From 5be8955ff5ea93a1c2ca023f60a2fd1bd998ff7c Mon Sep 17 00:00:00 2001 From: Haitao Pan Date: Sun, 6 Apr 2025 17:50:32 +0800 Subject: [PATCH] feat: enhance WireGuard VPN Overlay deployment and DNAT support MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Changes: - Fixed wg0.conf.j2 template variables - Refactored wireguard/site logic to support dynamic peer/key selection - Updated defaults, playbook entry, and install script for consistency Tested: ✅ NodePort 443 + DNAT verified from master/slave nodes and external curl --- .../vhosts/common/files/install-packages.sh | 2 +- .../wireguard/site/defaults/main.yml | 9 +++- .../vpn-overlay/wireguard/site/tasks/main.yml | 44 ++++++++++++++----- .../wireguard/site/templates/wg0.conf.j2 | 10 +++-- ansible/playbooks/vpn-wireguard-site.yaml | 6 +-- config/sit/vpn-keys.yaml | 11 ++++- config/sit/vpn-overlay.yaml | 14 +++--- scripts/run.sh | 8 ++-- 8 files changed, 72 insertions(+), 32 deletions(-) diff --git a/ansible/playbooks/roles/vhosts/common/files/install-packages.sh b/ansible/playbooks/roles/vhosts/common/files/install-packages.sh index e3967b6e..982db402 100644 --- a/ansible/playbooks/roles/vhosts/common/files/install-packages.sh +++ b/ansible/playbooks/roles/vhosts/common/files/install-packages.sh @@ -2,4 +2,4 @@ export DEBIAN_FRONTEND=noninteractive sudo apt-get update -sudo apt-get install -y vim iputils-ping rsync +sudo apt-get install -y vim iputils-ping rsync wireguard-tools diff --git a/ansible/playbooks/roles/vhosts/vpn-overlay/wireguard/site/defaults/main.yml b/ansible/playbooks/roles/vhosts/vpn-overlay/wireguard/site/defaults/main.yml index 6c5b4ae1..d61f1bac 100644 --- a/ansible/playbooks/roles/vhosts/vpn-overlay/wireguard/site/defaults/main.yml +++ b/ansible/playbooks/roles/vhosts/vpn-overlay/wireguard/site/defaults/main.yml @@ -1,3 +1,8 @@ -wg_config_path: "/etc/wireguard/wg0.conf" wg_interface: "wg0" -wg_port: "{{ overlay_data.hub_port | default(51820) }}" + +# 默认配置文件路径,可在 playbook 中覆盖 +overlay_config_path: "{{ playbook_dir }}/../../config/sit/vpn-overlay.yaml" +overlay_keys_path: "{{ playbook_dir }}/../../config/sit/vpn-keys.yaml" + +# WireGuard 默认端口(若 overlay_data.hub_port 未定义) +wg_port: "51820" diff --git a/ansible/playbooks/roles/vhosts/vpn-overlay/wireguard/site/tasks/main.yml b/ansible/playbooks/roles/vhosts/vpn-overlay/wireguard/site/tasks/main.yml index 1df80855..eeff3664 100644 --- a/ansible/playbooks/roles/vhosts/vpn-overlay/wireguard/site/tasks/main.yml +++ b/ansible/playbooks/roles/vhosts/vpn-overlay/wireguard/site/tasks/main.yml @@ -1,27 +1,47 @@ --- -- name: 加载 overlay 配置 +- name: 加载 overlay 配置(标准 YAML) set_fact: overlay_data: "{{ lookup('file', overlay_config_path) | from_yaml }}" -- name: 加载密钥配置 - set_fact: - overlay_keys: "{{ lookup('file', overlay_keys_path) | from_yaml }}" +- name: 加载密钥配置(支持 !vault) + include_vars: + file: "{{ overlay_keys_path }}" + name: overlay_keys - name: 提取当前节点信息(作为 current) set_fact: - current_node: "{{ (overlay_data.sites + overlay_data.hubs) | selectattr('name', 'equalto', inventory_hostname) | list | first }}" - current_key: "{{ overlay_keys.keys | selectattr('name', 'equalto', inventory_hostname) | list | first }}" + current_node: >- + {{ (overlay_data.sites + overlay_data.hubs) + | selectattr('name', 'equalto', inventory_hostname) + | list | first }} + current_key: >- + {{ overlay_keys['keys'] + | selectattr('name', 'equalto', inventory_hostname) + | list | first }} -- name: 提取对端 peer 节点信息 +- name: 提取对端 peer 节点列表 set_fact: - peer_node: "{{ (overlay_data.sites + overlay_data.hubs) | selectattr('name', 'equalto', current_node.wireguard_peer) | list | first }}" - peer_key: "{{ overlay_keys.keys | selectattr('name', 'equalto', current_node.wireguard_peer) | list | first }}" + peer_node_list: "{{ (overlay_data.sites + overlay_data.hubs) | selectattr('name', 'equalto', current_node.wireguard_peer) | list }}" + peer_key_list: "{{ overlay_keys['keys'] | selectattr('name', 'equalto', current_node.wireguard_peer) | list }}" -- name: 生成 WireGuard 参数 +- name: 校验 wireguard_peer 是否匹配成功 + fail: + msg: "未找到对端节点 '{{ current_node.wireguard_peer }}' 或其密钥" + when: peer_node_list | length == 0 or peer_key_list | length == 0 + +- name: 设置对端节点与密钥 set_fact: + peer_nodes: "{{ peer_node_list }}" + peer_keys: "{{ peer_key_list }}" + +- name: 提取最终配置变量(私钥、公钥、端口等) + set_fact: + wg_port: "{{ wg_port }}" current_wg_ip: "{{ current_node.wg_ip }}" - peer_allowed_ips: "{{ peer_node.wg_ip }}/32" - peer_endpoint: "{{ peer_node.public_ip }}:{{ overlay_data.hub_port | default(51820) }}" + current_private_key: "{{ current_key.private_key }}" + current_allowed_ips: "{{ current_node.allowed_ips }}" + peer_public_key: "{{ peer_keys[0].public_key }}" + peer_endpoint: "{{ peer_nodes[0].public_ip }}:{{ overlay_data.hub_port | default(wg_port) }}" - name: 渲染 wg0.conf template: diff --git a/ansible/playbooks/roles/vhosts/vpn-overlay/wireguard/site/templates/wg0.conf.j2 b/ansible/playbooks/roles/vhosts/vpn-overlay/wireguard/site/templates/wg0.conf.j2 index d305f5b2..a065f004 100644 --- a/ansible/playbooks/roles/vhosts/vpn-overlay/wireguard/site/templates/wg0.conf.j2 +++ b/ansible/playbooks/roles/vhosts/vpn-overlay/wireguard/site/templates/wg0.conf.j2 @@ -1,10 +1,12 @@ [Interface] -PrivateKey = {{ current_key.private_key }} +PrivateKey = {{ current_private_key }} Address = {{ current_wg_ip }}/32 -ListenPort = {{ overlay_data.hub_port }} +ListenPort = {{ wg_port }} +DNS = 8.8.8.8 +MTU = 1400 [Peer] -PublicKey = {{ peer_key.public_key }} -AllowedIPs = {{ peer_allowed_ips }} +PublicKey = {{ peer_public_key }} +AllowedIPs = {{ current_allowed_ips }} Endpoint = {{ peer_endpoint }} PersistentKeepalive = 25 diff --git a/ansible/playbooks/vpn-wireguard-site.yaml b/ansible/playbooks/vpn-wireguard-site.yaml index 084c8b80..cf5bdafa 100644 --- a/ansible/playbooks/vpn-wireguard-site.yaml +++ b/ansible/playbooks/vpn-wireguard-site.yaml @@ -1,8 +1,8 @@ - name: Setup WireGuard for site - hosts: overlay_sites + hosts: all become: true vars: - overlay_config_path: "config/sit/vpn-overlay.yaml" - overlay_keys_path: "config/sit/vpn-keys.yaml" + overlay_config_path: "{{ playbook_dir }}/../../config/sit/vpn-overlay.yaml" + overlay_keys_path: "{{ playbook_dir }}/../../config/sit/vpn-keys.yaml" roles: - vhosts/vpn-overlay/wireguard/site diff --git a/config/sit/vpn-keys.yaml b/config/sit/vpn-keys.yaml index 1a34e287..82955714 100644 --- a/config/sit/vpn-keys.yaml +++ b/config/sit/vpn-keys.yaml @@ -25,8 +25,15 @@ keys: private_key: public_key: - - name: hub1 - private_key: + - name: hub-1 + private_key: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 33643635306332303761356562383035353333373234393132313162613834323963313635326562 + 3932356235303234356561623762393862666438386565310a376235306238343139386532336162 + 65623164666665353435653432396530303634666438656566656466643866366139613961363631 + 6363306631393038320a613163313338313237383837303966356333303737643331616433396430 + 33316331333766613438356462313130326433363961316162313761616561616466363939613033 + 3837623938376434656434386135333739613939653133373733 public_key: !vault | $ANSIBLE_VAULT;1.1;AES256 38336537383061383333643431643261343739323864316235303366623930633366336139386636 diff --git a/config/sit/vpn-overlay.yaml b/config/sit/vpn-overlay.yaml index b070cc36..01f4dc19 100644 --- a/config/sit/vpn-overlay.yaml +++ b/config/sit/vpn-overlay.yaml @@ -14,10 +14,10 @@ features: # WireGuard Hub 节点配置 hubs: - - name: hub1 - wg_ip: 10.100.0.1 + - name: hub-1 + wg_ip: 10.255.0.1 br_ip: 172.16.0.1 - public_ip: hub1.example.com + public_ip: global-proxy.onwalk.net - name: hub2 wg_ip: 10.100.1.1 @@ -28,8 +28,10 @@ hubs: sites: - name: master-1 interface: ens5 + allowed_ips: "10.255.0.0/16,10.253.0.0/16" wireguard_peer: hub-1 - br_ip: 10.253.253.2 + wg_ip: 10.255.0.200 + br_ip: 172.16.0.2 local_ip: 10.255.0.200 remote_ip: 10.255.0.100 vless: @@ -42,7 +44,9 @@ sites: - name: slave-1 interface: ens5 wireguard_peer: hub-1 - br_ip: 10.253.253.3 + allowed_ips: "10.255.0.0/16,10.253.0.0/16" + br_ip: 172.16.0.2 + wg_ip: 10.255.0.100 local_ip: 10.255.0.100 remote_ip: 10.255.0.200 vless: diff --git a/scripts/run.sh b/scripts/run.sh index a42311f4..18e8809d 100644 --- a/scripts/run.sh +++ b/scripts/run.sh @@ -262,12 +262,14 @@ pulumi_run() { # ========== 执行 Ansible ========== run_ansible() { - if [ ! -f scripts/inventory.py ]; then - echo "❌ 未找到 scripts/inventory.py" + if [ ! -f scripts/dynamic_inventory.py ]; then + echo "❌ 未找到 scripts/dynamic_inventory.py" exit 1 fi echo "🧪 执行 Ansible Playbook" - ansible-playbook -i scripts/inventory.py "$ANSIBLE_DIR/playbooks/setup.yml" + ansible-playbook -i scripts/dynamic_inventory.py ansible/playbooks/common_setup.yml -D + ansible-playbook -i scripts/dynamic_inventory.py ansible/playbooks/vpn-wireguard-site.yaml -D -l slave-1,master-1 + ansible-playbook -i scripts/dynamic_inventory.py ansible/playbooks/vpn-overlay.yaml -D -l slave-1,master-1 } # ========== 分发 ==========