diff options
| author | Dmitry Ilvokhin <d@ilvokhin.com> | 2024-06-09 19:37:44 +0100 |
|---|---|---|
| committer | Dmitry Ilvokhin <d@ilvokhin.com> | 2024-06-09 19:37:44 +0100 |
| commit | bcc31e0abc2f44971420dac39a0274ea9a9df74d (patch) | |
| tree | 4975766ceb75118ce7f1f4647393ab71ae81b285 | |
| parent | d129e0950bdaf55c7d752933e77790e9d5b151a3 (diff) | |
| download | infra-bcc31e0abc2f44971420dac39a0274ea9a9df74d.tar.gz infra-bcc31e0abc2f44971420dac39a0274ea9a9df74d.tar.bz2 infra-bcc31e0abc2f44971420dac39a0274ea9a9df74d.zip | |
Add wgtor role for Tor middlebox
| -rw-r--r-- | roles/wgtor/handlers/main.yml | 7 | ||||
| -rw-r--r-- | roles/wgtor/meta/main.yml | 3 | ||||
| -rw-r--r-- | roles/wgtor/tasks/main.yml | 14 | ||||
| -rw-r--r-- | roles/wgtor/templates/wg2.conf.j2 | 22 |
4 files changed, 46 insertions, 0 deletions
diff --git a/roles/wgtor/handlers/main.yml b/roles/wgtor/handlers/main.yml new file mode 100644 index 0000000..9f1d3c5 --- /dev/null +++ b/roles/wgtor/handlers/main.yml @@ -0,0 +1,7 @@ +# Use restart instead of reload, because reload uses `wg syncconf` under the +# hood, which only updates config, but do not run `PostUp` and `PostDown` +# hooks. +- name: Restart wgtor + ansible.builtin.service: + name: wg-quick@wg2 + state: restarted diff --git a/roles/wgtor/meta/main.yml b/roles/wgtor/meta/main.yml new file mode 100644 index 0000000..aede5ad --- /dev/null +++ b/roles/wgtor/meta/main.yml @@ -0,0 +1,3 @@ +dependencies: + - role: netfwd + - role: wireguard diff --git a/roles/wgtor/tasks/main.yml b/roles/wgtor/tasks/main.yml new file mode 100644 index 0000000..68a4aee --- /dev/null +++ b/roles/wgtor/tasks/main.yml @@ -0,0 +1,14 @@ +- name: Configure WireGuard for wgtor + ansible.builtin.template: + src: templates/wg2.conf.j2 + dest: /etc/wireguard/wg2.conf + owner: root + group: root + mode: u+rw,g-rw,o-rw + notify: Restart wgtor + +- name: Enable WireGuard service for wgtor + ansible.builtin.service: + name: wg-quick@wg2 + enabled: yes + state: started diff --git a/roles/wgtor/templates/wg2.conf.j2 b/roles/wgtor/templates/wg2.conf.j2 new file mode 100644 index 0000000..5d72891 --- /dev/null +++ b/roles/wgtor/templates/wg2.conf.j2 @@ -0,0 +1,22 @@ +[Interface] +PrivateKey = {{ wireguard_private_key }} +Address = 10.0.2.1/24 +ListenPort = 51822 + +# See for source of iptables rules. +# https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TransparentProxy + +PostUp = iptables -t nat -A PREROUTING -i %i -p udp --dport 53 -j REDIRECT --to-ports 5353 +PostUp = iptables -t nat -A PREROUTING -i %i -p udp --dport 5353 -j REDIRECT --to-ports 5353 +PostUp = iptables -t nat -A PREROUTING -i %i -p tcp --syn -j REDIRECT --to-ports 9040 +PostUp = iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports 9040 + +PostDown = iptables -t nat -D PREROUTING -i %i -p udp --dport 53 -j REDIRECT --to-ports 5353 +PostDown = iptables -t nat -D PREROUTING -i %i -p udp --dport 5353 -j REDIRECT --to-ports 5353 +PostDown = iptables -t nat -D PREROUTING -i %i -p tcp --syn -j REDIRECT --to-ports 9040 +PostDown = iptables -t nat -D OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports 9040 + +# earth +[Peer] +PublicKey = HhBhDQmGzltIGQOn+clbRIkQt7ocPAuqsUS+ytinIwU= +AllowedIPs = 10.0.2.2/32 |