Configure wireguard VPN

2024-05-29 22:06:22 +03:00 · 2024-05-29 22:06:22 +03:00 · d779db5d34
parent dd5869a62d
commit d779db5d34
4 changed files with 79 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -30,6 +30,27 @@ mail_users:
    password: Password123
    virtuals:
      - "alice@pikami.net"
+
+mx1_wg:
+  private_key: <wireguard private key>
+  address: <hosts address inside vpn>
+  port: 21841
+  interface: wg0
+  peers:
+    - name: Gateway
+      public_key: <vpn gateway public key>
+      endpoint: <gateway ip>:21841
+      allowed_ips: 10.2.0.1/32
+mx2_wg:
+  private_key: <wireguard private key>
+  address: <hosts address inside vpn>
+  port: 21841
+  interface: wg0
+  peers:
+    - name: Gateway
+      public_key: <vpn gateway public key>
+      endpoint: <gateway ip>:21841
+      allowed_ips: 10.2.0.1/32
 ```

 The hosts are taken from the `inventory.yml` file:
@ -38,9 +59,9 @@ The hosts are taken from the `inventory.yml` file:
 all:
  hosts:
    mx1:
-      ansible_host: 51.158.215.227
+      ansible_host: <mail server ip>
    mx2:
-      ansible_host: 89.58.5.252
+      ansible_host: <secondary mail server ip>
 ```

 ## Environment setup
@ -77,3 +98,4 @@ Current ansible playbooks:
 - 02-ssl.yml - generates ssl certificates and adds a renew cron job
 - 03-mail.yml - installs and configures dovecot and opensmtpd
 - 04-secondary-mail.yml - installs and configures opensmtpd as a backup mail receiver
+- 05-vpn.yml - configures wireguard vpn
--- a/ansible/05-vpn.yml
+++ b/ansible/05-vpn.yml
@ -0,0 +1,36 @@
+- name: VPN Setup
+  hosts:
+    - mx1
+    - mx2
+  remote_user: root
+  vars_files:
+    - vars.yml
+  tasks:
+    - name: Install wireguard
+      community.general.openbsd_pkg:
+        name:
+          - wireguard-tools
+        state: present
+
+    - name: Ensures /etc/wireguard dir exists
+      file:
+        path: "/etc/wireguard"
+        state: directory
+
+    - name: Create wireguard config
+      template:
+        src: "templates/wireguard.conf.j2"
+        dest: "/etc/wireguard/{{ lookup('vars', inventory_hostname + '_wg').interface }}.conf"
+        owner: root
+        group: wheel
+        mode: "0600"
+
+    - name: Create wireguard interface
+      template:
+        src: "templates/wireguard.if.j2"
+        dest: "/etc/hostname.{{ lookup('vars', inventory_hostname + '_wg').interface }}"
+      register: iface_config
+
+    - name: Apply network configuration if changed
+      shell: sh /etc/netstart {{ lookup('vars', inventory_hostname + '_wg').interface }}
+      when: iface_config.changed
--- a/ansible/templates/wireguard.conf.j2
+++ b/ansible/templates/wireguard.conf.j2
@ -0,0 +1,13 @@
+{% set _wg = lookup('vars', inventory_hostname + '_wg') %}
+# {{ ansible_managed }}
+[Interface]
+PrivateKey = {{ _wg.private_key }}
+ListenPort = {{ _wg.port }}
+
+{% for peer in _wg.peers %}
+[Peer]
+# {{ peer.name }}
+PublicKey = {{ peer.public_key }}
+Endpoint = {{ peer.endpoint }}
+AllowedIPs = {{ peer.allowed_ips }}
+{% endfor %}
--- a/ansible/templates/wireguard.if.j2
+++ b/ansible/templates/wireguard.if.j2
@ -0,0 +1,6 @@
+{% set _wg = lookup('vars', inventory_hostname + '_wg') %}
+# {{ ansible_managed }}
+inet {{ _wg.address }} 255.255.255.0 NONE
+up
+
+!/usr/local/bin/wg setconf {{ _wg.interface }} /etc/wireguard/{{ _wg.interface }}.conf