From 55a6e0f7138706dc7a2c008a36212289beaa3fbd Mon Sep 17 00:00:00 2001 From: Tanguy Herbron Date: Tue, 25 Mar 2025 18:01:19 +0100 Subject: [PATCH] docs(Wireguard): Add documentation --- docs/6-network.md | 38 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 36 insertions(+), 2 deletions(-) diff --git a/docs/6-network.md b/docs/6-network.md index 44bd5f5..6ce6c71 100644 --- a/docs/6-network.md +++ b/docs/6-network.md @@ -1,4 +1,38 @@ # Network -Coming soon ! -// Wireguard +Our infrascture may have machines accross multiple locations. We need to ensure that all machines can communicate with each other, even if they are behind a NAT. To allow such configuration, we will be using a VPN, more precisely, Wireguard. This also has the advantage of encrypting all traffic going between nodes. + +To ease the installation process, the installation is handled by [Jawher Moussa's ansible playbook](https://github.com/jawher/automation-wireguard). + +## Configuration + +When adding a new host to the inventory, the following entry needs to be added: +```yaml +all: + hosts: + : + wireguard_ip: + [...] +``` + +The `wireguard_ip` is the unique IP address the host will use to communicate with other hosts. + +It is also recommended to change the `wireguard_port` in `inventory/*/group_vars/all.yml` to a random port for added obfuscation. +Lastly, you can modify the `wireguard_mask_bits` to change the size of the subnet, but it is recommended to keep it at 8 for 254 IPs. + +### UFW + +For added security, UFW can be installed, but isn't enabled by default with these playbooks. To enable it, set the `enable_ufw` variable to `true` in `inventory/*/group_vars/all.yml`. + +You will need to read more about the playbook's documentation [here](https://github.com/jawher/automation-wireguard). + +## Installation + +To install Wireguard on all hosts, run the following commands: +```bash +# Select the desired environment +export ENV= + +# Install Wireguard +make wg +```
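Review bot: The subnet-size sentence in the "Configuration" section ("keep it at 8 for 254 IPs") does not add up if `wireguard_mask_bits` is a CIDR prefix length: 8 mask bits is a /8 (about 16.7 million addresses), while a 254-host subnet is a /24, so either the number or the explanation should be corrected after checking how the playbook uses the variable. In the same section, "a random port for added obfuscation" overstates the benefit: the tunnel's security comes from WireGuard's key-based authentication, and a non-default port only reduces noise from opportunistic scanners, so the wording should say that rather than imply a security gain. The UFW paragraph should also state which ports the playbook opens when `enable_ufw` is `true` (at minimum the configured `wireguard_port` on UDP and the SSH port), since enabling a host firewall remotely without that information risks locking operators out. The YAML example under "Configuration" shows an empty host key (`:`) and an empty `wireguard_ip:` value; if placeholders such as angle-bracketed names were intended, they were lost and should be restored so the snippet is unambiguous, and the `export ENV=` line in "Installation" needs the same treatment. Finally, the first paragraph has two typos, "infrascture" and "accross", and the project's name is spelled "WireGuard".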