wireguard: derive allowed ips from given id

PolynomialDivision · PolynomialDivision · commit a878f46ff7e5 · 2026-03-22T20:48:25.000+01:00
Instead of having to manually write down entire ip addresses, just use
an id to identify a peer.
diff --git a/locations/scharni.yml b/locations/scharni.yml
@@ -122,15 +122,11 @@ wireguard_access:
   peers:
     - description: "Test"
       public_key: "5dkLlAtOqcoT7ocNYnLvyJ5pIippsxBXgFJvtVoI0yI=" # gitleaks:allow
-      allowed_ips:
-        - "10.248.105.130/32"
-        - "2001:bf7:830:842a::2/128"
+      id: 2
       persistent_keepalive: 25
     - description: "Friend"
       public_key: "iBUwLV7EU5odRoiK1GxQGNP1QruBbPp8Lk50yJ/iMno=" # gitleaks:allow
-      allowed_ips:
-        - "10.248.105.131/32"
-        - "2001:bf7:830:842a::3/128"
+      id: 3
       persistent_keepalive: 25
 
 location_scharni__channel_assignments_11a_standard__to_merge:
diff --git a/roles/cfg_openwrt/templates/common/config/network.j2 b/roles/cfg_openwrt/templates/common/config/network.j2
@@ -137,9 +137,16 @@ config wireguard_wg_access
 {% if 'preshared_key' in peer %}
 	option preshared_key '{{ peer['preshared_key'] }}'
 {% endif %}
+{% if 'id' in peer %}
+	list allowed_ips '{{ wg_ipv6_subnet | ansible.utils.ipaddr(peer['id']) | ansible.utils.ipaddr('address') }}/128'
+{% if wg_has_ipv4 %}
+	list allowed_ips '{{ wireguard_access['prefix'] | ansible.utils.ipaddr(peer['id']) | ansible.utils.ipaddr('address') }}/32'
+{% endif %}
+{% else %}
 {% for allowed_ip in peer['allowed_ips'] %}
 	list allowed_ips '{{ allowed_ip }}'
 {% endfor %}
+{% endif %}
 {% if 'persistent_keepalive' in peer %}
 	option persistent_keepalive '{{ peer['persistent_keepalive'] }}'
 {% endif %}
