From a273f6752f72f6931c12144e2dc8e67b2ad6f0e7 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Mon, 11 Jan 2021 18:51:44 +0100
Subject: [PATCH] Added role native-wireguard-behind-firewall
---
 roles/native-wireguard-behind-firewall/meta/main.yml | 2 ++
 roles/native-wireguard-behind-firewall/readme.md | 4 ++++
 roles/native-wireguard-behind-firewall/tasks/main.yml | 2 ++
 roles/native-wireguard/README.md | 4 ++--
 roles/native-wireguard/tasks/main.yml | 6 ++++++
 site.yml | 7 ++++++-
 6 files changed, 22 insertions(+), 3 deletions(-)
 create mode 100644 roles/native-wireguard-behind-firewall/meta/main.yml
 create mode 100644 roles/native-wireguard-behind-firewall/readme.md
 create mode 100644 roles/native-wireguard-behind-firewall/tasks/main.yml
diff --git a/roles/native-wireguard-behind-firewall/meta/main.yml b/roles/native-wireguard-behind-firewall/meta/main.yml
new file mode 100644
index 00000000..a40e71bb
--- /dev/null
+++ b/roles/native-wireguard-behind-firewall/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+- native-wireguard
diff --git a/roles/native-wireguard-behind-firewall/readme.md b/roles/native-wireguard-behind-firewall/readme.md
new file mode 100644
index 00000000..5e39ad3d
--- /dev/null
+++ b/roles/native-wireguard-behind-firewall/readme.md
@@ -0,0 +1,4 @@
+# native-wireguard-behind-nat
+
+# see
+- https://gist.github.com/insdavm/b1034635ab23b8839bf957aa406b5e39
diff --git a/roles/native-wireguard-behind-firewall/tasks/main.yml b/roles/native-wireguard-behind-firewall/tasks/main.yml
new file mode 100644
index 00000000..d83a76a6
--- /dev/null
+++ b/roles/native-wireguard-behind-firewall/tasks/main.yml
@@ -0,0 +1,2 @@
+- name: adapt iptable rules
+ shell: iptables -A FORWARD -i wg0-client -j ACCEPT && iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
diff --git a/roles/native-wireguard/README.md b/roles/native-wireguard/README.md
index 25c72e8b..15a2fd57 100644
--- a/roles/native-wireguard/README.md
+++ b/roles/native-wireguard/README.md
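Review bot: `shell: iptables -A FORWARD ... && iptables -t nat -A POSTROUTING ...` appends both rules again on every play run, so the FORWARD and POSTROUTING chains accumulate duplicate entries and the task can never report as unchanged; the hunk is the whole new tasks/main.yml of native-wireguard-behind-firewall. The interface names `wg0-client` and `eth0` are hard-coded, so on a host whose uplink is not `eth0` the masquerade rule matches nothing, and neither the shell command nor a module call persists the rules across a reboot, which needs a separate save step. The `iptables` module expresses the same two rules with `state: present`, which checks for an existing match before inserting, and lets the interface names move into role variables. If the host's FORWARD policy is DROP, reply traffic toward `wg0-client` presumably also needs an ESTABLISHED,RELATED accept rule — confirm against the target's ruleset.
```yaml
- name: allow forwarding of traffic arriving on the wireguard client interface
  iptables:
    chain: FORWARD
    in_interface: wg0-client
    jump: ACCEPT
    state: present

- name: masquerade forwarded traffic leaving via the uplink interface
  iptables:
    table: nat
    chain: POSTROUTING
    out_interface: eth0
    jump: MASQUERADE
    state: present
```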
@@ -6,5 +6,5 @@ Manages wireguard natively on host. More information are available in the [Arch
 wg genkey | tee peer_A.key | wg pubkey > peer_A.pub
 ``
-# chown root:systemd-network /etc/systemd/network/99-*.netdev
-# chmod 0640 /etc/systemd/network/99-*.netdev
+chown root:systemd-network /etc/systemd/network/99-*.netdev
+chmod 0640 /etc/systemd/network/99-*.netdev
diff --git a/roles/native-wireguard/tasks/main.yml b/roles/native-wireguard/tasks/main.yml
index 3b60e7e8..0748ed3e 100644
--- a/roles/native-wireguard/tasks/main.yml
+++ b/roles/native-wireguard/tasks/main.yml
@@ -8,3 +8,9 @@
 owner: root
 group: root
 notify: restart wireguard
+
+- name: enable ipv4-forwarding
+ shell: sysctl net.ipv4.ip_forward=1
+
+- name: enable ipv6-forwarding
+ shell: sysctl net.ipv6.conf.all.forwarding=1
diff --git a/site.yml b/site.yml
index 0415c121..d54fa1f6 100644
--- a/site.yml
+++ b/site.yml
@@ -7,11 +7,16 @@
 - system-update
 - native-journalctl
 - native-hostname
-- name: setup wireguard hosts
+- name: setup standard wireguard hosts
 hosts: wireguard_hosts
 become: true
 roles:
 - native-wireguard
+- name: setup wireguard hosts behind firewall\nat
+ hosts: wireguard_behind_firewall_hosts
+ become: true
+ roles:
+ - native-wireguard-behind-firewall
 - name: setup primary backup hosts
 hosts: primary_backup_hosts
 become: true
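Review bot: `shell: sysctl net.ipv4.ip_forward=1` (and the ipv6 counterpart four lines below) only changes the running kernel value, so forwarding is lost at the next reboot and the task reports changed on every run. The `sysctl` module with `sysctl_set: true` and `state: present` applies the value and records it in the sysctl configuration idempotently; write `value: "1"` quoted so the scalar stays a string. `net.ipv6.conf.all.forwarding=1` enables forwarding on every IPv6 interface of the host rather than only the wireguard one, which deserves a task comment since the role otherwise touches only the wireguard netdev. The hunk's context lines belong to a task whose `- name` is outside the hunk.
```yaml
# … unchanged: netdev file task ending with `notify: restart wireguard` …

- name: enable ipv4-forwarding
  sysctl:
    name: net.ipv4.ip_forward
    value: "1"
    sysctl_set: true
    state: present

# NOTE: this enables forwarding on all IPv6 interfaces, not just wg0
- name: enable ipv6-forwarding
  sysctl:
    name: net.ipv6.conf.all.forwarding
    value: "1"
    sysctl_set: true
    state: present
```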
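Review bot: The added play name `setup wireguard hosts behind firewall\nat` keeps the backslash literally, because a YAML plain scalar performs no escape processing, so ansible-playbook prints the play as `PLAY [setup wireguard hosts behind firewall\nat]`; presumably `firewall/nat` was meant: `- name: setup wireguard hosts behind firewall/nat`. The new play otherwise mirrors the `wireguard_hosts` play with a different group and role, which is consistent with the new role declaring `native-wireguard` as its dependency in meta/main.yml. The hunk opens inside a play whose `- name` and `hosts` lines are outside the hunk.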