Add a more flexible routing config to wireguard ; enable wireguard dns reresolver daily service/timer

9 months ago · b003ebdcfd
4 changed files with 50 additions and 1 deletions
--- a/inventory.example
+++ b/inventory.example
@ -17,6 +17,10 @@ frames:
    monit_wireguard_ip: 192.168.254.1
    rtty_server: 192.168.254.1
    munin_server: 192.168.254.1
+    wireguard_postup:
+      - ip route add 192.168.254.0/24 dev wg0
+    wireguard_postdown:
+      - ip route del 192.168.254.0/24 dev wg0
 wg:
  hosts:
      frame1:
@ -27,7 +31,6 @@ wg:
        wireguard_remote_directory: "/opt/wireguard"
        wireguard_address: 192.168.254.1/32
        wireguard_allowed_ips: "192.168.254.0/24"
-        wireguard_table: "off"
        wireguard_postup:
          - ip route add 192.168.254.0/24 via 192.168.254.1 dev wg0
          - iptables -t nat -A PREROUTING -s 192.168.254.0/24 -d 192.168.254.0/24 -j ACCEPT
@ -43,6 +46,7 @@ wg:
          - iptables -D -A INPUT -i wg0 -s 192.168.254.0/24 -d 192.168.254.0/24 -j ACCEPT
          - iptables -D -A INPUT -i wg0 -s 192.168.254.0/24 -d 0.0.0.0/0 -j DROP
  vars:
+    wireguard_table: "off"
    wireguard_port: 51821
    wireguard_endpoint: 192.168.0.2
    wireguard_persistent_keepalive: 30
--- a/roles/wireguard/tasks/main.yml
+++ b/roles/wireguard/tasks/main.yml
@ -131,3 +131,32 @@
    state: started
    enabled: yes
  when: not wireguard_containerized
+
+- name: Setup wg dns-reresolver service
+  template:
+    src: wireguard_reresolve-dns.service
+    dest: "/etc/systemd/system/wireguard_reresolve-dns.service"
+    owner: root
+    group: root
+    mode: 0644
+  tags:
+    - wg-config
+  when: not wireguard_containerized
+
+- name: Setup wg dns-reresolver timer
+  template:
+    src: wireguard_reresolve-dns.timer
+    dest: "/etc/systemd/system/wireguard_reresolve-dns.timer"
+    owner: root
+    group: root
+    mode: 0644
+  tags:
+    - wg-config
+  when: not wireguard_containerized
+
+- name: Enable wg dns-reresolver timer
+  systemd:
+    name: wireguard_reresolve-dns.timer
+    daemon_reload: yes
+    enabled: yes
+    state: restarted
--- a/roles/wireguard/templates/wireguard_reresolve-dns.service
+++ b/roles/wireguard/templates/wireguard_reresolve-dns.service
@ -0,0 +1,8 @@
+[Unit]
+Description=Reresolve DNS of all WireGuard endpoints
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c 'for i in /etc/wireguard/*.conf; do /usr/share/doc/wireguard-tools/examples/reresolve-dns/reresolve-dns.sh "$i"; done'
--- a/roles/wireguard/templates/wireguard_reresolve-dns.timer
+++ b/roles/wireguard/templates/wireguard_reresolve-dns.timer
@ -0,0 +1,8 @@
+[Unit]
+Description=Periodically reresolve DNS of all WireGuard endpoints
+
+[Timer]
+OnCalendar=*-*-* 01:00:00
+
+[Install]
+WantedBy=timers.target