From 27e31aca2a52e40367a529a6f2caf87f7168f2e5 Mon Sep 17 00:00:00 2001
From: Dan Hiris
Date: Tue, 7 Mar 2023 16:12:10 -0700
Subject: [PATCH 1/7] need iptables-persistent

---
 main.tf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/main.tf b/main.tf
index 4476001..bafb67f 100644
--- a/main.tf
+++ b/main.tf
@@ -126,6 +126,8 @@ resource "google_compute_instance_template" "accesstier_template" {
 "echo '65536' > /proc/sys/net/netfilter/nf_conntrack_buckets \n",
 "echo '262144' > /proc/sys/net/netfilter/nf_conntrack_max \n",
 "# Setting up an iptables DNAT to fix google's UDP load balancers DSR implementation, which forward the traffic with an untranslated destination \n",
+ "apt-get update \n",
+ "apt-get --yes --force-yes install iptables-persistent \n",
 "mkdir /etc/iptables \n",
 "iptables -t nat -I PREROUTING -p udp --dport 51820 -j DNAT --to-destination $(hostname -i) \n",
 "iptables-save > /etc/iptables/rules.v4 \n",
From 7bcaf5aae838d58f6eb3e8f418056a6a844bf3f2 Mon Sep 17 00:00:00 2001
From: Dan Hiris
Date: Tue, 7 Mar 2023 16:42:37 -0700
Subject: [PATCH 2/7] need iptables-persistent

---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index bafb67f..429d6ff 100644
--- a/main.tf
+++ b/main.tf
@@ -127,7 +127,7 @@ resource "google_compute_instance_template" "accesstier_template" {
 "echo '262144' > /proc/sys/net/netfilter/nf_conntrack_max \n",
 "# Setting up an iptables DNAT to fix google's UDP load balancers DSR implementation, which forward the traffic with an untranslated destination \n",
 "apt-get update \n",
- "apt-get --yes --force-yes install iptables-persistent \n",
+ "apt-get -y install iptables-persistent \n",
 "mkdir /etc/iptables \n",
 "iptables -t nat -I PREROUTING -p udp --dport 51820 -j DNAT --to-destination $(hostname -i) \n",
 "iptables-save > /etc/iptables/rules.v4 \n",
From c737967afac57aacb0a9300396fbabe607280097 Mon Sep 17 00:00:00 2001
From: Dan Hiris
Date: Tue, 7 Mar 2023 16:44:16 -0700
Subject: [PATCH 3/7] need iptables-persistent

---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index 429d6ff..4f0c507 100644
--- a/main.tf
+++ b/main.tf
@@ -127,7 +127,7 @@ resource "google_compute_instance_template" "accesstier_template" {
 "echo '262144' > /proc/sys/net/netfilter/nf_conntrack_max \n",
 "# Setting up an iptables DNAT to fix google's UDP load balancers DSR implementation, which forward the traffic with an untranslated destination \n",
 "apt-get update \n",
- "apt-get -y install iptables-persistent \n",
+ "export DEBIAN_FRONTEND=noninteractive; apt-get -y install iptables-persistent \n",
 "mkdir /etc/iptables \n",
 "iptables -t nat -I PREROUTING -p udp --dport 51820 -j DNAT --to-destination $(hostname -i) \n",
 "iptables-save > /etc/iptables/rules.v4 \n",
From 419dbe5413233e8b1448c3278b5eb70682ec5c34 Mon Sep 17 00:00:00 2001
From: Dan Hiris
Date: Tue, 7 Mar 2023 17:08:59 -0700
Subject: [PATCH 4/7] debug iptables-persistent

---
 main.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/main.tf b/main.tf
index 4f0c507..6502540 100644
--- a/main.tf
+++ b/main.tf
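Review bot: `export DEBIAN_FRONTEND=noninteractive;` on the replaced line sets the variable for the whole remainder of the startup script, not just for this install, so every later apt/debconf step (the netagent install that follows in this list) also runs unattended. If the intent is only to silence iptables-persistent's debconf prompt, scope it to the one command: `"DEBIAN_FRONTEND=noninteractive apt-get -y install iptables-persistent \n",`. If the wider effect is intended, a comment line such as `"# unattended apt for the rest of this script \n",` would stop the next reader from narrowing it. The startup-script list this line belongs to begins before the hunk, so whether something earlier already sets the variable is not visible here.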
@@ -127,10 +127,10 @@ resource "google_compute_instance_template" "accesstier_template" {
 "echo '262144' > /proc/sys/net/netfilter/nf_conntrack_max \n",
 "# Setting up an iptables DNAT to fix google's UDP load balancers DSR implementation, which forward the traffic with an untranslated destination \n",
 "apt-get update \n",
- "export DEBIAN_FRONTEND=noninteractive; apt-get -y install iptables-persistent \n",
- "mkdir /etc/iptables \n",
- "iptables -t nat -I PREROUTING -p udp --dport 51820 -j DNAT --to-destination $(hostname -i) \n",
+ "export DEBIAN_FRONTEND=noninteractive; apt-get -y install iptables-persistent && echo 'iptables persistent installed' \n",
+ "iptables -t nat -I PREROUTING -p udp --dport 51820 -j DNAT --to-destination $(hostname -i) && echo 'DNAT rule applied' \n",
 "iptables-save > /etc/iptables/rules.v4 \n",
+ "echo 'installing Netagent' \n",
 var.datadog_api_key != null ? "curl -L https://s3.amazonaws.com/dd-agent/scripts/install_script.sh | DD_AGENT_MAJOR_VERSION=7 DD_API_KEY=${var.datadog_api_key} DD_SITE=datadoghq.com bash -v \n" : "",
 "curl https://www.banyanops.com/onramp/deb-repo/banyan.key | apt-key add -\n",
 var.staging_repo != null ? "apt-add-repository \"deb https://www-stage.bnntest.com/onramp/deb-repo xenial main\" \n" : "apt-add-repository \"deb https://www.banyanops.com/onramp/deb-repo xenial main\" \n",
From 9636504ea2f40b9fcb3db4ac0bfa470040415faf Mon Sep 17 00:00:00 2001
From: Dan Hiris
Date: Tue, 7 Mar 2023 20:48:50 -0700
Subject: [PATCH 5/7] debug iptables-persistent

---
 main.tf | 1 -
 1 file changed, 1 deletion(-)

diff --git a/main.tf b/main.tf
index 6502540..65d8147 100644
--- a/main.tf
+++ b/main.tf
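Review bot: The `&& echo 'iptables persistent installed'` and `&& echo 'DNAT rule applied'` suffixes on the two rewritten lines only report success; if `apt-get update` or the install fails (no egress to the mirrors, package missing) the script carries on silently, the DNAT is still inserted, and the rules file written on the following `iptables-save` line has nothing to restore it at boot — and because a failing left side of an `&&` list does not trigger `set -e`, this form masks the error even if errexit is on. Fail loudly so the instance becomes unhealthy rather than serving without the fix: `"export DEBIAN_FRONTEND=noninteractive; apt-get -y install iptables-persistent || { echo 'iptables-persistent install failed' >&2; exit 1; } \n",` and `"iptables -t nat -I PREROUTING -p udp --dport 51820 -j DNAT --to-destination $(hostname -i) || exit 1 \n",`. Separately, `$(hostname -i)` depends on how the hostname resolves through /etc/hosts and on some images returns a loopback address or several addresses; `hostname -I | awk '{print $1}'` or the metadata server is more predictable, worth confirming against the image this template boots. The startup-script list starts before this hunk, so whether `set -e` is already in effect cannot be seen.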
@@ -129,7 +129,6 @@ resource "google_compute_instance_template" "accesstier_template" {
 "apt-get update \n",
 "export DEBIAN_FRONTEND=noninteractive; apt-get -y install iptables-persistent && echo 'iptables persistent installed' \n",
 "iptables -t nat -I PREROUTING -p udp --dport 51820 -j DNAT --to-destination $(hostname -i) && echo 'DNAT rule applied' \n",
- "iptables-save > /etc/iptables/rules.v4 \n",
 "echo 'installing Netagent' \n",
 var.datadog_api_key != null ? "curl -L https://s3.amazonaws.com/dd-agent/scripts/install_script.sh | DD_AGENT_MAJOR_VERSION=7 DD_API_KEY=${var.datadog_api_key} DD_SITE=datadoghq.com bash -v \n" : "",
 "curl https://www.banyanops.com/onramp/deb-repo/banyan.key | apt-key add -\n",
From bf82d526c1553a91fe324417aee9ae3f924d2999 Mon Sep 17 00:00:00 2001
From: Dan Hiris
Date: Wed, 8 Mar 2023 11:19:25 -0700
Subject: [PATCH 6/7] variablizing the wireguard port for custom configs

---
 main.tf | 6 +++---
 variables.tf | 8 +++++++-
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/main.tf b/main.tf
index 65d8147..1f17d4c 100644
--- a/main.tf
+++ b/main.tf
@@ -33,7 +33,7 @@ resource "google_compute_forwarding_rule" "accesstier" {
 region = var.region
 ip_protocol = "TCP"
 load_balancing_scheme = "EXTERNAL"
- ports = [80, 443, 8443, 9998, 51820]
+ ports = [80, 443, 8443, 9998, var.wireguard_port]
 backend_service = google_compute_region_backend_service.accesstier.id
 ip_address = google_compute_address.external.address
 }
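Review bot: The forwarding rule in this hunk is `ip_protocol = "TCP"`, so putting `var.wireguard_port` into its `ports` list does not carry the WireGuard UDP traffic; the UDP forwarding rule that the DNAT comment in the instance template refers to is not touched anywhere in this series. If that rule (or its backend service and health check) still hard-codes 51820, a non-default `wireguard_port` opens the firewall and rewrites the DNAT for the new port while the load balancer keeps forwarding the old one, and the tunnel silently stops working. Please grep main.tf for the remaining `51820` literals and switch them to the variable in the same change. The `google_compute_forwarding_rule` block begins before the hunk, so whether a UDP rule is defined alongside it is not visible here.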
@@ -128,7 +128,7 @@ resource "google_compute_instance_template" "accesstier_template" {
 "# Setting up an iptables DNAT to fix google's UDP load balancers DSR implementation, which forward the traffic with an untranslated destination \n",
 "apt-get update \n",
 "export DEBIAN_FRONTEND=noninteractive; apt-get -y install iptables-persistent && echo 'iptables persistent installed' \n",
- "iptables -t nat -I PREROUTING -p udp --dport 51820 -j DNAT --to-destination $(hostname -i) && echo 'DNAT rule applied' \n",
+ "iptables -t nat -I PREROUTING -p udp --dport ${var.wireguard_port} -j DNAT --to-destination $(hostname -i) && echo 'DNAT rule applied' \n",
 "echo 'installing Netagent' \n",
 var.datadog_api_key != null ? "curl -L https://s3.amazonaws.com/dd-agent/scripts/install_script.sh | DD_AGENT_MAJOR_VERSION=7 DD_API_KEY=${var.datadog_api_key} DD_SITE=datadoghq.com bash -v \n" : "",
 "curl https://www.banyanops.com/onramp/deb-repo/banyan.key | apt-key add -\n",
@@ -171,7 +171,7 @@ resource "google_compute_firewall" "accesstier_ports_tunnel" {
 source_ranges = ["0.0.0.0/0"]
 allow {
 protocol = "udp"
- ports = ["51820"]
+ ports = [tostring(var.wireguard_port)]
 }
 }
 
diff --git a/variables.tf b/variables.tf
index 33efb11..48382bc 100644
--- a/variables.tf
+++ b/variables.tf
@@ -194,7 +194,13 @@ variable "datadog_api_key" {
 }
 
 variable "staging_repo" {
- type = string
+ type = string
 description = "If set, the staging deb repository will be used for the netagent install. For internal use only."
 default = null
+}
+
+variable "wireguard_port" {
+ type = number
+ description = "wireguard port used to set custom wireguard ports if needed"
+ default = 51820
 }
\ No newline at end of file
From 7eb3a69a75ca99885888bc0c6b4703f194ff048e Mon Sep 17 00:00:00 2001
From: Dan Hiris
Date: Wed, 8 Mar 2023 11:46:59 -0700
Subject: [PATCH 7/7] changing wireguard port variable to tunnel port

---
 main.tf | 6 +++---
 variables.tf | 10 ++--------
 2 files changed, 5 insertions(+), 11 deletions(-)

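Review bot: On the new side the DNAT rule is inserted into the running kernel but never written to /etc/iptables/rules.v4 — the `iptables-save` that used to follow this line was dropped in patch 5, and netfilter-persistent only persists rules when told to (`netfilter-persistent save`) or through its install-time autosave, which in this script would run before the rule exists. The rule therefore comes back after a reboot only if the startup script reruns on boot (GCE startup-script metadata normally does), and then `-I` stacks a fresh copy on top of whatever the package restored. Save explicitly after inserting: `"iptables -t nat -I PREROUTING -p udp --dport ${var.wireguard_port} -j DNAT --to-destination $(hostname -i) && netfilter-persistent save \n",`. Interpolating `${var.wireguard_port}` into a shell line is only safe because the variable is declared `type = number` in variables.tf; keep that constraint if the variable is ever loosened.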
diff --git a/main.tf b/main.tf
index 1f17d4c..0ec72ed 100644
--- a/main.tf
+++ b/main.tf
@@ -33,7 +33,7 @@ resource "google_compute_forwarding_rule" "accesstier" {
 region = var.region
 ip_protocol = "TCP"
 load_balancing_scheme = "EXTERNAL"
- ports = [80, 443, 8443, 9998, var.wireguard_port]
+ ports = [80, 443, 8443, 9998, var.tunnel_port]
 backend_service = google_compute_region_backend_service.accesstier.id
 ip_address = google_compute_address.external.address
 }
@@ -128,7 +128,7 @@ resource "google_compute_instance_template" "accesstier_template" {
 "# Setting up an iptables DNAT to fix google's UDP load balancers DSR implementation, which forward the traffic with an untranslated destination \n",
 "apt-get update \n",
 "export DEBIAN_FRONTEND=noninteractive; apt-get -y install iptables-persistent && echo 'iptables persistent installed' \n",
- "iptables -t nat -I PREROUTING -p udp --dport ${var.wireguard_port} -j DNAT --to-destination $(hostname -i) && echo 'DNAT rule applied' \n",
+ "iptables -t nat -I PREROUTING -p udp --dport ${var.tunnel_port} -j DNAT --to-destination $(hostname -i) && echo 'DNAT rule applied' \n",
 "echo 'installing Netagent' \n",
 var.datadog_api_key != null ? "curl -L https://s3.amazonaws.com/dd-agent/scripts/install_script.sh | DD_AGENT_MAJOR_VERSION=7 DD_API_KEY=${var.datadog_api_key} DD_SITE=datadoghq.com bash -v \n" : "",
 "curl https://www.banyanops.com/onramp/deb-repo/banyan.key | apt-key add -\n",
@@ -171,7 +171,7 @@ resource "google_compute_firewall" "accesstier_ports_tunnel" {
 source_ranges = ["0.0.0.0/0"]
 allow {
 protocol = "udp"
- ports = [tostring(var.wireguard_port)]
+ ports = [tostring(var.tunnel_port)]
 }
 }
 
diff --git a/variables.tf b/variables.tf
index 48382bc..43bf32f 100644
--- a/variables.tf
+++ b/variables.tf
@@ -60,8 +60,8 @@ variable "src_nat_cidr_range" {
 
 variable "tunnel_port" {
 type = number
- description = "UDP port for end users to this access tier to utilize when using service tunnel"
- default = null
+ description = "UDP port for end users to this access tier to utilize when using wireguard service tunnel"
+ default = 51820
 }
 
 variable "tunnel_private_domains" {
@@ -198,9 +198,3 @@ variable "staging_repo" {
 description = "If set, the staging deb repository will be used for the netagent install. For internal use only."
 default = null
 }
-
-variable "wireguard_port" {
- type = number
- description = "wireguard port used to set custom wireguard ports if needed"
- default = 51820
-}
\ No newline at end of file
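Review bot: Changing `default` from `null` to `51820` is a behaviour change for existing callers of this module: any place that tests `var.tunnel_port != null` to decide whether the service tunnel is enabled (a plausible pattern given the old default, though no such use is visible in this diff) will now always see a port, so that should be checked before the default lands. Since the value is interpolated into the iptables command in the instance startup script and into the `google_compute_firewall` port list, constrain it at the boundary with a `validation` block so an out-of-range number fails at plan time instead of producing a DNAT rule that iptables rejects at boot. The description could also say that this is the port the UDP load balancer, the firewall rule and the instance DNAT all derive from, so a reader knows every consumer changes together. The hunk header names `src_nat_cidr_range`, but the lines shown belong to `variable "tunnel_port"`, which is fully inside the hunk.

```terraform
variable "tunnel_port" {
  type        = number
  description = "UDP port for end users to this access tier to utilize when using wireguard service tunnel"
  default     = 51820

  validation {
    condition     = var.tunnel_port >= 1 && var.tunnel_port <= 65535
    error_message = "tunnel_port must be a UDP port number between 1 and 65535."
  }
}
```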