bundles/wireguard: easier snat setup

2023-09-10 21:19:23 +02:00 · 2023-09-10 21:19:23 +02:00 · 234e81431d
commit 234e81431d
parent e70a86a6c1
4 changed files with 18 additions and 24 deletions
--- a/bundles/wireguard/metadata.py
+++ b/bundles/wireguard/metadata.py
@ -197,15 +197,19 @@ def firewall(metadata):
 )
 def interface_ips(metadata):
    interfaces = {}
+    snat_ip = metadata.get('wireguard/snat_ip', None)
+
    for peer, config in sorted(metadata.get('wireguard/peers', {}).items()):
        if '/' in config['my_ip']:
            my_ip = config['my_ip']
        else:
            my_ip = '{}/31'.format(config['my_ip'])
+
+        ips = {my_ip}
+        if snat_ip:
+            ips.add(snat_ip)
        interfaces[f'wg_{config["iface"]}'] = {
-            'ips': {
-                my_ip,
-            },
+            'ips': ips,
        }
    return {
        'interfaces': interfaces,
@ -219,16 +223,18 @@ def snat(metadata):
    if not node.has_bundle('nftables') or node.os == 'arch':
        raise DoNotRunAgain

+    snat_ip = metadata.get('wireguard/snat_ip', None)
+
    rules = set()
    for peer, config in sorted(metadata.get('wireguard/peers', {}).items()):
        rules.add(f'inet filter forward iifname wg_{config["iface"]} accept')
        rules.add(f'inet filter forward oifname wg_{config["iface"]} accept')

-        if 'snat_to' in config:
+        if snat_ip:
            rules.add('nat postrouting ip saddr {} ip daddr != {} snat to {}'.format(
                config['my_ip'],
                config['their_ip'],
-                config['snat_to'],
+                snat_ip,
            ))

    return {