diff --git a/playbooks/01-vpn.yml b/playbooks/01-vpn.yml
deleted file mode 100644
index 1315e52..0000000
--- a/playbooks/01-vpn.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: Configure VPN network
- hosts: asgard
-
- tasks:
- - import_tasks: tasks/vpn/wireguard.yml
diff --git a/playbooks/filesystem/valkyrie/etc/network/interfaces.d/wg0.j2 b/playbooks/filesystem/valkyrie/etc/network/interfaces.d/wg0.j2
deleted file mode 100644
index 69587e2..0000000
--- a/playbooks/filesystem/valkyrie/etc/network/interfaces.d/wg0.j2
+++ /dev/null
@@ -1,18 +0,0 @@
-auto wg0
-iface wg0 inet static
- pre-up ip link add $IFACE type wireguard
- pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
- pre-up ip link set mtu 1420 dev $IFACE
-
- post-up /usr/local/sbin/post-up-$IFACE-inet.nft
- post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
- post-up ip route add {{ vpn_remote_br0_subnet }} dev $IFACE
-
- pre-down ip route del {{ vpn_remote_br0_subnet }} dev $IFACE
- pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
- pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
-
- post-down ip link del dev $IFACE
-
- address {{ vpn_wg0_address }}
- netmask {{ vpn_wg0_netmask }}
diff --git a/playbooks/filesystem/valkyrie/etc/wireguard/wg0.conf.j2 b/playbooks/filesystem/valkyrie/etc/wireguard/wg0.conf.j2
deleted file mode 100644
index 6e79773..0000000
--- a/playbooks/filesystem/valkyrie/etc/wireguard/wg0.conf.j2
+++ /dev/null
@@ -1,8 +0,0 @@
-[Interface]
-PrivateKey = {{ vpn_wg0_interface_private_key }}
-ListenPort = {{ vpn_wg0_port }}
-
-[Peer]
-PublicKey = {{ vpn_wg0_peer_public_key }}
-PresharedKey = {{ vpn_wg0_preshared_key }}
-AllowedIPs = {{ vpn_wg0_subnet }},{{ vpn_remote_br0_subnet }}
diff --git a/playbooks/filesystem/yggdrasil/etc/network/interfaces.d/wg0.j2 b/playbooks/filesystem/yggdrasil/etc/network/interfaces.d/wg0.j2
deleted file mode 100644
index f73fe19..0000000
--- a/playbooks/filesystem/yggdrasil/etc/network/interfaces.d/wg0.j2
+++ /dev/null
@@ -1,18 +0,0 @@
-auto wg0
-iface wg0 inet static
- pre-up ip link add $IFACE type wireguard
- pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
- pre-up ip link set mtu 1420 dev $IFACE
-
- post-up /usr/local/sbin/post-up-$IFACE-inet.nft
- post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
- post-up ip route add default dev $IFACE table 66
-
- pre-down ip route del default dev $IFACE table 66
- pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
- pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
-
- post-down ip link del dev $IFACE
-
- address {{ vpn_wg0_address }}
- netmask {{ vpn_wg0_netmask }}
diff --git a/playbooks/filesystem/yggdrasil/etc/wireguard/wg0.conf.j2 b/playbooks/filesystem/yggdrasil/etc/wireguard/wg0.conf.j2
deleted file mode 100644
index e436b1a..0000000
--- a/playbooks/filesystem/yggdrasil/etc/wireguard/wg0.conf.j2
+++ /dev/null
@@ -1,9 +0,0 @@
-[Interface]
-PrivateKey = {{ vpn_wg0_interface_private_key }}
-
-[Peer]
-PublicKey = {{ vpn_wg0_peer_public_key }}
-PresharedKey = {{ vpn_wg0_preshared_key }}
-Endpoint = {{ vpn_wg0_endpoint_address }}:{{ vpn_wg0_port }}
-AllowedIPs = 0.0.0.0/0
-PersistentKeepalive = 15
diff --git a/playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-wg0-inet.nft.j2 b/playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-wg0-inet.nft.j2
deleted file mode 100644
index 1351015..0000000
--- a/playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-wg0-inet.nft.j2
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/usr/bin/env -S nft -f
-
-table inet wg0_inet {
- chain forward {
- type filter hook forward priority 0;
- iif wg0 tcp flags syn tcp option maxseg size set rt mtu;
- oif wg0 tcp flags syn tcp option maxseg size set rt mtu;
- }
-}
diff --git a/playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-wg0-ipv4.nft.j2 b/playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-wg0-ipv4.nft.j2
deleted file mode 100644
index 415c126..0000000
--- a/playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-wg0-ipv4.nft.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/usr/bin/env -S nft -f
-
-table ip wg0_ipv4 {
-
-}
diff --git a/playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-wg0-inet.nft.j2 b/playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-wg0-inet.nft.j2
deleted file mode 100644
index 27813e2..0000000
--- a/playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-wg0-inet.nft.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/usr/bin/env -S nft -f
-
-flush table inet wg0_inet
-delete table inet wg0_inet
diff --git a/playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-wg0-ipv4.nft.j2 b/playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-wg0-ipv4.nft.j2
deleted file mode 100644
index 5f6b6b0..0000000
--- a/playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-wg0-ipv4.nft.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/usr/bin/env -S nft -f
-
-flush table ip wg0_ipv4
-delete table ip wg0_ipv4
diff --git a/playbooks/tasks/vpn/wireguard.yml b/playbooks/tasks/vpn/wireguard.yml
deleted file mode 100644
index a37e174..0000000
--- a/playbooks/tasks/vpn/wireguard.yml
+++ /dev/null
@@ -1,53 +0,0 @@
-- name: WireGuard interface configuration
- template:
- src: ./filesystem/{{ ansible_hostname }}/etc/wireguard/wg0.conf.j2
- dest: /etc/wireguard/wg0.conf
- mode: 0600
- register: wg_intf_conf
-
-- name: WireGuard interface post-up nftables inet script
- template:
- src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/post-up-wg0-inet.nft.j2
- dest: /usr/local/sbin/post-up-wg0-inet.nft
- mode: 0755
- register: wg_intf_post_up_inet
-
-- name: WireGuard interface post-up nftables ipv4 script
- template:
- src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/post-up-wg0-ipv4.nft.j2
- dest: /usr/local/sbin/post-up-wg0-ipv4.nft
- mode: 0755
- register: wg_intf_post_up_ipv4
-
-- name: Create WireGuard interface
- template:
- src: ./filesystem/{{ ansible_hostname }}/etc/network/interfaces.d/wg0.j2
- dest: /etc/network/interfaces.d/wg0
- mode: 0644
- validate: >
- bash -c
- 'if ! diff %s /etc/network/interfaces.d/wg0 && ip link show dev wg0 ;
- then
- ifdown wg0 ;
- fi'
- register: wg_intf
-
-- name: Restart WireGuard interface
- shell: if ip link show dev wg0 ; then ifdown wg0 && ifup wg0 ; else ifup wg0 ; fi
- when:
- wg_intf_conf is changed or
- wg_intf_post_up_inet is changed or
- wg_intf_post_up_ipv4 is changed or
- wg_intf is changed
-
-- name: WireGuard interface pre-down nftables inet script
- template:
- src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/pre-down-wg0-inet.nft.j2
- dest: /usr/local/sbin/pre-down-wg0-inet.nft
- mode: 0755
-
-- name: WireGuard interface pre-down nftables ipv4 script
- template:
- src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/pre-down-wg0-ipv4.nft.j2
- dest: /usr/local/sbin/pre-down-wg0-ipv4.nft
- mode: 0755
diff --git a/playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-wg0-inet.nft.j2 b/plays/vpn/roles/bridge/files/wg0/pre-down-wg0-inet.nft
similarity index 100%
rename from playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-wg0-inet.nft.j2
rename to plays/vpn/roles/bridge/files/wg0/pre-down-wg0-inet.nft
diff --git a/playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-wg0-ipv4.nft.j2 b/plays/vpn/roles/bridge/files/wg0/pre-down-wg0-ipv4.nft
similarity index 100%
rename from playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-wg0-ipv4.nft.j2
rename to plays/vpn/roles/bridge/files/wg0/pre-down-wg0-ipv4.nft
diff --git a/plays/vpn/roles/bridge/meta/argument_specs.yml b/plays/vpn/roles/bridge/meta/argument_specs.yml
index 858f9ee..3ca15e0 100644
--- a/plays/vpn/roles/bridge/meta/argument_specs.yml
+++ b/plays/vpn/roles/bridge/meta/argument_specs.yml
@@ -8,7 +8,7 @@ argument_specs:
 local_network:
 type: "str"
 required: false
- vpn_routing_table:
+ vpn_bridge_routing_table:
 type: "int"
 required: true
 vpn_bridge_dnat:
@@ -24,3 +24,28 @@ argument_specs:
 vpn_bridge_br0_netmask:
 type: "str"
 required: true
+ vpn_bridge_role:
+ type: "str"
+ required: true
+ vpn_bridge_wg0_port:
+ type: "int"
+ required: true
+ vpn_bridge_wg0_interface_private_key:
+ type: "str"
+ required: true
+ vpn_bridge_wg0_preshared_key:
+ type: "str"
+ required: true
+ vpn_bridge_wg0_subnet:
+ type: "str"
+ required: true
+ vpn_bridge_wg0_clients:
+ type: "list"
+ elem: "dict"
+ required: "{{ vpn_bridge_role == 'server' }}"
+ vpn_bridge_wg0_server_public_key:
+ type: "str"
+ required: "{{ vpn_bridge_role == 'client' }}"
+ vpn_bridge_wg0_server_address:
+ type: "str"
+ required: "{{ vpn_bridge_role == 'client' }}"
diff --git a/plays/vpn/roles/bridge/tasks/include/br0.yml b/plays/vpn/roles/bridge/tasks/include/br0.yml
index d6a8ff8..9ce22be 100644
--- a/plays/vpn/roles/bridge/tasks/include/br0.yml
+++ b/plays/vpn/roles/bridge/tasks/include/br0.yml
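Review bot: `vpn_bridge_role` in the second argument_specs.yml hunk is a free-form `str`, yet every template in this change branches on it being exactly `server` or `client`, so a typo passes validation and renders a wg0.conf with no `[Peer]` section and a wg0 stanza with no routes; add `choices: ["server", "client"]`. The two secret options, `vpn_bridge_wg0_interface_private_key` and `vpn_bridge_wg0_preshared_key`, should carry `no_log: true` so a spec-validation failure does not echo their values. As far as I can tell the key the validator recognises for list element types is `elements`, not `elem`, so `vpn_bridge_wg0_clients` is currently unchecked; with `elements: "dict"` an `options:` block can also declare the `public_key` and `subnet` keys the templates read. The Jinja strings under `required:` only work if the spec is templated before validation and the result is a real boolean rather than the string "False" — worth confirming against the ansible-core version in use.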
@@ -23,7 +23,7 @@
 then
 ifdown br0 ;
 fi'
- register: vpn_bridge_br0_conf
+ register: vpn_bridge_br0_intf
 
 - name: "br0 : restart interface"
 ansible.builtin.shell: |
@@ -36,7 +36,7 @@
 when:
 vpn_bridge_post_up_br0_inet_nft.changed or
 vpn_bridge_post_up_br0_ipv4_nft.changed or
- vpn_bridge_br0_conf.changed
+ vpn_bridge_br0_intf.changed
 
 - name: "br0 : pre-down nftables inet script"
 ansible.builtin.copy:
diff --git a/plays/vpn/roles/bridge/tasks/include/wg0.yml b/plays/vpn/roles/bridge/tasks/include/wg0.yml
new file mode 100644
index 0000000..479c35e
--- /dev/null
+++ b/plays/vpn/roles/bridge/tasks/include/wg0.yml
@@ -0,0 +1,59 @@
+- name: "wg0 : configure wireguard"
+ ansible.builtin.template:
+ src: "./wg0/wg0.conf.j2"
+ dest: "/etc/wireguard/wg0.conf"
+ mode: 0600
+ register: vpn_bridge_wg0_conf
+
+- name: "wg0 : post-up nftables inet script"
+ ansible.builtin.template:
+ src: "./wg0/post-up-wg0-inet.nft.j2"
+ dest: "/usr/local/sbin/post-up-wg0-inet.nft"
+ mode: 0755
+ register: vpn_bridge_post_up_wg0_inet_nft
+
+- name: "wg0 : post-up nftables ipv4 script"
+ ansible.builtin.template:
+ src: "./wg0/post-up-wg0-ipv4.nft.j2"
+ dest: "/usr/local/sbin/post-up-wg0-ipv4.nft"
+ mode: 0755
+ register: vpn_bridge_post_up_wg0_ipv4_nft
+
+- name: "wg0 : configure interface"
+ ansible.builtin.template:
+ src: "./wg0/wg0.j2"
+ dest: "/etc/network/interfaces.d/wg0"
+ mode: 0644
+ validate: >
+ bash -c
+ 'if ! diff %s /etc/network/interfaces.d/wg0 && ip link show dev wg0 ;
+ then
+ ifdown wg0 ;
+ fi'
+ register: vpn_bridge_wg0_intf
+
+- name: "wg0 : restart interface"
+ ansible.builtin.shell: |
+ if ip link show dev wg0
+ then
+ ifdown wg0 && ifup wg0
+ else
+ ifup wg0
+ fi
+ when:
+ vpn_bridge_wg0_conf.changed or
+ vpn_bridge_post_up_wg0_inet_nft.changed or
+ vpn_bridge_post_up_wg0_ipv4_nft.changed or
+ vpn_bridge_wg0_intf.changed
+
+- name: "wg0 : pre-down nftables inet script"
+ ansible.builtin.copy:
+ src: "./wg0/pre-down-wg0-inet.nft"
+ dest: "/usr/local/sbin/pre-down-wg0-inet.nft"
+ mode: 0755
+
+- name: "wg0 : pre-down nftables ipv4 script"
+ ansible.builtin.copy:
+ src: "./wg0/pre-down-wg0-ipv4.nft"
+ dest: "/usr/local/sbin/pre-down-wg0-ipv4.nft"
+ mode: 0755
diff --git a/plays/vpn/roles/bridge/tasks/main.yml b/plays/vpn/roles/bridge/tasks/main.yml
index a8e844f..9ad34c7 100644
--- a/plays/vpn/roles/bridge/tasks/main.yml
+++ b/plays/vpn/roles/bridge/tasks/main.yml
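Review bot: The "wg0 : configure wireguard" task renders the interface private key and the preshared key, so any run with `--diff` (or `ANSIBLE_DIFF_ALWAYS`) prints both secrets to the controller's output and whatever collects it; the file's `mode: 0600` does not cover that. Add `diff: false` to that task (and `no_log: true` if you prefer to hide the task result entirely). The two pre-down script tasks are placed after "wg0 : restart interface", so the `ifdown` issued by the `validate:` command or by the restart runs whichever pre-down script a previous run left behind; moving them above the restart keeps the down/up cycle on the scripts being deployed. Quoting the modes (`mode: "0600"`, `mode: "0755"`) avoids depending on YAML 1.1 octal parsing.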
@@ -1,3 +1,6 @@
 - name: "play:vpn : role:bridge : tasks:br0"
 ansible.builtin.import_tasks: "include/br0.yml"
 tags: "vpn:bridge:br0"
+- name: "play:vpn : role:bridge : tasks:wg0"
+ ansible.builtin.import_tasks: "include/wg0.yml"
+ tags: "vpn:bridge:wg0"
diff --git a/plays/vpn/roles/bridge/templates/br0/br0.j2 b/plays/vpn/roles/bridge/templates/br0/br0.j2
index 4c7c7d5..853228f 100644
--- a/plays/vpn/roles/bridge/templates/br0/br0.j2
+++ b/plays/vpn/roles/bridge/templates/br0/br0.j2
@@ -4,14 +4,14 @@ iface br0 inet static post-up /usr/local/sbin/post-up-$IFACE-inet.nft post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft -{% if local_network is defined %} - post-up ip rule add dev $IFACE table {{ vpn_routing_table }} +{% if vpn_bridge_role == "client" %} + post-up ip rule add dev $IFACE table {{ vpn_bridge_routing_table }} post-up ip rule add dev $IFACE to {{ local_network }} table main priority 1 {% endif %} -{% if local_network is defined %} +{% if vpn_bridge_role == "client" %} pre-down ip rule del dev $IFACE to {{ local_network }} table main priority 1 - pre-down ip rule del dev $IFACE table {{ vpn_routing_table }} + pre-down ip rule del dev $IFACE table {{ vpn_bridge_routing_table }} {% endif %} pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
diff --git a/playbooks/filesystem/valkyrie/usr/local/sbin/post-up-wg0-inet.nft.j2 b/plays/vpn/roles/bridge/templates/wg0/post-up-wg0-inet.nft.j2
similarity index 100%
rename from playbooks/filesystem/valkyrie/usr/local/sbin/post-up-wg0-inet.nft.j2
rename to plays/vpn/roles/bridge/templates/wg0/post-up-wg0-inet.nft.j2
diff --git a/playbooks/filesystem/valkyrie/usr/local/sbin/post-up-wg0-ipv4.nft.j2 b/plays/vpn/roles/bridge/templates/wg0/post-up-wg0-ipv4.nft.j2
similarity index 52%
rename from playbooks/filesystem/valkyrie/usr/local/sbin/post-up-wg0-ipv4.nft.j2
rename to plays/vpn/roles/bridge/templates/wg0/post-up-wg0-ipv4.nft.j2
index 93b60c2..fc375d0 100644
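Review bot: The client branch of br0.j2 now emits `post-up ip rule add dev $IFACE to {{ local_network }} table main priority 1` whenever `vpn_bridge_role == "client"`, but `local_network` stays `required: false` in argument_specs.yml earlier in this diff, so a client host that omits it fails at template time with an undefined variable instead of at spec validation. Either keep a `{% if local_network is defined %}` guard around the two `local_network` rules (post-up and its pre-down counterpart in the same hunk), or make the spec's `required:` for `local_network` follow `vpn_bridge_role == 'client'` as the other role-dependent options do.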
--- a/playbooks/filesystem/valkyrie/usr/local/sbin/post-up-wg0-ipv4.nft.j2
+++ b/plays/vpn/roles/bridge/templates/wg0/post-up-wg0-ipv4.nft.j2
@@ -1,8 +1,12 @@
 #!/usr/bin/env -S nft -f
 
 table ip wg0_ipv4 {
+
+{% if vpn_bridge_role == "server" %}
 chain postrouting {
 type nat hook postrouting priority 100;
- iif wg0 oif {{ ethx }} masquerade;
+ iif wg0 oif {{ ansible_default_ipv4.interface }} masquerade;
 }
+
+{% endif %}
 }
diff --git a/plays/vpn/roles/bridge/templates/wg0/wg0.conf.j2 b/plays/vpn/roles/bridge/templates/wg0/wg0.conf.j2
new file mode 100644
index 0000000..f20de3d
--- /dev/null
+++ b/plays/vpn/roles/bridge/templates/wg0/wg0.conf.j2
@@ -0,0 +1,21 @@
+[Interface]
+PrivateKey = {{ vpn_bridge_wg0_interface_private_key }}
+{% if vpn_bridge_role == "server" %}
+ListenPort = {{ vpn_bridge_wg0_port }}
+{% endif %}
+
+{% if vpn_bridge_role == "server" %}
+{% for client in vpn_bridge_wg0_clients %}
+[Peer]
+PublicKey = {{ client.public_key }}
+PresharedKey = {{ vpn_bridge_wg0_preshared_key }}
+AllowedIPs = {{ vpn_bridge_wg0_subnet }},{{ client.subnet }}
+{% endfor %}
+{% elif vpn_bridge_role == "client" %}
+[Peer]
+PublicKey = {{ vpn_bridge_wg0_server_public_key }}
+PresharedKey = {{ vpn_bridge_wg0_preshared_key }}
+Endpoint = {{ vpn_bridge_wg0_server_address }}:{{ vpn_bridge_wg0_port }}
+AllowedIPs = 0.0.0.0/0
+PersistentKeepalive = 15
+{% endif %}
diff --git a/plays/vpn/roles/bridge/templates/wg0/wg0.j2 b/plays/vpn/roles/bridge/templates/wg0/wg0.j2
new file mode 100644
index 0000000..8d6d500
--- /dev/null
+++ b/plays/vpn/roles/bridge/templates/wg0/wg0.j2
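Review bot: `iif wg0 oif {{ ansible_default_ipv4.interface }} masquerade;` pins the NAT egress to whichever interface holds the default route at fact-gathering time and fails to render when facts are not gathered, whereas the replaced `{{ ethx }}` let the operator choose. Keeping an optional override preserves both, e.g. `iif wg0 oif {{ vpn_bridge_wg0_egress_interface | default(ansible_default_ipv4.interface) }} masquerade;` (variable name constructed; declare it `required: false` in the spec). Nothing in the companion inet table's `forward` chain limits which wg0 sources are forwarded and masqueraded — expected for a full-tunnel exit, but a one-line comment in this template stating that intent would help the next reader.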
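Review bot: In the server branch of wg0.conf.j2 every client peer is rendered with `AllowedIPs = {{ vpn_bridge_wg0_subnet }},{{ client.subnet }}`; WireGuard's cryptokey routing gives an AllowedIPs prefix to the last peer that claims it, so with two or more clients only the final peer in the loop owns the wg0 subnet and packets from the other clients' tunnel addresses are discarded. Each peer should claim only its own tunnel address, e.g. `AllowedIPs = {{ client.wg0_address }}/32,{{ client.subnet }}` (key name constructed; add it to the `vpn_bridge_wg0_clients` element spec). The single `vpn_bridge_wg0_preshared_key` is likewise shared by all peers, which forfeits the per-peer separation a PSK is meant to add; a per-client `client.preshared_key` (constructed) is the usual layout. The client-side `AllowedIPs = 0.0.0.0/0` block matches the deleted yggdrasil config and is unchanged in substance.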
@@ -0,0 +1,28 @@
+auto wg0
+iface wg0 inet static
+ pre-up /usr/local/sbin/ip-link-add.sh $IFACE type wireguard
+ pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
+ pre-up ip link set mtu 1420 dev $IFACE
+
+ post-up /usr/local/sbin/post-up-$IFACE-inet.nft
+ post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
+{% if vpn_bridge_role == "client" %}
+ post-up ip route add default dev $IFACE table {{ vpn_bridge_routing_table }}
+{% elif vpn_bridge_role == "server" %}
+{% for client in vpn_bridge_wg0_clients %}
+ post-up ip route add {{ client.subnet }} dev $IFACE
+{% endfor %}
+{% endif %}
+
+{% if vpn_bridge_role == "server" %}
+{% for client in vpn_bridge_wg0_clients %}
+ pre-down ip route del {{ client.subnet }} dev $IFACE
+{% endfor %}
+{% elif vpn_bridge_role == "client" %}
+ pre-down ip route del default dev $IFACE table {{ vpn_bridge_routing_table }}
+{% endif %}
+ pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
+ pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
+
+ address {{ vpn_bridge_wg0_address }}
+ netmask {{ vpn_bridge_wg0_netmask }}
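Review bot: `pre-up /usr/local/sbin/ip-link-add.sh $IFACE type wireguard` replaces the plain `ip link add` of the deleted valkyrie/yggdrasil stanzas, but nothing in the new wg0.yml installs that script; presumably br0 or another role ships it, so a comment at the top of this template naming its source (and that `ifup wg0` fails without it) would save a search. The template also reads `vpn_bridge_wg0_address` and `vpn_bridge_wg0_netmask`, neither of which is among the options added to argument_specs.yml in this change — confirm they are declared in the part of the spec not shown. The hard-coded `mtu 1420` carried over from the old files is a candidate for a spec option with that default.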