diff --git a/ansible/main.yml b/ansible/main.yml index 2ac5f98..d1cd2c3 100644 --- a/ansible/main.yml +++ b/ansible/main.yml @@ -9,6 +9,7 @@ - gateway - nebula - fail2ban_ssh + - wireguard_53 - hosts: - pve diff --git a/ansible/roles/wireguard_53/files/client.conf b/ansible/roles/wireguard_53/files/client.conf new file mode 100644 index 0000000..4322c32 --- /dev/null +++ b/ansible/roles/wireguard_53/files/client.conf @@ -0,0 +1,10 @@ +[Interface] +Address = {{ client_cidr }} +PrivateKey = {{ client_private_key }} + +[Peer] +PublicKey = {{ server_public_key }} +Endpoint = {{ server_public_ip }}:53 +AllowedIPs = 0.0.0.0/0 + +PersistentKeepalive = 25 diff --git a/ansible/roles/wireguard_53/files/server.conf b/ansible/roles/wireguard_53/files/server.conf new file mode 100644 index 0000000..2ab3e09 --- /dev/null +++ b/ansible/roles/wireguard_53/files/server.conf @@ -0,0 +1,11 @@ +[Interface] +Address = {{ server_ip }} +PrivateKey = {{ server_private_key }} +ListenPort = 53 + +PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE +PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE + +[Peer] +PublicKey = {{ client_public_key }} +AllowedIPs = {{ client_cidr }} diff --git a/ansible/roles/wireguard_53/handlers/main.yml b/ansible/roles/wireguard_53/handlers/main.yml new file mode 100644 index 0000000..989e9bc --- /dev/null +++ b/ansible/roles/wireguard_53/handlers/main.yml @@ -0,0 +1,5 @@ +- name: restart wireguard + service: + name: wg-quick@wg53 + state: restarted + become: true diff --git a/ansible/roles/wireguard_53/tasks/main.yml b/ansible/roles/wireguard_53/tasks/main.yml new file mode 100644 index 0000000..1a34919 --- /dev/null +++ b/ansible/roles/wireguard_53/tasks/main.yml @@ -0,0 +1,33 @@ +- name: Include vault + include_vars: vault.yml + +- name: Install wireguard tools + package: + name: "{{ item }}" + become: true + loop: + - wireguard-tools + - qrencode + +- name: Wireguard server config + template: + src: files/server.conf + dest: /etc/wireguard/wg53.conf + mode: "0600" + backup: true + become: true + notify: restart wireguard + +- name: Wireguard client config + template: + src: files/client.conf + dest: "{{ home }}/wg53.conf" + mode: "0600" + become: true + notify: restart wireguard + +- name: Enable wireguard + service: + name: wg-quick@wg53 + enabled: true + become: true diff --git a/ansible/roles/wireguard_53/vars/main.yml b/ansible/roles/wireguard_53/vars/main.yml new file mode 100644 index 0000000..c3a2553 --- /dev/null +++ b/ansible/roles/wireguard_53/vars/main.yml @@ -0,0 +1,8 @@ +client_public_key: "{{ vault_client_public_key }}" +client_private_key: "{{ vault_client_private_key }}" +client_cidr: 10.23.4.2/24 + +server_public_key: "{{ vault_server_public_key }}" +server_private_key: "{{ vault_server_private_key }}" +server_public_ip: "{{ ansible_default_ipv4.address }}" +server_ip: 10.23.4.1 diff --git a/ansible/roles/wireguard_53/vars/vault.yml b/ansible/roles/wireguard_53/vars/vault.yml new file mode 100644 index 0000000..c6d44cd --- /dev/null +++ b/ansible/roles/wireguard_53/vars/vault.yml @@ -0,0 +1,19 @@ +$ANSIBLE_VAULT;1.1;AES256 +35366163656631633636333937333238346539653236323463316333356637623263326436623130 +3333616234643935306337386165623734333265663237610a326538636532643835373137316333 +30363133343035353235616639613637353435303863393130396261623063633836383430326530 +3634313639353264310a393266313230646132656561393737363834646566313765633235343139 +36303834353039303134393061386634373735316135656564386464363863376265633239313037 +62616535313239353233376163343437303933346264323266386533336138656135663664356164 +65643262303436343164613133333361393438616234616566336131636461383538326130623264 +62313134386430636665646539306661383039323339373838346164653836326536386332616634 +34313331623166356137363131356130623863313339663938386138643538323666616239656662 +36313534323237306631663931633830346565616139313864333762356330643131343630653535 +62323939376163363436336633386433323435316535623462353138386430333332653966383262 +33636534346466326631333362343638616332633163623533613364326665376565643739666261 +34646533613133313034366636623134613336623134356562393335313337336336623634336633 +66623365353866396564386536386330353537383866616665373762306530356333643265326537 +38353138626331623433643636623130613766616638343034633536306232316133303133356463 +36616665643264396137336234316466306238303461363531653461623834376361653334326235 +31366530636565383062313562663639393534373737363465656538393266363936333136636161 +3239303565613865633433313237393932306632633633373261 diff --git a/terraform/casey_vps.tf b/terraform/casey_vps.tf index 93adae2..47082b4 100644 --- a/terraform/casey_vps.tf +++ b/terraform/casey_vps.tf @@ -47,6 +47,15 @@ resource "linode_firewall" "casey" { ipv6 = ["::/0"] } + inbound { + label = "allow-inbound-wireguard-53" + action = "ACCEPT" + protocol = "UDP" + ports = "53" + ipv4 = ["0.0.0.0/0"] + ipv6 = ["::/0"] + } + inbound { label = "allow-inbound-nebula" action = "ACCEPT"