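# WireGuard site configuration template, consumed by wg-quick(8).
# {{SITE_ID}} and {{LOCAL_PRIVATE_KEY}} are template placeholders substituted at
# deploy time; wg-quick itself only expands %i (the interface name) inside hooks.
# The rendered file contains the private key: keep it root-only (mode 0600).
# The routing tables "offshore" and "us_vps" are referenced by name below and
# must be declared in /etc/iproute2/rt_tables on the host.
# Comment marker is # on full lines only (wg-quick strips from the first # on a line,
# so never put # inside a value).
[Interface]
Address = 172.24.0.{{SITE_ID}}/32
PrivateKey = {{LOCAL_PRIVATE_KEY}}
ListenPort = 51820
# Table = off: wg-quick installs no routes from AllowedIPs; all routing is set up
# explicitly by the PostUp hooks and torn down by the PostDown hooks.
Table = off

# --- 1. MESH FOUNDATION (Must come first) ---
# Add the local site management IP
PostUp = ip addr add 10.{{SITE_ID}}.0.1/16 dev %i
# Create the route to the mesh so the kernel recognizes the gateways in step 2
PostUp = ip route add 10.0.0.0/8 dev %i
PostUp = ip route add 172.24.0.0/13 dev %i

# --- 2. POLICY BASED ROUTING (Exits) ---
# Define the Offshore and US exits using the mesh IPs as gateways.
# NOTE: on a WireGuard interface the "via" gateway does not choose the peer;
# the kernel picks the peer whose AllowedIPs covers the packet's destination.
# Both peers below list 0.0.0.0/0, and WireGuard keeps a prefix on only the
# peer configured last, so non-mesh traffic from the us_vps table will still be
# sent to whichever peer ends up owning 0.0.0.0/0 (see the PEERS section).
PostUp = ip route add default via 10.5.0.1 dev %i table offshore
PostUp = ip route add default via 172.24.0.1 dev %i table us_vps
# Assign specific device ranges to exits
# Phones (10.x.254.x) go Offshore
PostUp = ip rule add from 10.{{SITE_ID}}.254.0/24 lookup offshore
# Laptops/Admins (10.x.253.x) go US Hub
PostUp = ip rule add from 10.{{SITE_ID}}.253.0/24 lookup us_vps

# --- 3. LOCAL LAN & SHADOW MAP ---
# Keep local physical traffic local for the custom tables
PostUp = ip route add 192.168.1.0/24 dev eth0 table offshore
PostUp = ip route add 192.168.1.0/24 dev eth0 table us_vps
# NETMAP: Shadow network (10.x.168.x) to physical LAN (192.168.1.x)
PostUp = iptables -t nat -A PREROUTING -i %i -d 10.{{SITE_ID}}.168.0/24 -j NETMAP --to 192.168.1.0/24
PostUp = iptables -t nat -A POSTROUTING -o %i -s 192.168.1.0/24 -j NETMAP --to 10.{{SITE_ID}}.168.0/24
PostUp = ip route add local 10.{{SITE_ID}}.168.0/24 dev lo

# --- 4. NAT & FORWARDING ---
# Allow the local LAN to reach the VPN mesh.
# NOTE: the NETMAP POSTROUTING rule in step 3 matches the same -s/-o pair first
# and is terminating, so this MASQUERADE only applies to LAN traffic that was
# not already NETMAPped. Confirm that is the intended fallback.
PostUp = iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o %i -j MASQUERADE
# Forwarding is enabled here but this file adds no FORWARD-chain filtering;
# restrict what the LAN and the mesh may reach in the host firewall.
PostUp = sysctl -w net.ipv4.ip_forward=1
# rp_filter=0 disables reverse-path (source-spoofing) checks. It is needed
# because NETMAP plus the per-source tables above create asymmetric paths.
# The kernel applies the higher of conf.all and the per-interface value, so
# each interface is set explicitly. Loose mode (2) keeps some protection and
# may be sufficient; verify the NETMAP/policy paths still work before tightening.
PostUp = sysctl -w net.ipv4.conf.all.rp_filter=0
PostUp = sysctl -w net.ipv4.conf.eth0.rp_filter=0
PostUp = sysctl -w net.ipv4.conf.%i.rp_filter=0

# --- 5. TEARDOWN ---
# PostDown runs after the interface has been deleted, so addresses and routes
# on %i are already gone. Rules, the lo/eth0 table routes and the iptables
# entries are not tied to the interface and would otherwise accumulate on every
# up/down cycle (ip rule add and iptables -A both append duplicates).
# The sysctl changes are not reverted here because the prior values are not
# known to this file; restore them from the host's sysctl.d defaults if needed.
PostDown = ip rule del from 10.{{SITE_ID}}.254.0/24 lookup offshore
PostDown = ip rule del from 10.{{SITE_ID}}.253.0/24 lookup us_vps
PostDown = ip route del 192.168.1.0/24 dev eth0 table offshore
PostDown = ip route del 192.168.1.0/24 dev eth0 table us_vps
PostDown = ip route del local 10.{{SITE_ID}}.168.0/24 dev lo
PostDown = iptables -t nat -D PREROUTING -i %i -d 10.{{SITE_ID}}.168.0/24 -j NETMAP --to 192.168.1.0/24
PostDown = iptables -t nat -D POSTROUTING -o %i -s 192.168.1.0/24 -j NETMAP --to 10.{{SITE_ID}}.168.0/24
PostDown = iptables -t nat -D POSTROUTING -s 192.168.1.0/24 -o %i -j MASQUERADE

# --- PEERS ---
# Peers are applied in file order. A prefix listed in AllowedIPs of more than
# one peer is kept only on the last peer that lists it, so with both peers
# claiming 0.0.0.0/0 the Netherlands peer owns the default route and the hub
# receives only its more specific prefixes. If the US hub is meant to be a
# real exit, it needs its own WireGuard interface (one 0.0.0.0/0 owner per
# interface) rather than a second table on this one.

# Site 10.1: The Hub / US Exit Node
[Peer]
PublicKey = QZCvR3N1CdUabC2xWfc1lmYKHfSiXYs1UoVINIMftws=
Endpoint = gg-si1.wgnode.com:51820
AllowedIPs = 172.24.0.0/16, 10.0.0.0/8, 0.0.0.0/0
PersistentKeepalive = 25

# Site 10.5: Netherlands (Offshore Exit)
[Peer]
PublicKey = UoKnYszqcFl9ByfKmCS+sOTnVGjQ3II9ApuG/F+LuAk=
Endpoint = nl.wgnode.com:51871
AllowedIPs = 172.24.0.5/32, 10.5.0.0/16, 0.0.0.0/0
PersistentKeepalive = 25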