kravietz.wireguard_vpn

wireguard_vpn

Set up a client-to-server Wireguard VPN service and create client configuration files.

Description

This role sets up a VPN service using Wireguard on a Linux machine with the following key features:

  • Network settings are managed by systemd-networkd
  • Uses RFC 1918 addressing for IPv4 in the VPN tunnel with NAT
  • IPv6 uses a routable subnet in the tunnel with NDP proxying
  • Supports Wireguard pre-shared keys
  • Creates client .conf files for wg-quick(8)
  • Supports all configuration options for wg-quick(8)

Role Variables

vpn_interface: wg1

# Generate with `wg genkey` and protect with ansible-vault
# vpn_private_key: "iP/lnL/zhicPMnAphlT6qAciKusTmR2X5utTAo7u5Ug="  # REQUIRED

# Generate with `wg pubkey` from the above private key
# vpn_public_key: "OBGsZZxxX0jcehmFJc0L6v7FX3PMnVDFgdgpjJFU0k4="   # REQUIRED

## UDP listening port on the public Internet
# vpn_listen_port: 1194  # REQUIRED

## Addresses for the internal VPN tunnel
# vpn_address4: "192.168.2.252/24"            # at least one is REQUIRED
# vpn_address6: '2a05:1111:0:3:8000::252/65'  # at least one is REQUIRED

## Required to set up NDP entries for IPv6 VPN clients
# vpn_ndp_config: /etc/systemd/network/eth0.network  # OPTIONAL

## DNS resolvers set for clients to use with the VPN
# vpn_dns_resolvers: ["9.9.9.9", "2620:fe::fe"]  # OPTIONAL array

# Enable generation of .conf files for clients’ wg-quick utility
# vpn_clients_dir: /root/wireguard  # OPTIONAL

# Specify VPN clients (OPTIONAL array)
# vpn_clients:                                # OPTIONAL
#   - name: client1                           # REQUIRED
#     address4: 192.168.2.110/32              # at least one of address4 or address6 is REQUIRED
#     address6: "2a05:1111:0:3:8000::110/80"  # at least one of address4 or address6 is REQUIRED
#     # Only needed if the generated .conf file should carry the client's private key;
#     # otherwise the file contains a placeholder for the client to fill in itself
#     # Generate with `wg genkey` and protect with ansible-vault
#     # private_key: "+Noalz2HL9+nYFQpplZF2dYMmc7+MaXGuxMgc/QBbXU="  # OPTIONAL
#     # Generate with `wg pubkey` from the above
#     public_key: "RfDKFurwFo/ytXd9Ko5oEy7I7H4hjNBiT1bc1t+V4Wc="              # REQUIRED
#     # Routes the client sends through the tunnel (AllowedIPs in the client's [Peer] section)
#     # allowed_ips: ["192.168.2.1/32"]         # OPTIONAL
#     # Generate with `wg genpsk` and protect with ansible-vault
#     # psk: "151ODHNbvmiK/ox+2ndnZbVcfrIMRJjFjHXlb7o3ZeI="  # OPTIONAL
#     # mtu, table, preup, postdown: also accepted, with the meaning given in wg-quick(8)

Warning: Always use ansible-vault to keep private keys and pre-shared secrets safe in your variable files. Where possible, leave the client private_key unset and let each client generate its own key pair with `wg genkey`, so that only the client's public key ever has to be handed to the server.

Example Playbook

- hosts: vpn
  roles:
    - role: kravietz.wireguard_vpn
      vpn_private_key: "wIfnNpua6YlD4XzVGUvOCVknCo1LzAF6iGkp7Tho43o="
      vpn_public_key: "+RHdC7oc8O/dojCOMf7CtYBZc5pA2DZPiE4dNRHHhlw="
      vpn_listen_port: 1194
      vpn_address4: "192.168.1.1/24"
      vpn_address6: '2a05:1111:0:3:8000::1/65'
      vpn_clients_dir: /root/wireguard
      vpn_clients:
        - name: client1
          address4: 192.168.1.100/32
          address6: "2a05:1111:0:3:8000::100/128"
          private_key: "iJgcqx21xGETtzFIIdKfD/LvMqswJ2LWUiFPKUBLenw="
          public_key: "T4QbCHfGKLYFdmFeXVfDHP5AYpQ2AZapHIw+ZiCDIHs="
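Added example, not code from the role or its author: a stand-alone Python helper that derives a public key the way `wg pubkey` does (X25519 of the clamped private key with the base point 9, per RFC 7748), so a playbook can be checked before deployment for the common slip of pairing `vpn_public_key`, or a client's `public_key`, with a different key than the one sitting in the vault, and that renders a wg-quick(8) client file from the variable layout documented above. The sample keys are the RFC 7748 test vectors rather than real `wg genkey` output, the PSK is a constructed placeholder, and `vpn_endpoint` (the server's public host name used for the client's Endpoint line) is an assumed name that the role itself does not define.

```python
"""Added helper for the kravietz.wireguard_vpn variable layout: verify key pairs
and render a wg-quick(8) client .conf. Not part of the role."""
import base64
import ipaddress

# X25519 parameters from RFC 7748
_P = 2**255 - 19
_A24 = 121665


def _x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder: scalar k times u-coordinate u, both 32 bytes little-endian.
    Plain Python integers, so not constant-time: fine for checking configs, not for key agreement."""
    kb = bytearray(k)
    kb[0] &= 248            # scalar clamping; `wg genkey` output already has these bits set
    kb[31] &= 127
    kb[31] |= 64
    scalar = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)   # top bit of u is ignored
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (scalar >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        e = (aa - bb) % _P
        c, d = (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3 = pow(da + cb, 2, _P)
        z3 = x1 * pow(da - cb, 2, _P) % _P
        x2 = aa * bb % _P
        z2 = e * (aa + _A24 * e) % _P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, _P - 2, _P) % _P).to_bytes(32, "little")


def wg_pubkey(private_key_b64: str) -> str:
    """Same derivation as `wg pubkey`: base64 private key in, base64 public key out."""
    priv = base64.b64decode(private_key_b64, validate=True)
    if len(priv) != 32:
        raise ValueError("WireGuard keys are exactly 32 bytes")
    return base64.b64encode(_x25519(priv, (9).to_bytes(32, "little"))).decode()


def keypair_matches(private_key_b64: str, public_key_b64: str) -> bool:
    """Pre-flight check: does the configured public key belong to the vaulted private key?"""
    return wg_pubkey(private_key_b64) == public_key_b64


# wg-quick(8) option names for the lower-case per-client keys the role accepts
_WG_QUICK_OPTS = {"mtu": "MTU", "table": "Table", "preup": "PreUp", "postdown": "PostDown"}


def render_client_conf(server: dict, client: dict) -> str:
    """Render one client .conf. server["vpn_endpoint"] (public host name) is this
    example's own assumed variable; the role's documented variables have no such name."""
    addrs = [a for a in (client.get("address4"), client.get("address6")) if a]
    if not addrs:
        raise ValueError("client needs address4 or address6")
    lines = ["[Interface]",
             # as in the role: a placeholder when no client private key is configured
             "PrivateKey = " + client.get("private_key", "<CLIENT_PRIVATE_KEY>"),
             "Address = " + ", ".join(addrs)]
    if server.get("vpn_dns_resolvers"):
        lines.append("DNS = " + ", ".join(server["vpn_dns_resolvers"]))
    lines += [f"{opt} = {client[key]}" for key, opt in _WG_QUICK_OPTS.items() if key in client]
    # assumed default when allowed_ips is absent: route the whole tunnel subnet(s)
    routes = client.get("allowed_ips") or [
        str(ipaddress.ip_interface(server[k]).network)
        for k in ("vpn_address4", "vpn_address6") if server.get(k)]
    lines += ["", "[Peer]",
              "PublicKey = " + server["vpn_public_key"],
              "AllowedIPs = " + ", ".join(routes),
              f"Endpoint = {server['vpn_endpoint']}:{server['vpn_listen_port']}"]
    if client.get("psk"):
        lines.append("PresharedKey = " + client["psk"])
    return "\n".join(lines) + "\n"


def _b64(hex_key: str) -> str:
    return base64.b64encode(bytes.fromhex(hex_key)).decode()


# Constructed sample: RFC 7748 section 6.1 test-vector keys stand in for `wg genkey` output
SERVER_PRIVATE = _b64("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
SERVER_PUBLIC = _b64("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
CLIENT_PRIVATE = _b64("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
CLIENT_PUBLIC = _b64("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")

SERVER_VARS = {"vpn_private_key": SERVER_PRIVATE, "vpn_public_key": SERVER_PUBLIC,
               "vpn_listen_port": 1194, "vpn_endpoint": "vpn.example.com",   # assumed name
               "vpn_address4": "192.168.1.1/24", "vpn_address6": "2a05:1111:0:3:8000::1/65",
               "vpn_dns_resolvers": ["9.9.9.9", "2620:fe::fe"]}
CLIENT_VARS = {"name": "client1", "address4": "192.168.1.100/32",
               "address6": "2a05:1111:0:3:8000::100/128", "public_key": CLIENT_PUBLIC,
               "mtu": 1380, "psk": base64.b64encode(bytes(range(32))).decode()}  # constructed PSK

if __name__ == "__main__":
    assert keypair_matches(SERVER_PRIVATE, SERVER_PUBLIC)
    print(render_client_conf(SERVER_VARS, CLIENT_VARS))
```

Run as a script it prints client1's file with the `<CLIENT_PRIVATE_KEY>` placeholder, the mode the role uses when no per-client private_key is supplied; in a pre-flight task you would call keypair_matches() on every vaulted private/public pair, server and clients alike, since WireGuard silently drops handshakes from a peer whose key does not match. The ladder is written with Python integers and is not constant-time, which is acceptable for a configuration check but no reason to stop generating keys with `wg genkey`.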

License

GPLv3

Author Information

Paweł Krawczyk https://krvtz.net/

Project information

Configure an IPv4/IPv6 Wireguard-based VPN service using `systemd-networkd` and generate client config files.

Install
ansible-galaxy install kravietz.wireguard_vpn
License
Unknown
Downloads
6.8k
Owner
Information security, DevOps and DevSecOps professional from Poland living in the UK