author | Egor Tensin <Egor.Tensin@gmail.com> | 2023-08-08 22:38:33 +0200 |
---|---|---|
committer | Egor Tensin <Egor.Tensin@gmail.com> | 2023-08-08 22:45:22 +0200 |
commit | 0b2eb8d752c5229e50663226be897f8ef8bfa013 (patch) | |
tree | 05192797197d2d6745a03596af1343d8763bf05b /roles/wireguard | |
parent | firewall: reboot on rule changes (diff) | |
download | infra-ansible-0b2eb8d752c5229e50663226be897f8ef8bfa013.tar.gz infra-ansible-0b2eb8d752c5229e50663226be897f8ef8bfa013.zip |
wireguard: optionally set iptables rules
Diffstat (limited to 'roles/wireguard')
-rw-r--r-- | roles/wireguard/defaults/main.yml | 1 | ||||
-rw-r--r-- | roles/wireguard/templates/wg0.conf | 11 |
2 files changed, 12 insertions, 0 deletions
diff --git a/roles/wireguard/defaults/main.yml b/roles/wireguard/defaults/main.yml
index 67964a5..9f7733a 100644
--- a/roles/wireguard/defaults/main.yml
+++ b/roles/wireguard/defaults/main.yml
@@ -1,2 +1,3 @@
 wg_name: wg0
 wg_listen_port: 51280
+wg_firewall: false
diff --git a/roles/wireguard/templates/wg0.conf b/roles/wireguard/templates/wg0.conf
index 1d6140c..aff1300 100644
--- a/roles/wireguard/templates/wg0.conf
+++ b/roles/wireguard/templates/wg0.conf
@@ -3,6 +3,17 @@ PrivateKey = {{ wg_private_key }}
 Address = {{ wg_addr4 }}, {{ wg_addr6 }}
 ListenPort = {{ wg_listen_port }}
 SaveConfig = false
+
+{% if wg_firewall %}
+PostUp = iptables -t nat -A POSTROUTING -s {{ wg_addr4 }} -m policy --pol none --dir out -j MASQUERADE
+PostUp = iptables -A FORWARD -s {{ wg_addr4 }} -j ACCEPT
+PostUp = ip6tables -t nat -A POSTROUTING -s {{ wg_addr6 }} -m policy --pol none --dir out -j MASQUERADE
+PostUp = ip6tables -A FORWARD -s {{ wg_addr6 }} -j ACCEPT
+PostDown = iptables -t nat -D POSTROUTING -s {{ wg_addr4 }} -m policy --pol none --dir out -j MASQUERADE
+PostDown = iptables -D FORWARD -s {{ wg_addr4 }} -j ACCEPT
+PostDown = ip6tables -t nat -A POSTROUTING -s {{ wg_addr6 }} -m policy --pol none --dir out -j MASQUERADE
+PostDown = ip6tables -D FORWARD -s {{ wg_addr6 }} -j ACCEPT
+{% endif %}
 {% if wg_peers is defined %}
 {% for peer in wg_peers %} |
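Review bot: The third PostDown line in the wg0.conf hunk uses `-A` where every other PostDown line uses `-D`, so taking the interface down appends a second IPv6 MASQUERADE rule instead of removing it; each up/down cycle leaves one more duplicate in the nat POSTROUTING chain and the masquerade stays active while the tunnel is down. It should read `PostDown = ip6tables -t nat -D POSTROUTING -s {{ wg_addr6 }} -m policy --pol none --dir out -j MASQUERADE`. Separately, the FORWARD ACCEPT rules match on source address only; if `wg_addr4`/`wg_addr6` carry the interface's own address rather than the peer network (the Address line suggests they do), the rules may not cover peer traffic as intended, and binding them to the interface with `-i {{ wg_name }}` would make the accept narrower and easier to audit — worth confirming against how the variables are populated. The hunk's trailing context line appears to have been collapsed by the page rendering; the template continues past what is shown.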