# WireGuard Ansible role

This role configures a host to act as a WireGuard (default) gateway, supporting dual-stack IPv4/IPv6.

It is only tested on Debian 10 but also works on a Raspberry Pi.

The role uses ndppd to proxy IPv6 neighbour discovery requests (the gateway answers Neighbor Solicitations for the peers' addresses on its own LAN), so you do not need a routed IPv6 range.

## Prerequisites

* Debian 10 or Raspberry Pi OS 10 for the gateway host
* Host has dual-stack networking configured
* Host has both A and AAAA DNS records
* If your device is behind a NAT router, have UDP/51820 forwarded on the edge gateway

## Example playbook

(Do not use the example keys.)

```
- hosts: rpi
  roles:
    - role: wireguard-nftables
      vars:
        wireguard_peers:
          - publickey: Y+UE7yK4qbkssZUITh0LKTeqG6XhaPXmXSWmFfSNlAM=
            presharedkey: WLJH/t9dNn36mAyyR57ZWGkb4azjxcgX5lVVpjYJimc=
            allowedips: ["10.0.0.2/32", "2a02:XXXX:XXXX:7d00::2/128"]
```

## Configuring clients

Install WireGuard on your client.

Generate a private key on your client (run it under `umask 077` so the key file is readable only by you):

```
wg genkey > wg.key
```

Calculate the public key:

```
cat wg.key | wg pubkey
Y+UE7yK4qbkssZUITh0LKTeqG6XhaPXmXSWmFfSNlAM=
```

Generate a new preshared key (optional; it must be set identically on both sides):

```
wg genpsk
WLJH/t9dNn36mAyyR57ZWGkb4azjxcgX5lVVpjYJimc=
```

Run the playbook with a new peer configuration:

```
- publickey: Y+UE7yK4qbkssZUITh0LKTeqG6XhaPXmXSWmFfSNlAM=
  presharedkey: WLJH/t9dNn36mAyyR57ZWGkb4azjxcgX5lVVpjYJimc=
  allowedips: ["10.0.0.2/32", "2a02:XXXX:XXXX:7d00::2/128"]
```

The role will generate a private key on the server in /etc/wireguard. Calculate the public key from it:

```
cat /etc/wireguard/wg0.key | wg pubkey
6MnDIYj6MhI9Vic6SnbQ0GfObuYceKTADJuAmNoS9UY=
```

Create a configuration file on the client in /etc/wireguard, using:

* the client's private key
* the gateway's public key
* the preshared key

```
[Interface]
PrivateKey = CEWE+IXpSUZbTSPPrQiQYeYo2E3XBm6xCmjQUzklA2k=
ListenPort = 51820
Address = 10.0.0.2/32, 2a02:XXXX:XXXX:7d00::2/128

[Peer]
PublicKey = 6MnDIYj6MhI9Vic6SnbQ0GfObuYceKTADJuAmNoS9UY=
PresharedKey = WLJH/t9dNn36mAyyR57ZWGkb4azjxcgX5lVVpjYJimc=
Endpoint = wg.my-domain.org:51820
AllowedIPs = 0.0.0.0/0, ::/0
```

Use wg-quick to bring up the tunnel (assuming the configuration is in /etc/wireguard/wg0.conf):

```
wg-quick up wg0
```

Disconnect:

```
wg-quick down wg0
```

## Choosing IP addresses for peers (clients)

### IPv4

Pick any RFC 1918 IPv4 address that does not conflict with your own networks (nftables configures IP masquerading for the peers' traffic).

### IPv6

Choose any address that is valid on the same network as your gateway device.

When on a network using stateless address autoconfiguration, you are fairly safe picking something at the beginning of your range. (If your device has the address 2a02:XXXX:XXXX:7d00:ba27:ebff:fe7e:d22a/64, then 2a02:XXXX:XXXX:7d00::2/128 is unlikely to cause a conflict.)

VPS providers like DigitalOcean may limit the number of IPv6 addresses you are allowed to use, so be sure to choose addresses that are in the allowed range.