githubixx/ansible-role-wireguard

manage firewall if present and active

leggewie opened this issue · 4 comments

Hi, first of all, thank you very much for your work on this. Many people have profited.

I'd be surprised if this never came up before, but one issue that I ran into while deploying this on some of my servers out there was that one of them had a firewall running, ufw to be precise. Do you agree it might make sense to open the respective wireguard_port on all hosts by default?

ypid commented

If I may jump in, I think the issue is that there are many different ways to manage host firewall rules on Linux. That is the reason we at DebOps "outsourced" this to individual roles. See https://docs.debops.org/en/master/dep/dep-0002.html#ansible-role-dependencies for the concept. My fork of this role supports ferm (https://github.com/ypid/ansible-wireguard/blob/prepare-for-debops/docs/playbooks/wireguard.yml). DebOps is working on firewalld support with this concept.

@leggewie I'm a fan of "one role, one task" 😉 Like all the Unix/Linux tools out there. For managing firewalls I created this role: https://github.com/githubixx/ansible-role-harden-linux (which also uses ufw). But there are other roles out there of course that do OS hardening or manage firewalls. But you don't even need that because you can use wireguard_postup or wireguard_preup to execute ufw or iptables. These variables are also mentioned in the README. I hope this helps.

@githubixx I very much agree with your principle to focus, to do 1 thing and do it well. But the question is, what is that 1 task in the case of ansible-role-wireguard. Is it simply to deploy some configuration (output) vs. is it to get a working setup (outcome)?

@leggewie Not sure if I get you right. This role provides everything to get a working setup. There is no reason to add firewall support to this role. People have lots of choices: iptables, ufw, firewalld, pfSense, ... to name just a few. It makes no sense to implement them all. Just because I use ufw it doesn't mean everyone else should do so 😉

But still that's not really an issue. As already mentioned in my previous comment, nobody prevents you from using something like this (which is also mentioned in the README of this role):

```yaml
wireguard_preup:
  - echo 1 > /proc/sys/net/ipv4/ip_forward
  - ufw allow 51820/udp
```

This is all you need for a given host to open the default WireGuard port 51820 for protocol udp if you want to use ufw as your firewall frontend. The README also contains a different example for iptables. So users can decide if they use a different role to manage firewall settings (which I'd expect a lot of people do) or do it via wireguard_preup or wireguard_postup.
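The following is an added example playbook, not code from the role's README or from anyone in this thread. It shows the approach described above applied to two host groups, one running ufw and one running plain iptables, and also closes the port again when the interface goes down. It assumes the role is installed from Galaxy as `githubixx.ansible_role_wireguard` and exposes `wireguard_port` plus the hook lists `wireguard_preup` and `wireguard_postdown` (check `defaults/main.yml` of the role version you use); the inventory groups `vpn_ufw` and `vpn_iptables` are hypothetical.

```yaml
---
# Added example (not the role's own code). Assumptions: the Galaxy role name
# githubixx.ansible_role_wireguard, and the role variables wireguard_port,
# wireguard_preup (PreUp hook lines) and wireguard_postdown (PostDown hook lines).
# Inventory groups vpn_ufw and vpn_iptables are hypothetical.

- name: WireGuard hosts whose host firewall is ufw
  hosts: vpn_ufw
  become: true
  vars:
    wireguard_port: 51820
    wireguard_preup:
      - sysctl -w net.ipv4.ip_forward=1
      # "ufw allow" is idempotent: re-running it reports the rule already exists
      - ufw allow {{ wireguard_port }}/udp
    wireguard_postdown:
      # ufw rules persist across reboots, so remove the rule when the tunnel goes down
      - ufw delete allow {{ wireguard_port }}/udp
  roles:
    - githubixx.ansible_role_wireguard

- name: WireGuard hosts that use plain iptables
  hosts: vpn_iptables
  become: true
  vars:
    wireguard_port: 51820
    wireguard_preup:
      - sysctl -w net.ipv4.ip_forward=1
      # "iptables -C" tests for an existing rule, so bringing the interface up twice
      # does not insert a duplicate ACCEPT rule
      - iptables -C INPUT -p udp --dport {{ wireguard_port }} -j ACCEPT || iptables -I INPUT -p udp --dport {{ wireguard_port }} -j ACCEPT
    wireguard_postdown:
      - iptables -D INPUT -p udp --dport {{ wireguard_port }} -j ACCEPT
  roles:
    - githubixx.ansible_role_wireguard
```

wg-quick hands each PreUp/PostDown line to `sh -c`, which is why the `||` guard in the iptables variant works. The `sysctl -w` form does the same as `echo 1 > /proc/sys/net/ipv4/ip_forward` but is also what you would put in `/etc/sysctl.d/` to make it permanent. Hosts that manage the firewall with a separate role (harden-linux, ferm, firewalld) should simply leave these hook variables unset so two mechanisms do not fight over the same rule.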