diff --git a/web/__init__.py b/web/__init__.py
index 966e54e..7ce67ee 100644
--- a/web/__init__.py
+++ b/web/__init__.py
@@ -15,20 +15,21 @@ def create_app(test_config=None):
 'ldap_host': '',
 'ldap_user': '',
 'ldap_pass': '',
- 'ldap_base_dn': '',
- 'user_group': '',
+ 'ldap_base_dn': '', # search for VPN users under this DN
+ 'user_group': '', # limit VPN users to this LDAP group
 'oidc_server': '',
 'oidc_client_id': '',
 'oidc_client_secret': '',
- 'admin_group': '',
- 'admin_mail': '',
+ 'admin_group': '', # OIDC group for admin access
+ 'admin_mail': '', # where to report errors
+ 'no_nat_set': '', # name of destination IP set for which no NAT should be done
 'wg_endpoint': '',
 'wg_port': '51820',
 'wg_allowed_nets': '',
 'wg_dns': '',
 'wg_key': '',
- 'wg_net': '',
- 'wg_net6': '',
+ 'wg_net': '', # allocate wireguard IPv4 addresses from this prefix
+ 'wg_net6': '', # allocate wireguard IPv6 addresses from this prefix
 'version': 0,
 }
 
diff --git a/web/system.py b/web/system.py
index 3122967..cf0f056 100644
--- a/web/system.py
+++ b/web/system.py
@@ -131,10 +131,15 @@ def save_config():
 # Print dynamic NAT rules.
 with open(output / 'etc/nftables.d/nat.nft', 'w', encoding='utf-8') as f:
- nft_nat = 'iif @inside oif @outside ip saddr @{name} snat to {nat}\n'
+ no_nat_set = settings.get('no_nat_set')
+ nft_nat = 'iif @inside oif @outside ip saddr @{name}'
+ if no_nat_set:
+ # don’t NAT for these destination addresses
+ nft_nat += ' ip daddr != @{no_nat_set}'
+ nft_nat += ' snat to {nat}\n'
 for name, data in sets.items():
 if nat := data.get('nat'):
- f.write(nft_nat.format(name=name, nat=nat))
+ f.write(nft_nat.format(name=name, nat=nat, no_nat_set=no_nat_set))
 
 # Print forwarding rules.
 with open(output / 'etc/nftables.d/forward.nft', 'w', encoding='utf-8') as f:
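Review bot: The comment on the new `'no_nat_set'` default calls it a "destination IP set", but the value is consumed in web/system.py as an nftables set name (it is interpolated as `@{no_nat_set}`), so an operator reading this defaults dict may enter a prefix or address list and get a ruleset that does not load. I'd make the comment say what the value has to be: `'no_nat_set': '', # name of an existing nftables IPv4 set; traffic to addresses in it is not SNATed`. Where that set is defined is not visible in this diff, so I am inferring it must come from the static nftables configuration; if so, the comment should name that file. The defaults dict belongs to `create_app`, which starts before this hunk.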
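Review bot: `no_nat_set` is read from `settings` and spliced into the generated nat.nft rule as `@{no_nat_set}` with no check that it is a bare set identifier, so a value containing whitespace or nft syntax (for example a CIDR typed where a set name was expected) yields a rule that either fails to load or matches something other than intended, and the failure surfaces only when nft reads the file. Since this text is written to disk for nft to consume, I'd reject anything that is not an identifier before building the rule: `if no_nat_set and not re.fullmatch(r'[A-Za-z_][A-Za-z0-9_]*', no_nat_set): raise ValueError(f'no_nat_set is not an nftables set name: {no_nat_set!r}')` (assuming `re` is available in this module; otherwise an equivalent `str.isidentifier()` check). The added match is `ip daddr`, so the exemption is IPv4 only, consistent with the existing `ip saddr` match — worth stating in the `# don’t NAT …` comment so nobody expects it to cover the `wg_net6` traffic. `save_config` starts before this hunk and continues past it, and `settings` and `sets` are defined outside the visible lines.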