07 Apr

Manage Wireguard users using Ansible

Day 16 of lockdown here in Haryana due to Covid19. Time for some distraction.


Last week it was reported that Wireguard will be added in next version of Linux kernel. I have been using Wireguard from over a year and it has been working great. I replaced OpenVPN with Wireguard for both site to site VPN as well as client-server VPN. If you are looking for a free open source VPN for remote employees or just connecting to your own remote servers Wireguard can be a really good candidate.

Recently I create client-server VPN at home so that I can get inside the home network whenever travelling (which is little uncommon due to Covid19 lockdown!).

Somehow I did not find any good automated script to generate keys. Tried a few projects and either they did not work or they tend to re-write everything inside /etc/wireguard directory. I presently run 5 different VPN daemons on my Raspberry Pi. It does site to site VPNs to two locations over two different uplinks and then OSPF running over FRR takes care of dynamically routing. For 5th one which is client-server VPN, I used Ansible put a playbook. Idea is to run playbook each time I want to add a user, provide it with client-name and client-ip (didn’t automate client IP since it’s just 4-5 devices max) and the playbook will take care of generating keys, config (which can be copy-pasted in Wireguard running on a laptop) and also QR code which can be scanned for importing config along with the keys in iOS devices. Ideally, I should put a more detailed one as Ansible role but then it’s just me being lazy and settling for a playbook instead.

Here’s goes the playbook! 

---
  - hosts: ## Put server hostname here ##
    gather_facts: no
    become: yes
    vars: 
      client_name: anurag-phone
      client_ip: 10.0.0.10 
      client_mask: 24
      client_dns: 10.1.0.5
      wgname: wg5
      wgport: 5005
      work_dir: "/home/anurag/config"
      server_ip: ## Put server IP here ##


    tasks: 
      - name: Ensure {{ work_dir }} exists
        file: 
          path: '{{ work_dir }}'
          state: directory

      - name: Generate client keys for {{ client_name }}
        shell:
          cmd: wg genkey | tee privatekey | wg pubkey > publickey
          chdir: "{{ work_dir }}"

      - name: Read client privatekey and register into variable
        shell: cat {{ work_dir }}/privatekey
        register: privatekey    
      
      - name: Read client publickey and register into variable
        shell: cat {{ work_dir }}/publickey
        register: clientpublickey    
  
      - name: Read server publickey of server and register into variable
        shell: cat /etc/wireguard/publickey
        register: serverpublickey    

      - name: Add {{ client_name }} to the server
        blockinfile:
          path: '/etc/wireguard/{{ wgname }}.conf'
          marker: "## Added by Ansible"
          block: |
              # {{ client_name }}
              [Peer]
              PublicKey = {{ clientpublickey.stdout }}
              AllowedIPs = {{ client_ip }}/32

      - name: Stop wireguard for {{ wgname }}
        command: wg-quick down {{ wgname }}
        register: wireguardstop 
        tags: wireguardrestart

      - debug: 
          var: wireguardstop.stderr_lines
        tags: wireguardrestart 

      - name: Start wireguard for {{ wgname }}
        command: wg-quick up {{ wgname }}
        register: wireguardstart
        tags: wireguardrestart

      - debug: 
          var: wireguardstart.stderr_lines
        tags: wireguardrestart  

      - name: Generate client config for {{ client_name }} for full internet access
        blockinfile:
          path: "{{ work_dir }}/{{ client_name }}-full.conf"
          block: |
              [Interface]
              PrivateKey = {{ privatekey.stdout }}
              Address = {{ client_ip }}/{{ client_mask }}
              DNS = {{ client_dns }}
          
              [Peer]
              PublicKey = {{ serverpublickey.stdout }}
              AllowedIPs = 0.0.0.0/0
              Endpoint = {{ server_ip }}:{{ wgport }}       

          state: present    
          create: yes

      - name: Generate QR code for {{ client_name }}
        shell: qrencode -t ansiutf8  < {{ work_dir }}/{{ client_name }}-full.conf  > {{ work_dir }}/{{ client_name }}-qr-full
        tags: qr

Some limitations of this playbook:

  1. Cannot be used to delete users. I don’t do that often and thus I am OK to delete those just manually though one can make it little more smart to do that. Probably define users within vars and have a check to not-re-write keys during each run.
  2. It will keep on adding keys to the server side config and hence if run twice for same user, IP – it will add junk. Again, this was more of a quick written solution and not a extensively written playbook to tackle that.

The key objective here was just to generate keys, insert client public key in server side config and server’s key in client side config. And ofcourse making config available in text and QR code form so that one can use import and delete it.

