Make endpoint optional

The endpoint parameter is only required if wireguard should connect to a remote site. That's not always possible. For example in situations where the remote site is behind a NAT gateway and/or has a dynamic IP address. For such setups you can create a 'passive' configuration that listens for incoming packets.
voxpupuli · Jul 27, 2021 · f78a6fc · f78a6fc
1 parent d0b4338
commit f78a6fc
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 11 deletions.
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -85,6 +85,14 @@ wireguard::interface {'as2273':
   endpoint         => 'wg.example.com:53668',
   addresses        => [{'Address' => '192.168.218.87/32', 'Peer' => '172.20.53.97/32'}, {'Address' => 'fe80::ade1/64',},],
 }
+
+Create a passive wireguard interface that listens for incoming connections. Useful when the other side has a dynamic IP / is behind NAT
+wireguard::interface {'as2273':
+  source_addresses => ['2003:4f8:c17:4cf::1', '149.9.255.4'],
+  public_key       => 'BcxLll1BVxGQ5DeijroesjroiesjrjvX+EBhS4vcDn0R0=',
+  dport            => 53668,
+  addresses        => [{'Address' => '192.168.218.87/32', 'Peer' => '172.20.53.97/32'}, {'Address' => 'fe80::ade1/64',},],
+}
 ```
 
 #### Parameters
@@ -157,10 +165,12 @@ base64 encoded pubkey from the remote peer
 
 ##### <a name="endpoint"></a>`endpoint`
 
-Data type: `String[1]`
+Data type: `Optional[String[1]]`
 
 fqdn:port or ip:port where we connect to
 
+Default value: ``undef``
+
 ##### <a name="addresses"></a>`addresses`
 
 Data type: `Array[Hash[String,Variant[Stdlib::IP::Address::V4::CIDR,Stdlib::IP::Address::V6::CIDR]]]`

diff --git a/manifests/interface.pp b/manifests/interface.pp
@@ -30,9 +30,16 @@
 #    addresses        => [{'Address' => '192.168.218.87/32', 'Peer' => '172.20.53.97/32'}, {'Address' => 'fe80::ade1/64',},],
 #  }
 #
+#  Create a passive wireguard interface that listens for incoming connections. Useful when the other side has a dynamic IP / is behind NAT
+#  wireguard::interface {'as2273':
+#    source_addresses => ['2003:4f8:c17:4cf::1', '149.9.255.4'],
+#    public_key       => 'BcxLll1BVxGQ5DeijroesjroiesjrjvX+EBhS4vcDn0R0=',
+#    dport            => 53668,
+#    addresses        => [{'Address' => '192.168.218.87/32', 'Peer' => '172.20.53.97/32'}, {'Address' => 'fe80::ade1/64',},],
+#  }
 define wireguard::interface (
   String[1] $public_key,
-  String[1] $endpoint,
+  Optional[String[1]] $endpoint = undef,
   Optional[Array[Stdlib::IP::Address]] $destination_addresses = [$facts['networking']['ip'], $facts['networking']['ip6'],],
   String[1] $interface = $title,
   Integer[1024, 65000] $dport = Integer(regsubst($title, '^\D+(\d+)$', '\1')),
@@ -78,28 +85,29 @@
     require => Exec["generate ${interface} keys"],
   }
   # lint:ignore:strict_indent
-  $netdev_config = @("EOT")
+  $netdev_config = @(EOT)
+  <%- | $interface, $dport, $public_key, $endpoint | -%>
   # THIS FILE IS MANAGED BY PUPPET
   # based on https://dn42.dev/howto/wireguard
   [NetDev]
-  Name=${interface}
+  Name=<%= $interface %>
   Kind=wireguard
 
   [WireGuard]
-  PrivateKeyFile=/etc/wireguard/${interface}
-  ListenPort=${dport}
+  PrivateKeyFile=/etc/wireguard/<%= $interface %>
+  ListenPort=<%= $dport %>
 
   [WireGuardPeer]
-  PublicKey=${public_key}
-  # OPTIONAL, pre-shared key
-  #PresharedKey=<pre-shared key>
-  Endpoint=${endpoint}
+  PublicKey=<%= $public_key %>
+  <% if $endpoint { -%>
+  Endpoint=<%= $endpoint %>
+  <%} -%>
   AllowedIPs=fe80::/64
   AllowedIPs=fd00::/8
   AllowedIPs=0.0.0.0/0
   | EOT
   systemd::network { "${interface}.netdev":
-    content         => $netdev_config,
+    content         => inline_epp($netdev_config, { 'interface' => $interface, 'dport' => $dport, 'public_key' => $public_key, 'endpoint' => $endpoint}),
     restart_service => true,
     owner           => 'root',
     group           => 'systemd-network',