the-nine-worlds/ansible-roles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Split wireguard client and server files

Browse Source
This commit is contained in:
Wojciech Kozlowski 2023-07-22 21:08:50 +02:00
parent 9467013860
commit 9acf33085d
5 changed files with 38 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
vpn/wireguard/tasks/main.yml
View File

@ -5,7 +5,7 @@
- name: "configure wireguard"
ansible.builtin.template:
src: "./IFACE.conf"
src: "./{{ vpn_wireguard_role }}/IFACE.conf"
dest: "/etc/wireguard/{{ vpn_wireguard_iface }}.conf"
mode: 0600
register: vpn_wireguard_conf
@ -26,7 +26,7 @@
- name: "configure interface"
ansible.builtin.template:
src: "./IFACE"
src: "./{{ vpn_wireguard_role }}/IFACE"
dest: "/etc/network/interfaces.d/{{ vpn_wireguard_iface }}"
mode: 0644
validate: >

26
vpn/wireguard/templates/client/IFACE Normal file
View File

@ -0,0 +1,26 @@
auto {{ vpn_wireguard_iface }}
iface {{ vpn_wireguard_iface }} inet static
pre-up /usr/local/sbin/ip-link-add.sh $IFACE type wireguard
pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
pre-up ip link set mtu {{ vpn_wireguard_mtu }} dev $IFACE
post-up /usr/local/sbin/post-up-$IFACE-inet.nft
post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
post-up ip route add default dev $IFACE table {{ vpn_wireguard_routing_table }}
pre-down ip route del default dev $IFACE table {{ vpn_wireguard_routing_table }}
pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
address {{ vpn_wireguard_address }}
netmask {{ vpn_wireguard_prefixlen }}
{% if vpn_wireguard_address_v6 is defined %}
iface {{ vpn_wireguard_iface }} inet6 static
post-up ip -6 route add default dev $IFACE table {{ vpn_wireguard_routing_table }}
pre-down ip -6 route del default dev $IFACE table {{ vpn_wireguard_routing_table }}
address {{ vpn_wireguard_address_v6 }}
netmask {{ vpn_wireguard_prefixlen_v6 }}
{% endif %}

9
vpn/wireguard/templates/client/IFACE.conf Normal file
View File

@ -0,0 +1,9 @@
[Interface]
PrivateKey = {{ vpn_wireguard_interface_private_key }}
[Peer]
PublicKey = {{ vpn_wireguard_server_public_key }}
PresharedKey = {{ vpn_wireguard_server_preshared_key }}
Endpoint = {{ vpn_wireguard_server_address }}:{{ vpn_wireguard_port }}
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 15

24
vpn/wireguard/templates/IFACE → vpn/wireguard/templates/server/IFACE
View File

@ -6,7 +6,6 @@ iface {{ vpn_wireguard_iface }} inet static
post-up /usr/local/sbin/post-up-$IFACE-inet.nft
post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
{% if vpn_wireguard_role == "server" %}
{% if vpn_wireguard_routing_table is defined %}
post-up ip rule add sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
post-up ip -6 rule add sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
@ -16,11 +15,7 @@ iface {{ vpn_wireguard_iface }} inet static
post-up ip route add {{ client.subnet }} dev $IFACE
{% endif %}
{% endfor %}
{% elif vpn_wireguard_role == "client" %}
post-up ip route add default dev $IFACE table {{ vpn_wireguard_routing_table }}
{% endif %}
{% if vpn_wireguard_role == "server" %}
{% for client in vpn_wireguard_clients %}
{% if 'subnet' in client %}
pre-down ip route del {{ client.subnet }} dev $IFACE
@ -29,9 +24,6 @@ iface {{ vpn_wireguard_iface }} inet static
{% if vpn_wireguard_routing_table is defined %}
pre-down ip -6 rule del sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
pre-down ip rule del sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
{% endif %}
{% elif vpn_wireguard_role == "client" %}
pre-down ip route del default dev $IFACE table {{ vpn_wireguard_routing_table }}
{% endif %}
pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
@ -39,21 +31,5 @@ iface {{ vpn_wireguard_iface }} inet static
address {{ vpn_wireguard_address }}
netmask {{ vpn_wireguard_prefixlen }}
{% if vpn_wireguard_address_v6 is defined %}
iface {{ vpn_wireguard_iface }} inet6 static
{% if vpn_wireguard_role == "client" %}
post-up ip -6 route add default dev $IFACE table {{ vpn_wireguard_routing_table }}
{% endif %}
{% if vpn_wireguard_role == "client" %}
pre-down ip -6 route del default dev $IFACE table {{ vpn_wireguard_routing_table }}
{% endif %}
address {{ vpn_wireguard_address_v6 }}
netmask {{ vpn_wireguard_prefixlen_v6 }}
{% endif %}
{% if vpn_wireguard_address_v6 is defined %}
{% if vpn_wireguard_role == "server" %}
{{ __assert__wireguard_server_role_not_supported_for_ipv6 }}
{% endif %}
{% endif %}

15
vpn/wireguard/templates/IFACE.conf → vpn/wireguard/templates/server/IFACE.conf
View File

@ -1,11 +1,8 @@
[Interface]
PrivateKey = {{ vpn_wireguard_interface_private_key }}
{% if vpn_wireguard_role == "server" %}
ListenPort = {{ vpn_wireguard_port }}
{% endif %}
{% if vpn_wireguard_role == "server" %}
{% for client in vpn_wireguard_clients %}
[Peer]
PublicKey = {{ client.public_key }}
PresharedKey = {{ client.preshared_key }}
@ -14,14 +11,4 @@ AllowedIPs = {{ vpn_wireguard_subnet }},{{ client.subnet }}
{% else %}
AllowedIPs = {{ vpn_wireguard_subnet }}
{% endif %}
{% endfor %}
{% elif vpn_wireguard_role == "client" %}
[Peer]
PublicKey = {{ vpn_wireguard_server_public_key }}
PresharedKey = {{ vpn_wireguard_server_preshared_key }}
Endpoint = {{ vpn_wireguard_server_address }}:{{ vpn_wireguard_port }}
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 15
{% endif %}