/infra-vpn

Automation for WireGuard VPN tunnels


Setting up VPN servers

Provision any number of machines based on Debian 11 and create/update hosts.cfg (the Ansible inventory) accordingly, e.g.:

[vpn]
vpn-01 ansible_host=42.0.0.1

The default WireGuard listening port of this setup is 10000 (WireGuard's own convention is 51820). The port can be customized per machine; whichever port is chosen has to be reachable over UDP from the clients:

[vpn]
vpn-01 ansible_host=42.0.0.1 wireguard_port=12345

After that, run:

ansible-playbook playbook.yml

Setting up VPN clients

Set up any number of WireGuard clients, each with a unique tunnel IP and its own key pair, and create/update wireguard.yml, e.g.:

---
wireguard_peers:
  client-01:
    host: 10.0.0.2
    pubkey: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

In some cases (e.g. on Android), it is convenient to import WireGuard configurations with the private key included. For that, the private key can also be specified; it is then injected into the generated tunnel configuration file. Note that this stores the client's private key in plaintext in wireguard.yml, so keep that file out of version control or encrypt it, e.g. with ansible-vault:

---
wireguard_peers:
  client-01:
    host: 10.0.0.2
    privkey: QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ=
    pubkey: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

After that, run:

ansible-playbook playbook.yml --tags wireguard

Once the playbook finishes, the VPN tunnel configurations for every client are exported under configs/, one file per client and server, e.g. configs/client-01/wg-vpn-01.conf for the infrastructure described above. If no privkey was given for a client, the exported file does not contain its private key and the key has to be added on the client side.
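A consistency check for the wireguard_peers mapping, written in Python as an added example (it is not part of the infra-vpn project): it verifies that every peer has a unique tunnel IP inside the tunnel network, that keys are well-formed base64 values of 32 bytes, and, where a privkey is given, that the pubkey really belongs to it. The derivation is the same as `wg pubkey` (X25519 base-point multiplication, RFC 7748), implemented in pure Python so the check runs on a machine without the WireGuard tools. The tunnel network 10.0.0.0/24, the server address 10.0.0.1 and the sample peers are assumptions; the sample key pair is the RFC 7748 test vector, not a deployment key.

```python
# Added example, not part of infra-vpn: check a wireguard_peers mapping before
# running the playbook. Assumed, not taken from the project: the tunnel network
# is 10.0.0.0/24 and the server itself uses 10.0.0.1.
import base64
import ipaddress

P = 2**255 - 19        # Curve25519 field prime
A24 = 121665           # (486662 - 2) / 4
BASE_U = 9             # u-coordinate of the generator
TUNNEL_NET = ipaddress.ip_network("10.0.0.0/24")  # assumption
SERVER_ADDR = ipaddress.ip_address("10.0.0.1")    # assumption

def _clamp(raw: bytes) -> int:
    """Decode a 32-byte scalar as RFC 7748 does (wg genkey output is already clamped)."""
    b = bytearray(raw)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")

def _x25519(k: int, u: int) -> int:
    """Montgomery ladder from RFC 7748 section 5 (not constant-time; fine for an offline check)."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P

def decode_key(b64: str) -> bytes:
    """A WireGuard key is base64 of exactly 32 bytes."""
    raw = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    if len(raw) != 32:
        raise ValueError("key decodes to %d bytes, expected 32" % len(raw))
    return raw

def derive_pubkey(privkey_b64: str) -> str:
    """Same result as `wg pubkey`: scalar multiplication of the base point."""
    u = _x25519(_clamp(decode_key(privkey_b64)), BASE_U)
    return base64.b64encode(u.to_bytes(32, "little")).decode()

def validate_peers(peers: dict) -> list:
    """Return the problems found in a wireguard_peers mapping (empty list if clean)."""
    problems, hosts, keys = [], {}, {}
    for name, peer in peers.items():
        host, pub, priv = peer.get("host"), peer.get("pubkey"), peer.get("privkey")
        if host is None or pub is None:
            problems.append(f"{name}: 'host' and 'pubkey' are both required")
        try:
            addr = ipaddress.ip_address(host) if host is not None else None
        except ValueError:
            problems.append(f"{name}: host {host!r} is not an IP address")
            addr = None
        if addr is not None:
            if addr not in TUNNEL_NET.hosts():   # excludes network and broadcast address
                problems.append(f"{name}: host {addr} is not a usable address in {TUNNEL_NET}")
            elif addr == SERVER_ADDR:
                problems.append(f"{name}: host {addr} is the server's address")
            if addr in hosts:
                problems.append(f"{name}: host {addr} already used by {hosts[addr]}")
            hosts.setdefault(addr, name)
        if pub is not None:
            try:
                decode_key(pub)
                if pub in keys:
                    problems.append(f"{name}: pubkey already used by {keys[pub]}")
                keys.setdefault(pub, name)
            except ValueError as exc:
                problems.append(f"{name}: bad pubkey ({exc})")
        if priv is not None:
            try:
                if pub is not None and derive_pubkey(priv) != pub:
                    problems.append(f"{name}: pubkey does not belong to the given privkey")
            except ValueError as exc:
                problems.append(f"{name}: bad privkey ({exc})")
    return problems

# Constructed sample mirroring wireguard.yml. The client-01 key pair and the
# client-02 public key are the RFC 7748 section 6.1 test vectors, not real keys.
def _b64(hexstr: str) -> str:
    return base64.b64encode(bytes.fromhex(hexstr)).decode()

ALICE_PRIV = _b64("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = _b64("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PUB = _b64("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SAMPLE_PEERS = {
    "client-01": {"host": "10.0.0.2", "privkey": ALICE_PRIV, "pubkey": ALICE_PUB},
    "client-02": {"host": "10.0.0.3", "pubkey": BOB_PUB},
}
```

Run validate_peers on the wireguard_peers mapping loaded from wireguard.yml (e.g. with PyYAML) before running the playbook. A pubkey that does not match the privkey next to it is otherwise easy to miss: the playbook accepts it, the tunnel comes up on both sides, and no handshake ever completes.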

License

0-clause BSD