Ansible role to install and configure WireGuard.

A lot of roles set up the tunnel by using `wg-quick`. That is fine in most cases, but sometimes some of the automatic behaviours of `wg-quick` are not wanted. This role allows setting up a tunnel with `wg-quick`, with `systemd-networkd`, or by just generating a WireGuard configuration that can be loaded with `wg`.
For distributions that do not provide WireGuard packages in their official repositories, the correct repositories need to be set up before using this role.
Declare the WireGuard profiles in `wireguard_profiles`:

```yaml
wireguard_profiles:
  # Tunnel interface name
  tunnel_name:
    # How to set up the tunnel. Possible values are:
    #   wg-quick: using wg-quick
    #   systemd-networkd: generate a .netdev file to create the tunnel
    #   wireguard-conf: generate a wireguard configuration that can be used with `wg`
    method:
    # MTU, in bytes. Used by wg-quick and systemd-networkd. Optional
    mtu:
    # Listen port. Optional
    listen_port:
    private_key:
    fwmark:
    # String to dump at the end of the .netdev or configuration file, depending
    # on the method. Can be used to add additional options.
    additional_opts:
    ## Used by wg-quick only ##
    # Whether to enable the tunnel
    enable: True
    # Addresses to set on the tunnel interface. Optional
    addresses: []
    # DNS addresses to use. Optional
    dns: []
    # Route table to use. Optional
    table:
    # Post up script. Optional
    post_up:
    # Post down script. Optional
    post_down:
    ###########################
    peers:
      # Description of the peer. Used only to comment the config. Optional
      - comment:
        public_key:
        preshared_key:
        allowed_ips: []
        # Endpoint address
        endpoint:
        persistent_keepalive:
```
The `wg-quick` method will set up the tunnel, peers and addresses. If `systemd-networkd` is used, only a `.netdev` is created, and the user is free to create their own `.network` to attach addresses to it. `wireguard-conf` will just generate a configuration in `/etc/wireguard/` that can be used by `wg`.
```yaml
- hosts: wireguard_servers
  vars:
    wireguard_profiles:
      wg-test0:
        method: "wg-quick"
        enable: True
        listen_port: 51820
        private_key: "0FZwbRzUF1ZG2i4hqhr1+oJJAQ3NTJDZDhpX3c1Qz1g="
        addresses:
          - "192.0.2.0/31"
          - "2001:db8::/127"
        dns:
          - "192.0.2.1"
        peers:
          - comment: "Some client"
            public_key: "yEvY7Jm8hgWLE64ocDMpwvcE3MH27xac6u55I2R2tik="
            allowed_ips:
              - "192.0.2.1"
              - "2001:db8::1"
            endpoint: "203.0.113.5"
            persistent_keepalive: 25
      wg-test1:
        method: "wireguard-conf"
        enable: False
        listen_port: 51821
        private_key: "0FZwbRzUF1ZG2i4hqhr1+oJJAQ3NTJDZDhpX3c1Qz1g="
        peers:
          - comment: "Another client"
            public_key: "WLE64ocDMpwvcyEvY7Jm8hgE3MH27xac6u55I2R2tik="
            allowed_ips:
              - "192.0.2.3"
            endpoint: "203.0.113.9"
  roles:
    - role: Anthony25.wireguard
```
Then add the following lines to `/etc/network/interfaces` to set up the second interface (the `wireguard-conf` profile, which the role does not bring up itself):

```
auto wg-test1
iface wg-test1 inet static
    address 192.0.2.2
    netmask 255.255.255.254
    pre-up ip link add $IFACE type wireguard
    pre-up wg setconf $IFACE /etc/wireguard/$IFACE
    post-down ip link del $IFACE

iface wg-test1 inet6 static
    address 2001:db8::2
    netmask 127
```
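As an added example (not the role's own template), the following Python renders one `wireguard_profiles` entry into the `[Interface]`/`[Peer]` file that `wg setconf` reads, leaving out the keys that only `wg-quick` or `systemd-networkd` understand, since `wg` rejects them. The exact layout of the file the `wireguard-conf` method writes is an assumption; the profile keys and the sample values are taken from this README.

```python
import base64

# Keys interpreted only by wg-quick or systemd-networkd. `wg setconf` rejects
# them, so they are reported and left out of /etc/wireguard/<name>.
NOT_FOR_WG = {"enable", "addresses", "dns", "table", "post_up", "post_down", "mtu"}

def _is_key(value):
    """A WireGuard key is 32 raw bytes, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (ValueError, TypeError):
        return False

def render_wg_conf(profile):
    """Return (config_text, ignored_keys) for one wireguard_profiles entry."""
    if not _is_key(profile.get("private_key", "")):
        raise ValueError("private_key must be a base64-encoded 32-byte key")
    ignored = sorted(k for k in profile if k in NOT_FOR_WG)
    lines = ["[Interface]", f"PrivateKey = {profile['private_key']}"]
    for yaml_key, wg_key in (("listen_port", "ListenPort"), ("fwmark", "FwMark")):
        if profile.get(yaml_key):
            lines.append(f"{wg_key} = {profile[yaml_key]}")
    for peer in profile.get("peers", []):
        if not _is_key(peer.get("public_key", "")):
            raise ValueError("every peer needs a valid public_key")
        lines += [""] + ([f"# {peer['comment']}"] if peer.get("comment") else [])
        lines += ["[Peer]", f"PublicKey = {peer['public_key']}"]
        if peer.get("allowed_ips"):
            lines.append("AllowedIPs = " + ", ".join(peer["allowed_ips"]))
        for yaml_key, wg_key in (("preshared_key", "PresharedKey"),
                                 ("endpoint", "Endpoint"),
                                 ("persistent_keepalive", "PersistentKeepalive")):
            if peer.get(yaml_key):
                lines.append(f"{wg_key} = {peer[yaml_key]}")
    if profile.get("additional_opts"):  # dumped verbatim at the end, as documented
        lines += ["", str(profile["additional_opts"])]
    return "\n".join(lines) + "\n", ignored

# Constructed input: the wg-test0 profile from the example playbook, with
# method switched to "wireguard-conf" so its wg-quick-only keys are exercised.
SAMPLE_PROFILE = {
    "method": "wireguard-conf", "enable": True, "listen_port": 51820,
    "private_key": "0FZwbRzUF1ZG2i4hqhr1+oJJAQ3NTJDZDhpX3c1Qz1g=",
    "addresses": ["192.0.2.0/31", "2001:db8::/127"], "dns": ["192.0.2.1"],
    "peers": [{"comment": "Some client",
               "public_key": "yEvY7Jm8hgWLE64ocDMpwvcE3MH27xac6u55I2R2tik=",
               "allowed_ips": ["192.0.2.1", "2001:db8::1"],
               "endpoint": "203.0.113.5", "persistent_keepalive": 25}],
}
```

The file this produces holds the private key, so whatever writes it to `/etc/wireguard/` should create it root-owned with mode `0600`.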
Anthony Ruhier (Anthony25)

Tool under the BSD license. Do not hesitate to report bugs, ask me questions or send pull requests if you want to!