# Ideally a per-host value; it leans on vpn_server being a single host, so one
# tunnel address for the whole group is enough.
wireguard_addresses:
- '10.4.4.1/24'

# Endpoint the peers are given for this host: its inventory name, which the
# clients presumably have to be able to resolve (or it is already an IP).
wireguard_endpoint: '{{ inventory_hostname }}'

# Turn on IPv4 forwarding before the interface comes up; the DNAT/SNAT rules in
# wireguard_postup do nothing useful without it.
wireguard_preup:
- 'echo 1 > /proc/sys/net/ipv4/ip_forward'
# Rendered once per nat_map entry (each value carries a vps_ip and a vpn_ip) and
# parsed back into a list by from_yaml, so the '#' lines inside the template are
# dropped before wg-quick sees them.
# NOTE(review): vps_ip/vpn_ip are interpolated into shell commands unquoted;
# acceptable while nat_map is trusted inventory data, but `| quote` would make
# that assumption explicit.
# NOTE(review): nothing here touches the filter table's FORWARD chain, so the
# translated traffic is only forwarded if that chain's policy/rules (not shown
# in this file) allow it.
wireguard_postup: |
  {% filter from_yaml %}
  {%- for value in (nat_map | dict2items | map(attribute='value')) %}

  # New TCP connections arriving for vps_ip on ports 10000-40000 are DNAT'd to
  # vpn_ip; --to-destination carries no port, so the destination port is kept.
  # There is no -i match, so the rule applies on every interface, wg0 included.
  - iptables -t nat -A PREROUTING -p tcp -d {{ value.vps_ip }} --dport 10000:40000 -j DNAT --to-destination {{ value.vpn_ip }}

  # Connections originated by vpn_ip leave with vps_ip as their source, which
  # is what makes the client's outbound traffic routable under its own public
  # IP. Replies to the DNAT'd connections above are reverse-translated by
  # conntrack without this rule. NOTE(review): no -o match, so traffic from
  # vpn_ip that this host forwards to other tunnel peers (if any) is rewritten
  # too -- confirm that is intended.
  - iptables -t nat -A POSTROUTING -p tcp -s {{ value.vpn_ip }} -j SNAT --to-source {{ value.vps_ip }}

  # Same pair for UDP. Only TCP and UDP are translated on purpose, so ICMP and
  # anything else addressed to vps_ip still terminates on this host.
  - iptables -t nat -A PREROUTING -p udp -d {{ value.vps_ip }} --dport 10000:40000 -j DNAT --to-destination {{ value.vpn_ip }}
  - iptables -t nat -A POSTROUTING -p udp -s {{ value.vpn_ip }} -j SNAT --to-source {{ value.vps_ip }}
  {%- endfor %}
  {% endfilter %}
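# Undo wireguard_postup: delete the same nat rules, entries in reverse order
# (order does not matter for -D, it is kept symmetric for readability).
# Every match here must be identical to the -A rule it removes: iptables -D only
# deletes an exact match, so an extra option on the -D side (an -i/-o match the
# -A rule never had, for instance) silently leaves the rule in place and it
# piles up on every up/down cycle.
# NOTE(review): wg-quick appears to run hooks under set -e, so a -D that finds
# no matching rule would abort `wg-quick down`; guard with
# `iptables -t nat -C ... && iptables -t nat -D ...` if that bites -- confirm.
wireguard_predown: |
  {% filter from_yaml %}
  {%- for value in (nat_map | dict2items | map(attribute='value') | reverse) %}
  - iptables -t nat -D POSTROUTING -p tcp -s {{ value.vpn_ip }} -j SNAT --to-source {{ value.vps_ip }}
  - iptables -t nat -D PREROUTING -p tcp -d {{ value.vps_ip }} --dport 10000:40000 -j DNAT --to-destination {{ value.vpn_ip }}
  - iptables -t nat -D PREROUTING -p udp -d {{ value.vps_ip }} --dport 10000:40000 -j DNAT --to-destination {{ value.vpn_ip }}
  - iptables -t nat -D POSTROUTING -p udp -s {{ value.vpn_ip }} -j SNAT --to-source {{ value.vps_ip }}
  {%- endfor %}
  {% endfilter %}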
# Switch forwarding back off once the tunnel is gone. This is unconditional,
# so it also disables forwarding for anything else on the host that relied on
# it being enabled.
wireguard_postdown:
- "echo 0 > /proc/sys/net/ipv4/ip_forward"
# https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator/
# The post above suggests adding explicit routes rather than computing an
# equivalent list of subnets.
#
# This is deliberately set on vpn_server, not vpn_client, even though that
# looks backwards at first. The role appears to be built for a full mesh: each
# host lists the IPs that should be routed _to itself_, not the IPs it wants to
# reach through a "server" -- in a mesh there is no server, only peers. So
# 0.0.0.0/0 here is what makes the clients send all of their traffic through
# this host.
wireguard_allowed_ips: '0.0.0.0/0'