authorHugo Hörnquist <hugo@lysator.liu.se>2022-11-03 14:40:41 +0100
committerHugo Hörnquist <hugo@lysator.liu.se>2022-11-03 16:52:45 +0100
commitd62c19a2cb05a97961c73dc62691058604699f53 (patch)
tree41128ad5c3e7101a84bfac5bf148348b99c48714 /manifests/wireguard_server.pp
parentAdd backlight. (diff)
Add initial wireguard profiles.
Diffstat (limited to 'manifests/wireguard_server.pp')
-rw-r--r--manifests/wireguard_server.pp81
1 files changed, 81 insertions, 0 deletions
diff --git a/manifests/wireguard_server.pp b/manifests/wireguard_server.pp
new file mode 100644
index 0000000..03c4cda
--- /dev/null
+++ b/manifests/wireguard_server.pp
@@ -0,0 +1,81 @@
+class profiles::wireguard_server (
+ Sensitive[String] $private_key,
+ String $peer_key,
+) {
+ include ::profiles::wireguard
+
+ # gandalf $
+ # ip link add dev wg0 type wireguard
+ # ip addr add 10.0.10.1/24 dev wg0
+ # [root@gandalf profiles]# ip addr add fdc9:281f:04df:9ee9::1/64 dev wg0
+ # wg set wg0 listen-port 51871 private-key ~/peer_A.key
+ # ## wg set wg0 peer CONTENTS_OF<peer_B.pub>
+ # ip link set wg0 up
+ # wg set wg0 peer 87Erkb8rXeSd162eBEXuuKUft/frF2iqdPdrMTStNVM= \
+ # allowed-ips 10.0.10.0/24,fdc9:281f:4d7:9ee9::/64
+
+ # på B
+ # wg set wg0 peer <> endpoint gandalf.adrift.space:51871
+
+
+ networking::networkd_instance { 'wg0':
+ type => 'netdev',
+ content => {
+ 'NetDev' => {
+ 'Name' => 'wg0',
+ 'Kind' => 'wireguard',
+ 'Description' => 'Wireguard tunnel wg0',
+ },
+ 'WireGuard' => {
+ 'ListenPort' => $profiles::wireguard::port,
+ 'PrivateKey' => $private_key,
+ },
+ # TODO multiple public peers
+ 'WireGuardPeer' => {
+ 'PublicKey' => $peer_key,
+ 'AllowedIPs' => '10.0.10.2/32',
+ }
+ }
+ }
+
+ networking::networkd_instance { 'wg0-network':
+ type => 'network',
+ content => {
+ 'Match' => {
+ 'Name' => 'wg0',
+ },
+ 'Network' => {
+ 'Address' => '10.0.10.1/24',
+ }
+ }
+ }
+
+ firewall { '100 Forward wireguard to network':
+ table => 'nat',
+ chain => 'POSTROUTING',
+ jump => 'MASQUERADE',
+ outiface => 'br0',
+ #iniface => 'wg0',
+ #source => '10.0.10.0/24',
+ }
+
+ # -A FORWARD -p udp -m udp --dport 51871 --destination $(dig +short gandalf.adrift.space AAAA)
+ @@firewall { '100 Allow IPv6 traffic to wiregaurd':
+ provider => 'ip6tables',
+ proto => 'udp',
+ dport => $profiles::wireguard::port,
+ destination => $facts['ipaddress6'],
+ tag => [ 'router', ],
+ }
+
+ # -A VSERVER -p udp -m udp --dport 51871 -j DNAT --to-destination 10.0.0.40
+ @@firewall { '100 PortForward to wiregaurd server':
+ provider => 'iptables',
+ proto => 'udp',
+ chain => 'VSERVER',
+ dport => $profiles::wireguard::port,
+ goto => 'DNAT',
+ destination => $facts['ipaddress'],
+ tag => [ 'router', ],
+ }
+}
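Review bot: The exported rule titled '100 PortForward to wiregaurd server' will not produce the rule its own comment describes: `goto => 'DNAT'` emits `--goto DNAT`, which treats DNAT as a user-defined chain rather than a target, `destination => $facts['ipaddress']` is a match on the server's own address rather than the rewrite target, and no `table => 'nat'` is given although DNAT is only valid in the nat table. The comment's `-j DNAT --to-destination 10.0.0.40` corresponds to `table => 'nat',` `jump => 'DNAT',` `todest => $facts['ipaddress'],` with the VSERVER chain kept as is. The IPv6 rule just above it has a similar gap, no `chain` and no `action`, so on the collecting router it lands in the default chain with no target and only counts packets instead of accepting the forwarded UDP traffic its comment sketches; `chain => 'FORWARD', action => 'accept'` appears to be the intent. Separately, the MASQUERADE rule applies to everything leaving br0 because the `iniface`/`source` restrictions are commented out; enabling `source => '10.0.10.0/24'` confines it to the tunnel subnet.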