Hi,

On Ubuntu 20.04 (and Debian ?), the wg-quick requires resolvconf to run. But for some reason, apt does not install it as a dependency.

We're using the following workaround:

  pre_tasks:
    - name: Install Wireguard dependencies
      apt:
        name: resolvconf
  roles:
    - mawalu.wireguard_private_networking

I think we should add this to this role for now and create an upstream issue on the wg-quick bug tracker regarding the missing dependency to resolvconf.

Hi,

I looks like the Read private key task fails in check mode (ansible-playbook --check). Presumably because the private key is not actually created in the first place in check mode:

TASK [mawalu.wireguard_private_networking : Read private key] ******************
ok: [vpn-server]
fatal: [minecraft]: FAILED! => {"changed": false, "msg": "file not found: /etc/wireguard/privatekey"}

The task is ok for the vpn-server host because it was already provisioned and the /etc/wireguard/privatekey file does exist. Which is not the case for the minecraft host: it's a new machine.

I'll open a PR to fix this.

The idea behind PR#7 seems nice, but it appears to be pretty broken. Adding client_wireguard_path to vars causes the playbook to fail, complaining that:

FAILED! => {"changed": false, "msg": "AnsibleUndefinedVariable: 'client_vpn_ip' is undefined"}

And indeed, client_vpn_ip is indeed referenced in the templates:

$ git grep client_vpn_ip
templates/client.conf.j2:Address = {{ client_vpn_ip }}
templates/interface.conf.j2:AllowedIPs = {{ client_vpn_ip }}

... but isn't set or documented anywhere.

Since there's no sane default for client_vpn_ip, I'll make a PR that introduces an empty default for client_vpn_ip, and reverts to the previous default of client_wireguard_path: ~/wg.conf. Tasks that are currently conditional on client_wireguard_path having a non-zero length will become conditional on client_vpn_ip having a non-zero length.

Hello,

Here is the setup we need:

• A remote Wireguard VPN mesh hosted in the cloud.
• Some clients (laptops for example) connecting to the VPN and access all the nodes in the mesh.

Here is an example config:

vpn:
  hosts:
    vpn-server:
      vpn_ip: 10.1.0.1/32
    minecraft:
      vpn_ip: 10.1.0.253/32

and the playbook:

- name: Configure VPN network
  hosts: vpn
  remote_user: root
  roles:
    - mawalu.wireguard_private_networking

For a laptop to connect to the network, we use the following Interface config:

[Interface]
PrivateKey = {private_key}
Address = {address}/24
DNS = 10.1.0.1

[Peer]
PublicKey = {WIREGUARD_SERVER_PUBLIC_KEY}
Endpoint = vpn.hostname.com:5888
PersistentKeepalive = 15
AllowedIPs = 0.0.0.0/0, ::/0

But the result is as follow:

• The nodes of the VPN mesh listed above in the VPN group can connect to to each other, including to the VPN server.
• But the laptops using the interface above cannot connect to the other nodes in the mesh. Yet they can connect to each other.

As of today, here is what the template contains:

{% for node in play_hosts %}
[Peer]
PublicKey = {{ hostvars[node].public.content | b64decode | trim }}
AllowedIPs = {{ hostvars[node].vpn_ip }}
Endpoint = {{ hostvars[node]['public_addr'] | default(hostvars[node]['ansible_host']) | default(hostvars[node]['inventory_hostname']) }}:{{ wireguard_port }}
PersistentKeepalive = 25

{% endfor %}

I suspect that AllowedIPs = {{ hostvars[node].vpn_ip }} restricts peers to connect to the other listed peers in the conf file. So all the peers must be listed in the conf file. Which is unpractical.

Wouldn't it better to allow for a global/per-host wireguard_alled_ips variable? This way it could be set to 0.0.0.0/0, ::/0 and allow any node to connect to any node.

It would be a nice addition to have an option for a psk like:

# wg0.conf
[Peer]
PresharedKey = SomePSK

Getting error message after new update
{"msg": "The conditional check 'is_proxmox.stat.exists' failed. The error was: error while evaluating conditional (is_proxmox.stat.exists): 'dict object' has no attribute 'stat'\n\nThe error appears to be in '/home/<user>/.ansible/roles/mawalu.wireguard_private_networking/tasks/main.yml': line 24, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Install linux headers when debian proxmox\n ^ here\n"}

Issue

I have encountered the following error when applying the role using the default value for variable client_wireguard_path:

TASK [mawalu.wireguard-private-networking : Generate configs] *************************
fatal: [host.example.com]: FAILED! => {"changed": false, "msg": "AnsibleUndefinedVariable: 'dict object' has no attribute 'content'"}

Cause

The default value for client_wireguard_path is "~/wg.conf" which is set in defaults/main.yml. I believe the error occurs because the test in the template interface.conf.j2 (client_wireguard_path | length > 0) never evaluates to false because the variable client_wireguard_path will never have a zero length.

Solution

Setting variable client_wireguard_path = "" in defaults/main.yml resolves the issue

Hello,

Thank you for the great work!
I would like to open a PR to add the possibility to customize the DNS field of the Interface section of the interface.conf.j2 template with a wireguard_dns Ansible var.

Would you accept and merge such PR?

Right now I'm using the following task as a workaround:

- lineinfile:
    line: "DNS = {{ vpn_ip | ipaddr('address') }}"
    state: present
    insertafter: "PrivateKey = .*"
    path: "{{ client_wireguard_path }}"
  vars:
    ansible_connection: local
  become: no
  run_once: true
  when:
    - client_vpn_ip is defined
    - client_vpn_ip | length > 0
  delegate_to: localhost

Regards,

Hello,

As of today, the community.general collection is required whether allow_build_from_source is true or false. In order to avoid broken dependencies, we download and store the roles/collections in our git repository. And community.general is a pretty big dependency.

I was wondering if there was a way to eliminate the requirement for this collection when allow_build_from_source is false.

Regards,

Hi,

i noticed that this role fails when the packages lsb-release and ca-certificates are not installed for obvious reasons.
Not exactly sure how i ended up with those missing but if you could add those as prerequisites maybe somebody else using a weird installation method might appreciate it.

kind regards,

Stefan