mawalu.wireguard_private_networking
Private Server to Server Network with Ansible and WireGuard
This role helps you create a fast, secure private network between multiple servers, no matter the provider. It's useful if your provider doesn't offer a private network or if you want to connect servers in different regions or from different providers.
How It Works
The role installs WireGuard on Debian or Ubuntu hosts. It builds a full mesh between all servers in the play by adding every other server as a peer, writes the configuration for one interface, and enables the corresponding `wg-quick` service so the tunnel comes up at boot.
Installation
You can install it using Ansible Galaxy:

```shell
$ ansible-galaxy install mawalu.wireguard_private_networking
```
Setup
After installation, assign a `vpn_ip` variable to each host that should join the network and run the role against them. Make sure the VPN port (UDP, default 5888) is allowed in the firewall of every host, since each server listens on it for the other peers.

Optionally, you can set a `public_addr` for each host. It is used as the endpoint other peers connect to, instead of the inventory address. This is useful when Ansible reaches the host over a different network than the one WireGuard should use, for example when Ansible connects over a local area network (LAN) while the peers must reach each other over public addresses. Here is a simple example configuration:
```yaml
# Inventory host file
wireguard:
  hosts:
    1.1.1.1:
      vpn_ip: 10.1.0.1/32
      public_addr: "example.com" # optional
    2.2.2.2:
      vpn_ip: 10.1.0.2/32
```
```yaml
# Playbook
- name: Configure WireGuard Network
  hosts: wireguard
  remote_user: root
  roles:
    - mawalu.wireguard_private_networking
```
```yaml
# Playbook (with client config)
- name: Configure WireGuard Network
  hosts: wireguard
  remote_user: root
  vars:
    client_vpn_ip: 10.1.0.100
    client_wireguard_path: "~/my-client-config.conf"
  roles:
    - mawalu.wireguard_private_networking
```
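Once the play has run, each server should see every other server as a peer with a recent handshake. The following script is an added example, not part of the role: it parses the machine-readable output of `wg show <interface> dump` and reports a wrong listen port or peers that have not completed a handshake within a given window (a peer that never handshakes usually means the UDP port is blocked or the endpoint address is wrong). It assumes the role's defaults, interface `private` and port 5888; the embedded dump is a constructed sample with placeholder keys.

```shell
#!/bin/sh
# Added example, not part of the mawalu.wireguard_private_networking role.
# Sanity-check a node after the role has run, using `wg show <iface> dump`.
#
# Dump format (tab-separated):
#   line 1:  private_key  public_key  listen_port  fwmark
#   line 2+: public_key  preshared_key  endpoint  allowed_ips  latest_handshake
#            transfer_rx  transfer_tx  persistent_keepalive
# latest_handshake is a Unix timestamp, 0 if the peer never completed one.

# Listen port from the interface header line.
listen_port() {
    printf '%s\n' "$1" | awk -F'\t' 'NR == 1 { print $3 }'
}

# Print allowed_ips of every peer whose last handshake is older than
# $3 seconds relative to the timestamp in $2, or that never handshook.
stale_peers() {
    printf '%s\n' "$1" | awk -F'\t' -v now="$2" -v max_age="$3" '
        NR == 1 { next }                                 # skip interface line
        $5 == 0 || now - $5 > max_age { print $4 }'
}

# Report problems on stderr; exit status 1 if anything is wrong.
# Defaults match the role: port 5888, three missed 60 s keepalive windows.
check_node() {
    dump=$1; now=$2; port=${3:-5888}; max_age=${4:-180}
    rc=0
    if [ "$(listen_port "$dump")" != "$port" ]; then
        echo "listen port is $(listen_port "$dump"), expected $port" >&2
        rc=1
    fi
    for ip in $(stale_peers "$dump" "$now" "$max_age"); do
        echo "no handshake with $ip in the last ${max_age}s" >&2
        rc=1
    done
    return $rc
}

# Constructed sample of `wg show private dump` for a three-node mesh as seen
# from 10.1.0.1; keys are placeholders. 10.1.0.3 has never handshaked.
NOW=1700000000
SAMPLE_DUMP=$(printf '%s\t%s\t%s\t%s\n' '(hidden)' 'SELF_PUBLIC_KEY=' 5888 off
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' 'PEER2_PUBLIC_KEY=' '(none)' \
        '2.2.2.2:5888' '10.1.0.2/32' $((NOW - 45)) 418760 396112 off
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' 'PEER3_PUBLIC_KEY=' '(none)' \
        '3.3.3.3:5888' '10.1.0.3/32' 0 0 1852 off)

# On a real node run: check_node "$(wg show private dump)" "$(date +%s)"
if check_node "$SAMPLE_DUMP" "$NOW"; then
    echo "mesh OK"
else
    echo "mesh check failed (expected for the sample: 10.1.0.3 never handshaked)"
fi
```

Run it on each server, or wrap it in an Ansible `command` task, to confirm the mesh is actually up rather than trusting that `wg-quick` started. A peer listed with a handshake timestamp of 0 but non-zero `transfer_tx` is the classic signature of a firewall dropping the UDP port in one direction.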
Additional Configuration
There are a few variables you can change (defaults shown):

```yaml
wireguard_port: "5888"              # UDP port for server-to-server connections
wireguard_path: "/etc/wireguard"    # Location of the WireGuard configuration
wireguard_network_name: "private"   # Name of the config file and of the wg-quick interface
wireguard_mtu: 1500                 # Optional MTU for the wg-quick file, not set by default
debian_enable_backports: true       # Whether to add the Debian backports repository

# Raspberry Pi Zero support
allow_build_from_source: true       # Allow compiling WireGuard from source, may trigger a reboot
wireguard_sources_path: "/var/cache" # Where to clone the WireGuard sources if a build is needed

client_vpn_ip: ""                   # If set, an additional WireGuard client config is written to localhost (the Ansible controller)
client_wireguard_path: "~/wg.conf"  # Path of that client config, used only if client_vpn_ip is set

# List of additional peers to add to every server, e.g. a laptop or another network
wireguard_additional_peers:
  - comment: martin
    ip: 10.2.3.4
    key: your_wireguard_public_key
  - comment: other_network
    ip: 10.32.0.0/16
    key: their_wireguard_public_key
    keepalive: 20
    endpoint: some.endpoint:2230

wireguard_post_up: "iptables ..."   # Command to run after the interface is brought up
wireguard_post_down: "iptables"     # Command to run after the interface is brought down
```
Testing
This role includes a test setup built with Molecule. To run the tests, follow the Molecule installation guide, make sure a Docker daemon is running, and execute `molecule test`.
Contributing
Feel free to report issues or suggest improvements. Contributions that add support for more operating systems or additional tests are particularly welcome.