Ansible + WireGuard = VPN
This Ansible playbook sets up a point-to-point VPN mesh network between your servers using WireGuard.
Tested on Debian Stretch, but should also work on Ubuntu.
Please submit a pull request if you find any issues or want to support other platforms.
To customize the installation, see roles/wireguard/vars/main.yml and roles/wireguard/defaults/main.yml.
Requirements:
- Ansible
- SSH
- Root account
First, list all VPN servers, including the VPN IP and public IP, in an Ansible hosts file:
server-1 ansible_ssh_host=212.x.x.x vpn_ip=192.168.0.1 public_ip=212.x.x.x
server-2 ansible_ssh_host=212.x.x.x vpn_ip=192.168.0.2 public_ip=212.x.x.x
[vpn-servers]
server-1
server-2
Next, install the VPN network:
$ ansible-playbook wireguard.yml -i hosts -u root
Troubleshooting:
- ping: sendmsg: Required key not available
# ssh 192.168.0.1
# ping 192.168.0.2
PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data.
From 192.168.0.1 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Required key not available
Solution: This error means that no peer's AllowedIPs covers the destination address, so WireGuard has no peer (and no key) to send the packet to. Check that the peer server's VPN IP address is inside the range defined by that peer's AllowedIPs.
- all other issues
Verify that all the peers' private and public keys are correct, and check that the IPs and ports are reachable:
# wg
interface: wg0
public key: <check this>
private key: (hidden) <check this>
listening port: 50111 <check this>
peer: <check this>
endpoint: 212.xxx <check this>
allowed ips: 192.168.0.0/16
transfer: 0 B received, 4.34 KiB sent
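The following is an added example, not part of the playbook: it builds the full-mesh peer table from an inventory shaped like the hosts file above and checks which peer's AllowedIPs covers a destination, which is exactly the lookup that fails with "Required key not available". The inventory values and key strings are constructed placeholders; the example gives each peer its own /32 rather than the shared /16 shown in the wg output, because a given AllowedIPs prefix can belong to only one peer at a time.

```python
import ipaddress

# Constructed inventory in the shape of the hosts file above; the public
# keys are placeholders, not real keys.
INVENTORY = {
    "server-1": {"vpn_ip": "192.168.0.1", "public_ip": "203.0.113.1",
                 "pubkey": "PUBKEY_SERVER_1", "listen_port": 50111},
    "server-2": {"vpn_ip": "192.168.0.2", "public_ip": "203.0.113.2",
                 "pubkey": "PUBKEY_SERVER_2", "listen_port": 50111},
    "server-3": {"vpn_ip": "192.168.0.3", "public_ip": "203.0.113.3",
                 "pubkey": "PUBKEY_SERVER_3", "listen_port": 50111},
}

def mesh_peers(inventory, me):
    """[Peer] entries host `me` needs for a full mesh: one per other host,
    with AllowedIPs limited to that host's own /32."""
    peers = []
    for name, h in inventory.items():
        if name == me:
            continue
        peers.append({"name": name, "public_key": h["pubkey"],
                      "endpoint": f'{h["public_ip"]}:{h["listen_port"]}',
                      "allowed_ips": [f'{h["vpn_ip"]}/32']})
    return peers

def render_config(inventory, me, private_key="PRIVATE_KEY_PLACEHOLDER"):
    """Render wg0.conf for host `me` in the format wg-quick reads."""
    h = inventory[me]
    lines = ["[Interface]", f"Address = {h['vpn_ip']}/16",
             f"ListenPort = {h['listen_port']}", f"PrivateKey = {private_key}"]
    for p in mesh_peers(inventory, me):
        lines += ["", f"# {p['name']}", "[Peer]",
                  f"PublicKey = {p['public_key']}",
                  f"Endpoint = {p['endpoint']}",
                  f"AllowedIPs = {', '.join(p['allowed_ips'])}"]
    return "\n".join(lines) + "\n"

def route_owner(peers, dst):
    """Name of the peer whose AllowedIPs covers `dst`, or None. WireGuard
    only hands a packet to a peer whose AllowedIPs contains the destination;
    with no match the kernel returns ENOKEY ("Required key not available")."""
    addr = ipaddress.ip_address(dst)
    for p in peers:
        if any(addr in ipaddress.ip_network(n) for n in p["allowed_ips"]):
            return p["name"]
    return None
```

Run route_owner(mesh_peers(INVENTORY, "server-1"), "192.168.0.2") to see the peer that would carry the ping from the troubleshooting section; a None result is the condition that produces the error.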
Show WireGuard configuration:
# wg
Stop/Start WireGuard:
# wg-quick down wg0
# wg-quick up wg0
Start the WireGuard service:
# systemctl start wg-quick@wg0
Check WireGuard status:
# systemctl status wg-quick@wg0
Configure WireGuard to start up at boot:
# systemctl enable wg-quick@wg0