bundles/wireguard: easier snat setup

2023-09-10 21:19:23 +02:00 · 2023-09-10 21:19:23 +02:00 · 234e81431d
parent e70a86a6c1
commit 234e81431d
4 changed files with 18 additions and 24 deletions
--- a/bundles/wireguard/metadata.py
+++ b/bundles/wireguard/metadata.py
@ -197,15 +197,19 @@ def firewall(metadata):
 )
 def interface_ips(metadata):
    interfaces = {}
+    snat_ip = metadata.get('wireguard/snat_ip', None)
+
    for peer, config in sorted(metadata.get('wireguard/peers', {}).items()):
        if '/' in config['my_ip']:
            my_ip = config['my_ip']
        else:
            my_ip = '{}/31'.format(config['my_ip'])
+
+        ips = {my_ip}
+        if snat_ip:
+            ips.add(snat_ip)
        interfaces[f'wg_{config["iface"]}'] = {
-            'ips': {
-                my_ip,
-            },
+            'ips': ips,
        }
    return {
        'interfaces': interfaces,
@ -219,16 +223,18 @@ def snat(metadata):
    if not node.has_bundle('nftables') or node.os == 'arch':
        raise DoNotRunAgain

+    snat_ip = metadata.get('wireguard/snat_ip', None)
+
    rules = set()
    for peer, config in sorted(metadata.get('wireguard/peers', {}).items()):
        rules.add(f'inet filter forward iifname wg_{config["iface"]} accept')
        rules.add(f'inet filter forward oifname wg_{config["iface"]} accept')

-        if 'snat_to' in config:
+        if snat_ip:
            rules.add('nat postrouting ip saddr {} ip daddr != {} snat to {}'.format(
                config['my_ip'],
                config['their_ip'],
-                config['snat_to'],
+                snat_ip,
            ))

    return {
--- a/nodes/home/router.py
+++ b/nodes/home/router.py
@ -165,10 +165,10 @@ nodes['home.router'] = {
        },
        'wireguard': {
            'external_hostname': 'franzi-home.kunbox.net', # Set via DynDNS
+            'snat_ip': '172.19.138.1',
            'peers': {
                'ovh.wireguard': {
                    'health_check': True,
-                    'snat_to': '172.19.138.1',
                },
                'icinga2': {},
            },
--- a/nodes/htz-cloud/wireguard.py
+++ b/nodes/htz-cloud/wireguard.py
@ -50,16 +50,10 @@ nodes['htz-cloud.wireguard'] = {
            'ram': 2,
        },
        'wireguard': {
+            'snat_ip': '172.19.137.2',
            'peers': {
-                'ovh.wireguard': {
-                    'snat_to': '172.19.137.2',
-                },
-                'icinga2': {
-                    'snat_to': '172.19.137.2',
-                },
-            },
-            'subnets': {
-                '172.19.137.0/24',
+                'ovh.wireguard': {},
+                'icinga2': {},
            },
        },
    },
--- a/nodes/icinga2.toml
+++ b/nodes/icinga2.toml
@ -26,12 +26,6 @@ ips = [
 gateway4 = "10.255.255.1"
 gateway6 = "fe80::1"

-[metadata.interfaces.wg_home_router]
-ips = ["172.19.136.4"]
-
-[metadata.interfaces.wg_htz-cloud_wi]
-ips = ["172.19.136.4"]
-
 [metadata.bird]
 static_routes = ["172.19.136.4/32"]

@ -62,11 +56,11 @@ SERVICEGROUP_ID = 80
 [metadata.postgresql]
 version = 15

-[metadata.wireguard.peers.'home.router']
-snat_to = "172.19.136.4"
+[metadata.wireguard]
+snat_ip = "172.19.136.4"

+[metadata.wireguard.peers.'home.router']
 [metadata.wireguard.peers.'htz-cloud.wireguard']
-snat_to = "172.19.136.4"

 [metadata.vm]
 cpu = 2