Automated WireGuard VPN Deployment on Scaleway Cloud with Terraform and Ansible

Table of Contents

Overview

This project focuses on the automation of a WireGuard VPN server on Scaleway’s cloud infrastructure using Terraform, Ansible, Jinja2 Templates, and shell scripts. The automation is designed to provision, configure, and maintain WireGuard instances using Shell scripts. The project includes scripts for both deployment and destruction of the infrastructure, along with templates for the WireGuard server and client configurations.

Key Components

  • Terraform: Used for provisioning the infrastructure.
  • Ansible: Used for configuration management of the WireGuard VPN.
  • Jinja2 Configuration Templates: For generating WireGuard configurations dynamically.
  • Shell Scripts: For automation of deployment and teardown.

Notes

  • API Keys:

    • Ensure your Scaleway API keys are correctly set in the scaleway.auto.tfvars file before running the deployment scripts.
    • Protect the scaleway.auto.tfvars file and any files containing sensitive information.
  • Prerequisites:

    • Basic knowledge of Terraform, Ansible, and WireGuard is assumed.
    • Ensure Terraform, Ansible, and WireGuard are installed on your control node (local machine).
  • Security Considerations:

    • The generated configuration files and key files contain sensitive information. Handle them with care and secure them appropriately.
    • Do not commit sensitive files (like private keys and scaleway.auto.tfvars) to version control systems like Git.
  • Customization:

    • The templates and scripts can be customized to fit specific needs, such as adding more clients or changing network configurations.
    • Modify the Terraform files and Ansible playbooks as needed for your environment.

Project Structure

  • automated-wireguard-vpn/
    • terraform/
      • provider.tf: Specifies the cloud provider (Scaleway).
      • scaleway.auto.tfvars: Scaleway cloud provider secret variables for API connectivity. (Important: Protect this file; do not expose API keys.)
      • main.tf: The main Terraform configuration file.
    • ansible/
      • playbooks/
        • wireguard.yml: Ansible playbook for configuring the WireGuard server.
      • templates/
        • client.conf.j2: Jinja2 template for generating the WireGuard client configuration.
        • wireguard.conf.j2: Jinja2 template for generating the WireGuard sever configuration.
      • keys/: Generated directory to store generated client keys (private and public).
      • config/: Generated directory where the generated client configuration file will be stored.
    • scripts/
      • deploy.sh: Script to deploy the infrastructure and configure the WireGuard VPN.
      • destroy.sh: Script to tear down the infrastructure.

Program Workflow

1. Provisioning Infrastructure with Terraform

The first step is provisioning the infrastructure required for the WireGuard VPN server using Terraform.

  • provider.tf:

    • Specifies Scaleway as the cloud provider.
    • Includes necessary API credentials to manage resources via Scaleway’s API.
  • main.tf:

    • Contains configuration variables such as instance sizes, network configurations, and region settings.
    • Defines the infrastructure for the VPN, including:
      • The compute instance that will host the WireGuard VPN.
      • Security groups and networking configurations to ensure proper routing and security.
  • scaleway.auto.tfvars:

    • Stores sensitive API key information and other variable values.
    • Important: Protect this file; it contains API keys and secrets.
  • Outputs:

    • After provisioning, outputs like the public IP and other relevant data are generated, which will be used in the next steps.

Key Commands:

terraform init    # Initializes the working directory
terraform plan    # Previews the infrastructure changes
terraform apply   # Creates and provisions the infrastructure

2. Configuring the WireGuard VPN with Ansible

Once the infrastructure is provisioned, Ansible is installed and ready to be used to configure the WireGuard VPN server and client.

