ansible-openwrt-hirkn/playbooks/hirkn.yml
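---
# Configure an OpenWrt router as a WireGuard client that policy-routes
# selected destinations (the ipset lists loaded by the hirkn script) through
# the tunnel, and points dnsmasq at a local dnscrypt-proxy2 resolver.
#
# Requires the gekmihesg.openwrt role (opkg/uci/service modules on a
# Python-less target). Templates are read from ansible_template_dir on the
# controller. Target facts: ansible_distribution_major_version selects the
# fw3 (< 22) or fw4 (22) ipset syntax.
- hosts: openwrt
  remote_user: root
  roles:
    - gekmihesg.openwrt
  vars:
    ansible_template_dir: /etc/ansible/templates/
    wg_server_address: wg_server_ip/url
    # Key material: the values below are placeholders. Keep the real private
    # and preshared keys out of the playbook (ansible-vault or a secret
    # store); the tasks that pass them to uci run with no_log so they are not
    # echoed in task output.
    wg_private_key: privatekey-client
    wg_public_key: publickey-server
    # wg_preshared_key: preshared-key
    wg_listen_port: 51820
    wg_client_port: 51820
    wg_client_address: 192.168.100.3/24
    download_utility: curl
  tasks:
    # Packages installation
    - name: install kmod-wireguard
      opkg:
        name: kmod-wireguard
        state: present
    - name: install wireguard-tools
      opkg:
        name: wireguard-tools
        state: present
    - name: install curl
      opkg:
        name: curl
        state: present
      when: download_utility == "curl"
    # ipset userspace tool is only needed by fw3 (OpenWrt < 22); fw4 uses
    # nftables sets.
    - name: install ipset
      opkg:
        name: ipset
        state: present
      when: ansible_distribution_major_version < "22"
    - name: install dnscrypt
      opkg:
        name: dnscrypt-proxy2
        state: present
    # Hirkn script configure
    - name: hirkn script copy
      template:
        src: "{{ ansible_template_dir }}openwrt-hirkn.j2"
        dest: "/etc/init.d/hirkn"
        mode: "a+x"
    - name: create simplink in rc.d
      file:
        src: "/etc/init.d/hirkn"
        dest: "/etc/rc.d/S99hirkn"
        state: link
    # grep exits non-zero both when there is no match and when the crontab
    # does not exist yet; both are expected here, so the check never fails
    # and never reports "changed".
    - name: check string in crontab
      shell: grep "hirkn" /etc/crontabs/root
      register: check_cron
      changed_when: false
      failed_when: false
    - name: add script to cron
      lineinfile:
        path: /etc/crontabs/root
        create: true
        line: "0 4 * * * /etc/init.d/hirkn"
      when: check_cron.stdout == ""
    - name: enable and start crontab
      service:
        name: cron
        state: started
        enabled: true
    # Configure route table
    - name: route copy in hotplug
      template:
        src: "{{ ansible_template_dir }}openwrt-30-rknroute.j2"
        dest: "/etc/hotplug.d/iface/30-rknroute"
        # quoted: an unquoted 0644 is read as the integer 420 by YAML 1.1
        mode: "0644"
    - name: Check string in rt_tables
      shell: grep "99 vpn" /etc/iproute2/rt_tables
      register: check_rt_tables
      changed_when: false
      failed_when: false
    - name: add route table
      lineinfile:
        path: /etc/iproute2/rt_tables
        line: "99 vpn"
      when: check_rt_tables.stdout == ""
    # Configure network
    - name: add wg interface
      uci:
        command: add
        config: network
        type: interface
        name: wg0
    - name: configure wg interface
      uci:
        command: set
        key: network.wg0
        value:
          proto: wireguard
          private_key: "{{ wg_private_key }}"
          listen_port: "{{ wg_listen_port }}"
          addresses:
            - "{{ wg_client_address }}"
      # the private key is part of the module arguments; keep it out of logs
      no_log: true
    # Peer section: one variant without and one with a preshared key, chosen
    # by whether wg_preshared_key is defined.
    - name: set wg client without wg_preshared_key
      uci:
        command: section
        config: network
        type: wireguard_wg0
        find_by:
          name: wg0_client
        value:
          public_key: "{{ wg_public_key }}"
          route_allowed_ips: 0
          persistent_keepalive: 25
          endpoint_host: "{{ wg_server_address }}"
          allowed_ips: 0.0.0.0/0
          endpoint_port: "{{ wg_client_port }}"
      when: wg_preshared_key is undefined
    - name: set wg client with wg_preshared_key
      uci:
        command: section
        config: network
        type: wireguard_wg0
        find_by:
          name: wg0_client
        value:
          public_key: "{{ wg_public_key }}"
          preshared_key: "{{ wg_preshared_key }}"
          route_allowed_ips: 0
          persistent_keepalive: 25
          endpoint_host: "{{ wg_server_address }}"
          allowed_ips: 0.0.0.0/0
          endpoint_port: "{{ wg_client_port }}"
      when: wg_preshared_key is defined
      # the preshared key is part of the module arguments; keep it out of logs
      no_log: true
    # Packets carrying fwmark 0x1 (set by the firewall MARK rules below) are
    # looked up in routing table "vpn" (id 99, added to rt_tables above).
    - name: set rule mark0x1
      uci:
        command: section
        config: network
        type: rule
        find_by:
          name: mark0x1
        value:
          mark: "0x1"
          priority: 100
          lookup: vpn
    - name: set disable dns for wan
      uci:
        command: set
        key: network.wan
        value:
          peerdns: 0
    - name: uci commit
      uci:
        command: commit
        config: network
    # Configure firewall
    - name: set WG firewall zone
      uci:
        command: section
        config: firewall
        type: zone
        find_by:
          name: wg
        value:
          forward: REJECT
          output: ACCEPT
          name: wg
          input: REJECT
          masq: 1
          mtu_fix: 1
          network: wg0
          family: ipv4
    - name: add WG forwarding
      uci:
        command: section
        config: firewall
        type: forwarding
        find_by:
          name: wg-lan
        value:
          dest: wg
          src: lan
          family: ipv4
    # ipsets are filled by the hirkn script from /tmp/lst/*.lst. fw3 (< 22)
    # needs storage/hashsize/maxelem; fw4 (22) takes only match/loadfile.
    # NOTE(review): only major version "22" is matched by the fw4 variant, so
    # a newer major gets no ipset sections at all -- confirm the fw4 syntax
    # still applies there and widen the condition if so.
    - name: add ipset for subnet (<22)
      uci:
        command: section
        config: firewall
        type: ipset
        find_by:
          name: vpn_subnets
        value:
          match: dst_net
          storage: hash
          loadfile: /tmp/lst/subnet.lst
      when: ansible_distribution_major_version < "22"
    - name: add ipset for ip (<22)
      uci:
        command: section
        config: firewall
        type: ipset
        find_by:
          name: vpn_ip
        value:
          match: dst_net
          storage: hash
          loadfile: /tmp/lst/ip.lst
          hashsize: 9900000
          maxelem: 9900000
      when: ansible_distribution_major_version < "22"
    - name: add ipset for community (<22)
      uci:
        command: section
        config: firewall
        type: ipset
        find_by:
          name: vpn_community
        value:
          match: dst_net
          storage: hash
          loadfile: /tmp/lst/community.lst
          hashsize: 9900000
          maxelem: 9900000
      when: ansible_distribution_major_version < "22"
    - name: add ipset for subnet (22)
      uci:
        command: section
        config: firewall
        type: ipset
        find_by:
          name: vpn_subnets
        value:
          match: dst_net
          loadfile: /tmp/lst/subnet.lst
      when: ansible_distribution_major_version == "22"
    - name: add ipset for ip (22)
      uci:
        command: section
        config: firewall
        type: ipset
        find_by:
          name: vpn_ip
        value:
          match: dst_net
          loadfile: /tmp/lst/ip.lst
      when: ansible_distribution_major_version == "22"
    - name: add ipset for community (22)
      uci:
        command: section
        config: firewall
        type: ipset
        find_by:
          name: vpn_community
        value:
          match: dst_net
          loadfile: /tmp/lst/community.lst
      when: ansible_distribution_major_version == "22"
    # MARK rules: LAN traffic whose destination is in one of the ipsets gets
    # fwmark 0x1 and is therefore routed via table "vpn" (see rule mark0x1).
    - name: add mark rule vpn_subnet
      uci:
        command: section
        config: firewall
        type: rule
        find_by:
          name: mark_subnet
        value:
          src: lan
          dest: "*"
          proto: all
          ipset: vpn_subnets
          set_mark: "0x1"
          target: MARK
          family: ipv4
    - name: add mark rule vpn_ip
      uci:
        command: section
        config: firewall
        type: rule
        find_by:
          name: mark_ip
        value:
          src: lan
          dest: "*"
          proto: all
          ipset: vpn_ip
          set_mark: "0x1"
          target: MARK
          family: ipv4
    - name: add mark rule vpn_community
      uci:
        command: section
        config: firewall
        type: rule
        find_by:
          name: mark_community
        value:
          src: lan
          dest: "*"
          proto: all
          ipset: vpn_community
          set_mark: "0x1"
          target: MARK
          family: ipv4
    - name: uci commit firewall
      uci:
        command: commit
        config: firewall
    # Configure dnscrypt2
    # The commented-out "# server_names" line is only present until the first
    # run replaces it, so the grep result gates the edit; without the gate
    # lineinfile would append a second server_names line once the regexp no
    # longer matches.
    - name: check string in dnscrypt-proxy.toml
      shell: grep "# server_names" /etc/dnscrypt-proxy2/dnscrypt-proxy.toml
      register: check_server_names
      changed_when: false
      failed_when: false
    - name: dnscrypt2 enable exact servers
      lineinfile:
        path: /etc/dnscrypt-proxy2/dnscrypt-proxy.toml
        regexp: "# server_names ="
        line: "server_names = ['google', 'cloudflare', 'scaleway-fr', 'yandex']"
      when: check_server_names.stdout
    # Point dnsmasq at the local dnscrypt-proxy listener and stop it from
    # using the upstream resolvers from resolv.conf (noresolv).
    - name: edit dhcp config. add localhost server
      lineinfile:
        path: /etc/config/dhcp
        firstmatch: true
        insertafter: "option leasefile '/tmp/dhcp.leases'"
        line: "{{ item }}"
      with_items:
        - " list server '127.0.0.53#53'"
        - " list server '/pool.ntp.org/208.67.222.222'"
        - " option noresolv '1'"
    - name: enable and start dnscrypt-proxy
      service:
        name: dnscrypt-proxy
        state: restarted
        enabled: true
    - name: restart dnsmasq
      service:
        name: dnsmasq
        state: restarted
    # Restart network and run script
    - name: restart network
      service:
        name: network
        state: restarted
    - name: run hirkn script
      service:
        name: hirkn
        state: started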