[Interface]
Address = {{ wireguard_address }}
PrivateKey = {{ wg_server_private_key }}
ListenPort = {{ wireguard_port }}
{% if wireguard_mtu is defined %}
MTU = {{ wireguard_mtu }}
{% endif %}

# Einfache NAT-Regeln für VPN-Traffic
PostUp = iptables -t nat -I POSTROUTING -o {{ wireguard_exit_interface }} -s {{ wireguard_network }} -j MASQUERADE
PostUp = iptables -I FORWARD -i {{ wireguard_interface }} -j ACCEPT
PostUp = iptables -I FORWARD -o {{ wireguard_interface }} -j ACCEPT

PostDown = iptables -t nat -D POSTROUTING -o {{ wireguard_exit_interface }} -s {{ wireguard_network }} -j MASQUERADE
PostDown = iptables -D FORWARD -i {{ wireguard_interface }} -j ACCEPT
PostDown = iptables -D FORWARD -o {{ wireguard_interface }} -j ACCEPT

# Client-Peers
{% for client in wireguard_clients %}
[Peer]
# {{ client.name }}
PublicKey = {{ wg_client_public_keys[client.name] }}
AllowedIPs = {{ client.address }}/32
{% if wireguard_pre_shared_key | default(false) and wg_client_psk_keys is defined %}
PresharedKey = {{ wg_client_psk_keys[client.name] }}
{% endif %}

{% endfor %}