commit
0e30fccd10
@ -0,0 +1,8 @@
|
||||
---
|
||||
|
||||
- name: generate ios client config
|
||||
hosts: dev #localhost
|
||||
tasks:
|
||||
- debug: msg="generate phone config"
|
||||
roles:
|
||||
- { name: wg_vpn }
|
@ -0,0 +1,8 @@
|
||||
---
|
||||
|
||||
- name: cloud wg config
|
||||
hosts: vpn
|
||||
tasks:
|
||||
- debug: msg="Deploying wg to cloud server"
|
||||
roles:
|
||||
- { name: wg_vpn }
|
@ -0,0 +1,22 @@
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
37626464343231323066306337616434313033366530356236336163353031396135333731306538
|
||||
3337343633343338383034636236393230396439346565390a343838643861363239326339613633
|
||||
33643363666233323631356661633164333538326566623736396138363063393366343261343932
|
||||
3165316631643363630a303830393962303732383439623938303364313937633338383333323564
|
||||
35646335313963373864646334336364386633326431393361393265306233343265303434613266
|
||||
33656636386432396431393034343738643366613163306530363562636564313863373138633738
|
||||
61376663303835333137653262393064396366316163373034646135633131336264343533313936
|
||||
64346163323930363266383863666139336337646232383135383635633064663334376532663439
|
||||
30306565643938323730373064353038306536646431623332623832326461663836656231346161
|
||||
34373563333363323364393135343234323334313462356234383563333566646339633935323037
|
||||
36663761366566633965336234323364376633343732396636363934613934666533343435616236
|
||||
31623934383462376637323637333039633536633336373662623430663337656461613437626330
|
||||
61626665643532393139383039393961316435626662313630343139386636343165303063616363
|
||||
30353261386639613563313233643538333134363235336263343634643833643538623065653264
|
||||
65396136373937663864326434656438323830393063313332623733383433333033613936393039
|
||||
64656537636161373033653231663631363661323361636637663234393634623738646263323035
|
||||
32323639653137643136313432396161346633343334616234393161366161323761626633636238
|
||||
39623161396235633138653736666164656465663733616238623136633934656162313936386666
|
||||
62396265323938633530383161643634303236346562336133663366333330623930313133653164
|
||||
64663638386261653763393338396637396539613366643637343361343838616561633033323037
|
||||
38373437613561303763383464626365333233303962363139373434306334393630
|
@ -0,0 +1,9 @@
|
||||
* setup from scratch:
|
||||
~ansible-playbook -i hosts.yml all.yml --ask-vault-pass --ask-become-pass~
|
||||
|
||||
|
||||
* wg
|
||||
|
||||
** clients
|
||||
you probably want to deploy clients individually most of the time. to do that, provide a tag, like:
|
||||
~ansible-playbook -i hosts.yml client_matrix.yml --ask-vault-pass --ask-become-pass --tags matrix_client~
|
@ -1 +1 @@
|
||||
sys_packages: [ 'curl', 'vim', 'git', '', 'emacs', 'build-essential' ]
|
||||
sys_packages: [ 'curl', 'vim', 'git', '', 'emacs', 'build-essential', 'mosh' ]
|
||||
|
@ -1,2 +1,5 @@
|
||||
---
|
||||
# defaults file for wg_vpn
|
||||
|
||||
wireguard_server_listen_port: 51820
|
||||
|
||||
wireguard_server_lan_interface: enp3s0
|
||||
|
@ -1,2 +1,5 @@
|
||||
---
|
||||
# handlers file for wg_vpn
|
||||
# handlers file for wg_vpn
|
||||
|
||||
- name: restart wireguard
|
||||
service: name=wg-quick@wg0.service state=restarted
|
||||
|
@ -1,19 +0,0 @@
|
||||
- name: (local) fill out the rest of the wg0.conf file
|
||||
blockinfile:
|
||||
path: /etc/wireguard/wg0.conf
|
||||
block: |
|
||||
Address = 10.200.219.2/32, fd86:ea04:1115::2/128
|
||||
DNS = 1.1.1.1
|
||||
|
||||
[Peer]
|
||||
PublicKey = {{ server_publickey.stdout }}
|
||||
Endpoint = vpn.awful.club:51820
|
||||
AllowedIPs = 0.0.0.0/0
|
||||
delegate_to: localhost
|
||||
become: yes
|
||||
|
||||
- name: (local) bring wg up on local
|
||||
shell: wg-quick up wg0
|
||||
delegate_to: localhost
|
||||
become: yes
|
||||
ignore_errors: True
|
@ -1,19 +0,0 @@
|
||||
- name: fill out the rest of the wg0.conf file
|
||||
blockinfile:
|
||||
path: /etc/wireguard/wg0.conf
|
||||
block: |
|
||||
Address = 10.200.219.1/24
|
||||
Address = fd86:ea04:1115::1/64
|
||||
ListenPort = 51820
|
||||
SaveConfig = true
|
||||
