diff --git a/playbook.yml b/playbook.yml
index ec15fe08..58402baf 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -7,6 +7,12 @@
     - application-caffeine
     - driver-non-free
 
+- name: application-wireguard
+  hosts: application_wireguard_hosts
+  become: true
+  roles:
+    - application-wireguard
+
 - name: collection-office
   hosts: collection_officetools_hosts
   become: true
diff --git a/roles/application-wireguard/README.md b/roles/application-wireguard/README.md
new file mode 100644
index 00000000..7e1cb3cf
--- /dev/null
+++ b/roles/application-wireguard/README.md
@@ -0,0 +1,22 @@
+# Role Native Wireguard
+Manages wireguard on a client.
+
+### Create Client Keys
+```bash
+  wg_private_key="$(wg genkey)"
+  wg_public_key="$(echo "$wg_private_key" | wg pubkey)"
+  echo "PrivateKey: $wg_private_key"
+  echo "PublicKey: $wg_public_key"
+  echo "PresharedKey: $(wg genpsk)"
+```
+
+## See
+- https://golb.hplar.ch/2019/01/expose-server-vpn.html
+- https://wiki.archlinux.org/index.php/WireGuard
+- https://wireguard.how/server/raspbian/
+- https://www.scaleuptech.com/de/blog/was-ist-und-wie-funktioniert-subnetting/
+- https://bodhilinux.boards.net/thread/450/wireguard-rtnetlink-answers-permission-denied
+- https://stackoverflow.com/questions/69140072/unable-to-ssh-into-wireguard-ip-until-i-ping-another-server-from-inside-the-serv
+- https://unix.stackexchange.com/questions/717172/why-is-ufw-blocking-acces-to-ssh-via-wireguard
+- https://forum.openwrt.org/t/cannot-ssh-to-clients-on-lan-when-accessing-router-via-wireguard-client/132709/3
+- https://serverfault.com/questions/1086297/wireguard-connection-dies-on-ubuntu-peer
\ No newline at end of file
diff --git a/roles/application-wireguard/handlers/main.yml b/roles/application-wireguard/handlers/main.yml
new file mode 100644
index 00000000..6127fc1c
--- /dev/null
+++ b/roles/application-wireguard/handlers/main.yml
@@ -0,0 +1,6 @@
+- name: "restart wireguard"
+  systemd:
+    name: wg-quick@wg0.service
+    state: restarted
+    enabled: yes
+    daemon_reload: yes
diff --git a/roles/application-wireguard/tasks/main.yml b/roles/application-wireguard/tasks/main.yml
new file mode 100644
index 00000000..82e2b6ae
--- /dev/null
+++ b/roles/application-wireguard/tasks/main.yml
@@ -0,0 +1,18 @@
+- name: install wireguard
+  pacman:
+    name: wireguard-tools
+    state: present
+
+- name: enable ipv4-forwarding
+  shell: sysctl net.ipv4.ip_forward=1
+
+- name: enable ipv6-forwarding
+  shell: sysctl net.ipv6.conf.all.forwarding=1
+
+- name: create /etc/wireguard/wg0.conf
+  copy:
+    src: "{{ inventory_dir }}/files/{{ inventory_hostname }}/etc/wireguard/wg0.conf"
+    dest: /etc/wireguard/wg0.conf
+    owner: root
+    group: root
+  notify: restart wireguard
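Review bot: `enabled: yes` and `daemon_reload: yes` in the handler should be the canonical booleans `enabled: true` and `daemon_reload: true`; `yes` is a YAML 1.1 truthy that yamllint flags and that a 1.2 parser reads as a string. `daemon_reload` is only needed when a unit file changed, and `wg-quick@.service` comes from the `wireguard-tools` package installed in tasks/main.yml, so here it presumably just adds a daemon reload on every restart. `state: restarted` also tears the tunnel down and up, so if Ansible ever reaches a host over that same WireGuard link the handler cuts the session mid-play; that is worth a comment on the handler, e.g. `# restart drops wg0; do not manage this host over the tunnel itself`. The FQCN `ansible.builtin.systemd` would make the module unambiguous as well.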
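Review bot: The `copy` task for `/etc/wireguard/wg0.conf` sets `owner`/`group` but no `mode`, so a file that holds `PrivateKey` and `PresharedKey` is created with the remote umask (typically 0644, world-readable); add `mode: "0600"` after `group: root`. The two `shell: sysctl ...` tasks are not idempotent (they report changed on every run) and do not survive a reboot, and on Arch (the `pacman` target) a persistent value has to live under `/etc/sysctl.d/` since `/etc/sysctl.conf` is not read there; `ansible.posix.sysctl` with an explicit `sysctl_file` covers both. The README describes this role as managing a client, and enabling IPv4/IPv6 forwarding turns the host into a router, which a plain client tunnel does not need, so I would gate those tasks behind a role variable so only peers that actually route traffic get it. The private key also sits in plaintext under the inventory `files/` tree; keeping that file in ansible-vault (or templating `PrivateKey` from a vaulted variable) and adding `no_log: true` to the copy task keeps it out of the repo history and out of `--diff` output.

```yaml
# … unchanged: install wireguard task …

- name: enable ip forwarding (only for peers that route traffic)
  ansible.posix.sysctl:
    name: "{{ item }}"
    value: "1"
    sysctl_file: /etc/sysctl.d/99-wireguard.conf
    sysctl_set: true
    state: present
    reload: true
  loop:
    - net.ipv4.ip_forward
    - net.ipv6.conf.all.forwarding
  when: wireguard_enable_forwarding | default(false) | bool

- name: create /etc/wireguard/wg0.conf
  copy:
    # … unchanged: src / dest / owner / group …
    mode: "0600"
  no_log: true
  notify: restart wireguard
```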