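# TODO
# - Allow access over IPv4
# - Allow forwarding IPv6 addresses
#
# - Possibly merge this and wireguard_peer
# - manage keys
# - allow access for phones

# Configures this host as a WireGuard server: a systemd-networkd managed
# `wg0` tunnel (10.0.10.1/24) listening on $profiles::wireguard::port,
# source NAT for tunnel traffic leaving via br0, and two exported firewall
# resources (tag 'router') that the router collects so that the WireGuard
# UDP port reaches this host from outside.
#
# @param private_key  WireGuard private key, written into the wg0 netdev
#   unit as [WireGuard] PrivateKey. NOTE(review): it arrives wrapped in
#   Sensitive but is passed straight into `content`; confirm that
#   networking::networkd_instance unwraps it, keeps it out of logs/reports,
#   and writes the netdev file with a restrictive mode.
# @param peers  One hash per peer, emitted verbatim as [WireGuardPeer]
#   sections (presumably PublicKey / AllowedIPs / Endpoint keys -- verify
#   against the callers that build this list).
class profiles::wireguard_server (
  Sensitive[String] $private_key,
  Array[Hash]       $peers,
) {
  include ::profiles::wireguard

  # Manual setup this class automates, kept for reference.
  # gandalf $
  # ip link add dev wg0 type wireguard
  # ip addr add 10.0.10.1/24 dev wg0
  # [root@gandalf profiles]# ip addr add fdc9:281f:04df:9ee9::1/64 dev wg0
  # wg set wg0 listen-port 51871 private-key ~/peer_A.key
  # ## wg set wg0 peer CONTENTS_OF
  # ip link set wg0 up
  # wg set wg0 peer 87Erkb8rXeSd162eBEXuuKUft/frF2iqdPdrMTStNVM= \
  #   allowed-ips 10.0.10.0/24,fdc9:281f:4d7:9ee9::/64
  # on B
  # wg set wg0 peer <> endpoint gandalf.adrift.space:51871

  # The wg0 netdev unit: interface definition, listen port and private key.
  # Every entry in $peers becomes its own [WireGuardPeer] section.
  networking::networkd_instance { 'wg0':
    type    => 'netdev',
    content => {
      'NetDev'        => {
        'Name'        => 'wg0',
        'Kind'        => 'wireguard',
        'Description' => 'Wireguard tunnel wg0',
      },
      'WireGuard'     => {
        'ListenPort' => $profiles::wireguard::port,
        'PrivateKey' => $private_key,
      },
      'WireGuardPeer' => $peers,
    },
  }

  # The wg0 network unit: this host's address inside the tunnel.
  networking::networkd_instance { 'wg0-network':
    type    => 'network',
    content => {
      'Match'   => {
        'Name' => 'wg0',
      },
      'Network' => {
        'Address' => '10.0.10.1/24',
      },
    },
  }

  # Source-NAT tunnel traffic that leaves this host via br0.
  # NOTE(review): with iniface/source commented out this masquerades
  # *everything* leaving br0, not only the 10.0.10.0/24 tunnel; scope it
  # (e.g. `source => '10.0.10.0/24'`) unless this host is deliberately a
  # general NAT gateway. Left as the author had it.
  firewall { '100 Forward wireguard to network':
    table    => 'nat',
    chain    => 'POSTROUTING',
    jump     => 'MASQUERADE',
    outiface => 'br0',
    #iniface => 'wg0',
    #source  => '10.0.10.0/24',
  }

  # Router-side rule (collected via tag 'router'): allow the router to
  # forward the WireGuard UDP port to this host's global IPv6 address.
  # Intended iptables form, from the original notes:
  # -A FORWARD -p udp -m udp --dport 51871 --destination $(dig +short gandalf.adrift.space AAAA)
  # The previous declaration named no chain (so it landed in INPUT) and no
  # target (so it matched but permitted nothing); both are set here.
  # NOTE(review): $facts['ipaddress6'] is a legacy fact and must resolve to
  # the *global* address for this to match -- confirm on this host.
  @@firewall { '100 Allow IPv6 traffic to wiregaurd':
    provider    => 'ip6tables',
    chain       => 'FORWARD',
    proto       => 'udp',
    dport       => $profiles::wireguard::port,
    destination => $facts['ipaddress6'],
    jump        => 'ACCEPT',
    tag         => [ 'router', ],
  }

  # Router-side rule (collected via tag 'router'): DNAT the WireGuard UDP
  # port arriving at the router to this host.
  # Intended iptables form, from the original notes:
  # -A VSERVER -p udp -m udp --dport 51871 -j DNAT --to-destination 10.0.0.40
  # The previous declaration used `goto => 'DNAT'` (-g expects a chain, not
  # a target), gave no --to-destination, and matched `destination` against
  # this host's own LAN address -- which inbound WAN packets do not carry --
  # so it could never apply. DNAT is only valid in the nat table, and the
  # rewritten destination is this host's address (`todest`).
  # NOTE(review): $facts['ipaddress'] is a legacy fact; on newer Facter use
  # $facts['networking']['ip'] if the legacy names are disabled.
  @@firewall { '100 PortForward to wiregaurd server':
    provider => 'iptables',
    table    => 'nat',
    chain    => 'VSERVER',
    proto    => 'udp',
    dport    => $profiles::wireguard::port,
    jump     => 'DNAT',
    todest   => $facts['ipaddress'],
    tag      => [ 'router', ],
  }
}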