initial commit

2023-02-08 15:04:36 +01:00
commit bc06adc15a
5 changed files with 138 additions and 0 deletions
--- a/README.md
+++ b/README.md
@@ -0,0 +1,5 @@
 # wg-roadwarrior
 Ansible Playbook for a simple Wireguard VPN
 # License
 All code In this repository is piblished as Public Domain and may be used by anyone without any restrictions
--- a/example.yml
+++ b/example.yml
@@ -0,0 +1,30 @@
 all:
  children:
    wg_server:
      hosts:
        vpnserver:
          wg_key: q2w3e4r5t6
          wg_ip4: "10.0.0.0/24"
          wg_ip6: "fd01::/64"
          wg_dns: "1.2.3.4"
          wg_hostname: "vpn.example.com"
          wg_port: "666"
          wg_routes:
            - "0.0.0.0/0"
            - "::/0"
          wg_interface: "wg0"
          wg_extraconf:
            - "PostUp = ip6tables -t nat -A POSTROUTING -s fd01::/64 -o eth0 ! -d fc00::/7 -j MASQUERADE"
            - "PreDown = ip6tables -t nat -D POSTROUTING -s fd01::/64 -o eth0 ! -d fc00::/7 -j MASQUERADE"
    wg_clients:
      hosts:
        client_1:
          wg_key: asdfg
          wg_ip4: "10.0.0.2"
          wg_ip6: "fd01::2"
        clinet_2:
          wg_key: qwerty
          wg_ip4: "10.0.0.3"
          wg_ip6: "fd01::3"
 # vim: shiftwidth=2
--- a/wg_client.j2
+++ b/wg_client.j2
@@ -0,0 +1,18 @@
 {% set client = hostvars[item] %}
 {% set servername = groups['wg_server'][0] %}
 {% set server = hostvars[servername] %}
 [Interface]
 PrivateKey = {{ client.wg_key }}
 {% if client.wg_ip4 | default(false) %}
 Address = {{ client.wg_ip4 }}
 {% endif %}
 {% if client.wg_ip6 | default(false) %}
 Address = {{ client.wg_ip6 }}
 {% endif %}
 DNS = {{ server.wg_dns }}
 [Peer]
 PublicKey = {{ server_pubkey.stdout }}
 Endpoint = {{ server.wg_hostname }}:{{ server.wg_port }}
 AllowedIPs = {{ server.wg_routes | join(',') }}
 PersistentKeepalive = 25
--- a/wg_server.j2
+++ b/wg_server.j2
@@ -0,0 +1,31 @@
 [Interface]
 PrivateKey = {{ wg_key }}
 ListenPort = {{ wg_port }}
 {% if wg_ip4 | default(false) %}
 Address = {{ wg_ip4 }}
 {% endif %}
 {% if wg_ip6 | default(false) %}
 Address = {{ wg_ip6 }}
 {% endif %}
 {% if wg_extraconf | default(false) %}
 {% for line in wg_extraconf %}
 {{ line }}
 {% endfor %}
 {% endif %}
 {% for clientname in groups['wg_clients'] %}
 {% set ip4 = hostvars[clientname].wg_ip4 | default(false) %}
 {% set ip6 = hostvars[clientname].wg_ip6 | default(false) %}
 {% set wg_pubkey = pubkeys.results | selectattr('item', 'match', clientname) | map(attribute='stdout') | first %}
 #{{ clientname }}
 [Peer]
 PublicKey = {{ wg_pubkey }}
 {% if ip4 and ip6 %}
 AllowedIPs = {{ ip4 }},{{ ip6 }}
 {% elif ip4 %}
 AllowedIPs = {{ ip4 }}
 {% elif ip6 %}
 AllowedIPs = {{ ip6 }}
 {% endif %}
 {% endfor %}
--- a/wireguard.yml
+++ b/wireguard.yml
@@ -0,0 +1,54 @@
 - name: Setup Wireguard server
  hosts: wg_server
  tasks:
    - name: Install wireguard
      apt:
        name:
          - wireguard
          - wireguard-tools
        state: present
      when: ansible_facts['os_family'] == "Debian"
    - name: generate public keys
      shell: "echo \"{{ hostvars[item].wg_key }}\" | wg pubkey"
      register: pubkeys
      delegate_to: localhost
      changed_when: false
      with_items: "{{ groups['wg_clients'] | list }}"
    - name: Generate Server wg-config
      template:
        src: wg_server.j2
        dest: "/etc/wireguard/{{ wg_interface }}.conf"
      notify: read wg config
 #    - name: Gemerate debian-specific interface-config
 #      template:
 #        src: debian_interface.j2
 #        dest: "/etc/network/interfaces.d/{{ wg_interface }}"
 #      when: ansible_facts['os_family'] == "Debian"
 #      notify: reload interface
    - name: Start and enable wg-quick service
      service:
        name: "wg-quick@{{ wg_interface }}"
        state: started
        enabled: true
  handlers:
    - name: read wg config
      shell: "wg syncconf {{ wg_interface }} <(wg-quick strip {{ wg_interface }})"
 #      command: "wg setconf {{ wg_interface }} /etc/wireguard/{{ wg_interface }}.conf"
 #    - name: reload interface
 #      shell: "ifdown {{ wg_interface }}; ifup {{ wg_interface }}"
 - name: Generate client configs
  hosts: localhost
  tasks:
    - name: Ensure cient conf directory exists
      file:
        path: wg_clients
        state: directory
    - name: generate server pubkey
      shell: "echo \"{{ hostvars[groups['wg_server'][0]].wg_key }}\" | wg pubkey"
      register: server_pubkey
      changed_when: false
    - name: generate client config
      template:
        src: wg_client.j2
        dest: "wg_clients/wg_{{ item }}.conf"
      with_items: "{{ groups['wg_clients'] | list }}"