This repository has been archived by the owner on Jun 21, 2022. It is now read-only.
forked from nuket/provision-digitalocean-vpn
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsetup-vpn.yml
50 lines (50 loc) · 2.22 KB
/
setup-vpn.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
---
- hosts: 127.0.0.1
vars:
ipsec_psk: "{{ lookup('file', 'ipsec.psk') }}"
tasks:
- name: Install OpenSWAN.
apt: name=openswan state=latest
- name: Install xl2tpd.
apt: name=xl2tpd state=latest
- name: Install pppd.
apt: name=ppp state=latest
- name: Install lsof.
apt: name=lsof state=latest
- name: Set up iptables routing.
command: /sbin/iptables -t nat -A POSTROUTING -j SNAT --to-source {{ ansible_default_ipv4["address"] }} -o {{ ansible_default_ipv4["interface"] }}
- name: Set sysctl.conf (ip_forward, accept_directs, send_redirects, rp_filter, accept_source_route, ignore_bogus) values.
lineinfile: dest=/etc/sysctl.conf line="{{ item }}" backup=yes
with_items:
- "net.ipv4.ip_forward = 1"
- "net.ipv4.conf.all.accept_redirects = 0"
- "net.ipv4.conf.all.send_redirects = 0"
- "net.ipv4.conf.default.rp_filter = 0"
- "net.ipv4.conf.default.accept_source_route = 0"
- "net.ipv4.conf.default.send_redirects = 0"
- "net.ipv4.icmp_ignore_bogus_error_responses = 1"
- name: Set accept_redirects to 0 on all network interfaces.
shell: /bin/echo 0 > {{ item }}
with_fileglob:
- /proc/sys/net/ipv4/conf/*/accept_redirects
- name: Set send_redirects to 0 on all network interfaces.
shell: /bin/echo 0 > {{ item }}
with_fileglob:
- /proc/sys/net/ipv4/conf/*/send_redirects
- name: Apply sysctl changes.
command: /sbin/sysctl -p
- name: Setup IPsec config file.
template: src=ipsec.conf.j2 dest=/etc/ipsec.conf backup=yes owner=root group=root mode=0644
- name: Setup IPsec shared secret.
template: src=ipsec.secrets.j2 dest=/etc/ipsec.secrets backup=yes owner=root group=root mode=0600
- name: Setup xl2ptd
template: src=xl2tpd.conf.j2 dest=/etc/xl2tpd/xl2tpd.conf backup=yes owner=root group=root mode=0644
- name: Setup xl2tpd options.
template: src=options.xl2tpd.j2 dest=/etc/ppp/options.xl2tpd backup=yes owner=root group=root mode=0644
- name: Copy over chap-secrets file.
template: src=chap-secrets.j2 dest=/etc/ppp/chap-secrets backup=yes owner=root group=root mode=0600
- name: Restart services.
service: name={{ item }} state=restarted
with_items:
- ipsec
- xl2tpd