oukooveu.wireguard
WireGuard Ansible Role
This role installs WireGuard and, by default, connects all hosts in the play in a full mesh (every host peers with every other host).
The role is inspired by this implementation, but it was rewritten from scratch because the original is no longer maintained and does not accept pull requests.
Requirements
There are no special requirements beyond one mandatory variable: wireguard_vpn_ip has no default and must be set for every host (for example in host_vars or the inventory).
Role Variables
| Variable | Description | Default Value |
|---|---|---|
| wireguard_vpn_ip | Private (tunnel) address of the host | N/A, must be provided for each host |
| wireguard_port | UDP port to listen on | 51820 |
| wireguard_path | Path to configuration files | /etc/wireguard |
| wireguard_public_ip | Address advertised to peers as this host's endpoint; override it when the host is behind NAT and ansible_default_ipv4.address is a private address | {{ ansible_default_ipv4.address }} |
| wireguard_post_up | Script to run after bringing the interface up (wg-quick PostUp) | N/A |
| wireguard_post_down | Script to run after bringing the interface down (wg-quick PostDown) | N/A |
| wireguard_network | Network layout as an adjacency list, see examples below | {} |
| wireguard_network_name | Interface name | wg0 |
| wireguard_additional_peers | Additional peers that are not play hosts | [] |
| wireguard_mtu_enabled | Manage the MTU option | false |
| wireguard_mtu | MTU value | N/A |
| wireguard_fw_mark_enabled | Manage the FwMark option | false |
| wireguard_fw_mark | FwMark value | {{ wireguard_port }} |
| wireguard_hosts_enabled | Add the host itself and its WireGuard peers to /etc/hosts | false |
| wireguard_hosts_domain | Domain for the /etc/hosts records | wg.internal |
The FwMark option tags WireGuard's own encrypted UDP packets with a firewall mark, which makes it possible to tell them apart from traffic that bypasses the tunnel. That is the basis of the "kill switch" rule from wg-quick(8), which rejects every outbound packet that neither leaves through the tunnel nor carries the mark nor is addressed to a local address:

```
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
```

Two caveats: `wg show %i fwmark` prints `off` unless a mark is actually set (wireguard_fw_mark_enabled: true), which makes the `--mark` argument invalid; and because the rule rejects all non-tunnel egress, it is only appropriate for hosts whose entire traffic is routed through WireGuard, not for a mesh that carries only the peers' tunnel addresses, where it would also cut off replies to management SSH.
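The following playbook is an added example (it is not part of the role or its documentation) showing how the kill-switch rule can be wired through the role's own hook variables. It assumes that wireguard_post_up and wireguard_post_down are rendered as the PostUp and PostDown lines of the wg-quick configuration, that wg-quick substitutes %i with the interface name in both hooks, and that a host group named gateway exists. The mark is taken from wireguard_fw_mark rather than from `wg show`, because PostDown runs after the interface has been removed, so `wg show %i fwmark` would fail there and the REJECT rule would be left in place, blocking all egress.

```yaml
# Added example, not the role's own code: enable FwMark and install the
# wg-quick(8) kill-switch rule through the role's hook variables.
# Assumptions: wireguard_post_up / wireguard_post_down become the PostUp /
# PostDown lines of the wg-quick config, wg-quick replaces %i with the
# interface name in both hooks, and the "gateway" group is hypothetical.
- name: WireGuard with a kill switch (all traffic routed through the tunnel)
  hosts: gateway
  vars:
    wireguard_fw_mark_enabled: true
    # Defaults to wireguard_port (51820); stated explicitly so the same
    # value is reused verbatim in both iptables rules below.
    wireguard_fw_mark: 51820
    # Reject any outbound packet that is not leaving through the tunnel,
    # is not WireGuard's own (marked) encrypted UDP and is not local.
    wireguard_post_up: >-
      iptables -I OUTPUT ! -o %i -m mark ! --mark {{ wireguard_fw_mark }}
      -m addrtype ! --dst-type LOCAL -j REJECT
    # PostDown runs after the interface is gone, so "wg show %i fwmark"
    # cannot be used here; the literal mark value removes the same rule.
    wireguard_post_down: >-
      iptables -D OUTPUT ! -o %i -m mark ! --mark {{ wireguard_fw_mark }}
      -m addrtype ! --dst-type LOCAL -j REJECT
  roles:
    - role: oukooveu.wireguard
```

After the play, `wg show wg0 fwmark` on the host should print the mark in hexadecimal (0xca6c for 51820) and `iptables -S OUTPUT` should list the REJECT rule; after `wg-quick down wg0` the rule must be gone, otherwise the host has no outbound connectivity.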
Example Playbooks
Full-Mesh Network
```yaml
- name: Setup WireGuard full-mesh network
  hosts: cluster
  roles:
    - role: oukooveu.wireguard
```
Custom Network Topology with Additional Peer
```yaml
- name: Setup WireGuard custom network
  hosts: cluster
  vars:
    wireguard_network:
      node1:
        - node2
        - node3
        - node4
      node2:
        - node1
        - node4
      node3:
        - node1
        - node4
      node4:
        - node1
        - node2
        - node3
    wireguard_additional_peers:
      - ip: 192.168.100.1
        key: s3cr3t
        endpoint: 10.0.100.1
        keepalive: 15
        comment: 'comment'
  roles:
    - role: oukooveu.wireguard
```
In this example, node1 and node4 are peered with every other host, while node2 and node3 are not peered with each other (they each list only node1 and node4). The adjacency list must be symmetric: if node A lists node B as a peer, node B must also list node A. The role does not check this, and an asymmetric layout produces a one-sided peer entry that cannot complete a handshake.
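Since the role performs no symmetry check, the following added example (not part of the role) puts one in front of it as a pre_task. It assumes only what the example above shows: wireguard_network is a mapping from host name to a list of peer host names. The dict2items and subelements filters expand the mapping into every (node, peer) pair, and the assert fails on the first pair without a matching (peer, node) entry.

```yaml
# Added example, not the role's own code: fail early when wireguard_network
# is not symmetric, because the role itself does not verify this.
# Assumption: wireguard_network maps host name -> list of peer host names.
- name: Setup WireGuard custom network with a symmetry check
  hosts: cluster
  vars:
    wireguard_network:
      node1: [node2, node3, node4]
      node2: [node1, node4]
      node3: [node1, node4]
      node4: [node1, node2, node3]
  pre_tasks:
    # dict2items turns the mapping into [{key: node1, value: [...]}, ...];
    # subelements('value') then yields one [entry, peer] pair per edge.
    - name: Verify that wireguard_network is symmetric
      ansible.builtin.assert:
        that:
          # the peer must be a defined node ...
          - item.1 in wireguard_network
          # ... and must list this node in return
          - item.0.key in wireguard_network.get(item.1, [])
        fail_msg: >-
          {{ item.0.key }} lists {{ item.1 }} as a peer, but
          {{ item.1 }} does not list {{ item.0.key }}
        quiet: true
      loop: "{{ wireguard_network | dict2items | subelements('value') }}"
      run_once: true
  roles:
    - role: oukooveu.wireguard
```

To see the check fire, remove node1 from node2's list: the play stops before the role runs, with a message naming the unmatched pair (node1 -> node2).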
Molecule Tests
To run the tests locally:

```shell
python -m venv .venv
. .venv/bin/activate
pip install -r molecule/default/requirements.txt
molecule test
```

To test against another image (for example debian:11 or rockylinux:9), set the MOLECULE_IMAGE environment variable before running molecule test:

```shell
export MOLECULE_IMAGE=rockylinux:9
```

To clean up the test environment, run molecule destroy.
License
Apache 2.0
Install the role from Ansible Galaxy with:

```shell
ansible-galaxy install oukooveu.wireguard
```