Add wireguard config for glinet router

2024-04-23 22:19:57 +01:00 · 2024-04-23 22:19:57 +01:00 · 670ad78d44
commit 670ad78d44
parent 8929a22ce5
8 changed files with 91 additions and 9 deletions
--- a/ansible/main.yml
+++ b/ansible/main.yml
@ -17,6 +17,7 @@
    - fail2ban_ssh
    - restic
    - artis3n.tailscale
+    - glinet_vpn

 - hosts:
    - pve
--- a/ansible/roles/glinet_vpn/files/client.conf
+++ b/ansible/roles/glinet_vpn/files/client.conf
@ -0,0 +1,10 @@
+[Interface]
+Address = {{ client_cidr }}
+PrivateKey = {{ client_private_key }}
+
+[Peer]
+PublicKey = {{ server_public_key }}
+Endpoint = {{ server_public_ip }}:53
+AllowedIPs = 0.0.0.0/0 ::/0
+
+PersistentKeepalive = 25
--- a/ansible/roles/glinet_vpn/files/server.conf
+++ b/ansible/roles/glinet_vpn/files/server.conf
@ -0,0 +1,14 @@
+[Interface]
+Address = {{ server_ip }}
+PrivateKey = {{ server_private_key }}
+ListenPort = 53
+
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+PostUp = ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+[Peer]
+PublicKey = {{ client_public_key }}
+AllowedIPs = {{ client_cidr }}
--- a/ansible/roles/glinet_vpn/handlers/main.yml
+++ b/ansible/roles/glinet_vpn/handlers/main.yml
@ -0,0 +1,5 @@
+- name: restart wireguard
+  service:
+    name: wg-quick@glinet
+    state: restarted
+  become: true
--- a/ansible/roles/glinet_vpn/tasks/main.yml
+++ b/ansible/roles/glinet_vpn/tasks/main.yml
@ -0,0 +1,34 @@
+- name: Include vault
+  include_vars: vault.yml
+
+- name: Install wireguard tools
+  package:
+    name: "{{ item }}"
+  become: true
+  loop:
+    - wireguard-tools
+    - qrencode
+
+- name: Wireguard server config
+  template:
+    src: files/server.conf
+    dest: /etc/wireguard/glinet.conf
+    mode: "0600"
+    backup: true
+  become: true
+  notify: restart wireguard
+
+- name: Wireguard client config
+  template:
+    src: files/client.conf
+    dest: "{{ me.home }}/glinet-vpn.conf"
+    mode: "0600"
+    owner: "{{ me.user }}"
+  become: true
+  notify: restart wireguard
+
+- name: Enable wireguard
+  service:
+    name: wg-quick@glinet
+    enabled: true
+  become: true
--- a/ansible/roles/glinet_vpn/vars/main.yml
+++ b/ansible/roles/glinet_vpn/vars/main.yml
@ -0,0 +1,8 @@
+client_public_key: "{{ vault_client_public_key }}"
+client_private_key: "{{ vault_client_private_key }}"
+client_cidr: 10.23.4.2/24
+
+server_public_key: "{{ vault_server_public_key }}"
+server_private_key: "{{ vault_server_private_key }}"
+server_public_ip: "{{ ansible_default_ipv4.address }}"
+server_ip: 10.23.4.1
--- a/ansible/roles/glinet_vpn/vars/vault.yml
+++ b/ansible/roles/glinet_vpn/vars/vault.yml
@ -0,0 +1,19 @@
+$ANSIBLE_VAULT;1.1;AES256
+35366163656631633636333937333238346539653236323463316333356637623263326436623130
+3333616234643935306337386165623734333265663237610a326538636532643835373137316333
+30363133343035353235616639613637353435303863393130396261623063633836383430326530
+3634313639353264310a393266313230646132656561393737363834646566313765633235343139
+36303834353039303134393061386634373735316135656564386464363863376265633239313037
+62616535313239353233376163343437303933346264323266386533336138656135663664356164
+65643262303436343164613133333361393438616234616566336131636461383538326130623264
+62313134386430636665646539306661383039323339373838346164653836326536386332616634
+34313331623166356137363131356130623863313339663938386138643538323666616239656662
+36313534323237306631663931633830346565616139313864333762356330643131343630653535
+62323939376163363436336633386433323435316535623462353138386430333332653966383262
+33636534346466326631333362343638616332633163623533613364326665376565643739666261
+34646533613133313034366636623134613336623134356562393335313337336336623634336633
+66623365353866396564386536386330353537383866616665373762306530356333643265326537
+38353138626331623433643636623130613766616638343034633536306232316133303133356463
+36616665643264396137336234316466306238303461363531653461623834376361653334326235
+31366530636565383062313562663639393534373737363465656538393266363936333136636161
+3239303565613865633433313237393932306632633633373261
--- a/terraform/casey_vps.tf
+++ b/terraform/casey_vps.tf
@ -101,15 +101,6 @@ resource "linode_firewall" "casey" {
    ipv4     = ["0.0.0.0/0"]
    ipv6     = ["::/0"]
  }
-
-  inbound {
-    label    = "allow-inbound-tailscale"
-    action   = "ACCEPT"
-    protocol = "UDP"
-    ports    = "41641"
-    ipv4     = ["0.0.0.0/0"]
-    ipv6     = ["::/0"]
-  }
 }

 resource "linode_rdns" "casey_reverse_ipv4" {