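# Configure this host as a WireGuard endpoint via systemd-networkd and
# export the firewall rules the upstream router needs to reach it.
#
# @param private_key  This host's WireGuard private key. Pass a Sensitive
#   value so it is redacted from reports and logs; the .netdev unit it is
#   written to is made 0600 because that file holds the key in clear text.
# @param peers        One [WireGuardPeer] section per element (PublicKey,
#   AllowedIPs, Endpoint, ...), handed to networkd unchanged.
# @param ifname       Name of the tunnel interface (default 'wg0').
class profiles::wireguard_server (
  Variant[String,Sensitive[String]] $private_key,
  Array[Hash] $peers,

  String $ifname = 'wg0',
) {
  # Supplies $profiles::wireguard::port, the UDP listen / forwarded port.
  include ::profiles::wireguard

  # The .netdev unit carries the private key: root-only (0600).
  # NOTE(review): whether networkd_instance unwraps Sensitive values before
  # rendering is not visible here; if it does not, a Sensitive $private_key
  # would be written out as a redacted placeholder - confirm in that define.
  networking::networkd_instance { $ifname:
    type    => 'netdev',
    mode    => '0600',
    content => {
      'NetDev'        => {
        'Name'        => $ifname,
        'Kind'        => 'wireguard',
        'Description' => "Wireguard tunnel ${ifname}",
      },
      'WireGuard'     => {
        'ListenPort' => $profiles::wireguard::port,
        'PrivateKey' => $private_key,
      },
      'WireGuardPeer' => $peers,
    }
  }

  # Route every peer's AllowedIPs through the tunnel. No secret in this
  # unit, so the define's default mode is fine.
  # NOTE(review): a peer hash without 'AllowedIPs' contributes an undef
  # entry here; presumably networkd_instance drops it - verify.
  networking::networkd_instance { "${ifname}-network":
    type    => 'network',
    content => {
      'Match' => {
        'Name' => $ifname,
      },
      'Route' => {
        'Destination' => $peers.map |$p| { $p['AllowedIPs'] }.flatten,
      }
    }
  }

  # SNAT traffic leaving towards the LAN bridge so replies come back via
  # this host.
  # NOTE(review): no source/iniface match, so *everything* forwarded out
  # br0 is masqueraded, not only packets that arrived on $ifname. Add
  # `source => <peer AllowedIPs>` if that breadth is not intended.
  ['ip', 'ip6'].each |$provider| {
    firewall { "100 Forward ${provider} wireguard to network":
      table    => 'nat',
      chain    => 'POSTROUTING',
      jump     => 'MASQUERADE',
      outiface => 'br0',
      proto    => 'all',
      provider => "${provider}tables",
    }
  }

  # Exported for the router (tag 'router'). Intended rule:
  #   -A FORWARD -p udp -m udp --dport <port> -d <this host's GUA> -j ACCEPT
  # The chain must be FORWARD - the type defaults to INPUT, which only
  # governs traffic to the router itself - and the rule needs an accept
  # target, otherwise it matches and does nothing. (On puppetlabs-firewall
  # >= 7 `action` is gone; use `jump => 'ACCEPT'` there.)
  # The title keeps its historical spelling: it is the exported resource's
  # identity on the router, and renaming it would leave the old rule behind.
  @@firewall { '100 Allow IPv6 traffic to wiregaurd':
    provider    => 'ip6tables',
    chain       => 'FORWARD',
    proto       => 'udp',
    dport       => $profiles::wireguard::port,
    destination => $facts['ipaddress6'],
    action      => 'accept',
    tag         => [ 'router', ],
  }

  # Exported for the router. Intended rule:
  #   -t nat -A VSERVER -p udp -m udp --dport <port> -j DNAT --to-destination <this host's IPv4>
  # DNAT lives in the nat table and is a target, so it is a `jump` (`goto`
  # / -g only works for user-defined chains), and this host's address is
  # the *translated* destination (todest) - not a match on the packet's
  # destination, which is the router's WAN address at that point.
  # NOTE(review): $facts['ipaddress'] / ['ipaddress6'] are legacy facts;
  # on Facter 4+ use $facts['networking']['ip'] / ['ip6'].
  @@firewall { '100 PortForward to wiregaurd server':
    provider => 'iptables',
    table    => 'nat',
    chain    => 'VSERVER',
    proto    => 'udp',
    dport    => $profiles::wireguard::port,
    jump     => 'DNAT',
    todest   => $facts['ipaddress'],
    tag      => [ 'router', ],
  }
}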