2026-02-21 16:54:18 +01:00

WireGuard Lab Overlay Network

Automated deployment of WireGuard-based overlay networks for lab environments, with support for Linux, MikroTik and OpenWrt gateways.

Features

  • Multi-Vendor Support: Linux VMs, MikroTik routers, and OpenWrt devices
  • Layer 2 Overlay: VXLAN over WireGuard for L2 connectivity
  • DHCP Options: ISC DHCP with failover peers, or dnsmasq with split (non-overlapping) ranges
  • Road Warrior Access: Built-in support for mobile/laptop clients
  • Monitoring: Prometheus exporters and Grafana dashboards
  • Firewall Isolation: Automatic firewall zones for OpenWrt gateways
  • Full Automation: Terraform + Ansible deployment

Architecture

  • WireGuard: Encrypted mesh tunnels between gateways
  • VXLAN: Layer 2 extension over WireGuard
  • Linux Bridge/MikroTik Bridge: Local device attachment
  • DHCP: Redundant DHCP servers per lab network
  • Monitoring Hub: Centralized Prometheus + Grafana
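The layering above (WireGuard tunnel, VXLAN on top of it, a bridge on top of that) has two consequences that are easy to get wrong by hand: each layer eats MTU, and each peer's AllowedIPs must be pinned to that peer's own tunnel address so that the unauthenticated VXLAN traffic inside the tunnel cannot be spoofed by another gateway. The following is an added example written for this README, not code from the project's Ansible roles. It derives the MTU ladder and renders one gateway's WireGuard config plus the iproute2 commands for the VXLAN and bridge. Interface names (wg-<lab>, vx-<lab>, br-<lab>), the ports (51820 and 4789), the /32-per-gateway tunnel addressing and the three sample gateways with placeholder public keys are all assumptions, not values taken from the project.

```python
"""Added example: MTU ladder and per-gateway plumbing for one lab network.
Illustrative code for this README, not the project's roles.  Interface
names, ports, /32 tunnel addressing and the sample gateways are assumed."""
from dataclasses import dataclass
import ipaddress

WG_PORT = 51820      # assumed
VXLAN_PORT = 4789    # IANA VXLAN port, assumed to be what the roles use

# Per-packet overhead of each encapsulation layer, in bytes.
WG_OVERHEAD_V4 = 20 + 8 + 32      # outer IPv4 + UDP + WireGuard data header/tag
WG_OVERHEAD_V6 = 40 + 8 + 32      # outer IPv6 + UDP + WireGuard data header/tag
VXLAN_OVERHEAD = 14 + 20 + 8 + 8  # inner Ethernet + IPv4 + UDP + VXLAN header


@dataclass(frozen=True)
class LabNetwork:
    name: str
    vni: int
    subnet: ipaddress.IPv4Network
    wireguard_net: ipaddress.IPv4Network


@dataclass(frozen=True)
class Gateway:
    name: str
    wg_ip: ipaddress.IPv4Address   # tunnel address inside wireguard_net
    endpoint: str                  # underlay host:port the other peers dial
    public_key: str


def wg_mtu(underlay_mtu: int = 1500, underlay_ipv6: bool = True) -> int:
    """Tunnel MTU that never fragments on the underlay.  The default is the
    IPv6-safe 1420 that wg-quick also picks; pass underlay_ipv6=False for an
    IPv4-only path (1440)."""
    return underlay_mtu - (WG_OVERHEAD_V6 if underlay_ipv6 else WG_OVERHEAD_V4)


def vxlan_mtu(tunnel_mtu: int) -> int:
    """MTU for the VXLAN interface and its bridge, so an encapsulated frame
    still fits in one WireGuard packet."""
    return tunnel_mtu - VXLAN_OVERHEAD


def render_wg_conf(lab, me, peers, private_key_file, tunnel_mtu):
    """wg-quick config for `me`.  Each peer's AllowedIPs is only its own
    tunnel /32: cryptokey routing then drops anything that peer sends with a
    neighbour's tunnel address as source, so one compromised gateway cannot
    inject VXLAN frames as another.  The private key is loaded from a
    root-only file in PostUp instead of being written into the config."""
    lines = [
        "[Interface]",
        f"Address = {me.wg_ip}/{lab.wireguard_net.prefixlen}",
        f"ListenPort = {WG_PORT}",
        f"MTU = {tunnel_mtu}",
        f"PostUp = wg set %i private-key {private_key_file}",
    ]
    for p in peers:
        lines += [
            "",
            f"# {p.name}",
            "[Peer]",
            f"PublicKey = {p.public_key}",
            f"AllowedIPs = {p.wg_ip}/32",
            f"Endpoint = {p.endpoint}",
            "PersistentKeepalive = 25",
        ]
    return "\n".join(lines) + "\n"


def render_vxlan_cmds(lab, me, peers, tunnel_mtu):
    """iproute2 commands that extend the lab's L2 segment over the tunnel.
    The VTEP is bound to the wg interface and addressed by tunnel IPs only,
    so VXLAN (which has no authentication of its own) is never exposed on
    the underlay.  BUM traffic (ARP, DHCP discover) is head-end replicated
    to every peer via all-zero FDB entries; no multicast on the wg link."""
    wg_if, vx_if, br_if = f"wg-{lab.name}", f"vx-{lab.name}", f"br-{lab.name}"
    mtu = vxlan_mtu(tunnel_mtu)
    cmds = [
        f"ip link add {vx_if} type vxlan id {lab.vni} dstport {VXLAN_PORT} "
        f"local {me.wg_ip} dev {wg_if}",
        f"ip link set {vx_if} mtu {mtu}",
        f"ip link add {br_if} type bridge",
        f"ip link set {br_if} mtu {mtu}",
        f"ip link set {vx_if} master {br_if}",
    ]
    cmds += [f"bridge fdb append 00:00:00:00:00:00 dev {vx_if} dst {p.wg_ip}"
             for p in peers]
    cmds += [f"ip link set {vx_if} up", f"ip link set {br_if} up"]
    return cmds


# Constructed sample matching the README's lab100; public keys are placeholders.
LAB100 = LabNetwork("lab100", 100, ipaddress.IPv4Network("10.100.0.0/24"),
                    ipaddress.IPv4Network("172.16.100.0/24"))
GW_A = Gateway("gw-a", ipaddress.IPv4Address("172.16.100.1"), "198.51.100.10:51820", "GW_A_PUBKEY_PLACEHOLDER")
GW_B = Gateway("gw-b", ipaddress.IPv4Address("172.16.100.2"), "198.51.100.20:51820", "GW_B_PUBKEY_PLACEHOLDER")
GW_C = Gateway("gw-c", ipaddress.IPv4Address("172.16.100.3"), "203.0.113.30:51820", "GW_C_PUBKEY_PLACEHOLDER")

if __name__ == "__main__":
    mtu = wg_mtu()
    print(render_wg_conf(LAB100, GW_A, [GW_B, GW_C], "/etc/wireguard/wg-lab100.key", mtu))
    print("\n".join(render_vxlan_cmds(LAB100, GW_A, [GW_B, GW_C], mtu)))
```

With a 1500-byte underlay this yields 1420 on the tunnel and 1370 on the VXLAN and bridge; if hosts on the bridge are left at 1500 you get silent fragmentation or drops inside the tunnel, which shows up as "DHCP works but large transfers stall". Whatever the roles actually set, check the running values on a gateway with `ip -d link show` before debugging anything else.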

Quick Start

1. Prerequisites

# Install required tools
apt-get install terraform ansible python3-pip

# Install Ansible collections
ansible-galaxy collection install community.routeros
ansible-galaxy collection install ansible.netcommon

# Install Python dependencies
pip3 install librouteros prometheus-client

2. Configure Lab Networks

Edit terraform/terraform.tfvars:

lab_networks = {
  lab100 = {
    vni           = 100
    subnet        = "10.100.0.0/24"
    wireguard_net = "172.16.100.0/24"
    dhcp_mode     = "failover"
    road_warrior  = true
    gateways = [
      # Define your gateways here
    ]
  }
}

3. Deploy

# Run deployment script
./deploy.sh

Or manual steps:

# Initialize Terraform
cd terraform
terraform init
terraform apply
terraform output -json > outputs.json

# Deploy to gateways
cd ../ansible
ansible-playbook -i inventory/hosts.yml playbooks/site.yml

# Generate road warrior configs
ansible-playbook -i inventory/hosts.yml playbooks/generate-road-warrior.yml

# Start monitoring
cd ../monitoring
docker-compose up -d
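Because every lab is meant to be its own VNI with its own subnet and its own tunnel range, a typo in terraform.tfvars (a VNI reused between two labs, a subnet that overlaps another lab's, a wireguard_net that overlaps a lab subnet) does not fail loudly; it merges two labs into one broadcast domain or routes tunnel traffic into a lab. The check below is an added example written for this README, not a project tool, to run on the lab_networks map before step 3's terraform apply. It assumes the map has already been loaded into a Python dict (for instance with python-hcl2) and that "split" is the dhcp_mode value for the dnsmasq split-range option; the README only shows "failover", so that name, and the placeholder gateway entries in the sample, are assumptions.

```python
"""Added example: pre-apply sanity check for the lab_networks map.
Not part of the project.  Assumes the tfvars map is available as a dict and
that "split" is the dnsmasq dhcp_mode value (only "failover" is shown)."""
import ipaddress

DHCP_MODES = {"failover", "split"}   # "split" is an assumption
VNI_MAX = (1 << 24) - 1              # the VXLAN VNI is a 24-bit field


def validate_lab_networks(lab_networks: dict) -> list:
    """Return a list of problems; an empty list means the map is consistent."""
    errors = []
    vni_owner = {}   # vni -> lab name that already claimed it
    nets = []        # (lab name, key, network) for the overlap check

    for name, lab in lab_networks.items():
        vni = lab.get("vni")
        if not isinstance(vni, int) or not 1 <= vni <= VNI_MAX:
            errors.append(f"{name}: vni must be an integer in 1..{VNI_MAX}")
        elif vni in vni_owner:
            errors.append(f"{name}: vni {vni} already used by {vni_owner[vni]}")
        else:
            vni_owner[vni] = name

        for key in ("subnet", "wireguard_net"):
            try:
                # strict=True rejects host bits set, e.g. 10.100.0.1/24
                nets.append((name, key, ipaddress.ip_network(lab[key], strict=True)))
            except KeyError:
                errors.append(f"{name}: {key} is missing")
            except ValueError as exc:
                errors.append(f"{name}: {key} is not a valid network: {exc}")

        if lab.get("dhcp_mode") not in DHCP_MODES:
            errors.append(f"{name}: dhcp_mode must be one of {sorted(DHCP_MODES)}")
        if not isinstance(lab.get("road_warrior"), bool):
            errors.append(f"{name}: road_warrior must be true or false")
        # The README does not show the gateway entry schema, so only presence
        # is checked here.
        if not lab.get("gateways"):
            errors.append(f"{name}: no gateways defined")

    # Any overlap between any two ranges, within or across labs, is an error:
    # overlapping lab subnets or a tunnel range inside a lab subnet both
    # break the isolation the per-lab VNI is supposed to give.
    for i, (n1, k1, a) in enumerate(nets):
        for n2, k2, b in nets[i + 1:]:
            if a.version == b.version and a.overlaps(b):
                errors.append(f"{n1}.{k1} {a} overlaps {n2}.{k2} {b}")
    return errors


# Constructed sample: the README's lab100 plus a second lab.  Gateway entries
# are placeholders because the README does not show their structure.
SAMPLE = {
    "lab100": {"vni": 100, "subnet": "10.100.0.0/24", "wireguard_net": "172.16.100.0/24",
               "dhcp_mode": "failover", "road_warrior": True, "gateways": ["gw-a", "gw-b"]},
    "lab200": {"vni": 200, "subnet": "10.200.0.0/24", "wireguard_net": "172.16.200.0/24",
               "dhcp_mode": "split", "road_warrior": False, "gateways": ["gw-c"]},
}

if __name__ == "__main__":
    for problem in validate_lab_networks(SAMPLE) or ["ok"]:
        print(problem)
```

Run it from a pre-commit hook or at the top of deploy.sh and refuse to continue on a non-empty result; Terraform itself will happily apply an overlapping layout.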

Operational Playbooks

Rolling Update

ansible-playbook playbooks/rolling-update.yml

Health Check

ansible-playbook playbooks/health-check.yml

Emergency Shutdown

ansible-playbook playbooks/emergency-shutdown.yml

Restore Lab

ansible-playbook playbooks/restore-lab.yml

Add Gateway

ansible-playbook playbooks/add-gateway.yml

Remove Gateway

ansible-playbook playbooks/remove-gateway.yml

Directory Structure

wireguard-lab-overlay/
├── terraform/              # Infrastructure state
├── ansible/                # Configuration management
│   ├── roles/             # Ansible roles (Linux & MikroTik)
│   ├── playbooks/         # Operational playbooks
│   └── inventory/         # Inventory and variables
├── monitoring/            # Monitoring stack
│   ├── prometheus/
│   ├── grafana/
│   └── docker-compose.yml
├── road-warrior/          # Client configurations
└── docs/                  # Documentation

Monitoring

Access monitoring:

Security Notes

  • WireGuard private keys are stored in Terraform state, and state is plaintext JSON: anyone who can read it can decrypt tunnel traffic and impersonate a gateway. Use a remote backend with encryption at rest and tight access control, never commit state to the repository, and check whether the outputs.json written during deployment carries the keys as well, since it then needs the same handling.
  • For anything beyond a throwaway lab, keep the keys in HashiCorp Vault or AWS Secrets Manager instead of state, or generate each key on the gateway itself and export only the public key.
  • MikroTik credentials are kept in Ansible Vault; keep the vault password out of the repository and out of CI logs.
  • Road warrior configs contain the client's private key and the gateway endpoint: distribute them over an authenticated channel, one config per user, and remove the peer's public key from the gateway when a device is lost or retired.
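A concrete check for the first two notes: before pushing or sharing terraform.tfstate, outputs.json or a rendered road-warrior config, scan it for WireGuard private keys. The scanner below is an added example written for this README, not a project tool. It relies on two facts: a 32-byte key is exactly 44 base64 characters ending in one `=`, and `wg genkey` clamps Curve25519 private keys (low three bits of byte 0 cleared, top bit of byte 31 cleared, bit 6 of byte 31 set) while public keys are not clamped, so the bytes themselves usually reveal which kind of key leaked even when the field name does not say "private". The sample "state" and both keys in it are constructed for the example; neither is a real key.

```python
"""Added example: find WireGuard private keys in files about to be committed
or shared.  Illustrative code for this README, not a project tool; the
sample state and keys below are synthetic."""
import base64
import re
from dataclasses import dataclass

# 32 bytes in base64: 42 free characters, one character whose low two bits
# are zero, then a single '=' of padding (44 characters total).
_B64_32 = re.compile(
    r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=(?![A-Za-z0-9+/=])")


def is_clamped_scalar(key: bytes) -> bool:
    """True if the 32 bytes carry the Curve25519 clamping `wg genkey`
    applies to private keys.  A random public key passes this with only
    1-in-32 probability, so it separates the two kinds well."""
    return key[0] & 0b111 == 0 and key[31] & 0x80 == 0 and key[31] & 0x40 == 0x40


@dataclass(frozen=True)
class Finding:
    line: int
    key: str
    named_private: bool   # the surrounding line mentions "private"
    clamped: bool         # the bytes look like a private scalar


def find_wireguard_keys(text: str) -> list:
    """Every 32-byte base64 value in `text`, with both leak signals."""
    findings = []
    for m in _B64_32.finditer(text):
        raw = base64.b64decode(m.group(0))
        if len(raw) != 32:
            continue
        line_start = text.rfind("\n", 0, m.start()) + 1
        line_end = text.find("\n", m.end())
        line_text = text[line_start:line_end if line_end != -1 else None]
        findings.append(Finding(
            line=text.count("\n", 0, m.start()) + 1,
            key=m.group(0),
            named_private="private" in line_text.lower(),
            clamped=is_clamped_scalar(raw),
        ))
    return findings


def leaked_private_keys(text: str) -> list:
    """Findings worth blocking a commit on: either signal is enough."""
    return [f for f in find_wireguard_keys(text) if f.named_private or f.clamped]


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


# Synthetic keys: a clamped scalar standing in for a private key and an
# unclamped value standing in for a public key.  Neither is a real key.
_priv = bytearray(b"\x11" * 32)
_priv[0] &= 248
_priv[31] &= 127
_priv[31] |= 64
SAMPLE_PRIVATE = _b64(bytes(_priv))
SAMPLE_PUBLIC = _b64(b"\x22" * 32)

# Constructed stand-in for `terraform output -json` / a state file.
SAMPLE_STATE = f'''{{
  "outputs": {{
    "gw_a_public_key": {{"value": "{SAMPLE_PUBLIC}"}},
    "gw_a_private_key": {{"value": "{SAMPLE_PRIVATE}"}}
  }}
}}
'''

if __name__ == "__main__":
    for f in leaked_private_keys(SAMPLE_STATE):
        why = "named private" if f.named_private else "clamped scalar"
        print(f"line {f.line}: WireGuard private key ({why})")
```

Wire it into a pre-commit hook over the files git is about to add; a hit on the public-key side is expected and harmless, a clamped value or a field named private means the file must not leave the machine.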

Support

For issues and questions, refer to:

  • docs/architecture.md - Detailed architecture
  • docs/deployment.md - Deployment guide
  • docs/operations.md - Operations manual
  • docs/mikrotik-setup.md - MikroTik specific guide
  • docs/openwrt-setup.md - OpenWrt specific guide
  • docs/gateway-comparison.md - Gateway type comparison

License

Internal use only - Company proprietary
