makefu/stockholm
1
0
Fork 0
Code Issues Pull requests Actions 1 Packages Projects Releases Wiki Activity

ma wireguard/server: clean up

Browse source
This commit is contained in:
makefu 2022-06-06 21:25:30 +02:00
parent 6630d29d44
commit e8eeaace1a
No known key found for this signature in database
GPG key ID: 36F7711F3FC0F225
1 changed files with 49 additions and 39 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

88
makefu/2configs/wireguard/server.nix
View file

@ -1,59 +1,69 @@
{ config, ... }: { config,pkgs, ... }:
let let
ext-if = config.makefu.server.primary-itf; ext-if = config.makefu.server.primary-itf;
in { # wireguard server in { # wireguard server
# opkg install wireguard luci-proto-wireguard # opkg install wireguard luci-proto-wireguard
# TODO: networking.nat
# boot.kernel.sysctl."net.ipv4.ip_forward" = 1; # boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
# conf.all.proxy_arp =1 # conf.all.proxy_arp =1
networking.firewall = { networking.firewall = {
allowedUDPPorts = [ 51820 ]; allowedUDPPorts = [ 51820 ];
extraCommands = '' };
iptables -t nat -A POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE networking.nat = {
''; enable = true;
#externalIP = "144.76.26.247";
#internalIPs = [ "10.244.0.0/24" ];
externalInterface = ext-if;
internalInterfaces = [ "wg0" ];
}; };
networking.wireguard.interfaces.wg0 = { networking.wireguard.interfaces.wg0 = {
ips = [ "10.244.0.1/24" ]; ips = [ "10.244.0.1/24" ];
listenPort = 51820; listenPort = 51820;
privateKeyFile = (toString <secrets>) + "/wireguard.key"; privateKeyFile = (toString <secrets>) + "/wireguard.key";
allowedIPsAsRoutes = true; # allowedIPsAsRoutes = true;
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE
'';
# This undoes the above command
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE
'';
peers = [ peers = [
{ {
# x # x
allowedIPs = [ "10.244.0.2/32" ]; allowedIPs = [ "10.244.0.2/32" ];
publicKey = "fe5smvKVy5GAn7EV4w4tav6mqIAKhGWQotm7dRuRt1g="; publicKey = "fe5smvKVy5GAn7EV4w4tav6mqIAKhGWQotm7dRuRt1g=";
} }
{ {
# vbob # vbob
allowedIPs = [ "10.244.0.3/32" ]; allowedIPs = [ "10.244.0.3/32" ];
publicKey = "Lju7EsCu1OWXhkhdNR7c/uiN60nr0TUPHQ+s8ULPQTw="; publicKey = "Lju7EsCu1OWXhkhdNR7c/uiN60nr0TUPHQ+s8ULPQTw=";
} }
{ {
# x-test # x-test
allowedIPs = [ "10.244.0.4/32" ]; allowedIPs = [ "10.244.0.4/32" ];
publicKey = "vZ/AJpfDLJyU3DzvYeW70l4FNziVgSTumA89wGHG7XY="; publicKey = "vZ/AJpfDLJyU3DzvYeW70l4FNziVgSTumA89wGHG7XY=";
} }
{ {
# work-router # work-router
persistentKeepalive = 25; persistentKeepalive = 25;
allowedIPs = [ "10.244.0.5/32" ]; allowedIPs = [ "10.244.0.5/32" ];
publicKey = "QJMwwYu/92koCASbHnR/vqe/rN00EV6/o7BGwLockDw="; publicKey = "QJMwwYu/92koCASbHnR/vqe/rN00EV6/o7BGwLockDw=";
} }
{ {
# workr # workr
persistentKeepalive = 25; persistentKeepalive = 25;
allowedIPs = [ "10.244.0.6/32" ]; allowedIPs = [ "10.244.0.6/32" ];
publicKey = "OFhCF56BrV9tjqW1sxqXEKH/GdqamUT1SqZYSADl5GA="; publicKey = "OFhCF56BrV9tjqW1sxqXEKH/GdqamUT1SqZYSADl5GA=";
} }
{ {
# mobile # mobile
allowedIPs = [ "10.244.0.7/32" ]; allowedIPs = [ "10.244.0.7/32" ];
publicKey = "Y6fOW2QDt0SsHT7hSVzzJYQVB3JI/txO4/FDB54Z52A="; publicKey = "Y6fOW2QDt0SsHT7hSVzzJYQVB3JI/txO4/FDB54Z52A=";
} }
]; ];
}; };
# TODO: this issue is related to the router which connects to the host but is # TODO: this issue is related to the router which connects to the host but is