19 Mar

Making things happen in the government

A fascinating lecture by Mr Anil Swarup (retired IAS, ex-Secretary to Govt. of India & State Govt of UP) at Lt Governer, Puducherry Raj Niwas. His Wikipedia page here and Twitter account here.

The first half is the talk itself, followed by some time of Q&A, followed by a short talk by Mr Ashwani Kumar (Chief Secretary to Government of Pondicherry) and in the end is Lt Governor Kiran Bedi.

Misc notes from this talk

  1. For an idea to fructify in a democracy like ours, it has to politically acceptable, socially desirable, technologically feasible, financially viable, administratively doable and judiciary tenable.
  2. Don’t get agitated about things over which you have no control.
  3. Key thing is to focus and change yourself and rest will just follow.
  4. The digitalisation helps significantly in reducing corruption and adding more transparency.
  5. For solutions to a large number of problems, we do not need to look outside (of the country) but inwards towards various states from the length and breadth of the country.
  6. There was a draconian section clause in the Prevention of Corruption Act 13 (1) d. The clause was: while holding office as a public servant, obtains for any person any valuable thing or pecuniary advantage without any public interest; or (source)

    In simple terms, it means that if anyone makes an undue benefit in a process, the bureaucrat will be held for it whether or not he had any benefit from it. Eventually, Modi Govt. in the centre revoked it and this Gazette notification has a new law. Thus now for bonafide mistake bureaucrats are legally protected.
  7. Culture of views & counterviews in the bureaucracy got deteriorated because of RTI activism. “RTI activist” end up in matching the notes of multiple officers & then try to play them against each other.
  8. Systems like Aadhar should have been respected & promoted but became a major target of “activist brigade”. I personally had a discussion with some of the folks who are heavily against the Aadhar and would even go to the extent of suggesting to shut down the program. While they might make a couple of valid points, but a large part of their points come with the fundamental assumption that rest of society, systems, identification technologies etc are utopian in nature!
  9. E-office system of Govt. needs more improvement. In some case, it’s just another system and a process where one has to dump scanned documents instead of actually digitalising.

Ending this post with a poem from Mr Swarup in Hindi! ЁЯЩВ

рд╕рдордп рд░реБрдХрд╛ рдирд╣реАрдВ, рд╣рдо рдХреНрдпреВ рдард╣рд░ рдЧрдП? рдЕрднреА рддреЛ рд╣рдо рдЪрд▓реЗ рднреА рдирд╣реАрдВ, рдлрд┐рд░ рдХреНрдпреВ рдердХ рдЧрдП?
рдЙрдареЛ рдкрдерд┐рдХ, рдЙрдареЛ рдкрдерд┐рдХ рдордд рднреНрд░рдорд┐рдд рд╣реЛ рдзреВрдорд┐рд▓ рдЕрдВрдзрд┐рдпрд╛рд░реЗ рдореЗрдВ, рд╢реНрд░реЗрд╖реНрда рд╡рд╣реА рдЬреЛ рдШрд┐рд░рд╛ рдирд╣реАрдВ рд╣реЛ рд╖рдгрд┐рдХ рдирд┐рд░рд╛рд╢рд╛ рдореЗрдВ|
рдЬрд╛рдЧреЛ рдЬрдЧрд╛рдУ, рдорди рдордд рдмрд╣рд▓рд╛рдУ, рдПрдХ рдорд╕реАрд╣рд╛ рддреБрдо рднреА рдмрди рдЬрд╛рдУ |

21 Feb

Indian RPKI ROA status

In Melbourne for the week for APRICOT 2020. Someone jokingly said it’s should be “APRICOT and RPKI 2020”. ЁЯЩВ

It seems like both JPNIC and TWNIC are doing a good job at promoting their member operators in Japan & Taiwan for signing ROA. I thought to check for the status in India to find how India is doing.

RPKI ROA status for India










  1. Total prefixes: 40,834 (IPv4 + IPv6)
  2. Prefixes with valid ROA: 4693
  3. Prefixes with invalid ROA: 354
  4. Prefixes without ROA: 35,787

IRR route objects

  1. Prefixes with at least one valid IRR route object: 38,075
  2. Prefixes with invalid route object: 2213
  3. Prefixes with missing route object: 546

The method used to pull this data

  1. Download APNIC extended data: https://ftp.apnic.net/stats/apnic/delegated-apnic-extended-20200221
  2. Find IN ASNs which is APNIC assigned as well as IRINN delegated prefixes.
  3. Find all prefixes originated by these ASNs (assuming a large of them would be used in India only).
  4. Check for IRR and RPKI status for those prefixes.