diff --git a/plays/vpn/roles/bridge/meta/argument_specs.yml b/plays/vpn/roles/bridge/meta/argument_specs.yml
index acb440b..812a668 100644
--- a/plays/vpn/roles/bridge/meta/argument_specs.yml
+++ b/plays/vpn/roles/bridge/meta/argument_specs.yml
@@ -26,4 +26,4 @@ argument_specs:
 required: true
 vpn_wireguard_routing_table:
 type: "int"
- required: true
+ required: "{{ vpn_wireguard_role == 'client' }}"
diff --git a/plays/vpn/roles/wireguard/meta/argument_specs.yml b/plays/vpn/roles/wireguard/meta/argument_specs.yml
index 2a33d94..dc1428e 100644
--- a/plays/vpn/roles/wireguard/meta/argument_specs.yml
+++ b/plays/vpn/roles/wireguard/meta/argument_specs.yml
@@ -5,9 +5,6 @@ argument_specs:
 interface:
 type: "str"
 required: true
- vpn_wireguard_routing_table:
- type: "int"
- required: true
 vpn_wireguard_role:
 type: "str"
 required: true
@@ -23,9 +20,6 @@ argument_specs:
 vpn_wireguard_interface_private_key:
 type: "str"
 required: true
- vpn_wireguard_preshared_key:
- type: "str"
- required: true
 vpn_wireguard_subnet:
 type: "str"
 required: false
@@ -33,9 +27,15 @@ argument_specs:
 type: "list"
 elem: "dict"
 required: "{{ vpn_wireguard_role == 'server' }}"
+ vpn_wireguard_routing_table:
+ type: "int"
+ required: "{{ vpn_wireguard_role == 'client' }}"
 vpn_wireguard_server_public_key:
 type: "str"
 required: "{{ vpn_wireguard_role == 'client' }}"
+ vpn_wireguard_server_preshared_key:
+ type: "str"
+ required: "{{ vpn_wireguard_role == 'client' }}"
 vpn_wireguard_server_address:
 type: "str"
 required: "{{ vpn_wireguard_role == 'client' }}"
diff --git a/plays/vpn/roles/wireguard/templates/wg0.conf.j2 b/plays/vpn/roles/wireguard/templates/wg0.conf.j2
index d612bce..9448591 100644
--- a/plays/vpn/roles/wireguard/templates/wg0.conf.j2
+++ b/plays/vpn/roles/wireguard/templates/wg0.conf.j2
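Review bot: The new `required: "{{ vpn_wireguard_role == 'client' }}"` on `vpn_wireguard_routing_table` in the bridge role's spec depends on `vpn_wireguard_role` being defined when the bridge role is validated, and nothing in this hunk shows the bridge spec declaring that variable. If it is only declared by the wireguard role, a play that applies the bridge role on its own fails with an undefined-variable error from the spec itself rather than a clear validation message. If the two roles are always applied together, a comment above the key would make the coupling explicit: `# Only needed on client hosts; the condition relies on vpn_wireguard_role from the wireguard role.` Otherwise declare `vpn_wireguard_role` in this spec as well.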
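Review bot: The list entry above the added `vpn_wireguard_routing_table` block is still declared only as `type: "list"` / `elem: "dict"`, while the templates in this same commit now read `client.public_key` and `client.preshared_key` from every entry, so a client dict missing `preshared_key` fails at template time rather than at argument validation. An `options` sub-spec on the list elements would catch that up front; `subnet` stays optional because the templates guard it with `'subnet' in client`. Note also that, as far as I know, the spec key Ansible recognises for element types is `elements`, not `elem`, so the existing context line may be ignored by the validator rather than enforced. The mapping key for this list is above the hunk and not visible here.

```yaml
# … unchanged: the list key that the templates iterate as vpn_wireguard_clients …
      type: "list"
      elements: "dict"
      required: "{{ vpn_wireguard_role == 'server' }}"
      options:
        public_key:
          type: "str"
          required: true
        preshared_key:
          type: "str"
          required: true
        subnet:
          type: "str"
          required: false
# … unchanged: vpn_wireguard_routing_table and vpn_wireguard_server_* entries …
```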
@@ -8,18 +8,18 @@ ListenPort = {{ vpn_wireguard_port }}
 {% for client in vpn_wireguard_clients %}
 [Peer]
 PublicKey = {{ client.public_key }}
-PresharedKey = {{ vpn_wireguard_preshared_key }}
-{% if vpn_wireguard_subnet is defined %}
+PresharedKey = {{ client.preshared_key }}
+{% if 'subnet' in client %}
 AllowedIPs = {{ vpn_wireguard_subnet }},{{ client.subnet }}
 {% else %}
-AllowedIPs = {{ client.subnet }}
+AllowedIPs = {{ vpn_wireguard_subnet }}
 {% endif %}
 {% endfor %}
 {% elif vpn_wireguard_role == "client" %}
 [Peer]
 PublicKey = {{ vpn_wireguard_server_public_key }}
-PresharedKey = {{ vpn_wireguard_preshared_key }}
+PresharedKey = {{ vpn_wireguard_server_preshared_key }}
 Endpoint = {{ vpn_wireguard_server_address }}:{{ vpn_wireguard_port }}
 AllowedIPs = 0.0.0.0/0
 PersistentKeepalive = 15
diff --git a/plays/vpn/roles/wireguard/templates/wg0.j2 b/plays/vpn/roles/wireguard/templates/wg0.j2
index a28f7ab..303e17a 100644
--- a/plays/vpn/roles/wireguard/templates/wg0.j2
+++ b/plays/vpn/roles/wireguard/templates/wg0.j2
@@ -6,17 +6,21 @@ iface wg0 inet static
 post-up /usr/local/sbin/post-up-$IFACE-inet.nft
 post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
-{% if vpn_wireguard_role == "client" %}
- post-up ip route add default dev $IFACE table {{ vpn_wireguard_routing_table }}
-{% elif vpn_wireguard_role == "server" %}
+{% if vpn_wireguard_role == "server" %}
 {% for client in vpn_wireguard_clients %}
+{% if 'subnet' in client %}
 post-up ip route add {{ client.subnet }} dev $IFACE
+{% endif %}
 {% endfor %}
+{% elif vpn_wireguard_role == "client" %}
+ post-up ip route add default dev $IFACE table {{ vpn_wireguard_routing_table }}
 {% endif %}
 {% if vpn_wireguard_role == "server" %}
 {% for client in vpn_wireguard_clients %}
+{% if 'subnet' in client %}
 pre-down ip route del {{ client.subnet }} dev $IFACE
+{% endif %}
 {% endfor %}
 {% elif vpn_wireguard_role == "client" %}
 pre-down ip route del default dev $IFACE table {{ vpn_wireguard_routing_table }}
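Review bot: The server-side `[Peer]` block now renders `{{ vpn_wireguard_subnet }}` in both branches of the new `{% if 'subnet' in client %}`, but the wireguard spec in this same commit keeps `vpn_wireguard_subnet` at `required: false` and the old `{% if vpn_wireguard_subnet is defined %}` guard that covered the unset case is removed, so an unset variable now either aborts the template or emits an empty `AllowedIPs =` depending on the undefined-variable setting. The smallest fix is in the spec, `required: "{{ vpn_wireguard_role == 'server' }}"` on `vpn_wireguard_subnet`, or else restore the `is defined` guard around the server branch. Separately, `AllowedIPs` is also WireGuard's per-peer cryptokey-routing filter and a prefix belongs to one peer at a time, so if `vpn_wireguard_subnet` is the shared tunnel network rather than a per-client address, giving the whole prefix to every client peer means later peers take it from earlier ones; the pre-existing branch had the same shape, so this is a point to confirm rather than a regression. Moving from one PSK shared by all peers to `client.preshared_key` is the right direction, since a single shared PSK gave no per-peer separation. The enclosing `{% if vpn_wireguard_role == "server" %}` and its closing `{% endif %}` lie outside the hunk.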