Initial upload

gate/dns.yml

@@ -0,0 +1,32 @@
+---
+ - name: Install unbound
+   apt: name={{ item }} state=installed update_cache=true
+   with_items:
+     - unbound
+     - unbound-host
+
+ - name: Download the list of Root DNS Server
+   get_url:
+     url: https://www.internic.net/domain/named.cache
+     dest: /var/lib/unbound/root.hints
+     owner: unbound
+     group: unbound
+
+ - name: Generate unbound config
+   template:
+     src: "templates/unbound.conf"
+     dest: "/etc/unbound/unbound.conf"
+
+ - name: Enable and start unbound service
+   systemd:
+     name: unbound
+     enabled: yes
+     state: started
+
+ - name: Set var/lib/unbound ownership
+   file:
+     path: /var/lib/unbound
+     owner: unbound
+     group: unbound
+     recurse: yes 
+

gate/firewall.yml

@@ -0,0 +1,66 @@
+---
+ - name: Track input chain
+   iptables:
+     chain: INPUT
+     match: conntrack
+     ctstate: ESTABLISHED,RELATED
+     jump: ACCEPT
+
+ - name: Track forward chain  
+   iptables:
+     chain: FORWARD
+     match: conntrack
+     ctstate: ESTABLISHED,RELATED
+     jump: ACCEPT
+
+ - name: Allow incoming wireguard connections    
+   iptables:
+     chain: INPUT
+     protocol: udp
+     match: udp
+     destination_port: 51820
+     ctstate: NEW
+     jump: ACCEPT
+
+ - name: Allow recursive DNS tcp    
+   iptables:
+     chain: INPUT
+     source: 10.100.100.0/24
+     protocol: tcp
+     match: tcp
+     destination_port: 53
+     ctstate: NEW
+     jump: ACCEPT
+
+ - name: Allow recursive DNS udp  
+   iptables:
+     chain: INPUT
+     source: 10.100.100.0/24
+     protocol: udp
+     match: udp
+     destination_port: 53
+     ctstate: NEW
+     jump: ACCEPT
+
+ - name: Allow forwarding of packets that stay in the tunnel 
+   iptables:
+     chain: FORWARD
+     in_interface: wg0
+     match: conntrack
+     out_interface: wg0
+     ctstate: NEW
+     jump: ACCEPT
+
+ - name: Set up NAT
+   iptables:
+     table: nat
+     chain: POSTROUTING
+     source: 10.100.100.0/24
+     out_interface: eth0
+     jump: MASQUERADE  
+
+ - name: Install iptables-persistent
+   apt: pkg=iptables-persistent state=installed update_cache=true
+
+ - name: Set up iptables persistence
+   command: netfilter-persistent save

gate/hosts

@@ -0,0 +1,2 @@
+[all]
+192.241.160.45 ansible_python_interpreter=/usr/bin/python3

gate/templates/gate0.conf

@@ -0,0 +1,10 @@
+[Interface]
+Address = 10.100.100.2/32
+DNS = 10.100.100.1
+PrivateKey = {{ client_private_key }}
+
+[Peer]
+PublicKey = {{ server_public_key }}
+AllowedIPs = 10.100.100.1/32
+Endpoint = {{ ansible_default_ipv4.address }}:51820
+PersistentKeepalive = 21

gate/templates/unbound.conf

@@ -0,0 +1,49 @@
+server:
+
+  num-threads: 4
+
+  #Enable logs
+  verbosity: 1
+
+  #list of Root DNS Server
+  root-hints: "/var/lib/unbound/root.hints"
+
+  #Use the root servers key for DNSSEC
+  auto-trust-anchor-file: "/var/lib/unbound/root.key"
+
+  #Respond to DNS requests on all interfaces
+  interface: 0.0.0.0
+  max-udp-size: 3072
+
+  #Authorized IPs to access the DNS Server
+  access-control: 0.0.0.0/0                 refuse
+  access-control: 127.0.0.1                 allow
+  access-control: 10.200.200.0/24	   		allow
+  access-control: 10.100.100.0/24       allow
+
+  #not allowed to be returned for public internet  names
+  private-address: 10.200.200.0/24
+  private-address: 10.100.100.0/24
+
+  # Hide DNS Server info
+  hide-identity: yes
+  hide-version: yes
+
+  #Limit DNS Fraud and use DNSSEC
+  harden-glue: yes
+  harden-dnssec-stripped: yes
+  harden-referral-path: yes
+
+  #Add an unwanted reply threshold to clean the cache and avoid when possible a DNS Poisoning
+  unwanted-reply-threshold: 10000000
+
+  #Have the validator print validation failures to the log.
+  val-log-level: 1
+
+  #Minimum lifetime of cache entries in seconds
+  cache-min-ttl: 1800	
+
+  #Maximum lifetime of cached entries
+  cache-max-ttl: 14400
+  prefetch: yes
+  prefetch-key: yes

gate/templates/wg0-server.conf

@@ -0,0 +1,9 @@
+[Interface]
+Address = 10.100.100.1/24
+SaveConfig = true
+ListenPort = 51820
+PrivateKey = {{ server_private_key }}
+
+[Peer]
+PublicKey = {{ client_public_key }}
+AllowedIPs = 10.0.0.0/8

