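## Run the web-interface wizard
- WAN on eth0
- One LAN with address: {{ ipv4_address }}
Then continue on the console.

## Install WireGuard
# The package is downloaded from GitHub and installed as root without any
# integrity check. Verify the SHA-256 against the checksum published on the
# release page before dpkg runs. "-f" makes curl fail on an HTTP error instead
# of saving the error page under the .deb name.
cd /tmp
curl -fOL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
# TODO(review): replace the placeholder with the SHA-256 from the release page;
# dpkg only runs when the download matches it.
echo "<SHA256_FROM_RELEASE_PAGE>  e50-v2-v1.0.20211208-v1.0.20210914.deb" | sha256sum -c - \
  && sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb

## Generate the WireGuard key pair
# umask 077 keeps the private key unreadable for other users on the router.
# The existence guard stops a re-run from silently generating a new key and
# thereby breaking the peer registration on the server side.
cd /config/auth
if [ ! -e /config/auth/wg.key ]; then
  (umask 077; wg genkey | tee /config/auth/wg.key | wg pubkey > /config/auth/wg.public)
fi
chmod 600 /config/auth/wg.key
# Only the public key has to leave the device (the peer registers it). The
# private key is deliberately not printed to the console.
cat /config/auth/wg.public

## Router configuration (configure mode)
# Host hardening for the router itself.
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall receive-redirects disable
set firewall send-redirects enable
# NOTE(review): reverse-path filtering is off, presumably because strict
# source validation would drop the policy-routed traffic returning via wg0.
# Keep it off only for that reason.
set firewall source-validation disable
set firewall syn-cookies enable

# LAN prefixes whose traffic is sent through the tunnel by default.
set firewall group ipv6-network-group LAN-VPN-V6 description 'Networks on LAN destined to go out VPN by default'
set firewall group ipv6-network-group LAN-VPN-V6 ipv6-network '{{ ipv6_network }}'
set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
set firewall group network-group LAN-VPN network {{ ipv4_network }}

# Policy routing: mark traffic from the groups above so it uses table 2,
# whose default route points at wg0 (see "protocols static table 2" below).
set firewall ipv6-modify LAN_to_VPN_V6 rule 1 action modify
set firewall ipv6-modify LAN_to_VPN_V6 rule 1 description 'Route traffic from group LAN-VPN through LAN_to_VPN_V6 table'
set firewall ipv6-modify LAN_to_VPN_V6 rule 1 modify table 2
set firewall ipv6-modify LAN_to_VPN_V6 rule 1 source group ipv6-network-group LAN-VPN-V6
set firewall modify LAN_to_VPN rule 100 action modify
set firewall modify LAN_to_VPN rule 100 description 'Route traffic from group LAN-VPN through LAN_to_VPN table'
set firewall modify LAN_to_VPN rule 100 modify table 2
set firewall modify LAN_to_VPN rule 100 source group network-group LAN-VPN

# Inbound WireGuard on the WAN local chain. The port must equal the wg0
# listen-port below (the original rule allowed 51821 while wg0 listens on
# 51822, so inbound WireGuard packets were not covered by it). Rule 30 is used
# instead of 20 because the setup wizard normally seeds WAN_LOCAL with rule 10
# (accept established/related) and rule 20 (drop invalid); re-using number 20
# would overwrite the "drop invalid" rule with an accept -- TODO confirm
# against the wizard output on this device.
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description WireGuard
set firewall name WAN_LOCAL rule 30 destination port 51822
set firewall name WAN_LOCAL rule 30 protocol udp

# MSS clamping for the 1380-byte tunnel MTU. 1340 fits IPv4 (20+20 header
# bytes); for IPv6 (40+20) the same value still allows 1400-byte segments --
# NOTE(review): 1320 would be the strictly safe mss-clamp6 value, confirm.
set firewall options mss-clamp interface-type all
set firewall options mss-clamp mss 1340
set firewall options mss-clamp6 interface-type all
set firewall options mss-clamp6 mss 1340

# LAN side: switch0 bundles eth1-eth4 and carries the policy-routing chains.
set interfaces switch switch0 address {{ ipv4_address }}/24
# NOTE(review): a /24 on an IPv6 address looks like the IPv4 mask copied over;
# SLAAC (autonomous-flag true below) requires a /64 -- confirm ipv6_address.
set interfaces switch switch0 address '{{ ipv6_address }}/24'
set interfaces switch switch0 description Local
set interfaces switch switch0 firewall in ipv6-modify LAN_to_VPN_V6
set interfaces switch switch0 firewall in modify LAN_to_VPN
set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1
set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64
set interfaces switch switch0 ipv6 router-advert link-mtu 1328
# NOTE(review): managed-flag true advertises DHCPv6 for addresses, but no
# DHCPv6 server is configured here; hosts still get SLAAC addresses via the
# autonomous prefix below. Confirm this is intended.
set interfaces switch switch0 ipv6 router-advert managed-flag true
set interfaces switch switch0 ipv6 router-advert max-interval 600
# IPv6 clients are pointed directly at Cloudflare, whereas IPv4 clients get the
# router's forwarder via DHCP (see dhcp-server dns-server). Both paths go out
# through the tunnel for the LAN-VPN groups, but the two are inconsistent.
set interfaces switch switch0 ipv6 router-advert name-server '2606:4700:4700::1111'
set interfaces switch switch0 ipv6 router-advert other-config-flag false
set interfaces switch switch0 ipv6 router-advert prefix '{{ ipv6_network }}' autonomous-flag true
set interfaces switch switch0 ipv6 router-advert prefix '{{ ipv6_network }}' on-link-flag true
set interfaces switch switch0 ipv6 router-advert prefix '{{ ipv6_network }}' valid-lifetime 2592000
set interfaces switch switch0 ipv6 router-advert reachable-time 0
set interfaces switch switch0 ipv6 router-advert retrans-timer 0
set interfaces switch switch0 ipv6 router-advert send-advert true
set interfaces switch switch0 mtu 1500
set interfaces switch switch0 switch-port interface eth1
set interfaces switch switch0 switch-port interface eth2
set interfaces switch switch0 switch-port interface eth3
set interfaces switch switch0 switch-port interface eth4
set interfaces switch switch0 switch-port vlan-aware disable

# WireGuard tunnel to the upstream peer.
set interfaces wireguard wg0 address {{ wireguard_address }}
# NOTE(review): this IPv6 tunnel address is hard-coded while the IPv4 one is
# templated; every router rendered from this template gets the same ::1/64.
set interfaces wireguard wg0 address 2a03:2260:121:600::1/64
set interfaces wireguard wg0 listen-port 51822
set interfaces wireguard wg0 mtu 1380
set interfaces wireguard wg0 peer {{ wireguard_public }} allowed-ips 0.0.0.0/0
set interfaces wireguard wg0 peer {{ wireguard_public }} allowed-ips '::0/0'
set interfaces wireguard wg0 peer {{ wireguard_public }} endpoint 'vpn01.fftdf.de:42001'
set interfaces wireguard wg0 private-key /config/auth/wg.key
# allowed-ips 0/0 is intentionally NOT installed as a route in the main table;
# only table 2 (the policy-routed LAN groups) defaults to wg0, so the router's
# own traffic keeps using the WAN path.
set interfaces wireguard wg0 route-allowed-ips false
set protocols static table 2 interface-route 0.0.0.0/0 next-hop-interface wg0
set protocols static table 2 interface-route6 '::/0' next-hop-interface wg0

# DHCP for the LAN. The delete wipes whatever the wizard configured first.
delete service dhcp-server
set service dhcp-server disabled false
set service dhcp-server hostfile-update disable
set service dhcp-server shared-network-name LAN authoritative enable
set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }}/24 default-router {{ ipv4_address }}
set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }}/24 dns-server {{ ipv4_address }}
set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }}/24 lease 86400
set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }}/24 start {{ ipv4_dhcp_start }} stop {{ ipv4_dhcp_stop }}
set service dhcp-server static-arp disable
set service dhcp-server use-dnsmasq disable

# DNS forwarder listens on the LAN only (not on the WAN interface).
set service dns forwarding cache-size 150
set service dns forwarding listen-on switch0

# Source NAT for LAN traffic leaving through the tunnel.
set service nat rule 5010 description 'masquerade for VPN'
set service nat rule 5010 outbound-interface wg0
set service nat rule 5010 protocol all
set service nat rule 5010 type masquerade

set service unms
set service unms connection '{{ unms_vault_URL }}'
set system host-name {{ inventory_hostname }}
set system time-zone UTC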