steveej/infra
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions

WIP: use two wg interfaces on both routers and route traffic via distinct ISPs

Browse source
This commit is contained in:
steveej 2024-05-26 22:32:38 +02:00
parent cdf973208f
commit 645371aca3
3 changed files with 164 additions and 46 deletions
Download patch file Download diff file Expand all files Collapse all files

158
nix/os/devices/router0-dmz0/configuration.nix
View file

@ -211,7 +211,7 @@ in {
vlan.interfaces = builtins.map (vlanid: (mkInterfaceName {inherit vlanid;})) vlanRange; vlan.interfaces = builtins.map (vlanid: (mkInterfaceName {inherit vlanid;})) vlanRange;
# lan.ipv4Addresses = ["192.168.0.0/16"]; # lan.ipv4Addresses = ["192.168.0.0/16"];
wan.interfaces = ["wan" "lan0"]; wan.interfaces = ["wan" "lan0"];
wg.interfaces = ["wg0"]; wg.interfaces = ["wg0" "wg1"];
} }
// //
# generate a zone for each vlan # generate a zone for each vlan
@ -363,7 +363,7 @@ in {
systemd.network = { systemd.network = {
wait-online.anyInterface = true; wait-online.anyInterface = true;
netdevs = let netdevs = let
router0-nmfk_wgEndpoint = "${repoFlake.colmena.router0-nfmnk.deployment.targetHost}:${ router0-nmfk_wg0Endpoint = "${repoFlake.colmena.router0-nfmnk.deployment.targetHost}:${
builtins.toString builtins.toString
repoFlake repoFlake
.nixosConfigurations .nixosConfigurations
@ -376,6 +376,20 @@ in {
.wireguardConfig .wireguardConfig
.ListenPort .ListenPort
}"; }";
router0-nmfk_wg1Endpoint = "${repoFlake.colmena.router0-nfmnk.deployment.targetHost}:${
builtins.toString
repoFlake
.nixosConfigurations
.router0-nfmnk
.config
.systemd
.network
.netdevs
.wg1
.wireguardConfig
.ListenPort
}";
in in
{ {
# Create the bridge interface # Create the bridge interface
@ -402,45 +416,47 @@ in {
}; };
wireguardConfig = { wireguardConfig = {
PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path; PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path;
FirewallMark = 100;
}; };
wireguardPeers = [ wireguardPeers = [
{ {
wireguardPeerConfig = { wireguardPeerConfig = {
AllowedIPs = [ AllowedIPs = [
"10.0.0.254/32" "10.0.0.0/32"
]; ];
PersistentKeepalive = 15; PersistentKeepalive = 15;
PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path; PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path;
PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM="; PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=";
Endpoint = router0-nmfk_wgEndpoint; Endpoint = router0-nmfk_wg0Endpoint;
}; };
} }
]; ];
}; };
# wg1 = { wg1 = {
# enable = true; enable = true;
# netdevConfig = { netdevConfig = {
# Name = "wg1"; Name = "wg1";
# Kind = "wireguard"; Kind = "wireguard";
# }; };
# wireguardConfig = { wireguardConfig = {
# PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path; PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path;
# }; FirewallMark = 101;
# wireguardPeers = [ };
# { wireguardPeers = [
# wireguardPeerConfig = { {
# AllowedIPs = [ wireguardPeerConfig = {
# "10.0.0.254/32" AllowedIPs = [
# ]; "10.0.0.2/32"
# PersistentKeepalive = 15; ];
# PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path; PersistentKeepalive = 15;
# PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM="; PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path;
# Endpoint = "${router0-nmfk_variables.ipv4}:51820"; PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=";
# }; Endpoint = router0-nmfk_wg1Endpoint;
# } };
# ]; }
# }; ];
};
