
Marek Küthe 18f203766f Add new client 2 months ago
group_vars b4789e31ac Add new client 4 months ago
host_vars 18f203766f Add new client 2 months ago
roles f759e1f633 Enable dnet dns 3 months ago
.gitignore 4daa9027af Initial commit 1 year ago
LICENSE 4daa9027af Initial commit 1 year ago
README.md d9d7cfab08 bug fixes and add readme 1 year ago
ansible.cfg d9d7cfab08 bug fixes and add readme 1 year ago
inventory.yml 22a4a3522b add new peer 9 months ago
update.yml 53f8823e10 improve scripts 1 year ago
vpn.mk16.de.yml d9d7cfab08 bug fixes and add readme 1 year ago

README.md

vpn.mk16.de

This Ansible profile describes a VPN server based on VyOS. The server has one IPv4 address and one IPv6 address, plus a routed /64 IPv6 subnet. It is connected to the dnet (dn42 + NeoNetwork + CRXN) via BGP with BFD.

Roles:

  • basics - Increases the commit revision, sets the system name and domain, removes the motd message, and enables system reboot on kernel panic.
  • connection - Configures DNS servers and the IP addresses and routes to access the Internet.
  • dnet - Configures the connection between the dnet gateways and sets the appropriate settings.
  • dns-forwarding - Activates a DNS forwarding service to the system DNS servers and enables it for the clients.
  • firewall - Configures the firewall. It is especially important that no firewall rule number is used twice. Because of the rule numbering, all firewall settings are made in this role.
  • network-tweaks - Increases some kernel limits for better performance.
  • roadwarriar-vpn - Core module for the VPN server. Sets up the WireGuard clients and associated rules. Without this module, the dnet module will not work.
  • save-configuration - Saves the current configuration. (This could also be outsourced to a handler).
  • ssh - Enables SSH.
  • ssh-ddos - Enables SSH brute force protection, similar to fail2ban.
  • ssh-keys - Installs my SSH keys.
  • ssh-secure - Limits the algorithms SSH may use to a safe minimum (only chacha20 with poly1305 and AES256-GCM as ciphers, no Diffie-Hellman, only Curve25519-SHA256 for key exchange, HMAC-sha2-512 and umac-128 as MACs). Maybe disable umac?!
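The firewall role relies on no rule number being used twice, because a second role that emits `set firewall ... rule N ...` for the same ruleset silently overwrites or merges with the first. The check below is an added example (not part of this repository) that lints a set of VyOS `set firewall` commands grouped by the role that produced them and reports rule numbers claimed by more than one role; the role names and commands in SAMPLE are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches VyOS firewall rule commands such as
#   set firewall name WAN-LOCAL rule 10 action accept
#   set firewall ipv6-name WAN6-LOCAL rule 20 protocol udp
RULE_RE = re.compile(
    r"^set firewall (?P<family>name|ipv6-name) (?P<ruleset>\S+) rule (?P<num>\d+)\b"
)


def rule_owners(commands_by_role):
    """Map (ruleset, rule number) -> set of roles that define that rule."""
    owners = defaultdict(set)
    for role, commands in commands_by_role.items():
        for cmd in commands:
            m = RULE_RE.match(cmd.strip())
            if m:  # lines that are not rule commands (e.g. default-action) are ignored
                key = (f"{m['family']} {m['ruleset']}", int(m['num']))
                owners[key].add(role)
    return owners


def find_shared_rule_numbers(commands_by_role):
    """Return sorted (ruleset, rule number, roles) for numbers used by more than one role."""
    return sorted(
        (ruleset, num, sorted(roles))
        for (ruleset, num), roles in rule_owners(commands_by_role).items()
        if len(roles) > 1
    )


# Constructed sample: the dnet role reuses rule 10 of WAN-LOCAL, which the firewall role owns.
SAMPLE = {
    "firewall": [
        "set firewall name WAN-LOCAL default-action drop",
        "set firewall name WAN-LOCAL rule 10 action accept",
        "set firewall name WAN-LOCAL rule 10 state established enable",
    ],
    "roadwarriar-vpn": [
        "set firewall name WAN-LOCAL rule 20 action accept",
        "set firewall name WAN-LOCAL rule 20 destination port 51820",
        "set firewall name WAN-LOCAL rule 20 protocol udp",
    ],
    "dnet": [
        "set firewall name WAN-LOCAL rule 10 action accept",  # clashes with the firewall role
        "set firewall name WAN-LOCAL rule 10 destination port 179",
        "set firewall ipv6-name WAN6-LOCAL rule 10 action accept",  # different ruleset, no clash
    ],
}

if __name__ == "__main__":
    for ruleset, num, roles in find_shared_rule_numbers(SAMPLE):
        print(f"{ruleset} rule {num} is defined by several roles: {', '.join(roles)}")
```

Running it against the real roles means feeding each role's generated `set firewall` lines under its role name; an empty result is the property the firewall role description asks for.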