fixup! WIP: use two wg interfaces on both routers and route traffic via distinct ISPs

This commit is contained in:
steveej 2024-06-01 10:55:40 +02:00
parent c04dab34c4
commit 60fac3acbb
3 changed files with 96 additions and 16 deletions


@ -211,7 +211,7 @@ in {
vlan.interfaces = builtins.map (vlanid: (mkInterfaceName {inherit vlanid;})) vlanRange; vlan.interfaces = builtins.map (vlanid: (mkInterfaceName {inherit vlanid;})) vlanRange;
# lan.ipv4Addresses = ["192.168.0.0/16"]; # lan.ipv4Addresses = ["192.168.0.0/16"];
wan.interfaces = ["wan" "lan0"]; wan.interfaces = ["wan" "lan0"];
wg.interfaces = ["wg0" "wg1"]; vpn.interfaces = ["wg0" "wg1"];
} }
// //
# generate a zone for each vlan # generate a zone for each vlan
@ -338,6 +338,13 @@ in {
"drop" "drop"
]; ];
}; };
to-vpn-nat = {
from = ["lan" "vlan"];
to = ["vpn"];
masquerade = false;
verdict = "accept";
};
}; };
}; };
}; };
@ -422,7 +429,18 @@ in {
{ {
wireguardPeerConfig = { wireguardPeerConfig = {
AllowedIPs = [ AllowedIPs = [
"10.0.0.0/32" # this allows all traffic to be routed through this interface
"0.0.0.0/0"
# # alternatively, specific destinations could be allowed
# # remote peer wg addr
# "10.0.0.0/32"
# "1.1.1.1/32"
# # ifconfig.co.
# "172.67.168.106"
# "104.21.54.91"
]; ];
PersistentKeepalive = 15; PersistentKeepalive = 15;
PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path; PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path;
@ -447,7 +465,8 @@ in {
{ {
wireguardPeerConfig = { wireguardPeerConfig = {
AllowedIPs = [ AllowedIPs = [
"10.0.0.2/32" # this allows all traffic to be routed through this interface
"0.0.0.0/0"
]; ];
PersistentKeepalive = 15; PersistentKeepalive = 15;
PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path; PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path;
@ -676,6 +695,15 @@ in {
address = [ address = [
"10.0.0.1/31" "10.0.0.1/31"
]; ];
routes = [
{
routeConfig = {
Destination = "185.143.101.42/32";
MultiPathRoute = "10.0.0.0 1";
};
}
];
}; };
"50-wg1" = { "50-wg1" = {
enable = true; enable = true;
@ -683,6 +711,14 @@ in {
address = [ address = [
"10.0.0.3/31" "10.0.0.3/31"
]; ];
routes = [
{
routeConfig = {
Destination = "185.143.101.42/32";
MultiPathRoute = "10.0.0.2 1";
};
}
];
}; };
} }
# configuration for the hostapd dynamic interfaces # configuration for the hostapd dynamic interfaces
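Review bot: The `routes` added under "50-wg0" and "50-wg1" each install a separate `185.143.101.42/32` route carrying a single `MultiPathRoute=` nexthop, which gives two competing routes to the same destination rather than one ECMP route; for genuine multipath both nexthops belong in one `[Route]` section, e.g. in "50-wg0" alone `MultiPathRoute = ["10.0.0.0 1" "10.0.0.2 1"];` (assuming the module repeats the key for a list value) with the route removed from "50-wg1". Whether networkd replaces or rejects the second single-nexthop route is something I would confirm with `ip route show 185.143.101.42` rather than assume, and the bare address literal deserves a comment naming what it is. Separately, `AllowedIPs = ["0.0.0.0/0"]` on both peers means the cryptokey routing accepts any source address arriving from either remote, so anti-spoofing for the vpn zone rests entirely on the nftables rules; if that is intended, a line such as `# remote peer is trusted for all source addresses; vpn->lan must be policed by zone rules` next to each peer block would make it explicit. The attribute sets these hunks modify begin and end outside the visible section.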


@ -146,18 +146,8 @@
usePredictableInterfaceNames = false; usePredictableInterfaceNames = false;
# these will be configured via nftables # these will be configured via nftables
firewall.enable = lib.mkForce true; nat.enable = lib.mkForce false;
firewall.allowedTCPPorts = [ firewall.enable = lib.mkForce false;
5201
];
firewall.allowedUDPPorts = [
config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort
config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort
];
nat = {
enable = true;
};
# Use the nftables firewall instead of the base nixos scripted rules. # Use the nftables firewall instead of the base nixos scripted rules.
# This flake provides a similar utility to the base nixos scripting. # This flake provides a similar utility to the base nixos scripting.
@ -173,9 +163,36 @@
zones.wan = { zones.wan = {
interfaces = ["eth0"]; interfaces = ["eth0"];
}; };
zones.vpns = {
zones.vpn = {
interfaces = ["wg0" "wg1"]; interfaces = ["wg0" "wg1"];
}; };
rules = {
to-fw = {
from = "all";
to = ["fw"];
verdict = "drop";
allowedTCPPorts = [
22
5201
];
allowedUDPPorts = [
22
5201
config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort
config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort
];
};
vpn-to-wan-nat = {
from = ["vpn"];
to = ["wan"];
masquerade = true;
verdict = "accept";
};
};
}; };
}; };
}; };
@ -214,6 +231,7 @@
wireguardPeerConfig = { wireguardPeerConfig = {
AllowedIPs = [ AllowedIPs = [
"10.0.0.1/32" "10.0.0.1/32"
"192.168.0.0/16"
]; ];
PersistentKeepalive = 15; PersistentKeepalive = 15;
PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path; PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path;
@ -238,6 +256,7 @@
wireguardPeerConfig = { wireguardPeerConfig = {
AllowedIPs = [ AllowedIPs = [
"10.0.0.3/31" "10.0.0.3/31"
"192.168.0.0/16"
]; ];
PersistentKeepalive = 15; PersistentKeepalive = 15;
PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path; PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path;
@ -252,6 +271,15 @@
address = [ address = [
"10.0.0.0/31" "10.0.0.0/31"
]; ];
routes = [
{
routeConfig = {
Destination = "192.168.0.0/16";
MultiPathRoute = "10.0.0.1 1";
};
}
];
}; };
systemd.network.networks.wg1 = { systemd.network.networks.wg1 = {
enable = true; enable = true;
@ -259,6 +287,15 @@
address = [ address = [
"10.0.0.2/31" "10.0.0.2/31"
]; ];
routes = [
{
routeConfig = {
Destination = "192.168.0.0/16";
MultiPathRoute = "10.0.0.3 1";
};
}
];
}; };
environment.systemPackages = [ environment.systemPackages = [
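Review bot: The new `to-fw` rule applies `from = "all"`, which includes the `wan` zone on `eth0`, yet it admits iperf3 (5201, TCP and UDP) and UDP 22; SSH is TCP only, so the UDP entry is dead, and an unauthenticated iperf3 listener reachable from the public interface is hard to justify beyond a test. I would keep only 22/tcp and the two WireGuard listen ports in the all-zones rule and move 5201 into a rule scoped to the vpn zone (presumably the flake evaluates a more specific `from` alongside the general one; verify the ordering it produces). Separately, the wg1 peer's `AllowedIPs` of `10.0.0.3/31` also covers this host's own 10.0.0.2 where wg0 uses `10.0.0.1/32`; that looks like a typo for `10.0.0.3/32`. The enclosing networking attribute set starts outside this section.
```nix
to-fw = {
  from = "all";
  to = ["fw"];
  verdict = "drop";
  allowedTCPPorts = [ 22 ];
  allowedUDPPorts = [
    config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort
    config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort
  ];
};
# iperf3 is a test tool; only reachable over the tunnels, never from wan
vpn-to-fw = {
  from = ["vpn"];
  to = ["fw"];
  verdict = "drop";
  allowedTCPPorts = [ 5201 ];
  allowedUDPPorts = [ 5201 ];
};
# … unchanged: vpn-to-wan-nat …
```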


@ -120,6 +120,13 @@ in {
# No local firewall. # No local firewall.
nat.enable = true; nat.enable = true;
firewall.enable = false; firewall.enable = false;
firewall.allowedTCPPorts = [
5201
];
firewall.allowedUDPPorts = [
5201
];
}; };
disko.devices = let disko.devices = let