diff options
| author | Kjetil Orbekk <kj@orbekk.com> | 2023-02-26 17:47:28 -0500 |
|---|---|---|
| committer | Kjetil Orbekk <kj@orbekk.com> | 2023-02-26 17:47:28 -0500 |
| commit | b88fdbf4e208d4eda4b2433ec8bdeea2adea21b6 (patch) | |
| tree | 6a3a8232a25b775a8617559958a716a57c3d15a5 /modules/router.nix | |
| parent | d7e7271306957131ed42f2ede04038d745468fd3 (diff) | |
vpn config
Diffstat (limited to 'modules/router.nix')
| -rw-r--r-- | modules/router.nix | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/modules/router.nix b/modules/router.nix index 95d5d75..efd4f69 100644 --- a/modules/router.nix +++ b/modules/router.nix @@ -68,6 +68,9 @@ let ipv4.addresses = [{address = "10.10.255.18"; prefixLength = 24;}]; ipv4.routes = [{address = "10.10.255.0"; prefixLength = 24;}]; }; + networking.interfaces.vpnlan-vport = { + ipv4.addresses = [{address = "172.20.30.1"; prefixLength = 24;}]; + }; networking.sits.he0 = { dev = "wan-vport"; remote = "209.51.161.14"; @@ -128,6 +131,10 @@ let dhcp-option=tag:lan-vport,option:router,172.20.100.1 dhcp-option=tag:lan-vport,option:dns-server,172.20.100.1 dhcp-range=tag:lan-vport,::2,::1000,constructor:lan-vport,ra-only + + dhcp-range=tag:vpnlan-vport,172.20.30.10,172.20.30.254,5m + dhcp-option=tag:vpnlan-vport,option:router,172.20.30.1 + dhcp-option=tag:vpnlan-vport,option:dns-server,193.138.218.74 ''; }; @@ -190,6 +197,7 @@ let ct state vmap { established : accept, related : accept, invalid : drop } oif he0 counter accept oif wan-vport counter accept + oif mullvad counter accept oif servers-vport meta l4proto {tcp, udp} th dport $SERVER_WAN_PORTS counter accept iif lan-vport oif servers-vport meta l4proto {tcp, udp} th dport $SERVER_LAN_PORTS counter accept @@ -204,16 +212,19 @@ let type filter hook prerouting priority -150 # ip6 saddr 2001:470:8e2e::/48 ip6 daddr != 2001:470:8e2e::/48 ip6 daddr != fe80::/64 meta nftrace set 1 ip6 saddr 2001:470:8e2e::/48 ip6 daddr != 2001:470:8e2e::/48 ip6 daddr != fe80::/64 meta mark set ${toString heMark} + iif vpnlan-vport meta mark set ${toString mullvadMark} } } table ip nat { chain prerouting { type nat hook prerouting priority -100; policy accept + iif wan-vport tcp dport $SERVER_WAN_PORTS dnat to 172.20.20.2 } chain postrouting { type nat hook postrouting priority 100; policy accept ip saddr 172.16.0.0/12 oif {"wan-vport"} masquerade + ip saddr 172.16.0.0/12 oif {"mullvad"} masquerade } } ''; |