---
- name: Ensure wireguard is present
  # Pulled from the pinned buster-backports release, so that apt source
  # must already be configured on the host (this file does not add it).
  apt:
    state: present
    name: wireguard-tools
    default_release: buster-backports
  # The result is consulted by the reboot task further down.
  register: wireguard
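- name: Ensure wireguard configuration is present
  template:
    src: templates/wireguard.conf.j2
    dest: "/etc/wireguard/{{ vpn_gateway.name }}.conf"
    owner: root
    group: root
    # Quoted: an unquoted 0600 is parsed as an octal integer by YAML 1.1
    # loaders, so the mode is passed as the intended string. A wg-quick
    # config is expected to hold the interface private key, hence
    # root-only permissions.
    mode: "0600"
  # Handler is not defined in this file; it must exist in the role's handlers.
  notify: restart wireguard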
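- name: Enable IPv4 forwarding
  # Turns the host into a router for the traffic handled by the nat rules
  # below. Forwarding is host-wide and no filter-table FORWARD rules are
  # added in this file, so forwarding policy relies on the system default
  # unless restricted elsewhere.
  sysctl:
    name: net.ipv4.ip_forward
    # Quoted so the value is a string on both sides of the comparison,
    # avoiding a spurious "changed" from an int/str mismatch.
    value: "1"
    # Canonical boolean instead of the YAML 1.1-only "yes".
    reload: true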
- name: Reboot to allow wireguard to start
  # Only rebooted when the apt task above actually installed something.
  # The file does not state why a reboot rather than a service start is
  # required here; confirm that assumption before relying on it.
  when: wireguard.changed
  reboot:
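- name: Ensure wireguard is enabled
  # Starts the tunnel now and makes it persist across reboots.
  systemd:
    name: "wg-quick@{{ vpn_gateway.name }}.service"
    state: started
    # Canonical boolean instead of the YAML 1.1-only "yes".
    enabled: true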
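- name: Ensure the route script to be present
  # NOTE(review): the same template is rendered again further down to
  # /usr/local/bin/vpn_routes.sh, and only that copy is executed; this
  # per-gateway copy appears unused. Kept as-is pending confirmation.
  template:
    src: templates/routes.sh.j2
    dest: "/usr/local/bin/routes_vpn_{{ vpn_gateway.name }}.sh"
    owner: root
    group: root
    # Quoted so the leading zero is preserved as an octal mode string.
    mode: "0700"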
- name: Masquerade packets outgoing from vpn iface
  # Rewrites the source of forwarded packets leaving the VPN interface.
  # The iptables module changes the live ruleset only; nothing in this
  # file persists it, so the rule is gone after the next reboot unless
  # a persistence mechanism is configured separately.
  iptables:
    jump: MASQUERADE
    table: nat
    chain: POSTROUTING
    out_interface: "{{ vpn_gateway.iface }}"
- name: Allow packets from external iface to reach internal machine
  # No protocol or destination-port match is given, so every packet
  # arriving on the interface is redirected to the peer address. That is
  # fine for a dedicated gateway; narrow it with protocol/destination_port
  # if only specific services should be reachable. Like the rule above,
  # this is live-ruleset only and is not persisted by this file.
  iptables:
    jump: DNAT
    to_destination: "{{ vpn_gateway.peer.address }}"
    table: nat
    chain: PREROUTING
    in_interface: "{{ vpn_gateway.iface }}"
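- name: Create the routes helper file
  # This is the copy of routes.sh.j2 that the next task executes.
  template:
    src: templates/routes.sh.j2
    dest: /usr/local/bin/vpn_routes.sh
    owner: root
    group: root
    # Quoted so the leading zero is preserved as an octal mode string.
    mode: "0700"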
- name: Run the routes script
  # Executed on every run with no changed_when/creates guard, so the
  # task is reported as changed each time. The script's contents are in
  # the template and are not visible here.
  shell: /usr/local/bin/vpn_routes.sh

# - name: Apply the needed routes
#   shell: |
#     ip rule add from {{ vpn_gateway.peer.address }} table {{ vpn_gateway.table|default(130) }} || true
#     ip route add to default via {{ vpn_gateway.gateway_ip }} dev {{ vpn_gateway.iface }} table {{ vpn_gateway.table|default(130) }} || true
#   ignore_errors: yes