Wireguard configuration

author: Paweł Dybiec <pdybiec@stud.cs.uni.wroc.pl> 2019-10-13 00:39:31 +0200
committer: Paweł Dybiec <pdybiec@stud.cs.uni.wroc.pl> 2019-10-13 00:39:31 +0200
commit: 49d9675b30f39b42650ae98d893cdbe305358aa0 (patch)
tree: 6b56450f5654675c771769094032ee9a88222338
parent: Fixed git ssh port, disabled restarting of disabled services (diff)
4 files changed, 114 insertions, 9 deletions
diff --git a/secrets.yml b/secrets.yml
index b9c081a..4fcd705 100644
--- a/secrets.yml
+++ b/secrets.yml
@@ -1,10 +1,13 @@
 $ANSIBLE_VAULT;1.1;AES256
-37613965643962623638373336343164323736653231346132376436656531396235303763646231
-3734373838356437663031383835363162653562376561620a373034353833323434383165323431
-37656331306438346231653334623433383961343038343931363936373561393866633335616639
-3961353062376238640a323736633630303762643338643539663630646633383961626163323762
-65346439373539316333313738613133646561383237346265613764613139633766326638323631
-36626466643934643934343465313062643161353035663565323664343431363937663738636432
-66363564306236343866643365396335313838353962646663383030613039353965393532643736
-39643436303861383136356638396438623035656262646137646139373030653939363632323763
-3766
+35636664323332313963396366383039393539653064353664646532646661633430653636356665
+6338623834666665613532396665613031316532366535350a313062326661343561313031653735
+30396362323732616134623565393933343366303762653936393639653635653638313931666561
+3837623366646330630a333337343433616233626265643033636130316239636662343635636531
+62353139623839363632333431666138636264353366616666386461326433663137343832306333
+36373664636566376363623239646436643661323430343330653830636334333635383037633866
+31396264366438386133356539373562323064636366316535353163626337303431313666636165
+33316334663230353434613963396664326461313830316661356536396135383064396231303231
+63323936613934336436373466326438653239643336623038363737353536626637353731333162
+33346165636266303039363066383366316533306432343530323731653332393134346432656439
+30653238356339323437396663336130363736346563656133356534653565643961333339366132
+31313066353939323661
diff --git a/templates/wg.netdev.j2 b/templates/wg.netdev.j2
new file mode 100644
index 0000000..5d0bf5f
--- /dev/null
+++ b/templates/wg.netdev.j2
@@ -0,0 +1,21 @@
+[NetDev]
+Name = wg0
+Kind = wireguard
+Description = Wireguard
+
+#tamriel 10.0.27.1
+[WireGuard]
+ListenPort = 48574
+PrivateKey = {{ wireguard_private_key }}
+
+# balmora 10.0.27.2
+[WireGuardPeer]
+PublicKey = 6dbkVQAQPkbk0+wt6f+wge5cPW6THe0Kua830jio528= 
+AllowedIPs = 10.0.27.2/32
+PersistentKeepalive = 20
+
+# motorola g6 10.0.27.3
+[WireGuardPeer]
+PublicKey = pqSY7SCKuRkHBTMWVhYAASrx/A1HF8Nlb3emnO8WqAc=
+AllowedIPs = 10.0.27.3/32
+PersistentKeepalive = 20
diff --git a/templates/wg.network.j2 b/templates/wg.network.j2
new file mode 100644
index 0000000..31fef48
--- /dev/null
+++ b/templates/wg.network.j2
@@ -0,0 +1,5 @@
+[Match]
+Name = wg0
+
+[Network]
+Address = 10.0.27.1/24
diff --git a/wireguard.yml b/wireguard.yml
new file mode 100644
index 0000000..be40d5b
--- /dev/null
+++ b/wireguard.yml
@@ -0,0 +1,76 @@
+---
+- name: Wireguard config
+  hosts: tamriel
+  remote_user: ansible_worker
+  become: yes
+  vars_files:
+  - secrets.yml
+  tasks:
+  - name: install wireguard
+    apt:
+      name: wireguard
+  - name: IPv4 forwarding
+    sysctl:
+      name: net.ipv4.ip_forward
+      value: "1"
+      state: present
+  - name: ARP proxy
+    sysctl:
+      name: net.ipv4.conf.all.proxy_arp
+      value: "1"
+      state: present
+
+  - name: Enable systemd-networkd
+    systemd:
+      enabled: true
+      state: started
+      name: systemd-networkd
+
+  - name: Generate wireguard config
+    template:
+      src: templates/wg.netdev.j2
+      dest: /etc/systemd/network/30-wg0.netdev
+      owner: root
+      group: systemd-network
+      mode: "640"
+  - name: Generate networkd config
+    template:
+      src: templates/wg.network.j2
+      dest: /etc/systemd/network/30-wg0.network
+
+  - name: Remove interface #systemd-networkd doesn't reload netdev
+    shell: ip link del dev wg0 || true
+
+      
+  - name: Restart systemd-networkd
+    systemd:
+      state: restarted
+      name: systemd-networkd
+
+  - iptables:
+      chain: INPUT
+      match: conntrack
+      ctstate: ["RELATED","ESTABLISHED"]
+      jump: ACCEPT
+  - iptables:
+      chain: FORWARD
+      match: conntrack
+      ctstate: ["RELATED","ESTABLISHED"]
+      jump: ACCEPT
+  - iptables:
+      chain: FORWARD
+      in_interface: wg0
+      out_interface: wg0
+      match: conntrack
+      ctstate: ["NEW"]
+      jump: ACCEPT
+      
+  - iptables:
+      chain: FORWARD
+      in_interface: wg0
+      jump: ACCEPT
+  - iptables:
+      table: nat
+      chain: POSTROUTING
+      out_interface: ens2
+      jump: MASQUERADE
author	Paweł Dybiec <pdybiec@stud.cs.uni.wroc.pl>	2019-10-13 00:39:31 +0200
committer	Paweł Dybiec <pdybiec@stud.cs.uni.wroc.pl>	2019-10-13 00:39:31 +0200
commit	49d9675b30f39b42650ae98d893cdbe305358aa0 (patch)
tree	6b56450f5654675c771769094032ee9a88222338
parent	Fixed git ssh port, disabled restarting of disabled services (diff)