
baseline_wireguard_mesh

The cake function baseline_wireguard_mesh executes the Ansible role role-wireguard-mesh, which installs and configures WireGuard in a server-to-server mesh: every server is a peer of every other server and is reachable on a private mesh IP through an encrypted tunnel between the servers' public IPs.

Simplified, role-wireguard-mesh works as follows:

  • Install the wireguard apt packages
  • Generate a WireGuard private and public key pair on each server
  • Fetch the public key of every other server
  • Template /etc/wireguard/mesh.conf, which lists the public IP and public key of every other server as a peer

Information

Playbook path: plays/baseline/wireguard-mesh.yml
Role: https://git.blunix.com/ansible-roles/role-wireguard-mesh
Tags: https://git.blunix.com/ansible-roles/role-wireguard-mesh/-/tags
Defaults: https://git.blunix.com/ansible-roles/role-wireguard-mesh/-/blob/master/defaults/main.yml

Config files:

/etc/wireguard/mesh.conf - WireGuard configuration file for the server-to-server mesh network
/etc/wireguard/mesh.key - WireGuard mesh private key; readable by root only and never leaves the server
/etc/wireguard/mesh.pub - WireGuard mesh public key; this is the file the other servers fetch

Example

Define a subnet for the wireguard mesh:

inventory/group_vars/all.yml:

wireguard_mesh_subnet: "172.16.0.0/24"

Define individual wireguard mesh IPs for each server:

inventory/hosts:

cus-www-prod-db-1 nic_wg_mesh_ip=172.16.0.21 nic_pub_ip=3.4.5.6
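To make the steps of the role and the inventory variables above concrete, here is an added example that is not the role's own template: a POSIX shell function that renders a wg-quick mesh.conf for one host from a hosts file in the inventory format shown. It assumes a listen port of 51819 (the port seen in the wg show output later on this page), a key directory holding one <hostname>.key and <hostname>.pub per server in place of the keys the role generates and fetches, and the constructed two-host inventory embedded below; none of these come from the page.

```shell
#!/bin/sh
# Added example, not the role's own template: render a wg-quick mesh.conf
# for one host from a hosts file in the inventory format shown above.
# Assumptions not taken from the page: listen port 51819, and a key directory
# holding <hostname>.key / <hostname>.pub standing in for the per-server keys.
set -eu

WG_PORT=51819

# host_var HOSTS_FILE HOSTNAME VARNAME -> value of VARNAME=... on HOSTNAME's line
host_var() {
  awk -v h="$2" -v k="$3" '
    $1 == h { for (i = 2; i <= NF; i++)
                if (index($i, k "=") == 1) { print substr($i, length(k) + 2); exit } }
  ' "$1"
}

# render_mesh_conf HOSTS_FILE SELF_HOSTNAME KEY_DIR SUBNET -> mesh.conf on stdout
render_mesh_conf() {
  hosts_file=$1; self=$2; keydir=$3; subnet=$4
  prefix=${subnet#*/}                         # "172.16.0.0/24" -> "24"
  self_ip=$(host_var "$hosts_file" "$self" nic_wg_mesh_ip)
  [ -n "$self_ip" ] || { echo "$self: no nic_wg_mesh_ip in $hosts_file" >&2; return 1; }

  printf '[Interface]\n'
  printf 'Address = %s/%s\n' "$self_ip" "$prefix"
  printf 'ListenPort = %s\n' "$WG_PORT"
  printf 'PrivateKey = %s\n' "$(cat "$keydir/$self.key")"

  # One [Peer] per other host: its public key, its public endpoint, and only
  # its own /32 as AllowedIPs, so no peer can claim another peer's mesh address.
  while read -r host rest; do
    case $host in ''|'#'*|'['*) continue ;; esac   # blanks, comments, group headers
    [ "$host" = "$self" ] && continue
    mesh_ip=$(host_var "$hosts_file" "$host" nic_wg_mesh_ip)
    pub_ip=$(host_var "$hosts_file" "$host" nic_pub_ip)
    if [ -z "$mesh_ip" ] || [ -z "$pub_ip" ]; then
      echo "$host: missing nic_wg_mesh_ip or nic_pub_ip, skipping" >&2; continue
    fi
    printf '\n[Peer]\n# %s\n' "$host"
    printf 'PublicKey = %s\n' "$(cat "$keydir/$host.pub")"
    printf 'Endpoint = %s:%s\n' "$pub_ip" "$WG_PORT"
    printf 'AllowedIPs = %s/32\n' "$mesh_ip"
  done < "$hosts_file"
}

# Constructed demo inventory and keys for a stand-alone run (not real servers).
# Real key pairs come from `wg genkey` / `wg pubkey` when wg is installed.
demo=$(mktemp -d)
cat > "$demo/hosts" <<'EOF'
[all]
cus-www-prod-db-1 nic_wg_mesh_ip=172.16.0.21 nic_pub_ip=3.4.5.6
cus-www-prod-web-1 nic_wg_mesh_ip=172.16.0.24 nic_pub_ip=1.2.3.4
EOF
for h in cus-www-prod-db-1 cus-www-prod-web-1; do
  if command -v wg >/dev/null 2>&1; then
    wg genkey | tee "$demo/$h.key" | wg pubkey > "$demo/$h.pub"
  else
    echo "PRIVATE_KEY_OF_$h=" > "$demo/$h.key"; echo "PUBLIC_KEY_OF_$h=" > "$demo/$h.pub"
  fi
done

render_mesh_conf "$demo/hosts" cus-www-prod-db-1 "$demo" 172.16.0.0/24
```

The point worth checking in any generated mesh.conf is the AllowedIPs line: it must be the single /32 mesh address of that peer, because WireGuard routes by AllowedIPs and also uses it as the source-address filter for decrypted packets, so a peer given a wider range could impersonate other servers on the mesh.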

Adding new servers

Define the new servers in inventory/hosts (with nic_wg_mesh_ip and nic_pub_ip) and execute cake -f baseline_wireguard_mesh -i pub. Use --inventory pub, which reaches the servers over their public IPs: the play re-templates mesh.conf on every server and restarts the mesh interface, so a run over the mesh VPN itself (--inventory vpn) would cut its own connection mid-play.

Usage

Common commands

Show wireguard status:

root@any-server ~ # wg show

interface: mesh
  public key: wireguard-public-key=
  private key: (hidden)
  listening port: 51819

peer: wireguard-public-key=
  endpoint: 1.2.3.4:51819
  allowed ips: 172.16.0.24/32
  latest handshake: 2 seconds ago
  transfer: 1.60 GiB received, 160.15 MiB sent

peer: wireguard-public-key=
  endpoint: 2.3.4.5:51819
  allowed ips: 172.16.0.34/32
  latest handshake: 11 seconds ago
  transfer: 1.50 GiB received, 122.50 MiB sent

[...]
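The "latest handshake" column above is the quickest health signal for the mesh: WireGuard re-handshakes roughly every two minutes while traffic flows, so a peer whose handshake is many minutes old (or has never happened) is unreachable. The following is an added example, not part of the page or the role, that turns that check into a script over the machine-readable wg show mesh dump output. It assumes the wg(8) dump format (after the interface line, each peer line is tab-separated public key, preshared key, endpoint, allowed IPs, latest handshake as unix time with 0 meaning never, rx bytes, tx bytes, keepalive) and uses a constructed sample dump with placeholder keys.

```shell
#!/bin/sh
# Added example, not part of the page or the role: flag mesh peers whose last
# handshake is older than a threshold, from `wg show mesh dump`.
# Assumed dump format (wg(8)): line 1 is the interface, every further line is
# tab-separated public-key, preshared-key, endpoint, allowed-ips,
# latest-handshake (unix time, 0 = never), rx bytes, tx bytes, keepalive.
set -eu

# stale_peers DUMP_FILE NOW_EPOCH MAX_AGE_SECONDS
# Prints "<public-key> <endpoint> <allowed-ips> <age>" for every peer whose
# last handshake is older than MAX_AGE_SECONDS or has never happened.
stale_peers() {
  awk -F'\t' -v now="$2" -v max="$3" '
    NR == 1          { next }                            # interface line, not a peer
    $5 == 0          { print $1, $3, $4, "never"; next }
    now - $5 > max   { print $1, $3, $4, (now - $5) "s" }
  ' "$1"
}

# Constructed sample dump with placeholder keys (not real wg output):
# peer A handshaked 2 s ago, peer B 15 min ago, peer C never (no endpoint yet).
now=$(date +%s)
dump=$(mktemp)
{
  printf 'PRIVATE_KEY=\tINTERFACE_PUBLIC_KEY=\t51819\toff\n'
  printf 'PEER_A=\t(none)\t1.2.3.4:51819\t172.16.0.24/32\t%s\t1717986918\t167931904\toff\n' "$((now - 2))"
  printf 'PEER_B=\t(none)\t2.3.4.5:51819\t172.16.0.34/32\t%s\t1610612736\t128450560\toff\n' "$((now - 900))"
  printf 'PEER_C=\t(none)\t(none)\t172.16.0.44/32\t0\t0\t0\toff\n'
} > "$dump"

# On a real server replace the block above with: wg show mesh dump > "$dump"
stale_peers "$dump" "$now" 180
```

A threshold of 180 seconds matches WireGuard's own session expiry, so anything it reports is a tunnel that is actually down rather than merely idle; for peers that legitimately carry no traffic, compare against the PersistentKeepalive interval instead, or simply ping their mesh IP first to force a handshake.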

Start / Stop wireguard:

systemctl stop wg-quick@mesh.service
systemctl start wg-quick@mesh.service
systemctl status wg-quick@mesh.service

Debugging

Ping all servers via VPN. The ping packets are routed from your workstation via the employee VPN to gateway-1 or gateway-2, then over the server-to-server mesh VPN from that gateway to the destination server:

CAKE master * cake -f debug_ping -i vpn
[...]
TASK [ping] ******************
ok: [cus-util-prod-log-1]
ok: [cus-util-prod-monitoring-1]
ok: [cus-util-prod-gitci-1]
ok: [cus-util-prod-deploy-1]
ok: [cus-www-prod-web-1]
ok: [cus-www-prod-myapp-1]
[...]

Ping server A from server B:

root@cus-util-prod-monitoring-1 ~ # host log
log has address 172.16.0.9

root@cus-util-prod-monitoring-1 ~ # ping 172.16.0.9
PING 172.16.0.9 (172.16.0.9) 56(84) bytes of data.
64 bytes from 172.16.0.9: icmp_seq=1 ttl=64 time=1.01 ms

Source of the following commands

Debug wireguard logs live (needs a kernel built with CONFIG_DYNAMIC_DEBUG and debugfs mounted at /sys/kernel/debug; the last command switches the verbose logging off again once you are done):

echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
dmesg -wT | grep wireguard
echo module wireguard -p > /sys/kernel/debug/dynamic_debug/control

Debug wireguard packets on the wire. The payload is encrypted, so this only tells you whether handshake and data packets reach the mesh port at all, which is what you need when a peer shows no recent handshake. Note the filter syntax: udp port 51819, not port 51819 udp, which tcpdump rejects:

tcpdump -ni any udp port 51819