machines: add wireguard vpn

2023-03-02 16:00:19 +03:00 · 2023-03-02 16:00:19 +03:00 · dcb2d428d7
commit dcb2d428d7
parent 26dd3d4db1
14 changed files with 171 additions and 14 deletions
--- a/.agenix_config.nix
+++ b/.agenix_config.nix
--- a/machines/asus-gl553vd/default.nix
+++ b/machines/asus-gl553vd/default.nix
@ -12,6 +12,7 @@
    ../modules/nix.nix
    ../modules/garbage-collector.nix
    ../modules/networking.secret.nix
+    ../modules/wireguard-client.nix
  ];

  # Use latest kernel
@ -65,5 +66,14 @@
    localDiscovery = true;
  };

+  # Additional nix configs
  local.nix.enableMyRegistry = true;
+
+  # Wireguard client
+  age.secrets.wireguard-asus-gl553vd-private.file = ../../secrets/wireguard-asus-gl553vd-private.age;
+  local.wireguard = {
+    enable = false;
+    ip = "10.100.0.3/24";
+    privateKeyFile = config.age.secrets.wireguard-asus-gl553vd-private.path;
+  };
 }
--- a/machines/canigou/data.secret.nix
+++ b/machines/canigou/data.secret.nix
--- a/machines/canigou/default.nix
+++ b/machines/canigou/default.nix
@ -10,6 +10,8 @@ in

    ../modules/common.nix
    ../modules/fail2ban.nix
+
+    ./services/wireguard.nix
  ];

  boot.cleanTmpDir = true;
--- a/machines/canigou/services/wireguard.nix
+++ b/machines/canigou/services/wireguard.nix
@ -0,0 +1,62 @@
+{ config, pkgs, ... }:
+
+let
+  port = 51820;
+in
+{
+  # enable NAT
+  networking.nat = {
+    enable = true;
+    externalInterface = "eth0";
+    internalInterfaces = [ "wg0" ];
+  };
+
+  networking.firewall = {
+    allowedUDPPorts = [ port ];
+  };
+
+  networking.wireguard.interfaces = {
+    # "wg0" is the network interface name. You can name the interface arbitrarily.
+    wg0 = {
+      # Determines the IP address and subnet of the server's end of the tunnel interface.
+      ips = [ "10.100.0.1/24" ];
+
+      # The port that WireGuard listens to. Must be accessible by the client.
+      listenPort = port;
+
+      # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+      # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+      postSetup = ''
+        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+      '';
+
+      # This undoes the above command
+      postShutdown = ''
+        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+      '';
+
+      # Path to the private key file.
+      privateKeyFile = config.age.secrets.wireguard-canigou-private.path;
+
+      peers = [
+        # List of allowed peers.
+        {
+          # Home
+          publicKey = "Gg+p7tysAhu2X841weBiQrqoKXh6kvcmDiCY62rLwQg=";
+          # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
+          allowedIPs = [ "10.100.0.2/32" ];
+        }
+        {
+          # Asus
+          publicKey = "mzVH0N3q7UE/XjMwgRks+D8KFuIj91VkOK2ytgjsnkw=";
+          allowedIPs = [ "10.100.0.3/32" ];
+        }
+      ];
+    };
+  };
+
+  age.secrets.wireguard-canigou-private = {
+    file = ../../../secrets/wireguard-canigou-private.age;
+    mode = "0400";
+  };
+}
--- a/machines/default.nix
+++ b/machines/default.nix
@ -2,15 +2,6 @@

 let
  hardware = inputs.hardware.nixosModules;
-
-  inherit (inputs.nixpkgs) lib;
-  inherit (builtins) head;
-  getTargetHost = file:
-    let
-      net = import file { inherit lib; };
-      ipv4addrs = net.networking.interfaces.eth0.ipv4.addresses;
-    in
-    (head ipv4addrs).address;
 in
 {
  home = {
@ -46,8 +37,7 @@ in
  magenta = {
    system = "x86_64-linux";

-    targetHost =
-      getTargetHost ./magenta/networking.secret.nix;
+    targetHost = (import ./magenta/data.secret.nix).addr;

    extraModules = [
      inputs.mailserver.nixosModule
@ -57,7 +47,6 @@ in
  canigou = {
    system = "x86_64-linux";

