From 9283c8afccddadaf16bd4732099f24523367133c Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sat, 29 Feb 2020 20:30:18 +0100
Subject: elevate router setup

---
 inventory/group_vars/elevate-festival/main.yml | 1 +
 inventory/host_vars/ele-router.yml | 25 +++++++++++++++++++------
 2 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/inventory/group_vars/elevate-festival/main.yml b/inventory/group_vars/elevate-festival/main.yml
index b7372e2b..a8041cfe 100644
--- a/inventory/group_vars/elevate-festival/main.yml
+++ b/inventory/group_vars/elevate-festival/main.yml
@@ -202,5 +202,6 @@ network_zones:
 ele-br-uplink: 13
 ele-router: 12
 equinox-t450s: 11
+ datacop: 10
 dns:
 - 10.12.0.10
diff --git a/inventory/host_vars/ele-router.yml b/inventory/host_vars/ele-router.yml
index 908ed17b..6c4a787d 100644
--- a/inventory/host_vars/ele-router.yml
+++ b/inventory/host_vars/ele-router.yml
@@ -9,6 +9,8 @@ wireguard_gateway_tunnels:
 priv_key: "{{ wireguard_keys.gwhetzner.priv }}"
 addresses:
 - 192.168.254.6/30
+ default_gateway:
+ inner: 192.168.254.5
 peers:
 - pub_key: "{{ hostvars['ele-gwhetzner'].wireguard_keys.emc.pub }}"
 endpoint:
@@ -90,7 +92,7 @@ openwrt_network_external:
 - name: rule
 options:
 priority: 39001
- mark: 1
+ mark: 2
 lookup: 102

 - name: route 'ffdefault'
@@ -117,6 +119,14 @@ openwrt_network_internal_yaml: |
 ipaddr: "{{ network_zones[zone_name].gateway }}"
 netmask: "{{ network_zones[zone_name].prefix | ipaddr('netmask') }}"
 accept_ra: 0
+ {% if zone_name in network_internal_zone_names__emc %}
+
+ - name: rule
+ options:
+ priority: 38000
+ in: "{{ zone_name }}"
+ lookup: 103
+ {% endif %}
 {% endfor %}

 openwrt_network_base:
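Review bot: The fwmark value is now duplicated as a bare number in two places that must stay equal — `mark: 2` in the rule at priority 39001 here and `fwmark 2` in the wg-emc init script (the hunk at -266,7), presumably so that the tunnel's own encapsulated packets are routed via table 102. If one of them is bumped again without the other, the policy route silently stops matching. A shared host var such as `wg_emc_fwmark: 2` referenced from both the rule options and the `wg set` line would make the pairing explicit. The list item starts at the hunk's first line, but the rest of openwrt_network_external lies outside the hunk.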
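Review bot: The per-zone `lookup: 103` rule added under the `{% if zone_name in network_internal_zone_names__emc %}` guard fails open: table 103 only ever receives the default route that the init script adds through wg-emc (hunk at -276,10), so once that link is gone (stop() deletes it) the lookup in 103 finds nothing and the kernel falls through to the remaining rules, routing traffic from those zones via the main table toward the regular uplink. The FORWARD rules in the -343,9 hunk restrict those zones to `-o wg-emc`, but that only blocks the leak if the chain's default policy is DROP, which is not visible here. A fallback such as `ip route add unreachable default table 103 metric 1000`, added next to the tunnel default route in start(), would make the failure closed instead. This hunk sits inside the openwrt_network_internal_yaml block scalar, whose for-loop begins before the hunk.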
@@ -266,7 +276,7 @@ openwrt_mixin:

 start() {
 ip link add dev wg-emc type wireguard
- wg set wg-emc fwmark 1 private-key /etc/wireguard/wg-emc.priv
+ wg set wg-emc fwmark 2 private-key /etc/wireguard/wg-emc.priv

 {% for peer in wireguard_gateway_tunnels['wg-emc'].peers %}
 wg set wg-emc peer {{ peer.pub_key }} endpoint {{ peer.endpoint.host }}:{{ peer.endpoint.port }} persistent-keepalive {{ peer.keepalive_interval }} allowed-ips {{ peer.allowed_ips | join(',') }}
@@ -276,10 +286,13 @@ openwrt_mixin:
 ip addr add dev wg-emc {{ addr }}
 {% endfor %}
 ip link set up dev wg-emc
+
+ ip route add default via {{ wireguard_gateway_tunnels['wg-emc'].default_gateway.inner }} table 103 proto static
 }

 stop() {
- ip link del dev wgemc
+ ip link del dev wg-emc
+ ip rule del pref 38000
 }

 /etc/rc.d/S22network-fw:
@@ -343,9 +356,9 @@ openwrt_mixin:
 iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$ipaddr/$netmask" -j MASQUERADE
 ;;
 {{ network_internal_zone_names__emc | join('|') }})
- iptables -A FORWARD -i "$interface" -o "$FF_IF" -s "$ipaddr/$netmask" -j ACCEPT
- iptables -A FORWARD -i "$FF_IF" -o "$interface" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- iptables -t nat -A POSTROUTING -o "$FF_IF" -s "$ipaddr/$netmask" -j MASQUERADE
+ iptables -A FORWARD -i "$interface" -o "wg-emc" -s "$ipaddr/$netmask" -j ACCEPT
+ iptables -A FORWARD -i "wg-emc" -o "$interface" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ iptables -t nat -A POSTROUTING -o "wg-emc" -s "$ipaddr/$netmask" -j MASQUERADE
 ;;
 esac
 done
-- 
cgit v1.2.3
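Review bot: `ip rule del pref 38000` in stop() removes state this script does not own and removes only part of it: the priority-38000 rules are declared per zone in openwrt_network_internal_yaml (hunk at -117,6), so the network configuration creates one rule per emc zone, while a single `ip rule del pref 38000` deletes just one of them and start() never recreates any. After a stop/start of this service the zones are therefore left with a partial or missing rule set until the network config is reloaded. Dropping the line and leaving the rules to the network config keeps ownership in one place; if the intent is to flush them, the deletion would have to loop until no rule at that preference remains. The default route added to table 103 is not removed in stop(), which is presumably fine because deleting the wg-emc link drops routes through it, but that is worth a comment on the `ip link del` line.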
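Review bot: The three rewritten iptables lines hard-code the literal `"wg-emc"` where the old code used the `$FF_IF` variable, so the interface name now lives in this firewall script, in the init script (hunk at -266,7) and in the `wireguard_gateway_tunnels['wg-emc']` key, with nothing tying them together. Defining it once next to the existing `WAN_IF`/`FF_IF` variables, e.g. `EMC_IF="wg-emc"`, and using `"$EMC_IF"` in the three rules would keep the script consistent with the other case branches. The enclosing `case`/`for` construct starts before this hunk.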