} }
# generate the vlan devices. these will be tagged on the main bridge # generate the vlan devices. these will be tagged on the main bridge
// builtins.foldl' // builtins.foldl'
@ -471,6 +487,48 @@ in {
); );
networks = networks =
{ {
# places options here that should always exist
"lo" = {
matchConfig.Name = "lo";
# these are roughly equivalent to:
# ip rule add fwmark 100 priority 0 table 100
# ip rule add fwmark 100 priority 1 prohibit
# ip rule add fwmark 101 priority 0 table 101
# ip rule add fwmark 101 priority 1 prohibit
routingPolicyRules = [
{
routingPolicyRuleConfig = {
FirewallMark = 101;
Priority = 30000;
Table = 101;
};
}
{
routingPolicyRuleConfig = {
FirewallMark = 101;
Priority = 30001;
Table = 101;
Type = "prohibit";
};
}
{
routingPolicyRuleConfig = {
FirewallMark = 100;
Priority = 30000;
Table = 100;
};
}
{
routingPolicyRuleConfig = {
FirewallMark = 100;
Priority = 30001;
Table = 100;
Type = "prohibit";
};
}
];
};
# use lan0 as secondary WAN interface # use lan0 as secondary WAN interface
"10-lan0-wan" = { "10-lan0-wan" = {
matchConfig.Name = "lan0"; matchConfig.Name = "lan0";
@ -484,8 +542,18 @@ in {
IPv6PrivacyExtensions = false; IPv6PrivacyExtensions = false;
IPForward = true; IPForward = true;
}; };
# Don't wait for it as it also would wait for wlan and DFS which takes around 5 min
linkConfig.RequiredForOnline = "no"; linkConfig.RequiredForOnline = "no";
# similar to
# ip route add default via 172.16.0.1 table 101
routes = [
{
routeConfig = {
Gateway = "_dhcp4";
Table = 101;
};
}
];
}; };
"10-wan" = { "10-wan" = {
matchConfig.Name = "wan"; matchConfig.Name = "wan";
@ -500,7 +568,19 @@ in {
IPForward = true; IPForward = true;
}; };
# make routing on this interface a dependency for network-online.target # make routing on this interface a dependency for network-online.target
linkConfig.RequiredForOnline = "routable"; # linkConfig.RequiredForOnline = "routable";
linkConfig.RequiredForOnline = "no";
# similar to
# ip route add default via 192.168.0.1 table 100
routes = [
{
routeConfig = {
Gateway = "_dhcp4";
Table = 100;
};
}
];
}; };
# Connect the bridge ports to the bridge # Connect the bridge ports to the bridge
@ -594,16 +674,16 @@ in {
enable = true; enable = true;
matchConfig.Name = "wg0"; matchConfig.Name = "wg0";
address = [ address = [
"10.0.0.1/24" "10.0.0.1/31"
];
};
"50-wg1" = {
enable = true;
matchConfig.Name = "wg1";
address = [
"10.0.0.3/31"
]; ];
}; };
# "50-wg1" = {
# enable = true;
# matchConfig.Name = "wg1";
# address = [
# "10.0.0.2/24"
# ];
# };
} }
# configuration for the hostapd dynamic interfaces # configuration for the hostapd dynamic interfaces
# * netdev type vlan # * netdev type vlan
@ -1138,6 +1218,10 @@ in {
pkgs.ethtool pkgs.ethtool
pkgs.neovim pkgs.neovim
pkgs.wireguard-tools
pkgs.tshark
pkgs.tmux
(pkgs.writeShellScriptBin "dbg-ip" '' (pkgs.writeShellScriptBin "dbg-ip" ''
echo links: echo links:
ip -br -c l ip -br -c l

