mirror of https://github.com/trailofbits/algo
Add WireGuard support for Android (#910)
* WireGuard Implementation
* Update client-android.md
* Update README.md
* WireGuard unattended upgrades
* Update README.md
* reload-module-on-update and syntax fix
* SaveConfig to true
* Azure firewall. Fixes #962
* Update README.md
* Update client-android.md
pull/943/merge
parent
d27b849f24
commit
3488e660ad
@ -1 +0,0 @@
|
||||
<a href="android_{{ item.0 }}.sswan" type="application/vnd.strongswan.profile">{{ item.0 }}</a>
|
@ -1,15 +0,0 @@
|
||||
{
|
||||
"uuid": "{{ 600000 | random | to_uuid }}",
|
||||
"name": "Algo {{ IP_subject_alt_name }}",
|
||||
"type": "ikev2-cert",
|
||||
"remote": {
|
||||
"addr": "{{ IP_subject_alt_name }}",
|
||||
"cert": "{{ PayloadContentCA }}"
|
||||
},
|
||||
"local": {
|
||||
"p12": "{{ item.1.stdout }}"
|
||||
},
|
||||
"ike-proposal": "{{ ciphers.defaults.ike | replace('!', '') }}",
|
||||
"esp-proposal": "{{ ciphers.defaults.esp | replace('!', '') }}",
|
||||
"mtu": 1280
|
||||
}
|
@ -0,0 +1,18 @@
|
||||
---
|
||||
wireguard_config_path: "configs/{{ IP_subject_alt_name }}/wireguard/"
|
||||
wireguard_interface: wg0
|
||||
wireguard_network_ipv4:
|
||||
subnet: 10.19.49.0
|
||||
prefix: 24
|
||||
gateway: 10.19.49.1
|
||||
clients_range: 10.19.49
|
||||
clients_start: 100
|
||||
wireguard_network_ipv6:
|
||||
subnet: 'fd9d:bc11:4021::'
|
||||
prefix: 48
|
||||
gateway: 'fd9d:bc11:4021::1'
|
||||
clients_range: 'fd9d:bc11:4021::'
|
||||
clients_start: 100
|
||||
wireguard_vpn_network: "{{ wireguard_network_ipv4['subnet'] }}/{{ wireguard_network_ipv4['prefix'] }}"
|
||||
wireguard_vpn_network_ipv6: "{{ wireguard_network_ipv6['subnet'] }}/{{ wireguard_network_ipv6['prefix'] }}"
|
||||
easyrsa_reinit_existent: false
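Review bot: `wireguard_config_path` ends in a slash while every consumer in this commit appends `/private/…`, `/public/…` or `/{{ item.1 }}.conf`, so the rendered paths carry a double slash (`wireguard//private/...`); dropping the trailing slash, `wireguard_config_path: "configs/{{ IP_subject_alt_name }}/wireguard"`, keeps the paths clean and makes them match the `dest` values the tasks produce. A second, smaller point: `easyrsa_reinit_existent` is an EasyRSA-named switch that keys.yml now uses to decide whether WireGuard lock files are deleted, which is hard to discover from the name; at minimum a comment on the line, `# also controls regeneration of WireGuard private keys (see keys.yml)`, would document the coupling. These defaults presumably feed both server.conf.j2 and client.conf.j2, so any rename would need to be applied in both templates.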
|
@ -0,0 +1,5 @@
|
||||
---
|
||||
- name: restart wireguard
|
||||
service:
|
||||
name: "wg-quick@{{ wireguard_interface }}"
|
||||
state: restarted
|
@ -0,0 +1,3 @@
|
||||
---
|
||||
dependencies:
|
||||
- { role: common, tags: common }
|
@ -0,0 +1,60 @@
|
||||
---
|
||||
- name: Delete the lock files
|
||||
file:
|
||||
dest: "/etc/wireguard/private_{{ item }}.lock"
|
||||
state: absent
|
||||
when: easyrsa_reinit_existent|bool == True
|
||||
with_items:
|
||||
- "{{ users }}"
|
||||
- "{{ IP_subject_alt_name }}"
|
||||
|
||||
- name: Generate private keys
|
||||
command: wg genkey
|
||||
register: wg_genkey
|
||||
args:
|
||||
creates: "/etc/wireguard/private_{{ item }}.lock"
|
||||
executable: bash
|
||||
with_items:
|
||||
- "{{ users }}"
|
||||
- "{{ IP_subject_alt_name }}"
|
||||
|
||||
- block:
|
||||
- name: Save private keys
|
||||
copy:
|
||||
dest: "{{ wireguard_config_path }}/private/{{ item['item'] }}"
|
||||
content: "{{ item['stdout'] }}"
|
||||
mode: "0600"
|
||||
no_log: true
|
||||
when: item.changed
|
||||
with_items: "{{ wg_genkey['results'] }}"
|
||||
delegate_to: localhost
|
||||
become: false
|
||||
|
||||
- name: Touch the lock file
|
||||
file:
|
||||
dest: "/etc/wireguard/private_{{ item }}.lock"
|
||||
state: touch
|
||||
with_items:
|
||||
- "{{ users }}"
|
||||
- "{{ IP_subject_alt_name }}"
|
||||
when: wg_genkey.changed
|
||||
|
||||
- name: Generate public keys
|
||||
shell: echo "{{ lookup('file', wireguard_config_path + '/private/' + item) }}" | wg pubkey
|
||||
register: wg_pubkey
|
||||
changed_when: false
|
||||
args:
|
||||
executable: bash
|
||||
with_items:
|
||||
- "{{ users }}"
|
||||
- "{{ IP_subject_alt_name }}"
|
||||
|
||||
- name: Save public keys
|
||||
copy:
|
||||
dest: "{{ wireguard_config_path }}/public/{{ item['item'] }}"
|
||||
content: "{{ item['stdout'] }}"
|
||||
mode: "0600"
|
||||
no_log: true
|
||||
with_items: "{{ wg_pubkey['results'] }}"
|
||||
delegate_to: localhost
|
||||
become: false
|
@ -0,0 +1,57 @@
|
||||
---
|
||||
- name: WireGuard repository configured
|
||||
apt_repository:
|
||||
repo: ppa:wireguard/wireguard
|
||||
state: present
|
||||
|
||||
- name: WireGuard installed
|
||||
apt:
|
||||
name: wireguard
|
||||
state: present
|
||||
update_cache: true
|
||||
|
||||
- name: Ensure the required directories exist
|
||||
file:
|
||||
dest: "{{ wireguard_config_path }}/{{ item }}"
|
||||
state: directory
|
||||
recurse: true
|
||||
with_items:
|
||||
- private
|
||||
- public
|
||||
delegate_to: localhost
|
||||
become: false
|
||||
|
||||
- name: Generate keys
|
||||
import_tasks: keys.yml
|
||||
tags: update-users
|
||||
|
||||
- name: WireGuard configured
|
||||
template:
|
||||
src: server.conf.j2
|
||||
dest: "/etc/wireguard/{{ wireguard_interface }}.conf"
|
||||
mode: "0600"
|
||||
notify: restart wireguard
|
||||
tags: update-users
|
||||
|
||||
- name: WireGuard reload-module-on-update
|
||||
file:
|
||||
dest: /etc/wireguard/.reload-module-on-update
|
||||
state: touch
|
||||
|
||||
- name: WireGuard users config generated
|
||||
template:
|
||||
src: client.conf.j2
|
||||
dest: "{{ wireguard_config_path }}/{{ item.1 }}.conf"
|
||||
mode: "0600"
|
||||
with_indexed_items: "{{ users }}"
|
||||
tags: update-users
|
||||
delegate_to: localhost
|
||||
become: false
|
||||
|
||||
- name: WireGuard enabled and started
|
||||
service:
|
||||
name: "wg-quick@{{ wireguard_interface }}"
|
||||
state: started
|
||||
enabled: true
|
||||
|
||||
- meta: flush_handlers
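Review bot: "Ensure the required directories exist" creates the `private` and `public` directories on the controller without a `mode`, so they get whatever the local umask yields, while the key files written into them by keys.yml and the client configs (which embed each client's private key) are deliberately `0600`; add `mode: "0700"` to that `file` task so the directory permissions are as tight as the files inside. `recurse: true` only matters when a mode is given, so as written it does nothing. With `tags: update-users` on the template task, a later `update-users` run re-renders `wg0.conf` and notifies `restart wireguard`, which tears down every active tunnel; that is probably acceptable for this feature but is worth a comment on the task, e.g. `# restart drops all client sessions; re-run only when users change`.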
|
@ -0,0 +1,10 @@
|
||||
[Interface]
|
||||
PrivateKey = {{ lookup('file', wireguard_config_path + '/private/' + item.1) }}
|
||||
Address = {{ wireguard_network_ipv4['clients_range'] }}.{{ wireguard_network_ipv4['clients_start'] + item.0 + 1 }}/32{% if ipv6_support %},{{ wireguard_network_ipv6['clients_range'] }}{{ wireguard_network_ipv6['clients_start'] + item.0 + 1 }}/{{ wireguard_network_ipv6['prefix'] }}
|
||||
{% endif %}
|
||||
DNS = {{ local_service_ip }}
|
||||
|
||||
[Peer]
|
||||
PublicKey = {{ lookup('file', wireguard_config_path + '/public/' + IP_subject_alt_name) }}
|
||||
AllowedIPs = 0.0.0.0/0, ::/0
|
||||
Endpoint = {{ IP_subject_alt_name }}:{{ wireguard_port }}
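Review bot: The client address is computed as `clients_start + item.0 + 1` here, but the matching `AllowedIPs` entry in server.conf.j2 uses `clients_start + loop.index`; the two agree only because `with_indexed_items` is 0-based and Jinja's `loop.index` is 1-based, and nothing in either template says so. A Jinja comment on the `Address` line, `{# item.0 is 0-based; the +1 keeps this in step with the 1-based loop.index used for this peer in server.conf.j2 #}`, would stop the next edit from changing one side only. The per-client IPv6 address also carries the full `/{{ wireguard_network_ipv6['prefix'] }}` (a /48 with the defaults) while the server side allows only `/128` for that peer; that is harmless with `AllowedIPs = ::/0` on the client, but a one-line comment noting the asymmetry is intentional would help.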
|
@ -0,0 +1,18 @@
|
||||
[Interface]
|
||||
Address = {{ wireguard_network_ipv4['subnet'] }}/{{ wireguard_network_ipv4['prefix'] }}{% if ipv6_support %},{{ wireguard_network_ipv6['gateway'] }}/{{ wireguard_network_ipv6['prefix'] }}
|
||||
{% endif %}
|
||||
|
||||
DNS = {{ local_service_ip }}
|
||||
ListenPort = {{ wireguard_port }}
|
||||
PrivateKey = {{ lookup('file', wireguard_config_path + '/private/' + IP_subject_alt_name) }}
|
||||
SaveConfig = true
|
||||
Table = off
|
||||
|
||||
{% for u in users %}
|
||||
|
||||
[Peer]
|
||||
# {{ u }}
|
||||
PublicKey = {{ lookup('file', wireguard_config_path + '/public/' + u) }}
|
||||
AllowedIPs = {{ wireguard_network_ipv4['clients_range'] }}.{{ wireguard_network_ipv4['clients_start'] + loop.index }}/32{% if ipv6_support %},{{ wireguard_network_ipv6['clients_range'] }}{{ wireguard_network_ipv6['clients_start'] + loop.index }}/128
|
||||
{% endif %}
|
||||
{% endfor %}
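Review bot: The IPv4 `Address` line assigns `subnet/prefix` — `10.19.49.0/24` with the shipped defaults, i.e. the network address — to the server interface, while the IPv6 half of the same line uses `gateway`, and `wireguard_network_ipv4['gateway']` is defined in defaults but never used anywhere in this commit; the consistent value is `Address = {{ wireguard_network_ipv4['gateway'] }}/{{ wireguard_network_ipv4['prefix'] }}{% if ipv6_support %},{{ wireguard_network_ipv6['gateway'] }}/{{ wireguard_network_ipv6['prefix'] }}`. Separately, `SaveConfig = true` tells wg-quick to rewrite this file from the live interface state on every `down`, which drops the `# {{ u }}` comments and reorders content; after the first restart the `WireGuard configured` template task would then likely see a changed file on each subsequent run and notify `restart wireguard` again, dropping all client sessions — worth verifying with two consecutive runs, and if confirmed either removing `SaveConfig` or documenting the trade-off with a comment above the line.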
|