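# Installs strongSwan, deploys certificates, the IPsec private key and the
# charon/ipsec configuration, then turns the host into a router that forwards
# VPN traffic (sysctl + iptables mangle chain + policy routing).
- name: Update apt cache
  apt:
    update_cache: true

- name: Install VPN package requirements
  apt:
    # NOTE(review): variable name kept exactly as it is referenced elsewhere in
    # the role; if it is ever corrected, rename it in every place at once.
    name: "{{ strongswan_requeriments }}"
    state: present
    install_recommends: false

- name: Create directory /var/log/strongswan
  file:
    path: /var/log/strongswan
    state: directory
    owner: root
    group: root
    mode: '0755'

# no_log keeps the looped file contents out of the task output.
- name: Insert certificates
  no_log: true
  copy:
    content: "{{ item.content }}"
    dest: "{{ item.dest }}"
    owner: root
    group: root
    mode: "{{ item.mode }}"
  loop: "{{ certificates }}"

# no_log: without it the key material shows up in verbose and --diff output.
- name: Add private key
  no_log: true
  copy:
    content: "{{ lookup(passbolt, 'ipsec_private_key', folder_parent_id=passbolt_folder).description }}"
    dest: /etc/ipsec.d/private/key.pem
    owner: root
    group: root
    # NOTE(review): the key is left group-readable as in the original; confirm
    # that group access is actually needed, otherwise u=r,g=,o= is tighter.
    mode: u=r,g=r,o=

- name: Configure ipsec and charon
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: root
    group: root
    mode: "{{ item.mode }}"
  loop: "{{ config_ipsec_files }}"
  notify: restart-ipsec

- name: Copy Configure file and logrotate Charon
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: root
    group: root
    mode: u=rw,g=r,o=r
  loop: "{{ config_and_logrotate }}"
  notify: restart-ipsec

- name: IP forward as a router
  sysctl:
    name: net.ipv4.ip_forward
    value: "1"
    state: present
    sysctl_set: true
    reload: true

- name: Add iptables rules in rules.v4 file
  blockinfile:
    path: /etc/iptables/rules.v4
    marker: "# {mark} ANSIBLE-MANAGED MANGLE CHAIN"
    block: "{{ mangle_block }}"
  register: iptables

# Only reload when the rules file was actually rewritten.
- name: Reload iptables rules
  command: netfilter-persistent reload
  when: iptables is changed

# Read-only query: never report it as a change, and run it in check mode too so
# the set_fact below still has input.
- name: Get default IPv4 interface
  command: ip -o -4 route show default
  register: default_route
  changed_when: false
  check_mode: false

# `ip -o route` prints "default via <gw> dev <iface> proto ... metric <n>": the
# interface is the token after "dev", not the last token of the line (which is
# the metric value whenever one is printed).
- name: Extract interface default name
  set_fact:
    active_interface: "{{ default_route.stdout.split('dev ')[1].split()[0] }}"

- name: Routing table for VPN
  lineinfile:
    path: /etc/iproute2/rt_tables
    line: "10 vpn"
    state: present
    # Anchored so that tables whose name merely contains "vpn" are not replaced.
    regexp: '^\s*\d+\s+vpn\s*$'

# NOTE(review): with insertafter each looped line is placed directly after the
# "dhcp" match, so the entries end up in reverse loop order — verify that the
# static_routes lines are order-independent.
- name: Static routing rules to send VPN traffic directly to the firewall
  lineinfile:
    path: /etc/network/interfaces
    insertafter: "dhcp"
    line: "{{ item }}"
    state: present
  loop: "{{ static_routes }}"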