From 0cd36bf935e26f8df454f04df6ca82cdc63e71ac Mon Sep 17 00:00:00 2001
From: Alex
Date: Sun, 31 May 2020 12:00:52 +0200
Subject: [PATCH] Add bidirectional forward permissions and allow ipv4 forwards in the kernel
---
 tasks/main.yml | 7 +++++++
 templates/wireguard.conf.j2 | 4 ++--
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index 655a2f0..a1b8e92 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -11,3 +11,10 @@
 - config
 - wireguard
 - vault
+- name: Enable forwarding in sysctl
+ loop:
+ - { name: "net.ipv4.ip_forward", value: "1" }
+ sysctl:
+ name: "{{ item.name }}"
+ value: "{{ item.value }}"
+ sysctl_set: yes
diff --git a/templates/wireguard.conf.j2 b/templates/wireguard.conf.j2
index f9312d0..dc30c1c 100644
--- a/templates/wireguard.conf.j2
+++ b/templates/wireguard.conf.j2
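Review bot: The new sysctl task enables only `net.ipv4.ip_forward`, while the interface template changed in this same commit configures an IPv6 address and adds ip6tables FORWARD rules; without `net.ipv6.conf.all.forwarding` the kernel will not forward the v6 traffic those rules are meant to permit. Adding a second loop item, `- { name: "net.ipv6.conf.all.forwarding", value: "1" }`, would make the sysctl task match the template. The context lines above the insertion (`- config`, `- wireguard`, `- vault`) look like the preceding task's tags list, and the new task carries no tags, so a tag-filtered run would skip it — worth confirming that is intended. Whether forwarding should be enabled globally rather than restricted to the WireGuard interface depends on what else this host does, which is not visible here.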
@@ -1,7 +1,7 @@
 [Interface]
 Address = {{ wireguard.net.v4.addr }}.1/{{ wireguard.net.v4.range.serv }}, {{ wireguard.net.v6.addr }}:1/{{ wireguard.net.v6.range.serv }}
-PostUp = iptables -A FORWARD -i {{ wireguard.interface }} -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i {{ wireguard.interface }} -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-PostDown = iptables -D FORWARD -i {{ wireguard.interface }} -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i {{ wireguard.interface }} -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+PostUp = iptables -A FORWARD -i {{ wireguard.interface }} -j ACCEPT; iptables -A FORWARD -o {{ wireguard.interface }} -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -o {{ wireguard.interface }} -j ACCEPT; ip6tables -A FORWARD -i {{ wireguard.interface }} -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -o {{ wireguard.interface }} -j ACCEPT; iptables -D FORWARD -i {{ wireguard.interface }} -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -o {{ wireguard.interface }} -j ACCEPT; ip6tables -D FORWARD -i {{ wireguard.interface }} -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
 ListenPort = {{ wireguard.port }}
 PrivateKey = {{ vault_wireguard.privkey }}
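Review bot: The added `-o {{ wireguard.interface }} -j ACCEPT` rules in the new PostUp line accept any forwarded packet destined into the tunnel, not only replies to connections the peers opened, so unless the FORWARD chain's default policy or earlier rules already restrict it, hosts reachable via eth0 can initiate connections to the VPN clients. If the goal is two-way traffic for peer-initiated connections, a stateful match is tighter: `iptables -A FORWARD -o {{ wireguard.interface }} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`, with the same `-m conntrack --ctstate RELATED,ESTABLISHED` clause on the ip6tables rule and on the matching `-D` entries in PostDown so teardown removes exactly what PostUp added. A short template comment stating which direction each FORWARD rule is meant to permit would make the intent reviewable the next time these lines change.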