PiFrame/ansible-role-wireguard
Archived
1
0
Fork 0
Code Pull requests Releases Activity

Support for mutliple wireguard vpn on same host

Browse source 
add inventory exemple in readme
This commit is contained in:
Frédéric Bourqui 2019-10-19 01:45:34 +02:00
parent 5db3e19630
commit 2092bd06cb
3 changed files with 71 additions and 25 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

64
README.md
View file

@ -30,17 +30,14 @@ Role Variables
This variables can be changed in `group_vars/`: This variables can be changed in `group_vars/`:
``` ```
# The LOCAL directory where the WireGuard certificates are stored after they # LOCAL directory where the WireGuard certificates used to be stored
# were generated. By default this will expand to user's LOCAL ${HOME} # in older version of this role.
# (the user that run's "ansible-playbook" command) plus # Private keys are now read from the remote host, public key are derived
# "/wireguard/certs". That means if the user's ${HOME} directory is e.g. # from private key
# "/home/da_user" then "wireguard_cert_directory" will have a value of #
# "/home/da_user/wireguard/certs". If you change this make sure that # This config is kept to be able to delete the old folder, as having
# the parent directory is writable by the user that runs "ansible-playbook" # all the private keys locally is not a security best practice.
# command.
wireguard_cert_directory: "{{ '~/wireguard/certs' | expanduser }}" wireguard_cert_directory: "{{ '~/wireguard/certs' | expanduser }}"
wireguard_cert_owner: "root"
wireguard_cert_group: "root"
# Directory to store WireGuard configuration on the remote hosts # Directory to store WireGuard configuration on the remote hosts
wireguard_remote_directory: "/etc/wireguard" wireguard_remote_directory: "/etc/wireguard"
@ -252,6 +249,53 @@ Example Playbook
- wireguard - wireguard
``` ```
Example Inventory usint 2 different WireGuard interfaces on host multi
----------------------------------------------------------------------
This is a complex example using yaml inventory format
```
vpn1:
hosts:
multi:
wireguard_address: 10.9.0.1/32
wireguard_allowed_ips: "10.9.0.1/32, 192.168.2.0/24"
wireguard_endpoint: multi.exemple.com
nated:
wireguard_address: 10.9.0.2/32
wireguard_allowed_ips: "10.9.0.2/32, 192.168.3.0/24"
wireguard_persistent_keepalive: 15
wireguard_endpoint: nated.exemple.com
wireguard_postup: "iptables -t nat -A POSTROUTING -o ens12 -j MASQUERADE"
wireguard_postdown: "iptables -t nat -D POSTROUTING -o ens12 -j MASQUERADE"
vpn2:
hosts:
multi-wg1:
ansible_host: multi
wireguard_interface: wg1
wireguard_port: 51821 # when using several interface on one host, we must use different ports
wireguard_address: 10.9.1.1/32
wireguard_endpoint: multi.exemple.com
another:
wireguard_address: 10.9.1.2/32
wireguard_endpoint: another.exemple.com
```
Playbooks
---------
```
- hosts: vpn1
roles:
- wireguard
```
```
- hosts: vpn2
roles:
- wireguard
```
License License
------- -------

17
defaults/main.yml
View file

@ -1,15 +1,12 @@
--- ---
# The LOCAL directory where the WireGuard certificates are stored after they # LOCAL directory where the WireGuard certificates used to be stored
# were generated. By default this will expand to user's LOCAL ${HOME} # in older version of this role.
# (the user that run's "ansible-playbook" command) plus # Private keys are now read from the remote host, public key are derived
# "/wireguard/certs". That means if the user's ${HOME} directory is e.g. # from private key
# "/home/da_user" then "wireguard_cert_directory" will have a value of #
# "/home/da_user/wireguard/certs". If you change this make sure that # This config is kept to be able to delete the old folder, as having
# the parent directory is writable by the user that runs "ansible-playbook" # all the private keys locally is not a security best practice.
# command.
wireguard_cert_directory: "{{ '~/wireguard/certs' | expanduser }}" wireguard_cert_directory: "{{ '~/wireguard/certs' | expanduser }}"
wireguard_cert_owner: "root"
wireguard_cert_group: "root"
# Directory to store WireGuard configuration on the remote hosts # Directory to store WireGuard configuration on the remote hosts
wireguard_remote_directory: "/etc/wireguard" wireguard_remote_directory: "/etc/wireguard"

15
templates/wg.conf.j2
View file

@ -28,11 +28,16 @@ SaveConfig = true
{% if hostvars[host].wireguard_persistent_keepalive is defined %} {% if hostvars[host].wireguard_persistent_keepalive is defined %}
PersistentKeepalive = {{hostvars[host].wireguard_persistent_keepalive}} PersistentKeepalive = {{hostvars[host].wireguard_persistent_keepalive}}
{% endif %} {% endif %}
{% if hostvars[host].wireguard_endpoint is not defined %} {% if hostvars[host].wireguard_port is defined and hostvars[host].wireguard_port is number %}
Endpoint = {{host}}:{{wireguard_port}} {% if hostvars[host].wireguard_endpoint is defined and hostvars[host].wireguard_endpoint != "" %}
{% elif hostvars[host].wireguard_endpoint != "" %} Endpoint = {{hostvars[host].wireguard_endpoint}}:{{hostvars[host].wireguard_port}}
Endpoint = {{hostvars[host].wireguard_endpoint}}:{{wireguard_port}} {% else %}
Endpoint = {{host}}:{{hostvars[host].wireguard_port}}
{% endif %}
{% elif hostvars[host].wireguard_endpoint is defined and hostvars[host].wireguard_endpoint != "" %}
Endpoint = {{hostvars[host].wireguard_endpoint}}:51820
{% else %}
Endpoint = {{host}}:51820
{% endif %} {% endif %}
{% endif %} {% endif %}
{% endfor %} {% endfor %}