In my ever-growing list of things I find to do besides the dishes and laundry, I decided one weekend that I wanted an easy way to deploy an AWS Lightsail instance and set it up as a WireGuard server. I know there are actual VPN services out there that are possibly more reliable and definitely less of a headache, but what's the fun in that? I wanted to see if I could do it...and I did!
Here is the "intended" way for this repo to be used:

- Download the repo, optionally as a zip folder, and delete the folder after each time you set up the WireGuard server (it ends up holding the generated SSH key, the Terraform state and the rendered WireGuard configs).
- This repo assumes you have [direnv](https://direnv.net/) installed to load and unload the `.envrc` file when changing directories. I'd recommend installing it; otherwise, if you're so inclined, you can manage the environment variables through another package or manually.
- Change to the new directory for the repo once you have the folder downloaded/unzipped/un-tar'd/etc.
- Copy `.envrc.example` in the root directory to a file named `.envrc`, and update your variables for your AWS region. Ensure your AWS credentials are set up in the `~/.aws` folder as per the AWS CLI configuration. For help setting up these credentials, visit AWS CLI Configuration.
- `direnv` should prompt you to allow the new `.envrc` file with an easy copy-and-pasteable error message! This needs to be done before running the scripts so the variables exist.
- Finally, make the shell script(s) executable with `chmod +x *.sh`, then turn up the server and let Ansible go to town configuring everything!
The shell script installs the Ansible Galaxy packages required, along with the pip modules used. Then it generates an SSH key to use with the server, sets some environment variables from the `terraform.tfstate` file after the machine is provisioned, runs the monolithic playbook, and does some `sed` replacements on the config files so they're ready to be pasted into a device. Keep in mind that the rendered client configs contain the client's WireGuard private key, so treat the working folder as sensitive and delete it when you're done, as mentioned above.
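To make the tail end of that flow concrete, here is an added example (not the repo's own `run-all.sh`) of reading the instance's public IP out of `terraform.tfstate` and `sed`-ing it, along with the server's public key, into a WireGuard client config template. The placeholder names, the template layout, the `public_ip_address` attribute name and the sample state file and public key are all assumptions constructed for this example.

```bash
#!/bin/sh
# Added example, not the repo's script. Demonstrates the "read tfstate, then
# sed the client config" steps with constructed inputs; names are assumptions.

# Scrape the Lightsail instance's public IP out of a terraform.tfstate file.
# "public_ip_address" is assumed to be the exported attribute name. In a real
# script you would prefer `terraform output -raw ...` or jq over a sed scrape;
# sed is used here only so the example runs with no extra tooling.
tfstate_public_ip() {
    sed -n 's/.*"public_ip_address": *"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Substitute the endpoint IP and server public key into a client template.
# The result carries the client's private key, so callers set a restrictive
# umask before redirecting the output to a file.
render_client_conf() {
    # $1 = template path, $2 = server endpoint IP, $3 = server public key
    # '|' is the sed delimiter because base64 keys may contain '/'.
    sed -e "s|SERVER_IP_PLACEHOLDER|$2|g" \
        -e "s|SERVER_PUBKEY_PLACEHOLDER|$3|g" "$1"
}

# Constructed sample server public key (the one from the WireGuard docs).
SAMPLE_SERVER_PUBKEY='yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk='

# End-to-end demo on constructed files; prints the rendered client config.
demo() {
    tmp=$(mktemp -d)
    # Constructed, trimmed-down tfstate for an aws_lightsail_instance.
    cat >"$tmp/terraform.tfstate" <<'EOF'
{
  "version": 4,
  "resources": [
    {
      "type": "aws_lightsail_instance",
      "name": "wireguard",
      "instances": [
        { "attributes": { "name": "wireguard", "public_ip_address": "203.0.113.10" } }
      ]
    }
  ]
}
EOF
    # Constructed client template with the placeholders this example assumes.
    cat >"$tmp/client.conf.tmpl" <<'EOF'
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_GOES_HERE
Address = 10.8.0.2/32

[Peer]
PublicKey = SERVER_PUBKEY_PLACEHOLDER
Endpoint = SERVER_IP_PLACEHOLDER:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
    ip=$(tfstate_public_ip "$tmp/terraform.tfstate")
    umask 077   # rendered config holds a private key: owner-only permissions
    render_client_conf "$tmp/client.conf.tmpl" "$ip" "$SAMPLE_SERVER_PUBKEY" \
        >"$tmp/client.conf"
    cat "$tmp/client.conf"
    rm -rf "$tmp"
}

demo
```

Running the script prints a client config whose `Endpoint` is `203.0.113.10:51820` and whose `PublicKey` is the sample key, with no placeholders left behind; the `umask 077` before the redirect is the part worth copying into any script that writes WireGuard configs.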
```bash
wget https://github.com/oct8l/Lightsail-WireGuard-one-shot/archive/refs/heads/main.tar.gz
tar -xzf main.tar.gz
rm main.tar.gz
cd Lightsail-WireGuard-one-shot-main
chmod +x *.sh
mv .envrc.example .envrc
vi .envrc
```
After you defeat the `vi` boss and have your variables set, you can run `./run-all.sh` and watch the magic happen!

You can also optionally run `./ssh.sh` if you'd like to SSH to the machine; it will use the SSH key that was generated by the previous script.
The Terraform template also applies the needed firewall rules and assigns the machine to that firewall group, so there is no need to allow anything manually. It opens port 51820/udp and 22/tcp to any IPv4 address, but SSH only accepts public-key authentication, and Fail2Ban also gets set up by the Ansible playbook. If you only ever SSH in from one place, narrowing the 22/tcp rule in the Terraform template to your own address is an easy extra hardening step.
Something I want to change is to break the Ansible folder into proper roles and call the roles instead of having everything in one playbook. Another thing is to pull the Ansible Galaxy installs out of the shell script, because it seems a little intrusive to be installing them, as well as the pip modules. It definitely would be best to use a `venv` for this, but I was in a bit of a rush for a trip on which I wanted to try this setup out with GL.iNet routers. Man, I love those things.