In my ever-growing list of things I find to do besides the dishes and laundry, I decided one weekend that I wanted an easy way to deploy a Vultr server and set it up as a WireGuard server. I know there are actual VPN services out there that are possibly more reliable and definitely less of a headache, but what's the fun in that? I wanted to see if I could do it...and I did!
Here is the "intended" way for this repo to be used:
- Download the repo, optionally as a zip folder, and delete the folder after every time you set up the WireGuard server.
- This repo assumes you have https://direnv.net/ installed to load and unload the `.envrc` files when changing directories. I'd recommend installing it; otherwise, if you're so inclined, you can manage the environment variables through another package or manually.
- Change to the new directory for the repo once you have the folder downloaded/unzipped/un-tar'd/etc.
- Copy `.envrc.example` in the root directory to a file named `.envrc`, and update your variables for your Vultr API key, and three public and private keys for the clients to use. I'll hopefully improve this to dynamically generate X number of configs based on environment variables, or maybe a variable set somewhere else.
  `direnv` should prompt you to allow the new `.envrc` file with an easy copy-and-pasteable error message! This will need to be done before running the scripts so the variables exist.
- Finally, make the shell script(s) executable with `chmod +x *.sh`, and then turn up the server and let Ansible go to town configuring everything!
The shell script installs the Ansible Galaxy packages required, along with the pip modules used. Then it generates an SSH key to use with the server, sets some environment variables from the terraform.tfstate file after the machine is configured, runs the monolithic playbook, and does some sed replacements on the config files so they're ready to be pasted into a device.
```shell
wget https://github.com/oct8l/Vultr-WireGuard-one-shot/archive/refs/heads/main.tar.gz
tar -xzf main.tar.gz
rm main.tar.gz
cd Vultr-WireGuard-one-shot-main
chmod +x *.sh
mv .envrc.example .envrc
vi .envrc
```

After you defeat the vi boss and have your variables set, you can run `./run-all.sh` and watch the magic happen!
You can also optionally run `./ssh.sh` if you'd like to SSH to the machine; it will use the SSH key that was generated by the previous script.
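To make the "set some environment variables from terraform.tfstate, then sed the config files" part of the script concrete, here is an added example that is not the repo's own `run-all.sh`: it pulls the server address out of a tfstate fragment, checks that the keys taken from `.envrc` have the shape of WireGuard keys before anything is rendered, and fills a client config template. The tfstate JSON, the keys and the `__PLACEHOLDER__` names are constructed for this example; the `main_ip` attribute name is an assumption about what the Vultr instance resource exports, so adjust it to whatever your tfstate actually contains.

```shell
#!/bin/sh
# Added example, not the repo's run-all.sh: the two post-provisioning steps the
# README describes (read the server address out of terraform.tfstate, then sed
# placeholders in a client config), plus a sanity check on the keys from .envrc.

# Constructed stand-in for a terraform.tfstate fragment. The attribute name
# "main_ip" is an assumption about what the Vultr instance resource exports.
SAMPLE_TFSTATE='{"resources":[{"type":"vultr_instance","instances":[{"attributes":{"hostname":"wg-server","main_ip":"203.0.113.10"}}]}]}'

# Constructed sample key (valid shape only: 32 bytes of base64 = 43 chars plus '=').
SAMPLE_SERVER_PUBKEY='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='

# Print the first main_ip found in tfstate JSON read from stdin; prints nothing if absent.
tfstate_main_ip() {
  sed -n 's/.*"main_ip": *"\([0-9][0-9.]*\)".*/\1/p' | head -n 1
}

# Return 0 if the argument looks like a WireGuard key (44-char base64 ending in '=').
check_wg_key() {
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Client config template with placeholders where the per-deployment values go.
client_template() {
  cat <<'EOF'
[Interface]
PrivateKey = __CLIENT_PRIVKEY__
Address = 10.0.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = __SERVER_PUBKEY__
Endpoint = __ENDPOINT__:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
}

# Fill the template on stdin: $1 = server IP, $2 = server pubkey, $3 = client privkey.
# Refuses to render if any value is missing or malformed, so a bad .envrc fails here
# instead of producing a config that silently never connects.
render_client_conf() {
  ip="$1"; server_pub="$2"; client_priv="$3"
  [ -n "$ip" ] || { echo "render_client_conf: no server IP found in tfstate" >&2; return 1; }
  check_wg_key "$server_pub" || { echo "render_client_conf: bad server pubkey" >&2; return 1; }
  check_wg_key "$client_priv" || { echo "render_client_conf: bad client privkey" >&2; return 1; }
  # '|' as the sed delimiter so the '/' characters in base64 keys need no escaping.
  sed -e "s|__ENDPOINT__|${ip}|" \
      -e "s|__SERVER_PUBKEY__|${server_pub}|" \
      -e "s|__CLIENT_PRIVKEY__|${client_priv}|"
}

# The whole pipeline as one function: $1 is the client's private key from .envrc.
build_client_conf() {
  ip=$(printf '%s' "$SAMPLE_TFSTATE" | tfstate_main_ip)
  client_template | render_client_conf "$ip" "$SAMPLE_SERVER_PUBKEY" "$1"
}
```

In the real script the tfstate would be read from the file Terraform wrote and the three client key pairs would come from the `.envrc` variables; the point of the key check is that an empty or mistyped variable stops the run before a broken config is handed to a device.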
The Terraform template also applies the needed firewall rules and assigns the machine to that firewall group, so no need to manually allow it. It makes port 51820/udp and 22/tcp accessible from any IPv4 address, but only pubkey authentication is allowed for SSH and Fail2Ban also gets set up with the Ansible playbook.
Something I want to change is to break the Ansible folder into proper roles and call the roles instead of having everything in one playbook. Another thing is to pull the Ansible Galaxy installs out of the shell script because that seems a little intrusive to be installing them, as well as the pip modules. It definitely would be best to use a venv for this, but I was in a bit of a rush for a trip that I wanted to try this setup out on with GL.iNet routers. Man, I love those things.