Add AmneziaWG support with DPI obfuscation

- Add new AmneziaWG role with Ubuntu 24.04 DKMS support - Implement clean installation method for both Ubuntu 22.04/24.04 - Add obfuscation parameters for Deep Packet Inspection bypass - Configure AmneziaWG subnet (10.65.65.0/24) and port (58888/udp) - Update network role to include AmneziaWG in firewall rules - Add user management playbook for AmneziaWG - Update vault.yml.example with AmneziaWG peer configuration - Document project architecture and commands in CLAUDE.md 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-14 17:30:34 +03:00 · 2025-09-14 17:30:34 +03:00 · d3cdfc4a6f
commit d3cdfc4a6f
parent 5e2dc3602b
12 changed files with 353 additions and 72 deletions
--- a/CLAUDE.md
+++ b/CLAUDE.md
@ -0,0 +1,61 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Architecture Overview
+
+This is an Ansible-based infrastructure automation project for deploying and managing a VPS with multiple VPN services and web proxies. The project uses Ansible playbooks to configure:
+
+- **VPN Services**: OpenConnect (ocserv) with multiple instances, WireGuard
+- **Web Infrastructure**: HAProxy load balancer, Nginx reverse proxy with SSL termination
+- **Security**: Fail2ban, automated Let's Encrypt certificates
+- **Network Configuration**: iptables rules, port management, reverse proxy setup
+
+## Key Commands
+
+### Main Deployment
+- `ansible-playbook site.yml` - Deploy full infrastructure stack
+- `ansible-playbook update_vpn_users.yml` - Update VPN user configurations only
+
+### Configuration Management
+- Encrypted variables stored in `group_vars/all/vault.yml` using Ansible Vault
+- Plain variables in `group_vars/all/vars.yml`
+- Vault password file configured at `~/.vault_pass`
+
+## Project Structure
+
+### Core Files
+- `site.yml` - Main playbook orchestrating all roles
+- `inventory.yml` - Defines target hosts (uses vault variables for IPs/credentials)
+- `ansible.cfg` - Ansible configuration with vault settings
+- `update_vpn_users.yml` - Dedicated playbook for VPN user management
+
+### Roles Architecture
+The project uses a modular role-based structure in `roles/`:
+
+- `base_system` - Base system configuration and hardening
+- `wireguard` - WireGuard VPN server setup
+- `ocserv` - OpenConnect VPN server with multi-instance support
+- `certbot` - Let's Encrypt certificate management
+- `certbot_renewal_config` - Certificate auto-renewal configuration
+- `haproxy` - Load balancer configuration
+- `nginx` - Reverse proxy with SSL termination
+- `network` - iptables and network rules
+- `fail2ban` - Intrusion prevention system
+
+### Configuration Variables
+Key configuration patterns in `group_vars/all/vars.yml`:
+- `vpn_subnets` - CIDR blocks for different VPN networks
+- `ports` - Centralized port management (external/internal)
+- `domains` - Domain mappings for different services
+- `reverse_proxy` - Backend service configuration
+- `ocserv_instances` - Multi-instance VPN configuration
+
+## Development Notes
+
+- The playbook requires Ubuntu 22.04+ and includes OS version validation
+- Multi-instance ocserv configuration allows separate VPN endpoints with different policies
+- Network configuration supports NAT masquerading for VPN subnets
+- SSL certificates are automatically managed via Let's Encrypt
+- The system includes automatic reboot after full deployment
+- Reverse proxy setup enables hosting multiple services behind a single public IP
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@ -3,6 +3,7 @@ vpn_subnets: # CIDR notation, these subnets will be added to iptables rules (mas
  ocserv_personal: "10.67.76.0/24"
  ocserv_friends: "10.68.68.0/24"
  wireguard: "10.66.66.0/24"
+  amneziawg: "10.65.65.0/24"

 # Network ports configuration, used by all playbooks
 ports:
@ -16,6 +17,9 @@ ports:
    wireguard:
      port: 58889
      type: udp
+    amneziawg:
+      port: 58888
+      type: udp
    http:
      port: 80
