author | Paweł Dybiec <pdybiec@stud.cs.uni.wroc.pl> | 2019-10-13 00:39:31 +0200 |
---|---|---|
committer | Paweł Dybiec <pdybiec@stud.cs.uni.wroc.pl> | 2019-10-13 00:39:31 +0200 |
commit | 49d9675b30f39b42650ae98d893cdbe305358aa0 (patch) | |
tree | 6b56450f5654675c771769094032ee9a88222338 /wireguard.yml | |
parent | Fixed git ssh port, disabled restarting of disabled services (diff) |
Wireguard configuration
Diffstat (limited to 'wireguard.yml')
-rw-r--r-- | wireguard.yml | 76 |
1 files changed, 76 insertions, 0 deletions
diff --git a/wireguard.yml b/wireguard.yml
new file mode 100644
index 0000000..be40d5b
--- /dev/null
+++ b/wireguard.yml
@@ -0,0 +1,76 @@
+---
+- name: Wireguard config
+ hosts: tamriel
+ remote_user: ansible_worker
+ become: yes
+ vars_files:
+ - secrets.yml
+ tasks:
+ - name: install wireguard
+ apt:
+ name: wireguard
+ - name: IPv4 forwarding
+ sysctl:
+ name: net.ipv4.ip_forward
+ value: "1"
+ state: present
+ - name: ARP proxy
+ sysctl:
+ name: net.ipv4.conf.all.proxy_arp
+ value: "1"
+ state: present
+
+ - name: Enable systemd-networkd
+ systemd:
+ enabled: true
+ state: started
+ name: systemd-networkd
+
+ - name: Generate wireguard config
+ template:
+ src: templates/wg.netdev.j2
+ dest: /etc/systemd/network/30-wg0.netdev
+ owner: root
+ group: systemd-network
+ mode: "640"
+ - name: Generate networkd config
+ template:
+ src: templates/wg.network.j2
+ dest: /etc/systemd/network/30-wg0.network
+
+ - name: Remove interface #systemd-networkd doesn't reload netdev
+ shell: ip link del dev wg0 || true
+
+
+ - name: Restart systemd-networkd
+ systemd:
+ state: restarted
+ name: systemd-networkd
+
+ - iptables:
+ chain: INPUT
+ match: conntrack
+ ctstate: ["RELATED","ESTABLISHED"]
+ jump: ACCEPT
+ - iptables:
+ chain: FORWARD
+ match: conntrack
+ ctstate: ["RELATED","ESTABLISHED"]
+ jump: ACCEPT
+ - iptables:
+ chain: FORWARD
+ in_interface: wg0
+ out_interface: wg0
+ match: conntrack
+ ctstate: ["NEW"]
+ jump: ACCEPT
+
+ - iptables:
+ chain: FORWARD
+ in_interface: wg0
+ jump: ACCEPT
+ - iptables:
+ table: nat
+ chain: POSTROUTING
+ out_interface: ens2
+ jump: MASQUERADE |
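Review bot: The iptables tasks at the end of the hunk only add ACCEPT rules and never set a chain policy, while the sysctl task near the top turns on net.ipv4.ip_forward for every interface; if the host's FORWARD chain keeps its default ACCEPT policy, traffic is forwarded between ens2 and wg0 regardless of these rules, so the wg0 allow rules are effectively no-ops. A task setting `policy: DROP` on FORWARD turns the list into a real allow-list; the Ansible iptables module also does not persist rules across reboot, so a save step is presumably needed — not visible in this commit. Two smaller points: `shell: ip link del dev wg0 || true` and the unconditional restart of systemd-networkd tear the tunnel down on every play run rather than only when a template changed (a handler notified by the two template tasks would avoid that), and `become: yes` should be `become: true` per yamllint's truthy rule.
```yaml
    # … unchanged: sysctl, networkd and template tasks …
    - name: Default-deny forwarded traffic
      iptables:
        chain: FORWARD
        policy: DROP
    # … unchanged: conntrack and wg0 ACCEPT rules, MASQUERADE …
```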