[Peer]
|
||||
# name = pvl
|
||||
PublicKey = {{ client_publickey.stdout }}
|
||||
AllowedIPs = 10.200.219.19/32, fd86:ea04:1115::19/128
|
||||
[Peer]
|
||||
# name = matrix
|
||||
PublicKey = {{ ios_publickey.stdout }}
|
||||
AllowedIPs = 10.200.219.10/32, fd86:ea04:1115::10/128
|
||||
|
||||
- name: bring wg up on the relay node
|
||||
shell: wg-quick up /etc/wireguard/wg0.conf
|
@ -1,11 +0,0 @@
|
||||
- name: (local) fill out the rest of the wg0.conf file
|
||||
blockinfile:
|
||||
path: ~/wireguard/ios.conf
|
||||
block: |
|
||||
Address = 10.200.219.10/32, fd86:ea04:1115::10/128
|
||||
DNS = 1.1.1.1
|
||||
|
||||
[Peer]
|
||||
PublicKey = {{ server_publickey.stdout }}
|
||||
Endpoint = vpn.awful.club:51820
|
||||
AllowedIPs = 0.0.0.0/0, ::/0
|
@ -1,15 +0,0 @@
|
||||
- name: (local) fill out the rest of the wg0.conf file
|
||||
blockinfile:
|
||||
path: ~/wireguard/wg0.conf
|
||||
block: |
|
||||
Address = 10.200.219.19/32, fd86:ea04:1115::19/128
|
||||
DNS = 1.1.1.1
|
||||
|
||||
[Peer]
|
||||
PublicKey = {{ server_publickey.stdout }}
|
||||
Endpoint = vpn.awful.club:51820
|
||||
AllowedIPs = 0.0.0.0/0, ::/0
|
||||
|
||||
# - name: (local) bring wg up on local
|
||||
# shell: wg-quick up wg0
|
||||
|
@ -1,36 +0,0 @@
|
||||
---
|
||||
# tasks file for wg_vpn
|
||||
# this is useful for running plays /from/ an arch machine that will join the wg net.
|
||||
|
||||
# install wg, generate keys, files on local machine
|
||||
- name: (local) install wg (i use) arch (btw)
|
||||
pacman:
|
||||
update_cache: yes
|
||||
name: wireguard-tools, wireguard-arch, wireguard-dkms
|
||||
state: present
|
||||
delegate_to: localhost
|
||||
become: yes
|
||||
# ansible has a hard time parsing the pacman files
|
||||
# ignore errors once you verify shit is installed / patched.
|
||||
ignore_errors: True
|
||||
|
||||
- name: (local) ensure /etc/wireguard/ exists
|
||||
file:
|
||||
path: /etc/wireguard/
|
||||
state: directory
|
||||
delegate_to: localhost
|
||||
|
||||
- name: (local) Generate keys
|
||||
shell: |
|
||||
printf "[Interface]\nPrivateKey = " > /etc/wireguard/wg0.conf
|
||||
wg genkey | tee -a /etc/wireguard/wg0.conf | wg pubkey > /etc/wireguard/publickey
|
||||
vars:
|
||||
umask: "077"
|
||||
delegate_to: localhost
|
||||
become: yes
|
||||
|
||||
- name: (local) register publickey for later use
|
||||
shell: cat /etc/wireguard/publickey
|
||||
register: client_publickey
|
||||
delegate_to: localhost
|
||||
become: yes
|
@ -1,47 +0,0 @@
|
||||
- name: add unstable to repos
|
||||
shell: |
|
||||
echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
|
||||
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
|
||||
- name: Update aptitude
|
||||
apt: update_cache=yes
|
||||
- name: install wireguard
|
||||
apt: name=wireguard state=latest
|
||||
- name: install linux headers (necessary on older cloud kernels (fuck u digitalocean))
|
||||
# the kernel version is hard coded because this is what DO currently uses
|
||||
# and that's what i use
|
||||
apt: name=linux-headers-4.19.0-6-cloud-amd64
|
||||
- name: install misc other things the internet says i need
|
||||
apt: name=build-essential
|
||||
- name: install misc other things the internet says i need
|
||||
apt: name=dkms
|
||||
- name: needed for handling dns requests
|
||||
apt: name=openresolv
|
||||
- name: enable kernel relay/forwarding
|
||||
shell: |
|
||||
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
|
||||
echo "net.ipv4.conf.all.proxy_arp = 1" >> /etc/sysctl.conf
|
||||
sudo sysctl -p /etc/sysctl.conf
|
||||
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
iptables -A FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW -j ACCEPT
|
||||
iptables -t nat -A POSTROUTING -s 10.200.219.0/24 -o eth0 -j MASQUERADE
|
||||
- name: ensure /etc/wireguard/ exists
|
||||
file:
|
||||
path: /etc/wireguard/
|
||||
state: directory
|
||||
|
||||
- name: Generate keys
|
||||
shell: |
|
||||
printf "[Interface]\nPrivateKey = " > /etc/wireguard/wg0.conf
|
||||
wg genkey | tee -a /etc/wireguard/wg0.conf | wg pubkey > /etc/wireguard/publickey
|
||||
vars:
|
||||
umask: "077"
