githubixx
Can't set interface listen port without wireguard_endpoint being defined
The recent changes to the config template, namely adding a condition linking ListenPort to wireguard_endpoint have broken the ability to set a port on the interface without an endpoint defined. On 17.1.0 we get a random port assigned by WG every time, because the portion of the template setting up ListenPort never gets rendered. Server interfaces don't need endpoints configured - only the client peers need to specify endpoints to know where to connect, so this condition doesn't match WireGuard's actual requirements.
Change was merged in with 17.1.0 - https://github.com/githubixx/ansible-role-wireguard/issues/101 /
https://github.com/githubixx/ansible-role-wireguard/pull/102/files
https://github.com/githubixx/ansible-role-wireguard/blob/master/templates/etc/wireguard/wg.conf.j2#L18-L20:
[Interface]
...
{% if wireguard_endpoint is defined and wireguard_endpoint != "" %}
ListenPort = {{ wireguard_port }}
{% endif %}
Note that this is on the interface, not the peer. This functionality works as expected on 17.0.0 prior to the changes above.
+1 to this one. It shot me into the foot multiple times now. It should be fixed that port configuration is always rendered into config if it is specified in the yaml.
So what do you suggest? For some people https://github.com/githubixx/ansible-role-wireguard/pull/102 solved a problem. Just reverting the PR might also not be an option.
So what do you suggest? For some people #102 solved a problem. Just reverting the PR might also not be an option.
That is something else I think. That issue is about peers, this issue is about the interface block. The request is valid. To have wireguard passivly listening (vpn server), you should define the ListPort without a endpoint.
As a ugly hack, i currently misused the saveconfig var:
wireguard_save_config: |
true
ListenPort = 51820
