WIP: use two wg interfaces on both routers and route traffic via distinct ISPs
This commit is contained in:
parent
cdf973208f
commit
645371aca3
3 changed files with 164 additions and 46 deletions
|
@ -147,8 +147,12 @@
|
|||
|
||||
# these will be configured via nftables
|
||||
firewall.enable = lib.mkForce true;
|
||||
firewall.allowedTCPPorts = [
|
||||
5201
|
||||
];
|
||||
firewall.allowedUDPPorts = [
|
||||
config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort
|
||||
config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort
|
||||
];
|
||||
|
||||
nat = {
|
||||
|
@ -170,7 +174,7 @@
|
|||
interfaces = ["eth0"];
|
||||
};
|
||||
zones.vpns = {
|
||||
interfaces = ["wg0"];
|
||||
interfaces = ["wg0" "wg1"];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -184,7 +188,11 @@
|
|||
mode = "440";
|
||||
group = "systemd-network";
|
||||
};
|
||||
sops.secrets.wg0-peer1-psk = {
|
||||
sops.secrets.wg1-privatekey = {
|
||||
mode = "440";
|
||||
group = "systemd-network";
|
||||
};
|
||||
sops.secrets.wg1-peer0-psk = {
|
||||
mode = "440";
|
||||
group = "systemd-network";
|
||||
};
|
||||
|
@ -212,14 +220,27 @@
|
|||
PublicKey = "hsjIenUFV/FBqplIKxSL/Zn2zDAfojlIKHMxPA6RC04=";
|
||||
};
|
||||
}
|
||||
|
||||
];
|
||||
};
|
||||
systemd.network.netdevs.wg1 = {
|
||||
enable = true;
|
||||
netdevConfig = {
|
||||
Name = "wg1";
|
||||
Kind = "wireguard";
|
||||
};
|
||||
wireguardConfig = {
|
||||
ListenPort = 51821;
|
||||
# PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=
|
||||
PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path;
|
||||
};
|
||||
wireguardPeers = [
|
||||
{
|
||||
wireguardPeerConfig = {
|
||||
AllowedIPs = [
|
||||
"10.0.0.2/32"
|
||||
"10.0.0.3/31"
|
||||
];
|
||||
PersistentKeepalive = 15;
|
||||
PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer1-psk.path;
|
||||
PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path;
|
||||
PublicKey = "Ha5hsarCRO8LX9SrkopUeP14ebLdFgxXUC0ezrobax4=";
|
||||
};
|
||||
}
|
||||
|
@ -229,13 +250,24 @@
|
|||
enable = true;
|
||||
matchConfig.Name = "wg0";
|
||||
address = [
|
||||
"10.0.0.254/24"
|
||||
"10.0.0.0/31"
|
||||
];
|
||||
};
|
||||
systemd.network.networks.wg1 = {
|
||||
enable = true;
|
||||
matchConfig.Name = "wg1";
|
||||
address = [
|
||||
"10.0.0.2/31"
|
||||
];
|
||||
};
|
||||
|
||||
environment.systemPackages = [
|
||||
pkgs.ethtool
|
||||
pkgs.neovim
|
||||
pkgs.tmux
|
||||
|
||||
pkgs.wireguard-tools
|
||||
pkgs.tshark
|
||||
|
||||
(pkgs.writeShellScriptBin "dbg-ip" ''
|
||||
echo links:
|
||||
|
|
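Review bot: In the `@ -212,14 +220,27 @@` hunk the wg1 peer's AllowedIPs entry `"10.0.0.2/32"` is the address this router assigns to its own wg1 interface in the `@ -229,13 +250,24 @@` hunk (`"10.0.0.2/31"`), and `"10.0.0.3/31"` has host bits set, so after prefix normalization it is the same 10.0.0.2/31 and again covers the local address. AllowedIPs is both the cryptokey routing table and the per-peer inbound source filter, so an entry covering the local side is at best dead and at worst accepts packets from that peer carrying the router's own source address; if the remote end of the wg1 /31 is 10.0.0.3, the list should read `AllowedIPs = [ "10.0.0.3/32" ];` plus whatever prefixes are meant to be routed over that ISP link. The wg0 peer's AllowedIPs are outside the visible hunks and deserve the same check against the new `"10.0.0.0/31"` address. Given the WIP title this may be scaffolding, but a one-line comment above each peer stating which end of its /31 this router occupies would make the lists easy to verify on both routers.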