Diffstat (limited to 'templates')
-rw-r--r--templates/manage_wg_peers.sh.j217
-rw-r--r--templates/pveproxy1
-rw-r--r--templates/wg0.conf.j222
3 files changed, 24 insertions, 16 deletions
diff --git a/templates/manage_wg_peers.sh.j2 b/templates/manage_wg_peers.sh.j2
index ed2f800..fd27370 100644
--- a/templates/manage_wg_peers.sh.j2
+++ b/templates/manage_wg_peers.sh.j2
@@ -1,11 +1,12 @@
#!/bin/bash
set -e
-WG_SERVER_HOME="{{ wireguard_server_home }}"
-WG_PEERS_HOME="${WG_SERVER_HOME}/peers.d"
-IP_FILE="${WG_SERVER_HOME}/ips.txt"
-SUBNET_PREFIX="{{ wireguard_subnet_prefix }}"
-DEFAULT_PORT="{{ wireguard_port }}"
+WG_SERVER_HOME="{{ wg_server_home }}"
+WG_PEERS_HOME="{{ wg_peers_home }}"
+IP_FILE="{{ wg_ip_file }}"
+WIREGUARD_SUBNET_PREFIX="{{ wg_subnet_prefix }}"
+NAT_SUBNET="{{ nat_subnet }}"
+DEFAULT_PORT="{{ wg_port }}"
DEFAULT_DNS="8.8.8.8"
test "${EUID}" -ne 0 && printf "%s\n" "run as root" && exit 1
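Review bot: `NAT_SUBNET="{{ nat_subnet }}"` is added without any check that the template variable actually rendered to a value, and the script runs under `set -e` but not `set -u`, so an undefined or empty `nat_subnet` silently yields `NAT_SUBNET=""`. That value is later interpolated straight into the peer's `AllowedIPs` line in the third hunk, where an empty string produces a dangling comma that wg-quick will reject in every generated client config. A one-line guard after the assignments would fail fast at render time instead: `: "${NAT_SUBNET:?nat_subnet must be set}"`, and the same pattern is worth applying to `WIREGUARD_SUBNET_PREFIX`, which now drives both IP allocation and the AllowedIPs route.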
@@ -62,14 +63,14 @@ function get_next_available_ip() {
flock -x 200
touch "${IP_FILE}"
for i in {2..254}; do
- ip="${SUBNET_PREFIX}.${i}"
+ ip="${WIREGUARD_SUBNET_PREFIX}.${i}"
if ! grep -q "${ip}" "${IP_FILE}"; then
printf "%s\n" "${ip}"
printf "%s\n" "${ip}" >> "${IP_FILE}"
exit 0
fi
done
- printf "%s\n" "[err] no available ips in range ${SUBNET_PREFIX}.2 - ${SUBNET_PREFIX}.254"
+ printf "%s\n" "[err] no available ips in range ${WIREGUARD_SUBNET_PREFIX}.2 - ${WIREGUARD_SUBNET_PREFIX}.254"
exit 1
) 200>"${IP_FILE}.lock"
}
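Review bot: The renamed `ip="${WIREGUARD_SUBNET_PREFIX}.${i}"` is the sole input to the `grep -q "${ip}" "${IP_FILE}"` check on the next line, which is an unanchored regex match: `10.0.0.2` also matches `10.0.0.20` through `10.0.0.25`, and each `.` matches any character, so free addresses are reported as taken and the pool appears exhausted well before .254. The grep itself predates this commit, but since the hunk is already touching the line that feeds it, the fix is cheap: `if ! grep -qxF -- "${ip}" "${IP_FILE}"; then`. The enclosing `get_next_available_ip` function starts before this hunk; only the flock subshell's closing line is visible here.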
@@ -102,7 +103,7 @@ DNS = ${dns}
PublicKey = $(wg pubkey < "${WG_SERVER_HOME}/server.key")
PresharedKey = $(cat "${WG_SERVER_HOME}/psk.key")
Endpoint = ${server}:${port}
-AllowedIPs = 0.0.0.0/0
+AllowedIPs = ${WIREGUARD_SUBNET_PREFIX}.0/24, ${NAT_SUBNET}
PersistentKeepalive = 25
EOF
printf "%s\n" \
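Review bot: Switching `AllowedIPs` from `0.0.0.0/0` to `${WIREGUARD_SUBNET_PREFIX}.0/24, ${NAT_SUBNET}` turns every new peer into a split tunnel, but the `DNS = ${dns}` line a few lines above still defaults to `8.8.8.8` (from `DEFAULT_DNS` in the first hunk), which now falls outside AllowedIPs; wg-quick will still install that resolver on the client, so name lookups presumably leave through the client's normal interface rather than the tunnel. If the intent is to keep resolution inside the VPN, `DEFAULT_DNS` should point at an address within the tunnel routes, e.g. `DEFAULT_DNS="${WIREGUARD_SUBNET_PREFIX}.1"` once the variables are defined; otherwise a comment such as `# split tunnel: only the WG subnet and NAT_SUBNET are routed; DNS stays on the client's default path` would make the behaviour change explicit. The here-document this line belongs to opens before the hunk.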
diff --git a/templates/pveproxy b/templates/pveproxy
new file mode 100644
index 0000000..01a7955
--- /dev/null
+++ b/templates/pveproxy
@@ -0,0 +1 @@
+LISTEN_IP="{{ wg_subnet_prefix }}.1"
diff --git a/templates/wg0.conf.j2 b/templates/wg0.conf.j2
index 6b0aa34..10e3bc9 100644
--- a/templates/wg0.conf.j2
+++ b/templates/wg0.conf.j2
@@ -1,12 +1,18 @@
[Interface]
PrivateKey = {{ private_key }}
-Address = {{ wireguard_subnet_prefix}}.1/24
-ListenPort = {{ wireguard_port }}
+Address = {{ wg_subnet_prefix }}.1/24
+ListenPort = {{ wg_port }}
PostUp = sysctl -w net.ipv4.ip_forward=1
-PostUp = iptables -A FORWARD -i {{ wireguard_interface }} -o %i -j ACCEPT
-PostUp = iptables -A FORWARD -i %i -j ACCEPT
-PostUp = iptables -t nat -A POSTROUTING -o {{ wireguard_interface }} -j MASQUERADE
+PostUp = iptables -A FORWARD -i wg0 -o vmbr0 -j ACCEPT
+PostUp = iptables -A FORWARD -i vmbr0 -o wg0 -j ACCEPT
+PostUp = iptables -A FORWARD -i wg0 -o vmbr1 -j ACCEPT
+PostUp = iptables -A FORWARD -i vmbr1 -o wg0 -j ACCEPT
+PostUp = iptables -t nat -A POSTROUTING -s {{ wg_subnet }} -o vmbr0 -j MASQUERADE
+PostUp = iptables -t nat -A POSTROUTING -s {{ wg_subnet }} -o vmbr1 -j MASQUERADE
PostDown = sysctl -w net.ipv4.ip_forward=0
-PostDown = iptables -D FORWARD -i {{ wireguard_interface }} -o %i -j ACCEPT
-PostDown = iptables -D FORWARD -i %i -j ACCEPT
-PostDown = iptables -t nat -D POSTROUTING -o {{ wireguard_interface }} -j MASQUERADE
+PostDown = iptables -D FORWARD -i wg0 -o vmbr0 -j ACCEPT
+PostDown = iptables -D FORWARD -i vmbr0 -o wg0 -j ACCEPT
+PostDown = iptables -D FORWARD -i wg0 -o vmbr1 -j ACCEPT
+PostDown = iptables -D FORWARD -i vmbr1 -o wg0 -j ACCEPT
+PostDown = iptables -t nat -D POSTROUTING -s {{ wg_subnet }} -o vmbr0 -j MASQUERADE
+PostDown = iptables -t nat -D POSTROUTING -s {{ wg_subnet }} -o vmbr1 -j MASQUERADE
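Review bot: Every new FORWARD rule hardcodes the interface as `wg0` where the removed lines used `%i`, which wg-quick substitutes with the real interface name; if this template is ever installed under any other name the rules reference a non-existent interface and match nothing, leaving forwarding silently broken while `ip_forward=1` is still set. Restoring the substitution is a one-token change per line, e.g. `PostUp = iptables -A FORWARD -i %i -o vmbr0 -j ACCEPT`. Likewise `vmbr0`/`vmbr1` replace the former `{{ wireguard_interface }}` variable, so hosts with a different bridge layout now need a template fork rather than an inventory change; a templated list of egress bridges rendered with a Jinja loop would keep that configurable. Note also that the MASQUERADE rules are scoped with `-s {{ wg_subnet }}` while the `Address` line derives from `{{ wg_subnet_prefix }}`, so the two variables must be kept consistent by hand.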