Compare commits
No commits in common. "688c1d0fa5bdd92a59072f9d160b23ace08f4062" and "e65032c158e8932395c5bf6a66e3f1fc43ad501f" have entirely different histories.
688c1d0fa5
...
e65032c158
2
.gitignore
vendored
2
.gitignore
vendored
@ -1,5 +1,3 @@
|
|||||||
.terraform
|
.terraform
|
||||||
wireguard_profiles/*
|
wireguard_profiles/*
|
||||||
*~
|
*~
|
||||||
inventory/*
|
|
||||||
.DS_Store
|
|
||||||
@ -29,6 +29,17 @@
|
|||||||
roles:
|
roles:
|
||||||
- aws_graviton_nano_spot
|
- aws_graviton_nano_spot
|
||||||
|
|
||||||
- name: Include playbook to install wireguard
|
- name: Install wireguard server on launched hosts
|
||||||
import_playbook: wireguard.yml
|
hosts: launched
|
||||||
|
remote_user: admin
|
||||||
|
become: true
|
||||||
|
vars_prompt:
|
||||||
|
- name: vpn_clients
|
||||||
|
prompt: Number of vpn clients to be generated
|
||||||
|
default: 1
|
||||||
|
private: no
|
||||||
|
vars:
|
||||||
|
vpn_network: '10.100.100'
|
||||||
|
vpn_port: '58172'
|
||||||
|
roles:
|
||||||
|
- wireguard_server
|
||||||
|
|||||||
@ -2,13 +2,12 @@
|
|||||||
amazon.aws.ec2_key:
|
amazon.aws.ec2_key:
|
||||||
name: vpn_key
|
name: vpn_key
|
||||||
key_material: "{{ lookup('file', '{{ ssh_pub_key_file }}') }}"
|
key_material: "{{ lookup('file', '{{ ssh_pub_key_file }}') }}"
|
||||||
region: "{{ aws_region }}"
|
|
||||||
|
|
||||||
- name: network security policy that allows all traffic incoming and outgoing
|
- name: network security policy that allows all traffic incoming and outgoing
|
||||||
amazon.aws.ec2_group:
|
amazon.aws.ec2_group:
|
||||||
region: "{{ aws_region }}"
|
|
||||||
name: "vpn allow all"
|
name: "vpn allow all"
|
||||||
description: allow all traffic/protocol/ports
|
description: allow all traffic/protocol/ports
|
||||||
|
region: "{{ aws_region }}"
|
||||||
rules:
|
rules:
|
||||||
- proto: all
|
- proto: all
|
||||||
cidr_ip: 0.0.0.0/0
|
cidr_ip: 0.0.0.0/0
|
||||||
|
|||||||
@ -26,53 +26,42 @@
|
|||||||
- name: ensure wireguard services are stopped
|
- name: ensure wireguard services are stopped
|
||||||
command: "systemctl stop wg-quick@wg0"
|
command: "systemctl stop wg-quick@wg0"
|
||||||
|
|
||||||
- name: generate directory for server configs
|
|
||||||
file:
|
|
||||||
path: "~/wg/wireguard-server"
|
|
||||||
state: directory
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0700
|
|
||||||
|
|
||||||
- name: generate directories for client configs
|
- name: generate directories for client configs
|
||||||
file:
|
file:
|
||||||
path: "~/wg/{{ item }}"
|
path: "~/wg/client_{{ item }}"
|
||||||
state: directory
|
state: directory
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: 0700
|
mode: 0700
|
||||||
with_items: "{{ vpn_client_names }}"
|
with_sequence: start=1 end={{ vpn_clients }}
|
||||||
|
|
||||||
- name: generate private key for the server
|
- name: generate private and public keys for the client and server
|
||||||
shell: umask 077; wg genkey | tee ~/wg/wireguard-server.private
|
shell: umask 077; wg genkey | tee ~/wg/{{ item }}.private | wg pubkey > ~/wg/{{ item }}.public
|
||||||
register: vpn_server_private_key
|
register: key_files
|
||||||
|
with_sequence: start=0 end={{ vpn_clients }}
|
||||||
|
|
||||||
- name: generate public key for the server
|
- name: register private key file contents
|
||||||
shell: umask 077; cat ~/wg/wireguard-server.private | wg pubkey | tee ~/wg/wireguard-server.public
|
shell: cat ~/wg/{{ item }}.private
|
||||||
register: vpn_server_public_key
|
register: private_key_files
|
||||||
|
with_sequence: start=0 end={{ vpn_clients }}
|
||||||
- name: generate private keys for clients
|
|
||||||
shell: umask 077; wg genkey | tee ~/wg/{{ item }}/wg0.private
|
|
||||||
register: vpn_client_private_keys
|
|
||||||
with_items: "{{ vpn_client_names }}"
|
|
||||||
|
|
||||||
- name: generate public keys for clients
|
- name: register public key file contents
|
||||||
shell: umask 077; cat ~/wg/{{ item }}/wg0.private | wg pubkey | tee ~/wg/{{ item }}/wg0.public
|
shell: cat ~/wg/{{ item }}.public
|
||||||
register: vpn_client_public_keys
|
register: public_key_files
|
||||||
with_items: "{{ vpn_client_names }}"
|
with_sequence: start=0 end={{ vpn_clients }}
|
||||||
|
|
||||||
- name: generate client configs
|
- name: generate client configs
|
||||||
template:
|
template:
|
||||||
src: "wg0-client.conf"
|
src: "wg0-client.conf"
|
||||||
dest: "~/wg/{{ item.item }}/wg0-client.conf"
|
dest: "~/wg/client_{{ item }}/wg0-client.conf"
