Marek Kuethe
8aeff4a09f
add new peer
|
1 month ago | |
|---|---|---|
| group_vars | 4 months ago | |
| host_vars | 1 month ago | |
| roles | 3 months ago | |
| .gitignore | 4 months ago | |
| LICENSE | 4 months ago | |
| README.md | 4 months ago | |
| ansible.cfg | 4 months ago | |
| inventory.yml | 4 months ago | |
| pw_file.sh | 4 months ago | |
| update.yml | 3 months ago | |
| vpn.mk16.de.yml | 4 months ago |
README.md
vpn.mk16.de
This Ansible profile describes a VPN server based on VyOS. This has one IPv4 and one IPv6. Furthermore, it has a /64 subnet. It is connected to the dnet (dn42 + NeoNetwork + CRXN) via BGP with BFD.
Roles:
basics- Increases the commit revision, sets the system name and domain, removes the motd message, and enables system reboot on kernel panic.connection- Configures DNS servers and the IP addresses and routes to access the Internet.dnet- Configures the connection between the dnet gateways and sets the appropriate settings.dns-forwarding- Activates a DNS forwarding service to the system DNS servers and enables it for the clients.firewall- Configures the firewall. It is especially important that no firewall rule number is used twice. Because of the rule numbering, all firewall settings are made in this role.network-tweaks- Increases some kernel limits for better performance.roadwarriar-vpn- Core module for the VPN server. Sets up the WireGuard clients and associated rules. Without this module, thednetmodule will not work.save-configuration- Saves the current configuration. (This could also be outsourced to a handler).ssh- Enables SSHssh-ddos- Enables SSH brute force protection, similar to fail2ban.ssh-keys- Installs my SSH keysssh-secure- Limits the use of the algorithms with SSH to a safe minimum (only chacha20 with poly1305, AES256-GCM, no Diffle-Hellman, only Curve25519-SHA256, HMAC-sha2-512, umac-128) Maybe disable umac?!