stefan/wg-aws
1
0
Fork 0
Code Issues 1 Pull Requests Projects Releases Wiki Activity

Compare commits

base: stefan:0ba0c1ae164f4ea3643d08cc81058a181c556733
Branches Tags
stefan:master
stefan:features/ipv6
..
compare: stefan:688c1d0fa5bdd92a59072f9d160b23ace08f4062
Branches Tags
stefan:master
stefan:features/ipv6

No commits in common. "0ba0c1ae164f4ea3643d08cc81058a181c556733" and "688c1d0fa5bdd92a59072f9d160b23ace08f4062" have entirely different histories.
0ba0c1ae16 ... 688c1d0fa5

10 changed files with 8 additions and 144 deletions
Show Stats Expand all files Collapse all files

4
Readme.md
View File

@ -36,7 +36,3 @@ defaults by pressing return
1. Install wireguard client for your operating system (e.g. via package manager or Appstore) 1. Install wireguard client for your operating system (e.g. via package manager or Appstore)
2. Import the client profile that was created during the server installation. It is located in `wireguard_profiles` subfolder 2. Import the client profile that was created during the server installation. It is located in `wireguard_profiles` subfolder
as config file and as a qrcode png file to be scanned by mobile clients as config file and as a qrcode png file to be scanned by mobile clients
(!) under ubuntu, you have to enable tcp_mtu_probing e.g. by issuing 'echo 2 >
/proc/sys/net/ipv4/tcp_mtu_probing' or by setting 'net.ipv4.tcp_mtu_probing = 2'
/in /etc/sysctl.conf

3
create_aws_wireguard_server.yml
View File

@ -29,9 +29,6 @@
roles: roles:
- aws_graviton_nano_spot - aws_graviton_nano_spot
- name: include playbook for pihole
import_playbook: pihole.yml
- name: Include playbook to install wireguard - name: Include playbook to install wireguard
import_playbook: wireguard.yml import_playbook: wireguard.yml

15
pihole.yml
View File

@ -1,15 +0,0 @@
---
# INstall pihole
- name: Install pihole
hosts: launched
remote_user: admin
become: true
vars_prompt:
- name: install_pihole
prompt: Shall the wireguard server also act as pihole dns server (Defaults to false)?
default: false
private: no
roles:
- role: pihole
when: install_pihole

57
roles/pihole/tasks/main.yml
View File

@ -1,57 +0,0 @@
---
- name: Update APT package cache
apt:
update_cache: true
upgrade: dist
- name: Install git package
apt:
name: "git"
state: present
- name: '[main] Make sure /etc/pihole directory exists'
file:
state: directory
path: /etc/pihole
owner: root
group: root
mode: 0755
become: yes
- name: '[install] Clone pihole repo'
git:
repo: https://github.com/pi-hole/pi-hole.git
depth: 1
dest: /tmp/pi-hole
version: master
- name: '[install] Generate /etc/pihole/setupVars.conf for unattended install if it does not exist or if upgrading'
template:
src: setupVars.conf
dest: /etc/pihole/setupVars.conf
owner: root
group: root
mode: 0644
become: yes
- name: '[install] Install pihole'
command: 'bash /tmp/pi-hole/automated\ install/basic-install.sh --unattended'
become: yes
- name: '[install] Generate /etc/dnsmasq.d/01-pihole.conf'
template:
src: 01-pihole.conf
dest: /etc/dnsmasq.d/01-pihole.conf
become: yes
- name: '[install] Set cron job for daily pihole updates'
cron:
name: "daily pihole updater"
user: "{{ ansible_user_id }}"
minute: "0"
hour: "4"
job: "/usr/local/bin/pihole -up"
become: yes
tags: pihole

