From 8d29de95be2b44cac6e2cc3d0643f542be05e4bd Mon Sep 17 00:00:00 2001
From: Ian Kelling <ian@iankelling.org>
Date: Wed, 5 Jul 2023 04:37:40 -0400
Subject: [PATCH] harmonize vpn, lan, and transmission ips

---
 brc                                           |   5 +
 brc2                                          | 162 ++++++++++++++++--
 distro-end                                    |  44 ++---
 .../systemd/system/openvpn-client-tr@.service |  36 ++++
 .../systemd/system/openvpn-client-tr@.service |  36 ++++
 .../systemd/system/openvpn-client-tr@.service |  10 +-
 .../systemd/system/openvpn-client-tr@.service |  36 ++++
 .../systemd/system/openvpn-client-tr@.service |  36 ++++
 .../systemd/system/openvpn-client-tr@.service |  36 ++++
 .../systemd/system/openvpn-client-tr@.service |  36 ++++
 ptr-data                                      |   7 +
 transmission-firewall/netns.rules             |   6 +-
 12 files changed, 398 insertions(+), 52 deletions(-)
 create mode 100644 machine_specific/bo/filesystem/etc/systemd/system/openvpn-client-tr@.service
 create mode 100644 machine_specific/frodo/filesystem/etc/systemd/system/openvpn-client-tr@.service
 rename {filesystem => machine_specific/kd/filesystem}/etc/systemd/system/openvpn-client-tr@.service (81%)
 create mode 100644 machine_specific/kw/filesystem/etc/systemd/system/openvpn-client-tr@.service
 create mode 100644 machine_specific/sy/filesystem/etc/systemd/system/openvpn-client-tr@.service
 create mode 100644 machine_specific/x2/filesystem/etc/systemd/system/openvpn-client-tr@.service
 create mode 100644 machine_specific/x3/filesystem/etc/systemd/system/openvpn-client-tr@.service
 create mode 100644 ptr-data

diff --git a/brc b/brc
index 8483735..f2793e8 100644
--- a/brc
+++ b/brc
@@ -1938,6 +1938,11 @@ reresolv() {
   fi
 }
 
+# add annoyingly long argument which should be the default
+sedi() {
+  sed -i --follow-symlinks "$@"
+}
+
 rmstrips() {
   ssh fencepost head -n 300 /gd/gnuorg/EventAndTravelInfo/rms-current-trips.txt | less
 }
diff --git a/brc2 b/brc2
index b6a4bd3..1be253a 100644
--- a/brc2
+++ b/brc2
@@ -401,8 +401,7 @@ glue() {
 
 # usage: $0 REPO_PATH [URL_OR_PATH]
 _iki-convert() {
-  local url path input err repo_dir domain filename dir path url_dir
-  local initial_oldpwd initial_pwd
+  local url domain path input err repo_dir dir url_dir url
   repo_dir="$1"
   domain="$2"
   shift 2
@@ -417,7 +416,7 @@ _iki-convert() {
   fi
   case $input in
     http*)
-      path="$repo_dir/${input##http*://$domain/wiki/}"
+      path="$repo_dir/${input##http*://"$domain"/wiki/}"
       if [[ $path == */ ]]; then
         path=${path%/}.mdwn
       fi
@@ -633,7 +632,7 @@ beetag-help() {
     cat <<'EOF'
 
