Add vpn:bridge:wg0
This commit is contained in:
parent
dda51db812
commit
ad6a9c1396
@ -1,6 +0,0 @@
|
||||
---
|
||||
- name: Configure VPN network
|
||||
hosts: asgard
|
||||
|
||||
tasks:
|
||||
- import_tasks: tasks/vpn/wireguard.yml
|
@ -1,18 +0,0 @@
|
||||
auto wg0
|
||||
iface wg0 inet static
|
||||
pre-up ip link add $IFACE type wireguard
|
||||
pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
|
||||
pre-up ip link set mtu 1420 dev $IFACE
|
||||
|
||||
post-up /usr/local/sbin/post-up-$IFACE-inet.nft
|
||||
post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
|
||||
post-up ip route add {{ vpn_remote_br0_subnet }} dev $IFACE
|
||||
|
||||
pre-down ip route del {{ vpn_remote_br0_subnet }} dev $IFACE
|
||||
pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
|
||||
pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
|
||||
|
||||
post-down ip link del dev $IFACE
|
||||
|
||||
address {{ vpn_wg0_address }}
|
||||
netmask {{ vpn_wg0_netmask }}
|
@ -1,8 +0,0 @@
|
||||
[Interface]
|
||||
PrivateKey = {{ vpn_wg0_interface_private_key }}
|
||||
ListenPort = {{ vpn_wg0_port }}
|
||||
|
||||
[Peer]
|
||||
PublicKey = {{ vpn_wg0_peer_public_key }}
|
||||
PresharedKey = {{ vpn_wg0_preshared_key }}
|
||||
AllowedIPs = {{ vpn_wg0_subnet }},{{ vpn_remote_br0_subnet }}
|
@ -1,18 +0,0 @@
|
||||
auto wg0
|
||||
iface wg0 inet static
|
||||
pre-up ip link add $IFACE type wireguard
|
||||
pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
|
||||
pre-up ip link set mtu 1420 dev $IFACE
|
||||
|
||||
post-up /usr/local/sbin/post-up-$IFACE-inet.nft
|
||||
post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
|
||||
post-up ip route add default dev $IFACE table 66
|
||||
|
||||
pre-down ip route del default dev $IFACE table 66
|
||||
pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
|
||||
pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
|
||||
|
||||
post-down ip link del dev $IFACE
|
||||
|
||||
address {{ vpn_wg0_address }}
|
||||
netmask {{ vpn_wg0_netmask }}
|
@ -1,9 +0,0 @@
|
||||
[Interface]
|
||||
PrivateKey = {{ vpn_wg0_interface_private_key }}
|
||||
|
||||
[Peer]
|
||||
PublicKey = {{ vpn_wg0_peer_public_key }}
|
||||
PresharedKey = {{ vpn_wg0_preshared_key }}
|
||||
Endpoint = {{ vpn_wg0_endpoint_address }}:{{ vpn_wg0_port }}
|
||||
AllowedIPs = 0.0.0.0/0
|
||||
PersistentKeepalive = 15
|
@ -1,9 +0,0 @@
|
||||
#!/usr/bin/env -S nft -f
|
||||
|
||||
table inet wg0_inet {
|
||||
chain forward {
|
||||
type filter hook forward priority 0;
|
||||
iif wg0 tcp flags syn tcp option maxseg size set rt mtu;
|
||||
oif wg0 tcp flags syn tcp option maxseg size set rt mtu;
|
||||
}
|
||||
}
|
@ -1,5 +0,0 @@
|
||||
#!/usr/bin/env -S nft -f
|
||||
|
||||
table ip wg0_ipv4 {
|
||||
|
||||
}
|
@ -1,4 +0,0 @@
|
||||
#!/usr/bin/env -S nft -f
|
||||
|
||||
flush table inet wg0_inet
|
||||
delete table inet wg0_inet
|
@ -1,4 +0,0 @@
|
||||
#!/usr/bin/env -S nft -f
|
||||
|
||||
flush table ip wg0_ipv4
|
||||
delete table ip wg0_ipv4
|
@ -1,53 +0,0 @@
|
||||
- name: WireGuard interface configuration
|
||||
template:
|
||||
src: ./filesystem/{{ ansible_hostname }}/etc/wireguard/wg0.conf.j2
|
||||
dest: /etc/wireguard/wg0.conf
|
||||
mode: 0600
|
||||
register: wg_intf_conf
|
||||
|
||||
- name: WireGuard interface post-up nftables inet script
|
||||
template:
|
||||
src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/post-up-wg0-inet.nft.j2
|
||||
dest: /usr/local/sbin/post-up-wg0-inet.nft
|
||||
mode: 0755
|
||||
register: wg_intf_post_up_inet
|
||||
|
||||
- name: WireGuard interface post-up nftables ipv4 script
|
||||
template:
|
||||
src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/post-up-wg0-ipv4.nft.j2
|
||||
dest: /usr/local/sbin/post-up-wg0-ipv4.nft
|
||||
mode: 0755
|
||||
register: wg_intf_post_up_ipv4
|
||||
|
||||
- name: Create WireGuard interface
|
||||
template:
|
||||
src: ./filesystem/{{ ansible_hostname }}/etc/network/interfaces.d/wg0.j2
|
||||
dest: /etc/network/interfaces.d/wg0
|
||||
mode: 0644
|
||||
validate: >
|
||||
bash -c
|
||||
'if ! diff %s /etc/network/interfaces.d/wg0 && ip link show dev wg0 ;
|
||||
then
|
||||
ifdown wg0 ;
|
||||
fi'
|
||||
register: wg_intf
|
||||
|
||||
- name: Restart WireGuard interface
|
||||
shell: if ip link show dev wg0 ; then ifdown wg0 && ifup wg0 ; else ifup wg0 ; fi
|
||||
when:
|
||||
wg_intf_conf is changed or
|
||||
wg_intf_post_up_inet is changed or
|
||||
wg_intf_post_up_ipv4 is changed or
|
||||
wg_intf is changed
|
||||
|
||||
- name: WireGuard interface pre-down nftables inet script
|
||||
template:
|
||||
src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/pre-down-wg0-inet.nft.j2
|
||||
dest: /usr/local/sbin/pre-down-wg0-inet.nft
|
||||
mode: 0755
|
||||
|
||||
- name: WireGuard interface pre-down nftables ipv4 script
|
||||
template:
|
||||
src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/pre-down-wg0-ipv4.nft.j2
|
||||
dest: /usr/local/sbin/pre-down-wg0-ipv4.nft
|
||||
mode: 0755
|
@ -8,7 +8,7 @@ argument_specs:
|
||||
local_network:
|
||||
type: "str"
|
||||
required: false
|
||||
vpn_routing_table:
|
||||
vpn_bridge_routing_table:
|
||||
type: "int"
|
||||
required: true
|
||||
vpn_bridge_dnat:
|
||||
@ -24,3 +24,28 @@ argument_specs:
|
||||
vpn_bridge_br0_netmask:
|
||||
type: "str"
|
||||
required: true
|
||||
vpn_bridge_role:
|
||||
type: "str"
|
||||
required: true
|
||||
vpn_bridge_wg0_port:
|
||||
type: "int"
|
||||
required: true
|
||||
vpn_bridge_wg0_interface_private_key:
|
||||
type: "str"
|
||||
required: true
|
||||
vpn_bridge_wg0_preshared_key:
|
||||
type: "str"
|
||||
required: true
|
||||
vpn_bridge_wg0_subnet:
|
||||
type: "str"
|
||||
required: true
|
||||
vpn_bridge_wg0_clients:
|
||||
type: "list"
|
||||
elem: "dict"
|
||||
required: "{{ vpn_bridge_role == 'server' }}"
|
||||
vpn_bridge_wg0_server_public_key:
|
||||
type: "str"
|
||||
required: "{{ vpn_bridge_role == 'client' }}"
|
||||
vpn_bridge_wg0_server_address:
|
||||
type: "str"
|
||||
required: "{{ vpn_bridge_role == 'client' }}"
|
||||
|
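Review bot: `elem: "dict"` on vpn_bridge_wg0_clients is not a key the Ansible argument-spec validator recognises; the element type of a list is declared with `elements: "dict"`, and the per-client keys the templates in this commit read (`public_key`, `subnet`) should be pinned with a nested `options:` block so a malformed client entry fails validation instead of rendering an empty PublicKey or route. vpn_bridge_wg0_interface_private_key and vpn_bridge_wg0_preshared_key are secrets, so mark them `no_log: true` (the role spec validator takes the same option keys as a module argument spec) to keep their values out of the validation task's output when a run fails. The `required: "{{ vpn_bridge_role == 'server' }}"` strings are presumably templated before validation; if they are not, any non-empty string is truthy and every conditional option becomes unconditionally required, which a `--check` run of the client role would confirm either way.
```yaml
vpn_bridge_wg0_clients:
  type: "list"
  elements: "dict"
  required: "{{ vpn_bridge_role == 'server' }}"
  options:
    public_key:
      type: "str"
      required: true
    subnet:
      type: "str"
      required: true
```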
@ -23,7 +23,7 @@
|
||||
then
|
||||
ifdown br0 ;
|
||||
fi'
|
||||
register: vpn_bridge_br0_conf
|
||||
register: vpn_bridge_br0_intf
|
||||
|
||||
- name: "br0 : restart interface"
|
||||
ansible.builtin.shell: |
|
||||
@ -36,7 +36,7 @@
|
||||
when:
|
||||
vpn_bridge_post_up_br0_inet_nft.changed or
|
||||
vpn_bridge_post_up_br0_ipv4_nft.changed or
|
||||
vpn_bridge_br0_conf.changed
|
||||
vpn_bridge_br0_intf.changed
|
||||
|
||||
- name: "br0 : pre-down nftables inet script"
|
||||
ansible.builtin.copy:
|
||||
|
59
plays/vpn/roles/bridge/tasks/include/wg0.yml
Normal file
@ -0,0 +1,59 @@
|
||||
- name: "wg0 : configure wireguard"
|
||||
ansible.builtin.template:
|
||||
src: "./wg0/wg0.conf.j2"
|
||||
dest: "/etc/wireguard/wg0.conf"
|
||||
mode: 0600
|
||||
register: vpn_bridge_wg0_conf
|
||||
|
||||
- name: "wg0 : post-up nftables inet script"
|
||||
ansible.builtin.template:
|
||||
src: "./wg0/post-up-wg0-inet.nft.j2"
|
||||
dest: "/usr/local/sbin/post-up-wg0-inet.nft"
|
||||
mode: 0755
|
||||
register: vpn_bridge_post_up_wg0_inet_nft
|
||||
|
||||
- name: "wg0 : post-up nftables ipv4 script"
|
||||
ansible.builtin.template:
|
||||
src: "./wg0/post-up-wg0-ipv4.nft.j2"
|
||||
dest: "/usr/local/sbin/post-up-wg0-ipv4.nft"
|
||||
mode: 0755
|
||||
register: vpn_bridge_post_up_wg0_ipv4_nft
|
||||
|
||||
- name: "wg0 : configure interface"
|
||||
ansible.builtin.template:
|
||||
src: "./wg0/wg0.j2"
|
||||
dest: "/etc/network/interfaces.d/wg0"
|
||||
mode: 0644
|
||||
validate: >
|
||||
bash -c
|
||||
'if ! diff %s /etc/network/interfaces.d/wg0 && ip link show dev wg0 ;
|
||||
then
|
||||
ifdown wg0 ;
|
||||
fi'
|
||||
register: vpn_bridge_wg0_intf
|
||||
|
||||
- name: "wg0 : restart interface"
|
||||
ansible.builtin.shell: |
|
||||
if ip link show dev wg0
|
||||
then
|
||||
ifdown wg0 && ifup wg0
|
||||
else
|
||||
ifup wg0
|
||||
fi
|
||||
when:
|
||||
vpn_bridge_wg0_conf.changed or
|
||||
vpn_bridge_post_up_wg0_inet_nft.changed or
|
||||
vpn_bridge_post_up_wg0_ipv4_nft.changed or
|
||||
vpn_bridge_wg0_intf.changed
|
||||
|
||||
- name: "wg0 : pre-down nftables inet script"
|
||||
ansible.builtin.copy:
|
||||
src: "./wg0/pre-down-wg0-inet.nft"
|
||||
dest: "/usr/local/sbin/pre-down-wg0-inet.nft"
|
||||
mode: 0755
|
||||
|
||||
- name: "wg0 : pre-down nftables ipv4 script"
|
||||
ansible.builtin.copy:
|
||||
src: "./wg0/pre-down-wg0-ipv4.nft"
|
||||
dest: "/usr/local/sbin/pre-down-wg0-ipv4.nft"
|
||||
mode: 0755
|
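Review bot: The `wg0 : configure wireguard` task renders PrivateKey and PresharedKey into /etc/wireguard/wg0.conf but carries no `no_log: true`, so a run with `--diff` or `-v` prints the rendered key material to the controller's output and any log it is sent to; add `no_log: true` to that task, since `mode: 0600` protects the file on the host and not the play output. The `validate:` command on `wg0 : configure interface` can never reject anything (its exit status is that of the `if`, which is 0), so it is a pre-write hook that brings the old interface down rather than a validation, and a comment such as `# validate is used as a pre-write hook: ifdown wg0 with the old config before the new file lands` would stop a later reader from assuming the file is checked. The octal modes are unquoted (`mode: 0600`, `mode: 0755`); the YAML 1.1 loader reads a leading-zero literal as octal so they work today, but `mode: "0600"` is the form Ansible documents and survives reformatting tools.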
@ -1,3 +1,6 @@
|
||||
- name: "play:vpn : role:bridge : tasks:br0"
|
||||
ansible.builtin.import_tasks: "include/br0.yml"
|
||||
tags: "vpn:bridge:br0"
|
||||
- name: "play:vpn : role:bridge : tasks:wg0"
|
||||
ansible.builtin.import_tasks: "include/wg0.yml"
|
||||
tags: "vpn:bridge:wg0"
|
||||
|
@ -4,14 +4,14 @@ iface br0 inet static
|
||||
|
||||
post-up /usr/local/sbin/post-up-$IFACE-inet.nft
|
||||
post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
|
||||
{% if local_network is defined %}
|
||||
post-up ip rule add dev $IFACE table {{ vpn_routing_table }}
|
||||
{% if vpn_bridge_role == "client" %}
|
||||
post-up ip rule add dev $IFACE table {{ vpn_bridge_routing_table }}
|
||||
post-up ip rule add dev $IFACE to {{ local_network }} table main priority 1
|
||||
{% endif %}
|
||||
|
||||
{% if local_network is defined %}
|
||||
{% if vpn_bridge_role == "client" %}
|
||||
pre-down ip rule del dev $IFACE to {{ local_network }} table main priority 1
|
||||
pre-down ip rule del dev $IFACE table {{ vpn_routing_table }}
|
||||
pre-down ip rule del dev $IFACE table {{ vpn_bridge_routing_table }}
|
||||
{% endif %}
|
||||
pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
|
||||
pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
|
||||
|
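Review bot: The client-role rule `post-up ip rule add dev $IFACE table {{ vpn_bridge_routing_table }}` has no fallback, so whenever the routing table is empty (wg0 down, or its default route removed by the wg0 pre-down) the lookup falls through to `main` and bridge traffic leaves over the plain uplink; if the bridge is meant to fail closed, pin the rule's priority and follow it with a blackhole rule, `post-up ip rule add dev $IFACE table {{ vpn_bridge_routing_table }} priority 100` and `post-up ip rule add dev $IFACE blackhole priority 101`, with a matching `pre-down ip rule del dev $IFACE blackhole priority 101`. Leaving the table rule without an explicit priority also makes its position depend on insertion order relative to the `priority 1` exception, which is harmless today only because the two lines run in this order. The `local_network` guard wraps both rules but only the client branch uses them, so a one-line comment on the `{% if local_network is defined %}` block saying `# client only: steer bridged traffic into the VPN table, except for the local LAN` would make the nesting obvious.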
@ -1,8 +1,12 @@
|
||||
#!/usr/bin/env -S nft -f
|
||||
|
||||
table ip wg0_ipv4 {
|
||||
|
||||
{% if vpn_bridge_role == "server" %}
|
||||
chain postrouting {
|
||||
type nat hook postrouting priority 100;
|
||||
iif wg0 oif {{ ethx }} masquerade;
|
||||
iif wg0 oif {{ ansible_default_ipv4.interface }} masquerade;
|
||||
}
|
||||
|
||||
{% endif %}
|
||||
}
|
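Review bot: `oif {{ ansible_default_ipv4.interface }}` ties the masquerade egress to whatever interface fact-gathering saw carrying the default route at play time, which on a multi-homed server is not necessarily the WAN side and silently changes if the default route moves; prefer an explicit role input, e.g. `oif {{ vpn_bridge_wan_interface | default(ansible_default_ipv4.interface) }}`, declared in argument_specs. The rule NATs everything a peer sends towards that interface; the inet table's forward chain is not in this hunk, and if it still only clamps MSS as the deleted version did, every client subnet can reach everything the server can, so a forward filter with a deliberate allow-list for `iif wg0` is worth adding alongside this NAT. On the client role the template leaves an empty table, which is intentional so the pre-down `delete table` stays valid; a comment `# client role: no NAT, table kept empty so pre-down-wg0-ipv4.nft can delete it` would say so.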
21
plays/vpn/roles/bridge/templates/wg0/wg0.conf.j2
Normal file
@ -0,0 +1,21 @@
|
||||
[Interface]
|
||||
PrivateKey = {{ vpn_bridge_wg0_interface_private_key }}
|
||||
{% if vpn_bridge_role == "server" %}
|
||||
ListenPort = {{ vpn_bridge_wg0_port }}
|
||||
{% endif %}
|
||||
|
||||
{% if vpn_bridge_role == "server" %}
|
||||
{% for client in vpn_bridge_wg0_clients %}
|
||||
[Peer]
|
||||
PublicKey = {{ client.public_key }}
|
||||
PresharedKey = {{ vpn_bridge_wg0_preshared_key }}
|
||||
AllowedIPs = {{ vpn_bridge_wg0_subnet }},{{ client.subnet }}
|
||||
{% endfor %}
|
||||
{% elif vpn_bridge_role == "client" %}
|
||||
[Peer]
|
||||
PublicKey = {{ vpn_bridge_wg0_server_public_key }}
|
||||
PresharedKey = {{ vpn_bridge_wg0_preshared_key }}
|
||||
Endpoint = {{ vpn_bridge_wg0_server_address }}:{{ vpn_bridge_wg0_port }}
|
||||
AllowedIPs = 0.0.0.0/0
|
||||
PersistentKeepalive = 15
|
||||
{% endif %}
|
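Review bot: Every server-side `[Peer]` gets `AllowedIPs = {{ vpn_bridge_wg0_subnet }},{{ client.subnet }}`, so with more than one entry in vpn_bridge_wg0_clients the whole wg0 subnet is listed for several peers; WireGuard's cryptokey routing keeps an allowed IP on only the last peer it was configured for, so earlier clients lose the subnet and packets sourced from their tunnel address are dropped on arrival. Give each peer only its own tunnel address plus its LAN, `AllowedIPs = {{ client.address }}/32,{{ client.subnet }}`, adding an `address` key to the client dict. The single `vpn_bridge_wg0_preshared_key` is also reused for all peers, which turns the PSK into a group secret: compromise of any one client exposes the PSK protecting every other client's tunnel, so a per-client `PresharedKey = {{ client.preshared_key }}` is the safer layout.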
28
plays/vpn/roles/bridge/templates/wg0/wg0.j2
Normal file
@ -0,0 +1,28 @@
|
||||
auto wg0
|
||||
iface wg0 inet static
|
||||
pre-up /usr/local/sbin/ip-link-add.sh $IFACE type wireguard
|
||||
pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
|
||||
pre-up ip link set mtu 1420 dev $IFACE
|
||||
|
||||
post-up /usr/local/sbin/post-up-$IFACE-inet.nft
|
||||
post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
|
||||
{% if vpn_bridge_role == "client" %}
|
||||
post-up ip route add default dev $IFACE table {{ vpn_bridge_routing_table }}
|
||||
{% elif vpn_bridge_role == "server" %}
|
||||
{% for client in vpn_bridge_wg0_clients %}
|
||||
post-up ip route add {{ client.subnet }} dev $IFACE
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if vpn_bridge_role == "server" %}
|
||||
{% for client in vpn_bridge_wg0_clients %}
|
||||
pre-down ip route del {{ client.subnet }} dev $IFACE
|
||||
{% endfor %}
|
||||
{% elif vpn_bridge_role == "client" %}
|
||||
pre-down ip route del default dev $IFACE table {{ vpn_bridge_routing_table }}
|
||||
{% endif %}
|
||||
pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
|
||||
pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
|
||||
|
||||
address {{ vpn_bridge_wg0_address }}
|
||||
netmask {{ vpn_bridge_wg0_netmask }}
|
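Review bot: `pre-up /usr/local/sbin/ip-link-add.sh $IFACE type wireguard` depends on a helper that the wg0.yml tasks in this commit do not install and whose contents are not in the diff; if another role ships it, that ordering should be stated in the task file, otherwise `ifup wg0` on a fresh host fails before `wg setconf` runs. The MTU is hard-coded at 1420, which is right for IPv4 over a 1500-byte uplink but wrong behind PPPoE or a second tunnel; `pre-up ip link set mtu {{ vpn_bridge_wg0_mtu | default(1420) }} dev $IFACE` keeps the default and makes it overridable. The `address`/`netmask` lines read vpn_bridge_wg0_address and vpn_bridge_wg0_netmask, which do not appear in the argument_specs hunk of this commit; if they are declared in the part of that file outside the diff, fine, otherwise an undefined variable only surfaces at template time.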