
Add bidirectional forward permissions and allow ipv4 forwards in the kernel

Alex 12 months ago
parent
commit
0cd36bf935
Signed by: caskd GPG Key ID: F92BA85F61F4C173
  1. 7
      tasks/main.yml
  2. 4
      templates/wireguard.conf.j2

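--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -11,3 +11,10 @@
 - config
 - wireguard
 - vault
+- name: Enable forwarding in sysctl
+loop:
+- { name: "net.ipv4.ip_forward", value: "1" }
+sysctl:
+name: "{{ item.name }}"
+value: "{{ item.value }}"
+sysctl_set: yes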
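Review bot: The loop in this task enables only `net.ipv4.ip_forward`, yet the `templates/wireguard.conf.j2` change in the same commit installs `ip6tables -A FORWARD` rules for the tunnel in both directions; without `net.ipv6.conf.all.forwarding` set to 1 the kernel will not forward IPv6 across the interface, so those ip6tables rules have nothing to match. Adding a second loop item, `- { name: "net.ipv6.conf.all.forwarding", value: "1" }`, keeps the sysctl task in step with the firewall rules. Note that `ip_forward` is host-wide: once it is on, the box routes between every interface, so it is worth confirming (outside this hunk) that the FORWARD chain's default policy is DROP, or narrowing the template's `iptables -A FORWARD -o {{ wireguard.interface }} -j ACCEPT` rule to `-m conntrack --ctstate RELATED,ESTABLISHED`, because as written the template accepts any forwarded packet in either direction on the interface name alone. The preceding task carries `tags:` (`config`, `wireguard`, `vault`) while this one has none, so a tag-filtered run would presumably skip it — worth checking against how the playbook is invoked.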

4
templates/wireguard.conf.j2

@ -1,7 +1,7 @@
[Interface]
Address = {{ wireguard.net.v4.addr }}.1/{{ wireguard.net.v4.range.serv }}, {{ wireguard.net.v6.addr }}:1/{{ wireguard.net.v6.range.serv }}
PostUp = iptables -A FORWARD -i {{ wireguard.interface }} -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i {{ wireguard.interface }} -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i {{ wireguard.interface }} -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i {{ wireguard.interface }} -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostUp = iptables -A FORWARD -i {{ wireguard.interface }} -j ACCEPT; iptables -A FORWARD -o {{ wireguard.interface }} -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -o {{ wireguard.interface }} -j ACCEPT; ip6tables -A FORWARD -i {{ wireguard.interface }} -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -o {{ wireguard.interface }} -j ACCEPT; iptables -D FORWARD -i {{ wireguard.interface }} -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -o {{ wireguard.interface }} -j ACCEPT; ip6tables -D FORWARD -i {{ wireguard.interface }} -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = {{ wireguard.port }}
PrivateKey = {{ vault_wireguard.privkey }}