diff options
| author | Kjetil Orbekk <kj@orbekk.com> | 2023-10-07 10:45:22 -0400 |
|---|---|---|
| committer | Kjetil Orbekk <kj@orbekk.com> | 2023-10-07 10:45:22 -0400 |
| commit | 5631d50db8d9aaa76dfaf8cfd3cc8b0f7f12d0a6 (patch) | |
| tree | 2ff76c63efa1cfb18dacb8b77e8c55db9605e027 | |
| parent | 722ef53db99dc73ba7afe1a2b362b142a6da42e6 (diff) | |
vpn routing
| -rw-r--r-- | modules/router.nix | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/modules/router.nix b/modules/router.nix index 9de3700..61fe023 100644 --- a/modules/router.nix +++ b/modules/router.nix @@ -4,6 +4,7 @@ let cfg = config.orbekk.router; devices = ["eno1" "eno2"]; + vpnMark = 3; mullvadMark = 2; heMark = 1; @@ -94,6 +95,7 @@ let networking.iproute2.enable = true; networking.iproute2.rttablesExtraConfig = '' + ${toString vpnMark} vpn ${toString mullvadMark} mullvad ${toString heMark} he ''; @@ -107,10 +109,18 @@ let ip -6 rule add fwmark ${toString heMark} table he || true ip -6 route replace default dev he0 table he + ip rule add fwmark ${toString vpnMark} table vpn || true + ip -6 rule add fwmark ${toString vpnMark} table vpn || true + ip rule add fwmark ${toString mullvadMark} table mullvad || true ip -6 rule add fwmark ${toString mullvadMark} table mullvad || true + ip route replace default dev mullvad table mullvad ip -6 route replace default dev mullvad table mullvad + + ip route replace default dev mullvad table vpn + ip -6 route replace default dev mullvad table vpn + ip -6 route flush cache ip route flush cache ''; @@ -322,6 +332,8 @@ in { age.secrets.dragon-wireguard-key.file = ./. + "/../secrets/dragon-wireguard-key.age"; networking.wireguard.interfaces.wg-vpn = { + fwmark = "${toString vpnMark}"; + table = "vpn"; socketNamespace = "router"; interfaceNamespace = "router"; ips = [ "${vpnPrefix}::1/128" ]; |