Update doc : vpn server playbook
This commit is contained in:
parent
d0efa5e9be
commit
2a7017a8c8
|
|
@ -37,11 +37,15 @@ Calls role nextcloud_aio, dependent on docker role.
|
|||
- Downloads SSE-Lab Repo
|
||||
- Runs compose up (using ansible plugins)
|
||||
|
||||
E.g. `ansible-playbook -i inventories/ -l nextrup_copy_test playbooks/nextcloud.yaml`
|
||||
E.g.
|
||||
|
||||
```ansible-playbook -i inventories/ -l nextrup_copy_test playbooks/nextcloud.yaml```
|
||||
|
||||
### Bootstrap ###
|
||||
Creates sudoer user ansible, necessitates of sudoer user.
|
||||
Use `ansible-playbook -i inventories playbooks/bootstrap.yml -l [TARGET_HOST] -e 'ansible_user=[REMOTE_USER]' -K`
|
||||
Use
|
||||
|
||||
```ansible-playbook -i inventories playbooks/bootstrap.yml -l [TARGET_HOST] -e 'ansible_user=[REMOTE_USER]' -K```
|
||||
|
||||
|
||||
### NameServer ###
|
||||
|
|
@ -56,8 +60,72 @@ Configures a OPNSense edge node features :
|
|||
- Wireguard VPN
|
||||
|
||||
NB runs locally so python intepreter needs to be specified
|
||||
E.g. `ansible-playbook -i inventories/sifi.yaml playbooks/opnsense.yaml --extra-vars="ansible_python_interpreter=$(which python)"
|
||||
`
|
||||
E.g.
|
||||
|
||||
```ansible-playbook -i inventories/sifi.yaml playbooks/opnsense.yaml --extra-vars="ansible_python_interpreter=$(which python)"
|
||||
```
|
||||
|
||||
### VPN Server ###
|
||||
Configures a VPN Server (only wireguard supported at the moment) for the specified 'wg_peers'.
|
||||
|
||||
The server acts as a gateway into a site, tunneling each connection and allowing only traffic into allowed subnets.
|
||||
|
||||
|
||||
Needed parameters and configuration example :
|
||||
|
||||
```
|
||||
wg_interface: wg0
|
||||
wg_port: 51820
|
||||
wg_server_address: 192.168.99.1/32
|
||||
wg_peers:
|
||||
- name: fabio_test
|
||||
publicKey: "9a3tgXpF5CAOffbHZdW1QBEJgSLFnBDVbD1JaMPgzkM="
|
||||
ip: "192.168.99.4/32"
|
||||
allowedIPs :
|
||||
- "192.168.99.0/24"
|
||||
- "10.22.0.0/16"
|
||||
- name: missing_key_test
|
||||
ip: "192.168.99.5/32"
|
||||
allowedIPs :
|
||||
- "192.168.99.0/24"
|
||||
- "10.22.0.0/16"
|
||||
- name: forced_missing_key_test
|
||||
forceRegeneration: True
|
||||
ip: "192.168.99.6/32"
|
||||
allowedIPs :
|
||||
- "192.168.99.0/24"
|
||||
- "10.22.0.0/16"
|
||||
|
||||
```
|
||||
|
||||
#### Wg-peers items ####
|
||||
|
||||
Each item represents a client [**Peer**] with :
|
||||
|
||||
- *name* [**Mandatory**] : a unique label for the client configuration
|
||||
- *publicKey*: public key used by the client. If missing, the playbook generates both public and private keys, if needed.
|
||||
- *ip* [**Mandatory**]: reserved ip for the client
|
||||
- *allowedIPs* [**Mandatory**]: subnets to which the server allows traffic to for the present client
|
||||
- *forceRegeneration*: force regeneration of public / private keys pair.
|
||||
|
||||
#### Client configurations ####
|
||||
The playbook generates client configurations at the following path
|
||||
|
||||
> "{{ playbook_dir }}/wg_clients/{{ inventory_hostname }}/{{ item.name }}.conf"
|
||||
|
||||
**NB** Client configurations are ready to be imported in wireguard client if the playbook generated both public and private keys. Otherwise only the client's public key is reported and the user is expected to fill the configuration properly with their private key.
|
||||
|
||||
|
||||
#### Key pair generation policy ####
|
||||
|
||||
In order to configure peers to connect to the server, public/private key pairs are needed.
|
||||
|
||||
The playbook evalutes the need for key generation as following :
|
||||
- If *forceRegeneration* is set to *True*, keys are generated
|
||||
- If *publicKey* is declared, that key is used
|
||||
- If a public Key is already configured on the server for that Peer's name, that key is used
|
||||
- If no public key is declared nor found, a new private / public key pair is generated and reported in client's configuration
|
||||
|
||||
|
||||
## Inventories
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue