WIP: use two wg interfaces on both routers and route traffic via distinct ISPs

2024-05-26 22:32:38 +02:00 · 2024-05-26 22:32:38 +02:00 · 645371aca3
commit 645371aca3
parent cdf973208f
3 changed files with 164 additions and 46 deletions
--- a/nix/os/devices/router0-dmz0/configuration.nix
+++ b/nix/os/devices/router0-dmz0/configuration.nix
@ -211,7 +211,7 @@ in {
            vlan.interfaces = builtins.map (vlanid: (mkInterfaceName {inherit vlanid;})) vlanRange;
            # lan.ipv4Addresses = ["192.168.0.0/16"];
            wan.interfaces = ["wan" "lan0"];
-            wg.interfaces = ["wg0"];
+            wg.interfaces = ["wg0" "wg1"];
          }
          //
          # generate a zone for each vlan
@ -363,7 +363,7 @@ in {
  systemd.network = {
    wait-online.anyInterface = true;
    netdevs = let
-      router0-nmfk_wgEndpoint = "${repoFlake.colmena.router0-nfmnk.deployment.targetHost}:${
+      router0-nmfk_wg0Endpoint = "${repoFlake.colmena.router0-nfmnk.deployment.targetHost}:${
        builtins.toString
        repoFlake
        .nixosConfigurations
@ -376,6 +376,20 @@ in {
        .wireguardConfig
        .ListenPort
      }";
+
+      router0-nmfk_wg1Endpoint = "${repoFlake.colmena.router0-nfmnk.deployment.targetHost}:${
+        builtins.toString
+        repoFlake
+        .nixosConfigurations
+        .router0-nfmnk
+        .config
+        .systemd
+        .network
+        .netdevs
+        .wg1
+        .wireguardConfig
+        .ListenPort
+      }";
    in
      {
        # Create the bridge interface
@ -402,45 +416,47 @@ in {
          };
          wireguardConfig = {
            PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path;
+            FirewallMark = 100;
          };
          wireguardPeers = [
            {
              wireguardPeerConfig = {
                AllowedIPs = [
-                  "10.0.0.254/32"
+                  "10.0.0.0/32"
                ];
                PersistentKeepalive = 15;
                PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path;
                PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=";
-                Endpoint = router0-nmfk_wgEndpoint;
+                Endpoint = router0-nmfk_wg0Endpoint;
              };
            }
          ];
        };

-        # wg1 = {
-        #   enable = true;
-        #   netdevConfig = {
-        #     Name = "wg1";
-        #     Kind = "wireguard";
-        #   };
-        #   wireguardConfig = {
-        #     PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path;
-        #   };
-        #   wireguardPeers = [
-        #     {
-        #       wireguardPeerConfig = {
-        #         AllowedIPs = [
-        #           "10.0.0.254/32"
-        #         ];
-        #         PersistentKeepalive = 15;
-        #         PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path;
-        #         PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=";
-        #         Endpoint = "${router0-nmfk_variables.ipv4}:51820";
-        #       };
-        #     }
-        #   ];
-        # };
+        wg1 = {
+          enable = true;
+          netdevConfig = {
+            Name = "wg1";
+            Kind = "wireguard";
+          };
+          wireguardConfig = {
+            PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path;
+            FirewallMark = 101;
+          };
+          wireguardPeers = [
+            {
+              wireguardPeerConfig = {
+                AllowedIPs = [
+                  "10.0.0.2/32"
+                ];
+                PersistentKeepalive = 15;
+                PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path;
+                PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=";
+                Endpoint = router0-nmfk_wg1Endpoint;
+              };
+            }
+          ];
+        };
      }
      # generate the vlan devices. these will be tagged on the main bridge
      // builtins.foldl'
@ -471,6 +487,48 @@ in {
      );
    networks =
      {
+        # places options here that should always exist
+        "lo" = {
+          matchConfig.Name = "lo";
+
+          # these are roughly equivalent to:
+          # ip rule add fwmark 100 priority 0 table 100
+          # ip rule add fwmark 100 priority 1 prohibit
+          # ip rule add fwmark 101 priority 0 table 101
+          # ip rule add fwmark 101 priority 1 prohibit
+          routingPolicyRules = [
+            {
+              routingPolicyRuleConfig = {
+                FirewallMark = 101;
+                Priority = 30000;
+                Table = 101;
+              };
+            }
+            {
+              routingPolicyRuleConfig = {
+                FirewallMark = 101;
+                Priority = 30001;
+                Table = 101;
+                Type = "prohibit";
+              };
+            }
+            {
+              routingPolicyRuleConfig = {
+                FirewallMark = 100;
+                Priority = 30000;
+                Table = 100;
+              };
+            }
+            {
+              routingPolicyRuleConfig = {
+                FirewallMark = 100;
+                Priority = 30001;
+                Table = 100;
+                Type = "prohibit";
+              };
+            }
+          ];
+        };
        # use lan0 as secondary WAN interface
        "10-lan0-wan" = {
          matchConfig.Name = "lan0";
@ -484,8 +542,18 @@ in {
            IPv6PrivacyExtensions = false;
            IPForward = true;
          };
-          # Don't wait for it as it also would wait for wlan and DFS which takes around 5 min
          linkConfig.RequiredForOnline = "no";
+
+          # similar to
+          # ip route add default via 172.16.0.1 table 101
+          routes = [
+            {
+              routeConfig = {
+                Gateway = "_dhcp4";
+                Table = 101;
+              };
+            }
+          ];
        };
        "10-wan" = {
          matchConfig.Name = "wan";
@ -500,7 +568,19 @@ in {
            IPForward = true;
          };
          # make routing on this interface a dependency for network-online.target
-          linkConfig.RequiredForOnline = "routable";
+          # linkConfig.RequiredForOnline = "routable";
+          linkConfig.RequiredForOnline = "no";
+
+          # similar to
+          # ip route add default via 192.168.0.1 table 100
+          routes = [
+            {
+              routeConfig = {
+                Gateway = "_dhcp4";
+                Table = 100;
+              };
+            }
+          ];
        };

