Michael Schiemer
55a330b223
- Add DISCOVERY_LOG_LEVEL=debug - Add DISCOVERY_SHOW_PROGRESS=true - Temporary changes for debugging InitializerProcessor fixes on production
85 lines
2.4 KiB
YAML
85 lines
2.4 KiB
YAML
---
|
|
# Netzwerk-Konfiguration für WireGuard (ohne Firewall)
|
|
- name: Aktiviere IP-Forwarding
|
|
sysctl:
|
|
name: net.ipv4.ip_forward
|
|
value: '1'
|
|
state: present
|
|
sysctl_set: true
|
|
reload: true
|
|
|
|
- name: Installiere iptables-persistent für dauerhafte Regeln
|
|
apt:
|
|
name: iptables-persistent
|
|
state: present
|
|
|
|
- name: Prüfe ob WireGuard-NAT-Regel bereits existiert
|
|
shell: iptables -t nat -C POSTROUTING -o {{ wireguard_exit_interface }} -s {{ wireguard_network }} -j MASQUERADE
|
|
register: nat_rule_exists
|
|
ignore_errors: true
|
|
changed_when: false
|
|
|
|
- name: Setze NAT-Regel für WireGuard-Traffic
|
|
iptables:
|
|
table: nat
|
|
chain: POSTROUTING
|
|
out_interface: "{{ wireguard_exit_interface }}"
|
|
source: "{{ wireguard_network }}"
|
|
jump: MASQUERADE
|
|
comment: "WireGuard VPN NAT"
|
|
when: nat_rule_exists.rc != 0
|
|
|
|
- name: Prüfe ob FORWARD-Regel für WireGuard eingehend existiert
|
|
shell: iptables -C FORWARD -i {{ wireguard_interface }} -j ACCEPT
|
|
register: forward_in_exists
|
|
ignore_errors: true
|
|
changed_when: false
|
|
|
|
- name: Erlaube FORWARD von WireGuard-Interface
|
|
iptables:
|
|
chain: FORWARD
|
|
in_interface: "{{ wireguard_interface }}"
|
|
jump: ACCEPT
|
|
comment: "Allow WireGuard traffic in"
|
|
when: forward_in_exists.rc != 0
|
|
|
|
- name: Prüfe ob FORWARD-Regel für WireGuard ausgehend existiert
|
|
shell: iptables -C FORWARD -o {{ wireguard_interface }} -j ACCEPT
|
|
register: forward_out_exists
|
|
ignore_errors: true
|
|
changed_when: false
|
|
|
|
- name: Erlaube FORWARD zu WireGuard-Interface
|
|
iptables:
|
|
chain: FORWARD
|
|
out_interface: "{{ wireguard_interface }}"
|
|
jump: ACCEPT
|
|
comment: "Allow WireGuard traffic out"
|
|
when: forward_out_exists.rc != 0
|
|
|
|
- name: Speichere iptables-Regeln permanent
|
|
shell: |
|
|
iptables-save > /etc/iptables/rules.v4
|
|
ip6tables-save > /etc/iptables/rules.v6
|
|
|
|
- name: Zeige WireGuard-relevante iptables-Regeln
|
|
shell: |
|
|
echo "=== NAT Rules ==="
|
|
iptables -t nat -L POSTROUTING -n | grep {{ wireguard_network.split('/')[0] }}
|
|
echo "=== FORWARD Rules ==="
|
|
iptables -L FORWARD -n | grep {{ wireguard_interface }}
|
|
register: wg_rules
|
|
changed_when: false
|
|
ignore_errors: true
|
|
|
|
- name: Debug WireGuard-Netzwerk-Konfiguration
|
|
debug:
|
|
msg: |
|
|
✅ WireGuard-Netzwerk konfiguriert
|
|
✅ IP-Forwarding aktiviert
|
|
✅ NAT für VPN-Clients aktiviert
|
|
✅ Server bleibt öffentlich erreichbar
|
|
✅ VPN-Clients können ins Internet
|
|
|
|
{{ wg_rules.stdout }}
|