      type: tcp
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@ -1,73 +1,82 @@
 $ANSIBLE_VAULT;1.1;AES256
-35623738366664313366393061313930376133326136653139616632346365333261383831386264
-6439626663383161643362353533613139663130643135610a346265356234333438626137366261
-66326564393433386430643964316330313666393039626633336536323237623466666335373031
-3534633633346661640a663461613461616465343031383334376661613235613934666132663039
-33353432323263633634393031643266356337636331323130346133663635653838393264356535
-32616362343463626537323165663039373765323064333836626264633535346539646333663330
-66386533356439633333663663353334343735336161623965623036653635313530343034643834
-65363636363431303039663763626437303731363634643934363534396661316330333533663033
-30386561613363643736363436613935343830656332396539313132626539396632666430356134
-66623663386161376538306434356162316631633538653830636234353961393766633733396535
-31316236613065386338666332653531333937653434336638323635623438303962353333356132
-66333166323763336265343932633437343062363661386434646466653063313264623737323238
-37353666316432366465636237613062663833653538643362346437616137363331346165336138
-38343166616131343434356362663834386639363262623666353837656535316266396661663938
-62633332373534383039656562376264646331333934613438636463636463393438356131616639
-34626231633664363938353861303632633734333530613533623339373634326162303638336138
-34663135386432646236313362633164326239373932303830393036393930306336333261323238
-37333864306634306530613766376130656436346231393335383930613731333335616139663038
-63303561663833306631336533623236343337643734393938303666353938336665636361633137
-36353562353630323836623163303062646662616362366537356336303065376164613766323966
-65373966316165363735346332646339646133363433666363346464613830663366313034633338
-39613466656666653738663731396236613930336362346636363431643166653337303636663361
-66623730333433383964326161613565353434343962356662613561636564646263336563373061
-33333361623166363239383365313261373137623961333838666661656563626530393965643137
-64343430666366333233663264666466656232396465646237623934373563623336343665653263
-37663730373561393065353031663463316336346435666166666661623838316530346565663838
-65613036353866316436396336373866333038663363393564393337346466643433346534633462
-33616537663734646333313830353039663265393033623065333831333632363237313664343132
-30633566316230386663383161326630626565393830343937356331313536363964386635643336
-65306263353635653432343261613135626230626530323364386335623738623439396531386137
-32353935653964613462623562626465336631323434653265653634643930323562656533343237
-62333330313039613032636662653565396139623532623766313337356633323865316632303537
-64393863333539616233626238623637633932363961336264306666336463666662633862376530
-65306539336632303234666139336639303363353331303566633762363439373863666431386535
-37643139323733666137353832376664326561306637646238363662663036373537356463333035
-66653362623737643233336230343165613437316538643862623531313139363931656366653838
-66633738343562303666663435356663353235623464306663646233653232363238363636363938
-31343265343131623164653037623838653334323739613132616233396331343532353065333764
-65396135623235373731666361396266626362376465643932643663663830613131393931623366
-63343630636165333031333535306539663866653764366535623564613734346132333031653732
-33386539303166323737396336346537366361633239303134663738383132333265636130343239
-65383735316362326631663634623531646435303866663833633639633363653664633030333361
-39313166656235303336663638353935633062333132326365646665383163623962653238363365
-66343562316362343835626661653038396631393536666164386233373363323330383066303665
-38633431376261386633663738326561383430313334363633626263336463643039333132386231
-30656265666533636132356638373164366430353266383766616138643465626662373765663438
-64323362626463363435343761643834643631373734663631376164663866383961303063633330
