From 14c7dbf743eb288c9a1b35bccf2db115a64afdef Mon Sep 17 00:00:00 2001
From: Stefan
Date: Sun, 12 Mar 2023 21:40:59 +0100
Subject: [PATCH] Added config for Edge Router

---
 edge1.md | 121 ++++++++++++++++++
 edgerouter_configs/edge1.md | 121 ++++++++++++++++++
 er-test.yml | 5 +
 host_vars/edge1.yml | 13 ++
 host_vars/vpn01/vars.yml | 7 +-
 hosts.yml | 3 +
 roles/01-vpn-router-config/tasks/main.yml | 11 ++
 .../templates/edgerouter.conf.j2 | 121 ++++++++++++++++++
 .../21-install-wireguard/templates/wg.conf.j2 | 1 +
 9 files changed, 401 insertions(+), 2 deletions(-)
 create mode 100644 edge1.md
 create mode 100755 edgerouter_configs/edge1.md
 create mode 100644 er-test.yml
 create mode 100644 host_vars/edge1.yml
 create mode 100644 roles/01-vpn-router-config/tasks/main.yml
 create mode 100644 roles/01-vpn-router-config/templates/edgerouter.conf.j2

diff --git a/edge1.md b/edge1.md
new file mode 100644
index 0000000..c2f493c
--- /dev/null
+++ b/edge1.md
@@ -0,0 +1,121 @@ +## Install Wireguard +cd /tmp +curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb +sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb + +#### +cd /config/auth +wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public +cat wg.public +cat wg.key +#### + +set firewall all-ping enable +set firewall broadcast-ping disable +set firewall group network-group LAN-VPN-V6 description 'Networks on LAN destined to go out VPN by default' +set firewall group ipv6-network-group LAN-VPN-V6 ipv6-network '2a03:2260:121:603::/64' +set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default' +set firewall group network-group LAN-VPN network 10.1.0.0/16 + +set firewall ipv6-modify LAN_to_VPN_V6 rule 1 action modify +set firewall ipv6-modify LAN_to_VPN_V6 rule 1 modify table 2 +set firewall ipv6-modify LAN_to_VPN_V6 rule 1 source group ipv6-network-group LAN-VPN-V6 +set firewall ipv6-modify LAN_to_VPN_V6 rule 100 description 'Route traffic from group LAN-VPN through LAN_to_VPN_V6 table' +set firewall ipv6-receive-redirects disable +set firewall ipv6-src-route disable +set firewall ip-src-route disable +set firewall log-martians enable +set firewall modify LAN_to_VPN rule 100 action modify +set firewall modify LAN_to_VPN rule 100 description 'Route traffic from group LAN-VPN through LAN_to_VPN table' +set firewall modify LAN_to_VPN rule 100 modify table 2 +set firewall modify LAN_to_VPN rule 100 source group network-group LAN-VPN +set firewall name WAN_LOCAL default-action drop +set firewall name WAN_LOCAL rule 20 action accept +set firewall name WAN_LOCAL rule 20 description WireGuard +set firewall name WAN_LOCAL rule 20 destination port 51821 +set firewall name WAN_LOCAL rule 20 protocol udp +set firewall options mss-clamp interface-type all +set firewall options mss-clamp mss 1350 +set firewall options mss-clamp6 interface-type all +set 
firewall options mss-clamp6 mss 1350 +set firewall receive-redirects disable +set firewall send-redirects enable +set firewall source-validation disable +set firewall syn-cookies enable +set interfaces ethernet eth0 address dhcp +set interfaces ethernet eth0 description 'Internet via DHCP' +set interfaces ethernet eth0 duplex auto +set interfaces ethernet eth0 speed auto +set interfaces ethernet eth1 description Local +set interfaces ethernet eth1 duplex auto +set interfaces ethernet eth1 speed auto +set interfaces ethernet eth2 description Local +set interfaces ethernet eth2 duplex auto +set interfaces ethernet eth2 speed auto +set interfaces ethernet eth3 description Local +set interfaces ethernet eth3 duplex auto +set interfaces ethernet eth3 speed auto +set interfaces ethernet eth4 description Local +set interfaces ethernet eth4 duplex auto +set interfaces ethernet eth4 poe output off +set interfaces ethernet eth4 speed auto +set interfaces loopback lo +set interfaces switch switch0 address 10.1.0.1/24 +set interfaces switch switch0 address '2a03:2260:121:603::1/64' +set interfaces switch switch0 description Local +set interfaces switch switch0 firewall in ipv6-modify LAN_to_VPN_V6 +set interfaces switch switch0 firewall in modify LAN_to_VPN +set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1 +set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64 +set interfaces switch switch0 ipv6 router-advert link-mtu 0 +set interfaces switch switch0 ipv6 router-advert managed-flag true +set interfaces switch switch0 ipv6 router-advert max-interval 600 +set interfaces switch switch0 ipv6 router-advert name-server '2606:4700:4700::1111' +set interfaces switch switch0 ipv6 router-advert other-config-flag false +set interfaces switch switch0 ipv6 router-advert prefix '2a03:2260:121:603::/64' autonomous-flag true +set interfaces switch switch0 ipv6 router-advert prefix '2a03:2260:121:603::/64' on-link-flag true +set interfaces switch switch0 ipv6 
router-advert prefix '2a03:2260:121:603::/64' valid-lifetime 2592000 +set interfaces switch switch0 ipv6 router-advert reachable-time 0 +set interfaces switch switch0 ipv6 router-advert retrans-timer 0 +set interfaces switch switch0 ipv6 router-advert send-advert true +set interfaces switch switch0 mtu 1500 +set interfaces switch switch0 switch-port interface eth1 +set interfaces switch switch0 switch-port interface eth2 +set interfaces switch switch0 switch-port interface eth3 +set interfaces switch switch0 switch-port interface eth4 +set interfaces switch switch0 switch-port vlan-aware disable +set interfaces wireguard wg0 address 10.255.1.2/24 +set interfaces wireguard wg0 listen-port 51822 +set interfaces wireguard wg0 mtu 1384 +set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0 +set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips '::0/0' +set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 'vpn01.fftdf.de:42001' +set interfaces wireguard wg0 private-key /config/auth/wg.key +set interfaces wireguard wg0 route-allowed-ips false +set protocols static interface-route6 '::/0' next-hop-interface wg0 +set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1 +set protocols static table 2 route6 '::0/0' next-hop '2a03:2260:121:602::2' +set protocols static table 2 route6 '::/0' next-hop '2a03:2260:121:602::2' +set service dhcp-server disabled false +set service dhcp-server hostfile-update disable +set service dhcp-server shared-network-name LAN authoritative enable +set service dhcp-server shared-network-name LAN subnet 10.1.0.1/24 default-router 10.1.0.1/24 +set service dhcp-server shared-network-name LAN subnet 10.1.0.1/24 dns-server 10.1.0.1/24 +set service dhcp-server shared-network-name LAN subnet 10.1.0.1/24 lease 86400 +set service dhcp-server shared-network-name LAN subnet 10.1.0.1/24 start 10.1.0.38 stop 10.1.0.243 +set service 
dhcp-server static-arp disable
+set service dhcp-server use-dnsmasq disable
+set service dns forwarding cache-size 150
+set service dns forwarding listen-on switch0
+set service gui http-port 80
+set service gui https-port 443
+set service gui older-ciphers enable
+set service nat rule 5010 description 'masquerade for VPN'
+set service nat rule 5010 outbound-interface wg0
+set service nat rule 5010 protocol all
+set service nat rule 5010 type masquerade
+set service ssh port 22
+set service ssh protocol-version v2
+set service unms
+set system host-name edge1
+set system time-zone UTC
\ No newline at end of file
diff --git a/edgerouter_configs/edge1.md b/edgerouter_configs/edge1.md
new file mode 100755
index 0000000..2a7c6c3
--- /dev/null
+++ b/edgerouter_configs/edge1.md
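Review bot: This root-level `edge1.md` looks like a hand-kept copy of the role output and already diverges from `edgerouter_configs/edge1.md` in the same commit — `set interfaces wireguard wg0 mtu 1384` here versus `mtu 1355` there and in `edgerouter.conf.j2` — and nothing in the role writes to the repository root, so the two will keep drifting. Dropping this copy (or pointing the role's `dest` at a single location) leaves one source of truth for what is actually loaded on the router. If a reference copy is wanted, a first line such as `<!-- generated from roles/01-vpn-router-config/templates/edgerouter.conf.j2, do not edit by hand -->` would at least flag it.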
@@ -0,0 +1,121 @@ +## Install Wireguard +cd /tmp +curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb +sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb + +#### +cd /config/auth +wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public +cat wg.public +cat wg.key +#### + +set firewall all-ping enable +set firewall broadcast-ping disable +set firewall group network-group LAN-VPN-V6 description 'Networks on LAN destined to go out VPN by default' +set firewall group ipv6-network-group LAN-VPN-V6 ipv6-network '2a03:2260:121:603::/64' +set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default' +set firewall group network-group LAN-VPN network 10.1.0.0/16 + +set firewall ipv6-modify LAN_to_VPN_V6 rule 1 action modify +set firewall ipv6-modify LAN_to_VPN_V6 rule 1 modify table 2 +set firewall ipv6-modify LAN_to_VPN_V6 rule 1 source group ipv6-network-group LAN-VPN-V6 +set firewall ipv6-modify LAN_to_VPN_V6 rule 100 description 'Route traffic from group LAN-VPN through LAN_to_VPN_V6 table' +set firewall ipv6-receive-redirects disable +set firewall ipv6-src-route disable +set firewall ip-src-route disable +set firewall log-martians enable +set firewall modify LAN_to_VPN rule 100 action modify +set firewall modify LAN_to_VPN rule 100 description 'Route traffic from group LAN-VPN through LAN_to_VPN table' +set firewall modify LAN_to_VPN rule 100 modify table 2 +set firewall modify LAN_to_VPN rule 100 source group network-group LAN-VPN +set firewall name WAN_LOCAL default-action drop +set firewall name WAN_LOCAL rule 20 action accept +set firewall name WAN_LOCAL rule 20 description WireGuard +set firewall name WAN_LOCAL rule 20 destination port 51821 +set firewall name WAN_LOCAL rule 20 protocol udp +set firewall options mss-clamp interface-type all +set firewall options mss-clamp mss 1350 +set firewall options mss-clamp6 interface-type all +set 
firewall options mss-clamp6 mss 1350 +set firewall receive-redirects disable +set firewall send-redirects enable +set firewall source-validation disable +set firewall syn-cookies enable +set interfaces ethernet eth0 address dhcp +set interfaces ethernet eth0 description 'Internet via DHCP' +set interfaces ethernet eth0 duplex auto +set interfaces ethernet eth0 speed auto +set interfaces ethernet eth1 description Local +set interfaces ethernet eth1 duplex auto +set interfaces ethernet eth1 speed auto +set interfaces ethernet eth2 description Local +set interfaces ethernet eth2 duplex auto +set interfaces ethernet eth2 speed auto +set interfaces ethernet eth3 description Local +set interfaces ethernet eth3 duplex auto +set interfaces ethernet eth3 speed auto +set interfaces ethernet eth4 description Local +set interfaces ethernet eth4 duplex auto +set interfaces ethernet eth4 poe output off +set interfaces ethernet eth4 speed auto +set interfaces loopback lo +set interfaces switch switch0 address 10.1.0.1/24 +set interfaces switch switch0 address '2a03:2260:121:603::1/64' +set interfaces switch switch0 description Local +set interfaces switch switch0 firewall in ipv6-modify LAN_to_VPN_V6 +set interfaces switch switch0 firewall in modify LAN_to_VPN +set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1 +set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64 +set interfaces switch switch0 ipv6 router-advert link-mtu 0 +set interfaces switch switch0 ipv6 router-advert managed-flag true +set interfaces switch switch0 ipv6 router-advert max-interval 600 +set interfaces switch switch0 ipv6 router-advert name-server '2606:4700:4700::1111' +set interfaces switch switch0 ipv6 router-advert other-config-flag false +set interfaces switch switch0 ipv6 router-advert prefix '2a03:2260:121:603::/64' autonomous-flag true +set interfaces switch switch0 ipv6 router-advert prefix '2a03:2260:121:603::/64' on-link-flag true +set interfaces switch switch0 ipv6 
router-advert prefix '2a03:2260:121:603::/64' valid-lifetime 2592000 +set interfaces switch switch0 ipv6 router-advert reachable-time 0 +set interfaces switch switch0 ipv6 router-advert retrans-timer 0 +set interfaces switch switch0 ipv6 router-advert send-advert true +set interfaces switch switch0 mtu 1500 +set interfaces switch switch0 switch-port interface eth1 +set interfaces switch switch0 switch-port interface eth2 +set interfaces switch switch0 switch-port interface eth3 +set interfaces switch switch0 switch-port interface eth4 +set interfaces switch switch0 switch-port vlan-aware disable +set interfaces wireguard wg0 address 10.255.1.2/24 +set interfaces wireguard wg0 listen-port 51822 +set interfaces wireguard wg0 mtu 1355 +set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0 +set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips '::0/0' +set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 'vpn01.fftdf.de:42001' +set interfaces wireguard wg0 private-key /config/auth/wg.key +set interfaces wireguard wg0 route-allowed-ips false +set protocols static interface-route6 '::/0' next-hop-interface wg0 +set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1 +set protocols static table 2 route6 '::0/0' next-hop '2a03:2260:121:602::2' +set protocols static table 2 route6 '::/0' next-hop '2a03:2260:121:602::2' +set service dhcp-server disabled false +set service dhcp-server hostfile-update disable +set service dhcp-server shared-network-name LAN authoritative enable +set service dhcp-server shared-network-name LAN subnet 10.1.0.1/24 default-router 10.1.0.1/24 +set service dhcp-server shared-network-name LAN subnet 10.1.0.1/24 dns-server 10.1.0.1/24 +set service dhcp-server shared-network-name LAN subnet 10.1.0.1/24 lease 86400 +set service dhcp-server shared-network-name LAN subnet 10.1.0.1/24 start 10.1.0.38 stop 10.1.0.243 +set service 
dhcp-server static-arp disable
+set service dhcp-server use-dnsmasq disable
+set service dns forwarding cache-size 150
+set service dns forwarding listen-on switch0
+set service gui http-port 80
+set service gui https-port 443
+set service gui older-ciphers enable
+set service nat rule 5010 description 'masquerade for VPN'
+set service nat rule 5010 outbound-interface wg0
+set service nat rule 5010 protocol all
+set service nat rule 5010 type masquerade
+set service ssh port 22
+set service ssh protocol-version v2
+set service unms
+set system host-name edge1
+set system time-zone UTC
\ No newline at end of file
diff --git a/er-test.yml b/er-test.yml
new file mode 100644
index 0000000..05f9ff9
--- /dev/null
+++ b/er-test.yml
@@ -0,0 +1,5 @@
+# ansible-playbook -i hosts.yml er-test.yml
+- name: System preperation
+ hosts: edge_router
+ roles:
+ - 01-vpn-router-config
\ No newline at end of file
diff --git a/host_vars/edge1.yml b/host_vars/edge1.yml
new file mode 100644
index 0000000..56e2c82
--- /dev/null
+++ b/host_vars/edge1.yml
@@ -0,0 +1,13 @@
+ansible_host: localhost
+ansible_connection: local
+ansible_python_interpreter: /usr/bin/python3
+
+ipv4_network: 10.1.0.0/16
+ipv4_address: 10.1.0.1/24
+ipv6_network: 2a03:2260:121:603::/64
+ipv6_address: 2a03:2260:121:603::1/64
+wireguard_address: 10.255.1.2/24
+wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s=
+wiregurad_v4: 10.255.1.1
+wireguard_v6: 2a03:2260:121:602::2
+
diff --git a/host_vars/vpn01/vars.yml b/host_vars/vpn01/vars.yml
index b83f6b2..23abd4b 100644
--- a/host_vars/vpn01/vars.yml
+++ b/host_vars/vpn01/vars.yml
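Review bot: The key-generation prelude at the top of this file writes the private key with whatever umask the login shell has (world-readable with the usual 022) and then prints it with `cat wg.key`, so the key lands in terminal scrollback and any session log; `(umask 077; wg genkey | tee /config/auth/wg.key | wg pubkey > /config/auth/wg.public)` followed by `cat /config/auth/wg.public` alone is sufficient — the private key never needs to be displayed. The `.deb` is fetched with `curl -OL` and installed with no checksum or signature check, so a pinned `sha256sum -c` of the release asset belongs between the two commands. Both issues are rendered from `edgerouter.conf.j2`, so the fix has to go into the template; this copy is overwritten on the next run and is also committed with mode 100755, which a text file does not need.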
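Review bot: `System preperation` is misspelled and does not say what the play does; since the role only renders a file locally, `- name: Render EdgeOS configuration for edge routers` would be clearer. The leading comment could also state that the output appears in `edgerouter_configs/<host>.md` and is, as far as this playbook goes, not pushed to the router by Ansible — which is not obvious from the play itself.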
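Review bot: `wiregurad_v4` is misspelled (compare `wireguard_v6` on the next line); the same misspelling is carried into `edgerouter.conf.j2` and `host_vars/vpn01/vars.yml`, so renaming it to `wireguard_v4` has to be done in all three places in one go. `wireguard_public`, `wiregurad_v4` and `wireguard_v6` describe the vpn01 end of the tunnel rather than edge1 and are duplicated verbatim in vpn01's host_vars in this commit, so a group-level vars file (or referencing `hostvars['vpn01']`) would avoid keeping two copies in sync.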
@@ -19,10 +19,13 @@ core_router: 172.16.7.1
 ipv6_network: 2a03:2260:121:600::/58
 wireguard_address: "10.255.1.1/24, 2a03:2260:121:602::2/64"
 wireguard_port: 42001
+wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s=
+wiregurad_v4: 10.255.1.1
+wireguard_v6: 2a03:2260:121:602::2
 wireguard_unmanaged_peers:
 vpn1-testing:
- public_key: dEqGBiASx0gY1T/m4chRkeWhF+4XmzmjLKLXXbe+rmg=
+ public_key: eoC9nkNTO+aWn1rkMPGguzeBAwBvK8Ob5N52MGoHEBA=
 allowed_ips: 10.255.1.2/32, 10.1.0.0/16, fd80:3ea2:e399:203a::2/128
 persistent_keepalive: 25
 vpn2-lindenstr-h07:
@@ -40,4 +43,4 @@ wireguard_unmanaged_peers:
 vpn5-stefan:
 public_key: UHaYitx18sO71Ssk2SVUgdjLaAILbCthCmosU+Fs5Es=
 allowed_ips: 10.255.1.6/32, 10.5.0.0/16, 2a03:2260:121:601::/64
- persistent_keepalive: 25
\ No newline at end of file
+ persistent_keepalive: 25
diff --git a/hosts.yml b/hosts.yml
index 865aa5d..48bb710 100644
--- a/hosts.yml
+++ b/hosts.yml
@@ -15,4 +15,7 @@ all:
 vpn-offloader:
 hosts:
 vpn01:
+ edge_router:
+ hosts:
+ edge1:
\ No newline at end of file
diff --git a/roles/01-vpn-router-config/tasks/main.yml b/roles/01-vpn-router-config/tasks/main.yml
new file mode 100644
index 0000000..c21e3a4
--- /dev/null
+++ b/roles/01-vpn-router-config/tasks/main.yml
@@ -0,0 +1,11 @@
+- name: create config directory
+ file:
+ path: '{{ playbook_dir }}/edgerouter_configs/'
+ state: directory
+
+- name: Generate EdgeOS Config
+ ansible.builtin.template:
+ src: edgerouter.conf.j2
+ dest: '{{ playbook_dir }}/edgerouter_configs/{{ inventory_hostname }}.md'
+ mode: 0755
+
\ No newline at end of file
diff --git a/roles/01-vpn-router-config/templates/edgerouter.conf.j2 b/roles/01-vpn-router-config/templates/edgerouter.conf.j2
new file mode 100644
index 0000000..cc0f367
--- /dev/null
+++ b/roles/01-vpn-router-config/templates/edgerouter.conf.j2
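Review bot: The `vpn1-testing` peer's `allowed_ips` still lists only `fd80:3ea2:e399:203a::2/128` on the IPv6 side, while the edge router in this same commit policy-routes its LAN prefix `2a03:2260:121:603::/64` into wg0 (`ipv6-network-group LAN-VPN-V6` → table 2 → `wireguard_v6`); WireGuard's cryptokey routing on vpn01 drops inbound packets whose source is not in the peer's allowed IPs, so LAN IPv6 will not pass unless the prefix is added: `allowed_ips: 10.255.1.2/32, 10.1.0.0/16, fd80:3ea2:e399:203a::2/128, 2a03:2260:121:603::/64`. Whether the `fd80:` address is still in use is not visible here; if it was replaced by the global prefix it can go. The three new top-level keys (`wireguard_public`, `wiregurad_v4`, `wireguard_v6`) duplicate `host_vars/edge1.yml` byte for byte and describe vpn01 itself, so a shared group_vars entry would be the natural home; `wiregurad_v4` is also misspelled.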
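Review bot: `mode: 0755` on the rendered EdgeOS config marks a plain text file executable for no reason (git records the committed copy as 100755), and the unquoted octal is easy to misread; `mode: '0644'` is what the file needs. The first task uses the short module name `file:` while the second uses `ansible.builtin.template:`; `ansible.builtin.file:` keeps the role consistent with itself.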
@@ -0,0 +1,121 @@ +## Install Wireguard +cd /tmp +curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb +sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb + +#### +cd /config/auth +wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public +cat wg.public +cat wg.key +#### + +set firewall all-ping enable +set firewall broadcast-ping disable +set firewall group network-group LAN-VPN-V6 description 'Networks on LAN destined to go out VPN by default' +set firewall group ipv6-network-group LAN-VPN-V6 ipv6-network '{{ ipv6_network }}' +set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default' +set firewall group network-group LAN-VPN network {{ ipv4_network }} + +set firewall ipv6-modify LAN_to_VPN_V6 rule 1 action modify +set firewall ipv6-modify LAN_to_VPN_V6 rule 1 modify table 2 +set firewall ipv6-modify LAN_to_VPN_V6 rule 1 source group ipv6-network-group LAN-VPN-V6 +set firewall ipv6-modify LAN_to_VPN_V6 rule 100 description 'Route traffic from group LAN-VPN through LAN_to_VPN_V6 table' +set firewall ipv6-receive-redirects disable +set firewall ipv6-src-route disable +set firewall ip-src-route disable +set firewall log-martians enable +set firewall modify LAN_to_VPN rule 100 action modify +set firewall modify LAN_to_VPN rule 100 description 'Route traffic from group LAN-VPN through LAN_to_VPN table' +set firewall modify LAN_to_VPN rule 100 modify table 2 +set firewall modify LAN_to_VPN rule 100 source group network-group LAN-VPN +set firewall name WAN_LOCAL default-action drop +set firewall name WAN_LOCAL rule 20 action accept +set firewall name WAN_LOCAL rule 20 description WireGuard +set firewall name WAN_LOCAL rule 20 destination port 51821 +set firewall name WAN_LOCAL rule 20 protocol udp +set firewall options mss-clamp interface-type all +set firewall options mss-clamp mss 1350 +set firewall options mss-clamp6 interface-type all +set 
firewall options mss-clamp6 mss 1350 +set firewall receive-redirects disable +set firewall send-redirects enable +set firewall source-validation disable +set firewall syn-cookies enable +set interfaces ethernet eth0 address dhcp +set interfaces ethernet eth0 description 'Internet via DHCP' +set interfaces ethernet eth0 duplex auto +set interfaces ethernet eth0 speed auto +set interfaces ethernet eth1 description Local +set interfaces ethernet eth1 duplex auto +set interfaces ethernet eth1 speed auto +set interfaces ethernet eth2 description Local +set interfaces ethernet eth2 duplex auto +set interfaces ethernet eth2 speed auto +set interfaces ethernet eth3 description Local +set interfaces ethernet eth3 duplex auto +set interfaces ethernet eth3 speed auto +set interfaces ethernet eth4 description Local +set interfaces ethernet eth4 duplex auto +set interfaces ethernet eth4 poe output off +set interfaces ethernet eth4 speed auto +set interfaces loopback lo +set interfaces switch switch0 address {{ ipv4_address }} +set interfaces switch switch0 address '{{ ipv6_address }}' +set interfaces switch switch0 description Local +set interfaces switch switch0 firewall in ipv6-modify LAN_to_VPN_V6 +set interfaces switch switch0 firewall in modify LAN_to_VPN +set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1 +set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64 +set interfaces switch switch0 ipv6 router-advert link-mtu 0 +set interfaces switch switch0 ipv6 router-advert managed-flag true +set interfaces switch switch0 ipv6 router-advert max-interval 600 +set interfaces switch switch0 ipv6 router-advert name-server '2606:4700:4700::1111' +set interfaces switch switch0 ipv6 router-advert other-config-flag false +set interfaces switch switch0 ipv6 router-advert prefix '{{ ipv6_network }}' autonomous-flag true +set interfaces switch switch0 ipv6 router-advert prefix '{{ ipv6_network }}' on-link-flag true +set interfaces switch switch0 ipv6 router-advert 
prefix '{{ ipv6_network }}' valid-lifetime 2592000 +set interfaces switch switch0 ipv6 router-advert reachable-time 0 +set interfaces switch switch0 ipv6 router-advert retrans-timer 0 +set interfaces switch switch0 ipv6 router-advert send-advert true +set interfaces switch switch0 mtu 1500 +set interfaces switch switch0 switch-port interface eth1 +set interfaces switch switch0 switch-port interface eth2 +set interfaces switch switch0 switch-port interface eth3 +set interfaces switch switch0 switch-port interface eth4 +set interfaces switch switch0 switch-port vlan-aware disable +set interfaces wireguard wg0 address {{ wireguard_address }} +set interfaces wireguard wg0 listen-port 51822 +set interfaces wireguard wg0 mtu 1355 +set interfaces wireguard wg0 peer {{ wireguard_public }} allowed-ips 0.0.0.0/0 +set interfaces wireguard wg0 peer {{ wireguard_public }} allowed-ips '::0/0' +set interfaces wireguard wg0 peer {{ wireguard_public }} endpoint 'vpn01.fftdf.de:42001' +set interfaces wireguard wg0 private-key /config/auth/wg.key +set interfaces wireguard wg0 route-allowed-ips false +set protocols static interface-route6 '::/0' next-hop-interface wg0 +set protocols static table 2 route 0.0.0.0/0 next-hop {{ wiregurad_v4 }} +set protocols static table 2 route6 '::0/0' next-hop '{{ wireguard_v6 }}' +set protocols static table 2 route6 '::/0' next-hop '{{ wireguard_v6 }}' +set service dhcp-server disabled false +set service dhcp-server hostfile-update disable +set service dhcp-server shared-network-name LAN authoritative enable +set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }} default-router {{ ipv4_address }} +set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }} dns-server {{ ipv4_address }} +set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }} lease 86400 +set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }} start 10.1.0.38 stop 10.1.0.243 +set service dhcp-server static-arp 
disable
+set service dhcp-server use-dnsmasq disable
+set service dns forwarding cache-size 150
+set service dns forwarding listen-on switch0
+set service gui http-port 80
+set service gui https-port 443
+set service gui older-ciphers enable
+set service nat rule 5010 description 'masquerade for VPN'
+set service nat rule 5010 outbound-interface wg0
+set service nat rule 5010 protocol all
+set service nat rule 5010 type masquerade
+set service ssh port 22
+set service ssh protocol-version v2
+set service unms
+set system host-name {{ inventory_hostname }}
+set system time-zone UTC
\ No newline at end of file
diff --git a/roles/21-install-wireguard/templates/wg.conf.j2 b/roles/21-install-wireguard/templates/wg.conf.j2
index f122784..1661f01 100644
--- a/roles/21-install-wireguard/templates/wg.conf.j2
+++ b/roles/21-install-wireguard/templates/wg.conf.j2
@@ -7,6 +7,7 @@ Address = {{ wireguard_address }}
 PrivateKey = {{ wireguard_private_key }}
 ListenPort = {{ wireguard_port }}
+MTU = 1355
 PostUp = ip rule add fwmark 0x4 table 42 && iptables -t mangle -A PREROUTING -s 10.255.0.0/16 ! -d 10.0.0.0/8 -j MARK --set-mark 4 && ip route add default via 172.16.7.1 table 42
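Review bot: The `WAN_LOCAL` ruleset (default-action drop) is defined but never bound to an interface — there is no `set interfaces ethernet eth0 firewall local name WAN_LOCAL` and no `WAN_IN`/`firewall in` on eth0 at all — so on the DHCP-facing eth0 the router's own services from this hunk (`ssh port 22`, `gui http-port 80`/`https-port 443` with `older-ciphers enable`, `unms`) are reachable from the internet and forwarded traffic into the LAN is unfiltered. Binding it as written would also break things: the only accept rule is for udp/51821 while `wg0 listen-port` is 51822, and there is no established/related rule, so replies to the router's own outbound traffic (WireGuard handshake responses, upstream DNS answers, UNMS) would hit the default drop. No `ipv6-name` ruleset is attached to wg0 or switch0 either; since switch0 advertises a global prefix (`{{ ipv6_network }}`) and the v6 default route is via wg0, LAN hosts look directly reachable over IPv6 through the tunnel if vpn01 routes that prefix back — worth confirming. The lines below add the stateful rules, fix the port and bind the rulesets to eth0; an `ipv6-name` pair for wg0 should follow the same pattern.
```jinja2
{# … unchanged: install prelude, groups, modify rules … #}
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 destination port 51822
{# … unchanged: remaining WAN_LOCAL rule 20 lines, mss-clamp, options … #}
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL
{# … unchanged: eth1–eth4, switch0, wg0, routes, services … #}
```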