Boringguard - Ansible Role for Wireguard install & setup

https://github.com/N-Storm/boringguard

Hey everyone! 👋

I wanted to share a piece of my private collection of custom ansible roles that I've created for configuring and managing various VPSs, lowends included. I've recently decided to make one of these roles, Boringguard, public to see if it might be useful to the community.

Features:

  • Compatibility: It works with deb/apt-based distros like Debian 11+ (might work with 9+, haven't tested), Ubuntu 20.04+, Armbian, and RPM-based RHEL8+ distros (CentOS, Rocky, Alma, Oracle, etc).
  • Boringtun Installation: This role can install Boringtun, a userspace Wireguard daemon implementation by CloudFlare, which doesn't require a kernel module. It's great for container-based VPSs (OpenVZ, LXC, Virtuozzo, etc), especially if you have TUN/TAP capability. It even works on NAT VPSs with UDP port-forwarding.
  • Binary Packages Included (.deb and .rpm): Since there's no official repo for Boringguard and no distro packages available, I've built binaries from sources for various architectures (x86_64, aarch64, ARMv7). This includes builds with MUSL lib as well as Glibc, to better suit resource-constrained devices. Should work on a variety of small/embedded devices, like SBCs, ARM routers, etc. Tested on Hetzner CAX ARM64 plans and ARMv7 Orange Pi One SBC.
    Don't trust my binaries? I'm absolutely with you here ;) You can build and add your own. The packages to install are configurable in a yaml vars file. Let me know if you need a guide for building those packages. Just a couple of requests and I'll write a recipe to automate building the packages I have there.

  • Configurations and QR Codes: Configure the server with as many peers as you want and generate client config files and QR-codes.

  • Idempotent with Persistent Config: The primary reason I created my own 'Wireguard installer' is probably its idempotency and persistent configuration. It's mostly inspired by the "Nyr wireguard-install script", but I found it lacking in the ability to restore VPN settings on VPS reinstall/migration/etc. (like almost every Wireguard install script), not to mention the absence of ARM support. This is where Ansible comes in as a more suitable tool for such tasks - you simply define your configuration with variables for each host (or even host group), tweak some settings or start with the defaults, and set up your VPN. Once generated, items like private keys and other settings will be stored on the host used for configuration (the "ansible host").
    I don't want to configure clients from scratch every time I need to rebuild a VPS. Or manually fix configs on VPS migration, for example. Can be a serious hassle if you have many VPSs or clients. Managed configuration approach solves a few things at once here:
    • a) generates a populated VPN config file which you can edit. When you run the playbook again, the new settings will be applied;
    • b) ensures that if you reinstall/migrate/change your VPS, running the playbook again will install and restore the same settings as before (assuming the hostname remains the same). Peers can connect with the same keys/certs as before.

This might not be a huge deal, but it's incredibly useful for me. As a part of a much larger "VPS toolkit" I have, which I'm not planning to make fully public (it's tailored to my specific environment). However, if Boringguard is useful to others, I might consider migrating more features from my private collection.

Docs & Feedback:

I haven't finished the documentation yet (missing Quick Start, etc.). Feel free to ask here if you're interested, and I'll work on improving the docs if there's enough interest.

Cheers! 🚀
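An added example (my own sketch, not Boringguard's code) of the idempotent, persisted-key approach the post describes: the server key is generated once on the Ansible controller, reused on every later run, and the VPS config is rendered from it. Assumes `wg` is installed on the controller and that `wg_state_dir`, `wg_listen_port`, `wg_server_address` and `wg_peers` (a list with `name`, `public_key`, `address`) are defined by the caller.

```yaml
# Example tasks (not part of Boringguard): idempotent WireGuard server key
# persisted on the Ansible controller, so a reinstalled VPS gets the same identity.
# Assumed variables: wg_state_dir, wg_listen_port, wg_server_address, wg_peers.
- name: Ensure a per-host state directory exists on the controller
  ansible.builtin.file:
    path: "{{ wg_state_dir }}/{{ inventory_hostname }}"
    state: directory
    mode: "0700"
  delegate_to: localhost

- name: Generate the server private key only if it does not exist yet
  ansible.builtin.shell: umask 077 && wg genkey > server.key
  args:
    chdir: "{{ wg_state_dir }}/{{ inventory_hostname }}"
    creates: server.key          # makes the task a no-op on later runs
  delegate_to: localhost

- name: Derive the server public key from the stored private key
  ansible.builtin.command: wg pubkey
  args:
    stdin: "{{ lookup('file', wg_state_dir ~ '/' ~ inventory_hostname ~ '/server.key') }}"
  register: wg_server_pub
  changed_when: false          # pure derivation, never reports a change
  delegate_to: localhost

- name: Render wg0.conf on the VPS from the persisted key and the peer list
  ansible.builtin.copy:
    dest: /etc/wireguard/wg0.conf
    owner: root
    group: root
    mode: "0600"
    content: |
      [Interface]
      PrivateKey = {{ lookup('file', wg_state_dir ~ '/' ~ inventory_hostname ~ '/server.key') }}
      ListenPort = {{ wg_listen_port }}
      Address = {{ wg_server_address }}
      {% for peer in wg_peers %}

      # {{ peer.name }}
      [Peer]
      PublicKey = {{ peer.public_key }}
      AllowedIPs = {{ peer.address }}/32
      {% endfor %}
  become: true

- name: Show the server public key clients must put in their [Peer] section
  ansible.builtin.debug:
    msg: "Server public key for {{ inventory_hostname }}: {{ wg_server_pub.stdout }}"
```

Because `creates:` short-circuits the key generation and the config is rendered from the controller-side file, re-running the play after a rebuild leaves peers connecting to the same server key as before.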

Comments

  • API Member

    Looks interesting! If you have some time to add the package builds it would be awesome :blush:

  • nstorm Member (edited January 29)

    @API said: Looks interesting! If you have some time to add the package builds it would be awesome

    I've created an experimental Dockerfile that builds Boringtun packages inside containers (and keeping the host system clean of build artifacts). It should be an easy way to compile your own packages from source. I will push it to the repository along with some instructions soon.

    Thanked by 1: API
  • @API added build script & Dockerfile to the repo: https://github.com/N-Storm/boringguard/tree/master/build
    Tested to work on Debian 11/12.

    Thanked by 1: API
  • It's great for container-based VPSs (OpenVZ, LXC, Virtuozzo, etc), especially if you have TUN/TAP capability

    sigh, used ChatGPT as a hack to correct text. But missed that "he" added his own flavour here. Actually, this sentence was supposed to mean that you can run a WireGuard VPN server on a container-type VPS, but that is only possible if you have TUN/TAP capability, of course.
