Welcome to this guide on how to deploy a WireGuard and IPsec VPN Server using Ansible. Ansible is a free and open-source tool written in Python, used for configuration management and automation.
To automate the WireGuard and IPsec VPN Server deployment, we will use Algo VPN. This is a set of Ansible scripts that can be used to bring up WireGuard and IPsec VPN on-premise or in the cloud. It uses the most secure defaults available and works with common cloud providers.
The features provided by Algo VPN are:
- It generates Apple profiles to auto-configure iOS and macOS devices
- Supports only IKEv2 with strong crypto (AES-GCM, SHA2, and P-256) for iOS, macOS, and Linux
- Includes a helper script to add and remove users
- Supports WireGuard for iOS, macOS, Linux, Android and Windows 10
- Blocks ads with a local DNS resolver (optional)
- Sets up limited SSH users for tunneling traffic (optional)
- It can be used to install to DigitalOcean, Amazon Lightsail, Amazon EC2, Vultr, Microsoft Azure, Google Compute Engine, Scaleway, OpenStack, CloudStack, Hetzner Cloud, Linode, or your own Ubuntu server (for more advanced users)
- Based on current versions of Ubuntu and strongSwan
- Generates .conf files and QR codes for iOS, macOS, Android, and Windows WireGuard clients
Let’s plunge in!
Step 1 – Install the Requirements
Algo requires Python 3.8 or later which can be installed on your system with the command:
##On Ubuntu
sudo apt update
sudo apt install -y --no-install-recommends python3-virtualenv libffi-dev libssl-dev git

##On Rhel/CentOS/Alma Linux/Rocky Linux/Fedora
sudo dnf install python38-devel python3-virtualenv git -y

##On Debian 11
sudo apt update
sudo apt install -y --no-install-recommends libffi-dev libssl-dev git
sudo apt remove python3-virtualenv
curl -sSL https://install.python-poetry.org | python3 -
echo 'export PATH="/root/.local/bin:$PATH"' | tee -a ~/.bashrc
Verify the python3 version:
$ python3 --version
Python 3.8.10
On Rhel-based systems, configure the default version with the command:
$ sudo update-alternatives --config python3

There are 2 programs which provide 'python3'.

  Selection    Command
-----------------------------------------------
*+ 1           /usr/bin/python3.6
   2           /usr/bin/python3.8

Enter to keep the current selection[+], or type selection number: 2
Obtain a copy of Algo. For this guide, we will use
sudo su -
git clone https://github.com/trailofbits/algo.git
Install other dependencies:
cd algo
python3 -m pip install -U pip virtualenv
python3 -m virtualenv --python=$(which python3) env
source env/bin/activate
python3 -m pip install -r requirements.txt
Step 2 – Configure your Ansible host
The host on which the WireGuard and IPsec VPN Server is to be installed needs to be running Ubuntu.
Make the configurations below:
Ensure root login is permitted.
sudo vim /etc/ssh/sshd_config
Find, uncomment and edit the line below so that root login over SSH is allowed:
PermitRootLogin yes
Restart the SSH service:
sudo systemctl restart ssh
Allow passwordless login to the remote host by generating and copying the SSH keys.
On the Manager Node, run:
ssh-keygen -t rsa
Now copy the key to the managed node. Remember to replace managed-node-IP with the correct address:
ssh-copy-id -i ~/.ssh/id_rsa.pub root@<managed-node-IP>
At this point, you should be able to log in to the root user on the managed node using the SSH keys.
Step 3 – Make WireGuard and IPsec VPN Server configurations
To make the desired configurations, open config.cfg with your favorite text editor and specify the users for the devices you wish to connect:
I will have 3 users specified as shown:
users:
  - sample
  - test
  - admin
Step 4 – Deploy WireGuard and IPsec VPN Server
Once the above configurations have been made, proceed to deploy the WireGuard and IPsec VPN Server using Ansible. There are variables you can pass using the
The variables here include:
- provider – specifies the provider you want to use, such as DigitalOcean, Amazon EC2, local, etc. For this guide, we will use local to install the VPN Server on an existing local server
- server_name – (Required) Server name. (Default: algo)
- ondemand_cellular – Optional. Enables VPN On Demand when connected to cellular networks for iOS/macOS clients using IPsec. (Default: false)
- ondemand_wifi – Optional. Enables VPN On Demand when connected to WiFi networks for iOS/macOS clients using IPsec. (Default: false)
- dns_adblocking – Enables dnscrypt-proxy adblocking. (Default: false)
- ssh_tunneling – Enables SSH tunneling for each user. (Default: false)
- store_pki – Specifies whether or not to keep the CA key. This is required if you want to add users in the future, but is less secure. (Default: false)
The above variables can be passed as shown.
ansible-playbook main.yml -e "provider=local server_name=algo ondemand_cellular=false ondemand_wifi=false dns_adblocking=true ssh_tunneling=true store_pki=true do_token=token"
The deployment will be initialized as shown:
Press Enter and proceed to specify the managed Ansible node (remote system):
.....
Enter the IP address of your server: (or use localhost for local installation):
[localhost]
: 192.168.205.11

TASK [local : pause] ***********************************************************
ok: [localhost]

TASK [local : Set the facts] ***************************************************
ok: [localhost]

[local : pause]
What user should we use to login on the server? (note: passwordless login required, or ignore if you're deploying to localhost)
[root]
: root

Enter the public IP address or domain name of your server: (IMPORTANT! This is used to verify the certificate)
[192.168.205.11]
: 192.168.205.11
......
We have specified the remote IP address and user. Remember that the root user is required for the installation and configuration to proceed.
Sit back and relax as you wait for the process to complete. If all goes well, you will see this:
If you encounter an error along the way, troubleshoot it and run the commands below before you restart the installation:
sudo rm -rf /etc/wireguard/*.lock
rm -rf configs/192.168.205.11
After this, you will have connection profiles created in the current algo-master directory at configs/IP_Address/wireguard/, for example:
$ ls configs/192.168.205.11/wireguard/
admin.conf  admin.png  apple  sample.conf  sample.png  test.conf  test.png
You can view the content of any of these files:
$ cat configs/192.168.205.11/wireguard/admin.conf
[Interface]
PrivateKey = 4KYCcDD0GYiRH0MO5gCgFxdxtQ5qj6X8V1e15uL+n3o=
Address = 10.49.0.4
DNS = 172.25.97.255

[Peer]
PublicKey = /3OF6hbKH1/fZyTlPCv2WAMSjckonfbO6cgHrZoxaHM=
PresharedKey = UjTv+rsnfedqiLbaapg9+MGSCPbcY6wdOntgwdfCZb0=
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = 192.168.205.11:51820
These files contain everything needed to set up the WireGuard VPN client, including the client's private key, so treat them as secrets. The PNG files contain QR codes that can be scanned by a mobile client to connect to the VPN server.
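Before copying a generated profile into /etc/wireguard, it is worth confirming that it is complete and that the file, which carries the PrivateKey and PresharedKey, ends up readable by its owner only. The script below is an added example, not part of Algo or the original guide; the functions wg_key_ok, conf_get, wg_conf_check, wg_conf_install and write_sample_conf are its own, it assumes a POSIX shell with coreutils base64 and install, and the sample profile it writes uses constructed all-zero placeholder keys.

```shell
#!/bin/sh
# Added example (not part of Algo or this guide): sanity-check a generated
# WireGuard client profile and install it readable by its owner only, since
# the file carries the client's PrivateKey and the PresharedKey.
# Assumes a POSIX shell with coreutils base64 and install.

# Decode a base64 WireGuard key and confirm it is exactly 32 bytes (Curve25519).
wg_key_ok() {
    n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "${n:-0}" -eq 32 ]
}

# Read the first "Key = value" line for $2 from the profile $1.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 when the profile has every field wg-quick needs and they look sane.
wg_conf_check() {
    f=$1
    grep -q '^\[Interface\]' "$f" || { echo "missing [Interface]"; return 1; }
    grep -q '^\[Peer\]' "$f"      || { echo "missing [Peer]"; return 1; }
    wg_key_ok "$(conf_get "$f" PrivateKey)" || { echo "bad PrivateKey"; return 1; }
    wg_key_ok "$(conf_get "$f" PublicKey)"  || { echo "bad PublicKey"; return 1; }
    psk=$(conf_get "$f" PresharedKey)
    [ -z "$psk" ] || wg_key_ok "$psk"       || { echo "bad PresharedKey"; return 1; }
    conf_get "$f" Endpoint | grep -Eq ':[0-9]{1,5}$' || { echo "bad Endpoint"; return 1; }
    [ -n "$(conf_get "$f" AllowedIPs)" ]    || { echo "missing AllowedIPs"; return 1; }
}

# Copy a checked profile into $2 as $3.conf with mode 0600
# (for the guide's setup: wg_conf_install admin.conf /etc/wireguard wgvpn).
wg_conf_install() {
    wg_conf_check "$1" && install -m 600 "$1" "$2/$3.conf"
}

# Write a constructed sample profile to $1, shaped like the admin.conf shown
# in the guide; the keys are all-zero placeholders, not real key material.
write_sample_conf() {
    k=$(head -c 32 /dev/zero | base64 | tr -d '\n')
    printf '%s\n' '[Interface]' "PrivateKey = $k" 'Address = 10.49.0.4' \
        'DNS = 172.25.97.255' '' '[Peer]' "PublicKey = $k" "PresharedKey = $k" \
        'AllowedIPs = 0.0.0.0/0,::/0' 'Endpoint = 192.168.205.11:51820' > "$1"
}
```

Run it as root with the real profile path and /etc/wireguard as the destination; wg_conf_check prints the first field it rejects, which is usually a key that was truncated while copying.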
The WireGuard and IPsec VPN Server should also now be set up on the remote host. Verify as shown:
On the managed node, run:
Step 5 – Connect to VPN server on Linux
To verify that the installation is working, I will proceed to set up the WireGuard VPN client. Using the user files above, you can connect to the VPN endpoint on the remote system.
The WireGuard client can be installed on your Linux or macOS system as described on the official WireGuard installation instructions page.
Once installed, create a configuration file:
sudo vim /etc/wireguard/wgvpn.conf
Add the lines from the generated user file, for example admin.conf:
[Interface]
PrivateKey = 4KYCcDD0GYiRH0MO5gCgFxdxtQ5qj6X8V1e15uL+n3o=
Address = 10.49.0.4
DNS = 172.25.97.255

[Peer]
PublicKey = /3OF6hbKH1/fZyTlPCv2WAMSjckonfbO6cgHrZoxaHM=
PresharedKey = UjTv+rsnfedqiLbaapg9+MGSCPbcY6wdOntgwdfCZb0=
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = 192.168.205.11:51820
Save the file and reboot the system:
Once the system boots, start the interface:
$ sudo wg-quick up wgvpn
[#] ip link add wgvpn type wireguard
[#] wg setconf wgvpn /dev/fd/63
[#] ip -4 address add 10.49.0.4 dev wgvpn
[#] ip link set mtu 1420 up dev wgvpn
[#] mount `172.25.97.255' /etc/resolv.conf
[#] wg set wgvpn fwmark 51820
[#] ip -6 route add ::/0 dev wgvpn table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] nft -f /dev/fd/63
[#] ip -4 route add 0.0.0.0/0 dev wgvpn table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
On Debian/Ubuntu, you need to install the package below. Otherwise, you will get the error "resolvconf: command not found":
sudo apt install openresolv
Once started, verify that the interface is running:
You can also connect from your mobile device with the help of the guide below:
I hope this guide was helpful.