machines: add wireguard vpn
This commit is contained in:
parent
26dd3d4db1
commit
dcb2d428d7
14 changed files with 171 additions and 14 deletions
Binary file not shown.
|
@ -12,6 +12,7 @@
|
|||
../modules/nix.nix
|
||||
../modules/garbage-collector.nix
|
||||
../modules/networking.secret.nix
|
||||
../modules/wireguard-client.nix
|
||||
];
|
||||
|
||||
# Use latest kernel
|
||||
|
@ -65,5 +66,14 @@
|
|||
localDiscovery = true;
|
||||
};
|
||||
|
||||
# Additional nix configs
|
||||
local.nix.enableMyRegistry = true;
|
||||
|
||||
# Wireguard client
|
||||
age.secrets.wireguard-asus-gl553vd-private.file = ../../secrets/wireguard-asus-gl553vd-private.age;
|
||||
local.wireguard = {
|
||||
enable = false;
|
||||
ip = "10.100.0.3/24";
|
||||
privateKeyFile = config.age.secrets.wireguard-asus-gl553vd-private.path;
|
||||
};
|
||||
}
|
||||
|
|
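Review bot: `age.secrets.wireguard-asus-gl553vd-private.file = …` is declared as a bare attribute without the `mode = "0400"` that the `home` and `canigou` declarations in this same commit set; the agenix default is probably just as restrictive, but the three declarations should use the same form so the intent is explicit. As written the secret is declared unconditionally, so it is decrypted to disk at every activation even though `local.wireguard.enable = false`; if the client is not meant to be used yet, guarding it with `mkIf config.local.wireguard.enable { file = …; mode = "0400"; }` keeps the key off the machine until it is. The enclosing module starts before this hunk.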
BIN
machines/canigou/data.secret.nix
Normal file
BIN
machines/canigou/data.secret.nix
Normal file
Binary file not shown.
|
@ -10,6 +10,8 @@ in
|
|||
|
||||
../modules/common.nix
|
||||
../modules/fail2ban.nix
|
||||
|
||||
./services/wireguard.nix
|
||||
];
|
||||
|
||||
boot.cleanTmpDir = true;
|
||||
|
|
62
machines/canigou/services/wireguard.nix
Normal file
62
machines/canigou/services/wireguard.nix
Normal file
|
@ -0,0 +1,62 @@
|
|||
{ config, pkgs, ... }:
|
||||
|
||||
let
|
||||
port = 51820;
|
||||
in
|
||||
{
|
||||
# enable NAT
|
||||
networking.nat = {
|
||||
enable = true;
|
||||
externalInterface = "eth0";
|
||||
internalInterfaces = [ "wg0" ];
|
||||
};
|
||||
|
||||
networking.firewall = {
|
||||
allowedUDPPorts = [ port ];
|
||||
};
|
||||
|
||||
networking.wireguard.interfaces = {
|
||||
# "wg0" is the network interface name. You can name the interface arbitrarily.
|
||||
wg0 = {
|
||||
# Determines the IP address and subnet of the server's end of the tunnel interface.
|
||||
ips = [ "10.100.0.1/24" ];
|
||||
|
||||
# The port that WireGuard listens to. Must be accessible by the client.
|
||||
listenPort = port;
|
||||
|
||||
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
|
||||
# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
|
||||
postSetup = ''
|
||||
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
|
||||
'';
|
||||
|
||||
# This undoes the above command
|
||||
postShutdown = ''
|
||||
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
|
||||
'';
|
||||
|
||||
# Path to the private key file.
|
||||
privateKeyFile = config.age.secrets.wireguard-canigou-private.path;
|
||||
|
||||
peers = [
|
||||
# List of allowed peers.
|
||||
{
|
||||
# Home
|
||||
publicKey = "Gg+p7tysAhu2X841weBiQrqoKXh6kvcmDiCY62rLwQg=";
|
||||
# List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
|
||||
allowedIPs = [ "10.100.0.2/32" ];
|
||||
}
|
||||
{
|
||||
# Asus
|
||||
publicKey = "mzVH0N3q7UE/XjMwgRks+D8KFuIj91VkOK2ytgjsnkw=";
|
||||
allowedIPs = [ "10.100.0.3/32" ];
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
age.secrets.wireguard-canigou-private = {
|
||||
file = ../../../secrets/wireguard-canigou-private.age;
|
||||
mode = "0400";
|
||||
};
|
||||
}
|
|
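Review bot: The `postSetup`/`postShutdown` MASQUERADE rules duplicate the NAT that `networking.nat` with `externalInterface = "eth0"` and `internalInterfaces = [ "wg0" ]` already installs for traffic leaving eth0, as far as I can tell, so the subnet and interface are now hard-coded in two places and the `-D` on shutdown removes only one copy of the rule. Either drop the `networking.nat` block or drop the two hooks; if the hooks stay, derive the subnet from `ips` instead of repeating `10.100.0.0/24` next to `10.100.0.1/24`. The per-peer `/32` `allowedIPs` are the right choice and worth a comment: WireGuard's cryptokey routing drops a peer's packets whose inner source address is outside its `allowedIPs`, so it is that list, not the iptables rule, that stops one peer from sending as another, e.g. `# /32 per peer: cryptokey routing pins the inner source address, so a peer cannot impersonate another tunnel address`.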
@ -2,15 +2,6 @@
|
|||
|
||||
let
|
||||
hardware = inputs.hardware.nixosModules;
|
||||
|
||||
inherit (inputs.nixpkgs) lib;
|
||||
inherit (builtins) head;
|
||||
getTargetHost = file:
|
||||
let
|
||||
net = import file { inherit lib; };
|
||||
ipv4addrs = net.networking.interfaces.eth0.ipv4.addresses;
|
||||
in
|
||||
(head ipv4addrs).address;
|
||||
in
|
||||
{
|
||||
home = {
|
||||
|
@ -46,8 +37,7 @@ in
|
|||
magenta = {
|
||||
system = "x86_64-linux";
|
||||
|
||||
targetHost =
|
||||
getTargetHost ./magenta/networking.secret.nix;
|
||||
targetHost = (import ./magenta/data.secret.nix).addr;
|
||||
|
||||
extraModules = [
|
||||
inputs.mailserver.nixosModule
|
||||
|
@ -57,7 +47,6 @@ in
|
|||
canigou = {
|
||||
system = "x86_64-linux";
|
||||
|
||||
targetHost =
|
||||
getTargetHost ./canigou/networking.secret.nix;
|
||||
targetHost = (import ./canigou/data.secret.nix).addr;
|
||||
};
|
||||
}
|
||||
|
|
|
@ -12,6 +12,7 @@
|
|||
../modules/nix.nix
|
||||
../modules/garbage-collector.nix
|
||||
../modules/networking.secret.nix
|
||||
../modules/wireguard-client.nix
|
||||
];
|
||||
|
||||
# Configure kernel
|
||||
|
@ -84,5 +85,17 @@
|
|||
localDiscovery = true;
|
||||
};
|
||||
|
||||
# Additional nix configs
|
||||
local.nix.enableMyRegistry = true;
|
||||
|
||||
# Wireguard client
|
||||
age.secrets.wireguard-home-private = {
|
||||
file = ../../secrets/wireguard-home-private.age;
|
||||
mode = "0400";
|
||||
};
|
||||
local.wireguard = {
|
||||
enable = true;
|
||||
ip = "10.100.0.2/24";
|
||||
privateKeyFile = config.age.secrets.wireguard-home-private.path;
|
||||
};
|
||||
}
|
||||
|
|
BIN
machines/magenta/data.secret.nix
Normal file
BIN
machines/magenta/data.secret.nix
Normal file
Binary file not shown.
|
@ -12,7 +12,7 @@ in
|
|||
description = "Enable my custom nix registry";
|
||||
};
|
||||
allowUnfreePackages = mkOption {
|
||||
type = types.listOf types.string;
|
||||
type = types.listOf types.str;
|
||||
default = [ ];
|
||||
};
|
||||
};
|
||||
|
|
68
machines/modules/wireguard-client.nix
Normal file
68
machines/modules/wireguard-client.nix
Normal file
|
@ -0,0 +1,68 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
cfg = config.local.wireguard;
|
||||
|
||||
port = 51820;
|
||||
|
||||
serverAddr = (import ../canigou/data.secret.nix).addr;
|
||||
defaultGateway = "192.168.0.1";
|
||||
in
|
||||
{
|
||||
options.local.wireguard = with lib; {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Enable wireguard vpn";
|
||||
};
|
||||
ip = mkOption {
|
||||
type = types.str;
|
||||
description = "10.100.0.<num>/24";
|
||||
example = "10.100.0.1/24";
|
||||
};
|
||||
privateKeyFile = mkOption {
|
||||
type = types.str;
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
networking.firewall = {
|
||||
allowedUDPPorts = [ port ]; # Clients and peers can use the same port, see listenport
|
||||
};
|
||||
# Enable WireGuard
|
||||
networking.wireguard.interfaces = {
|
||||
# "wg0" is the network interface name. You can name the interface arbitrarily.
|
||||
wg0 = {
|
||||
# Determines the IP address and subnet of the client's end of the tunnel interface.
|
||||
ips = [ cfg.ip ];
|
||||
listenPort = port; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
|
||||
|
||||
# Path to the private key file.
|
||||
privateKeyFile = cfg.privateKeyFile;
|
||||
|
||||
postSetup = "${pkgs.iproute}/bin/ip route add ${serverAddr} via ${defaultGateway}";
|
||||
postShutdown = "${pkgs.iproute}/bin/ip route del ${serverAddr} via ${defaultGateway}";
|
||||
|
||||
peers = [
|
||||
# For a client configuration, one peer entry for the server will suffice.
|
||||
|
||||
{
|
||||
# Public key of the server (not a file path).
|
||||
publicKey = "nFqvL30dkKkhOt+fLJ+EJNmp9GjkXVjmpz1WRI1pG0A=";
|
||||
|
||||
# Forward all the traffic via VPN.
|
||||
allowedIPs = [ "0.0.0.0/0" ];
|
||||
# Or forward only particular subnets
|
||||
# allowedIPs = [ "192.168.0.0/24" ];
|
||||
|
||||
# Set this to the server IP and port.
|
||||
endpoint = "${serverAddr}:${toString port}";
|
||||
|
||||
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
|
||||
persistentKeepalive = 25;
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
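Review bot: `defaultGateway = "192.168.0.1"` is hard-coded in the shared module while `allowedIPs = [ "0.0.0.0/0" ]` turns every enabled client into a full tunnel, so the host route added in `postSetup` (the only thing keeping the endpoint reachable outside the tunnel) is correct on exactly one LAN; on any other network the `ip route add` fails and the interface either does not come up or traffic to the endpoint is pulled into wg0. Expose the gateway as an option so each machine's configuration sets it, as in the excerpt below. `serverAddr` is interpolated into `endpoint` and into the two route commands, so whatever `../canigou/data.secret.nix` holds ends up verbatim in the generated unit in the world-readable Nix store — keeping that file out of git does not keep the value off the client, which deserves a comment on the `serverAddr` line if it is acceptable. A client that only initiates to the server also needs neither `listenPort` nor the `allowedUDPPorts` opening, since replies to its outbound packets are admitted by conntrack; dropping both removes an unnecessary inbound listener on a roaming machine, and the `privateKeyFile` option should get a `description` like the other two.
```nix
options.local.wireguard = with lib; {
  # … unchanged: enable, ip, privateKeyFile …
  gateway = mkOption {
    type = types.str;
    default = "192.168.0.1";
    description = "LAN gateway for the host route that keeps the WireGuard endpoint reachable outside the tunnel";
  };
};
# … unchanged: firewall and interface settings (drop the defaultGateway let-binding) …
postSetup = "${pkgs.iproute}/bin/ip route add ${serverAddr} via ${cfg.gateway}";
postShutdown = "${pkgs.iproute}/bin/ip route del ${serverAddr} via ${cfg.gateway}";
```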
13
notes/vpn.md
Normal file
13
notes/vpn.md
Normal file
|
@ -0,0 +1,13 @@
|
|||
# WireGuard
|
||||
|
||||
## Generate keypair
|
||||
|
||||
```sh
|
||||
umask 077
|
||||
wg genkey > ./private
|
||||
wg pubkey < ./private > ./public
|
||||
```
|
||||
|
||||
# References:
|
||||
|
||||
- https://nixos.wiki/wiki/WireGuard
|
BIN
secrets/wireguard-asus-gl553vd-private.age
Normal file
BIN
secrets/wireguard-asus-gl553vd-private.age
Normal file
Binary file not shown.
BIN
secrets/wireguard-canigou-private.age
Normal file
BIN
secrets/wireguard-canigou-private.age
Normal file
Binary file not shown.
BIN
secrets/wireguard-home-private.age
Normal file
BIN
secrets/wireguard-home-private.age
Normal file
Binary file not shown.