WireGuard-Secrets ins Repo (privates docu).

OPNsense- und VM101-Client-Configs plus Horus-Peer-Blöcke unter
shared/horus-opnsense-wireguard/.

Co-authored-by: Cursor <cursoragent@cursor.com>

pve1/guests/vm101-ubuntu/README.md

@@ -7,7 +7,7 @@
 | **Stacks** | `/opt/stacks/` |
 | **Stack-UI** | Dockge → `:5001` |
 | **Docker** | `iptables: false` → [docker-daemon.json](docker-daemon.json), NAT: [../../scripts/vm101-docker-nat-rules.sh](../../scripts/vm101-docker-nat-rules.sh) |
-| **Horus VPS** | WireGuard `wg0` 10.1.1.5 → Horus 10.1.1.1 · SSH-Keys: [shared/ssh](../../shared/ssh/README.md#horus-vps-wireguard) · **Direkt via OPNsense:** [shared/horus-opnsense-wireguard.md](../../shared/horus-opnsense-wireguard.md) |
+| **Horus VPS** | WireGuard `wg0` 10.1.1.5 → Horus 10.1.1.1 · SSH: [shared/ssh](../../shared/ssh/README.md#horus-vps-wireguard) · **OPNsense-WG:** [shared/horus-opnsense-wireguard/](../../shared/horus-opnsense-wireguard/README.md) |
 
 ## Netzwerk `docbr0`
 

shared/git-und-repos.md

@@ -68,7 +68,7 @@ export PATH="/usr/local/go/bin:$PATH"
 | Pfad | Inhalt |
 |------|--------|
 | [shared/ssh/](ssh/README.md) | Gemeinsame `authorized_keys`-Fragmente + Deploy-Skript |
-| [shared/horus-opnsense-wireguard.md](horus-opnsense-wireguard.md) | WireGuard OPNsense ↔ Horus (ohne VM) |
+| [shared/horus-opnsense-wireguard/](horus-opnsense-wireguard/README.md) | WireGuard OPNsense ↔ Horus (Configs inkl. Keys) |
 | `pve1/ansible/` | Fish-Setup für VM 101 |
 | `pve2/ansible/` | LXC Disk-Maintenance (Cron auf pve2) |
 

