bundles/wireguard: easier snat setup

This commit is contained in:
Franzi 2023-09-10 21:19:23 +02:00
parent e70a86a6c1
commit 234e81431d
Signed by: kunsi
GPG key ID: 12E3D2136B818350
4 changed files with 18 additions and 24 deletions


@ -197,15 +197,19 @@ def firewall(metadata):
) )
def interface_ips(metadata): def interface_ips(metadata):
interfaces = {} interfaces = {}
snat_ip = metadata.get('wireguard/snat_ip', None)
for peer, config in sorted(metadata.get('wireguard/peers', {}).items()): for peer, config in sorted(metadata.get('wireguard/peers', {}).items()):
if '/' in config['my_ip']: if '/' in config['my_ip']:
my_ip = config['my_ip'] my_ip = config['my_ip']
else: else:
my_ip = '{}/31'.format(config['my_ip']) my_ip = '{}/31'.format(config['my_ip'])
ips = {my_ip}
if snat_ip:
ips.add(snat_ip)
interfaces[f'wg_{config["iface"]}'] = { interfaces[f'wg_{config["iface"]}'] = {
'ips': { 'ips': ips,
my_ip,
},
} }
return { return {
'interfaces': interfaces, 'interfaces': interfaces,
@ -219,16 +223,18 @@ def snat(metadata):
if not node.has_bundle('nftables') or node.os == 'arch': if not node.has_bundle('nftables') or node.os == 'arch':
raise DoNotRunAgain raise DoNotRunAgain
snat_ip = metadata.get('wireguard/snat_ip', None)
rules = set() rules = set()
for peer, config in sorted(metadata.get('wireguard/peers', {}).items()): for peer, config in sorted(metadata.get('wireguard/peers', {}).items()):
rules.add(f'inet filter forward iifname wg_{config["iface"]} accept') rules.add(f'inet filter forward iifname wg_{config["iface"]} accept')
rules.add(f'inet filter forward oifname wg_{config["iface"]} accept') rules.add(f'inet filter forward oifname wg_{config["iface"]} accept')
if 'snat_to' in config: if snat_ip:
rules.add('nat postrouting ip saddr {} ip daddr != {} snat to {}'.format( rules.add('nat postrouting ip saddr {} ip daddr != {} snat to {}'.format(
config['my_ip'], config['my_ip'],
config['their_ip'], config['their_ip'],
config['snat_to'], snat_ip,
)) ))
return { return {
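Review bot: `ips.add(snat_ip)` in `interface_ips` puts a bare address into the interface set, while `my_ip` a few lines above is normalized to a `/31` when it carries no prefix, so the two members of the same `ips` set follow different conventions (every `snat_ip` shown on this page is configured without a prefix). If the interfaces consumer accepts a host address without a prefix, a comment such as `# snat_ip is added as a bare host address on purpose; my_ip always carries a prefix` would make that explicit; otherwise normalize it the same way as `my_ip`. Note that the same `snat_ip` lands on every `wg_` interface, which presumably replaces the two identical per-interface entries removed from the TOML node file further down — worth confirming that the interfaces bundle expects one host address to be repeated across interfaces. In the `snat` hunk, `if snat_ip:` applies the postrouting rule to every peer once the node sets it, which matches the commit's intent; the body of `snat` continues outside the hunk.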


@ -165,10 +165,10 @@ nodes['home.router'] = {
}, },
'wireguard': { 'wireguard': {
'external_hostname': 'franzi-home.kunbox.net', # Set via DynDNS 'external_hostname': 'franzi-home.kunbox.net', # Set via DynDNS
'snat_ip': '172.19.138.1',
'peers': { 'peers': {
'ovh.wireguard': { 'ovh.wireguard': {
'health_check': True, 'health_check': True,
'snat_to': '172.19.138.1',
}, },
'icinga2': {}, 'icinga2': {},
}, },


@ -50,16 +50,10 @@ nodes['htz-cloud.wireguard'] = {
'ram': 2, 'ram': 2,
}, },
'wireguard': { 'wireguard': {
'snat_ip': '172.19.137.2',
'peers': { 'peers': {
'ovh.wireguard': { 'ovh.wireguard': {},
'snat_to': '172.19.137.2', 'icinga2': {},
},
'icinga2': {
'snat_to': '172.19.137.2',
},
},
'subnets': {
'172.19.137.0/24',
}, },
}, },
}, },
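Review bot: The `subnets` entry (`'172.19.137.0/24'`) is dropped from this node together with the `snat_to` keys, but the commit title only describes the SNAT simplification. If removing the subnet is intended it deserves a mention in the message; if `wireguard/subnets` is still read somewhere outside this diff, it should stay. I cannot see from this page where that key is consumed, so this is a question rather than a defect.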


@ -26,12 +26,6 @@ ips = [
gateway4 = "10.255.255.1" gateway4 = "10.255.255.1"
gateway6 = "fe80::1" gateway6 = "fe80::1"
[metadata.interfaces.wg_home_router]
ips = ["172.19.136.4"]
[metadata.interfaces.wg_htz-cloud_wi]
ips = ["172.19.136.4"]
[metadata.bird] [metadata.bird]
static_routes = ["172.19.136.4/32"] static_routes = ["172.19.136.4/32"]
@ -62,11 +56,11 @@ SERVICEGROUP_ID = 80
[metadata.postgresql] [metadata.postgresql]
version = 15 version = 15
[metadata.wireguard.peers.'home.router'] [metadata.wireguard]
snat_to = "172.19.136.4" snat_ip = "172.19.136.4"
[metadata.wireguard.peers.'home.router']
[metadata.wireguard.peers.'htz-cloud.wireguard'] [metadata.wireguard.peers.'htz-cloud.wireguard']
snat_to = "172.19.136.4"
[metadata.vm] [metadata.vm]
cpu = 2 cpu = 2