 
-y other genres   z fg player      ' = toggle play  1-5 rate
+y other genres   z fg player      ' = toggle play  1-5 rate    ] repeat1
 ; previous       _ = delete       up/down skip     mpv vol,pause,seek
 EOF
     hr
@@ -697,12 +696,13 @@ mpvrpc-percent-pos() {
 # 1-5 rate
 # q quit
 # ret next
+#
 beetag() {
   local last_genre_i fstring tag id char new_item char_i genre tag remove doplay i j random path
   local do_rare_genres read_wait help line lsout tmp ls_line skip_lookback
   local escape_char escaped_input expected_input skip_input_regex right_pad erasable_line seek_sec
   local pl_state_path pl_state_dir pl_state_file tmpstr
-  local new_random pl_seed_path seed_num seed_file fmt first_play
+  local new_random pl_seed_path seed_num seed_file fmt first_play repeat1
   local -a buttons button_map ids tags tmp_tags initial_ls ls_lines paths
   local -A button_i
   local -i i j volume scrolled id_count line_int skip_start pre_j_count head_count skip_lookback
@@ -714,6 +714,7 @@ beetag() {
   scrolled=999 # more than any $LINES
   ### begin arg processing ###
   random=false
+  repeat1=false
   new_random=false
   case $1 in
     -r)
@@ -778,6 +779,7 @@ beetag() {
   fi
 
   # PijokVipiotOzeph is just a random string for a delimiter
+  # shellcheck disable=SC2016 # false positive
   fmt='%ifdef{rating,$rating }'"$fstring"'$genre | $title - $artist - $album   $length  $id PijokVipiotOzeph $path'
   # shellcheck disable=SC2016 # obvious reason
   tmpstr=$(beet ls -f "$fmt" "$@" | { if $random; then sort -R --random-source=$pl_seed_path; else cat; fi; } )
@@ -940,6 +942,15 @@ beetag() {
           echo volume=$volume
           continue
           ;;
+        ']')
+          if $repeat1; then
+            repeat1=false
+          else
+            repeat1=true
+          fi
+          echo repeat1=$repeat1
+          continue
+          ;;
         q)
           kill-bg-quiet
           return
@@ -1106,10 +1117,12 @@ beetag() {
         fi
       fi
     done
-    if (( j < id_count - 1 )); then
-      j+=1
-    else
-      j=0
+    if ! $repeat1; then
+      if (( j < id_count - 1 )); then
+        j+=1
+      else
+        j=0
+      fi
     fi
     if [[ $playlist ]]; then
       echo $j >$pl_state_path
@@ -2317,9 +2330,119 @@ wgkey() {
   umask $umask_orig
 }
 
+declare -A vpn_ips
+vpn_ips[kd]=2
+# note: 1, 4, 5 are occupied by mail wireguard
+vpn_ips[x3]=8
+vpn_ips[sy]=12
+vpn_ips[x2]=13
+vpn_ips[kw]=27
+vpn_ips[bo]=28
+vpn_ips[frodo]=34
+
+vpn-ips-update() {
+  local host ipsuf f files
+  for host in ${!vpn_ips[@]}; do
+    ipsuf=${vpn_ips[$host]}
+    wghole $host $ipsuf
+    u /a/bin/ds/machine_specific/$host/filesystem/etc/systemd/system/openvpn-client-tr@.service <<EOF
+[Unit]
+Description=OpenVPN tunnel for %I
+After=syslog.target network-online.target
+Wants=network-online.target
+Documentation=man:openvpn(8)
+Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
+Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
+Requires=iptables.service
+
+[Service]
+Type=notify
+RuntimeDirectory=openvpn-client
+RuntimeDirectoryMode=0710
+WorkingDirectory=/etc/openvpn/client
+ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf
+# todo, try reenabling this from the default openvpn,
+# it was disabled so we could do bind mounts as a command,
+# but now systemd handles it
+#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+LimitNPROC=10
+# DeviceAllow=/dev/null rw
+# DeviceAllow=/dev/net/tun rw
+
+# we use .1 to make this be on a different network than kd, so that we can
+# talk to transmission on kd from remote host, and still use this
+# vpn.
+ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.$ipsuf start %i
+ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
+# allow wireguard network to connect
+ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.$ipsuf.1 dev veth1-client
+ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
+PrivateNetwork=true
+BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
+
+[Install]
+WantedBy=multi-user.target
+EOF
+  done
+
+  {
+    for host in ${!vpn_ips[@]}; do
+      ipsuf=${vpn_ips[$host]}
+      cat <<EOF
+local-data-ptr: "10.2.0.$ipsuf $host.b8.nz"
+EOF
+    done
+  } | u /b/ds/ptr-data
+
+  {
+    for host in ${!vpn_ips[@]}; do
+      ipsuf=${vpn_ips[$host]}
+      cat <<EOF
+$host	A	10.2.0.$ipsuf
+${host}wg	A	10.8.0.$ipsuf
+${host}vp	A	10.5.5.$ipsuf
+${host}tr	A	10.174.$ipsuf.2
+EOF
+    done
+  } | cedit vpn-ips-update /p/c/machine_specific/vps/bind-initial/db.b8.nz ||:
+
+
+  echo checking for stray files:
 
