From 49d9675b30f39b42650ae98d893cdbe305358aa0 Mon Sep 17 00:00:00 2001 From: Paweł Dybiec Date: Sun, 13 Oct 2019 00:39:31 +0200 Subject: Wireguard configuration --- wireguard.yml | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 wireguard.yml (limited to 'wireguard.yml')
diff --git a/wireguard.yml b/wireguard.yml
new file mode 100644
index 0000000..be40d5b
--- /dev/null
+++ b/wireguard.yml
@@ -0,0 +1,76 @@
+---
+- name: Wireguard config
+ hosts: tamriel
+ remote_user: ansible_worker
+ become: yes
+ vars_files:
+ - secrets.yml
+ tasks:
+ - name: install wireguard
+ apt:
+ name: wireguard
+ - name: IPv4 forwarding
+ sysctl:
+ name: net.ipv4.ip_forward
+ value: "1"
+ state: present
+ - name: ARP proxy
+ sysctl:
+ name: net.ipv4.conf.all.proxy_arp
+ value: "1"
+ state: present
+
+ - name: Enable systemd-networkd
+ systemd:
+ enabled: true
+ state: started
+ name: systemd-networkd
+
+ - name: Generate wireguard config
+ template:
+ src: templates/wg.netdev.j2
+ dest: /etc/systemd/network/30-wg0.netdev
+ owner: root
+ group: systemd-network
+ mode: "640"
+ - name: Generate networkd config
+ template:
+ src: templates/wg.network.j2
+ dest: /etc/systemd/network/30-wg0.network
+
+ - name: Remove interface #systemd-networkd doesn't reload netdev
+ shell: ip link del dev wg0 || true
+
+
+ - name: Restart systemd-networkd
+ systemd:
+ state: restarted
+ name: systemd-networkd
+
+ - iptables:
+ chain: INPUT
+ match: conntrack
+ ctstate: ["RELATED","ESTABLISHED"]
+ jump: ACCEPT
+ - iptables:
+ chain: FORWARD
+ match: conntrack
+ ctstate: ["RELATED","ESTABLISHED"]
+ jump: ACCEPT
+ - iptables:
+ chain: FORWARD
+ in_interface: wg0
+ out_interface: wg0
+ match: conntrack
+ ctstate: ["NEW"]
+ jump: ACCEPT
+
+ - iptables:
+ chain: FORWARD
+ in_interface: wg0
+ jump: ACCEPT
+ - iptables:
+ table: nat
+ chain: POSTROUTING
+ out_interface: ens2
+ jump: MASQUERADE
-- cgit 1.4.1
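Review bot: The iptables tasks at the end of the hunk never set a chain policy or a terminal DROP rule, so the `RELATED,ESTABLISHED` ACCEPT rules on INPUT and FORWARD and the `in_interface: wg0` ACCEPT rule restrict nothing unless a DROP policy is configured outside this playbook; if the intent is to forward only tunnel traffic, close the chain with `- iptables: { chain: FORWARD, policy: DROP }` (and, if INPUT is to be locked down the same way, an ACCEPT for the tunnel's UDP listen port, which is not opened here). The rules are also added with the module's default append action and are never saved, so after a reboot the persisted sysctl settings and networkd files bring `wg0` back up with forwarding and proxy ARP enabled but no filter and no MASQUERADE — add a save step (e.g. a task running `netfilter-persistent save`) or a comment stating where persistence is handled. The third rule (`in_interface: wg0`, `out_interface: wg0`, `ctstate: ["NEW"]`) is fully subsumed by the fourth and can be dropped. The `Remove interface` task's `shell: ip link del dev wg0 || true` hides every failure and tears the tunnel down on every run even when nothing changed; moving that deletion together with the `Restart systemd-networkd` task into a handler notified by the two `template` tasks keeps the play idempotent and surfaces real errors, and `command` suffices there since no shell features are used. Finally, `net.ipv4.conf.all.proxy_arp` turns proxy ARP on for every interface including `ens2`; scoping it to the one interface that needs it (e.g. `net.ipv4.conf.ens2.proxy_arp`) limits which addresses the host will answer ARP for on the LAN.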