shared/horus-opnsense-wireguard/README.md

@@ -0,0 +1,115 @@
+# Horus ↔ OPNsense WireGuard (Site-to-Site)
+
+Direkter WireGuard-Tunnel zwischen **OPNsense** (lokales Netz) und **Horus** (VPS), ohne Umweg über VM 101.
+
+| | |
+|---|---|
+| **Horus** | `horus.jeanavril.com` / `207.180.222.207`, WG-Port **61951**, Tunnel-IP **10.1.1.1** |
+| **OPNsense** | Tunnel-IP **10.1.1.22** (Peer `opnsense-jeanavril`) |
+| **VM 101** (legacy) | Tunnel-IP **10.1.1.5** (Peer `server5`) |
+
+Configs inkl. Private Keys: **privates Repo** — siehe Dateien in diesem Ordner.
+
+| Datei | Inhalt |
+|-------|--------|
+| [opnsense-client.conf](opnsense-client.conf) | OPNsense Client (Private Key, PSK, Endpoint) |
+| [horus-server-peer-opnsense.conf](horus-server-peer-opnsense.conf) | Gegenstück auf Horus |
+| [vm101-client.conf](vm101-client.conf) | VM 101 Client (Referenz / Migration) |
+| [horus-server-peer-vm101.conf](horus-server-peer-vm101.conf) | VM-Peer auf Horus |
+
+## Topologie
+
+```
+LAN/VLANs (192.168.x.0/24, 10.2.2.0/24)
+        ↓
+   OPNsense (10.1.1.22)  ←——WireGuard——→  Horus (10.1.1.1)
+        ↓                                      ↓
+   10.2.2.0/24 → 192.168.10.10 (docbr0)    Services / SSH / …
+```
+
+**10.2.2.0/24 (docbr0):** Horus schickt Traffic dorthin an OPNsense; OPNsense leitet weiter an **192.168.10.10** (bestehende Route/Gateway `VM101_DOCKER` — siehe [opnsense-docker-subnet-routing.md](../opnsense-docker-subnet-routing.md)).
+
+## Public Keys
+
+| Rolle | Public Key |
+|-------|------------|
+| Horus (Server) | `qXxhgerS2ORypVadhKCBuxgIX5Pu4J75nSWazdtd+Qk=` |
+| OPNsense | `walbWTYXAGOD1mOxPK+NwKT6qUhLyY0qieWBeTIbdXU=` |
+| VM 101 | `VB3Cf8kDxpzO+FyMrLxPyJ0vUjm8yJ/qIKmhY2KeeyI=` |
+
+## OPNsense einrichten
+
+Werte aus [opnsense-client.conf](opnsense-client.conf) in die GUI übernehmen.
+
+**VPN → WireGuard → Local → +**
+
+| Feld | Wert |
+|------|------|
+| Enabled | ✓ |
+| Name | `wg_horus` |
+| Listen port | leer oder `51820` (nur ausgehend nötig) |
+| Tunnel Address | `10.1.1.22/32` |
+| MTU | `1250` |
+| Private key | `[Interface] PrivateKey` aus `opnsense-client.conf` |
+
+**VPN → WireGuard → Endpoints → +** (Peer Horus)
+
+| Feld | Wert |
+|------|------|
+| Enabled | ✓ |
+| Name | `horus` |
+| Public Key | `qXxhgerS2ORypVadhKCBuxgIX5Pu4J75nSWazdtd+Qk=` |
+| Shared Secret | `[Peer] PresharedKey` aus `opnsense-client.conf` |
+| Allowed IPs | `10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24, 10.1.4.0/24, 10.8.0.0/24` |
+| Endpoint Address | `horus.jeanavril.com` |
+| Endpoint Port | `61951` |
+| Persistent Keepalive | `25` |
+
+Instance und Endpoint verknüpfen (Peer der Instance zuweisen — je nach OPNsense-Version unter **Local → Peers** oder Endpoint an Instance binden).
+
+### Interface zuweisen
+
+**Interfaces → Assignments → New → `wg_horus` (optX) → Save**
+
+Interface aktivieren, ggf. **Block private networks** auf WG-Interface deaktivieren (Site-to-Site).
+
+### Firewall
+
+| Regel | Interface | Direction | Source | Destination | Beschreibung |
+|-------|-----------|-----------|--------|-------------|--------------|
+| Pass | LAN / VLAN10 / … | in | Netz(e) | `10.1.1.0/24`, `10.8.0.0/24`, … | LAN → Horus-Netze |
+| Pass | `optX` (WG) | in | `10.1.1.0/24` | LAN / VLANs | Horus → Heimnetz (Rückweg) |
+
+### Routing auf Horus
+
+Siehe [horus-server-peer-opnsense.conf](horus-server-peer-opnsense.conf) — bereits auf Horus aktiv.
+
+## Test
+
+```bash
+# Handshake auf Horus (nach OPNsense-Aktivierung):
+ssh jean@192.168.10.10 'ssh root@10.1.1.1 wg show wg0 | grep -A5 walbWTYX'
+
+# Von LAN-PC:
+ping 10.1.1.1
+ssh root@10.1.1.1    # Keys: ../ssh/assembled/horus-root.pub
+```
+
+## VM 101 (optional später)
+
+VM 101 nutzt **10.1.1.5** ([vm101-client.conf](vm101-client.conf)) und advertised u.a. `10.2.0.0/16` an Horus.
+
+Wenn OPNsense stabil läuft:
+
+1. **Horus:** beim Peer `server5` LAN-Routen aus `AllowedIPs` entfernen — nur `10.1.1.5/32` behalten.
+2. **VM:** `wg0` abschalten, wenn Cert-Sync angepasst ist.
+
+Nicht beides parallel dieselben Subnetze an Horus announcen.
+
+## Referenzen
+
+| Thema | Doc |
+|-------|-----|
+| Horus SSH-Keys | [../ssh/README.md](../ssh/README.md#horus-vps-wireguard) |
+| docbr0 / 10.2.2.0/24 | [../../pve1/guests/vm101-ubuntu/docbr0-opnsense-routing.md](../../pve1/guests/vm101-ubuntu/docbr0-opnsense-routing.md) |
+| VLAN-Übersicht | [../infrastruktur-netzwerk.md](../infrastruktur-netzwerk.md) |

