70809c7573
...
58a2a1526b
Author | SHA1 | Date | |
---|---|---|---|
58a2a1526b | |||
35088cf849 | |||
03177a1ee7 |
@ -16,6 +16,7 @@ The following services are managed completely automatically:
|
||||
- [Paperless-ngx](https://docs.paperless-ngx.com/)
|
||||
- [Exim](https://www.exim.org/) mail (internal use only)
|
||||
- [Caddy](https://caddyserver.com/) reverse proxy
|
||||
- [WireGuard](https://www.wireguard.com/) VPN server.
|
||||
|
||||
## misc features
|
||||
|
||||
|
@ -26,3 +26,18 @@ form_secret: ""
|
||||
|
||||
# paperless secret key
|
||||
paperless_secret: ""
|
||||
|
||||
wireguard_secret:
|
||||
# server secret
|
||||
# generate with `wg genkey`, available in the 'wireguard-tools' package
|
||||
server_key: ""
|
||||
# pipe the secret key (see secret_template in group_vars/) into `wg pubkey` to get this
|
||||
server_pub_key: ""
|
||||
|
||||
# list of clients to generate configs for
|
||||
peers:
|
||||
# name of the client
|
||||
- name: test_client
|
||||
addr: "10.66.77.2"
|
||||
priv_key: ""
|
||||
pub_key: ""
|
||||
|
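Review bot: `priv_key` under `peers` puts every client's private key into the inventory next to `server_key`, so this file now carries the complete key material of the VPN, and the header comment should say so, e.g. `# contains WireGuard private keys: keep the filled-in copy vault-encrypted, never in clear`. The `addr` entries also have a constraint the templates impose but nothing documents: server.conf.j2 uses the value verbatim as the peer's `AllowedIPs` and client.conf.j2 as the client's `Address`, so each one must be unique and lie inside `wireguard.ip.cidr`; a comment next to `addr: "10.66.77.2"` stating that would help. The empty `priv_key: ""` / `pub_key: ""` defaults render as empty `PrivateKey =` / `PublicKey =` lines, which wg-quick rejects at start-up, so the template comment could note that both must be filled in before the role runs.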
@ -62,6 +62,9 @@ all:
|
||||
haproxy:
|
||||
hosts:
|
||||
your_bastion_host:
|
||||
wireguard:
|
||||
hosts:
|
||||
your_bastion_host:
|
||||
sshd:
|
||||
hosts:
|
||||
your_bastion_host:
|
||||
|
@ -61,6 +61,11 @@
|
||||
proto: any
|
||||
src: "{{ local_subnet }}"
|
||||
|
||||
- name: "wireguard"
|
||||
port: "{{ wireguard.ip.port | default('51820') }}"
|
||||
proto: udp
|
||||
src: any
|
||||
|
||||
- name: Deny all ports by default
|
||||
community.general.ufw:
|
||||
state: enabled
|
||||
|
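Review bot: The fallback `default('51820')` on the wireguard rule's `port` is a second copy of the value that roles/wireguard/defaults/main.yml sets as `port: 51820`, so the two can drift and the firewall would then open a port nothing listens on. If this rule list is evaluated on hosts that do not run the wireguard role, the default also masks the undefined variable and opens UDP 51820 on hosts without a listener; whether that happens depends on the task consuming the list, which is outside the hunk. Consider `port: "{{ wireguard.ip.port }}"` with the rule applied only where the role is, or deriving both from one variable.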
@ -9,5 +9,4 @@ $TTL 604800
|
||||
ns IN A {{ local_ip }}
|
||||
@ IN NS localhost.
|
||||
@ IN A {{ local_ip }}
|
||||
@ IN AAAA ::1
|
||||
{{ dyndns_domain }} IN A {{ local_ip }}
|
||||
|
@ -1,6 +1,12 @@
|
||||
// vim:set ts=4 sw=4 et:
|
||||
|
||||
acl internals { 127.0.0.0/8; {{ local_subnet }}; };
|
||||
acl internals {
|
||||
127.0.0.0/8;
|
||||
{{ local_subnet }};
|
||||
{% if wireguard is defined %}
|
||||
{{ wireguard.ip.cidr }};
|
||||
{% endif %}
|
||||
};
|
||||
|
||||
options {
|
||||
directory "/var/named";
|
||||
|
24
roles/wireguard/defaults/main.yml
Normal file
24
roles/wireguard/defaults/main.yml
Normal file
@ -0,0 +1,24 @@
|
||||
---
|
||||
# these are defaults
|
||||
# change these in group/host vars
|
||||
|
||||
# NOTE: copy the *entire* wireguard config if you wish to override it (all or nothing)
|
||||
|
||||
# also see group_vars/all/00-secret-template.yml
|
||||
|
||||
wireguard:
|
||||
dns_servers:
|
||||
- "{{ dns_forward }}"
|
||||
interface: "wg0"
|
||||
ip:
|
||||
# address for the server
|
||||
address: "10.66.77.1/32"
|
||||
# cidr range in tunnel
|
||||
cidr: "10.66.77.0/24"
|
||||
|
||||
server_public: "www.{{ domain }}"
|
||||
# UDP port
|
||||
port: 51820
|
||||
|
||||
# place to output client configs
|
||||
client_folder: "/tmp/wireguard-clients"
|
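Review bot: `dns_servers` is defined here but no file in this compare reads it — client.conf.j2 derives its `DNS` line from `wireguard.ip.address` instead — so it is either dead configuration or the client template was meant to consume it; either wire it in or mark it with `# currently unused by the role templates`. `address` carries a `/32` suffix, which is right for the server's `Address =` line but is also substituted unchanged into the clients' `DNS =` line, so the comment `# address for the server` should say the value doubles as the clients' resolver address. `port: 51820` is an integer while the firewall rule's fallback is the string '51820'; harmless for ufw, but a single source of truth is preferable.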
9
roles/wireguard/handlers/main.yml
Normal file
9
roles/wireguard/handlers/main.yml
Normal file
@ -0,0 +1,9 @@
|
||||
---
|
||||
|
||||
- name: Start wireguard
|
||||
systemd:
|
||||
name: "wg-quick@{{ wireguard.interface }}.service"
|
||||
enabled: yes
|
||||
daemon_reload: yes
|
||||
state: restarted
|
||||
|
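Review bot: The handler is named `Start wireguard` but `state: restarted` tears the tunnel down and brings it back, dropping every active peer session, so the name understates what a notify triggers; rename it to `Restart wireguard` (together with the three `notify` entries in roles/wireguard/tasks/main.yml) or add a comment stating that a restart interrupts connected clients. `enabled: yes` and `daemon_reload: yes` are YAML 1.1 booleans; write `enabled: true` and `daemon_reload: true` for portability and to satisfy yamllint's truthy rule.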
57
roles/wireguard/tasks/main.yml
Normal file
57
roles/wireguard/tasks/main.yml
Normal file
@ -0,0 +1,57 @@
|
||||
---
|
||||
|
||||
- name: Install wireguard packages
|
||||
community.general.pacman:
|
||||
name:
|
||||
- wireguard-tools
|
||||
# for encoding .conf as a qr code
|
||||
- qrencode
|
||||
notify:
|
||||
- Start wireguard
|
||||
|
||||
- name: Enable IP forwarding
|
||||
sysctl:
|
||||
name: net.ipv4.ip_forward
|
||||
value: 1
|
||||
state: present
|
||||
reload: yes
|
||||
|
||||
- name: Setup UFW rules to accept VPN traffic
|
||||
community.general.ufw:
|
||||
rule: allow
|
||||
direction: in
|
||||
src: "{{ wireguard.ip.cidr }}"
|
||||
dest: any
|
||||
|
||||
- name: Deploy wireguard server config
|
||||
template:
|
||||
src: server.conf.j2
|
||||
dest: "/etc/wireguard/{{ wireguard.interface }}.conf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0600
|
||||
lstrip_blocks: true
|
||||
no_log: true
|
||||
notify:
|
||||
- Start wireguard
|
||||
|
||||
- name: Create wireguard client config output folder
|
||||
file:
|
||||
path: "{{ wireguard.client_folder }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0700
|
||||
state: directory
|
||||
|
||||
- name: Create wireguard client configs
|
||||
template:
|
||||
src: client.conf.j2
|
||||
dest: "{{ wireguard.client_folder }}/wg-{{ item.name }}.conf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0600
|
||||
lstrip_blocks: true
|
||||
no_log: true
|
||||
with_items: "{{ wireguard_secret.peers }}"
|
||||
notify:
|
||||
- Start wireguard
|
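Review bot: The `Setup UFW rules to accept VPN traffic` rule accepts all inbound traffic whose source is in `wireguard.ip.cidr` without tying it to the tunnel interface, so a packet with a spoofed tunnel source arriving on another interface matches too unless reverse-path filtering happens to drop it; add `interface_in: "{{ wireguard.interface }}"` to scope the rule to the VPN device. The `Create wireguard client configs` task notifies `Start wireguard`, but the files it writes under `client_folder` are never read by the server, so every client-config change restarts the tunnel for no reason; drop that `notify`. `mode: 0600` and `mode: 0700` are unquoted octal literals that YAML 1.1 turns into the integers 384 and 448 — Ansible accepts the leading-zero form, but `mode: "0600"` is unambiguous and is what ansible-lint expects.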
16
roles/wireguard/templates/client.conf.j2
Normal file
16
roles/wireguard/templates/client.conf.j2
Normal file
@ -0,0 +1,16 @@
|
||||
[Interface]
|
||||
# device's address in the VPN
|
||||
Address = {{ item.addr }}
|
||||
# device privkey
|
||||
PrivateKey = {{ item.priv_key }}
|
||||
DNS = {{ wireguard.ip.address }}
|
||||
|
||||
[Peer]
|
||||
# server stuff
|
||||
PublicKey = {{ wireguard_secret.server_pub_key }}
|
||||
Endpoint = {{ wireguard.ip.server_public }}:{{ wireguard.ip.port }}
|
||||
|
||||
# allow traffic for all subnets into the VPN
|
||||
AllowedIPs = 0.0.0.0/0
|
||||
|
||||
PersistentKeepalive = 25
|
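Review bot: `DNS = {{ wireguard.ip.address }}` renders as `DNS = 10.66.77.1/32` with the role defaults, because `wireguard.ip.address` carries its prefix length and wg-quick expects bare resolver addresses on that line; strip it, e.g. `DNS = {{ wireguard.ip.address.split('/')[0] }}`, or, if that is what it was defined for, use the otherwise unused `wireguard.dns_servers` list. `Address = {{ item.addr }}` has no prefix length either, since the secret template stores `addr` as a bare IP; that is accepted as a host address, but a comment such as `# bare IP from wireguard_secret.peers, treated as /32` would keep the two templates consistent when someone adds a prefix in one place only.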
14
roles/wireguard/templates/server.conf.j2
Normal file
14
roles/wireguard/templates/server.conf.j2
Normal file
@ -0,0 +1,14 @@
|
||||
[Interface]
|
||||
Address = {{ wireguard.ip.address }}
|
||||
PrivateKey = {{ wireguard_secret.server_key }}
|
||||
ListenPort = {{ wireguard.ip.port }}
|
||||
|
||||
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o {{ net_interface }} -j MASQUERADE
|
||||
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o {{ net_interface }} -j MASQUERADE
|
||||
SaveConfig = false
|
||||
|
||||
{% for peer in wireguard_secret.peers %}
|
||||
[Peer]
|
||||
PublicKey = {{ peer.pub_key }}
|
||||
AllowedIPs = {{ peer.addr }}
|
||||
{% endfor %}
|
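Review bot: `PostDown` repeats the `-A POSTROUTING ... -j MASQUERADE` of `PostUp` instead of removing it, so every tunnel stop appends another NAT rule and they accumulate across restarts; the line should delete it: `PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o {{ net_interface }} -j MASQUERADE`. The rendered file has no header marking it as generated, although it is deployed with `no_log` and the service is restarted on change, so a hand edit would be silently overwritten; a first line such as `# managed by ansible (roles/wireguard/templates/server.conf.j2) - do not edit` would prevent that.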