Forge Home

wireguard

installs, configures, and manages wireguard

Vox Pupuli

puppet

1,739 downloads

224 latest version

5.0 quality score

Version information

  • 0.9.0 (latest)
  • 0.8.2
  • 0.8.0
  • 0.7.0
  • 0.6.2
  • 0.6.1
  • 0.5.0
released Sep 17th 2021
This version is compatible with:
  • Puppet Enterprise 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x
  • Puppet >= 6.1.0 < 8.0.0
  • Archlinux, Gentoo,
    Ubuntu
    ,
    Debian

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this declaration to your Puppetfile:

mod 'puppet-wireguard', '0.9.0'
Learn more about managing modules with a Puppetfile

Add this module to a Bolt project:

bolt module add puppet-wireguard
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install puppet-wireguard --version 0.9.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download

Documentation

puppet/wireguard — version 0.9.0 Sep 17th 2021

puppet-wireguard

Build Status Release Puppet Forge Puppet Forge - downloads Puppet Forge - endorsement Puppet Forge - scores puppetmodule.info docs AGPL v3 License

Puppet module to configure wireguard through systemd-networkd configs

Setup

The module can create firewall rules with voxpupuli/ferm. This is enabled by default can be disabled by setting the manage_firewall parameter to false in the wireguard::interface defined resource. You need to have the ferm class in your catalog to use the feature.

This module uses systemd-networkd. You need to have a systemd-networkd service resource in your catalog. We recommend voxpupuli/systemd with manage_networkd set to true.

Furthermore this module assumes that you've a dualstack machine. Your IPv4 and IPv6 addresses will be automatically set to the destination_addresses array from the wireguard::interface defined resource. If you don't have dualstack you need to overwrite the parameter.

There is a structured fact called wireguard_pubkeys which is a hash with each filename without the .pub and the content (the public key):

# facter -p wireguard_pubkeys
{
  as1234 => "40mH10BbolserhidsruhieudrstlJBB7fxvoPlU=",
  as5678 => "Tci/bHoPColserjfoisehrjioesurrhGpEN+NDueNjUvBA=",
  asblub => "M7lTopd2koserhioesrhiouwerhpcvqSWEviI=",
  notebook => "sK9Ld+p1eH4id+BAuM6lserheoishriouwKhgwFf/HRw=",
  lan => "dIXj6QcWGBWTzq0pwoerjow4eroiwe4jr4CGkXUID3J8rO2k="
}

Example configurations

configure a tunnel with the name as9876.

  • listen for incoming traffic on port 9876
  • create a ferm rule to allow traffic on the global IPv4/IPv6 addresses
  • configure the provided public key from the peer
  • assign a IPv4 and IPv6 prefix on the tunnel interface
wireguard::interface {'as9876':
  source_addresses => ['2003:4e0:c17:5d::1', '195.37.53.176'],
  public_key       => 'BcxLll1BVxGkehriuehrFvjvX+EBhS4vcDn0R0=',
  endpoint         => 'wireguard.example.com:53668',
  addresses        => [{'Address' => '192.168.123.6/30',},{'Address' => 'fe80::beef:1/64'},],
}

configure a tunnel with the name as1234

  • listen on port 9876
  • don't create firewall rules
  • assign a IPv4 and IPv6 prefix on the tunnel interface
    • use /32 for the IPv4 address and add a peer route
wireguard::interface {'as1234':
  manage_firewall => false,
  public_key      => 'B1xSG/XTJRLd+GrWDsB06BqnIq8Xud93YVh/LYYYtUY=',
  endpoint        => 'wireguard.example.com:53668',
  addresses       => [{'Address' => '192.168.218.87/32', 'Peer' => '172.20.53.97/32'}, {'Address' => 'fe80::ade1/64',},],
}

Parameter reference

All parameters are documented with puppet-strings. You can view the markdown-rendered result at REFERENCE.md.

Tests

This module has several unit tests and linters configured. You can execute them by running:

bundle exec rake test

Detailed instructions are in the CONTRIBUTING.md file.

Contributions

Contribution is fairly easy:

  • Fork the module into your namespace
  • Create a new branch
  • Commit your bugfix or enhancement
  • Write a test for it (maybe start with the test first)
  • Create a pull request

Detailed instructions are in the CONTRIBUTING.md file.

License and Author

This module was originally written by Tim Meusel. It's licensed with AGPL version 3.