
lablabs / ansible-collection-wireguard


Ansible Collection to deploy Wireguard server

Home Page: https://galaxy.ansible.com/lablabs/wireguard

License: Apache License 2.0

Languages: Jinja 100.00%

Topics: ansible, vpn, wireguard, fail2ban, security-hardening

ansible-collection-wireguard's People

Contributors: monolithprojects, thunderysteak, tungsec, tverkuijlencg


ansible-collection-wireguard's Issues

feature: Add example hosts file to readme

Summary

Could the contributors please provide a sample hosts file? When going through the role tasks and comparing them to the default parameters, it is unclear which host is designated as the server with the 10.213.213.1 IP and which is designated as the client with 10.213.213.2, .3, .4, ..., .254.

Issue Type

Feature Idea

bug: Variable `wireguard_out_interface` is not defined anywhere

Summary

The variable `wireguard_out_interface` is not defined anywhere, nor is it mentioned in the documentation; this causes the following error:

TASK [Setup ipv4 IP forward] ***************************************************
fatal: [bastion]: FAILED! => {"changed": false, "msg": "Failed to reload sysctl: fs.protected_hardlinks = 1\nfs.protected_symlinks = 1\nfs.suid_dumpable = 0\nkernel.core_uses_pid = 1\nkernel.kptr_restrict = 2\nkernel.kexec_load_disabled = 1\nkernel.sysrq = 0\nkernel.randomize_va_space = 2\nkernel.yama.ptrace_scope = 1\nnet.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 0\nnet.ipv4.conf.all.rp_filter = 1\nnet.ipv4.conf.default.rp_filter = 1\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\nnet.ipv4.icmp_ignore_bogus_error_responses = 1\nnet.ipv4.icmp_ratelimit = 100\nnet.ipv4.icmp_ratemask = 88089\nnet.ipv4.tcp_timestamps = 0\nnet.ipv4.conf.all.arp_ignore = 1\nnet.ipv4.conf.all.arp_announce = 2\nnet.ipv4.tcp_rfc1337 = 1\nnet.ipv4.tcp_syncookies = 1\nnet.ipv4.conf.all.shared_media = 1\nnet.ipv4.conf.default.shared_media = 1\nnet.ipv4.conf.all.accept_source_route = 0\nnet.ipv4.conf.default.accept_source_route = 0\nnet.ipv6.conf.all.accept_source_route = 0\nnet.ipv6.conf.default.accept_source_route = 0\nnet.ipv4.conf.all.send_redirects = 0\nnet.ipv4.conf.default.send_redirects = 0\nnet.ipv4.conf.all.log_martians = 1\nnet.ipv4.conf.default.log_martians = 1\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.all.secure_redirects = 0\nnet.ipv4.conf.default.secure_redirects = 0\nnet.ipv6.conf.default.accept_redirects = 0\nnet.ipv6.conf.all.accept_redirects = 0\nnet.ipv6.conf.all.accept_ra = 0\nnet.ipv6.conf.default.accept_ra = 0\nnet.ipv6.conf.default.router_solicitations = 0\nnet.ipv6.conf.default.accept_ra_rtr_pref = 0\nnet.ipv6.conf.default.accept_ra_pinfo = 0\nnet.ipv6.conf.default.accept_ra_defrtr = 0\nnet.ipv6.conf.default.autoconf = 0\nnet.ipv6.conf.default.dad_transmits = 0\nnet.ipv6.conf.default.max_addresses = 1\nvm.mmap_min_addr = 65536\nvm.mmap_rnd_bits = 32\nvm.mmap_rnd_compat_bits = 16\nkernel.unprivileged_bpf_disabled = 1\nfs.protected_fifos = 1\nfs.protected_regular = 2\nnet.ipv6.conf.all.router_solicitations = 0\nnet.ipv6.conf.all.autoconf = 0\nsysctl: cannot stat /proc/sys/kernel/unprivileged_userns_clone: No such file or directory\n"}

Issue Type

Bug Report

Ansible Version

└> ansible --version
ansible [core 2.15.0]
  config file = None
  configured module search path = ['/Users/thunderysteak/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.11/site-packages/ansible
  ansible collection location = /Users/thunderysteak/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.11.3 (main, Apr  7 2023, 19:25:52) [Clang 14.0.0 (clang-1400.0.29.202)] (/usr/local/opt/python@3.11/bin/python3.11)
  jinja version = 3.1.2
  libyaml = True

Steps to Reproduce

Using the default example playbook vars and running the playbook on a Rocky Linux 8 system produces the following result:

# - name: Run Security hardening
#   import_playbook: lablabs.wireguard.security
#   tags: security

- name: Install and configure Wireguard
  import_playbook: lablabs.wireguard.wireguard
  tags: wireguard

Expected Results

When the missing variable is added, the playbook finishes successfully:

TASK [Setup MASQUERADE for server access through vpn server] *******************
changed: [bastion] => {"chain": "POSTROUTING", "chain_management": false, "changed": true, "flush": false, "ip_version": "ipv4", "rule": "-s 10.213.213.0/24 -j MASQUERADE -o enp0s8", "state": "present", "table": "nat"}

TASK [Save current state of the firewall in system file] ***********************
changed: [bastion] => {"changed": true, "cmd": "/sbin/iptables-save", "initial_state": ["# Generated by iptables-save v1.8.4", "*nat", ":PREROUTING ACCEPT [0:0]", ":INPUT ACCEPT [0:0]", ":POSTROUTING ACCEPT [0:0]", ":OUTPUT ACCEPT [0:0]", "-A POSTROUTING -s 10.213.213.0/24 -o eth0 -j MASQUERADE", "-A POSTROUTING -s 10.213.213.0/24 -o enp0s8 -j MASQUERADE", "COMMIT", "# Completed"], "saved": ["# Generated by iptables-save v1.8.4", "*nat", ":PREROUTING ACCEPT [0:0]", ":INPUT ACCEPT [0:0]", ":POSTROUTING ACCEPT [0:0]", ":OUTPUT ACCEPT [0:0]", "-A POSTROUTING -s 10.213.213.0/24 -o eth0 -j MASQUERADE", "-A POSTROUTING -s 10.213.213.0/24 -o enp0s8 -j MASQUERADE", "COMMIT", "# Completed"], "tables": {"nat": [":PREROUTING ACCEPT", ":INPUT ACCEPT", ":POSTROUTING ACCEPT", ":OUTPUT ACCEPT", "-A POSTROUTING -s 10.213.213.0/24 -o eth0 -j MASQUERADE", "-A POSTROUTING -s 10.213.213.0/24 -o enp0s8 -j MASQUERADE"]}}

TASK [Setup ipv4 IP forward] ***************************************************
ok: [bastion] => {"changed": false}

PLAY RECAP *********************************************************************
bastion                    : ok=31   changed=2    unreachable=0    failed=0    skipped=7    rescued=0    ignored=0

Actual Results

TASK [Save current state of the firewall in system file] ***********************
changed: [bastion] => {"changed": true, "cmd": "/sbin/iptables-save", "initial_state": ["# Generated by iptables-save v1.8.4", "*nat", ":PREROUTING ACCEPT [0:0]", ":INPUT ACCEPT [0:0]", ":POSTROUTING ACCEPT [0:0]", ":OUTPUT ACCEPT [0:0]", "-A POSTROUTING -s 10.213.213.0/24 -o eth0 -j MASQUERADE", "COMMIT", "# Completed"], "saved": ["# Generated by iptables-save v1.8.4", "*nat", ":PREROUTING ACCEPT [0:0]", ":INPUT ACCEPT [0:0]", ":POSTROUTING ACCEPT [0:0]", ":OUTPUT ACCEPT [0:0]", "-A POSTROUTING -s 10.213.213.0/24 -o eth0 -j MASQUERADE", "COMMIT", "# Completed"], "tables": {"nat": [":PREROUTING ACCEPT", ":INPUT ACCEPT", ":POSTROUTING ACCEPT", ":OUTPUT ACCEPT", "-A POSTROUTING -s 10.213.213.0/24 -o eth0 -j MASQUERADE"]}}

TASK [Setup ipv4 IP forward] ***************************************************
fatal: [bastion]: FAILED! => {"changed": false, "msg": "Failed to reload sysctl: fs.protected_hardlinks = 1\nfs.protected_symlinks = 1\nfs.suid_dumpable = 0\nkernel.core_uses_pid = 1\nkernel.kptr_restrict = 2\nkernel.kexec_load_disabled = 1\nkernel.sysrq = 0\nkernel.randomize_va_space = 2\nkernel.yama.ptrace_scope = 1\nnet.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 0\nnet.ipv4.conf.all.rp_filter = 1\nnet.ipv4.conf.default.rp_filter = 1\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\nnet.ipv4.icmp_ignore_bogus_error_responses = 1\nnet.ipv4.icmp_ratelimit = 100\nnet.ipv4.icmp_ratemask = 88089\nnet.ipv4.tcp_timestamps = 0\nnet.ipv4.conf.all.arp_ignore = 1\nnet.ipv4.conf.all.arp_announce = 2\nnet.ipv4.tcp_rfc1337 = 1\nnet.ipv4.tcp_syncookies = 1\nnet.ipv4.conf.all.shared_media = 1\nnet.ipv4.conf.default.shared_media = 1\nnet.ipv4.conf.all.accept_source_route = 0\nnet.ipv4.conf.default.accept_source_route = 0\nnet.ipv6.conf.all.accept_source_route = 0\nnet.ipv6.conf.default.accept_source_route = 0\nnet.ipv4.conf.all.send_redirects = 0\nnet.ipv4.conf.default.send_redirects = 0\nnet.ipv4.conf.all.log_martians = 1\nnet.ipv4.conf.default.log_martians = 1\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.all.secure_redirects = 0\nnet.ipv4.conf.default.secure_redirects = 0\nnet.ipv6.conf.default.accept_redirects = 0\nnet.ipv6.conf.all.accept_redirects = 0\nnet.ipv6.conf.all.accept_ra = 0\nnet.ipv6.conf.default.accept_ra = 0\nnet.ipv6.conf.default.router_solicitations = 0\nnet.ipv6.conf.default.accept_ra_rtr_pref = 0\nnet.ipv6.conf.default.accept_ra_pinfo = 0\nnet.ipv6.conf.default.accept_ra_defrtr = 0\nnet.ipv6.conf.default.autoconf = 0\nnet.ipv6.conf.default.dad_transmits = 0\nnet.ipv6.conf.default.max_addresses = 1\nvm.mmap_min_addr = 65536\nvm.mmap_rnd_bits = 32\nvm.mmap_rnd_compat_bits = 16\nkernel.unprivileged_bpf_disabled = 1\nfs.protected_fifos = 1\nfs.protected_regular = 2\nnet.ipv6.conf.all.router_solicitations = 0\nnet.ipv6.conf.all.autoconf = 0\nsysctl: cannot stat /proc/sys/kernel/unprivileged_userns_clone: No such file or directory\n"}

PLAY RECAP *********************************************************************
bastion                    : ok=30   changed=2    unreachable=0    failed=1    skipped=7    rescued=0    ignored=0
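The `sysctl: cannot stat /proc/sys/kernel/unprivileged_userns_clone` line in the error above reports a key that the target kernel does not expose, which is a common reason for a sysctl reload to return non-zero and for Ansible's sysctl task to report "Failed to reload sysctl". The script below is an added example, not code from lablabs.wireguard or from the reporter: it decodes the missing key names out of such an error message, and it checks a sysctl.conf-style hardening profile against the kernel's /proc/sys tree before a reload is attempted, so a distribution that lacks a key can be spotted ahead of time. The profile excerpt and the set of "present" keys are constructed for the demonstration; the script does not know which file the role actually writes.

```python
"""
Check a sysctl hardening profile against the keys a kernel actually exposes.

Added example for this issue page (not part of lablabs.wireguard). It:
  1. recovers the key names from sysctl 'cannot stat' diagnostics, and
  2. parses a sysctl.conf-style profile and reports the keys the target
     kernel lacks, either by probing /proc/sys or, for offline use and
     tests, against a constructed set of known-present keys.
"""
from __future__ import annotations

import re
from pathlib import Path

# Matches the diagnostic sysctl prints for a key missing under /proc/sys.
_CANNOT_STAT = re.compile(
    r"sysctl: cannot stat /proc/sys/(\S+?): No such file or directory"
)


def parse_sysctl_profile(text: str) -> dict[str, str]:
    """Parse 'key = value' lines in sysctl.conf syntax.

    Blank lines, comments (# or ;) and lines without '=' are ignored.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def sysctl_key_components(key: str) -> list[str]:
    """Split a key the way sysctl(8) does.

    Dots separate path components, but if the key uses slashes, slashes
    separate components and dots are literal (needed for interface names
    such as eth0.100 under net.ipv4.conf).
    """
    key = key.strip()
    if "/" in key:
        return [part for part in key.strip("/").split("/") if part]
    return key.split(".")


def sysctl_key_to_path(key: str, root: Path = Path("/proc/sys")) -> Path:
    """Map a sysctl key to the file sysctl would write under `root`."""
    return root.joinpath(*sysctl_key_components(key))


def keys_from_sysctl_error(msg: str) -> list[str]:
    """Recover the missing keys (dotted form) from 'cannot stat' lines."""
    return [".".join(m.group(1).split("/")) for m in _CANNOT_STAT.finditer(msg)]


def missing_keys(
    settings: dict[str, str],
    present: set[str] | None = None,
    root: Path = Path("/proc/sys"),
) -> list[str]:
    """Return the profile keys this kernel does not expose, in profile order.

    With `present` (a set of dotted key names) the check runs offline
    against that set; otherwise each key is looked up under `root`.
    """
    missing: list[str] = []
    for key in settings:
        parts = sysctl_key_components(key)
        if present is not None:
            exists = ".".join(parts) in present
        else:
            exists = root.joinpath(*parts).exists()
        if not exists:
            missing.append(key)
    return missing


# Constructed excerpt of a hardening profile, ending with the key that the
# bug report's kernel lacked. Not the role's real file.
SAMPLE_PROFILE = """\
# constructed sysctl hardening excerpt
kernel.kptr_restrict = 2
kernel.yama.ptrace_scope = 1
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
kernel.unprivileged_bpf_disabled = 1
kernel.unprivileged_userns_clone = 0
"""

# Constructed stand-in for a kernel's /proc/sys tree (dotted key names).
SAMPLE_PRESENT = {
    "kernel.kptr_restrict",
    "kernel.yama.ptrace_scope",
    "net.ipv4.ip_forward",
    "net.ipv4.conf.all.rp_filter",
    "kernel.unprivileged_bpf_disabled",
}

# Constructed, trimmed copy of the message shape seen in the bug report.
SAMPLE_ERROR = (
    "Failed to reload sysctl: kernel.kptr_restrict = 2\n"
    "net.ipv4.ip_forward = 1\n"
    "sysctl: cannot stat /proc/sys/kernel/unprivileged_userns_clone: "
    "No such file or directory\n"
)

if __name__ == "__main__":
    print("keys named in the error:", keys_from_sysctl_error(SAMPLE_ERROR))
    profile = parse_sysctl_profile(SAMPLE_PROFILE)
    print("offline check, missing:", missing_keys(profile, present=SAMPLE_PRESENT))
    if Path("/proc/sys").is_dir():  # live probe when run on a Linux host
        print("this kernel lacks:", missing_keys(profile))
```

Run on the host that will receive the profile (or point `root` at a mounted copy of its /proc/sys) to see which keys a reload would trip over; the offline mode exists so the same logic can be exercised in a test without a kernel.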
