Added the "install_wireguard" role

2024-05-12 13:16:42 +02:00
parent cdd7baf40e
commit 1edaaff9c9
18 changed files with 429 additions and 39 deletions


@@ -0,0 +1,27 @@
#!/usr/bin/env bash
{{ ansible_managed | comment('plain') }}
set -xeu
WG_INTERFACE=$1
iptables $2 FORWARD -i $WG_INTERFACE -j ACCEPT
iptables $2 FORWARD -o $WG_INTERFACE -j ACCEPT
iptables -t nat $2 POSTROUTING -o {{ ansible_facts.default_ipv4.interface }} -j MASQUERADE
{% if (install_wireguard__forward_tcp_ports is defined) and install_wireguard__forward_tcp_ports %}
for TCP_PORT in {{ install_wireguard__forward_tcp_ports | join(" ") }}; do
iptables $2 FORWARD -i {{ ansible_facts.default_ipv4.interface }} -o $WG_INTERFACE -p tcp --syn --dport $TCP_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat $2 PREROUTING -i {{ ansible_facts.default_ipv4.interface }} -p tcp --dport $TCP_PORT -j DNAT --to-destination {{ install_wireguard__peer_ip }}
iptables -t nat $2 POSTROUTING -o $WG_INTERFACE -p tcp --dport $TCP_PORT -d {{ install_wireguard__peer_ip }} -j SNAT --to-source {{ install_wireguard__server_ip }}
done
{% endif %}
{% if (install_wireguard__forward_udp_ports is defined) and install_wireguard__forward_udp_ports %}
for UDP_PORT in {{ install_wireguard__forward_udp_ports | join(" ") }}; do
iptables $2 FORWARD -i {{ ansible_facts.default_ipv4.interface }} -o $WG_INTERFACE -p udp --dport $UDP_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat $2 PREROUTING -i {{ ansible_facts.default_ipv4.interface }} -p udp --dport $UDP_PORT -j DNAT --to-destination {{ install_wireguard__peer_ip }}
iptables -t nat $2 POSTROUTING -o $WG_INTERFACE -p udp --dport $UDP_PORT -d {{ install_wireguard__peer_ip }} -j SNAT --to-source {{ install_wireguard__server_ip }}
done
{% endif %}
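Review bot: The MASQUERADE rule in the nat POSTROUTING chain (the line after the two FORWARD accepts) is not scoped to the tunnel, so every forwarded packet that leaves the default interface is source-NATed, not only the peer's; `iptables -t nat $2 POSTROUTING -s {{ install_wireguard__peer_ip }} -o {{ ansible_facts.default_ipv4.interface }} -j MASQUERADE` limits it to traffic that actually arrived from the WireGuard peer. The two FORWARD accepts above it are equally unqualified (any source, any destination, both directions through the tunnel), which may be the intended full-tunnel design but deserves a comment so a later multi-peer or split-tunnel change does not inherit it silently. The per-port FORWARD accepts inside both loops appear redundant with the earlier `-o $WG_INTERFACE -j ACCEPT`, which already admits everything forwarded into the tunnel before the loop rules are reached. `$1`, `$2`, `$WG_INTERFACE`, `$TCP_PORT` and `$UDP_PORT` are unquoted; `set -u` aborts on a missing argument, but `WG_INTERFACE="$1"` and quoting the other expansions is still the expected idiom and ShellCheck will flag them.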


@@ -0,0 +1,17 @@
{{ ansible_managed | comment('plain') }}
[Interface]
PrivateKey = {{ keys["peer_private"] }}
Address = {{ install_wireguard__peer_ip }}
{% if install_wireguard__dns_servers != 0 %}
DNS = {{ install_wireguard__dns_servers | join(", ") }}
{% endif %}
[Peer]
PublicKey = {{ keys["server_public"] }}
PresharedKey = {{ keys["preshared"] }}
AllowedIPs = 0.0.0.0/0
Endpoint = {{ ansible_facts.default_ipv4.address }}:{{ install_wireguard__server_port }}
{% if install_wireguard__keepalive != 0 %}
PersistentKeepalive = {{ install_wireguard__keepalive }}
{% endif %}
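Review bot: The `{% if install_wireguard__dns_servers != 0 %}` guard before the DNS line compares a list with the integer 0, which is true even for an empty list, so `install_wireguard__dns_servers: []` renders a bare `DNS = ` line; `{% if install_wireguard__dns_servers %}` is the truthiness test that handles both the empty and the populated case (the keepalive guard below compares an integer and is fine). `AllowedIPs = 0.0.0.0/0` routes only IPv4 through the tunnel, so a peer with native IPv6 connectivity sends that traffic outside the tunnel unless `::/0` is listed as well, which in turn requires the server side to carry v6 or the peer simply loses v6 — worth a comment on the chosen behaviour either way. The rendered file holds the peer's private key and the preshared key, so the task that writes it (outside this section) should restrict it to mode 0600. Endpoint is built from the server's default IPv4 address, which will be a private address when the server sits behind NAT; an override variable may be needed there.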


@@ -0,0 +1,13 @@
{{ ansible_managed | comment('plain') }}
[Interface]
PrivateKey = {{ keys["server_private"] }}
ListenPort = {{ install_wireguard__server_port }}
Address = {{ install_wireguard__server_ip }}
PostUp = /etc/wireguard/iptables.sh %i -A
PostDown = /etc/wireguard/iptables.sh %i -D
[Peer]
PublicKey = {{ keys["peer_public"] }}
PresharedKey = {{ keys["preshared"] }}
AllowedIPs = {{ install_wireguard__peer_ip }}
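Review bot: The file embeds the server private key and the preshared key, and PostUp/PostDown execute `/etc/wireguard/iptables.sh` as root, so the task that deploys both files (outside this section) needs root ownership and a restrictive mode — 0600 for this config and a non-world-writable mode for the script, since anything that can modify the script runs as root at the next interface start. `Address = {{ install_wireguard__server_ip }}` carries no prefix length, so wg-quick presumably installs it as a host address and the route to the peer comes only from AllowedIPs; that works for this single-peer layout but will need a subnet once more peers are added. ListenPort is configured but the iptables script adds no INPUT rule for it, so on a host whose INPUT policy is DROP the handshake never arrives — if the role relies on the environment for that, a comment here would save the next reader a debugging session.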