Classes
wireguard
: Wireguard class manages wireguard - an open-source software application and protocol that implements virtual private network techniques to create secure point-to-point connections in routed or bridged configurations.
wireguard::config
: Class configures files and directories for wireguard
wireguard::install
: Class installs wireguard packages and sets up the yum repository
wireguard::params
: Class that contains OS specific parameters for other classes
Defined types
wireguard::interface
: Defines wireguard tunnel interfaces
Functions
wireguard::genkey
: Returns an array containing the wireguard private and public key (in this order) for a certain interface.
wireguard::genprivatekey
: Returns the private key. It will be generated and saved to disk if it doesn't already exist.
wireguard::genpsk
: Returns a string containing the wireguard psk for a certain interface.
wireguard::genpublickey
: Returns a public key derived from a private key. It will be generated and saved to disk if it doesn't already exist.
We assume a deployment with one wireguard server and multiple clients.
The tunnel IP address of each node is currently stored in data/common.yaml
in the form hostname: ipaddress:
---
wireguard::ipaddress:
  bofficetest: 192.168.4.1
  node-0101: 192.168.4.2
A lookup() keyed on the node's own hostname provides the address for its interface (falling back to 169.1.1.1 when the hostname has no entry).
Assuming that the server IP address is 192.168.4.1 and
# Server (bofficetest)
class { '::wireguard':
  manage_repo => true,
  interfaces  => {
    'wg1' => {
      # Tunnel address of this node, looked up by hostname from data/common.yaml
      # address => '192.168.4.1',   # static alternative to the lookup
      address     => lookup("wireguard::ipaddress.${::hostname}", undef, undef, '169.1.1.1'),
      listen_port => 51820,
      # One entry per client: the client's public key and the tunnel address it
      # is allowed to use. AllowedIPs is the cryptokey routing table, so keep it
      # to the client's own /32: a /24 here would let that client send packets
      # from any tunnel address, and a second peer inserted with the same /24
      # takes the range over from the first.
      peers       => [
        { 'PublicKey' => 'Cg8ponDq6USCfhWymrzgnqG4bTZOudb03HxGg1xTQgQ=', 'AllowedIPs' => '192.168.4.2/32' },
      ],
      # Generate the server private key on the node itself with a deferred function
      private_key => Deferred('wireguard::genprivatekey', ['/etc/wireguard/wg1.key']),
    },
  },
}
# Derive and store the server public key, again deferred to the node
file { '/etc/wireguard/wg1.pub':
  content => Deferred('wireguard::genpublickey', ['/etc/wireguard/wg1.key', '/etc/wireguard/wg1.pub']),
}
Because both functions are deferred, the private key is generated on the node and never passes through the Puppet server or the catalog. After the first run, check that /etc/wireguard/wg1.key is readable by root only (mode 0600); it is the only secret protecting the tunnel.
# Client (node-0101)
class { '::wireguard':
  manage_repo => false,
  interfaces  => {
    'wg1' => {
      # Tunnel address of this client, looked up by hostname
      # address => '192.168.4.2',   # static alternative to the lookup
      address     => lookup("wireguard::ipaddress.${::hostname}", undef, undef, '169.1.1.1'),
      listen_port => 53000,
      # The client's only peer is the server: its public key, its reachable
      # (non-tunnel) address and listen port as Endpoint, the whole tunnel
      # subnet as AllowedIPs so that traffic for every tunnel address is sent
      # via the server, and a keepalive so that NAT mappings stay open.
      peers       => [
        { 'PublicKey' => 'XNjbPohUcm6TVo3kJlC8cKIr+jahysvGDwiJcXhBbUk=', 'Endpoint' => '192.168.1.241:51820', 'PersistentKeepalive' => 60, 'AllowedIPs' => '192.168.4.0/24' },
      ],
      # Generate the private key of the client on the node itself
      private_key => Deferred('wireguard::genprivatekey', ['/etc/wireguard/wg1.key']),
    },
  },
}
# Derive and store the public key of the client
file { '/etc/wireguard/wg1.pub':
  content => Deferred('wireguard::genpublickey', ['/etc/wireguard/wg1.key', '/etc/wireguard/wg1.pub']),
}
Distributing the clients' public keys is still manual: the server's peers list has to be updated with the contents of each client's /etc/wireguard/wg1.pub. We still need an automatic way to submit the public keys of the clients and add them to the wireguard server.
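On the server, each [Peer]'s AllowedIPs is the cryptokey routing entry for that client: it decides which tunnel addresses are sent to, and accepted from, that peer, so every client normally gets its own /32 and no two peers should overlap. The following script is an added example, not code from this page or from the module: it parses a wg-quick style configuration like the one the manifests above render and reports overlapping AllowedIPs, duplicated or malformed keys and a missing or bad ListenPort. The two configurations in it are constructed from the addresses and keys used above; the second client, node-0102, and its key are invented for the example.

```python
import base64
import binascii
import ipaddress
from typing import Dict, List

Section = Dict[str, List[str]]

# Constructed sample (not rendered by the module): what the server manifest
# above would produce for wg1 if a second client were added with a /32 that
# sits inside the first client's /24.
SERVER_CONF = """\
[Interface]
Address = 192.168.4.1/24
ListenPort = 51820
PrivateKey = 2N0YBID3tnptapO/V5x3GG78KloA8xkLz1QtX6OVRW8=

[Peer]
# node-0101
PublicKey = Cg8ponDq6USCfhWymrzgnqG4bTZOudb03HxGg1xTQgQ=
AllowedIPs = 192.168.4.0/24

[Peer]
# node-0102 (invented for this example)
PublicKey = Pz4sRKhRMSet7IYVXXeZrAguBSs+q8oAVMfAAXHJ7S8=
AllowedIPs = 192.168.4.3/32
"""

# The same config with the first client restricted to its own tunnel address.
FIXED_SERVER_CONF = SERVER_CONF.replace("192.168.4.0/24", "192.168.4.2/32")


def parse_wg_conf(text: str) -> List[Section]:
    """Parse a wg-quick style INI config into a list of sections.

    Each section maps key -> list of values: keys may repeat, and AllowedIPs
    may hold a comma-separated list. '__name__' carries the section name.
    """
    sections: List[Section] = []
    current: Section = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"__name__": [line[1:-1]]}
            sections.append(current)
            continue
        if not current or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        values = [v.strip() for v in value.split(",")] if key == "AllowedIPs" else [value]
        current.setdefault(key, []).extend(values)
    return sections


def valid_key(b64: str) -> bool:
    """A WireGuard key (private, public or preshared) is 32 bytes in base64."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == 32


def lint_server_conf(text: str) -> List[str]:
    """Return a list of findings for a server-side wg config (empty = clean)."""
    findings: List[str] = []
    sections = parse_wg_conf(text)
    ifaces = [s for s in sections if s["__name__"][0] == "Interface"]
    peers = [s for s in sections if s["__name__"][0] == "Peer"]

    if len(ifaces) != 1:
        findings.append("expected exactly one [Interface] section")
    else:
        key = ifaces[0].get("PrivateKey", [""])[0]
        if not valid_key(key):
            findings.append("[Interface] PrivateKey missing or not a 32-byte base64 key")
        port = ifaces[0].get("ListenPort", ["0"])[0]  # a server needs a fixed port
        if not (port.isdigit() and 1 <= int(port) <= 65535):
            findings.append(f"[Interface] ListenPort missing or out of range: {port!r}")

    seen: Dict[str, int] = {}      # public key -> index of the first peer using it
    claimed: List[tuple] = []      # (peer index, network) already granted
    for i, peer in enumerate(peers):
        pub = peer.get("PublicKey", [""])[0]
        if not valid_key(pub):
            findings.append(f"peer {i}: PublicKey missing or invalid")
        elif pub in seen:
            findings.append(f"peer {i}: PublicKey duplicates peer {seen[pub]}")
        else:
            seen[pub] = i
        for cidr in peer.get("AllowedIPs", []):
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append(f"peer {i}: bad AllowedIPs entry {cidr!r}")
                continue
            # Overlap means the longest prefix wins per destination and the
            # broader peer may source packets from any address in its range.
            for j, other in claimed:
                if net.version == other.version and net.overlaps(other):
                    findings.append(f"peer {i}: AllowedIPs {net} overlaps peer {j} AllowedIPs {other}")
            claimed.append((i, net))
    return findings


if __name__ == "__main__":
    for name, conf in (("as rendered", SERVER_CONF), ("fixed", FIXED_SERVER_CONF)):
        print(name, lint_server_conf(conf) or ["no findings"])
```

Run it against the file wg-quick reads (for example /etc/wireguard/wg1.conf on the server) after a Puppet run; the only finding for the constructed config is the /24 that overlaps the second client's /32, and the fixed variant is clean.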
wireguard
Wireguard class manages wireguard - an open-source software application and protocol that implements virtual private network techniques to create secure point-to-point connections in routed or bridged configurations.
- See also https://www.wireguard.com/
The following parameters are available in the wireguard class.
package_name
Data type: Variant[Array, String]
Name of the package(s) that install wireguard
Default value: $wireguard::params::package_name
repo_url
Data type: String
URL of the wireguard repo
Default value: $wireguard::params::repo_url
manage_repo
Data type: Boolean
Should the class manage the yum repo
Default value: $wireguard::params::manage_repo
manage_package
Data type: Boolean
Should the class install the package(s)
Default value: $wireguard::params::manage_package
Data type: Variant[Boolean, Enum['installed','latest','present']]
Set the state of the package
Default value: 'installed'
config_dir
Data type: Stdlib::Absolutepath
Path to wireguard configuration files
Default value: $wireguard::params::config_dir
config_dir_mode
Data type: String
The config_dir access mode bits
Default value: $wireguard::params::config_dir_mode
interfaces
Data type: Optional[Hash]
Define wireguard interfaces (a hash of interface name => wireguard::interface parameters, as in the examples above)
Default value: {}
config_dir_purge
Data type: Boolean
Default value: $wireguard::params::config_dir_purge
wireguard::config
Class configures files and directories for wireguard
The following parameters are available in the wireguard::config class.
config_dir
Data type: Stdlib::Absolutepath
Path to wireguard configuration files
config_dir_mode
Data type: String
The config_dir access mode bits
Data type: Boolean
wireguard::install
Class installs wireguard packages and sets up the yum repository
The following parameters are available in the wireguard::install class.
package_name
Data type: Variant[Array, String]
Name of the package(s) that install wireguard
repo_url
Data type: String
URL of the wireguard repo
manage_repo
Data type: Boolean
Should the class manage the yum repo
manage_package
Data type: Boolean
Should the class install the package(s)
Data type: Variant[Boolean, Enum['installed','latest','present']]
Set the state of the package
wireguard::params
Class that contains OS specific parameters for other classes
wireguard::interface
Defines wireguard tunnel interfaces
The following parameters are available in the wireguard::interface defined type.
private_key
Data type: Any
Private key of the interface (typed Any so that a Deferred value can be passed, as in the examples above)
listen_port
Data type: Integer[1,65535]
The UDP port to listen on
Data type: Enum['present','absent']
State of the interface
Default value: 'present'
address
Data type: Optional[Variant[Array,String]]
List of IP (v4 or v6) addresses (optionally with CIDR masks) to be assigned to the interface. The data type isn't 100% correct but needs to be 'Any' to allow 'Deferred' on Puppet 6 systems; the epp template enforces Optional[Variant[Array,String]].
Default value: undef
Data type: Optional[Integer[1,9202]]
Set the MTU of the wireguard interface
Default value: undef
Data type: Optional[Variant[Array,String]]
List of commands to run before the interface is brought up
Default value: undef
Data type: Optional[Variant[Array,String]]
List of commands to run after the interface is brought up
Default value: undef
Data type: Optional[Variant[Array,String]]
List of commands to run before the interface is taken down
Default value: undef
List of commands to run after the interface is taken down
Default value: undef
peers
Data type: Optional[Array[Struct[ { 'PublicKey' => String, 'AllowedIPs' => Optional[String], 'Endpoint' => Optional[String], 'PersistentKeepalive' => Optional[Integer], 'PresharedKey' => Optional[String], 'Comment' => Optional[String], } ]]]
List of peers for the wireguard interface
Default value: []
Data type: Optional[String]
List of IP (v4 or v6) addresses of DNS servers to use
Default value: undef
Data type: Boolean
Save the current state of the interface on shutdown
Default value: true
config_dir
Data type: Stdlib::Absolutepath
Path to wireguard configuration files
Default value: '/etc/wireguard'
Data type: Optional[Variant[Array,String]]
Default value: undef
wireguard::genkey
Type: Ruby 4.x API
Returns an array containing the wireguard private and public key (in this order) for a certain interface.
wireguard::genkey('wg0', '/etc/wireguard') => [
  '2N0YBID3tnptapO/V5x3GG78KloA8xkLz1QtX6OVRW8=',
  'Pz4sRKhRMSet7IYVXXeZrAguBSs+q8oAVMfAAXHJ7S8=',
]
Returns: Array
Returns [$private_key, $public_key].
Parameters:
Data type: String
The interface name.
Data type: Optional[String]
Absolute path to the wireguard key files (default '/etc/wireguard').
Called directly as above (the same applies to wireguard::genpsk), the function runs on the Puppet server while the catalog is compiled, so the private key is generated there and travels to the node inside the catalog. Wrap the call in Deferred() on Puppet 6 and later, as the wireguard::genprivatekey example does, when the key must only ever exist on the node.
wireguard::genprivatekey
Type: Ruby 4.x API
Returns the private key. It will be generated and saved to disk if it doesn't already exist.
wireguard::genprivatekey('/etc/wireguard/wg0.key') => '2N0YBID3tnptapO/V5x3GG78KloA8xkLz1QtX6OVRW8='
include wireguard
wireguard::interface { 'wg0':
  private_key => Deferred('wireguard::genprivatekey', ['/etc/wireguard/wg0.key']),
  listen_port => 53098,
}
Returns: String
Returns the private key.
Parameters:
Data type: String
Absolute path to the private key
wireguard::genpsk
Type: Ruby 4.x API
Returns a string containing the wireguard psk (pre-shared key) for a certain interface.
wireguard::genpsk('wg0') => 'FIVuvMyHvzujQweYa+oJdLDRvrpbHBithvMmNjN5rK4='
Returns: String
Returns the psk.
Parameters:
Data type: String
The interface name.
Data type: Optional[String]
Absolute path to the wireguard key files (default '/etc/wireguard').
wireguard::genpublickey
Type: Ruby 4.x API
Returns a public key derived from a private key. It will be generated and saved to disk if it doesn't already exist.
wireguard::genpublickey('/etc/wireguard/wg0.key',
  '/etc/wireguard/wg0.pub'
) => 'gNaMjIpR7LKg019iktKJC74GX/MD3Y35Wo+WRNRQZxA='
Returns: String
Returns the public key.
Parameters:
Data type: String
Absolute path to the private key
Data type: String
Absolute path to the public key
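What the key functions above produce: a WireGuard key pair is an X25519 key pair, so a private key is 32 random bytes (clamped, as `wg genkey` does), the public key is X25519(private, 9) exactly as `wg pubkey` computes it, and a psk is 32 random bytes with no structure at all; all three are printed as 44-character base64. The script below is an added example in Python, not the module's Ruby functions and not code from this page: it reimplements the RFC 7748 Montgomery ladder so that the derivation in wireguard::genpublickey can be followed end to end, and checks itself against the RFC 7748 section 6.1 test vectors. The ladder branches on secret bits and is not constant time; it is for understanding the keys, not for handling real ones.

```python
import base64
import os

# Curve25519 prime and the (A - 2) / 4 constant from RFC 7748, section 5.
_P = 2**255 - 19
_A24 = 121665
_BASEPOINT_U = (9).to_bytes(32, "little")


def clamp(secret: bytes) -> bytes:
    """X25519 scalar clamping; `wg genkey` applies the same to its random bytes."""
    k = bytearray(secret)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return bytes(k)


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder (reference code, NOT constant time)."""
    k = int.from_bytes(clamp(scalar), "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)  # mask the unused top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:  # conditional swap, written plainly (leaks timing)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        e = (aa - bb) % _P
        c, d = (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3 = (da + cb) * (da + cb) % _P
        z3 = x1 * ((da - cb) * (da - cb)) % _P
        x2 = aa * bb % _P
        z2 = e * (aa + _A24 * e) % _P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, _P - 2, _P) % _P).to_bytes(32, "little")


def genkey() -> str:
    """Equivalent of `wg genkey`: 32 random bytes, clamped, base64."""
    return base64.b64encode(clamp(os.urandom(32))).decode()


def genpsk() -> str:
    """Equivalent of `wg genpsk`: 32 random bytes, base64 (symmetric, not clamped)."""
    return base64.b64encode(os.urandom(32)).decode()


def pubkey_bytes(private: bytes) -> bytes:
    """The public key is the u-coordinate of private * basepoint (u = 9)."""
    if len(private) != 32:
        raise ValueError("a WireGuard private key is exactly 32 bytes")
    return x25519(private, _BASEPOINT_U)


def pubkey(private_b64: str) -> str:
    """Equivalent of `wg pubkey`: base64 private key in, base64 public key out."""
    private = base64.b64decode(private_b64, validate=True)
    return base64.b64encode(pubkey_bytes(private)).decode()


def rfc7748_self_test() -> bool:
    """Known-answer test with the RFC 7748 section 6.1 vectors (Alice and Bob)."""
    a = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    a_pub = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
    b = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    b_pub = "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"
    shared = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"
    return (
        pubkey_bytes(a).hex() == a_pub
        and pubkey_bytes(b).hex() == b_pub
        and x25519(a, bytes.fromhex(b_pub)).hex() == shared
        and x25519(b, bytes.fromhex(a_pub)).hex() == shared
    )


if __name__ == "__main__":
    assert rfc7748_self_test()
    private = genkey()
    print("PrivateKey   =", private)            # what wg0.key holds
    print("PublicKey    =", pubkey(private))    # what wg0.pub holds
    print("PresharedKey =", genpsk())
```

A useful check on a node managed by this module is that pubkey() of the contents of /etc/wireguard/wg1.key equals the contents of /etc/wireguard/wg1.pub; a mismatch means the public key the server trusts was derived from a different private key than the one the interface is using.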