This guide covers the setup process for a WireGuard VPN server and includes steps to add and manage VPN clients - using ansible. When you add a client you get a zip file and the QR code in the terminal.
Ensure that you have the following software installed on your system:
- Ansible
- Homebrew (for macOS)
- Python's
netaddrpackage devsec.hardeningAnsible collectioncommunity.generalAnsible collection
If these are not installed, you can set them up with the following commands:
# Install Homebrew (macOS)
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
# Install Ansible
brew install ansible
# Install devsec.hardening Ansible collection
ansible-galaxy collection install devsec.hardening --force
ansible-galaxy collection install community.general --force
# Install netaddr Python package
pip install netaddrInitialize the server IP, username, and SSH port.
make initThe make init command will prompt you for the server host, server username, and SSH port (default: 22).
To set up the WireGuard server, run the following command:
make vpn-server-setupThis command will ask you to enter the DNS server (default: 10.99.0.1).
Secure the server by blocking external access to sensitive ports (like DNS:53 and Web:8080) while allowing VPN clients and SSH.
make vpn-firewall-setupYou can optionally harden your server with the devsec.hardening Ansible collection and the server_hardening.yml playbook.
ansible-galaxy collection install devsec.hardening --force
ansible-playbook -i inventory.ini server_hardening.ymlTo add, remove, list, or generate QR codes for VPN clients, use the following commands:
make vpn-client-addThe command will prompt you to enter the client name.
make vpn-client-removeYou will need to enter the client name that you want to remove.
make vpn-client-listmake vpn-client-qrcodeYou will be asked to enter the client name whose QR code you want to display.
For further help and a list of all available commands, run make help.
GNU