Diffstat (limited to 'inventory/host_vars/ele-router.yml')
-rw-r--r--inventory/host_vars/ele-router.yml88
1 files changed, 81 insertions, 7 deletions
diff --git a/inventory/host_vars/ele-router.yml b/inventory/host_vars/ele-router.yml
index 72cb2b14..908ed17b 100644
--- a/inventory/host_vars/ele-router.yml
+++ b/inventory/host_vars/ele-router.yml
@@ -4,14 +4,33 @@ wireguard_keys:
pub: "fqaKDJbSj6V0H98d78d/lnFLolefgp6zDPH9bN4+zUY="
priv: "{{ vault_wireguard_priv_keys.gwhetzner }}"
+wireguard_gateway_tunnels:
+ wg-emc:
+ priv_key: "{{ wireguard_keys.gwhetzner.priv }}"
+ addresses:
+ - 192.168.254.6/30
+ peers:
+ - pub_key: "{{ hostvars['ele-gwhetzner'].wireguard_keys.emc.pub }}"
+ endpoint:
+ host: 178.63.180.138 # TODO: fix this variable "{{ hostvars['ele-gwhetzner'].external_ip }}"
+ port: 51821
+ keepalive_interval: 15
+ allowed_ips:
+ - 0.0.0.0/0
+
+
network_mgmt_zone: "{{ network_zones.mgmt }}"
-network_internal_zone_names:
+network_internal_zone_names__emc:
+ - emc
+network_internal_zone_names__wan:
- lan
- guest
- mixer
- infoscreens
+network_internal_zone_names: "{{ network_internal_zone_names__wan + network_internal_zone_names__emc }}"
+
openwrt_network_external:
- name: switch_vlan
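Review bot: The peer endpoint is a hard-coded literal (`host: 178.63.180.138`) carrying a TODO, so the tunnel will silently point at a stale address if ele-gwhetzner's external IP changes; the comment itself names the intended source, so either `host: "{{ hostvars['ele-gwhetzner'].external_ip }}"` should be used, or, if that variable does not exist yet, it should be defined in the gwhetzner host_vars rather than leaving the bare IP here. Separately, `allowed_ips: 0.0.0.0/0` means WireGuard's cryptokey routing will accept packets from this peer carrying any source address, so firewall rules matching on `-i wg-emc` cannot assume the source is the peer's tunnel address; that deserves a comment above the peer entry, e.g. `# full-tunnel peer: any source address is accepted from gwhetzner`.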
@@ -68,6 +87,12 @@ openwrt_network_external:
src: "{{ network_zones.funkfeuer.prefix | ipaddr(network_zones.funkfeuer.offsets[inventory_hostname]) | ipaddr('address') }}/32"
lookup: 102
+ - name: rule
+ options:
+ priority: 39001
+ mark: 1
+ lookup: 102
+
- name: route 'ffdefault'
options:
interface: 'wanff'
@@ -221,10 +246,46 @@ openwrt_mixin:
/etc/htoprc:
file: "{{ global_files_dir }}/common/htoprc"
+ /etc/wireguard/wg-emc.priv:
+ content: "{{ wireguard_gateway_tunnels['wg-emc'].priv_key }}\n"
+ mode: "0600"
+
+ /etc/rc.d/S21network-emc:
+ link: "../init.d/network-emc"
+
+ /etc/rc.d/K91network-emc:
+ link: "../init.d/network-emc"
+
+ /etc/init.d/network-emc:
+ mode: "0755"
+ content: |
+ #!/bin/sh /etc/rc.common
+
+ START=21
+ STOP=91
+
+ start() {
+ ip link add dev wg-emc type wireguard
+ wg set wg-emc fwmark 1 private-key /etc/wireguard/wg-emc.priv
+
+ {% for peer in wireguard_gateway_tunnels['wg-emc'].peers %}
+ wg set wg-emc peer {{ peer.pub_key }} endpoint {{ peer.endpoint.host }}:{{ peer.endpoint.port }} persistent-keepalive {{ peer.keepalive_interval }} allowed-ips {{ peer.allowed_ips | join(',') }}
+ {% endfor %}
+
+ {% for addr in wireguard_gateway_tunnels['wg-emc'].addresses %}
+ ip addr add dev wg-emc {{ addr }}
+ {% endfor %}
+ ip link set up dev wg-emc
+ }
+
+ stop() {
+ ip link del dev wgemc
+ }
+
/etc/rc.d/S22network-fw:
link: "../init.d/network-fw"
- /etc/rc.d/K91network-fw:
+ /etc/rc.d/K92network-fw:
link: "../init.d/network-fw"
/etc/init.d/network-fw:
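Review bot: `stop()` deletes `wgemc` while `start()` creates `wg-emc`, so stopping the service fails with a nonexistent-device error and leaves the tunnel, with its loaded private key, up; the fix is `ip link del dev wg-emc`. `start()` also has no guard against being run twice: `ip link add` fails on an existing device but the following `wg set` and `ip addr add` lines still execute, so either exit early when the device exists or delete it first with `ip link del dev wg-emc 2>/dev/null`. A one-line header comment stating that the key file is rendered by Ansible with mode 0600 and must not be readable by other users would help the next maintainer, e.g. `# private key is written to /etc/wireguard/wg-emc.priv (0600) by the openwrt_mixin above`.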
@@ -255,7 +316,12 @@ openwrt_mixin:
iptables -A INPUT -i "$FF_IF" -p tcp --dport {{ ansible_port }} -j ACCEPT
iptables -A INPUT -i "$FF_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- for zone in "{{ network_internal_zone_names | join('" "') }}"; do
+ iptables -A INPUT -i "wg-emc" -p icmp -j ACCEPT
+ iptables -A INPUT -i "wg-emc" -p tcp --dport {{ ansible_port }} -j ACCEPT
+ iptables -A INPUT -i "wg-emc" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+ # all internal zones
+ for zone in {{ network_internal_zone_names | join(' ') }}; do
interface=$(uci get "network.$zone.ifname")
ipaddr=$(uci get "network.$zone.ipaddr")
netmask=$(uci get "network.$zone.netmask")
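Review bot: The three new INPUT rules accept ICMP and SSH on `wg-emc` from any source address, whereas the internal-zone rules below restrict ICMP with `-d "$ipaddr" -s "$ipaddr/$netmask"`; since the peer is configured with `allowed_ips: 0.0.0.0/0`, WireGuard passes packets from gwhetzner carrying any source address, so the interface match is the only thing gating SSH here — authenticated to the peer key, but not to the tunnel subnet. If management over the tunnel is only expected from the peer's tunnel address, add `-s 192.168.254.4/30` to the ICMP and SSH rules; if traffic sourced from other networks behind gwhetzner is intended, say so above the rules instead, e.g. `# wg-emc: peer is key-authenticated by WireGuard; source addresses are deliberately not restricted`. The enclosing network-fw script continues outside this hunk.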
@@ -270,10 +336,18 @@ openwrt_mixin:
iptables -A INPUT -i "$interface" -p icmp -d "$ipaddr" -s "$ipaddr/$netmask" -j ACCEPT
iptables -A INPUT -i "$interface" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
- iptables -A FORWARD -i "$interface" -o "$WAN_IF" -s "$ipaddr/$netmask" -j ACCEPT
- iptables -A FORWARD -i "$WAN_IF" -o "$interface" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$ipaddr/$netmask" -j MASQUERADE
+ case "$zone" in
+ {{ network_internal_zone_names__wan | join('|') }})
+ iptables -A FORWARD -i "$interface" -o "$WAN_IF" -s "$ipaddr/$netmask" -j ACCEPT
+ iptables -A FORWARD -i "$WAN_IF" -o "$interface" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$ipaddr/$netmask" -j MASQUERADE
+ ;;
+ {{ network_internal_zone_names__emc | join('|') }})
+ iptables -A FORWARD -i "$interface" -o "$FF_IF" -s "$ipaddr/$netmask" -j ACCEPT
+ iptables -A FORWARD -i "$FF_IF" -o "$interface" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ iptables -t nat -A POSTROUTING -o "$FF_IF" -s "$ipaddr/$netmask" -j MASQUERADE
+ ;;
+ esac
done
iptables -P INPUT DROP