Allow to use multiple addresses and added IPv6 support #174

Merged
merged 4 commits into from
Mar 1, 2023


DiscowZombie
Contributor

First of all, thanks for the great work, this role was really useful for one of my projects.

Current limitations

Until now, it has been impossible for a host to have multiple IPs inside the VPN. This prevents a lot of use-cases, especially dual-stack networks (one IPv4 and one IPv6). Furthermore, putting an IPv6 inside the wireguard_address produced an invalid configuration file, since the IP got suffixed by the /32 mask:

AllowedIPs = {{ hostvars[host].wireguard_address.split('/')[0] }}/32

This PR aims to fix IPv6 support and allow using multiple IPs.

To do this, the PR implements the wireguard_addresses variable. This variable can contain an array of IPv4 or IPv6 addresses to be used inside the Wireguard network. The old way of specifying one IPv4 (through the wireguard_address variable) is still supported, even though I recommend migrating to the new wireguard_addresses variable.

Examples

Consider three nodes, ansible1, ansible2 and ansible3.

IPv4 only network

Old way (still working)

hosts.yaml

all:
  hosts:
    ansible1:
      # Variables such as ansible_host have been removed
      wireguard_endpoint: "ansible1.public.tld"
      wireguard_address: "10.8.0.1/24"
    ansible2:
      wireguard_endpoint: "ansible2.public.tld"
      wireguard_address: "10.8.0.2/24"
    ansible3:
      wireguard_endpoint: "ansible3.public.tld"
      wireguard_address: "10.8.0.3/24"

New way

hosts.yaml

all:
  hosts:
    ansible1:
      # Variables such as ansible_host have been removed
      wireguard_endpoint: "ansible1.public.tld"
      wireguard_addresses: 
        - "10.8.0.1/24"
    ansible2:
      wireguard_endpoint: "ansible2.public.tld"
      wireguard_addresses: 
        - "10.8.0.2/24"
    ansible3:
      wireguard_endpoint: "ansible3.public.tld"
      wireguard_addresses: 
        - "10.8.0.3/24"

Dual-stack network

hosts.yaml

all:
  hosts:
    ansible1:
      # Variables such as ansible_host have been removed
      wireguard_endpoint: "ansible1.public.tld"
      wireguard_addresses: 
        - "10.8.0.1/24"
        - "fd0d:1234:5678::1/64"
    ansible2:
      wireguard_endpoint: "ansible2.public.tld"
      wireguard_addresses: 
        - "10.8.0.2/24"
        - "fd0d:1234:5678::2/64"
    ansible3:
      wireguard_endpoint: "ansible3.public.tld"
      wireguard_addresses: 
        - "10.8.0.3/24"
        - "fd0d:1234:5678::3/64"

Complex network

A more complex network example.

hosts.yaml

all:
  hosts:
    ansible1:
      # Variables such as ansible_host have been removed
      wireguard_endpoint: "ansible1.public.tld"
      wireguard_addresses: 
        - "10.8.0.1/24"
        - "10.10.0.1/23"
        - "fd0d:1234:5678::1/64"
    ansible2:
      wireguard_endpoint: "ansible2.public.tld"
      wireguard_addresses: 
        - "10.8.0.2/24"
    ansible3:
      wireguard_endpoint: "ansible3.public.tld"
      wireguard_addresses: 
        - "10.8.0.3/24"
        - "10.10.1.3/23"
        - "fd0d:1234:5678::3/64"

Testing and other notes

All those setups have been tested with multipass. If I have time, I will be happy to experiment with molecule too. I would be happy if someone could experiment on their side too (and give input).

All the changes have been designed to be backward compatible.

If you plan on merging this PR, let me know, since the readme will benefit from an update to explain the new variable too.

FYI: During my testing, I tried using an IPv6 as Endpoint and can confirm it (already) works.
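
An added example, not code from this PR or from the role: a Python sketch of the per-peer `AllowedIPs` computation the description talks about, next to the old `/32` expression it quotes. `AllowedIPs` is also WireGuard's source-address filter for a peer, so each address is emitted as a host route (`/32` for IPv4, `/128` for IPv6). The function names, the precedence of `wireguard_addresses` over `wireguard_address`, and the `is_host_route` lint check are assumptions made for illustration.

```python
import ipaddress


def legacy_allowed_ip(address):
    """The pre-PR template expression quoted above: always appends /32."""
    return address.split("/")[0] + "/32"


def peer_allowed_ips(hostvars):
    """Return one host-route AllowedIPs entry per address of a peer."""
    # Assumption: the list variable wins; otherwise use the legacy variable.
    addresses = hostvars.get("wireguard_addresses")
    if addresses is None:
        legacy = hostvars.get("wireguard_address")
        addresses = [legacy] if legacy else []
    entries = []
    for raw in addresses:
        ip = ipaddress.ip_interface(raw).ip  # ValueError on malformed input
        entries.append(f"{ip}/{ip.max_prefixlen}")  # 32 for IPv4, 128 for IPv6
    return entries


def is_host_route(entry):
    """True only if entry is a valid CIDR that covers exactly one address."""
    try:
        return ipaddress.ip_network(entry, strict=True).num_addresses == 1
    except ValueError:
        return False


# Constructed sample: ansible1 from the "Complex network" inventory above.
ANSIBLE1 = {
    "wireguard_endpoint": "ansible1.public.tld",
    "wireguard_addresses": ["10.8.0.1/24", "10.10.0.1/23", "fd0d:1234:5678::1/64"],
}

if __name__ == "__main__":
    print("AllowedIPs = " + ", ".join(peer_allowed_ips(ANSIBLE1)))
    old = legacy_allowed_ip("fd0d:1234:5678::1/64")
    print(old, "is a host route:", is_host_route(old))
```
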

@githubixx
Owner

Thanks for the PR! Looks promising 😉 I'll try to test it within the next two or three days. Being backward compatible is one of my main concerns because I don't want to kill my own Wireguard setup 😄

@githubixx
Owner

@DiscowZombie Sorry for getting back this late. The PR works fine for me. So README.md should be updated accordingly as you already mentioned. Also CHANGELOG.md needs to be updated. I'll add a version 12.0.0 shortly. So you either wait for this release or need to rebase. Since your PR adds a major feature I'd suggest using version 13.0.0.

@DiscowZombie
Contributor Author

Happy to see this notification!

I will update the README.md in the coming days to add IPv6 examples. When 12.0.0 is released, I will work on the CHANGELOG.md and suggest this feature for 13.0.0 as you suggest!

@githubixx
Owner

FYI: I just released 12.0.0.

DiscowZombie and others added 3 commits February 26, 2023 02:07
Hosts can now have one IPv6, by specifying 'wireguard_address_v6' variable. This IP is added to peer's AllowedIPs.

Future plans :
- Support IPv6 only hosts (No 'wireguard_address')
- Allow the endpoint to be an IPv6 address
Added the 'wireguard_addresses' variable to specify an array of IPv4 and IPv6. The old 'wireguard_address' variable can be deprecated even though it still works to specify one IPv4.

The 'wireguard_address_v6' from last commit was deleted.
@githubixx
Owner

@DiscowZombie Is this ready to be merged? Please also add an entry to CHANGELOG e.g.:

## 13.0.0

- add IPv6 support (contribution by @DiscowZombie)
- introduce `wireguard_addresses` variable (contribution by @DiscowZombie)

@DiscowZombie
Contributor Author

> @DiscowZombie Is this ready to be merged? Please also add an entry to CHANGELOG e.g.:
>
> ## 13.0.0
>
> - add IPv6 support (contribution by @DiscowZombie)
> - introduce `wireguard_addresses` variable (contribution by @DiscowZombie)

Everything is ready 🚀

@githubixx githubixx merged commit dd64b7b into githubixx:master Mar 1, 2023
vincentDcmps pushed a commit to vincentDcmps/ansible-role-wireguard that referenced this pull request Mar 26, 2023
* Basic IPv6 support

Hosts can now have one IPv6, by specifying 'wireguard_address_v6' variable. This IP is added to peer's AllowedIPs.

Future plans :
- Support IPv6 only hosts (No 'wireguard_address')
- Allow the endpoint to be an IPv6 address

* Added 'wireguard_addresses' to use multiple IPs

Added the 'wireguard_addresses' variable to specify an array of IPv4 and IPv6. The old 'wireguard_address' variable can be deprecated even though it still works to specify one IPv4.

The 'wireguard_address_v6' from last commit was deleted.

* Updating the README to use `wireguard_addresses`

* 13.0.0 changelog