From 234e81431d12d3b4afc78579c9ff24c626d4f621 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 10 Sep 2023 21:19:23 +0200
Subject: [PATCH] bundles/wireguard: easier snat setup

---
 bundles/wireguard/metadata.py | 16 +++++++++++-----
 nodes/home/router.py | 2 +-
 nodes/htz-cloud/wireguard.py | 12 +++---------
 nodes/icinga2.toml | 12 +++---------
 4 files changed, 18 insertions(+), 24 deletions(-)

diff --git a/bundles/wireguard/metadata.py b/bundles/wireguard/metadata.py
index c9fd288..0823dbf 100644
--- a/bundles/wireguard/metadata.py
+++ b/bundles/wireguard/metadata.py
@@ -197,15 +197,19 @@ def firewall(metadata):
 )
 def interface_ips(metadata):
     interfaces = {}
+    snat_ip = metadata.get('wireguard/snat_ip', None)
+
     for peer, config in sorted(metadata.get('wireguard/peers', {}).items()):
         if '/' in config['my_ip']:
             my_ip = config['my_ip']
         else:
             my_ip = '{}/31'.format(config['my_ip'])
+
+        ips = {my_ip}
+        if snat_ip:
+            ips.add(snat_ip)
         interfaces[f'wg_{config["iface"]}'] = {
-            'ips': {
-                my_ip,
-            },
+            'ips': ips,
         }
     return {
         'interfaces': interfaces,
@@ -219,16 +223,18 @@ def snat(metadata):
     if not node.has_bundle('nftables') or node.os == 'arch':
         raise DoNotRunAgain
+    snat_ip = metadata.get('wireguard/snat_ip', None)
+
     rules = set()
     for peer, config in sorted(metadata.get('wireguard/peers', {}).items()):
         rules.add(f'inet filter forward iifname wg_{config["iface"]} accept')
         rules.add(f'inet filter forward oifname wg_{config["iface"]} accept')
-        if 'snat_to' in config:
+        if snat_ip:
             rules.add('nat postrouting ip saddr {} ip daddr != {} snat to {}'.format(
                 config['my_ip'],
                 config['their_ip'],
-                config['snat_to'],
+                snat_ip,
             ))
     return {
diff --git a/nodes/home/router.py b/nodes/home/router.py
index 58f58c7..b61fe14 100644
--- a/nodes/home/router.py
+++ b/nodes/home/router.py
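Review bot: In interface_ips, `snat_ip` is added to the address set verbatim while `my_ip` two lines above is normalised to CIDR notation (a `/31` is appended when no prefix is given), and the node files in this patch set `snat_ip` as a bare address, so the two members of `ips` end up in different notations. Whether the interfaces bundle accepts a bare address cannot be seen from this hunk (the removed icinga2.toml entries used one, so it may), but if a prefix is expected the SNAT address needs the same treatment, e.g. `if snat_ip: ips.add(snat_ip if '/' in snat_ip else f'{snat_ip}/32')`. Also `metadata.get('wireguard/snat_ip', None)` passes the implicit default explicitly; `metadata.get('wireguard/snat_ip')` reads the same.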
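Review bot: In snat, the `nat postrouting ... snat to` rule is now emitted for every peer as soon as the node has `wireguard/snat_ip`, where before it was opt-in per peer; on home.router the `icinga2` peer had no `snat_to` in the old config and now gets a rule rewriting all of that tunnel's traffic to destinations other than `their_ip`. If that widening is intended, say so above the loop: `# every tunnel is SNATed to wireguard/snat_ip; there is no per-peer opt-out any more`. Otherwise keep a per-peer override, `target = config.get('snat_to', snat_ip)` and `if target:`, passing `target` into the rule. Note also that `config['my_ip']` goes into `ip saddr` without the prefix normalisation interface_ips applies, so a `my_ip` carrying `/31` matches the whole pair; that predates this change. snat's body continues outside the hunk.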
@@ -165,10 +165,10 @@ nodes['home.router'] = {
         },
         'wireguard': {
             'external_hostname': 'franzi-home.kunbox.net', # Set via DynDNS
+            'snat_ip': '172.19.138.1',
             'peers': {
                 'ovh.wireguard': {
                     'health_check': True,
-                    'snat_to': '172.19.138.1',
                 },
                 'icinga2': {},
             },
diff --git a/nodes/htz-cloud/wireguard.py b/nodes/htz-cloud/wireguard.py
index d7c9a89..ea1086c 100644
--- a/nodes/htz-cloud/wireguard.py
+++ b/nodes/htz-cloud/wireguard.py
@@ -50,16 +50,10 @@ nodes['htz-cloud.wireguard'] = {
             'ram': 2,
         },
         'wireguard': {
+            'snat_ip': '172.19.137.2',
             'peers': {
-                'ovh.wireguard': {
-                    'snat_to': '172.19.137.2',
-                },
-                'icinga2': {
-                    'snat_to': '172.19.137.2',
-                },
-            },
-            'subnets': {
-                '172.19.137.0/24',
+                'ovh.wireguard': {},
+                'icinga2': {},
             },
         },
     },
diff --git a/nodes/icinga2.toml b/nodes/icinga2.toml
index d9b24b2..1c85347 100644
--- a/nodes/icinga2.toml
+++ b/nodes/icinga2.toml
@@ -26,12 +26,6 @@ ips = [
 gateway4 = "10.255.255.1"
 gateway6 = "fe80::1"
-[metadata.interfaces.wg_home_router]
-ips = ["172.19.136.4"]
-
-[metadata.interfaces.wg_htz-cloud_wi]
-ips = ["172.19.136.4"]
-
 [metadata.bird]
 static_routes = ["172.19.136.4/32"]
@@ -62,11 +56,11 @@ SERVICEGROUP_ID = 80
 [metadata.postgresql]
 version = 15
-[metadata.wireguard.peers.'home.router']
-snat_to = "172.19.136.4"
+[metadata.wireguard]
+snat_ip = "172.19.136.4"
+[metadata.wireguard.peers.'home.router']
 [metadata.wireguard.peers.'htz-cloud.wireguard']
-snat_to = "172.19.136.4"
 [metadata.vm]
 cpu = 2
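Review bot: The `'subnets': {'172.19.137.0/24'}` entry of htz-cloud.wireguard is removed in the nodes/htz-cloud/wireguard.py hunk without being mentioned in the commit message, which only describes the SNAT change. If the wireguard bundle reads `wireguard/subnets` (for routes or the peer side's allowed IPs), dropping it changes what is carried through the tunnel independently of `snat_ip`; that cannot be verified from this diff. Either split it into its own commit or state in the message why the subnet is no longer needed.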
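Review bot: In the second nodes/icinga2.toml hunk the now-empty `[metadata.wireguard.peers.'home.router']` header sits directly above `[metadata.wireguard.peers.'htz-cloud.wireguard']` with no blank line between them; both are valid empty tables, but the adjacency reads as if one header were a leftover. Keep a blank line between the two tables, matching the spacing used by the other sections in the file.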