Skip to content

Latest commit

 

History

History
71 lines (55 loc) · 3.84 KB

README.org

File metadata and controls

71 lines (55 loc) · 3.84 KB

Wireguard Configuration Generator

This is a repository which has a script in Go to generate Wireguard conigurations for multiple VPNs, where there is a single server and multiple clients. The generated configurations are compatible with wg-quick and tunnel all traffic on the clients through the server. The configuration generator handles the generation and sharing of public and private keys. It takes as input a single JSON configuration file, which allows for the easy management of IP addresses within the various tunnels that are setup. In-built validation ensures that you can’t re-use the same IP address for 2 peers in a tunnel and create a problematic setup which doesn’t work.

This configuration generator can be used together with playbooks inside the wireguard-ansible repository.

First, you have to write the JSON configuration which will be used to generate keys and configuration files. input.json.example is an example configuration. One thing to note is that the identifiers for all the peers must be unique.

This example configuration shows the following VPN setup:

img/Wireguard-Configuration-Generator-Schematic.png

There are 2 networks here. When the client has the green network turned on, all traffic will be routed through server1, whereas the blue network will route all traffic through server2. This means that the sites that you visit will see the IP address of server1 rather than the public IP address of client1.

Second, you should generate the wg-quick-compatible configurations using:

 $ go run main.go \
	-configuration-file './config.json' \
	-keys-base-dir './keys' \
	-confs-base-dir './configurations' \
	[-dns-server '8.8.8.8']

Note: Using a custom DNS server is recommended. Using a public DNS server such as 1.1.1.1 (Cloudflare) or 8.8.8.8 (Google) is possible. You can also use a private DNS server which you might be running.[fn:1]

The path to the keys and configurations directories can be pointed to a separate block device. You could use tomb to have a single file which stores everything required for your Wireguard setup and move that file around as you would any other file. You can also version control the configurations to ensure that you don’t end up making some change to the configuration which you can’t revert.

Third, you should write the hosts file which will be used by =ansible-wireguard=[fn:2], if you plan to use that to set up any of the supported operating systems. You can use the hosts.example as a sample. The network names and server identifiers in this file should match those in the JSON configuration file.

Fourth, you should run Ansible on a different host to setup the Wireguard servers and place configurations in the appropriate place and start the SystemD units that will keep Wireguard running. When running ansible-playbook, you should pass the base path of the configuration files as an “extra variable.” The value of the configurations_base_path variable should be the absolute path of the ./configurations directory that was passed as the -confs-base-dir argument to the configuration generator.

 $ ansible-playbook -i hosts.example -CD bootstrap.yml \
	--extra-vars 'configurations_base_path=/home/user/configurations'

Footnotes

[fn:2] This repository is not public on GitHub.

[fn:1] I run a CoreDNS-based DNS server with the blocker plugin, which blocks most domains which serve only advertisements. By combining the adblocking DNS server and Wireguard, I can block ads even on mobile data on an iPhone, where addons like uBlock Origin can’t be installed. Without Wireguard, when using mobile data, it is not possible to specify a DNS server directly (as it is possible while using WiFi.)