -j TCPMSS --set-mss 1312
ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.ak.ber -j TCPMSS --set-mss 1312
iptables -t nat -A POSTROUTING -o gre-bb-b.fra3.f -j SNAT --to-source {{ ffrl_ipv4 }}
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.fra3.f -j TCPMSS --set-mss 1312
ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.fra3.f -j TCPMSS --set-mss 1312
iptables -t nat -A POSTROUTING -o gre-bb-b.ix.dus -j SNAT --to-source {{ ffrl_ipv4 }}
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.ix.dus -j TCPMSS --set-mss 1312
ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-bb-b.ix.dus -j TCPMSS --set-mss 1312

View File

@ -0,0 +1,91 @@
- name: Install Wireguard
apt: name={{ item }} state=latest update_cache=yes
with_items:
- wireguard
- name: Register if config/private key already exists on target host
ansible.builtin.stat:
path: /etc/wireguard/vpn01.conf
register: wireguard__register_config_file
tags:
- wg-generate-keys
- wg-config
- name: WireGuard private key handling for new keys
block:
- name: Generate WireGuard private key
ansible.builtin.command: "wg genkey"
register: wireguard__register_private_key
changed_when: false
tags:
- wg-generate-keys
- name: Set private key fact
ansible.builtin.set_fact:
wireguard_private_key: "{{ wireguard__register_private_key.stdout }}"
tags:
- wg-generate-keys
when:
- not wireguard__register_config_file.stat.exists
- wireguard_private_key is not defined
- name: WireGuard private key handling for existing keys
block:
- name: Read WireGuard config file
ansible.builtin.slurp:
src: /etc/wireguard/vpn01.conf
register: wireguard__register_config
tags:
- wg-config
- name: Set private key fact
ansible.builtin.set_fact:
wireguard_private_key: "{{ wireguard__register_config['content'] | b64decode | regex_findall('PrivateKey = (.*)') | first }}"
tags:
- wg-config
when:
- wireguard__register_config_file.stat.exists
- wireguard_private_key is not defined
- name: Derive WireGuard public key
ansible.builtin.command: "wg pubkey"
args:
stdin: "{{ wireguard_private_key }}"
register: wireguard__register_public_key
changed_when: false
check_mode: false
tags:
- wg-config
- name: Set public key fact
ansible.builtin.set_fact:
wireguard__fact_public_key: "{{ wireguard__register_public_key.stdout }}"
tags:
- wg-config
- name: Create WireGuard configuration directory
ansible.builtin.file:
dest: /etc/wireguard/
state: directory
mode: 0700
tags:
- wg-config
- name: Generate WireGuard configuration file
ansible.builtin.template:
src: wg.conf.j2
dest: /etc/wireguard/vpn01.conf
owner: root
group: root
mode: 755
tags:
- wg-config
notify:
- reconfigure wireguard
- name: Start and enable WireGuard service
ansible.builtin.service:
name: "wg-quick@vpn01"
state: "started"
enabled: "yes"

View File

@ -0,0 +1,31 @@
#jinja2: lstrip_blocks:"True",trim_blocks:"True"
# {{ ansible_managed }}
# PublicKey: {{ wireguard__register_public_key.stdout }}
[Interface]
# {{ inventory_hostname }}
Address = {{ wireguard_address }}
PrivateKey = {{ wireguard_private_key }}
ListenPort = {{ wireguard_port }}
{% if wireguard_unmanaged_peers is defined %}
# Peers not managed by Ansible from "wireguard_unmanaged_peers" variable
{% for peer in wireguard_unmanaged_peers.keys() %}
[Peer]
# {{ peer }}
PublicKey = {{ wireguard_unmanaged_peers[peer].public_key }}
{% if wireguard_unmanaged_peers[peer].preshared_key is defined %}
PresharedKey = {{ wireguard_unmanaged_peers[peer].preshared_key }}
{% endif %}
{% if wireguard_unmanaged_peers[peer].allowed_ips is defined %}
AllowedIPs = {{ wireguard_unmanaged_peers[peer].allowed_ips }}
{% endif %}
{% if wireguard_unmanaged_peers[peer].endpoint is defined %}
Endpoint = {{ wireguard_unmanaged_peers[peer].endpoint }}
{% endif %}
{% if wireguard_unmanaged_peers[peer].persistent_keepalive is defined %}
PersistentKeepalive = {{ wireguard_unmanaged_peers[peer].persistent_keepalive }}
{% endif %}
{% endfor %}
{% endif %}

View File

@ -12,4 +12,5 @@
- name: System preperation - name: System preperation
hosts: vpn-offloader hosts: vpn-offloader
roles: roles:
- 20-install-openvpn # - 20-install-openvpn
- 21-install-wireguard