From ea87aa7ec193435941901e14ed6ecedb54d41902 Mon Sep 17 00:00:00 2001
From: Jeltz
Date: Sun, 31 Jan 2021 06:07:05 +0100
Subject: [PATCH] WIP: Create a role for a Wireguard VPN endpoint

---
 hosts | 1 +
 roles/wireguard-endpoint/handlers/main.yml | 9 ++
 roles/wireguard-endpoint/tasks/main.yml | 60 +++++++++++++
 .../wireguard-endpoint/templates/interface.j2 | 10 +++
 .../templates/nftables.conf.j2 | 86 +++++++++++++++++++
 .../templates/sysctl.conf.j2 | 4 +
 .../templates/wireguard.conf.j2 | 12 +++
 vpn.yml | 6 ++
 8 files changed, 188 insertions(+)
 create mode 100644 roles/wireguard-endpoint/handlers/main.yml
 create mode 100644 roles/wireguard-endpoint/tasks/main.yml
 create mode 100644 roles/wireguard-endpoint/templates/interface.j2
 create mode 100644 roles/wireguard-endpoint/templates/nftables.conf.j2
 create mode 100644 roles/wireguard-endpoint/templates/sysctl.conf.j2
 create mode 100644 roles/wireguard-endpoint/templates/wireguard.conf.j2
 create mode 100755 vpn.yml

diff --git a/hosts b/hosts
index eec54a0..8abfcda 100644
--- a/hosts
+++ b/hosts
@@ -58,6 +58,7 @@ matrix-services.adm.auro.re
 serge.adm.auro.re
 passbolt.adm.auro.re
 vpn-ovh.adm.auro.re
+vpn-ovh-ng.auro.re
 docker-ovh.adm.auro.re
 switchs-manager.adm.auro.re
 ldap-replica-ovh.adm.auro.re
diff --git a/roles/wireguard-endpoint/handlers/main.yml b/roles/wireguard-endpoint/handlers/main.yml
new file mode 100644
index 0000000..cddbb29
--- /dev/null
+++ b/roles/wireguard-endpoint/handlers/main.yml
@@ -0,0 +1,9 @@
+---
+- name: Reload network interfaces
+ command: ifreload -a
+
+- name: Reload nftables
+ systemd:
+ name: nftables.service
+ state: reloaded
+...
diff --git a/roles/wireguard-endpoint/tasks/main.yml b/roles/wireguard-endpoint/tasks/main.yml
new file mode 100644
index 0000000..413adf7
--- /dev/null
+++ b/roles/wireguard-endpoint/tasks/main.yml
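Review bot: Nothing here applies two of the files that roles/wireguard-endpoint/tasks/main.yml writes without any notify: /etc/sysctl.d/forwarding.conf is only read at boot, and /etc/wireguard/{{ item.name }}.conf is only read by the interface's pre-up hook, so a changed key or peer list never reaches a running tunnel. Add a handler such as `- name: Apply sysctl` with `command: sysctl --system`, and one that re-syncs each tunnel, e.g. `command: wg syncconf {{ item.name }} /etc/wireguard/{{ item.name }}.conf` with `loop: "{{ wireguard_endpoints }}"`, and notify them from the sysctl and tunnel-config tasks. `ifreload -a` is not a substitute: as far as I know ifupdown2 only re-runs pre-up for interfaces whose stanza changed, and the stanza does not change when only the wireguard conf does.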
@@ -0,0 +1,60 @@
+---
+- name: Install required packages
+ apt:
+ pkg:
+ - ifupdown2
+ - wireguard
+ - nftables
+ state: latest
+ update_cache: yes
+
+- name: Tweak sysctl to enable IP forwarding
+ template:
+ src: sysctl.conf.j2
+ dest: /etc/sysctl.d/forwarding.conf
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=
+
+- name: Create tunnels configurations
+ template:
+ src: wireguard.conf.j2
+ dest: "/etc/wireguard/{{ item.name }}.conf"
+ owner: root
+ group: root
+ mode: u=rw,g=,o=
+ loop: "{{ wireguard_endpoints }}"
+ # try to hide clear-text private keys from Ansible output
+ no_log: True
+ diff: no
+
+- name: Create network interfaces
+ template:
+ src: interface.j2
+ dest: "/etc/network/interfaces.d/{{ item.name }}"
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=
+ loop: "{{ wireguard_endpoints }}"
+ no_log: True
+ diff: no
+ notify:
+ - Reload network interfaces
+
+- name: Enable nftables
+ systemd:
+ name: nftables.service
+ state: started
+ enabled: yes
+
+- name: Configure nftables
+ template:
+ src: nftables.conf.j2
+ dest: /etc/nftables.conf
+ validate: /sbin/nft -c -f %s
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=
+ notify:
+ - Reload nftables
+...
diff --git a/roles/wireguard-endpoint/templates/interface.j2 b/roles/wireguard-endpoint/templates/interface.j2
new file mode 100644
index 0000000..9347859
--- /dev/null
+++ b/roles/wireguard-endpoint/templates/interface.j2
@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+
+auto {{ item.name }}
+
+iface {{ item.name }}
+ link-type wireguard
+ pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
+ {% for addr in item.addrs %}
+ address {{ addr }}
+ {% endfor %}
diff --git a/roles/wireguard-endpoint/templates/nftables.conf.j2 b/roles/wireguard-endpoint/templates/nftables.conf.j2
new file mode 100644
index 0000000..77388fe
--- /dev/null
+++ b/roles/wireguard-endpoint/templates/nftables.conf.j2
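Review bot: `Enable nftables` starts the service with whatever /etc/nftables.conf is already on the host before `Configure nftables` has written the validated ruleset, and the `Reload nftables` handler only fires at the end of the play, so on a first run the host sits on the distribution's default ruleset in between; put the `Configure nftables` task before `Enable nftables`. `no_log: True` and `diff: no` on `Create network interfaces` protect nothing — interface.j2 renders only the interface name and addresses — while hiding the diff that would show a tunnel interface being changed; keep those two keys on `Create tunnels configurations`, where the private key lives, and drop them here. `state: latest` on the apt task upgrades the three packages on every run, which makes the role non-idempotent and turns a routine playbook run into an unplanned upgrade; `state: present` is the usual choice.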
@@ -0,0 +1,86 @@
+#!/usr/sbin/nft -f
+# {{ ansible_managed }}
+
+flush ruleset
+
+#table ip nat {
+#
+# chain prerouting {
+# type nat hook prerouting priority -100
+# policy accept
+# }
+#
+# chain postrouting {
+# type nat hook prerouting priority 100
+# policy accept
+#
+# #{% for endpoint in wireguard_endpoints %}
+# #oifname "{{ endpoint.name }}" masquerade
+# #{% endfor %}
+# }
+#
+#}
+
+table inet filter {
+
+ set blacklist_v4 {
+ type ipv4_addr
+ }
+
+ set blacklist_v6 {
+ type ipv6_addr
+ }
+
+ chain blacklist {
+ ip saddr @blacklist_v4 drop
+ ip6 saddr @blacklist_v6 drop
+ }
+
+ chain conntrack {
+ ct state invalid drop
+ ct state related, established accept
+ }
+
+ chain input {
+ type filter hook input priority 0
+ policy drop
+
+ iif lo accept
+
+ jump blacklist
+ jump conntrack
+
+ # TODO: ansible + separate nftables module
+ ip protocol icmp accept
+
+ {% for rule in nftables_basic_input_rules %}
+ {{ rule.proto }} \
+ {% if "saddr" in rule %} saddr {{ rule.saddr }} \ {% endif %}
+ {% if "sport" in rule %} sport {{ rule.sport }} \ {% endif %}
+ {% if "daddr" in rule %} daddr {{ rule.daddr }} \ {% endif %}
+ {% if "dport" in rule %} dport {{ rule.dport }} \ {% endif %}
+ {{ rule.verdict }}
+ {% endfor %}
+ }
+
+ chain forward {
+ type filter hook forward priority 0
+ policy drop
+
+ iif lo accept
+
+ jump blacklist
+ jump conntrack
+
+ {% for endpoint in wireguard_endpoints %}
+ iifname "{{ endpoint.name }}" accept
+ {% endfor %}
+ }
+
+ chain output {
+ type filter hook output priority 0
+ policy accept
+ }
+
+}
+
diff --git a/roles/wireguard-endpoint/templates/sysctl.conf.j2 b/roles/wireguard-endpoint/templates/sysctl.conf.j2
new file mode 100644
index 0000000..75be14e
--- /dev/null
+++ b/roles/wireguard-endpoint/templates/sysctl.conf.j2
@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+
+net.ipv4.ip_forward=1
+net.ipv6.conf.all.forwarding=1
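Review bot: The input chain never opens the tunnels' UDP listen ports, so with `policy drop` no WireGuard handshake reaches the host unless nftables_basic_input_rules happens to list them; add, next to the icmp rule, `{% for endpoint in wireguard_endpoints %}` / `udp dport {{ endpoint.listen_port }} accept` / `{% endfor %}`. Only IPv4 ICMP is accepted although the role enables IPv6 forwarding and the tunnels may carry v6 addresses; without `meta l4proto ipv6-icmp accept` the input chain drops neighbour discovery and router advertisements. The commented-out `chain postrouting` is hooked on `prerouting`, which will bite whoever uncomments it to get masquerading. The forward chain accepts everything arriving from a tunnel whatever its destination, which is a broad policy for a VPN endpoint; consider restricting it to the destination networks the tunnels are meant to reach.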
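Review bot: `net.ipv6.conf.all.forwarding=1` makes the kernel ignore router advertisements on every interface while accept_ra is at its default of 1, so if this host's uplink gets its IPv6 address or default route from RAs it loses them once the file is loaded. If that is the case add `net.ipv6.conf.UPLINK_IFACE.accept_ra=2` here (UPLINK_IFACE is a placeholder for the real interface name); if the uplink is statically configured this does not apply.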
diff --git a/roles/wireguard-endpoint/templates/wireguard.conf.j2 b/roles/wireguard-endpoint/templates/wireguard.conf.j2
new file mode 100644
index 0000000..3b44ef8
--- /dev/null
+++ b/roles/wireguard-endpoint/templates/wireguard.conf.j2
@@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+
+[Interface]
+Address = {{ item.addrs | join(",") }}
+PrivateKey = {{ item.private_key }}
+ListenPort = {{ item.listen_port }}
+
+{% for peer in item.peers %}
+[Peer]
+PublicKey = {{ item.public_key }}
+AllowedIps = {{ item.allowed_addrs | join(",") }}
+{% endfor %}
diff --git a/vpn.yml b/vpn.yml
new file mode 100755
index 0000000..99f0964
--- /dev/null
+++ b/vpn.yml
@@ -0,0 +1,6 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: vpn-ovh-ng.auro.re
+ roles:
+ - wireguard-endpoint
+...
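Review bot: Inside the `{% for peer in item.peers %}` loop both `PublicKey` and `AllowedIps` read from `item` instead of `peer`, so every peer stanza gets the interface's own `public_key` and `allowed_addrs` (neither of which the rest of the role defines) rather than the peer's; change them to `PublicKey = {{ peer.public_key }}` and `AllowedIPs = {{ peer.allowed_addrs | join(",") }}`. The `Address =` line is a wg-quick-only key: interface.j2 feeds this file straight to `wg setconf`, which as far as I can see rejects keys outside PrivateKey/ListenPort/FwMark, and the addresses are already assigned by the ifupdown2 `address` stanzas, so drop that line. Mode 0600 plus no_log on the task that writes this file is the right handling for the clear-text PrivateKey.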