Reputation: 14276
I was wondering if it were possible to tell Ansible to set up a VPN connection before executing the rest of the playbook. I've googled around, but haven't seen much on this.
Upvotes: 8
Views: 5489
Reputation: 166687
If you're using Amazon Web Services, check out the ec2_vpc_vpn module, which can create, modify, and delete VPN connections. It uses the boto3/botocore library.
For example:
- name: create a VPN connection
  ec2_vpc_vpn:
    state: present
    vpn_gateway_id: vgw-XXXXXXXX
    customer_gateway_id: cgw-XXXXXXXX
- name: delete a connection
  ec2_vpc_vpn:
    vpn_connection_id: vpn-XXXXXXXX
    state: absent
For other cloud services, check the list of Ansible Cloud Modules.
Upvotes: 0
Reputation: 166687
Check How To Use Ansible and Tinc VPN to Secure Your Server Infrastructure.
Basically, you need to install the thisismitch/ansible-tinc playbook and create a hosts inventory file with the nodes that you want to include in the VPN, for example:
[vpn]
prod01 vpn_ip=10.0.0.1 ansible_host=162.243.125.98
prod02 vpn_ip=10.0.0.2 ansible_host=162.243.243.235
prod03 vpn_ip=10.0.0.3 ansible_host=162.243.249.86
prod04 vpn_ip=10.0.0.4 ansible_host=162.243.252.151
[removevpn]
Then you should review the contents of the /group_vars/all file, such as:
---
netname: nyc3
physical_ip: "{{ ansible_eth1.ipv4.address }}"
vpn_interface: tun0
vpn_netmask: 255.255.255.0
vpn_subnet_cidr_netmask: 32
where:
physical_ip is the IP address which you want tinc to bind to;
vpn_netmask is the netmask that will be applied to the VPN interface.
Upvotes: 0
Reputation: 1542
You could combine a local playbook to set up a VPN and a playbook to run your tasks against a server.
Depending on what the job is, you can use Ansible or a shell script to connect the VPN. Maybe there should be another playbook to disconnect afterwards.
As a result, you will have three playbooks and one to combine them via include:
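# import_playbook replaces the playbook-level include, which current Ansible releases no longer accept
- import_playbook: connect_vpn.yml
- import_playbook: do_stuff.yml
- import_playbook: disconnect_vpn.yml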
Upvotes: 6
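An added example (not part of any answer above) of the shell-script variant of the connect, run, disconnect sequence: the wrapper refuses to run the playbook if the tunnel did not come up, and tears the tunnel down whether the playbook succeeds or fails, which a chain of three playbooks does not do when the middle one aborts. The function name run_over_vpn, the VPN_UP/VPN_DOWN variables, and the use of WireGuard's wg-quick with an interface called wg0 are assumptions.

```sh
#!/bin/sh
# Added example: run a command (e.g. ansible-playbook) only while a VPN is up.
# Assumptions, not from the thread: WireGuard's wg-quick and interface wg0.
# Override VPN_UP / VPN_DOWN for another client; wg-quick normally needs root.

VPN_UP="${VPN_UP:-wg-quick up wg0}"
VPN_DOWN="${VPN_DOWN:-wg-quick down wg0}"

# run_over_vpn CMD [ARGS...]
#   1. Brings the tunnel up; if that fails, CMD is never started, so nothing
#      is attempted outside the tunnel. Returns 1 in that case.
#   2. Runs CMD and remembers its exit status.
#   3. Tears the tunnel down whether CMD succeeded or failed.
#   Returns CMD's exit status so CI or cron can still see playbook failures.
run_over_vpn() {
    # VPN_UP/VPN_DOWN are deliberately unquoted so "cmd arg arg" is split.
    if ! $VPN_UP; then
        echo "VPN connect failed; not running: $*" >&2
        return 1
    fi

    _rc=0
    "$@" || _rc=$?

    if ! $VPN_DOWN; then
        echo "WARNING: VPN teardown failed; tunnel may still be up" >&2
    fi
    return "$_rc"
}

# Typical call, using the playbook name from the answer above:
#   run_over_vpn ansible-playbook -i hosts do_stuff.yml
```
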