Compare commits
3 Commits
70809c7573
...
58a2a1526b
Author | SHA1 | Date | |
---|---|---|---|
58a2a1526b | |||
35088cf849 | |||
03177a1ee7 |
@ -16,6 +16,7 @@ The following services are managed completely automatically:
|
|||||||
- [Paperless-ngx](https://docs.paperless-ngx.com/)
|
- [Paperless-ngx](https://docs.paperless-ngx.com/)
|
||||||
- [Exim](https://www.exim.org/) mail (internal use only)
|
- [Exim](https://www.exim.org/) mail (internal use only)
|
||||||
- [Caddy](https://caddyserver.com/) reverse proxy
|
- [Caddy](https://caddyserver.com/) reverse proxy
|
||||||
|
- [WireGuard](https://www.wireguard.com/) VPN server.
|
||||||
|
|
||||||
## misc features
|
## misc features
|
||||||
|
|
||||||
|
@ -26,3 +26,18 @@ form_secret: ""
|
|||||||
|
|
||||||
# paperless secret key
|
# paperless secret key
|
||||||
paperless_secret: ""
|
paperless_secret: ""
|
||||||
|
|
||||||
|
wireguard_secret:
|
||||||
|
# server secret
|
||||||
|
# generate with `wg genkey`, available in the 'wireguard-tools' package
|
||||||
|
server_key: ""
|
||||||
|
# pipe the secret key (see secret_template in group_vars/) into `wg pubkey` to get this
|
||||||
|
server_pub_key: ""
|
||||||
|
|
||||||
|
# list of clients to generate configs for
|
||||||
|
peers:
|
||||||
|
# name of the client
|
||||||
|
- name: test_client
|
||||||
|
addr: "10.66.77.2"
|
||||||
|
priv_key: ""
|
||||||
|
pub_key: ""
|
||||||
|
@ -62,6 +62,9 @@ all:
|
|||||||
haproxy:
|
haproxy:
|
||||||
hosts:
|
hosts:
|
||||||
your_bastion_host:
|
your_bastion_host:
|
||||||
|
wireguard:
|
||||||
|
hosts:
|
||||||
|
your_bastion_host:
|
||||||
sshd:
|
sshd:
|
||||||
hosts:
|
hosts:
|
||||||
your_bastion_host:
|
your_bastion_host:
|
||||||
|
@ -61,6 +61,11 @@
|
|||||||
proto: any
|
proto: any
|
||||||
src: "{{ local_subnet }}"
|
src: "{{ local_subnet }}"
|
||||||
|
|
||||||
|
- name: "wireguard"
|
||||||
|
port: "{{ wireguard.ip.port | default('51820') }}"
|
||||||
|
proto: udp
|
||||||
|
src: any
|
||||||
|
|
||||||
- name: Deny all ports by default
|
- name: Deny all ports by default
|
||||||
community.general.ufw:
|
community.general.ufw:
|
||||||
state: enabled
|
state: enabled
|
||||||
|
@ -9,5 +9,4 @@ $TTL 604800
|
|||||||
ns IN A {{ local_ip }}
|
ns IN A {{ local_ip }}
|
||||||
@ IN NS localhost.
|
@ IN NS localhost.
|
||||||
@ IN A {{ local_ip }}
|
@ IN A {{ local_ip }}
|
||||||
@ IN AAAA ::1
|
|
||||||
{{ dyndns_domain }} IN A {{ local_ip }}
|
{{ dyndns_domain }} IN A {{ local_ip }}
|
||||||
|
@ -1,6 +1,12 @@
|
|||||||
// vim:set ts=4 sw=4 et:
|
// vim:set ts=4 sw=4 et:
|
||||||
|
|
||||||
acl internals { 127.0.0.0/8; {{ local_subnet }}; };
|
acl internals {
|
||||||
|
127.0.0.0/8;
|
||||||
|
{{ local_subnet }};
|
||||||
|
{% if wireguard is defined %}
|
||||||
|
{{ wireguard.ip.cidr }};
|
||||||
|
{% endif %}
|
||||||
|
};
|
||||||
|
|
||||||
options {
|
options {
|
||||||
directory "/var/named";
|
directory "/var/named";
|
||||||
|
24
roles/wireguard/defaults/main.yml
Normal file
24
roles/wireguard/defaults/main.yml
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
---
|
||||||
|
# these are defaults
|
||||||
|
# change these in group/host vars
|
||||||
|
|
||||||
|
# NOTE: copy the *entire* wireguard config if you wish to override it (all or nothing)
|
||||||
|
|
||||||
|
# also see group_vars/all/00-secret-template.yml
|
||||||
|
|
||||||
|
wireguard:
|
||||||
|
dns_servers:
|
||||||
|
- "{{ dns_forward }}"
|
||||||
|
interface: "wg0"
|
||||||
|
ip:
|
||||||
|
# address for the server
|
||||||
|
address: "10.66.77.1/32"
|
||||||
|
# cidr range in tunnel
|
||||||
|
cidr: "10.66.77.0/24"
|
||||||
|
|
||||||
|
server_public: "www.{{ domain }}"
|
||||||
|
# UDP port
|
||||||
