vdip

files/vdip/client.conf.j2

+[Interface]
+Address = {{clientAddress}}/32
+PrivateKey = {{clientKey.priv}}
+Table = 100
+PostUp = /sbin/ip rule add pref 80 to 10.0.0.0/7 lookup main; /sbin/ip rule add pref 80 to 172.16.0.0/12 lookup main; /sbin/ip rule add pref 80 to 192.168.0.0/16 lookup main; /sbin/ip rule add pref 100 fwmark 100 lookup 100; /sbin/ip route replace {{address}}/32 dev %i; ipset create vdiplocal hash:net maxelem 1000000; /sbin/ipset add vdiplocal 10.0.0.0/7; /sbin/ipset add vdiplocal 172.16.0.0/12; /sbin/ipset add vdiplocal 192.168.0.0/16; /sbin/iptables -t mangle -A PREROUTING -i %i ! -d 224.0.0.0/3 -m set ! --match-set vdiplocal src -j CONNMARK --set-xmark 100; /sbin/iptables -t mangle -A PREROUTING -m connmark --mark 100 -j CONNMARK --restore-mark; /sbin/iptables -t mangle -A OUTPUT -m connmark --mark 100 -j CONNMARK --restore-mark; true
+PreDown = /sbin/ip rule del pref 80 to 10.0.0.0/7 lookup main; /sbin/ip rule del pref 80 to 172.16.0.0/12 lookup main; /sbin/ip rule del pref 80 to 192.168.0.0/16 lookup main; /sbin/ip rule del pref 100 fwmark 100 lookup 100; /sbin/iptables -t mangle -D PREROUTING -i %i ! -d 224.0.0.0/3 -m set ! --match-set vdiplocal src -j CONNMARK --set-xmark 100; /sbin/iptables -t mangle -D PREROUTING -m connmark --mark 100 -j CONNMARK --restore-mark; /sbin/iptables -t mangle -D OUTPUT -m connmark --mark 100 -j CONNMARK --restore-mark; ipset destroy vdiplocal; true
+
+[Peer]
+PublicKey = {{serverKey.pub}}
+AllowedIPs = 0.0.0.0/0, ::/0
+Endpoint = {{ansible_ssh_host}}:{{port}}
+PersistentKeepalive = 1

files/vdip/server.conf.j2

+[Interface]
+Address = {{address}}/32
+PrivateKey = {{serverKey.priv}}
+ListenPort = {{port}}
+
+PostUp = /etc/wireguard/server.sh up
+PreDown = /etc/wireguard/server.sh down
+
+[Peer]
+PublicKey = {{clientKey.pub}}
+AllowedIPs = {{clientAddress}}/32

files/vdip/server.sh.j2

+#!/bin/bash
+
+up () {
+	iptables -t nat -N VDIP
+	iptables -t nat -A VDIP -p tcp -m multiport --dports {{ansible_ssh_port}} -j RETURN
+	iptables -t nat -A VDIP -p udp -m multiport --dports {{port}} -j RETURN
+	iptables -t nat -A VDIP -j DNAT --to-destination {{clientAddress}}
+	iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j VDIP
+}
+
+down() {
+	iptables -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j VDIP
+	iptables -t nat -F VDIP
+	iptables -t nat -X VDIP
+}
+
+"$@"

vdip.yml

+---
+- hosts: vdip
+  remote_user: root
+  tasks:
+    - name: wireguard
+      become: true
+      apt:
+        update_cache: true
+        name: wireguard
+      when: ansible_os_family == "Debian"
+    - name: wg directory
+      become: true
+      file:
+        path: /etc/wireguard
+        state: directory
+    - name: server conf
+      become: true
+      template:
+        src: ./files/vdip/server.conf.j2
+        dest: /etc/wireguard/wgvdip.conf
+      notify: restart_wg
+    - name: server sh
+      become: true
+      template:
+        src: ./files/vdip/server.sh.j2
+        dest: /etc/wireguard/server.sh
+        mode: 0777
+      notify: restart_wg
+    - name: client conf
+      template:
+        src: ./files/vdip/client.conf.j2
+        dest: '{{ansible_user_dir}}/client.conf'
+    - name: start wg
+      become: true
+      systemd:
+        name: 'wg-quick@wgvdip'
+        state: started
+        enabled: true
+  handlers:
+    - name: restart_wg
+      become: true
+      systemd:
+        name: 'wg-quick@wgvdip'
+        state: restarted