# TODO
# - Allow access over IPv4
# - Allow forwarding IPv6 addresses
#
# - Possibly merge this and wireguard_peer
# - manage keys
# - allow access for phones
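# Configure this host as a WireGuard server: a wg0 interface managed by
# systemd-networkd, NAT for clients reaching the LAN behind br0, and two
# exported firewall rules (tag 'router') that the upstream router collects to
# let WireGuard traffic in from the internet.
#
# @param private_key  The server's WireGuard private key. Wrapped in Sensitive
#   so it is redacted from reports and logs. NOTE(review): the rendered .netdev
#   file contains this key in clear text; networking::networkd_instance must
#   unwrap it and write the file with restrictive permissions — confirm there.
# @param peers        One hash per client, rendered verbatim as a
#   [WireGuardPeer] section (PublicKey, AllowedIPs, ...).
class profiles::wireguard_server (
  Sensitive[String] $private_key,
  Array[Hash] $peers,
) {
  # Provides $profiles::wireguard::port and the shared package/setup.
  include ::profiles::wireguard

  # Manual steps this class replaces, kept for reference.
  # gandalf $
  # ip link add dev wg0 type wireguard
  # ip addr add 10.0.10.1/24 dev wg0
  # [root@gandalf profiles]# ip addr add fdc9:281f:04df:9ee9::1/64 dev wg0
  # wg set wg0 listen-port 51871 private-key ~/peer_A.key
  # ## wg set wg0 peer CONTENTS_OF<peer_B.pub>
  # ip link set wg0 up
  # wg set wg0 peer 87Erkb8rXeSd162eBEXuuKUft/frF2iqdPdrMTStNVM= \
  # allowed-ips 10.0.10.0/24,fdc9:281f:4d7:9ee9::/64
  # on B
  # wg set wg0 peer <> endpoint gandalf.adrift.space:51871

  # The interface itself (.netdev): listen port, private key and peers.
  networking::networkd_instance { 'wg0':
    type    => 'netdev',
    content => {
      'NetDev'        => {
        'Name'        => 'wg0',
        'Kind'        => 'wireguard',
        'Description' => 'Wireguard tunnel wg0',
      },
      'WireGuard'     => {
        'ListenPort' => $profiles::wireguard::port,
        'PrivateKey' => $private_key,
      },
      'WireGuardPeer' => $peers,
    },
  }

  # Addressing for the interface (.network). IPv6 is still done by hand above;
  # see the TODO at the top of the file.
  networking::networkd_instance { 'wg0-network':
    type    => 'network',
    content => {
      'Match'   => {
        'Name' => 'wg0',
      },
      'Network' => {
        'Address' => '10.0.10.1/24',
      },
    },
  }

  # Masquerade traffic leaving via br0 so WireGuard clients get a return path
  # from the LAN. NOTE(review): with iniface/source left commented out this
  # rewrites the source of *all* br0 egress, not only wg0-originated traffic;
  # narrow it with `iniface => 'wg0'` or `source => '10.0.10.0/24'` once the
  # reason they were disabled is known.
  firewall { '100 Forward wireguard to network':
    table    => 'nat',
    chain    => 'POSTROUTING',
    jump     => 'MASQUERADE',
    outiface => 'br0',
    #iniface => 'wg0',
    #source  => '10.0.10.0/24',
  }

  # Exported for the router. Equivalent hand-written rule:
  # -A FORWARD -p udp -m udp --dport 51871 --destination $(dig +short gandalf.adrift.space AAAA)
  # Both chain and target are given explicitly: without them puppetlabs-firewall
  # places the rule in INPUT with no -j, i.e. a counter that accepts nothing.
  # (puppetlabs-firewall 7+ dropped `action`; use `jump => 'accept'` there.)
  @@firewall { '100 Allow IPv6 traffic to wiregaurd':
    provider    => 'ip6tables',
    chain       => 'FORWARD',
    proto       => 'udp',
    dport       => $profiles::wireguard::port,
    destination => $facts['ipaddress6'],
    action      => 'accept',
    tag         => [ 'router', ],
  }

  # Exported for the router. Equivalent hand-written rule:
  # -A VSERVER -p udp -m udp --dport 51871 -j DNAT --to-destination 10.0.0.40
  # DNAT is a target, not a chain, so it needs `jump` (-j) rather than `goto`
  # (-g), it only exists in the nat table, and the rewrite address belongs in
  # `todest`; `destination` would merely *match* packets already addressed to
  # this host's IP, which never arrive at the router's VSERVER chain.
  @@firewall { '100 PortForward to wiregaurd server':
    provider => 'iptables',
    table    => 'nat',
    chain    => 'VSERVER',
    proto    => 'udp',
    dport    => $profiles::wireguard::port,
    jump     => 'DNAT',
    todest   => $facts['ipaddress'],
    tag      => [ 'router', ],
  }
}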