
One BASH script to spin up a Lightsail VM, do some magic, and then spit out WireGuard client configs!


oct8l/Lightsail-WireGuard-one-shot


AWS Lightsail WireGuard server one-shot

What's the purpose of this repo?

In my ever-growing list of things I find to do besides the dishes and laundry, I decided one weekend that I wanted an easy way to deploy an AWS Lightsail instance and set it up as a WireGuard server. I know there are actual VPN services out there that are possibly more reliable and definitely less of a headache, but what's the fun in that? I wanted to see if I could do it...and I did!

How do I use it?

Here is the "intended" way for this repo to be used:

  1. Download the repo, optionally as a zip folder, and delete the folder after every time you set up the WireGuard server.
  2. This repo assumes you have direnv (https://direnv.net/) installed to load and unload the .envrc files when you change directories. I'd recommend installing it; otherwise, if you're so inclined, you can manage the environment variables through another tool or by hand.
  3. Change to the new directory for the repo once you have the folder downloaded/unzipped/un-tar'd/etc.
  4. Copy .envrc.example in the root directory to a file named .envrc, and update the variables for your AWS region. Ensure your AWS credentials are set up in the ~/.aws folder as per the AWS CLI configuration. For help setting up these credentials, visit AWS CLI Configuration.
  • direnv should prompt you to allow the new .envrc file with an easy copy-and-pasteable error message! This needs to be done before running the scripts so the variables exist.
  5. Finally, make the shell script(s) executable with chmod +x *.sh, then turn up the server and let Ansible go to town configuring everything!

The shell script installs the required Ansible Galaxy packages along with the pip modules it uses. It then generates an SSH key to use with the server, sets some environment variables from the terraform.tfstate file after the machine is configured, runs the monolithic playbook, and does some sed replacements on the config files so they're ready to be pasted into a device.
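The "read values out of terraform.tfstate, then sed the config template" step above is the part most likely to go wrong quietly (an empty variable leaves a client config with a blank Endpoint, and an unexpected character in the value is interpreted by sed). The following is an added example of doing that step defensively in plain sh; it is not the repo's run-all.sh. The attribute name public_ip_address, the __SERVER_IP__ and __SERVER_PUBKEY__ placeholders, and the sample state file and template are assumptions constructed here, not taken from the project.

```shell
#!/usr/bin/env sh
# Added example (not the repo's own run-all.sh): read the server's public IP out
# of a terraform.tfstate file, validate it, and render a WireGuard client config
# from a template with sed.
# Assumptions (not taken from the repo): the state carries a "public_ip_address"
# attribute, and the template uses __SERVER_IP__ / __SERVER_PUBKEY__ placeholders.
# Only sh, grep and sed are needed so it runs anywhere.
set -eu

# Print the first "public_ip_address" value found in a tfstate file, or fail
# loudly instead of returning an empty string (which would yield "Endpoint = :51820").
# jq is sturdier for real state files; grep/sed keeps this dependency-free.
tfstate_public_ip() {
  ip=$(grep -o '"public_ip_address": *"[^"]*"' "$1" | head -n 1 | sed 's/.*"\([^"]*\)"$/\1/')
  [ -n "$ip" ] || { echo "no public_ip_address in $1" >&2; return 1; }
  printf '%s\n' "$ip"
}

# Accept only a dotted-quad shape before the value reaches sed: a stray '&' or
# '|' in it would otherwise be interpreted as part of the sed replacement.
is_ipv4() {
  printf '%s' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
}

# Render the client config. '|' is the sed delimiter because WireGuard keys are
# base64 and may contain '/', which would break the usual s/// form.
render_client_config() {
  template=$1; ip=$2; pubkey=$3
  is_ipv4 "$ip" || { echo "refusing to render: '$ip' is not an IPv4 address" >&2; return 1; }
  sed -e "s|__SERVER_IP__|$ip|g" -e "s|__SERVER_PUBKEY__|$pubkey|g" "$template"
}

# --- constructed sample inputs (TEST-NET-3 address, dummy key; nothing real) ---
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/terraform.tfstate" <<'EOF'
{
  "version": 4,
  "resources": [
    {
      "type": "aws_lightsail_instance",
      "name": "wireguard",
      "instances": [
        { "attributes": { "name": "wireguard", "public_ip_address": "203.0.113.10" } }
      ]
    }
  ]
}
EOF
cat > "$SAMPLE_DIR/client.conf.tpl" <<'EOF'
[Interface]
PrivateKey = __CLIENT_PRIVKEY__
Address = 10.8.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = __SERVER_PUBKEY__
Endpoint = __SERVER_IP__:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
SAMPLE_PUBKEY='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='   # dummy placeholder, not a real key

# Stand-alone demo: print the rendered client config.
render_client_config "$SAMPLE_DIR/client.conf.tpl" \
  "$(tfstate_public_ip "$SAMPLE_DIR/terraform.tfstate")" "$SAMPLE_PUBKEY"
```

The client private key placeholder is deliberately left untouched so the script never handles private key material; it only fills in the two values that genuinely come from the server side.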

Copy-and-pasteable commands for the trusting

wget https://github.com/oct8l/Lightsail-WireGuard-one-shot/archive/refs/heads/main.tar.gz
tar -xzf main.tar.gz
rm main.tar.gz
cd Lightsail-WireGuard-one-shot-main
chmod +x *.sh
mv .envrc.example .envrc
vi .envrc

After you defeat the vi boss and have your variables set, you can run ./run-all.sh and watch the magic happen!

You can also optionally run ./ssh.sh if you'd like to SSH to the machine; it uses the SSH key that was generated by the previous script.

Extra info

The Terraform template also applies the needed firewall rules and assigns the machine to that firewall group, so there's no need to open anything manually. It makes port 51820/udp and 22/tcp accessible from any IPv4 address, but only pubkey authentication is allowed for SSH, and Fail2Ban also gets set up by the Ansible playbook.
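Since 22/tcp is reachable from any IPv4 address, the "pubkey only" claim is the control worth verifying after the playbook runs. The following is an added example (not part of the repo or its playbook) of auditing an sshd_config for that posture from the shell. One detail it gets right that a plain grep does not: sshd uses the first value it reads for a keyword, so a hardened "PasswordAuthentication no" appended at the bottom of a file loses to a distro default "yes" higher up. The sample configs are constructed here; the keyword defaults are OpenSSH's.

```shell
#!/usr/bin/env sh
# Added example (not the repo's code): check an sshd_config for the pubkey-only
# posture the README describes. Mirrors sshd's first-match rule for keywords,
# ignores comments and blank lines, and stops at the first Match block so only
# global settings are considered. Expects the "Keyword value" form (not "Keyword=value").
set -eu

# sshd_option FILE KEYWORD -> prints the effective global value, or nothing if unset.
sshd_option() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ { next }
    /^[[:space:]]*$/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == key { print $2; exit }
  ' "$1"
}

# sshd_expect FILE KEYWORD WANT DEFAULT [ALIAS]
# DEFAULT is what sshd assumes when the keyword is absent; ALIAS is an older
# spelling of the same keyword (e.g. ChallengeResponseAuthentication).
sshd_expect() {
  v=$(sshd_option "$1" "$2")
  [ -n "$v" ] || [ -z "${5:-}" ] || v=$(sshd_option "$1" "$5")
  v=${v:-$4}
  v=$(printf '%s' "$v" | tr 'A-Z' 'a-z')
  if [ "$v" = "$3" ]; then echo "ok   $2 = $v"; return 0; fi
  echo "FAIL $2 = $v (want $3)"; return 1
}

# audit_sshd FILE -> one line per check; returns 1 if any check fails.
audit_sshd() {
  failures=0
  sshd_expect "$1" PasswordAuthentication no yes || failures=$((failures + 1))
  sshd_expect "$1" PubkeyAuthentication yes yes || failures=$((failures + 1))
  # keyboard-interactive can still carry a password prompt via PAM, so it must be off too
  sshd_expect "$1" KbdInteractiveAuthentication no yes ChallengeResponseAuthentication \
    || failures=$((failures + 1))
  [ "$failures" -eq 0 ]
}

# --- constructed sample configs ---
AUDIT_DIR=$(mktemp -d)
cat > "$AUDIT_DIR/hardened.conf" <<'EOF'
# constructed: what a pubkey-only sshd_config should look like
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
EOF
cat > "$AUDIT_DIR/sloppy.conf" <<'EOF'
# constructed: a distro default left in place above a hardening snippet
PasswordAuthentication yes
ChallengeResponseAuthentication no
# --- appended by a hardening step that did not notice the line above ---
PasswordAuthentication no
Match User deploy
    PasswordAuthentication no
EOF

# Stand-alone demo: the first file passes, the second fails on PasswordAuthentication.
echo "== hardened.conf"; audit_sshd "$AUDIT_DIR/hardened.conf"
echo "== sloppy.conf";   audit_sshd "$AUDIT_DIR/sloppy.conf" || echo "sloppy.conf is NOT pubkey-only"
```

On the live server the same functions can be pointed at /etc/ssh/sshd_config (with any Include'd drop-in files checked the same way), and `sshd -T` gives the authoritative effective values to compare against.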

Something I want to change is to break the Ansible folder into proper roles and call the roles instead of having everything in one playbook. Another thing is to pull the Ansible Galaxy installs, as well as the pip modules, out of the shell script, because having it install them seems a little intrusive. It definitely would be best to use a venv for this, but I was in a bit of a rush before a trip on which I wanted to try this setup out with GL.iNet routers. Man, I love those things.
