Added the "install_wireguard" role

2024-05-12 13:16:42 +02:00
parent cdd7baf40e
commit 1edaaff9c9
18 changed files with 429 additions and 39 deletions
--- a/roles/install_wireguard/README.md
+++ b/roles/install_wireguard/README.md
@@ -0,0 +1,18 @@
+# Install Wireguard and configure IPTables
+
+This role will install a Wireguard server on a Debian VPS and configure
+IPTables to allow certian ports to be passed down to the peer.
+
+This role needs `become: true` to be set.
+
+## Variables
+
+| Name                                   | Is Required? | Default                  |
+|:--------------------------------------:|:------------:|:------------------------:|
+| `install_wireguard__server_ip`         | ✔️            | `"172.30.87.1"`          |
+| `install_wireguard__peer_ip`           | ✔️            | `"172.30.87.2"`          |
+| `install_wireguard__server_port`       | ✔️            | 51821                    |
+| `install_wireguard__keepalive`         | ✔️            | 25                       |
+| `install_wireguard__dns_servers`       | ✔️            | `["1.1.1.1", "1.0.0.1"]` |
+| `install_wireguard__forward_tcp_ports` | ✔️            | `[80, 443]`              |
+| `install_wireguard__forward_udp_ports` | ✔️            | `[51820]`                |
--- a/roles/install_wireguard/defaults/main.yml
+++ b/roles/install_wireguard/defaults/main.yml
@@ -0,0 +1,12 @@
+install_wireguard__server_ip: 172.30.87.1
+install_wireguard__peer_ip: 172.30.87.2
+install_wireguard__server_port: 51821
+install_wireguard__keepalive: 25
+install_wireguard__dns_servers:
+  - 1.1.1.1
+  - 1.0.0.1
+install_wireguard__forward_tcp_ports:
+  - 80
+  - 443
+install_wireguard__forward_udp_ports:
+  - 51820
--- a/roles/install_wireguard/tasks/main.yml
+++ b/roles/install_wireguard/tasks/main.yml
@@ -0,0 +1,90 @@
+- name: Install Wireguard
+  ansible.builtin.apt:
+    name: wireguard
+    update_cache: true
+
+- name: Enable IPv4 forward in /etc/sysctl.conf
+  ansible.posix.sysctl:
+    name: net.ipv4.ip_forward
+    value: "1"
+    sysctl_set: true
+
+- name: Create the /etc/wireguard/ansible directory
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0700"
+    owner: root
+    group: root
+  loop:
+    - /etc/wireguard
+    - /etc/wireguard/ansible
+
+- name: Create the keys
+  ansible.builtin.shell:
+    executable: /bin/bash
+    chdir: /etc/wireguard/ansible
+    creates: /etc/wireguard/ansible/preshared_key
+    cmd: |-
+      set -o pipefail
+      umask 077
+      wg genkey | tee server_private_key | wg pubkey > server_public_key
+      wg genkey | tee peer_private_key | wg pubkey > peer_public_key
+      openssl rand 32 | base64 > /etc/wireguard/ansible/preshared_key
+
+- name: Get the keys
+  block:
+    - name: Read the files in /etc/wireguard/ansible
+      ansible.builtin.slurp:
+        src: "/etc/wireguard/ansible/{{ item }}_key"
+      loop:
+        - server_public
+        - server_private
+        - peer_public
+        - peer_private
+        - preshared
+      register: tmp
+
+    - name: Extract the keys from the files
+      ansible.builtin.set_fact:
+        keys: "{{ keys | combine({item.item: (item.content | b64decode | trim)}) }}"
+      loop: "{{ tmp.results }}"
+      vars:
+        keys: {}
+      no_log: true
+
+- name: Create the configuration files
+  ansible.builtin.template:
+    src: "{{ item.name }}.j2"
+    dest: "/etc/wireguard/{{ item.name }}"
+    owner: root
+    group: root
+    mode: "{{ item.permissions }}"
+  loop:
+    - { name: "wg0.conf", permissions: "0600" }
+    - { name: "peer.conf", permissions: "0600" }
+    - { name: "iptables.sh", permissions: "0700" }
+  register: config_files
+  no_log: true
+
+- name: Start the Wireguard server
