Wireguard VPN
“Automation-cli” can connect to servers located behind a “Wireguard” VPN. To avoid installing the “Wireguard” package and all its settings on the control node, I use a “Wireguard” client running in user space.
WARNING: The “onetun” tool (v0.3.10) only works for small infrastructures. To reach a larger network, you will need to:
- Install and configure the wireguard client on the control node.
- Add the routes needed to reach the target hosts.
Runtime configuration
The executable is available from the GitHub project:
- Download the right binary for your platform. WARNING: version v0.3.7 does not work with multiple hosts (problem reported).
- Create the directory in OPSDirectory:
  sudo mkdir -p $OPS/vpn/bin-wireguard/
- Copy the downloaded binary into the “OPSDirectory” directory:
  sudo cp [downloaded binary] $OPS/vpn/bin-wireguard/onetun
- Make the file executable:
  sudo chmod +x $OPS/vpn/bin-wireguard/onetun
With the “run” command switches
To perform an operation on servers located behind a Wireguard VPN, you must provide several parameters:
automation-cli run --help
[...]
  -wgsa, --wireguard-server-address <string>      Enter Wireguard server public IP address
  -wgsp, --wireguard-server-port <number>         Enter Wireguard server public port
  -wgspk, --wireguard-server-public-key <string>  Enter Wireguard server public key
  -wgpk, --wireguard-your-private-key <string>    Enter your Wireguard private key
  -wgip, --wireguard-your-ip-address <string>     Enter your Wireguard private ip address (given by Wireguard admin)
  -wgma, --wireguard-match <string>               Enter the regular expressions that determine which hosts must go through wireguard (eg: ^172 all ip Address starting with 172)
[...]
The VPN connection is only started for hosts that match your regular expression.
Inventory configuration
Instead of passing these parameters on the command line, put them in the inventory (preferred), so that secrets are not exposed on the command line:
[...]
internalVpn:
  wireguardServerAddress: [IP address of the server providing the Wireguard service]
  wireguardServerPort: [Wireguard service port]
  wireguardServerPublicKey: [Public key for wireguard server]
  wireguardYourPrivateKey: [Your wireguard private key (see wireguard for details)]
  wireguardYourIpAddress: [Your ip address on the VPN network (see wireguard for details)]
  wireguardMatch: "^172"
[...]
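As an added example (not part of Automation-cli or onetun), the following Python checks an internalVpn block before use and applies wireguardMatch the way the “run” switches describe it: only hosts matching the regular expression go through the tunnel. The inventory values are constructed placeholders, not real keys or addresses.

```python
import base64
import re

# Constructed inventory fragment mirroring the internalVpn block (placeholder values).
INVENTORY = {
    "internalVpn": {
        "wireguardServerAddress": "203.0.113.10",
        "wireguardServerPort": 51820,
        "wireguardServerPublicKey": base64.b64encode(b"\x01" * 32).decode(),
        "wireguardYourPrivateKey": base64.b64encode(b"\x02" * 32).decode(),
        "wireguardYourIpAddress": "10.8.0.5",
        "wireguardMatch": "^172",
    }
}


def is_wireguard_key(value):
    """A WireGuard key is 32 raw bytes, i.e. 44 base64 characters ending in '='."""
    if not isinstance(value, str) or len(value) != 44:
        return False
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False


def validate_vpn_block(vpn):
    """Return the problems found in an internalVpn block (empty list if it is usable)."""
    problems = []
    for field in ("wireguardServerPublicKey", "wireguardYourPrivateKey"):
        if not is_wireguard_key(vpn.get(field, "")):
            problems.append(f"{field}: not a 44-character base64 WireGuard key")
    port = vpn.get("wireguardServerPort")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("wireguardServerPort: must be an integer in 1..65535")
    try:
        re.compile(vpn.get("wireguardMatch", ""))
    except re.error as exc:
        problems.append(f"wireguardMatch: invalid regular expression ({exc})")
    return problems


def split_hosts(hosts, match_pattern):
    """Partition hosts into those tunnelled through WireGuard and those reached directly.
    re.search honours the author's anchors: '^172' matches every address starting with 172."""
    pattern = re.compile(match_pattern)
    via_vpn = [h for h in hosts if pattern.search(h)]
    direct = [h for h in hosts if not pattern.search(h)]
    return via_vpn, direct
```

Running validate_vpn_block on the inventory before starting the tunnel catches a malformed key or regex early, without ever placing the private key on a command line.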