# Directory to store WireGuard configuration on the remote hosts
wireguard_remote_directory: "/etc/wireguard"
@ -42,13 +42,13 @@ wireguard_interface: "wg0"
The following variable is mandatory and needs to be configured for every host in `host_vars/`:
```
```yaml
wireguard_address: "10.8.0.101/24"
```
Of course all IP's should be in the same subnet like `/24` we see in the example above. If `wireguard_allowed_ips` is not set then the default value is the value from `wireguard_address` without the CIDR but instead with `/32` which is basically a host route (have a look `templates/wg.conf.j2`). Let's see this example and let's assume you don't set `wireguard_allowed_ips` explicitly:
This is part of the WireGuard config from my workstation. It has the VPN IP `10.8.0.2` and we've a `/24` subnet in which all my WireGuard hosts are located. Also you can see we've a peer here that has the endpoint `controller01.p.domain.tld:51820`. When `wireguard_allowed_ips` is not explicitly set the Ansible template will add an `AllowedIPs` entry with the IP of that host plus `/32`. In WireGuard this basically specifies the routing. The config above says: On my workstation with the IP `10.8.0.2` I want send all traffic to `10.8.0.101/32` to the endpoint `controller01.p.domain.tld:51820`. Now let's assume we set `wireguard_allowed_ips: "0.0.0.0/0"`. Then the resulting config looks like this.
```
```ini
[Interface]
Address = 10.8.0.2/24
PrivateKey = ....
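Review bot: while retagging these fences, two grammar slips in the surrounding context are worth fixing in the same change: `Of course all IP's should be in the same subnet` should read `IPs`, and `I want send all traffic` is missing `to`. The sentence `In WireGuard this basically specifies the routing` also undersells `AllowedIPs`: besides selecting which destinations are sent to a peer, it is the cryptokey-routing filter for packets received from that peer, so the default `/32` entry means only packets sourced from that one address are accepted from it, while `0.0.0.0/0` accepts any source address. One sentence on that here would make the security effect of the default clear before readers widen it.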
@ -78,7 +78,7 @@ Now this is basically the same as above BUT now the config says: I want to route
You can specify further optional settings (they don't have a default and won't be set if not specified besides `wireguard_allowed_ips` as already mentioned) also per host in `host_vars/` (or in your Ansible hosts file if you like). The values for the following variables are just examples and no defaults (for more information and examples see [wg-quick.8](https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8)):
```
```yaml
wireguard_allowed_ips: ""
wireguard_endpoint: "host1.domain.tld"
wireguard_persistent_keepalive: "30"
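Review bot: the example value `wireguard_allowed_ips: ""` is ambiguous next to the earlier statement that an unset `wireguard_allowed_ips` falls back to the host address with `/32`, and the later `wireguard_endpoint: ""` example where an empty string explicitly means "do not set". Document whether an empty string here is treated as unset (default `/32`) or as a literal empty `AllowedIPs`, or replace the example with a real value such as `wireguard_allowed_ips: "10.8.0.101/32"`. The `wg-quick.8` link is also worth re-checking while this text is being edited.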
@ -99,14 +99,14 @@ wireguard_save_config: "true"
`wireguard_(preup|predown|postup|postdown)` are specified as lists. Here are two examples:
```
```yaml
wireguard_postup:
- iptables -t nat -A POSTROUTING -o ens12 -j MASQUERADE
- iptables -A FORWARD -i %i -j ACCEPT
- iptables -A FORWARD -o %i -j ACCEPT
```
```
```yaml
wireguard_preup:
- echo 1 > /proc/sys/net/ipv4/ip_forward
- ufw allow 51820/udp
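Review bot: the `wireguard_postup` example inserts three iptables rules (NAT masquerade on `ens12`, FORWARD accept in both directions for `%i`) without a matching `wireguard_postdown` removing them, so every `wg-quick down`/`up` cycle leaves duplicate rules behind and the forwarding permits persist after the tunnel is gone. Pair it with a `wireguard_postdown` list carrying the same rules with `-D` instead of `-A`, e.g. `iptables -t nat -D POSTROUTING -o ens12 -j MASQUERADE`. Likewise, `echo 1 > /proc/sys/net/ipv4/ip_forward` in `wireguard_preup` enables forwarding for the whole host, which is only needed on peers acting as a gateway; say so, otherwise readers will copy it onto every host.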
@ -139,7 +139,7 @@ As you can see I've three gropus here: `vpn` (all hosts on that will get WireGua
For the Kubernetes controller nodes I've defined the following host variables:
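Review bot: `gropus` in the hunk's context line (`As you can see I've three gropus here`) should be `groups`; since this commit already touches the surrounding text, fix it in the same change.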
@ -193,7 +193,7 @@ As you can see the variables are basically the same as the controller nodes have
For my internal server at home (connected via DSL router to the internet) we've this configuration:
```
```yaml
---
wireguard_address: "10.8.0.1/24"
wireguard_endpoint: "server.at.home.p.domain.tld"
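Review bot: this host_vars example opens with a `---` document marker while the other host_vars snippets in the README (for example the workstation one with `wireguard_address: "10.8.0.2/24"`) do not; pick one style for all of them. Also `we've this configuration` reads better as `we have this configuration`.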
@ -206,7 +206,7 @@ By default the SSH daemon is listening on a different port than 22 on all of my
And finally for my workstation (on which I run all `ansible-playbook` commands):
```
```yaml
wireguard_address: "10.8.0.2/24"
wireguard_endpoint: ""
ansible_connection: local
@ -215,7 +215,7 @@ ansible_become: false
As you can see `wireguard_endpoint: ""` is a empty string here. That means the Ansible role won't set an endpoint for my workstation. Since there is no need for the other hosts to connect to my workstation it doesn't makes sense to have a endpoint defined. So in this case I can access all hosts defined in the Ansible group `vpn` from my workstation but not the other way round. So the resulting WireGuard config for my workstation looks like this:
```
```ini
[Interface]
Address = 10.8.0.2/24
PrivateKey = ....
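Review bot: grammar in the context paragraph: `is a empty string` should be `is an empty string`, `doesn't makes sense` should be `doesn't make sense`, and `have a endpoint` should be `have an endpoint`. More importantly, `but not the other way round` overstates what omitting `Endpoint` achieves: it only means the other peers cannot initiate a handshake to the workstation. Once the workstation has brought the tunnel up, WireGuard learns its current endpoint from the authenticated packets it sends, and the `vpn` hosts can then reach `10.8.0.2` through the tunnel for as long as a session is alive. If one-way access is the intent, state that it has to be enforced with a host firewall on the workstation rather than by leaving the endpoint empty.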
@ -260,7 +260,7 @@ The other WireGuard config files (`wg0.conf` by default) looks similar but of co
Example Playbook
----------------
```
```yaml
- hosts: vpn
roles:
- wireguard
@ -271,7 +271,7 @@ Example Inventory using two different WireGuard interfaces on host "multi"
This is a complex example using yaml inventory format: