a bunch of updates, with some new ways of doing old things
- no one agreeing on iptables vs ufw vs nftables is confusing.
This commit is contained in:
parent
d25fb5e79f
commit
8b1da104f8
@ -6,6 +6,8 @@
|
|||||||
become: yes
|
become: yes
|
||||||
vars:
|
vars:
|
||||||
vpn_packages: [ 'strongswan','strongswan-pki','ufw' ]
|
vpn_packages: [ 'strongswan','strongswan-pki','ufw' ]
|
||||||
|
remote_host: 165.22.156.25
|
||||||
|
local_host: 0.0.0.0
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: Update apt
|
- name: Update apt
|
||||||
@ -14,31 +16,23 @@
|
|||||||
- name: Install required system packages
|
- name: Install required system packages
|
||||||
apt: name={{ vpn_packages }} state=latest
|
apt: name={{ vpn_packages }} state=latest
|
||||||
|
|
||||||
- name: Build temp pki dir structure - cacerts
|
- name: set kernel params
|
||||||
shell: mkdir -p ~/pki/cacerts
|
shell: |
|
||||||
- name: Build temp pki dir structure - certs
|
cat >> /etc/sysctl.conf << EOF
|
||||||
shell: mkdir -p ~/pki/certs
|
net.ipv4.ip_forward = 1
|
||||||
- name: Build temp pki dir structure - private and set perms
|
net.ipv4.conf.all.accept_redirects = 0
|
||||||
shell: mkdir -p ~/pki/private && chmod 700 ~/pki
|
net.ipv4.conf.all.send_redirects = 0
|
||||||
|
EOF
|
||||||
|
|
||||||
- name: Generate root key 4096 bit RSA
|
- name: save kernel params
|
||||||
shell: ipsec pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/awful-ca-key.pem
|
shell: sysctl -p /etc/sysctl.conf
|
||||||
|
|
||||||
|
- name: Generate preshared key
|
||||||
|
shell: openssl rand -hex 32
|
||||||
|
register: awful_psk
|
||||||
|
|
||||||
- name: Create root cert authority & sign with root key
|
- debug:
|
||||||
become_method: sudo
|
msg: got this key {{ awful_psk }}
|
||||||
shell: ipsec pki --self --ca --lifetime 3650 --in ~/pki/private/awful-ca-key.pem --type rsa --dn "CN=vpn.awful.club" --outform pem > ~/pki/cacerts/awful-ca-cert.pem
|
|
||||||
|
|
||||||
- name: Generate cert for the VPN host
|
|
||||||
shell: ipsec pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/awful-server-key.pem
|
|
||||||
|
|
||||||
- name: Create & sign VPN server cert with CA cert.
|
|
||||||
shell: ipsec pki --pub --in ~/pki/private/awful-server-key.pem --type rsa | ipsec pki --issue --lifetime 1825 --cacert ~/pki/cacerts/awful-ca-cert.pem --cakey ~/pki/private/awful-ca-key.pem --dn "CN=vpn.awful.club" --san "vpn.awful.club" --flag serverAuth --flag ikeIntermediate --outform pem > ~/pki/certs/awful-server-cert.pem
|
|
||||||
|
|
||||||
- name: move temp pki dir structure to proper /etc/ipsec.d/ dir
|
|
||||||
shell: sudo cp -r ~/pki/* /etc/ipsec.d/
|
|
||||||
|
|
||||||
- name: make backup of default sswan conf file
|
|
||||||
shell: sudo mv /etc/ipsec.conf /etc/ipsec.conf.original
|
|
||||||
|
|
||||||
- name: Copy my ipsec.conf file to the VPN host
|
- name: Copy my ipsec.conf file to the VPN host
|
||||||
# this file does a lot. view more info in the readme.md
|
# this file does a lot. view more info in the readme.md
|
||||||
@ -48,81 +42,17 @@
|
|||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
|
||||||
- name: Copy my ipsec.secrets file to the VPN host
|
- name: remove existing ipsec.secerts
|
||||||
# this file does a lot. view more info in the readme.md
|
shell: rm /etc/ipsec.secrets
|
||||||
copy:
|
|
||||||
src: ipsec.secrets
|
|
||||||
dest: /etc/ipsec.secrets
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
|
|
||||||
- name: restart strongswan
|
- name: create ipsec.secrets with psk info
|
||||||
shell: systemctl restart strongswan
|
shell: |
|
||||||
|
cat >> /etc/ipsec.secrets << EOF
|
||||||
- name: allow SSH connections
|
{{ remote_host }} {{local_host}}: PSK "{{awful_psk.stdout}}"
|
||||||
ufw:
|
EOF
|
||||||
rule: allow
|
|
||||||
name: OpenSSH
|
|
||||||
|
|
||||||
- name: Deny everything and enable UFW
|
|
||||||
ufw:
|
|
||||||
state: enabled
|
|
||||||
policy: deny
|
|
||||||
|
|
||||||
- name: rate limit ssh connections
|
|
||||||
ufw:
|
|
||||||
rule: limit
|
|
||||||
port: ssh
|
|
||||||
proto: tcp
|
|
||||||
|
|
||||||
- name: Allow all access from RFC1918 networks to this host
|
|
||||||
ufw:
|
|
||||||
rule: allow
|
|
||||||
src: '{{ item }}'
|
|
||||||
loop:
|
|
||||||
- 10.0.0.0/8
|
|
||||||
- 172.16.0.0/12
|
|
||||||
- 192.168.0.0/16
|
|
||||||
|
|
||||||
|
|
||||||
- name: Allow tcp ipsec ports
|
|
||||||
ufw:
|
|
||||||
rule: allow
|
|
||||||
port: 500
|
|
||||||
port: 4500
|
|
||||||
proto: tcp
|
|
||||||
|
|
||||||
- name: Allow udp ipsec ports
|
|
||||||
ufw:
|
|
||||||
rule: allow
|
|
||||||
port: 4500
|
|
||||||
port: 500
|
|
||||||
proto: udp
|
|
||||||
|
|
||||||
- name: copy local before.rules to vpn host
|
|
||||||
copy:
|
|
||||||
src: before.rules
|
|
||||||
dest: /etc/ufw/before.rules
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
|
|
||||||
- name: copy local sysctl.conf to vpn host
|
- name: update route rules
|
||||||
copy:
|
shell: iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 10.138.0.0/16 -j MASQUERADE
|
||||||
src: sysctl.conf
|
|
||||||
dest: /etc/ufw/sysctl.conf
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
|
|
||||||
- name: disable ufw to save config
|
# - name: copy psk down to local machine
|
||||||
ufw:
|
# local_action: copy_content={{ awful_psk }} dest=psk.txt
|
||||||
state: disabled
|
|
||||||
|
|
||||||
- name: reload ufw to activate changes
|
|
||||||
ufw:
|
|
||||||
state: enabled
|
|
||||||
|
|
||||||
- name: Copy ca-cert down to local machine
|
|
||||||
fetch:
|
|
||||||
src: /etc/ipsec.d/cacerts/awful-ca-cert.pem
|
|
||||||
dest: awful-ca-cert.pem
|
|
||||||
flat: yes
|
|
||||||
|
Loading…
Reference in New Issue
Block a user