134 lines
3.1 KiB
Plaintext
134 lines
3.1 KiB
Plaintext
= Wireguard setup
|
|
|
|
Wireguard setup role. This role extends https://github.com/lablabs/ansible-collection-wireguard/tree/main/roles/wireguard[this codebase] to my needs. It's a bit simpler and adds more idempotence, e.g. when replaying the role to add another client to the server.
|
|
|
|
== Requirements
|
|
|
|
This role was written for Debian (tested on >=11) and requires root privileges. It also requires to have several collections installed on your ansible host you won't necessarily have depending on your Ansible installation:
|
|
|
|
- ansible.posix
|
|
- community.general (iptables_save module)
|
|
- ansible.utils (network filters)
|
|
- netaddr (python package)
|
|
|
|
== Role Variables
|
|
|
|
Variables can be found in the link:./defaults/main.yml[default vars file].
|
|
|
|
[source,yaml]
|
|
----
|
|
wireguard_dir: /etc/wireguard
|
|
wireguard_clients_dir: "{{ wireguard_dir }}/clients"
|
|
wireguard_clients_download_dir: clients/
|
|
wireguard_download_clients: false
|
|
wireguard_serverkeys_download_dir: server/
|
|
wireguard_download_serverkeys: false
|
|
----
|
|
|
|
Defines basic arborescence to store Wireguard files. `wireguard_download_clients` and `wireguard_download_serverkeys` can optionally set to true in order to download respectively clients and server's keys from the target host.
|
|
|
|
[source,yaml]
|
|
----
|
|
wireguard_restore_serverkeys_dir: ""
|
|
----
|
|
|
|
Use this variable if you want to use pre-existing keys from a directory to bootstrap Wireguard. Must ends with '/'.
|
|
|
|
[source,yaml]
|
|
----
|
|
wireguard_packages:
|
|
- wireguard
|
|
----
|
|
|
|
List of packages to install.
|
|
|
|
[source,yaml]
|
|
----
|
|
wireguard_port: 51810
|
|
----
|
|
|
|
Port which Wireguard will listen to.
|
|
|
|
[source,yaml]
|
|
----
|
|
wireguard_hostname: "{{ inventory_hostname }}"
|
|
----
|
|
|
|
Hostname the client will use to connect to the server.
|
|
|
|
[source,yaml]
|
|
----
|
|
wireguard_interface: wg0
|
|
----
|
|
|
|
Interface which will be mounted to the server.
|
|
|
|
[source,yaml]
|
|
----
|
|
nat_out_interface: eth0
|
|
----
|
|
|
|
Interface where the traffic will be NATed to on the server.
|
|
|
|
[source,yaml]
|
|
----
|
|
wireguard_address: 10.213.213.0/24
|
|
----
|
|
|
|
Subnet definition for the VPN network.
|
|
|
|
[source,yaml]
|
|
----
|
|
wireguard_keepalive: 25
|
|
----
|
|
|
|
Uses this if you wanna specify a keepalive value. See https://github.com/pirate/wireguard-docs#persistentkeepalive[this] for more information on keepalive.
|
|
|
|
[source,yaml]
|
|
----
|
|
wireguard_peers: []
|
|
----
|
|
|
|
Lits of peers (clients) you wanna create. You can define specific name, address, allowedIPs, DNS and keepalive for each peer. See playbook below for example.
|
|
|
|
[source,yaml]
|
|
----
|
|
filter_forward: false
|
|
other_interface:
|
|
----
|
|
|
|
Set `filter_forward` to true and specify an interface name for `other_interface` if you wanna drop packets from `wireguard_interface` to this interface.
|
|
|
|
== Dependencies
|
|
|
|
None.
|
|
|
|
== Example Playbook
|
|
|
|
[source,yaml]
|
|
----
|
|
- name: Deploy Wireguard
|
|
hosts: wireguard_hosts
|
|
become: true
|
|
vars:
|
|
wireguard_hostname: "mywireguard.server.com"
|
|
wireguard_address: 10.10.10.0/24
|
|
wireguard_peers:
|
|
- name: client_001
|
|
allowed_ip: "0.0.0.0/0, ::/0"
|
|
address: "10.10.10.2"
|
|
- name: client_002
|
|
allowed_ip: "0.0.0.0/0, ::/0"
|
|
address: "10.10.10.3"
|
|
roles:
|
|
- wireguard
|
|
----
|
|
|
|
== License
|
|
|
|
BSD-3
|
|
|
|
== Author Information
|
|
|
|
Role created by https://git.syyrell.com/syrell[syrell].
|