-# extrahost is a host/cidr that is allowed to go be routed through the vpn by this host.
+  initial_dir=$PWD
+  cd /a/bin/ds/machine_specific
+  ngset
+  files=( */filesystem/etc/systemd/system/openvpn-client-tr@.service )
+  ngreset
+  cd $initial_dir
+  for f in "${files[@]}"; do
+    host=${f%%/*}
+    if [[ ! ${vpn_ips[$host]} ]]; then
+      e /a/bin/ds/machine_specific/$host/filesystem/etc/systemd/system/openvpn-client-tr@.service
+    fi
+  done
+
+  cd /p/c/machine_specific
+  ngset
+  files=( */filesystem/etc/wireguard/wghole.conf )
+  ngreset
+  cd $initial_dir
+  for f in "${files[@]}"; do
+    host=${f%%/*}
+    if [[ ! ${vpn_ips[$host]} ]]; then
+      e /p/c/machine_specific/$host/filesystem/etc/wireguard/wghole.conf
+      e cedit -s $host /p/c/machine_specific/li/filesystem/etc/wireguard/wgmail.conf '<<<""'
+    fi
+  done
+}
+
+# usage host ipsuf [extrahost]
 #
+# If the keys already exist and you want new ones, remove them:
+# rm /p/c/machine_specific/$host/filesystem/etc/wireguard/hole-{priv,pub}.key
+#
+# extrahost is a host/cidr that is allowed to go be routed through the
+# vpn by this host.
 wghole() {
   if (( $# < 2 || $# > 3 )); then
     e expected 2-3 arg of hostname, ip suffix, and extrahost >&2
@@ -2331,12 +2454,20 @@ wghole() {
   if [[ $3 ]]; then
     extrahost=,$3
   fi
+  for vpn_host in ${!vpn_ips[@]}; do
+    if [[ $vpn_host == "$host" ]]; then
+      continue
+    fi
+    vpn_allowed+=",10.174.${vpn_ips[$vpn_host]}.2/32"
+  done
   mkdir -p /p/c/machine_specific/$host/filesystem/etc/wireguard
   (
     cd /p/c/machine_specific/$host/filesystem/etc/wireguard
     umask_orig=$(umask)
     umask 0077
-    wg genkey | tee hole-priv.key | wg pubkey > hole-pub.key
+    if [[ ! -s hole-priv.key || ! -s hole-pub.key ]]; then
+      wg genkey | tee hole-priv.key | wg pubkey > hole-pub.key
+    fi
     cat >wghole.conf <<EOF
 [Interface]
 # contents hole-priv.key
@@ -2345,12 +2476,12 @@ ListenPort = 1194
 Address = 10.8.0.$ipsuf/24
 # https://dev.to/tangramvision/what-they-don-t-tell-you-about-setting-up-a-wireguard-vpn-1h2g
 # ||: makes the systemd service not fail due to the failed command
-PostUp = ping -c1 10.8.0.1 ||:
+PostUp = ping -w10 -c1 10.8.0.1 ||:
 
