wireguard

installs, configures, and manages wireguard

8,958 downloads

658 latest version

4.7 quality score

Version information

  • 4.1.0 (latest)
released Mar 24th 2024
This version is compatible with:
  • Puppet Enterprise 2025.3.x, 2025.2.x, 2025.1.x, 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
  • Puppet >= 7.0.0 < 9.0.0
  • Archlinux, Gentoo, Ubuntu, Debian

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'puppet-wireguard', '4.1.0'

Add this module to your Bolt project:

bolt module add puppet-wireguard

Manually install this module globally with Puppet module tool:

puppet module install puppet-wireguard --version 4.1.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.


Documentation

puppet/wireguard — version 4.1.0 Mar 24th 2024

puppet-wireguard


Puppet module to configure wireguard through systemd-networkd configs

Setup

The module can create firewall rules with voxpupuli/nftables. This is enabled by default but can be disabled by setting the manage_firewall parameter to false in the wireguard::interface defined resource. You need to have the nftables class in your catalog to use the feature (Version 3.6.0 or newer).

Version 3 and older of the module use voxpupuli/ferm to manage firewall rules.

This module can use systemd-networkd or wg-quick to configure tunnels. For the former, you need to have a systemd-networkd service resource in your catalog. We recommend voxpupuli/systemd with manage_networkd set to true. You do not need to configure your entire network with systemd-networkd, only the tunnels. That said, wg-quick might be a better match if you do not want to touch systemd.

Furthermore, this module assumes that you have a dual-stack machine. Your IPv4 and IPv6 addresses are automatically used as the destination_addresses array of the wireguard::interface defined resource. If your machine is not dual-stack, you need to override the parameter.
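The setup described above, for an IPv4-only host, as an added example that is not taken from the module's README: it declares the two prerequisite classes and overrides destination_addresses so the firewall rule is built only from the address the host actually has. The peer address, endpoint and key are constructed placeholders.

```puppet
# Added example, not the module's own code.
# Addresses, endpoint and key below are constructed placeholders.

# Prerequisite for the systemd-networkd provider: a systemd-networkd
# service resource in the catalog (voxpupuli/systemd provides it).
class { 'systemd':
  manage_networkd => true,
}

# Prerequisite for manage_firewall (enabled by default): the nftables
# class from voxpupuli/nftables, version 3.6.0 or newer.
include nftables

wireguard::interface { 'as9876':
  # IPv4-only host: replace the default (IPv4 + IPv6 of this machine)
  # with the single local address the peer connects to.
  destination_addresses => [$facts['networking']['ip']],
  # Only this peer address is allowed through the firewall rule.
  source_addresses      => ['192.0.2.10'],
  public_key            => 'REPLACE_WITH_PEER_PUBLIC_KEY',
  endpoint              => 'wireguard.example.com:53668',
  addresses             => [{ 'Address' => '192.168.123.6/30' }],
}
```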

There is a structured fact called wireguard_pubkeys. It is a hash that maps each key filename (without the .pub extension) to the file's content (the public key):

# facter -p wireguard_pubkeys
{
  as1234 => "40mH10BbolserhidsruhieudrstlJBB7fxvoPlU=",
  as5678 => "Tci/bHoPColserjfoisehrjioesurrhGpEN+NDueNjUvBA=",
  asblub => "M7lTopd2koserhioesrhiouwerhpcvqSWEviI=",
  notebook => "sK9Ld+p1eH4id+BAuM6lserheoishriouwKhgwFf/HRw=",
  lan => "dIXj6QcWGBWTzq0pwoerjow4eroiwe4jr4CGkXUID3J8rO2k="
}

Example configurations

Configure a tunnel with the name as9876:

  • listen for incoming traffic on port 9876
  • create a firewall rule to allow traffic on the global IPv4/IPv6 addresses
  • configure the provided public key from the peer
  • assign an IPv4 and IPv6 prefix on the tunnel interface

wireguard::interface {'as9876':
  source_addresses => ['2003:4e0:c17:5d::1', '195.37.53.176'],
  public_key       => 'BcxLll1BVxGkehriuehrFvjvX+EBhS4vcDn0R0=',
  endpoint         => 'wireguard.example.com:53668',
  addresses        => [{'Address' => '192.168.123.6/30',},{'Address' => 'fe80::beef:1/64'},],
}

Configure a tunnel with the name as1234:

  • listen on port 9876
  • don't create firewall rules
  • assign an IPv4 and IPv6 prefix on the tunnel interface
    • use /32 for the IPv4 address and add a peer route

wireguard::interface {'as1234':
  manage_firewall => false,
  public_key      => 'B1xSG/XTJRLd+GrWDsB06BqnIq8Xud93YVh/LYYYtUY=',
  endpoint        => 'wireguard.example.com:53668',
  addresses       => [{'Address' => '192.168.218.87/32', 'Peer' => '172.20.53.97/32'}, {'Address' => 'fe80::ade1/64',},],
}

More examples are available in the REFERENCE.md file.

Parameter reference

All parameters are documented with puppet-strings. You can view the markdown-rendered result at REFERENCE.md.

Tests

This module has several unit tests and linters configured. You can execute them by running:

bundle exec rake test

Detailed instructions are in the CONTRIBUTING.md file.

Contributions

Contribution is fairly easy:

  • Fork the module into your namespace
  • Create a new branch
  • Commit your bugfix or enhancement
  • Write a test for it (maybe start with the test first)
  • Create a pull request

Detailed instructions are in the CONTRIBUTING.md file.

License and Author

This module was originally written by Tim Meusel. It's licensed with AGPL version 3.