shared/horus-opnsense-wireguard/horus-server-peer-opnsense.conf

@@ -0,0 +1,5 @@
+# Horus wg0 — Peer opnsense-jeanavril (Eintrag in /etc/wireguard/wg0.conf)
+[Peer]
+PublicKey = walbWTYXAGOD1mOxPK+NwKT6qUhLyY0qieWBeTIbdXU=
+PresharedKey = z4VXyOG41/+4JbiUdkb055Bpyxlte+ecW7Bzdvb1s+w=
+AllowedIPs = 10.1.1.22/32, 192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24, 192.168.40.0/24, 192.168.50.0/24, 192.168.60.0/24, 10.2.2.0/24

shared/horus-opnsense-wireguard/horus-server-peer-vm101.conf

@@ -0,0 +1,5 @@
+# Horus wg0 — Peer server5 / VM 101 (Eintrag in /etc/wireguard/wg0.conf)
+[Peer]
+PublicKey = VB3Cf8kDxpzO+FyMrLxPyJ0vUjm8yJ/qIKmhY2KeeyI=
+PresharedKey = xeXr67LSX7phEAAz6U+D+UhIFoLEvcSLs8qFu2/L4Cs=
+AllowedIPs = 10.1.1.5/32, 192.168.2.0/24, 192.168.178.0/24, 10.1.2.0/24, 10.2.0.0/16

shared/horus-opnsense-wireguard/opnsense-client.conf

@@ -0,0 +1,12 @@
+[Interface]
+PrivateKey = AGEam06B9IKmy3wSNRUOLoeLIaGJ5q1ftasOs3qlHEI=
+Address = 10.1.1.22/32
+MTU = 1250
+DNS = 10.1.1.1
+
+[Peer]
+PublicKey = qXxhgerS2ORypVadhKCBuxgIX5Pu4J75nSWazdtd+Qk=
+PresharedKey = z4VXyOG41/+4JbiUdkb055Bpyxlte+ecW7Bzdvb1s+w=
+Endpoint = horus.jeanavril.com:61951
+AllowedIPs = 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24, 10.1.4.0/24, 10.8.0.0/24
+PersistentKeepalive = 25

shared/horus-opnsense-wireguard/vm101-client.conf

@@ -0,0 +1,13 @@
+# VM 101 ubuntu — WireGuard Client zu Horus (Peer „server5“, 10.1.1.5)
+# Quelle: /etc/wireguard/wg0.conf auf jean@192.168.10.10
+[Interface]
+Address = 10.1.1.5/32
+ListenPort = 61951
+PrivateKey = SKMnLpkjSyCHCoKuKGEmd18uDk1u5UALgHKvL8FEr2E=
+
+[Peer]
+PublicKey = qXxhgerS2ORypVadhKCBuxgIX5Pu4J75nSWazdtd+Qk=
+PresharedKey = xeXr67LSX7phEAAz6U+D+UhIFoLEvcSLs8qFu2/L4Cs=
+AllowedIPs = 10.1.1.0/24, 10.8.0.0/24, 10.1.3.0/24, 10.1.4.0/24, 192.168.0.0/24
+Endpoint = 207.180.222.207:61951
+PersistentKeepalive = 15