From c2ec6d715d0a10c8fd991b52069ed8c77edec377 Mon Sep 17 00:00:00 2001
From: Blallo
Date: Tue, 23 Feb 2021 18:51:59 +0100
Subject: [PATCH] Init

---
 handlers/main.yml           |  5 +++
 tasks/main.yml              | 72 +++++++++++++++++++++++++++++++++++++
 templates/routes.sh.j2      |  9 +++++
 templates/wireguard.conf.j2 | 11 ++++++
 4 files changed, 97 insertions(+)
 create mode 100644 handlers/main.yml
 create mode 100644 tasks/main.yml
 create mode 100755 templates/routes.sh.j2
 create mode 100644 templates/wireguard.conf.j2

diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..3120c47
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart wireguard
+  systemd:
+    name: "wg-quick@{{ vpn_gateway.name }}.service"
+    state: restarted
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..b6593e6
--- /dev/null
+++ b/tasks/main.yml
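Review bot: `state: restarted` on `wg-quick@{{ vpn_gateway.name }}.service` tears the interface down and brings it back up, which drops every established peer session and the routes attached to the interface even when only a `[Peer]` entry changed. For peer-only changes `wg syncconf {{ vpn_gateway.name }} <(wg-quick strip {{ vpn_gateway.name }})` applies the new file in place (a `shell:` handler with `executable: /bin/bash`); keep the restart for `[Interface]` address/port changes, and name the handler so it is clear which of the two it does.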
@@ -0,0 +1,72 @@
+---
+- name: Ensure wireguard is present
+  apt:
+    name: wireguard-tools
+    state: present
+    default_release: buster-backports
+  register: wireguard
+
+- name: Ensure wireguard configuration is present
+  template:
+    src: templates/wireguard.conf.j2
+    dest: "/etc/wireguard/{{ vpn_gateway.name }}.conf"
+    owner: root
+    group: root
+    mode: 0600
+  notify: restart wireguard
+
+- name: Enable IPv4 forwarding
+  sysctl:
+    name: net.ipv4.ip_forward
+    value: 1
+    reload: yes
+
+- name: Reboot to allow wireguard to start
+  reboot:
+  when: wireguard.changed
+
+- name: Ensure wireguard is enabled
+  systemd:
+    name: "wg-quick@{{ vpn_gateway.name }}.service"
+    state: started
+    enabled: yes
+
+- name: Ensure the route script to be present
+  template:
+    src: templates/routes.sh.j2
+    dest: "/usr/local/bin/routes_vpn_{{ vpn_gateway.name }}.sh"
+    owner: root
+    group: root
+    mode: 0700
+
+- name: Masquerade packets outgoing from vpn iface
+  iptables:
+    table: nat
+    chain: POSTROUTING
+    out_interface: "{{ vpn_gateway.iface }}"
+    jump: MASQUERADE
+
+- name: Allow packets from external iface to reach internal machine
+  iptables:
+    table: nat
+    chain: PREROUTING
+    in_interface: "{{ vpn_gateway.iface }}"
+    jump: DNAT
+    to_destination: "{{ vpn_gateway.peer.address }}"
+
+- name: Create the routes helper file
+  template:
+    src: templates/routes.sh.j2
+    dest: /usr/local/bin/vpn_routes.sh
+    owner: root
+    group: root
+    mode: 0700
+
+- name: Run the routes script
+  shell: /usr/local/bin/vpn_routes.sh
+
+# - name: Apply the needed routes
+#   shell: |
+#     ip rule add from {{ vpn_gateway.peer.address }} table {{ vpn_gateway.table|default(130) }} || true
+#     ip route add to default via {{ vpn_gateway.gateway_ip }} dev {{ vpn_gateway.iface }} table {{ vpn_gateway.table|default(130) }} || true
+#   ignore_errors: yes
diff --git a/templates/routes.sh.j2 b/templates/routes.sh.j2
new file mode 100755
index 0000000..7aa7405
--- /dev/null
+++ b/templates/routes.sh.j2
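Review bot: The DNAT rule in the "Allow packets from external iface to reach internal machine" task has no `protocol`/`destination_port` match, so every packet arriving on `vpn_gateway.iface` is rewritten to the peer address — including SSH to the gateway itself and, as far as I can tell, the UDP traffic to the WireGuard `ListenPort` that the tunnel depends on, which would then be forwarded instead of delivered locally. Restrict it to the services being published, e.g. `protocol: tcp` and `destination_port: "{{ vpn_gateway.forward_port }}"` (one rule per port), and since this hunk switches `ip_forward` on with the filter table untouched, add a matching FORWARD accept rule instead of relying on the default ACCEPT policy. Nothing in the iptables tasks or the routes script persists: after the next reboot the NAT rules and the table-130 policy route are gone while the sysctl and the enabled unit survive, so either persist them (iptables-persistent, or a oneshot unit / wg-quick `PostUp`) or document that the play must be re-run after a reboot. routes.sh.j2 is also rendered twice (`routes_vpn_{{ vpn_gateway.name }}.sh` is never executed) and `shell: /usr/local/bin/vpn_routes.sh` reports changed on every run; one template task plus `command:` with `changed_when: false` would keep the play idempotent. Minor: quote the octal modes (`mode: "0600"`) and write `true` instead of `yes` so the values survive YAML 1.2 parsers and ansible-lint.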
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+if ip rule | grep "lookup {{ vpn_gateway.table|default(130) }}" > /dev/null; then
+  ip rule delete table {{ vpn_gateway.table|default(130) }}
+fi
+ip rule add from {{ vpn_gateway.peer.address }} table {{ vpn_gateway.table|default(130) }} || true
+ip route add to default via {{ vpn_gateway.gateway_ip }} dev {{ vpn_gateway.iface }} table {{ vpn_gateway.table|default(130) }} || true
+
+# vim: set ft=sh et ts=2 sts=0:
diff --git a/templates/wireguard.conf.j2 b/templates/wireguard.conf.j2
new file mode 100644
index 0000000..ce55b6c
--- /dev/null
+++ b/templates/wireguard.conf.j2
@@ -0,0 +1,11 @@
+[Interface]
+Address = {{ vpn_gateway.this_ip }}/{{ vpn_gateway.net_size }}
+PrivateKey = {{ vpn_gateway.private_key }}
+ListenPort = {{ vpn_gateway.listen_port|default(1194) }}
+
+[Peer]
+AllowedIps = {{ vpn_gateway.peer.address }}/32
+PublicKey = {{ vpn_gateway.peer.public_key }}
+
+
+# vim: set ft=dosini:
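Review bot: The `|| true` on the last two lines masks every failure, not just "RTNETLINK answers: File exists": a `gateway_ip` that is not on-link for `iface` fails with "Network is unreachable", the script exits 0, the play reports success, and traffic from the peer has no route. `ip route replace to default via {{ vpn_gateway.gateway_ip }} dev {{ vpn_gateway.iface }} table {{ vpn_gateway.table|default(130) }}` is idempotent without the `|| true`, and the `ip rule add` line can drop its `|| true` as well because the guard above it already removes an existing rule. That guard is a substring match — `grep "lookup 130"` also fires on table 1300 or on a rule for a different source — so match the whole rule, `grep -q "from {{ vpn_gateway.peer.address }} lookup {{ vpn_gateway.table|default(130) }}"`, and add `set -eu` after the shebang so the remaining failures reach Ansible.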
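Review bot: `AllowedIps` is not the documented spelling of the key (`AllowedIPs`); wg(8) appears to match keys case-insensitively so this likely works today, but the canonical form avoids a silent no-op if that ever changes and matches what `wg showconf` prints. `PrivateKey = {{ vpn_gateway.private_key }}` writes the secret straight from a plain variable: it should come from Ansible Vault, and the template task in tasks/main.yml that renders this file should carry `diff: false` (or `no_log: true`) so a `--diff` run does not print the key to the console and logs. Since `wg-quick@{{ vpn_gateway.name }}` is the only part of this setup enabled at boot while the NAT rules and policy route are applied by one-shot tasks, `PostUp`/`PostDown` lines here (e.g. `PostUp = /usr/local/bin/vpn_routes.sh` plus the two iptables rules and their `-D` counterparts) would tie that state to the interface lifecycle and survive reboots.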