2026-06-07 14:31:51 +01:00
2026-06-07 14:31:51 +01:00
2026-06-06 14:50:48 +01:00
2026-06-06 15:03:32 +01:00
2026-06-06 15:05:09 +01:00
2026-06-07 12:42:52 +01:00
2026-06-06 14:52:14 +01:00

Information relating to my WireGuard VPN server and its Ansible playbook for automated deployment

Motivation

I have various mass-storage NFS/SMB shares which are only available locally, moreover I have strict firewall rules in place to only allow SSH access to my servers from within the same broadcast domain.

Though secure, this imposes the obvious limitation of only being able to access said servers or shares when I'm at home.

While maintaining security, and exposing my network as little as possible, I desired a reliable and minimalistic way to access these resources when away from home.

For this task, WireGuard's cryptography, asymmetric key-pairing and minimal overhead provided the perfect solution.

Architecture

+------------------+
|  Proxmox Host    |
|                  |
|  +------------+  |
|  | AlmaLinux  |  |
|  |    VM      |  |
|  |            |  |
|  | WireGuard  |  |
|  |   Server   |  |
|  +------------+  |
+--------+---------+
         |
+------------------+
| Firewall/Router  |
|   51820:51820    |
|    UDP --> VM    |
+------------------+
         |
 +----------------+
 |    Internet    |
 +----------------+
         |
 +----------------+
 |WireGuard-Client|
 +----------------+     

Features

  • Fully automated server-side deployment via an Ansible playbook, handling WireGuard installation and configuration, virtual network interfaces, IP forwarding kernel parameters and firewalld rules

  • Efficient use of address space, following RFC 3021 and utilizing a /31 subnet prefix. Optimized for a point-to-point connection with a single client.

  • Support for Dynamic home IP addresses via BashDDNS, and specifying a domain name as the endpoint for the client

  • Lightweight, with a dedicated virtual machine requiring less than 256Mi of RAM

  • Secure through WireGuard's dual-key asymmetric cryptography

  • Automated, unattended security updates keep the underlying virtual machine patched

Notes for playbook and automated deployment

This only automates the server-side set up, the client will still need to be manually configured.

The wireguard.ini file must be edited with the appropriate host, user and python interpreter information.

The playbook is written for a RHEL-based WireGuard server.

To set up from scratch, after cloning this repository on an Ansible Control Node, from the root of the directory, run:

ansible-playbook -i wireguard.ini playbooks/master.yml

Relevant port forwarding will need to be implemented on the router/firewall.

It is also highly recommended to make a DHCP reservation for the WireGuard VM, or to manually assign a static IP, to prevent the VPN tunnel breaking through IP changes.

After setup, the client and server public/private keys will be located in /etc/wireguard/ on the remote machine and can be relocated as desired.

A typical client configuration is:

Interface

  • Name, Client Private Key, Addresses (10.10.10.1/32)

Peer

  • Server Public Key, Allowed IPs (10.10.10.0/31, LAN IP range), Endpoint:51820, Persistent Keep Alive 25 seconds

Persistent Keep Alive will send a dummy packet every 25 seconds to maintain a connection, useful for when you are roaming with a mobile device that is subject to frequent IP change.

Extremely useful Linux tools in debugging

  • tcpdump for packet inspection and capture

  • nmap for verifying a UDP port is open on a remote host

  • ss for verifying the WireGuard service is bound to and listening on UDP port 51820

  • wg for displaying the current interface and client configuration

  • ip to display the current addressses of your physical and virutal interfaces

  • ping for sending ICMP echo requests to verify client connectivity to the virtual WireGuard interface and local resources

Extremely useful documentation

Description
No description provided
Readme 67 KiB
Languages
YAML 94.8%
Shell 5.2%