openwisp · pandafy · Nov 28, 2025 · May 13, 2026 · May 13, 2026 · May 13, 2026
diff --git a/README.md b/README.md
@@ -173,6 +173,10 @@ Below are listed all the variables you can customize
     openwisp2_wireguard_controller_url: "https://openwisp.yourdomain.com"
     # Directory where to install upgrader scripts
     openwisp2_wireguard_path: "/opt/wireguard-openwisp"
+    # Linux group used to run and access the WireGuard updater files
+    openwisp_group: "openwisp"
+    # Linux user used to run the WireGuard updater scripts and Flask app
+    openwisp_user: "openwisp"
     # Allows to download VPN configuration by using "insecure" SSL connections.
     # It is recommended to be left as false.
     openwisp2_wireguard_curl_insecure: false
@@ -243,7 +247,7 @@ Below are listed all the variables you can customize
 Here's how to trigger the configuration check manually if needed:
 
 ```
-sudo -u openwisp /opt/wireguard-openwisp/update_wireguard.sh check_config
+sudo -u <openwisp_user> <openwisp2_wireguard_path>/update_wireguard.sh check_config
 ```
 
 Logs of the application which is responsible to update the wireguard

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -47,3 +47,6 @@ openwisp2_wireguard_ssl_state: "California"
 openwisp2_wireguard_ssl_locality: "San Francisco"
 openwisp2_wireguard_ssl_organization: "IT dep."
 openwisp2_wireguard_ssl_common_name: "{{ inventory_hostname }}"
+
+openwisp_group: "openwisp"
+openwisp_user: "openwisp"
diff --git a/files/sudoers.d/openwisp b/files/sudoers.d/openwisp
diff --git a/molecule/resources/verify.yml b/molecule/resources/verify.yml
@@ -25,6 +25,43 @@
       ansible.builtin.command: supervisorctl reload
       changed_when: true
   tasks:
+    - name: Verify configured OpenWISP user and group
+      block:
+        - name: Get configured OpenWISP user
+          ansible.builtin.getent:
+            database: passwd
+            key: "{{ openwisp_user }}"
+        - name: Get configured OpenWISP group
+          ansible.builtin.getent:
+            database: group
+            key: "{{ openwisp_group }}"
+        - name: Assert configured OpenWISP user belongs to configured group
+          ansible.builtin.assert:
+            that:
+              - ansible_facts.getent_passwd[openwisp_user][2] == ansible_facts.getent_group[openwisp_group][1]
+
+    - name: Verify configured OpenWISP paths and permissions
+      block:
+        - name: Stat WireGuard directory
+          ansible.builtin.stat:
+            path: "{{ openwisp2_wireguard_path }}"
+          register: wireguard_path_stat
+        - name: Stat update_wireguard.sh
+          ansible.builtin.stat:
+            path: "{{ openwisp2_wireguard_path }}/update_wireguard.sh"
+          register: update_wireguard_stat
+        - name: Stat configured sudoers file
+          ansible.builtin.stat:
+            path: "/etc/sudoers.d/{{ openwisp_group }}"
+          register: openwisp_sudoers_stat
+        - name: Assert configured OpenWISP paths and permissions
+          ansible.builtin.assert:
+            that:
+              - wireguard_path_stat.stat.gr_name == openwisp_group
+              - update_wireguard_stat.stat.gr_name == openwisp_group
+              - openwisp_sudoers_stat.stat.exists
+              - openwisp_sudoers_stat.stat.mode == "0440"
+
     - name: Test Flask WireGuard Updater
       block:
         - name: Test with correct auth token

diff --git a/molecule/vars/main.yml b/molecule/vars/main.yml
@@ -6,5 +6,5 @@ openwisp2_wireguard_flask_key: "flask-key"
 openwisp2_wireguard_path: /opt/wireguard-openwisp
 openwisp2_wireguard_flask_endpoint: "/trigger-update"
 openwisp2_wireguard_flask_port: "8081"
-openwisp_group: "openwisp"
-openwisp_user: "openwisp"
+openwisp_group: "owvpngroup"
+openwisp_user: "owvpnuser"
diff --git a/tasks/complete.yml b/tasks/complete.yml
@@ -1,7 +1,7 @@
 ---
 - name: Run update_wireguard.sh check_config as openwisp user
   become: true
-  become_user: openwisp
+  become_user: "{{ openwisp_user }}"
   ansible.builtin.command: "{{ openwisp2_wireguard_path }}/update_wireguard.sh check_config"
   changed_when: true
   # Skip this task during molecule tests: the OpenWISP Controller is not available

diff --git a/tasks/user_management.yml b/tasks/user_management.yml
@@ -9,10 +9,11 @@
     name: "{{ openwisp_user }}"
     shell: /sbin/nologin
     state: present
-    group: openwisp
+    group: "{{ openwisp_group }}"
 
 - name: Add sudo permissions for Wireguard and Network Manager commands
-  ansible.builtin.copy:
-    src: "sudoers.d/{{ openwisp_group }}"
-    dest: /etc/sudoers.d/openwisp
+  ansible.builtin.template:
+    src: "sudoers.d/openwisp_user"
+    dest: "/etc/sudoers.d/{{ openwisp_group }}"
     mode: "0440"
+    validate: "/usr/sbin/visudo -cf %s"
diff --git a/templates/sudoers.d/openwisp_user b/templates/sudoers.d/openwisp_user
@@ -0,0 +1 @@
+%{{ openwisp_group }} ALL = NOPASSWD: /usr/bin/wg-quick, /usr/bin/wg, /usr/bin/nmcli, /usr/bin/ip, /usr/sbin/bridge
diff --git a/vars/main.yml b/vars/main.yml
@@ -1,4 +1,2 @@
 ---
 virtualenv_path: "{{ openwisp2_wireguard_path }}/env"
-openwisp_group: "openwisp"
-openwisp_user: "openwisp"
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		%{{ openwisp_group }} ALL = NOPASSWD: /usr/bin/wg-quick, /usr/bin/wg, /usr/bin/nmcli, /usr/bin/ip, /usr/sbin/bridge