
Private / Nat peers with persistence but no endpoint

Open defect-track opened this issue 1 year ago • 2 comments

Hello,

I have the use case where some of my peers are behind a firewall where it isn't possible to get an inbound port opened for security reasons. However, if you just configure the persistence for these clients like described in https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence they can still be part of your VPN. Reading through the code you can set the persistence, but only if an endpoint is defined, which will of course fail in this scenario. I believe that this is quite a common use case?

My suggestion would be to introduce a new variable like "wireguard_private_peers" where you can define a list of peers located behind a firewall which will trigger to not populate the "Endpoint".

defect-track avatar Dec 20 '24 01:12 defect-track
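As an added illustration of the request above (example code, not part of the ansible-role-wireguard project), this renders the `[Peer]` sections each host would need, leaving `Endpoint` out for peers listed as private and putting `PersistentKeepalive` only on the NATed side; the peer dictionary shape, the `private_peers` list and the sample hosts are assumptions.

```python
"""Render WireGuard [Peer] sections where some peers sit behind NAT.

Added example; the inventory format below is an assumption, not the
role's own variable layout.
"""

# Constructed sample inventory: a reachable hub and a laptop behind a
# firewall that allows no inbound port. Keys are placeholders.
PEERS = {
    "hub": {
        "public_key": "HUB_PUBLIC_KEY_PLACEHOLDER=",
        "address": "10.8.0.1/32",
        "endpoint": "hub.example.com:51820",
    },
    "laptop": {
        "public_key": "LAPTOP_PUBLIC_KEY_PLACEHOLDER=",
        "address": "10.8.0.2/32",
        # No "endpoint": nobody can connect inbound to this host.
    },
}
PRIVATE_PEERS = ["laptop"]


def render_config(host, peers, private_peers, keepalive=25):
    """Return the [Peer] sections that `host` needs for every other peer."""
    behind_nat = host in private_peers
    sections = []
    for name, peer in peers.items():
        if name == host:
            continue
        lines = [
            "[Peer]",
            f"# {name}",
            f"PublicKey = {peer['public_key']}",
            f"AllowedIPs = {peer['address']}",
        ]
        if name not in private_peers:
            # Only peers that accept inbound traffic get an Endpoint; a
            # public peer without one is a configuration error.
            if "endpoint" not in peer:
                raise ValueError(f"public peer {name!r} has no endpoint")
            lines.append(f"Endpoint = {peer['endpoint']}")
            if behind_nat:
                # The NATed side sends keepalives so the firewall keeps
                # the outbound mapping open and the hub can reach it.
                lines.append(f"PersistentKeepalive = {keepalive}")
        sections.append("\n".join(lines))
    return "\n\n".join(sections)
```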

Does #225 / #222 maybe solve this problem?

githubixx avatar Oct 05 '25 08:10 githubixx

No, they solve a different issue compared to the one I'm facing.

In this case you are behind a firewall (managed outside of your control) where you can't have an endpoint configured that clients can connect to. It is rather a one-way communication in the first place, hence no need for endpoint configuration. See the wireguard link provided.

The referenced PR solves a different issue of client network isolation. It has nothing to do with wireguard low-level connection options.

defect-track avatar Oct 05 '25 09:10 defect-track

@defect-track Pay attention to the unmanaged_peers setting. Your situation is easily resolved.

If you still want to define peers in inventory, you'll need some Ansible code, of course.

pavlozt avatar Dec 17 '25 08:12 pavlozt