bundles/wireguard: support s2s connection to other services

2024-03-22 22:52:12 +01:00 · 2024-03-22 22:52:12 +01:00 · 104d1f11bf
parent ae14265abc
commit 104d1f11bf
3 changed files with 7 additions and 3 deletions
--- a/bundles/wireguard/files/wg.netdev
+++ b/bundles/wireguard/files/wg.netdev
@ -10,7 +10,9 @@ ListenPort=${port}
 [WireGuardPeer]
 PublicKey=${pubkey}
 AllowedIPs=0.0.0.0/0
+% if psk:
 PresharedKey=${psk}
+% endif
 % if endpoint:
 Endpoint=${endpoint}
 % endif
--- a/bundles/wireguard/items.py
+++ b/bundles/wireguard/items.py
@ -25,7 +25,7 @@ for peer, config in sorted(node.metadata.get('wireguard/peers', {}).items()):
            'peer': peer,
            'port': config['my_port'],
            'privatekey': node.metadata.get('wireguard/privatekey'),
-            'psk': config['psk'],
+            'psk': config.get('psk'),
            'pubkey': config['pubkey'],
            'specials': repo.libs.s2s.WG_AUTOGEN_SETTINGS.get(peer, {}),
        },
--- a/bundles/wireguard/metadata.py
+++ b/bundles/wireguard/metadata.py
@ -253,7 +253,7 @@ def interface_ips(metadata):
            my_ip = '{}/31'.format(config['my_ip'])

        ips = {my_ip}
-        if snat_ip:
+        if snat_ip and peer in repo.libs.s2s.WG_AUTOGEN_NODES:
            ips.add(snat_ip)

        their_ip = config['their_ip']
@ -289,12 +289,14 @@ def snat(metadata):
        forward.add(f'iifname wg_{config["iface"]} accept')
        forward.add(f'oifname wg_{config["iface"]} accept')

-        if snat_ip:
+        if snat_ip and peer in repo.libs.s2s.WG_AUTOGEN_NODES:
            postrouting.add('ip saddr {} ip daddr != {} snat to {}'.format(
                config['my_ip'],
                config['their_ip'],
                snat_ip,
            ))
+        elif config.get('masquerade', False):
+            postrouting.add(f'oifname wg_{peer} masquerade')

    return {
        'nftables': {