diff options
| author | Kjetil Orbekk <kj@orbekk.com> | 2021-08-04 17:12:58 -0400 |
|---|---|---|
| committer | Kjetil Orbekk <kj@orbekk.com> | 2021-08-04 17:13:36 -0400 |
| commit | d0a5776d5ffe07fa286b1ef0f2b27f422cf301b5 (patch) | |
| tree | 93d5efb344a724d57aa9dfb7698cc20b77ef0e24 /config | |
| parent | bb9e37472da4885448ddb34ff009aadddbc9faf2 (diff) | |
add wireguard config
Diffstat (limited to 'config')
| -rw-r--r-- | config/router.nix | 19 |
1 files changed, 14 insertions, 5 deletions
diff --git a/config/router.nix b/config/router.nix index 419faf0..33bd37b 100644 --- a/config/router.nix +++ b/config/router.nix @@ -2,10 +2,11 @@ let wan-dev = "bond0.10"; lan-dev = "bond0"; - mullvadPort = config.orbekk.mullvad.listenPort; + wireguardPort = config.orbekk.wireguard.listenPort; mullvadMark = 30; + nycmeshMark = 32; in { - orbekk.mullvad.enable = true; + orbekk.wireguard.enable = true; services.tftpd.enable = true; services.openntpd.enable = true; @@ -60,10 +61,10 @@ in { services.ferm = { enable = true; config = '' - @def $DEV_UNTRUSTED_LAN = (${lan-dev}.30); + @def $DEV_UNTRUSTED_LAN = (${lan-dev}.30 ${lan-dev}.32); @def $DEV_LAN = (${lan-dev}.100); @def $DEV_ADMIN = (${lan-dev}.255); - @def $DEV_WAN = (${wan-dev} he0 mullvad); + @def $DEV_WAN = (${wan-dev} he0 mullvad nycmesh); @def $NET_LAN = 10.0.0.0/8; domain (ip ip6) table filter { @@ -88,7 +89,7 @@ in { proto tcp dport ssh ACCEPT; proto (tcp udp) dport domain ACCEPT; proto tcp dport (http https) ACCEPT; - proto udp dport ${toString mullvadPort} ACCEPT; + proto udp dport ${toString wireguardPort} ACCEPT; } interface ($DEV_LAN $DEV_ADMIN) @subchain "lan_services" { @@ -156,6 +157,7 @@ in { domain (ip ip6) table mangle { chain PREROUTING { interface ${lan-dev}.30 MARK set-mark ${toString mullvadMark}; + interface ${lan-dev}.32 MARK set-mark ${toString nycmeshMark}; } } ''; @@ -234,6 +236,7 @@ in { networking.iproute2.enable = true; networking.iproute2.rttablesExtraConfig = '' ${toString mullvadMark} mullvad + ${toString nycmeshMark} nycmesh 200 he ''; @@ -256,6 +259,12 @@ in { ip route flush cache ''; + networking.wireguard.interfaces.nycmesh.postSetup = '' + ip rule add fwmark ${toString nycmeshMark} table nycmesh + ip route replace default dev nycmesh table nycmesh + ip route flush cache + ''; + # boot.kernel.sysctl."net.ipv6.conf.${wan-dev}.disable_ipv6" = true; networking.interfaces.${wan-dev} = { |