+  ansible.builtin.systemd_service:
+    enabled: true
+    state: |-
+      {%
+        set file_changed = config_files.results
+            | selectattr('item.name', 'in', ['wg0.conf', 'iptables.sh'])
+            | map(attribute='changed')
+            | select('equalto', True)
+            | list
+            | length > 0
+      %}
+      {{ "restarted" if file_changed else "started" }}
+    name: wg-quick@wg0
+
+- name: Download the Wireguard peer config
+  when: (config_files.results | selectattr('item.name', 'equalto', 'peer.conf') | map(attribute='changed'))[0]
+  ansible.builtin.fetch:
+    src: /etc/wireguard/peer.conf
+    dest: ../wireguard-configs/{{ inventory_hostname }}/vpn.conf
+    flat: true
--- a/roles/install_wireguard/templates/iptables.sh.j2
+++ b/roles/install_wireguard/templates/iptables.sh.j2
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+{{ ansible_managed | comment('plain') }}
+
+set -xeu
+
+WG_INTERFACE=$1
+
+iptables $2 FORWARD -i $WG_INTERFACE -j ACCEPT
+iptables $2 FORWARD -o $WG_INTERFACE -j ACCEPT
+iptables -t nat $2 POSTROUTING -o {{ ansible_facts.default_ipv4.interface }} -j MASQUERADE
+
+{% if (install_wireguard__forward_tcp_ports is defined) and install_wireguard__forward_tcp_ports %}
+for TCP_PORT in {{ install_wireguard__forward_tcp_ports | join(" ") }}; do
+    iptables $2 FORWARD -i {{ ansible_facts.default_ipv4.interface }} -o $WG_INTERFACE -p tcp --syn --dport $TCP_PORT -m conntrack --ctstate NEW -j ACCEPT
+    iptables -t nat $2 PREROUTING -i {{ ansible_facts.default_ipv4.interface }} -p tcp --dport $TCP_PORT -j DNAT --to-destination {{ install_wireguard__peer_ip }}
+    iptables -t nat $2 POSTROUTING -o $WG_INTERFACE -p tcp --dport $TCP_PORT -d {{ install_wireguard__peer_ip }} -j SNAT --to-source {{ install_wireguard__server_ip }}
+done
+{% endif %}
+
+{% if (install_wireguard__forward_udp_ports is defined) and install_wireguard__forward_udp_ports %}
+for UDP_PORT in {{ install_wireguard__forward_udp_ports | join(" ") }}; do
+    iptables $2 FORWARD -i {{ ansible_facts.default_ipv4.interface }} -o $WG_INTERFACE -p udp --dport $UDP_PORT -m conntrack --ctstate NEW -j ACCEPT
+    iptables -t nat $2 PREROUTING -i {{ ansible_facts.default_ipv4.interface }} -p udp --dport $UDP_PORT -j DNAT --to-destination {{ install_wireguard__peer_ip }}
+    iptables -t nat $2 POSTROUTING -o $WG_INTERFACE -p udp --dport $UDP_PORT -d {{ install_wireguard__peer_ip }} -j SNAT --to-source {{ install_wireguard__server_ip }}
+done
+{% endif %}
--- a/roles/install_wireguard/templates/peer.conf.j2
+++ b/roles/install_wireguard/templates/peer.conf.j2
@@ -0,0 +1,17 @@
+{{ ansible_managed | comment('plain') }}
+
+[Interface]
+PrivateKey = {{ keys["peer_private"] }}
+Address = {{ install_wireguard__peer_ip }}
+{% if install_wireguard__dns_servers != 0 %}
+DNS = {{ install_wireguard__dns_servers | join(", ") }}
+{% endif %}
+
+[Peer]
+PublicKey = {{ keys["server_public"] }}
+PresharedKey = {{ keys["preshared"] }}
+AllowedIPs = 0.0.0.0/0
+Endpoint = {{ ansible_facts.default_ipv4.address }}:{{ install_wireguard__server_port }}
+{% if install_wireguard__keepalive != 0 %}
+PersistentKeepalive = {{ install_wireguard__keepalive }}
+{% endif %}
--- a/roles/install_wireguard/templates/wg0.conf.j2
+++ b/roles/install_wireguard/templates/wg0.conf.j2
@@ -0,0 +1,13 @@
+{{ ansible_managed | comment('plain') }}
+
+[Interface]
+PrivateKey = {{ keys["server_private"] }}
+ListenPort = {{ install_wireguard__server_port }}
+Address = {{ install_wireguard__server_ip }}
+PostUp = /etc/wireguard/iptables.sh %i -A
+PostDown = /etc/wireguard/iptables.sh %i -D
+
+[Peer]
+PublicKey = {{ keys["peer_public"] }}
+PresharedKey = {{ keys["preshared"] }}
+AllowedIPs = {{ install_wireguard__peer_ip }}