        # Connect the bridge ports to the bridge
@ -594,16 +674,16 @@ in {
          enable = true;
          matchConfig.Name = "wg0";
          address = [
-            "10.0.0.1/24"
+            "10.0.0.1/31"
+          ];
+        };
+        "50-wg1" = {
+          enable = true;
+          matchConfig.Name = "wg1";
+          address = [
+            "10.0.0.3/31"
          ];
        };
-        # "50-wg1" = {
-        #   enable = true;
-        #   matchConfig.Name = "wg1";
-        #   address = [
-        #     "10.0.0.2/24"
-        #   ];
-        # };
      }
      # configuration for the hostapd dynamic interfaces
      # * netdev type vlan
@ -1138,6 +1218,10 @@ in {
    pkgs.ethtool
    pkgs.neovim

+    pkgs.wireguard-tools
+    pkgs.tshark
+    pkgs.tmux
+
    (pkgs.writeShellScriptBin "dbg-ip" ''
      echo links:
      ip -br -c l
--- a/nix/os/devices/router0-nfmnk/configuration.nix
+++ b/nix/os/devices/router0-nfmnk/configuration.nix
@ -147,8 +147,12 @@

    # these will be configured via nftables
    firewall.enable = lib.mkForce true;
+    firewall.allowedTCPPorts = [
+      5201
+    ];
    firewall.allowedUDPPorts = [
      config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort
+      config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort
    ];

    nat = {
@ -170,7 +174,7 @@
          interfaces = ["eth0"];
        };
        zones.vpns = {
-          interfaces = ["wg0"];
+          interfaces = ["wg0" "wg1"];
        };
      };
    };
@ -184,7 +188,11 @@
    mode = "440";
    group = "systemd-network";
  };
-  sops.secrets.wg0-peer1-psk = {
+  sops.secrets.wg1-privatekey = {
+    mode = "440";
+    group = "systemd-network";
+  };
+  sops.secrets.wg1-peer0-psk = {
    mode = "440";
    group = "systemd-network";
  };
@ -212,14 +220,27 @@
          PublicKey = "hsjIenUFV/FBqplIKxSL/Zn2zDAfojlIKHMxPA6RC04=";
        };
      }
-
+    ];
+  };
+  systemd.network.netdevs.wg1 = {
+    enable = true;
+    netdevConfig = {
+      Name = "wg1";
+      Kind = "wireguard";
+    };
+    wireguardConfig = {
+      ListenPort = 51821;
+      # PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=
+      PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path;
+    };
+    wireguardPeers = [
      {
        wireguardPeerConfig = {
          AllowedIPs = [
-            "10.0.0.2/32"
+            "10.0.0.3/31"
          ];
          PersistentKeepalive = 15;
-          PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer1-psk.path;
+          PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path;
          PublicKey = "Ha5hsarCRO8LX9SrkopUeP14ebLdFgxXUC0ezrobax4=";
        };
      }
@ -229,13 +250,24 @@
    enable = true;
    matchConfig.Name = "wg0";
    address = [
-      "10.0.0.254/24"
+      "10.0.0.0/31"
+    ];
+  };
+  systemd.network.networks.wg1 = {
+    enable = true;
+    matchConfig.Name = "wg1";
+    address = [
+      "10.0.0.2/31"
    ];
  };

  environment.systemPackages = [
    pkgs.ethtool
    pkgs.neovim
+    pkgs.tmux
+
+    pkgs.wireguard-tools
+    pkgs.tshark

    (pkgs.writeShellScriptBin "dbg-ip" ''
      echo links: