

installs, configures, and manages wireguard



Version information

  • 1.1.0 (latest)
  • 1.0.0
  • 0.10.0
  • 0.9.0
  • 0.8.2
  • 0.8.0
  • 0.7.0
  • 0.6.2
  • 0.6.1
  • 0.5.0
released Aug 3rd 2022
This version is compatible with:
  • Puppet Enterprise 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x
  • Puppet >= 6.1.0 < 8.0.0
  • Archlinux, Gentoo, ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'puppet-wireguard', '1.1.0'

Add this module to your Bolt project:

bolt module add puppet-wireguard

Manually install this module globally with Puppet module tool:

puppet module install puppet-wireguard --version 1.1.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



puppet/wireguard — version 1.1.0 Aug 3rd 2022



Puppet module to configure wireguard through systemd-networkd configs


The module can create firewall rules with voxpupuli/ferm. This is enabled by default but can be disabled by setting the manage_firewall parameter to false in the wireguard::interface defined resource. You need to have the ferm class in your catalog to use the feature.

This module uses systemd-networkd. You need to have a systemd-networkd service resource in your catalog. We recommend voxpupuli/systemd with manage_networkd set to true.

Furthermore, this module assumes that you have a dual-stack machine. Your IPv4 and IPv6 addresses will be automatically set to the destination_addresses array from the wireguard::interface defined resource. If you don't have dual-stack, you need to overwrite the parameter.

There is a structured fact called wireguard_pubkeys. It is a hash that maps each key file's name, without the .pub extension, to the file's content (the public key):

# facter -p wireguard_pubkeys
  as1234 => "40mH10BbolserhidsruhieudrstlJBB7fxvoPlU=",
  as5678 => "Tci/bHoPColserjfoisehrjioesurrhGpEN+NDueNjUvBA=",
  asblub => "M7lTopd2koserhioesrhiouwerhpcvqSWEviI=",
  notebook => "sK9Ld+p1eH4id+BAuM6lserheoishriouwKhgwFf/HRw=",
  lan => "dIXj6QcWGBWTzq0pwoerjow4eroiwe4jr4CGkXUID3J8rO2k="
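
How a fact of this shape can be assembled, as an added Ruby illustration that is not the module's own fact code. The function names, the directory passed to `collect_pubkeys` and the sample files are assumptions constructed for the example. Fact values are sent to the Puppet server, so the sketch reads only `.pub` files and accepts a value only if it is a well-formed 32-byte base64 key.

```ruby
require 'base64'
require 'tmpdir'

# Added illustration, not the module's fact code. The key directory is an
# assumption and is supplied by the caller.

# A WireGuard public key is 32 bytes, base64-encoded with padding (44 chars).
def wireguard_pubkey?(text)
  return false unless text.match?(%r{\A[A-Za-z0-9+/]{43}=\z})
  Base64.strict_decode64(text).bytesize == 32
rescue ArgumentError
  false
end

# Build { "<filename without .pub>" => "<public key>" } from *.pub files only.
# Files that do not hold a well-formed key are reported separately, so a
# truncated or misplaced file never ends up in the fact value.
def collect_pubkeys(dir)
  keys = {}
  rejected = []
  Dir.glob(File.join(dir, '*.pub')).sort.each do |path|
    name = File.basename(path, '.pub')
    content = File.read(path).strip
    if wireguard_pubkey?(content)
      keys[name] = content
    else
      rejected << name
    end
  end
  [keys, rejected]
end

# Constructed sample data: random bytes stand in for a real public key.
def demo
  Dir.mktmpdir do |dir|
    good = Base64.strict_encode64(Random.new(1).bytes(32))
    File.write(File.join(dir, 'as9876.pub'), "#{good}\n")
    File.write(File.join(dir, 'as9876'), 'private key file, never read')
    File.write(File.join(dir, 'broken.pub'), "too-short=\n")
    collect_pubkeys(dir)
  end
end

keys, rejected = demo
puts "fact value: #{keys.inspect}"
puts "rejected:   #{rejected.inspect}"
```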

Example configurations

Configure a tunnel with the name as9876:

  • listen for incoming traffic on port 9876
  • create a ferm rule to allow traffic on the global IPv4/IPv6 addresses
  • configure the provided public key from the peer
  • assign an IPv4 and IPv6 prefix on the tunnel interface

wireguard::interface {'as9876':
  source_addresses => ['2003:4e0:c17:5d::1', ''],
  public_key       => 'BcxLll1BVxGkehriuehrFvjvX+EBhS4vcDn0R0=',
  endpoint         => '',
  addresses        => [{'Address' => '',},{'Address' => 'fe80::beef:1/64'},],
}

Configure a tunnel with the name as1234:

  • listen on port 9876
  • don't create firewall rules
  • assign an IPv4 and IPv6 prefix on the tunnel interface
    • use /32 for the IPv4 address and add a peer route

wireguard::interface {'as1234':
  manage_firewall => false,
  public_key      => 'B1xSG/XTJRLd+GrWDsB06BqnIq8Xud93YVh/LYYYtUY=',
  endpoint        => '',
  addresses       => [{'Address' => '', 'Peer' => ''}, {'Address' => 'fe80::ade1/64',},],
}

Parameter reference

All parameters are documented with puppet-strings. You can view the markdown-rendered result at


This module has several unit tests and linters configured. You can execute them by running:

bundle exec rake test

Detailed instructions are in the file.


Contribution is fairly easy:

  • Fork the module into your namespace
  • Create a new branch
  • Commit your bugfix or enhancement
  • Write a test for it (maybe start with the test first)
  • Create a pull request

Detailed instructions are in the file.

License and Author

This module was originally written by Tim Meusel. It's licensed under AGPL version 3.