Small ansible role to configure WireGuard on Client+Server (Arch/Ubuntu)
Felix c9e77f3c05
README: Add disable-autoconnect section
11 months ago

WireGuard ansible role

More information on WireGuard: Arch Wiki: WireGuard.

This role assumes you run it via separate playbooks on client and server (ahem, sorry, "peers").

It also assumes an Ubuntu server and an Arch Linux client. It should be easy to substitute the appropriate calls to pacman with apt.

Assumptions about the network:

Peer     Domain      Port    Address inside wg network    Interface
Server               51820                                eth0
Client   (dynamic)   51820                                wlan0

See defaults.yml and adjust accordingly in your playbook or server vars.

Shared settings

Pre-shared key

wg genpsk > client-server.psk

Goes into wg_client_server_pre_shared_key


Specific use-case: VPN server

Key setup

Private key

(umask 0077; wg genkey > server.key)

Goes into wg_server_private_key

Public key

wg pubkey < server.key >

Goes into wg_server_public_key

Running role on server

$ ansible-playbook playbook-server.yml --tags wg-server

Verify the interface is up by checking the output of wg.

This should be taken care of by the role, but set it just to be sure (sysctl -w applies immediately and does not persist across reboots; the role writes the persistent setting):

sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1

Starting up

The role will set up the server to auto-start the WireGuard connection.

For more info, from the wiki:

The interface may be brought up using wg-quick up wg0 respectively by starting and potentially enabling the interface via wg-quick@interface.service, e.g. wg-quick@wg0.service. To close the interface use wg-quick down wg0 (respectively stopping wg-quick@interface.service).


Specific use-case: VPN client

Key setup

Note: Keys must be pasted literally, not as file paths!

Private key

(umask 0077; wg genkey > client.key)

Goes into wg_client_private_key

Public key

wg pubkey < client.key >

Goes into wg_client_public_key
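The key generation for both peers and the "paste the key, not the path" rule, as an added shell script that is not part of the role; the keys/ directory, the file names and the wg-vars.yml output are assumptions, and only the wg_* variable names come from the README.

```shell
#!/bin/sh
# Added example, not part of the role: generate the key material the README's
# variables expect and sanity-check key strings before pasting them into vars.
# The role wants the literal base64 keys, never the file paths.

# Returns 0 if $1 looks like a WireGuard key: base64 alphabet only, 44 chars,
# decoding to exactly 32 bytes. A pasted path such as "server.key" fails on
# the '.' and the length, catching the mistake the README warns about.
wg_key_valid() {
    key=$1
    case $key in
        *[!A-Za-z0-9+/=]*) return 1 ;;       # not base64, e.g. a file path
    esac
    [ ${#key} -eq 44 ] || return 1
    n=$(( $(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c) ))
    [ "$n" -eq 32 ]
}

# Generate server/client keypairs plus the PSK under $1 (assumed directory
# name) and write wg-vars.yml with the literal strings the role variables
# expect. Needs wg from wireguard-tools. The body runs in a subshell so the
# umask 0077 (owner-only key files) does not leak into the caller's shell.
wg_make_vars() (
    dir=$1
    command -v wg >/dev/null 2>&1 || { echo "wg not installed" >&2; exit 1; }
    umask 0077
    mkdir -p "$dir"
    for peer in server client; do
        wg genkey > "$dir/$peer.key"
        wg pubkey < "$dir/$peer.key" > "$dir/$peer.pub"
    done
    wg genpsk > "$dir/client-server.psk"
    for f in server.key server.pub client.key client.pub client-server.psk; do
        wg_key_valid "$(cat "$dir/$f")" || { echo "bad key in $f" >&2; exit 1; }
    done
    {
        echo "wg_server_private_key: $(cat "$dir/server.key")"
        echo "wg_server_public_key: $(cat "$dir/server.pub")"
        echo "wg_client_private_key: $(cat "$dir/client.key")"
        echo "wg_client_public_key: $(cat "$dir/client.pub")"
        echo "wg_client_server_pre_shared_key: $(cat "$dir/client-server.psk")"
    } > "$dir/wg-vars.yml"
    echo "$dir/wg-vars.yml"                   # include this file as vars
)

# Usage: sh wg-keys.sh keys/   (wg-keys.sh is an assumed file name)
if [ "$#" -gt 0 ]; then wg_make_vars "$1"; fi
```

The vars file holds private keys, so keep it out of version control or encrypt it with ansible-vault before committing.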

Running role on client

The following will ask for your sudo password since it needs to install packages and set up /etc/wireguard/wg0.conf.

$ ansible-playbook playbook-client.yml --tags wg-client

This will configure everything accordingly and set up the WireGuard connection via wg-quick.

Non-default stuff

If, however, you want to have the integration into NetworkManager (or something else), stop and disable the wg-quick service:

$ systemctl stop wg-quick@wg0
$ systemctl disable wg-quick@wg0


$ [sudo] nmcli connection import type wireguard file /etc/wireguard/wg0.conf

This will create a WireGuard tunnel that auto-connects. You can view the imported config at /etc/NetworkManager/system-connections/wg0.nmconnection

Closing connection:

nmcli connection down wg0

Bringing connection up again:

nmcli connection up wg0

Deleting connection:

nmcli connection delete wg0

Disable auto-connect:

nmcli connection modify wg0 autoconnect no

More info: WireGuard in NetworkManager

Stop touching /etc/resolv.conf

To stop NetworkManager from touching /etc/resolv.conf, set main.dns=none with a configuration file in /etc/NetworkManager/conf.d/:

# /etc/NetworkManager/conf.d/dns.conf
[main]
dns=none

Use systemd-resolved instead:

$ pacman -S systemd-resolvconf
$ systemctl enable --now systemd-resolved
# ln -sf TARGET LINK_NAME: /etc/resolv.conf becomes a symlink to the resolved stub file
$ ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
# /etc/NetworkManager/conf.d/systemd-resolved.conf
[main]
dns=systemd-resolved