|
||||
- name: register publickey for later use
|
||||
shell: cat /etc/wireguard/publickey
|
||||
register: server_publickey
|
||||
|
||||
# do this to avoid idiot "hey you can't start, u already started!!!" erros.
|
||||
# fucker.
|
||||
- name: register publickey for later use
|
||||
shell: wg-quick down /etc/wireguard/wg0.conf
|
||||
ignore_errors: True
|
@ -1,15 +0,0 @@
|
||||
- name: make wg dir since macs are now weird about /etc/anything
|
||||
file:
|
||||
path: ~/wireguard/
|
||||
state: directory
|
||||
|
||||
- name: Generate keys
|
||||
shell: |
|
||||
printf "[Interface]\nPrivateKey = " > ~/wireguard/ios.conf
|
||||
wg genkey | tee -a ~/wireguard/ios.conf | wg pubkey > ~/wireguard/ios_publickey
|
||||
vars:
|
||||
umask: "077"
|
||||
|
||||
- name: register publickey for later use
|
||||
shell: cat ~/wireguard/ios_publickey
|
||||
register: ios_publickey
|
@ -1,21 +0,0 @@
|
||||
- name: Update brew
|
||||
homebrew: update_homebrew=yes
|
||||
|
||||
- name: install wireguard
|
||||
homebrew: name=wireguard-tools state=latest
|
||||
|
||||
- name: make wg dir since macs are now weird about /etc/anything
|
||||
file:
|
||||
path: ~/wireguard/
|
||||
state: directory
|
||||
|
||||
- name: Generate keys
|
||||
shell: |
|
||||
printf "[Interface]\nPrivateKey = " > ~/wireguard/wg0.conf
|
||||
wg genkey | tee -a ~/wireguard/wg0.conf | wg pubkey > ~/wireguard/publickey
|
||||
vars:
|
||||
umask: "077"
|
||||
|
||||
- name: register publickey for later use
|
||||
shell: cat ~/wireguard/publickey
|
||||
register: client_publickey
|
@ -0,0 +1,9 @@
|
||||
[Interface]
|
||||
PrivateKey = {{ wireguard_clients[0]['privkey'] }}
|
||||
Address = {{ wireguard_vpn_network | ipsubnet(32, wireguard_clients[0]['offset']) }}
|
||||
DNS = 1.1.1.1
|
||||
|
||||
[Peer]
|
||||
PublicKey = {{ wireguard_server_pubkey }}
|
||||
Endpoint = vpn.awful.club:51820
|
||||
AllowedIPs = 0.0.0.0/0
|
@ -0,0 +1,9 @@
|
||||
[Interface]
|
||||
PrivateKey = <ios private key>
|
||||
Address = 10.200.219.10/32
|
||||
DNS = 1.1.1.1
|
||||
|
||||
[Peer]
|
||||
PublicKey = e49UyNg/kqPETyT9K6nqIYjtTwlR8hY8Brm/P66xnmo=
|
||||
Endpoint = vpn.awful.club:51820
|
||||
AllowedIPs = 0.0.0.0/0
|
@ -0,0 +1,33 @@
|
||||
[Interface]
|
||||
PrivateKey = {{ wireguard_server_privkey }}
|
||||
{#
|
||||
We want the Address field here to be an IP address
|
||||
with the whole network in CIDR notation, like 10.0.0.1/24.
|
||||
|
||||
If wireguard_vpn_network is a CIDR network like 10.0.0.0/24,
|
||||
and wireguard_server_offset is an integer like 1,
|
||||
this will produce an offset of the start of the network + CIDR prefix,
|
||||
which in this case will be the desired 10.0.0.1/24.
|
||||
#}
|
||||
Address = {{ wireguard_vpn_network | ipaddr(wireguard_server_offset) }}
|
||||
ListenPort = {{ wireguard_server_listen_port }}
|
||||
|
||||
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
||||
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
|
||||
|
||||
{% for client in wireguard_clients %}
|
||||
[Peer]
|
||||
# {{ client.name }}
|
||||
PublicKey = {{ client.pubkey }}
|
||||
{#
|
||||
We want the Address field here to be an IP address
|
||||
withOUT the whole network in CIDR notation, like 10.0.0.15/32.
|
||||
|
||||
If wireguard_vpn_network is a CIDR network like 10.0.0.0/24,
|
||||
and client.offset is an integer like 15,
|
||||
this will produce an offset of the start of the network with a /32 CIDR prefix
|
||||
which in this case will be the desired 10.0.0.15/32.
|
||||
#}
|
||||
AllowedIPs = {{ wireguard_vpn_network | ipsubnet(32, client.offset) }}
|
||||
|
||||
{% endfor %}
|
@ -1,2 +1,2 @@
|
||||
---
|
||||
# vars file for wg_vpn
|
||||
# vars file for wg_vpn
|
||||
|
Loading…
Reference in new issue