VPN Server (Site connection) Provisioning

ansible/inventories/group_vars/wireguard_server/sifi.yaml

@@ -1,14 +1,12 @@
-server_port: "51820"
+---
-
+wg_interface: wg0
-peers:
+wg_port: 51820
-- publicKey: "NRGPm2GV+ocsXImNxJ5pT/FuQCPg8uQcvydB6OSQEBg="
+#wg_server_public_interface: eth0
-  allowedIPs: "192.168.99.4/32"
+wg_server_address: 192.168.99.1/32
+#wg_server_private_key: "{{ wg_server_private_key }}"
 
 
-
+wg_peers:  
-# client
+  - name: fabio_test
-{% for peer in peers %}
+    publicKey: "dzODOKndtafZSf2GqvClFdxrpwyNJnZ/AsZkNl+ovEE="
-[Peer]
+    allowedIP: "192.168.99.4/32"
-PublicKey = {{ peers[peer].publicKey}}
-AllowedIPs = {{ peers[peer].allowedIPs}}
-{{% endfor %}}

ansible/playbooks/requirements.yml

@@ -17,10 +17,8 @@ collections:
 
   # - name: community.postgresql
   #   version: "3.2.0"
-
   # - name: ansible.posix
   #   version: "1.5.4"
-
   # - name: myorg.infrastructure
   #   source: https://hub.internal.com/api/galaxy/
   #   version: "1.0.0"

ansible/playbooks/roles/wireguard_server/handlers/main.yaml

@@ -0,0 +1,5 @@
+---
+- name: Restart WireGuard
+  ansible.builtin.systemd:
+    name: "wg-quick@{{ wg_interface }}"
+    state: restarted

ansible/playbooks/roles/wireguard_server/tasks/configure_server.yaml

@@ -0,0 +1,31 @@
+# wireguard_server.yml - Configure WireGuard VPN server
+---
+- name: Get Private Key [privatekey => var_privatekey]
+  shell: cat privatekey
+  register: wg_server_private_key
+  args:
+    chdir: /etc/wireguard
+
+- name: Deploy WireGuard server configuration
+  ansible.builtin.template:
+    src: templates/wireguard_server.jinja
+    dest: "/etc/wireguard/{{ wg_interface }}.conf"
+    owner: root
+    group: root
+    mode: '0600'
+  notify: Restart WireGuard
+
+- name: Enable and start WireGuard
+  ansible.builtin.systemd:
+    name: "wg-quick@{{ wg_interface }}"
+    state: started
+    enabled: true
+
+- name: Open WireGuard port in firewall
+  community.general.ufw:
+    rule: allow
+    port: "{{ wg_port }}"
+    proto: udp
+    comment: "WireGuard VPN"
+  ignore_errors: true
+

ansible/playbooks/roles/wireguard_server/tasks/generate_keys.yaml

@@ -0,0 +1,49 @@
+# generate_keys.yml - Generate WireGuard key pairs
+---
+- name: Create WireGuard directory
+  ansible.builtin.file:
+    path: /etc/wireguard
+    state: directory
+    mode: '0700'
+
+- name: Check if private key already exists
+  ansible.builtin.stat:
+    path: /etc/wireguard/privatekey
+  register: privkey_file
+
+- name: Generate private key
+  ansible.builtin.command: wg genkey
+  register: wg_private_key
+  when: not privkey_file.stat.exists
+  changed_when: true
+
+- name: Save private key
+  ansible.builtin.copy:
+    content: "{{ wg_private_key.stdout }}"
+    dest: /etc/wireguard/privatekey
+    owner: root
+    group: root
+    mode: '0600'
+  when: not privkey_file.stat.exists
+
+- name: Read private key
+  ansible.builtin.slurp:
+    src: /etc/wireguard/privatekey
+  register: private_key_content
+
+- name: Generate public key from private key
+  ansible.builtin.shell: echo "{{ private_key_content.content | b64decode | trim }}" | wg pubkey
+  register: wg_public_key
+  changed_when: false
+
+- name: Save public key
+  ansible.builtin.copy:
+    content: "{{ wg_public_key.stdout }}"
+    dest: /etc/wireguard/publickey
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Display public key for reference
+  ansible.builtin.debug:
+    msg: "Public key for {{ inventory_hostname }}: {{ wg_public_key.stdout }}"

ansible/playbooks/roles/wireguard_server/tasks/install_wireguard.yaml

@@ -0,0 +1,25 @@
+# install_wireguard.yml - Install WireGuard on Linux hosts
+---
+- name: Install WireGuard on Debian/Ubuntu
+  ansible.builtin.apt:
+    name:
+      - wireguard
+      - wireguard-tools
+    state: present
+    update_cache: true
+  when: ansible_os_family == "Debian"
+
+- name: Install WireGuard on RHEL/CentOS 8+
+  ansible.builtin.yum:
+    name:
+      - wireguard-tools
+    state: present
+  when: ansible_os_family == "RedHat"
+
+- name: Enable IP forwarding
+  ansible.posix.sysctl:
+    name: net.ipv4.ip_forward
+    value: '1'
+    sysctl_set: true
+    state: present
+    reload: true

