From c3cb8e1e8fb7057300ec2362736235565ceafa70 Mon Sep 17 00:00:00 2001
From: Sonny Bakker
Date: Wed, 29 Dec 2021 11:57:31 +0100
Subject: [PATCH] Add wireguard configuration

---
 files/desktop/wireguard/desktop.key | 7 ++
 files/desktop/wireguard/desktop.pub | 1 +
 files/desktop/wireguard/preshared.psk | 7 ++
 playbook.yml | 1 -
 tasks/network.yml | 97 ++++++++++++++---
 .../{network.j2 => network/enp.network.j2} | 0
 templates/desktop/network/vmbr0.netdev.j2 | 5 +
 templates/desktop/network/vmbr0.network.j2 | 10 ++
 templates/desktop/network/wg0.netdev.j2 | 24 +++++
 templates/desktop/network/wg0.network.j2 | 7 ++
 templates/desktop/nftables.j2 | 4 +-
 templates/desktop/pulse-script.j2 | 2 +-
 templates/desktop/syncthing.j2 | 2 +-
 templates/laptop/openvpn.j2 | 102 ------------------
 vars/desktop.yml | 25 +++++
 vars/laptop.yml | 2 +
 vars/main.yml | 2 +-
 vars/vpn.yml | 5 +-
 18 files changed, 176 insertions(+), 127 deletions(-)
 create mode 100644 files/desktop/wireguard/desktop.key
 create mode 100644 files/desktop/wireguard/desktop.pub
 create mode 100644 files/desktop/wireguard/preshared.psk
 rename templates/desktop/{network.j2 => network/enp.network.j2} (100%)
 create mode 100644 templates/desktop/network/vmbr0.netdev.j2
 create mode 100644 templates/desktop/network/vmbr0.network.j2
 create mode 100644 templates/desktop/network/wg0.netdev.j2
 create mode 100644 templates/desktop/network/wg0.network.j2
 delete mode 100644 templates/laptop/openvpn.j2

diff --git a/files/desktop/wireguard/desktop.key b/files/desktop/wireguard/desktop.key
new file mode 100644
index 0000000..2a4e787
--- /dev/null
+++ b/files/desktop/wireguard/desktop.key
@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+64386433373038346364353966343664623636623866656535326139353563396466653663613565
+3265323264623161653131663865343362323530643139340a383238383738303366333666326536
+32373330623636613863303636626536613736323565323632353263363531386339623636613965
+6232626334623437610a623236383763636431323332343237353835666432326439396361386139
+31383538613265633766316565313538663631383833383636376630326130393039623561666232
+3861343261303065363138616564666464653733353864386564
diff --git a/files/desktop/wireguard/desktop.pub b/files/desktop/wireguard/desktop.pub
new file mode 100644
index 0000000..3045a86
--- /dev/null
+++ b/files/desktop/wireguard/desktop.pub
@@ -0,0 +1 @@
+izHzmRwh2yzICps6pFI2Bg3TnmTD66/8uH4loJpkuD4=
diff --git a/files/desktop/wireguard/preshared.psk b/files/desktop/wireguard/preshared.psk
new file mode 100644
index 0000000..3ce2db6
--- /dev/null
+++ b/files/desktop/wireguard/preshared.psk
@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+35306261646161313832376338646666383439366336396566366163646263346661373861326630
+3461373866323562356338323837653032346333323962310a353436613736353763373163306163
+63356435306132623264323361333863363038306132333832303035393863616562363833663038
+3265306165623435390a383464343539393964396430343932363364353363323337346565646335
+37373332306534303963386139613931396561643763663438303932373832633565643765353433
+6564326235623439363438626261346264393835636134383664
diff --git a/playbook.yml b/playbook.yml
index 912603f..eada34f 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -16,7 +16,6 @@
 - import_tasks: 'tasks/setup.yml'
 - import_tasks: 'tasks/network.yml'
 - import_tasks: 'tasks/systemd.yml'
- - import_tasks: 'tasks/openvpn.yml'
 - import_tasks: 'tasks/git.yml'
 - import_tasks: 'tasks/mpv.yml'
 - import_tasks: 'tasks/mpd.yml'
diff --git a/tasks/network.yml b/tasks/network.yml
index 76a32a8..026d908 100644
--- a/tasks/network.yml
+++ b/tasks/network.yml
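Review bot: The vault-encrypted private key committed in this file appears to be a second copy of the secret that vars/desktop.yml carries inline as `vpn_private_key`, and it is the inline copy that wg0.netdev.j2 renders into the netdev; the file copy only lands in `/etc/wireguard/keys/private/desktop.key`, where nothing in this diff reads it. Two encrypted copies of one key are easy to let drift when it is rotated, so keep only the copy that is actually consumed, or add a comment in tasks/network.yml saying why both exist. The same duplication exists between `preshared.psk` and the inline `preshared_key` of the `zeus` peer.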
@@ -1,42 +1,109 @@
-- name: setup desktop systemd networkd
- become: yes
- template:
- src: 'templates/desktop/network.j2'
- dest: '/etc/systemd/network/20-wired.network'
+- name: create wireguard directories
+ become: true
+ file:
+ path: '{{ item | dirname }}'
 owner: root
- group: root
+ group: systemd-network
 mode: '0644'
- notify: restart systemd-networkd
+ state: directory
+ loop:
+ - '{{ vpn_private_key_path }}'
+ - '{{ vpn_public_key_path }}'
+
+- name: copy wireguard credentials
+ become: true
+ copy:
+ src: '{{ item.src }}'
+ dest: '{{ item.dest }}'
+ owner: root
+ group: systemd-network
+ mode: '0640'
+ loop:
+ - {
+ dest: '{{ vpn_public_key_path }}',
+ src: 'files/{{ platform }}/wireguard/{{ platform }}.pub',
+ }
+ - {
+ dest: '{{ vpn_private_key_path }}',
+ src: 'files/{{ platform }}/wireguard/{{ platform }}.key',
+ }
+
+- name: copy wireguard preshared keys
+ become: true
+ copy:
+ src: '{{ item.preshared_key_source_path }}'
+ dest: '{{ item.preshared_key_path }}'
+ owner: root
+ group: systemd-network
+ mode: '0640'
+ loop: '{{ vpn_peers }}'
+
+- name: setup desktop network configuration
+ become: true
+ template:
+ src: '{{ item.src }}'
+ dest: '{{ item.dest }}'
+ owner: root
+ group: systemd-network
+ mode: '0640'
+ loop:
+ - {
+ src: 'templates/desktop/network/enp.network.j2',
+ dest: '/etc/systemd/network/20-wired.network',
+ }
+ - {
+ src: 'templates/desktop/network/vmbr0.network.j2',
+ dest: '/etc/systemd/network/30-vmbr0.network',
+ }
+ - {
+ src: 'templates/desktop/network/vmbr0.netdev.j2',
+ dest: '/etc/systemd/network/30-vmbr0.netdev',
+ }
+ - {
+ src: 'templates/desktop/network/wg0.network.j2',
+ dest: '/etc/systemd/network/40-wg0.network',
+ }
+ - {
+ src: 'templates/desktop/network/wg0.netdev.j2',
+ dest: '/etc/systemd/network/40-wg0.netdev',
+ }
 when: platform == "desktop"
-- name: setup laptop systemd networkd
- become: yes
+# TODO: update network configuration path
+- name: setup laptop network configuration
+ become: true
 template:
 src: 'templates/laptop/network.j2'
 dest: '/etc/systemd/network/20-wireless.network'
 owner: root
 group: root
 mode: '0644'
- notify: restart systemd-networkd
 when: platform == "laptop"
+- name: restart systemd-networkd
+ become: true
+ systemd:
+ name: systemd-networkd
+ state: restarted
+ enabled: true
+
 - name: start systemd-resolved service
- become: yes
+ become: true
 systemd:
 name: systemd-resolved
 state: started
- enabled: yes
+ enabled: true
 - name: start iwd service
- become: yes
+ become: true
 systemd:
 name: iwd
 state: started
- enabled: yes
+ enabled: true
 when: platform == "laptop"
 - name: copy firewall template
- become: yes
+ become: true
 template:
 src: 'templates/{{ platform }}/nftables.j2'
 dest: '/etc/nftables.conf'
diff --git a/templates/desktop/network.j2 b/templates/desktop/network/enp.network.j2
similarity index 100%
rename from templates/desktop/network.j2
rename to templates/desktop/network/enp.network.j2
diff --git a/templates/desktop/network/vmbr0.netdev.j2 b/templates/desktop/network/vmbr0.netdev.j2
new file mode 100644
index 0000000..54f171b
--- /dev/null
+++ b/templates/desktop/network/vmbr0.netdev.j2
@@ -0,0 +1,5 @@
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+
+[NetDev]
+Name=vmbr0
+Kind=bridge
diff --git a/templates/desktop/network/vmbr0.network.j2 b/templates/desktop/network/vmbr0.network.j2
new file mode 100644
index 0000000..a3ca139
--- /dev/null
+++ b/templates/desktop/network/vmbr0.network.j2
@@ -0,0 +1,10 @@
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+
+[Match]
+Name=vmbr0
+
+[Network]
+Address=10.4.0.1/24
+DHCP=yes
+IPForward=yes
+ConfigureWithoutCarrier=yes
diff --git a/templates/desktop/network/wg0.netdev.j2 b/templates/desktop/network/wg0.netdev.j2
new file mode 100644
index 0000000..de4e81e
--- /dev/null
+++ b/templates/desktop/network/wg0.netdev.j2
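Review bot: The `create wireguard directories` task keeps `mode: '0644'` from the old template task but now applies it with `state: directory`, so `/etc/wireguard/keys/private` and `.../public` are created without the execute bit and group `systemd-network` cannot traverse them; the 0640 key files dropped inside are then unreachable for exactly the group they were chgrp'd to, which is presumably also why `PrivateKeyFile=` in wg0.netdev.j2 "does not seem to work". Change the directory mode to `mode: '0750'`. Separately, the `notify: restart systemd-networkd` lines were dropped in favour of an unconditional `restart systemd-networkd` task, so every play run tears down wg0 and vmbr0 even when nothing changed; put the restart back behind a handler notified by the copy/template tasks. The directory and copy tasks also have no `when: platform == "desktop"` yet reference `vpn_private_key_path` and `vpn_peers`, which vars/laptop.yml does not define in this diff, so a laptop run fails on undefined variables unless they are set elsewhere.
```yaml
- name: create wireguard directories
  become: true
  file:
    path: '{{ item | dirname }}'
    owner: root
    group: systemd-network
    mode: '0750'  # a directory needs x for group systemd-network to reach the key files
    state: directory
  loop:
    - '{{ vpn_private_key_path }}'
    - '{{ vpn_public_key_path }}'
  when: platform == "desktop"
# … unchanged: copy wireguard credentials / preshared keys, plus the same `when:` and `notify: restart systemd-networkd` …
# … unchanged: setup desktop network configuration, plus `notify: restart systemd-networkd` …
# … the standalone "restart systemd-networkd" task moves to handlers under the same name …
```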
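Review bot: `DHCP=yes` on vmbr0 next to the static `Address=10.4.0.1/24` makes the host a DHCP client on its own guest bridge, so any VM on vmbr0 that runs a DHCP server can hand the host a default route, DNS servers or extra routes; the nftables rule that accepts udp 67 in on vmbr0 suggests the host is meant to be the DHCP server there, not a client. Drop `DHCP=yes` (or set `DHCP=no`), and if a lease on the bridge is ever wanted, add a `[DHCPv4]` section with `UseRoutes=no` and `UseDNS=no`. Note also that on the systemd versions of this era `IPForward=yes` flips the host-wide forwarding sysctl, not just the bridge, so a forward-chain policy in nftables.j2 should accompany it; I cannot see one in this diff.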
@@ -0,0 +1,24 @@
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+
+[NetDev]
+Name={{ vpn_interface }}
+Kind=wireguard
+Description=WireGuard tunnel {{ vpn_interface }}
+
+[WireGuard]
+# PrivateKeyFile option does not seem to work, perhaps a bug?
+PrivateKey={{ vpn_private_key }}
+
+{% for peer in vpn_peers %}
+[WireGuardPeer]
+PublicKey={{ peer.public_key }}
+# PresharedKeyFile option does not seem to work, perhaps a bug?
+PresharedKey={{ peer.preshared_key }}
+AllowedIPs={{ peer.allowd_ips }}
+{% if peer.endpoint %}
+Endpoint={{ peer.endpoint }}
+{% endif %}
+{% if not loop.last %}
+
+{% endif %}
+{% endfor %}
diff --git a/templates/desktop/network/wg0.network.j2 b/templates/desktop/network/wg0.network.j2
new file mode 100644
index 0000000..81fbe8a
--- /dev/null
+++ b/templates/desktop/network/wg0.network.j2
@@ -0,0 +1,7 @@
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+
+[Match]
+Name={{ vpn_interface }}
+
+[Network]
+Address={{ vpn_ip }}/{{ vpn_subnet }}
diff --git a/templates/desktop/nftables.j2 b/templates/desktop/nftables.j2
index 3adbb58..502770a 100644
--- a/templates/desktop/nftables.j2
+++ b/templates/desktop/nftables.j2
@@ -25,10 +25,10 @@ table inet filter {
 tcp dport ssh accept
 # syncthing
- ip saddr 10.8.1.1 tcp dport 22000 accept
+ ip saddr 10.0.0.1 tcp dport 22000 accept
 # allow remote pulse audio
- ip saddr 10.8.1.1 tcp dport 4713 accept
+ ip saddr 10.0.0.1 tcp dport 4713 accept
 # allow dhcp requests for bridget connections
 iifname "vmbr0" udp dport { 53, 67 } accept
diff --git a/templates/desktop/pulse-script.j2 b/templates/desktop/pulse-script.j2
index 56cd152..8bcc1ea 100644
--- a/templates/desktop/pulse-script.j2
+++ b/templates/desktop/pulse-script.j2
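Review bot: Rendering `PrivateKey={{ vpn_private_key }}` and `PresharedKey={{ peer.preshared_key }}` inline puts the secrets into the netdev file and into Ansible's template diff/log output, and the two comments admitting that `PrivateKeyFile=`/`PresharedKeyFile=` "do not seem to work" are most likely explained by tasks/network.yml creating the key directories with mode 0644, which group `systemd-network` cannot traverse (I cannot confirm that from the template alone). Once the directory mode is fixed, prefer `PrivateKeyFile={{ vpn_private_key_path }}` and `PresharedKeyFile={{ peer.preshared_key_path }}`, which the copy tasks already provision with 0640 root:systemd-network, and drop the inline copies. Also, `{% if peer.endpoint %}` raises under Ansible's strict undefined handling for a peer without an `endpoint` key (a passive peer), so write `{% if peer.endpoint is defined and peer.endpoint %}`; and `allowd_ips` reads like a typo for `allowed_ips` that is mirrored in vars/desktop.yml, so rename both together or not at all.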
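Review bot: The rewritten accepts for 22000 and 4713 still match on `ip saddr` alone, so anything on the LAN or on the vmbr0 guest bridge that sources packets as 10.0.0.1 is accepted too; now that the peer is only reachable through the tunnel, bind the rules to it: `iifname "{{ vpn_interface }}" ip saddr 10.0.0.1 tcp dport 22000 accept` and the same for 4713. The address is also hard-coded here while vars/desktop.yml already carries it as `vpn_peers[0].allowd_ips`; templating it from there keeps the firewall and the peer definition from drifting.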
@@ -2,4 +2,4 @@
 #
 # {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
-/usr/bin/pactl load-module module-native-protocol-tcp auth-anonymous=1 listen=10.8.1.10
+/usr/bin/pactl load-module module-native-protocol-tcp auth-anonymous=1 listen={{ vpn_ip }}
diff --git a/templates/desktop/syncthing.j2 b/templates/desktop/syncthing.j2
index dba711e..d9e59f9 100644
--- a/templates/desktop/syncthing.j2
+++ b/templates/desktop/syncthing.j2
@@ -71,7 +71,7 @@ 0 -
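Review bot: `auth-anonymous=1` is carried over unchanged, so every host that can reach `{{ vpn_ip }}:4713` gets full control of the audio server with no cookie; the only thing standing in the way is the nftables rule, which is loaded by a different task and can be absent or stale when this script runs. The module has its own address filter that costs nothing and does not depend on the firewall: `auth-anonymous=1 auth-ip-acl=10.0.0.1 listen={{ vpn_ip }}`, ideally with the address templated from the peer definition in vars/desktop.yml rather than repeated.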
tcp://10.8.0.1:22000
+
tcp://10.0.0.1:22000
false false 0 diff --git a/templates/laptop/openvpn.j2 b/templates/laptop/openvpn.j2 deleted file mode 100644 index 8e329e6..0000000 --- a/templates/laptop/openvpn.j2 +++ /dev/null 
@@ -1,102 +0,0 @@ -# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }} -# -############################################## -# Sample client-side OpenVPN 2.0 config file # -# for connecting to multi-client server. # -# # -# This configuration can be used by multiple # -# clients, however each client should have # -# its own cert and key files. # -# # -# On Windows, you might want to rename this # -# file so it has a .ovpn extension # -############################################## - -# Specify that we are a client and that we -# will be pulling certain config file directives -# from the server. -client - -# Use the same setting as you are using on -# the server. -# On most systems, the VPN will not function -# unless you partially or fully disable -# the firewall for the TUN/TAP interface. -dev {{ vpn_interface }} - -# Use unprivileged ip command -#iproute /usr/local/sbin/unpriv-ip - -# Are we connecting to a TCP or -# UDP server? Use the same setting as -# on the server. -proto {{ vpn_protocol }} - -# The hostname/IP and port of the server. -# You can have multiple remote entries -# to load balance between the servers. -remote {{ vpn_ip }} -port {{ vpn_port }} - -# Keep trying indefinitely to resolve the -# host name of the OpenVPN server. Very useful -# on machines which are not permanently connected -# to the internet such as laptops. -resolv-retry infinite - -# Ping every 30s - Inactivity restart 120s -keepalive 30 120 - -# Don't ping until connected to remote -ping-timer-rem - -# Most clients don't need to bind to -# a specific local port number. -nobind - -# Try to preserve some state across restarts. -persist-key -persist-tun - -# SSL/TLS parms. -# See the server config file for more -# description. It's best to use -# a separate .crt/.key file pair -# for each client. A single ca -# file can be used for all clients. 
-ca /etc/openvpn/client/zeus/ca.crt -cert /etc/openvpn/client/zeus/laptop.crt -key /etc/openvpn/client/zeus/laptop.key - -# Verify server certificate by checking that the -# certicate has the correct key usage set. -# This is an important precaution to protect against -# a potential attack discussed here: -# http://openvpn.net/howto.html#mitm -# -# To use this feature, you will need to generate -# your server certificates with the keyUsage set to -# digitalSignature, keyEncipherment -# and the extendedKeyUsage to -# serverAuth -# EasyRSA can do this for you. -remote-cert-tls server - -# If a tls-auth key is used on the server -# then every client must also have the key. -tls-auth ta.key 1 -auth SHA512 - -# Select a cryptographic cipher. -# If the cipher option is used on the server -# then you must also specify it here. -cipher AES-256-CBC - -# Enable compression on the VPN link. -# Don't enable this unless it is also -# enabled in the server config file. -# Disabled as advised on https://openvpn.net/security-advisories/ -#compress lz4 - -# Set log file verbosity. -verb {{ vpn_verbosity }} diff --git a/vars/desktop.yml b/vars/desktop.yml index 28d4ccb..7cf4afa 100644 --- a/vars/desktop.yml +++ b/vars/desktop.yml 
@@ -1 +1,26 @@
 platform_packages: []
+
+vpn_ip: '10.0.0.3'
+vpn_subnet: '24'
+
+vpn_public_key_path: '/etc/wireguard/keys/public/desktop.pub'
+vpn_private_key_path: '/etc/wireguard/keys/private/desktop.key'
+vpn_private_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 65386334366166306164363464633364383935313739373730373139663139373964336665636264
+ 3563663038313039363230623266393164646164373739620a623536633631643231633938613461
+ 63366239333230663531306333383962353937353736663336343434663633303232386531353832
+ 6434633935333538650a613065306239333031656362356165326136333131356135383436326561
+ 62303035386634636333353664373231633434656538303866386262353139363439363435346637
+ 6637363334623133376134306165626564343864633032613763
+
+vpn_peers:
+ - {
+ name: 'zeus',
+ allowd_ips: '10.0.0.1/32',
+ endpoint: '178.85.119.159:51902',
+ public_key: 'CeybSMpJiicXmndIuhe89Bay3z3PEdYNyAwIFsacBEo=',
+ preshared_key_path: '/etc/wireguard/keys/private/preshared-zeus.psk',
+ preshared_key_source_path: 'files/desktop/wireguard/preshared.psk',
+ preshared_key: !vault "$ANSIBLE_VAULT;1.1;AES256\r\n363333633336613939306632323163396239303739366135393232396134393266623939613534326238393638333137383235313039623264343932303038330a633934373638363966306533346235326234663464313963356238623064666430303030643533666536393662316237333463336462376366343335363131350a333135366239633765633136316133653535336661666461666365636233656165666635663037386666323931643265623233366133623237663734623661623661316436396465343866363266393565653237636136626536353630383263"
+ }
diff --git a/vars/laptop.yml b/vars/laptop.yml
index 3ea944c..0f6cd7f 100644
--- a/vars/laptop.yml
+++ b/vars/laptop.yml
@@ -1,3 +1,5 @@
 platform_packages:
 - iwd
 - powertop
+
+vpn_ip: '10.0.0.2'
diff --git a/vars/main.yml b/vars/main.yml
index 80107c3..b8c5488 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -10,7 +10,6 @@ packages:
 - nftables
 - mpd
 - nfs-utils
- - openvpn
 - okular
 - postgresql
 - plasma-meta
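Review bot: The `zeus` entry in `vpn_peers` is written as a flow mapping with a trailing comma and carries `preshared_key` as a one-line double-quoted `!vault` string with literal `\r\n` escapes, while `vpn_private_key` a few lines above uses the readable `!vault |` block form; write the peer in block style and the preshared key as `preshared_key: !vault |` followed by the envelope lines, so that `ansible-vault encrypt_string` output can be pasted and later rekeyed the same way for both secrets. The key `allowd_ips` looks like a typo for `allowed_ips`; it is consumed by name in wg0.netdev.j2, so renaming it means changing both files in one commit.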
@@ -29,5 +28,6 @@ packages:
 - pipewire
 - pipewire-pulse
 - pipewire-alsa
+ - wireguard-tools
 platform_packages: []
diff --git a/vars/vpn.yml b/vars/vpn.yml
index 1cca5e3..194c351 100644
--- a/vars/vpn.yml
+++ b/vars/vpn.yml
@@ -1,5 +1,2 @@
-vpn_ip: '178.85.119.159'
-vpn_port: '7531'
-vpn_interface: 'tun0'
+vpn_interface: 'wg0'
 vpn_protocol: 'udp'
-vpn_verbosity: '1'