fixup! WIP: use two wg interfaces on both routers and route traffic via distinct ISPs

2024-06-01 10:55:40 +02:00 · 2024-06-01 10:55:40 +02:00 · 60fac3acbb
commit 60fac3acbb
parent c04dab34c4
3 changed files with 96 additions and 16 deletions
--- a/nix/os/devices/router0-nfmnk/configuration.nix
+++ b/nix/os/devices/router0-nfmnk/configuration.nix
@ -146,18 +146,8 @@
    usePredictableInterfaceNames = false;

    # these will be configured via nftables
-    firewall.enable = lib.mkForce true;
-    firewall.allowedTCPPorts = [
-      5201
-    ];
-    firewall.allowedUDPPorts = [
-      config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort
-      config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort
-    ];
-
-    nat = {
-      enable = true;
-    };
+    nat.enable = lib.mkForce false;
+    firewall.enable = lib.mkForce false;

    # Use the nftables firewall instead of the base nixos scripted rules.
    # This flake provides a similar utility to the base nixos scripting.
@ -173,9 +163,36 @@
        zones.wan = {
          interfaces = ["eth0"];
        };
-        zones.vpns = {
+
+        zones.vpn = {
          interfaces = ["wg0" "wg1"];
        };
+
+        rules = {
+          to-fw = {
+            from = "all";
+            to = ["fw"];
+            verdict = "drop";
+
+            allowedTCPPorts = [
+              22
+              5201
+            ];
+            allowedUDPPorts = [
+              22
+              5201
+              config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort
+              config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort
+            ];
+          };
+
+          vpn-to-wan-nat = {
+            from = ["vpn"];
+            to = ["wan"];
+            masquerade = true;
+            verdict = "accept";
+          };
+        };
      };
    };
  };
@ -214,6 +231,7 @@
        wireguardPeerConfig = {
          AllowedIPs = [
            "10.0.0.1/32"
+            "192.168.0.0/16"
          ];
          PersistentKeepalive = 15;
          PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path;
@ -238,6 +256,7 @@
        wireguardPeerConfig = {
          AllowedIPs = [
            "10.0.0.3/31"
+            "192.168.0.0/16"
          ];
          PersistentKeepalive = 15;
          PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path;
@ -252,6 +271,15 @@
    address = [
      "10.0.0.0/31"
    ];
+
+    routes = [
+      {
+        routeConfig = {
+          Destination = "192.168.0.0/16";
+          MultiPathRoute = "10.0.0.1 1";
+        };
+      }
+    ];
  };
  systemd.network.networks.wg1 = {
    enable = true;
@ -259,6 +287,15 @@
    address = [
      "10.0.0.2/31"
    ];
+
+    routes = [
+      {
+        routeConfig = {
+          Destination = "192.168.0.0/16";
+          MultiPathRoute = "10.0.0.3 1";
+        };
+      }
+    ];
  };

  environment.systemPackages = [