Deploying WireGuard VPN with Ansible and Nginx for Secure Access

Deploying WireGuard VPN with Ansible and Nginx for Secure Access
Photo by Annie Spratt / Unsplash


WireGuard is a modern and lightweight VPN solution that excels in simplicity and security. In this article, we will guide you through deploying WireGuard on a VPN server using Ansible for automated configuration.

Additionally, we'll configure Nginx to allow access only to users connecting via the WireGuard VPN, with UFW (Uncomplicated Firewall) providing an extra layer of security.

How this should work?

Client <——————————Wireguard Tunnel——————————>Web App

  • The client should configure on his end (Wireguard tunnel) via the Wireguard app
  • The private web server should be accessible only for clients are using Wireguard client(using the VPN client)

Step 1: Setting Up the VPN Server

1.1. Install WireGuard:

Start by installing WireGuard on your VPN server. WireGuard is available in the official Ubuntu repositories.

sudo apt update
sudo apt install wireguard

1.2. Generate WireGuard Keys:

Generate a key pair for the VPN server:

wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey

1.3. Create the WireGuard Configuration:

Create a WireGuard configuration file (/etc/wireguard/wg0.conf). Replace <your_server_private_key> and <your_server_public_key> with your server's private and public keys:

sudo nano /etc/wireguard/wg0.conf
PrivateKey = <your_server_private_key>
Address =
ListenPort = 51820

PublicKey = <client1_public_key>
AllowedIPs =

PublicKey = <client2_public_key>
AllowedIPs =

1.4. Start WireGuard:

Enable and start the WireGuard service:

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0

Step 2: Automate WireGuard Configuration with Ansible

Automate the generation of WireGuard client configurations using Ansible. Create an Ansible playbook (e.g., generate_wg_config.yml) to generate client configurations:

2.1. Install Ansible:

If you haven't already, install Ansible on your local machine:

pip install ansible

2.2. Create an Ansible Playbook:

Create the Ansible playbook:

- hosts: localhost
    - name: Generate WireGuard Key Pair
      command: wg genkey | tee {{ client_key }} | wg pubkey > {{ client_public_key }}
        - client1_key
        - client2_key
      delegate_to: localhost

    - name: Generate WireGuard Config
        src: templates/wireguard-client.conf.j2
        dest: /etc/wireguard/clients/{{ item.0 }}.conf
        owner: root
        group: root
        mode: '0600'
        - ["client1", ""]
        - ["client2", ""]
      delegate_to: localhost

2.3. Create a Jinja2 Template:

Create a Jinja2 template (e.g., wireguard-client.conf.j2) for generating WireGuard client configuration files:

PrivateKey = {{ lookup('file', item.0 + '_key') }}
Address = {{ item.1 }}
DNS =  # Optional: Set your DNS server

PublicKey = {{ server_public_key }}
Endpoint = {{ server_public_ip }}:51820
AllowedIPs =

2.4. Run the Ansible Playbook:

Execute the Ansible playbook to generate client configurations:

ansible-playbook -i localhost, generate_wg_config.yml

Step 3: Configuring Nginx and UFW

Now, let's configure Nginx to allow access only to users connecting through the WireGuard VPN. UFW will be used for firewalling.

3.1. Install Nginx:

Install Nginx if it's not already installed:

sudo apt install nginx

3.2. Create an Nginx Server Block:

Create an Nginx server block configuration for your application. Replace <your_application_config> with your actual Nginx configuration.

sudo nano /etc/nginx/sites-available/<your_application_config>
server {
    listen 80;

    location / {
        deny all;
        # Allow access only from WireGuard VPN IP range
        deny all;

    # Additional Nginx configuration for your application...

3.3. Enable the Nginx Server Block:

Enable the Nginx server block configuration by creating a symbolic link:

sudo ln -s /etc/nginx/sites-available/<your_application_config> /etc/nginx/sites-enabled/

3.5. Configure UFW:

Allow incoming connections from and enable UFW:

sudo ufw allow from
sudo ufw enable

3.6. Test Nginx Configuration:

Before reloading Nginx, test the configuration to ensure there are no syntax errors:

sudo nginx -t

3.7. Reload Nginx:

Reload Nginx to apply the configuration changes:

sudo systemctl reload nginx

Final step : Configure Wireguard VPN client to access the private web apps.

Click here to Configuring WireGuard Clients on macOS, Linux, and Windows


You have successfully deployed WireGuard on a VPN server using Ansible for automated client configurations.

Additionally, Nginx and UFW have been configured to allow access only to users connecting through the WireGuard VPN.

This setup provides a secure and private way to access your web server and resources, enhancing the overall security of your infrastructure.

Be sure to maintain your server and WireGuard configurations while keeping security in mind at all times.