-34383035383036373135663839306535303561646137663864393937346137386238623235316237
-36636332373237376239613162663938616163643033646538393163656166623766613839373861
-37366463303930633731366235633230316630633763316339383463303933393030633162356663
-63623065646565323732636638356539383064633838376130376535386638323032633335666166
-33666335393164316233353331313166613631643336663563396565623639613737303662666533
-39346564616563333763323434363231383639383731383561313563633836343038323666303365
-36633939336366323932313438616635616630346563396266666262646364396665636130343535
-38626133626534373666396136373865643839313433653164386639316465653837396233656431
-30666234396333373530343261383731636131326138373632633963643065633162383833656363
-66373764373731626536386430363463626363343966626434313337663435346261363365303033
-62653661333662376162396264633762333465386461363432643938396534666239313135313165
-34643830613032313265393833303636386631643262313935376133373932333162363631636535
-66633662366339303436313837643833623531666566363531393964366562323130333634663635
-64323862633666306530626632396639396639343932396439653064353865656462663635663462
-64323238646633383735653962323537303466333033313933663234636263313262663938363832
-37613762656234396234333038383931633031366334353138383939333765313162316666393035
-31626235623039383263353932333862636235313935393535666430343863343438396565343634
-64663964633831616661306139313363376538643135343363636464306165393133623134393534
-35373962343837333731653361316530383739616138643136626439643762666230303963666662
-39323337656430346538363266316462303136626230313832656635336437646530323439616439
-31336464646136626332363538346662343765366237363632333238666263386134623761393961
-62323535316534653738643835373266663335353064313862343134636466646635336133323661
-64646133313434653162656636343832613433393130623665313035363432303432613837663234
-37626437643861333664343763346135383263323634663734343063623834616165373766356335
-63316261653866366134
+37636630316634613663386563393166316166373331656362383630336165326534393031366531
+6238623530356634346461336435343934356264646661310a336661313962383165313633383137
+63353237333966376237343633363831376362383061343432353637663361646137613162353830
+6464356134323831390a363438653430333361623165623734326236306165343764653739663435
+37613133663732353237666366306365643064623031616236386239386230386163313432326465
+36313535636639343238613264343831366235363262316138333662333562313531323536393263
+34663066323262656132623861346266363038626339323834313338666435373866613166346361
+36336665383165373236316437663036373663323162323064316531346462333732323638666663
+38306337306130393431353662653561353731353265393032623135343563326562626462346133
+31613531623965303732643162613732393561373666376534633935623266323835646666666137
+37383931633133613634376538316234623437343134313434386433323633623666313332353565
+34646437353138323165613035306230316331656331643761386437363637666630353964343166
+30626235616261653833346365316630353430386566303536323937623534386164363539396532
+33663831396531623430396230373865376461663063623731623131303866613436366265316537
+63336633623364633165313239643531643461653466653237633564323131616639626339393734
+64306135613436373333373534393039656636633864656461353565366361383331656464643035
+39366433623236643535663339643437346332393262653938636135616139623932383235333732
+62326265303937613537363033373930336663366162643635383464656636376166353764343337
+30363931386665656364303232366236376364353930643165333263636235323634346636393461
+31386564356133346531363637666461356639366462336430633838386538316630643336343139
+37316134383135373739666534633162393563366262633664666331633638316162343463656539
+61373236336139363836323865343133353862393261366330666564343133323065386637613534
+63313131643839356237356135663930356334646230323966356565383864636164303763643865
