exclude peer ip

dappnode · Oct 26, 2021 · 79bbfdd · 79bbfdd
1 parent 928363d
commit 79bbfdd
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -80,7 +80,9 @@ The templates used for server and peer confs are saved under `/config/templates`
 ## Site-to-site VPN
 Site-to-site VPN requires customizing the `AllowedIPs` statement for a specific peer in `wg0.conf`. Since `wg0.conf` is autogenerated when server vars are changed, it is not recommended to edit it manually.
 
-In order to customize the `AllowedIPs` statement for a specific peer in `wg0.conf`, you can set an env var `SERVER_ALLOWEDIPS_PEER_<peer name or number>` to the full `AllowedIPS` you'd like to use (ie. `"192.168.1.0/24,10.13.13.5"`). Replace `<peer name or number>` with either the name or number of a peer (whichever is used in the `PEERS` var) so the full thing reads something like `SERVER_ALLOWEDIPS_PEER_laptop="192.168.1.0/24,10.13.13.5"`.
+In order to customize the `AllowedIPs` statement for a specific peer in `wg0.conf`, you can set an env var `SERVER_ALLOWEDIPS_PEER_<peer name or number>` to the additional subnets you'd like to add, comma separated and excluding the peer IP (ie. `"192.168.1.0/24,192.168.2.0/24"`). Replace `<peer name or number>` with either the name or number of a peer (whichever is used in the `PEERS` var).
+
+`SERVER_ALLOWEDIPS_PEER_laptop="192.168.1.0/24,192.168.2.0/24"` will result in the wg0.conf entry `AllowedIPs = 10.13.13.2,192.168.1.0/24,192.168.2.0/24` for the peer named `laptop`.
 
 Keep in mind that this var will only be considered when the confs are regenerated. Adding this var for an existing peer won't force a regeneration. You can remove and readd a peer to force regeneration if necessary.
 

diff --git a/readme-vars.yml b/readme-vars.yml
@@ -77,7 +77,9 @@ app_setup_block: |
   ## Site-to-site VPN
   Site-to-site VPN requires customizing the `AllowedIPs` statement for a specific peer in `wg0.conf`. Since `wg0.conf` is autogenerated when server vars are changed, it is not recommended to edit it manually.
 
-  In order to customize the `AllowedIPs` statement for a specific peer in `wg0.conf`, you can set an env var `SERVER_ALLOWEDIPS_PEER_<peer name or number>` to the full `AllowedIPS` you'd like to use (ie. `"192.168.1.0/24,10.13.13.5"`). Replace `<peer name or number>` with either the name or number of a peer (whichever is used in the `PEERS` var) so the full thing reads something like `SERVER_ALLOWEDIPS_PEER_laptop="192.168.1.0/24,10.13.13.5"`.
+  In order to customize the `AllowedIPs` statement for a specific peer in `wg0.conf`, you can set an env var `SERVER_ALLOWEDIPS_PEER_<peer name or number>` to the additional subnets you'd like to add, comma separated and excluding the peer IP (ie. `"192.168.1.0/24,192.168.2.0/24"`). Replace `<peer name or number>` with either the name or number of a peer (whichever is used in the `PEERS` var).
+  
+  `SERVER_ALLOWEDIPS_PEER_laptop="192.168.1.0/24,192.168.2.0/24"` will result in the wg0.conf entry `AllowedIPs = 10.13.13.2,192.168.1.0/24,192.168.2.0/24` for the peer named `laptop`.
   
   Keep in mind that this var will only be considered when the confs are regenerated. Adding this var for an existing peer won't force a regeneration. You can remove and readd a peer to force regeneration if necessary.
 

diff --git a/root/etc/cont-init.d/30-config b/root/etc/cont-init.d/30-config
@@ -207,7 +207,7 @@ DUDE"
 [Peer]
 # ${PEER_ID}
 PublicKey = $(cat /config/${PEER_ID}/publickey-${PEER_ID})
-AllowedIPs = ${!SERVER_ALLOWEDIPS}
+AllowedIPs = ${CLIENT_IP}/32,${!SERVER_ALLOWEDIPS}
 
 DUDE
     else