Add peers as option for vpn_traffic

chadgeary · Nov 15, 2020 · f8e2e4e · f8e2e4e
1 parent 185e9ea
commit f8e2e4e
Show file tree

Hide file tree

Showing 11 changed files with 28 additions and 18 deletions.
diff --git a/aws/aws.tfvars b/aws/aws.tfvars
@@ -14,9 +14,11 @@ wireguard_peers = 20
 # dns over https provider, one of adguard applied-privacy cloudflare google hurricane-electric libre-dns opendns pi-dns quad9-recommended - see https://github.com/curl/curl/wiki/DNS-over-HTTPS
 doh_provider = "opendns"
 
-# Generate wireguard client configurations to route only DNS traffic through VPN, or all traffic.
+# Generate wireguard client configurations to route only "dns" traffic through VPN, or:
+# "peers" - dns + other connected peers
+# "all" - all traffic
 # The wireguard server container does NOT restrict clients, clients can change their AllowedIPs as desired.
-# either "dns" or "all"
+# either "dns" "peers" or "all"
 vpn_traffic = "dns"
 
 # a value of 1 permits mgmt_cidr access to DNS without the VPN

diff --git a/azure/az.tfvars b/azure/az.tfvars
@@ -9,9 +9,11 @@ wireguard_peers = 20
 # dns over https provider, one of adguard applied-privacy cloudflare google hurricane-electric libre-dns opendns pi-dns quad9-recommended - see https://github.com/curl/curl/wiki/DNS-over-HTTPS
 doh_provider = "opendns"
 
-# Generate wireguard client configurations to route only DNS traffic through VPN, or all traffic.
-# The wireguard server container does NOT restrict clients, clients can change their AllowedIPs as desired.
-# either "dns" or "all"
+# Generate wireguard client configurations to route only "dns" traffic through VPN, or:
+# # "peers" - dns + other connected peers
+# # "all" - all traffic
+# # The wireguard server container does NOT restrict clients, clients can change their AllowedIPs as desired.
+# # either "dns" "peers" or "all"
 vpn_traffic = "dns"
 
 # a value of 1 permits mgmt_cidr access to DNS without the VPN

diff --git a/gcp/gcp.tfvars b/gcp/gcp.tfvars
@@ -12,9 +12,11 @@ wireguard_peers = 20
 # dns over https provider, one of adguard applied-privacy cloudflare google hurricane-electric libre-dns opendns pi-dns quad9-recommended - see https://github.com/curl/curl/wiki/DNS-over-HTTPS
 doh_provider = "opendns"
 
-# Generate wireguard client configurations to route only DNS traffic through VPN, or all traffic.
+# Generate wireguard client configurations to route only "dns" traffic through VPN, or:
+# "peers" - dns + other connected peers
+# "all" - all traffic
 # The wireguard server container does NOT restrict clients, clients can change their AllowedIPs as desired.
-# either "dns" or "all"
+# either "dns" "peers" or "all"
 vpn_traffic = "dns"
 
 # a value of 1 permits mgmt_cidr access to DNS without the VPN

diff --git a/oci/oci.tfvars b/oci/oci.tfvars
@@ -12,9 +12,11 @@ wireguard_peers = 20
 # dns over https provider, one of adguard applied-privacy cloudflare google hurricane-electric libre-dns opendns pi-dns quad9-recommended - see https://github.com/curl/curl/wiki/DNS-over-HTTPS
 doh_provider = "opendns"
 
-# Generate wireguard client configurations to route only DNS traffic through VPN, or all traffic.
+# Generate wireguard client configurations to route only "dns" traffic through VPN, or:
+# "peers" - dns + other connected peers
+# "all" - all traffic
 # The wireguard server container does NOT restrict clients, clients can change their AllowedIPs as desired.
-# either "dns" or "all"
+# either "dns" "peers" or "all"
 vpn_traffic = "dns"
 
 # a value of 1 permits mgmt_cidr access to DNS without the VPN

diff --git a/playbooks/README.md b/playbooks/README.md
@@ -27,10 +27,12 @@ One of: adguard applied-privacy cloudflare google hurricane-electric libre-dns o
 Flag to allow DNS lookups directly to the pihole service without Wireguard VPN (exposes Pihole 53/tcp and 53/udp). Useful for local deployments where a traditional DNS service is required.
 1 for true, 0 for false
 
-# vpn_traffic
-# Generate wireguard client configurations to route only DNS traffic through VPN, or all traffic.
+# Generate wireguard client configurations to route only "dns" traffic through VPN, or:
+# "peers" - dns + other connected peers
+# "all" - all traffic
 # The wireguard server container does NOT restrict clients, clients can change their AllowedIPs as desired.
-One of: dns all
+# either "dns" "peers" or "all"
+vpn_traffic = "dns"
 
