diff --git a/playbook.yml b/playbook.yml index 58402baf..5740ae85 100644 --- a/playbook.yml +++ b/playbook.yml @@ -4,7 +4,6 @@ roles: - system-pacman - collection-administrator-base - - application-caffeine - driver-non-free - name: application-wireguard diff --git a/roles/application-caffeine/meta/main.yml b/roles/application-caffeine/meta/main.yml index 175059fe..f2b89588 100644 --- a/roles/application-caffeine/meta/main.yml +++ b/roles/application-caffeine/meta/main.yml @@ -1,3 +1,2 @@ dependencies: -- system-aur-helper -- system-gnome \ No newline at end of file +- system-aur-helper \ No newline at end of file diff --git a/roles/application-wireguard/README.md b/roles/application-wireguard/README.md index 8a4757ae..9b8e18c8 100644 --- a/roles/application-wireguard/README.md +++ b/roles/application-wireguard/README.md @@ -10,35 +10,6 @@ Manages wireguard on a client. echo "PresharedKey: $(wg genpsk)" ``` -## Debug - -### RTNETLINK answers: Permission denied -When ```systemctl restart wg-quick@wg0.service``` returns __RTNETLINK answers: Permission denied__, modify _/etc/sysctl.conf_: - -```bash -net.ipv6.conf.all.disable_ipv6 = 0 -net.ipv6.conf.default.disable_ipv6 = 0 -net.ipv6.conf.lo.disable_ipv6 = 0 -``` - -Afterwards reload: -```bash -sysctl -p -systemctl restart wg-quick@wg0.service -``` - - -### SSH - -When the SSH connection over wireguard is buggy try: - -```bash -ip li set mtu 1400 dev eth0 -ip li set mtu 1400 dev wlo1 -``` - -This can be connected to the [MTU](https://www.imperva.com/learn/application-security/what-is-mtu-mss/) - ## Other - https://golb.hplar.ch/2019/01/expose-server-vpn.html - https://wiki.archlinux.org/index.php/WireGuard @@ -50,4 +21,8 @@ This can be connected to the [MTU](https://www.imperva.com/learn/application-sec - https://forum.openwrt.org/t/cannot-ssh-to-clients-on-lan-when-accessing-router-via-wireguard-client/132709/3 - https://serverfault.com/questions/1086297/wireguard-connection-dies-on-ubuntu-peer - https://unix.stackexchange.com/questions/624987/ssh-fails-to-start-when-listenaddress-is-set-to-wireguard-vpn-ip -- https://serverfault.com/questions/210408/cannot-ssh-debug1-expecting-ssh2-msg-kex-dh-gex-reply \ No newline at end of file +- https://serverfault.com/questions/210408/cannot-ssh-debug1-expecting-ssh2-msg-kex-dh-gex-reply +- https://www.thomas-krenn.com/de/wiki/Linux_ip_Kommando +- https://wiki.archlinux.org/title/dhcpcd +- https://wiki.ubuntuusers.de/NetworkManager/Dispatcher/ +- https://askubuntu.com/questions/1024916/how-can-i-launch-a-systemd-service-at-startup-before-another-systemd-service-sta \ No newline at end of file diff --git a/roles/application-wireguard/files/set-mtu.service b/roles/application-wireguard/files/set-mtu.service new file mode 100644 index 00000000..56c48494 --- /dev/null +++ b/roles/application-wireguard/files/set-mtu.service @@ -0,0 +1,10 @@ +[Unit] +Description=set MTU +Before=wg-quick@wg0.service + +[Service] +Type=oneshot +ExecStart=set-mtu.sh + +[Install] +RequiredBy=wg-quick@wg0.service \ No newline at end of file diff --git a/roles/application-wireguard/files/wireguard-ip.conf b/roles/application-wireguard/files/wireguard-ip.conf new file mode 100644 index 00000000..cc0113b9 --- /dev/null +++ b/roles/application-wireguard/files/wireguard-ip.conf @@ -0,0 +1,8 @@ +# This file is created by +# https://github.com/kevinveenbirkenbach/client-playbook/tree/main/roles/application-wireguard + +net.ipv6.conf.all.disable_ipv6 = 0 +net.ipv6.conf.default.disable_ipv6 = 0 +net.ipv6.conf.lo.disable_ipv6 = 0 +net.ipv6.conf.all.forwarding = 1 +net.ipv4.ip_forward = 1 \ No newline at end of file diff --git a/roles/application-wireguard/handlers/main.yml b/roles/application-wireguard/handlers/main.yml index 6127fc1c..246d49a2 100644 --- a/roles/application-wireguard/handlers/main.yml +++ b/roles/application-wireguard/handlers/main.yml @@ -1,6 +1,13 @@ +- name: "restart set-mtu.service" + systemd: + name: set-mtu.service + state: restarted + enabled: yes + daemon_reload: yes + - name: "restart wireguard" systemd: name: wg-quick@wg0.service state: restarted enabled: yes - daemon_reload: yes + daemon_reload: yes \ No newline at end of file diff --git a/roles/application-wireguard/tasks/main.yml b/roles/application-wireguard/tasks/main.yml index 82e2b6ae..80f02c5b 100644 --- a/roles/application-wireguard/tasks/main.yml +++ b/roles/application-wireguard/tasks/main.yml @@ -3,11 +3,25 @@ name: wireguard-tools state: present -- name: enable ipv4-forwarding - shell: sysctl net.ipv4.ip_forward=1 +- name: create set-mtu.service + copy: + src: set-mtu.service + dest: /etc/systemd/system/set-mtu.service + notify: restart set-mtu.service -- name: enable ipv6-forwarding - shell: sysctl net.ipv6.conf.all.forwarding=1 +- name: create set-mtu.sh + template: + src: set-mtu.sh.j2 + dest: /usr/local/bin/set-mtu.sh + notify: restart set-mtu.service + +- name: create wireguard-ip.conf + copy: + src: "wireguard-ip.conf" + dest: /etc/sysctl.d/wireguard-ip.conf + owner: root + group: root + notify: reload sysctl configuration - name: create /etc/wireguard/wg0.conf copy: diff --git a/roles/application-wireguard/templates/set-mtu.sh.j2 b/roles/application-wireguard/templates/set-mtu.sh.j2 new file mode 100644 index 00000000..eae6555f --- /dev/null +++ b/roles/application-wireguard/templates/set-mtu.sh.j2 @@ -0,0 +1,4 @@ +#!/bin/bash +ip li set mtu 1400 dev eth0 +ip li set mtu 1400 dev wlo1 +sysctl -p \ No newline at end of file diff --git a/roles/system-gnome/meta/main.yml b/roles/system-gnome/meta/main.yml index f4aa4bc0..51bba34e 100644 --- a/roles/system-gnome/meta/main.yml +++ b/roles/system-gnome/meta/main.yml @@ -1,2 +1,3 @@ dependencies: -- application-git \ No newline at end of file +- application-git +- application-caffeine \ No newline at end of file