-    targetHost =
-      getTargetHost ./canigou/networking.secret.nix;
+    targetHost = (import ./canigou/data.secret.nix).addr;
  };
 }
--- a/machines/home/default.nix
+++ b/machines/home/default.nix
@ -12,6 +12,7 @@
    ../modules/nix.nix
    ../modules/garbage-collector.nix
    ../modules/networking.secret.nix
+    ../modules/wireguard-client.nix
  ];

  # Configure kernel
@ -84,5 +85,17 @@
    localDiscovery = true;
  };

+  # Additional nix configs
  local.nix.enableMyRegistry = true;
+
+  # Wireguard client
+  age.secrets.wireguard-home-private = {
+    file = ../../secrets/wireguard-home-private.age;
+    mode = "0400";
+  };
+  local.wireguard = {
+    enable = true;
+    ip = "10.100.0.2/24";
+    privateKeyFile = config.age.secrets.wireguard-home-private.path;
+  };
 }
--- a/machines/magenta/data.secret.nix
+++ b/machines/magenta/data.secret.nix
--- a/machines/modules/nix.nix
+++ b/machines/modules/nix.nix
@ -12,7 +12,7 @@ in
      description = "Enable my custom nix registry";
    };
    allowUnfreePackages = mkOption {
-      type = types.listOf types.string;
+      type = types.listOf types.str;
      default = [ ];
    };
  };
--- a/machines/modules/wireguard-client.nix
+++ b/machines/modules/wireguard-client.nix
@ -0,0 +1,68 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.local.wireguard;
+
+  port = 51820;
+
+  serverAddr = (import ../canigou/data.secret.nix).addr;
+  defaultGateway = "192.168.0.1";
+in
+{
+  options.local.wireguard = with lib; {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Enable wireguard vpn";
+    };
+    ip = mkOption {
+      type = types.str;
+      description = "10.100.0.<num>/24";
+      example = "10.100.0.1/24";
+    };
+    privateKeyFile = mkOption {
+      type = types.str;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    networking.firewall = {
+      allowedUDPPorts = [ port ]; # Clients and peers can use the same port, see listenport
+    };
+    # Enable WireGuard
+    networking.wireguard.interfaces = {
+      # "wg0" is the network interface name. You can name the interface arbitrarily.
+      wg0 = {
+        # Determines the IP address and subnet of the client's end of the tunnel interface.
+        ips = [ cfg.ip ];
+        listenPort = port; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+
+        # Path to the private key file.
+        privateKeyFile = cfg.privateKeyFile;
+
+        postSetup = "${pkgs.iproute}/bin/ip route add ${serverAddr} via ${defaultGateway}";
+        postShutdown = "${pkgs.iproute}/bin/ip route del ${serverAddr} via ${defaultGateway}";
+
+        peers = [
+          # For a client configuration, one peer entry for the server will suffice.
+
+          {
+            # Public key of the server (not a file path).
+            publicKey = "nFqvL30dkKkhOt+fLJ+EJNmp9GjkXVjmpz1WRI1pG0A=";
+
+            # Forward all the traffic via VPN.
+            allowedIPs = [ "0.0.0.0/0" ];
+            # Or forward only particular subnets
+            # allowedIPs = [ "192.168.0.0/24" ];
+
+            # Set this to the server IP and port.
+            endpoint = "${serverAddr}:${toString port}";
+
+            # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+            persistentKeepalive = 25;
+          }
+        ];
+      };
+    };
+  };
+}
--- a/notes/vpn.md
+++ b/notes/vpn.md
@ -0,0 +1,13 @@
+# WireGuard
+
+## Generate keypair
+
+```sh
+umask 077
+wg genkey > ./private
+wg pubkey < ./private > ./public
+```
+
+# References:
+
+- https://nixos.wiki/wiki/WireGuard
--- a/secrets/wireguard-asus-gl553vd-private.age
+++ b/secrets/wireguard-asus-gl553vd-private.age
--- a/secrets/wireguard-canigou-private.age
+++ b/secrets/wireguard-canigou-private.age
--- a/secrets/wireguard-home-private.age
+++ b/secrets/wireguard-home-private.age