From d1ea4f2e3503bfed5cd372e62a83b617d18b4221 Mon Sep 17 00:00:00 2001
From: "David E. Myers"
Date: Sun, 6 Oct 2019 14:01:43 -0400
Subject: [PATCH] Use a variable for the port to avoid

---
 roles/common/templates/rules.v4.j2 | 9 +++++----
 roles/common/templates/rules.v6.j2 | 9 +++++----
 roles/wireguard/defaults/main.yml | 3 ++-
 roles/wireguard/templates/server.conf.j2 | 2 +-
 4 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/roles/common/templates/rules.v4.j2 b/roles/common/templates/rules.v4.j2
index 3e9934c..9708435 100644
--- a/roles/common/templates/rules.v4.j2
+++ b/roles/common/templates/rules.v4.j2
@@ -1,5 +1,5 @@
 {% set subnets = ([strongswan_network] if ipsec_enabled else []) + ([wireguard_network_ipv4] if wireguard_enabled else []) %}
-{% set ports = (['500', '4500'] if ipsec_enabled else []) + ([wireguard_port] if wireguard_enabled else []) + ([wireguard_port_alt] if wireguard_enabled and wireguard_port|int == 53 else []) %}
+{% set ports = (['500', '4500'] if ipsec_enabled else []) + ([wireguard_port] if wireguard_enabled else []) + ([wireguard_port_actual] if wireguard_enabled and wireguard_port|int == wireguard_port_avoid|int else []) %}
 #### The mangle table
 # This table allows us to modify packet headers
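Review bot: The new `ports` entry `wireguard_port_actual` is added without a comment saying why a second WireGuard port has to be open when the advertised port is the avoided one, and nothing in this hunk ties it to the nat-table REDIRECT further down the same template, so a reader of the filter rules will take it for a stray extra listener. I would put above the `set ports` line: `{# when wireguard_port is a port another service already binds (wireguard_port_avoid), the nat table redirects it to wireguard_port_actual, so the filter must accept that port as well #}`. The filter chain that consumes `ports` lies outside this hunk.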
@@ -29,9 +29,10 @@ COMMIT
 :PREROUTING ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
-{% if wireguard_enabled and wireguard_port|int == 53 %}
-# Handle the special case of allowing access to WireGuard over port 53
--A PREROUTING --in-interface {{ ansible_default_ipv4['interface'] }} -p udp --dport 53 -j REDIRECT --to-port {{ wireguard_port_alt }}
+{% if wireguard_enabled and wireguard_port|int == wireguard_port_avoid|int %}
+# Handle the special case of allowing access to WireGuard over an already used
+# port like 53
+-A PREROUTING --in-interface {{ ansible_default_ipv4['interface'] }} -p udp --dport {{ wireguard_port_avoid }} -j REDIRECT --to-port {{ wireguard_port_actual }}
 {% endif %}
 # Allow traffic from the VPN network to the outside world, and replies
 -A POSTROUTING -s {{ subnets|join(',') }} -m policy --pol none --dir out -j MASQUERADE
diff --git a/roles/common/templates/rules.v6.j2 b/roles/common/templates/rules.v6.j2
index c3d96a4..5969a95 100644
--- a/roles/common/templates/rules.v6.j2
+++ b/roles/common/templates/rules.v6.j2
@@ -1,5 +1,5 @@
 {% set subnets = ([strongswan_network_ipv6] if ipsec_enabled else []) + ([wireguard_network_ipv6] if wireguard_enabled else []) %}
-{% set ports = (['500', '4500'] if ipsec_enabled else []) + ([wireguard_port] if wireguard_enabled else []) + ([wireguard_port_alt] if wireguard_enabled and wireguard_port|int == 53 else []) %}
+{% set ports = (['500', '4500'] if ipsec_enabled else []) + ([wireguard_port] if wireguard_enabled else []) + ([wireguard_port_actual] if wireguard_enabled and wireguard_port|int == wireguard_port_avoid|int else []) %}
 #### The mangle table
 # This table allows us to modify packet headers
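Review bot: The REDIRECT rewrites the destination port before the filter table sees the datagram, so the filter rules must accept `wireguard_port_actual` as well as the advertised port; the `ports` list at the top of this template does that by adding it whenever the avoided port is in use, which also leaves `wireguard_port_actual` reachable directly from the network rather than only through the redirect. If only redirected traffic should be admitted, the accept for the actual port could be limited with `-m conntrack --ctstate DNAT`, though the filter section where `ports` is consumed is outside this hunk and I cannot confirm its shape. The practical exposure is small, since WireGuard does not answer unauthenticated datagrams, but the rule comment should state the mechanism instead of "an already used port like 53": `# wireguard_port is a port another service on this host binds; WireGuard listens on wireguard_port_actual instead, so rewrite the destination port here before filter INPUT sees it`. The rest of the nat section, including its COMMIT, is not shown in the hunk.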
@@ -28,9 +28,10 @@ COMMIT
 :PREROUTING ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
-{% if wireguard_enabled and wireguard_port|int == 53 %}
-# Handle the special case of allowing access to WireGuard over port 53
--A PREROUTING --in-interface {{ ansible_default_ipv6['interface'] }} -p udp --dport 53 -j REDIRECT --to-port {{ wireguard_port_alt }}
+{% if wireguard_enabled and wireguard_port|int == wireguard_port_avoid|int %}
+# Handle the special case of allowing access to WireGuard over an already used
+# port like 53
+-A PREROUTING --in-interface {{ ansible_default_ipv6['interface'] }} -p udp --dport {{ wireguard_port_avoid }} -j REDIRECT --to-port {{ wireguard_port_actual }}
 {% endif %}
 # Allow traffic from the VPN network to the outside world, and replies
 -A POSTROUTING -s {{ subnets|join(',') }} -m policy --pol none --dir out -j MASQUERADE
diff --git a/roles/wireguard/defaults/main.yml b/roles/wireguard/defaults/main.yml
index ebbb598..030511f 100644
--- a/roles/wireguard/defaults/main.yml
+++ b/roles/wireguard/defaults/main.yml
@@ -3,7 +3,8 @@ wireguard_PersistentKeepalive: 0
 wireguard_config_path: "configs/{{ IP_subject_alt_name }}/wireguard/"
 wireguard_pki_path: "{{ wireguard_config_path }}/.pki/"
 wireguard_interface: wg0
-wireguard_port_alt: 51820
+wireguard_port_avoid: 53
+wireguard_port_actual: 51820
 keys_clean_all: false
 wireguard_dns_servers: >-
 {% if algo_dns_adblocking|default(false)|bool or dns_encryption|default(false)|bool %}
diff --git a/roles/wireguard/templates/server.conf.j2 b/roles/wireguard/templates/server.conf.j2
index aba5d9b..0104f5f 100644
--- a/roles/wireguard/templates/server.conf.j2
+++ b/roles/wireguard/templates/server.conf.j2
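Review bot: The guard compares `wireguard_port_avoid|int`, but the rule renders the raw value in `--dport {{ wireguard_port_avoid }}`, so a non-numeric override compares as 0 in the condition (Jinja's `int` filter defaults to 0) while still producing an invalid `--dport` that ip6tables-restore rejects; `--to-port {{ wireguard_port_actual }}` has the same asymmetry. Rendering both with the same coercion keeps the rule consistent with its guard: `-A PREROUTING --in-interface {{ ansible_default_ipv6['interface'] }} -p udp --dport {{ wireguard_port_avoid|int }} -j REDIRECT --to-port {{ wireguard_port_actual|int }}`. Better still would be validating the two values once in a task (an `assert` on the 1–65535 range) rather than discovering a bad value at rule-load time. The same rule shape in rules.v4.j2 would need the same treatment.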
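Review bot: `wireguard_port_alt` is renamed to `wireguard_port_actual` with no alias or deprecation note, so a deployment that overrode `wireguard_port_alt` in its own config will silently fall back to 51820 for both the listener and the redirect target, and the two new keys carry no explanation of how they relate to `wireguard_port`. I would add above them a comment explaining that when `wireguard_port` equals `wireguard_port_avoid` (a port another service on this host already binds, 53 by default for DNS) WireGuard listens on `wireguard_port_actual` and the firewall redirects the avoided port to it, and a one-line `# formerly wireguard_port_alt` on the second key. Without it the relationship is only discoverable by reading the three templates that use these variables.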
@@ -1,6 +1,6 @@
 [Interface]
 Address = {{ wireguard_server_ip }}
-ListenPort = {{ wireguard_port_alt if wireguard_port|int == 53 else wireguard_port }}
+ListenPort = {{ wireguard_port_actual if wireguard_port|int == wireguard_port_avoid|int else wireguard_port }}
 PrivateKey = {{ lookup('file', wireguard_pki_path + '/private/' + IP_subject_alt_name) }}
 SaveConfig = false
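Review bot: The ListenPort expression repeats the `wireguard_port|int == wireguard_port_avoid|int` selection that rules.v4.j2 and rules.v6.j2 also evaluate, so the port WireGuard binds and the port the firewall redirects to stay equal only as long as all four sites are edited together. Deriving it once in the wireguard role defaults, `wireguard_listen_port: "{{ wireguard_port_actual if wireguard_port|int == wireguard_port_avoid|int else wireguard_port }}"`, and rendering `ListenPort = {{ wireguard_listen_port }}` here would give the rules templates a single value to open and redirect to. Those templates already read this role's variables (`wireguard_port_avoid`), so the cross-role dependency would not be new.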