From b161cdda538cff515eb9b167a6bb4702aa8a93b9 Mon Sep 17 00:00:00 2001
From: Matt Birkholz
Date: Sat, 28 Jun 2025 10:45:31 -0600
Subject: [PATCH] Include wild_net_cidr in client configs for the public VPN only.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Using the tunnel to get to the server would be a mistake. Also fixed the examples to follow suit, or just to get the IoT appliance's PrivateKey field "correct", looking like the WireGuard™ for Android GUI dialog.
---
 README.org | 30 +++++++++++++++++++-----------
 inst | 20 ++++++++++++++------
 2 files changed, 33 insertions(+), 17 deletions(-)

diff --git a/README.org b/README.org
index 85d20d2..c682817 100644
--- a/README.org
+++ b/README.org
@@ -2061,8 +2061,8 @@ PostUp = resolvectl dns %i 192.168.56.1
 PostUp = resolvectl domain %i small.private
 
 [Peer]
-PublicKey = S+6HaTnOwwhWgUGXjSBcPAvifKw+j8BDTRfq534gNW4=
 EndPoint = 192.168.15.5:39608
+PublicKey = S+6HaTnOwwhWgUGXjSBcPAvifKw+j8BDTRfq534gNW4=
 AllowedIPs = 10.177.87.1
 AllowedIPs = 192.168.56.0/24
 AllowedIPs = 192.168.57.0/24
@@ -4896,17 +4896,17 @@ The configuration used on ~thing~, the IoT appliance, looks like this:
 #+BEGIN_SRC conf
 [Interface]
 Address = 10.84.139.2
-PrivateKey = wg set %i private-key /etc/wireguard/private-key
+PrivateKey = 
+PublicKey = LdsCsgfjKCfd5+VKS+Q/dQhWO8NRNygByDO2VxbXlSQ=
 DNS = 192.168.56.1
 Domain = small.private
 
 # Gate
 [Peer]
-PublicKey = y3cjFnvQbylmH4lGTujpqc8rusIElmJ4Gu9hh6iR7QI=
 EndPoint = 192.168.57.1:51820
+PublicKey = y3cjFnvQbylmH4lGTujpqc8rusIElmJ4Gu9hh6iR7QI=
 AllowedIPs = 10.84.139.1
 AllowedIPs = 192.168.56.0/24
-AllowedIPs = 192.168.57.0/24
 AllowedIPs = 10.177.87.0/24
 AllowedIPs = 10.84.139.0/24
 #+END_SRC
@@ -4924,10 +4924,10 @@ PostUp = resolvectl domain wg0 small.private
 
 # Gate
 [Peer]
+EndPoint = 192.168.57.1:51820
 PublicKey = y3cjFnvQbylmH4lGTujpqc8rusIElmJ4Gu9hh6iR7QI=
 AllowedIPs = 10.84.139.1
 AllowedIPs = 192.168.56.0/24
-AllowedIPs = 192.168.57.0/24
 AllowedIPs = 10.177.87.0/24
 AllowedIPs = 10.84.139.0/24
 #+END_SRC
@@ -6524,24 +6524,32 @@ AllowedIPs = $ip\n"; sub write_wg_client ($$$$$$) { my ($file, $addr, $type, $pubkey, $endpt, $server_addr) = @_; + my $O = new IO::File; + open ($O, ">$file.tmp") or die "Could not open $file.tmp: $!\n"; + my $DNS = ($type eq "android" ? " -DNS = $core_addr\nDomain = $domain_priv" +DNS = $core_addr +Domain = $domain_priv" : " +PostUp = wg set %i private-key /etc/wireguard/private-key PostUp = resolvectl dns %i $core_addr PostUp = resolvectl domain %i $domain_priv"); - open ($O, ">$file.tmp") or die "Could not open $file.tmp: $!\n"; + + my $WILD = ($file eq "public.conf" + ? " +AllowedIPs = $wild_net_cidr" + : ""); + print $O "[Interface] -Address = $addr -PostUp = wg set %i private-key /etc/wireguard/private-key$DNS +Address = $addr$DNS [Peer] PublicKey = $pubkey EndPoint = $endpt AllowedIPs = $server_addr -AllowedIPs = $private_net_cidr -AllowedIPs = $wild_net_cidr +AllowedIPs = $private_net_cidr$WILD AllowedIPs = $public_wg_net_cidr AllowedIPs = $campus_wg_net_cidr\n"; close $O or die "Could not close $file.tmp: $!\n";
diff --git a/inst b/inst
index 172f501..458a7ef 100755
--- a/inst
+++ b/inst
@@ -483,24 +483,32 @@ AllowedIPs = $ip\n"; sub write_wg_client ($$$$$$) { my ($file, $addr, $type, $pubkey, $endpt, $server_addr) = @_; + my $O = new IO::File; + open ($O, ">$file.tmp") or die "Could not open $file.tmp: $!\n"; + my $DNS = ($type eq "android" ? " -DNS = $core_addr\nDomain = $domain_priv" +DNS = $core_addr +Domain = $domain_priv" : " +PostUp = wg set %i private-key /etc/wireguard/private-key PostUp = resolvectl dns %i $core_addr PostUp = resolvectl domain %i $domain_priv"); - open ($O, ">$file.tmp") or die "Could not open $file.tmp: $!\n"; + + my $WILD = ($file eq "public.conf" + ? " +AllowedIPs = $wild_net_cidr" + : ""); + print $O "[Interface] -Address = $addr -PostUp = wg set %i private-key /etc/wireguard/private-key$DNS +Address = $addr$DNS [Peer] PublicKey = $pubkey EndPoint = $endpt AllowedIPs = $server_addr -AllowedIPs = $private_net_cidr -AllowedIPs = $wild_net_cidr +AllowedIPs = $private_net_cidr$WILD AllowedIPs = $public_wg_net_cidr AllowedIPs = $campus_wg_net_cidr\n"; close $O or die "Could not close $file.tmp: $!\n";
-- 
2.25.1
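Review bot: The relocated `open ($O, ">$file.tmp")` is still the two-argument form, so the mode is parsed out of the interpolated string and a `$file` value beginning with `>`, `|` or whitespace would change what the call does instead of failing; the `my $O = new IO::File;` added just above it is also indirect-object syntax that a lexical handle makes unnecessary. Both added lines can collapse into the single three-argument form `open (my $O, '>', "$file.tmp") or die "Could not open $file.tmp: $!\n";`. The new `$file eq "public.conf"` test makes a routing decision — whether `$wild_net_cidr` is pushed into the peer's AllowedIPs — depend on the exact basename, so a caller passing a path or a differently named file would get a public config without that route; if the callers (outside the hunk) cannot change, a comment such as `# $wild_net_cidr is routed only for the public VPN; callers pass the bare basename` records the contract, otherwise a dedicated flag parameter would be sturdier than the filename. The README.org hunk at @@ -6524 carries the same lines and, as it appears to be the literate source of this file, needs the same edit.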