As mentioned in the previous post, networkd is quite nice for network configurations. It can also configure network devices, such as wireguard tunnels. The following config can go into a .netdev file (like /etc/systemd/network/as3668-1.netdev):
[NetDev]
Name=as3668-1
Kind=wireguard
MTUBytes=1412
[WireGuard]
PrivateKeyFile=/etc/wireguard/as3668-1
ListenPort=1337
[WireGuardPeer]
PublicKey=WiN46vGCfAGuH7p6mc+9zLvtmuACdyMtXULETbGP2SM=
Endpoint=router01.tld:1337
PersistentKeepalive=5
AllowedIPs=fe80::/64
AllowedIPs=fd00::/8
AllowedIPs=0.0.0.0/0
The configuration reads the private key from /etc/wireguard/as3668-1, connects to router01.tld on port 1337, sends a keepalive packet every 5 seconds and allows all traffic to flow through the tunnel. The MTU is set to 1412 because this goes through a VDSL line. Of course you can configure all of this via Puppet! I published a module at https://forge.puppet.com/modules/puppet/wireguard. The following snippet creates the above configuration:
wireguard::interface { 'as3668-1':
  source_addresses      => ['144.76.249.216', '2a01:4f8:171:1152::11'],
  public_key            => 'WiN46vGCfAGuH7p6mc+9zLvtmuACdyMtXULETbGP2SM=',
  # host:port, matching Endpoint= in the .netdev above
  endpoint              => 'router01.tld:1337',
  dport                 => 1337,
  input_interface       => $facts['networking']['primary'],
  addresses             => [
    { 'Address' => '169.254.0.8/32', 'Peer' => '169.254.0.7/32' },
    { 'Address' => 'fe80::beef:e/64' },
  ],
  destination_addresses => [],
  persistent_keepalive  => 5,
}
It will also create a .network file:
[Match]
Name=as3668-1
[Network]
DHCP=no
IPv6AcceptRA=false
IPForward=yes
# for networkd >= 244 KeepConfiguration stops networkd from
# removing routes on this interface when restarting
KeepConfiguration=yes
[Address]
Address=169.254.0.8/32
Peer=169.254.0.7/32
[Address]
Address=fe80::beef:e/64
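Because networkd files repeat both keys (AllowedIPs=) and whole sections ([Address], [WireGuardPeer]), Python's configparser cannot read them faithfully. The following added example (my own code, not part of the post or the puppet-wireguard module) is a small parser for the .netdev/.network syntax shown above plus a review lint for the wireguard .netdev: it flags an inline PrivateKey= instead of PrivateKeyFile=, an Endpoint= that is not host:port (the kind of typo that is easy to make in the Puppet snippet), and a peer whose AllowedIPs= contains a default route, which is what lets all traffic flow through the tunnel. The sample config is the as3668-1.netdev from the post embedded as a string.

```python
import ipaddress
# Constructed sample input: the as3668-1.netdev from the post, embedded inline.
NETDEV = """\
[NetDev]
Name=as3668-1
Kind=wireguard
MTUBytes=1412
[WireGuard]
PrivateKeyFile=/etc/wireguard/as3668-1
ListenPort=1337
[WireGuardPeer]
PublicKey=WiN46vGCfAGuH7p6mc+9zLvtmuACdyMtXULETbGP2SM=
Endpoint=router01.tld:1337
PersistentKeepalive=5
AllowedIPs=fe80::/64
AllowedIPs=fd00::/8
AllowedIPs=0.0.0.0/0
"""

def parse_networkd(text):
    """Parse .netdev/.network text into [(section, {key: [values]})], keeping repeats."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif sections and "=" in line:  # repeated keys such as AllowedIPs= accumulate
            key, _, value = line.partition("=")
            sections[-1][1].setdefault(key.strip(), []).append(value.strip())
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return sections

def lint_wireguard_netdev(text):
    """Review findings for a wireguard .netdev: key handling, Endpoint syntax, catch-all AllowedIPs=."""
    findings, sections = [], parse_networkd(text)
    wg = next((kv for name, kv in sections if name == "WireGuard"), {})
    if "PrivateKey" in wg:  # key material inside the unit file instead of a 0600 key file
        findings.append("PrivateKey= inline; use PrivateKeyFile= instead")
    for peer in (kv for name, kv in sections if name == "WireGuardPeer"):
        for ep in peer.get("Endpoint", []):
            host, sep, port = ep.rpartition(":")  # rpartition also handles [v6addr]:port
            if not (sep and host and port.isdigit() and 0 < int(port) < 65536):
                findings.append(f"Endpoint={ep!r} is not host:port")
        if any(ipaddress.ip_network(a, strict=False).prefixlen == 0 for a in peer.get("AllowedIPs", [])):
            findings.append("peer AllowedIPs= includes a default route (all traffic)")
    return findings
```

On the post's own .netdev the only finding is the default-route note, which is intended here; the same parser reads the .network file above and keeps both [Address] sections.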