23
Automate Generating WireGuard Config without Managing Existing Installation (lemmy.cafe)
submitted 1 year ago by Skyline@lemmy.cafe to c/selfhosted@lemmy.world
4 comments fedilink hide all child comments

Is there an open-source tool to bulk-generate wireguard configurations without managing the wireguard installation itself?

I have an existing server set up with a special wireguard configuration that I created manually. I want to add a standard VPN server configuration to that machine without affecting the existing configuration. I've used tools for this in the past, but they all work on the premise that wireguard isn't already installed and that only said tool is used to managed the installation. I'm worried this might break my existing config, so what I want is something to automate generating keys and writing configuration files, without interacting with the existing wireguard installation. Does this exist?

you are viewing a single comment's thread
view the rest of the comments
[-] Skyline@lemmy.cafe 1 points 1 year ago

Sure, it's possible. I could do it by hand, but the more clients you want to add, the more cumbersome the process. What I'd like is a tool to automate what is mostly a templating process.

[-] aard@kyu.de 2 points 1 year ago* (last edited 1 year ago)

This should be trivially scriptable by ansible. Ideally you'd also transform your existing configuration into an ansible data structure so it can write out the complete config as that way is just more reliably - but ansible also is capable of editing stuff in place.

I'm using a structure like this:

wireguard:
  wg-mgmt:
    interface:
      address: 192.168.1.10/24
      listen_port: 34800
      private_key_file: /etc/wireguard/private.key
      passdb_entry: vpn/fi1-mgmt
    peers:
      aard_meteor:
        public_key: bmV2ZXIgZ29ubmEgZ2l2ZSB5b3UgdXAK
        allowed_ips:
          - 192.168.1.11/32
      aard_zak:
        public_key: bmV2ZXIgZ29ubmEgbGV0IHlvdSBkb3duCg==
        allowed_ips:
          - 192.168.1.12/32

To set up both server and client. I'm mostly adding other peoples systems, so I don't know the private keys, and receive the public ones from them - but if you control both it's also trivial to pull that information from the system you're generating it on, and reuse it later.

This is the template used for the wireguard configuration, this the task managing the wireguard setup.

Getting the pubkey from a private key into a variable in ansible would look something like this:

- name: dump pubkey
  shell: "wg pubkey < {{_pubkey_file}}"
  register: _wg_pubkey
  changed_when: false

- name: register pubkey
  set_fact:
    wg_pubkey: "{{_wg_pubkey.stdout}}"
  when: >
     _wg_pubkey is defined

It's then easy to dump it into a password store or something like that - if you check the repo in above links you'll see pass heavily used.

this post was submitted on 04 Sep 2023
23 points (92.6% liked)

Selfhosted

39937 readers
395 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz