nils/ansible-role-wireguard-nftables
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

first commit

Browse Source
This commit is contained in:
Nils Cant
2020-06-23 14:05:23 +02:00
commit 0249fac42b
1 changed files with 105 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

105
README.md Normal file
View File

@@ -0,0 +1,105 @@
# Wireguard ansible role
This role configures a host to act as a wireguard (default) gateway, supporting dual stack ipv4/ipv6.
It is only tested on Debian 10 but also works on a raspberry pi.
The role uses ndppd to proxy IPv6 neighbour requests, so you do not need a routed IPv6 range.
## Prerequisites
* Debian 10 or Raspberry Pi OS 10 for the gateway host
* Host has dual stack networking configured
* Host has both A and AAAA dns records
* Kernel headers installed for your currently running kernel (raspberrypi-kernel-headers, linux-headers-cloud-amd64, ...)
* If your device is behind a NAT router, have UDP/51820 forwarded on the edge gateway
## Example playbook
(Do not use the example keys)
```
- host: rpi
roles:
- role: wireguard-nftables
vars:
wireguard_peers:
- publickey: Y+UE7yK4qbkssZUITh0LKTeqG6XhaPXmXSWmFfSNlAM=
presharedkey: WLJH/t9dNn36mAyyR57ZWGkb4azjxcgX5lVVpjYJimc=
allowedips: ["10.0.0.2/32" ,"2a02:XXXX:XXXX:7d00::2/128"]`
```
## Configuring clients
Install wireguard on your client.
Generate a private key on your client:
```
wg genkey > wg.key
```
Calculate the public key:
```
cat wg.key | wg pubkey
Y+UE7yK4qbkssZUITh0LKTeqG6XhaPXmXSWmFfSNlAM=
```
Generate a new shared key (Optional)
```
wg genkey
WLJH/t9dNn36mAyyR57ZWGkb4azjxcgX5lVVpjYJimc=
```
Run the playbook with a new peer configuration:
```
- publickey: Y+UE7yK4qbkssZUITh0LKTeqG6XhaPXmXSWmFfSNlAM=
presharedkey: WLJH/t9dNn36mAyyR57ZWGkb4azjxcgX5lVVpjYJimc=
allowedips: ["10.0.0.2/32" ,"2a02:XXXX:XXXX:7d00::2/128"]`
```
The role will generate a private key on the server in /etc/wireguard. Calculate the public key from it:
```
cat /etc/wireguard/wg0.key | wg pubkey
6MnDIYj6MhI9Vic6SnbQ0GfObuYceKTADJuAmNoS9UY=
```
Create a configuration file on the client in /etc/wireguard, using:
* The clients private key
* The gateways public key
* The preshared key
```
[Interface]
PrivateKey = CEWE+IXpSUZbTSPPrQiQYeYo2E3XBm6xCmjQUzklA2k=
ListenPort = 51820
Address = 10.0.0.2/32, 2a02:XXXX:XXXX:7d00::2/128
[Peer]
PublicKey = 6MnDIYj6MhI9Vic6SnbQ0GfObuYceKTADJuAmNoS9UY=
PresharedKey = WLJH/t9dNn36mAyyR57ZWGkb4azjxcgX5lVVpjYJimc=
Endpoint = wg.my-domain.org:51820
AllowedIPs = 0.0.0.0/0,::0/0
```
Use wg-quick to bring up the tunnel (Asuming the configurion in /etc/wireguard/wg0.conf)
```
wg-quick up wg0
```
Disconnect:
```
wg-quick down wg0
```
## Choosing Client IP addresses for peers (clients)
### IPv4
Pick any RFC1918 ipv4 IP that does not cause conflicts for you. (nftables configures IP masquerading)
### IPv6
Choose any IP that is valid on the same network as your gateway device.
When on a network using stateless autoconfiguration, you're pretty safe picking something in the beginning of your range. (If your device has IP 2a02:XXXX:XXXX:7d00:ba27:ebff:fe7e:d22a/64, 2a02:XXXX:XXXX:7d00::2/128 is unlikely to cause a conflict)
VPS providers like Digital Ocean may limit the amount of IPv6 addresses you are allowed to use, so be sure to choose addresses that are in the allowed range.