commit 85c5bf583819e51ba93f1d734c07fea87f5541fe Author: Antonio J. Delgado Date: Tue Oct 11 10:19:17 2022 +0300 Initial commit with previous code
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..9985816
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,11 @@
+---
+# Default values for variables of the role
+# variable_name: value
+address: '192.168.2.1/24'
+listenport: '1928'
+privatekey: ''
+interface_name: wg0
+clients:
+ - name: client1
+ PublicKey: 'Som3thing='
+ AllowedIPs: '192.168.2.2/32'
\ No newline at end of file
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..8b786ab
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,6 @@
+- name: Restart Wireguard service
+ systemd:
+ name: "wg-quick@{{ interface_name }}"
+ state: restarted
+ enabled: yes
+ daemon_reload: yes
diff --git a/tasks/configure.yml b/tasks/configure.yml
new file mode 100644
index 0000000..f9d5b6e
--- /dev/null
+++ b/tasks/configure.yml
@@ -0,0 +1,42 @@
+---
+- name: Ensure Wireguard server is configure
+ template:
+ src: templates/wireguard_server.conf
+ dest: "/etc/wireguard/{{ interface_name }}.conf"
+ notify:
+ - Restart Wireguard service
+
+- name: Ensure UFW firewall rule exists
+ ufw:
+ rule: allow
+ port: "{{ listenport }}"
+ comment: 'Wireguard server listener'
+ proto: udp
+
+- name: Ensure UFW firewall routes
+ ufw:
+ default: allow
+ direction: routed
+
+- name: Ensure IPv4 forwarding works
+ sysctl:
+ name: net.ipv4.ip_forward
+ value: '1'
+ sysctl_set: yes
+
+- name: Ensure IPv6 forwarding works
+ sysctl:
+ name: net.ipv6.conf.all.forwarding
+ value: '1'
+ sysctl_set: yes
+
+- name: Ensure Wireguard service is running for {{ interface_name }}
+ systemd:
+ name: "wg-quick@{{ interface_name }}"
+ state: started
+ daemon_reload: yes
+
+- name: Ensure VPN traffic is enabled
+ ufw:
+ from_ip: 192.168.2.0/24
+ rule: allow
\ No newline at end of file
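Review bot: `public_interface`, which the templates/wireguard_server.conf hunk in this commit expands in its PostUp/PostDown lines, has no entry in this defaults file, so a play that does not set it explicitly fails when the template renders; either add a documented default here or state in the header comment that it is required input. The sample peer under `clients` is also a live default: `'Som3thing='` does not look like a valid WireGuard public key, so a role used without overriding `clients` would render a peer that wg-quick is likely to reject, and `clients: []` with the example moved into the comment is the safer default. `privatekey: ''` is fine as an empty placeholder, but the header comment should say the real value belongs in a vaulted variable rather than in this file, e.g. `# privatekey: set from an ansible-vault encrypted var, never in defaults`.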
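Review bot: `enabled: yes` and `daemon_reload: yes` use YAML 1.1 truthy spellings; `enabled: true` and `daemon_reload: true` parse identically on every loader and satisfy yamllint's truthy rule, and the same spelling appears on the `sysctl_set: yes`, `daemon_reload: yes` and `update_cache: yes` lines in tasks/configure.yml and tasks/install.yml in this commit. This file is also the only one in the commit that does not begin with a `---` document-start line, which the other YAML files use.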
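Review bot: The first task renders a file that contains the interface's private key to `/etc/wireguard/{{ interface_name }}.conf` without setting ownership or permissions, so the file is created with the mode derived from the remote umask and can end up world-readable; add `owner: root`, `group: root` and `mode: '0600'` to the `template:` arguments. The last task allows everything from the literal `192.168.2.0/24` even though the VPN network is already defined by `address` in defaults/main.yml, so the two values can silently drift apart; derive the rule's source from `address` rather than keeping a second copy. The `default: allow` / `direction: routed` task opens forwarding for all routed traffic on the host, not only traffic entering via the WireGuard interface, which is broader than the role name suggests and deserves at least a comment; the ufw module's `route`/`interface_in` parameters allow a narrower rule if that is intended. The first task's name reads "is configure" and should be "is configured".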
diff --git a/tasks/install.yml b/tasks/install.yml
new file mode 100644
index 0000000..062b881
--- /dev/null
+++ b/tasks/install.yml
@@ -0,0 +1,17 @@
+---
+- name: Ensure Wireguard is installed (Ubuntu >= 19.10)
+ apt:
+ name: wireguard
+ when: ansible_distribution_major_version|int >= 20 or ansible_distribution_version == '19.10'
+
+- apt_repository:
+ repo: ppa:wireguard/wireguard
+ state: absent
+ when: ansible_distribution_major_version|int < 20 and ansible_distribution_version != '19.10'
+
+- name: Ensure Wireguard is installed (Ubuntu < 19.10)
+ apt:
+ name: wireguard
+ state: latest
+ update_cache: yes
+ when: ansible_distribution_major_version|int < 20 and ansible_distribution_version != '19.10'
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..cbe813e
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Ensure installation
+ include_tasks: install.yml
+- name: Ensure configuration
+ include_tasks: configure.yml
\ No newline at end of file
diff --git a/templates/wireguard_server.conf b/templates/wireguard_server.conf
new file mode 100644
index 0000000..31fb6c1
--- /dev/null
+++ b/templates/wireguard_server.conf
@@ -0,0 +1,13 @@
+[Interface]
+Address = {{ address }}
+PrivateKey = {{ privatekey }}
+ListenPort = {{ listenport }}
+PostUp = iptables -t nat -A POSTROUTING -o {{ public_interface }} -j MASQUERADE; ip6tables -t nat -A POSTROUTING -o {{ public_interface }} -j MASQUERADE
+PostDown = iptables -t nat -D POSTROUTING -o {{ public_interface }} -j MASQUERADE; ip6tables -t nat -D POSTROUTING -o {{ public_interface }} -j MASQUERADE
+{% for item in clients %}
+
+# Client: {{ item.name }}
+[Peer]
+PublicKey = {{ item.PublicKey }}
+AllowedIPs = {{ item.AllowedIPs }}
+{% endfor %}
\ No newline at end of file
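Review bot: The three `when` clauses test only `ansible_distribution_major_version` and `ansible_distribution_version`, so the "Ubuntu" qualifier in the task names is never enforced and a non-Ubuntu host whose major version happens to be below 20 is routed into the Ubuntu PPA branch; prefix each condition with `ansible_distribution == 'Ubuntu' and`, or add an `assert` on `ansible_distribution` at the top of the file. The `apt_repository` task has no `name:`, so it appears in play output only as a bare module name. `state: latest` on the second install task upgrades the package on every run instead of ensuring it is present, which makes the role's effect depend on when it last ran; `state: present` would match the first task.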
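Review bot: `PrivateKey = {{ privatekey }}` renders without a guard, and `privatekey` defaults to `''` in this commit's defaults/main.yml, so a missing key produces a config whose failure surfaces only when wg-quick starts rather than at the Ansible task; `PrivateKey = {{ privatekey | mandatory }}` fails the template task with the variable name instead. The same applies to `{{ public_interface }}` on the PostUp and PostDown lines, which has no default at all, so `{{ public_interface | mandatory }}` documents the requirement where it is consumed. Those two lines also splice `public_interface` directly into shell commands that wg-quick runs as root, so a header comment such as `{# public_interface must be a plain interface name; it is not quoted or validated here #}` would make the contract explicit for the caller.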