| field | value | date |
|---|---|---|
| author | Paul Buetow <paul@buetow.org> | 2026-01-11 21:22:21 +0200 |
| committer | Paul Buetow <paul@buetow.org> | 2026-01-11 21:22:21 +0200 |
| commit | a6984e1a9c59f19444bbc9013c59604e48cbf371 (patch) | |
| tree | 0b50f83e08dd4217da3799eb9f81184c0ca7b463 /wireguardmeshgenerator.yaml | |
| parent | d3fe29187a6bb8b78bea2791e95c3d061d9f6aec (diff) | |
Add roaming client support for earth (Fedora laptop) and pixel7pro (Android)
Core changes to wireguardmeshgenerator.rb:
- Add roaming client detection (hosts without 'lan' or 'internet' sections)
- Enable PersistentKeepalive for all roaming client peer connections
- Route all traffic (0.0.0.0/0, ::/0) through VPN for roaming clients
- Add DNS configuration (1.1.1.1, 8.8.8.8) for roaming clients
- Handle CIDR notation in AllowedIPs without adding /32
- Support configurable SSH port per host (default 22, OpenBSD hosts use 2)
YAML configuration changes:
- Add earth roaming client (192.168.2.200, Fedora laptop)
- Add pixel7pro roaming client (192.168.2.201, Android phone)
- Configure client-only architecture via exclude_peers
- Roaming clients connect only to blowfish and fishfinger gateways
- LAN hosts (f0-f2, r0-r2) exclude roaming clients from peering
- Add SSH port 2 for OpenBSD hosts (blowfish, fishfinger)
Dependency updates:
- Add 'rake' gem to Gemfile for task management
- Add 'logger' gem to suppress Ruby 4.0 deprecation warnings
Implementation notes:
- Roaming clients have no fixed 'lan' or 'internet' section
- All-traffic routing enables internet access through VPN gateways
- NAT rules on OpenBSD gateways required for internet access
- WireGuard does not support automatic failover between peers
- Manual reconnection required if active gateway fails
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Diffstat (limited to 'wireguardmeshgenerator.yaml')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | wireguardmeshgenerator.yaml | 55 |

1 files changed, 54 insertions, 1 deletions
diff --git a/wireguardmeshgenerator.yaml b/wireguardmeshgenerator.yaml index d984ca5..020854f 100644 --- a/wireguardmeshgenerator.yaml +++ b/wireguardmeshgenerator.yaml @@ -13,6 +13,9 @@ hosts: wg0: domain: 'wg0.wan.buetow.org' ip: '192.168.2.130' + exclude_peers: + - earth + - pixel7pro f1: os: FreeBSD ssh: @@ -26,6 +29,9 @@ hosts: wg0: domain: 'wg0.wan.buetow.org' ip: '192.168.2.131' + exclude_peers: + - earth + - pixel7pro f2: os: FreeBSD ssh: @@ -39,6 +45,9 @@ hosts: wg0: domain: 'wg0.wan.buetow.org' ip: '192.168.2.132' + exclude_peers: + - earth + - pixel7pro r0: os: Linux ssh: @@ -52,6 +61,9 @@ hosts: wg0: domain: 'wg0.wan.buetow.org' ip: '192.168.2.120' + exclude_peers: + - earth + - pixel7pro r1: os: Linux ssh: @@ -65,6 +77,9 @@ hosts: wg0: domain: 'wg0.wan.buetow.org' ip: '192.168.2.121' + exclude_peers: + - earth + - pixel7pro r2: os: Linux ssh: @@ -78,10 +93,14 @@ hosts: wg0: domain: 'wg0.wan.buetow.org' ip: '192.168.2.122' + exclude_peers: + - earth + - pixel7pro blowfish: os: OpenBSD ssh: user: rex + port: 2 conf_dir: /etc/wireguard sudo_cmd: doas reload_cmd: sh /etc/netstart wg0 @@ -95,6 +114,7 @@ hosts: os: OpenBSD ssh: user: rex + port: 2 conf_dir: /etc/wireguard sudo_cmd: doas reload_cmd: sh /etc/netstart wg0 
@@ -102,4 +122,37 @@ hosts: domain: 'buetow.org' ip: '46.23.94.99' wg0: - domain: 'wg0.wan.buetow.org' ip: '192.168.2.111' + domain: 'wg0.wan.buetow.org' + ip: '192.168.2.111' + earth: + os: Linux + wg0: + domain: 'wg0.wan.buetow.org' + ip: '192.168.2.200' + exclude_peers: + - f0 + - f1 + - f2 + - r0 + - r1 + - r2 + - pixel7pro + # Note: No 'lan' or 'internet' section = roaming client + # Note: No 'ssh' section = manual installation + # Note: Only connects to blowfish and fishfinger (internet gateways) + pixel7pro: + os: Android + wg0: + domain: 'wg0.wan.buetow.org' + ip: '192.168.2.201' + exclude_peers: + - f0 + - f1 + - f2 + - r0 + - r1 + - r2 + - earth + # Note: No 'lan' or 'internet' section = roaming client + # Note: No 'ssh' section = manual installation + # Note: Only connects to blowfish and fishfinger (internet gateways) |
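Review bot: the same three-line `exclude_peers` block (`- earth`, `- pixel7pro`) is pasted into six hosts (f0, f1, f2, r0, r1, r2) in the hunks from `@@ -13,6 +13,9 @@` through `@@ -78,10 +93,14 @@`, and the two roaming clients carry the mirror-image list of all six LAN hosts. Every future roaming client has to be added to all six LAN entries by hand, and a LAN host that is missed would presumably still get a peer entry for that client while the client (which lists every LAN host) has none for it, leaving a one-sided peering. Consider a YAML anchor shared by the LAN hosts (e.g. `exclude_peers: *roaming_clients`) or, better, have the generator derive the exclusion from the roaming-client detection the commit message already describes (hosts without `lan` or `internet`), so the mesh stays symmetric without duplicated lists.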
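Review bot: the new `port: 2` key added under `ssh:` for blowfish (`@@ -78,10 +93,14 @@`) and fishfinger (`@@ -95,6 +114,7 @@`) relies on a default of 22 that is stated only in the commit message ("Support configurable SSH port per host (default 22, ...)"); nothing in the YAML tells a reader that the key exists or what its omission means for the other hosts. Add a short comment at the first occurrence, e.g. `port: 2  # SSH port, defaults to 22 when omitted`, or document the key wherever the other `ssh:` keys (`user`, `conf_dir`, `sudo_cmd`, `reload_cmd`) are described.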
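Review bot: in `@@ -102,4 +122,37 @@` the roaming role of `earth` and `pixel7pro` is expressed only by what is absent (the `# Note: No 'lan' or 'internet' section = roaming client` comments), so a LAN host whose `lan` section is dropped by mistake would silently be treated as a roaming client and, per the commit message, receive full-tunnel routing (`0.0.0.0/0, ::/0`), the fixed DNS servers and `PersistentKeepalive`. An explicit `roaming: true` key on these two entries would make the intent visible in the data and let the generator reject a host that has neither that key nor a `lan`/`internet` section instead of guessing. The three `# Note:` comments are also duplicated verbatim under both clients; one comment above `earth:` covers both.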
