Update home_site.conf

home_site.conf

@@ -1,36 +1,40 @@
 [Interface]
-Address = 172.24.0.{SITE_ID}/32
+Address = 172.24.0.{{SITE_ID}}/32
-PrivateKey = {LOCAL_PRIVATE_KEY}
+PrivateKey = {{LOCAL_PRIVATE_KEY}}
 ListenPort = 51820
 Table = off
 
-# --- 1. Global VPN Interface ---
+# --- 1. MESH FOUNDATION (Must come first) ---
-PostUp = ip addr add 10.{SITE_ID}.0.1/16 dev %i
+# Add the local site management IP
-
+PostUp = ip addr add 10.{{SITE_ID}}.0.1/16 dev %i
-# --- 2. THE SHADOW MAP (10.x.168.x -> 192.168.1.x) ---
+# Create the route to the mesh so the kernel recognizes the gateways in step 2
-# Map INCOMING mesh traffic (10.x.168.x) to physical LAN (192.168.1.x)
-PostUp = iptables -t nat -A PREROUTING -i %i -d 10.{SITE_ID}.168.0/24 -j NETMAP --to 192.168.1.0/24
-# Map OUTGOING LAN traffic back to its "Shadow IP" so the return path works
-PostUp = iptables -t nat -A POSTROUTING -o %i -s 192.168.1.0/24 -j NETMAP --to 10.{SITE_ID}.168.0/24
-# Force the kernel to treat this shadow range as local
-PostUp = ip route add local 10.{SITE_ID}.168.0/24 dev lo
-
-# --- 3. LAN To Mesh Access ---
-# Masquerade outbound LAN traffic headed to the 10.0.0.0/8 mesh
-PostUp = iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o %i -j MASQUERADE
-
-# --- 4. Policy Based Routing (Exits) ---
-PostUp = ip route add default via 10.5.0.1 dev %i table offshore
-PostUp = ip route add default via 172.24.0.1 dev %i table us_vps
-# Safety: Don't route local LAN traffic through the offshore/US tunnels
-PostUp = ip route add 192.168.1.0/24 dev eth0 table offshore
-PostUp = ip route add 192.168.1.0/24 dev eth0 table us_vps
-
-# --- 5. Mesh Routing ---
 PostUp = ip route add 10.0.0.0/8 dev %i
 PostUp = ip route add 172.24.0.0/13 dev %i
 
-# --- 6. Kernel Hardening for Routing ---
+# --- 2. POLICY BASED ROUTING (Exits) ---
+# Define the Offshore and US exits using the mesh IPs as gateways
+PostUp = ip route add default via 10.5.0.1 dev %i table offshore
+PostUp = ip route add default via 172.24.0.1 dev %i table us_vps
+
+# Assign specific device ranges to exits
+# Phones (10.x.254.x) go Offshore
+PostUp = ip rule add from 10.{{SITE_ID}}.254.0/24 lookup offshore
+# Laptops/Admins (10.x.253.x) go US Hub
+PostUp = ip rule add from 10.{{SITE_ID}}.253.0/24 lookup us_vps
+
+# --- 3. LOCAL LAN & SHADOW MAP ---
+# Keep local physical traffic local for the custom tables
+PostUp = ip route add 192.168.1.0/24 dev eth0 table offshore
+PostUp = ip route add 192.168.1.0/24 dev eth0 table us_vps
+
+# NETMAP: Shadow network (10.x.168.x) to physical LAN (192.168.1.x)
+PostUp = iptables -t nat -A PREROUTING -i %i -d 10.{{SITE_ID}}.168.0/24 -j NETMAP --to 192.168.1.0/24
+PostUp = iptables -t nat -A POSTROUTING -o %i -s 192.168.1.0/24 -j NETMAP --to 10.{{SITE_ID}}.168.0/24
+PostUp = ip route add local 10.{{SITE_ID}}.168.0/24 dev lo
+
+# --- 4. NAT & FORWARDING ---
+# Allow the local LAN to reach the VPN mesh
+PostUp = iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o %i -j MASQUERADE
 PostUp = sysctl -w net.ipv4.ip_forward=1
 PostUp = sysctl -w net.ipv4.conf.all.rp_filter=0
 PostUp = sysctl -w net.ipv4.conf.eth0.rp_filter=0
@@ -41,8 +45,7 @@ PostUp = sysctl -w net.ipv4.conf.%i.rp_filter=0
 # Site 10.1: The Hub / US Exit Node
 [Peer]
 PublicKey = QZCvR3N1CdUabC2xWfc1lmYKHfSiXYs1UoVINIMftws=
-Endpoint = {HUB_PUBLIC_IP}:51820
+Endpoint = gg-si1.wgnode.com:51820
-# AllowedIPs covers the whole mesh + everything else for the exit tables
 AllowedIPs = 172.24.0.0/16, 10.0.0.0/8, 0.0.0.0/0
 PersistentKeepalive = 25
 
@@ -50,4 +53,5 @@ PersistentKeepalive = 25
 [Peer]
 PublicKey = UoKnYszqcFl9ByfKmCS+sOTnVGjQ3II9ApuG/F+LuAk=
 Endpoint = nl.wgnode.com:51871
-AllowedIPs = 172.24.0.5/32, 10.5.0.0/16, 0.0.0.0/0
+AllowedIPs = 172.24.0.5/32, 10.5.0.0/16, 0.0.0.0/0
+PersistentKeepalive = 25