Hi, so been working on this for a week but not really happy with the solutions I find as they seem to be done by induviduals who rely heavily on ai. I got wireguard easy going and can remotly connect which is great but id love to be able to route any internet traffic to and from the wireguard clients to go though another server while filtering my local onsite services. Felt that if i can crack this i dont need to rely on tailscale. The end goal is to have no reliance on tailscale as i am preparing for the eventual enshitification.
I have a custom made ansible role that does what you are asking for. I've wanted to clean it up a bit before putting it up on Github, and your post just gave me a motivation to stop procrastinating it :) This was initially made for my own use, and I'm not an Ansible expert so it can have some rough edges, but I tried my best to make it adhere to the Ansible way of doing things (applying the same role to a host twice should be idempotent).
Using this role, I'm able to quickly define wireguard networks, define which peer participates in which network, optionally configure a peer as a router (with NAT and port forwarding) for a given network. For Ansible-managed hosts, it installs wireguard, generates and deploys wireguard configurations, and enables IP forwarding on exit nodes. It can also generate ready-to-deploy wireguard configurations for externally managed hosts.
The repo is at https://github.com/pcouy/ansible-wireguard . I tried giving some instructions in the readme but they may not be detailed enough. If you try it, please open an issue for anything that's not clear enough from the readme so I can improve it. (I tried making a "Quick start" section for people who never used ansible before)
Thank you so much! I shall head over and have a look :D
Quick question (love your solution btw so eloquent could follow along easily which was such a nice change from the week i have had) does your solution manage multiple clients with different firewall requirements? Why i was heading down the wireguard ui route was the ease of firewall configuration per client. Its a weird thing where i feel headscale is a little bit more than i need and wireguard vanilla is a little too simplistic. I know nothing about ansible other than what i quickly read up on now.
Do you have specific examples of the "different firewall requirements" ?
Its via gui but its basically just server side allow list so the client cant modify the ips it can access. The ips i use for https internet are 0.0.0.0/0:443 for example
The ansible role I made does not cover this. If you make a server an exit node for a network, the server gets configured to forward everything that comes from the wireguard network. Since my use case does not need this, I don't think I'll add it, but the role could be expanded to support ACLs by taking inspiration from how it deals with port forwarding.
Thats ok, thanks for the idea and sharing your project! Glad to hear this post was the push that convinced you to share it with the wider world its a cool project :)