
fix: wireguard ansible setup

pull/3/head
Karan Sharma 2 years ago
commit 52a8ba092a
  1. digitalocean-infra/firewalls.tf (12)
  2. wireguard/README.md (36)
  3. wireguard/roles/wireguard/defaults/main.yml (18)
  4. wireguard/roles/wireguard/handlers/main.yml (16)
  5. wireguard/roles/wireguard/tasks/main.yml (15)

12
digitalocean-infra/firewalls.tf

@ -16,6 +16,18 @@ resource "digitalocean_firewall" "web" {
}
}
resource "digitalocean_firewall" "vpn" {
name = "vpn-inbound"
droplet_ids = [digitalocean_droplet.alphard.id]
inbound_rule {
protocol = "udp"
port_range = "51820"
source_addresses = ["0.0.0.0/0", "::/0"]
}
}
resource "digitalocean_firewall" "ssh" {
name = "ssh-inbound"
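Review bot: the new `vpn` firewall hardcodes port `51820` and a single droplet (`digitalocean_droplet.alphard.id`) while the Ansible side parameterises everything through variables such as `wireguard_interface`; if the listen port is later changed in the role, this rule silently drifts out of sync, so either reference one shared value or leave a comment that the two must be kept together. Accepting UDP from `0.0.0.0/0` and `::/0` is the normal choice for a WireGuard endpoint with roaming peers (the README's `nated.exemple.com` laptop), since the kernel does not answer packets that fail authentication, but that rationale belongs in a comment next to the rule so nobody "tightens" it later and breaks mobile peers.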

36
wireguard/README.md

@ -0,0 +1,36 @@
# Wireguard setup using Ansible
Ansible playbook to install `Wireguard` on `Ubuntu` server. This playbook handles the creation of Wireguard public and private key _securely_. It can be used to setup a mesh VPN between multiple hosts or it can also be used to simply add more peers to existing Wireguard configuration.
## Getting Started
```shell
ansible-playbook playbook.yml -i inventory
```
## Inventory Format
```yaml
vpn:
hosts:
alphard:
ansible_user: root
ansible_host: alphard
wireguard_address: 10.9.0.1/32
wireguard_allowed_ips: "10.9.0.1/32, 192.168.2.0/24"
wireguard_endpoint: multi.exemple.com
peers:
laptop-personal:
public_key: lol
wireguard_address: 10.9.0.2/32
wireguard_allowed_ips: "10.9.0.2/32, 192.168.3.0/24"
wireguard_persistent_keepalive: 15
wireguard_endpoint: nated.exemple.com
```
- `hosts.<name>.peers` configures additional peers for the `<name>` wireguard server.
## References
- [My Personal Networking Setup](https://mrkaran.dev/posts/personal-networking-setup/)
- [ansible-role-wireguard](https://github.com/githubixx/ansible-role-wireguard) - I tweaked this Ansible script to add `peers` variable in the host group. This can be helpful to add devices like mobile phones etc where you can't use Ansible to `SSH` and create a _mesh_ VPN but still want to use the VPN for browsing etc.
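Review bot: the inventory example uses `public_key: lol` and the domains `multi.exemple.com` / `nated.exemple.com`; `exemple.com` is not a reserved documentation domain, so a copy-paste user can end up pointing a peer at a real host. Use `example.com` (RFC 2606) and an obviously labelled key placeholder such as `<peer-public-key>`. The README also promises that keys are created _securely_ but never says where the server's private key ends up or with what permissions, and it does not explain `wireguard_allowed_ips`, which on a peer entry is the set of destination prefixes routed to that peer (cryptokey routing), not an access-control list; that is the field most likely to be misconfigured when "simply adding more peers", so one sentence on each would make the quick-start safe to follow. Minor: "to setup a mesh VPN" should read "to set up".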

18
wireguard/roles/wireguard/defaults/main.yml

@ -10,21 +10,3 @@ wireguard_interface: "wg0"
# The default address for wireguard server for other peers to connect to.
wireguard_address: "10.200.200.1/24"
# wireguard_preup:
# - echo 1 > /proc/sys/net/ipv4/ip_forward
# - ufw allow 51820/udp
wireguard_postup:
# Configure iptables to setup a NAT on eth0 and forward the packets (ipv4 and ipv6) on interface wg0 to eth0
- iptables -A FORWARD -i wg0 -j ACCEPT
- iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
- ip6tables -A FORWARD -i wg0 -j ACCEPT
- ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
wireguard_postdown:
# Delete the rule since when wireguard is down, wg0 doesn't exist
- iptables -D FORWARD -i wg0 -j ACCEPT
- iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
- ip6tables -D FORWARD -i wg0 -j ACCEPT
- ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
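Review bot: this hunk removes the default `wireguard_postup` / `wireguard_postdown` iptables rules (and the commented-out `ip_forward` and `ufw` pre-up lines) without providing a replacement default, so a host that relied on the role for NAT and forwarding stops routing peer traffic after this change unless its inventory now sets those variables. The commit message ("fix: wireguard ansible setup") should say so, and the README's inventory example should show where `wireguard_postup` goes. The removal itself is defensible: `-A FORWARD -i wg0 -j ACCEPT` allowed forwarding from `wg0` to every interface and `MASQUERADE` on `eth0` applied to all traffic, so an explicit, per-host rule set is the safer default.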

16
wireguard/roles/wireguard/handlers/main.yml

@ -1,6 +1,12 @@
---
- name: restart wireguard
service:
name: "[email protected]{{ wireguard_interface }}"
state: restarted
- name: syncconf wireguard
shell: |
set -o errexit
set -o pipefail
set -o nounset
systemctl is-active [email protected]@{{ wireguard_interface|quote }} || systemctl start [email protected]{{ wireguard_interface|quote }}
wg syncconf {{ wireguard_interface|quote }} <(wg-quick strip /etc/wireguard/{{ wireguard_interface|quote }}.conf)
exit 0
args:
executable: "/bin/bash"
listen: "reconfigure wireguard"
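Review bot: in the `syncconf wireguard` handler the unit name given to `systemctl is-active` (`[email protected]@{{ wireguard_interface|quote }}`, with two `@`) differs from the one given to `systemctl start` (one `@`); under `set -o errexit` the `is-active` check always fails on the malformed name and `start` runs on every invocation, so the two names must be identical (the rendered `[email protected]` also looks like address-obfuscation residue of the page rather than the real `wg-quick@` template unit, so check the file content itself). The trailing `exit 0` is redundant with `errexit` and would mask a failed `wg syncconf` if someone later drops the `set -o` lines; remove it. Finally, nothing in this diff notifies `reconfigure wireguard`: the tasks hunk still uses `notify: - restart wireguard`, so the new `listen:` handler is unreachable until a task is wired to it.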

15
wireguard/roles/wireguard/tasks/main.yml

@ -77,6 +77,21 @@
notify:
- restart wireguard
- name: Check if reload-module-on-update is set
stat:
path: "{{ wireguard_remote_directory }}/.reload-module-on-update"
register: reload_module_on_update
tags:
- wg-config
- name: Set WireGuard reload-module-on-update
file:
dest: "{{ wireguard_remote_directory }}/.reload-module-on-update"
state: touch
when: not reload_module_on_update.stat.exists
tags:
- wg-config
- name: Start and enable WireGuard service
service:
name: "[email protected]{{ wireguard_interface }}"
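Review bot: the `Check if reload-module-on-update is set` / `Set WireGuard reload-module-on-update` pair creates the marker `{{ wireguard_remote_directory }}/.reload-module-on-update`, but nothing in this diff reads it, so either add a comment naming the task or role logic that consumes the marker, or drop the pair if the new handler made it unnecessary. The `stat` guard exists only because `file: state: touch` reports `changed` on every run; `state: touch` together with `modification_time: preserve` and `access_time: preserve` is idempotent on its own and saves a task and a registered variable.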
