Create VPN for port 53

This commit is contained in:
Jake Howard 2022-03-18 19:44:06 +00:00
parent bd49c1c869
commit b8736e1c65
Signed by: jake
GPG key ID: 57AFB45680EDD477
8 changed files with 96 additions and 0 deletions

View file

@ -9,6 +9,7 @@
- gateway
- nebula
- fail2ban_ssh
- wireguard_53
- hosts:
- pve

View file

@ -0,0 +1,10 @@
[Interface]
Address = {{ client_cidr }}
PrivateKey = {{ client_private_key }}
[Peer]
PublicKey = {{ server_public_key }}
Endpoint = {{ server_public_ip }}:53
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

View file

@ -0,0 +1,11 @@
[Interface]
Address = {{ server_ip }}
PrivateKey = {{ server_private_key }}
ListenPort = 53
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = {{ client_public_key }}
AllowedIPs = {{ client_cidr }}

View file

@ -0,0 +1,5 @@
- name: restart wireguard
service:
name: wg-quick@wg53
state: restarted
become: true

View file

@ -0,0 +1,33 @@
- name: Include vault
include_vars: vault.yml
- name: Install wireguard tools
package:
name: "{{ item }}"
become: true
loop:
- wireguard-tools
- qrencode
- name: Wireguard server config
template:
src: files/server.conf
dest: /etc/wireguard/wg53.conf
mode: "0600"
backup: true
become: true
notify: restart wireguard
- name: Wireguard client config
template:
src: files/client.conf
dest: "{{ home }}/wg53.conf"
mode: "0600"
become: true
notify: restart wireguard
- name: Enable wireguard
service:
name: wg-quick@wg53
enabled: true
become: true

View file

@ -0,0 +1,8 @@
client_public_key: "{{ vault_client_public_key }}"
client_private_key: "{{ vault_client_private_key }}"
client_cidr: 10.23.4.2/24
server_public_key: "{{ vault_server_public_key }}"
server_private_key: "{{ vault_server_private_key }}"
server_public_ip: "{{ ansible_default_ipv4.address }}"
server_ip: 10.23.4.1

View file

@ -0,0 +1,19 @@
$ANSIBLE_VAULT;1.1;AES256
35366163656631633636333937333238346539653236323463316333356637623263326436623130
3333616234643935306337386165623734333265663237610a326538636532643835373137316333
30363133343035353235616639613637353435303863393130396261623063633836383430326530
3634313639353264310a393266313230646132656561393737363834646566313765633235343139
36303834353039303134393061386634373735316135656564386464363863376265633239313037
62616535313239353233376163343437303933346264323266386533336138656135663664356164
65643262303436343164613133333361393438616234616566336131636461383538326130623264
62313134386430636665646539306661383039323339373838346164653836326536386332616634
34313331623166356137363131356130623863313339663938386138643538323666616239656662
36313534323237306631663931633830346565616139313864333762356330643131343630653535
62323939376163363436336633386433323435316535623462353138386430333332653966383262
33636534346466326631333362343638616332633163623533613364326665376565643739666261
34646533613133313034366636623134613336623134356562393335313337336336623634336633
66623365353866396564386536386330353537383866616665373762306530356333643265326537
38353138626331623433643636623130613766616638343034633536306232316133303133356463
36616665643264396137336234316466306238303461363531653461623834376361653334326235
31366530636565383062313562663639393534373737363465656538393266363936333136636161
3239303565613865633433313237393932306632633633373261

View file

@ -47,6 +47,15 @@ resource "linode_firewall" "casey" {
ipv6 = ["::/0"]
}
inbound {
label = "allow-inbound-wireguard-53"
action = "ACCEPT"
protocol = "UDP"
ports = "53"
ipv4 = ["0.0.0.0/0"]
ipv6 = ["::/0"]
}
inbound {
label = "allow-inbound-nebula"
action = "ACCEPT"