Initial commit

main.tf

@@ -0,0 +1,29 @@
+# Create a new SSH key
+resource "digitalocean_ssh_key" "default" {
+  name       = "Terraform Example"
+  public_key = file("~/.ssh/id_rsa.pub")
+}
+
+# Create a new Web Droplet in the nyc2 region
+resource "digitalocean_droplet" "web" {
+  image    = "ubuntu-22-04-x64"
+  name     = "wireguard"
+  region   = "nyc1"
+  size     = "s-2vcpu-4gb"
+  ssh_keys = [digitalocean_ssh_key.default.fingerprint]
+  user_data = file("setup.sh")
+  connection {
+    host = digitalocean_droplet.web.ipv4_address
+    type = "ssh"
+    user = "root"
+    private_key = "${file("~/.ssh/id_rsa.pem")}"
+  }
+
+  provisioner "remote-exec" {
+    inline = [ "cat /root/wireguard-config/client-config.conf" ]
+  }
+}
+
+output "droplet_output" {
+  value = digitalocean_droplet.web.ipv4_address
+}

setup.sh

@@ -0,0 +1,61 @@
+#!/bin/bash
+apt update
+
+# Install wireguard
+apt install -y wireguard
+
+LISTENPORT=51820
+umask 077
+# Generate public and private key
+mkdir /root/wireguard-conf
+cd /root/wireguard-conf
+
+wg genkey > privatekey
+wg pubkey < privatekey > publickey
+mkdir client
+
+wg genkey > client/privatekey
+wg pubkey < client/privatekey > client/publickey
+
+
+echo "[Interface]
+Address = 10.66.66.1/24,fd42:42:42::1/64
+ListenPort = $LISTENPORT
+PrivateKey = $(cat privatekey)
+
+### Client mike-home
+[Peer]
+PublicKey = $(cat client/publickey)
+AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128
+" > /etc/wireguard/do.conf
+
+wg-quick up do
+
+echo "[Interface]
+PrivateKey = $(cat client/privatekey)
+Address = 10.66.66.2/32,fd42:42:42::2/128
+DNS = 1.1.1.1,1.0.0.1
+
+[Peer]
+PublicKey = $(cat publickey)
+Endpoint = $(curl icanhazip.com):$LISTENPORT
+AllowedIPs = 0.0.0.0/0,::/0
+" > client-config.conf
+
+# Add iptables rules to forward internet traffic through this box
+# We are assuming our Wireguard interface is called do and our
+# primary public facing interface is called eth0.
+iptables -I INPUT -p udp --dport 51820 -j ACCEPT
+iptables -I FORWARD -i eth0 -o do -j ACCEPT
+iptables -I FORWARD -i do -j ACCEPT
+iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+ip6tables -I FORWARD -i do -j ACCEPT
+ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+
+# Enable routing on the server
+echo "net.ipv4.ip_forward = 1
+      net.ipv6.conf.all.forwarding = 1" >/etc/sysctl.d/wg.conf
+sysctl --system
+
+
+cat client-config.conf

terraform.tf

@@ -0,0 +1,13 @@
+terraform {
+  required_providers {
+    digitalocean = {
+      source  = "digitalocean/digitalocean"
+      version = "2.41.0"
+    }
+  }
+}
+
+provider "digitalocean" {
+  token = var.do_token
+}
+

variables.tf

@@ -0,0 +1,4 @@
+variable "do_token" {
+  type        = string
+  description = "Digital Ocean API token"
+}