githubixx / ansible-role-wireguard

Ansible role for installing WireGuard VPN. Supports Ubuntu, Debian, Arch Linux, Fedora and CentOS.

Home Page: https://www.tauceti.blog/post/kubernetes-the-not-so-hard-way-with-ansible-wireguard/


Issues with peers when adding a link

scooterh928 opened this issue · comments

Hello

I'm using your blog and such to learn some basic Ansible and WireGuard automation. I have it set up basically and it was working well until I added a 3rd server into the mix.

I have 3 servers. What I'm wanting to do is just a link between A and B, and A and C. Before I added C into the mix it was all fine and dandy, but now it adds C as a 2nd peer to each of the other servers. Is there any way to have it not do the auto-add of peers (from, I'm guessing, the hosts inventory) and just only use the unmanaged peer variables?

Thanks in advance, I really like your blog.

Hello! Actually I always had only the fully meshed setup (every host can connect to each other host in the mesh) in mind when I started the role as I wanted to replace the old PeerVPN setup (which offers a fully meshed setup only). If I get you right you want a setup that looks a little bit like this:

                   A (server)
-----------------------|----------------------
|                                            |
B (client)                           C (client)

I've added a Molecule test in a separate branch that might solve your problem:
https://github.com/githubixx/ansible-role-wireguard/tree/add-molecule-single-server/molecule/kvm-single-server

This setup has three hosts defined:

  • test-wg-ubuntu2004 (A in your case - serves as server)
  • test-wg-ubuntu1804 (B in your case - serves as client)
  • test-wg-debian11 (C in your case - serves as client too)

Have a look at the inventory variables here:

  inventory:
    host_vars:
      test-wg-ubuntu2004:
        wireguard_address: "10.10.10.10/24"
        wireguard_port: 51820
        wireguard_persistent_keepalive: "30"
        wireguard_endpoint: "192.168.10.10"
      test-wg-ubuntu1804:
        wireguard_address: "10.10.10.20/24"
        wireguard_persistent_keepalive: "30"
        wireguard_endpoint: ""
      test-wg-debian11:
        wireguard_address: "10.10.10.30/24"
        wireguard_persistent_keepalive: "30"
        wireguard_endpoint: ""

As you can see, B (test-wg-ubuntu1804) and C (test-wg-debian11) have wireguard_endpoint set to an empty string (""). Also, both don't have wireguard_port defined. With that setup it is possible to ping 10.10.10.10 from test-wg-ubuntu1804 and test-wg-debian11, but pinging 10.10.10.20 from test-wg-debian11 doesn't work, and not the other way round either.

Maybe this helps a little bit.

Let me explain a little differently. What this is for: I'm part of DN42, which is like a big meshed VPN network to tinker with BGP and routing. People use WireGuard and such to create tunnels with other peers and then set up a BGP connection to that peer via that tunnel.

So for example, on my Dallas server 1.1.1.1 would be my interface IP for the tunnel.

Joe wants to peer with my Dallas server, so he gives me his info and I do the same, and I set up a WG tunnel between our 2 servers.

Interface Joe-dn42 with IP 1.1.1.1 and a peer config of his endpoint server and port. Voila, we have a tunnel configured and can ping and pass traffic via our tunnel.

Now Sally wants to peer with me, so I go through the same process, all new files for Sally's connection:

Interface Sally-dn42 with IP 1.1.1.1 and a peer config of her endpoint server and port.

So in a sense that's what I'm wanting and trying to do, and if I can't do that with your roles I understand; yours is just the most informative I've found so far and I'm trying to work off of it.

So when I set up my Dallas server in host_vars/dallas.mydomain.tld it would have MY interface connection and the single peer for Sally, and then another config for my interface and Joe's, like a point-to-point setup.

Then I can set up another server in host_vars/florida.mydomain.tld and do the same thing, point to point. Each interface config file is for 1 single peer.

I've also been trying to read https://git.n0emis.eu/ansible_roles/dn42/src/branch/main and use both of y'all's a little, but I'm still pretty new to all this Ansible stuff and trying to learn.

If it's something you don't feel like checking out or don't think your roles would be a good fit for me, I understand, just tell me to stfu :)

And thanks in advance.

Sorry for the late reply. I'm only understanding half of what you try to solve, but I guess I get the basic idea. I actually never had that use case in mind when developing my role. The premise was always to have full control of all connected parties, so to say. This role first collects information about all hosts that should be part of a fully meshed WireGuard network in order to be able to render the WireGuard configuration file for every host.

But maybe something like this works:

wgvpn:
  hosts:
    host1:
      wireguard_interface: "wg0"
      wireguard_port: 51820
      wireguard_address: 10.0.1.1/32
      wireguard_allowed_ips: 10.10.0.1/32
      wireguard_endpoint: my.dns.name.com
      wireguard_unmanaged_peers:
        joe.example.com:
          public_key: 5zsSBeZZ8P9pQaaJvY9RbELQulcwC5VBXaZ93egzOlI=
          preshared_key: ...
          allowed_ips: 10.10.0.1/32
          endpoint: joe.example.com:51820
    host2:
      wireguard_interface: "wg1"
      wireguard_port: 51821
      wireguard_address: 10.0.2.1/32
      wireguard_allowed_ips: 10.20.0.1/32
      wireguard_endpoint: my.dns.name.com
      wireguard_unmanaged_peers:
        sally.example.com:
          public_key: vY9RbELQulcwC5VBXaZ93egzOlI5zsSBeZZ8P9pQaaJ=
          preshared_key: ...
          allowed_ips: 10.20.0.1/32
          endpoint: sally.example.com:51820
    host3:
      wireguard_interface: "wg2"
      wireguard_port: 51822
      wireguard_address: 10.0.3.1/32
      wireguard_allowed_ips: 10.30.0.1/32
      wireguard_endpoint: my.dns.name.com
      wireguard_unmanaged_peers:
        bob.example.com:
          public_key: VBXaZ93egzOlI5zvY9RbELQulcwC5sSBeZZ8P9pQaaJ=
          preshared_key: ...
          allowed_ips: 10.30.0.1/32
          endpoint: bob.example.com:51820

host1 to host3 are actually always the same host, and that's most probably your laptop or some other server. That's something you need to configure in Ansible's hosts file. In wireguard_unmanaged_peers you have the settings for the "other side" you don't have under control, like Joe's or Sally's endpoint. Every connection to your friends will be handled by a different wireguard_interface. That might give you that "point-to-point" connection. But as said: I've no idea if this works at all 🤷‍♂️
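The two inventory snippets in this thread (the hub-and-spoke host_vars with empty wireguard_endpoint values in the earlier reply, and the per-interface wireguard_unmanaged_peers layout just above) both come down to how the [Peer] sections of a wg.conf get rendered. The script below is an added illustration written for this page; it is not the role's own template and does not reproduce its exact behaviour. It assumes a default ListenPort of 51820 when wireguard_port is unset, assumes AllowedIPs defaults to the host's tunnel address as a /32 when wireguard_allowed_ips is absent, applies a host's own wireguard_persistent_keepalive to every peer it has, and uses placeholder public keys and a constructed inventory shaped like the ones posted above. It renders the mesh config from group host_vars (omitting the Endpoint line for hosts whose endpoint is ""), renders one point-to-point config per interface from wireguard_unmanaged_peers, and adds two checks a practitioner wants: a simplified reachability model showing why two endpoint-less spokes never talk, and an overlap check on AllowedIPs, because WireGuard's cryptokey routing silently hands an overlapping prefix to whichever peer was configured last.

```python
import ipaddress

DEFAULT_PORT = 51820  # assumption: used when wireguard_port is not set on a host

# Constructed inventory modelled on the hub-and-spoke host_vars in the thread.
# Public keys are placeholders, real ones come from `wg genkey | wg pubkey`.
HUB_AND_SPOKE = {
    "test-wg-ubuntu2004": {"wireguard_address": "10.10.10.10/24", "wireguard_port": 51820,
                           "wireguard_endpoint": "192.168.10.10",
                           "wireguard_persistent_keepalive": "30", "public_key": "PUBKEY_A="},
    "test-wg-ubuntu1804": {"wireguard_address": "10.10.10.20/24", "wireguard_endpoint": "",
                           "wireguard_persistent_keepalive": "30", "public_key": "PUBKEY_B="},
    "test-wg-debian11": {"wireguard_address": "10.10.10.30/24", "wireguard_endpoint": "",
                         "wireguard_persistent_keepalive": "30", "public_key": "PUBKEY_C="},
}

# Constructed point-to-point host modelled on the wireguard_unmanaged_peers snippet.
DALLAS_WG0 = {
    "wireguard_address": "10.0.1.1/32", "wireguard_port": 51820,
    "wireguard_persistent_keepalive": "30",
    "wireguard_unmanaged_peers": {
        "joe.example.com": {"public_key": "PUBKEY_JOE=", "preshared_key": "PSK_JOE=",
                            "allowed_ips": "10.10.0.1/32", "endpoint": "joe.example.com:51820"},
    },
}


def allowed_ips(hv):
    """AllowedIPs that other hosts use for this host: explicit wireguard_allowed_ips,
    otherwise (assumed default) the host's own tunnel address as a /32."""
    if hv.get("wireguard_allowed_ips"):
        return hv["wireguard_allowed_ips"]
    return str(ipaddress.ip_interface(hv["wireguard_address"]).ip) + "/32"


def render_peer(pub, ips, endpoint=None, psk=None, keepalive=None):
    """One [Peer] block. An empty or missing endpoint yields no Endpoint line,
    so this side can only answer, never initiate, towards that peer."""
    lines = ["[Peer]", f"PublicKey = {pub}"]
    if psk:
        lines.append(f"PresharedKey = {psk}")
    lines.append(f"AllowedIPs = {ips}")
    if endpoint:
        lines.append(f"Endpoint = {endpoint}")
    if keepalive:
        lines.append(f"PersistentKeepalive = {keepalive}")
    return "\n".join(lines)


def render_mesh_config(host, hosts):
    """Config for `host` with one [Peer] per other host in the inventory group."""
    hv = hosts[host]
    out = ["[Interface]", f"Address = {hv['wireguard_address']}",
           f"ListenPort = {hv.get('wireguard_port', DEFAULT_PORT)}", "PrivateKey = <from vault>"]
    for name, pv in hosts.items():
        if name == host:
            continue
        ep = pv.get("wireguard_endpoint")
        ep = f"{ep}:{pv.get('wireguard_port', DEFAULT_PORT)}" if ep else None
        out += ["", render_peer(pv["public_key"], allowed_ips(pv), ep,
                                keepalive=hv.get("wireguard_persistent_keepalive"))]
    return "\n".join(out) + "\n"


def reachable(a, b, hosts):
    """Simplified model: a handshake needs at least one side to know the other's
    endpoint; keepalives then teach the passive side the source address.
    Two spokes that both lack an endpoint can never find each other."""
    return bool(hosts[a].get("wireguard_endpoint") or hosts[b].get("wireguard_endpoint"))


def find_overlaps(peers):
    """Pairs of peers on one interface whose AllowedIPs overlap (cryptokey routing
    would give the overlapping prefix to the last peer configured, silently)."""
    nets = [(n, ipaddress.ip_network(p["allowed_ips"], strict=False)) for n, p in peers.items()]
    return [(n1, n2) for i, (n1, a) in enumerate(nets) for n2, b in nets[i + 1:] if a.overlaps(b)]


def render_p2p_config(iface, hv):
    """One interface per friend; peers come only from wireguard_unmanaged_peers."""
    peers = hv["wireguard_unmanaged_peers"]
    if find_overlaps(peers):
        raise ValueError(f"{iface}: overlapping AllowedIPs {find_overlaps(peers)}")
    out = [f"# {iface}", "[Interface]", f"Address = {hv['wireguard_address']}",
           f"ListenPort = {hv['wireguard_port']}", "PrivateKey = <from vault>"]
    for p in peers.values():
        out += ["", render_peer(p["public_key"], p["allowed_ips"], p.get("endpoint"),
                                p.get("preshared_key"), hv.get("wireguard_persistent_keepalive"))]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for h in HUB_AND_SPOKE:
        print(f"### {h}\n{render_mesh_config(h, HUB_AND_SPOKE)}")
    print(render_p2p_config("wg0", DALLAS_WG0))
```

Running it prints three mesh configs (the hub gets two peers without Endpoint lines, each spoke gets the hub with an Endpoint and the other spoke without one) plus the Dallas wg0 point-to-point config. Two things to keep in mind when you copy the unmanaged-peers pattern from the reply above into real inventory: the preshared_key values end up on disk in plain text in host_vars, so put them in Ansible Vault rather than committing them, and keep each peer's allowed_ips as tight as possible (a /32 per peer, as in the snippet), since AllowedIPs is the only access control WireGuard applies to traffic arriving through a tunnel.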