From b003ebdcfdc79c91bfe12c52e8603843bd3a86bc Mon Sep 17 00:00:00 2001
From: KemoNine
Date: Thu, 13 Aug 2020 20:36:50 -0400
Subject: [PATCH] Add a more flexible routing config to wireguard ; enable wireguard dns reresolver daily service/timer
---
 inventory.example | 6 +++-
 roles/wireguard/tasks/main.yml | 29 +++++++++++++++++++
 .../templates/wireguard_reresolve-dns.service | 8 +++++
 .../templates/wireguard_reresolve-dns.timer | 8 +++++
 4 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 roles/wireguard/templates/wireguard_reresolve-dns.service
 create mode 100644 roles/wireguard/templates/wireguard_reresolve-dns.timer
diff --git a/inventory.example b/inventory.example
index 52663ff..44a721c 100644
--- a/inventory.example
+++ b/inventory.example
@@ -17,6 +17,10 @@ frames:
 monit_wireguard_ip: 192.168.254.1
 rtty_server: 192.168.254.1
 munin_server: 192.168.254.1
+ wireguard_postup:
+ - ip route add 192.168.254.0/24 dev wg0
+ wireguard_postdown:
+ - ip route del 192.168.254.0/24 dev wg0
 wg:
 hosts:
 frame1:
@@ -27,7 +31,6 @@ wg:
 wireguard_remote_directory: "/opt/wireguard"
 wireguard_address: 192.168.254.1/32
 wireguard_allowed_ips: "192.168.254.0/24"
- wireguard_table: "off"
 wireguard_postup:
 - ip route add 192.168.254.0/24 via 192.168.254.1 dev wg0
 - iptables -t nat -A PREROUTING -s 192.168.254.0/24 -d 192.168.254.0/24 -j ACCEPT
@@ -43,6 +46,7 @@ wg:
 - iptables -D -A INPUT -i wg0 -s 192.168.254.0/24 -d 192.168.254.0/24 -j ACCEPT
 - iptables -D -A INPUT -i wg0 -s 192.168.254.0/24 -d 0.0.0.0/0 -j DROP
 vars:
+ wireguard_table: "off"
 wireguard_port: 51821
 wireguard_endpoint: 192.168.0.2
 wireguard_persistent_keepalive: 30
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
index 81da6db..50c46e7 100644
--- a/roles/wireguard/tasks/main.yml
+++ b/roles/wireguard/tasks/main.yml
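Review bot: The new `wireguard_postdown` entry `ip route del 192.168.254.0/24 dev wg0` in the frames group vars is likely to fail at teardown: as far as I recall wg-quick runs PostDown hooks only after it has already deleted the interface, so both the route and `wg0` are gone by then, and because wg-quick runs under `set -e` the failing hook makes `wg-quick down` exit non-zero even though the tunnel is actually down. Either drop the explicit delete and rely on the kernel removing device routes together with the interface, or make it tolerant, `- ip route del 192.168.254.0/24 dev wg0 || true`; a PreDown hook would be the cleaner option if the role exposes one. The frames group header is outside this hunk, so I cannot confirm no other postdown entries are defined further up.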
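Review bot: Moving `wireguard_table: "off"` into the wg group's `vars:` makes Table=off apply to every host in the group, so each of them now needs its own PostUp route to 192.168.254.0/24 (frame1 keeps one in its host vars and the frames group gets one in the first hunk); any wg host that is in neither would lose reachability to the AllowedIPs range, which cannot be verified here because the rest of the inventory is outside the hunk. The quotes on `"off"` are load-bearing: bare `off` is a YAML 1.1 boolean and would reach the template as `False` rather than the string `off`, so a comment such as `# keep quoted: bare off parses as boolean false` beside the value would stop a later cleanup from breaking it.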
@@ -131,3 +131,32 @@
 state: started
 enabled: yes
 when: not wireguard_containerized
+
+- name: Setup wg dns-reresolver service
+ template:
+ src: wireguard_reresolve-dns.service
+ dest: "/etc/systemd/system/wireguard_reresolve-dns.service"
+ owner: root
+ group: root
+ mode: 0644
+ tags:
+ - wg-config
+ when: not wireguard_containerized
+
+- name: Setup wg dns-reresolver timer
+ template:
+ src: wireguard_reresolve-dns.timer
+ dest: "/etc/systemd/system/wireguard_reresolve-dns.timer"
+ owner: root
+ group: root
+ mode: 0644
+ tags:
+ - wg-config
+ when: not wireguard_containerized
+
+- name: Enable wg dns-reresolver timer
+ systemd:
+ name: wireguard_reresolve-dns.timer
+ daemon_reload: yes
+ enabled: yes
+ state: restarted
diff --git a/roles/wireguard/templates/wireguard_reresolve-dns.service b/roles/wireguard/templates/wireguard_reresolve-dns.service
new file mode 100644
index 0000000..d3579ec
--- /dev/null
+++ b/roles/wireguard/templates/wireguard_reresolve-dns.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Reresolve DNS of all WireGuard endpoints
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c 'for i in /etc/wireguard/*.conf; do /usr/share/doc/wireguard-tools/examples/reresolve-dns/reresolve-dns.sh "$i"; done'
diff --git a/roles/wireguard/templates/wireguard_reresolve-dns.timer b/roles/wireguard/templates/wireguard_reresolve-dns.timer
new file mode 100644
index 0000000..af7c81d
--- /dev/null
+++ b/roles/wireguard/templates/wireguard_reresolve-dns.timer
@@ -0,0 +1,8 @@
+[Unit]
+Description=Periodically reresolve DNS of all WireGuard endpoints
+
+[Timer]
+OnCalendar=*-*-* 01:00:00
+
+[Install]
+WantedBy=timers.target
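Review bot: The `Enable wg dns-reresolver timer` task has no `when: not wireguard_containerized` guard, unlike the two template tasks above it, so on a containerized host the unit files are never written but systemd is still asked to enable and restart `wireguard_reresolve-dns.timer`, which fails the play. Add the same `when: not wireguard_containerized` to it, and the `wg-config` tag as well so a `--tags wg-config` run reloads the units it has just rewritten. `state: restarted` also reports changed on every run; `state: started` is the idempotent form, and a restart can be tied to the two template tasks via `notify` so the timer is only bounced when its unit actually changed. Quoting the mode as `mode: "0644"` would match the yamllint/Ansible recommendation, although Ansible accepts the leading-zero octal. The task that owns the three context lines at the top of the hunk starts outside it.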
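Review bot: `ExecStart` hardcodes `/usr/share/doc/wireguard-tools/examples/reresolve-dns/reresolve-dns.sh`, which is where Debian-family packages put the example but is not guaranteed elsewhere (other distributions place the examples under a different prefix or do not ship the doc tree at all), so on such hosts the oneshot fails every night while the timer itself looks healthy. Shipping the script with the role, or templating the path from a role variable with that location as the default, removes the dependency on package documentation files. The `for i in /etc/wireguard/*.conf` loop also hands the literal glob to the script when no config exists; `[ -e "$i" ] || continue` as the first statement of the loop avoids that. Since the unit runs as root and only needs to read `/etc/wireguard` and drive `wg`, adding `ProtectHome=yes` and `PrivateTmp=yes` under `[Service]` is a cheap hardening step that should not interfere with the script.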
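Review bot: The timer has no `Persistent=true`, so a frame that is powered off or asleep at 01:00 skips that day's re-resolution entirely instead of catching up at the next boot, which is exactly the moment a changed endpoint address matters most. Adding `Persistent=true` under `[Timer]`, together with a `RandomizedDelaySec=15m` (value constructed, pick what suits the fleet) so every host does not hit DNS at the same second, would make the daily run more reliable. The timer and service share the `wireguard_reresolve-dns` name, so the implicit unit binding works without an explicit `Unit=`.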