44
nix/os/devices/router0-nfmnk/configuration.nix
View file

@ -147,8 +147,12 @@
# these will be configured via nftables # these will be configured via nftables
firewall.enable = lib.mkForce true; firewall.enable = lib.mkForce true;
firewall.allowedTCPPorts = [
5201
];
firewall.allowedUDPPorts = [ firewall.allowedUDPPorts = [
config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort
config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort
]; ];
nat = { nat = {
@ -170,7 +174,7 @@
interfaces = ["eth0"]; interfaces = ["eth0"];
}; };
zones.vpns = { zones.vpns = {
interfaces = ["wg0"]; interfaces = ["wg0" "wg1"];
}; };
}; };
}; };
@ -184,7 +188,11 @@
mode = "440"; mode = "440";
group = "systemd-network"; group = "systemd-network";
}; };
sops.secrets.wg0-peer1-psk = { sops.secrets.wg1-privatekey = {
mode = "440";
group = "systemd-network";
};
sops.secrets.wg1-peer0-psk = {
mode = "440"; mode = "440";
group = "systemd-network"; group = "systemd-network";
}; };
@ -212,14 +220,27 @@
PublicKey = "hsjIenUFV/FBqplIKxSL/Zn2zDAfojlIKHMxPA6RC04="; PublicKey = "hsjIenUFV/FBqplIKxSL/Zn2zDAfojlIKHMxPA6RC04=";
}; };
} }
];
};
systemd.network.netdevs.wg1 = {
enable = true;
netdevConfig = {
Name = "wg1";
Kind = "wireguard";
};
wireguardConfig = {
ListenPort = 51821;
# PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=
PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path;
};
wireguardPeers = [
{ {
wireguardPeerConfig = { wireguardPeerConfig = {
AllowedIPs = [ AllowedIPs = [
"10.0.0.2/32" "10.0.0.3/31"
]; ];
PersistentKeepalive = 15; PersistentKeepalive = 15;
PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer1-psk.path; PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path;
PublicKey = "Ha5hsarCRO8LX9SrkopUeP14ebLdFgxXUC0ezrobax4="; PublicKey = "Ha5hsarCRO8LX9SrkopUeP14ebLdFgxXUC0ezrobax4=";
}; };
} }
@ -229,13 +250,24 @@
enable = true; enable = true;
matchConfig.Name = "wg0"; matchConfig.Name = "wg0";
address = [ address = [
"10.0.0.254/24" "10.0.0.0/31"
];
};
systemd.network.networks.wg1 = {
enable = true;
matchConfig.Name = "wg1";
address = [
"10.0.0.2/31"
]; ];
}; };
environment.systemPackages = [ environment.systemPackages = [
pkgs.ethtool pkgs.ethtool
pkgs.neovim pkgs.neovim
pkgs.tmux
pkgs.wireguard-tools
pkgs.tshark
(pkgs.writeShellScriptBin "dbg-ip" '' (pkgs.writeShellScriptBin "dbg-ip" ''
echo links: echo links:

