feat: enhance WireGuard VPN Overlay deployment and DNAT support

Changes: - Fixed wg0.conf.j2 template variables - Refactored wireguard/site logic to support dynamic peer/key selection - Updated defaults, playbook entry, and install script for consistency Tested: ✅ NodePort 443 + DNAT verified from master/slave nodes and external curl
2025-04-06 17:50:32 +08:00 · 2025-04-06 17:50:32 +08:00 · 5be8955ff5
commit 5be8955ff5
parent 31c915eb1f
8 changed files with 72 additions and 32 deletions
--- a/ansible/playbooks/roles/vhosts/common/files/install-packages.sh
+++ b/ansible/playbooks/roles/vhosts/common/files/install-packages.sh
@ -2,4 +2,4 @@

 export DEBIAN_FRONTEND=noninteractive
 sudo apt-get update
-sudo apt-get install -y vim iputils-ping rsync
+sudo apt-get install -y vim iputils-ping rsync wireguard-tools
--- a/ansible/playbooks/roles/vhosts/vpn-overlay/wireguard/site/defaults/main.yml
+++ b/ansible/playbooks/roles/vhosts/vpn-overlay/wireguard/site/defaults/main.yml
@ -1,3 +1,8 @@
-wg_config_path: "/etc/wireguard/wg0.conf"
 wg_interface: "wg0"
-wg_port: "{{ overlay_data.hub_port | default(51820) }}"
+
+# 默认配置文件路径，可在 playbook 中覆盖
+overlay_config_path: "{{ playbook_dir }}/../../config/sit/vpn-overlay.yaml"
+overlay_keys_path: "{{ playbook_dir }}/../../config/sit/vpn-keys.yaml"
+
+# WireGuard 默认端口（若 overlay_data.hub_port 未定义）
+wg_port: "51820"
--- a/ansible/playbooks/roles/vhosts/vpn-overlay/wireguard/site/tasks/main.yml
+++ b/ansible/playbooks/roles/vhosts/vpn-overlay/wireguard/site/tasks/main.yml
@ -1,27 +1,47 @@
 ---
- name: 加载 overlay 配置
+- name: 加载 overlay 配置（标准 YAML）
  set_fact:
    overlay_data: "{{ lookup('file', overlay_config_path) | from_yaml }}"

- name: 加载密钥配置
-  set_fact:
-    overlay_keys: "{{ lookup('file', overlay_keys_path) | from_yaml }}"
+- name: 加载密钥配置（支持 !vault）
+  include_vars:
+    file: "{{ overlay_keys_path }}"
+    name: overlay_keys

 - name: 提取当前节点信息（作为 current）
  set_fact:
-    current_node: "{{ (overlay_data.sites + overlay_data.hubs) | selectattr('name', 'equalto', inventory_hostname) | list | first }}"
-    current_key: "{{ overlay_keys.keys | selectattr('name', 'equalto', inventory_hostname) | list | first }}"
+    current_node: >-
+      {{ (overlay_data.sites + overlay_data.hubs)
+         | selectattr('name', 'equalto', inventory_hostname)
+         | list | first }}
+    current_key: >-
+      {{ overlay_keys['keys']
+         | selectattr('name', 'equalto', inventory_hostname)
+         | list | first }}

- name: 提取对端 peer 节点信息
+- name: 提取对端 peer 节点列表
  set_fact:
-    peer_node: "{{ (overlay_data.sites + overlay_data.hubs) | selectattr('name', 'equalto', current_node.wireguard_peer) | list | first }}"
-    peer_key: "{{ overlay_keys.keys | selectattr('name', 'equalto', current_node.wireguard_peer) | list | first }}"
+    peer_node_list: "{{ (overlay_data.sites + overlay_data.hubs) | selectattr('name', 'equalto', current_node.wireguard_peer) | list }}"
+    peer_key_list: "{{ overlay_keys['keys'] | selectattr('name', 'equalto', current_node.wireguard_peer) | list }}"

- name: 生成 WireGuard 参数
+- name: 校验 wireguard_peer 是否匹配成功
+  fail:
+    msg: "未找到对端节点 '{{ current_node.wireguard_peer }}' 或其密钥"
+  when: peer_node_list | length == 0 or peer_key_list | length == 0
+
+- name: 设置对端节点与密钥
  set_fact:
+    peer_nodes: "{{ peer_node_list }}"
+    peer_keys: "{{ peer_key_list }}"
+
+- name: 提取最终配置变量（私钥、公钥、端口等）
+  set_fact:
+    wg_port: "{{ wg_port }}"
    current_wg_ip: "{{ current_node.wg_ip }}"
-    peer_allowed_ips: "{{ peer_node.wg_ip }}/32"
-    peer_endpoint: "{{ peer_node.public_ip }}:{{ overlay_data.hub_port | default(51820) }}"
+    current_private_key: "{{ current_key.private_key }}"
+    current_allowed_ips: "{{ current_node.allowed_ips }}"
+    peer_public_key: "{{ peer_keys[0].public_key }}"
+    peer_endpoint: "{{ peer_nodes[0].public_ip }}:{{ overlay_data.hub_port | default(wg_port) }}"

