Deploy WireGuard and IPsec VPN Server using Ansible

Welcome to this guide on how to deploy a WireGuard and IPsec VPN server using Ansible. Ansible is a free and open-source tool written in Python that is used for configuration management and automation.

To automate the WireGuard and IPsec VPN server deployment, we will use Algo VPN. Algo is a set of Ansible playbooks that stand up WireGuard and IPsec VPN servers either on-premises or in the cloud. It ships with the most secure defaults available and supports the common cloud providers.

The features provided by Algo VPN are:

  • It generates Apple profiles to auto-configure iOS and macOS devices
  • Supports only IKEv2 with strong crypto (AES-GCM, SHA2, and P-256) for iOS, macOS, and Linux
  • Includes a helper script to add and remove users
  • Supports WireGuard for iOS, macOS, Linux, Android and Windows 10
  • Blocks ads with a local DNS resolver (optional)
  • Sets up limited SSH users for tunneling traffic (optional)
  • It can be used to install to DigitalOcean, Amazon Lightsail, Amazon EC2, Vultr, Microsoft Azure, Google Compute Engine, Scaleway, OpenStack, CloudStack, Hetzner Cloud, Linode, or your own Ubuntu server (for more advanced users)
  • Based on current versions of Ubuntu and strongSwan
  • Generates .conf files and QR codes for iOS, macOS, Android, and Windows WireGuard clients

Let’s plunge in!

Step 1 – Install the Requirements

Algo requires Python 3.8 or later, which can be installed on your system with the following commands:

##On Ubuntu
sudo apt update
sudo apt install -y --no-install-recommends python3-virtualenv libffi-dev libssl-dev git

##On Rhel/CentOS/Alma Linux/Rocky Linux/Fedora
sudo dnf install python38-devel python3-virtualenv git -y

##On Debian 11
sudo apt update
sudo apt install -y --no-install-recommends libffi-dev libssl-dev git
sudo apt remove python3-virtualenv
curl -sSL https://install.python-poetry.org | python3 -
echo 'export PATH="/root/.local/bin:$PATH"'|tee -a ~/.bashrc

Verify the python3 version.

$ python3 --version
Python 3.8.10

On Rhel-based systems, configure the default version with the command:

$ sudo update-alternatives --config python3
There are 2 programs which provide 'python3'.

  Selection    Command
-----------------------------------------------
*+ 1           /usr/bin/python3.6
   2           /usr/bin/python3.8

Enter to keep the current selection[+], or type selection number: 2

Obtain a copy of Algo. For this guide, we will use git.

sudo su -
git clone https://github.com/trailofbits/algo.git

Install other dependencies:

cd algo
python3 -m pip install -U pip virtualenv
python3 -m virtualenv --python=$(which python3) env
source env/bin/activate
python3 -m pip install -r requirements.txt

Step 2 – Configure your Ansible host

The host on which the WireGuard and IPsec VPN server is to be installed must be running Ubuntu.

Make the configurations below:

Ensure root login is permitted, since Algo connects to the managed node as root over SSH.

sudo vim /etc/ssh/sshd_config

Find, uncomment and edit the line below. Because key-based login is configured in the next step, `PermitRootLogin prohibit-password` also works and keeps password login for root disabled.

PermitRootLogin yes

Restart the SSH service:

sudo systemctl restart ssh

Allow passwordless login to the remote host by generating and copying the SSH keys.

On the Manager Node, run:

ssh-keygen -t rsa

Now copy the public key to the managed node, replacing the placeholder with the managed node's IP address:

ssh-copy-id -i ~/.ssh/id_rsa.pub root@<managed-node-IP>

At this point, you should be able to log in to the root user on the managed node using the SSH keys.

Step 3 – Make WireGuard and IPsec VPN Server configurations

To make desired configurations, open the config.cfg with your favorite text editor and specify the users for the devices you wish to connect to:

vim config.cfg

I will have 3 users specified as shown.

users:
  - sample
  - test
  - admin

Step 4 – Deploy WireGuard and IPsec VPN Server

Once the above configurations have been made, proceed to deploy the WireGuard and IPsec VPN server using Ansible. There are several variables you can pass using the -e or --extra-vars flag.

The variables here include:

  • provider – specifies the provider you want to use, for example DigitalOcean, Amazon EC2, or local. For this guide, we will use local to install the VPN server on an existing server.
  • server_name – (Required) Server name. (Default: algo)
  • ondemand_cellular – Optional. Enables VPN On Demand when connected to cellular networks for iOS/macOS clients using IPsec. (Default: false)
  • ondemand_wifi – Optional. Enables VPN On Demand when connected to Wi-Fi networks for iOS/macOS clients using IPsec. (Default: false)
  • dns_adblocking – Enables dnscrypt-proxy ad blocking. (Default: false)
  • ssh_tunneling – Enables SSH tunneling for each user. (Default: false)
  • store_pki – Specifies whether or not to keep the CA key. This is required if you want to add users in the future, but is less secure. (Default: false)

The above variables can be passed as shown. Note that do_token is only consumed by the DigitalOcean provider and is ignored when provider=local.

ansible-playbook main.yml -e "provider=local
                                server_name=algo
                                ondemand_cellular=false
                                ondemand_wifi=false
                                dns_adblocking=true
                                ssh_tunneling=true
                                store_pki=true
                                do_token=token"

The deployment will be initialized and begin prompting for details.

Press Enter and proceed to specify the managed Ansible node (the remote system):

.....
Enter the IP address of your server: (or use localhost for local installation):
[localhost]
:
192.168.205.11
TASK [local : pause] ***********************************************************
ok: [localhost]

TASK [local : Set the facts] ***************************************************
ok: [localhost]
[local : pause]
What user should we use to login on the server? (note: passwordless login required, or ignore if you're deploying to localhost)
[root]
:
root
Enter the public IP address or domain name of your server: (IMPORTANT! This is used to verify the certificate)
[192.168.205.11]
:
192.168.205.11
......

We have specified the remote IP address and the user. Remember that the root user is required for the installation and configuration to succeed.

Sit back and relax as you wait for the process to complete. If all goes well, the playbook finishes successfully.

If you encounter an error along the way, troubleshoot it and run the commands below before you restart the installation:

sudo rm -rf /etc/wireguard/*.lock
rm -rf configs/192.168.205.11

After this, you will have connection profiles created in the Algo directory you cloned, under configs/IP_Address/wireguard/, for example:

$ ls  configs/192.168.205.11/wireguard/
admin.conf  admin.png  apple  sample.conf  sample.png  test.conf  test.png

You can view the content of any of these files:

$ cat configs/192.168.205.11/wireguard/admin.conf 
[Interface]
PrivateKey = 4KYCcDD0GYiRH0MO5gCgFxdxtQ5qj6X8V1e15uL+n3o=
Address = 10.49.0.4 
DNS =  172.25.97.255 

[Peer]
PublicKey = /3OF6hbKH1/fZyTlPCv2WAMSjckonfbO6cgHrZoxaHM=
PresharedKey = UjTv+rsnfedqiLbaapg9+MGSCPbcY6wdOntgwdfCZb0=
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = 192.168.205.11:51820

These files contain all you need to set up the WireGuard VPN Client. The PNG files contain QR codes that can be scanned and used by the client to connect to the VPN server.
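
Before handing a generated profile to a user it is worth checking it mechanically. The following Python script is an added example, not part of this guide or of the Algo project: it parses a client .conf of the shape shown above and reports anything a practitioner would want to know about before use, namely that every key decodes to exactly 32 bytes, that a PresharedKey is present, that AllowedIPs routes all IPv4 and IPv6 traffic into the tunnel (a split-tunnel profile leaks traffic outside the VPN), that a DNS resolver is set, and that Endpoint is a host:port pair. The two embedded profiles are constructed for the example, with dummy keys; they are not copied from the output above.

```python
"""Parse and sanity-check a WireGuard client profile (added example, not Algo code).
Sample profiles below are constructed; the keys are dummy 32-byte values."""
import base64
import binascii
import ipaddress
from typing import Dict, List, Tuple

# Constructed dummy keys: 32 bytes each, base64-encoded (44 characters).
_DUMMY_PRIV = base64.b64encode(bytes([0x11] * 32)).decode()
_DUMMY_PUB = base64.b64encode(bytes([0x22] * 32)).decode()
_DUMMY_PSK = base64.b64encode(bytes([0x33] * 32)).decode()

# Constructed profile mirroring the layout of an Algo-generated client .conf.
GOOD_CONF = f"""
[Interface]
PrivateKey = {_DUMMY_PRIV}
Address = 10.49.0.4
DNS = 172.25.97.255

[Peer]
PublicKey = {_DUMMY_PUB}
PresharedKey = {_DUMMY_PSK}
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = 192.168.205.11:51820
"""

# Constructed profile with defects: truncated key, no DNS, no PSK, split tunnel.
BAD_CONF = f"""
[Interface]
PrivateKey = {_DUMMY_PRIV[:20]}
Address = 10.49.0.4

[Peer]
PublicKey = {_DUMMY_PUB}
AllowedIPs = 10.49.0.0/16
Endpoint = 192.168.205.11:51820
"""


def parse_wg_conf(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Return (section, {key: value}) pairs in file order. Hand-rolled because
    [Peer] may legitimately repeat, which configparser rejects."""
    sections: List[Tuple[str, Dict[str, str]]] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # wg-quick strips '#' comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            sections.append(current)
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))  # keys end in '='
            current[1][key] = value
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return sections


def _is_wg_key(value: str) -> bool:
    """A WireGuard key is 32 raw bytes, so 44 base64 characters."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def check_client_profile(text: str) -> List[str]:
    """Return a list of findings; an empty list means the profile passed."""
    findings: List[str] = []
    sections = parse_wg_conf(text)
    iface = next((body for name, body in sections if name == "Interface"), {})
    peers = [body for name, body in sections if name == "Peer"]
    if not iface:
        findings.append("no [Interface] section")
    if not peers:
        findings.append("no [Peer] section")
    if not _is_wg_key(iface.get("PrivateKey", "")):
        findings.append("Interface.PrivateKey is not a valid 32-byte base64 key")
    for addr in iface.get("Address", "").split(","):
        try:
            ipaddress.ip_interface(addr.strip())
        except ValueError:
            findings.append(f"Interface.Address invalid: {addr.strip()!r}")
    if "DNS" not in iface:
        findings.append("Interface.DNS missing: client keeps its existing resolver")
    for idx, peer in enumerate(peers):
        label = f"Peer[{idx}]"
        if not _is_wg_key(peer.get("PublicKey", "")):
            findings.append(f"{label}.PublicKey is not a valid 32-byte base64 key")
        if not _is_wg_key(peer.get("PresharedKey", "")):
            findings.append(f"{label}.PresharedKey missing or invalid (Algo sets one)")
        nets = []
        for cidr in filter(None, (c.strip() for c in peer.get("AllowedIPs", "").split(","))):
            try:
                nets.append(ipaddress.ip_network(cidr, strict=False))
            except ValueError:
                findings.append(f"{label}.AllowedIPs invalid: {cidr!r}")
        if not all(any(n.version == v and n.prefixlen == 0 for n in nets) for v in (4, 6)):
            findings.append(f"{label}.AllowedIPs is not a full tunnel (needs 0.0.0.0/0 and ::/0)")
        host, sep, port = peer.get("Endpoint", "").rpartition(":")
        if not (sep and host and port.isdigit() and 0 < int(port) < 65536):
            findings.append(f"{label}.Endpoint must be host:port")
    return findings


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check_client_profile(conf) or "OK")
```

To check a real profile, read its contents into a string (for example `check_client_profile(open("configs/192.168.205.11/wireguard/admin.conf").read())`) and treat any returned finding as a reason to regenerate the profile rather than distribute it.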

The WireGuard and IPsec VPN server should also be set up on the remote host. On the managed node, verify by running:

sudo wg

Step 5 – Connect to VPN server on Linux

To verify if the installation is working, I will proceed and set up the WireGuard VPN Client. Using the user files above, you can connect to the VPN endpoint on the remote system.

The WireGuard client can be installed on your Linux or macOS system as illustrated on the official WireGuard installation instructions page.

Once installed, create a configuration file:

sudo vim /etc/wireguard/wgvpn.conf

Add the lines from the generated user file, for example admin.conf:

[Interface]
PrivateKey = 4KYCcDD0GYiRH0MO5gCgFxdxtQ5qj6X8V1e15uL+n3o=
Address = 10.49.0.4 
DNS =  172.25.97.255 

[Peer]
PublicKey = /3OF6hbKH1/fZyTlPCv2WAMSjckonfbO6cgHrZoxaHM=
PresharedKey = UjTv+rsnfedqiLbaapg9+MGSCPbcY6wdOntgwdfCZb0=
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = 192.168.205.11:51820

Save the file and reboot the system:

sudo reboot

Once the system boots, start the interface:

$ sudo wg-quick up wgvpn
[#] ip link add wgvpn type wireguard
[#] wg setconf wgvpn /dev/fd/63
[#] ip -4 address add 10.49.0.4 dev wgvpn
[#] ip link set mtu 1420 up dev wgvpn
[#] mount `172.25.97.255' /etc/resolv.conf
[#] wg set wgvpn fwmark 51820
[#] ip -6 route add ::/0 dev wgvpn table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] nft -f /dev/fd/63
[#] ip -4 route add 0.0.0.0/0 dev wgvpn table 51820
[#] ip -4 rule add not fwmark 51820 table 51820

On Debian/Ubuntu, you need to install the package below. Otherwise, you will get the error “resolvconf: command not found”.

sudo apt install openresolv

Once started, verify if the interface is running:

sudo wg

I hope this was significant.

A systems engineer with excellent skills in systems administration, cloud computing, systems deployment, virtualization, containers, and a certified ethical hacker.