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: 0600
|
mode: 0600
|
||||||
with_items: "{{ vpn_client_private_keys.results }}"
|
with_sequence: start=1 end={{ vpn_clients }}
|
||||||
|
|
||||||
- name: generate qr codes for client configs
|
- name: generate qr codes for client configs
|
||||||
shell: umask 077; qrencode --type=PNG --output=/root/wg/{{ item }}/wg0-client.png < ~/wg/{{ item }}/wg0-client.conf
|
shell: umask 077; qrencode --type=PNG --output=/root/wg/client_{{ item }}/wg0-client.png < ~/wg/client_{{ item }}/wg0-client.conf
|
||||||
with_items: "{{ vpn_client_names }}"
|
with_sequence: start=1 end={{ vpn_clients }}
|
||||||
|
|
||||||
- name: generate server config
|
- name: generate server config
|
||||||
template:
|
template:
|
||||||
@ -98,14 +87,15 @@
|
|||||||
|
|
||||||
- name: download client conf files to the "wireguard_profiles/" folder on your local host
|
- name: download client conf files to the "wireguard_profiles/" folder on your local host
|
||||||
fetch:
|
fetch:
|
||||||
src: "~/wg/{{item}}/wg0-client.conf"
|
src: "~/wg/client_{{item}}/wg0-client.conf"
|
||||||
dest: "wireguard_profiles/{{ ansible_ssh_host }}/{{item}}/"
|
dest: "wireguard_profiles/{{ ansible_ssh_host }}/client_{{item}}/"
|
||||||
flat: yes
|
flat: yes
|
||||||
with_items: "{{ vpn_client_names }}"
|
with_sequence: start=1 end={{ vpn_clients }}
|
||||||
|
|
||||||
- name: download client conf files to the "wireguard_profiles/" folder on your local host
|
- name: download client qr codes to the "wireguard_profiles/" folder on your local host
|
||||||
fetch:
|
fetch:
|
||||||
src: "~/wg/{{item}}/wg0-client.png"
|
src: "~/wg/client_{{item}}/wg0-client.png"
|
||||||
dest: "wireguard_profiles/{{ ansible_ssh_host }}/{{item}}/"
|
dest: "wireguard_profiles/{{ ansible_ssh_host }}/client_{{item}}/"
|
||||||
flat: yes
|
flat: yes
|
||||||
with_items: "{{ vpn_client_names }}"
|
with_sequence: start=1 end={{ vpn_clients }}
|
||||||
|
|
||||||
@ -1,10 +1,10 @@
|
|||||||
[Interface]
|
[Interface]
|
||||||
Address = {{ vpn_network }}.{{item|int + 1}}/32
|
Address = {{ vpn_network }}.{{item|int + 1}}/32
|
||||||
DNS = 9.9.9.9
|
DNS = 9.9.9.9
|
||||||
PrivateKey = {{ item.stdout }}
|
PrivateKey = {{ private_key_files.results[item|int].stdout }}
|
||||||
|
|
||||||
[Peer]
|
[Peer]
|
||||||
PublicKey = {{ vpn_server_public_key.stdout }}
|
PublicKey = {{ public_key_files.results[0].stdout }}
|
||||||
AllowedIPs = 0.0.0.0/0
|
AllowedIPs = 0.0.0.0/0
|
||||||
Endpoint = {{ ansible_ssh_host }}:{{ vpn_port }}
|
Endpoint = {{ ansible_ssh_host }}:{{ vpn_port }}
|
||||||
PersistentKeepalive = 0
|
PersistentKeepalive = 0
|
||||||
|
|||||||
@ -2,13 +2,13 @@
|
|||||||
Address = {{ vpn_network }}.1/24
|
Address = {{ vpn_network }}.1/24
|
||||||
SaveConfig = false
|
SaveConfig = false
|
||||||
ListenPort = {{ vpn_port }}
|
ListenPort = {{ vpn_port }}
|
||||||
PrivateKey = {{ vpn_server_private_key.stdout }}
|
PrivateKey = {{ private_key_files.results[0].stdout }}
|
||||||
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens5 -j MASQUERADE
|
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens5 -j MASQUERADE
|
||||||
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens5 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens5 -j MASQUERADE
|
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens5 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens5 -j MASQUERADE
|
||||||
|
|
||||||
{% for i in range(vpn_client_public_keys.results|int) %}
|
{% for i in range(vpn_clients|int) %}
|
||||||
[Peer]
|
[Peer]
|
||||||
PublicKey = {{ vpn_client_public_keys.results[i].stdout }}
|
PublicKey = {{ public_key_files.results[i + 1].stdout }}
|
||||||
AllowedIPs = {{ vpn_network }}.{{ i + 2 }}/32
|
AllowedIPs = {{ vpn_network }}.{{ i + 2 }}/32
|
||||||
|
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
@ -1,17 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Install wireguard server on launched hosts
|
|
||||||
hosts: launched
|
|
||||||
remote_user: admin
|
|
||||||
become: true
|
|
||||||
vars_prompt:
|
|
||||||
- name: vpn_clients_text
|
|
||||||
prompt: Please provide a space separated list of clients keys to generate (e.g. "mobilephone dekstop"
|
|
||||||
default: ""
|
|
||||||
private: no
|
|
||||||
vars:
|
|
||||||
vpn_client_names: "{{ vpn_clients_text.split(' ') }}"
|
|
||||||
vpn_clients: []
|
|
||||||
vpn_network: '10.100.100'
|
|
||||||
vpn_port: '58172'
|
|
||||||
roles:
|
|
||||||
- wireguard_server
|
|
||||||
Loading…
x
Reference in New Issue
Block a user