|
|
|
@ -1,5 +1,5 @@
|
|
|
|
|
{% set subnets = ([strongswan_network_ipv6] if ipsec_enabled else []) + ([wireguard_network_ipv6] if wireguard_enabled else []) %}
|
|
|
|
|
{% set ports = (['500', '4500'] if ipsec_enabled else []) + ([wireguard_port] if wireguard_enabled else []) %}
|
|
|
|
|
{% set ports = (['500', '4500'] if ipsec_enabled else []) + ([wireguard_port] if wireguard_enabled else []) + ([wireguard_port_actual] if wireguard_enabled and wireguard_port|int == wireguard_port_avoid|int else []) %}
|
|
|
|
|
|
|
|
|
|
#### The mangle table
|
|
|
|
|
# This table allows us to modify packet headers
|
|
|
|
@ -28,6 +28,11 @@ COMMIT
|
|
|
|
|
:PREROUTING ACCEPT [0:0]
|
|
|
|
|
:POSTROUTING ACCEPT [0:0]
|
|
|
|
|
|
|
|
|
|
{% if wireguard_enabled and wireguard_port|int == wireguard_port_avoid|int %}
|
|
|
|
|
# Handle the special case of allowing access to WireGuard over an already used
|
|
|
|
|
# port like 53
|
|
|
|
|
-A PREROUTING --in-interface {{ ansible_default_ipv6['interface'] }} -p udp --dport {{ wireguard_port_avoid }} -j REDIRECT --to-port {{ wireguard_port_actual }}
|
|
|
|
|
{% endif %}
|
|
|
|
|
# Allow traffic from the VPN network to the outside world, and replies
|
|
|
|
|
-A POSTROUTING -s {{ subnets|join(',') }} -m policy --pol none --dir out -j MASQUERADE
|
|
|
|
|
|
|
|
|
|