diff options
| author | Christian Pointner <equinox@spreadspace.org> | 2020-02-29 20:30:18 +0100 |
|---|---|---|
| committer | Christian Pointner <equinox@spreadspace.org> | 2020-02-29 20:30:27 +0100 |
| commit | 9283c8afccddadaf16bd4732099f24523367133c (patch) | |
| tree | efbe47f1a5574e5f1aa6c65ca94e5d353897af3b /inventory/host_vars | |
| parent | ele-router basic wireguard setup (diff) | |
elevate router setup
Diffstat (limited to 'inventory/host_vars')
| -rw-r--r-- | inventory/host_vars/ele-router.yml | 25 |
1 files changed, 19 insertions, 6 deletions
diff --git a/inventory/host_vars/ele-router.yml b/inventory/host_vars/ele-router.yml index 908ed17b..6c4a787d 100644 --- a/inventory/host_vars/ele-router.yml +++ b/inventory/host_vars/ele-router.yml @@ -9,6 +9,8 @@ wireguard_gateway_tunnels: priv_key: "{{ wireguard_keys.gwhetzner.priv }}" addresses: - 192.168.254.6/30 + default_gateway: + inner: 192.168.254.5 peers: - pub_key: "{{ hostvars['ele-gwhetzner'].wireguard_keys.emc.pub }}" endpoint: @@ -90,7 +92,7 @@ openwrt_network_external: - name: rule options: priority: 39001 - mark: 1 + mark: 2 lookup: 102 - name: route 'ffdefault' @@ -117,6 +119,14 @@ openwrt_network_internal_yaml: | ipaddr: "{{ network_zones[zone_name].gateway }}" netmask: "{{ network_zones[zone_name].prefix | ipaddr('netmask') }}" accept_ra: 0 + {% if zone_name in network_internal_zone_names__emc %} + + - name: rule + options: + priority: 38000 + in: "{{ zone_name }}" + lookup: 103 + {% endif %} {% endfor %} openwrt_network_base: @@ -266,7 +276,7 @@ openwrt_mixin: start() { ip link add dev wg-emc type wireguard - wg set wg-emc fwmark 1 private-key /etc/wireguard/wg-emc.priv + wg set wg-emc fwmark 2 private-key /etc/wireguard/wg-emc.priv {% for peer in wireguard_gateway_tunnels['wg-emc'].peers %} wg set wg-emc peer {{ peer.pub_key }} endpoint {{ peer.endpoint.host }}:{{ peer.endpoint.port }} persistent-keepalive {{ peer.keepalive_interval }} allowed-ips {{ peer.allowed_ips | join(',') }} @@ -276,10 +286,13 @@ openwrt_mixin: ip addr add dev wg-emc {{ addr }} {% endfor %} ip link set up dev wg-emc + + ip route add default via {{ wireguard_gateway_tunnels['wg-emc'].default_gateway.inner }} table 103 proto static } stop() { - ip link del dev wgemc + ip link del dev wg-emc + ip rule del pref 38000 } /etc/rc.d/S22network-fw: @@ -343,9 +356,9 @@ openwrt_mixin: iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$ipaddr/$netmask" -j MASQUERADE ;; {{ network_internal_zone_names__emc | join('|') }}) - iptables -A FORWARD -i "$interface" -o "$FF_IF" -s "$ipaddr/$netmask" -j ACCEPT - iptables -A FORWARD -i "$FF_IF" -o "$interface" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -t nat -A POSTROUTING -o "$FF_IF" -s "$ipaddr/$netmask" -j MASQUERADE + iptables -A FORWARD -i "$interface" -o "wg-emc" -s "$ipaddr/$netmask" -j ACCEPT + iptables -A FORWARD -i "wg-emc" -o "$interface" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -t nat -A POSTROUTING -o "wg-emc" -s "$ipaddr/$netmask" -j MASQUERADE ;; esac done |