|
port: 51820
|
||||||
|
|
||||||
|
# place to output client configs
|
||||||
|
client_folder: "/tmp/wireguard-clients"
|
9
roles/wireguard/handlers/main.yml
Normal file
9
roles/wireguard/handlers/main.yml
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: Start wireguard
|
||||||
|
systemd:
|
||||||
|
name: "wg-quick@{{ wireguard.interface }}.service"
|
||||||
|
enabled: yes
|
||||||
|
daemon_reload: yes
|
||||||
|
state: restarted
|
||||||
|
|
57
roles/wireguard/tasks/main.yml
Normal file
57
roles/wireguard/tasks/main.yml
Normal file
@ -0,0 +1,57 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: Install wireguard packages
|
||||||
|
community.general.pacman:
|
||||||
|
name:
|
||||||
|
- wireguard-tools
|
||||||
|
# for encoding .conf as a qr code
|
||||||
|
- qrencode
|
||||||
|
notify:
|
||||||
|
- Start wireguard
|
||||||
|
|
||||||
|
- name: Enable IP forwarding
|
||||||
|
sysctl:
|
||||||
|
name: net.ipv4.ip_forward
|
||||||
|
value: 1
|
||||||
|
state: present
|
||||||
|
reload: yes
|
||||||
|
|
||||||
|
- name: Setup UFW rules to accept VPN traffic
|
||||||
|
community.general.ufw:
|
||||||
|
rule: allow
|
||||||
|
direction: in
|
||||||
|
src: "{{ wireguard.ip.cidr }}"
|
||||||
|
dest: any
|
||||||
|
|
||||||
|
- name: Deploy wireguard server config
|
||||||
|
template:
|
||||||
|
src: server.conf.j2
|
||||||
|
dest: "/etc/wireguard/{{ wireguard.interface }}.conf"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0600
|
||||||
|
lstrip_blocks: true
|
||||||
|
no_log: true
|
||||||
|
notify:
|
||||||
|
- Start wireguard
|
||||||
|
|
||||||
|
- name: Create wireguard client config output folder
|
||||||
|
file:
|
||||||
|
path: "{{ wireguard.client_folder }}"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0700
|
||||||
|
state: directory
|
||||||
|
|
||||||
|
- name: Create wireguard client configs
|
||||||
|
template:
|
||||||
|
src: client.conf.j2
|
||||||
|
dest: "{{ wireguard.client_folder }}/wg-{{ item.name }}.conf"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0600
|
||||||
|
lstrip_blocks: true
|
||||||
|
no_log: true
|
||||||
|
with_items: "{{ wireguard_secret.peers }}"
|
||||||
|
notify:
|
||||||
|
- Start wireguard
|
16
roles/wireguard/templates/client.conf.j2
Normal file
16
roles/wireguard/templates/client.conf.j2
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
[Interface]
|
||||||
|
# device's address in the VPN
|
||||||
|
Address = {{ item.addr }}
|
||||||
|
# device privkey
|
||||||
|
PrivateKey = {{ item.priv_key }}
|
||||||
|
DNS = {{ wireguard.ip.address }}
|
||||||
|
|
||||||
|
[Peer]
|
||||||
|
# server stuff
|
||||||
|
PublicKey = {{ wireguard_secret.server_pub_key }}
|
||||||
|
Endpoint = {{ wireguard.ip.server_public }}:{{ wireguard.ip.port }}
|
||||||
|
|
||||||
|
# allow traffic for all subnets into the VPN
|
||||||
|
AllowedIPs = 0.0.0.0/0
|
||||||
|
|
||||||
|
PersistentKeepalive = 25
|
14
roles/wireguard/templates/server.conf.j2
Normal file
14
roles/wireguard/templates/server.conf.j2
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
[Interface]
|
||||||
|
Address = {{ wireguard.ip.address }}
|
||||||
|
PrivateKey = {{ wireguard_secret.server_key }}
|
||||||
|
ListenPort = {{ wireguard.ip.port }}
|
||||||
|
|
||||||
|
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o {{ net_interface }} -j MASQUERADE
|
||||||
|
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o {{ net_interface }} -j MASQUERADE
|
||||||
|
SaveConfig = false
|
||||||
|
|
||||||
|
{% for peer in wireguard_secret.peers %}
|
||||||
|
[Peer]
|
||||||
|
PublicKey = {{ peer.pub_key }}
|
||||||
|
AllowedIPs = {{ peer.addr }}
|
||||||
|
{% endfor %}
|
Loading…
Reference in New Issue
Block a user