From 60fac3acbb3b8f914b23cee7db20be44ddf2b2d6 Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Sat, 1 Jun 2024 10:55:40 +0200
Subject: [PATCH] fixup! WIP: use two wg interfaces on both routers and route traffic via distinct ISPs
---
 nix/os/devices/router0-dmz0/configuration.nix | 42 ++++++++++++-
 .../devices/router0-nfmnk/configuration.nix | 63 +++++++++++++++----
 .../devices/sj-bm-hostkey0/configuration.nix | 7 +++
 3 files changed, 96 insertions(+), 16 deletions(-)
diff --git a/nix/os/devices/router0-dmz0/configuration.nix b/nix/os/devices/router0-dmz0/configuration.nix
index 0c51354..5ee4b53 100644
--- a/nix/os/devices/router0-dmz0/configuration.nix
+++ b/nix/os/devices/router0-dmz0/configuration.nix
@@ -211,7 +211,7 @@ in {
 vlan.interfaces = builtins.map (vlanid: (mkInterfaceName {inherit vlanid;})) vlanRange;
 # lan.ipv4Addresses = ["192.168.0.0/16"];
 wan.interfaces = ["wan" "lan0"];
- wg.interfaces = ["wg0" "wg1"];
+ vpn.interfaces = ["wg0" "wg1"];
 }
 //
 # generate a zone for each vlan
@@ -338,6 +338,13 @@ in {
 "drop"
 ];
 };
+
+ to-vpn-nat = {
+ from = ["lan" "vlan"];
+ to = ["vpn"];
+ masquerade = false;
+ verdict = "accept";
+ };
 };
 };
 };
@@ -422,7 +429,18 @@ in {
 {
 wireguardPeerConfig = {
 AllowedIPs = [
- "10.0.0.0/32"
+ # this allows all traffic to be routed through this interface
+ "0.0.0.0/0"
+
+ # # alternatively, specific destinations could be allowed
+
+ # # remote peer wg addr
+ # "10.0.0.0/32"
+
+ # "1.1.1.1/32"
+ # # ifconfig.co.
+ # "172.67.168.106"
+ # "104.21.54.91"
 ];
 PersistentKeepalive = 15;
 PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path;
@@ -447,7 +465,8 @@ in {
 {
 wireguardPeerConfig = {
 AllowedIPs = [
- "10.0.0.2/32"
+ # this allows all traffic to be routed through this interface
+ "0.0.0.0/0"
 ];
 PersistentKeepalive = 15;
 PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path;
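Review bot: The rule name `to-vpn-nat` in the hunk at -338 contradicts its body: `masquerade = false` means no NAT happens here, and none is needed, because the exit router (router0-nfmnk) masquerades vpn→wan itself and now carries a return route for 192.168.0.0/16 over the tunnels. Rename it to what it does, e.g. `lan-to-vpn = {`, or keep the name and add `# no masquerade: the exit router NATs to its wan and routes 192.168.0.0/16 back over the tunnel`. Either way a one-line comment that this accept rule (lan/vlan → vpn) is what lets LAN clients enter the tunnels at all would help the next reader.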
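Review bot: The comment `# this allows all traffic to be routed through this interface` in the hunk at -422 overstates what AllowedIPs does: it sets WireGuard's cryptokey routing (which destinations may be sent to this peer and which source addresses are accepted from it), while what is actually routed is decided by the kernel routing table, and this commit only installs a host route for 185.143.101.42/32 per tunnel (hunks at -676 and -683). The security-relevant side is ingress: with `0.0.0.0/0` the remote peer can emit packets with any source address through wg0, including 192.168.x.x, so the `vpn` zone must stay untrusted in the nftables rules (no vpn→lan/fw accept beyond established/related) and reverse-path filtering on wg0/wg1 is worth confirming. If `RouteTable=` were ever set in the [WireGuard] section, networkd would also install a default route for each of the two peers and the tunnels would compete; as far as I know it defaults to off, but that is the assumption this relies on. Suggested replacement comment: `# 0.0.0.0/0: cryptokey routing only (any dst to / any src from this peer); actual routing is the explicit [Route] in systemd.network.networks`. The same applies to the wg1 peer in the hunk at -447.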
@@ -676,6 +695,15 @@ in {
 address = [
 "10.0.0.1/31"
 ];
+
+ routes = [
+ {
+ routeConfig = {
+ Destination = "185.143.101.42/32";
+ MultiPathRoute = "10.0.0.0 1";
+ };
+ }
+ ];
 };
 "50-wg1" = {
 enable = true;
@@ -683,6 +711,14 @@ in {
 address = [
 "10.0.0.3/31"
 ];
+ routes = [
+ {
+ routeConfig = {
+ Destination = "185.143.101.42/32";
+ MultiPathRoute = "10.0.0.2 1";
+ };
+ }
+ ];
 };
 }
 # configuration for the hostapd dynamic interfaces
diff --git a/nix/os/devices/router0-nfmnk/configuration.nix b/nix/os/devices/router0-nfmnk/configuration.nix
index 2864383..9dcb55d 100644
--- a/nix/os/devices/router0-nfmnk/configuration.nix
+++ b/nix/os/devices/router0-nfmnk/configuration.nix
@@ -146,18 +146,8 @@
 usePredictableInterfaceNames = false;

 # these will be configured via nftables
- firewall.enable = lib.mkForce true;
- firewall.allowedTCPPorts = [
- 5201
- ];
- firewall.allowedUDPPorts = [
- config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort
- config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort
- ];
-
- nat = {
- enable = true;
- };
+ nat.enable = lib.mkForce false;
+ firewall.enable = lib.mkForce false;

 # Use the nftables firewall instead of the base nixos scripted rules.
 # This flake provides a similar utility to the base nixos scripting.
@@ -173,9 +163,36 @@
 zones.wan = {
 interfaces = ["eth0"];
 };
- zones.vpns = {
+
+ zones.vpn = {
 interfaces = ["wg0" "wg1"];
 };
+
+ rules = {
+ to-fw = {
+ from = "all";
+ to = ["fw"];
+ verdict = "drop";
+
+ allowedTCPPorts = [
+ 22
+ 5201
+ ];
+ allowedUDPPorts = [
+ 22
+ 5201
+ config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort
+ config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort
+ ];
+ };
+
+ vpn-to-wan-nat = {
+ from = ["vpn"];
+ to = ["wan"];
+ masquerade = true;
+ verdict = "accept";
+ };
+ };
 };
 };
 };
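Review bot: Two single-nexthop `MultiPathRoute=` entries for the same `Destination = "185.143.101.42/32"`, one in "50-wg0" (hunk at -676) and one in "50-wg1" (hunk at -683), do not merge into one ECMP route; each .network file asks networkd for its own route to the same prefix, and as far as I can tell the second either replaces the first or fails with EEXIST, so only one tunnel ever carries the traffic. To spread flows over both ISPs, declare the route once with both nexthops, e.g. `MultiPathRoute = ["10.0.0.0 1" "10.0.0.2 1"];` in a single [Route] section (the NixOS module emits repeated keys for list values). The same pattern is used on router0-nfmnk for 192.168.0.0/16 in the hunks at -252 and -259, where it matters more because the return path for the whole LAN depends on it. With the exit router masquerading, per-flow (not per-packet) multipath hashing is required so a flow's replies come back through the tunnel whose NAT state exists; worth a comment once the route is fixed.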
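Review bot: The two `lib.mkForce false` lines in the hunk at -146 are unexplained; `false` is already the module default for both options, so the force implies another imported module sets `networking.nat.enable`/`networking.firewall.enable` to true, and a reader cannot tell which one or why it is safe to drop its filtering. A comment naming the override target would help, e.g. `# mkForce: <module that enables the scripted firewall/NAT — name it> is overridden; all INPUT filtering and NAT live in the nftables firewall below`. The preceding `# these will be configured via nftables` now sits above lines that disable things rather than the port lists it used to describe, so it reads oddly and could move down to the nftables block.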
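Review bot: `allowedUDPPorts` in the new `to-fw` rule (hunk at -173) lists `22`, but SSH is TCP-only, so this entry opens an unused UDP port and looks like a copy of the TCP list. Because `from = "all"`, TCP 22 and 5201 (iperf) are reachable from `wan`, `vpn` and every other zone alike; if iperf exists to test the tunnels, scope it with a dedicated rule such as `vpn-to-fw = { from = ["vpn"]; to = ["fw"]; verdict = "drop"; allowedTCPPorts = [5201]; allowedUDPPorts = [5201]; };` and leave only the two WireGuard ListenPorts (and SSH, if intended) open towards wan. The zone rename `zones.vpns` → `zones.vpn` lines up with `vpn.interfaces` in the router0-dmz0 file, so that part is consistent.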
@@ -214,6 +231,7 @@
 wireguardPeerConfig = {
 AllowedIPs = [
 "10.0.0.1/32"
+ "192.168.0.0/16"
 ];
 PersistentKeepalive = 15;
 PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path;
@@ -238,6 +256,7 @@
 wireguardPeerConfig = {
 AllowedIPs = [
 "10.0.0.3/31"
+ "192.168.0.0/16"
 ];
 PersistentKeepalive = 15;
 PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path;
@@ -252,6 +271,15 @@
 address = [
 "10.0.0.0/31"
 ];
+
+ routes = [
+ {
+ routeConfig = {
+ Destination = "192.168.0.0/16";
+ MultiPathRoute = "10.0.0.1 1";
+ };
+ }
+ ];
 };
 systemd.network.networks.wg1 = {
 enable = true;
@@ -259,6 +287,15 @@
 address = [
 "10.0.0.2/31"
 ];
+
+ routes = [
+ {
+ routeConfig = {
+ Destination = "192.168.0.0/16";
+ MultiPathRoute = "10.0.0.3 1";
+ };
+ }
+ ];
 };

 environment.systemPackages = [
diff --git a/nix/os/devices/sj-bm-hostkey0/configuration.nix b/nix/os/devices/sj-bm-hostkey0/configuration.nix
index fd11bc0..37e1468 100644
--- a/nix/os/devices/sj-bm-hostkey0/configuration.nix
+++ b/nix/os/devices/sj-bm-hostkey0/configuration.nix
@@ -120,6 +120,13 @@ in {
 # No local firewall.
 nat.enable = true;
 firewall.enable = false;
+
+ firewall.allowedTCPPorts = [
+ 5201
+ ];
+ firewall.allowedUDPPorts = [
+ 5201
+ ];
 };

 disko.devices = let
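Review bot: The wg1 peer in the hunk at -238 gets `192.168.0.0/16` added next to the existing `10.0.0.3/31`, and that /31 covers 10.0.0.2–10.0.0.3, i.e. it also includes this host's own wg1 address 10.0.0.2 (hunk at -259), whereas the wg0 peer uses a host entry `10.0.0.1/32`; presumably `10.0.0.3/32` was intended and the /31 is a typo carried over from the address lines. Worth fixing in the same fixup since the peer entry is being touched anyway, and a short comment would make the intent of the second entry explicit, e.g. `# LAN behind router0-dmz0; accepted as source from this peer and routed back via [Route]`.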
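Review bot: `firewall.allowedTCPPorts` and `firewall.allowedUDPPorts` in the hunk at -120 have no effect while `firewall.enable = false` two lines above, and the comment `# No local firewall.` says as much, so on this host the new lines are dead configuration that contradicts the comment. Either enable the firewall so the allow-lists mean something (`firewall.enable = true;`, which also re-checks what else this host exposes), or drop the two lists and note where 5201 is actually permitted. If the intent is that iperf on 5201 is reachable from anywhere because nothing filters here, replace the lists with a comment saying so rather than leaving options that look like a restriction.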