  • Ansible Playbook (wireguard.yml):
    • Install WireGuard:
      • Installs the WireGuard VPN package on the server.
      • Enables IPv4 and IPv6 packet forwarding.
    • Generate and Manage Keys:
      • Checks if the server’s private and public keys exist.
      • Generates and saves the server keys if they are missing.
      • Transfers the server’s public key to the localhost control node for later use.
    • Generate Server Configuration:
      • Uses the template wireguard.conf.j2 to dynamically create the server’s configuration file, incorporating the server’s private key and other variables.
    • Generate Client Configuration:
      • On the control node, checks for the existence of the client’s keys.
      • Generates client keys if necessary and saves them.
      • Transfers the client’s public key to the server and updates the server’s configuration to add the client as a peer.
      • Uses the template client.conf.j2 to generate the client’s WireGuard configuration.
    • Start and Enable WireGuard:
      • Ensures that the WireGuard service is enabled, started, and restarted to apply any changes to both server and client configurations.

This process ensures that both the server and client are properly configured with keys and WireGuard settings to establish a secure VPN connection.

Command to Run the Playbook:

ansible-playbook -i inventory wireguard.yml

3. Deployment Automation with Shell Scripts

To simplify the process, two shell scripts are provided to automate the deployment and destruction of the VPN infrastructure.

Deployment Script (deploy.sh)

This script orchestrates the full deployment process, executing both Terraform and Ansible commands to set up the infrastructure and configure WireGuard.

Workflow:

  1. Initializes and applies the Terraform plan.
  2. Runs the Ansible playbook to configure the WireGuard VPN.

Run the deployment with:

cd scripts
./deploy.sh

What happens:

  • The infrastructure is provisioned using terraform init and terraform apply.
  • Once provisioning is complete, the Ansible playbook configures WireGuard.

Destruction Script (destroy.sh)

Automates the teardown of the entire infrastructure, including removing the WireGuard VPN server and all related resources on Scaleway.

Run the destruction process with:

cd scripts
./destroy.sh

What happens:

  • The infrastructure is destroyed using terraform destroy.
  • Any generated files (such as the WireGuard configurations and keys) are deleted.

Usage

Deployment Process

  1. Clone the repository:
git clone https://github.com/cusable/automated-wireguard-vpn.git
cd automated-wireguard-vpn
  1. Configure Scaleway Credentials:
  • Edit the scaleway.auto.tfvars file in the terraform/ directory to include your Scaleway API keys and desired settings.
  • Important: Protect this file to prevent unauthorized access to your API keys.
  1. Deploy the infrastructure:
cd scripts
./deploy.sh
  1. Connect to the VPN:
  • Use the generated client configuration file located at ansible/config/client.conf to connect to the VPN using your WireGuard client.

Teardown Process

To remove the VPN and free up resources:

  1. Run the Destroy Script:
cd scripts
./destroy.sh
  1. Cleanup:
  • This will cleanly remove all infrastructure from Scaleway and delete any generated configuration files and keys.

Generated Files

During deployment, certain configuration files and keys are generated, and they are all removed during the destruction process:

  • WireGuard Server Configuration (wg0.conf):
    • Generated from wireguard.conf.j2.
    • Located at /etc/wireguard/wg0.conf on the server.
    • Configures the WireGuard server with keys and network settings.
  • Client Configuration (client.conf):
    • Generated from client.conf.j2.
    • Located at ansible/config/client.conf on the control node.
    • Contains the settings required for clients to connect to the WireGuard VPN.
  • Key Files:
    • Server Keys:
      • Private Key: /etc/wireguard/server_private.key (server)
      • Public Key: /etc/wireguard/server_public.key (server) and ansible/keys/server_public.key (control node)
    • Client Keys:
      • Private Key: ansible/keys/client_private.key (control node)
      • Public Key: ansible/keys/client_public.key (control node) and /etc/wireguard/client_public.key (server)

Conclusion

This automated setup simplifies the deployment and management of a WireGuard VPN on Scaleway’s cloud infrastructure. By using Terraform and Ansible, the process becomes reproducible and manageable, ensuring that infrastructure and configurations are consistent and can be easily modified or destroyed as needed.


Resources