authorKjetil Orbekk <kj@orbekk.com>2021-03-08 19:57:51 -0500
committerKjetil Orbekk <kj@orbekk.com>2021-03-08 19:57:51 -0500
commitff7006318cd00a9b059927edd10e772c7e854dd2 (patch)
tree5da14b2082ed6138beeffef935fe0e00d0c0cd85 /modules
parent70b4fd29a6ea366bcdc70b40dd1dfd7f8501b48f (diff)
mullvad setup
Diffstat (limited to 'modules')
-rw-r--r--modules/mullvad.nix39
-rw-r--r--modules/simple-firewall.nix12
2 files changed, 44 insertions, 7 deletions
diff --git a/modules/mullvad.nix b/modules/mullvad.nix
new file mode 100644
index 0000000..436a3b2
--- /dev/null
+++ b/modules/mullvad.nix
@@ -0,0 +1,39 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.orbekk.mullvad;
+in
+{
+ options = {
+ orbekk.mullvad = {
+ enable = lib.mkEnableOption "Enable VPN";
+
+ listenPort = lib.mkOption {
+ type = lib.types.port;
+ default = 40421;
+ description = "wireguard local port";
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ orbekk.simple-firewall.allowedUDPPorts = [ cfg.listenPort ];
+
+ networking.wireguard = {
+ enable = true;
+ interfaces.mullvad = {
+ privateKeyFile = "/opt/secret/wireguard/mullvad.private";
+ ips = [ "10.70.90.245/32" "fc00:bbbb:bbbb:bb01::7:5af4/128" ];
+ allowedIPsAsRoutes = false;
+ listenPort = cfg.listenPort;
+ peers = [
+ {
+ endpoint = "ca10-wireguard.mullvad.net:51820";
+ publicKey = "pAVh6WJtyF7ktvavez399L4A615TXOAaUHQgpwJ4EHU=";
+ allowedIPs = [ "0.0.0.0/0" "::0/0" ];
+ }
+ ];
+ };
+ };
+ };
+}
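Review bot: With `allowedIPsAsRoutes = false;` next to `allowedIPs = [ "0.0.0.0/0" "::0/0" ];`, the tunnel will accept any destination but this module installs no route towards it, so unless routing or policy rules for the `mullvad` interface are configured somewhere outside this diff, ordinary traffic keeps leaving over the physical default route and nothing here prevents that when the tunnel is down; a short comment on that line stating where the default route is expected to be set up (or an explicit note that it is deliberately manual) would make the intent reviewable. The private key path `/opt/secret/wireguard/mullvad.private` is hard-coded while `listenPort` is an option; exposing it the same way, e.g. `privateKeyFile = lib.mkOption { type = lib.types.path; default = "/opt/secret/wireguard/mullvad.private"; };`, keeps the secret location out of the module and consistent with the existing option style. `lib.mkEnableOption` prefixes its argument with "Whether to enable", so the rendered description currently reads "Whether to enable Enable VPN."; `enable = lib.mkEnableOption "Mullvad VPN";` reads correctly.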
diff --git a/modules/simple-firewall.nix b/modules/simple-firewall.nix
index f2b4405..7a3ad3e 100644
--- a/modules/simple-firewall.nix
+++ b/modules/simple-firewall.nix
@@ -23,8 +23,6 @@ in
config = lib.mkIf cfg.enable {
networking.firewall.enable = lib.mkForce false;
-
- boot.blacklistedKernelModules = ["ip_tables"];
networking.nftables.enable = true;
networking.nftables.ruleset =
@@ -52,13 +50,13 @@ in
ct state {established, related} accept
- ip protocol icmp limit rate 4/second counter name icmp-allowed accept
- ip6 nexthdr ipv6-icmp limit rate 4/second counter name icmp6-allowed accept
+ ip protocol icmp limit rate 4/second counter accept
+ ip6 nexthdr ipv6-icmp limit rate 4/second counter accept
- tcp dport @allowed_tcp_ports counter name tcp-allowed accept
- udp dport @allowed_udp_ports counter name udp-allowed accept
+ tcp dport @allowed_tcp_ports counter accept
+ udp dport @allowed_udp_ports counter accept
- counter name dropped drop
+ counter drop
}
chain output {