 [Peer]
 # li. called wgmail on that server
 PublicKey = CTFsje45qLAU44AbX71Vo+xFJ6rt7Cu6+vdMGyWjBjU=
-AllowedIPs = 10.8.0.0/24$extrahost
+AllowedIPs = 10.8.0.0/24$vpn_allowed$extrahost
 Endpoint = 72.14.176.105:1194
 PersistentKeepalive = 25
 EOF
@@ -2360,7 +2491,7 @@ EOF
     cedit -q $host /p/c/machine_specific/li/filesystem/etc/wireguard/wgmail.conf <<EOF || [[ $? == 1 ]]
 [Peer]
 PublicKey = $(cat hole-pub.key)
-AllowedIPs = 10.8.0.$ipsuf/32
+AllowedIPs = 10.8.0.$ipsuf/32,10.174.${vpn_ips[$host]}.2/32
 EOF
   )
 }
@@ -3457,6 +3588,7 @@ calvis() { # calendar visualize
   install -m 600 /dev/null /tmp/calendar-bytes
   while read -r l; do
     for char in $l; do
+      # shellcheck disable=SC2059 # intentional for the hex formatting
       printf "\x$(printf "%x" $char)" >>/tmp/calendar-bytes
     done
   done < <(grep -v '[#-]' /p/calendar-data)
@@ -3504,7 +3636,7 @@ rem() {
        -o -name .hg -prune -o -name .editor-backups -prune \
        -o -name .undo-tree-history -prune \) 2>/dev/null | grep -iP --color=auto "$*"
   rgv -m 5 "$*" $paths ||:
-  }
+}
 
 # setup:
 # pip3 install linode-cli
diff --git a/distro-end b/distro-end
index 80aec6e..593e91e 100755
--- a/distro-end
+++ b/distro-end
@@ -671,34 +671,18 @@ EOF
 client-to-client
 EOF
 
-    sd /etc/openvpn/client-config-hole/kd <<'EOF'
-ifconfig-push 10.5.5.2 255.255.255.0
-EOF
-    sd /etc/openvpn/client-config-hole/tp <<'EOF'
-ifconfig-push 10.5.5.3 255.255.255.0
-EOF
-    sd /etc/openvpn/client-config-hole/frodo <<'EOF'
-ifconfig-push 10.5.5.5 255.255.255.0
-EOF
-    sd /etc/openvpn/client-config-hole/x2 <<'EOF'
-ifconfig-push 10.5.5.7 255.255.255.0
-EOF
-    sd /etc/openvpn/client-config-hole/x3 <<'EOF'
-ifconfig-push 10.5.5.8 255.255.255.0
-EOF
-    sd /etc/openvpn/client-config-hole/kw <<'EOF'
-ifconfig-push 10.5.5.9 255.255.255.0
-EOF
-    sd /etc/openvpn/client-config-hole/sy <<'EOF'
-ifconfig-push 10.5.5.12 255.255.255.0
-EOF
-    sd /etc/openvpn/client-config-hole/bo <<'EOF'
-ifconfig-push 10.5.5.13 255.255.255.0
-EOF
-    sd /etc/openvpn/client-config-hole/onep9 <<'EOF'
-ifconfig-push 10.5.5.14 255.255.255.0
+
+    ngset
+    files=(/etc/openvpn/client-config-hole/*)
+    if (( ${#files[@]} >= 1 )); then
+      rm -f ${files[@]}
+    fi
+    ngreset
+    for host in ${!vpn_ips[@]}; do
+      sd /etc/openvpn/client-config-hole/$host <<EOF
+ifconfig-push 10.5.5.${vpn_ips[$host]} 255.255.255.0
 EOF
-    # todo: add x8?
+    done
 
 
     # for adding cert to system with /p
@@ -716,7 +700,7 @@ EOF
     # eg:
     # wghole bo 28
     # if it is going to want to connect to transmission-daemon on ok
-    # wghole bo 28 10.173.0.2/32
+    # wghole bo 28 10.174.2.2/32
 
     # requested from linode via a support ticket.
     # https://www.linode.com/docs/networking/an-overview-of-ipv6-on-linode/
@@ -1653,7 +1637,7 @@ EOF
   "profiles" : [
       {
       "profile-name" : "Default",
-      "hostname" : "10.173.0.2",
+      "hostname" : "10.174.2.2",
       "rpc-url-path" : "/transmission/rpc",
       "username" : "",
       "password" : "$rpc_pass",
@@ -2023,7 +2007,7 @@ EOF
       ser restart prometheus-alertmanager
     fi
 
