wireguard

Configure a wireguard tunnel to allow SSH-ing inside the video network from outside.

There are two computers:

  • local: inside the video network

  • remote: outside the network; the computer a user SSHes into. The remote is the wireguard server and the local is the wireguard client.

The private key for each side needs to be generated using a subcommand of wg (from the wireguard-tools package). Whenever a private key is replaced, be sure to also update the corresponding public_key entry.

Roles

There are four different roles defined, but there can be exactly one local and one remote at a time. The configuration differs depending on whether the interface is managed by ifupdown or by systemd-networkd, hence the four roles:

  • local_ifupdown - not yet implemented

  • local_networkd

  • remote_ifupdown

  • remote_networkd - not yet implemented

Each role has a single main task.

Available variables:

  • wireguard.port: The port the remote listens on. The local does not set ListenPort.

  • wireguard.local.ip_address: IP address for the generated wireguard interface. Should be in the same /24 network as remote.ip_address.

  • wireguard.if_name: Name for the wireguard interface. “wg0” is probably a sane value. Completely unrelated to that of the remote.

  • wireguard.local.private_key: A private key stored in the vault. A new one can be generated using wg genkey.

  • wireguard.local.public_key: The private key’s public counterpart. Generated from the private key using wg pubkey.

  • wireguard.remote.host: The host name the local should connect to. It is assumed that it has one of the wireguard remote_ roles.

  • wireguard.remote.ip_address: same as the local counterpart.

  • wireguard.remote.if_name: same as the local counterpart.

  • wireguard.remote.private_key: same as the local counterpart.

  • wireguard.remote.public_key: same as the local counterpart.
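Added example, not part of this role: rendering the wg(8) configuration for both ends from the variables above, while enforcing the two rules the variable list states (local and remote addresses share a /24; only the remote sets ListenPort). The port, addresses, host name and key strings are constructed placeholders.

```python
import ipaddress

# Constructed sample of the role's variables; the key strings are placeholders,
# real ones come from `wg genkey` / `wg pubkey` and live in the vault.
WIREGUARD_VARS = {
    "port": 51820,
    "local": {"ip_address": "10.90.0.2", "if_name": "wg0",
              "private_key": "LOCAL_PRIVATE_KEY_PLACEHOLDER",
              "public_key": "LOCAL_PUBLIC_KEY_PLACEHOLDER"},
    "remote": {"host": "remote.example.org", "ip_address": "10.90.0.1",
               "if_name": "wg0",
               "private_key": "REMOTE_PRIVATE_KEY_PLACEHOLDER",
               "public_key": "REMOTE_PUBLIC_KEY_PLACEHOLDER"},
}


def same_slash24(a, b):
    """Return True when both tunnel addresses fall in the same /24."""
    return (ipaddress.ip_network(f"{a}/24", strict=False)
            == ipaddress.ip_network(f"{b}/24", strict=False))


def render_config(v, side):
    """Render an [Interface]/[Peer] config for side 'local' or 'remote'.

    The remote is the server: it sets ListenPort and accepts only the local's
    tunnel address. The local is the client: no ListenPort, it dials the
    remote's host:port and routes only the remote's /32 over the tunnel.
    """
    if not same_slash24(v["local"]["ip_address"], v["remote"]["ip_address"]):
        raise ValueError("local and remote ip_address must share a /24")
    me, peer = ((v["local"], v["remote"]) if side == "local"
                else (v["remote"], v["local"]))
    lines = ["[Interface]",
             f"Address = {me['ip_address']}/24",
             f"PrivateKey = {me['private_key']}"]
    if side == "remote":
        lines.append(f"ListenPort = {v['port']}")
    lines += ["", "[Peer]",
              f"PublicKey = {peer['public_key']}",
              f"AllowedIPs = {peer['ip_address']}/32"]
    if side == "local":
        lines.append(f"Endpoint = {peer['host']}:{v['port']}")
    return "\n".join(lines) + "\n"
```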