This role allows you to deploy a fast, secure and provider-agnostic private network between multiple servers. This is useful for providers such as Hetzner Cloud that do not provide you with a private network, or if you want to connect servers that are spread across multiple regions and providers.
The role installs WireGuard on Debian or Ubuntu, creates a full mesh by adding every server as a peer of every other server, and configures the wg-quick systemd service.
Installation can be done using Ansible Galaxy:

```shell
$ ansible-galaxy install mawalu.wireguard_private_networking
```
Install this role, assign a `vpn_ip` variable to every host that should be part of the network and run the role. Make sure your firewall allows inbound UDP on the WireGuard port (default 5888); because every server connects to every other one, this has to hold on every host, and restricting the rule to the public addresses of the other mesh members is the safest option. Here is a small example configuration:
```yaml
# inventory host file
wireguard:
  hosts:
    1.1.1.1:
      vpn_ip: 10.1.0.1/32
    2.2.2.2:
      vpn_ip: 10.1.0.2/32
```

```yaml
# playbook
- name: Configure wireguard mesh
  hosts: wireguard
  remote_user: root
  roles:
    - mawalu.wireguard_private_networking
```

```yaml
# playbook (with client config)
- name: Configure wireguard mesh
  hosts: wireguard
  remote_user: root
  vars:
    client_vpn_ip: 10.1.0.100
    client_wireguard_path: "~/my-client-config.conf"
  roles:
    - mawalu.wireguard_private_networking
```
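Once the playbook has run, a quick way to confirm the mesh is actually up is to check that every peer in `wg show private dump` (the interface is named after `wireguard_network_name`) has a recent handshake. The following Python script is an added example and not part of the role: it parses the dump format (one interface line, then one tab-separated line per peer) over a constructed sample, flags peers with no or old handshakes, and reports inventory vpn_ips that no peer's AllowedIPs covers. The three-minute staleness threshold is an assumption: WireGuard rekeys roughly every two minutes while traffic flows, so ping each peer's vpn_ip first and a live peer will show a fresh handshake, while an idle peer without PersistentKeepalive legitimately shows an old one.

```python
# Added example, not part of the mawalu.wireguard_private_networking role.
# Parses `wg show <iface> dump` and reports peers that look dead.
import time
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PeerState:
    public_key: str
    endpoint: Optional[str]      # None when wg prints "(none)"
    allowed_ips: List[str]
    latest_handshake: int        # unix seconds, 0 = never handshaked
    rx_bytes: int
    tx_bytes: int
    keepalive: Optional[int]     # None when wg prints "off"


def parse_wg_dump(dump: str):
    """Return (listen_port, [PeerState]) from the output of `wg show <iface> dump`."""
    lines = [l for l in dump.splitlines() if l.strip()]
    # interface line: private-key, public-key, listen-port, fwmark
    _priv, _pub, port, _fwmark = lines[0].split("\t")
    peers = []
    for line in lines[1:]:
        # peer line: public-key, preshared-key, endpoint, allowed-ips,
        #            latest-handshake, transfer-rx, transfer-tx, persistent-keepalive
        pub, _psk, endpoint, allowed, hs, rx, tx, ka = line.split("\t")
        peers.append(PeerState(
            public_key=pub,
            endpoint=None if endpoint == "(none)" else endpoint,
            allowed_ips=allowed.split(","),
            latest_handshake=int(hs),
            rx_bytes=int(rx),
            tx_bytes=int(tx),
            keepalive=None if ka == "off" else int(ka),
        ))
    return int(port), peers


def stale_peers(peers, now=None, max_age=180):
    """Public keys of peers that never handshaked or whose last handshake is older than max_age.
    max_age=180s is an assumption; see the note above about idle peers."""
    now = int(time.time()) if now is None else now
    return [p.public_key for p in peers
            if p.latest_handshake == 0 or now - p.latest_handshake > max_age]


def missing_vpn_ips(peers, expected):
    """Inventory vpn_ips (CIDR strings) that no peer's AllowedIPs covers verbatim."""
    covered = {ip for p in peers for ip in p.allowed_ips}
    return [ip for ip in expected if ip not in covered]


# Constructed sample dump (placeholder keys, not real WireGuard keys):
# server 2 handshaked a minute ago, server 3 ~18 minutes ago, "martin" never.
DUMP = "\n".join([
    "PRIVKEY_LOCAL\tPUBKEY_LOCAL\t5888\toff",
    "PUBKEY_SERVER_2\t(none)\t2.2.2.2:5888\t10.1.0.2/32\t1700000000\t42000\t39000\toff",
    "PUBKEY_SERVER_3\t(none)\t3.3.3.3:5888\t10.1.0.3/32\t1699999000\t100\t100\toff",
    "PUBKEY_MARTIN\t(none)\t(none)\t10.2.3.4/32\t0\t0\t0\t25",
])
NOW = 1700000060


if __name__ == "__main__":
    import subprocess
    import sys
    iface = sys.argv[1] if len(sys.argv) > 1 else "private"
    try:  # needs root on the server; falls back to the constructed sample
        dump = subprocess.check_output(["wg", "show", iface, "dump"], text=True)
        now = None
    except (OSError, subprocess.CalledProcessError):
        dump, now = DUMP, NOW
    port, peers = parse_wg_dump(dump)
    print(f"listening on udp/{port}, {len(peers)} peers")
    for key in stale_peers(peers, now=now):
        print("no recent handshake:", key)
    for ip in missing_vpn_ips(peers, ["10.1.0.2/32", "10.1.0.3/32", "10.1.0.4/32"]):
        print("not routed to any peer:", ip)
```

Run it as root on one mesh member (`python3 check_mesh.py private`) after pinging the other vpn_ips; with the constructed sample it reports server 3 and "martin" as stale and 10.1.0.4/32 as unrouted.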
There are a small number of role variables that can be overridden. Note that with the defaults the role adds the Debian testing repository (pinned to limit its use) on Debian hosts; set `debian_enable_testing` to false on releases that already ship wireguard in their main archive. The defaults are:
```yaml
wireguard_port: "5888" # the port to use for server to server connections
wireguard_path: "/etc/wireguard" # location of all wireguard configurations
wireguard_network_name: "private" # the name to use for the config file and wg-quick

debian_enable_testing: true # if the debian testing repos should be added on debian machines
debian_pin_packages: true # if the pin configuration to limit the use of unstable repos should be created on debian machines

client_vpn_ip: "" # if set an additional wireguard config file will be generated at the specified path on localhost
client_wireguard_path: "~/wg.conf" # path on localhost to write client config, if client_vpn_ip is set

# a list of additional peers that will be added to each server
wireguard_additional_peers:
  - comment: martin
    ip: 10.2.3.4
    key: your_wireguard_public_key
  - comment: other_network
    ip: 10.32.0.0/16
    key: their_wireguard_public_key
    keepalive: 20
    endpoint: some.endpoint:2230

wireguard_post_up: "iptables ..." # PostUp hook command
wireguard_post_down: "iptables ..." # PostDown hook command
```
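To make concrete what "adding them all as peers" together with these variables amounts to in a wg-quick file, here is an added Python example. It is not the role's own template (whose exact output may differ): it renders one config per host from a role-style inventory, turning every other server into a `[Peer]` whose AllowedIPs is that server's vpn_ip and whose Endpoint is its host address plus wireguard_port, appends `wireguard_additional_peers` with keepalive and endpoint when given, and checks the mesh invariant that every server lists every other one. Treating a bare IP in an additional peer as a /32 is this example's choice. The hosts 1.1.1.1, 2.2.2.2, 3.3.3.3 and all keys are constructed placeholders.

```python
# Added example, not the role's own Jinja template: render wg-quick configs
# for a full mesh from role-style inputs and verify the mesh is complete.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Server:
    host: str          # public address used as the peer Endpoint
    vpn_ip: str        # the vpn_ip role variable, e.g. "10.1.0.1/32"
    public_key: str
    private_key: str


@dataclass
class ExtraPeer:
    """One entry of wireguard_additional_peers."""
    comment: str
    ip: str
    key: str
    keepalive: Optional[int] = None
    endpoint: Optional[str] = None


def with_prefix(ip: str) -> str:
    """AllowedIPs needs CIDR notation; a bare address is treated as /32 (this example's assumption)."""
    return ip if "/" in ip else f"{ip}/32"


def render_config(me, servers, port=5888, extra_peers=(), post_up=None, post_down=None) -> str:
    lines = ["[Interface]", f"Address = {me.vpn_ip}", f"ListenPort = {port}",
             f"PrivateKey = {me.private_key}"]
    if post_up:
        lines.append(f"PostUp = {post_up}")
    if post_down:
        lines.append(f"PostDown = {post_down}")
    for s in servers:
        if s.host == me.host:
            continue  # a host is never its own peer
        lines += ["", f"# {s.host}", "[Peer]", f"PublicKey = {s.public_key}",
                  f"AllowedIPs = {with_prefix(s.vpn_ip)}", f"Endpoint = {s.host}:{port}"]
    for p in extra_peers:
        lines += ["", f"# {p.comment}", "[Peer]", f"PublicKey = {p.key}",
                  f"AllowedIPs = {with_prefix(p.ip)}"]
        if p.endpoint:
            lines.append(f"Endpoint = {p.endpoint}")
        if p.keepalive:
            lines.append(f"PersistentKeepalive = {p.keepalive}")
    return "\n".join(lines) + "\n"


def peer_keys(config: str):
    """Public keys of all [Peer] sections in a rendered config, in order."""
    keys, in_peer = [], False
    for line in config.splitlines():
        if line.strip() == "[Peer]":
            in_peer = True
        elif line.startswith("["):
            in_peer = False
        elif in_peer and line.startswith("PublicKey = "):
            keys.append(line.split(" = ", 1)[1])
    return keys


def mesh_gaps(servers, configs):
    """(host, missing_host) pairs where a server does not list another mesh member as a peer."""
    gaps = []
    for a in servers:
        keys = set(peer_keys(configs[a.host]))
        for b in servers:
            if a.host != b.host and b.public_key not in keys:
                gaps.append((a.host, b.host))
    return gaps


# Constructed sample inventory (placeholder keys, not real WireGuard keys).
SERVERS = [
    Server("1.1.1.1", "10.1.0.1/32", "PUBKEY_SERVER_1", "PRIVKEY_SERVER_1"),
    Server("2.2.2.2", "10.1.0.2/32", "PUBKEY_SERVER_2", "PRIVKEY_SERVER_2"),
    Server("3.3.3.3", "10.1.0.3/32", "PUBKEY_SERVER_3", "PRIVKEY_SERVER_3"),
]
EXTRA = [
    ExtraPeer("martin", "10.2.3.4", "PUBKEY_MARTIN"),
    ExtraPeer("other_network", "10.32.0.0/16", "PUBKEY_OTHER", keepalive=20, endpoint="some.endpoint:2230"),
]


def build_mesh(servers=SERVERS, extra=EXTRA, port=5888):
    """One wg-quick config per host, keyed by host address."""
    return {s.host: render_config(s, servers, port, extra) for s in servers}


if __name__ == "__main__":
    configs = build_mesh()
    print(configs["1.1.1.1"])
    print("mesh gaps:", mesh_gaps(SERVERS, configs))
```

The `mesh_gaps` check is the part worth keeping around: it catches the usual failure where a host was added to the inventory but the role was not re-run on the existing members, so the new server lists everyone while nobody lists it.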
Feel free to open issues or MRs if you find problems or have ideas for improvements. I'm especially open to MRs that add support for more operating systems.