+34343239646365303439643932383765323131636430666130316530303137636661353038356132
+65346232363934653362376366366634633362363863313362386364353861633261383861383963
+62323235363137333066636431636330653134373034366566326433353462663232313861623935
+61386262653765353736666364623862663533393934653334663137333464366561343138623035
+62626363386366646139623530313837313032346164383065646537663661616437393661306264
+32343032336661623561323166363132383663373436323434663163323264633737303865636462
+66353531613834646461636161386135316637353961313738316233393037363165633063396566
+37376633396264306330393165346337323937303265343163306564616266363932316437323130
+64303231386233316264333730633738373130336538616166326463653430636539316464616364
+33623938393436366164353230363030623137373632323437343266626263396438643437656633
+36663831336361346334346133653437376439346536633338646533653830313430333034623661
+30303263376133383836333264623733353336653338613263303164376264653030353966346162
+30646566313165393663383733313732353330393565636266616366613963383339363337653533
+64343036386566396434393264666663333565356133653133646661306331313934623038393430
+64623133313232306537643134666465313234663631303564316537303331373566386434316238
+63656461353339306331366665353965303437626132316332666137333234616162376565323164
+37396562653334386235643139666261346130656538633633626166383662353563353766633932
+34343161343463663037623935343961303831313464373936383431626239356331353866336538
+61626330396537353863373263336464356639353030343931326532306338376339653935666363
+63363430313435343431343564396532626537663031396135633365323864323166316361336535
+32633564386166313332616434633539303764326530656631366361356639353236383336613662
+61623633366433396631636136653433636531363833343234336533313366373763333638393131
+30313338666536336434613635636663333566393266346262393236303965356138333039663831
+35333031326264373535393631356633336135643264336633333739316332343236393430353063
+64366436656230353961343862616632316136633035623830306136653864623166663936393435
+32303063653463653665333139323165633061663630613630323437393839646466626563303631
+37383439623664626332393137616339636137373330336335646338336335363663346361626134
+37353332333736323733643736353930363366663163663733666336373935326333373734623362
+30623938303764386638326533373939393364656161303661643030643165343130646431346132
+38336566306663353137643465616230303839633430326634356161383361363932386266643738
+36376639623964316135633638633361656439343165316631666536653439363036396535396130
+32666131383633383334333332393266613634306134383264333665373933623535353630353266
+34623663333135386463356638373766643963353962623436373836656662303232393939326239
+34616133363665373333643531316334396634626336353035303730313166343634363437353830
+64393064333930333935663462663530636638643833343930376431326162313036643564666133
+35333965643564613230643839666639623030313265303930383664626130343830323061313338
+61346335636266313166396336616465653836663537653762633331336565643765316262336332
+30323761346538643561363634363666626435316239386535626466346239333736343332343338
+30646564323230383731623532646632326165623034663665643837353138333430643365376336
+62643830356331626331306635666464386162643366353332616338343662386663383233653632
+35383831346133653864353839643731643639633561623033366130646166623231303366353031
+32343566393632323266393464336339303434663066663036383034656433303135643363306331
+62393433313730316636383531343632386464656163323863383765346237646165633438616135
+36633434653039396333373731656563333062633638356565393164326334646362376463346636
+30326633666634373361663837336535633162633462623132303666346133313237626164646631
+34376538663864343336326662633766646331356466366662633563386265333465646138643633
+35306535366266333635643338363635316366363730343461396438353666313763643065316431
+64313537623135663032313763383132373430653833356630663866313965323963333661393163
+65646232316636323062373332626430656562663338343864666138393431366365643234666435