-    s /c/roles/prom-export/files/simple/usr/local/bin/fsf-install-node-exporter -l
+    s /c/roles/prom_export/files/simple/usr/local/bin/fsf-install-node-exporter -l
 
     for ser in prometheus-node-exporter prometheus-alertmanager prometheus; do
       sysd-prom-fail-install $ser
diff --git a/machine_specific/bo/filesystem/etc/systemd/system/openvpn-client-tr@.service b/machine_specific/bo/filesystem/etc/systemd/system/openvpn-client-tr@.service
new file mode 100644
index 0000000..9d386a8
--- /dev/null
+++ b/machine_specific/bo/filesystem/etc/systemd/system/openvpn-client-tr@.service
@@ -0,0 +1,36 @@
+[Unit]
+Description=OpenVPN tunnel for %I
+After=syslog.target network-online.target
+Wants=network-online.target
+Documentation=man:openvpn(8)
+Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
+Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
+Requires=iptables.service
+
+[Service]
+Type=notify
+RuntimeDirectory=openvpn-client
+RuntimeDirectoryMode=0710
+WorkingDirectory=/etc/openvpn/client
+ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf
+# todo, try reenabling this from the default openvpn,
+# it was disabled so we could do bind mounts as a command,
+# but now systemd handles it
+#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+LimitNPROC=10
+# DeviceAllow=/dev/null rw
+# DeviceAllow=/dev/net/tun rw
+
+# we use .1 to make this be on a different network than kd, so that we can
+# talk to transmission on kd from remote host, and still use this
+# vpn.
+ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.28 start %i
+ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
+# allow wireguard network to connect
+ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.28.1 dev veth1-client
+ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
+PrivateNetwork=true
+BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
+
+[Install]
+WantedBy=multi-user.target
diff --git a/machine_specific/frodo/filesystem/etc/systemd/system/openvpn-client-tr@.service b/machine_specific/frodo/filesystem/etc/systemd/system/openvpn-client-tr@.service
new file mode 100644
index 0000000..e96fdd7
--- /dev/null
+++ b/machine_specific/frodo/filesystem/etc/systemd/system/openvpn-client-tr@.service
@@ -0,0 +1,36 @@
+[Unit]
+Description=OpenVPN tunnel for %I
+After=syslog.target network-online.target
+Wants=network-online.target
+Documentation=man:openvpn(8)
+Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
+Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
+Requires=iptables.service
+
+[Service]
+Type=notify
+RuntimeDirectory=openvpn-client
+RuntimeDirectoryMode=0710
+WorkingDirectory=/etc/openvpn/client
+ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf
+# todo, try reenabling this from the default openvpn,
+# it was disabled so we could do bind mounts as a command,
+# but now systemd handles it
+#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+LimitNPROC=10
+# DeviceAllow=/dev/null rw
+# DeviceAllow=/dev/net/tun rw
+
+# we use .1 to make this be on a different network than kd, so that we can
+# talk to transmission on kd from remote host, and still use this
+# vpn.
+ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.34 start %i
+ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
+# allow wireguard network to connect
+ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.34.1 dev veth1-client
+ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
+PrivateNetwork=true
+BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
+
+[Install]
+WantedBy=multi-user.target
diff --git a/filesystem/etc/systemd/system/openvpn-client-tr@.service b/machine_specific/kd/filesystem/etc/systemd/system/openvpn-client-tr@.service
similarity index 81%
rename from filesystem/etc/systemd/system/openvpn-client-tr@.service
rename to machine_specific/kd/filesystem/etc/systemd/system/openvpn-client-tr@.service
index db6e7eb..4e488e2 100644
--- a/filesystem/etc/systemd/system/openvpn-client-tr@.service
+++ b/machine_specific/kd/filesystem/etc/systemd/system/openvpn-client-tr@.service
@@ -1,7 +1,6 @@
 [Unit]
 Description=OpenVPN tunnel for %I
-After=syslog.target network-online.target vpn-static-ip@%i.service
-Requires=vpn-static-ip@%i.service
+After=syslog.target network-online.target
 Wants=network-online.target
 Documentation=man:openvpn(8)
 Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
@@ -22,10 +21,13 @@ LimitNPROC=10
 # DeviceAllow=/dev/null rw
 # DeviceAllow=/dev/net/tun rw
 
-ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.173.0 start %i
+# we use .1 to make this be on a different network than kd, so that we can
+# talk to transmission on kd from remote host, and still use this
+# vpn.
+ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.2 start %i
 ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
 # allow wireguard network to connect
-ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.173.0.1 dev veth1-client
+ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.2.1 dev veth1-client
 ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
 PrivateNetwork=true
 BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
diff --git a/machine_specific/kw/filesystem/etc/systemd/system/openvpn-client-tr@.service b/machine_specific/kw/filesystem/etc/systemd/system/openvpn-client-tr@.service
new file mode 100644
index 0000000..f6ac66a
--- /dev/null
+++ b/machine_specific/kw/filesystem/etc/systemd/system/openvpn-client-tr@.service
@@ -0,0 +1,36 @@
+[Unit]
+Description=OpenVPN tunnel for %I
+After=syslog.target network-online.target
+Wants=network-online.target
+Documentation=man:openvpn(8)
+Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
+Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
+Requires=iptables.service
+
+[Service]
+Type=notify
+RuntimeDirectory=openvpn-client
+RuntimeDirectoryMode=0710
+WorkingDirectory=/etc/openvpn/client
+ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf
+# todo, try reenabling this from the default openvpn,
+# it was disabled so we could do bind mounts as a command,
+# but now systemd handles it
+#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+LimitNPROC=10
+# DeviceAllow=/dev/null rw
+# DeviceAllow=/dev/net/tun rw
+
+# we use .1 to make this be on a different network than kd, so that we can
+# talk to transmission on kd from remote host, and still use this
+# vpn.
+ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.27 start %i
+ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
+# allow wireguard network to connect
+ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.27.1 dev veth1-client
+ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
+PrivateNetwork=true
+BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
+
+[Install]
+WantedBy=multi-user.target
diff --git a/machine_specific/sy/filesystem/etc/systemd/system/openvpn-client-tr@.service b/machine_specific/sy/filesystem/etc/systemd/system/openvpn-client-tr@.service
new file mode 100644
index 0000000..d6010de
--- /dev/null
+++ b/machine_specific/sy/filesystem/etc/systemd/system/openvpn-client-tr@.service
@@ -0,0 +1,36 @@
+[Unit]
+Description=OpenVPN tunnel for %I
+After=syslog.target network-online.target
+Wants=network-online.target
+Documentation=man:openvpn(8)
+Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
+Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
+Requires=iptables.service
+
+[Service]
+Type=notify
+RuntimeDirectory=openvpn-client
+RuntimeDirectoryMode=0710
+WorkingDirectory=/etc/openvpn/client
+ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf
+# todo, try reenabling this from the default openvpn,
+# it was disabled so we could do bind mounts as a command,
+# but now systemd handles it
+#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+LimitNPROC=10
+# DeviceAllow=/dev/null rw
+# DeviceAllow=/dev/net/tun rw
+
+# we use .1 to make this be on a different network than kd, so that we can
+# talk to transmission on kd from remote host, and still use this
+# vpn.
+ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.12 start %i
+ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
+# allow wireguard network to connect
+ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.12.1 dev veth1-client
+ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
+PrivateNetwork=true
+BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
+
+[Install]
+WantedBy=multi-user.target
diff --git a/machine_specific/x2/filesystem/etc/systemd/system/openvpn-client-tr@.service b/machine_specific/x2/filesystem/etc/systemd/system/openvpn-client-tr@.service
