wireguard

wireguard ansible role


This is a simple role to install wireguard and configure full-mesh connectivity (by default) between all play hosts.

The role was inspired by this implementation, but because that project is unmaintained and does not accept PRs, it was decided to rewrite it from scratch.

Requirements

There are no special requirements. There is no default for wireguard_vpn_ip; this variable must be defined for each host.

Role Variables

| Variable | Description | Default value |
|---|---|---|
| wireguard_vpn_ip | private address | N/A, must be provided through host vars |
| wireguard_port | port to listen on | 51820 |
| wireguard_path | path to configuration files | /etc/wireguard |
| wireguard_public_ip | public address | {{ ansible_default_ipv4.address }} |
| wireguard_post_up | post up script | N/A |
| wireguard_post_down | post down script | N/A |
| wireguard_network | network topology, see samples below | {} |
| wireguard_network_name | interface name | wg0 |
| wireguard_additional_peers | additional peers | [] |
| wireguard_mtu_enabled | manage MTU option | false |
| wireguard_mtu | MTU option value | N/A |
| wireguard_fw_mark_enabled | manage FwMark option | false |
| wireguard_fw_mark | FwMark option value | {{ wireguard_port }} |
| wireguard_hosts_enabled | add itself and wireguard peers into /etc/hosts | false |
| wireguard_hosts_domain | domain for /etc/hosts records | wg.internal |

The WireGuard FwMark option can be useful when you need to filter out all unencrypted traffic, i.e. reject any non-local traffic that does not leave through the tunnel interface, for example:

PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

Example Playbooks

full-mesh network

- name: setup wireguard full-mesh network
  hosts: cluster
  roles:
    - role: oukooveu.wireguard

custom network topology with additional peer

- name: setup wireguard custom network
  hosts: cluster
  vars:
    wireguard_network:
        node1:
            - node2
            - node3
            - node4
        node2:
            - node1
            - node4
        node3:
            - node1
            - node4
        node4:
            - node1
            - node2
            - node3
    wireguard_additional_peers:
        - ip: 192.168.100.1
          key: s3cr3t
          endpoint: 10.0.100.1
          keepalive: 15
          comment: 'comment'
  roles:
    - role: oukooveu.wireguard

In the sample above, hosts node1 and node4 have access to all hosts, while hosts node2 and node3 do not have access to each other. The configuration must be symmetric (if connectivity is defined on one node, it must also be defined on the other node); the role performs no additional checks for this, so be careful.
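Because the role does not verify that wireguard_network is symmetric, an asymmetric mapping silently produces one-way peer entries. The following helper is an added example (not part of the role) that resolves each host's effective peers and reports unmatched pairs; it assumes, as the defaults table implies, that an empty mapping means full mesh between all play hosts.

```python
"""Sanity-check a wireguard_network topology before running the role."""
from typing import Dict, Iterable, List, Tuple

Topology = Dict[str, List[str]]


def resolve_peers(hosts: Iterable[str], network: Topology) -> Topology:
    """Return the effective peer list for every play host.

    Assumption (from the README defaults): an empty wireguard_network ({})
    means full mesh, i.e. every host peers with every other host. Otherwise
    the mapping is used as given and hosts absent from it get no peers.
    """
    hosts = list(hosts)
    if not network:
        return {h: [p for p in hosts if p != h] for h in hosts}
    return {h: list(network.get(h, [])) for h in hosts}


def asymmetries(network: Topology) -> List[Tuple[str, str]]:
    """Return (a, b) pairs where a lists b as a peer but b does not list a.

    A host listing itself is also reported, since a node cannot be its own peer.
    """
    issues = []
    for host, peers in sorted(network.items()):
        for peer in peers:
            if host == peer or host not in network.get(peer, []):
                issues.append((host, peer))
    return issues


# Constructed from the README's custom-network example: node1 and node4
# reach every host, node2 and node3 do not reach each other.
SAMPLE_NETWORK: Topology = {
    "node1": ["node2", "node3", "node4"],
    "node2": ["node1", "node4"],
    "node3": ["node1", "node4"],
    "node4": ["node1", "node2", "node3"],
}

if __name__ == "__main__":
    play_hosts = ["node1", "node2", "node3", "node4"]
    for host, peers in resolve_peers(play_hosts, SAMPLE_NETWORK).items():
        print(f"{host}: {', '.join(peers) or '(no peers)'}")
    problems = asymmetries(SAMPLE_NETWORK)
    print("topology is symmetric" if not problems else f"one-way peers: {problems}")
```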

Molecule tests

To run tests locally:

python -m venv .venv
. .venv/bin/activate
pip install -r molecule/default/requirements.txt
molecule test

To run tests against an image other than the default (debian:11), set the MOLECULE_IMAGE environment variable to an appropriate value, for example:

export MOLECULE_IMAGE=rockylinux:9

To clean up the test environment, run molecule destroy.

License

Apache 2.0

Install
ansible-galaxy install oukooveu/ansible-role-wireguard