This role will install Wireguard, a virtual private network (VPN) server designed with the goals of ease of use, high speed performance, and low attack surface.
Clients of the wireguard server will be able to route their traffic through it.
- See meta/main.yml
- The server's UDP port
51820must be reachable by clients. Configure NAT/port forwarding on your router if necessary, and allow port51820/udpin the host's firewall (if theansible.xsrv.commonrole is deployed, afirewalldrule is automatically added). - IP forwarding must be enabled on the host, for example using the common role:
sysctl_allow_forwarding: yes
# playbook.yml
- hosts: my.CHANGEME.org
roles:
- nodiscc.xsrv.common # (optional) base server setup, hardening, firewall
- nodiscc.xsrv.monitoring # (optional) system/server monitoring and health checks
- nodiscc.xsrv.backup # (optional) automatic local backup of private keys
- nodiscc.xsrv.dnsmasq # DNS resolution for VPN clients
- nodiscc.xsrv.wireguard
# required variables
# host_vars/my.CHANGEME.org/my.CHANGEME.org.yml
wireguard_server_public_ip: "CHANGEME"
wireguard_peers:
- name: client1
public_key: Faz...4vEQ=
ip_address: "10.200.200.10/24"See defaults/main.yml for all configuration variables.
Connecting VPN clients VPN clients (peers) must generate their private/public keys beforehand:
Please generate VPN keys by running:
sudo apt install wireguard-tools
wg genkey | (umask 0077 && tee $HOSTNAME-wireguard.key) | wg pubkey > $HOSTNAME-wireguard.pub
and send the contents of the$HOSTNAME-wireguard.pubfile to the VPN server administrator. Keep a copy of the content of$HOSTNAME-wireguard.keysomewhere safe as you will need it later. You may then delete$HOSTNAME-wireguard.pub/keyfiles.
Setup clients in wireguard_peers using the public_key value they provided and deploy the role. A configuration file for each client will be generated in data/wireguard/ in the playbook directory. Send their respective configuration file to all clients - it contains further instructions to connect to the VPN on client machines.
List connected clients: Access the server over SSH (xsrv ssh) and run sudo wg.
Only allow VPN clients to connect to a service on the host: When firewalld is managed by the common role, by default VPN clients are part of the internal zone. To make VPN clients part of the wireguard zone instead:
# remove 10.0.0.0/8 from the internal zone
firewalld_zone_sources:
- zone: internal
sources:
- 192.168.0.0/24
- 10.0.1.0/24
- 10.0.2.0/24
- ...
- zone: internal
sources:
- 10.0.0.0/8
state: absent
# disallow connections from LAN to the service, but explicitly allow from wireguard
apache_firewalld_zones:
- zone: public
state: disabled
- zone: internal
state: disabled
- zone: wireguard
state: enabled
# to disallow connections from VPN clients instead, but still allow connections from LAN:
apache_firewalld_zones:
- zone: public
state: enabled
- zone: internal
state: enabled
- zone: wireguard
state: disabledYou can turn on debug logging at any time by running echo module wireguard +p | sudo tee /sys/kernel/debug/dynamic_debug/control. To disable debug logging: echo module wireguard -p | sudo tee /sys/kernel/debug/dynamic_debug/control. Debug logging will log events such as peers connecting/disconnecting and rejected connection attempts.
The server's private/public keys should be backed up. See the included rsnapshot configuration for information about directories to backup/restore.
wireguard - setup wireguard