ansible-role-wireguard

README.md

Ansible WireGuard Role

Forked from https://git.coop/webarch/wireguard

An Ansible role to configure WireGuard on Debian and Ubuntu servers, based on "Ubuntu 20.04 set up WireGuard VPN server" and "How To Set Up WireGuard Firewall Rules in Linux"; see also the Quick Start documentation.

This role is designed to be used with an inventory / variables like this; you need to provide values for the `public_key` variables from the clients and pick a port number:

The server private key is automatically generated and included in the configuration file. For the client, install WireGuard:

Generate a private and public key:

The `publickey` contents need to be added to Ansible to add it to the server; the `privatekey` needs to be added to a file you need to create, for example `/etc/wireguard/wg0.conf`, which should be owned and only readable by `root` (mode `0600` and `root:root`).
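One way to create the client configuration with the restrictive mode from the start and then confirm it, as an added example that is not part of this role. The function names `write_private_conf` and `check_wg_conf` are illustrative, and GNU `stat` (as shipped on Debian and Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example, not part of the role; function names are illustrative.

# write_private_conf DEST
# Copy stdin to DEST so that it has mode 0600 from the moment it exists.
# An existing DEST is removed first, because truncating it would keep its
# old (possibly looser) mode. The umask change is confined to a subshell.
write_private_conf() {
    ( umask 077 && rm -f -- "$1" && cat > "$1" )
}

# check_wg_conf FILE [UID:GID]
# Succeeds only if FILE is a regular file (not a symlink), has mode 600 and
# is owned by UID:GID (default 0:0, i.e. root:root). Reasons go to stderr.
check_wg_conf() {
    wgc_file=$1
    wgc_want=${2:-0:0}
    wgc_rc=0
    if [ -L "$wgc_file" ] || [ ! -f "$wgc_file" ]; then
        echo "$wgc_file: missing, or not a regular file" >&2
        return 1
    fi
    # GNU stat: %a = octal mode, %u:%g = numeric owner and group
    wgc_mode=$(stat -c '%a' -- "$wgc_file") || return 1
    wgc_owner=$(stat -c '%u:%g' -- "$wgc_file") || return 1
    if [ "$wgc_mode" != 600 ]; then
        echo "$wgc_file: mode $wgc_mode, expected 600" >&2
        wgc_rc=1
    fi
    if [ "$wgc_owner" != "$wgc_want" ]; then
        echo "$wgc_file: owner $wgc_owner, expected $wgc_want" >&2
        wgc_rc=1
    fi
    return "$wgc_rc"
}

# As root on the client:
#   write_private_conf /etc/wireguard/wg0.conf < wg0.conf.draft
#   check_wg_conf /etc/wireguard/wg0.conf
```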

The `/etc/wireguard/wg0.conf` client configuration files can be based on the following example; the two instances of `XXX`, the IP address and port `PUBLIC_IPV4_ADDRESS:50000`, and probably the IP `Address` value need to be replaced:

You can then start the VPN on the client:

To stop the VPN:

TODO

  1. Add support for client configuration for clients that are reachable via a public IP address.

Example

inventory.yml

```yaml
wg01:
  hosts:
    srv.example.org:
      ansible_connection: ssh
      ansible_user: root
      ansible_password: 'password'
```

playbook.yml

```yaml
- name: Run WireGuard
  hosts: all
  roles:
    - wireguard
  vars:
    wireguard_devices:
      wg0:
        interface:
          ipv4_address: 192.168.1.1
          ipv4_subnet: 255.255.255.0
          listen_port: 50000
        peers:
          - name: Client_1
            public_key: tTFqFdSiL2PXXZY+SJVCpGmgoUPV3dNlyZ3ert0mwVI=
            allowed_ips:
              - 192.168.1.2
```

Run command

```sh
ansible-playbook -i inventory.yml playbook.yml
```