8
secrets/router0-nfmnk/secrets.yaml
View file

@ -5,7 +5,9 @@ passwords-root: ENC[AES256_GCM,data:ummvEe+5HipUvVEyHLA6NULuWJuPyv2VqlXEZFp/Udyb
wg0-privatekey: ENC[AES256_GCM,data:6BR3zB5oDPu5XyM5pgrdXoYKvwf+rAK7ngDzLcIQZnr4JH2YXH9UWERjVpg=,iv:2Z3yG+fWC4diGANCurCEpA5ybEpMdE1t/rviRJtUE0Q=,tag:4sqnLfAnxQOAci37RCY6jQ==,type:str] wg0-privatekey: ENC[AES256_GCM,data:6BR3zB5oDPu5XyM5pgrdXoYKvwf+rAK7ngDzLcIQZnr4JH2YXH9UWERjVpg=,iv:2Z3yG+fWC4diGANCurCEpA5ybEpMdE1t/rviRJtUE0Q=,tag:4sqnLfAnxQOAci37RCY6jQ==,type:str]
wg0-publickey: ENC[AES256_GCM,data:7QLstpkyVDFU5oxgRdVYdBOZB1tjKMbzxgZtCYp3G1+AO85ir6kNXo8P65U=,iv:XRnPg93nnSR3h+R/K2rh1QYgmdJTE6i17ZomMf0BJ9k=,tag:fhyySGI0y5swGp3ot+q3pA==,type:str] wg0-publickey: ENC[AES256_GCM,data:7QLstpkyVDFU5oxgRdVYdBOZB1tjKMbzxgZtCYp3G1+AO85ir6kNXo8P65U=,iv:XRnPg93nnSR3h+R/K2rh1QYgmdJTE6i17ZomMf0BJ9k=,tag:fhyySGI0y5swGp3ot+q3pA==,type:str]
wg0-peer0-psk: ENC[AES256_GCM,data:p5V/8fFEmozG6nFCpHNcWNdunYlHxnsnW+YjTAIEXlm2ku4yEL45H9t9/Sw=,iv:jDZMhrZIJwaDWm+s6aXVWovdo116q2D5cUyHzMdWCIU=,tag:M5IebfGfeL6VW+OOgtARpA==,type:str] wg0-peer0-psk: ENC[AES256_GCM,data:p5V/8fFEmozG6nFCpHNcWNdunYlHxnsnW+YjTAIEXlm2ku4yEL45H9t9/Sw=,iv:jDZMhrZIJwaDWm+s6aXVWovdo116q2D5cUyHzMdWCIU=,tag:M5IebfGfeL6VW+OOgtARpA==,type:str]
wg0-peer1-psk: ENC[AES256_GCM,data:l8H0bDF2XXq6W5sJCXHUEWqIJu7YvAyqhPaCEK/Dcviv7lnwvKNLxO55i10=,iv:ADAFkWG+cbqvqfwNdaHv7ONqFtWjmAhIf0hRFBW6X6c=,tag:hwsljm8GlcF9NeHHE5WTXg==,type:str] wg1-privatekey: ENC[AES256_GCM,data:dcD5isfYT+diae7tS6OSEQiqEkrpUxw0io8EqaSUaaFxKf2RAqSqxEXkhzU=,iv:HVB+uJG0SwxH3gbSpyZJZnzadVK2MYWvaZ3t7vPXn3E=,tag:/q7hgBA45Hq3446w83ConA==,type:str]
wg1-publickey: ENC[AES256_GCM,data:08fRjmGysmgGwXgwGqtMmO4iMWNIOucRnD7l4qaCh1hVWAk2BbO3OcHw010=,iv:PfKUVRyjEVT2BBUCmruR026n/P2kT2Papq46DOFq3rE=,tag:AhyI1yHdEucmQEo6iHnznQ==,type:str]
wg1-peer0-psk: ENC[AES256_GCM,data:zlQv7B2Xm+QUzevsYDD2ckIp3PdEAOSEPv6UKYLKRUGWXKE9eLhC1dNq5t8=,iv:kehiDKfew68S2pfRFq5OyTm+Ixo05uiAiHDg30xhP4Y=,tag:0GSr1d26ALehewMF5b6woQ==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -21,8 +23,8 @@ sops:
cVlibElsOVR4RG15RTR3bnh0MVgvK3MKhaZLzdlPmFW04Qjk8V7Lkr2EZW8nZT4Z cVlibElsOVR4RG15RTR3bnh0MVgvK3MKhaZLzdlPmFW04Qjk8V7Lkr2EZW8nZT4Z
X3yM7cyoinI9N0zwfArXMnThp2u8w86romQ52e6oy7LCKeKqrLpQ+A== X3yM7cyoinI9N0zwfArXMnThp2u8w86romQ52e6oy7LCKeKqrLpQ+A==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-25T19:21:33Z" lastmodified: "2024-05-26T17:23:41Z"
mac: ENC[AES256_GCM,data:zw79GU+OINSJWy0hHeV33ZOPkrxrRCyd31XpcbWAIkactRL4rumXhHWxcd5QAvmloFa8Rb7q6drRIu9kt7nXrr8+HK/xWoj+AxmXHFMEi6aC0xdhsyBfl7+Jq3SRTUf6tHFxyHVRVWyZXnhV59xf2Vwmy3R5/0vq50c8UQ8vJww=,iv:czqwgGcLXR+FyXpTuuXIH8pF/P1s1FrZxtqI3joLZCg=,tag:DUq+cACVStNX6u8LfYIQTw==,type:str] mac: ENC[AES256_GCM,data:Ez/79vUHs+9B/v2qlUiPQeuYHRdvjUg1jJOt3C6xEnncDQ2fH0CUxKEIfjgJR7eatwvZSznprv2wCD8Ik0SKunjRI1UGe5JmrVstqoSDbo+MxpdwrqA8zC5unpRUYenvyo9m8ZW/DnjKz0ArorYjA9vid878MdemkHtSjjZzik8=,iv:2CkmPRjYYt7q7HAdEjIbJHaSUG6Yr92pEkk+Dd3E7LE=,tag:S8LPb0mEjRZQqawX310SOg==,type:str]
pgp: pgp:
- created_at: "2024-05-25T18:38:40Z" - created_at: "2024-05-25T18:38:40Z"
enc: |- enc: |-