Ansible role that configures WireGuard interfaces on Linux machines.
None, but requires the ability to create WireGuard interfaces. This may not work on unprivileged Linux containers, but will work on bare metal and fully-virtualized virtual machines.
This role has been developed for use with Debian and Alpine Linux. Other distros may work and support may be added on a best-effort basis. Feel free to submit a pull request if you would like support to be added to other distributions.
Currently, the role does not restart the WireGuard interface when changes are made. One must restart the interface using systemctl
or rc-service
manually after changing the interface.
wg_interfaces
: List of interfaces managed by this role.private_key
: Private key used by the wg interface.listen
: Enable listening for connections on the interface. Defaults to false.listen_port
: If listen is true, the port to listen on. defaults to 51820.addresses
: List of IPv4 and IPv6 addresses.started
: Start the interface after creationenabled
: Enable the interface to start on bootdns
: DNS server to advertise to peerspost_up
: Post-up commandspre_down
: Pre-down commandspost_down
: Post-down commandspeers
: List of peersname
: Name of the peer. Optional.public_key
: Peer public keyallowed_ips
: IP addresses the peer can useendpoint
: If connecting to another peer that is listening, the endpoint to connect to. Optional.persistent_keepalive
: Enable persistent keepalive. Recommended for peers behind NAT.
wg_persistent_keepalive_time
: For peers using persistent keepalive, set the seconds used for keepalive timers. Defaults to 30 seconds.wg_sysctl
: If set to true, the role will manage sysctls for IPv4 and IPv6 forwarding.wg_sysctl_ipv4_fwd
: Enable IPv4 forwardingwg_sysctl_ipv6_fwd
: Enable IPv6 forwarding
Default interface settings: see defaults/main.yml
.
None.
NOTE: Interface settings should never be set in group_vars, only host_vars. Other settings, such as the default interface settings, may be configured using group_vars.
- host: peer1
become: yes
roles:
- wireguard
vars:
wg_interfaces:
- interface: wg0
listen: true
addresses:
- 192.168.100.1/24
private_key: peer1 private key
started: true
enabled: true
peers:
- name: peer2
public_key: peer2 public key
allowed_ips:
- 192.168.100.2/32
- 192.168.1.0/24 # adds a route for this network
persistent_keepalive: true
MIT
Colin Murphy [email protected]