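---
# playbook to go from a "base configured" server to a wg vpn peer
#
# Overview: turn the Debian relay host (group "vpn") into a WireGuard server,
# generate a second key pair on the local (Arch) workstation, write both
# wg0.conf files, then bring the tunnel up on both ends and ping across it.
#
# Tasks prefixed "(local)" run on the controller via delegate_to: localhost.
# Private keys never leave the machine that generated them: only the public
# key files are read back (register) and exchanged between the two configs.
- hosts: vpn
  remote_user: josiah
  gather_facts: false
  become: true
  tasks:
    # ---- package setup on the relay ------------------------------------
    - name: add unstable to repos
      # copy is idempotent; the previous shell echo rewrote the file on every run
      copy:
        dest: /etc/apt/sources.list.d/unstable.list
        content: "deb http://deb.debian.org/debian/ unstable main\n"
        mode: "0644"

    - name: pin unstable below the default release
      # a pin priority under 100 means unstable is only used for packages
      # that have no other candidate (i.e. wireguard), not for upgrades
      copy:
        dest: /etc/apt/preferences.d/limit-unstable
        content: |
          Package: *
          Pin: release a=unstable
          Pin-Priority: 90
        mode: "0644"

    - name: Update aptitude
      apt:
        update_cache: true

    - name: install wireguard
      apt:
        name: wireguard
        state: latest

    - name: install linux headers (necessary on older cloud kernels (fuck u digitalocean))
      # the kernel version is hard coded because this is what DO currently uses
      # and that's what i use. The headers must match the running kernel for
      # the dkms build to be of any use; gather_facts is off, so ansible_kernel
      # is not available to derive the package name automatically.
      apt:
        name: linux-headers-4.19.0-6-cloud-amd64

    - name: install misc other things the internet says i need
      # one task instead of three: same packages, a single apt run
      apt:
        name:
          - build-essential
          - dkms
          - openresolv

    # ---- routing and firewall on the relay -----------------------------
    - name: enable kernel relay/forwarding
      # the sysctl module sets the key once and reloads; the old shell version
      # appended a duplicate line to /etc/sysctl.conf on every run and called
      # sudo from an already-privileged (become) task
      sysctl:
        name: "{{ item }}"
        value: "1"
        sysctl_set: true
        reload: true
      loop:
        - net.ipv4.ip_forward
        - net.ipv4.conf.all.proxy_arp

    # the iptables module checks for an existing rule before appending, so
    # reruns do not stack duplicate rules. Rules are still not persisted
    # across a reboot (the original shell version did not persist them either).
    - name: accept established/related traffic inbound
      iptables:
        chain: INPUT
        ctstate: [RELATED, ESTABLISHED]
        jump: ACCEPT

    - name: accept established/related traffic being forwarded
      iptables:
        chain: FORWARD
        ctstate: [RELATED, ESTABLISHED]
        jump: ACCEPT

    - name: allow new connections between wg peers
      iptables:
        chain: FORWARD
        in_interface: wg0
        out_interface: wg0
        ctstate: [NEW]
        jump: ACCEPT

    - name: masquerade tunnel traffic leaving eth0
      iptables:
        table: nat
        chain: POSTROUTING
        source: 10.200.219.0/24
        out_interface: eth0
        jump: MASQUERADE

    # ---- wireguard on the relay ----------------------------------------
    - name: ensure /etc/wireguard/ exists
      file:
        path: /etc/wireguard/
        state: directory
        mode: "0700"

    - name: Generate keys
      # umask has to be set inside the script: the `vars: umask: "077"` the
      # task used to carry only defined an unused ansible variable, so the
      # private key file was created under the default umask. `creates`
      # keeps an existing key pair instead of regenerating it on every run
      # (which would silently invalidate the peer entry on the other side).
      shell: |
        umask 077
        printf "[Interface]\nPrivateKey = " > /etc/wireguard/wg0.conf
        wg genkey | tee -a /etc/wireguard/wg0.conf | wg pubkey > /etc/wireguard/publickey
      args:
        creates: /etc/wireguard/wg0.conf

    - name: register publickey for later use
      command: cat /etc/wireguard/publickey
      register: server_publickey
      changed_when: false

    # install wg, generate keys, files on local machine
    - name: (local) install wg (i use) arch (btw)
      # NOTE(review): wireguard-arch was the out-of-tree module package for
      # pre-5.6 kernels; on a current Arch install it may no longer exist in
      # the repos — verify before relying on it
      pacman:
        update_cache: true
        name:
          - wireguard-tools
          - wireguard-arch
        state: present
      delegate_to: localhost

    - name: (local) ensure /etc/wireguard/ exists
      file:
        path: /etc/wireguard/
        state: directory
        mode: "0700"
      delegate_to: localhost

    - name: (local) Generate keys
      # same script as on the relay: umask 077 for the private key, and
      # `creates` so a rerun keeps the existing key pair
      shell: |
        umask 077
        printf "[Interface]\nPrivateKey = " > /etc/wireguard/wg0.conf
        wg genkey | tee -a /etc/wireguard/wg0.conf | wg pubkey > /etc/wireguard/publickey
      args:
        creates: /etc/wireguard/wg0.conf
      delegate_to: localhost

    - name: (local) register publickey for later use
      command: cat /etc/wireguard/publickey
      register: arch_publickey
      changed_when: false
      delegate_to: localhost

    - name: (local) fill out the rest of the wg0.conf file
      # AllowedIPs only lists 0.0.0.0/0, so only IPv4 is routed through the
      # tunnel even though an IPv6 address is assigned. The DNS line is applied
      # by wg-quick through resolvconf; this play installs openresolv on the
      # relay but not here — confirm the workstation has an equivalent.
      blockinfile:
        path: /etc/wireguard/wg0.conf
        block: |
          Address = 10.200.219.2/32, fd86:ea04:1115::2/128
          DNS = 1.1.1.1
          [Peer]
          PublicKey = {{ server_publickey.stdout }}
          Endpoint = vpn.awful.club:51820
          AllowedIPs = 0.0.0.0/0
      delegate_to: localhost

    - name: fill out the rest of the wg0.conf file
      # the workstation key is the only peer; "# name = ..." is a comment
      # inside the wg config, not YAML. NOTE(review): SaveConfig = true makes
      # wg-quick rewrite this file when the interface goes down, which is
      # likely to drop the blockinfile markers and cause the block to be
      # appended again on the next run — confirm that is acceptable.
      blockinfile:
        path: /etc/wireguard/wg0.conf
        block: |
          Address = 10.200.219.1/24
          Address = fd86:ea04:1115::1/64
          ListenPort = 51820
          SaveConfig = true
          [Peer]
          # name = luggable-laptop
          PublicKey = {{ arch_publickey.stdout }}
          AllowedIPs = 10.200.219.2/32, fd86:ea04:1115::2/128

    # ---- bring the tunnel up -------------------------------------------
    - name: bring wg up on the relay node
      # /sys/class/net/wg0 exists once the interface is up, so a rerun skips
      # this instead of failing with "wg0 already exists"
      command: wg-quick up /etc/wireguard/wg0.conf
      args:
        creates: /sys/class/net/wg0

    - name: test if wg is up on relay
      # pings the relay's own tunnel address; a failure here stops the play
      command: ping -c1 10.200.219.1
      register: test_result
      changed_when: false

    - name: (local) bring wg up on local
      command: wg-quick up wg0
      args:
        creates: /sys/class/net/wg0
      delegate_to: localhost

    - name: (local) test if it worked on local
      command: ping -c1 10.200.219.2
      register: test_result_local
      changed_when: false
      delegate_to: localhost

    - name: Test tunnel
      # the only check that actually crosses the tunnel; kept non-fatal as before
      command: ping -c1 10.200.219.1
      register: test_tunnel_local
      changed_when: false
      ignore_errors: true
      delegate_to: localhost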