From 1d009dc0fd8e4f68d2c0ed9a8e6cf2d8b6ede08d Mon Sep 17 00:00:00 2001 From: jowj Date: Wed, 8 Jan 2020 17:00:45 -0600 Subject: [PATCH 01/19] Remove old giant messy way of grouping files. --- ansible/roles/wg_vpn/tasks/posttasks_arch.yml | 19 -------- .../roles/wg_vpn/tasks/posttasks_debian.yml | 19 -------- ansible/roles/wg_vpn/tasks/posttasks_ios.yml | 11 ----- ansible/roles/wg_vpn/tasks/posttasks_mac.yml | 15 ------ ansible/roles/wg_vpn/tasks/pretasks_arch.yml | 36 -------------- .../roles/wg_vpn/tasks/pretasks_debian.yml | 47 ------------------- ansible/roles/wg_vpn/tasks/pretasks_ios.yml | 15 ------ ansible/roles/wg_vpn/tasks/pretasks_mac.yml | 21 --------- 8 files changed, 183 deletions(-) delete mode 100644 ansible/roles/wg_vpn/tasks/posttasks_arch.yml delete mode 100644 ansible/roles/wg_vpn/tasks/posttasks_debian.yml delete mode 100644 ansible/roles/wg_vpn/tasks/posttasks_ios.yml delete mode 100644 ansible/roles/wg_vpn/tasks/posttasks_mac.yml delete mode 100644 ansible/roles/wg_vpn/tasks/pretasks_arch.yml delete mode 100644 ansible/roles/wg_vpn/tasks/pretasks_debian.yml delete mode 100644 ansible/roles/wg_vpn/tasks/pretasks_ios.yml delete mode 100644 ansible/roles/wg_vpn/tasks/pretasks_mac.yml diff --git a/ansible/roles/wg_vpn/tasks/posttasks_arch.yml b/ansible/roles/wg_vpn/tasks/posttasks_arch.yml deleted file mode 100644 index ef06df4..0000000 --- a/ansible/roles/wg_vpn/tasks/posttasks_arch.yml +++ /dev/null @@ -1,19 +0,0 @@ -- name: (local) fill out the rest of the wg0.conf file - blockinfile: - path: /etc/wireguard/wg0.conf - block: | - Address = 10.200.219.2/32, fd86:ea04:1115::2/128 - DNS = 1.1.1.1 - - [Peer] - PublicKey = {{ server_publickey.stdout }} - Endpoint = vpn.awful.club:51820 - AllowedIPs = 0.0.0.0/0 - delegate_to: localhost - become: yes - -- name: (local) bring wg up on local - shell: wg-quick up wg0 - delegate_to: localhost - become: yes - ignore_errors: True 
diff --git a/ansible/roles/wg_vpn/tasks/posttasks_debian.yml b/ansible/roles/wg_vpn/tasks/posttasks_debian.yml deleted file mode 100644 index 11b82be..0000000 --- a/ansible/roles/wg_vpn/tasks/posttasks_debian.yml +++ /dev/null @@ -1,19 +0,0 @@ -- name: fill out the rest of the wg0.conf file - blockinfile: - path: /etc/wireguard/wg0.conf - block: | - Address = 10.200.219.1/24 - Address = fd86:ea04:1115::1/64 - ListenPort = 51820 - SaveConfig = true - [Peer] - # name = pvl - PublicKey = {{ client_publickey.stdout }} - AllowedIPs = 10.200.219.19/32, fd86:ea04:1115::19/128 - [Peer] - # name = matrix - PublicKey = {{ ios_publickey.stdout }} - AllowedIPs = 10.200.219.10/32, fd86:ea04:1115::10/128 - -- name: bring wg up on the relay node - shell: wg-quick up /etc/wireguard/wg0.conf diff --git a/ansible/roles/wg_vpn/tasks/posttasks_ios.yml b/ansible/roles/wg_vpn/tasks/posttasks_ios.yml deleted file mode 100644 index 5e89c7f..0000000 --- a/ansible/roles/wg_vpn/tasks/posttasks_ios.yml +++ /dev/null @@ -1,11 +0,0 @@ -- name: (local) fill out the rest of the wg0.conf file - blockinfile: - path: ~/wireguard/ios.conf - block: | - Address = 10.200.219.10/32, fd86:ea04:1115::10/128 - DNS = 1.1.1.1 - - [Peer] - PublicKey = {{ server_publickey.stdout }} - Endpoint = vpn.awful.club:51820 - AllowedIPs = 0.0.0.0/0, ::/0 diff --git a/ansible/roles/wg_vpn/tasks/posttasks_mac.yml b/ansible/roles/wg_vpn/tasks/posttasks_mac.yml deleted file mode 100644 index a17d7fb..0000000 --- a/ansible/roles/wg_vpn/tasks/posttasks_mac.yml +++ /dev/null @@ -1,15 +0,0 @@ -- name: (local) fill out the rest of the wg0.conf file - blockinfile: - path: ~/wireguard/wg0.conf - block: | - Address = 10.200.219.19/32, fd86:ea04:1115::19/128 - DNS = 1.1.1.1 - - [Peer] - PublicKey = {{ server_publickey.stdout }} - Endpoint = vpn.awful.club:51820 - AllowedIPs = 0.0.0.0/0, ::/0 - -# - name: (local) bring wg up on local -# shell: wg-quick up wg0 - 
diff --git a/ansible/roles/wg_vpn/tasks/pretasks_arch.yml b/ansible/roles/wg_vpn/tasks/pretasks_arch.yml deleted file mode 100644 index 51b9936..0000000 --- a/ansible/roles/wg_vpn/tasks/pretasks_arch.yml +++ /dev/null @@ -1,36 +0,0 @@ ---- -# tasks file for wg_vpn -# this is useful for running plays /from/ an arch machine that will join the wg net. - -# install wg, generate keys, files on local machine -- name: (local) install wg (i use) arch (btw) - pacman: - update_cache: yes - name: wireguard-tools, wireguard-arch, wireguard-dkms - state: present - delegate_to: localhost - become: yes - # ansible has a hard time parsing the pacman files - # ignore errors once you verify shit is installed / patched. - ignore_errors: True - -- name: (local) ensure /etc/wireguard/ exists - file: - path: /etc/wireguard/ - state: directory - delegate_to: localhost - -- name: (local) Generate keys - shell: | - printf "[Interface]\nPrivateKey = " > /etc/wireguard/wg0.conf - wg genkey | tee -a /etc/wireguard/wg0.conf | wg pubkey > /etc/wireguard/publickey - vars: - umask: "077" - delegate_to: localhost - become: yes - -- name: (local) register publickey for later use - shell: cat /etc/wireguard/publickey - register: client_publickey - delegate_to: localhost - become: yes diff --git a/ansible/roles/wg_vpn/tasks/pretasks_debian.yml b/ansible/roles/wg_vpn/tasks/pretasks_debian.yml deleted file mode 100644 index e39dd9c..0000000 --- a/ansible/roles/wg_vpn/tasks/pretasks_debian.yml +++ /dev/null 
@@ -1,47 +0,0 @@ -- name: add unstable to repos - shell: | - echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list - printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable -- name: Update aptitude - apt: update_cache=yes -- name: install wireguard - apt: name=wireguard state=latest -- name: install linux headers (necessary on older cloud kernels (fuck u digitalocean)) - # the kernel version is hard coded because this is what DO currently uses - # and that's what i use - apt: name=linux-headers-4.19.0-6-cloud-amd64 -- name: install misc other things the internet says i need - apt: name=build-essential -- name: install misc other things the internet says i need - apt: name=dkms -- name: needed for handling dns requests - apt: name=openresolv -- name: enable kernel relay/forwarding - shell: | - echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf - echo "net.ipv4.conf.all.proxy_arp = 1" >> /etc/sysctl.conf - sudo sysctl -p /etc/sysctl.conf - iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -A FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW -j ACCEPT - iptables -t nat -A POSTROUTING -s 10.200.219.0/24 -o eth0 -j MASQUERADE -- name: ensure /etc/wireguard/ exists - file: - path: /etc/wireguard/ - state: directory - -- name: Generate keys - shell: | - printf "[Interface]\nPrivateKey = " > /etc/wireguard/wg0.conf - wg genkey | tee -a /etc/wireguard/wg0.conf | wg pubkey > /etc/wireguard/publickey - vars: - umask: "077" -- name: register publickey for later use - shell: cat /etc/wireguard/publickey - register: server_publickey - -# do this to avoid idiot "hey you can't start, u already started!!!" erros. -# fucker. -- name: register publickey for later use - shell: wg-quick down /etc/wireguard/wg0.conf - ignore_errors: True 
diff --git a/ansible/roles/wg_vpn/tasks/pretasks_ios.yml b/ansible/roles/wg_vpn/tasks/pretasks_ios.yml deleted file mode 100644 index 8c6bcb8..0000000 --- a/ansible/roles/wg_vpn/tasks/pretasks_ios.yml +++ /dev/null @@ -1,15 +0,0 @@ -- name: make wg dir since macs are now weird about /etc/anything - file: - path: ~/wireguard/ - state: directory - -- name: Generate keys - shell: | - printf "[Interface]\nPrivateKey = " > ~/wireguard/ios.conf - wg genkey | tee -a ~/wireguard/ios.conf | wg pubkey > ~/wireguard/ios_publickey - vars: - umask: "077" - -- name: register publickey for later use - shell: cat ~/wireguard/ios_publickey - register: ios_publickey diff --git a/ansible/roles/wg_vpn/tasks/pretasks_mac.yml b/ansible/roles/wg_vpn/tasks/pretasks_mac.yml deleted file mode 100644 index 82d6ded..0000000 --- a/ansible/roles/wg_vpn/tasks/pretasks_mac.yml +++ /dev/null @@ -1,21 +0,0 @@ -- name: Update brew - homebrew: update_homebrew=yes - -- name: install wireguard - homebrew: name=wireguard-tools state=latest - -- name: make wg dir since macs are now weird about /etc/anything - file: - path: ~/wireguard/ - state: directory - -- name: Generate keys - shell: | - printf "[Interface]\nPrivateKey = " > ~/wireguard/wg0.conf - wg genkey | tee -a ~/wireguard/wg0.conf | wg pubkey > ~/wireguard/publickey - vars: - umask: "077" - -- name: register publickey for later use - shell: cat ~/wireguard/publickey - register: client_publickey -- 2.36.4 From eda36e89ebec3ce5481ef09125aa02ddb61c77fb Mon Sep 17 00:00:00 2001 From: jowj Date: Wed, 8 Jan 2020 17:01:02 -0600 Subject: [PATCH 02/19] Rename ansible.cfg because i fat fingered it. --- ansible/{anisble.cfg => ansible.cfg} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename ansible/{anisble.cfg => ansible.cfg} (100%) diff --git a/ansible/anisble.cfg b/ansible/ansible.cfg similarity index 100% rename from ansible/anisble.cfg rename to ansible/ansible.cfg -- 2.36.4 
From 9e172580bc134fdeb142f03ccd572f585c37e0d2 Mon Sep 17 00:00:00 2001 From: jowj Date: Wed, 8 Jan 2020 17:01:37 -0600 Subject: [PATCH 03/19] add whitespace. --- ansible/roles/wg_vpn/vars/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/wg_vpn/vars/main.yml b/ansible/roles/wg_vpn/vars/main.yml index d9f42d1..78e1a71 100644 --- a/ansible/roles/wg_vpn/vars/main.yml +++ b/ansible/roles/wg_vpn/vars/main.yml @@ -1,2 +1,2 @@ --- -# vars file for wg_vpn \ No newline at end of file +# vars file for wg_vpn -- 2.36.4 From 7e62efcbb95fdd209f103f090af7f812a1eb8d89 Mon Sep 17 00:00:00 2001 From: jowj Date: Wed, 8 Jan 2020 17:02:02 -0600 Subject: [PATCH 04/19] Add role specific declarations. --- ansible/roles/wg_vpn/defaults/main.yml | 5 +- ansible/roles/wg_vpn/handlers/main.yml | 5 +- ansible/roles/wg_vpn/tasks/main.yml | 84 ++++++++----------------- ansible/roles/wg_vpn/templates/wg0.conf | 30 +++++++++ 4 files changed, 65 insertions(+), 59 deletions(-) create mode 100644 ansible/roles/wg_vpn/templates/wg0.conf diff --git a/ansible/roles/wg_vpn/defaults/main.yml b/ansible/roles/wg_vpn/defaults/main.yml index 90d58e7..28764b6 100644 --- a/ansible/roles/wg_vpn/defaults/main.yml +++ b/ansible/roles/wg_vpn/defaults/main.yml @@ -1,2 +1,5 @@ --- -# defaults file for wg_vpn \ No newline at end of file + +wireguard_server_listen_port: 51820 + +wireguard_server_lan_interface: enp3s0 diff --git a/ansible/roles/wg_vpn/handlers/main.yml b/ansible/roles/wg_vpn/handlers/main.yml index c5cf63f..94cb9dd 100644 --- a/ansible/roles/wg_vpn/handlers/main.yml +++ b/ansible/roles/wg_vpn/handlers/main.yml @@ -1,2 +1,5 @@ --- -# handlers file for wg_vpn \ No newline at end of file +# handlers file for wg_vpn + +- name: restart wireguard + service: name=wg-quick@wg0.service state=restarted diff --git a/ansible/roles/wg_vpn/tasks/main.yml b/ansible/roles/wg_vpn/tasks/main.yml index fbb728e..60ebb53 100644 --- a/ansible/roles/wg_vpn/tasks/main.yml 
+++ b/ansible/roles/wg_vpn/tasks/main.yml 
@@ -2,65 +2,35 @@ # tasks file for wg_vpn # playbook to go from a "base configured" server to a wg vpn peer -- name: "generating config on relay server" - debug: - msg: "config on relay is starting" - verbosity: 1 -- name: generate config on relay server - include: pretasks_debian.yml - become: yes +- name: add unstable to repos + shell: | + echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list + printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable -- name: "generating config on local mac" - debug: - msg: "config on mac is starting" - verbosity: 1 - when: source_os == 'macos' -- name: generate config on local mac - include: pretasks_mac.yml - delegate_to: localhost - when: source_os == 'macos' +- name: install wireguard + apt: + # hardcoded header here is for digital oceans :( + name: + - wireguard + - build-essential + - dkms + - linux-headers-4.19.0-6-cloud-amd64 + update_cache: yes + state: latest -- name: "generating config on local arch" - debug: - msg: "config on arch is starting" - verbosity: 1 - when: source_os == 'arch' -- name: generate config on local arch - include: pretasks_arch.yml - delegate_to: localhost - when: source_os == 'arch' + +- name: Enable IP forwarding + sysctl: name={{ item }} value=1 state=present + with_items: + - net.ipv4.ip_forward + - net.ipv6.conf.all.forwarding -- name: generate config for IOS on local machine - include: pretasks_ios.yml - delegate_to: localhost +- name: Create wireguard config directory + file: state=directory path=/etc/wireguard owner=root group=root mode=0700 -- name: "completing config on server" - debug: - msg: "config on relay is resuming" - verbosity: 1 -- name: complete config, wg up on relay server - include: posttasks_debian.yml - become: yes - -- name: complete config, wg up on local mac - include: posttasks_mac.yml - delegate_to: localhost - when: source_os == 'macos' +- name: Install wireguard configuration + 
template: src=wg0.conf dest=/etc/wireguard/wg0.conf owner=root group=root mode=0600 + notify: restart wireguard -- name: "generating config on local arch" - debug: - msg: "config on arch is completing" - verbosity: 1 - when: source_os == 'arch' -- name: complete config on local arch - include: posttasks_arch.yml - delegate_to: localhost - when: source_os == 'arch' - -- name: "generating config for iOS" - debug: - msg: "config for IOS is completing" - verbosity: 1 -- name: complete config for IOS on local machine - include: posttasks_ios.yml - delegate_to: localhost +- name: Start wireguard + service: name=wg-quick@wg0.service enabled=yes state=started diff --git a/ansible/roles/wg_vpn/templates/wg0.conf b/ansible/roles/wg_vpn/templates/wg0.conf new file mode 100644 index 0000000..8fee6e8 --- /dev/null +++ b/ansible/roles/wg_vpn/templates/wg0.conf @@ -0,0 +1,30 @@ +[Interface] +PrivateKey = {{ wireguard_server_privkey }} +{# + We want the Address field here to be an IP address + with the whole network in CIDR notation, like 10.0.0.1/24. + + If wireguard_vpn_network is a CIDR network like 10.0.0.0/24, + and wireguard_server_offset is an integer like 1, + this will produce an offset of the start of the network + CIDR prefix, + which in this case will be the desired 10.0.0.1/24. +#} +Address = {{ wireguard_vpn_network | ipaddr(wireguard_server_offset) }} +ListenPort = {{ wireguard_server_listen_port }} + +{% for client in wireguard_clients %} +[Peer] +# {{ client.name }} +PublicKey = {{ client.pubkey }} +{# + We want the Address field here to be an IP address + withOUT the whole network in CIDR notation, like 10.0.0.15/32. + + If wireguard_vpn_network is a CIDR network like 10.0.0.0/24, + and client.offset is an integer like 15, + this will produce an offset of the start of the network with a /32 CIDR prefix + which in this case will be the desired 10.0.0.15/32. +#} +AllowedIPs = {{ wireguard_vpn_network | ipsubnet(32, client.offset) }} + +{% endfor %} -- 2.36.4 
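Review bot: Enabling `net.ipv6.conf.all.forwarding` in the sysctl loop makes the relay an IPv6 router although nothing this commit renders into wg0.conf assigns a v6 address or v6 AllowedIPs, and the role sets no ip6tables FORWARD policy at all; drop that item until the tunnel carries IPv6, or pair it with an explicit v6 forward rule. The 'add unstable to repos' task rewrites the sources and pin files through `shell` on every run, so it always reports changed and gives no idempotence; `apt_repository` with `repo: deb http://deb.debian.org/debian/ unstable main` plus `copy` with `content:` for the pin file produce the same result with change detection. `state: latest` on `build-essential` and `dkms` also upgrades the toolchain on every run, where `present` is enough for build dependencies.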
From 8853fa51c51bc65509b9ff48d88b4e7525416611 Mon Sep 17 00:00:00 2001 From: jowj Date: Wed, 8 Jan 2020 17:02:26 -0600 Subject: [PATCH 05/19] Create vault.yml for > 1 playbook; move mojovarsvault. --- ansible/group_vars/all/main.yml | 28 +++++++++++++++++++ ansible/group_vars/all/vault.yml | 22 +++++++++++++++ .../{all => mojos}/mojo-vars-vault.yml | 0 3 files changed, 50 insertions(+) create mode 100644 ansible/group_vars/all/vault.yml rename ansible/group_vars/{all => mojos}/mojo-vars-vault.yml (100%) diff --git a/ansible/group_vars/all/main.yml b/ansible/group_vars/all/main.yml index e0a06dd..8f4783e 100644 --- a/ansible/group_vars/all/main.yml +++ b/ansible/group_vars/all/main.yml @@ -5,3 +5,31 @@ gather_facts: True source_os: arch become: yes create_user: josiah + + +# all of this is stolen from mrled, because fuck this is way better than what i was doing. +# Wireguard docs +# TODO: lookup plugin to generate the pubkey from the privkey +# TODO: set all these as hostvars, use hostvars['HOSTNAME'].wireguard_privkey etc +# (should be ok even for e.g. glitch, which doesn't get provisioned from Ansible) +# To generate the keys: +# - wg genkey | tee privatekey | wg pubkey > publickey +# - save the privkey in the vault and the pubkey here +# - Delete the privatekey and publickey files +wireguard_vpn_network: 10.200.219.0/24 +wireguard_server_privkey: "{{ vault_wireguard_server_privkey }}" +wireguard_server_pubkey: e49UyNg/kqPETyT9K6nqIYjtTwlR8hY8Brm/P66xnmo= +wireguard_server_offset: 1 +wireguard_clients: + - name: matrix + offset: 10 + privkey: "{{ vault_wireguard_client_privkey_matrix }}" + pubkey: lNoFqmeHfSDb/VB0mutpFzb4cZELOjSVOYQCLEfQIRU= + - name: pvl + offset: 11 + privkey: "{{ vault_wireguard_client_privkey_pvl }}" + pubkey: l/j+UXtrxTqqTTjxjgheQ3B2QppZWs07na4GypZw9GM= + - name: ling8 + offset: 12 + privkey: "{{ vault_wireguard_client_privkey_ling8 }}" + pubkey: YqGQE6yUz6rjBFRWgZyj5mPEaGavxrmO/cclO5o+VBQ= 
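Review bot: Every client private key is pulled into `wireguard_clients` from a single vault under group_vars/all, so all of them are decrypted for every play against every host and one vault leak (or any template that iterates `wireguard_clients`) exposes the whole peer set, while the server template only needs `pubkey` and `offset`. Keep `privkey` out of this shared list and place each key under host_vars of the host that actually renders it, with `no_log: true` on the task that writes it. If the TODO lookup for deriving pubkeys from privkeys is written, feed the key to `wg pubkey` on stdin rather than as a command argument, since argv is readable by every local user through /proc.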
diff --git a/ansible/group_vars/all/vault.yml b/ansible/group_vars/all/vault.yml new file mode 100644 index 0000000..b4e7b5f --- /dev/null +++ b/ansible/group_vars/all/vault.yml @@ -0,0 +1,22 @@ +$ANSIBLE_VAULT;1.1;AES256 +37626464343231323066306337616434313033366530356236336163353031396135333731306538 +3337343633343338383034636236393230396439346565390a343838643861363239326339613633 +33643363666233323631356661633164333538326566623736396138363063393366343261343932 +3165316631643363630a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diff --git a/ansible/group_vars/all/mojo-vars-vault.yml b/ansible/group_vars/mojos/mojo-vars-vault.yml similarity index 100% rename from ansible/group_vars/all/mojo-vars-vault.yml rename to ansible/group_vars/mojos/mojo-vars-vault.yml -- 2.36.4 From c0d70a73cf40660e197a6647732a52dbae6c8f97 Mon Sep 17 00:00:00 2001 From: jowj Date: Wed, 8 Jan 2020 17:11:34 -0600 Subject: [PATCH 06/19] add root ansible readme --- ansible/readme.org | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 ansible/readme.org diff --git a/ansible/readme.org b/ansible/readme.org new file mode 100644 index 0000000..076d32d --- /dev/null +++ b/ansible/readme.org @@ -0,0 +1,3 @@ +* setup from scratch: +~ansible-playbook -i hosts.yml all.yml --ask-vault-pass --ask-become-pass~ + -- 2.36.4 From e2839fc3819fb94f1e855a32124204c92ba10b0b Mon Sep 17 00:00:00 2001 From: jowj Date: Wed, 8 Jan 2020 17:11:43 -0600 Subject: [PATCH 07/19] update idiot syntax of existing wg vpn readme. --- ansible/roles/wg_vpn/README.md | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/ansible/roles/wg_vpn/README.md b/ansible/roles/wg_vpn/README.md index 1c08054..58d4497 100644 --- a/ansible/roles/wg_vpn/README.md +++ b/ansible/roles/wg_vpn/README.md 
@@ -15,19 +15,15 @@ A description of the settable variables for this role should go here, including shit i'm still fixing ----------------- +---------------------- - its not actually working yet - mobile device seems like it connects - but i can't browse around. - arch tasks suck because ansible + pacman is bad. +- - -Example Playbook ----------------- - -I don't know what to put here because i don't understand how roles work lmao - `ansible-playbook -i ../hosts.yml tasks/main.yml -v` - +misc +---- useful for generating mobile device configs: qrencode -t ansiutf8 < /etc/wireguard/mobile.conf License -- 2.36.4 From 866908df2c24711d778be71d6c3d3aba5d89f590 Mon Sep 17 00:00:00 2001 From: jowj Date: Sun, 12 Jan 2020 17:10:05 -0600 Subject: [PATCH 08/19] Add new play for configuring cloud vpn server. --- ansible/cloud_wg.yml | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 ansible/cloud_wg.yml diff --git a/ansible/cloud_wg.yml b/ansible/cloud_wg.yml new file mode 100644 index 0000000..680b462 --- /dev/null +++ b/ansible/cloud_wg.yml @@ -0,0 +1,8 @@ +--- + +- name: cloud wg config + hosts: vpn + tasks: + - debug: msg="Deploying wg to cloud server" + roles: + - { name: wg_vpn } -- 2.36.4 From 0872b919ac303965107013b3fed33a64bb505898 Mon Sep 17 00:00:00 2001 From: jowj Date: Sun, 12 Jan 2020 17:10:20 -0600 Subject: [PATCH 09/19] Add cloud vpn play to all.yml. --- ansible/all.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ansible/all.yml b/ansible/all.yml index a62ebe9..4fc5b94 100644 --- a/ansible/all.yml +++ b/ansible/all.yml @@ -12,3 +12,10 @@ - debug: msg="Deploying wg." roles: - { name: wg_vpn } + +- name: cloud wg config + hosts: vpn + tasks: + - debug: msg="Deploying wg to cloud server" + roles: + - { name: wg_vpn } -- 2.36.4 From c0f80848c32b29234767d92475b453dc67bd4641 Mon Sep 17 00:00:00 2001 
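Review bot: The play sets no `become:`, yet the wg_vpn role it applies writes under /etc/apt and /etc/wireguard, changes sysctls and starts a systemd unit, and patch 04 dropped the `become: yes` that the old includes carried; the `become: yes` in group_vars/all/main.yml is an ordinary inventory variable, not the play keyword, so escalation only happens if ansible.cfg (not in this series) turns it on. Add `become: true` under `hosts: vpn`. Also, `roles:` always run before `tasks:` regardless of their order in the file, so the debug line prints after the role has finished; use `pre_tasks:` if it is meant as a banner.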
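Review bot: The added play is a copy of the one directly above it with only `hosts: vpn` changed, and since patch 04 wg_vpn is a server role (unstable apt source, IP forwarding, `wg-quick@wg0` rendered with the server private key), so every group the role is applied to becomes a forwarding relay using the same key. The earlier play's `hosts:` line is outside this hunk; if that group is not meant to be a second relay, drop wg_vpn from it or fold `vpn` into its host pattern instead of adding a duplicate play.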
From: jowj Date: Sun, 12 Jan 2020 17:10:39 -0600 Subject: [PATCH 10/19] Remove unnecessary header info from apt installs. --- ansible/roles/wg_vpn/tasks/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/ansible/roles/wg_vpn/tasks/main.yml b/ansible/roles/wg_vpn/tasks/main.yml index 60ebb53..2560223 100644 --- a/ansible/roles/wg_vpn/tasks/main.yml +++ b/ansible/roles/wg_vpn/tasks/main.yml @@ -9,12 +9,10 @@ - name: install wireguard apt: - # hardcoded header here is for digital oceans :( name: - wireguard - build-essential - dkms - - linux-headers-4.19.0-6-cloud-amd64 update_cache: yes state: latest -- 2.36.4 From 86accf4a2bba7b94e69e65a80f2061a9befdfc89 Mon Sep 17 00:00:00 2001 From: jowj Date: Sun, 12 Jan 2020 17:10:58 -0600 Subject: [PATCH 11/19] Add ios.conf template. this does not currently work. --- ansible/roles/wg_vpn/templates/ios.conf | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 ansible/roles/wg_vpn/templates/ios.conf diff --git a/ansible/roles/wg_vpn/templates/ios.conf b/ansible/roles/wg_vpn/templates/ios.conf new file mode 100644 index 0000000..7da6b00 --- /dev/null +++ b/ansible/roles/wg_vpn/templates/ios.conf 
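Review bot: Removing `linux-headers-4.19.0-6-cloud-amd64` while keeping `dkms` and `build-essential` leaves the module build with no headers: at this date the Debian `wireguard` package pulls `wireguard-dkms` on any kernel without the in-tree module, and dkms skips the build with only a warning when headers are absent, so apt succeeds but `wg-quick up` later fails on a missing module. Replace the hard-coded name with `linux-headers-{{ ansible_kernel }}` (gather_facts defaults to true) instead of dropping it; if the target kernel is known to ship the module, remove `dkms` and `build-essential` as well so the role stops installing a compiler it never uses.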
@@ -0,0 +1,25 @@ +[Interface] +PrivateKey = {{ wireguard_clients['matrix']['privkey'] }} +Address = {{ wireguard_vpn_network | ipsubnet(32, client.offset) }} + +[Peer] +PublicKey = {{ wireguard_server_pubkey }} +Endpoint = vpn.awful.club:51820 +AllowedIPs = 0.0.0.0/0 + +{% for client in wireguard_clients %} +[Peer] +# {{ client.name }} +PublicKey = {{ client.pubkey }} +{# + We want the Address field here to be an IP address + withOUT the whole network in CIDR notation, like 10.0.0.15/32. + + If wireguard_vpn_network is a CIDR network like 10.0.0.0/24, + and client.offset is an integer like 15, + this will produce an offset of the start of the network with a /32 CIDR prefix + which in this case will be the desired 10.0.0.15/32. +#} +AllowedIPs = {{ wireguard_vpn_network | ipsubnet(32, client.offset) }} + +{% endfor %} -- 2.36.4 From 37a4c1734377f1acd7dc9a02445674b37f299761 Mon Sep 17 00:00:00 2001 From: jowj Date: Sun, 12 Jan 2020 17:11:16 -0600 Subject: [PATCH 12/19] Add an example ios config to allow easier testing / manual configs - only useful until i actually automate the idiot config process. --- ansible/roles/wg_vpn/templates/ios_example.conf | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 ansible/roles/wg_vpn/templates/ios_example.conf diff --git a/ansible/roles/wg_vpn/templates/ios_example.conf b/ansible/roles/wg_vpn/templates/ios_example.conf new file mode 100644 index 0000000..4cbfa81 --- /dev/null +++ b/ansible/roles/wg_vpn/templates/ios_example.conf @@ -0,0 +1,8 @@ +[Interface] +PrivateKey = +Address = 10.200.219.10/32 + +[Peer] +PublicKey = e49UyNg/kqPETyT9K6nqIYjtTwlR8hY8Brm/P66xnmo= +Endpoint = vpn.awful.club:51820 +AllowedIPs = 0.0.0.0/0 -- 2.36.4 From 71133f94fc9babe34fc83e80fe92cae4fc8d1017 Mon Sep 17 00:00:00 2001 From: jowj Date: Sun, 12 Jan 2020 17:11:48 -0600 Subject: [PATCH 13/19] Add iptables config lines. --- ansible/roles/wg_vpn/templates/wg0.conf | 3 +++ 1 file changed, 3 insertions(+) 
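Review bot: `AllowedIPs = 0.0.0.0/0` captures only IPv4, so on a dual-stack network the phone's IPv6 traffic (including v6 DNS) bypasses the tunnel; the posttasks file removed in patch 01 had `0.0.0.0/0, ::/0`, and the client template should keep it: `AllowedIPs = 0.0.0.0/0, ::/0`. The `{% for %}` block also lists every other client as a peer with a /32 and no `Endpoint`; WireGuard routes by longest matching AllowedIPs prefix, so traffic to those addresses is handed to a peer that can never be reached instead of to the relay, and the block should go. As the commit message admits the template does not render yet: `wireguard_clients` is a list, so `wireguard_clients['matrix']` fails, and `client.offset` is undefined outside the loop.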
diff --git a/ansible/roles/wg_vpn/templates/wg0.conf b/ansible/roles/wg_vpn/templates/wg0.conf
index 8fee6e8..c6f54db 100644
--- a/ansible/roles/wg_vpn/templates/wg0.conf
+++ b/ansible/roles/wg_vpn/templates/wg0.conf
@@ -12,6 +12,9 @@ PrivateKey = {{ wireguard_server_privkey }}
 Address = {{ wireguard_vpn_network | ipaddr(wireguard_server_offset) }}
 ListenPort = {{ wireguard_server_listen_port }}
 
+PostUp = iptables -A FORWARD -i wgnet0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i wgnet0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
 {% for client in wireguard_clients %}
 [Peer]
 # {{ client.name }}
-- 
2.36.4

From e40b68e6237e42d5439a65f2d0b02ab178de47a8 Mon Sep 17 00:00:00 2001
From: jowj
Date: Mon, 13 Jan 2020 16:27:33 -0600
Subject: [PATCH 14/19] Fix the idiot mistakes i made in postup/down rules.

- you'll note i fucked up interface name
- and missing an argument :(

---
 ansible/roles/wg_vpn/templates/wg0.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ansible/roles/wg_vpn/templates/wg0.conf b/ansible/roles/wg_vpn/templates/wg0.conf
index c6f54db..83090e3 100644
--- a/ansible/roles/wg_vpn/templates/wg0.conf
+++ b/ansible/roles/wg_vpn/templates/wg0.conf
@@ -12,8 +12,8 @@ PrivateKey = {{ wireguard_server_privkey }}
 Address = {{ wireguard_vpn_network | ipaddr(wireguard_server_offset) }}
 ListenPort = {{ wireguard_server_listen_port }}
 
-PostUp = iptables -A FORWARD -i wgnet0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-PostDown = iptables -D FORWARD -i wgnet0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
 
 {% for client in wireguard_clients %}
 [Peer]
-- 
2.36.4
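Review bot: The NAT rule hard-codes `-o eth0` while defaults/main.yml introduced `wireguard_server_lan_interface` (default `enp3s0`) for exactly this and never uses it; one of the two names is wrong for the relay, and a wrong egress interface means clients get no NAT at all. Reference the variable, `-o {{ wireguard_server_lan_interface }}`, and set its default either to the relay's real uplink or to `{{ ansible_default_ipv4.interface }}` so the template and the defaults cannot disagree.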
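Review bot: Both FORWARD accepts and the MASQUERADE are unscoped, so the relay forwards and NATs anything that reaches it, and the new `-o %i -j ACCEPT` admits any packet routed toward the tunnel regardless of connection state, where the rules in the deleted pretasks_debian.yml were at least stateful. Scope them to the tunnel network and keep return traffic stateful: `PostUp = iptables -A FORWARD -i %i -s {{ wireguard_vpn_network }} -j ACCEPT; iptables -A FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -A POSTROUTING -s {{ wireguard_vpn_network }} -o eth0 -j MASQUERADE`, with PostDown mirroring it using `-D`. Client-to-client traffic through the relay still passes because it arrives on `%i` and matches the first rule.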
From 1ea0ab843787b58085c86767e406cd92214209e4 Mon Sep 17 00:00:00 2001 From: jowj Date: Mon, 13 Jan 2020 19:51:45 -0600 Subject: [PATCH 15/19] Add DNS entry to config; without this the 'route all traffic' part: - won't work - will be really frustrating. --- ansible/roles/wg_vpn/templates/ios.conf | 3 ++- ansible/roles/wg_vpn/templates/ios_example.conf | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/ansible/roles/wg_vpn/templates/ios.conf b/ansible/roles/wg_vpn/templates/ios.conf index 7da6b00..bf714de 100644 --- a/ansible/roles/wg_vpn/templates/ios.conf +++ b/ansible/roles/wg_vpn/templates/ios.conf @@ -1,7 +1,8 @@ [Interface] PrivateKey = {{ wireguard_clients['matrix']['privkey'] }} Address = {{ wireguard_vpn_network | ipsubnet(32, client.offset) }} - +DNS = 1.1.1.1 + [Peer] PublicKey = {{ wireguard_server_pubkey }} Endpoint = vpn.awful.club:51820 diff --git a/ansible/roles/wg_vpn/templates/ios_example.conf b/ansible/roles/wg_vpn/templates/ios_example.conf index 4cbfa81..e7e27db 100644 --- a/ansible/roles/wg_vpn/templates/ios_example.conf +++ b/ansible/roles/wg_vpn/templates/ios_example.conf @@ -1,7 +1,8 @@ [Interface] PrivateKey = Address = 10.200.219.10/32 - +DNS = 1.1.1.1 + [Peer] PublicKey = e49UyNg/kqPETyT9K6nqIYjtTwlR8hY8Brm/P66xnmo= Endpoint = vpn.awful.club:51820 -- 2.36.4 From ec8ea3208962537264ab23c95070c26697c4df02 Mon Sep 17 00:00:00 2001 From: jowj Date: Tue, 14 Jan 2020 15:42:22 -0600 Subject: [PATCH 16/19] Add ability to deploy matrix client from ansible - add client_matrix.yml play - add new ios.conf template - update main.yml task to include matrix.conf template deploy and tags. --- ansible/client_matrix.yml | 8 ++++++++ ansible/roles/wg_vpn/tasks/main.yml | 6 ++++++ ansible/roles/wg_vpn/templates/ios.conf | 21 ++------------------- 3 files changed, 16 insertions(+), 19 deletions(-) create mode 100644 ansible/client_matrix.yml 
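Review bot: `DNS = 1.1.1.1` is now hard-coded in both client templates, which will drift as soon as one is edited; add `wireguard_client_dns: 1.1.1.1` to defaults/main.yml and render `DNS = {{ wireguard_client_dns }}` so the resolver is a single knob. The `+ ` line following it looks like the blank line being re-added with a trailing space; strip it so the rendered config carries no stray whitespace.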
diff --git a/ansible/client_matrix.yml b/ansible/client_matrix.yml new file mode 100644 index 0000000..283a0b0 --- /dev/null +++ b/ansible/client_matrix.yml @@ -0,0 +1,8 @@ +--- + +- name: generate ios client config + hosts: dev #localhost + tasks: + - debug: msg="generate phone config" + roles: + - { name: wg_vpn } diff --git a/ansible/roles/wg_vpn/tasks/main.yml b/ansible/roles/wg_vpn/tasks/main.yml index 2560223..9706864 100644 --- a/ansible/roles/wg_vpn/tasks/main.yml +++ b/ansible/roles/wg_vpn/tasks/main.yml @@ -32,3 +32,9 @@ - name: Start wireguard service: name=wg-quick@wg0.service enabled=yes state=started + +- name: Create matrix.conf file in ~/wireguard/. + template: src=ios.conf dest=/etc/wireguard/ owner=root mode=0600 + tags: + - clients + - client_matrix diff --git a/ansible/roles/wg_vpn/templates/ios.conf b/ansible/roles/wg_vpn/templates/ios.conf index bf714de..79fadf2 100644 --- a/ansible/roles/wg_vpn/templates/ios.conf +++ b/ansible/roles/wg_vpn/templates/ios.conf @@ -1,26 +1,9 @@ [Interface] -PrivateKey = {{ wireguard_clients['matrix']['privkey'] }} -Address = {{ wireguard_vpn_network | ipsubnet(32, client.offset) }} +PrivateKey = {{ wireguard_clients[0]['privkey'] }} +Address = {{ wireguard_vpn_network | ipsubnet(32, wireguard_clients[0]['offset']) }} DNS = 1.1.1.1 [Peer] PublicKey = {{ wireguard_server_pubkey }} Endpoint = vpn.awful.club:51820 AllowedIPs = 0.0.0.0/0 - -{% for client in wireguard_clients %} -[Peer] -# {{ client.name }} -PublicKey = {{ client.pubkey }} -{# - We want the Address field here to be an IP address - withOUT the whole network in CIDR notation, like 10.0.0.15/32. - - If wireguard_vpn_network is a CIDR network like 10.0.0.0/24, - and client.offset is an integer like 15, - this will produce an offset of the start of the network with a /32 CIDR prefix - which in this case will be the desired 10.0.0.15/32. -#} -AllowedIPs = {{ wireguard_vpn_network | ipsubnet(32, client.offset) }} - -{% endfor %} -- 2.36.4 
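Review bot: Applying the whole wg_vpn role to `dev` runs every untagged server task on the workstation — adding the Debian unstable apt source, enabling IPv4/IPv6 forwarding and starting `wg-quick@wg0` with the server's private key — whenever the play is run without `--tags`, since only the final template task is tagged. Gate the server tasks with `tags: [server]` and `when: "'vpn' in group_names"`, or move client rendering into its own task file included with `tags: [clients]` so this play never reaches the server path. The play also sets no `become:`, which the role's `/etc/wireguard/` destination requires.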
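Review bot: `dest=/etc/wireguard/` is a directory, so the rendered file lands as /etc/wireguard/ios.conf while the task name promises matrix.conf in ~/wireguard/; make the destination explicit and set the group: `template: src=ios.conf dest=/etc/wireguard/matrix.conf owner=root group=root mode=0600`. The task writes a client private key to disk, so add `no_log: true` to keep the contents out of `--diff` output and verbose logs. The tag is `client_matrix`, but the readme added later in this series passes `--tags matrix_client`; a tag that matches nothing runs zero tasks without any error, so the two must agree.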
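Review bot: `wireguard_clients[0]` selects the matrix client purely by list position, so reordering or inserting an entry in group_vars silently issues another client's private key and address under this config name. Select by name instead: `{% set me = wireguard_clients | selectattr('name', 'equalto', 'matrix') | first %}` then `PrivateKey = {{ me.privkey }}` and `Address = {{ wireguard_vpn_network | ipsubnet(32, me.offset) }}`. The `Endpoint` still hard-codes `51820` although `wireguard_server_listen_port` exists, and `AllowedIPs` still lacks `::/0`, so IPv6 bypasses the tunnel on dual-stack networks.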
From 532c5b97727bb2da7840980fa15d97bb4dad37e0 Mon Sep 17 00:00:00 2001 From: jowj Date: Tue, 14 Jan 2020 15:43:22 -0600 Subject: [PATCH 17/19] Update the ansible_connection for localhost to local - why the /fuck/ is this not the default aaaaaah --- ansible/hosts.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/hosts.yml b/ansible/hosts.yml index 0ae563f..951bbf5 100644 --- a/ansible/hosts.yml +++ b/ansible/hosts.yml @@ -9,6 +9,7 @@ all: dev: hosts: localhost: + ansible_connection: local onprem_clients: hosts: hydra-ling: -- 2.36.4 From 78fb60952f86c1d091c8dcedd193dbef33efc466 Mon Sep 17 00:00:00 2001 From: jowj Date: Tue, 14 Jan 2020 15:43:52 -0600 Subject: [PATCH 18/19] Provide readme for how to use the client_matrix.yml play. --- ansible/readme.org | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ansible/readme.org b/ansible/readme.org index 076d32d..c8ea780 100644 --- a/ansible/readme.org +++ b/ansible/readme.org @@ -1,3 +1,9 @@ * setup from scratch: ~ansible-playbook -i hosts.yml all.yml --ask-vault-pass --ask-become-pass~ + +* wg + +** clients +you probably want to deploy clients individually most of the time. to do that, provide a tag, like: +~ansible-playbook -i hosts.yml client_matrix.yml --ask-vault-pass --ask-become-pass --tags matrix_client~ -- 2.36.4 From 048ebc903a2232a7a1282560e62a7508d0e59530 Mon Sep 17 00:00:00 2001 From: jowj Date: Fri, 17 Jan 2020 12:39:30 -0600 Subject: [PATCH 19/19] Add mosh package to sys_packages vars. --- ansible/roles/droplets/tasks/serverbuild.yml | 2 +- ansible/roles/home-net/vars/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/roles/droplets/tasks/serverbuild.yml b/ansible/roles/droplets/tasks/serverbuild.yml index 1f9615c..cc6c719 100644 --- a/ansible/roles/droplets/tasks/serverbuild.yml +++ b/ansible/roles/droplets/tasks/serverbuild.yml 
@@ -4,7 +4,7 @@ vars: create_user: josiah copy_local_key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/digitalocean.pub') }}" - sys_packages: [ 'curl', 'vim', 'git', 'fail2ban' ] + sys_packages: [ 'curl', 'vim', 'git', 'fail2ban', 'mosh' ] tasks: - name: Make sure we have a 'sudo' group diff --git a/ansible/roles/home-net/vars/main.yml b/ansible/roles/home-net/vars/main.yml index 0b7eb25..0ba8d59 100644 --- a/ansible/roles/home-net/vars/main.yml +++ b/ansible/roles/home-net/vars/main.yml @@ -1 +1 @@ -sys_packages: [ 'curl', 'vim', 'git', '', 'emacs', 'build-essential' ] +sys_packages: [ 'curl', 'vim', 'git', '', 'emacs', 'build-essential', 'mosh' ] -- 2.36.4
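Review bot: `mosh` only works if the droplet admits UDP 60000–61000 in addition to 22/tcp, and nothing in this series opens that range; if the droplet's firewall (not shown here) is restricted to SSH, the package installs but every session stalls on connect. Either open the range where the droplet firewall is managed, or pin mosh to a narrower `-p` range and open only that.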
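Review bot: The list still carries an empty `''` element between `'git'` and `'emacs'`, a leftover that hands an empty package name to whatever installs `sys_packages`; how the apt module treats an empty name varies by version, so the outcome is host-dependent. Drop it while touching the line: `sys_packages: [ 'curl', 'vim', 'git', 'emacs', 'build-essential', 'mosh' ]`.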