

The cake function baseline_wireguard_mesh executes the Ansible role-wireguard-mesh, which installs and configures wireguard in a server-to-server mesh configuration.

Simplified, the role_wireguard_mesh works as follows:

  • Install the wireguard apt packages
  • Generate a private and public key
  • Download the public key from all other servers
  • Template /etc/wireguard/mesh.conf, which contains the public IP and public key of all other servers
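The templating step above, as an added shell example (this is not the Ansible role's own template or code): given the peer data the role has collected, it renders a mesh.conf that pins each peer's AllowedIPs to that peer's single mesh address, so WireGuard's cryptokey routing only accepts packets for a mesh IP from the key that owns it, and it rejects malformed public keys before they reach the config. The peer list format, the 10.255.0.0/24 subnet, the 203.0.113.x public IPs and the placeholder keys are all constructed for the example; loading the private key from the separate mesh.key file via PostUp is one way to keep it out of the config file and is an assumption about how the role does it, not something this page states.

```shell
#!/bin/sh
# Added example: a minimal stand-in for the role's mesh.conf template, not
# the project's own code. Assumptions (not taken from this page): the mesh
# subnet is 10.255.0.0/24, public IPs are from the documentation range
# 203.0.113.0/24 (constructed), and peer data arrives one per line as
#   "hostname public_ip mesh_ip public_key"
# after the role has collected every server's public key.

MESH_PORT=51819                          # port shown by `wg show` on this page
PRIVATE_KEY_FILE=/etc/wireguard/mesh.key # the private key file listed on this page

# A WireGuard key is 32 bytes in base64: 44 chars, and the 43rd char carries
# only 4 payload bits, so its base64 index must be a multiple of 4.
# Rejecting anything else keeps a truncated or tampered "public key" fetched
# from another server out of the rendered config.
valid_wg_key() {
    [ "${#1}" -eq 44 ] &&
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# render_mesh_conf SELF_HOST SELF_MESH_IP PREFIX_LEN < peer_list
# Prints a mesh.conf to stdout. Returns 1 if any peer line had to be skipped.
render_mesh_conf() {
    self="$1" self_ip="$2" prefix="$3" skipped=0
    # The private key stays in its own 0600 file instead of inline in the
    # config; wg-quick loads it via PostUp (assumed layout, see lead-in).
    printf '[Interface]\nAddress = %s/%s\nListenPort = %s\n' "$self_ip" "$prefix" "$MESH_PORT"
    printf 'PostUp = wg set %%i private-key %s\n\n' "$PRIVATE_KEY_FILE"
    while read -r host pub_ip mesh_ip pubkey; do
        [ -z "$host" ] && continue
        [ "$host" = "$self" ] && continue          # a server is never its own peer
        if ! valid_wg_key "$pubkey"; then
            printf 'skipping %s: malformed public key\n' "$host" >&2
            skipped=1
            continue
        fi
        # AllowedIPs is pinned to the peer's single mesh address: WireGuard's
        # cryptokey routing then only accepts packets from that key with that
        # source address, so one compromised server cannot impersonate another.
        printf '# %s\n[Peer]\nPublicKey = %s\nEndpoint = %s:%s\nAllowedIPs = %s/32\nPersistentKeepalive = 25\n\n' \
            "$host" "$pubkey" "$pub_ip" "$MESH_PORT" "$mesh_ip"
    done
    return $skipped
}

# Constructed sample inventory (placeholder keys, documentation-range IPs).
# The third line carries a deliberately malformed key to show the rejection.
SAMPLE_PEERS='cus-www-prod-web-1 203.0.113.10 10.255.0.1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
cus-www-prod-db-1 203.0.113.11 10.255.0.2 BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBA=
cus-util-prod-log-1 203.0.113.12 10.255.0.3 not-a-key'

# Render web-1's view of the mesh; log-1 is skipped and reported on stderr.
printf '%s\n' "$SAMPLE_PEERS" | render_mesh_conf cus-www-prod-web-1 10.255.0.1 24 \
    || echo "one or more peers skipped, config incomplete" >&2
```

Run it as-is to see web-1's rendered config on stdout; a role would write that output to /etc/wireguard/mesh.conf with mode 0600 and then restart wg-quick@mesh. The /32 per peer is the point: a broader AllowedIPs (for example the whole mesh subnet) on every peer would let any single server claim traffic for any mesh address.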


Key             Value
Playbook path   plays/baseline/wireguard-mesh.yml

Config file                 Description
/etc/wireguard/mesh.conf    Wireguard configuration file for the server-to-server mesh network
/etc/wireguard/mesh.key     Wireguard mesh private key
/etc/wireguard/             Wireguard mesh public key


Define a subnet for the wireguard mesh:


wireguard_mesh_subnet: ""

Define individual wireguard mesh IPs for each server:


cus-www-prod-db-1 nic_wg_mesh_ip= nic_pub_ip=

Adding new servers

Define the new servers in inventory/hosts and run cake -f baseline_wireguard_mesh -i pub. Use the pub inventory (--inventory pub, i.e. the servers' public IPs) rather than the vpn inventory: the play restarts the wireguard mesh on every server, which would cut off an Ansible session that itself runs over the mesh.


Common commands

Show wireguard status:

root@any-server ~ # wg show

interface: mesh
  public key: wireguard-public-key=
  private key: (hidden)
  listening port: 51819

peer: wireguard-public-key=
  allowed ips:
  latest handshake: 2 seconds ago
  transfer: 1.60 GiB received, 160.15 MiB sent

peer: wireguard-public-key=
  allowed ips:
  latest handshake: 11 seconds ago
  transfer: 1.50 GiB received, 122.50 MiB sent
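A health check built on the same command, as an added example (not part of this page or the project): `wg show mesh latest-handshakes` prints each peer's public key and the unix time of its last handshake, and a peer whose handshake is older than a few minutes (an active WireGuard session rekeys about every two minutes) or that never completed one is either unreachable or misconfigured, which is what you want to know before trusting the mesh for a deploy. The sample input, the placeholder keys and the 180 second threshold are constructed for the example.

```shell
#!/bin/sh
# Added example (not the project's own code): flag mesh peers that have not
# completed a handshake recently, from `wg show mesh latest-handshakes` output.

# stale_mesh_peers NOW MAX_AGE < handshake_list
#   stdin lines: "<peer public key> <unix timestamp>" (0 = never handshaked),
#   which is the format `wg show <iface> latest-handshakes` prints.
#   Prints "<key> <age>s" or "<key> never" per stale peer;
#   returns 1 if any peer is stale, 0 otherwise.
stale_mesh_peers() {
    awk -v now="$1" -v max="$2" '
        NF == 2 && $2 == 0        { print $1, "never"; stale++; next }
        NF == 2 && now - $2 > max { print $1, (now - $2) "s"; stale++ }
        END { exit stale ? 1 : 0 }'
}

# Constructed sample: placeholder keys, "now" taken as 1700000100.
# Peer A handshaked 50 s ago, peer B 1100 s ago, peer C never.
SAMPLE='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= 1700000050
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBA= 1699999000
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCA= 0'

printf '%s\n' "$SAMPLE" | stale_mesh_peers 1700000100 180 \
    || echo "stale mesh peers found" >&2

# On a mesh member, check the live interface instead (needs root):
#   wg show mesh latest-handshakes | stale_mesh_peers "$(date +%s)" 180
```

The threshold is deliberately above WireGuard's 120 s rekey interval but close to its 180 s session reject time; a peer that is silent for longer than that has not exchanged traffic with this server for a whole session, so map the flagged key back to a hostname via the peer comments in mesh.conf and check that server's public reachability and key.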


Start / Stop wireguard:

systemctl stop wg-quick@mesh.service
systemctl start wg-quick@mesh.service
systemctl status wg-quick@mesh.service


Ping all servers via VPN. The ping packets are routed from your workstation over the employee VPN to gateway-1 or gateway-2, then over the server-to-server mesh VPN from that gateway to the destination server:

CAKE master * cake -f debug_ping -i vpn
TASK [ping] ******************
ok: [cus-util-prod-log-1]
ok: [cus-util-prod-monitoring-1]
ok: [cus-util-prod-gitci-1]
ok: [cus-util-prod-deploy-1]
ok: [cus-www-prod-web-1]
ok: [cus-www-prod-myapp-1]

Ping server A from server B:

root@cus-util-prod-monitoring-1 ~ # host log
log has address

root@cus-util-prod-monitoring-1 ~ # ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=1.01 ms

Source of the following commands

Debug wireguard logs live (needs root and debugfs mounted at /sys/kernel/debug; the last command switches the verbose messages off again, do not leave them enabled on a production server):

echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
dmesg -wT | grep wireguard
echo module wireguard -p > /sys/kernel/debug/dynamic_debug/control

Debug wireguard packets (the mesh listens on UDP 51819, as shown by wg show; the capture filter needs the protocol qualifier before the port, "port 51819 udp" is a syntax error):

tcpdump -i any udp port 51819