
wireguard-private-networking's Introduction

Private server to server network with ansible and wireguard

Ansible Role

This role allows you to deploy a fast, secure and provider-agnostic private network between multiple servers. This is useful for providers that do not provide you with a private network or if you want to connect servers that are spread over multiple regions and providers.

How

The role installs wireguard on Debian or Ubuntu, creates a mesh between all servers by adding them all as peers and configures the wg-quick systemd service.

Installation

Installation can be done using ansible galaxy:

$ ansible-galaxy install mawalu.wireguard_private_networking

Setup

Install this role, assign a vpn_ip variable to every host that should be part of the network, and run the role. Please make sure to allow the VPN port (default is 5888) in your firewall. Here is a small example configuration:

# inventory host file

wireguard:
  hosts:
    1.1.1.1:
      vpn_ip: 10.1.0.1/32
    2.2.2.2:
      vpn_ip: 10.1.0.2/32

# playbook

- name: Configure wireguard mesh
  hosts: wireguard
  remote_user: root
  roles:
    - mawalu.wireguard_private_networking

# playbook (with client config)

- name: Configure wireguard mesh
  hosts: wireguard
  remote_user: root
  vars:
    client_vpn_ip: 10.1.0.100
    client_wireguard_path: "~/my-client-config.conf"
  roles:
    - mawalu.wireguard_private_networking

Additional configuration

There are a small number of role variables that can be overwritten.

wireguard_port: "5888" # the port to use for server to server connections
wireguard_path: "/etc/wireguard" # location of all wireguard configurations

wireguard_network_name: "private" # the name to use for the config file and wg-quick

wireguard_mtu: 1500 # Optionally a MTU to set in the wg-quick file. Not set by default. Can also be set per host

debian_enable_backports: true # if the debian backports repos should be added on debian machines

client_vpn_ip: "" # if set an additional wireguard config file will be generated at the specified path on localhost
client_wireguard_path: "~/wg.conf" # path on localhost to write client config, if client_vpn_ip is set 

# a list of additional peers that will be added to each server
wireguard_additional_peers:
  - comment: martin
    ip: 10.2.3.4
    key: your_wireguard_public_key
  - comment: other_network
    ip: 10.32.0.0/16
    key: their_wireguard_public_key
    keepalive: 20 
    endpoint: some.endpoint:2230 

wireguard_post_up: "iptables ..." # PostUp hook command
wireguard_post_down: "iptables"   # PostDown hook command
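
WireGuard maps each allowed IP to a single peer on an interface, so duplicate or overlapping tunnel addresses are worth catching before the role is run. The following pre-flight check is an added example, not part of the role: the function name `check_address_plan` is hypothetical, the sample data is constructed from the values shown above, and it assumes that only the address part of a host's vpn_ip matters for the comparison.

```python
import ipaddress
from itertools import combinations

# Constructed sample data mirroring the inventory and role variables above.
MESH_HOSTS = {"1.1.1.1": "10.1.0.1/32", "2.2.2.2": "10.1.0.2/32"}
ADDITIONAL_PEERS = [
    {"comment": "martin", "ip": "10.2.3.4"},
    {"comment": "other_network", "ip": "10.32.0.0/16"},
]


def check_address_plan(mesh_hosts, additional_peers, client_vpn_ip=""):
    """Return a list of problems found in the planned tunnel addresses."""
    problems, entries = [], []
    # Each source is (label, raw value, True if it names one tunnel address).
    sources = [(f"host {h}", ip, True) for h, ip in mesh_hosts.items()]
    sources += [(f"peer {p.get('comment', '?')}", p["ip"], False)
                for p in additional_peers]
    if client_vpn_ip:
        sources.append(("client", client_vpn_ip, True))
    for name, raw, single in sources:
        try:
            if single:
                # Assumption: compare only the address part of vpn_ip.
                net = ipaddress.ip_network(str(ipaddress.ip_interface(raw).ip))
            else:
                # Additional peers may cover a whole range, e.g. 10.32.0.0/16.
                net = ipaddress.ip_network(raw, strict=False)
        except ValueError as exc:
            problems.append(f"{name}: invalid address {raw!r} ({exc})")
            continue
        entries.append((name, net))
    # Compare every pair once; identical networks are reported as duplicates.
    for (a_name, a_net), (b_name, b_net) in combinations(entries, 2):
        if a_net.version == b_net.version and a_net.overlaps(b_net):
            kind = "duplicate" if a_net == b_net else "overlap"
            problems.append(f"{kind}: {a_name} {a_net} and {b_name} {b_net}")
    return problems


if __name__ == "__main__":
    report = check_address_plan(MESH_HOSTS, ADDITIONAL_PEERS, "10.1.0.100")
    print("\n".join(report) if report else "address plan ok")
```
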

Testing

This role has a small test setup that is created using molecule. To run the tests, follow the molecule install guide, ensure that a Docker daemon is running on your machine, and execute molecule test.

Contributing

Feel free to open issues or MRs if you find problems or have ideas for improvements. I'm especially open for MRs that add support for additional operating systems and more tests.

wireguard-private-networking's People

Contributors

dsofeir, mawalu, rngkll, timdev, tobiasdierich