+36393733353864393735353165653739353833343362343333326663633039636466666333663433
+37336432623136326663623663353938326337613331363433353431316664313030313932386235
+62666331393435616536633261313366346438366536306431323734356333306564623939636539
+37313066356162663439623039373935623130393563366338636562316237616139393639313136
+39396161343063383432343035353035653136306339393863393262343862323065626562643930
+62313862663733363732336236366634643935396265313438306662363437306161383138313734
+30663131656231346635643433643362363961396337313038663434366630363364343830353935
+37613033396137393963373866356633363166633464346665303737333836323962333964353139
+3431
--- a/group_vars/all/vault.yml.example
+++ b/group_vars/all/vault.yml.example
@ -25,4 +25,18 @@ wireguard_peers:
    private_key: "key"
    public_key: "key"
    ip: "10.26.66.2"
+
+amneziawg_peers:
+  - name: "nova"
+    private_key: "private_key_generated_by_awg_genkey"
+    public_key: "public_key_generated_by_awg_pubkey"
+    ip: "10.65.65.2"
+  - name: "phantom"
+    private_key: "private_key_generated_by_awg_genkey"
+    public_key: "public_key_generated_by_awg_pubkey"
+    ip: "10.65.65.3"
+  - name: "mobile"
+    private_key: "private_key_generated_by_awg_genkey"
+    public_key: "public_key_generated_by_awg_pubkey"
+    ip: "10.65.65.10"
 
--- a/roles/amneziawg/defaults/main.yml
+++ b/roles/amneziawg/defaults/main.yml
@ -0,0 +1,19 @@
+amneziawg_interface: "awg0"
+amneziawg_address: "{{ vpn_subnets.amneziawg }}"
+amneziawg_port: "{{ ports.external.amneziawg.port }}"
+amneziawg_private_key_path: "/etc/amnezia/amneziawg/private.key"
+amneziawg_public_key_path: "/etc/amnezia/amneziawg/public.key"
+amneziawg_config_path: "/etc/amnezia/amneziawg"
+amneziawg_clients_dir: "/etc/amnezia/amneziawg/clients"
+
+# AmneziaWG obfuscation parameters for DPI bypass
+amneziawg_obfuscation:
+  jc: 30
+  jmin: 60
+  jmax: 120
+  s1: 55
+  s2: 155
+  h1: 1953034736
+  h2: 752945292
+  h3: 3945748733
+  h4: 1666444888
--- a/roles/amneziawg/handlers/main.yml
+++ b/roles/amneziawg/handlers/main.yml
@ -0,0 +1,5 @@
+---
+- name: restart amneziawg
+  systemd:
+    name: "awg-quick@{{ amneziawg_interface }}"
+    state: restarted
--- a/roles/amneziawg/tasks/main.yml
+++ b/roles/amneziawg/tasks/main.yml
@ -0,0 +1,114 @@
+---
+- name: Fix Ubuntu sources for DKMS (Ubuntu 24.04)
+  blockinfile:
+    path: /etc/apt/sources.list.d/ubuntu.sources
+    marker: "# {mark} ANSIBLE MANAGED - AmneziaWG DKMS"
+    block: |
+      Types: deb deb-src
+      URIs: http://archive.ubuntu.com/ubuntu/
+      Suites: noble noble-updates noble-backports
+      Components: main restricted universe multiverse
+      Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
+    create: yes
+  when: ansible_distribution == 'Ubuntu' and ansible_distribution_version == '24.04'
+
+- name: Install prerequisites for AmneziaWG
+  apt:
+    name:
+      - software-properties-common
+      - python3-launchpadlib
+      - gnupg2
+      - linux-headers-{{ ansible_kernel }}
+      - build-essential
+      - dkms
+    state: present
+    update_cache: yes
+
+- name: Add AmneziaWG PPA key
+  apt_key:
+    keyserver: keyserver.ubuntu.com
+    id: 57290828
+    state: present
+
+- name: Add AmneziaWG PPA repository
+  apt_repository:
+    repo: "deb https://ppa.launchpadcontent.net/amnezia/ppa/ubuntu {{ 'noble' if ansible_distribution_version == '24.04' else 'focal' }} main"
+    state: present
+
+- name: Add AmneziaWG PPA source repository  
+  apt_repository:
+    repo: "deb-src https://ppa.launchpadcontent.net/amnezia/ppa/ubuntu {{ 'noble' if ansible_distribution_version == '24.04' else 'focal' }} main"
+    state: present
+
+- name: Update apt cache and install AmneziaWG
+  apt:
+    name: amneziawg
+    state: present
+    update_cache: yes
+
+- name: Create AmneziaWG config directory
+  file:
+    path: "{{ amneziawg_config_path }}"
+    state: directory
