summaryrefslogtreecommitdiff
path: root/roles/wireguard
diff options
context:
space:
mode:
Diffstat (limited to 'roles/wireguard')
-rw-r--r--roles/wireguard/gateway/defaults/main.yml1
-rw-r--r--roles/wireguard/gateway/tasks/main.yml48
-rw-r--r--roles/wireguard/gateway/tasks/systemd-iptables.service.j242
-rw-r--r--roles/wireguard/gateway/templates/systemd-fix-default-gw.service.j212
-rw-r--r--roles/wireguard/gateway/templates/systemd.network.j213
5 files changed, 116 insertions, 0 deletions
diff --git a/roles/wireguard/gateway/defaults/main.yml b/roles/wireguard/gateway/defaults/main.yml
index 9ee0523c..8b1ab7f6 100644
--- a/roles/wireguard/gateway/defaults/main.yml
+++ b/roles/wireguard/gateway/defaults/main.yml
@@ -6,6 +6,7 @@
# listen_port: 1234
# addresses:
# - 192.168.255.254/24
+# ip_masq: yes
# peers:
# - pub_key: public_key_of_peer
# keepalive_interval: 10
diff --git a/roles/wireguard/gateway/tasks/main.yml b/roles/wireguard/gateway/tasks/main.yml
index 906ee640..bc14db1b 100644
--- a/roles/wireguard/gateway/tasks/main.yml
+++ b/roles/wireguard/gateway/tasks/main.yml
@@ -18,3 +18,51 @@
src: systemd.network.j2
dest: "/etc/systemd/network/{{ item.key }}.network"
notify: restart systemd-networkd
+
+- name: enable systemd-networkd
+ systemd:
+ name: systemd-networkd
+ enabled: yes
+ state: started
+
+
+- name: create iptables service unit
+ loop: "{{ wireguard_gateway_tunnels | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ when: "'ip_snat' in item.value or 'port_forwardings' in item.value"
+ template:
+ src: systemd-iptables.service.j2
+ dest: "/etc/systemd/system/wireguard-gateway-{{ item.key }}-iptables.service"
+
+- name: enable/start iptables service unit
+ loop: "{{ wireguard_gateway_tunnels | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ when: "'ip_snat' in item.value or 'port_forwardings' in item.value"
+ systemd:
+ daemon_reload: yes
+ name: "wireguard-gateway-{{ item.key }}-iptables.service"
+ enabled: yes
+ state: started
+
+
+- name: install workaround for default-gateway handling
+ loop: "{{ wireguard_gateway_tunnels | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ when: "'default_gateway' in item.value"
+ template:
+ src: systemd-fix-default-gw.service.j2
+ dest: "/etc/systemd/system/wireguard-gateway-{{ item.key }}-fix-default-gw.service"
+
+- name: enable/start workaround for default-gateway handling
+ loop: "{{ wireguard_gateway_tunnels | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ when: "'default_gateway' in item.value"
+ systemd:
+ daemon_reload: yes
+ name: "wireguard-gateway-{{ item.key }}-fix-default-gw.service"
+ enabled: yes
+ state: started
diff --git a/roles/wireguard/gateway/tasks/systemd-iptables.service.j2 b/roles/wireguard/gateway/tasks/systemd-iptables.service.j2
new file mode 100644
index 00000000..11cf4b8a
--- /dev/null
+++ b/roles/wireguard/gateway/tasks/systemd-iptables.service.j2
@@ -0,0 +1,42 @@
+[Unit]
+Wants=network-online.target
+After=network-online.target
+
+
+[Service]
+Type=oneshot
+
+{% if 'ip_snat' in item.value %}
+ExecStart=/usr/sbin/sysctl net.ipv4.ip_forward=1
+{% for addr in item.value.addresses %}
+ExecStart=/sbin/iptables -t nat -A POSTROUTING -s {{ addr | ipaddr('network/prefix') }} -o {{ item.value.ip_snat.interface }} -j SNAT --to {{ item.value.ip_snat.to }}
+{% endfor %}
+{% endif %}
+{% for forward in item.value.port_forwardings | default([]) %}
+{% for port in forward.tcp_ports | default([]) %}
+ExecStart=/sbin/iptables -t nat -A PREROUTING -d {{ forward.dest }} -p tcp --dport {{ port }} -j DNAT --to {{ forward.tcp_ports[port] }}
+{% endfor %}
+{% for port in forward.udp_ports | default([]) %}
+ExecStart=/sbin/iptables -t nat -A PREROUTING -d {{ forward.dest }} -p udp --dport {{ port }} -j DNAT --to {{ forward.udp_ports[port] }}
+{% endfor %}
+{% endfor %}
+
+{% if 'ip_snat' in item.value %}
+{% for addr in item.value.addresses %}
+ExecStop=/sbin/iptables -t nat -D POSTROUTING -s {{ addr | ipaddr('network/prefix') }} -o {{ item.value.ip_snat.interface }} -j SNAT --to {{ item.value.ip_snat.to }}
+{% endfor %}
+{% endif %}
+{% for forward in item.value.port_forwardings | default([]) %}
+{% for port in forward.tcp_ports | default([]) %}
+ExecStop=/sbin/iptables -t nat -D PREROUTING -d {{ forward.dest }} -p tcp --dport {{ port }} -j DNAT --to {{ forward.tcp_ports[port] }}
+{% endfor %}
+{% for port in forward.udp_ports | default([]) %}
+ExecStop=/sbin/iptables -t nat -D PREROUTING -d {{ forward.dest }} -p udp --dport {{ port }} -j DNAT --to {{ forward.udp_ports[port] }}
+{% endfor %}
+{% endfor %}
+
+RemainAfterExit=yes
+
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/wireguard/gateway/templates/systemd-fix-default-gw.service.j2 b/roles/wireguard/gateway/templates/systemd-fix-default-gw.service.j2
new file mode 100644
index 00000000..d2d8a470
--- /dev/null
+++ b/roles/wireguard/gateway/templates/systemd-fix-default-gw.service.j2
@@ -0,0 +1,12 @@
+[Unit]
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/ip route add {{ item.value.default_gateway.outer }} via {{ ansible_default_ipv4.gateway }}
+ExecStop=/sbin/ip route del {{ item.value.default_gateway.outer }} via {{ ansible_default_ipv4.gateway }}
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/wireguard/gateway/templates/systemd.network.j2 b/roles/wireguard/gateway/templates/systemd.network.j2
index 8d8af966..6847aa6a 100644
--- a/roles/wireguard/gateway/templates/systemd.network.j2
+++ b/roles/wireguard/gateway/templates/systemd.network.j2
@@ -5,3 +5,16 @@ Name={{ item.key }}
{% for addr in item.value.addresses %}
Address={{ addr }}
{% endfor %}
+{% if 'ip_masq' in item.value and item.value.ip_masq %}
+IPMasquerade=yes
+{% endif %}
+{% if 'default_gateway' in item.value %}
+
+[Route]
+Destination=0.0.0.0/1
+Gateway={{ item.value.default_gateway.inner }}
+
+[Route]
+Destination=128.0.0.0/1
+Gateway={{ item.value.default_gateway.inner }}
+{% endif %}
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-20 00:38:25 +0000