sfigato 2021-02-23 18:51:59 +01:00
commit c2ec6d715d
Signed by: blallo
GPG Key ID: 0CBE577C9B72DC3F
4 changed files with 97 additions and 0 deletions

5
handlers/main.yml Normal file

@ -0,0 +1,5 @@
---
- name: restart wireguard
systemd:
name: "wg-quick@{{ vpn_gateway.name }}.service"
state: restarted

72
tasks/main.yml Normal file

@ -0,0 +1,72 @@
---
- name: Ensure wireguard is present
apt:
name: wireguard-tools
state: present
default_release: buster-backports
register: wireguard
- name: Ensure wireguard configuration is present
template:
src: templates/wireguard.conf.j2
dest: "/etc/wireguard/{{ vpn_gateway.name }}.conf"
owner: root
group: root
mode: 0600
notify: restart wireguard
- name: Enable IPv4 forwarding
sysctl:
name: net.ipv4.ip_forward
value: 1
reload: yes
- name: Reboot to allow wireguard to start
reboot:
when: wireguard.changed
- name: Ensure wireguard is enabled
systemd:
name: "wg-quick@{{ vpn_gateway.name }}.service"
state: started
enabled: yes
- name: Ensure the route script to be present
template:
src: templates/routes.sh.j2
dest: "/usr/local/bin/routes_vpn_{{ vpn_gateway.name }}.sh"
owner: root
group: root
mode: 0700
- name: Masquerade packets outgoing from vpn iface
iptables:
table: nat
chain: POSTROUTING
out_interface: "{{ vpn_gateway.iface }}"
jump: MASQUERADE
- name: Allow packets from external iface to reach internal machine
iptables:
table: nat
chain: PREROUTING
in_interface: "{{ vpn_gateway.iface }}"
jump: DNAT
to_destination: "{{ vpn_gateway.peer.address }}"
- name: Create the routes helper file
template:
src: templates/routes.sh.j2
dest: /usr/local/bin/vpn_routes.sh
owner: root
group: root
mode: 0700
- name: Run the routes script
shell: /usr/local/bin/vpn_routes.sh
# - name: Apply the needed routes
# shell: |
# ip rule add from {{ vpn_gateway.peer.address }} table {{ vpn_gateway.table|default(130) }} || true
# ip route add to default via {{ vpn_gateway.gateway_ip }} dev {{ vpn_gateway.iface }} table {{ vpn_gateway.table|default(130) }} || true
# ignore_errors: yes
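Review bot: The DNAT rule in "Allow packets from external iface to reach internal machine" carries no `protocol`, `destination_port` or `destination` match, so every packet arriving on `vpn_gateway.iface` is redirected to `vpn_gateway.peer.address` — and if that interface is the uplink, as the `via {{ vpn_gateway.gateway_ip }}` default route in routes.sh.j2 suggests, that includes the WireGuard listen port the peer must reach and SSH to the gateway itself, so unless something outside this commit exempts them the tunnel cannot come up through its own DNAT. Restrict the rule to the service being published, e.g. `protocol: tcp` and `destination_port: "{{ vpn_gateway.forwarded_port }}"` (placeholder variable name, use whatever the role defines), and add a `comment:` so the rule is recognisable in `iptables-save` output. Nothing persists the two iptables rules or the `ip rule`/`ip route` entries across reboots, which matters since the play reboots the host right after the package install; saving the ruleset (iptables-persistent/netfilter-persistent) and re-applying the routes from a `PostUp` line in the wg-quick config would tie them to boot and interface lifecycle. The same routes template is rendered twice, to `routes_vpn_{{ vpn_gateway.name }}.sh` and to `vpn_routes.sh`, and only the second is ever run, so one copy can go; the `shell:` task also reports changed on every run and wants a `changed_when`. Style: `reload: yes`/`enabled: yes` → `true`, and quote the octal modes (`mode: "0600"`, `mode: "0700"`) as ansible-lint recommends.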

9
templates/routes.sh.j2 Executable file

@ -0,0 +1,9 @@
#!/usr/bin/env bash
if ip rule | grep "lookup {{ vpn_gateway.table|default(130) }}" > /dev/null; then
ip rule delete table {{ vpn_gateway.table|default(130) }}
fi
ip rule add from {{ vpn_gateway.peer.address }} table {{ vpn_gateway.table|default(130) }} || true
ip route add to default via {{ vpn_gateway.gateway_ip }} dev {{ vpn_gateway.iface }} table {{ vpn_gateway.table|default(130) }} || true
# vim: set ft=sh et ts=2 sts=0:
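Review bot: The `|| true` on the last `ip route add` masks the case where the table already holds a default route with a stale gateway or device: the add fails with EEXIST, the old route is kept, and the script still exits 0; `ip route replace default via {{ vpn_gateway.gateway_ip }} dev {{ vpn_gateway.iface }} table {{ vpn_gateway.table|default(130) }}` is idempotent and needs no `|| true`. The guard on the first line is a substring match, so `lookup 1300` satisfies a test for `lookup 130` and the following `ip rule delete table 130` then fails (non-fatally, there is no `set -e`); `if ip rule | grep -wq "lookup {{ vpn_gateway.table|default(130) }}"; then` fixes both the false match and the `> /dev/null`. The four repetitions of `vpn_gateway.table|default(130)` could be a single `{% set table = vpn_gateway.table|default(130) %}` at the top of the template. A one-line header comment such as `# Route traffic from the WireGuard peer out through the uplink via a dedicated policy-routing table (re-runnable).` would spare the next reader from reverse-engineering the rule/route pair.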


@ -0,0 +1,11 @@
[Interface]
Address = {{ vpn_gateway.this_ip }}/{{ vpn_gateway.net_size }}
PrivateKey = {{ vpn_gateway.private_key }}
ListenPort = {{ vpn_gateway.listen_port|default(1194) }}
[Peer]
AllowedIps = {{ vpn_gateway.peer.address }}/32
PublicKey = {{ vpn_gateway.peer.public_key }}
# vim: set ft=dosini:
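Review bot: The policy routes this tunnel depends on are only applied by the play's `shell` task, so they are gone after a reboot while the unit is `enabled`; a `PostUp = /usr/local/bin/vpn_routes.sh` line under `[Interface]` would re-apply them every time wg-quick brings the interface up, including at boot. This section's file header is missing from the rendered page, so the path is inferred from the `templates/wireguard.conf.j2` reference in tasks/main.yml. `AllowedIps` is not the documented spelling (`AllowedIPs`); wireguard-tools appears to match keys case-insensitively, but the documented form avoids relying on that. The `[Peer]` block has no `PresharedKey`; it is optional, but the role already distributes the private key as a 0600 root-owned file, so adding one costs nothing and the AllowedIPs /32 is correctly tight.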