gate/wireguard.yml

@@ -0,0 +1,92 @@
+---
+
+- hosts: all
+  #become: true
+
+  vars:
+    testing123: testing
+
+  tasks:
+  - name: Determine the running kernel release
+    command: uname -r
+    register: kernel_release
+
+  - name: Add the WireGuard PPA
+    apt_repository:
+      repo: 'ppa:wireguard/wireguard'
+
+  - name: Install WireGuard and other requirements 
+    apt: name={{ item }} state=installed update_cache=true
+    with_items:
+      - linux-headers-{{ kernel_release.stdout }}
+      - linux-headers-generic
+      - wireguard-dkms
+      - wireguard-tools
+      - python2.7
+
+  - name: Generate private and public keys for the client and server
+    shell: umask 077; wg genkey | tee {{ item.private }} | wg pubkey > {{ item.public }}
+    with_items:
+      - { private: server_private_key, public: server_public_key }
+      - { private: client_private_key, public: client_public_key }
+
+  - name: Register the key file contents
+    command: cat {{ item }}
+    register: key_files
+    with_items:
+      - server_private_key
+      - server_public_key
+      - client_private_key
+      - client_public_key
+
+  - name: Assign the keys to their variables
+    set_fact:
+      server_private_key: "{{ key_files.results[0].stdout }}"
+      server_public_key: "{{ key_files.results[1].stdout }}"
+      client_private_key: "{{ key_files.results[2].stdout }}"
+      client_public_key: "{{ key_files.results[3].stdout }}"
+
+  - name: Generate server config
+    template:
+      src: "templates/wg0-server.conf"
+      dest: "/etc/wireguard/wg0.conf"
+      owner: root
+      group: root
+      mode: 0600
+
+  - name: Generate client config
+    template:
+      src: "templates/gate0.conf"
+      dest: "~/gate0.conf"
+      owner: root
+      group: root
+      mode: 0600
+
+  - name: Enable and wireguard interface
+    systemd:
+      name: wg-quick@wg0
+      enabled: yes
+      state: started
+
+  - name: Enable IPv4 traffic forwarding
+    sysctl:
+      name: net.ipv4.ip_forward
+      value: 1
+      sysctl_set: yes
+      state: present
+      reload: yes
+
+  - name: Enable IPv4 forwarding continued
+    command: echo 1 > /proc/sys/net/ipv4/ip_forward 
+
+  - name: Set up firewall rules
+    include: firewall.yml
+
+  - name: Set up unbound for DNS
+    include: dns.yml
+
+  - name: Reboot the server
+    shell: sleep 2 && shutdown -r now
+    async: 1
+    poll: 0
+    ignore_errors: true

middleman/dns.yml

@@ -0,0 +1,32 @@
+---
+ - name: Install unbound
+   apt: name={{ item }} state=installed update_cache=true
+   with_items:
+     - unbound
+     - unbound-host
+
+ - name: Download the list of Root DNS Server
+   get_url:
+     url: https://www.internic.net/domain/named.cache
+     dest: /var/lib/unbound/root.hints
+     owner: unbound
+     group: unbound
+
+ - name: Generate unbound config
+   template:
+     src: "templates/unbound.conf"
+     dest: "/etc/unbound/unbound.conf"
+
+ - name: Enable and start unbound service
+   systemd:
+     name: unbound
+     enabled: yes
+     state: started
+
+ - name: Set var/lib/unbound ownership
+   file:
+     path: /var/lib/unbound
+     owner: unbound
+     group: unbound
+     recurse: yes 
+

middleman/firewall.yml

@@ -0,0 +1,75 @@
+---
+ - name: Track input chain
+   iptables:
+     chain: INPUT
+     match: conntrack
+     ctstate: ESTABLISHED,RELATED
+     jump: ACCEPT
+
+ - name: Track forward chain  
+   iptables:
+     chain: FORWARD
+     match: conntrack
+     ctstate: ESTABLISHED,RELATED
+     jump: ACCEPT
+
+ - name: Allow incoming wireguard connections    
+   iptables:
+     chain: INPUT
+     protocol: udp
+     match: udp
+     destination_port: 51820
+     ctstate: NEW
+     jump: ACCEPT
+
+ - name: Allow recursive DNS tcp    
+   iptables:
+     chain: INPUT
+     source: 10.200.200.0/24
+     protocol: tcp
+     match: tcp
+     destination_port: 53
+     ctstate: NEW
+     jump: ACCEPT
+
+ - name: Allow recursive DNS udp  
+   iptables:
+     chain: INPUT
+     source: 10.200.200.0/24
+     protocol: udp
+     match: udp
+     destination_port: 53
+     ctstate: NEW
+     jump: ACCEPT
+
+ - name: Allow forwarding of packets that stay in the tunnel 
+   iptables:
+     chain: FORWARD
+     in_interface: wg0
+     match: conntrack
+     out_interface: wg0
+     ctstate: NEW
+     jump: ACCEPT
+
+ - name: Set up NAT
+   iptables:
+     table: nat
+     chain: POSTROUTING
+     source: 10.200.200.0/24
+     out_interface: eth0
+     jump: MASQUERADE  
+
+ - name: Set up vpn chain NAT 
+   iptables:
+     table: nat
+     chain: POSTROUTING
+     source: 10.200.200.0/24
+     to_source: 10.100.100.2
+     jump: SNAT
+
+
+ - name: Install iptables-persistent
+   apt: pkg=iptables-persistent state=installed update_cache=true
+
+ - name: Set up iptables persistence
+   command: netfilter-persistent save

middleman/hosts

@@ -0,0 +1,2 @@
+[all]
+138.197.133.110 ansible_python_interpreter=/usr/bin/python3