diff --git a/README.md b/README.md index c8d2a4b..6c3ca65 100644 --- a/README.md +++ b/README.md @@ -27,7 +27,7 @@ see [CHANGELOG.md](https://github.com/githubixx/ansible-role-wireguard/blob/mast Role Variables -------------- -Those variables can be changed in `group_vars/`: +These variables can be changed in `group_vars/`: ``` # Directory to store WireGuard configuration on the remote hosts @@ -76,13 +76,18 @@ Endpoint = controller01.p.domain.tld:51820 Now this is basically the same as above BUT now the config says: I want to route EVERY traffic originating from my workstation to the endpoint `controller01.p.domain.tld:51820`. If that endpoint can handle the traffic is of course another thing and it's up to you how you configure the endpoint routing ;-) -You can specify further optional settings (they don't have a default and won't be set if not specified besides `wireguard_allowed_ips` as already mentioned) also per host in `host_vars/` (or in your Ansible hosts file if you like): +You can specify further optional settings (they don't have a default and won't be set if not specified besides `wireguard_allowed_ips` as already mentioned) also per host in `host_vars/` (or in your Ansible hosts file if you like). The values for the following variables are just examples and no defaults (for more information and examples see [wg-quick.8](https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8)): ``` wireguard_allowed_ips: "" wireguard_endpoint: "host1.domain.tld" wireguard_persistent_keepalive: "30" wireguard_dns: "1.1.1.1" +wireguard_fwmark: "1234" +wireguard_mtu: "1492" +wireguard_table: "5000" +wireguard_preup: "..." +wireguard_predown: "..." wireguard_postup: "..." wireguard_postdown: "..." wireguard_save_config: "true" 
@@ -259,6 +264,7 @@ vpn1:
 wireguard_endpoint: nated.exemple.com
 wireguard_postup: "iptables -t nat -A POSTROUTING -o ens12 -j MASQUERADE"
 wireguard_postdown: "iptables -t nat -D POSTROUTING -o ens12 -j MASQUERADE"
+
 vpn2:
 hosts:
 multi-wg1: # use a different name, and define ansible_host, to avoid mixing of vars without needing to prefix vars with interface name
diff --git a/templates/wg.conf.j2 b/templates/wg.conf.j2
index 93f2883..eb74425 100644
--- a/templates/wg.conf.j2
+++ b/templates/wg.conf.j2
@@ -1,11 +1,27 @@
 #jinja2: lstrip_blocks:"True",trim_blocks:"True"
 [Interface]
+# {{ inventory_hostname }}
 Address = {{hostvars[inventory_hostname].wireguard_address}}
 PrivateKey = {{private_key}}
 ListenPort = {{wireguard_port}}
 {% if hostvars[inventory_hostname].wireguard_dns is defined %}
 DNS = {{hostvars[inventory_hostname].wireguard_dns}}
 {% endif %}
+{% if hostvars[inventory_hostname].wireguard_fwmark is defined %}
+FwMark = {{hostvars[inventory_hostname].wireguard_fwmark}}
+{% endif %}
+{% if hostvars[inventory_hostname].wireguard_mtu is defined %}
+MTU = {{hostvars[inventory_hostname].wireguard_mtu}}
+{% endif %}
+{% if hostvars[inventory_hostname].wireguard_table is defined %}
+Table = {{hostvars[inventory_hostname].wireguard_table}}
+{% endif %}
+{% if hostvars[inventory_hostname].wireguard_preup is defined %}
+PreUp = {{hostvars[inventory_hostname].wireguard_preup}}
+{% endif %}
+{% if hostvars[inventory_hostname].wireguard_predown is defined %}
+PreDown = {{hostvars[inventory_hostname].wireguard_predown}}
+{% endif %}
 {% if hostvars[inventory_hostname].wireguard_postup is defined %}
 PostUp = {{hostvars[inventory_hostname].wireguard_postup}}
 {% endif %}
@@ -19,6 +35,7 @@ SaveConfig = true
 {% if host != inventory_hostname %}
 [Peer]
+ # {{ host }}
 PublicKey = {{hostvars[host].public_key}}
 {% if hostvars[host].wireguard_allowed_ips is defined %}
 AllowedIPs = {{hostvars[host].wireguard_allowed_ips}}
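Review bot: The new `PreUp`/`PreDown` lines (like the existing `PostUp`/`PostDown`) render `wireguard_preup`/`wireguard_predown` verbatim into the [Interface] section, and wg-quick executes those values as shell commands with the privileges of the `wg-quick up` process, which is normally root, so anyone able to set those host_vars gets arbitrary command execution on the WireGuard host; that is how wg-quick is designed, but the template should say so instead of leaving it implicit. I would add a Jinja comment above the PreUp block, e.g. `{# PreUp/PreDown/PostUp/PostDown are run by wg-quick as shell commands (usually as root): treat these variables as code, not data. FwMark, MTU, Table and the hook keys are wg-quick-only keys and are not accepted by plain wg setconf. #}`. The new guards also only test `is defined`, whereas the peer Endpoint logic later in this template explicitly distinguishes an empty string, so a `wireguard_mtu: ""` set in a more specific scope to "unset" a group default would still render `MTU = ` with nothing after it; for consistency I would use `{% if hostvars[inventory_hostname].wireguard_mtu is defined and hostvars[inventory_hostname].wireguard_mtu != "" %}` and the same form for fwmark, table, preup and predown. I have not verified how wg-quick treats an empty value for each of these keys, so that part is a consistency point rather than a confirmed failure.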
@@ -37,7 +54,7 @@ SaveConfig = true
 {% elif hostvars[host].wireguard_endpoint is defined and hostvars[host].wireguard_endpoint != "" %}
 Endpoint = {{hostvars[host].wireguard_endpoint}}:{{wireguard_port}}
 {% elif hostvars[host].wireguard_endpoint == "" %}
- # No endpoint defined
+ # No endpoint defined for this peer
 {% else %}
 Endpoint = {{host}}:{{wireguard_port}}
 {% endif %}