authorHugo Hörnquist <hugo@lysator.liu.se>2022-11-03 14:40:41 +0100
committerHugo Hörnquist <hugo@lysator.liu.se>2022-11-03 16:52:45 +0100
commitd62c19a2cb05a97961c73dc62691058604699f53 (patch)
tree41128ad5c3e7101a84bfac5bf148348b99c48714 /manifests/wireguard_peer.pp
parentAdd backlight. (diff)
downloadprofiles-d62c19a2cb05a97961c73dc62691058604699f53.tar.gz
profiles-d62c19a2cb05a97961c73dc62691058604699f53.tar.xz
Add initial wireguard profiles.
Diffstat (limited to '')
-rw-r--r--manifests/wireguard_peer.pp67
1 files changed, 67 insertions, 0 deletions
diff --git a/manifests/wireguard_peer.pp b/manifests/wireguard_peer.pp
new file mode 100644
index 0000000..0f02e39
--- /dev/null
+++ b/manifests/wireguard_peer.pp
@@ -0,0 +1,67 @@
+class profiles::wireguard_peer (
+ Sensitive[String] $private_key,
+ String $peer_key,
+) {
+ include ::profiles::wireguard
+
+
+ # ithryn $
+ # [root@ithryn hugo]# ip link add dev wg0 type wireguard
+ # [root@ithryn hugo]# ip addr add 10.0.10.2/24 dev wg0
+ # [root@ithryn hugo]# ip addr add fdc9:281f:04d7:9ee9::2/64 dev wg0
+ # [root@ithryn hugo]# wg set wg0 listen-port 51902 private-key peer_B.key
+ # [root@ithryn hugo]# wg set wg0 peer MSplIgjOqQoODOOWkkJd3x/FWuxTirTrsVwqJOJzAEQ=
+ # [root@ithryn hugo]# wg set wg0 peer MSplIgjOqQoODOOWkkJd3x/FWuxTirTrsVwqJOJzAEQ= allowed-ips 10.0.10.0/24,[THAT IPV6 ADDRESS]/64
+ # [root@ithryn hugo]# wg set wg0 peer MSplIgjOqQoODOOWkkJd3x/FWuxTirTrsVwqJOJzAEQ= endpoint gandalf.adrift.space:51781
+ # [root@ithryn hugo]# ip link set wg0 up
+ #
+
+ # ip addr add 10.0.0.45/23 dev wg0
+ # ip addr add 10.0.0.0/23 via 10.0.0.45 dev wg0
+ # [root@gandalf manifests]# iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -o br0 -j MASQUERADE
+
+ networking::networkd_instance { 'wg0':
+ type => 'netdev',
+ content => {
+ 'NetDev' => {
+ 'Name' => 'wg0',
+ 'Kind' => 'wireguard',
+ 'Description' => 'WireGuard tunnal wg0'
+ },
+ 'WireGuard' => {
+ 'ListenPort' => $profiles::wireguard::port,
+ 'PrivateKey' => $private_key,
+ },
+ 'WireGuardPeer' => {
+ 'PublicKey' => $peer_key,
+ # IP addresses which the kernel will accept sending over this
+ # interface. Set it to 0.0.0.0/0 to allow anything to traverse
+ # the tunnel
+ 'AllowedIPs' => [
+ '10.0.0.0/23', # adrift.space localnet
+ '10.0.10.2/32', # Wireguard return
+ ],
+ # TODO is IP addresses allowed here?
+ # Where the peer we want to connect to resides
+ 'Endpoint' => "gandalf.adrift.space:${profiles::wireguard::port}",
+ }
+ }
+ }
+
+ networking::networkd_instance { 'wg0-network':
+ type => 'network',
+ content => {
+ 'Match' => {
+ 'Name' => 'wg0',
+ },
+ 'Network' => {
+ 'Address' => '10.0.10.2/24',
+ },
+ 'Route' => {
+ 'Destination' => '10.0.0.0/23',
+ 'Source' => '10.0.10.2',
+ 'Gateway' => '10.0.10.1',
+ }
+ }
+ }
+}
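Review bot: The WireGuard private key is written inline as `'PrivateKey' => $private_key` into the wg0 netdev unit, and nothing in this hunk restricts the permissions of that file or shows how `networking::networkd_instance` unwraps the `Sensitive[String]`; if the define stringifies it, the unit either contains the literal "Sensitive [value redacted]" (broken tunnel) or the raw key in a file that is readable by every local user and visible in catalogs and reports. Prefer `PrivateKeyFile` pointing at a separately managed root-owned key file, which also keeps the rest of the netdev config non-secret. The comment on `AllowedIPs` should also say that the list is cryptokey routing in both directions: it selects which destinations are sent to this peer and which source addresses are accepted from it, so `0.0.0.0/0` also means trusting the peer to originate any source address. `Endpoint` accepts a bare IP:port as well as a hostname, which answers the TODO on that line.

```puppet
  # Keep the key out of the netdev unit; networkd reads the key file as root.
  file { '/etc/systemd/network/wg0.key':
    ensure  => file,
    owner   => 'root',
    group   => 'systemd-network',
    mode    => '0640',
    content => $private_key,
  }

  networking::networkd_instance { 'wg0':
    # … unchanged: type and NetDev section …
      'WireGuard' => {
        'ListenPort'     => $profiles::wireguard::port,
        'PrivateKeyFile' => '/etc/systemd/network/wg0.key',
      },
    # … unchanged: WireGuardPeer section …
```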