43
roles/pihole/templates/01-pihole.conf
View File

@ -1,43 +0,0 @@
# Pi-hole: A black hole for Internet advertisements
# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
# Network-wide ad blocking via your own hardware.
#
# Dnsmasq config for Pi-hole's FTLDNS
#
# This file is copyright under the latest version of the EUPL.
# Please see LICENSE file for your rights under this license.
###############################################################################
# FILE AUTOMATICALLY POPULATED BY PI-HOLE INSTALL/UPDATE PROCEDURE. #
# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
# #
# IF YOU WISH TO CHANGE THE UPSTREAM SERVERS, CHANGE THEM IN: #
# /etc/pihole/setupVars.conf #
# #
# ANY OTHER CHANGES SHOULD BE MADE IN A SEPARATE CONFIG FILE #
# WITHIN /etc/dnsmasq.d/yourname.conf #
###############################################################################
addn-hosts=/etc/pihole/local.list
addn-hosts=/etc/pihole/custom.list
localise-queries
no-resolv
cache-size=10000
#log-queries
log-facility=/var/log/pihole.log
local-ttl=2
log-async
server=9.9.9.9
server=149.112.112.112
interface=wg0
server=/use-application-dns.net/

12
roles/pihole/templates/setupVars.conf
View File

@ -1,12 +0,0 @@
PIHOLE_INTERFACE=wg0
IPV4_ADDRESS=10.100.100.1
IPV6_ADDRESS=
PIHOLE_DNS_1=9.9.9.9
PIHOLE_DNS_2=149.112.112.112
QUERY_LOGGING=false
INSTALL_WEB_SERVER=true
INSTALL_WEB_INTERFACE=true
LIGHTTPD_ENABLED=true
CACHE_SIZE=10000
WEBPASSWORD=7f1e9d01ec046e7e51e17bdad56720fdfea4b4dcc96169f67b0a114ce8a5f954
BLOCKING_ENABLED=true

3
roles/wireguard_server/tasks/main.yml
View File

@ -20,6 +20,9 @@
name: "qrencode" name: "qrencode"
state: present state: present
- name: Reboot to use new kernel
reboot:
- name: ensure wireguard services are stopped - name: ensure wireguard services are stopped
command: "systemctl stop wg-quick@wg0" command: "systemctl stop wg-quick@wg0"

4
roles/wireguard_server/templates/wg0-client.conf
View File

@ -1,6 +1,6 @@
[Interface] [Interface]
Address = {{ vpn_network }}.{{item|int + 2}}/32 Address = {{ vpn_network }}.{{item|int + 1}}/32
DNS = {{ dns_for_clients }} DNS = 9.9.9.9
PrivateKey = {{ item.stdout }} PrivateKey = {{ item.stdout }}
[Peer] [Peer]

7
roles/wireguard_server/templates/wg0.conf
View File

@ -6,10 +6,9 @@ PrivateKey = {{ vpn_server_private_key.stdout }}
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens5 -j MASQUERADE PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens5 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens5 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens5 -j MASQUERADE PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens5 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens5 -j MASQUERADE
{% for i in vpn_client_public_keys.results %} {% for i in range(vpn_client_public_keys.results|int) %}
# {{ i.item }}
[Peer] [Peer]
PublicKey = {{ i.stdout }} PublicKey = {{ vpn_client_public_keys.results[i].stdout }}
AllowedIPs = {{ vpn_network }}.{{ loop.index0 + 2 }}/32 AllowedIPs = {{ vpn_network }}.{{ i + 2 }}/32
{% endfor %} {% endfor %}

4
wireguard.yml
View File

@ -8,10 +8,6 @@
prompt: Please provide a space separated list of clients keys to generate (e.g. "mobilephone dekstop" prompt: Please provide a space separated list of clients keys to generate (e.g. "mobilephone dekstop"
default: "" default: ""
private: no private: no
- name: dns_for_clients
prompt: Please provide the dns that is announced to clients (e.g. 10.100.100.1 if pihole is used on server). Defaults to 9.9.9.9
default: "9.9.9.9"
private: no
vars: vars:
vpn_client_names: "{{ vpn_clients_text.split(' ') }}" vpn_client_names: "{{ vpn_clients_text.split(' ') }}"
vpn_clients: [] vpn_clients: []