-
Notifications
You must be signed in to change notification settings - Fork 13
/
Copy pathbreakout-box.service.j2
54 lines (42 loc) · 2.3 KB
/
breakout-box.service.j2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
[Unit]
Description=Breakout Box reverse VPN service (box)
After=network-online.target
[Install]
WantedBy=multi-user.target
[Service]
Type=oneshot
RemainAfterExit=true
#-
ExecStart=/sbin/ip link add {{ wg_if }} type wireguard
ExecStart=/usr/bin/wg setconf {{ wg_if }} {{ config_dir }}/{{ wg_if }}.conf
ExecStart=/sbin/ip -4 address add {{ wireguard_box_ipv4 }} dev {{ wg_if }}
{% if wireguard_use_ipv6 -%}
ExecStart=/sbin/ip -6 address add {{ wireguard_box_ipv6 }} dev {{ wg_if }}
{%- endif %}
ExecStart=/sbin/ip link set mtu 1420 up dev {{ wg_if }}
ExecStart=/sbin/iptables -A FORWARD -i {{ wg_if }} -o {{ inet_if }} -j ACCEPT
ExecStart=/sbin/iptables -A FORWARD -i {{ inet_if }} -o {{ wg_if }} -m state --state ESTABLISHED,RELATED -j ACCEPT
ExecStart=/sbin/iptables -t nat -A POSTROUTING -o {{ inet_if }} -j MASQUERADE
ExecStart=/sbin/sysctl -w net.ipv4.conf.{{ wg_if }}.forwarding=1
ExecStart=/sbin/sysctl -w net.ipv4.conf.{{ inet_if }}.forwarding=1
{% if wireguard_use_ipv6 -%}
ExecStart=/sbin/ip6tables -A FORWARD -i {{ wg_if }} -o {{ inet_if }} -j ACCEPT
ExecStart=/sbin/ip6tables -A FORWARD -i {{ inet_if }} -o {{ wg_if }} -m state --state ESTABLISHED,RELATED -j ACCEPT
ExecStart=/sbin/ip6tables -t nat -A POSTROUTING -o {{ inet_if }} -j MASQUERADE
ExecStart=/sbin/sysctl -w net.ipv6.conf.{{ wg_if }}.forwarding=1
ExecStart=/sbin/sysctl -w net.ipv6.conf.{{ inet_if }}.forwarding=1
{%- endif %}
#-
{% if wireguard_use_ipv6 -%}
ExecStopPost=-/sbin/sysctl -w net.ipv6.conf.{{ wg_if }}.forwarding=0
ExecStopPost=-/sbin/sysctl -w net.ipv6.conf.{{ inet_if }}.forwarding=0
ExecStopPost=-/sbin/ip6tables -D FORWARD -i {{ wg_if }} -o {{ inet_if }} -j ACCEPT
ExecStopPost=-/sbin/ip6tables -D FORWARD -i {{ inet_if }} -o {{ wg_if }} -m state --state ESTABLISHED,RELATED -j ACCEPT
ExecStopPost=-/sbin/ip6tables -t nat -D POSTROUTING -o {{ inet_if }} -j MASQUERADE
{%- endif %}
ExecStopPost=-/sbin/sysctl -w net.ipv4.conf.{{ wg_if }}.forwarding=0
ExecStopPost=-/sbin/sysctl -w net.ipv4.conf.{{ inet_if }}.forwarding=0
ExecStopPost=-/sbin/iptables -D FORWARD -i {{ wg_if }} -o {{ inet_if }} -j ACCEPT
ExecStopPost=-/sbin/iptables -D FORWARD -i {{ inet_if }} -o {{ wg_if }} -m state --state ESTABLISHED,RELATED -j ACCEPT
ExecStopPost=-/sbin/iptables -t nat -D POSTROUTING -o {{ inet_if }} -j MASQUERADE
ExecStopPost=/sbin/ip link delete dev {{ wg_if }}