+    mode: '0700'
+
+- name: Check if private key exists
+  stat:
+    path: "{{ amneziawg_private_key_path }}"
+  register: private_key_file
+
+- name: Generate private key if not exists
+  shell: awg genkey > {{ amneziawg_private_key_path }}
+  args:
+    creates: "{{ amneziawg_private_key_path }}"
+  when: not private_key_file.stat.exists
+
+- name: Set proper permissions on private key
+  file:
+    path: "{{ amneziawg_private_key_path }}"
+    mode: '0600'
+
+- name: Read private key
+  slurp:
+    src: "{{ amneziawg_private_key_path }}"
+  register: amneziawg_private_key
+
+- name: Generate public key
+  shell: echo "{{ amneziawg_private_key.content | b64decode | trim }}" | awg pubkey > {{ amneziawg_public_key_path }}
+  args:
+    creates: "{{ amneziawg_public_key_path }}"
+
+- name: Read public key
+  slurp:
+    src: "{{ amneziawg_public_key_path }}"
+  register: amneziawg_public_key
+
+- name: Create client configs directory
+  file:
+    path: "{{ amneziawg_clients_dir }}"
+    state: directory
+    mode: '0700'
+
+- name: Generate server config
+  template:
+    src: awg0.conf.j2
+    dest: "{{ amneziawg_config_path }}/{{ amneziawg_interface }}.conf"
+    mode: '0600'
+  notify: restart amneziawg
+  no_log: true
+
+- name: Generate client configs
+  template:
+    src: client.conf.j2
+    dest: "{{ amneziawg_clients_dir }}/{{ item.name }}.conf"
+    mode: '0600'
+  loop: "{{ amneziawg_peers }}"
+  notify: restart amneziawg
+  no_log: true
+  when: amneziawg_peers is defined
+
+- name: Enable and start AmneziaWG
+  systemd:
+    name: "awg-quick@{{ amneziawg_interface }}"
+    enabled: yes
+    state: started
--- a/roles/amneziawg/templates/awg0.conf.j2
+++ b/roles/amneziawg/templates/awg0.conf.j2
@ -0,0 +1,24 @@
+[Interface]
+PrivateKey = {{ amneziawg_private_key.content | b64decode | trim }}
+Address = {{ amneziawg_address }}
+ListenPort = {{ amneziawg_port }}
+
+# AmneziaWG obfuscation parameters
+Jc = {{ amneziawg_obfuscation.jc }}
+Jmin = {{ amneziawg_obfuscation.jmin }}
+Jmax = {{ amneziawg_obfuscation.jmax }}
+S1 = {{ amneziawg_obfuscation.s1 }}
+S2 = {{ amneziawg_obfuscation.s2 }}
+H1 = {{ amneziawg_obfuscation.h1 }}
+H2 = {{ amneziawg_obfuscation.h2 }}
+H3 = {{ amneziawg_obfuscation.h3 }}
+H4 = {{ amneziawg_obfuscation.h4 }}
+
+{% if amneziawg_peers is defined %}
+{% for peer in amneziawg_peers %}
+[Peer]
+PublicKey = {{ peer.public_key }}
+AllowedIPs = {{ peer.ip }}/32
+
+{% endfor %}
+{% endif %}
--- a/roles/amneziawg/templates/client.conf.j2
+++ b/roles/amneziawg/templates/client.conf.j2
@ -0,0 +1,21 @@
+[Interface]
+PrivateKey = {{ item.private_key }}
+Address = {{ item.ip }}/32
+DNS = 94.140.14.14, 94.140.15.15
+MTU = 1420
+
+[Peer]
+PublicKey = {{ amneziawg_public_key.content | b64decode | trim }}
+Endpoint = {{ ansible_default_ipv4.address }}:{{ amneziawg_port }}
+AllowedIPs = 0.0.0.0/0
+
+# AmneziaWG obfuscation parameters for DPI bypass
+Jc = {{ amneziawg_obfuscation.jc }}
+Jmin = {{ amneziawg_obfuscation.jmin }}
+Jmax = {{ amneziawg_obfuscation.jmax }}
+S1 = {{ amneziawg_obfuscation.s1 }}
+S2 = {{ amneziawg_obfuscation.s2 }}
+H1 = {{ amneziawg_obfuscation.h1 }}
+H2 = {{ amneziawg_obfuscation.h2 }}
+H3 = {{ amneziawg_obfuscation.h3 }}
+H4 = {{ amneziawg_obfuscation.h4 }}
--- a/roles/network/tasks/main.yml
+++ b/roles/network/tasks/main.yml
@ -42,6 +42,7 @@
    - "{{ vpn_subnets.ocserv_friends }}"
    - "{{ vpn_subnets.ocserv_personal }}"
    - "{{ vpn_subnets.wireguard }}"
+    - "{{ vpn_subnets.amneziawg }}"
  when: vpn_subnets.ocserv_friends is defined

 - name: Allow established connections
--- a/site.yml
+++ b/site.yml
@ -20,6 +20,7 @@
  roles:
    - base_system
    - wireguard
+    - amneziawg
    - certbot
    - haproxy
    - nginx
--- a/update_amneziawg_users.yml
+++ b/update_amneziawg_users.yml
@ -0,0 +1,8 @@
+---
+- name: Update AmneziaWG Users
+  hosts: vps
+  become: true
+  gather_facts: true
+
+  roles:
+    - amneziawg