Template: cloud-router/local_addrs
Type: string
Description: Local WAN IP address(es)
 Comma-separated list of local WAN IP addresses that strongSwan binds to
 for the site-to-site and road-warrior tunnels (e.g. 10.1.2.3).

Template: cloud-router/local_fqdn
Type: string
Description: Local router FQDN
 Fully-qualified domain name of this router (e.g. router.example.com).
 Used as the road-warrior server identity and certificate CN.

Template: cloud-router/local_id_mode
Type: select
Choices: fqdn, public_ip, internal_ip
Default: fqdn
Description: IKE local identity mode
 How to derive the IKE identity advertised to the remote site:
  fqdn        — use the FQDN (default; requires matching on remote side)
  public_ip   — resolve the public IP from DNS at first boot
  internal_ip — use the local WAN IP address

Template: cloud-router/local_cidrs
Type: string
Description: Local subnet CIDR(s)
 Comma-separated list of local subnet CIDRs to advertise into the
 site-to-site tunnel (e.g. 10.0.0.0/24 or 10.0.0.0/24,10.0.1.0/24).

Template: cloud-router/remote_addrs
Type: string
Description: Remote site WAN IP address(es)
 Comma-separated list of remote site WAN IP addresses for the
 site-to-site IPsec tunnel.

Template: cloud-router/remote_id
Type: string
Description: Remote site IKE identity
 IKE identity of the remote peer (FQDN, without leading @).

Template: cloud-router/psk
Type: password
Description: Pre-shared key (PSK)
 Pre-shared key for the site-to-site IKEv2 tunnel. Must match the
 value configured on the remote peer.

Template: cloud-router/remote_cidrs
Type: string
Description: Remote subnet CIDR(s)
 Comma-separated list of remote subnet CIDRs for the site-to-site
 tunnel (e.g. 192.168.0.0/24).

Template: cloud-router/router_int_gateway_ip
Type: string
Description: Internal network gateway IP
 IP address of the next-hop gateway on the internal NIC (eth1).
 Used in the netplan route for the local subnet.

Template: cloud-router/p2s_address_pool
Type: string
Description: Road-warrior address pool
 CIDR block assigned to road-warrior VPN clients (e.g. 172.16.0.0/24).

Template: cloud-router/wg_enabled
Type: boolean
Default: false
Description: Enable WireGuard VPN?
 If true, WireGuard is configured on wg0 and its UFW rules are installed.

Template: cloud-router/wg_address
Type: string
Default: 10.0.1.1/24
Description: WireGuard interface address
 IP address and prefix length for the wg0 interface (e.g. 10.0.1.1/24).
 Only used when WireGuard is enabled.

Template: cloud-router/wg_listen_port
Type: string
Default: 51820
Description: WireGuard listen port
 UDP port that WireGuard listens on. Only used when WireGuard is enabled.
