Ansible role for installing WireGuard on Debian

This role installs WireGuard on Debian.

This role can not configure WireGuard. For configuring WireGuard you can use our systemd-network role. If you wish so, then read #configuring-wireguard.

Example Playbook

The following is a minimal example playbook using this role.

- hosts: wg-server01
  become: true
  roles:
    - role: wireguard

Configuring WireGuard

The following is an example playbook if you wish to additionally use our systemd-network role in order to configure WireGuard.

- hosts: wg-server01
  become: true
  roles:
    - role: wireguard
    - role: systemd-network
      systemd_network_netdevs:
        # /etc/systemd/network/*.netdev files are configured here
      systemd_network_networks:
        # /etc/systemd/network/*.network files are configured here

Hereby you have to make yourself familiar with how to configure WireGuard using systemd-networkd. Then refer to our systemd-network role documentation in order to learn how to accordingly populate the systemd_network_netdevs and systemd_network_networks role variables.

Synchronize a routing table into WireGuard allowed-ips

This role supports synchronizing a routing table into the allowed-ips of a WireGuard interface. To do so, simply use the role variable wireguard_synchronize_allowed_ips as in the following example, where the main routing table is synchronized into the allowed-ips of the WireGuard interface wg0.

- hosts: wg-server01
  become: true
  roles:
    - role: wireguard
      wireguard_synchronize_allowed_ips:
        wg0: main
    - role: systemd-network
      systemd_network_netdevs:
        # /etc/systemd/network/*.netdev files are configured here
      systemd_network_networks:
        # /etc/systemd/network/*.network files are configured here

You can do this for any number of WireGuard interfaces. Note that they also have to be configured, for example using our systemd-network role.