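├── README.md
├── defaults
│   └── main.yml
├── handlers
│   └── main.yml
├── meta
│   └── main.yml
├── tasks
│   ├── main.yml
│   ├── private_key.yml
│   └── public_key.yml
├── templates
│   └── wg0-server.conf.j2
└── vars
    └── main.yml

/README.md:
--------------------------------------------------------------------------------
# Wireguard Ansible

Simple role to set up a wireguard server

## Role Variables

    wireguard_root_ip: 10.212.122.1      # VPN address of server
    wireguard_listen_port: "51820"       # UDP port the server listens on
    wireguard_path: "/etc/wireguard"     # Directory that receives wg0-server.conf and the public key file
    wireguard_public_key_file: "{{ wireguard_path }}/server.pub"
    wireguard_clients: []                # List of clients to add to wireguard config
    wireguard_private_key: "..."         # Undefined by default, the role will generate a key on each run
    wireguard_public_key: "..."          # Optional; derived from the private key when not given

Each entry of `wireguard_clients` needs `public_key` and `allowed_ip`; `preshared_key`,
`endpoint` and `persistent_keepalive` (used only together with `endpoint`, default 10)
are optional.

`wireguard_save_config` is set in `vars/main.yml` (rendered as WireGuard's `SaveConfig`).

## Example Playbook

    - hosts: webservers
      vars:
        wireguard_private_key: "..."
        wireguard_clients:
          - { public_key: 'fMVHmYgYIl8w6dPnbspiNcXjxNcsYmNUL5hBHbkzEng=', allowed_ip: '10.212.122.10/32', preshared_key: 'pEoSSHnrbk94CJepW8+GGGUThgiJwJHdUszPN/30Xks=' }
          - { public_key: '...', allowed_ip: '10.212.122.20/32', preshared_key: '....' }
      roles:
        - { role: botto.wireguard }

## TODO
- [ ] Inspect existing server config and extract private key
- [ ] Make sure multiple wg instances can be set up i.e.: wg0-server and wg1-server and so on
--------------------------------------------------------------------------------

/defaults/main.yml:
--------------------------------------------------------------------------------
---
# UDP port WireGuard listens on; kept quoted so YAML never retypes it.
wireguard_listen_port: "51820"

wireguard_path: "/etc/wireguard"
wireguard_public_key_file: "{{ wireguard_path }}/server.pub"

# Peers rendered into wg0-server.conf (see templates/wg0-server.conf.j2 for
# the keys each entry may carry). Empty list: no peer sections are rendered
# and the service is not started.
wireguard_clients: []
wireguard_root_ip: "10.212.122.1"
--------------------------------------------------------------------------------

/handlers/main.yml:
--------------------------------------------------------------------------------
---
- name: restart wireguard
  ansible.builtin.service:
    name: wg-quick@wg0-server
    state: restarted
--------------------------------------------------------------------------------

/meta/main.yml:
--------------------------------------------------------------------------------
---
galaxy_info:
  author: Martin Eskdale Moen
  description: Provides a basic wireguard role for ubuntu based systems
  license: MIT
  # quoted: unquoted 2.9 would be parsed as a float, not a version string
  min_ansible_version: "2.9"
  platforms:
    - name: Ubuntu
      versions:
        - xenial
        - yakkety
        - zesty

  galaxy_tags:
    - wireguard
    - vpn
    - networking
--------------------------------------------------------------------------------

/tasks/main.yml:
--------------------------------------------------------------------------------
---
- name: Install kernel headers matching kernel version
  # ansible_kernel is the gathered `uname -r`; the apt module is idempotent
  # where the previous `apt -y install` shell call reported a change every run.
  ansible.builtin.apt:
    name: "linux-headers-{{ ansible_kernel }}"
    state: present

- name: Install the WireGuard packages
  ansible.builtin.package:
    name:
      - wireguard-dkms
      - wireguard-tools
    state: present

# private_key.yml must run first: public_key.yml derives from wireguard_private_key.
- ansible.builtin.import_tasks: private_key.yml
- ansible.builtin.import_tasks: public_key.yml

- name: Generate the client and server configuration files
  ansible.builtin.template:
    src: "{{ item }}.j2"
    dest: "{{ wireguard_path }}/{{ item }}"
    owner: root
    group: root
    # quoted so the mode is passed as the octal string, not the integer 384
    mode: "0600"
  loop:
    - wg0-server.conf
  # the rendered file contains PrivateKey; do not print it in --diff output
  diff: false
  notify: restart wireguard

- name: Enable the WireGuard service so it starts at boot, and bring up the WireGuard network interface
  ansible.builtin.systemd:
    name: wg-quick@wg0-server.service
    enabled: true
    state: started
  # same condition as `wireguard_clients.0 is defined`, spelled as a length test
  when: wireguard_clients | length > 0
--------------------------------------------------------------------------------

/tasks/private_key.yml:
--------------------------------------------------------------------------------
---
# Generates a server private key only when the play did not supply one.
# `wg genkey` writes the key to stdout and touches no file, so no umask is needed.
- name: Generate private key
  ansible.builtin.command: wg genkey
  register: wireguard_private_key_cmd
  # stdout is the private key; keep it out of the play log
  no_log: true
  when: wireguard_private_key is not defined or wireguard_private_key | length == 0

- name: Use the generated private key
  ansible.builtin.set_fact:
    wireguard_private_key: "{{ wireguard_private_key_cmd.stdout }}"
  no_log: true
  # the registered result always exists; only adopt it when the task actually ran
  when: wireguard_private_key_cmd is not skipped
--------------------------------------------------------------------------------

/tasks/public_key.yml:
--------------------------------------------------------------------------------
---
# Derives the public key from wireguard_private_key unless the play supplied
# wireguard_public_key, then writes it to wireguard_public_key_file.
- name: Generate public key
  ansible.builtin.command:
    cmd: wg pubkey
    # feeding the key via stdin keeps it out of the shell command line
    # (and therefore out of process listings and verbose task output)
    stdin: "{{ wireguard_private_key }}"
  register: wireguard_public_key_cmd
  changed_when: false
  no_log: true
  when: wireguard_public_key is not defined or wireguard_public_key | length == 0

- name: Use the derived public key
  ansible.builtin.set_fact:
    wireguard_public_key: "{{ wireguard_public_key_cmd.stdout }}"
  when: wireguard_public_key_cmd is not skipped

# The previous `wireguard_public_key | length == 0` guard compared the length of
# the registered result dict, which is never 0, so the key was never saved.
- name: Save public key
  ansible.builtin.copy:
    content: "{{ wireguard_public_key }}"
    dest: "{{ wireguard_public_key_file }}"
  when: wireguard_public_key is defined and wireguard_public_key | length > 0
--------------------------------------------------------------------------------

/templates/wg0-server.conf.j2:
--------------------------------------------------------------------------------
{# Rendered to {{ wireguard_path }}/wg0-server.conf with mode 0600: it holds the private key. #}
[Interface]
Address = {{ wireguard_root_ip }}
{# wg-quick accepts only the literal words true/false here; a bare Jinja boolean renders as "False". #}
SaveConfig = {{ wireguard_save_config | bool | lower }}
ListenPort = {{ wireguard_listen_port }}
PrivateKey = {{ wireguard_private_key }}

{% for peer in wireguard_clients %}
[Peer]
PublicKey = {{ peer.public_key }}
AllowedIPs = {{ peer.allowed_ip }}
{% if 'preshared_key' in peer %}
PresharedKey = {{ peer.preshared_key }}
{% endif %}
{% if 'endpoint' in peer %}
Endpoint = {{ peer.endpoint }}
PersistentKeepalive = {{ peer.persistent_keepalive | default(10) }}
{% endif %}
{% endfor %}
--------------------------------------------------------------------------------

/vars/main.yml:
--------------------------------------------------------------------------------
---
# Lives in vars/ (high precedence), so inventory cannot override it.
# Rendered into SaveConfig; lowercase so YAML reads it as a real boolean.
wireguard_save_config: false
--------------------------------------------------------------------------------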