gitops/config/sit/vpn-overlay.yaml

# 基础网络参数
wg_network: 172.30.0.0/16
bridge_network: 10.253.0.0/16
vxlan_id: 100
hub_port: 51820

# 全局功能开关
features:
  enable_vless: true               # 是否通过 VLESS 中转 WG 流量
  enable_multi_hub: true           # 是否支持多 Hub 架构（false 则为单 Hub star 架构）
  enable_vxlan_between_sits: true  # 是否开启 vxlan 桥接（站点接入 Hub）
  enable_vxlan_between_hubs: true  # 是否开启 Hub 之间的 VXLAN Mesh
  only_wireguard: false            # 若为 true，仅使用 WireGuard 点对点，忽略 gretap/vxlan

# WireGuard Hub 节点配置
hubs:
  - name: cn-hub
    interface: eth0
    public_ip: 1.15.155.245
    pod_cidr: 10.42.0.0/16
    wireguard_cidr: 172.30.0.0/16
    wg_ip: 172.30.0.1
    br_ip: 10.253.253.1
    local_ip: 172.30.0.1
    remote_ip: 172.31.0.10
    xray:
      uuid: "18d270a9-533d-4b13-b3f1-e7f55540a9b2"
      relay_address: "global-proxy.onwalk.net"
      relay_port: '51820'
      remote_domain: "global-proxy.onwalk.net"
      cert_path: "/etc/ssl/onwalk.net.pem"
      key_path: "/etc/ssl/onwalk.net.key"
    wireguard_peer:
      - master-1
      - slave-1
      - agent-1
      - agent-1

  - name: global-hub
    interface: ens5
    public_ip: 1.15.155.245
    wg_ip: 172.31.0.1
    br_ip: 10.253.253.2
    local_ip: 172.31.0.1
    remote_ip: 172.30.0.1
    xray:
      uuid: "18d270a9-533d-4b13-b3f1-e7f55540a9b2"
      cert_path: "/etc/ssl/onwalk.net.pem"
      key_path: "/etc/ssl/onwalk.net.key"
      relay_address: "cn-proxy.onwalk.net"
      relay_port: '51820'
      remote_domain: "cn-proxy.onwalk.net"
    wireguard_peer:
      - master-1
      - slave-1
      - agent-1
      - agent-1

sites:
  - name: tky-proxy
    interface: ens5
    public_ip: 52.196.108.28
    wg_ip: 172.31.0.2
    br_ip: 10.253.254.2
    local_ip: 172.31.0.2
    remote_ip: 172.31.0.1
    wireguard_peer:
      - global-hub
    allowed_ips: "172.30.0.0/16,172.31.0.0/16"
    xray:
      uuid: "18d270a9-533d-4b13-b3f1-e7f55540a9b2"
      cert_path: "/etc/ssl/onwalk.net.pem"
      key_path: "/etc/ssl/onwalk.net.key"
      relay_address: "global-proxy.onwalk.net"
      relay_port: '51820'
      remote_domain: "global-proxy.onwalk.net"

  - name: us-proxy
    interface: enX0
    public_ip: 54.183.32.0
    wg_ip: 172.31.0.3
    br_ip: 10.253.254.3
    local_ip: 172.31.0.3
    remote_ip: 172.31.0.1
    wireguard_peer:
      - global-hub
    allowed_ips: "172.30.0.0/16,172.31.0.0/16"
    xray:
      uuid: "18d270a9-533d-4b13-b3f1-e7f55540a9b2"
      remote_domain: "global-proxy.onwalk.net"
      cert_path: "/etc/ssl/onwalk.net.pem"
      key_path: "/etc/ssl/onwalk.net.key"

  - name: ca-proxy
    interface: ens5
    wg_ip: 172.31.0.4
    br_ip: 10.253.254.4
    local_ip: 172.31.0.4
    remote_ip: 172.31.0.1
    wireguard_peer:
    - global-hub
    allowed_ips: "172.30.0.0/16,172.31.0.0/16"
    xray:
      uuid: "18d270a9-533d-4b13-b3f1-e7f55540a9b2"
      remote_domain: "global-proxy.onwalk.net"
      cert_path: "/etc/ssl/onwalk.net.pem"
      key_path: "/etc/ssl/onwalk.net.key"

  - name: deepflow-demo
    interface: wlp0s20f3
    public_ip: 172.30.0.10
    wg_ip: 172.30.0.10
    br_ip: 10.253.253.2
    local_ip: 172.30.0.10
    remote_ip: 172.30.0.1
    wireguard_peer: cn-hub
    allowed_ips: "172.30.0.0/16"

  - name: icp-aliyun
    interface: eth0
    public_ip: 47.120.61.35
    wg_ip: 172.30.0.11
    pod_cidr: 10.42.0.0/16
    wireguard_cidr: 172.30.0.0/16
    br_ip: 10.253.253.11
    local_ip: 172.30.0.11
    remote_ip: 172.30.0.1
    wireguard_peer: cn-hub
    allowed_ips: "172.30.0.0/16"
    xray:
      uuid: "18d270a9-533d-4b13-b3f1-e7f55540a9b2"
      cert_path: "/etc/ssl/onwalk.net.pem"
      key_path: "/etc/ssl/onwalk.net.key"
      relay_address: "cn-proxy.onwalk.net"
      relay_port: '51820'
      remote_domain: "cn-proxy.onwalk.net"

  - name: icp-huawei
    interface: eth0
    public_ip: 139.9.139.22
    pod_cidr: 10.42.0.0/16
    wireguard_cidr: 172.30.0.0/16
    wg_ip: 172.30.0.12
    br_ip: 10.253.253.12
    local_ip: 172.30.0.12
    remote_ip: 172.30.0.1
    wireguard_peer: cn-hub
    allowed_ips: "172.30.0.0/16"
    xray:
      uuid: "18d270a9-533d-4b13-b3f1-e7f55540a9b2"
      cert_path: "/etc/ssl/onwalk.net.pem"
      key_path: "/etc/ssl/onwalk.net.key"
      relay_address: "cn-proxy.onwalk.net"
      relay_port: '51820'
      remote_domain: "cn-proxy.onwalk.net"