Added role native-wireguard-behind-firewall

roles/native-wireguard-behind-firewall/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+- native-wireguard

roles/native-wireguard-behind-firewall/readme.md

@@ -0,0 +1,4 @@
+# native-wireguard-behind-nat
+
+# see 
+- https://gist.github.com/insdavm/b1034635ab23b8839bf957aa406b5e39

roles/native-wireguard-behind-firewall/tasks/main.yml

@@ -0,0 +1,2 @@
+- name: adapt iptable rules
+  shell: iptables -A FORWARD -i wg0-client -j ACCEPT && iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

roles/native-wireguard/README.md

@@ -6,5 +6,5 @@ Manages wireguard natively on host. More information are available in the [Arch
 wg genkey | tee peer_A.key | wg pubkey > peer_A.pub
 ``
 
-# chown root:systemd-network /etc/systemd/network/99-*.netdev
-# chmod 0640 /etc/systemd/network/99-*.netdev
+chown root:systemd-network /etc/systemd/network/99-*.netdev
+chmod 0640 /etc/systemd/network/99-*.netdev

roles/native-wireguard/tasks/main.yml

@@ -8,3 +8,9 @@
     owner: root
     group: root
   notify: restart wireguard
+
+- name: enable ipv4-forwarding
+  shell: sysctl net.ipv4.ip_forward=1
+
+- name: enable ipv6-forwarding
+  shell: sysctl net.ipv6.conf.all.forwarding=1

site.yml

@@ -7,11 +7,16 @@
     - system-update
     - native-journalctl
     - native-hostname
-- name: setup wireguard hosts
+- name: setup standard wireguard hosts
   hosts: wireguard_hosts
   become: true
   roles:
     - native-wireguard
+- name: setup wireguard hosts behind firewall\nat
+  hosts: wireguard_behind_firewall_hosts
+  become: true
+  roles:
+    - native-wireguard-behind-firewall
 - name: setup primary backup hosts
   hosts: primary_backup_hosts
   become: true