authorKjetil Ørbekk <kj@orbekk.com>2017-11-24 13:24:53 -0500
committerKjetil Ørbekk <kj@orbekk.com>2017-11-24 13:24:53 -0500
commit8fdab961a3f5e86e700a982b073e80583ec14f75 (patch)
tree31a31cb938ee6977fb43242892ccbd8ae3507112 /config/vpn-server.nix
parentbf92021a2c4bb75af2732fc79540b3d035016cb4 (diff)
punch some firewall holes
Diffstat (limited to 'config/vpn-server.nix')
-rw-r--r--config/vpn-server.nix30
1 files changed, 18 insertions, 12 deletions
diff --git a/config/vpn-server.nix b/config/vpn-server.nix
index f2663d5..10b0c17 100644
--- a/config/vpn-server.nix
+++ b/config/vpn-server.nix
@@ -3,18 +3,24 @@ let
port = (import ../data/aliases.nix).services.wireguard.port;
in
{
- networking.wireguard = {
- interfaces = {
- wg0 = {
- ips = [ "10.35.190.1/23" ];
- privateKeyFile = "/opt/secret/wireguard/wg0.key";
- listenPort = port;
- peers = [
- {
- publicKey = "ULWhaOsAaTu4cu84v3PM4DL7arxc/WNnzI/ic2k1KBU=";
- allowedIPs = ["0.0.0.0/0" "::/0"];
- }
- ];
+ networking = {
+ firewall.allowedTCPPorts = [ port ];
+ firewall.allowedUDPPorts = [ port ];
+
+ wireguard = {
+ interfaces = {
+ wg0 = {
+ ips = [ "10.35.190.1/23" ];
+ privateKeyFile = "/opt/secret/wireguard/wg0.key";
+ listenPort = port;
+ allowedIPsAsRoutes = false;
+ peers = [
+ {
+ publicKey = "ULWhaOsAaTu4cu84v3PM4DL7arxc/WNnzI/ic2k1KBU=";
+ allowedIPs = ["0.0.0.0/0" "::/0"];
+ }
+ ];
+ };
};
};
};
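Review bot: The line `firewall.allowedTCPPorts = [ port ];` opens a TCP port that WireGuard never listens on — the protocol is UDP-only — so it widens the host's exposed surface without serving the VPN. Drop that line and keep only `firewall.allowedUDPPorts = [ port ];`, which is the one hole the `listenPort = port;` setting below actually needs. A short comment such as `# WireGuard is UDP-only; no TCP rule is needed` next to the UDP rule would stop the next maintainer from re-adding it. Separately, the single peer carries `allowedIPs = ["0.0.0.0/0" "::/0"]`, which is fine for one catch-all peer but will stop routing correctly the moment a second peer is added, since cryptokey routing only tolerates one peer per prefix; a comment noting that constraint would help.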