Add home_site.conf
This commit is contained in:
53
home_site.conf
Normal file
53
home_site.conf
Normal file
@@ -0,0 +1,53 @@
|
|||||||
|
[Interface]
|
||||||
|
Address = 172.24.0.{SITE_ID}/32
|
||||||
|
PrivateKey = {LOCAL_PRIVATE_KEY}
|
||||||
|
ListenPort = 51820
|
||||||
|
Table = off
|
||||||
|
|
||||||
|
# --- 1. Global VPN Interface ---
|
||||||
|
PostUp = ip addr add 10.{SITE_ID}.0.1/16 dev %i
|
||||||
|
|
||||||
|
# --- 2. THE SHADOW MAP (10.x.168.x -> 192.168.1.x) ---
|
||||||
|
# Map INCOMING mesh traffic (10.x.168.x) to physical LAN (192.168.1.x)
|
||||||
|
PostUp = iptables -t nat -A PREROUTING -i %i -d 10.{SITE_ID}.168.0/24 -j NETMAP --to 192.168.1.0/24
|
||||||
|
# Map OUTGOING LAN traffic back to its "Shadow IP" so the return path works
|
||||||
|
PostUp = iptables -t nat -A POSTROUTING -o %i -s 192.168.1.0/24 -j NETMAP --to 10.{SITE_ID}.168.0/24
|
||||||
|
# Force the kernel to treat this shadow range as local
|
||||||
|
PostUp = ip route add local 10.{SITE_ID}.168.0/24 dev lo
|
||||||
|
|
||||||
|
# --- 3. LAN To Mesh Access ---
|
||||||
|
# Masquerade outbound LAN traffic headed to the 10.0.0.0/8 mesh
|
||||||
|
PostUp = iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o %i -j MASQUERADE
|
||||||
|
|
||||||
|
# --- 4. Policy Based Routing (Exits) ---
|
||||||
|
PostUp = ip route add default via 10.5.0.1 dev %i table offshore
|
||||||
|
PostUp = ip route add default via 172.24.0.1 dev %i table us_vps
|
||||||
|
# Safety: Don't route local LAN traffic through the offshore/US tunnels
|
||||||
|
PostUp = ip route add 192.168.1.0/24 dev eth0 table offshore
|
||||||
|
PostUp = ip route add 192.168.1.0/24 dev eth0 table us_vps
|
||||||
|
|
||||||
|
# --- 5. Mesh Routing ---
|
||||||
|
PostUp = ip route add 10.0.0.0/8 dev %i
|
||||||
|
PostUp = ip route add 172.24.0.0/13 dev %i
|
||||||
|
|
||||||
|
# --- 6. Kernel Hardening for Routing ---
|
||||||
|
PostUp = sysctl -w net.ipv4.ip_forward=1
|
||||||
|
PostUp = sysctl -w net.ipv4.conf.all.rp_filter=0
|
||||||
|
PostUp = sysctl -w net.ipv4.conf.eth0.rp_filter=0
|
||||||
|
PostUp = sysctl -w net.ipv4.conf.%i.rp_filter=0
|
||||||
|
|
||||||
|
# --- PEERS ---
|
||||||
|
|
||||||
|
# Site 10.1: The Hub / US Exit Node
|
||||||
|
[Peer]
|
||||||
|
PublicKey = QZCvR3N1CdUabC2xWfc1lmYKHfSiXYs1UoVINIMftws=
|
||||||
|
Endpoint = {HUB_PUBLIC_IP}:51820
|
||||||
|
# AllowedIPs covers the whole mesh + everything else for the exit tables
|
||||||
|
AllowedIPs = 172.24.0.0/16, 10.0.0.0/8, 0.0.0.0/0
|
||||||
|
PersistentKeepalive = 25
|
||||||
|
|
||||||
|
# Site 10.5: Netherlands (Offshore Exit)
|
||||||
|
[Peer]
|
||||||
|
PublicKey = UoKnYszqcFl9ByfKmCS+sOTnVGjQ3II9ApuG/F+LuAk=
|
||||||
|
Endpoint = nl.wgnode.com:51871
|
||||||
|
AllowedIPs = 172.24.0.5/32, 10.5.0.0/16, 0.0.0.0/0
|
||||||
Reference in New Issue
Block a user