ansible/playbooks/roles/wireguard_server/tasks/main.yaml

@@ -1,44 +1,4 @@
 ---
-- name: Install Wireguard Server
+- include_tasks: install_wireguard.yaml
-  apt:
+- include_tasks: generate_keys.yaml
-    pkg:
+- include_tasks: configure_server.yaml
-      - wireguard
-    state: latest
-    update_cache: true
-
-
-- name: Creating server privatekey and publickey
-  shell: wg genkey | tee privatekey | wg pubkey > publickey
-  args:
-    chdir: /etc/wireguard/keys
-
-- name: Get Private Key [privatekey => ]var_privatekey
-  shell: cat privatekey
-  register: var_privatekey
-  args:
-    chdir: /etc/wireguard/keys
-
-
-- name: Add WireGuard interface
-  command: ip link add dev wg0 type wireguard
-  become: true
-
-
-- name: Updating configuration
-  template:
-    src: wireguard_server
-    dest: /etc/wireguard/wg0.conf
-
-- name: Activating link
-  command: ip link set up dev wg0
-  become: true
-
-- name: Getting public key
-  shell: cat publickey
-  register: var_publickey
-  args:
-    chdir: /etc/wireguard/keys
-
-- name: Printing public key
-  debug:
-    msg: "Server public key is {{ var_publickey }}"

ansible/playbooks/roles/wireguard_server/tasks/main.yaml___back

@@ -0,0 +1,62 @@
+---
+- name: Install Wireguard Server
+  apt:
+    pkg:
+      - wireguard
+    state: latest
+    update_cache: true
+
+
+- name: Create directory for wg keys
+  ansible.builtin.file:
+    path: /etc/wireguard/keys
+    state: directory
+    mode: '0755'
+
+- name: Creating server privatekey and publickey
+  shell: wg genkey | tee privatekey | wg pubkey > publickey
+  args:
+    chdir: /etc/wireguard/keys
+
+- name: Get Private Key [privatekey => var_privatekey]
+  shell: cat privatekey
+  register: var_privatekey
+  args:
+    chdir: /etc/wireguard/keys
+
+
+#- name: Add WireGuard interface
+#  command: ip link add dev wg0 type wireguard
+
+
+- name: Updating configuration
+  template:
+    src: wireguard_server.jinja
+    dest: /etc/wireguard/wg0.conf
+
+#- name: Activating link
+#  command: ip link set up dev wg0
+
+
+- name: Starting wg service
+  systemd:
+    state: started
+    name: wg-quick@wg0
+    enabled: yes
+
+
+- name: Getting public key
+  shell: cat publickey
+  register: var_publickey
+  args:
+    chdir: /etc/wireguard/keys
+
+
+- name: Check server public IP
+  shell: curl https://ipinfo.io/ip
+  register: var_server_ip
+
+
+- name: Printing public key
+  debug:
+    msg: "Server {{ ansible_hostname }} reachable @{{var_server_ip}}. Public key is {{ var_publickey }}"

ansible/playbooks/roles/wireguard_server/templates/wireguard_server.jinja

@@ -1,11 +1,27 @@
-# device
+# templates/wireguard-server.conf.j2 - WireGuard server configuration
-[Interface]
+# Managed by Ansible - do not edit manually
-PrivateKey = {{ var_privatekey.stdout }}
-ListenPort = {{ server_port }}
 
-# client
+[Interface]
-{% for peer in peers %}
+Address = {{ wg_server_address }}
+ListenPort = {{ wg_port }}
+PrivateKey = {{ wg_server_private_key.stdout }}
+
+# IP forwarding
+PreUp = sysctl -w net.ipv4.ip_forward=1
+# IP masquerading
+PreUp = iptables -t mangle -A PREROUTING -i {{wg_interface}} -j MARK --set-mark 0x30
+PreUp = iptables -t nat -A POSTROUTING ! -o {{wg_interface}} -m mark --mark 0x30 -j MASQUERADE
+PostDown = iptables -t mangle -D PREROUTING -i {{wg_interface}} -j MARK --set-mark 0x30
+PostDown = iptables -t nat -D POSTROUTING ! -o {{wg_interface}} -m mark --mark 0x30 -j MASQUERADE
+
+
+{% for peer in wg_peers %}
+# {{ peer.name }}
 [Peer]
-PublicKey = {{ peers[peer].publicKey}}
+PublicKey = {{ peer.publicKey }}
-AllowedIPs = {{ peers[peer].allowedIP}}
+AllowedIPs = {{ peer.allowedIP }}
-{{% endfor %}}
+{% if peer.persistent_keepalive is defined %}
+PersistentKeepalive = {{ peer.persistent_keepalive }}
+{% endif %}
+
+{% endfor %}

ansible/playbooks/vpn_server.yaml

@@ -1,5 +1,6 @@
 ---
 - name: Configure VPN Server
   hosts: wireguard_server
+  become: true
   roles:
     - wireguard_server