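---
# Provisions a WireGuard server (wg0) plus one client profile per entry in
# `vpn_client_names`, then pulls the client profiles back to the controller.
#
# Assumed execution context (inferred from `owner: root` and the literal
# `/root/wg` path below): these tasks run as root, so `~` resolves to /root.
#
# Security-relevant points in this file:
#   * Private keys end up in registered variables because the templates
#     consume them. Every task whose result or loop item carries a private key
#     is marked `no_log: true`; without that, the key is printed in normal
#     task output (loop items are echoed) and in any logging callback.
#   * Key generation is idempotent (`creates:`). The previous version minted
#     fresh keys on every run, silently invalidating already-deployed clients.
#   * The fetched profiles in wireguard_profiles/ contain client private keys;
#     keep that directory out of version control and restrict its permissions.

- name: Update APT package cache and upgrade installed packages
  apt:
    update_cache: true
    upgrade: dist

- name: Ensure WireGuard DKMS package is removed
  apt:
    name:
      - wireguard-dkms
    state: absent

- name: Install wireguard package
  apt:
    name: wireguard
    state: present

- name: Install qrencode package
  apt:
    name: qrencode
    state: present

# Only reboot when the upgrade actually asks for it (new kernel etc.);
# /var/run/reboot-required is the Debian/Ubuntu marker, which matches the
# apt-based host this file already assumes.
- name: Check whether the package upgrade requires a reboot
  stat:
    path: /var/run/reboot-required
  register: reboot_required_file

- name: Reboot to use new kernel
  reboot:
  when: reboot_required_file.stat.exists

- name: Ensure wireguard service is stopped while keys and config are (re)generated
  systemd:
    name: wg-quick@wg0
    state: stopped

# File modes are quoted: an unquoted 0700 is an integer to the YAML parser
# and its meaning depends on the parser's YAML version.
- name: Generate directory for server configs
  file:
    path: ~/wg/wireguard-server
    state: directory
    owner: root
    group: root
    mode: "0700"

- name: Generate directories for client configs
  file:
    path: "~/wg/{{ item }}"
    state: directory
    owner: root
    group: root
    mode: "0700"
  with_items: "{{ vpn_client_names }}"

# Key files are created under umask 077 so they are 0600 from the start.
# `creates:` keeps an existing key; the key is then read back into the same
# registered variable (and `.stdout` shape) the templates already expect.
- name: Generate private key for the server
  shell: umask 077; wg genkey > ~/wg/wireguard-server.private
  args:
    creates: ~/wg/wireguard-server.private
  no_log: true

- name: Read server private key
  command: cat ~/wg/wireguard-server.private
  register: vpn_server_private_key
  changed_when: false
  no_log: true

# The public key is derived on every run so it can never go stale relative
# to the private key; `wg pubkey` is deterministic, hence `changed_when: false`.
- name: Generate public key for the server
  shell: umask 077; wg pubkey < ~/wg/wireguard-server.private | tee ~/wg/wireguard-server.public
  register: vpn_server_public_key
  changed_when: false

- name: Generate private keys for clients
  shell: umask 077; wg genkey > ~/wg/{{ item }}/wg0.private
  args:
    creates: "~/wg/{{ item }}/wg0.private"
  with_items: "{{ vpn_client_names }}"
  no_log: true

- name: Read client private keys
  command: cat ~/wg/{{ item }}/wg0.private
  register: vpn_client_private_keys
  changed_when: false
  with_items: "{{ vpn_client_names }}"
  no_log: true

- name: Generate public keys for clients
  shell: umask 077; wg pubkey < ~/wg/{{ item }}/wg0.private | tee ~/wg/{{ item }}/wg0.public
  register: vpn_client_public_keys
  changed_when: false
  with_items: "{{ vpn_client_names }}"

# Each loop item is a full command result whose stdout is the client's private
# key; Ansible echoes loop items in normal output, so this task must be no_log.
- name: Generate client configs
  template:
    src: wg0-client.conf
    dest: "~/wg/{{ item.item }}/wg0-client.conf"
    owner: root
    group: root
    mode: "0600"
  with_items: "{{ vpn_client_private_keys.results }}"
  no_log: true

# Regenerated on every run: the PNG is a deterministic function of the
# config, so this stays correct whenever the config above changes.
- name: Generate QR codes for client configs
  shell: umask 077; qrencode --type=PNG --output=/root/wg/{{ item }}/wg0-client.png < ~/wg/{{ item }}/wg0-client.conf
  with_items: "{{ vpn_client_names }}"

- name: Generate server config
  template:
    src: wg0.conf
    dest: /etc/wireguard/wg0.conf
    owner: root
    group: root
    mode: "0600"

- name: Enable ipv4 traffic forwarding
  sysctl:
    name: net.ipv4.ip_forward
    value: "1"
    sysctl_set: true
    state: present
    reload: true

- name: Ensure wireguard service is enabled and started
  systemd:
    name: wg-quick@wg0
    enabled: true
    state: started

# `ansible_ssh_host` is the legacy name and is undefined when the inventory
# uses `ansible_host`; the fallback chain keeps the existing directory layout
# for old inventories and still works for new ones.
- name: Download client conf files to the "wireguard_profiles/" folder on your local host
  fetch:
    src: "~/wg/{{ item }}/wg0-client.conf"
    dest: "wireguard_profiles/{{ ansible_ssh_host | default(ansible_host) | default(inventory_hostname) }}/{{ item }}/"
    flat: true
  with_items: "{{ vpn_client_names }}"

- name: Download client QR code images to the "wireguard_profiles/" folder on your local host
  fetch:
    src: "~/wg/{{ item }}/wg0-client.png"
    dest: "wireguard_profiles/{{ ansible_ssh_host | default(ansible_host) | default(inventory_hostname) }}/{{ item }}/"
    flat: true
  with_items: "{{ vpn_client_names }}"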