├── .gitignore ├── LICENSE ├── README.md ├── inventory └── hosts.ini ├── roles ├── prepare │ └── tasks │ │ └── main.yml └── wireguard │ ├── handlers │ └── main.yml │ ├── tasks │ └── main.yml │ └── templates │ └── wg.conf.j2 └── wireguard.yml /.gitignore: -------------------------------------------------------------------------------- 1 | *.retry -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018 Gabriel Poulenard-Talbot 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Ansible Wireguard 2 | 3 | A simple Ansible playbook that installs [WireGuard](https://www.wireguard.com/) as a VPN / secure overlay network. 4 | 5 | ## Todo 6 | - Add support for OS other than Debian 7 | - Use python-netaddr to generate private IPs 8 | 9 | ## Requirements 10 | 11 | - Ansible 2.4 (or newer) installed on the machine that will run Ansible commands. 12 | - Jinja 13 | 14 | ## Install 15 | Configure the inventory file in inventory/hosts.ini before running the playbook. 16 | 17 | 18 | git clone https://github.com/N0Cloud/ansible-wireguard.git 19 | cd ansible-wireguard 20 | # Edit inventory/hosts.ini 21 | ansible-playbook -i inventory/hosts.ini wireguard.yml 22 | 23 | ## Verify the installation 24 | You can get the status of WireGuard by running the following command on every host: 25 | 26 | wg show 27 | or with Ansible: 28 | 29 | ansible -i inventory/hosts.ini -a "wg show" wireguard 30 | 31 | ## Resources 32 | For more information go to the [WireGuard documentation](https://www.wireguard.com/quickstart/). 
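-------------------------------------------------------------------------------- /inventory/hosts.ini: --------------------------------------------------------------------------------

# Example inventory: one entry per node. The commented addresses are
# constructed placeholders; replace them with your own.
# 'ansible_host' supersedes the deprecated 'ansible_ssh_host' variable.
node-1 #ansible_host=192.168.1.10
node-2 #ansible_host=192.168.1.11
node-3 #ansible_host=192.168.1.12

[wireguard]
node-1
node-2
node-3

[wireguard:vars]
# The roles write under /etc/apt and /etc/wireguard and change sysctl, so
# they need root; an unprivileged user plus 'become: yes' in the play is the
# alternative to logging in as root directly.
ansible_user=root
-------------------------------------------------------------------------------- /roles/prepare/tasks/main.yml: --------------------------------------------------------------------------------
---
# Prepares a Debian host for the wireguard role: adds the unstable suite
# (pinned low so that only explicitly requested packages come from it),
# installs headers for the running kernel and enables IPv4 forwarding.
- name: Check supported distribution
  fail:
    msg: "Only Debian supported for now"
  when: ansible_distribution != 'Debian'

- name: Install wireguard repo (Debian)
  apt_repository:
    filename: unstable-wireguard
    repo: 'deb http://deb.debian.org/debian/ unstable main'
    update_cache: yes
  when: ansible_distribution == 'Debian'

# Pin-Priority 150 (below 500): apt keeps preferring the host's own release
# and takes a package from unstable only when it is requested explicitly or
# exists nowhere else. This bounds how much of the system can drift to
# unstable through this extra source.
- name: Configure wireguard repo (Debian)
  blockinfile:
    path: /etc/apt/preferences.d/limit-unstable
    create: yes
    block: |-
      Package: *
      Pin: release a=unstable
      Pin-Priority: 150
  when: ansible_distribution == 'Debian'

#- name: Apt upgrade (Debian)
#  apt:
#    name: "*"
#    update_cache: yes
#    state: latest

# Headers are requested for the exact running kernel; presumably needed for an
# out-of-tree module build of wireguard -- confirm against the package's needs.
- name: Install dependencies (Debian)
  apt:
    name: "{{ item }}"
    state: present
  with_items:
    - "linux-headers-{{ ansible_kernel }}"
    - software-properties-common

# Kept from the original role. Forwarding is only required if a node routes
# traffic on behalf of other hosts; a pure node-to-node mesh does not need it.
- name: Enable net.ipv4.ip_forward
  sysctl:
    name: net.ipv4.ip_forward
    value: 1
    reload: yes
    state: present
-------------------------------------------------------------------------------- /roles/wireguard/handlers/main.yml: --------------------------------------------------------------------------------
---
# handlers
# Restarts (and enables at boot) the wg-quick unit for wg0 after the config
# file changes.
- name: wg0_restart
  systemd:
    name: "wg-quick@wg0"
    enabled: yes
    state: restarted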
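-------------------------------------------------------------------------------- /roles/wireguard/tasks/main.yml: --------------------------------------------------------------------------------
---
# Installs WireGuard on a Debian host, provisions one persistent key pair per
# host and renders /etc/wireguard/wg0.conf with every other member of the
# 'wireguard' inventory group as a peer.
- name: Install wireguard (Debian)
  apt:
    name: wireguard
    state: present

- name: Create wireguard directory
  file:
    path: /etc/wireguard
    state: directory
    owner: root
    group: root
    mode: '0700'

# The private key is generated once and kept on disk: the original role ran
# 'wg genkey' unconditionally, so every playbook run rotated every node's key
# and restarted every tunnel. 'creates' skips the task once the file exists.
- name: Generate private key (once)
  shell: umask 077 && wg genkey > /etc/wireguard/privatekey
  args:
    creates: /etc/wireguard/privatekey
  no_log: true

# no_log keeps the key material out of verbose output and callback logs.
- name: Read private key
  command: cat /etc/wireguard/privatekey
  register: wireguard_privkey
  changed_when: false
  no_log: true

- set_fact:
    private_key: "{{ wireguard_privkey.stdout }}"
  no_log: true

# The key is passed on stdin (command 'stdin' exists since Ansible 2.4, the
# README's minimum) instead of 'echo KEY | wg pubkey', so it never appears in
# a shell command line or in the process list.
- name: Derive public key
  command: wg pubkey
  args:
    stdin: "{{ private_key }}"
  register: wireguard_pubkey
  changed_when: false
  no_log: true

- set_fact:
    public_key: "{{ wireguard_pubkey.stdout }}"

# Overlay address: position of this host in the group, starting at 10.0.1.1.
# Only valid for up to 254 group members (see the README todo on netaddr).
- set_fact:
    private_ip: "10.0.1.{{ groups['wireguard'].index(inventory_hostname) + 1 }}"

# mode is a quoted octal string: an unquoted 600 is read as decimal 600 by
# YAML and yields the wrong permission bits on a file holding the private key.
- name: Configuring wireguard
  template:
    src: wg.conf.j2
    dest: /etc/wireguard/wg0.conf
    owner: root
    group: root
    mode: '0600'
  notify: wg0_restart
-------------------------------------------------------------------------------- /roles/wireguard/templates/wg.conf.j2: --------------------------------------------------------------------------------
{# Rendered per host: this host's interface, then one [Peer] block for every
   other member of the 'wireguard' group, keyed by the facts the tasks set. #}
[Interface]
Address = {{ private_ip }}
PrivateKey = {{ private_key }}
ListenPort = 51820

{% for item in groups['wireguard'] %}
{% if item != inventory_hostname %}
[Peer]
PublicKey = {{ hostvars[item]['public_key'] }}
AllowedIPs = {{ hostvars[item]['private_ip'] }}/32
Endpoint = {{ hostvars[item]['ansible_default_ipv4']['address'] }}:51820

{% endif %}
{% endfor %}
-------------------------------------------------------------------------------- /wireguard.yml: --------------------------------------------------------------------------------
---
# any_errors_fatal: the template reads every peer's public_key and private_ip
# from hostvars, so a single failed host would otherwise leave the other
# nodes with incomplete peer lists.
- hosts: wireguard
  any_errors_fatal: true
  roles:
    - { role: prepare }
    - { role: wireguard }
--------------------------------------------------------------------------------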