 # others
 The IP address variables should be changed if they'll conflict/overlap local networks. wireguard_network must not be in the same /24 as docker_<var>s

diff --git a/playbooks/cloudblock_amd64.yml b/playbooks/cloudblock_amd64.yml
@@ -181,7 +181,7 @@
           TZ: "Etc/UTC"
           SERVERURL: "auto"
           SERVERPORT: "51820"
-          ALLOWEDIPS: "{% if vpn_traffic is not defined %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'dns' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'all' %}0.0.0.0/0{% else %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% endif %}"
+          ALLOWEDIPS: "{% if vpn_traffic is not defined %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'dns' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'peers' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32,{{ wireguard_network }}/24{% elif vpn_traffic == 'all' %}0.0.0.0/0{% else %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% endif %}"
           PEERS: "{{ wireguard_peers }}"
           PEERDNS: "{{ docker_pihole }}"
           INTERNAL_SUBNET: "{{ wireguard_network }}"

diff --git a/playbooks/cloudblock_arm64.yml b/playbooks/cloudblock_arm64.yml
@@ -183,7 +183,7 @@
           TZ: "Etc/UTC"
           SERVERURL: "auto"
           SERVERPORT: "51820"
-          ALLOWEDIPS: "{% if vpn_traffic is not defined %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'dns' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'all' %}0.0.0.0/0{% else %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% endif %}"
+          ALLOWEDIPS: "{% if vpn_traffic is not defined %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'dns' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'peers' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32,{{ wireguard_network }}/24{% elif vpn_traffic == 'all' %}0.0.0.0/0{% else %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% endif %}"
           PEERS: "{{ wireguard_peers }}"
           PEERDNS: "{{ docker_pihole }}"
           INTERNAL_SUBNET: "{{ wireguard_network }}"

diff --git a/playbooks/cloudblock_aws_arm.yml b/playbooks/cloudblock_aws_arm.yml
@@ -196,7 +196,7 @@
           TZ: "Etc/UTC"
           SERVERURL: "auto"
           SERVERPORT: "51820"
-          ALLOWEDIPS: "{% if vpn_traffic is not defined %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'dns' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'all' %}0.0.0.0/0{% else %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% endif %}"
+          ALLOWEDIPS: "{% if vpn_traffic is not defined %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'dns' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'peers' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32,{{ wireguard_network }}/24{% elif vpn_traffic == 'all' %}0.0.0.0/0{% else %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% endif %}"
           PEERS: "{{ wireguard_peers }}"
           PEERDNS: "{{ docker_pihole }}"
           INTERNAL_SUBNET: "{{ wireguard_network }}"

diff --git a/playbooks/cloudblock_azure.yml b/playbooks/cloudblock_azure.yml
@@ -193,7 +193,7 @@
           TZ: "Etc/UTC"
           SERVERURL: "auto"
           SERVERPORT: "51820"
-          ALLOWEDIPS: "{% if vpn_traffic is not defined %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'dns' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'all' %}0.0.0.0/0{% else %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% endif %}"
+          ALLOWEDIPS: "{% if vpn_traffic is not defined %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'dns' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'peers' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32,{{ wireguard_network }}/24{% elif vpn_traffic == 'all' %}0.0.0.0/0{% else %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% endif %}"
           PEERS: "{{ wireguard_peers }}"
           PEERDNS: "{{ docker_pihole }}"
           INTERNAL_SUBNET: "{{ wireguard_network }}"

diff --git a/playbooks/cloudblock_gcp.yml b/playbooks/cloudblock_gcp.yml
@@ -210,7 +210,7 @@
           TZ: "Etc/UTC"
           SERVERURL: "auto"
           SERVERPORT: "51820"
-          ALLOWEDIPS: "{% if vpn_traffic is not defined %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'dns' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'all' %}0.0.0.0/0{% else %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% endif %}"
+          ALLOWEDIPS: "{% if vpn_traffic is not defined %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'dns' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'peers' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32,{{ wireguard_network }}/24{% elif vpn_traffic == 'all' %}0.0.0.0/0{% else %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% endif %}"
           PEERS: "{{ wireguard_peers }}"
           PEERDNS: "{{ docker_pihole }}"
           INTERNAL_SUBNET: "{{ wireguard_network }}"

diff --git a/playbooks/cloudblock_oci.yml b/playbooks/cloudblock_oci.yml
@@ -193,7 +193,7 @@
           TZ: "Etc/UTC"
           SERVERURL: "auto"
           SERVERPORT: "51820"
-          ALLOWEDIPS: "{% if vpn_traffic is not defined %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'dns' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'all' %}0.0.0.0/0{% else %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% endif %}"
+          ALLOWEDIPS: "{% if vpn_traffic is not defined %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'dns' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'peers' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32,{{ wireguard_network }}/24{% elif vpn_traffic == 'all' %}0.0.0.0/0{% else %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% endif %}"
           PEERS: "{{ wireguard_peers }}"
           PEERDNS: "{{ docker_pihole }}"
           INTERNAL_SUBNET: "{{ wireguard_network }}"