From 670ad78d443f410acb2cc5128842304b14345a77 Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Tue, 23 Apr 2024 22:19:57 +0100
Subject: [PATCH] Add wireguard config for glinet router
---
 ansible/main.yml | 1 +
 ansible/roles/glinet_vpn/files/client.conf | 10 +++++++
 ansible/roles/glinet_vpn/files/server.conf | 14 +++++++++
 ansible/roles/glinet_vpn/handlers/main.yml | 5 ++++
 ansible/roles/glinet_vpn/tasks/main.yml | 34 ++++++++++++++++++++++
 ansible/roles/glinet_vpn/vars/main.yml | 8 +++++
 ansible/roles/glinet_vpn/vars/vault.yml | 19 ++++++++++++
 terraform/casey_vps.tf | 9 ------
 8 files changed, 91 insertions(+), 9 deletions(-)
 create mode 100644 ansible/roles/glinet_vpn/files/client.conf
 create mode 100644 ansible/roles/glinet_vpn/files/server.conf
 create mode 100644 ansible/roles/glinet_vpn/handlers/main.yml
 create mode 100644 ansible/roles/glinet_vpn/tasks/main.yml
 create mode 100644 ansible/roles/glinet_vpn/vars/main.yml
 create mode 100644 ansible/roles/glinet_vpn/vars/vault.yml
diff --git a/ansible/main.yml b/ansible/main.yml
index c73c4f9..2879a38 100644
--- a/ansible/main.yml
+++ b/ansible/main.yml
@@ -17,6 +17,7 @@
 - fail2ban_ssh
 - restic
 - artis3n.tailscale
+ - glinet_vpn
 
 - hosts:
 - pve
diff --git a/ansible/roles/glinet_vpn/files/client.conf b/ansible/roles/glinet_vpn/files/client.conf
new file mode 100644
index 0000000..2d6b9aa
--- /dev/null
+++ b/ansible/roles/glinet_vpn/files/client.conf
@@ -0,0 +1,10 @@
+[Interface]
+Address = {{ client_cidr }}
+PrivateKey = {{ client_private_key }}
+
+[Peer]
+PublicKey = {{ server_public_key }}
+Endpoint = {{ server_public_ip }}:53
+AllowedIPs = 0.0.0.0/0 ::/0
+
+PersistentKeepalive = 25
diff --git a/ansible/roles/glinet_vpn/files/server.conf b/ansible/roles/glinet_vpn/files/server.conf
new file mode 100644
index 0000000..2ecd4bc
--- /dev/null
+++ b/ansible/roles/glinet_vpn/files/server.conf
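Review bot: `AllowedIPs = 0.0.0.0/0 ::/0` sends every client packet into the tunnel, but the `[Interface]` section carries no `DNS =`, so the router keeps whatever resolver it used before the tunnel came up and name lookups may go around the tunnel or fail once the default route moves; unless the GL.iNet import supplies its own resolver, add a `DNS =` entry naming a resolver reachable through the tunnel. `::/0` also captures the client's IPv6, yet server.conf in this commit gives the interface no IPv6 `Address` and the peer's `AllowedIPs` only the IPv4 range, so client IPv6 is discarded at the server rather than forwarded — acceptable as a leak guard, but then the ip6tables MASQUERADE rules in server.conf do nothing, and the intent should be stated. `Endpoint = {{ server_public_ip }}:53` renders `ansible_default_ipv4.address` from vars/main.yml, which is the reachable address only when the VPS's default interface carries the public IP; confirm this against the host rather than inferring it. A comment above `AllowedIPs` such as `# full tunnel: all traffic leaves via the VPS; DNS must be reachable through it` would record the design choice.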
@@ -0,0 +1,14 @@
+[Interface]
+Address = {{ server_ip }}
+PrivateKey = {{ server_private_key }}
+ListenPort = 53
+
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+PostUp = ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+[Peer]
+PublicKey = {{ client_public_key }}
+AllowedIPs = {{ client_cidr }}
diff --git a/ansible/roles/glinet_vpn/handlers/main.yml b/ansible/roles/glinet_vpn/handlers/main.yml
new file mode 100644
index 0000000..271a823
--- /dev/null
+++ b/ansible/roles/glinet_vpn/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: restart wireguard
+ service:
+ name: wg-quick@glinet
+ state: restarted
+ become: true
diff --git a/ansible/roles/glinet_vpn/tasks/main.yml b/ansible/roles/glinet_vpn/tasks/main.yml
new file mode 100644
index 0000000..84c3bda
--- /dev/null
+++ b/ansible/roles/glinet_vpn/tasks/main.yml
@@ -0,0 +1,34 @@
+- name: Include vault
+ include_vars: vault.yml
+
+- name: Install wireguard tools
+ package:
+ name: "{{ item }}"
+ become: true
+ loop:
+ - wireguard-tools
+ - qrencode
+
+- name: Wireguard server config
+ template:
+ src: files/server.conf
+ dest: /etc/wireguard/glinet.conf
+ mode: "0600"
+ backup: true
+ become: true
+ notify: restart wireguard
+
+- name: Wireguard client config
+ template:
+ src: files/client.conf
+ dest: "{{ me.home }}/glinet-vpn.conf"
+ mode: "0600"
+ owner: "{{ me.user }}"
+ become: true
+ notify: restart wireguard
+
+- name: Enable wireguard
+ service:
+ name: wg-quick@glinet
+ enabled: true
+ become: true
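Review bot: `AllowedIPs = {{ client_cidr }}` in the `[Peer]` section renders `10.23.4.2/24` (vars/main.yml), so the server accepts and forwards packets from this peer with any source in 10.23.4.0/24 instead of only the client's own address; a peer entry should name the single host, e.g. a separate `client_address: 10.23.4.2` in vars and `AllowedIPs = {{ client_address }}/32` here, keeping `client_cidr` for the client's `Address`. Both PostUp/PostDown pairs hard-code `eth0` for the MASQUERADE rule; if the VPS uplink has another name the NAT rule silently matches nothing and full-tunnel traffic is forwarded but never translated, so `-o {{ ansible_default_ipv4.interface }}` would tie it to the same interface the role already takes `server_public_ip` from. `ListenPort = 53` binds UDP 53 on every address, which collides with any local resolver, and the terraform hunk in this commit removes `allow-inbound-tailscale` without adding an inbound rule for UDP 53 — confirm the remaining `linode_firewall` rules admit the handshake, since the rule visible just above the deletion is open to 0.0.0.0/0 and ::/0 but its port line is outside the hunk. A header comment such as `; listens on UDP 53 so the tunnel survives networks that only pass DNS; firewall must allow it` would make the port choice reviewable.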
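Review bot: The `Wireguard client config` task notifies `restart wireguard`, but `wg-quick@glinet` reads only `/etc/wireguard/glinet.conf`, so a change to the exported file under `{{ me.home }}` restarts the server tunnel for nothing; drop that `notify`. `Enable wireguard` sets `enabled: true` without `state: started`, so the tunnel comes up on first run only because the template handler happens to fire, and a host where it does not stays down until reboot; add `state: started` to that task. `backup: true` on the server config leaves timestamped copies of a file holding `server_private_key` beside it in `/etc/wireguard`; if the backups are wanted, confirm they keep the `0600` mode, otherwise drop the option. Both rendered files live under `files/` although they are Jinja templates consumed by `template:`; moving them to `templates/` matches the role layout and lets `src: server.conf` resolve without the path prefix.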
diff --git a/ansible/roles/glinet_vpn/vars/main.yml b/ansible/roles/glinet_vpn/vars/main.yml
new file mode 100644
index 0000000..c3a2553
--- /dev/null
+++ b/ansible/roles/glinet_vpn/vars/main.yml
@@ -0,0 +1,8 @@
+client_public_key: "{{ vault_client_public_key }}"
+client_private_key: "{{ vault_client_private_key }}"
+client_cidr: 10.23.4.2/24
+
+server_public_key: "{{ vault_server_public_key }}"
+server_private_key: "{{ vault_server_private_key }}"
+server_public_ip: "{{ ansible_default_ipv4.address }}"
+server_ip: 10.23.4.1
diff --git a/ansible/roles/glinet_vpn/vars/vault.yml b/ansible/roles/glinet_vpn/vars/vault.yml
new file mode 100644
index 0000000..c6d44cd
--- /dev/null
+++ b/ansible/roles/glinet_vpn/vars/vault.yml
@@ -0,0 +1,19 @@
+$ANSIBLE_VAULT;1.1;AES256
+35366163656631633636333937333238346539653236323463316333356637623263326436623130
+3333616234643935306337386165623734333265663237610a326538636532643835373137316333
+30363133343035353235616639613637353435303863393130396261623063633836383430326530
+3634313639353264310a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
diff --git a/terraform/casey_vps.tf b/terraform/casey_vps.tf
index cdcf20f..67fb02f 100644
--- a/terraform/casey_vps.tf
+++ b/terraform/casey_vps.tf
@@ -101,15 +101,6 @@ resource "linode_firewall" "casey" {
 ipv4 = ["0.0.0.0/0"]
 ipv6 = ["::/0"]
 }
-
- inbound {
- label = "allow-inbound-tailscale"
- action = "ACCEPT"
- protocol = "UDP"
- ports = "41641"
- ipv4 = ["0.0.0.0/0"]
- ipv6 = ["::/0"]
- }
 }
 
 resource "linode_rdns" "casey_reverse_ipv4" {