Add sysctl handling, fix samples, idempotency

master
Felix 10 months ago
parent 82a9533967
commit 53ad483e2d
  1. 12
      README.md
  2. 3
      defaults/main.yml
  3. 22
      playbook-client.sample.yml
  4. 11
      playbook-client.yml
  5. 18
      playbook-server.sample.yml
  6. 9
      playbook-server.yml
  7. 32
      tasks/wg-server.yml
  8. 2
      templates/99-wireguard-sysctl.conf
  9. 3
      templates/wg0-client.conf.j2

@ -16,6 +16,8 @@ Assumptions about the network:
| Server | example.org | 51820 | 10.0.0.1 | `eth0` |
| Client | (dynamic) | 51820 | 10.0.0.2 | `wlan0` |
See `defaults.yml` and adjust accordingly in your playbook or server vars.
# Shared settings
**Pre-shared key**
@ -27,10 +29,6 @@ Goes into `wg_client_server_pre_shared_key`
# Server
[Specific use-case: VPN server](https://wiki.archlinux.org/title/WireGuard#Specific_use-case:_VPN_server)
```
sysctl -w net.ipv4.ip_forward=1
```
### Key setup
**Private key**
```
@ -52,6 +50,12 @@ $ ansible-playbook playbook-server.yml --tags wg-server
Verify the interface is up by checking output of `wg`.
This should be taken care of by the role, but set just to be sure:
```
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1
```
### Starting up
The role will set up the server to auto-start the WireGuard connection.

@ -13,8 +13,9 @@ wg_server_private_key:
# Client config
wg_client_address: "10.0.0.2/32"
# No real need to set this, I think?
#wg_client_dns: "10.0.0.1"
wg_client_dns: "8.8.8.8"
#wg_client_dns: "8.8.8.8"
wg_client_allowed_ips: "0.0.0.0/0, ::/0"
wg_client_public_key:
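Review bot: The comment `# No real need to set this, I think?` above `wg_client_dns` leaves a reader unsure whether the variable matters, and the choice it documents is a privacy one: with `wg_client_allowed_ips: "0.0.0.0/0, ::/0"` every DNS query the client makes presumably travels through the tunnel to whatever resolver this names, so picking the public `8.8.8.8` over the server at `10.0.0.1` hands that query log to a third party. Which of the two `8.8.8.8` lines is the added one is not recoverable from the rendered view, so this is a wording request on whichever survives. A comment such as `# Resolver the client uses while the tunnel is up (all client DNS goes here). Prefer the server (10.0.0.1) if it runs a resolver; a public one otherwise.` would state the trade-off instead of the doubt.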

@ -0,0 +1,22 @@
---
# Sample client playbook
# Copy to playbook-client.yml
# Run with
# $ ansible-playbook playbook-client.yml --tags wg-client
- hosts: localhost
connection: local
gather_facts: false
vars_prompt:
- name: "ansible_become_pass"
prompt: "sudo password"
private: "yes"
vars:
- wg_server_public_key: "foo"
- wg_server_private_key: "bar"
- wg_client_public_key: "baz"
- wg_client_private_key: "oof"
- wg_client_server_pre_shared_key:
roles:
- wireguard
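Review bot: The sample client playbook sets `wg_server_private_key: "bar"`, which the client never needs, and `playbook-server.sample.yml` in the same commit likewise carries `wg_client_private_key`; since users are told to copy these files into the real playbooks, each sample should hold only the private key of the host it configures, ideally supplied through `ansible-vault` or a `vars_prompt` rather than a literal. `wg_client_server_pre_shared_key:` with no value loads as null rather than an empty string, so either give it a placeholder like the other keys or comment it out. `private: "yes"` under `vars_prompt` is a quoted string where a boolean is meant; write `private: true`. The `vars:` block is written as a list of one-key mappings (`- wg_server_public_key: "foo"`) where Ansible conventionally takes a mapping; a plain `wg_server_public_key: "foo"` per line avoids relying on the list form. Indentation is not recoverable from the rendered view, so the nesting is assumed.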

@ -1,11 +0,0 @@
---
- hosts: localhost
connection: local
gather_facts: false
vars_prompt:
- name: "ansible_become_pass"
prompt: "sudo password"
private: "yes"
roles:
- wireguard

@ -0,0 +1,18 @@
---
# Sample server playbook
# Copy to playbook-server.yml
# Run with
# $ ansible-playbook playbook-server.yml --tags wg-server
- hosts: server.example.org
#remote_user: root
gather_facts: false
vars:
- wg_server_public_key: "foo"
- wg_server_private_key: "bar"
- wg_client_public_key: "baz"
- wg_client_private_key: "oof"
- wg_client_server_pre_shared_key:
roles:
- wireguard

@ -1,9 +0,0 @@
---
# Sample playbook
- hosts: server.example.org
#remote_user: root
gather_facts: false
roles:
- wireguard

@ -35,6 +35,30 @@
- wg-server
- update
- name: Install sysctl conf
template:
src: "99-wireguard-sysctl.conf"
dest: "/etc/sysctl.d/99-wireguard-sysctl.conf"
owner: root
group: root
mode: 0644
tags:
- install
- wg-server
- update
- name: Verify and apply sysctl values
sysctl:
name: "{{item.key}}"
value: "{{item.value}}"
state: present
reload: true
# Verify token value with the sysctl command and set with -w if necessary
sysctl_set: true
loop:
- { key: "net.ipv4.ip_forward", value: "1" }
- { key: "net.ipv6.conf.all.forwarding", value: "1" }
- name: Allow port for wg-server via ufw
ufw:
rule: allow
@ -46,6 +70,14 @@
- wg-server
- ufw
- name: Ensure wg0 is down
shell:
cmd: "wg-quick down wg0"
ignore_errors: true
- install
- update
- wg-server
- name: Bring up server interface via wg-quick
systemd:
name: wg-quick@wg0
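Review bot: The `Verify and apply sysctl values` task in the first hunk carries no `tags:`, unlike its neighbours, so the invocation the README documents, `ansible-playbook playbook-server.yml --tags wg-server`, skips it and forwarding is only enabled on an untagged run; add the same `tags: [install, wg-server, update]` list (unless the rendered view dropped it). The `sysctl` module also persists its entries to `/etc/sysctl.conf` by default, so after this commit the two keys live both there and in the templated `/etc/sysctl.d/99-wireguard-sysctl.conf`; setting `sysctl_file: /etc/sysctl.d/99-wireguard-sysctl.conf` on that task would keep one source of truth and make the template task redundant. In the template task, `mode: 0644` is an unquoted octal that a YAML 1.1 loader reads as the integer 420; write `mode: "0644"`. In the second hunk, `Ensure wg0 is down` runs `wg-quick down wg0` on every play under `ignore_errors: true`, which tears the tunnel down and reports changed even when nothing changed, working against the idempotency named in the title; `command:` suffices there (no shell features are used), and the teardown is better tied to a handler notified by the config template.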

@ -0,0 +1,2 @@
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

@ -14,4 +14,5 @@ Endpoint = {{wg_server_domain}}:{{wg_server_port}}
# Using the catch-all AllowedIPs = 0.0.0.0/0, ::/0 will forward
# all IPv4 (0.0.0.0/0) and IPv6 (::/0) traffic over the VPN.
AllowedIPs = {{wg_client_allowed_ips}}
PersistentKeepalive=30
# Ping server every 30 seconds, not really needed imo
#PersistentKeepalive=30
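Review bot: The new comment `# Ping server every 30 seconds, not really needed imo` does not tell the reader when PersistentKeepalive matters: the README describes the client address as dynamic, and a client behind NAT or a stateful firewall loses its inbound mapping once idle, after which the server cannot reach it until the client sends again. Whichever of the two `PersistentKeepalive=30` lines is the surviving one (the rendered view drops the markers), a comment such as `# PersistentKeepalive keeps the NAT/firewall mapping open so the server can reach this peer unsolicited; only needed behind NAT, and WireGuard's docs suggest 25 seconds` would make the trade-off explicit.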
