author | heqnx <root@heqnx.com> | 2025-06-24 10:29:19 +0300 |
---|---|---|
committer | heqnx <root@heqnx.com> | 2025-06-24 10:29:19 +0300 |
commit | ba4199955a0d9b273299649b67f9592b27d00617 (patch) | |
tree | 8a5c7547dbfe7cacd98e7e07ac5aa4e368be4195 /templates | |
parent | 4d996aff99c9c31ed66f82afb11c74569ccc6763 (diff) | |
download | ansible-pve-host-ba4199955a0d9b273299649b67f9592b27d00617.tar.gz ansible-pve-host-ba4199955a0d9b273299649b67f9592b27d00617.zip |
added working wg setup + internal access
Diffstat (limited to 'templates')
-rw-r--r-- | templates/manage_wg_peers.sh.j2 | 17 | ||||
-rw-r--r-- | templates/pveproxy | 1 | ||||
-rw-r--r-- | templates/wg0.conf.j2 | 22 |
3 files changed, 24 insertions, 16 deletions
diff --git a/templates/manage_wg_peers.sh.j2 b/templates/manage_wg_peers.sh.j2
index ed2f800..fd27370 100644
--- a/templates/manage_wg_peers.sh.j2
+++ b/templates/manage_wg_peers.sh.j2
@@ -1,11 +1,12 @@
 #!/bin/bash
 set -e
 
-WG_SERVER_HOME="{{ wireguard_server_home }}"
-WG_PEERS_HOME="${WG_SERVER_HOME}/peers.d"
-IP_FILE="${WG_SERVER_HOME}/ips.txt"
-SUBNET_PREFIX="{{ wireguard_subnet_prefix }}"
-DEFAULT_PORT="{{ wireguard_port }}"
+WG_SERVER_HOME="{{ wg_server_home }}"
+WG_PEERS_HOME="{{ wg_peers_home }}"
+IP_FILE="{{ wg_ip_file }}"
+WIREGUARD_SUBNET_PREFIX="{{ wg_subnet_prefix }}"
+NAT_SUBNET="{{ nat_subnet }}"
+DEFAULT_PORT="{{ wg_port }}"
 DEFAULT_DNS="8.8.8.8"
 
 test "${EUID}" -ne 0 && printf "%s\n" "run as root" && exit 1
@@ -62,14 +63,14 @@ function get_next_available_ip() {
 flock -x 200
 touch "${IP_FILE}"
 for i in {2..254}; do
-ip="${SUBNET_PREFIX}.${i}"
+ip="${WIREGUARD_SUBNET_PREFIX}.${i}"
 if ! grep -q "${ip}" "${IP_FILE}"; then
 printf "%s\n" "${ip}"
 printf "%s\n" "${ip}" >> "${IP_FILE}"
 exit 0
 fi
 done
-printf "%s\n" "[err] no available ips in range ${SUBNET_PREFIX}.2 - ${SUBNET_PREFIX}.254"
+printf "%s\n" "[err] no available ips in range ${WIREGUARD_SUBNET_PREFIX}.2 - ${WIREGUARD_SUBNET_PREFIX}.254"
 exit 1
 ) 200>"${IP_FILE}.lock"
 }
@@ -102,7 +103,7 @@ DNS = ${dns}
 PublicKey = $(wg pubkey < "${WG_SERVER_HOME}/server.key")
 PresharedKey = $(cat "${WG_SERVER_HOME}/psk.key")
 Endpoint = ${server}:${port}
-AllowedIPs = 0.0.0.0/0
+AllowedIPs = ${WIREGUARD_SUBNET_PREFIX}.0/24, ${NAT_SUBNET}
 PersistentKeepalive = 25
 EOF
 printf "%s\n" \
diff --git a/templates/pveproxy b/templates/pveproxy
new file mode 100644
index 0000000..01a7955
--- /dev/null
+++ b/templates/pveproxy
@@ -0,0 +1 @@
+LISTEN_IP="{{ wg_subnet_prefix }}.1"
diff --git a/templates/wg0.conf.j2 b/templates/wg0.conf.j2
index 6b0aa34..10e3bc9 100644
--- a/templates/wg0.conf.j2
+++ b/templates/wg0.conf.j2
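Review bot: In the get_next_available_ip hunk the availability test on the line after the renamed `ip=` assignment, `grep -q "${ip}" "${IP_FILE}"`, is an unanchored regex match, so a candidate such as (for example) 10.0.0.2 is reported as taken whenever 10.0.0.20–10.0.0.29 or 10.0.0.200–10.0.0.254 already appears in the file, and each `.` also matches any character. The allocator therefore skips free addresses and can report the pool exhausted early; a whole-line fixed-string match avoids both problems: `if ! grep -qxF -- "${ip}" "${IP_FILE}"; then`. The function's opening and the subshell it runs in start before this hunk.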
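Review bot: The peer config hunk narrows AllowedIPs to `${WIREGUARD_SUBNET_PREFIX}.0/24, ${NAT_SUBNET}` (split tunnel) but the first hunk keeps `DEFAULT_DNS="8.8.8.8"`, so the `DNS =` line just above this hunk's context still points the peer at a public resolver that is now outside the tunnel and is reached over the peer's normal uplink. If the goal is internal-only access, that setting presumably should name a resolver reachable through the tunnel (e.g. the server's own address, `${WIREGUARD_SUBNET_PREFIX}.1`, if one runs there) or be dropped; please confirm which was intended. The heredoc that emits this config begins before the hunk; a one-line comment above it such as `# split tunnel: only the WG subnet and the NAT subnet are routed via the peer` would make the change in behaviour visible to the next reader.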
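Review bot: The new pveproxy file has no comment explaining that `LISTEN_IP="{{ wg_subnet_prefix }}.1"` deliberately takes the Proxmox web UI off every other interface, which is the security-relevant part of this commit and is easy to mistake for a misconfiguration later. A header line such as `# managed by ansible: bind the web UI to the WireGuard server address only; reachable via the tunnel, not the LAN` would document that. Note also that binding to a specific address presumably requires wg0 to hold it before pveproxy starts; if the interface comes up later than the service, pveproxy may fail to listen and leave the host without a management UI, so an ordering dependency on the wg-quick unit (not shown in this commit) is worth confirming.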
@@ -1,12 +1,18 @@
 [Interface]
 PrivateKey = {{ private_key }}
-Address = {{ wireguard_subnet_prefix}}.1/24
-ListenPort = {{ wireguard_port }}
+Address = {{ wg_subnet_prefix }}.1/24
+ListenPort = {{ wg_port }}
 PostUp = sysctl -w net.ipv4.ip_forward=1
-PostUp = iptables -A FORWARD -i {{ wireguard_interface }} -o %i -j ACCEPT
-PostUp = iptables -A FORWARD -i %i -j ACCEPT
-PostUp = iptables -t nat -A POSTROUTING -o {{ wireguard_interface }} -j MASQUERADE
+PostUp = iptables -A FORWARD -i wg0 -o vmbr0 -j ACCEPT
+PostUp = iptables -A FORWARD -i vmbr0 -o wg0 -j ACCEPT
+PostUp = iptables -A FORWARD -i wg0 -o vmbr1 -j ACCEPT
+PostUp = iptables -A FORWARD -i vmbr1 -o wg0 -j ACCEPT
+PostUp = iptables -t nat -A POSTROUTING -s {{ wg_subnet }} -o vmbr0 -j MASQUERADE
+PostUp = iptables -t nat -A POSTROUTING -s {{ wg_subnet }} -o vmbr1 -j MASQUERADE
 PostDown = sysctl -w net.ipv4.ip_forward=0
-PostDown = iptables -D FORWARD -i {{ wireguard_interface }} -o %i -j ACCEPT
-PostDown = iptables -D FORWARD -i %i -j ACCEPT
-PostDown = iptables -t nat -D POSTROUTING -o {{ wireguard_interface }} -j MASQUERADE
+PostDown = iptables -D FORWARD -i wg0 -o vmbr0 -j ACCEPT
+PostDown = iptables -D FORWARD -i vmbr0 -o wg0 -j ACCEPT
+PostDown = iptables -D FORWARD -i wg0 -o vmbr1 -j ACCEPT
+PostDown = iptables -D FORWARD -i vmbr1 -o wg0 -j ACCEPT
+PostDown = iptables -t nat -D POSTROUTING -s {{ wg_subnet }} -o vmbr0 -j MASQUERADE
+PostDown = iptables -t nat -D POSTROUTING -s {{ wg_subnet }} -o vmbr1 -j MASQUERADE
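Review bot: The new FORWARD rules `-i vmbr0 -o wg0 -j ACCEPT` and `-i vmbr1 -o wg0 -j ACCEPT` (and their PostDown twins) let any host on either bridge open connections towards WireGuard peers, not just reply to them; if peers are meant to reach the internal networks and not the other way round, the bridge-to-tunnel direction should be limited to return traffic, e.g. `PostUp = iptables -A FORWARD -i vmbr0 -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`, applied likewise to the vmbr1 line and mirrored in PostDown. Separately, the rules now hard-code `wg0` where the removed lines used `%i`; wg-quick substitutes the interface name for `%i`, so keeping it means the rules stay correct if the config file is ever renamed, and the bridge names could likewise come from a template variable as the old `{{ wireguard_interface }}` did. Finally, `PostDown = sysctl -w net.ipv4.ip_forward=0` is retained; on a host whose bridges rely on routing or NAT this presumably cuts guest connectivity whenever the tunnel is brought down, which is worth confirming before relying on it.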