= Wireguard setup Wireguard setup role. This role extends https://github.com/lablabs/ansible-collection-wireguard/tree/main/roles/wireguard[this codebase] to my needs. It's a bit simpler and adds more idempotence, e.g. when replaying the role to add another client to the server. == Requirements This role was written for Debian (tested on >=11) and requires root privileges. It also requires to have several collections installed on your ansible host you won't necessarily have depending on your Ansible installation: - ansible.posix - community.general (iptables_save module) - ansible.utils (network filters) - netaddr (python package) == Role Variables Variables can be found in the link:./defaults/main.yml[default vars file]. [source,yaml] ---- wireguard_dir: /etc/wireguard wireguard_clients_dir: "{{ wireguard_dir }}/clients" wireguard_clients_download_dir: clients/ wireguard_download_clients: false wireguard_serverkeys_download_dir: server/ wireguard_download_serverkeys: false ---- Defines basic arborescence to store Wireguard files. `wireguard_download_clients` and `wireguard_download_serverkeys` can optionally set to true in order to download respectively clients and server's keys from the target host. [source,yaml] ---- wireguard_restore_serverkeys_dir: "" ---- Use this variable if you want to use pre-existing keys from a directory to bootstrap Wireguard. Must ends with '/'. [source,yaml] ---- wireguard_packages: - wireguard ---- List of packages to install. [source,yaml] ---- wireguard_port: 51810 ---- Port which Wireguard will listen to. [source,yaml] ---- wireguard_hostname: "{{ inventory_hostname }}" ---- Hostname the client will use to connect to the server. [source,yaml] ---- wireguard_interface: wg0 ---- Interface which will be mounted to the server. [source,yaml] ---- nat_out_interface: eth0 ---- Interface where the traffic will be NATed to on the server. [source,yaml] ---- wireguard_address: 10.213.213.0/24 ---- Subnet definition for the VPN network. [source,yaml] ---- wireguard_keepalive: 25 ---- Uses this if you wanna specify a keepalive value. See https://github.com/pirate/wireguard-docs#persistentkeepalive[this] for more information on keepalive. [source,yaml] ---- wireguard_peers: [] ---- Lits of peers (clients) you wanna create. You can define specific name, address, allowedIPs, DNS and keepalive for each peer. See playbook below for example. [source,yaml] ---- filter_forward: false other_interface: ---- Set `filter_forward` to true and specify an interface name for `other_interface` if you wanna drop packets from `wireguard_interface` to this interface. == Dependencies None. == Example Playbook [source,yaml] ---- - name: Deploy Wireguard hosts: wireguard_hosts become: true vars: wireguard_hostname: "mywireguard.server.com" wireguard_address: 10.10.10.0/24 wireguard_peers: - name: client_001 allowed_ip: "0.0.0.0/0, ::/0" address: "10.10.10.2" - name: client_002 allowed_ip: "0.0.0.0/0, ::/0" address: "10.10.10.3" roles: - wireguard ---- == License BSD-3 == Author Information Role created by https://git.syyrell.com/syrell[syrell].