Puppet Class: wireguard

Defined in:
manifests/init.pp

Summary

Configure wireguard networks

Overview

Parameters:

  • networks (Hash[String, Hash[String, Any]]) (defaults to: {})

    sets the list of WireGuard networks to create

  • routers (Array[String]) (defaults to: [])

    is an optional list of subnets that this instance should route traffic for

  • alternate_ports (Array[Integer]) (defaults to: [])

    sets the extra ports that WireGuard clients can use to reach this instance



# File 'manifests/init.pp', line 6

class wireguard (
  Hash[String, Hash[String, Any]] $networks = {},
  Array[String] $routers = [],
  Array[Integer] $alternate_ports = [],
) {
  # UDP port the inbound firewall rule opens and that every alternate port
  # is redirected onto. Any ListenPort configured elsewhere (presumably by
  # wireguard::network) has to agree with this value -- confirm before
  # changing it.
  $listen_port = 41194

  package { 'wireguard-tools': }

  # Both directories are root-only (0700) and are created only after the
  # tools package is installed. Presumably they hold the private/public key
  # files -- verify against wireguard::network.
  file { ['/etc/wireguard/private', '/etc/wireguard/public']:
    ensure  => directory,
    owner   => 'root',
    group   => 'root',
    mode    => '0700',
    require => Package['wireguard-tools'],
  }

  # One wireguard::network per entry in $networks; the hash key is used as
  # the interface name and the value is handed over as the peer set.
  $networks.each |String $iface, Hash $iface_peers| {
    wireguard::network { $iface:
      peers => $iface_peers,
    }
  }

  # Accept inbound WireGuard traffic on the primary port.
  firewall { '100 allow inbound wireguard traffic':
    dport  => $listen_port,
    proto  => 'udp',
    action => 'accept',
  }

  # Each alternate port becomes a local nat PREROUTING redirect onto the
  # primary port, so a single listener serves all of them.
  $alternate_ports.each |Integer $alt_port| {
    firewall { "100 redirect ${alt_port} as alternate wireguard port":
      table    => 'nat',
      chain    => 'PREROUTING',
      dst_type => 'LOCAL',
      proto    => 'udp',
      dport    => $alt_port,
      jump     => 'REDIRECT',
      toports  => $listen_port,
    }
  }

  # Routing is only switched on when at least one subnet is listed: IPv4
  # forwarding is enabled through a sysctl drop-in and every subnet gets a
  # MASQUERADE rule plus a FORWARD accept.
  unless empty($routers) {
    file { '/etc/sysctl.d/wireguard.conf':
      ensure  => file,
      content => 'net.ipv4.ip_forward=1',
    }

    # systemd-sysctl is refreshed whenever the drop-in changes so the
    # forwarding setting is applied without a reboot.
    service { 'systemd-sysctl':
      ensure    => running,
      enable    => true,
      subscribe => File['/etc/sysctl.d/wireguard.conf'],
    }

    $routers.each |String $subnet| {
      # NOTE(review): the FORWARD rule accepts every protocol from $subnet
      # on any interface and towards any destination -- there is no
      # iniface/outiface or connection-state restriction here. Confirm that
      # this breadth is intended.
      firewall { "100 masquerade for wireguard routing on ${subnet}":
        chain  => 'POSTROUTING',
        jump   => 'MASQUERADE',
        proto  => 'all',
        source => $subnet,
        table  => 'nat',
      }
      firewall { "100 forward for wireguard routing on ${subnet}":
        chain  => 'FORWARD',
        proto  => 'all',
        action => 'accept',
        source => $subnet,
      }
    }
  }
}