Infra_mgmt/roles/wireguard/README.adoc


Wireguard setup

Wireguard setup role. This role extends this codebase to my needs. It is a bit simpler and adds more idempotence, e.g. when replaying the role to add another client to the server.

Requirements

This role was written for Debian (tested on >=11) and requires root privileges. It also requires several collections to be installed on your Ansible host that you won't necessarily have, depending on your Ansible installation:

  • ansible.posix

  • community.general (iptables_save module)

  • ansible.utils (network filters)

  • netaddr (python package)

Role Variables

Variables can be found in the default vars file.

wireguard_dir: /etc/wireguard
wireguard_clients_dir: "{{ wireguard_dir }}/clients"
wireguard_clients_download_dir: clients/
wireguard_download_clients: false
wireguard_serverkeys_download_dir: server/
wireguard_download_serverkeys: false

Defines the basic directory layout used to store Wireguard files. wireguard_download_clients and wireguard_download_serverkeys can optionally be set to true in order to download the client keys and the server keys, respectively, from the target host.

wireguard_restore_serverkeys_dir: ""

Use this variable if you want to use pre-existing keys from a directory to bootstrap Wireguard. Must end with '/'.

wireguard_packages:
- wireguard

List of packages to install.

wireguard_port: 51810

Port on which Wireguard will listen.

wireguard_hostname: "{{ inventory_hostname }}"

Hostname the client will use to connect to the server.

wireguard_interface: wg0

Name of the Wireguard interface that will be created on the server.

nat_out_interface: eth0

Interface on the server to which VPN traffic will be NATed.

wireguard_address: 10.213.213.0/24

Subnet definition for the VPN network.

wireguard_keepalive: 25

Use this if you want to specify a persistent keepalive value (in seconds). See this for more information on keepalive.

wireguard_peers: []

List of peers (clients) you want to create. You can define a specific name, address, allowed IPs, DNS and keepalive for each peer. See the playbook below for an example.

filter_forward: false
other_interface:

Set filter_forward to true and specify an interface name for other_interface if you want to drop packets forwarded from wireguard_interface to that interface.

Dependencies

None.

Example Playbook

- name: Deploy Wireguard
  hosts: wireguard_hosts
  become: true
  vars:
    wireguard_hostname: "mywireguard.server.com"
    wireguard_address: 10.10.10.0/24
    wireguard_peers:
      - name: client_001
        allowed_ip: "0.0.0.0/0, ::/0"
        address: "10.10.10.2"
      - name: client_002
        allowed_ip: "0.0.0.0/0, ::/0"
        address: "10.10.10.3"
  roles:
    - wireguard
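As an added example that is not part of the role, the following script checks the variables described above before the playbook is run: every peer address must be a usable client address inside wireguard_address, names and addresses must be unique, allowed_ip entries must parse as CIDRs, the port must be valid and wireguard_restore_serverkeys_dir must end with '/'. It assumes the server takes the first usable address of the subnet (the role does not state this) and uses only the Python standard library instead of netaddr.

```python
"""Pre-flight validation of the wireguard role variables (added example, not the role's code)."""
import ipaddress

# Constructed sample mirroring the example playbook above.
ROLE_VARS = {
    "wireguard_address": "10.10.10.0/24",
    "wireguard_port": 51810,
    "wireguard_restore_serverkeys_dir": "",
    "wireguard_peers": [
        {"name": "client_001", "allowed_ip": "0.0.0.0/0, ::/0", "address": "10.10.10.2"},
        {"name": "client_002", "allowed_ip": "0.0.0.0/0, ::/0", "address": "10.10.10.3"},
    ],
}


def check_vars(v):
    """Return a list of human-readable problems; an empty list means the vars are consistent."""
    problems = []
    net = ipaddress.ip_network(v["wireguard_address"], strict=False)
    # Assumption: the server itself takes the first usable address of the subnet.
    server_ip = net.network_address + 1
    if not 1 <= int(v["wireguard_port"]) <= 65535:
        problems.append(f"wireguard_port {v['wireguard_port']} out of range")
    restore = v.get("wireguard_restore_serverkeys_dir", "")
    if restore and not restore.endswith("/"):
        problems.append("wireguard_restore_serverkeys_dir must end with '/'")
    seen_names, seen_addrs = set(), set()
    for peer in v.get("wireguard_peers", []):
        name = peer.get("name")
        if not name or name in seen_names:
            problems.append(f"peer name missing or duplicated: {name!r}")
        seen_names.add(name)
        try:
            addr = ipaddress.ip_address(peer["address"])
        except (KeyError, ValueError):
            problems.append(f"{name}: address missing or invalid")
            continue
        # Reject addresses outside the VPN subnet, the network/broadcast addresses and the server's own.
        if addr not in net or addr in (net.network_address, net.broadcast_address, server_ip):
            problems.append(f"{name}: address {addr} not a usable client address in {net}")
        if addr in seen_addrs:
            problems.append(f"{name}: address {addr} already assigned")
        seen_addrs.add(addr)
        # allowed_ip is a comma-separated list of CIDRs, exactly as in the playbook.
        for cidr in str(peer.get("allowed_ip", "")).split(","):
            try:
                ipaddress.ip_network(cidr.strip(), strict=False)
            except ValueError:
                problems.append(f"{name}: allowed_ip entry {cidr.strip()!r} is not a CIDR")
    return problems


if __name__ == "__main__":
    for p in check_vars(ROLE_VARS):
        print("ERROR:", p)
```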

License

BSD-3

Author Information

Role created by syrell.