homelab/wireguard/README.md

# WireGuard

## Install WireGuard

https://www.wireguard.com/install/

## Ansible

Run the three playbooks in this order: key generation first, then the interface, then the peer entries (the peers playbook needs every host's public key to exist already).

```bash
ansible-playbook -i ansible/inventory.yaml wireguard/keys.yaml
ansible-playbook -i ansible/inventory.yaml wireguard/wireguard.yaml
ansible-playbook -i ansible/inventory.yaml wireguard/peers.yaml
```

## DNS Records

Collect the `<hostname>-wg.reeselink.com` / tunnel address pairs from `vars.yaml` (one value per output line, name followed by address):

```bash
cat wireguard/vars.yaml | \
    yq -r '.ip | map([.hostname + "-wg.reeselink.com", .address]).[].[]' > dns/duconet-wg.txt
```

## CLI Setup

Each peer generates its own key pair locally and only the public key is ever shared. The `umask 077` before `wg genkey` keeps the private key file unreadable by other users (the same step the upstream quick start uses). Tunnel addresses follow `10.10.10.N/24` for peer N; every `allowed-ips` below is IPv4, so every peer needs an IPv4 tunnel address.

```bash
# Peer 1
umask 077
wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey

ip link add dev duconet-wg type wireguard

ip address add dev duconet-wg fd00:fd41:d0f1:1010::0/64
# the IPv4 tunnel address the other peers' allowed-ips (10.10.10.0/24) route to
ip address add dev duconet-wg 10.10.10.1/24

wg set duconet-wg \
    listen-port 51821 \
    private-key /etc/wireguard/privatekey

wg set duconet-wg \
    peer CQxNsdPgfzjvOszjn/UZHFdAY3k+D9J+vI8qKUjCYV0= \
    allowed-ips '10.10.10.0/24' \
    endpoint 10.1.200.253:51821

ip link set up dev duconet-wg
# wg-quick save refuses to run without an existing config file, hence the touch;
# wg-quick writes the saved file (private key included) with umask 077
touch /etc/wireguard/duconet-wg.conf
wg-quick save duconet-wg
# to bring it up on boot: systemctl enable wg-quick@duconet-wg (Teardown below undoes this)
```

```bash
# Peer 2
umask 077
wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey

ip link add dev duconet-wg type wireguard

ip address add dev duconet-wg 10.10.10.2/24

wg set duconet-wg \
    listen-port 51821 \
    private-key /etc/wireguard/privatekey \
    peer kzbHUGzYk6Uyan/NFYY5mh3pxf2IX/WzWZtImeyp6Sw= \
    allowed-ips '10.10.10.0/24' \
    endpoint 10.1.203.197:51821

ip link set up dev duconet-wg
touch /etc/wireguard/duconet-wg.conf
wg-quick save duconet-wg
```

```bash
# Peer 3
umask 077
wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey

ip link add dev duconet-wg type wireguard

ip address add dev duconet-wg 10.10.10.3/24

wg set duconet-wg \
    listen-port 51821 \
    private-key /etc/wireguard/privatekey \
    peer kzbHUGzYk6Uyan/NFYY5mh3pxf2IX/WzWZtImeyp6Sw= \
    allowed-ips '10.10.10.0/24' \
    endpoint 10.1.203.197:51821

# NOTE: allowed-ips is WireGuard's cryptokey routing table and a prefix can belong
# to only one peer per interface. This second `wg set` silently moves 10.10.10.0/24
# from the kzbH... peer to the 9/dB... peer, so afterwards all tunnel traffic goes
# to 10.1.2.10. In a mesh give each peer only its own /32 (10.10.10.1/32,
# 10.10.10.2/32, ...) and keep the /24 only on a single hub peer that forwards.
wg set duconet-wg \
    peer 9/dBUlO9TGf0H9M3xwPiuIuz6Q/u7fSJVZaUxqAiqi8= \
    allowed-ips '10.10.10.0/24' \
    endpoint 10.1.2.10:51821

ip link set up dev duconet-wg
touch /etc/wireguard/duconet-wg.conf
wg-quick save duconet-wg
```
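The peer blocks above hand-build a mesh in which every remote peer is given the whole 10.10.10.0/24 as allowed-ips. The script below is an added example, not code from this repo: it renders a wg-quick config per peer with exactly one /32 per remote peer, and checks any config file for an AllowedIPs prefix listed under more than one `[Peer]`, which is the overlap `wg set` would otherwise resolve silently. The peer table, the key strings and the mapping of endpoints to peers are constructed placeholders, not the lab's real values.

```bash
#!/bin/bash
# Added example, not from the homelab repo. Renders a wg-quick config for a
# full mesh in which each remote peer gets only its own /32 as AllowedIPs,
# and checks a config file for an AllowedIPs prefix listed under more than
# one [Peer]: WireGuard keeps one owner per prefix, so such a file ends up
# routing everything to whichever peer was configured last.
set -eu

# Constructed peer table (name, tunnel address, public endpoint, public key).
# The keys are placeholders and the endpoint-to-peer mapping is assumed.
PEERS='peer1 10.10.10.1 10.1.203.197 PUBKEY_PEER1_PLACEHOLDER
peer2 10.10.10.2 10.1.200.253 PUBKEY_PEER2_PLACEHOLDER
peer3 10.10.10.3 10.1.2.10 PUBKEY_PEER3_PLACEHOLDER'
PORT=51821

# Constructed example of what the hand-built Peer 3 amounts to: two peers
# both claiming 10.10.10.0/24.
COLLIDING_CONF='[Interface]
PrivateKey = PRIVKEY_PLACEHOLDER
Address = 10.10.10.3/24

[Peer]
PublicKey = PUBKEY_PEER1_PLACEHOLDER
AllowedIPs = 10.10.10.0/24

[Peer]
PublicKey = PUBKEY_PEER2_PLACEHOLDER
AllowedIPs = 10.10.10.0/24'

# render_conf SELF PRIVATE_KEY: print the wg-quick config for peer SELF
render_conf() {
  self="$1"; privkey="$2"
  printf '%s\n' "$PEERS" | while read -r name ip ep pub; do
    if [ "$name" = "$self" ]; then
      printf '[Interface]\nAddress = %s/24\nListenPort = %s\nPrivateKey = %s\n' \
        "$ip" "$PORT" "$privkey"
    fi
  done
  printf '%s\n' "$PEERS" | while read -r name ip ep pub; do
    if [ "$name" = "$self" ]; then continue; fi
    # one /32 per peer: the cryptokey routing table then maps each tunnel
    # address to exactly one public key
    printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s/32\nEndpoint = %s:%s\n' \
      "$name" "$pub" "$ip" "$ep" "$PORT"
  done
}

# dup_allowed_ips CONF: print each AllowedIPs prefix that appears under more
# than one [Peer]; exit status 1 if any were found, 0 if the file is clean.
dup_allowed_ips() {
  awk '
    /^AllowedIPs[ \t]*=/ {
      sub(/^AllowedIPs[ \t]*=[ \t]*/, "")
      n = split($0, list, ",")
      for (i = 1; i <= n; i++) { gsub(/[ \t]/, "", list[i]); seen[list[i]]++ }
    }
    END {
      rc = 0
      for (k in seen) if (seen[k] > 1) { print k; rc = 1 }
      exit rc
    }' "$1"
}

# Usage: ./mesh-conf.sh peer3 "$(cat /etc/wireguard/privatekey)" > /etc/wireguard/duconet-wg.conf
if [ "$#" -eq 2 ]; then
  render_conf "$1" "$2"
fi
```

Run `dup_allowed_ips` against the output of `wg showconf duconet-wg` (written to a file) on each host to confirm no prefix is shared between peers; a non-empty result means the last `wg set` has already stolen that prefix.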

## Teardown

```bash
# teardown
ip link delete duconet-wg                 # removes the interface and its keys from the kernel now
systemctl disable wg-quick@duconet-wg     # stops it coming back on the next boot
```

## TrueNAS

Because TrueNAS's /etc/wireguard is ephemeral (it is rebuilt on every boot), the WireGuard config is kept on a persistent dataset and copied in at boot and back out at shutdown. The two scripts below are named for what they do: `duconet-load.sh` loads the saved config at startup, `duconet-save.sh` saves it at shutdown.

Register them in System Settings -> Advanced -> Init/Shutdown Scripts as type Script: the load script with When = Post Init (the pool holding /mnt/enc1 must already be imported when it runs), the save script with When = Shutdown.

The persistent copy contains the private key, so keep the directory 0700 and the files 0600; `cp -a` preserves those modes in both directions.

Startup script:

/mnt/enc1/truenas/wireguard/duconet-load.sh

```bash
#!/bin/bash
set -e

# restore the config (private key included) from the persistent dataset, then bring the tunnel up
cp -a /mnt/enc1/truenas/wireguard/* /etc/wireguard/
wg-quick up duconet-wg
```

Shutdown script:

/mnt/enc1/truenas/wireguard/duconet-save.sh

```bash
#!/bin/bash
set -e

# write the live interface state back to /etc/wireguard, then persist it
wg-quick save duconet-wg
cp -a /etc/wireguard/* /mnt/enc1/truenas/wireguard/
```
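A stricter version of the same save/load procedure, added here as an example and not taken from the repo: one script handles both directions, copies only `*.conf` files (the file `wg-quick save` writes, which embeds the private key) so the scripts themselves stay out of /etc/wireguard, forces mode 0600 on every copy, and refuses to bring the tunnel up if a config is readable by anyone but root. The default paths and interface name are the ones used in this README; the `load`/`save` arguments and the `PERSIST`/`ETC`/`IFACE` variables are this example's own.

```bash
#!/bin/bash
# Added example, not the repo's own script: persist WireGuard config on TrueNAS
# from one file. `load` copies the saved config into the ephemeral
# /etc/wireguard and brings the tunnel up (register as a Post Init script);
# `save` writes the live interface back and copies it out (Shutdown script).
# Paths default to the README's; override them with environment variables.
set -eu
umask 077   # anything this script creates is private to root

PERSIST="${PERSIST:-/mnt/enc1/truenas/wireguard}"
ETC="${ETC:-/etc/wireguard}"
IFACE="${IFACE:-duconet-wg}"

# sync_wg_conf SRC DST: copy every *.conf from SRC to DST with mode 0600.
# Returns 1 if DST does not exist or SRC holds no *.conf at all.
sync_wg_conf() {
  src="$1"; dst="$2"; copied=0
  [ -d "$dst" ] || { echo "sync_wg_conf: no such directory: $dst" >&2; return 1; }
  for f in "$src"/*.conf; do
    [ -f "$f" ] || continue
    cp "$f" "$dst/$(basename "$f")"
    chmod 600 "$dst/$(basename "$f")"
    copied=$((copied + 1))
  done
  [ "$copied" -gt 0 ]
}

# check_private_modes DIR: return 1 if any *.conf in DIR has any group or
# other permission bit set (those files hold the private key).
check_private_modes() {
  for f in "$1"/*.conf; do
    [ -f "$f" ] || continue
    # columns 5-10 of `ls -l` output are the group and other permission bits
    case "$(ls -ld "$f" | cut -c5-10)" in
      ------) ;;
      *) echo "check_private_modes: $f is not mode 0600" >&2; return 1 ;;
    esac
  done
  return 0
}

wg_load() {
  sync_wg_conf "$PERSIST" "$ETC"
  check_private_modes "$ETC"
  wg-quick up "$IFACE"
}

wg_save() {
  wg-quick save "$IFACE"       # wg-quick writes the file itself with umask 077
  sync_wg_conf "$ETC" "$PERSIST"
}

case "${1:-}" in
  load) wg_load ;;
  save) wg_save ;;
esac
```

Register the one file twice in Init/Shutdown Scripts, once as `... load` (Post Init) and once as `... save` (Shutdown); because it copies only `*.conf`, the key files generated by hand (`privatekey`, `publickey`) are not needed after the first `wg-quick save`, since the saved config embeds the private key.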