-rw-r--r--inventory/host_vars/ele-gwhetzner.yml2
-rw-r--r--inventory/host_vars/ele-media.yml4
-rw-r--r--inventory/host_vars/ele-router.yml88
-rw-r--r--roles/wireguard/gateway/defaults/main.yml13
-rw-r--r--roles/wireguard/gateway/templates/systemd.netdev.j22
5 files changed, 98 insertions, 11 deletions
diff --git a/inventory/host_vars/ele-gwhetzner.yml b/inventory/host_vars/ele-gwhetzner.yml
index 3575c943..7ebda8ff 100644
--- a/inventory/host_vars/ele-gwhetzner.yml
+++ b/inventory/host_vars/ele-gwhetzner.yml
@@ -39,7 +39,7 @@ wireguard_keys:
priv: "{{ vault_wireguard_priv_keys.elemedia }}"
emc:
pub: "xgBLLDTRrVxUG0BEr0gNQ6ofkXSRDQR7OXilxCCwtxs="
- priv: "{{ vault_wireguard_priv_keys.elemedia }}"
+ priv: "{{ vault_wireguard_priv_keys.emc }}"
wireguard_gateway_tunnels:
wg-elemedia:
diff --git a/inventory/host_vars/ele-media.yml b/inventory/host_vars/ele-media.yml
index d6b89a65..cffc462b 100644
--- a/inventory/host_vars/ele-media.yml
+++ b/inventory/host_vars/ele-media.yml
@@ -83,7 +83,9 @@ wireguard_gateway_tunnels:
inner: 192.168.254.1
peers:
- pub_key: "{{ hostvars['ele-gwhetzner'].wireguard_keys.elemedia.pub }}"
- endpoint: 178.63.180.138:51820 # TODO: fix this variable "{{ hostvars['ele-gwhetzner'].external_ip }}"
+ endpoint:
+ host: 178.63.180.138 # TODO: fix this variable "{{ hostvars['ele-gwhetzner'].external_ip }}"
+ port: 51820
keepalive_interval: 15
allowed_ips:
- 0.0.0.0/0
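Review bot: The gateway's public address is still a literal `178.63.180.138` on the new `host:` line, and the same literal with the same TODO now appears a second time in ele-router.yml later in this diff, so a change of the Hetzner IP has to be found in two host_vars files. If `hostvars['ele-gwhetzner'].external_ip` really cannot be used (the TODO does not say why), a single shared variable, e.g. `gwhetzner_endpoint_host: 178.63.180.138` in group_vars, referenced from both files would at least keep one source of truth. With `allowed_ips: 0.0.0.0/0` this peer is the default route for ele-media, so a stale endpoint here silently takes the host offline rather than failing loudly; that is worth a comment next to the TODO.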
diff --git a/inventory/host_vars/ele-router.yml b/inventory/host_vars/ele-router.yml
index 72cb2b14..908ed17b 100644
--- a/inventory/host_vars/ele-router.yml
+++ b/inventory/host_vars/ele-router.yml
@@ -4,14 +4,33 @@ wireguard_keys:
pub: "fqaKDJbSj6V0H98d78d/lnFLolefgp6zDPH9bN4+zUY="
priv: "{{ vault_wireguard_priv_keys.gwhetzner }}"
+wireguard_gateway_tunnels:
+ wg-emc:
+ priv_key: "{{ wireguard_keys.gwhetzner.priv }}"
+ addresses:
+ - 192.168.254.6/30
+ peers:
+ - pub_key: "{{ hostvars['ele-gwhetzner'].wireguard_keys.emc.pub }}"
+ endpoint:
+ host: 178.63.180.138 # TODO: fix this variable "{{ hostvars['ele-gwhetzner'].external_ip }}"
+ port: 51821
+ keepalive_interval: 15
+ allowed_ips:
+ - 0.0.0.0/0
+
+
network_mgmt_zone: "{{ network_zones.mgmt }}"
-network_internal_zone_names:
+network_internal_zone_names__emc:
+ - emc
+network_internal_zone_names__wan:
- lan
- guest
- mixer
- infoscreens
+network_internal_zone_names: "{{ network_internal_zone_names__wan + network_internal_zone_names__emc }}"
+
openwrt_network_external:
- name: switch_vlan
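Review bot: `allowed_ips: 0.0.0.0/0` on the wg-emc peer makes WireGuard's cryptokey routing accept a packet with any inner source address from the gateway, while the init script added later in this diff only assigns `192.168.254.6/30` to wg-emc and installs no route into the tunnel, so replies can only ever reach the /30 anyway. Unless the tunnel is meant to carry forwarded traffic (nothing in this diff forwards via wg-emc), narrowing it to `- 192.168.254.4/30` loses nothing and bounds what the `-i wg-emc` INPUT accepts in network-fw can receive. If the wide range is deliberate, a comment saying so would stop the next reader from tightening it.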
@@ -68,6 +87,12 @@ openwrt_network_external:
src: "{{ network_zones.funkfeuer.prefix | ipaddr(network_zones.funkfeuer.offsets[inventory_hostname]) | ipaddr('address') }}/32"
lookup: 102
+ - name: rule
+ options:
+ priority: 39001
+ mark: 1
+ lookup: 102
+
- name: route 'ffdefault'
options:
interface: 'wanff'
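Review bot: The new rule is unexplained: `mark: 1` only makes sense together with the `wg set wg-emc fwmark 1` in the network-emc init script further down, and table 102 appears to be the funkfeuer table given the `src` rule just above. A comment above the entry would save the next reader the hunt, e.g. `# fwmark 1 is set on wg-emc's outer UDP packets (see network-emc); route them via the funkfeuer table`. Mark value 1 is also the most likely value for any later `-j MARK` rule to collide with; a less generic value, or at least a note that mark 1 is reserved for the tunnel, would be prudent.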
@@ -221,10 +246,46 @@ openwrt_mixin:
/etc/htoprc:
file: "{{ global_files_dir }}/common/htoprc"
+ /etc/wireguard/wg-emc.priv:
+ content: "{{ wireguard_gateway_tunnels['wg-emc'].priv_key }}\n"
+ mode: "0600"
+
+ /etc/rc.d/S21network-emc:
+ link: "../init.d/network-emc"
+
+ /etc/rc.d/K91network-emc:
+ link: "../init.d/network-emc"
+
+ /etc/init.d/network-emc:
+ mode: "0755"
+ content: |
+ #!/bin/sh /etc/rc.common
+
+ START=21
+ STOP=91
+
+ start() {
+ ip link add dev wg-emc type wireguard
+ wg set wg-emc fwmark 1 private-key /etc/wireguard/wg-emc.priv
+
+ {% for peer in wireguard_gateway_tunnels['wg-emc'].peers %}
+ wg set wg-emc peer {{ peer.pub_key }} endpoint {{ peer.endpoint.host }}:{{ peer.endpoint.port }} persistent-keepalive {{ peer.keepalive_interval }} allowed-ips {{ peer.allowed_ips | join(',') }}
+ {% endfor %}
+
+ {% for addr in wireguard_gateway_tunnels['wg-emc'].addresses %}
+ ip addr add dev wg-emc {{ addr }}
+ {% endfor %}
+ ip link set up dev wg-emc
+ }
+
+ stop() {
+ ip link del dev wgemc
+ }
+
/etc/rc.d/S22network-fw:
link: "../init.d/network-fw"
- /etc/rc.d/K91network-fw:
+ /etc/rc.d/K92network-fw:
link: "../init.d/network-fw"
/etc/init.d/network-fw:
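Review bot: `stop()` in the new network-emc script deletes `wgemc`, but the interface is created as `wg-emc`, so stop never removes the tunnel; it should read `ip link del dev wg-emc`. `start()` is also not idempotent: a second invocation fails on `ip link add` and then still runs `wg set` and `ip addr add` against whatever is there, so `ip link add dev wg-emc type wireguard || return 1` would stop the cascade. The private-key file is correctly 0600 and loaded via `private-key` rather than on the command line, which is the right way to keep it out of `ps` output.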
@@ -255,7 +316,12 @@ openwrt_mixin:
iptables -A INPUT -i "$FF_IF" -p tcp --dport {{ ansible_port }} -j ACCEPT
iptables -A INPUT -i "$FF_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- for zone in "{{ network_internal_zone_names | join('" "') }}"; do
+ iptables -A INPUT -i "wg-emc" -p icmp -j ACCEPT
+ iptables -A INPUT -i "wg-emc" -p tcp --dport {{ ansible_port }} -j ACCEPT
+ iptables -A INPUT -i "wg-emc" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+ # all internal zones
+ for zone in {{ network_internal_zone_names | join(' ') }}; do
interface=$(uci get "network.$zone.ifname")
ipaddr=$(uci get "network.$zone.ipaddr")
netmask=$(uci get "network.$zone.netmask")
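Review bot: The three `-i "wg-emc"` INPUT accepts are not bound to a source range, unlike the zone rules in this loop which use `-s "$ipaddr/$netmask"`; since the peer's allowed_ips is 0.0.0.0/0, any packet the gateway pushes into the tunnel can reach the SSH port here. Adding `-s 192.168.254.4/30` (the tunnel's /30 from `wireguard_gateway_tunnels['wg-emc'].addresses`) to the ICMP and SSH rules gives the same defence in depth the zone rules have. The wg-emc rules are also hard-coded while the rest of the script is templated from the tunnel definition; deriving the interface name and range from `wireguard_gateway_tunnels` would keep them in step. The surrounding `for zone` loop continues outside this hunk.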
@@ -270,10 +336,18 @@ openwrt_mixin:
iptables -A INPUT -i "$interface" -p icmp -d "$ipaddr" -s "$ipaddr/$netmask" -j ACCEPT
iptables -A INPUT -i "$interface" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
- iptables -A FORWARD -i "$interface" -o "$WAN_IF" -s "$ipaddr/$netmask" -j ACCEPT
- iptables -A FORWARD -i "$WAN_IF" -o "$interface" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$ipaddr/$netmask" -j MASQUERADE
+ case "$zone" in
+ {{ network_internal_zone_names__wan | join('|') }})
+ iptables -A FORWARD -i "$interface" -o "$WAN_IF" -s "$ipaddr/$netmask" -j ACCEPT
+ iptables -A FORWARD -i "$WAN_IF" -o "$interface" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$ipaddr/$netmask" -j MASQUERADE
+ ;;
+ {{ network_internal_zone_names__emc | join('|') }})
+ iptables -A FORWARD -i "$interface" -o "$FF_IF" -s "$ipaddr/$netmask" -j ACCEPT
+ iptables -A FORWARD -i "$FF_IF" -o "$interface" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ iptables -t nat -A POSTROUTING -o "$FF_IF" -s "$ipaddr/$netmask" -j MASQUERADE
+ ;;
+ esac
done
iptables -P INPUT DROP
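Review bot: The new `case` has no `*)` arm, so a zone that is in `network_internal_zone_names` but in neither sub-list would get the INPUT accepts from the loop and silently no FORWARD/NAT rules; today the combined list is built from exactly these two lists, so it cannot happen, but `*) echo "network-fw: zone $zone in no egress list" >&2 ;;` makes the coupling explicit without touching the policies that are set afterwards. The emc arm also masquerades onto `$FF_IF` directly, not through wg-emc, so the tunnel is not on emc's data path; that reads as intentional but deserves a one-line comment above the arm. Whether any zone name could contain a glob character that breaks the `|`-joined pattern is not checkable from here.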
diff --git a/roles/wireguard/gateway/defaults/main.yml b/roles/wireguard/gateway/defaults/main.yml
index 8b1ab7f6..69846fc3 100644
--- a/roles/wireguard/gateway/defaults/main.yml
+++ b/roles/wireguard/gateway/defaults/main.yml
@@ -7,10 +7,21 @@
# addresses:
# - 192.168.255.254/24
# ip_masq: yes
+# ip_snat:
+# interface: eth1
+# to: 1.2.3.4
+# port_forwardings:
+# - dest: 1.2.3.4
+# tcp_ports:
+# 80: 192.158.255.3:80
+# udp_ports:
+# 123: 192.158.255.3:200
# peers:
# - pub_key: public_key_of_peer
# keepalive_interval: 10
-# endpoint: 5.6.7.8:1234
+# endpoint:
+# host: 5.6.7.8
+# port: 1234
# allowed_ips:
# - 192.168.255.3/32
# - 192.168.123.0/24
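Review bot: The example targets `192.158.255.3` in both port_forwardings entries, which does not belong to the `192.168.255.254/24` address shown above and looks like a typo for `192.168.255.3` (the same host appears in allowed_ips); since these comments are the role's only documentation, the sample values should be internally consistent. The example also does not say that `port` is optional, although the netdev template in this diff defaults it to 51820; either document `# port: 1234 (optional, default 51820)` or drop the default. Whether `ip_snat` and `port_forwardings` are actually consumed by the role's tasks is not visible in this diff.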
diff --git a/roles/wireguard/gateway/templates/systemd.netdev.j2 b/roles/wireguard/gateway/templates/systemd.netdev.j2
index 62f0d0a6..96399b52 100644
--- a/roles/wireguard/gateway/templates/systemd.netdev.j2
+++ b/roles/wireguard/gateway/templates/systemd.netdev.j2
@@ -18,7 +18,7 @@ PublicKey={{ peer.pub_key }}
AllowedIPs={{ ip }}
{% endfor %}
{% if 'endpoint' in peer %}
-Endpoint={{ peer.endpoint }}
+Endpoint={{ peer.endpoint.host }}:{{ peer.endpoint.port | default(51820) }}
{% endif %}
{% if 'keepalive_interval' in peer %}
PersistentKeepalive={{ peer.keepalive_interval }}
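Review bot: `peer.endpoint.port | default(51820)` makes the port optional here, but the OpenWrt init script in ele-router.yml renders `{{ peer.endpoint.host }}:{{ peer.endpoint.port }}` with no default, so a peer without a port works on systemd hosts and produces a broken `wg set ... endpoint host:` on the router; the two consumers should agree, and since this template is the shared role code, documenting the default in defaults/main.yml (or requiring the port everywhere) is the cleaner fix. Any inventory that still carries the old string form `endpoint: 5.6.7.8:1234` now fails at `peer.endpoint.host` rather than rendering something usable; a guard such as `{% if peer.endpoint is mapping %}` with a clear error, or a note in the commit message that all inventories were converted, would make the migration safe.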