steveej/infra
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions

fixup! WIP: use two wg interfaces on both routers and route traffic via distinct ISPs

Browse source
This commit is contained in:
steveej 2024-06-01 10:55:40 +02:00
parent c04dab34c4
commit 60fac3acbb
3 changed files with 96 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

42
nix/os/devices/router0-dmz0/configuration.nix
View file

@ -211,7 +211,7 @@ in {
vlan.interfaces = builtins.map (vlanid: (mkInterfaceName {inherit vlanid;})) vlanRange;
# lan.ipv4Addresses = ["192.168.0.0/16"];
wan.interfaces = ["wan" "lan0"];
wg.interfaces = ["wg0" "wg1"];
vpn.interfaces = ["wg0" "wg1"];
}
//
# generate a zone for each vlan
@ -338,6 +338,13 @@ in {
"drop"
];
};
to-vpn-nat = {
from = ["lan" "vlan"];
to = ["vpn"];
masquerade = false;
verdict = "accept";
};
};
};
};
@ -422,7 +429,18 @@ in {
{
wireguardPeerConfig = {
AllowedIPs = [
"10.0.0.0/32"
# this allows all traffic to be routed through this interface
"0.0.0.0/0"
# # alternatively, specific destinations could be allowed
# # remote peer wg addr
# "10.0.0.0/32"
# "1.1.1.1/32"
# # ifconfig.co.
# "172.67.168.106"
# "104.21.54.91"
];
PersistentKeepalive = 15;
PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path;
@ -447,7 +465,8 @@ in {
{
wireguardPeerConfig = {
AllowedIPs = [
"10.0.0.2/32"
# this allows all traffic to be routed through this interface
"0.0.0.0/0"
];
PersistentKeepalive = 15;
PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path;
@ -676,6 +695,15 @@ in {
address = [
"10.0.0.1/31"
];
routes = [
{
routeConfig = {
Destination = "185.143.101.42/32";
MultiPathRoute = "10.0.0.0 1";
};
}
];
};
"50-wg1" = {
enable = true;
@ -683,6 +711,14 @@ in {
address = [
"10.0.0.3/31"
];
routes = [
{
routeConfig = {
Destination = "185.143.101.42/32";
MultiPathRoute = "10.0.0.2 1";
};
}
];
};
}
# configuration for the hostapd dynamic interfaces