This is a repository which has a script in Go to generate Wireguard conigurations for multiple VPNs,
where there is a single server and multiple clients. The generated configurations are compatible
with wg-quick and tunnel all traffic on the clients through the server. The configuration
generator handles the generation and sharing of public and private keys. It takes as input a single
JSON configuration file, which allows for the easy management of IP addresses within the various
tunnels that are setup. In-built validation ensures that you can’t re-use the same IP address for 2
peers in a tunnel and create a problematic setup which doesn’t work.
This configuration generator can be used together with playbooks inside the wireguard-ansible
repository.
First, you have to write the JSON configuration which will be used to generate keys and configuration files. input.json.example is an example configuration. One thing to note is that the identifiers for all the peers must be unique.
This example configuration shows the following VPN setup:
There are 2 networks here. When the client has the green network turned on, all traffic will be
routed through server1, whereas the blue network will route all traffic through server2. This
means that the sites that you visit will see the IP address of server1 rather than the public IP
address of client1.
Second, you should generate the wg-quick-compatible configurations using:
$ go run main.go \
-configuration-file './config.json' \
-keys-base-dir './keys' \
-confs-base-dir './configurations' \
[-dns-server '8.8.8.8']Note: Using a custom DNS server is recommended. Using a public DNS server such as 1.1.1.1 (Cloudflare) or 8.8.8.8 (Google) is possible. You can also use a private DNS server which you might be running.[fn:1]
The path to the keys and configurations directories can be pointed to a separate block device. You could use tomb to have a single file which stores everything required for your Wireguard setup and move that file around as you would any other file. You can also version control the configurations to ensure that you don’t end up making some change to the configuration which you can’t revert.
Third, you should write the hosts file which will be used by =ansible-wireguard=[fn:2], if you plan to
use that to set up any of the supported operating systems. You can use the hosts.example as a
sample. The network names and server identifiers in this file should match those in the JSON
configuration file.
Fourth, you should run Ansible on a different host to setup the Wireguard servers and place
configurations in the appropriate place and start the SystemD units that will keep Wireguard
running. When running ansible-playbook, you should pass the base path of the configuration files
as an “extra variable.” The value of the configurations_base_path variable should be the absolute
path of the ./configurations directory that was passed as the -confs-base-dir argument to the
configuration generator.
$ ansible-playbook -i hosts.example -CD bootstrap.yml \
--extra-vars 'configurations_base_path=/home/user/configurations'[fn:2] This repository is not public on GitHub.
[fn:1] I run a CoreDNS-based DNS server with the blocker plugin, which blocks most domains which serve only advertisements. By combining the adblocking DNS server and Wireguard, I can block ads even on mobile data on an iPhone, where addons like uBlock Origin can’t be installed. Without Wireguard, when using mobile data, it is not possible to specify a DNS server directly (as it is possible while using WiFi.)