tapionx · October 8, 2019 07:16
diff --git a/vpn.conf b/vpn.conf
 [Interface]
 Address = 10.8.0.1/24
 PrivateKey = XXXXXXXXXX
 PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
 ListenPort = 51821

 [Peer]
 PublicKey = XXXXXXXXXX
 AllowedIPs = 10.8.0.2/24
diff --git a/vpnclient.conf b/vpnclient.conf
 [Interface]
 Address = 10.8.0.2/24
 PrivateKey = XXXXXXXXXX
 DNS = 10.8.0.1

 [Peer]
 PublicKey = XXXXXXXXXX
 Endpoint = XXXXXXXXXX:51821
 AllowedIPs = 0.0.0.0/0
 PersistentKeepalive = 21

 # qrencode -t ansiutf8 < client.conf
diff --git a/wireguard.yml b/wireguard.yml
 ---
 - hosts: all
  remote_user: root
  tasks:
    - name: add unstable repositories for wireguard
      copy:
        content: 'deb http://deb.debian.org/debian/ unstable main'
        dest: /etc/apt/sources.list.d/unstable.list
    - name: pin unstable repository preferences
      copy:
        content: |
          Package: *
          Pin: release a=unstable
          Pin-Priority: 90
        dest: /etc/apt/preferences.d/limit-unstable
    - name: apt update
      apt:
        update_cache: yes
    - name: Install packages
      apt:
        name: "{{ packages }}"
      vars:
        packages:
        - wireguard
        - linux-headers-{{ ansible_kernel }}
        - qrencode
    - name: UFW allow WireGuard
      ufw:
        rule: allow
        port: "51821"
        proto: udp
    - name: add wireguard kernel module
      modprobe:
        name: wireguard
    - name: copy wireguard server config
      copy:
        src: ../templates/wireguard/vpn.conf
        dest: /etc/wireguard/vpn.conf
        owner: root
        group: root
        mode: 0600
    - name: enable IP forwarding
      sysctl:
        name: net.ipv4.ip_forward
        value: "1"
        sysctl_set: yes
        state: present
        reload: yes
    - name: enable wireguard vpn service
      systemd:
        name: [email protected]
        enabled: yes
    - name: start wireguard vpn service
      systemd:
        name: [email protected]
        state: started
      notify:
      - reboot
  handlers:
    - name: reboot
      reboot:
	[Interface]
	Address = 10.8.0.1/24
	PrivateKey = XXXXXXXXXX
	PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
	PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
	ListenPort = 51821

	[Peer]
	PublicKey = XXXXXXXXXX
	AllowedIPs = 10.8.0.2/24
	[Interface]
	Address = 10.8.0.2/24
	PrivateKey = XXXXXXXXXX
	DNS = 10.8.0.1

	[Peer]
	PublicKey = XXXXXXXXXX
	Endpoint = XXXXXXXXXX:51821
	AllowedIPs = 0.0.0.0/0
	PersistentKeepalive = 21

	# qrencode -t ansiutf8 < client.conf
	---
	- hosts: all
	remote_user: root
	tasks:
	- name: add unstable repositories for wireguard
	copy:
	content: 'deb http://deb.debian.org/debian/ unstable main'
	dest: /etc/apt/sources.list.d/unstable.list
	- name: pin unstable repository preferences
	copy:
	content: \|
	Package: *
	Pin: release a=unstable
	Pin-Priority: 90
	dest: /etc/apt/preferences.d/limit-unstable
	- name: apt update
	apt:
	update_cache: yes
	- name: Install packages
	apt:
	name: "{{ packages }}"
	vars:
	packages:
	- wireguard
	- linux-headers-{{ ansible_kernel }}
	- qrencode
	- name: UFW allow WireGuard
	ufw:
	rule: allow
	port: "51821"
	proto: udp
	- name: add wireguard kernel module
	modprobe:
	name: wireguard
	- name: copy wireguard server config
	copy:
	src: ../templates/wireguard/vpn.conf
	dest: /etc/wireguard/vpn.conf
	owner: root
	group: root
	mode: 0600
	- name: enable IP forwarding
	sysctl:
	name: net.ipv4.ip_forward
	value: "1"
	sysctl_set: yes
	state: present
	reload: yes
	- name: enable wireguard vpn service
	systemd:
	name: [email protected]
	enabled: yes
	- name: start wireguard vpn service
	systemd:
	name: [email protected]
	state: started
	notify:
	- reboot
	handlers:
	- name: reboot
	reboot: