From e16c9fb62d1db020078e192955170dded6fa2f1f Mon Sep 17 00:00:00 2001 From: iamckn Date: Thu, 28 Dec 2017 08:39:07 +0300 Subject: [PATCH] Initial upload --- gate/dns.yml | 32 ++++++++++ gate/firewall.yml | 66 +++++++++++++++++++++ gate/hosts | 2 + gate/templates/gate0.conf | 10 ++++ gate/templates/unbound.conf | 49 +++++++++++++++ gate/templates/wg0-server.conf | 9 +++ gate/wireguard.yml | 92 +++++++++++++++++++++++++++++ middleman/dns.yml | 32 ++++++++++ middleman/firewall.yml | 75 +++++++++++++++++++++++ middleman/hosts | 2 + middleman/templates/unbound.conf | 47 +++++++++++++++ middleman/templates/wg0-client.conf | 10 ++++ middleman/templates/wg0-server.conf | 9 +++ middleman/wireguard.retry | 1 + middleman/wireguard.yml | 92 +++++++++++++++++++++++++++++ 15 files changed, 528 insertions(+) create mode 100644 gate/dns.yml create mode 100644 gate/firewall.yml create mode 100644 gate/hosts create mode 100644 gate/templates/gate0.conf create mode 100644 gate/templates/unbound.conf create mode 100644 gate/templates/wg0-server.conf create mode 100644 gate/wireguard.yml create mode 100644 middleman/dns.yml create mode 100644 middleman/firewall.yml create mode 100644 middleman/hosts create mode 100644 middleman/templates/unbound.conf create mode 100644 middleman/templates/wg0-client.conf create mode 100644 middleman/templates/wg0-server.conf create mode 100644 middleman/wireguard.retry create mode 100644 middleman/wireguard.yml diff --git a/gate/dns.yml b/gate/dns.yml new file mode 100644 index 0000000..7db1e2b --- /dev/null +++ b/gate/dns.yml 
@@ -0,0 +1,32 @@ +--- + - name: Install unbound + apt: name={{ item }} state=installed update_cache=true + with_items: + - unbound + - unbound-host + + - name: Download the list of Root DNS Server + get_url: + url: https://www.internic.net/domain/named.cache + dest: /var/lib/unbound/root.hints + owner: unbound + group: unbound + + - name: Generate unbound config + template: + src: "templates/unbound.conf" + dest: "/etc/unbound/unbound.conf" + + - name: Enable and start unbound service + systemd: + name: unbound + enabled: yes + state: started + + - name: Set var/lib/unbound ownership + file: + path: /var/lib/unbound + owner: unbound + group: unbound + recurse: yes + \ No newline at end of file diff --git a/gate/firewall.yml b/gate/firewall.yml new file mode 100644 index 0000000..eb73e83 --- /dev/null +++ b/gate/firewall.yml 
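Review bot: The `Generate unbound config` template task has no `notify`, and the `systemd` task after it only asserts `state: started`, so on any later run a changed unbound.conf is written but never loaded; add `notify: restart unbound` to the template task and a handler that restarts the service (middleman/dns.yml is byte-identical and has the same gap). The `apt` task uses the deprecated `state=installed` alias and key=value module args while every other task is block YAML; `state: present` in block form, and `enabled: true` rather than `yes`, keeps the file consistent. The ownership fix on /var/lib/unbound runs only after the service has started; moving it ahead of the `systemd` task avoids a first-start failure if unbound needs to update the auto-trust-anchor file there, as gate/templates/unbound.conf configures.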
@@ -0,0 +1,66 @@ +--- + - name: Track input chain + iptables: + chain: INPUT + match: conntrack + ctstate: ESTABLISHED,RELATED + jump: ACCEPT + + - name: Track forward chain + iptables: + chain: FORWARD + match: conntrack + ctstate: ESTABLISHED,RELATED + jump: ACCEPT + + - name: Allow incoming wireguard connections + iptables: + chain: INPUT + protocol: udp + match: udp + destination_port: 51820 + ctstate: NEW + jump: ACCEPT + + - name: Allow recursive DNS tcp + iptables: + chain: INPUT + source: 10.100.100.0/24 + protocol: tcp + match: tcp + destination_port: 53 + ctstate: NEW + jump: ACCEPT + + - name: Allow recursive DNS udp + iptables: + chain: INPUT + source: 10.100.100.0/24 + protocol: udp + match: udp + destination_port: 53 + ctstate: NEW + jump: ACCEPT + + - name: Allow forwarding of packets that stay in the tunnel + iptables: + chain: FORWARD + in_interface: wg0 + match: conntrack + out_interface: wg0 + ctstate: NEW + jump: ACCEPT + + - name: Set up NAT + iptables: + table: nat + chain: POSTROUTING + source: 10.100.100.0/24 + out_interface: eth0 + jump: MASQUERADE + + - name: Install iptables-persistent + apt: pkg=iptables-persistent state=installed update_cache=true + + - name: Set up iptables persistence + command: netfilter-persistent save \ No newline at end of file diff --git a/gate/hosts b/gate/hosts new file mode 100644 index 0000000..fe875cf --- /dev/null +++ b/gate/hosts @@ -0,0 +1,2 @@ +[all] +192.241.160.45 ansible_python_interpreter=/usr/bin/python3 diff --git a/gate/templates/gate0.conf b/gate/templates/gate0.conf new file mode 100644 index 0000000..076b1f8 --- /dev/null +++ b/gate/templates/gate0.conf @@ -0,0 +1,10 @@ +[Interface] +Address = 10.100.100.2/32 +DNS = 10.100.100.1 +PrivateKey = {{ client_private_key }} + +[Peer] +PublicKey = {{ server_public_key }} +AllowedIPs = 10.100.100.1/32 +Endpoint = {{ ansible_default_ipv4.address }}:51820 +PersistentKeepalive = 21 \ No newline at end of file 
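Review bot: None of the tasks sets a chain policy, so INPUT and FORWARD keep their default ACCEPT and the ACCEPT rules in this file filter nothing; in particular the restriction of port 53 to 10.100.100.0/24 is not enforced (middleman/firewall.yml has the same gap for 10.200.200.0/24). Add `iptables: { chain: INPUT, policy: DROP }` and the same for FORWARD as the last rule tasks, after first adding explicit ACCEPTs for loopback and for the SSH port Ansible itself uses, otherwise the play locks itself out. Once FORWARD drops by default, the wg0-to-eth0 path that the MASQUERADE rule expects also needs its own ACCEPT, since the only FORWARD rule here matches wg0 in and wg0 out. The closing `netfilter-persistent save` is a bare `command` and reports changed on every run; give it `changed_when: false` and keep it last so the policy change is what gets persisted.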
diff --git a/gate/templates/unbound.conf b/gate/templates/unbound.conf new file mode 100644 index 0000000..68c93fb --- /dev/null +++ b/gate/templates/unbound.conf @@ -0,0 +1,49 @@ +server: + + num-threads: 4 + + #Enable logs + verbosity: 1 + + #list of Root DNS Server + root-hints: "/var/lib/unbound/root.hints" + + #Use the root servers key for DNSSEC + auto-trust-anchor-file: "/var/lib/unbound/root.key" + + #Respond to DNS requests on all interfaces + interface: 0.0.0.0 + max-udp-size: 3072 + + #Authorized IPs to access the DNS Server + access-control: 0.0.0.0/0 refuse + access-control: 127.0.0.1 allow + access-control: 10.200.200.0/24 allow + access-control: 10.100.100.0/24 allow + + #not allowed to be returned for public internet names + private-address: 10.200.200.0/24 + private-address: 10.100.100.0/24 + + # Hide DNS Server info + hide-identity: yes + hide-version: yes + + #Limit DNS Fraud and use DNSSEC + harden-glue: yes + harden-dnssec-stripped: yes + harden-referral-path: yes + + #Add an unwanted reply threshold to clean the cache and avoid when possible a DNS Poisoning + unwanted-reply-threshold: 10000000 + + #Have the validator print validation failures to the log. + val-log-level: 1 + + #Minimum lifetime of cache entries in seconds + cache-min-ttl: 1800 + + #Maximum lifetime of cached entries + cache-max-ttl: 14400 + prefetch: yes + prefetch-key: yes \ No newline at end of file diff --git a/gate/templates/wg0-server.conf b/gate/templates/wg0-server.conf new file mode 100644 index 0000000..6c3bfdd --- /dev/null +++ b/gate/templates/wg0-server.conf @@ -0,0 +1,9 @@ +[Interface] +Address = 10.100.100.1/24 +SaveConfig = true +ListenPort = 51820 +PrivateKey = {{ server_private_key }} + +[Peer] +PublicKey = {{ client_public_key }} +AllowedIPs = 10.0.0.0/8 diff --git a/gate/wireguard.yml b/gate/wireguard.yml new file mode 100644 index 0000000..1cd1864 --- /dev/null +++ b/gate/wireguard.yml 
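Review bot: `interface: 0.0.0.0` binds the resolver to every address including the public one, and `access-control: 0.0.0.0/0 refuse` still answers REFUSED to any internet source, so the resolver is reachable and fingerprintable from outside (middleman/templates/unbound.conf has the same two settings). Bind only where clients live, `interface: 127.0.0.1` and `interface: 10.100.100.1`, or at minimum change the catch-all to `access-control: 0.0.0.0/0 deny` so unmatched queries are dropped silently. This matters doubly because gate/firewall.yml never sets a DROP policy, so the port-53 source restriction there is not enforced either.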
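Review bot: `SaveConfig = true` makes wg-quick rewrite /etc/wireguard/wg0.conf when the interface goes down, so the file this template manages is clobbered by runtime state and every later Ansible run will flag it changed and overwrite it again (middleman/templates/wg0-server.conf has the same line). Drop `SaveConfig = true` and let the template be the single source of truth. `AllowedIPs = 10.0.0.0/8` for the single peer is also far wider than needed: the middleman's gate0.conf uses `Address = 10.100.100.2/32` and its SNAT rule rewrites everything to 10.100.100.2, so `AllowedIPs = 10.100.100.2/32` appears to be all that is required — worth confirming against the intended routing.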
@@ -0,0 +1,92 @@ +--- + +- hosts: all + #become: true + + vars: + testing123: testing + + tasks: + - name: Determine the running kernel release + command: uname -r + register: kernel_release + + - name: Add the WireGuard PPA + apt_repository: + repo: 'ppa:wireguard/wireguard' + + - name: Install WireGuard and other requirements + apt: name={{ item }} state=installed update_cache=true + with_items: + - linux-headers-{{ kernel_release.stdout }} + - linux-headers-generic + - wireguard-dkms + - wireguard-tools + - python2.7 + + - name: Generate private and public keys for the client and server + shell: umask 077; wg genkey | tee {{ item.private }} | wg pubkey > {{ item.public }} + with_items: + - { private: server_private_key, public: server_public_key } + - { private: client_private_key, public: client_public_key } + + - name: Register the key file contents + command: cat {{ item }} + register: key_files + with_items: + - server_private_key + - server_public_key + - client_private_key + - client_public_key + + - name: Assign the keys to their variables + set_fact: + server_private_key: "{{ key_files.results[0].stdout }}" + server_public_key: "{{ key_files.results[1].stdout }}" + client_private_key: "{{ key_files.results[2].stdout }}" + client_public_key: "{{ key_files.results[3].stdout }}" + + - name: Generate server config + template: + src: "templates/wg0-server.conf" + dest: "/etc/wireguard/wg0.conf" + owner: root + group: root + mode: 0600 + + - name: Generate client config + template: + src: "templates/gate0.conf" + dest: "~/gate0.conf" + owner: root + group: root + mode: 0600 + + - name: Enable and wireguard interface + systemd: + name: wg-quick@wg0 + enabled: yes + state: started + + - name: Enable IPv4 traffic forwarding + sysctl: + name: net.ipv4.ip_forward + value: 1 + sysctl_set: yes + state: present + reload: yes + + - name: Enable IPv4 forwarding continued + command: echo 1 > /proc/sys/net/ipv4/ip_forward + + - name: Set up firewall rules + include: 
firewall.yml + + - name: Set up unbound for DNS + include: dns.yml + + - name: Reboot the server + shell: sleep 2 && shutdown -r now + async: 1 + poll: 0 + ignore_errors: true \ No newline at end of file diff --git a/middleman/dns.yml b/middleman/dns.yml new file mode 100644 index 0000000..7db1e2b --- /dev/null +++ b/middleman/dns.yml @@ -0,0 +1,32 @@ +--- + - name: Install unbound + apt: name={{ item }} state=installed update_cache=true + with_items: + - unbound + - unbound-host + + - name: Download the list of Root DNS Server + get_url: + url: https://www.internic.net/domain/named.cache + dest: /var/lib/unbound/root.hints + owner: unbound + group: unbound + + - name: Generate unbound config + template: + src: "templates/unbound.conf" + dest: "/etc/unbound/unbound.conf" + + - name: Enable and start unbound service + systemd: + name: unbound + enabled: yes + state: started + + - name: Set var/lib/unbound ownership + file: + path: /var/lib/unbound + owner: unbound + group: unbound + recurse: yes + \ No newline at end of file diff --git a/middleman/firewall.yml b/middleman/firewall.yml new file mode 100644 index 0000000..8db3d17 --- /dev/null +++ b/middleman/firewall.yml 
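Review bot: The `Generate private and public keys` shell task runs unconditionally, so every re-run mints fresh keys and re-renders both configs, silently breaking the existing peer; add `args: { creates: "{{ item.public }}" }` to it (middleman/wireguard.yml has the same defect). The `cat` task that registers `key_files` and the `set_fact` task both expose the private keys in task output and in any log or callback; give both `no_log: true`. `command: echo 1 > /proc/sys/net/ipv4/ip_forward` does not redirect, because `command` does not go through a shell, so it only prints its arguments; the preceding `sysctl` task already does the job and this task should be removed. The keys are written to relative paths in the login user's cwd and the client config to `~/gate0.conf`; a directory under /etc/wireguard with a quoted `mode: "0600"` (avoiding the YAML octal reading) would be the conventional place, and `include:` is deprecated in favor of `include_tasks:`.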
@@ -0,0 +1,75 @@ +--- + - name: Track input chain + iptables: + chain: INPUT + match: conntrack + ctstate: ESTABLISHED,RELATED + jump: ACCEPT + + - name: Track forward chain + iptables: + chain: FORWARD + match: conntrack + ctstate: ESTABLISHED,RELATED + jump: ACCEPT + + - name: Allow incoming wireguard connections + iptables: + chain: INPUT + protocol: udp + match: udp + destination_port: 51820 + ctstate: NEW + jump: ACCEPT + + - name: Allow recursive DNS tcp + iptables: + chain: INPUT + source: 10.200.200.0/24 + protocol: tcp + match: tcp + destination_port: 53 + ctstate: NEW + jump: ACCEPT + + - name: Allow recursive DNS udp + iptables: + chain: INPUT + source: 10.200.200.0/24 + protocol: udp + match: udp + destination_port: 53 + ctstate: NEW + jump: ACCEPT + + - name: Allow forwarding of packets that stay in the tunnel + iptables: + chain: FORWARD + in_interface: wg0 + match: conntrack + out_interface: wg0 + ctstate: NEW + jump: ACCEPT + + - name: Set up NAT + iptables: + table: nat + chain: POSTROUTING + source: 10.200.200.0/24 + out_interface: eth0 + jump: MASQUERADE + + - name: Set up vpn chain NAT + iptables: + table: nat + chain: POSTROUTING + source: 10.200.200.0/24 + to_source: 10.100.100.2 + jump: SNAT + + + - name: Install iptables-persistent + apt: pkg=iptables-persistent state=installed update_cache=true + + - name: Set up iptables persistence + command: netfilter-persistent save \ No newline at end of file diff --git a/middleman/hosts b/middleman/hosts new file mode 100644 index 0000000..6596325 --- /dev/null +++ b/middleman/hosts @@ -0,0 +1,2 @@ +[all] +138.197.133.110 ansible_python_interpreter=/usr/bin/python3 diff --git a/middleman/templates/unbound.conf b/middleman/templates/unbound.conf new file mode 100644 index 0000000..240493d --- /dev/null +++ b/middleman/templates/unbound.conf 
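Review bot: The `Set up vpn chain NAT` SNAT rule has no `out_interface`, so it overlaps the MASQUERADE rule above it for the same source range and relies solely on rule order to apply only to non-eth0 traffic; scope it with `out_interface: gate0` (presumably the tunnel toward the gate, given `to_source: 10.100.100.2` matches gate0.conf's address) and note in a comment that the MASQUERADE rule must precede it. A `comment:` on each `iptables` task would also make `iptables -L` output self-explanatory. The missing DROP policy and the non-idempotent `netfilter-persistent save` are the same issues raised on gate/firewall.yml.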
@@ -0,0 +1,47 @@ +server: + + num-threads: 4 + + #Enable logs + verbosity: 1 + + #list of Root DNS Server + root-hints: "/var/lib/unbound/root.hints" + + #Use the root servers key for DNSSEC + auto-trust-anchor-file: "/var/lib/unbound/root.key" + + #Respond to DNS requests on all interfaces + interface: 0.0.0.0 + max-udp-size: 3072 + + #Authorized IPs to access the DNS Server + access-control: 0.0.0.0/0 refuse + access-control: 127.0.0.1 allow + access-control: 10.200.200.0/24 allow + + #not allowed to be returned for public internet names + private-address: 10.200.200.0/24 + + # Hide DNS Server info + hide-identity: yes + hide-version: yes + + #Limit DNS Fraud and use DNSSEC + harden-glue: yes + harden-dnssec-stripped: yes + harden-referral-path: yes + + #Add an unwanted reply threshold to clean the cache and avoid when possible a DNS Poisoning + unwanted-reply-threshold: 10000000 + + #Have the validator print validation failures to the log. + val-log-level: 1 + + #Minimum lifetime of cache entries in seconds + cache-min-ttl: 1800 + + #Maximum lifetime of cached entries + cache-max-ttl: 14400 + prefetch: yes + prefetch-key: yes \ No newline at end of file diff --git a/middleman/templates/wg0-client.conf b/middleman/templates/wg0-client.conf new file mode 100644 index 0000000..ca391b1 --- /dev/null +++ b/middleman/templates/wg0-client.conf @@ -0,0 +1,10 @@ +[Interface] +Address = 10.200.200.2/32 +DNS = 10.200.200.1 +PrivateKey = {{ client_private_key }} + +[Peer] +PublicKey = {{ server_public_key }} +AllowedIPs = 0.0.0.0/0 +Endpoint = {{ ansible_default_ipv4.address }}:51820 +PersistentKeepalive = 21 \ No newline at end of file diff --git a/middleman/templates/wg0-server.conf b/middleman/templates/wg0-server.conf new file mode 100644 index 0000000..631e85f --- /dev/null +++ b/middleman/templates/wg0-server.conf 
@@ -0,0 +1,9 @@ +[Interface] +Address = 10.200.200.1/24 +SaveConfig = true +ListenPort = 51820 +PrivateKey = {{ server_private_key }} + +[Peer] +PublicKey = {{ client_public_key }} +AllowedIPs = 10.200.200.2/32 diff --git a/middleman/wireguard.retry b/middleman/wireguard.retry new file mode 100644 index 0000000..2226f3d --- /dev/null +++ b/middleman/wireguard.retry @@ -0,0 +1 @@ +107.170.197.126 diff --git a/middleman/wireguard.yml b/middleman/wireguard.yml new file mode 100644 index 0000000..98057dc --- /dev/null +++ b/middleman/wireguard.yml 
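Review bot: middleman/wireguard.retry is an Ansible-generated retry file listing a host that failed a previous run, not source; it should not be committed, and it also records an address that appears in neither hosts file. Remove it from the commit and add `*.retry` to .gitignore, or set `retry_files_enabled = False` in ansible.cfg so it is never written.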
@@ -0,0 +1,92 @@ +--- + +- hosts: all + #become: true + + vars: + testing123: testing + + tasks: + - name: Determine the running kernel release + command: uname -r + register: kernel_release + + - name: Add the WireGuard PPA + apt_repository: + repo: 'ppa:wireguard/wireguard' + + - name: Install WireGuard and other requirements + apt: name={{ item }} state=installed update_cache=true + with_items: + - linux-headers-{{ kernel_release.stdout }} + - linux-headers-generic + - wireguard-dkms + - wireguard-tools + - python2.7 + + - name: Generate private and public keys for the client and server + shell: umask 077; wg genkey | tee {{ item.private }} | wg pubkey > {{ item.public }} + with_items: + - { private: server_private_key, public: server_public_key } + - { private: client_private_key, public: client_public_key } + + - name: Register the key file contents + command: cat {{ item }} + register: key_files + with_items: + - server_private_key + - server_public_key + - client_private_key + - client_public_key + + - name: Assign the keys to their variables + set_fact: + server_private_key: "{{ key_files.results[0].stdout }}" + server_public_key: "{{ key_files.results[1].stdout }}" + client_private_key: "{{ key_files.results[2].stdout }}" + client_public_key: "{{ key_files.results[3].stdout }}" + + - name: Generate server config + template: + src: "templates/wg0-server.conf" + dest: "/etc/wireguard/wg0.conf" + owner: root + group: root + mode: 0600 + + - name: Generate client config + template: + src: "templates/wg0-client.conf" + dest: "~/wg0.conf" + owner: root + group: root + mode: 0600 + + - name: Enable and wireguard interface + systemd: + name: wg-quick@wg0 + enabled: yes + state: started + + - name: Enable IPv4 traffic forwarding + sysctl: + name: net.ipv4.ip_forward + value: 1 + sysctl_set: yes + state: present + reload: yes + + - name: Enable IPv4 forwarding continued + command: echo 1 > /proc/sys/net/ipv4/ip_forward + + - name: Set up firewall rules + include: 
firewall.yml + + - name: Set up unbound for DNS + include: dns.yml + + - name: Reboot the server + shell: sleep 2 && shutdown -r now + async: 1 + poll: 0 + ignore_errors: true \ No newline at end of file
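Review bot: This play brings up `wg-quick@wg0`, the interface facing end users, but nothing installs or enables the client interface toward the gate that middleman/firewall.yml's SNAT to 10.100.100.2 presumes; gate/wireguard.yml renders that config to `~/gate0.conf` on the gate host and it is never transferred here, so the middleman-to-gate leg appears to need a manual step that should either be automated or documented at the top of the play. The `testing123: testing` var and the commented-out `become: true` look like leftovers; remove the var and decide on `become` explicitly, since every task here needs root. The key-generation idempotence, `no_log`, and `command` redirect issues noted on gate/wireguard.yml apply verbatim to this copy.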