nl2go/ansible-role-vpn-gateway

Repository files navigation

Travis (.org) branch Ansible Galaxy GitHub tag (latest by date) Ansible Galaxy Downloads

Ansible Role: VPN Gateway

An Ansible Role that manages a VPN tunnel setup between two peers based on IPsec / strongSwan and provides gateway related routing configuration.

Role Variables

Available variables are listed below, along with default values (see defaults/main.yml):

vpn_gateway_configs:
  - name: default
    psk: secret

Configuration sets must be defined using the vpn_gateway_configs variable. The name of a configuration set is mandatory and is used for identification. The pre-shared key can be specified using psk.

vpn_gateway_configs:
  - name: default
    state: absent

A specific configuration set can be removed by setting state: absent.

vpn_gateway_configs:
  - name: default
    psk: secret
    params:
      lifetime: 8h

General connection parameters like lifetime may be set within the params section (see ipsec.conf for the full parameter description).

vpn_gateway_configs:
  - name: default
    psk: secret
    local:
      public: 1.1.1.1
      networks:
        - 172.4.0.0/21
    remote:
      public: 1.2.3.4
      networks:
        - 172.240.0.0/21
        - 10.2.0.0/16

A configuration set contains the local and remote peer configuration part.

vpn_gateway_default_config_params:
  type: tunnel
  keyingtries: 0
  ikelifetime: 1h
  lifetime: 8h
  dpddelay: 300s
  dpdtimeout: 120
  dpdaction: clear
  authby: secret
  auto: start
  esp: aes256-sha256-modp3072
  ike: aes256-sha256-modp3072
  keyexchange: ikev2
  leftfirewall: 'yes'
  compress: 'no'
  rekey: 'no'
  fragmentation: 'yes'
  forceencaps: 'yes'

The params within vpn_gateway_configs extend/override the default connection parameters listed above.

vpn_gateway_config_dir: "/etc/ipsec.d/{{ role_name }}"

Defines the custom IPsec configuration directory for isolation purposes.
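To make the merging rules above concrete, here is an added example (not the role's own code) that takes a vpn_gateway_configs entry, applies the defaults from vpn_gateway_default_config_params, enforces the mandatory name and the psk, and renders a strongSwan conn block plus the matching ipsec.secrets line. The exact output layout is an assumption about how the role templates ipsec.conf; the sample entry is constructed from the README examples above.

```python
# Added example, not part of the nl2go.vpn_gateway role. The rendered layout is an
# assumption; the role's own templates are the authoritative format.
DEFAULT_PARAMS = {  # values from vpn_gateway_default_config_params above
    "type": "tunnel", "keyingtries": 0, "ikelifetime": "1h", "lifetime": "8h",
    "dpddelay": "300s", "dpdtimeout": 120, "dpdaction": "clear", "authby": "secret",
    "auto": "start", "esp": "aes256-sha256-modp3072", "ike": "aes256-sha256-modp3072",
    "keyexchange": "ikev2", "leftfirewall": "yes", "compress": "no", "rekey": "no",
    "fragmentation": "yes", "forceencaps": "yes",
}

EXAMPLE_CONFIG = {  # constructed from the README examples; lifetime overrides the default
    "name": "default", "psk": "secret", "params": {"lifetime": "4h"},
    "local": {"public": "1.1.1.1", "networks": ["172.4.0.0/21"]},
    "remote": {"public": "1.2.3.4", "networks": ["172.240.0.0/21", "10.2.0.0/16"]},
}


def merged_params(config, defaults=DEFAULT_PARAMS):
    """Role semantics: params extend/override the default connection parameters."""
    params = dict(defaults)
    params.update(config.get("params", {}))
    return params


def validate(config):
    """name is mandatory; a configuration set that is present needs a psk."""
    if not config.get("name"):
        raise ValueError("configuration set needs a name")
    if config.get("state", "present") == "present" and not config.get("psk"):
        raise ValueError(f"{config['name']}: psk is required")
    return True


def render_conn(config):
    """Render one conn block: local peer becomes left, remote peer becomes right."""
    validate(config)
    lines = [f"conn {config['name']}"]
    for side, peer in (("left", config.get("local")), ("right", config.get("remote"))):
        if peer:  # peer sections are optional in the minimal examples above
            lines.append(f"    {side}={peer['public']}")
            lines.append(f"    {side}subnet={','.join(peer['networks'])}")
    for key, value in merged_params(config).items():
        lines.append(f"    {key}={value}")
    return "\n".join(lines) + "\n"


def render_secret(config):
    """ipsec.secrets entry: both peer addresses select the pre-shared key."""
    validate(config)
    return f"{config['local']['public']} {config['remote']['public']} : PSK \"{config['psk']}\"\n"
```

Calling render_conn(EXAMPLE_CONFIG) shows lifetime=4h while every other parameter keeps its default, which is the extend/override behaviour described above.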

Tags

Tags can be used to limit the role execution to a particular task module. The following tags are available:

  • vpn_gateway: Covers the full role lifecycle.
  • vpn_gateway_validate, validate: Validates given configuration.
  • vpn_gateway_install, install: Installs required packages.
  • vpn_gateway_config, config: Configures required packages.

Dependencies

None.

Example Playbook

- hosts: all
  roles:
     - nl2go.vpn_gateway

Development

Use docker-molecule, following its instructions, to run Molecule, or install Molecule locally (not recommended; version conflicts might appear).

Provide a Hetzner Cloud token:

export HCLOUD_TOKEN=123abc456efg

Use the following command to run the tests:

molecule test --all

Maintainers

License

See the LICENSE.md file for details.

Author Information

This role was created in 2020 by Newsletter2Go GmbH.
