Template: cloud-router/local_addrs
Type: string
Description: Local WAN IP address(es)
 Comma-separated list of local WAN IP addresses that strongSwan binds on
 for the site-to-site and road-warrior tunnels (e.g. 10.1.2.3).

Template: cloud-router/local_fqdn
Type: string
Description: Local router FQDN
 Fully-qualified domain name of this router (e.g. router.example.com).
 Used as the road-warrior server identity and certificate CN.

Template: cloud-router/local_id_mode
Type: select
Choices: fqdn, public_ip, internal_ip
Default: fqdn
Description: IKE local identity mode
 How to derive the IKE identity advertised to the remote site:
  fqdn — use the FQDN (default; requires matching on remote side)
  public_ip — resolve the public IP from DNS at first boot
  internal_ip — use the local WAN IP address

Template: cloud-router/local_cidrs
Type: string
Description: Local subnet CIDR(s)
 Comma-separated list of local subnet CIDRs to advertise into the
 site-to-site tunnel (e.g. 10.0.0.0/24 or 10.0.0.0/24,10.0.1.0/24).

Template: cloud-router/remote_addrs
Type: string
Description: Remote site WAN IP address(es)
 Comma-separated list of remote site WAN IP addresses for the
 site-to-site IPSec tunnel.

Template: cloud-router/remote_id
Type: string
Description: Remote site IKE identity
 IKE identity of the remote peer (FQDN, without leading @).

Template: cloud-router/psk
Type: password
Description: Pre-shared key (PSK)
 Pre-shared key for the site-to-site IKEv2 tunnel. Must match the value
 configured on the remote peer.

Template: cloud-router/remote_cidrs
Type: string
Description: Remote subnet CIDR(s)
 Comma-separated list of remote subnet CIDRs for the site-to-site tunnel
 (e.g. 192.168.0.0/24).

Template: cloud-router/router_int_gateway_ip
Type: string
Description: Internal network gateway IP
 IP address of the next-hop gateway on the internal NIC (eth1). Used in
 the netplan route for the local subnet.

Template: cloud-router/p2s_address_pool
Type: string
Description: Road-warrior address pool
 CIDR block assigned to road-warrior VPN clients (e.g. 172.16.0.0/24).

Template: cloud-router/wg_enabled
Type: boolean
Default: false
Description: Enable WireGuard VPN?
 If true, WireGuard is configured on wg0 and its UFW rules are installed.

Template: cloud-router/wg_address
Type: string
Default: 10.0.1.1/24
Description: WireGuard interface address
 IP address and prefix length for the wg0 interface (e.g. 10.0.1.1/24).
 Only used when WireGuard is enabled.

Template: cloud-router/wg_listen_port
Type: string
Default: 51820
Description: WireGuard listen port
 UDP port that WireGuard listens on. Only used when WireGuard is enabled.