From d07015e48aadb24db6e4eeaf522db78027851e94 Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Tue, 27 Jul 2021 20:46:46 +0200
Subject: [PATCH] Make endpoint optional
The endpoint parameter is only required if wireguard should connect to a remote site. That's not always possible. For example in situations where the remote site is behind a NAT gateway and/or has a dynamic IP address. For such setups you can create a 'passive' configuration that listens for incoming packets.
---
 REFERENCE.md | 14 ++++++++++++--
 manifests/interface.pp | 28 ++++++++++++++++++----------
 2 files changed, 30 insertions(+), 12 deletions(-)
diff --git a/REFERENCE.md b/REFERENCE.md
index 53f11bc..ad06a12 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -85,6 +85,14 @@ wireguard::interface {'as2273':
 endpoint => 'wg.example.com:53668',
 addresses => [{'Address' => '192.168.218.87/32', 'Peer' => '172.20.53.97/32'}, {'Address' => 'fe80::ade1/64',},],
 }
+
+Create a passive wireguard interface that listens for incoming connections. Useful when the other side has a dynamic IP / is behind NAT
+wireguard::interface {'as2273':
+ source_addresses => ['2003:4f8:c17:4cf::1', '149.9.255.4'],
+ public_key => 'BcxLll1BVxGQ5DeijroesjroiesjrjvX+EBhS4vcDn0R0=',
+ dport => 53668,
+ addresses => [{'Address' => '192.168.218.87/32', 'Peer' => '172.20.53.97/32'}, {'Address' => 'fe80::ade1/64',},],
+}
 ```
 #### Parameters
@@ -143,7 +151,7 @@ Default value: `[]`
 ##### `destination_addresses`
-Data type: `Optional[Array[Stdlib::IP::Address]]`
+Data type: `Array[Stdlib::IP::Address]`
 array of addresses where the remote peer connects to (our local ips), used for firewalling
@@ -157,10 +165,12 @@ base64 encoded pubkey from the remote peer
 ##### `endpoint`
-Data type: `String[1]`
+Data type: `Optional[String[1]]`
 fqdn:port or ip:port where we connect to
+Default value: ``undef``
+
 ##### `addresses`
 Data type: `Array[Hash[String,Variant[Stdlib::IP::Address::V4::CIDR,Stdlib::IP::Address::V6::CIDR]]]`
diff --git a/manifests/interface.pp b/manifests/interface.pp
index 89bfd43..51b036c 100644
--- a/manifests/interface.pp
+++ b/manifests/interface.pp
@@ -30,9 +30,16 @@
 # addresses => [{'Address' => '192.168.218.87/32', 'Peer' => '172.20.53.97/32'}, {'Address' => 'fe80::ade1/64',},],
 # }
 #
+# Create a passive wireguard interface that listens for incoming connections. Useful when the other side has a dynamic IP / is behind NAT
+# wireguard::interface {'as2273':
+# source_addresses => ['2003:4f8:c17:4cf::1', '149.9.255.4'],
+# public_key => 'BcxLll1BVxGQ5DeijroesjroiesjrjvX+EBhS4vcDn0R0=',
+# dport => 53668,
+# addresses => [{'Address' => '192.168.218.87/32', 'Peer' => '172.20.53.97/32'}, {'Address' => 'fe80::ade1/64',},],
+# }
 define wireguard::interface (
 String[1] $public_key,
- String[1] $endpoint,
+ Optional[String[1]] $endpoint = undef,
 Array[Stdlib::IP::Address] $destination_addresses = [$facts['networking']['ip'], $facts['networking']['ip6'],],
 String[1] $interface = $title,
 Integer[1024, 65000] $dport = Integer(regsubst($title, '^\D+(\d+)$', '\1')),
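Review bot: `Optional[String[1]] $endpoint = undef` still admits any non-empty string, and the value is written verbatim into the generated `.netdev` file by the template in the next hunk, so a value containing whitespace or a line break would add further `[WireGuardPeer]` directives instead of failing at catalog compile time. A pattern type rejects that while remaining compatible with the documented `fqdn:port` / `ip:port` form, e.g. `Optional[Pattern[/\A[^\s]+:\d{1,5}\z/]] $endpoint = undef`; the same reasoning applies to `String[1] $public_key`, which is always 44 characters of base64 for WireGuard. The `@param endpoint` documentation lives above this hunk and should now say what `undef` means, e.g. `# @param endpoint fqdn:port or ip:port where we connect to; when undef no Endpoint= is emitted and the interface only listens on $dport for the peer to initiate`. The new example also uses `source_addresses`, which is presumably declared further down the signature, outside this hunk.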
@@ -76,28 +83,29 @@
 require => Exec["generate ${interface} keys"],
 }
 # lint:ignore:strict_indent
- $netdev_config = @("EOT")
+ $netdev_config = @(EOT)
+ <%- | $interface, $dport, $public_key, $endpoint | -%>
 # THIS FILE IS MANAGED BY PUPPET
 # based on https://dn42.dev/howto/wireguard
 [NetDev]
- Name=${interface}
+ Name=<%= $interface %>
 Kind=wireguard
 [WireGuard]
- PrivateKeyFile=/etc/wireguard/${interface}
- ListenPort=${dport}
+ PrivateKeyFile=/etc/wireguard/<%= $interface %>
+ ListenPort=<%= $dport %>
 [WireGuardPeer]
- PublicKey=${public_key}
- # OPTIONAL, pre-shared key
- #PresharedKey=
- Endpoint=${endpoint}
+ PublicKey=<%= $public_key %>
+ <% if $endpoint { -%>
+ Endpoint=<%= $endpoint %>
+ <%} -%>
 AllowedIPs=fe80::/64
 AllowedIPs=fd00::/8
 AllowedIPs=0.0.0.0/0
 | EOT
 systemd::network { "${interface}.netdev":
- content => $netdev_config,
+ content => inline_epp($netdev_config, { 'interface' => $interface, 'dport' => $dport, 'public_key' => $public_key, 'endpoint' => $endpoint }),
 restart_service => true,
 owner => 'root',
 group => 'systemd-network',
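Review bot: The rewrite drops the `# OPTIONAL, pre-shared key` / `#PresharedKey=` lines, so the generated file no longer tells an operator that a `PresharedKey=` can be added to the `[WireGuardPeer]` section; if that hint is still wanted it can stay as template text, `# OPTIONAL: PresharedKey= can be added here`, or become an EPP comment `<%# ... %>` that leaves no trace in the output. The `inline_epp(...)` argument is one very long line; binding the hash first, `$netdev_params = { 'interface' => $interface, 'dport' => $dport, 'public_key' => $public_key, 'endpoint' => $endpoint }` and then `content => inline_epp($netdev_config, $netdev_params),`, reads better and is easier to extend when more template variables are added. The `<% if $endpoint { -%>` guard is the right way to make the directive conditional; the `systemd::network` resource it feeds continues past the end of the hunk.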