# File 'manifests/init.pp', line 6
# @summary Installs wireguard-tools, prepares the key directories, declares one
#   wireguard::network per entry of $networks and opens the host firewall.
#
# What this manifest does (only what is visible here):
#   * installs `wireguard-tools` and, ordered after the package, creates
#     /etc/wireguard/private and /etc/wireguard/public as root-owned 0700
#     directories;
#   * declares `wireguard::network { <interface>: peers => <hash> }` for every
#     key of $networks (the defined type itself is not part of this file);
#   * accepts inbound UDP 41194 and, per entry of $alternate_ports, adds a
#     nat/PREROUTING REDIRECT of that UDP port to 41194 for locally addressed
#     packets;
#   * when $routers is non-empty, enables net.ipv4.ip_forward through
#     /etc/sysctl.d/wireguard.conf (notifying systemd-sysctl) and adds one
#     MASQUERADE and one FORWARD accept rule per router source.
#
# Security notes (review):
#   * The FORWARD accept matches every protocol from each $routers source to
#     any destination and carries no `iniface`, so a packet arriving on any
#     interface with that source address is forwarded as well. If the router
#     peers should only reach specific networks, pin `iniface` to the
#     WireGuard interface and narrow `destination`.
#   * Forwarding is never reverted: when $routers becomes empty the sysctl
#     file is simply no longer managed (ensure is not switched to absent),
#     and sysctl has no "unset", so net.ipv4.ip_forward stays at 1 until
#     something else changes it.
#   * $routers values go straight into the iptables `source` match; the type
#     is only String, so a malformed value fails at apply time rather than at
#     compile time. A CIDR/IP data type would catch it earlier (not added
#     here — it would require an extra module dependency).
#   * 41194 appears in the accept rule and every redirect; wireguard::network
#     presumably listens on the same port — confirm before changing it.
#
# @param networks
#   WireGuard interface name => the `peers` hash passed to wireguard::network.
# @param routers
#   iptables `source` values (hosts or CIDRs; format not validated here) that
#   this node masquerades and forwards traffic for.
# @param alternate_ports
#   Extra UDP ports redirected to 41194 in the nat PREROUTING chain.
class wireguard (
  Hash[String, Hash[String, Any]] $networks        = {},
  Array[String]                   $routers         = [],
  Array[Integer]                  $alternate_ports = [],
) {
  # Single definition of the listen port used by the accept and redirect
  # rules below (same literal value the rules used before).
  $listen_port = 41194

  # Key directories are created only once the package is installed, so the
  # package's own /etc/wireguard layout comes first.
  package { 'wireguard-tools': }
  -> file { ['/etc/wireguard/private', '/etc/wireguard/public']:
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0700',
  }

  $networks.each |String $wg_if, Hash $wg_peers| {
    wireguard::network { $wg_if:
      peers => $wg_peers,
    }
  }

  # Filter-table accept for the listen port. No chain is given, so the
  # module default applies (presumably INPUT — not stated in this file).
  firewall { '100 allow inbound wireguard traffic':
    dport  => $listen_port,
    proto  => 'udp',
    action => 'accept',
  }

  # Alternate ports are rewritten to the listen port before routing, so the
  # accept rule above is expected to cover the redirected packets too.
  $alternate_ports.each |Integer $alt_port| {
    firewall { "100 redirect ${alt_port} as alternate wireguard port":
      table    => 'nat',
      chain    => 'PREROUTING',
      dst_type => 'LOCAL',
      proto    => 'udp',
      dport    => $alt_port,
      jump     => 'REDIRECT',
      toports  => $listen_port,
    }
  }

  unless empty($routers) {
    # Kernel forwarding is only switched on when there is at least one
    # router; the file refresh re-runs systemd-sysctl to apply it.
    file { '/etc/sysctl.d/wireguard.conf':
      ensure  => file,
      content => 'net.ipv4.ip_forward=1',
    }
    ~> service { 'systemd-sysctl':
      ensure => running,
      enable => true,
    }

    $routers.each |String $router_src| {
      # NAT outbound traffic from the router source behind this host's
      # address.
      firewall { "100 masquerade for wireguard routing on ${router_src}":
        chain  => 'POSTROUTING',
        jump   => 'MASQUERADE',
        proto  => 'all',
        source => $router_src,
        table  => 'nat',
      }
      # NOTE(review): accepts all protocols from the source to any
      # destination on any interface — see the security notes above.
      firewall { "100 forward for wireguard routing on ${router_src}":
        chain  => 'FORWARD',
        proto  => 'all',
        action => 'accept',
        source => $router_src,
      }
    }
  }
}