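---
# OpenWrt "hirkn" playbook (gekmihesg.openwrt role).
#
# What it does, in order:
#   1. installs kmod-wireguard, wireguard-tools, curl (optional), ipset (<22 only)
#      and dnscrypt-proxy2 via opkg;
#   2. installs the /etc/init.d/hirkn script from a template, links it into
#      rc.d and schedules it in root's crontab;
#   3. creates routing table "99 vpn" plus a hotplug hook;
#   4. configures a WireGuard interface wg0, its peer, a policy-routing rule
#      for fwmark 0x1 and disables WAN peer DNS (UCI "network");
#   5. creates a "wg" firewall zone, lan->wg forwarding, the vpn_* ipsets and
#      the MARK rules that send ipset-matched traffic to table "vpn"
#      (UCI "firewall");
#   6. switches dnsmasq to dnscrypt-proxy2 and restarts the services.
#
# Secrets: wg_private_key / wg_preshared_key are WireGuard key material.
# Keep the real values in an Ansible Vault file (or pass them with
# --extra-vars) rather than committing them here; the tasks that write them
# into UCI run with no_log so the keys do not end up in play output or logs.
- hosts: openwrt
  remote_user: root
  roles:
    - gekmihesg.openwrt
  vars:
    ansible_template_dir: /etc/ansible/templates/
    # Peer endpoint (IP or hostname) of the WireGuard server.
    wg_server_address: wg_server_ip/url
    # Placeholder values — replace from a vault, never with real keys in clear text.
    wg_private_key: privatekey-client
    wg_public_key: publickey-server
    # Optional; when defined, the peer is configured with a preshared key.
    # wg_preshared_key: preshared-key
    wg_listen_port: 51820
    wg_client_port: 51820
    wg_client_address: 192.168.100.3/24
    # Only "curl" triggers a package install below.
    download_utility: curl

  tasks:
    # ---------------------------------------------------------------
    # Packages installation
    # ---------------------------------------------------------------
    - name: install kmod-wireguard
      opkg:
        name: kmod-wireguard
        state: present

    - name: install wireguard-tools
      opkg:
        name: wireguard-tools
        state: present

    - name: install curl
      opkg:
        name: curl
        state: present
      when: download_utility == "curl"

    # NOTE(review): ansible_distribution_major_version is a string, so these
    # comparisons are lexical ("19" < "22", "21" < "22", "23" < "22" is false).
    # Releases newer than 22 match neither the "<22" nor the "==22" tasks and
    # get no ipsets at all — confirm whether ">= 22" is intended for 23+.
    - name: install ipset
      opkg:
        name: ipset
        state: present
      when: ansible_distribution_major_version < "22"

    - name: install dnscrypt
      opkg:
        name: dnscrypt-proxy2
        state: present

    # ---------------------------------------------------------------
    # Hirkn script configure
    # ---------------------------------------------------------------
    - name: hirkn script copy
      template:
        src: "{{ ansible_template_dir }}openwrt-hirkn.j2"
        dest: "/etc/init.d/hirkn"
        mode: "a+x"

    - name: create simplink in rc.d
      file:
        src: "/etc/init.d/hirkn"
        dest: "/etc/rc.d/S99hirkn"
        state: link

    # grep exits 1 (or 2 if the file is missing) when nothing matches;
    # failed_when/changed_when keep that from showing up as a failure or a
    # change — stdout is "" in both cases, which is what the next task tests.
    - name: check string in crontab
      shell: grep "hirkn" /etc/crontabs/root
      register: check_cron
      failed_when: false
      changed_when: false

    - name: add script to cron
      lineinfile:
        path: /etc/crontabs/root
        create: true
        line: "0 4 * * * /etc/init.d/hirkn"
      when: check_cron.stdout == ""

    - name: enable and start crontab
      service:
        name: cron
        state: started
        enabled: true

    # ---------------------------------------------------------------
    # Configure route table
    # ---------------------------------------------------------------
    - name: route copy in hotplug
      template:
        src: "{{ ansible_template_dir }}openwrt-30-rknroute.j2"
        dest: "/etc/hotplug.d/iface/30-rknroute"
        mode: "0644"  # quoted: unquoted 0644 is parsed as octal int 420

    - name: Check string in rt_tables
      shell: grep "99 vpn" /etc/iproute2/rt_tables
      register: check_rt_tables
      failed_when: false
      changed_when: false

    - name: add route table
      lineinfile:
        path: /etc/iproute2/rt_tables
        line: "99 vpn"
      when: check_rt_tables.stdout == ""

    # ---------------------------------------------------------------
    # Configure network
    # ---------------------------------------------------------------
    - name: add wg interface
      uci:
        command: add
        config: network
        type: interface
        name: wg0

    - name: configure wg interface
      uci:
        command: set
        key: network.wg0
        value:
          proto: wireguard
          private_key: "{{ wg_private_key }}"
          listen_port: "{{ wg_listen_port }}"
          addresses:
            - "{{ wg_client_address }}"
      no_log: true  # value contains the private key

    # route_allowed_ips: 0 — wg does not install a default route; traffic is
    # steered into table "vpn" by the fwmark rule and the MARK firewall rules.
    - name: set wg client without wg_preshared_key
      uci:
        command: section
        config: network
        type: wireguard_wg0
        find_by:
          name: wg0_client
        value:
          public_key: "{{ wg_public_key }}"
          route_allowed_ips: 0
          persistent_keepalive: 25
          endpoint_host: "{{ wg_server_address }}"
          allowed_ips: 0.0.0.0/0
          endpoint_port: "{{ wg_client_port }}"
      when: wg_preshared_key is undefined

    - name: set wg client with wg_preshared_key
      uci:
        command: section
        config: network
        type: wireguard_wg0
        find_by:
          name: wg0_client
        value:
          public_key: "{{ wg_public_key }}"
          preshared_key: "{{ wg_preshared_key }}"
          route_allowed_ips: 0
          persistent_keepalive: 25
          endpoint_host: "{{ wg_server_address }}"
          allowed_ips: 0.0.0.0/0
          endpoint_port: "{{ wg_client_port }}"
      when: wg_preshared_key is defined
      no_log: true  # value contains the preshared key

    # Packets marked 0x1 are looked up in routing table "vpn" (99).
    - name: set rule mark0x1
      uci:
        command: section
        config: network
        type: rule
        find_by:
          name: mark0x1
        value:
          mark: "0x1"
          priority: 100
          lookup: vpn

    # Ignore DNS servers handed out by the WAN provider; dnscrypt-proxy2 is used instead.
    - name: set disable dns for wan
      uci:
        command: set
        key: network.wan
        value:
          peerdns: 0

    - name: uci commit
      uci:
        command: commit
        config: network

    # ---------------------------------------------------------------
    # Configure firewall
    # ---------------------------------------------------------------
    # Zone "wg": nothing is accepted inbound or forwarded from the tunnel
    # side; only lan -> wg forwarding (next task) is allowed, with masquerading.
    - name: set WG firewall zone
      uci:
        command: section
        config: firewall
        type: zone
        find_by:
          name: wg
        value:
          forward: REJECT
          output: ACCEPT
          name: wg
          input: REJECT
          masq: 1
          mtu_fix: 1
          network: wg0
          family: ipv4

    - name: add WG forwarding
      uci:
        command: section
        config: firewall
        type: forwarding
        find_by:
          name: wg-lan
        value:
          dest: wg
          src: lan
          family: ipv4

    # ipsets are populated from /tmp/lst/*.lst; the files are presumably
    # produced by the hirkn script (template not part of this playbook — verify).
    # fw3 (<22) needs explicit storage/hash sizing; fw4 (22) does not.
    - name: add ipset for subnet (<22)
      uci:
        command: section
        config: firewall
        type: ipset
        find_by:
          name: vpn_subnets
        value:
          match: dst_net
          storage: hash
          loadfile: /tmp/lst/subnet.lst
      when: ansible_distribution_major_version < "22"

    - name: add ipset for ip (<22)
      uci:
        command: section
        config: firewall
        type: ipset
        find_by:
          name: vpn_ip
        value:
          match: dst_net
          storage: hash
          loadfile: /tmp/lst/ip.lst
          hashsize: 9900000
          maxelem: 9900000
      when: ansible_distribution_major_version < "22"

    - name: add ipset for community (<22)
      uci:
        command: section
        config: firewall
        type: ipset
        find_by:
          name: vpn_community
        value:
          match: dst_net
          storage: hash
          loadfile: /tmp/lst/community.lst
          hashsize: 9900000
          maxelem: 9900000
      when: ansible_distribution_major_version < "22"

    - name: add ipset for subnet (22)
      uci:
        command: section
        config: firewall
        type: ipset
        find_by:
          name: vpn_subnets
        value:
          match: dst_net
          loadfile: /tmp/lst/subnet.lst
      when: ansible_distribution_major_version == "22"

    - name: add ipset for ip (22)
      uci:
        command: section
        config: firewall
        type: ipset
        find_by:
          name: vpn_ip
        value:
          match: dst_net
          loadfile: /tmp/lst/ip.lst
      when: ansible_distribution_major_version == "22"

    - name: add ipset for community (22)
      uci:
        command: section
        config: firewall
        type: ipset
        find_by:
          name: vpn_community
        value:
          match: dst_net
          loadfile: /tmp/lst/community.lst
      when: ansible_distribution_major_version == "22"

    # MARK rules: lan traffic whose destination is in an ipset gets fwmark 0x1,
    # which the network rule "mark0x1" above routes through table "vpn".
    - name: add mark rule vpn_subnet
      uci:
        command: section
        config: firewall
        type: rule
        find_by:
          name: mark_subnet
        value:
          src: lan
          dest: "*"
          proto: all
          ipset: vpn_subnets
          set_mark: "0x1"
          target: MARK
          family: ipv4

    - name: add mark rule vpn_ip
      uci:
        command: section
        config: firewall
        type: rule
        find_by:
          name: mark_ip
        value:
          src: lan
          dest: "*"
          proto: all
          ipset: vpn_ip
          set_mark: "0x1"
          target: MARK
          family: ipv4

    - name: add mark rule vpn_community
      uci:
        command: section
        config: firewall
        type: rule
        find_by:
          name: mark_community
        value:
          src: lan
          dest: "*"
          proto: all
          ipset: vpn_community
          set_mark: "0x1"
          target: MARK
          family: ipv4

    - name: uci commit firewall
      uci:
        command: commit
        config: firewall

    # ---------------------------------------------------------------
    # Configure dnscrypt2
    # ---------------------------------------------------------------
    - name: check string in dnscrypt-proxy.toml
      shell: grep "# server_names" /etc/dnscrypt-proxy2/dnscrypt-proxy.toml
      register: check_server_names
      failed_when: false
      changed_when: false

    # grep prints the matching line, not a count, so the original test
    # `stdout == "1"` could never be true and this task never ran; a match is
    # signalled by exit status 0.
    - name: dnscrypt2 enable exact servers
      lineinfile:
        path: /etc/dnscrypt-proxy2/dnscrypt-proxy.toml
        regexp: "# server_names ="
        line: "server_names = ['google', 'cloudflare', 'scaleway-fr', 'yandex']"
      when: check_server_names.rc == 0

    - name: edit dhcp config. resolvfile commented
      lineinfile:
        path: /etc/config/dhcp
        regexp: "option resolvfile"
        line: " #option resolvfile '/tmp/resolv.conf.auto'"

    # lineinfile without regexp only inserts a line that is not already
    # present verbatim, so re-running does not duplicate these entries.
    - name: edit dhcp config. add localhost server
      lineinfile:
        path: /etc/config/dhcp
        insertafter: "#option resolvfile"
        line: "{{ item }}"
      with_items:
        - " list server '127.0.0.53#53'"
        - " list server '/pool.ntp.org/208.67.222.222'"

    - name: enable and start dnscrypt-proxy
      service:
        name: dnscrypt-proxy
        state: restarted
        enabled: true

    - name: restart dnsmasq
      service:
        name: dnsmasq
        state: restarted

    # ---------------------------------------------------------------
    # Restart network and run script
    # ---------------------------------------------------------------
    - name: restart network
      service:
        name: network
        state: restarted

    - name: run hirkn script
      service:
        name: hirkn
        state: started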