Init

handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: restart wireguard
+  systemd:
+    name: "wg-quick@{{ vpn_gateway.name }}.service"
+    state: restarted

tasks/main.yml

@@ -0,0 +1,72 @@
+---
+- name: Ensure wireguard is present
+  apt:
+    name: wireguard-tools
+    state: present
+    default_release: buster-backports
+  register: wireguard
+
+- name: Ensure wireguard configuration is present
+  template:
+    src: templates/wireguard.conf.j2
+    dest: "/etc/wireguard/{{ vpn_gateway.name }}.conf"
+    owner: root
+    group: root
+    mode: 0600
+  notify: restart wireguard
+
+- name: Enable IPv4 forwarding
+  sysctl:
+    name: net.ipv4.ip_forward
+    value: 1
+    reload: yes
+
+- name: Reboot to allow wireguard to start
+  reboot:
+  when: wireguard.changed
+
+- name: Ensure wireguard is enabled
+  systemd:
+    name: "wg-quick@{{ vpn_gateway.name }}.service"
+    state: started
+    enabled: yes
+
+- name: Ensure the route script to be present
+  template:
+    src: templates/routes.sh.j2
+    dest: "/usr/local/bin/routes_vpn_{{ vpn_gateway.name }}.sh"
+    owner: root
+    group: root
+    mode: 0700
+
+- name: Masquerade packets outgoing from vpn iface
+  iptables:
+    table: nat
+    chain: POSTROUTING
+    out_interface: "{{ vpn_gateway.iface }}"
+    jump: MASQUERADE
+
+- name: Allow packets from external iface to reach internal machine
+  iptables:
+    table: nat
+    chain: PREROUTING
+    in_interface: "{{ vpn_gateway.iface }}"
+    jump: DNAT
+    to_destination: "{{ vpn_gateway.peer.address }}"
+
+- name: Create the routes helper file
+  template:
+    src: templates/routes.sh.j2
+    dest: /usr/local/bin/vpn_routes.sh
+    owner: root
+    group: root
+    mode: 0700
+
+- name: Run the routes script
+  shell: /usr/local/bin/vpn_routes.sh
+
+# - name: Apply the needed routes
+#   shell: |
+#     ip rule add from {{ vpn_gateway.peer.address }} table {{ vpn_gateway.table|default(130) }} || true
+#     ip route add to default via {{ vpn_gateway.gateway_ip }} dev {{ vpn_gateway.iface }} table {{ vpn_gateway.table|default(130) }} || true
+#     ignore_errors: yes

templates/routes.sh.j2

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+if ip rule | grep "lookup {{ vpn_gateway.table|default(130) }}" > /dev/null; then
+    ip rule delete table {{ vpn_gateway.table|default(130) }}
+fi
+ip rule add from {{ vpn_gateway.peer.address }} table {{ vpn_gateway.table|default(130) }} || true
+ip route add to default via {{ vpn_gateway.gateway_ip }} dev {{ vpn_gateway.iface }} table {{ vpn_gateway.table|default(130) }} || true
+
+# vim: set ft=sh et ts=2 sts=0:

templates/wireguard.conf.j2

@@ -0,0 +1,11 @@
+[Interface]
+Address = {{ vpn_gateway.this_ip }}/{{ vpn_gateway.net_size }}
+PrivateKey = {{ vpn_gateway.private_key }}
+ListenPort = {{ vpn_gateway.listen_port|default(1194) }}
+
+[Peer]
+AllowedIps = {{ vpn_gateway.peer.address }}/32
+PublicKey = {{ vpn_gateway.peer.public_key }}
+
+
+# vim: set ft=dosini: