Create VPN for port 53

ansible/main.yml

@@ -9,6 +9,7 @@
     - gateway
     - nebula
     - fail2ban_ssh
+    - wireguard_53
 
 - hosts:
     - pve

ansible/roles/wireguard_53/files/client.conf

@@ -0,0 +1,10 @@
+[Interface]
+Address = {{ client_cidr }}
+PrivateKey = {{ client_private_key }}
+
+[Peer]
+PublicKey = {{ server_public_key }}
+Endpoint = {{ server_public_ip }}:53
+AllowedIPs = 0.0.0.0/0
+
+PersistentKeepalive = 25

ansible/roles/wireguard_53/files/server.conf

@@ -0,0 +1,11 @@
+[Interface]
+Address = {{ server_ip }}
+PrivateKey = {{ server_private_key }}
+ListenPort = 53
+
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+[Peer]
+PublicKey = {{ client_public_key }}
+AllowedIPs = {{ client_cidr }}

ansible/roles/wireguard_53/handlers/main.yml

@@ -0,0 +1,5 @@
+- name: restart wireguard
+  service:
+    name: wg-quick@wg53
+    state: restarted
+  become: true

ansible/roles/wireguard_53/tasks/main.yml

@@ -0,0 +1,33 @@
+- name: Include vault
+  include_vars: vault.yml
+
+- name: Install wireguard tools
+  package:
+    name: "{{ item }}"
+  become: true
+  loop:
+    - wireguard-tools
+    - qrencode
+
+- name: Wireguard server config
+  template:
+    src: files/server.conf
+    dest: /etc/wireguard/wg53.conf
+    mode: "0600"
+    backup: true
+  become: true
+  notify: restart wireguard
+
+- name: Wireguard client config
+  template:
+    src: files/client.conf
+    dest: "{{ home }}/wg53.conf"
+    mode: "0600"
+  become: true
+  notify: restart wireguard
+
+- name: Enable wireguard
+  service:
+    name: wg-quick@wg53
+    enabled: true
+  become: true

ansible/roles/wireguard_53/vars/main.yml

@@ -0,0 +1,8 @@
+client_public_key: "{{ vault_client_public_key }}"
+client_private_key: "{{ vault_client_private_key }}"
+client_cidr: 10.23.4.2/24
+
+server_public_key: "{{ vault_server_public_key }}"
+server_private_key: "{{ vault_server_private_key }}"
+server_public_ip: "{{ ansible_default_ipv4.address }}"
+server_ip: 10.23.4.1

ansible/roles/wireguard_53/vars/vault.yml

@@ -0,0 +1,19 @@
+$ANSIBLE_VAULT;1.1;AES256
+35366163656631633636333937333238346539653236323463316333356637623263326436623130
+3333616234643935306337386165623734333265663237610a326538636532643835373137316333
+30363133343035353235616639613637353435303863393130396261623063633836383430326530
+3634313639353264310a393266313230646132656561393737363834646566313765633235343139
+36303834353039303134393061386634373735316135656564386464363863376265633239313037
+62616535313239353233376163343437303933346264323266386533336138656135663664356164
+65643262303436343164613133333361393438616234616566336131636461383538326130623264
+62313134386430636665646539306661383039323339373838346164653836326536386332616634
+34313331623166356137363131356130623863313339663938386138643538323666616239656662
+36313534323237306631663931633830346565616139313864333762356330643131343630653535
+62323939376163363436336633386433323435316535623462353138386430333332653966383262
+33636534346466326631333362343638616332633163623533613364326665376565643739666261
+34646533613133313034366636623134613336623134356562393335313337336336623634336633
+66623365353866396564386536386330353537383866616665373762306530356333643265326537
+38353138626331623433643636623130613766616638343034633536306232316133303133356463
+36616665643264396137336234316466306238303461363531653461623834376361653334326235
+31366530636565383062313562663639393534373737363465656538393266363936333136636161
+3239303565613865633433313237393932306632633633373261

terraform/casey_vps.tf

@@ -47,6 +47,15 @@ resource "linode_firewall" "casey" {
     ipv6     = ["::/0"]
   }
 
+  inbound {
+    label    = "allow-inbound-wireguard-53"
+    action   = "ACCEPT"
+    protocol = "UDP"
+    ports    = "53"
+    ipv4     = ["0.0.0.0/0"]
+    ipv6     = ["::/0"]
+  }
+
   inbound {
     label    = "allow-inbound-nebula"
     action   = "ACCEPT"