 - name: 渲染 wg0.conf
  template:
--- a/ansible/playbooks/roles/vhosts/vpn-overlay/wireguard/site/templates/wg0.conf.j2
+++ b/ansible/playbooks/roles/vhosts/vpn-overlay/wireguard/site/templates/wg0.conf.j2
@ -1,10 +1,12 @@
 [Interface]
-PrivateKey = {{ current_key.private_key }}
+PrivateKey = {{ current_private_key }}
 Address = {{ current_wg_ip }}/32
-ListenPort = {{ overlay_data.hub_port }}
+ListenPort = {{ wg_port }}
+DNS = 8.8.8.8
+MTU = 1400

 [Peer]
-PublicKey = {{ peer_key.public_key }}
-AllowedIPs = {{ peer_allowed_ips }}
+PublicKey = {{ peer_public_key }}
+AllowedIPs = {{ current_allowed_ips }}
 Endpoint = {{ peer_endpoint }}
 PersistentKeepalive = 25
--- a/ansible/playbooks/vpn-wireguard-site.yaml
+++ b/ansible/playbooks/vpn-wireguard-site.yaml
@ -1,8 +1,8 @@
 - name: Setup WireGuard for site
-  hosts: overlay_sites
+  hosts: all
  become: true
  vars:
-    overlay_config_path: "config/sit/vpn-overlay.yaml"
-    overlay_keys_path: "config/sit/vpn-keys.yaml"
+    overlay_config_path: "{{ playbook_dir }}/../../config/sit/vpn-overlay.yaml"
+    overlay_keys_path: "{{ playbook_dir }}/../../config/sit/vpn-keys.yaml"
  roles:
    - vhosts/vpn-overlay/wireguard/site
--- a/config/sit/vpn-keys.yaml
+++ b/config/sit/vpn-keys.yaml
@ -25,8 +25,15 @@ keys:
    private_key: <site_c_private_key>
    public_key: <site_c_public_key>

-  - name: hub1
-    private_key: <hub1_private_key>
+  - name: hub-1
+    private_key: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          33643635306332303761356562383035353333373234393132313162613834323963313635326562
+          3932356235303234356561623762393862666438386565310a376235306238343139386532336162
+          65623164666665353435653432396530303634666438656566656466643866366139613961363631
+          6363306631393038320a613163313338313237383837303966356333303737643331616433396430
+          33316331333766613438356462313130326433363961316162313761616561616466363939613033
+          3837623938376434656434386135333739613939653133373733
    public_key: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          38336537383061383333643431643261343739323864316235303366623930633366336139386636
--- a/config/sit/vpn-overlay.yaml
+++ b/config/sit/vpn-overlay.yaml
@ -14,10 +14,10 @@ features:

 # WireGuard Hub 节点配置
 hubs:
-  - name: hub1
-    wg_ip: 10.100.0.1
+  - name: hub-1
+    wg_ip: 10.255.0.1
    br_ip: 172.16.0.1
-    public_ip: hub1.example.com
+    public_ip: global-proxy.onwalk.net

  - name: hub2
    wg_ip: 10.100.1.1
@ -28,8 +28,10 @@ hubs:
 sites:
  - name: master-1
    interface: ens5
+    allowed_ips: "10.255.0.0/16,10.253.0.0/16"
    wireguard_peer: hub-1
-    br_ip: 10.253.253.2
+    wg_ip: 10.255.0.200
+    br_ip: 172.16.0.2
    local_ip: 10.255.0.200
    remote_ip: 10.255.0.100
    vless:
@ -42,7 +44,9 @@ sites:
  - name: slave-1
    interface: ens5
    wireguard_peer: hub-1
-    br_ip: 10.253.253.3
+    allowed_ips: "10.255.0.0/16,10.253.0.0/16"
+    br_ip: 172.16.0.2
+    wg_ip: 10.255.0.100
    local_ip: 10.255.0.100
    remote_ip: 10.255.0.200
    vless:
--- a/scripts/run.sh
+++ b/scripts/run.sh
@ -262,12 +262,14 @@ pulumi_run() {

 # ========== 执行 Ansible ==========
 run_ansible() {
-  if [ ! -f scripts/inventory.py ]; then
-    echo "❌ 未找到 scripts/inventory.py"
+  if [ ! -f scripts/dynamic_inventory.py ]; then
+    echo "❌ 未找到 scripts/dynamic_inventory.py"
    exit 1
  fi
  echo "🧪 执行 Ansible Playbook"
-  ansible-playbook -i scripts/inventory.py "$ANSIBLE_DIR/playbooks/setup.yml"
+    ansible-playbook -i scripts/dynamic_inventory.py ansible/playbooks/common_setup.yml -D
+    ansible-playbook -i scripts/dynamic_inventory.py ansible/playbooks/vpn-wireguard-site.yaml -D -l slave-1,master-1
+    ansible-playbook -i scripts/dynamic_inventory.py ansible/playbooks/vpn-overlay.yaml -D -l slave-1,master-1
 }

 # ========== 分发 ==========