# Network

Our infrastructure may have machines across multiple locations. We need to ensure that all machines can communicate with each other, even when they sit behind NAT. To allow such a configuration we use a VPN, more precisely WireGuard. This has the added advantage that all traffic between nodes is encrypted and authenticated: a node only accepts packets from peers whose public keys are in its configuration.

To keep installation simple, it is handled by [Jawher Moussa's ansible playbook](https://github.com/jawher/automation-wireguard).
## Configuration

When adding a new host to the inventory, add the following entry:

```yaml
all:
  hosts:
    <hostname>:
      wireguard_ip: <wireguard_ip>
      [...]
```
`wireguard_ip` is the host's address on the WireGuard interface, and the address the other nodes use to reach it. It must be unique across the inventory and lie inside the mesh subnet.

It is also recommended to change `wireguard_port` in `inventory/*/group_vars/all.yml` to a random port. This is obfuscation only: it keeps the listener out of scans for the well-known WireGuard port (51820), but WireGuard already stays silent to packets that do not authenticate, so the real protection comes from the peer keys, not from the port number. Whatever firewall sits in front of a node must still let that UDP port through.

Lastly, you can modify `wireguard_mask_bits` to change the size of the subnet, but it is recommended to keep it at 24 (a /24), which leaves 254 usable host addresses.
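Mistakes in the inventory only show up once two nodes fight over a route, so it pays to validate it before running the playbook. The script below is an added example, not code from this page or from the playbook: `check_inventory` reads the `wireguard_ip` values from an inventory file and reports any that are not valid IPv4 addresses, that fall outside the mesh subnet (or hit its network or broadcast address), or that two hosts share. The inventory contents, the host names, the `ansible_host` lines and the `10.8.0.0/24` subnet are constructed for the example, and `check_inventory`, `valid_ipv4` and `ip2int` are names chosen here, not playbook functions.

```bash
#!/usr/bin/env bash
# Added example, not code from the page or from the playbook: validate the
# wireguard_ip values in an Ansible inventory before running `make wg`.
# Assumes the YAML inventory lists each host under `all: hosts:` with a
# `wireguard_ip: <ip>` line, as the page's snippet does.
set -u

# Reject anything that is not four octets in 0..255.
valid_ipv4() {
  local a b c d o
  [[ $1 =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || return 1
  IFS=. read -r a b c d <<< "$1"
  for o in "$a" "$b" "$c" "$d"; do
    (( 10#$o <= 255 )) || return 1
  done
}

# Dotted quad -> 32-bit integer, so subnet membership is plain arithmetic.
ip2int() {
  local a b c d
  IFS=. read -r a b c d <<< "$1"
  echo $(( (10#$a << 24) | (10#$b << 16) | (10#$c << 8) | 10#$d ))
}

# check_inventory FILE NETWORK MASK_BITS
# Prints one line per problem and returns 1 if any were found, 0 otherwise.
# NETWORK/MASK_BITS describe the subnet the wireguard_ip values live in and
# mirror the playbook's wireguard_mask_bits (10.8.0.0/24 in the demo below).
check_inventory() {
  local file=$1 net=$2 bits=$3 problems=0
  local mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  local net_base=$(( $(ip2int "$net") & mask ))
  local broadcast=$(( net_base | (~mask & 0xFFFFFFFF) ))

  # "host ip" pairs: the host name is the nearest indented `name:` line
  # above each wireguard_ip line; trailing YAML comments are ignored.
  local pairs
  pairs=$(awk '
    /^[[:space:]]+[A-Za-z0-9_.-]+:[[:space:]]*$/ { host = $1; sub(/:$/, "", host) }
    /^[[:space:]]+wireguard_ip:/                  { print host, $2 }
  ' "$file")

  local host ip ip_int
  while read -r host ip; do
    [ -n "$host" ] || continue
    if ! valid_ipv4 "$ip"; then
      echo "$host: '$ip' is not an IPv4 address"
      problems=$((problems + 1)); continue
    fi
    ip_int=$(ip2int "$ip")
    if (( ip_int <= net_base || ip_int >= broadcast )); then
      echo "$host: $ip is outside $net/$bits (or is its network/broadcast address)"
      problems=$((problems + 1))
    fi
  done <<< "$pairs"

  # Two hosts with the same wireguard_ip would silently fight over the route.
  local dup
  while read -r dup; do
    [ -n "$dup" ] || continue
    echo "duplicate wireguard_ip $dup: $(awk -v d="$dup" '$2 == d { n = n (n ? "," : "") $1 } END { print n }' <<< "$pairs")"
    problems=$((problems + 1))
  done < <(awk '{ print $2 }' <<< "$pairs" | sort | uniq -d)

  return $(( problems > 0 ))
}

# Constructed sample inventory (not from the page) with two deliberate mistakes.
demo_inventory=$(mktemp)
cat > "$demo_inventory" <<'EOF'
all:
  hosts:
    paris-01:
      ansible_host: 203.0.113.10
      wireguard_ip: 10.8.0.1
    tokyo-01:
      ansible_host: 198.51.100.7
      wireguard_ip: 10.8.0.2
    nyc-01:
      ansible_host: 192.0.2.20
      wireguard_ip: 10.8.0.2   # clashes with tokyo-01
    lab-01:
      ansible_host: 192.0.2.21
      wireguard_ip: 10.9.0.5   # not in 10.8.0.0/24
EOF

check_inventory "$demo_inventory" 10.8.0.0 24 || echo "fix the inventory before running make wg"
```

Run it as `check_inventory inventory/<environment>/hosts.yml 10.8.0.0 24` with whatever subnet and prefix length you configured; a non-zero exit is the signal to stop before `make wg`. The network and broadcast addresses are rejected on purpose, since neither is assignable to a node.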
### UFW

For added security, UFW can be installed, but the playbooks do not enable it by default. To enable it, set the `enable_ufw` variable to `true` in `inventory/*/group_vars/all.yml`. Before doing so, check that the rules it applies allow your SSH port and the UDP `wireguard_port` on every host: a firewall that blocks either locks you out of a remote machine, with the provider's console as the only way back in.

The playbook's documentation [here](https://github.com/jawher/automation-wireguard) covers the remaining variables.
## Installation

To install WireGuard on all hosts, run the following commands:

```bash
# Select the desired environment
export ENV=<environment>

# Install WireGuard
make wg
```
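Once the playbook has run, the quickest way to confirm the mesh is up is to look at each node's handshakes. The script below is an added example, not part of this page or of the playbook: `stale_peers` reads the output of `wg show wg0 dump` (the interface name `wg0` and the 180-second window are assumptions) and lists peers that have never handshaked or whose last handshake is older than the window. The `sample_dump` function fabricates such output with placeholder keys and documentation address ranges so the example runs offline; on a real node you would pipe `wg show wg0 dump` into `stale_peers` instead.

```bash
#!/usr/bin/env bash
# Added example, not code from the page or the playbook: after `make wg`,
# list peers on the local node that have not completed a recent handshake.
# Input is the output of `wg show <iface> dump`: one interface line, then one
# tab-separated line per peer:
#   pubkey  preshared-key  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive
# latest-handshake is a Unix timestamp, 0 if the peer has never handshaked.
set -u

# stale_peers NOW MAX_AGE  (dump on stdin)
# Prints "allowed-ips endpoint age" for each peer whose last handshake is
# older than MAX_AGE seconds or missing; returns 1 if any were printed.
stale_peers() {
  local now=$1 max_age=$2
  awk -F'\t' -v now="$now" -v max_age="$max_age" '
    NR == 1 { next }                       # interface line, not a peer
    NF < 8  { next }                       # tolerate blank or foreign lines
    {
      endpoint = $3; allowed = $4; last = $5 + 0
      if (last == 0)                 { print allowed, endpoint, "never"; n++ }
      else if (now - last > max_age) { print allowed, endpoint, (now - last) "s"; n++ }
    }
    END { exit (n > 0) }
  '
}

# Constructed sample in `wg show wg0 dump` format (keys are placeholders,
# endpoints use documentation address ranges). Three peers: one handshaked
# 50 s before the reference time, one 1000 s before, one never.
sample_dump() {
  printf '%s\t%s\t%s\t%s\n' 'PRIVKEY_PLACEHOLDER=' 'PUBKEY_SELF_PLACEHOLDER=' 51820 off
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    'PUBKEY_PARIS_PLACEHOLDER=' '(none)' '203.0.113.10:51820' '10.8.0.1/32' 1699999950 12345 67890 25
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    'PUBKEY_TOKYO_PLACEHOLDER=' '(none)' '198.51.100.7:51820' '10.8.0.2/32' 1699999000 0 1234 off
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    'PUBKEY_NYC_PLACEHOLDER=' '(none)' '(none)' '10.8.0.3/32' 0 0 0 off
}

# Demo against the sample with a fixed reference time; on a node, use
# `wg show wg0 dump | stale_peers "$(date +%s)" 180` instead. WireGuard
# rekeys every 120 s while traffic flows, so 180 s is a reasonable window
# for peers that are actually talking to this node.
if ! sample_dump | stale_peers 1700000000 180; then
  echo "some peers have not handshaked recently; ping their wireguard_ip before assuming a fault"
fi
```

A stale handshake is not proof that a peer is unreachable: WireGuard only handshakes when there is traffic to send, so an idle peer without `PersistentKeepalive` can sit at an old timestamp and still answer a ping over its `wireguard_ip`. Ping the peer first, and set a keepalive on nodes behind NAT so their NAT mappings stay open; a peer that has never handshaked at all usually means a wrong endpoint, a blocked UDP port, or mismatched keys.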