diff --git a/aws/aws.tfvars b/aws/aws.tfvars
index c145b6a..0593355 100644
--- a/aws/aws.tfvars
+++ b/aws/aws.tfvars
@@ -14,9 +14,11 @@ wireguard_peers = 20
 # dns over https provider, one of adguard applied-privacy cloudflare google hurricane-electric libre-dns opendns pi-dns quad9-recommended - see https://github.com/curl/curl/wiki/DNS-over-HTTPS
 doh_provider = "opendns"
-# Generate wireguard client configurations to route only DNS traffic through VPN, or all traffic.
+# Generate wireguard client configurations to route only "dns" traffic through VPN, or:
+# "peers" - dns + other connected peers
+# "all" - all traffic
 # The wireguard server container does NOT restrict clients, clients can change their AllowedIPs as desired.
-# either "dns" or "all"
+# either "dns" "peers" or "all"
 vpn_traffic = "dns"
 # a value of 1 permits mgmt_cidr access to DNS without the VPN
diff --git a/azure/az.tfvars b/azure/az.tfvars
index dbd769e..e7448db 100644
--- a/azure/az.tfvars
+++ b/azure/az.tfvars
@@ -9,9 +9,11 @@ wireguard_peers = 20
 # dns over https provider, one of adguard applied-privacy cloudflare google hurricane-electric libre-dns opendns pi-dns quad9-recommended - see https://github.com/curl/curl/wiki/DNS-over-HTTPS
 doh_provider = "opendns"
-# Generate wireguard client configurations to route only DNS traffic through VPN, or all traffic.
-# The wireguard server container does NOT restrict clients, clients can change their AllowedIPs as desired.
-# either "dns" or "all"
+# Generate wireguard client configurations to route only "dns" traffic through VPN, or:
+# # "peers" - dns + other connected peers
+# # "all" - all traffic
+# # The wireguard server container does NOT restrict clients, clients can change their AllowedIPs as desired.
+# # either "dns" "peers" or "all"
 vpn_traffic = "dns"
 # a value of 1 permits mgmt_cidr access to DNS without the VPN
diff --git a/gcp/gcp.tfvars b/gcp/gcp.tfvars
index 6ed4153..8f152c6 100644
--- a/gcp/gcp.tfvars
+++ b/gcp/gcp.tfvars
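Review bot: The new `# "peers" - dns + other connected peers` line in aws/aws.tfvars understates what the mode does: the playbook hunks implement it by adding `wireguard_network/24` to the generated client's AllowedIPs, so client-to-client traffic is sent into the tunnel and, presumably with no filtering between peers on the server side, each client's own listening services become reachable from every other client. That is the kind of consequence an operator should see before choosing the value, e.g. `# "peers" - dns + other connected peers (clients become reachable by each other over the tunnel; firewall the client if that is unwanted)`. The closing line `# either "dns" "peers" or "all"` also lacks separators and would read better as `# one of "dns", "peers" or "all"`. The same wording appears in the gcp/gcp.tfvars and oci/oci.tfvars hunks, which should be updated together so the four files stay identical.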
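Review bot: The four added comment lines in azure/az.tfvars carry a doubled prefix (`# # "peers" ...`, `# # "all" ...`, `# # The wireguard server ...`, `# # either ...`) that the aws, gcp and oci hunks do not have; drop the extra `# ` on each so the four tfvars files read the same. The hunk also removes and re-adds the otherwise unchanged `# The wireguard server container does NOT restrict clients, ...` line, which the other three hunks keep as context; leaving it untouched would let the change be compared line-for-line across the files.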
@@ -12,9 +12,11 @@ wireguard_peers = 20
 # dns over https provider, one of adguard applied-privacy cloudflare google hurricane-electric libre-dns opendns pi-dns quad9-recommended - see https://github.com/curl/curl/wiki/DNS-over-HTTPS
 doh_provider = "opendns"
-# Generate wireguard client configurations to route only DNS traffic through VPN, or all traffic.
+# Generate wireguard client configurations to route only "dns" traffic through VPN, or:
+# "peers" - dns + other connected peers
+# "all" - all traffic
 # The wireguard server container does NOT restrict clients, clients can change their AllowedIPs as desired.
-# either "dns" or "all"
+# either "dns" "peers" or "all"
 vpn_traffic = "dns"
 # a value of 1 permits mgmt_cidr access to DNS without the VPN
diff --git a/oci/oci.tfvars b/oci/oci.tfvars
index a2f3619..c75cf44 100644
--- a/oci/oci.tfvars
+++ b/oci/oci.tfvars
@@ -12,9 +12,11 @@ wireguard_peers = 20
 # dns over https provider, one of adguard applied-privacy cloudflare google hurricane-electric libre-dns opendns pi-dns quad9-recommended - see https://github.com/curl/curl/wiki/DNS-over-HTTPS
 doh_provider = "opendns"
-# Generate wireguard client configurations to route only DNS traffic through VPN, or all traffic.
+# Generate wireguard client configurations to route only "dns" traffic through VPN, or:
+# "peers" - dns + other connected peers
+# "all" - all traffic
 # The wireguard server container does NOT restrict clients, clients can change their AllowedIPs as desired.
-# either "dns" or "all"
+# either "dns" "peers" or "all"
 vpn_traffic = "dns"
 # a value of 1 permits mgmt_cidr access to DNS without the VPN
diff --git a/playbooks/README.md b/playbooks/README.md
index 6e9cf47..5391b77 100644
--- a/playbooks/README.md
+++ b/playbooks/README.md
@@ -27,10 +27,12 @@ One of: adguard applied-privacy cloudflare google hurricane-electric libre-dns o
 Flag to allow DNS lookups directly to the pihole service without Wireguard VPN (exposes Pihole 53/tcp and 53/udp). Useful for local deployments where a traditional DNS service is required. 1 for true, 0 for false
-# vpn_traffic
-# Generate wireguard client configurations to route only DNS traffic through VPN, or all traffic.
+# Generate wireguard client configurations to route only "dns" traffic through VPN, or:
+# "peers" - dns + other connected peers
+# "all" - all traffic
 # The wireguard server container does NOT restrict clients, clients can change their AllowedIPs as desired.
-One of: dns all
+# either "dns" "peers" or "all"
+vpn_traffic = "dns"
 # others
 The IP address variables should be changed if they'll conflict/overlap local networks. wireguard_network must not be in the same /24 as docker_s
diff --git a/playbooks/cloudblock_amd64.yml b/playbooks/cloudblock_amd64.yml
index 7cbe858..190861d 100644
--- a/playbooks/cloudblock_amd64.yml
+++ b/playbooks/cloudblock_amd64.yml
@@ -181,7 +181,7 @@
 TZ: "Etc/UTC"
 SERVERURL: "auto"
 SERVERPORT: "51820"
- ALLOWEDIPS: "{% if vpn_traffic is not defined %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'dns' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'all' %}0.0.0.0/0{% else %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% endif %}"
+ ALLOWEDIPS: "{% if vpn_traffic is not defined %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'dns' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'peers' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32,{{ wireguard_network }}/24{% elif vpn_traffic == 'all' %}0.0.0.0/0{% else %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% endif %}"
 PEERS: "{{ wireguard_peers }}"
 PEERDNS: "{{ docker_pihole }}"
 INTERNAL_SUBNET: "{{ wireguard_network }}"
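Review bot: The new `ALLOWEDIPS` expression in playbooks/cloudblock_amd64.yml still has no validation of `vpn_traffic`, so any value outside `dns`/`peers`/`all` (a typo such as `al`) drops silently into the `{% else %}` branch and produces a DNS-only client config while the operator believes the full tunnel is in place; an `ansible.builtin.assert` task before the container task would make that a visible failure. The expression also has three identical branches (`not defined`, `'dns'` and `else`), which can be collapsed to the form below without changing any result, and the `/24` appended to `wireguard_network` is an unstated assumption that deserves a short comment such as `# wireguard_network is treated as a /24 throughout (matches INTERNAL_SUBNET usage)`. The same copy-pasted line appears in the cloudblock_arm64, cloudblock_aws_arm, cloudblock_azure, cloudblock_gcp and cloudblock_oci hunks; computing it once in a shared vars file and referencing it would keep the six playbooks from drifting. The enclosing container task starts and ends outside the hunk.
```yaml
- name: Validate vpn_traffic
  ansible.builtin.assert:
    that:
      - "vpn_traffic | default('dns') in ['dns', 'peers', 'all']"
    fail_msg: "vpn_traffic must be one of dns, peers, all"

# … unchanged: container task and its other env entries …
          # wireguard_network is treated as a /24 throughout (matches INTERNAL_SUBNET usage)
          ALLOWEDIPS: "{% if vpn_traffic is defined and vpn_traffic == 'all' %}0.0.0.0/0{% elif vpn_traffic is defined and vpn_traffic == 'peers' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32,{{ wireguard_network }}/24{% else %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% endif %}"
```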
diff --git a/playbooks/cloudblock_arm64.yml b/playbooks/cloudblock_arm64.yml
index e357fad..55d6f16 100644
--- a/playbooks/cloudblock_arm64.yml
+++ b/playbooks/cloudblock_arm64.yml
@@ -183,7 +183,7 @@
 TZ: "Etc/UTC"
 SERVERURL: "auto"
 SERVERPORT: "51820"
- ALLOWEDIPS: "{% if vpn_traffic is not defined %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'dns' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'all' %}0.0.0.0/0{% else %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% endif %}"
+ ALLOWEDIPS: "{% if vpn_traffic is not defined %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'dns' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'peers' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32,{{ wireguard_network }}/24{% elif vpn_traffic == 'all' %}0.0.0.0/0{% else %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% endif %}"
 PEERS: "{{ wireguard_peers }}"
 PEERDNS: "{{ docker_pihole }}"
 INTERNAL_SUBNET: "{{ wireguard_network }}"
diff --git a/playbooks/cloudblock_aws_arm.yml b/playbooks/cloudblock_aws_arm.yml
index 41ba925..b3229f6 100644
--- a/playbooks/cloudblock_aws_arm.yml
+++ b/playbooks/cloudblock_aws_arm.yml
@@ -196,7 +196,7 @@
 TZ: "Etc/UTC"
 SERVERURL: "auto"
 SERVERPORT: "51820"
- ALLOWEDIPS: "{% if vpn_traffic is not defined %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'dns' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'all' %}0.0.0.0/0{% else %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% endif %}"
+ ALLOWEDIPS: "{% if vpn_traffic is not defined %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'dns' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'peers' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32,{{ wireguard_network }}/24{% elif vpn_traffic == 'all' %}0.0.0.0/0{% else %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% endif %}"
 PEERS: "{{ wireguard_peers }}"
 PEERDNS: "{{ docker_pihole }}"
 INTERNAL_SUBNET: "{{ wireguard_network }}"
diff --git a/playbooks/cloudblock_azure.yml b/playbooks/cloudblock_azure.yml
index 7e7843a..827aa51 100644
--- a/playbooks/cloudblock_azure.yml
+++ b/playbooks/cloudblock_azure.yml
@@ -193,7 +193,7 @@
 TZ: "Etc/UTC"
 SERVERURL: "auto"
 SERVERPORT: "51820"
- ALLOWEDIPS: "{% if vpn_traffic is not defined %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'dns' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'all' %}0.0.0.0/0{% else %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% endif %}"
+ ALLOWEDIPS: "{% if vpn_traffic is not defined %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'dns' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'peers' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32,{{ wireguard_network }}/24{% elif vpn_traffic == 'all' %}0.0.0.0/0{% else %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% endif %}"
 PEERS: "{{ wireguard_peers }}"
 PEERDNS: "{{ docker_pihole }}"
 INTERNAL_SUBNET: "{{ wireguard_network }}"
diff --git a/playbooks/cloudblock_gcp.yml b/playbooks/cloudblock_gcp.yml
index 7bfe80f..252682c 100644
--- a/playbooks/cloudblock_gcp.yml
+++ b/playbooks/cloudblock_gcp.yml
@@ -210,7 +210,7 @@
 TZ: "Etc/UTC"
 SERVERURL: "auto"
 SERVERPORT: "51820"
- ALLOWEDIPS: "{% if vpn_traffic is not defined %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'dns' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'all' %}0.0.0.0/0{% else %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% endif %}"
+ ALLOWEDIPS: "{% if vpn_traffic is not defined %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'dns' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'peers' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32,{{ wireguard_network }}/24{% elif vpn_traffic == 'all' %}0.0.0.0/0{% else %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% endif %}"
 PEERS: "{{ wireguard_peers }}"
 PEERDNS: "{{ docker_pihole }}"
 INTERNAL_SUBNET: "{{ wireguard_network }}"
diff --git a/playbooks/cloudblock_oci.yml b/playbooks/cloudblock_oci.yml
index 47c9756..482d699 100644
--- a/playbooks/cloudblock_oci.yml
+++ b/playbooks/cloudblock_oci.yml
@@ -193,7 +193,7 @@
 TZ: "Etc/UTC"
 SERVERURL: "auto"
 SERVERPORT: "51820"
- ALLOWEDIPS: "{% if vpn_traffic is not defined %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'dns' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'all' %}0.0.0.0/0{% else %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% endif %}"
+ ALLOWEDIPS: "{% if vpn_traffic is not defined %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'dns' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% elif vpn_traffic == 'peers' %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32,{{ wireguard_network }}/24{% elif vpn_traffic == 'all' %}0.0.0.0/0{% else %}{{ docker_pihole }}/32,{{ docker_webproxy }}/32{% endif %}"
 PEERS: "{{ wireguard_peers }}"
 PEERDNS: "{{ docker_pihole }}"
 INTERNAL_SUBNET: "{{ wireguard_network }}"