How to Automate Your VPN Setup With Ansible

By Tangram Vision (@tangramvision)

In a previous blogpost, we set up a WireGuard VPN server and client and learned about various configuration options for WireGuard, how to improve VPN server uptime, how to relay traffic, and more. Setting up a server and client like that is a lot of work! If the server dies or you want to set up a new server (maybe for a friend or family member this time), you have to go back to the walk-through and follow all the steps, remembering if you deviated from those instructions at any point.

There’s a better way — automation! If you’re only going to do a thing once (e.g. set up a VPN), investing in automation probably doesn’t make sense. But if you anticipate doing a thing repeatedly, automating it frees up your time to learn and accomplish more in the future. You can also share your automation, empowering others to build and achieve more, faster.

Automation is the heart of computing, and many different automation tools and approaches have sprung up over time. For our project of automating VPN server setup, we can consider a variety of tools:

  • Shell scripts
    The simplest approach from a tooling perspective: a shell script would run the commands from the previous WireGuard tutorial blogpost, using ssh for the commands that run on the server and rsync to copy configuration files to the server.
  • SSH scripting libraries like Capistrano or Fabric
    If shell scripting isn’t ideal, there are libraries that expose similar scripting functionality in a more ergonomic interface for developers familiar with higher-level languages like Ruby and Python.
  • Infrastructure/configuration automation tools like Puppet, Chef, or Ansible
    Tools in this category are even more specialized for automating server infrastructure and configuration, often including an ecosystem of packages and plugins to automatically set up or configure nearly anything you can think of.
  • Infrastructure-as-code tools like Terraform
    Infrastructure-as-code (IaC) tools have a lot of overlap with the above category, but support provisioning cloud resources in a more first-class/native way.
  • Containers like Docker
    You could also run WireGuard in containers, deploying a server-configured container image to a cloud provider and running a client-configured container image locally to connect to the server. There are a few existing examples of this approach.

For this tutorial, I’m going to focus on the middle category above — infrastructure / configuration automation tools — and specifically, I’ll focus on Ansible. There is a great comparison of different tools in this area by Gruntwork and, even though that article favors Terraform, Ansible is still a useful general-purpose tool, especially if you’re working with servers that aren’t “in the cloud”, such as a Raspberry Pi at home.

Let’s get started with automating VPN setup with Ansible! By the end of this article, we’ll be able to set up a VPN server and client with a single command. Similar to the previous blogpost, I’ll use Ubuntu 20.04 and DigitalOcean droplets.

Setting Up Ansible

Ansible can be installed via an OS package manager like apt, but I prefer to use pip so I can get the latest updates and avoid cluttering system package management with third-party PPAs (Personal Package Archives). We’ll also use pyenv (as suggested by Hypermodern Python) to make sure we’re not breaking or cluttering the system Python installation. Install pyenv with the following:

# From https://github.com/pyenv/pyenv/wiki#suggested-build-environment
sudo apt-get update
sudo apt-get install --no-install-recommends make build-essential libssl-dev zlib1g-dev libbz2-dev libreadline-dev libsqlite3-dev wget curl llvm libncurses5-dev xz-utils tk-dev libxml2-dev libxmlsec1-dev libffi-dev liblzma-dev
curl https://pyenv.run | bash

It’s a good habit when a tutorial gives you curl <url> | bash to open up that URL and see what it’s going to do. In this case, you’ll see that it’ll download and execute a shell script on GitHub that will clone 6 repos from GitHub to your ~/.pyenv folder and prompt you to add a few lines to your shell’s initialization script.

Follow the output prompt from above, which asks you to put lines like the below in your shell initialization script (e.g. ~/.bashrc if you use the bash shell). Make sure to fill in your own username!

export PATH="/home/YOUR_USERNAME/.pyenv/bin:$PATH"
eval "$(pyenv init -)"
eval "$(pyenv virtualenv-init -)"

Install a recent python version:

# List available python versions
pyenv install --list
# Install a specific version
pyenv install 3.9.2
# (Suggested) If you want to always use that version when running `python`
# in your terminal
pyenv global 3.9.2

If you want, you can also create a virtualenv to further isolate the Ansible installation, and make that virtualenv automatically activate when you’re in a particular folder/repo. That would look like:

# (Optional)
# Feel free to pick a different virtualenv name than "ansible-tutorial"
pyenv virtualenv 3.9.2 ansible-tutorial
# Create a .python-version file that pyenv will find when your shell is in the
# same directory (or a sub-directory) and automatically activate the named
# virtualenv
pyenv local ansible-tutorial

Install the ansible pip package, which will install various command-line tools, including ansible-playbook, which we’ll use to run a “playbook” of commands that will set up a VPN server and client for us.

pip install ansible
# Confirm installation worked
ansible --version

Get a Server

To use Ansible for a VPN server, we need… a server! Ansible could provision a server from a cloud provider for us (and I’ll touch on this briefly later), but we’ll keep our playbook hardware-provider-agnostic for now, so you can run it as easily against a cloud server as a Raspberry Pi on your home network. I’m going to create a $5/month DigitalOcean droplet to test against, but you could also use Vagrant (to test against a local VM) or any server you can SSH to.

Testing Ansible playbooks against VMs, rather than a bare-metal machine, comes with an advantage — after you’ve written the playbook, you can start a new, empty VM and test the whole playbook start to finish to ensure that it works consistently.

Connecting to the Server with Ansible

Once you have your server or VM, take note of its IP address and use it to create an inventory.ini file like the below:

[vpn]
vpn_server ansible_host=203.0.113.1 ansible_user=root

An inventory file tells Ansible what servers it can act upon and how to access them. Let’s use the above inventory file as an example. When we run Ansible and target the vpn group of servers or the vpn_server host, it will try to connect to the server using a command like:

ssh root@203.0.113.1

So, if you can’t SSH to the server, then Ansible won’t be able to connect either!

Connecting to the server with an SSH key is strongly recommended! Add your SSH key to your server to connect without needing a password. If you must connect with a password, you can sudo apt install sshpass and then provide your SSH password when using Ansible by adding the --ask-pass flag to all ansible commands.

Let’s test to make sure that Ansible can connect to the server:

ansible -i inventory.ini -m ping vpn

This runs the ping Ansible module, targeting the vpn group of servers. You should see “pong” in the output, meaning that Ansible could connect to the server and the server has a Python installation that Ansible can use.

Ansible’s Built-in Variables and Facts

There are other useful Ansible modules that we can use with the ansible command, such as setup (which gathers “facts” about the host) and debug (which prints variables). Try running both of these modules with your server so you can see what facts and information Ansible makes available:

ansible -i inventory.ini -m setup vpn
ansible -i inventory.ini -m debug -a "var=hostvars" vpn

This was one of the most confusing parts for me when learning Ansible — figuring out what all these built-in variables and facts (like groups, inventory_dir, and ansible_distribution) were and how to find them.

Writing an Ansible Playbook

The ansible command lets you run ad-hoc commands across groups of servers. This is powerful, but we probably shouldn’t try to automate server setup and configuration in a single ansible command… probably. 🤔 Instead, we can organize multiple tasks in one or multiple YAML files, which we will run with the ansible-playbook command.

Let’s write a playbook.yml file in the same folder as inventory.ini. Here are its contents:

---
- name: setup vpn server
  hosts: vpn_server
  tasks:
    - name: ping
      ping:
    - name: show variables and facts
      debug: var=hostvars

If you’re not familiar with YAML, the above is equivalent to this JSON structure:

[{"name": "setup vpn server", "hosts": "vpn_server", "tasks": [{"name": "ping", "ping": null}, {"name": "show variables and facts", "debug": "var=hostvars"}]}]

Breaking down the above:

  • The top-level structure is a “play” in Ansible lexicon. Our play above has a name, a hosts pattern which describes which servers the play will run against, and a list of tasks.
  • We have 2 tasks, each of which has a name and the name of an Ansible module that will do something.

Run the playbook…

ansible-playbook -i inventory.ini playbook.yml

… and you’ll see that it gathers facts from the server (just like the ansible -m setup command above did), and then runs the “ping” task and the “debug” task to show all the gathered facts and variables defined for vpn_server.

There are tons of built-in Ansible modules, even more curated Ansible community modules, and even more published to Ansible Galaxy (an open repository for Ansible collections and roles).

WireGuard Server Setup

There’s much more to learn about Ansible! But let’s stop here and apply what we’ve learned in order to set up a WireGuard server.

Referring to the steps we took in the previous tutorial, we want to:

  1. Install the wireguard system package
  2. Create public and private keys with correct permissions
  3. Create the server’s WireGuard configuration file
  4. (Optionally) Enable IP forwarding for relaying traffic
  5. Start the VPN

Managing the Keys

As hinted at in the previous tutorial, if we want to repeatably deploy the VPN server without needing to reconfigure all VPN clients, we need to use the same private key every time.

Put another way: if we generated a private key while deploying the server and used the corresponding public key on various clients, and the server ends up dying, we could deploy it again by generating a new private key. However, all of our VPN clients would then need to update to the new public key to be able to connect to the new VPN server. This would be inconvenient!

Instead, we’ll generate the server keys once by hand and use them in the playbook so they’re consistent between every deploy. This means we won’t include step #2 from above in the Ansible playbook.

Generate the keys with the wg genkey and wg pubkey commands. You can output both in the form we need with the following commands:

privkey=$(wg genkey)
echo "server_privkey: $privkey"
echo "server_pubkey: $(echo "$privkey" | wg pubkey)"

Copy the output lines and add them to a new vars mapping under the play in playbook.yml. Here’s what mine looks like now (your keys will be different):

---
- name: setup vpn server
  hosts: vpn_server
  vars:
    server_privkey: aBYk1JZyP8ck+FeaTjb3xi94U4Nv8V+gWoTW1hRLQlo=
    server_pubkey: 7/6f7bUT+2hWMEP5BxeK51PGuMuTnQ9pRpkxg5jUSTo=
  tasks:
    # ...

Encrypting the Private Key

It’s a good practice to AVOID having secrets in plaintext (like the VPN private key above). This is especially true if those secrets will be shared with anyone else, like via a git repo. Let’s prevent this by using Ansible Vault. Vault is a tool for encrypting secret values and using them in playbooks. Encrypt the private key with:

ansible-vault encrypt_string --ask-vault-password --stdin-name server_privkey

You’ll be prompted twice for a Vault encryption password, after which you’ll paste your privkey value and hit Ctrl+d twice. If the command completed after a single Ctrl+d, try again and make sure you’re not copy-pasting an invisible newline character at the end of the privkey value. Copy the output into your playbook, which will now look like:

---
- name: setup vpn server
  hosts: vpn_server
  vars:
    server_privkey: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      646438636565343063343631326136386239623935393637336539653636386135363
      663386639393232346534643163656363316234306439306566306534610a31326664
      363763663139383034636632343230376365333130333230373866353033326563303
      5636138373830633534373033303536303566663166616539360a3936353033663263
      336662663034376661616631343661333164363134373061343739633637623739306
      465653532383838393662396333623966343165366635353132396332313762343534
      65313761623964653532623839356633343838
    server_pubkey: 7/6f7bUT+2hWMEP5BxeK51PGuMuTnQ9pRpkxg5jUSTo=
  tasks:
    ...

Make sure to remember your encryption password (and save it in a password manager); you’ll need to enter it every time you run the playbook.

Installing and Configuring WireGuard

Next, we’ll remove our testing ping and debug tasks and write tasks for steps 1, 3, 4, and 5 from the above list. These steps translate neatly into Ansible tasks in our updated playbook.yml:

---
- name: setup vpn server
  hosts: vpn_server
  vars:
    server_privkey: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      646438636565343063343631326136386239623935393637336539653636386135363
      663386639393232346534643163656363316234306439306566306534610a31326664
      363763663139383034636632343230376365333130333230373866353033326563303
      5636138373830633534373033303536303566663166616539360a3936353033663263
      336662663034376661616631343661333164363134373061343739633637623739306
      465653532383838393662396333623966343165366635353132396332313762343534
      65313761623964653532623839356633343838
    server_pubkey: 7/6f7bUT+2hWMEP5BxeK51PGuMuTnQ9pRpkxg5jUSTo=
  tasks:
    # https://docs.ansible.com/ansible/latest/collections/ansible/builtin/apt_module.html
    - name: install wireguard package
      apt:
        name: wireguard
        state: present
        update_cache: yes
    # https://docs.ansible.com/ansible/latest/collections/ansible/builtin/template_module.html
    - name: create server wireguard config
      template:
        dest: /etc/wireguard/wg0.conf
        src: server_wg0.conf.j2
        owner: root
        group: root
        mode: '0600'
    # https://docs.ansible.com/ansible/latest/collections/ansible/posix/sysctl_module.html
    - name: enable and persist ip forwarding
      sysctl:
        name: net.ipv4.ip_forward
        value: "1"
        state: present
        sysctl_set: yes
        reload: yes
    # https://docs.ansible.com/ansible/latest/collections/ansible/builtin/systemd_module.html
    - name: start wireguard and enable on boot
      systemd:
        name: wg-quick@wg0
        enabled: yes
        state: started

Ok ok, yes, this is a bit like drawing an owl.


…but usually an ansible playbook like the above can be written quickly. I follow a cycle:

  1. Type “ansible module install package” into a search engine
  2. Open the docs.ansible.com result that looks most helpful
  3. Read through available parameters and the (often helpful) examples at the bottom
  4. Copy an example into my playbook and modify parameters as needed
  5. Go back to step 1, searching for the next task (e.g. “ansible module template file”)

I’ve included a comment line linking to the Ansible docs page for each module used in the playbook.yml above, in case you want to read about the parameters.

Testing our First Attempt

Let’s test our playbook.

$ ansible-playbook -i inventory.ini --ask-vault-password playbook.yml
Vault password:

PLAY [setup vpn server] ********************************************************

TASK [Gathering Facts] *********************************************************
ok: [vpn_server]

TASK [install wireguard package] ***********************************************
changed: [vpn_server]

TASK [create server wireguard config] ******************************************
fatal: [vpn_server]: FAILED! => {"changed": false, "msg": "Could not find or access 'server_wg0.conf.j2'\nSearched in: ..."}

PLAY RECAP *********************************************************************
vpn_server : ok=2 changed=1 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0

Oh no!

Installing WireGuard was successful, but creating the config failed. Ansible’s error messages are usually helpful, and this one indicates that the template file (server_wg0.conf.j2) we’re trying to use to create the server’s configuration couldn’t be found.

Let’s create it at templates/server_wg0.conf.j2 (the server takes 10.0.0.1 on the 10.0.0.0/24 VPN subnet, matching the client config later on):

# {{ ansible_managed }}
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = {{ server_privkey }}

A few notes about the above:

  • Ansible automatically searches in relative paths like templates/ and files/ when running Ansible modules that have a src parameter. Our template task has a parameter src: server_wg0.conf.j2, so Ansible will search for it in the templates/ folder.
  • It’s convention to suffix template files with .j2, to indicate that the file will be templated with Jinja2.
  • In Jinja2, values inside double curly braces ({{ variable }}) will be replaced with the value of the variable. In this template, the server_privkey variable will be decrypted and its value inserted into the resulting file in place of {{ server_privkey }}. Note that the decrypted key therefore sits in plaintext in /etc/wireguard/wg0.conf on the server; Vault protects it in your repository, not on the host, which is why the template task sets root ownership and mode: '0600'.
  • The {{ ansible_managed }} text is replaced with the string “Ansible managed”. It’s a good convention to put this in a comment at the top of templated files, because it signals to anyone reading the file on the server that the file is managed by Ansible — any edits they make could be overwritten when Ansible next runs, so they should find and make edits in the corresponding Ansible playbook and template files instead.

Let’s run the test again:

$ ansible-playbook -i inventory.ini --ask-vault-password playbook.yml
Vault password:

PLAY [setup vpn server] ********************************************************

TASK [Gathering Facts] *********************************************************
ok: [vpn_server]

TASK [install wireguard package] ***********************************************
ok: [vpn_server]

TASK [create server wireguard config] ******************************************
changed: [vpn_server]

TASK [enable and persist ip forwarding] ****************************************
changed: [vpn_server]

TASK [start wireguard and enable on boot] **************************************
changed: [vpn_server]

PLAY RECAP *********************************************************************
vpn_server : ok=5 changed=3 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

It succeeded!

The WireGuard interface is now running on the server.

Notice that the “install wireguard package” step shows ok instead of changed this time. The apt module (and most modules) detect that the server is already in the desired state (the wireguard package was installed last time we ran the playbook, so it satisfies state=present) and perform no actions. The task is idempotent, meaning you can run it repeatedly and the outcome is the same. Idempotent tasks make it easy to see what changed and what didn’t each time a playbook is run.

WireGuard Client Setup

Ansible can also operate on the local machine. To set up our local machine as a client, we want to:

  1. Install the wireguard system package
  2. Create public and private keys with correct permissions
  3. Create the client’s WireGuard configuration file, which must include the server’s public key
  4. Start the VPN

We also need to update the server’s configuration file with a [Peer] section including the client’s public key, so the client can connect to the server. The client’s public key isn’t known until after we create it — we could create client keys manually like we did for the server’s keys, but then the playbook wouldn’t be able to set up multiple clients without having to manually edit the keys for each client.

Acting on Localhost

Because we’re targeting a new host (localhost), we need to write a new play in playbook.yml. We can put it above the existing play (which targets vpn_server), so the client’s keys are generated before the server config is templated.

---
- name: setup vpn client
  hosts: localhost
  connection: local
  become: yes
  vars:
    # Use system python so apt package is available
    ansible_python_interpreter: "/usr/bin/env python"
  tasks:
    # Coming soon

- name: setup vpn server
  hosts: vpn_server
  # Rest of server vars/tasks here...

Lots of new things here!

  • We target the local machine by using localhost for the hosts pattern.
  • We “connect” locally by using the local connection plugin.
  • The become: yes line indicates that the play will run as root, which we need to be able to install the wireguard package. Ansible will effectively run sudo apt-get install wireguard, rather than just apt-get install wireguard (which would fail). Because of this setting, we’ll need to run the playbook with the --ask-become-pass flag. We didn’t need this line for the server setup play, because we’re already connecting as root via the ansible_user=root connection variable.
  • With the ansible_python_interpreter var, we tell Ansible to use the system python (which includes the apt python package). Alternatively, we could install that package for our current python 3.9.2 installation. If you get a No such file or directory error, you may need to change the line from python to python3.

Client Setup Tasks and Config

Writing the Ansible tasks for the client-side VPN setup is similar to the server side.

---
- name: setup vpn client
  hosts: localhost
  connection: local
  become: yes
  vars:
    # Use system python so apt package is available
    ansible_python_interpreter: "/usr/bin/env python"
  tasks:
    - name: install wireguard package
      apt:
        name: wireguard
        state: present
        update_cache: yes
    - name: generate private key
      shell:
        cmd: umask 077 && wg genkey | tee privatekey | wg pubkey > publickey
        chdir: /etc/wireguard
        creates: /etc/wireguard/publickey
    - name: get public key
      command: cat /etc/wireguard/publickey
      register: publickey_contents
      changed_when: False
    # Save pubkey as a fact, so we can use it to template wg0.conf for the server
    - name: set public key fact
      set_fact:
        pubkey: "{{ publickey_contents.stdout }}"
    - name: create client wireguard config
      template:
        dest: /etc/wireguard/wg0.conf
        src: client_wg0.conf.j2
        owner: root
        group: root
        mode: '0600'

- name: setup vpn server
  hosts: vpn_server
  # Rest of server vars/tasks here...

Breaking this down:

  • Installing the wireguard package should look very familiar!
  • We generate keys with the shell module so we can use pipes and file redirection. The keys are only generated if the publickey file doesn’t already exist, thanks to the creates parameter. The umask 077 ensures privatekey (and publickey) are created with mode 0600, readable only by root, rather than with the default umask.
  • Next, we need to save the public key so we can add it as a [Peer] section in the server config. Normally, we’d use {{ lookup('file', '/etc/wireguard/publickey') }} to look up a value from a file, but lookup plugins run on the control machine as the user invoking ansible-playbook and do not go through become: yes; the lookup tries to read the root-owned file without escalating privileges and fails as a result. So, we instead cat the file (as a task, which does run under become) and save the resulting output as a fact. The changed_when: False on that task stops a read-only cat from reporting “changed” on every run.
  • Finally, template the client config file. Its contents closely match the previous tutorial’s, but we use the ansible_host IP address of the VPN server from inventory.ini to set the server’s endpoint. Here is templates/client_wg0.conf.j2:

[Interface]
# The address your computer will use on the VPN
Address = 10.0.0.8/32
# Load your privatekey from file
PostUp = wg set %i private-key /etc/wireguard/privatekey
# Also ping the vpn server to ensure the tunnel is initialized
PostUp = ping -c1 10.0.0.1

[Peer]
# VPN server's wireguard public key
PublicKey = {{ server_pubkey }}
# Public IP address of your VPN server (USE YOURS!)
# Use the floating IP address if you created one for your VPN server
Endpoint = {{ hostvars['vpn_server'].ansible_host }}:51820
# 10.0.0.0/24 is the VPN subnet
AllowedIPs = 10.0.0.0/24
# To also accept and send traffic to a VPC subnet at 10.110.0.0/20
# AllowedIPs = 10.0.0.0/24,10.110.0.0/20
# To accept traffic from and send traffic to any IP address through the VPN
# AllowedIPs = 0.0.0.0/0
# To keep a connection open from the server to this client
# (Use if you're behind a NAT, e.g. on a home network, and
# want peers to be able to connect to you.)
# PersistentKeepalive = 25

Managing Variables

If we run the playbook now, it will fail with a 'server_pubkey' is undefined error. That’s because server_pubkey is defined for the play that targets the server; it’s not available for the play targeting the client. We need to move the variable somewhere so that it’s readable by the entire playbook. Ansible looks for YAML files in a group_vars/ folder where the filename matches server groups in the inventory file. So, we could create a group_vars/vpn.yml file and declare variables in it, which would be directly usable when running a play against any servers in the vpn group. We don’t include localhost as a host in the vpn group (though we could). We’ll instead use the special group_vars/all.yml file, which makes variables available to all hosts.

Move the server keys’ variables from playbook.yml to group_vars/all.yml:

---
server_privkey: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  646438636565343063343631326136386239623935393637336539653636386135363
  663386639393232346534643163656363316234306439306566306534610a31326664
  363763663139383034636632343230376365333130333230373866353033326563303
  5636138373830633534373033303536303566663166616539360a3936353033663263
  336662663034376661616631343661333164363134373061343739633637623739306
  465653532383838393662396333623966343165366635353132396332313762343534
  65313761623964653532623839356633343838
server_pubkey: 7/6f7bUT+2hWMEP5BxeK51PGuMuTnQ9pRpkxg5jUSTo=

Your directory should now look like this:

.
├── group_vars
│   └── all.yml
├── inventory.ini
├── playbook.yml
└── templates
    ├── client_wg0.conf.j2
    └── server_wg0.conf.j2

Run the playbook and the client should run all its tasks successfully:

ansible-playbook -i inventory.ini --ask-vault-password --ask-become-pass playbook.yml

The VPN client is now set up. The only remaining step for the client is to start the VPN after the server is running and configured to accept connections from the client (so the client’s PostUp ping will succeed).

Adding a Peer to the Server Config

Add a [Peer] section to the server template at templates/server_wg0.conf.j2:

# {{ ansible_managed }}
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = {{ server_privkey }}

[Peer]
PublicKey = {{ hostvars['localhost'].pubkey }}
AllowedIPs = 10.0.0.8

We read {{ server_privkey }} from group_vars/all.yml, and we read {{ hostvars['localhost'].pubkey }} from the fact set by the set_fact task that runs during the client-targeted play in the playbook.
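The checks a practitioner would want around this material, as an added example that is not from the original post. It serves both the server key pair from the Managing the Keys section and the wg0.conf files that the server and client templates render: a WireGuard key must be 44 base64 characters that decode to exactly 32 bytes, a rendered file must have no leftover {{ }} markers, the [Interface] must carry a private key (directly, or through the client template’s PostUp that loads one from a file), every [Peer] needs a PublicKey and an AllowedIPs line, and the file must be mode 0600. The function names are this example’s own; base64 and stat are the only tools it assumes, and the configs in the test are constructed.

```sh
#!/bin/sh
# Added example, not from the original post: sanity checks for WireGuard key
# material and for a rendered wg0.conf before it is trusted on a host.
# A WireGuard key is 32 bytes, base64-encoded: 44 characters ending in '='.

set -u

# is_wg_key KEY -> 0 if KEY is a well-formed WireGuard key, 1 otherwise.
is_wg_key() {
  local key="$1" n
  [ "${#key}" -eq 44 ] || return 1
  case "$key" in *=) ;; *) return 1 ;; esac
  n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ') || return 1
  [ "$n" -eq 32 ]
}

# key_file_mode_ok FILE -> 0 if FILE is mode 0600, which is what `umask 077`
# before `wg genkey` produces and what the template tasks set for wg0.conf.
key_file_mode_ok() {
  local mode
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
  [ "$mode" = "600" ]
}

# lint_wg_conf FILE -> 0 if FILE looks deployable:
#   * no un-rendered '{{ ... }}' Jinja2 markers left behind
#   * [Interface] has a valid PrivateKey, or a PostUp that loads one from a
#     file (the client template's `wg set %i private-key ...`)
#   * every [Peer] has a valid PublicKey and an AllowedIPs line
#   * the file is mode 0600
# Each problem is reported on stderr; the return code is 1 if any was found.
lint_wg_conf() {
  local file="$1" section="" line k v errors=0 have_priv=0 pub=0 allowed=0
  [ -r "$file" ] || { echo "$file: not readable" >&2; return 1; }
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"                           # strip comments
    line="${line#"${line%%[![:space:]]*}"}"       # ltrim
    line="${line%"${line##*[![:space:]]}"}"       # rtrim
    [ -z "$line" ] && continue
    case "$line" in
      *'{{'*) echo "$file: un-rendered Jinja2 marker in: $line" >&2; errors=$((errors + 1)) ;;
    esac
    case "$line" in
      '[Interface]'|'[Peer]')
        if [ "$section" = Peer ] && { [ "$pub" -eq 0 ] || [ "$allowed" -eq 0 ]; }; then
          echo "$file: a [Peer] block lacks PublicKey or AllowedIPs" >&2; errors=$((errors + 1))
        fi
        section="${line#'['}"; section="${section%']'}"
        pub=0; allowed=0
        continue ;;
      '['*)
        echo "$file: unknown section $line" >&2; errors=$((errors + 1)); continue ;;
    esac
    k="${line%%=*}"; k="${k%"${k##*[![:space:]]}"}"     # key, right-trimmed
    v="${line#*=}";  v="${v#"${v%%[![:space:]]*}"}"     # value, left-trimmed
    case "$section:$k" in
      Interface:PrivateKey)
        if is_wg_key "$v"; then have_priv=1; else
          echo "$file: PrivateKey is not a valid key" >&2; errors=$((errors + 1)); fi ;;
      Interface:PostUp)
        case "$v" in *private-key*) have_priv=1 ;; esac ;;
      Peer:PublicKey)
        if is_wg_key "$v"; then pub=1; else
          echo "$file: PublicKey is not a valid key" >&2; errors=$((errors + 1)); fi ;;
      Peer:AllowedIPs) allowed=1 ;;
    esac
  done < "$file"
  if [ "$section" = Peer ] && { [ "$pub" -eq 0 ] || [ "$allowed" -eq 0 ]; }; then
    echo "$file: a [Peer] block lacks PublicKey or AllowedIPs" >&2; errors=$((errors + 1))
  fi
  [ "$have_priv" -eq 1 ] || { echo "$file: no PrivateKey and no PostUp that loads one" >&2; errors=$((errors + 1)); }
  key_file_mode_ok "$file" || { echo "$file: mode is not 0600" >&2; errors=$((errors + 1)); }
  [ "$errors" -eq 0 ]
}
```

Run lint_wg_conf against the file Ansible rendered (on the host, or on a local copy) before bringing the interface up: wg-quick’s own errors are less specific, and on the client a failing PostUp ping tears the interface back down, so it pays to know beforehand whether the peer block and the key are actually right.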

Reloading the Server Config

If we run the playbook, the config file on the server will be updated with the new [Peer] section, but the WireGuard interface is already running and configured based on the old file contents. We need to reload the configuration when it changes. Handlers are the Ansible-provided mechanism for this, and they trigger when a task referencing them changes. Handlers run at the end of the play in which they’re notified, so many tasks could notify a “reload config” handler, but the handler would only run once at the end. Let’s create a couple of handlers in a handlers list after the tasks lists in playbook.yml and notify them from the create client wireguard config and create server wireguard config tasks:

# ...
    - name: create client wireguard config
      template:
        dest: /etc/wireguard/wg0.conf
        src: client_wg0.conf.j2
        owner: root
        group: root
        mode: '0600'
      notify: restart wireguard
  handlers:
    # Restarts WireGuard interface, loading any new config and running PostUp
    # commands in the process. Notify this handler on client config changes.
    - name: restart wireguard
      shell: wg-quick down wg0; wg-quick up wg0
      args:
        executable: /bin/bash

- name: setup vpn server
  hosts: vpn_server
  tasks:
    # ...
    - name: create server wireguard config
      template:
        dest: /etc/wireguard/wg0.conf
        src: server_wg0.conf.j2
        owner: root
        group: root
        mode: '0600'
      notify: reload wireguard config
    # ...
  handlers:
    # Reloads config without disrupting current peer sessions, but does not
    # re-run PostUp commands. Notify this handler on server config changes.
    - name: reload wireguard config
      shell: wg syncconf wg0 <(wg-quick strip wg0)
      args:
        executable: /bin/bash
# ...

The template Ansible module only performs an action and marks the task as changed if the config file changes — it is idempotent. Idempotence is valuable when used with handlers, because the handler will only run when the task changes. Notifying a handler on a task that isn’t idempotent may result in the handler always running (e.g. a service is unnecessarily restarted every time the playbook is run).

Start the VPN Client

Add one final play to the end of the playbook to start the client VPN now that the server is configured to accept its connection:

# ...
- name: start vpn on clients
  hosts: localhost
  connection: local
  become: yes
  tasks:
    - name: start vpn
      command: wg-quick up wg0

One caveat: the command module is not idempotent, and wg-quick up exits with an error when wg0 already exists, so this task fails on a repeat run where the interface is still up. If you intend to rerun the whole playbook, guard the task with the command module’s creates parameter pointing at /sys/class/net/wg0, which only exists while the interface is up.

Automation Complete!

Now we can run the whole playbook and — whether the server and client are brand-new or in some intermediate state — this single command will set up a WireGuard VPN server and client!

ansible-playbook -i inventory.ini --ask-vault-password --ask-become-pass playbook.yml

The complete Ansible code can be found at: https://gitlab.com/tangram-vision-oss/tangram-visions-blog/-/tree/main/AnsibleVpnSetup

There are many improvements that could be made:

  • Provision a cloud server automatically, using an Ansible module such as community.digitalocean.digital_ocean_droplet.
  • Automatically update a floating IP address when provisioning a new cloud VPN server.
  • Configure multiple clients automatically. One approach is to add a vpn_clients group to the inventory, define VPN IPs in the inventory (e.g. vpn_ip=10.0.0.8), and use those host variables in the config templates. When templating the server config, loop over hostnames in the clients group, adding a new [Peer] block for each.
  • Organize the playbook as roles, one for the server and one for the client. Roles are more reusable and shareable than playbooks.
  • Test and lint with molecule and ansible-lint.

Thanks for joining me on this Ansible-learning journey! If you have any suggestions or corrections, please let me know or send us a tweet, and if you’re curious to learn more about how we improve perception sensors, visit us at Tangram Vision.

Previously published here.

Source: https://hackernoon.com/how-to-automate-your-vpn-setup-with-ansible-nl3133ri?source=rss


Gary explained to me very briefly about the application they are using, omitting crucial details and saying “trust me, you don’t need this info, we need more repositories”. You could say that I was very naive.

That seems good to me…

Back then, I was making decent profits instantly. We had a few trading sessions together for two months. Over time, he started to take control of my account transactions and I followed his lead, not asking anything because I knew he wouldn’t respond correctly. A few days later, the agent reached out to me via WhatsApp regarding a new opportunity emerging due to the announcement of the US election. Gary offered me a zero risk plan so that we could increase my earnings. I confirmed it, and we did make a little more profit.

At the time, my account was showing a profit of $ 5,129 from my initial deposit. I wanted to request a withdrawal of $ 1000 and it was returned to me without a problem. I remember I was quite surprised. I thought to myself, “How could I not find this forex trading company before?”. A month passed, and I reconsidered depositing an additional $ 15,000. Then I got promoted for what the company calls “platinum membership”.

So you claim that you had no problem withdrawing funds from the trading account?

Not at all. As I mentioned, everything went well at first. Honestly, it looked like Gary was doing a good job.

Continue Reading

Forex

Vestle Review 2021 – CySEC Broker Or CySEC Scam?

Avatar

Published

on

 

Description: Can you be scammed by Vestle broker? Read our comprehensive Vestle review covering the most important information about the broker.

Whether you have or plan to have an account with this broker, this Vestle review is something you must read

Regulated by: CySEC
Headquarters Country: Cyprus
Foundation year: 2015
Platforms: Web trader
Instruments: FX, commodities, shares, indicies, crypto, ETFs

Is Vestle a legit broker?

Over the years, many clients had a terrible experience with CySEC regulated brokers. Therefore, we decided to check few things in our Vestle review. 

For a start, is Vestle regulation a real regulation or yet another attempt of a regulated company to have an off-sight brand. How the broker operates, and the odds that it will steal your money. Let’s start.

 Vestle Regulation and Security

Vestle is a brand owned by iCFD Limited, regulated by CySEC. The company was formerly known as iForex Ltd. Whenever the broker changes its name, there is a reason for that. And usually, the reason is hundreds of unsatisfied traders and bad reviews. 

When it comes to funds, allegedly, every payment method the company uses is supervised by another EU country. It seems that the broker just listed all the countries where payment providers are based.

What can you trade with a Vestle broker?

Vestle is a broker that provides a high range of trading assets. Clients can trade with currency pairs, commodities, indices, shares, cryptocurrencies, and ETFs. There are over 900 assets available.

All the trades are executed on the web trader of a broker called FXnet. This type of trading platform is always riskier than trading with MT4 or MT5. Every experienced trader prefers MetaTrader in the first place because of security reasons, but also because it has more features. Unfortunately, the broker does not have a Demo account, so we couldn’t test the web trader and decide if it’s good or bad. Besides the web trader, the broker also offers Vestle mobile, its own app for Android and iOS devices. 

When it comes to leverage, it’s limited by CySEC rules. The highest leverage is 1:30 for currency pairs.

 

 

Deposit and Withdrawal Methods

When we talk about funding the account, there are several methods available. The client can deposit using debit/credit card, wire transfer, and few E-wallets. For card deposits, funds are visible instantly, while for wire transfers and E-wallets takes up to 5 business days. The same methods are available for withdrawals; only it takes up to 10 business days for the money to appear on the client’s account.

As per our Vestle review, it seems that the broker has issues with double charging. Many clients of this company complained that they see the double transaction in their bank statement. 

When it comes to the deposit amount, Vestle keeps it hidden. Nowhere on the website, you cannot find the list of account types and deposits necessary. It seems that after you get a call from their support, they will evaluate your financial situation and require a certain amount of money from you.

The same thing can be said about commissions and fees the broker is charging. We were unable to find this list anywhere. This looks bad for the Vestle broker. As a CySEC regulated broker, it should be very transparent when it comes to money.

Conclusion about Vestle

Based on everything in our Vestle review, we can say next. The broker shows a low level of transparency about fees and costs. The trades are executed on the web trader, easy to manipulate and change market prices. Even though the company is in the CySEC register since 2015, on the website of Vestle, there is a claim that they are operating for over 15 years. Now, it opens two questions: were they working unregulated or misleading clients to believe they are joining a long-lasting company. Whatever the answer is, a broker should not be proud to publish it.

After saying all this, we will leave it to you to decide if Vestle is a good broker or yet another CySEC scam.

 Source : Plato

Continue Reading

Forex

New method of investment: Copy trading, or copy trading as it was originally called

Avatar

Published

on

These are busy days for those who have a certain level of savings in the economy. Because already sharp movements occur in the Turkish lira because of their very high rates of investment to translate the uncertainties in Turkey in recent times with a certain amount of savings. This enables people to turn to different investment methods.

If you are looking for a dynamic investment method and still do not know where to start, we will have a profitable suggestion for you. A type of investment, originally called “Forex copy trading”, and another name that can be translated as copy investment in Turkish is social investment. It can be a good entry-level choice for those who do not know exactly how and how to invest in investment vehicles.

The basic logic of copy trading is to imitate the investments of successful investors in the exchange you want to enter. It’s that simple. Anyway, the name of this investment concept is therefore determined as copy investment.

According to one of the studies conducted in recent years, this type of investment is increasingly taking up a place in the market. The copy investment market will reach an amount of € 70 billion by the end of 2025, according to researches.

To start copy trading, the first thing to do is to choose a reliable and profitable investment platform. At this point, the next step in choosing a reliable investment platform is  Forex Copy Trading

that is, to be able to follow reliable investors for copy investment. Therefore, the choice of platform is very important at this point.

A Close Look at Copy Investment

In short, it is important that copy investment or social investment platforms allow experienced investors to copy their investments directly. Here, when you find such an investment exchange, the investment made in this way is also called “auto investment” because you invest your own account directly into the account of the experienced investor.

You can invest in the form of copy investment in the BIST 100, crypto money exchanges and even foreign exchanges. It is a method that can be followed even for foreign currency deposits. However, it will require serious research at the stage of determining the investors you will follow in the first place.

How Exactly to Invest in Copy?

In fact, there are two popular ways to do this.

Following the Investors’ Strategies One to One

Whichever exchange you are investing in, you can learn the investments made by the really experienced names of that stock exchange with a good research and make these investments one by one.

Benefits:

Simple System: The investment you will make in this way will be a very simple and easy-to-use investment type. This is the reason why it is called auto investment as a type of investment that you can directly imitate the investments of expert investors in the field.

Flexibility: You can follow this type of investment from any digital device. It is a very flexible method as you will do the same no matter where you are, as soon as you hear about the direct investment of the person you follow, as there is no subject to think about.

Choosing a strategy is very easy: All you have to do is find the best in the field with the right research. Once you find it, it will be very easy to determine your strategy.

Transaction Fees: Most successful traders will charge you a certain fee to return their investments. These fee claims create an additional cost. However, you can manage your funds with the confidence that there will be no additional fees or expenses for the investment.

Let others follow your investment. For this, create an investment strategy.

Here you will be the one followed. Of course, this has certain advantages and disadvantages.

Your strategies will directly affect the market: Since you will be the person who will determine the strategy, whatever strategy you follow, the strategy you will follow will be a strategy that will affect the market completely.

You will also get the reward for your labor outside of profits: In this way, you will have to spend all your work on this work. However, you will get more than your followers for your efforts.

You will set the rules of the game: However, doing these operations will require both very serious experience and serious work.

Of course, it would be useful for you to carefully investigate whether there is a method to follow completely. However, it is possible to say that you can carry out such transactions with peace of mind with detailed analysis on the leading quality investment and stock exchange platforms such as AMarkets.

 

 

Continue Reading

Coinpedia

Ethereum Price Smashed $2000, $3000 Incoming At Lightning Speed!

Avatar

Published

on

Ethereum Price (ETH) May Hit $10,000 This Cycle!

The Ethereum price that is known to maintain a stable price movement, finally broke the previous ATH to form a new one. It took more than a months time to regain its lost position above $2000, yet sustained successfully. 

Advertisement header-banner-ad

The price took more time than expected to break the $2000 barrier, yet $3000 may be approaching at rocket speed. As predicted by founder of Gokhstein Media, David Gokhstein, the next stop for the ETH price is around $3,900. 

With the continued bullish trend and intensified rally, the price is expected to surge to the highest levels. According to an analyst and Crypto Youtuber, Young and Investing, the Ethereum price may hit $10,000 within the current bull run.

With the accelerated bull run, many analysts believe Ethereum could lead the market instead of Bitcoin too. Therefore providing a huge opportunity for the altcoins to boom within the ETH bull rally. 

Is Altcoin-Season On the Cards?

Many altcoins normally pop-up with the surge in the price of the second dominant crypto Ethereum. Currently, ETH price is trading around its new all time high around $2152 and expected to fly high. Therefore, many small cap altcoins are expected to rise from ashes and pump more than 50x or even 100x also.

Many analysts believe the Altcoin Season of 2021 is on the way and is expected to be the greatest season ever. According to a popular analyst, XRPcryptowolf, the season will reach its peak during the summer.

Moreover, the coins which are believed to be dead or not performing are also expected to rise. One of the analysts, MC also has given a brief idea on which all coins might pump in the current AltSeason.

Collectively, the breakout of Ethereum price has led to initialization of the most awaited AltSeason of 2021. The ETH price rally is expected to intensify in the coming days, that might smash $10,000 soon.

Checkout PrimeXBT
Trade with the Official CFD Partners of AC Milan
Source: https://coinpedia.org/ethereum/ethereum-price-to-surge-to-3000-soon/

Continue Reading
Esports2 days ago

Free Fire World Series APK Download for Android

Esports5 days ago

DreamHack Online Open Ft. Fortnite April Edition – How To Register, Format, Dates, Prize Pool & More

Esports5 days ago

Hikaru Nakamura drops chessbae, apologizes for YouTube strike

Esports2 days ago

Dota 2: Top Mid Heroes of Patch 7.29

Esports14 hours ago

Overwatch League 2021 Day 1 Recap

Esports4 days ago

Ludwig Closes Out Month-Long Streaming Marathon in First Place – Weekly Twitch Top 10s, April 5-11

Esports4 days ago

Position 5 Faceless Void is making waves in North American Dota 2 pubs after patch 7.29

Esports5 days ago

Apex Legends update 1.65 brings five new LTMs for War Games

Blockchain5 days ago

Which crypto exchange platform is faster, coin transfer or Godex?

Esports5 days ago

Complete guide to romance and marriage in Stardew Valley

Esports4 days ago

Wild Rift patch 2.2a brings tons of champion changes and the addition of Rammus later this month

Esports4 days ago

Fortnite: Patch Notes v16.20 – Off-Road Vehicle Mods, 50-Player Creative Lobbies, Bug Fixes & More

Esports5 days ago

LoL: MAD Lions Are The New Kings Of Europe, Is The Reign Of G2 Esports And Fnatic Finally Over?

Esports5 days ago

TenZ on loan to Sentinels through Valorant Challengers Finals

Esports4 days ago

Fortnite Leak Teases Aloy Skin From Horizon Zero Dawn

Blockchain4 days ago

Bitcoin Preis steigt auf über 60.000 USD, neues ATH wahrscheinlich

Esports3 days ago

Capcom Reveals Ransomware Hack Came from Old VPN

Esports5 days ago

flusha announces new CSGO roster featuring suNny and sergej

Esports4 days ago

Epic Games Store lost $181 million & $273 million in 2019 and 2020

Esports14 hours ago

C9 White Keiti Blackmail Scandal Explains Sudden Dismissal

Trending