
playing with the firewall config

aeth 9 月之前
父节点
当前提交
5a405df00e

+ 1 - 0
files/vpn/packages.txt

@@ -1,2 +1,3 @@
 firewalld
 wireguard-tools
+ufw
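Review bot: `ufw` is appended below `firewalld`, so the server will have two firewall front-ends installed and managing the same netfilter ruleset; the server task hunk adds ufw rules while `templates/wg0.conf.j2` still runs `firewall-cmd` in PostUp/PostDown, so whichever service starts last can silently override the other's port and masquerade rules. Choose one backend: if the intent is to migrate to ufw, remove `firewalld` from this list and drop the `firewall-cmd` lines from the template in the same change, otherwise keep firewalld and leave this line out. As it stands, which rules are in force after a reboot depends on service start order rather than on this configuration.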

+ 1 - 1
tasks/tasks_machine_configuration/vpn/client/task_machine_configuration.yml

@@ -4,7 +4,7 @@
   ansible.builtin.shell:
     command: "wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey"
 
-- name: "10: Render Client Configuration file"
+
   
 
 
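Review bot: Deleting the `- name: "10: Render Client Configuration file"` line leaves a whitespace-only line in its place (the `  ` line that follows) and nothing visible in the hunk renders the client configuration any more, so the client play now appears to stop after generating the key pair. If the render step is intentionally gone, delete the trailing whitespace and blank lines as well; if it is meant to stay, restore the name line so the task is not lost. The `ansible.builtin.shell` task at the top of the hunk begins outside it.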

+ 10 - 0
tasks/tasks_machine_configuration/vpn/server/task_machine_configuration.yml

@@ -1,4 +1,14 @@
 ---
+- name: "00: UFW configuration"
+  ansible.builtin.command: ufw allow "{{ vpn_server_port }}/udp"
+
+
+- name: "00: more UFW configuration"
+  ansible.builtin.command: ufw allow "OpenSSH"
+
+- name: "10: last UFW configurion i promise"
+  ansible.builtin.command: ufw disable && ufw enable
+
 - name: "00: Create Wireguard directory"
   ansible.builtin.file:
     path: "/etc/wireguard"
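Review bot: `ansible.builtin.command: ufw disable && ufw enable` in the "10: last UFW configurion i promise" task does not go through a shell, so `&&`, `ufw` and `enable` are passed to `ufw disable` as literal arguments; ufw will most likely reject the extra arguments and fail the play, and in no case does the `enable` half run. Even with `ansible.builtin.shell`, the disable/enable cycle drops every rule, including the OpenSSH allow, on each run, and all three `ufw allow` commands report `changed` every time. The `community.general.ufw` module gives idempotent rules and `state: enabled` without the cycle, as below. Separately, two tasks share the `00:` prefix, the third name has a typo (`configurion`), and there is a doubled blank line after the first task.
```yaml
- name: "00: UFW allow WireGuard port"
  community.general.ufw:
    rule: allow
    port: "{{ vpn_server_port }}"
    proto: udp

- name: "01: UFW allow OpenSSH"
  community.general.ufw:
    rule: allow
    name: OpenSSH

- name: "10: UFW enable"
  community.general.ufw:
    state: enabled

# … unchanged: "00: Create Wireguard directory" task …
```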

+ 6 - 0
templates/wg0.conf.j2

@@ -3,6 +3,12 @@ Address = {{ vpn_network_address }}
 SaveConfig = true
 ListenPort = {{ vpn_server_port }}
 PrivateKey = {{ vpn_private_key_content }}
+
+PostUp = ufw route allow in on wg0 out on eth0
+PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
+PreDown = ufw route delete allow in on wg0 out on eth0
+PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
 PostUp     = firewall-cmd --zone=public --add-port {{ vpn_server_port }}/udp && firewall-cmd --zone=public --add-masquerade
 PostDown   = firewall-cmd --zone=public --remove-port {{ vpn_server_port }}/udp && firewall-cmd --zone=public --remove-masquerade