machines: add wireguard vpn

This commit is contained in:
Dmitriy Pleshevskiy 2023-03-02 16:00:19 +03:00
parent 26dd3d4db1
commit dcb2d428d7
Signed by: pleshevskiy
GPG key ID: 79C4487B44403985
14 changed files with 171 additions and 14 deletions

Binary file not shown.

View file

@ -12,6 +12,7 @@
../modules/nix.nix
../modules/garbage-collector.nix
../modules/networking.secret.nix
../modules/wireguard-client.nix
];
# Use latest kernel
@ -65,5 +66,14 @@
localDiscovery = true;
};
# Additional nix configs
local.nix.enableMyRegistry = true;
# Wireguard client
age.secrets.wireguard-asus-gl553vd-private.file = ../../secrets/wireguard-asus-gl553vd-private.age;
local.wireguard = {
enable = false;
ip = "10.100.0.3/24";
privateKeyFile = config.age.secrets.wireguard-asus-gl553vd-private.path;
};
}

Binary file not shown.

View file

@ -10,6 +10,8 @@ in
../modules/common.nix
../modules/fail2ban.nix
./services/wireguard.nix
];
boot.cleanTmpDir = true;

View file

@ -0,0 +1,62 @@
{ config, pkgs, ... }:
let
port = 51820;
in
{
# enable NAT
networking.nat = {
enable = true;
externalInterface = "eth0";
internalInterfaces = [ "wg0" ];
};
networking.firewall = {
allowedUDPPorts = [ port ];
};
networking.wireguard.interfaces = {
# "wg0" is the network interface name. You can name the interface arbitrarily.
wg0 = {
# Determines the IP address and subnet of the server's end of the tunnel interface.
ips = [ "10.100.0.1/24" ];
# The port that WireGuard listens to. Must be accessible by the client.
listenPort = port;
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
'';
# This undoes the above command
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
'';
# Path to the private key file.
privateKeyFile = config.age.secrets.wireguard-canigou-private.path;
peers = [
# List of allowed peers.
{
# Home
publicKey = "Gg+p7tysAhu2X841weBiQrqoKXh6kvcmDiCY62rLwQg=";
# List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
allowedIPs = [ "10.100.0.2/32" ];
}
{
# Asus
publicKey = "mzVH0N3q7UE/XjMwgRks+D8KFuIj91VkOK2ytgjsnkw=";
allowedIPs = [ "10.100.0.3/32" ];
}
];
};
};
age.secrets.wireguard-canigou-private = {
file = ../../../secrets/wireguard-canigou-private.age;
mode = "0400";
};
}

View file

@ -2,15 +2,6 @@
let
hardware = inputs.hardware.nixosModules;
inherit (inputs.nixpkgs) lib;
inherit (builtins) head;
getTargetHost = file:
let
net = import file { inherit lib; };
ipv4addrs = net.networking.interfaces.eth0.ipv4.addresses;
in
(head ipv4addrs).address;
in
{
home = {
@ -46,8 +37,7 @@ in
magenta = {
system = "x86_64-linux";
targetHost =
getTargetHost ./magenta/networking.secret.nix;
targetHost = (import ./magenta/data.secret.nix).addr;
extraModules = [
inputs.mailserver.nixosModule
@ -57,7 +47,6 @@ in
canigou = {
system = "x86_64-linux";
targetHost =
getTargetHost ./canigou/networking.secret.nix;
targetHost = (import ./canigou/data.secret.nix).addr;
};
}

View file

@ -12,6 +12,7 @@
../modules/nix.nix
../modules/garbage-collector.nix
../modules/networking.secret.nix
../modules/wireguard-client.nix
];
# Configure kernel
@ -84,5 +85,17 @@
localDiscovery = true;
};
# Additional nix configs
local.nix.enableMyRegistry = true;
# Wireguard client
age.secrets.wireguard-home-private = {
file = ../../secrets/wireguard-home-private.age;
mode = "0400";
};
local.wireguard = {
enable = true;
ip = "10.100.0.2/24";
privateKeyFile = config.age.secrets.wireguard-home-private.path;
};
}

Binary file not shown.

View file

@ -12,7 +12,7 @@ in
description = "Enable my custom nix registry";
};
allowUnfreePackages = mkOption {
type = types.listOf types.string;
type = types.listOf types.str;
default = [ ];
};
};

View file

@ -0,0 +1,68 @@
{ config, lib, pkgs, ... }:
let
cfg = config.local.wireguard;
port = 51820;
serverAddr = (import ../canigou/data.secret.nix).addr;
defaultGateway = "192.168.0.1";
in
{
options.local.wireguard = with lib; {
enable = mkOption {
type = types.bool;
default = false;
description = "Enable wireguard vpn";
};
ip = mkOption {
type = types.str;
description = "10.100.0.<num>/24";
example = "10.100.0.1/24";
};
privateKeyFile = mkOption {
type = types.str;
};
};
config = lib.mkIf cfg.enable {
networking.firewall = {
allowedUDPPorts = [ port ]; # Clients and peers can use the same port, see listenport
};
# Enable WireGuard
networking.wireguard.interfaces = {
# "wg0" is the network interface name. You can name the interface arbitrarily.
wg0 = {
# Determines the IP address and subnet of the client's end of the tunnel interface.
ips = [ cfg.ip ];
listenPort = port; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
# Path to the private key file.
privateKeyFile = cfg.privateKeyFile;
postSetup = "${pkgs.iproute}/bin/ip route add ${serverAddr} via ${defaultGateway}";
postShutdown = "${pkgs.iproute}/bin/ip route del ${serverAddr} via ${defaultGateway}";
peers = [
# For a client configuration, one peer entry for the server will suffice.
{
# Public key of the server (not a file path).
publicKey = "nFqvL30dkKkhOt+fLJ+EJNmp9GjkXVjmpz1WRI1pG0A=";
# Forward all the traffic via VPN.
allowedIPs = [ "0.0.0.0/0" ];
# Or forward only particular subnets
# allowedIPs = [ "192.168.0.0/24" ];
# Set this to the server IP and port.
endpoint = "${serverAddr}:${toString port}";
# Send keepalives every 25 seconds. Important to keep NAT tables alive.
persistentKeepalive = 25;
}
];
};
};
};
}

13
notes/vpn.md Normal file
View file

@ -0,0 +1,13 @@
# WireGuard
## Generate keypair
```sh
umask 077
wg genkey > ./private
wg pubkey < ./private > ./public
```
# References:
- https://nixos.wiki/wiki/WireGuard

Binary file not shown.

Binary file not shown.

Binary file not shown.