new file mode 100644
index 0000000..d16312d
--- /dev/null
+++ b/machine_specific/x2/filesystem/etc/systemd/system/openvpn-client-tr@.service
@@ -0,0 +1,36 @@
+[Unit]
+Description=OpenVPN tunnel for %I
+After=syslog.target network-online.target
+Wants=network-online.target
+Documentation=man:openvpn(8)
+Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
+Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
+Requires=iptables.service
+
+[Service]
+Type=notify
+RuntimeDirectory=openvpn-client
+RuntimeDirectoryMode=0710
+WorkingDirectory=/etc/openvpn/client
+ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf
+# todo, try reenabling this from the default openvpn,
+# it was disabled so we could do bind mounts as a command,
+# but now systemd handles it
+#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+LimitNPROC=10
+# DeviceAllow=/dev/null rw
+# DeviceAllow=/dev/net/tun rw
+
+# we use .1 to make this be on a different network than kd, so that we can
+# talk to transmission on kd from remote host, and still use this
+# vpn.
+ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.13 start %i
+ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
+# allow wireguard network to connect
+ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.13.1 dev veth1-client
+ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
+PrivateNetwork=true
+BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
+
+[Install]
+WantedBy=multi-user.target
diff --git a/machine_specific/x3/filesystem/etc/systemd/system/openvpn-client-tr@.service b/machine_specific/x3/filesystem/etc/systemd/system/openvpn-client-tr@.service
new file mode 100644
index 0000000..b1ca9c2
--- /dev/null
+++ b/machine_specific/x3/filesystem/etc/systemd/system/openvpn-client-tr@.service
@@ -0,0 +1,36 @@
+[Unit]
+Description=OpenVPN tunnel for %I
+After=syslog.target network-online.target
+Wants=network-online.target
+Documentation=man:openvpn(8)
+Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
+Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
+Requires=iptables.service
+
+[Service]
+Type=notify
+RuntimeDirectory=openvpn-client
+RuntimeDirectoryMode=0710
+WorkingDirectory=/etc/openvpn/client
+ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf
+# todo, try reenabling this from the default openvpn,
+# it was disabled so we could do bind mounts as a command,
+# but now systemd handles it
+#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+LimitNPROC=10
+# DeviceAllow=/dev/null rw
+# DeviceAllow=/dev/net/tun rw
+
+# we use .1 to make this be on a different network than kd, so that we can
+# talk to transmission on kd from remote host, and still use this
+# vpn.
+ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.8 start %i
+ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
+# allow wireguard network to connect
+ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.8.1 dev veth1-client
+ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
+PrivateNetwork=true
+BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ptr-data b/ptr-data
new file mode 100644
index 0000000..c8dfa67
--- /dev/null
+++ b/ptr-data
@@ -0,0 +1,7 @@
+local-data-ptr: "10.2.0.8 x3.b8.nz"
+local-data-ptr: "10.2.0.13 x2.b8.nz"
+local-data-ptr: "10.2.0.12 sy.b8.nz"
+local-data-ptr: "10.2.0.34 frodo.b8.nz"
+local-data-ptr: "10.2.0.27 kw.b8.nz"
+local-data-ptr: "10.2.0.2 kd.b8.nz"
+local-data-ptr: "10.2.0.28 bo.b8.nz"
diff --git a/transmission-firewall/netns.rules b/transmission-firewall/netns.rules
index 5d3a1cb..3544f5b 100644
--- a/transmission-firewall/netns.rules
+++ b/transmission-firewall/netns.rules
@@ -36,9 +36,9 @@
 -A OUTPUT -p tcp -m tcp --sport 9091 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 9091 -j ACCEPT
 
-# 1300 is used by mullvad
--A OUTPUT -p udp -m udp --dport 1300 -j ACCEPT
--A INPUT -p udp -m udp --sport 1300 -j ACCEPT
+# 1302 is used by mullvad
+-A OUTPUT -p udp -m udp --dport 1302 -j ACCEPT
+-A INPUT -p udp -m udp --sport 1302 -j ACCEPT
 
 -A OUTPUT -o tun0 -j ACCEPT
 -A INPUT -i tun0 -j ACCEPT
-- 
2.30.2