WireGuard ansible role
More information on WireGuard: Arch Wiki: WireGuard.
This role assumes you run it via separate playbooks on client and server (ahem, sorry, "peers").
It also assumes an Ubuntu server and an Arch Linux client. It should be easy to
substitute the appropriate calls to pacman with apt (or the other way round).
Assumptions about the network:
Peer | Domain | Port | Address inside wg network | Interface |
---|---|---|---|---|
Server | example.org | 51820 | 10.0.0.1 | eth0 |
Client | (dynamic) | 51820 | 10.0.0.2 | wlan0 |
See defaults.yml and adjust accordingly in your playbook or host vars.
Shared settings
Pre-shared key
(umask 0077; wg genpsk > client-server.psk)
Goes into wg_client_server_pre_shared_key
The PSK is as sensitive as the private keys below: it is generated with a restrictive umask for the same reason, and all of these values belong in Ansible Vault (or another secret store), not in plaintext vars checked into git.
Server
Key setup
Private key
(umask 0077; wg genkey > server.key)
Goes into wg_server_private_key
Public key
wg pubkey < server.key > server.pub
Goes into wg_server_public_key
Running role on server
$ ansible-playbook playbook-server.yml --tags wg-server
Verify the interface is up by checking the output of wg (wg show wg0).
Note that an interface being up only means wg-quick loaded the config; a peer is actually reachable once the "latest handshake" line for it shows a recent time.
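A handshake check that goes beyond "the interface exists", as an added example (this is not part of the role). It parses the machine-readable `wg show <iface> dump` output: the first line describes the interface, every following line is one peer with its latest handshake as a unix timestamp (0 if there never was one). The function names, the 180 second default and the sample dump in the usage are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the role: report per-peer handshake state from
# `wg show <iface> dump` and fail if any peer has not handshaken recently.
#
# wg_peer_status DUMP NOW MAX_AGE
#   DUMP    : text from `wg show <iface> dump` (tab separated)
#   NOW     : current unix time (seconds)
#   MAX_AGE : seconds since the last handshake still considered healthy
# Prints "<peer-pubkey> ok|stale|never <age>" per peer and returns 0 only
# when every peer is "ok".
wg_peer_status() {
    printf '%s\n' "$1" | awk -F '\t' -v now="$2" -v max="$3" '
        # line 1 is the interface: private-key public-key listen-port fwmark
        NR == 1 { next }
        # peer lines: public-key preshared-key endpoint allowed-ips
        #             latest-handshake transfer-rx transfer-tx keepalive
        NF < 8 { next }
        {
            hs = $5 + 0
            if (hs == 0) { state = "never"; age = -1 }
            else {
                age = now - hs
                state = (age <= max) ? "ok" : "stale"
            }
            printf "%s %s %d\n", $1, state, age
            if (state != "ok") bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Live check against the running interface (default wg0, 3 minutes).
# WireGuard only handshakes when there is traffic, so send some first
# (e.g. ping the other end of the tunnel) or configure PersistentKeepalive;
# an idle peer looks "stale" without being broken.
wg_check() {
    wg_peer_status "$(wg show "${1:-wg0}" dump)" "$(date +%s)" "${2:-180}"
}
```

Run `wg_check wg0` as root on either peer after the playbook; a non-zero exit with a "never" line means the config loaded but the other side never answered (wrong public key, wrong PSK, firewall, or wrong Endpoint), which `wg show` alone does not make obvious.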
The role should take care of IP forwarding on the server, but set it just to be sure:
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1
Note that sysctl -w only changes the running kernel; to survive a reboot the same two keys have to be set in a file under /etc/sysctl.d/ as well.
Starting up
The role will set up the server to auto-start the WireGuard connection.
For more info, from the wiki:
The interface may be brought up using wg-quick up wg0, respectively by starting and potentially enabling the interface via wg-quick@interface.service, e.g. wg-quick@wg0.service. To close the interface use wg-quick down wg0 (respectively stopping wg-quick@interface.service).
Client
Key setup
Note: Keys must be pasted literally, not as file paths!
Private key
(umask 0077; wg genkey > client.key)
Goes into wg_client_private_key
Public key
wg pubkey < client.key > client.pub
Goes into wg_client_public_key
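The three key setup steps above (pre-shared key, server key pair, client key pair) as one script, added here as an example; it is not the role's own code. It generates everything with a 0077 umask, checks that a value really is a literal key and not a path (the note above), prints the role's variables as YAML, and renders both wg-quick configs so it is visible which key ends up on which peer. Assumptions: the addresses and port come from the network table above; the AllowedIPs, PersistentKeepalive and the file names are my choices, not the role's template.

```shell
#!/bin/sh
# Added example, not the role's own code: key generation, validation and
# config rendering for the server/client setup described in the README.

# A WireGuard key or PSK is 32 random bytes in canonical base64: 42 base64
# chars, one char whose low two bits are zero, then a single '=' pad.
wg_key_ok() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# The README warns keys must be pasted literally: reject paths, empty
# values and anything that does not look like a key before templating.
wg_var_ok() {
    case "$1" in
        */*|~*|'') return 1 ;;
    esac
    wg_key_ok "$1"
}

# Generate server key pair, client key pair and PSK into DIR, mode 0600.
# Needs the wg binary (wireguard-tools). File names are illustrative.
wg_gen_keys() {
    dir=${1:-.}
    command -v wg >/dev/null 2>&1 || { echo "wg not found" >&2; return 1; }
    (
        umask 0077
        mkdir -p "$dir"
        wg genkey > "$dir/server.key" && wg pubkey < "$dir/server.key" > "$dir/server.pub"
        wg genkey > "$dir/client.key" && wg pubkey < "$dir/client.key" > "$dir/client.pub"
        wg genpsk > "$dir/client-server.psk"
    )
}

# Print the role's variables as YAML with literal values. Save the output
# to a vars file and run `ansible-vault encrypt` on it; do not commit it.
wg_emit_vars() {
    dir=${1:-.}
    for pair in wg_server_private_key:server.key wg_server_public_key:server.pub \
                wg_client_private_key:client.key wg_client_public_key:client.pub \
                wg_client_server_pre_shared_key:client-server.psk; do
        var=${pair%%:*}; file=$dir/${pair#*:}
        val=$(cat "$file")
        wg_var_ok "$val" || { echo "$file: not a literal WireGuard key" >&2; return 1; }
        printf '%s: "%s"\n' "$var" "$val"
    done
}

# Server side: its own private key, the client's public key, the shared PSK.
# AllowedIPs is only the client's tunnel address (assumption, not the role's).
render_server_conf() {   # args: server_private client_public psk
    printf '[Interface]\nAddress = 10.0.0.1/24\nListenPort = 51820\nPrivateKey = %s\n\n' "$1"
    printf '[Peer]\nPublicKey = %s\nPresharedKey = %s\nAllowedIPs = 10.0.0.2/32\n' "$2" "$3"
}

# Client side: its own private key, the server's public key, the same PSK,
# plus the server Endpoint from the README table. Routing only the wg
# network and the keepalive are assumptions.
render_client_conf() {   # args: client_private server_public psk
    printf '[Interface]\nAddress = 10.0.0.2/24\nPrivateKey = %s\n\n' "$1"
    printf '[Peer]\nPublicKey = %s\nPresharedKey = %s\nEndpoint = example.org:51820\n' "$2" "$3"
    printf 'AllowedIPs = 10.0.0.0/24\nPersistentKeepalive = 25\n'
}

# Usage: sh wg-keys.sh gen [DIR]  -> generates keys and prints the vars
if [ "${1:-}" = gen ]; then
    wg_gen_keys "${2:-.}" && wg_emit_vars "${2:-.}"
fi
```

Point to note: the only value that appears in both rendered files is the PSK; each peer holds its own private key and the other side's public key, so a config with the same PrivateKey on both ends, or a path instead of a key, is a mistake this script refuses to emit.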
Running role on client
The following will ask for your sudo password, since it needs to install packages and set up /etc/wireguard/wg0.conf.
$ ansible-playbook playbook-client.yml --tags wg-client
This will configure everything accordingly and bring up the WireGuard connection via wg-quick.
Non-default stuff
If, however, you want NetworkManager (or something else) to manage the tunnel instead, first stop and disable the wg-quick service so that the two do not fight over wg0:
$ systemctl stop wg-quick@wg0
$ systemctl disable wg-quick@wg0
NetworkManager
$ [sudo] nmcli connection import type wireguard file /etc/wireguard/wg0.conf
This will create a WireGuard tunnel that auto-connects. You can view the
imported config at /etc/NetworkManager/system-connections/wg0.nmconnection. Keep in mind that this file now holds a second copy of the private key (NetworkManager stores it root-readable only), next to the one in /etc/wireguard/wg0.conf.
Closing connection:
nmcli connection down wg0
Bringing connection up again:
nmcli connection up wg0
Deleting connection:
nmcli connection delete wg0
Disable auto-connect:
nmcli connection modify wg0 autoconnect no
More info: WireGuard in NetworkManager
Stop touching /etc/resolv.conf
To stop NetworkManager from touching /etc/resolv.conf, set main.dns=none with a configuration file in /etc/NetworkManager/conf.d/:
# /etc/NetworkManager/conf.d/dns.conf
[main]
dns=none
Use systemd-resolved instead:
$ [sudo] pacman -S systemd-resolvconf
$ [sudo] systemctl enable --now systemd-resolved
$ [sudo] ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
Mind the argument order of ln: /etc/resolv.conf is the link and the resolved stub file is its target; the other way round clobbers the stub. systemd-resolvconf also provides the resolvconf binary that wg-quick calls when wg0.conf contains a DNS= line, so a DNS setting in the tunnel config ends up in resolved rather than in a rewritten /etc/resolv.conf.
# /etc/NetworkManager/conf.d/systemd-resolved.conf
[main]
dns=systemd-resolved
Afterwards, check that DNS for the tunnel really goes where you expect: resolvectl status wg0 shows the resolver(s) bound to that interface.