ansible-role-wireguard
This role will build and deploy a WireGuard config.
Peer details and other sensitive variables specific to each endpoint should be stored in a vault. An external firewall role is expected to handle any configuration outside of the WireGuard config.
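# Example play: a WireGuard endpoint plus the firewalld role opening the
# listen port. wg_port is not defined on this page -- presumably a role
# default or a vault variable; confirm before relying on it.
# The whole list item is quoted: a quoted scalar followed by trailing text
# ("{{ wg_port }}"/tcp) is not valid YAML and fails to parse.
- name: Basic setup with firewalld role for wireguard endpoint access
  hosts: vpn
  become: true
  roles:
    - role: wireguard
    - role: firewalld
      firewalld_masquerade:
        state: enabled
      firewalld_ports:
        # WireGuard listens on UDP only; a TCP rule would not carry any
        # tunnel traffic and just widens the exposed surface.
        - "{{ wg_port }}/udp"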
# Example play: site-to-site routing. The port ranges are handed to the
# firewalld role verbatim; they cover the whole unprivileged range on both
# protocols, so narrow them to what the remote site actually needs.
- name: Setup with firewalld rules for site to site routing
  hosts: vpn
  become: true
  roles:
    - role: wireguard
    - role: firewalld
      firewalld_masquerade:
        state: enabled
      firewalld_services:
        - mdns
      firewalld_ports:
        # quoted so that no parser can retype the port/proto strings
        - "1025-65535/tcp"
        - "1025-65535/udp"
Define Peers in a central vault
---
# Vault-side variables for the wireguard role. Anything here that holds a
# key belongs in an ansible-vault encrypted file, never in plaintext in VCS.
wg_allowed: 10.66.0.0/24       # tunnel network
wg_remote_lan: 10.10.0.0/24    # LAN reached through the site-to-site peer
wg_interface: ens18
wg_peers:
  - name: some-host-a
    public_key: xxx
    # placeholder; a peer's private key should only ever be deployed to
    # that peer's own host
    private_key: xxx
    endpoint: "some-host-a-fqdn:51820"
    address: 10.66.0.2/32
    # NOTE(review): no allowed_ips on this peer, unlike b and c -- presumably
    # the peer the others connect to; confirm the role's template handles it.
    # wg_pre_up / wg_pre_down are not defined on this page -- presumably role
    # defaults; verify against the role's defaults.
    pre_up: "{{ wg_pre_up }}"
    pre_down: "{{ wg_pre_down }}"
    # Forward only traffic bound for the remote LAN, drop the rest, then
    # masquerade outbound. NOTE(review): wg_host_interface is referenced
    # here but only wg_interface is defined above -- confirm which name the
    # role expects.
    post_up:
      - iptables -A FORWARD -i %i -d {{ wg_remote_lan }} -j ACCEPT;
      - iptables -A FORWARD -i %i -j DROP;
      - iptables -t nat -A POSTROUTING -o {{ wg_host_interface }} -j MASQUERADE
    # mirror of post_up with -A swapped for -D so the rules are removed
    post_down:
      - iptables -D FORWARD -i %i -d {{ wg_remote_lan }} -j ACCEPT;
      - iptables -D FORWARD -i %i -j DROP;
      - iptables -t nat -D POSTROUTING -o {{ wg_host_interface }} -j MASQUERADE
  - name: some-host-b
    public_key: xxx
    private_key: xxx
    # tunnel network plus the remote LAN routed through this peer
    allowed_ips: "{{ wg_allowed }}, {{ wg_remote_lan }}"
    endpoint: "some-host-b-fqdn:51820"
    address: 10.66.0.4/32
  - name: some-host-c
    public_key: xxx
    private_key: xxx
    allowed_ips: "{{ wg_allowed }}, {{ wg_remote_lan }}"
    endpoint: "some-host-c-fqdn:51820"
    address: 10.66.0.6/32