Felix
c9e77f3c05
|
||
|---|---|---|
| defaults | ||
| tasks | ||
| templates | ||
| README.md | ||
| playbook-client.sample.yml | ||
| playbook-server.sample.yml | ||
README.md
WireGuard ansible role
More information on WireGuard: Arch Wiki: WireGuard.
This role assumes you run it via separte playbooks on client and server (ahem, sorry, "peers").
It also assumes a Ubuntu server and an Arch Linux client. Should be easy to
substitute the appropriate calls to pacman with apt.
Assumptions about the network:
| Peer | Domain | Port | Address inside wg network | Interface |
|---|---|---|---|---|
| Server | example.org | 51820 | 10.0.0.1 | eth0 |
| Client | (dynamic) | 51820 | 10.0.0.2 | wlan0 |
See defaults.yml and adjust accordingly in your playbook or server vars.
Shared settings
Pre-shared key
wg genpsk > client-server.psk
Goes into wg_client_server_pre_shared_key
Server
Key setup
Private key
(umask 0077; wg genkey > server.key)
Goes into wg_server_private_key
Public key
wg pubkey < server.key > server.pub
Goes into wg_server_public_key
Running role on server
$ ansible-playbook playbook-server.yml --tags wg-server
Verify the interface is up by checking output of wg.
This should be taken care of by the role, but set just to be sure:
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1
Starting up
The role will set up the server to auto-start the WireGuard connection.
For more info, from the wiki:
The interface may be brought up using
wg-quick up wg0respectively by starting and potentially enabling the interface viawg-quick@interface.service, e.g.wg-quick@wg0.service. To close the interface usewg-quick down wg0(respectively stoppingwg-quick@interface.service).
Client
Key setup
Note: Keys must be pasted literally, not as file paths!
Private key
(umask 0077; wg genkey > client.key)
Goes into wg_client_private_key
Public key
wg pubkey < client.key > client.pub
Goes into wg_client_public_key
Running role on client
The following will ask for you sudo password since it needs to install
packages and set up /etc/wireguard/wg0.conf.
$ ansible-playbook playbook-client.yml --tags wg-client
This will configure everything accordingly and set up the WireGuard connection
via wg-quick.
Non-default stuff
If, however, you want to have the integration into NetworkManager (or
something else), stop and disable the wg-quick service:
$ systemctl stop wg-quick@wg0
$ systemctl disable wg-quick@wg0
NetworkManager
$ [sudo] nmcli connection import type wireguard file /etc/wireguard/wg0.conf
This will create a WireGuard tunnel that auto-connects. You can view the
imported config at /etc/NetworkManager/system-connections/wg0.nmconnection
Closing connection:
nmcli connection down wg0
Bringing connection up again:
nmcli connection up wg0
Deleting connection:
nmcli connection delete wg0
Disable auto-connect:
nmcli connection modify wg0 autoconnect no
More info: WireGuard in NetworkManager
Stop touching /etc/resolv.conf
To stop NetworkManager from touching /etc/resolv.conf, set main.dns=none with a configuration file in /etc/NetworkManager/conf.d/:
# /etc/NetworkManager/conf.d/dns.conf
[main]
dns=none
Use systemd-resolved instead:
$ pacman -S systemd-resolvconf
$ systemctl enable --now systemd-resolved
$ ln -sf /etc/resolv.conf /run/systemd/resolve/stub-resolv.conf
# /etc/NetworkManager/conf.d/systemd-resolved.conf
[main]
dns=systemd-resolved