Ansible role to install and setup a Wireguard VPN server.
- An EC2 instance (t3-micro recommended) with public Elastic IP address
- Ubuntu 18.04 Minimal
- S3 bucket with credentials for backup & centralize user config key
The dictionary list of users to add to the VPN, with username, unique private(local to the VPN node itself) IP address and settings:
s3_bucket : "nfq-infrastructure-terraform"
s3_key_prefix : "credentials/wireguard" # s3://<bucket-name>/credentials/wireguard
aws_access_key: "{{ lookup('env','AWS_ACCESS_KEY_ID') }}"
aws_secret_key: "{{ lookup('env','AWS_SECRET_ACCESS_KEY') }}"
security_token: "{{ lookup('env','AWS_SESSION_TOKEN') }}"
region : "ap-southeast-1"
wg_user_list:
devops:
username: "devops"
private_ip: "10.99.0.11"
default_route: true
wg_dns_enabled: true
remove: false
nam.nguyen:
username: "nam.nguyen"
private_ip: "10.99.0.11"
default_route: true
wg_dns_enabled: true
remove: false
nghia.pham:
username: "nghia.pham"
private_ip: "10.99.0.12"
default_route: true
wg_dns_enabled: true
remove: falseDecsription of the required parameters:
username: usernameprivate_ip: private IP address to be assigned on Wireguard tunneldefault_route: yes if user is allowed to use VPN as default routewg_dns_enabled: yes if user is allowed to use server DNS resolverremove: no (yes if user is marked to be deleted)
- Listen port: UDP/51820 (Set with
wg_listen_port) - Tunnel network: 10.99.0.0/24 (Set with
wg_private_ipand changeprivate_ipof each client) - Download path for profile is default to
~/Downloads, set inwg_download_path
n/a
sysctl- Add IPv4 forwarding to Sysctlinstall- Install Wireguardconfigure- Configure Wireguardusers- Add/remove usersupload- Push client key into S3 bucket
To use, either use wg-quick:
brew install wireguard-tools
wg-quick up ~/Downloads/path-to/wg0.conf
# Shutdown:
wg-quick down ~/Downloads/path-to/wg0.confOr use the official clients here
- DNS push not working automatically on MacOS