Small ansible role to configure WireGuard on Client+Server (Arch/Ubuntu)
Felix c9e77f3c05 README: Add disable-autoconnect section 3 months ago

README.md

WireGuard ansible role

More information on WireGuard: Arch Wiki: WireGuard.

This role assumes you run it via separate playbooks on client and server (ahem, sorry, "peers").

It also assumes an Ubuntu server and an Arch Linux client. It should be easy to substitute the appropriate calls to pacman with apt.

Assumptions about the network:

| Peer   | Domain      | Port  | Address inside wg network | Interface |
|--------|-------------|-------|---------------------------|-----------|
| Server | example.org | 51820 | 10.0.0.1                  | eth0      |
| Client | (dynamic)   | 51820 | 10.0.0.2                  | wlan0     |

See defaults.yml and adjust accordingly in your playbook or server vars.

Shared settings

Pre-shared key

wg genpsk > client-server.psk

Goes into wg_client_server_pre_shared_key

Server

Specific use-case: VPN server

Key setup

Private key

(umask 0077; wg genkey > server.key)

Goes into wg_server_private_key

Public key

wg pubkey < server.key > server.pub

Goes into wg_server_public_key

Running role on server

$ ansible-playbook playbook-server.yml --tags wg-server

Verify the interface is up by checking output of wg.

This should be taken care of by the role, but set just to be sure (sysctl -w only changes the running kernel; to keep the setting across reboots, put it in a file under /etc/sysctl.d/):

sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1

Starting up

The role will set up the server to auto-start the WireGuard connection.

For more info, from the wiki:

The interface may be brought up using wg-quick up wg0 respectively by starting and potentially enabling the interface via wg-quick@interface.service, e.g. wg-quick@wg0.service. To close the interface use wg-quick down wg0 (respectively stopping wg-quick@interface.service).

Client

Key setup

Note: Keys must be pasted literally, not as file paths!

Private key

(umask 0077; wg genkey > client.key)

Goes into wg_client_private_key

Public key

wg pubkey < client.key > client.pub

Goes into wg_client_public_key
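Because the role expects literal keys in wg_client_private_key, wg_client_public_key, wg_server_private_key, wg_server_public_key and wg_client_server_pre_shared_key, a pre-flight check catches the common mistake of pasting a file path instead. The following helper is an added example, not part of the role: it checks that each value is the canonical base64 form of a 32-byte WireGuard key (42 base64 characters, one character whose low two bits are zero, then '='), which is exactly what wg itself accepts.

```shell
# Added example (not part of the role): make sure the wg_* variables hold
# literal keys, not paths to key files.
# Curve25519 keys and preshared keys are 32 bytes; their canonical base64
# form is 42 arbitrary base64 chars, one char with zero padding bits, '='.
wg_key_ok() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Check role variables given as NAME=VALUE arguments.
# Prints the first offender to stderr and returns 1; returns 0 if all are keys.
check_wg_vars() {
    for kv in "$@"; do
        name=${kv%%=*}
        value=${kv#*=}
        if ! wg_key_ok "$value"; then
            printf 'bad key in %s: %s (paste the key, not the file path)\n' \
                "$name" "$value" >&2
            return 1
        fi
    done
    return 0
}

# Read a key file generated with "wg genkey"/"wg genpsk" and print its
# content, so the literal key (never the path) ends up in the playbook vars.
load_key_file() {
    key=$(cat -- "$1") || return 1
    wg_key_ok "$key" || { printf '%s does not contain a key\n' "$1" >&2; return 1; }
    printf '%s\n' "$key"
}
```

Typical use before running the playbook: `check_wg_vars "wg_client_private_key=$(load_key_file client.key)" "wg_client_server_pre_shared_key=$(load_key_file client-server.psk)"`.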

Running role on client

The following will ask for your sudo password, since it needs to install packages and set up /etc/wireguard/wg0.conf.

$ ansible-playbook playbook-client.yml --tags wg-client

This will configure everything accordingly and set up the WireGuard connection via wg-quick.

Non-default stuff

If, however, you want NetworkManager (or something else) to manage the interface instead, stop and disable the wg-quick service first:

$ systemctl stop wg-quick@wg0
$ systemctl disable wg-quick@wg0

NetworkManager

$ [sudo] nmcli connection import type wireguard file /etc/wireguard/wg0.conf

This will create a WireGuard tunnel that auto-connects. You can view the imported config at /etc/NetworkManager/system-connections/wg0.nmconnection

Closing connection:

nmcli connection down wg0

Bringing connection up again:

nmcli connection up wg0

Deleting connection:

nmcli connection delete wg0

Disable auto-connect:

nmcli connection modify wg0 autoconnect no

More info: WireGuard in NetworkManager

Stop touching /etc/resolv.conf

To stop NetworkManager from touching /etc/resolv.conf, set main.dns=none with a configuration file in /etc/NetworkManager/conf.d/:

# /etc/NetworkManager/conf.d/dns.conf
[main]
dns=none

Use systemd-resolved instead (the symlink must point /etc/resolv.conf at the resolved stub file, i.e. target first, link name second):

$ pacman -S systemd-resolvconf
$ systemctl enable --now systemd-resolved
$ ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

# /etc/NetworkManager/conf.d/systemd-resolved.conf
[main]
dns=systemd-resolved