Template: cloud-router/local_addrs
Type: string
Description: Local WAN IP address(es)
 Comma-separated list of local WAN IP addresses that strongSwan binds on
 for the site-to-site and road-warrior tunnels (e.g. 10.1.2.3).

Template: cloud-router/local_fqdn
Type: string
Description: Local router FQDN
 Fully-qualified domain name of this router (e.g. router.example.com).
 Used as the road-warrior server identity and certificate CN.

Template: cloud-router/local_id_mode
Type: select
Choices: fqdn, public_ip, internal_ip
Default: fqdn
Description: IKE local identity mode
 How to derive the IKE identity advertised to the remote site:
  fqdn — use the FQDN (default; requires matching on remote side)
  public_ip — resolve the public IP from DNS at first boot
  internal_ip — use the local WAN IP address

Template: cloud-router/local_cidrs
Type: string
Description: Local subnet CIDR(s)
 Comma-separated list of local subnet CIDRs to advertise into the
 site-to-site tunnel (e.g. 10.0.0.0/24 or 10.0.0.0/24,10.0.1.0/24).

Template: cloud-router/remote_addrs
Type: string
Description: Remote site WAN IP address(es)
 Comma-separated list of remote site WAN IP addresses for the
 site-to-site IPsec tunnel.

Template: cloud-router/remote_id
Type: string
Description: Remote site IKE identity
 IKE identity of the remote peer (FQDN, without leading @).

Template: cloud-router/psk
Type: password
Description: Pre-shared key (PSK)
 Pre-shared key for the site-to-site IKEv2 tunnel. Must match the
 value configured on the remote peer.

Template: cloud-router/remote_cidrs
Type: string
Description: Remote subnet CIDR(s)
 Comma-separated list of remote subnet CIDRs for the site-to-site
 tunnel (e.g. 192.168.0.0/24).

Template: cloud-router/router_int_gateway_ip
Type: string
Description: Internal network gateway IP
 IP address of the next-hop gateway on the internal NIC (eth1).
 Used in the netplan route for the local subnet.

Template: cloud-router/p2s_address_pool
Type: string
Description: Road-warrior address pool
 CIDR block assigned to road-warrior VPN clients (e.g. 172.16.0.0/24).

Template: cloud-router/wg_enabled
Type: boolean
Default: false
Description: Enable WireGuard VPN?
 If true, WireGuard is configured on wg0 and its UFW rules are installed.

Template: cloud-router/wg_address
Type: string
Default: 10.0.1.1/24
Description: WireGuard interface address
 IP address and prefix length for the wg0 interface (e.g. 10.0.1.1/24).
 Only used when WireGuard is enabled.

Template: cloud-router/wg_listen_port
Type: string
Default: 51820
Description: WireGuard listen port
 UDP port that WireGuard listens on. Only used when WireGuard is enabled.
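Added example, not part of the cloud-router package: a POSIX sh syntax check for the address, CIDR, port and PSK answers defined by the templates above, of the kind a package config or postinst script would run before handing the values to strongSwan or netplan. The template names are the ones on this page; the function names and the idea of re-prompting on a failed check are assumptions.

```shell
#!/bin/sh
# Validators for the cloud-router debconf answers (added example, not the
# package's own scripts). Plain POSIX sh, no debconf confmodule needed; a
# config script would loop db_input/db_get until validate_value accepts.

# is_ipv4 ADDR: dotted quad, four octets 0-255
is_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldIFS=$IFS; IFS=.; set -f; set -- $1; set +f; IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# is_ipv4_cidr ADDR/PLEN: IPv4 address plus prefix length 0-32
is_ipv4_cidr() {
    case $1 in */*/*) return 1 ;; esac
    addr=${1%/*}; plen=${1#*/}
    [ "$addr" != "$1" ] || return 1          # no "/" at all
    is_ipv4 "$addr" || return 1
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ ${#plen} -le 2 ] && [ "$plen" -le 32 ]
}

# check_list VALIDATOR LIST: every comma-separated item passes VALIDATOR;
# empty items are rejected (",10.0.0.1", "10.0.0.1,", "a,,b")
check_list() {
    v=$1
    case $2 in ''|,*|*,|*,,*) return 1 ;; esac
    oldIFS=$IFS; IFS=,; set -f; set -- $2; set +f; IFS=$oldIFS
    for item in "$@"; do
        "$v" "$item" || return 1
    done
}

# validate_value TEMPLATE VALUE: 0 if VALUE is syntactically acceptable
validate_value() {
    case $1 in
        cloud-router/local_addrs|cloud-router/remote_addrs) check_list is_ipv4 "$2" ;;
        cloud-router/local_cidrs|cloud-router/remote_cidrs) check_list is_ipv4_cidr "$2" ;;
        cloud-router/p2s_address_pool|cloud-router/wg_address) is_ipv4_cidr "$2" ;;
        cloud-router/wg_listen_port)
            case $2 in ''|*[!0-9]*) return 1 ;; esac
            [ ${#2} -le 5 ] && [ "$2" -ge 1 ] && [ "$2" -le 65535 ] ;;
        cloud-router/psk) [ -n "$2" ] ;;        # an empty PSK can never match the peer
        *) return 0 ;;                          # free-text templates: no syntax check
    esac
}
```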