authorDmitry Ilvokhin <d@ilvokhin.com>2024-05-27 10:45:25 +0100
committerDmitry Ilvokhin <d@ilvokhin.com>2024-05-27 10:45:25 +0100
commitda9620ed0709be25b4ced254ca0f131f637bcfe6 (patch)
treeb602e022d6df01539828be813907d7b39734c3d7
parentda82868f7aee3997994474fd3c5a72e3676070c2 (diff)
downloadinfra-da9620ed0709be25b4ced254ca0f131f637bcfe6.tar.gz
infra-da9620ed0709be25b4ced254ca0f131f637bcfe6.tar.bz2
infra-da9620ed0709be25b4ced254ca0f131f637bcfe6.zip
Add wgvpn role for WireGuard VPN
-rw-r--r--roles/wgvpn/files/wgvpn.conf2
-rw-r--r--roles/wgvpn/handlers/main.yml9
-rw-r--r--roles/wgvpn/meta/main.yml3
-rw-r--r--roles/wgvpn/tasks/main.yml23
-rw-r--r--roles/wgvpn/templates/wg1.conf.j217
-rw-r--r--vpn.yml1
6 files changed, 55 insertions, 0 deletions
diff --git a/roles/wgvpn/files/wgvpn.conf b/roles/wgvpn/files/wgvpn.conf
new file mode 100644
index 0000000..7ed621e
--- /dev/null
+++ b/roles/wgvpn/files/wgvpn.conf
@@ -0,0 +1,2 @@
+[Resolve]
+DNSStubListenerExtra=10.0.1.1
diff --git a/roles/wgvpn/handlers/main.yml b/roles/wgvpn/handlers/main.yml
new file mode 100644
index 0000000..15cde1e
--- /dev/null
+++ b/roles/wgvpn/handlers/main.yml
@@ -0,0 +1,9 @@
+- name: Reload wgvpn
+ ansible.builtin.service:
+ name: wg-quick@wg1
+ state: reloaded
+
+- name: Restart systemd-resolved
+ ansible.builtin.service:
+ name: systemd-resolved
+ state: restart
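Review bot: `state: restart` on the `Restart systemd-resolved` handler is not an accepted value for `ansible.builtin.service` (the choices are `reloaded`, `restarted`, `started`, `stopped`), so the handler will error the first time the resolved drop-in changes; it should read `state: restarted`. The `Reload wgvpn` handler depends on `wg-quick@.service` providing an `ExecReload`, which current wireguard-tools implement with `wg syncconf`; if that is the mechanism here, a reload picks up peer and key changes but not `Address` or the `PostUp`/`PostDown` rules from the template, which need a full restart. A comment on that handler stating the limitation, e.g. `# syncconf reload: Address/PostUp/PostDown changes require state: restarted`, would keep the next editor of wg1.conf.j2 from expecting them to apply.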
diff --git a/roles/wgvpn/meta/main.yml b/roles/wgvpn/meta/main.yml
new file mode 100644
index 0000000..aede5ad
--- /dev/null
+++ b/roles/wgvpn/meta/main.yml
@@ -0,0 +1,3 @@
+dependencies:
+ - role: netfwd
+ - role: wireguard
diff --git a/roles/wgvpn/tasks/main.yml b/roles/wgvpn/tasks/main.yml
new file mode 100644
index 0000000..8dc0e3b
--- /dev/null
+++ b/roles/wgvpn/tasks/main.yml
@@ -0,0 +1,23 @@
+- name: Configure WireGuard for wgvpn
+ ansible.builtin.template:
+ src: templates/wg1.conf.j2
+ dest: /etc/wireguard/wg1.conf
+ owner: root
+ group: root
+ mode: u+rw,g-rw,o-rw
+ notify: Reload wgvpn
+
+- name: Configure systemd-resolved for wgvpn
+ ansible.builtin.copy:
+ src: files/wgvpn.conf
+ dest: /etc/systemd/resolved.conf.d/wgvpn.conf
+ owner: root
+ group: root
+ mode: u+rw,g+r,o+r
+ notify: Restart systemd-resolved
+
+- name: Enable WireGuard service for wgvpn
+ ansible.builtin.service:
+ name: wg-quick@wg1
+ enabled: yes
+ state: started
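Review bot: `mode: u+rw,g-rw,o-rw` on the wg1.conf template task only strips read/write bits, so it leaves any group/other execute bit in place and makes the final mode depend on the file's prior permissions, while this file carries the interface private key; an explicit `mode: "0600"` (quoted so YAML does not read it as an integer) pins the result, and the same applies to the drop-in task, `mode: "0644"`. `ansible.builtin.copy` does not create parent directories, and nothing in this commit creates `/etc/systemd/resolved.conf.d/`, so on a host where that directory is absent the second task fails; a preceding `ansible.builtin.file` task with `state: directory` makes the role self-contained (shown below). `enabled: yes` should be `enabled: true`, since `yes` is a YAML 1.1 boolean that yamllint and 1.2 parsers treat differently. With `--diff` the template task prints the rendered wg1.conf including the private key, so `diff: false` on that task is worth adding.
```yaml
- name: Ensure systemd-resolved drop-in directory exists
  ansible.builtin.file:
    path: /etc/systemd/resolved.conf.d
    state: directory
    owner: root
    group: root
    mode: "0755"

# … unchanged: WireGuard template task (with mode: "0600", diff: false), resolved drop-in copy task (with mode: "0644"), service task (with enabled: true) …
```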
diff --git a/roles/wgvpn/templates/wg1.conf.j2 b/roles/wgvpn/templates/wg1.conf.j2
new file mode 100644
index 0000000..8a930ac
--- /dev/null
+++ b/roles/wgvpn/templates/wg1.conf.j2
@@ -0,0 +1,17 @@
+[Interface]
+PrivateKey = {{ wireguard_private_key }}
+Address = 10.0.1.1/24
+ListenPort = 51821
+
+PostUp = iptables -A FORWARD -i %i -j ACCEPT
+PostUp = iptables -A FORWARD -o %i -j ACCEPT
+PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+
+PostDown = iptables -D FORWARD -i %i -j ACCEPT;
+PostDown = iptables -D FORWARD -o %i -j ACCEPT;
+PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+# earth
+[Peer]
+PublicKey = HhBhDQmGzltIGQOn+clbRIkQt7ocPAuqsUS+ytinIwU=
+AllowedIPs = 10.0.1.2/32
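Review bot: The first two `PostDown` lines end in `;` while the third and all `PostUp` lines do not; wg-quick runs each hook through `bash -c`, so the stray semicolons are harmless, but they read as a leftover from a single-line form and should be dropped for consistency, `PostDown = iptables -D FORWARD -i %i -j ACCEPT`. The MASQUERADE rule hard-codes `eth0` as the upstream interface while the private key is already templated; if hosts applying this role differ in interface naming, a variable or the `ansible_default_ipv4.interface` fact would avoid a silent NAT failure. The two `FORWARD` rules accept all traffic in and out of `%i`, which may be intended for a full-tunnel VPN; if peers are only meant to reach particular networks, a comment stating that intent, or `-d`/`-s` constraints, would document the chosen scope.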
diff --git a/vpn.yml b/vpn.yml
index bba7ac9..7360062 100644
--- a/vpn.yml
+++ b/vpn.yml
@@ -2,3 +2,4 @@
hosts: vpn
roles:
- { role: wgnet }
+ - { role: wgvpn }