bundles/wireguard: easier snat setup

This commit is contained in:
Franzi 2023-09-10 21:19:23 +02:00
parent e70a86a6c1
commit 234e81431d
Signed by: kunsi
GPG key ID: 12E3D2136B818350
4 changed files with 18 additions and 24 deletions


@ -197,15 +197,19 @@ def firewall(metadata):
)
def interface_ips(metadata):
interfaces = {}
snat_ip = metadata.get('wireguard/snat_ip', None)
for peer, config in sorted(metadata.get('wireguard/peers', {}).items()):
if '/' in config['my_ip']:
my_ip = config['my_ip']
else:
my_ip = '{}/31'.format(config['my_ip'])
ips = {my_ip}
if snat_ip:
ips.add(snat_ip)
interfaces[f'wg_{config["iface"]}'] = {
'ips': {
my_ip,
},
'ips': ips,
}
return {
'interfaces': interfaces,
@ -219,16 +223,18 @@ def snat(metadata):
if not node.has_bundle('nftables') or node.os == 'arch':
raise DoNotRunAgain
snat_ip = metadata.get('wireguard/snat_ip', None)
rules = set()
for peer, config in sorted(metadata.get('wireguard/peers', {}).items()):
rules.add(f'inet filter forward iifname wg_{config["iface"]} accept')
rules.add(f'inet filter forward oifname wg_{config["iface"]} accept')
if 'snat_to' in config:
if snat_ip:
rules.add('nat postrouting ip saddr {} ip daddr != {} snat to {}'.format(
config['my_ip'],
config['their_ip'],
config['snat_to'],
snat_ip,
))
return {
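Review bot: Making SNAT depend on a node-wide `wireguard/snat_ip` instead of a per-peer `snat_to` widens the rule set: the `if snat_ip:` check inside the loop now emits a `nat postrouting ... snat to` rule for every peer, so a node that previously NATted only some tunnels (nodes/home.router had `snat_to` on ovh.wireguard but not on icinga2, per the second file in this commit) now NATs all of them. If that is intended, make it explicit in the bundle with a comment above the loop such as `# snat_ip is node-wide: when set, every peer's traffic bound for a non-peer destination is SNATed to it`, and the same note applies to `ips.add(snat_ip)` in interface_ips, which now puts the address on every wg_* interface. The check could also sit outside the loop since snat_ip does not vary per peer, though that is only a matter of style. Both interface_ips and snat continue outside the hunks shown (`return {` at the end of each).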


@ -165,10 +165,10 @@ nodes['home.router'] = {
},
'wireguard': {
'external_hostname': 'franzi-home.kunbox.net', # Set via DynDNS
'snat_ip': '172.19.138.1',
'peers': {
'ovh.wireguard': {
'health_check': True,
'snat_to': '172.19.138.1',
},
'icinga2': {},
},


@ -50,16 +50,10 @@ nodes['htz-cloud.wireguard'] = {
'ram': 2,
},
'wireguard': {
'snat_ip': '172.19.137.2',
'peers': {
'ovh.wireguard': {
'snat_to': '172.19.137.2',
},
'icinga2': {
'snat_to': '172.19.137.2',
},
},
'subnets': {
'172.19.137.0/24',
'ovh.wireguard': {},
'icinga2': {},
},
},
},


@ -26,12 +26,6 @@ ips = [
gateway4 = "10.255.255.1"
gateway6 = "fe80::1"
[metadata.interfaces.wg_home_router]
ips = ["172.19.136.4"]
[metadata.interfaces.wg_htz-cloud_wi]
ips = ["172.19.136.4"]
[metadata.bird]
static_routes = ["172.19.136.4/32"]
@ -62,11 +56,11 @@ SERVICEGROUP_ID = 80
[metadata.postgresql]
version = 15
[metadata.wireguard.peers.'home.router']
snat_to = "172.19.136.4"
[metadata.wireguard]
snat_ip = "172.19.136.4"
[metadata.wireguard.peers.'home.router']
[metadata.wireguard.peers.'htz-cloud.wireguard']
snat_to = "172.19.136.4"
[metadata.vm]
cpu = 2