Latest commit: Marek Kuethe 8aeff4a09f "add new peer" (1 month ago)

| File | Last change |
|---|---|
| group_vars | 4 months ago |
| host_vars | 1 month ago |
| roles | 3 months ago |
| .gitignore | 4 months ago |
| LICENSE | 4 months ago |
| README.md | 4 months ago |
| ansible.cfg | 4 months ago |
| inventory.yml | 4 months ago |
| pw_file.sh | 4 months ago |
| update.yml | 3 months ago |
| vpn.mk16.de.yml | 4 months ago |
This Ansible profile describes a VPN server based on VyOS. The server has one IPv4 address and one IPv6 address, plus a /64 IPv6 subnet. It is connected to the dnet (dn42 + NeoNetwork + CRXN) via BGP with BFD.
- `basics`: Increases the commit revision, sets the system name and domain, removes the motd message, and enables system reboot on kernel panic.
- `connection`: Configures DNS servers and the IP addresses and routes needed to reach the Internet.
- `dnet`: Configures the connection to the dnet gateways and sets the appropriate settings.
- `dns-forwarding`: Activates a DNS forwarding service to the system DNS servers and enables it for the clients.
- `firewall`: Configures the firewall. It is especially important that no firewall rule number is used twice; because of this rule numbering, all firewall settings are made in this role.
- `network-tweaks`: Increases some kernel limits for better performance.
- `roadwarriar-vpn`: Core module for the VPN server. Sets up the WireGuard clients and the associated rules. Without this module, the `dnet` module will not work.
- `save-configuration`: Saves the current configuration. (This could also be outsourced to a handler.)
- `ssh`: Enables SSH.
- `ssh-ddos`: Enables SSH brute-force protection, similar to fail2ban.
- `ssh-keys`: Installs my SSH keys.
- `ssh-secure`: Limits the algorithms used by SSH to a safe minimum (only chacha20 with poly1305 and AES256-GCM, no Diffie-Hellman, only Curve25519-SHA256, HMAC-SHA2-512 and umac-128). Maybe disable umac?!
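As an added illustration of why the firewall role above insists on unique rule numbers (this is example code, not part of this repository): a small Python check that collects the VyOS `set firewall ... rule N` lines each role would push and reports rule numbers that more than one role writes to. The command syntax (VyOS 1.3 `firewall name`/`ipv6-name` and 1.4 `firewall ipv4|ipv6 name`), the role-to-rule mapping and the sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Assumed VyOS "set" command shape: 1.3-style "firewall name X rule N" /
# "firewall ipv6-name X rule N" and 1.4-style "firewall ipv4 name X rule N".
RULE_RE = re.compile(
    r"^set firewall (?:(?:ipv4|ipv6) )?(?:name|ipv6-name) (\S+) rule (\d+)\b"
)


def rule_owners(lines_by_role):
    """Map (ruleset, rule number) -> set of roles that write to it.

    lines_by_role: {role_name: [vyos set command, ...]} (assumed layout).
    """
    owners = defaultdict(set)
    for role, lines in lines_by_role.items():
        for line in lines:
            m = RULE_RE.match(line.strip())
            if m:
                owners[(m.group(1), int(m.group(2)))].add(role)
    return owners


def find_collisions(lines_by_role):
    """Return sorted (ruleset, number, roles) entries where more than one role
    writes the same rule number. Several lines from ONE role are normal: in
    VyOS they build up a single rule. Two roles doing it silently merge or
    overwrite each other's rule, which is exactly what the README avoids."""
    return sorted(
        (ruleset, number, sorted(roles))
        for (ruleset, number), roles in rule_owners(lines_by_role).items()
        if len(roles) > 1
    )


# Constructed sample: two roles each claim rule 100 in WAN-IN, one for the
# WireGuard port and one for BGP, and the later one would clobber the first.
SAMPLE = {
    "roadwarriar-vpn": [
        "set firewall name WAN-IN rule 100 action accept",
        "set firewall name WAN-IN rule 100 destination port 51820",
        "set firewall name WAN-IN rule 100 protocol udp",
    ],
    "dnet": [
        "set firewall name WAN-IN rule 100 action accept",
        "set firewall name WAN-IN rule 100 destination port 179",
        "set firewall name WAN-IN rule 100 protocol tcp",
        "set firewall ipv6-name WAN6-IN rule 20 action accept",
    ],
}

if __name__ == "__main__":
    for ruleset, number, roles in find_collisions(SAMPLE):
        print(f"rule {number} in {ruleset} is written by: {', '.join(roles)}")
```

Run over the `lines:` a playbook would hand to `vyos.vyos.vyos_config`, this turns the "never reuse a rule number" convention into a check that fails before anything reaches the router.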