Small ansible role to configure WireGuard on Client+Server (Arch/Ubuntu)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Felix c9e77f3c05
README: Add disable-autoconnect section
1 year ago
defaults Add sysctl handling, fix samples, idempotency 1 year ago
tasks Add sysctl handling, fix samples, idempotency 1 year ago
templates Add sysctl handling, fix samples, idempotency 1 year ago README: Add disable-autoconnect section 1 year ago
playbook-client.sample.yml Add sysctl handling, fix samples, idempotency 1 year ago
playbook-server.sample.yml Add sysctl handling, fix samples, idempotency 1 year ago

WireGuard ansible role

More information on WireGuard: Arch Wiki: WireGuard.

This role assumes you run it via separte playbooks on client and server (ahem, sorry, "peers").

It also assumes a Ubuntu server and an Arch Linux client. Should be easy to substitute the appropriate calls to pacman with apt.

Assumptions about the network:

Peer Domain Port Address inside wg network Interface
Server 51820 eth0
Client (dynamic) 51820 wlan0

See defaults.yml and adjust accordingly in your playbook or server vars.

Shared settings

Pre-shared key

wg genpsk > client-server.psk

Goes into wg_client_server_pre_shared_key


Specific use-case: VPN server

Key setup

Private key

(umask 0077; wg genkey > server.key)

Goes into wg_server_private_key

Public key

wg pubkey < server.key >

Goes into wg_server_public_key

Running role on server

$ ansible-playbook playbook-server.yml --tags wg-server

Verify the interface is up by checking output of wg.

This should be taken care of by the role, but set just to be sure:

sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1

Starting up

The role will set up the server to auto-start the WireGuard connection.

For more info, from the wiki:

The interface may be brought up using wg-quick up wg0 respectively by starting and potentially enabling the interface via wg-quick@interface.service, e.g. wg-quick@wg0.service. To close the interface use wg-quick down wg0 (respectively stopping wg-quick@interface.service).


Key setup

Note: Keys must be pasted literally, not as file paths!

Private key

(umask 0077; wg genkey > client.key)

Goes into wg_client_private_key

Public key

wg pubkey < client.key >

Goes into wg_client_public_key

Running role on client

The following will ask for you sudo password since it needs to install packages and set up /etc/wireguard/wg0.conf.

$ ansible-playbook playbook-client.yml --tags wg-client

This will configure everything accordingly and set up the WireGuard connection via wg-quick.

Non-default stuff

If, however, you want to have the integration into NetworkManager (or something else), stop and disable the wg-quick service:

$ systemctl stop wg-quick@wg0
$ systemctl disable wg-quick@wg0


$ [sudo] nmcli connection import type wireguard file /etc/wireguard/wg0.conf

This will create a WireGuard tunnel that auto-connects. You can view the imported config at /etc/NetworkManager/system-connections/wg0.nmconnection

Closing connection:

nmcli connection down wg0

Bringing connection up again:

nmcli connection up wg0

Deleting connection:

nmcli connection delete wg0

Disable auto-connect:

nmcli connection modify wg0 autoconnect no

More info: WireGuard in NetworkManager

Stop touching /etc/resolv.conf

To stop NetworkManager from touching /etc/resolv.conf, set main.dns=none with a configuration file in /etc/NetworkManager/conf.d/:

# /etc/NetworkManager/conf.d/dns.conf

Use systemd-resolved instead:

$ pacman -S systemd-resolvconf
$ systemctl enable --now systemd-resolved
$ ln -sf /etc/resolv.conf /run/systemd/resolve/stub-resolv.conf
# /etc/NetworkManager/conf.d/systemd-resolved.conf