From 1acd56de28c8d4ea23a1369ad697b49e3f4a8093 Mon Sep 17 00:00:00 2001
From: William Mantly
Date: Wed, 18 Feb 2026 22:47:57 +0000
Subject: [PATCH] Update home_site.conf
---
home_site.conf | 62 +++++++++++++++++++++++++++-----------------------
1 file changed, 33 insertions(+), 29 deletions(-)
diff --git a/home_site.conf b/home_site.conf
index 16fcc7e..d3f1e61 100644
--- a/home_site.conf
+++ b/home_site.conf
@@ -1,36 +1,40 @@
 [Interface]
-Address = 172.24.0.{SITE_ID}/32
-PrivateKey = {LOCAL_PRIVATE_KEY}
+Address = 172.24.0.{{SITE_ID}}/32
+PrivateKey = {{LOCAL_PRIVATE_KEY}}
 ListenPort = 51820
 Table = off
-# --- 1. Global VPN Interface ---
-PostUp = ip addr add 10.{SITE_ID}.0.1/16 dev %i
-
-# --- 2. THE SHADOW MAP (10.x.168.x -> 192.168.1.x) ---
-# Map INCOMING mesh traffic (10.x.168.x) to physical LAN (192.168.1.x)
-PostUp = iptables -t nat -A PREROUTING -i %i -d 10.{SITE_ID}.168.0/24 -j NETMAP --to 192.168.1.0/24
-# Map OUTGOING LAN traffic back to its "Shadow IP" so the return path works
-PostUp = iptables -t nat -A POSTROUTING -o %i -s 192.168.1.0/24 -j NETMAP --to 10.{SITE_ID}.168.0/24
-# Force the kernel to treat this shadow range as local
-PostUp = ip route add local 10.{SITE_ID}.168.0/24 dev lo
-
-# --- 3. LAN To Mesh Access ---
-# Masquerade outbound LAN traffic headed to the 10.0.0.0/8 mesh
-PostUp = iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o %i -j MASQUERADE
-
-# --- 4. Policy Based Routing (Exits) ---
-PostUp = ip route add default via 10.5.0.1 dev %i table offshore
-PostUp = ip route add default via 172.24.0.1 dev %i table us_vps
-# Safety: Don't route local LAN traffic through the offshore/US tunnels
-PostUp = ip route add 192.168.1.0/24 dev eth0 table offshore
-PostUp = ip route add 192.168.1.0/24 dev eth0 table us_vps
-
-# --- 5. Mesh Routing ---
+# --- 1. MESH FOUNDATION (Must come first) ---
+# Add the local site management IP
+PostUp = ip addr add 10.{{SITE_ID}}.0.1/16 dev %i
+# Create the route to the mesh so the kernel recognizes the gateways in step 2
 PostUp = ip route add 10.0.0.0/8 dev %i
 PostUp = ip route add 172.24.0.0/13 dev %i
-# --- 6. Kernel Hardening for Routing ---
+# --- 2. POLICY BASED ROUTING (Exits) ---
+# Define the Offshore and US exits using the mesh IPs as gateways
+PostUp = ip route add default via 10.5.0.1 dev %i table offshore
+PostUp = ip route add default via 172.24.0.1 dev %i table us_vps
+
+# Assign specific device ranges to exits
+# Phones (10.x.254.x) go Offshore
+PostUp = ip rule add from 10.{{SITE_ID}}.254.0/24 lookup offshore
+# Laptops/Admins (10.x.253.x) go US Hub
+PostUp = ip rule add from 10.{{SITE_ID}}.253.0/24 lookup us_vps
+
+# --- 3. LOCAL LAN & SHADOW MAP ---
+# Keep local physical traffic local for the custom tables
+PostUp = ip route add 192.168.1.0/24 dev eth0 table offshore
+PostUp = ip route add 192.168.1.0/24 dev eth0 table us_vps
+
+# NETMAP: Shadow network (10.x.168.x) to physical LAN (192.168.1.x)
+PostUp = iptables -t nat -A PREROUTING -i %i -d 10.{{SITE_ID}}.168.0/24 -j NETMAP --to 192.168.1.0/24
+PostUp = iptables -t nat -A POSTROUTING -o %i -s 192.168.1.0/24 -j NETMAP --to 10.{{SITE_ID}}.168.0/24
+PostUp = ip route add local 10.{{SITE_ID}}.168.0/24 dev lo
+
+# --- 4. NAT & FORWARDING ---
+# Allow the local LAN to reach the VPN mesh
+PostUp = iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o %i -j MASQUERADE
 PostUp = sysctl -w net.ipv4.ip_forward=1
 PostUp = sysctl -w net.ipv4.conf.all.rp_filter=0
 PostUp = sysctl -w net.ipv4.conf.eth0.rp_filter=0
@@ -41,8 +45,7 @@ PostUp = sysctl -w net.ipv4.conf.%i.rp_filter=0
 # Site 10.1: The Hub / US Exit Node
 [Peer]
 PublicKey = QZCvR3N1CdUabC2xWfc1lmYKHfSiXYs1UoVINIMftws=
-Endpoint = {HUB_PUBLIC_IP}:51820
-# AllowedIPs covers the whole mesh + everything else for the exit tables
+Endpoint = gg-si1.wgnode.com:51820
 AllowedIPs = 172.24.0.0/16, 10.0.0.0/8, 0.0.0.0/0
 PersistentKeepalive = 25
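Review bot: The `ip rule add from 10.{{SITE_ID}}.254.0/24 lookup offshore` and `... lookup us_vps` lines in step 2 cannot by themselves send traffic to two different exit peers, because both tables route `default ... dev %i` and WireGuard chooses the peer from its cryptokey routing table (AllowedIPs), not from the `via` gateway. Both peers carry `0.0.0.0/0` in AllowedIPs (context lines in hunks 2 and 3), and as far as I know a prefix can belong to only one peer per interface, so whichever peer is applied last owns the default for both tables and the offshore/US split the comments describe does not happen for Internet-bound traffic. If two distinct exits are intended they need separate WireGuard interfaces or disjoint AllowedIPs; at minimum I'd add above the step-2 routes `# NOTE: the exit peer is selected by WireGuard AllowedIPs, not by the gateway below`. Separately, the new `ip rule add` entries and the `-A` iptables rules have no PostDown counterparts in this hunk, so they accumulate across restarts unless something outside the hunk removes them. The [Interface] section continues past the hunk (hunk 2's header shows a further `PostUp = sysctl -w net.ipv4.conf.%i.rp_filter=0`).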
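Review bot: The hub peer's `AllowedIPs = 172.24.0.0/16, 10.0.0.0/8, 0.0.0.0/0` is left with no explanation of its catch-all `0.0.0.0/0` once the comment above it is dropped; I'd keep `# AllowedIPs covers the whole mesh + everything else for the exit tables` or fold it into the `# Site 10.1` header line. The new `Endpoint = gg-si1.wgnode.com:51820` also departs from the templating this same commit adopts in hunk 1, where `Address` and `PrivateKey` move to `{{SITE_ID}}` and `{{LOCAL_PRIVATE_KEY}}` while `{HUB_PUBLIC_IP}` becomes a literal hostname; if the hub is meant to be fixed for every site that is fine, otherwise `Endpoint = {{HUB_PUBLIC_IP}}:51820` would be the consistent form.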
@@ -50,4 +53,5 @@ PersistentKeepalive = 25
 [Peer]
 PublicKey = UoKnYszqcFl9ByfKmCS+sOTnVGjQ3II9ApuG/F+LuAk=
 Endpoint = nl.wgnode.com:51871
-AllowedIPs = 172.24.0.5/32, 10.5.0.0/16, 0.0.0.0/0
\ No newline at end of file
+AllowedIPs = 172.24.0.5/32, 10.5.0.0/16, 0.0.0.0/0
+PersistentKeepalive = 25
\ No newline at end of file