PostUp = resolvectl domain %i small.private
[Peer]
-PublicKey = S+6HaTnOwwhWgUGXjSBcPAvifKw+j8BDTRfq534gNW4=
EndPoint = 192.168.15.5:39608
+PublicKey = S+6HaTnOwwhWgUGXjSBcPAvifKw+j8BDTRfq534gNW4=
AllowedIPs = 10.177.87.1
AllowedIPs = 192.168.56.0/24
AllowedIPs = 192.168.57.0/24
#+BEGIN_SRC conf
[Interface]
Address = 10.84.139.2
-PrivateKey = wg set %i private-key /etc/wireguard/private-key
+PrivateKey = <hidden>
+PublicKey = LdsCsgfjKCfd5+VKS+Q/dQhWO8NRNygByDO2VxbXlSQ=
DNS = 192.168.56.1
Domain = small.private
# Gate
[Peer]
-PublicKey = y3cjFnvQbylmH4lGTujpqc8rusIElmJ4Gu9hh6iR7QI=
EndPoint = 192.168.57.1:51820
+PublicKey = y3cjFnvQbylmH4lGTujpqc8rusIElmJ4Gu9hh6iR7QI=
AllowedIPs = 10.84.139.1
AllowedIPs = 192.168.56.0/24
-AllowedIPs = 192.168.57.0/24
AllowedIPs = 10.177.87.0/24
AllowedIPs = 10.84.139.0/24
#+END_SRC
# Gate
[Peer]
+EndPoint = 192.168.57.1:51820
PublicKey = y3cjFnvQbylmH4lGTujpqc8rusIElmJ4Gu9hh6iR7QI=
AllowedIPs = 10.84.139.1
AllowedIPs = 192.168.56.0/24
-AllowedIPs = 192.168.57.0/24
AllowedIPs = 10.177.87.0/24
AllowedIPs = 10.84.139.0/24
#+END_SRC
sub write_wg_client ($$$$$$) {
my ($file, $addr, $type, $pubkey, $endpt, $server_addr) = @_;
+
my $O = new IO::File;
+ open ($O, ">$file.tmp") or die "Could not open $file.tmp: $!\n";
+
my $DNS = ($type eq "android"
? "
-DNS = $core_addr\nDomain = $domain_priv"
+DNS = $core_addr
+Domain = $domain_priv"
: "
+PostUp = wg set %i private-key /etc/wireguard/private-key
PostUp = resolvectl dns %i $core_addr
PostUp = resolvectl domain %i $domain_priv");
- open ($O, ">$file.tmp") or die "Could not open $file.tmp: $!\n";
+
+ my $WILD = ($file eq "public.conf"
+ ? "
+AllowedIPs = $wild_net_cidr"
+ : "");
+
print $O "[Interface]
-Address = $addr
-PostUp = wg set %i private-key /etc/wireguard/private-key$DNS
+Address = $addr$DNS
[Peer]
PublicKey = $pubkey
EndPoint = $endpt
AllowedIPs = $server_addr
-AllowedIPs = $private_net_cidr
-AllowedIPs = $wild_net_cidr
+AllowedIPs = $private_net_cidr$WILD
AllowedIPs = $public_wg_net_cidr
AllowedIPs = $campus_wg_net_cidr\n";
close $O or die "Could not close $file.tmp: $!\n";
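Review bot: The new `$WILD` block decides whether `$wild_net_cidr` is routed through the tunnel by comparing `$file` with the literal `"public.conf"`, so any caller that passes a directory-qualified path would silently get a config without that AllowedIPs line. Because this controls which networks the client sends over WireGuard, I would match on the base name, or at least state the contract in a comment such as `# $file must be the bare file name; only public.conf routes $wild_net_cidr`. The relocated `open ($O, ">$file.tmp")` is still the two-argument form, where Perl parses the mode out of the interpolated string; `open ($O, ">", "$file.tmp")` keeps the file name from being interpreted as part of the mode. Both points also apply to the second copy of this hunk that follows, and the body of write_wg_client continues past the end of the hunk.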
sub write_wg_client ($$$$$$) {
my ($file, $addr, $type, $pubkey, $endpt, $server_addr) = @_;
+
my $O = new IO::File;
+ open ($O, ">$file.tmp") or die "Could not open $file.tmp: $!\n";
+
my $DNS = ($type eq "android"
? "
-DNS = $core_addr\nDomain = $domain_priv"
+DNS = $core_addr
+Domain = $domain_priv"
: "
+PostUp = wg set %i private-key /etc/wireguard/private-key
PostUp = resolvectl dns %i $core_addr
PostUp = resolvectl domain %i $domain_priv");
- open ($O, ">$file.tmp") or die "Could not open $file.tmp: $!\n";
+
+ my $WILD = ($file eq "public.conf"
+ ? "
+AllowedIPs = $wild_net_cidr"
+ : "");
+
print $O "[Interface]
-Address = $addr
-PostUp = wg set %i private-key /etc/wireguard/private-key$DNS
+Address = $addr$DNS
[Peer]
PublicKey = $pubkey
EndPoint = $endpt
AllowedIPs = $server_addr
-AllowedIPs = $private_net_cidr
-AllowedIPs = $wild_net_cidr
+AllowedIPs = $private_net_cidr$WILD
AllowedIPs = $public_wg_net_cidr
AllowedIPs = $campus_wg_net_cidr\n";
close $O or die "Could not close $file.tmp: $!\n";