Configure additional peers
provokateurin opened this issue
In my use case some peers share a network (I'll call it "local network") and another peer is outside of that network. The outside peer is accessible from the peers in the local network, but not the other way around. This ansible role already works for that use case, but I'd like to configure additional peers so that the traffic inside the local network isn't sent to the outside peer but directly inside the local network to the other peers.
TBH I don't completely get your use case, but this sounds like you need a firewall somewhere in between. At least this is what I'd do. You can use the wireguard_preup hook of this playbook together with ufw (if you're on Ubuntu), e.g.:
wireguard_preup:
- ufw deny from 10.0.0.0/8
This can be set per host. Never tried it myself but should work.
I don't want to block anything, but configure extra peers that only work on a physical local network level.
Well, I guess that's a network design question and not really related to this role. Maybe it makes sense to have two WireGuard networks so to say. One for internal traffic and one for the "outside" traffic. But I guess you still need some firewall rules in place as WireGuard connections are normally bidirectional by default. So once traffic is allowed to flow from inside to the outside it also works the other way round.
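Added example, not code from the issue, the role or its author: one way to get "direct inside the LAN, via the public address otherwise" with a single WireGuard network is to keep one key per peer and render a different Endpoint per host, since a [Peer] block can only carry one Endpoint. The topology, addresses, key placeholders and the extra routed network behind the outside peer are all assumptions made up for the illustration. The small `route_peer` helper mimics WireGuard's cryptokey routing (longest-prefix match over all peers' AllowedIPs) so you can check where a packet would go before deploying.

```python
import ipaddress

# Constructed example topology (assumption, not taken from the issue):
# "alpha" and "beta" share a LAN (192.0.2.0/24) and can reach "outside"
# on its public address; "outside" cannot initiate connections to them.
# Keys are placeholders; "outside" additionally routes 198.51.100.0/24.
TUNNEL_NET = ipaddress.ip_network("10.8.0.0/24")
PEERS = {
    "alpha":   {"tunnel_ip": "10.8.0.1",   "lan": "192.0.2.11:51820", "public": None,
                "routes": [], "pubkey": "ALPHA_PUBKEY_PLACEHOLDER"},
    "beta":    {"tunnel_ip": "10.8.0.2",   "lan": "192.0.2.12:51820", "public": None,
                "routes": [], "pubkey": "BETA_PUBKEY_PLACEHOLDER"},
    "outside": {"tunnel_ip": "10.8.0.254", "lan": None, "public": "203.0.113.5:51820",
                "routes": ["198.51.100.0/24"], "pubkey": "OUTSIDE_PUBKEY_PLACEHOLDER"},
}


def endpoint_for(viewer, target):
    """Endpoint `viewer` should use for `target`, or None if it cannot initiate."""
    v, t = PEERS[viewer], PEERS[target]
    if v["lan"] and t["lan"]:
        return t["lan"]      # both on the LAN: talk directly, never via the outside peer
    return t["public"]       # otherwise only a public endpoint can be reached


def peer_entries(viewer):
    """(name, [allowed networks], endpoint, keepalive) for each [Peer] of `viewer`."""
    entries = []
    for name, p in PEERS.items():
        if name == viewer:
            continue
        allowed = [ipaddress.ip_network(f"{p['tunnel_ip']}/32")]
        allowed += [ipaddress.ip_network(r) for r in p["routes"]]
        ep = endpoint_for(viewer, name)
        # A LAN peer behind NAT must initiate towards the outside peer and keep
        # the NAT mapping alive, otherwise the outside peer cannot answer.
        keepalive = 25 if (ep and PEERS[viewer]["lan"] and not p["lan"]) else None
        entries.append((name, allowed, ep, keepalive))
    return entries


def render_config(viewer):
    """Render the wg-quick style config for `viewer` (private key left as a placeholder)."""
    lines = ["[Interface]",
             f"Address = {PEERS[viewer]['tunnel_ip']}/{TUNNEL_NET.prefixlen}",
             "ListenPort = 51820",
             f"PrivateKey = <private key of {viewer}>", ""]
    for name, allowed, ep, ka in peer_entries(viewer):
        lines += ["[Peer]", f"# {name}",
                  f"PublicKey = {PEERS[name]['pubkey']}",
                  "AllowedIPs = " + ", ".join(str(n) for n in allowed)]
        if ep:
            lines.append(f"Endpoint = {ep}")
        if ka:
            lines.append(f"PersistentKeepalive = {ka}")
        lines.append("")
    return "\n".join(lines)


def route_peer(viewer, dst):
    """Peer that WireGuard's cryptokey routing would pick on `viewer` for `dst`:
    the most specific AllowedIPs entry across all peers wins; None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    best_name, best_len = None, -1
    for name, allowed, _ep, _ka in peer_entries(viewer):
        for net in allowed:
            if dst in net and net.prefixlen > best_len:
                best_name, best_len = name, net.prefixlen
    return best_name


if __name__ == "__main__":
    for host in PEERS:
        print(f"===== {host} =====")
        print(render_config(host))
    print("alpha -> 10.8.0.2 via", route_peer("alpha", "10.8.0.2"))
    print("alpha -> 198.51.100.7 via", route_peer("alpha", "198.51.100.7"))
```

Two caveats that follow from how WireGuard works: AllowedIPs is also the ingress filter, so a packet arriving from the outside peer with a LAN peer's tunnel address as source is dropped, which keeps the outside peer from impersonating LAN hosts; and, as the last comment says, once a tunnel is up WireGuard itself does not restrict the direction of traffic inside it, so any "LAN only" policy still has to be enforced with firewall rules on the interface.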