# TODO
# - Allow access over IPv4
# - Allow forwarding IPv6 addresses
#
# - Possibly merge this and wireguard_peer
# - Manage keys (generation and distribution of peer keys)
# - Allow access for phones
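# WireGuard server endpoint: renders a systemd-networkd netdev/network pair for
# wg0 and exports the firewall rules a collecting 'router' host needs in order
# to forward the WireGuard UDP port to this machine.
#
# @param private_key  Server private key (Sensitive). The rendered .netdev file
#                     carries it in clear text, so it must be readable only by
#                     root and systemd-network (0640 root:systemd-network).
#                     NOTE(review): confirm that networking::networkd_instance
#                     sets that mode and unwraps the Sensitive value when
#                     templating; otherwise the file either leaks the key to
#                     every local user or contains the literal redaction
#                     placeholder instead of the key. Consider PrivateKeyFile=
#                     pointing at a separate 0600 file instead of inline
#                     PrivateKey=.
# @param peers        One hash per [WireGuardPeer] section (PublicKey,
#                     AllowedIPs, optional Endpoint/PresharedKey). Passed
#                     through unchanged to the netdev renderer.
# @param address      Address/prefix assigned to wg0 on this host.
# @param network      Tunnel network; only traffic from this range is NATed.
class profiles::wireguard_server (
  Sensitive[String] $private_key,
  Array[Hash]       $peers,
  String            $address = '10.0.10.1/24',
  String            $network = '10.0.10.0/24',
) {
  include ::profiles::wireguard

  # Manual equivalent of what the two networkd units below produce:
  #   ip link add dev wg0 type wireguard
  #   ip addr add 10.0.10.1/24 dev wg0
  #   ip addr add fdc9:281f:04df:9ee9::1/64 dev wg0   (IPv6 not yet managed here)
  #   wg set wg0 listen-port 51871 private-key ~/peer_A.key
  #   wg set wg0 peer <peer_B.pub> allowed-ips 10.0.10.0/24,fdc9:281f:4d7:9ee9::/64
  #   ip link set wg0 up
  # and on the peer side:
  #   wg set wg0 peer <server.pub> endpoint gandalf.adrift.space:51871

  networking::networkd_instance { 'wg0':
    type    => 'netdev',
    content => {
      'NetDev'        => {
        'Name'        => 'wg0',
        'Kind'        => 'wireguard',
        'Description' => 'Wireguard tunnel wg0',
      },
      'WireGuard'     => {
        'ListenPort' => $profiles::wireguard::port,
        'PrivateKey' => $private_key,
      },
      'WireGuardPeer' => $peers,
    },
  }

  networking::networkd_instance { 'wg0-network':
    type    => 'network',
    content => {
      'Match'   => {
        'Name' => 'wg0',
      },
      'Network' => {
        'Address' => $address,
      },
    },
  }

  # Only masquerade what actually comes out of the tunnel. The previous rule
  # matched every packet leaving br0, i.e. NATed all forwarded traffic on this
  # host, not just WireGuard clients. A FORWARD accept for wg0 -> br0 is still
  # needed for this to carry traffic; it is not managed here, so it must come
  # from profiles::wireguard or the host's default forward policy (verify).
  firewall { '100 Forward wireguard to network':
    table    => 'nat',
    chain    => 'POSTROUTING',
    jump     => 'MASQUERADE',
    outiface => 'br0',
    source   => $network,
  }

  # Collected on the router. Intended rule (see original shell note):
  #   -A FORWARD -p udp --dport <port> -d <this host's global IPv6> -j ACCEPT
  # Without an explicit chain and target puppetlabs-firewall would create a
  # match-only INPUT rule that accepts nothing, so both are set here.
  # NOTE(review): $facts['ipaddress6'] is whichever v6 address facter picks;
  # confirm it is the global address the router forwards to, not link-local.
  # On puppetlabs-firewall >= 7 use jump => 'ACCEPT' instead of action.
  # Titles are kept byte-identical (including the typo) so the router does not
  # end up with both the old and the new exported rule.
  @@firewall { '100 Allow IPv6 traffic to wiregaurd':
    provider    => 'ip6tables',
    chain       => 'FORWARD',
    proto       => 'udp',
    dport       => $profiles::wireguard::port,
    destination => $facts['ipaddress6'],
    action      => 'accept',
    tag         => [ 'router', ],
  }

  # Collected on the router. Intended rule (see original shell note):
  #   -t nat -A VSERVER -p udp --dport <port> -j DNAT --to-destination <this host>
  # DNAT is a target, so it needs jump (not goto, which expects a user chain)
  # and the inside address goes in todest; the old 'destination' match would
  # have required the incoming packet to already be addressed to the LAN IP.
  # DNAT is only valid in the nat table, hence table => 'nat' (VSERVER is
  # assumed to live there on the router — verify).
  @@firewall { '100 PortForward to wiregaurd server':
    provider => 'iptables',
    table    => 'nat',
    chain    => 'VSERVER',
    proto    => 'udp',
    dport    => $profiles::wireguard::port,
    jump     => 'DNAT',
    todest   => $facts['ipaddress'],
    tag      => [ 'router', ],
  }
}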