authorChristian Pointner <equinox@spreadspace.org>2021-01-23 22:17:02 +0100
committerChristian Pointner <equinox@spreadspace.org>2021-01-23 22:17:02 +0100
commitaefa7a4f57f91ed62ca166ecf5fdfc2eacc04f6a (patch)
treef7bb813720bc5198cbd2c172ae6136f2927eab3e /roles/network/wireguard
parentadd etherwake and wakeonlan to ch-equinox-(ws|t450s) (diff)
move wireguard to network sub-dir
Diffstat (limited to 'roles/network/wireguard')
-rw-r--r--roles/network/wireguard/base/tasks/main.yml33
-rw-r--r--roles/network/wireguard/gateway/defaults/main.yml27
-rw-r--r--roles/network/wireguard/gateway/handlers/main.yml6
-rw-r--r--roles/network/wireguard/gateway/tasks/main.yml68
-rw-r--r--roles/network/wireguard/gateway/templates/systemd-fix-default-gw.service.j212
-rw-r--r--roles/network/wireguard/gateway/templates/systemd-iptables.service.j242
-rw-r--r--roles/network/wireguard/gateway/templates/systemd.netdev.j226
-rw-r--r--roles/network/wireguard/gateway/templates/systemd.network.j220
-rw-r--r--roles/network/wireguard/p2p/defaults/main.yml18
-rw-r--r--roles/network/wireguard/p2p/handlers/main.yml6
-rw-r--r--roles/network/wireguard/p2p/tasks/main.yml20
-rw-r--r--roles/network/wireguard/p2p/tasks/systemd-iptables.service.j242
-rw-r--r--roles/network/wireguard/p2p/templates/systemd.netdev.j226
-rw-r--r--roles/network/wireguard/p2p/templates/systemd.network.j27
14 files changed, 353 insertions, 0 deletions
diff --git a/roles/network/wireguard/base/tasks/main.yml b/roles/network/wireguard/base/tasks/main.yml
new file mode 100644
index 00000000..4d60150d
--- /dev/null
+++ b/roles/network/wireguard/base/tasks/main.yml
@@ -0,0 +1,33 @@
+---
+- name: enable spreadspace repo
+ when: (ansible_distribution == 'Debian' and (ansible_distribution_major_version | int) < 11) or (ansible_distribution == 'Ubuntu' and (ansible_distribution_major_version | int) < 20)
+ import_role:
+ name: apt-repo/spreadspace
+
+- name: install dkms
+ import_role:
+ name: prepare-dkms
+
+- name: install wireguard packages
+ apt:
+ name:
+ - wireguard-dkms
+ - wireguard-tools
+ state: present
+
+- name: check if module is available for the currently running kernel
+ command: modprobe --dry-run wireguard
+ check_mode: no
+ register: wireguard_module_available
+ failed_when: false
+ changed_when: false
+
+- name: rebuild wireguard module
+ when: wireguard_module_available.rc != 0
+ command: dpkg-reconfigure wireguard-dkms
+
+- name: check again if module is available for the currently running kernel
+ when: wireguard_module_available.rc != 0
+ command: modprobe --dry-run wireguard
+ check_mode: no
+ changed_when: false
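Review bot: The booleans written as `check_mode: no` in the two modprobe tasks should be `check_mode: false`; `no`/`yes` are YAML 1.1 truthy spellings that yamllint's `truthy` rule flags and that a YAML 1.2 loader reads as plain strings. The same spelling appears in the handlers (`daemon_reload: yes`) and in the `enabled: yes` / `daemon_reload: yes` entries of gateway/tasks/main.yml and p2p/tasks/main.yml. The probe-rebuild-probe sequence is correct but its intent is not obvious from the task names alone; a comment above the first probe such as `# the dkms module may not have been built for the running kernel yet: probe, rebuild once, probe again` would help the next reader.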
diff --git a/roles/network/wireguard/gateway/defaults/main.yml b/roles/network/wireguard/gateway/defaults/main.yml
new file mode 100644
index 00000000..69846fc3
--- /dev/null
+++ b/roles/network/wireguard/gateway/defaults/main.yml
@@ -0,0 +1,27 @@
+---
+# wireguard_gateway_tunnels:
+# wg-test:
+# description: some wireguard tunnel
+# priv_key: secret
+# listen_port: 1234
+# addresses:
+# - 192.168.255.254/24
+# ip_masq: yes
+# ip_snat:
+# interface: eth1
+# to: 1.2.3.4
+# port_forwardings:
+# - dest: 1.2.3.4
+# tcp_ports:
+# 80: 192.158.255.3:80
+# udp_ports:
+# 123: 192.158.255.3:200
+# peers:
+# - pub_key: public_key_of_peer
+# keepalive_interval: 10
+# endpoint:
+# host: 5.6.7.8
+# port: 1234
+# allowed_ips:
+# - 192.168.255.3/32
+# - 192.168.123.0/24
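Review bot: The example under `port_forwardings` targets `192.158.255.3`, which looks like a typo for `192.168.255.3` given the tunnel address `192.168.255.254/24` and the peer's `allowed_ips` entry in the same example; since this comment block is the only documentation of the variable schema, it is worth correcting. The example also spells `ip_masq: yes`, where `true` is the canonical boolean and matches what the `.network` template tests for.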
diff --git a/roles/network/wireguard/gateway/handlers/main.yml b/roles/network/wireguard/gateway/handlers/main.yml
new file mode 100644
index 00000000..625032dc
--- /dev/null
+++ b/roles/network/wireguard/gateway/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart systemd-networkd
+ systemd:
+ daemon_reload: yes
+ name: systemd-networkd
+ state: restarted
diff --git a/roles/network/wireguard/gateway/tasks/main.yml b/roles/network/wireguard/gateway/tasks/main.yml
new file mode 100644
index 00000000..bc14db1b
--- /dev/null
+++ b/roles/network/wireguard/gateway/tasks/main.yml
@@ -0,0 +1,68 @@
+---
+- name: install wireguard interfaces (netdev)
+ loop: "{{ wireguard_gateway_tunnels | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ template:
+ src: systemd.netdev.j2
+ dest: "/etc/systemd/network/{{ item.key }}.netdev"
+ mode: 0640
+ group: systemd-network
+ notify: restart systemd-networkd
+
+- name: install wireguard interfaces (network)
+ loop: "{{ wireguard_gateway_tunnels | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ template:
+ src: systemd.network.j2
+ dest: "/etc/systemd/network/{{ item.key }}.network"
+ notify: restart systemd-networkd
+
+- name: enable systemd-networkd
+ systemd:
+ name: systemd-networkd
+ enabled: yes
+ state: started
+
+
+- name: create iptables service unit
+ loop: "{{ wireguard_gateway_tunnels | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ when: "'ip_snat' in item.value or 'port_forwardings' in item.value"
+ template:
+ src: systemd-iptables.service.j2
+ dest: "/etc/systemd/system/wireguard-gateway-{{ item.key }}-iptables.service"
+
+- name: enable/start iptables service unit
+ loop: "{{ wireguard_gateway_tunnels | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ when: "'ip_snat' in item.value or 'port_forwardings' in item.value"
+ systemd:
+ daemon_reload: yes
+ name: "wireguard-gateway-{{ item.key }}-iptables.service"
+ enabled: yes
+ state: started
+
+
+- name: install workaround for default-gateway handling
+ loop: "{{ wireguard_gateway_tunnels | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ when: "'default_gateway' in item.value"
+ template:
+ src: systemd-fix-default-gw.service.j2
+ dest: "/etc/systemd/system/wireguard-gateway-{{ item.key }}-fix-default-gw.service"
+
+- name: enable/start workaround for default-gateway handling
+ loop: "{{ wireguard_gateway_tunnels | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ when: "'default_gateway' in item.value"
+ systemd:
+ daemon_reload: yes
+ name: "wireguard-gateway-{{ item.key }}-fix-default-gw.service"
+ enabled: yes
+ state: started
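Review bot: Changes to an already deployed unit are never applied: the `create iptables service unit` and `install workaround for default-gateway handling` template tasks have no `notify`, and the following `systemd` tasks use `state: started`, which does not restart a running unit, so an edited SNAT/DNAT rule set or gateway route only takes effect after a reboot. Registering the template result (e.g. `register: iptables_unit`) and using `state: "{{ 'restarted' if iptables_unit.changed else 'started' }}"`, or a per-unit handler, closes that gap. Separately, `mode: 0640` on the netdev task is an unquoted octal literal; Ansible's file modules recommend `mode: "0640"` so the YAML loader cannot re-type it (the same applies to p2p/tasks/main.yml). That mode together with `group: systemd-network` is what keeps the rendered netdev, which contains the tunnel private key, readable only by root and networkd, so it deserves a comment saying so.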
diff --git a/roles/network/wireguard/gateway/templates/systemd-fix-default-gw.service.j2 b/roles/network/wireguard/gateway/templates/systemd-fix-default-gw.service.j2
new file mode 100644
index 00000000..d2d8a470
--- /dev/null
+++ b/roles/network/wireguard/gateway/templates/systemd-fix-default-gw.service.j2
@@ -0,0 +1,12 @@
+[Unit]
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/ip route add {{ item.value.default_gateway.outer }} via {{ ansible_default_ipv4.gateway }}
+ExecStop=/sbin/ip route del {{ item.value.default_gateway.outer }} via {{ ansible_default_ipv4.gateway }}
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
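Review bot: `ExecStart=/sbin/ip route add ...` is not idempotent: if the host route already exists (the unit is restarted after a failed stop, or the same route was installed by another unit) `ip route add` exits non-zero and the oneshot unit fails, whereas `ip route replace` has the same effect and succeeds on an existing route. The next hop is also baked in from `ansible_default_ipv4.gateway` at template time, so the unit silently points at a stale gateway if the uplink changes later; a template comment such as `{# next hop is captured from ansible_default_ipv4.gateway at deploy time; re-run the role if the uplink gateway changes #}` would make that visible.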
diff --git a/roles/network/wireguard/gateway/templates/systemd-iptables.service.j2 b/roles/network/wireguard/gateway/templates/systemd-iptables.service.j2
new file mode 100644
index 00000000..11cf4b8a
--- /dev/null
+++ b/roles/network/wireguard/gateway/templates/systemd-iptables.service.j2
@@ -0,0 +1,42 @@
+[Unit]
+Wants=network-online.target
+After=network-online.target
+
+
+[Service]
+Type=oneshot
+
+{% if 'ip_snat' in item.value %}
+ExecStart=/usr/sbin/sysctl net.ipv4.ip_forward=1
+{% for addr in item.value.addresses %}
+ExecStart=/sbin/iptables -t nat -A POSTROUTING -s {{ addr | ipaddr('network/prefix') }} -o {{ item.value.ip_snat.interface }} -j SNAT --to {{ item.value.ip_snat.to }}
+{% endfor %}
+{% endif %}
+{% for forward in item.value.port_forwardings | default([]) %}
+{% for port in forward.tcp_ports | default([]) %}
+ExecStart=/sbin/iptables -t nat -A PREROUTING -d {{ forward.dest }} -p tcp --dport {{ port }} -j DNAT --to {{ forward.tcp_ports[port] }}
+{% endfor %}
+{% for port in forward.udp_ports | default([]) %}
+ExecStart=/sbin/iptables -t nat -A PREROUTING -d {{ forward.dest }} -p udp --dport {{ port }} -j DNAT --to {{ forward.udp_ports[port] }}
+{% endfor %}
+{% endfor %}
+
+{% if 'ip_snat' in item.value %}
+{% for addr in item.value.addresses %}
+ExecStop=/sbin/iptables -t nat -D POSTROUTING -s {{ addr | ipaddr('network/prefix') }} -o {{ item.value.ip_snat.interface }} -j SNAT --to {{ item.value.ip_snat.to }}
+{% endfor %}
+{% endif %}
+{% for forward in item.value.port_forwardings | default([]) %}
+{% for port in forward.tcp_ports | default([]) %}
+ExecStop=/sbin/iptables -t nat -D PREROUTING -d {{ forward.dest }} -p tcp --dport {{ port }} -j DNAT --to {{ forward.tcp_ports[port] }}
+{% endfor %}
+{% for port in forward.udp_ports | default([]) %}
+ExecStop=/sbin/iptables -t nat -D PREROUTING -d {{ forward.dest }} -p udp --dport {{ port }} -j DNAT --to {{ forward.udp_ports[port] }}
+{% endfor %}
+{% endfor %}
+
+RemainAfterExit=yes
+
+
+[Install]
+WantedBy=multi-user.target
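Review bot: `net.ipv4.ip_forward=1` is only emitted inside the `{% if 'ip_snat' in item.value %}` block, but the DNAT rules rendered for `port_forwardings` also require forwarding, so a tunnel with `port_forwardings` and no `ip_snat` gets PREROUTING rules while forwarding stays disabled (unless `ip_masq` is set and networkd enables it as a side effect). Moving the sysctl `ExecStart` line above that `if` fixes it, since the unit is only rendered when one of the two keys is present. The sysctl is also never reverted in `ExecStop`, which is probably intended but should be stated in a comment. Rules are appended with `-A`, so their order relative to any other nat-table rules on the host is not controlled; that is fine only as long as nothing else manages the nat table.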
diff --git a/roles/network/wireguard/gateway/templates/systemd.netdev.j2 b/roles/network/wireguard/gateway/templates/systemd.netdev.j2
new file mode 100644
index 00000000..96399b52
--- /dev/null
+++ b/roles/network/wireguard/gateway/templates/systemd.netdev.j2
@@ -0,0 +1,26 @@
+[NetDev]
+Name={{ item.key }}
+Kind=wireguard
+{% if 'description' in item.value %}
+Description={{ item.value.description }}
+{% endif %}
+
+
+[WireGuard]
+PrivateKey={{ item.value.priv_key }}
+ListenPort={{ item.value.listen_port | default(51820) }}
+
+{% for peer in item.value.peers %}
+
+[WireGuardPeer]
+PublicKey={{ peer.pub_key }}
+{% for ip in peer.allowed_ips %}
+AllowedIPs={{ ip }}
+{% endfor %}
+{% if 'endpoint' in peer %}
+Endpoint={{ peer.endpoint.host }}:{{ peer.endpoint.port | default(51820) }}
+{% endif %}
+{% if 'keepalive_interval' in peer %}
+PersistentKeepalive={{ peer.keepalive_interval }}
+{% endif %}
+{% endfor %}
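Review bot: `ListenPort` is always emitted here with a default of 51820, while the p2p netdev template only emits it when `listen_port` is configured; the two roles should agree on one convention, or the difference should be documented in the defaults example. The private key is written inline via `PrivateKey=`, which is why the task that renders this file restricts it to 0640/systemd-network; if the targeted systemd versions support it, `PrivateKeyFile=` pointing at a separately managed 0600 file keeps the key out of the netdev and out of any tooling that reads /etc/systemd/network, which I would note as a follow-up rather than a blocker.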
diff --git a/roles/network/wireguard/gateway/templates/systemd.network.j2 b/roles/network/wireguard/gateway/templates/systemd.network.j2
new file mode 100644
index 00000000..6847aa6a
--- /dev/null
+++ b/roles/network/wireguard/gateway/templates/systemd.network.j2
@@ -0,0 +1,20 @@
+[Match]
+Name={{ item.key }}
+
+[Network]
+{% for addr in item.value.addresses %}
+Address={{ addr }}
+{% endfor %}
+{% if 'ip_masq' in item.value and item.value.ip_masq %}
+IPMasquerade=yes
+{% endif %}
+{% if 'default_gateway' in item.value %}
+
+[Route]
+Destination=0.0.0.0/1
+Gateway={{ item.value.default_gateway.inner }}
+
+[Route]
+Destination=128.0.0.0/1
+Gateway={{ item.value.default_gateway.inner }}
+{% endif %}
diff --git a/roles/network/wireguard/p2p/defaults/main.yml b/roles/network/wireguard/p2p/defaults/main.yml
new file mode 100644
index 00000000..9d93b810
--- /dev/null
+++ b/roles/network/wireguard/p2p/defaults/main.yml
@@ -0,0 +1,18 @@
+---
+# wireguard_p2p_interface:
+# name: p2p
+# description: some wireguard tunnel
+# priv_key: secret
+# listen_port: 1234
+# addresses:
+# - 192.168.123.254/24
+
+# wireguard_p2p_peer:
+# pub_key: public_key_of_peer
+# keepalive_interval: 10
+# endpoint:
+# host: 5.6.7.8
+# port: 1234
+# allowed_ips:
+# - 192.168.255.3/32
+# - 192.168.123.0/24
diff --git a/roles/network/wireguard/p2p/handlers/main.yml b/roles/network/wireguard/p2p/handlers/main.yml
new file mode 100644
index 00000000..625032dc
--- /dev/null
+++ b/roles/network/wireguard/p2p/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart systemd-networkd
+ systemd:
+ daemon_reload: yes
+ name: systemd-networkd
+ state: restarted
diff --git a/roles/network/wireguard/p2p/tasks/main.yml b/roles/network/wireguard/p2p/tasks/main.yml
new file mode 100644
index 00000000..78cfaf43
--- /dev/null
+++ b/roles/network/wireguard/p2p/tasks/main.yml
@@ -0,0 +1,20 @@
+---
+- name: install wireguard interfaces (netdev)
+ template:
+ src: systemd.netdev.j2
+ dest: "/etc/systemd/network/{{ wireguard_p2p_interface.name }}.netdev"
+ mode: 0640
+ group: systemd-network
+ notify: restart systemd-networkd
+
+- name: install wireguard interfaces (network)
+ template:
+ src: systemd.network.j2
+ dest: "/etc/systemd/network/{{ wireguard_p2p_interface.name }}.network"
+ notify: restart systemd-networkd
+
+- name: enable systemd-networkd
+ systemd:
+ name: systemd-networkd
+ enabled: yes
+ state: started
diff --git a/roles/network/wireguard/p2p/tasks/systemd-iptables.service.j2 b/roles/network/wireguard/p2p/tasks/systemd-iptables.service.j2
new file mode 100644
index 00000000..11cf4b8a
--- /dev/null
+++ b/roles/network/wireguard/p2p/tasks/systemd-iptables.service.j2
@@ -0,0 +1,42 @@
+[Unit]
+Wants=network-online.target
+After=network-online.target
+
+
+[Service]
+Type=oneshot
+
+{% if 'ip_snat' in item.value %}
+ExecStart=/usr/sbin/sysctl net.ipv4.ip_forward=1
+{% for addr in item.value.addresses %}
+ExecStart=/sbin/iptables -t nat -A POSTROUTING -s {{ addr | ipaddr('network/prefix') }} -o {{ item.value.ip_snat.interface }} -j SNAT --to {{ item.value.ip_snat.to }}
+{% endfor %}
+{% endif %}
+{% for forward in item.value.port_forwardings | default([]) %}
+{% for port in forward.tcp_ports | default([]) %}
+ExecStart=/sbin/iptables -t nat -A PREROUTING -d {{ forward.dest }} -p tcp --dport {{ port }} -j DNAT --to {{ forward.tcp_ports[port] }}
+{% endfor %}
+{% for port in forward.udp_ports | default([]) %}
+ExecStart=/sbin/iptables -t nat -A PREROUTING -d {{ forward.dest }} -p udp --dport {{ port }} -j DNAT --to {{ forward.udp_ports[port] }}
+{% endfor %}
+{% endfor %}
+
+{% if 'ip_snat' in item.value %}
+{% for addr in item.value.addresses %}
+ExecStop=/sbin/iptables -t nat -D POSTROUTING -s {{ addr | ipaddr('network/prefix') }} -o {{ item.value.ip_snat.interface }} -j SNAT --to {{ item.value.ip_snat.to }}
+{% endfor %}
+{% endif %}
+{% for forward in item.value.port_forwardings | default([]) %}
+{% for port in forward.tcp_ports | default([]) %}
+ExecStop=/sbin/iptables -t nat -D PREROUTING -d {{ forward.dest }} -p tcp --dport {{ port }} -j DNAT --to {{ forward.tcp_ports[port] }}
+{% endfor %}
+{% for port in forward.udp_ports | default([]) %}
+ExecStop=/sbin/iptables -t nat -D PREROUTING -d {{ forward.dest }} -p udp --dport {{ port }} -j DNAT --to {{ forward.udp_ports[port] }}
+{% endfor %}
+{% endfor %}
+
+RemainAfterExit=yes
+
+
+[Install]
+WantedBy=multi-user.target
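Review bot: This file appears to be a stray copy of the gateway iptables template: it lives under `p2p/tasks/` rather than `p2p/templates/`, nothing in p2p/tasks/main.yml references it, and its body uses `item.value` and `item.value.port_forwardings`, which the p2p role never defines (it works with `wireguard_p2p_interface` and `wireguard_p2p_peer`). Unless a later commit wires it up, dropping it avoids a template that would fail to render if someone did reference it.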
diff --git a/roles/network/wireguard/p2p/templates/systemd.netdev.j2 b/roles/network/wireguard/p2p/templates/systemd.netdev.j2
new file mode 100644
index 00000000..04abfa1d
--- /dev/null
+++ b/roles/network/wireguard/p2p/templates/systemd.netdev.j2
@@ -0,0 +1,26 @@
+[NetDev]
+Name={{ wireguard_p2p_interface.name }}
+Kind=wireguard
+{% if 'description' in wireguard_p2p_interface %}
+Description={{ wireguard_p2p_interface.description }}
+{% endif %}
+
+
+[WireGuard]
+PrivateKey={{ wireguard_p2p_interface.priv_key }}
+{% if 'listen_port' in wireguard_p2p_interface %}
+ListenPort={{ wireguard_p2p_interface.listen_port }}
+{% endif %}
+
+
+[WireGuardPeer]
+PublicKey={{ wireguard_p2p_peer.pub_key }}
+{% for ip in wireguard_p2p_peer.allowed_ips %}
+AllowedIPs={{ ip }}
+{% endfor %}
+{% if 'endpoint' in wireguard_p2p_peer %}
+Endpoint={{ wireguard_p2p_peer.endpoint.host }}:{{ wireguard_p2p_peer.endpoint.port | default(51820) }}
+{% endif %}
+{% if 'keepalive_interval' in wireguard_p2p_peer %}
+PersistentKeepalive={{ wireguard_p2p_peer.keepalive_interval }}
+{% endif %}
diff --git a/roles/network/wireguard/p2p/templates/systemd.network.j2 b/roles/network/wireguard/p2p/templates/systemd.network.j2
new file mode 100644
index 00000000..3d1e2431
--- /dev/null
+++ b/roles/network/wireguard/p2p/templates/systemd.network.j2
@@ -0,0 +1,7 @@
+[Match]
+Name={{ wireguard_p2p_interface.name }}
+
+[Network]
+{% for addr in wireguard_p2p_interface.addresses %}
+Address={{ addr }}
+{% endfor %}