-rw-r--r--config/router.nix19
-rw-r--r--modules/wireguard.nix (renamed from modules/mullvad.nix)22
2 files changed, 33 insertions, 8 deletions
diff --git a/config/router.nix b/config/router.nix
index 419faf0..33bd37b 100644
--- a/config/router.nix
+++ b/config/router.nix
@@ -2,10 +2,11 @@
let
wan-dev = "bond0.10";
lan-dev = "bond0";
- mullvadPort = config.orbekk.mullvad.listenPort;
+ wireguardPort = config.orbekk.wireguard.listenPort;
mullvadMark = 30;
+ nycmeshMark = 32;
in {
- orbekk.mullvad.enable = true;
+ orbekk.wireguard.enable = true;
services.tftpd.enable = true;
services.openntpd.enable = true;
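Review bot: `orbekk.wireguard.enable = true;` on its own no longer brings up any tunnel, because modules/wireguard.nix now wraps the mullvad interface in `lib.mkIf cfg.enableMullvad` and the nycmesh one in `lib.mkIf cfg.enableNycmesh`, both `mkEnableOption`s that default to false, and nothing in this commit sets either flag in router.nix. Unless they are enabled somewhere outside this diff, neither device exists after a rebuild, the postSetup hooks that install the fwmark rules never run, and traffic from bond0.30 (marked with mullvadMark) is routed by the main table out the plain WAN instead of through the VPN. Add `orbekk.wireguard.enableMullvad = true;` and `orbekk.wireguard.enableNycmesh = true;` beside the `enable` line, or have the module default both interface flags to `cfg.enable`. The `let` block this hunk edits starts before the hunk.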
@@ -60,10 +61,10 @@ in {
services.ferm = {
enable = true;
config = ''
- @def $DEV_UNTRUSTED_LAN = (${lan-dev}.30);
+ @def $DEV_UNTRUSTED_LAN = (${lan-dev}.30 ${lan-dev}.32);
@def $DEV_LAN = (${lan-dev}.100);
@def $DEV_ADMIN = (${lan-dev}.255);
- @def $DEV_WAN = (${wan-dev} he0 mullvad);
+ @def $DEV_WAN = (${wan-dev} he0 mullvad nycmesh);
@def $NET_LAN = 10.0.0.0/8;
domain (ip ip6) table filter {
@@ -88,7 +89,7 @@ in {
proto tcp dport ssh ACCEPT;
proto (tcp udp) dport domain ACCEPT;
proto tcp dport (http https) ACCEPT;
- proto udp dport ${toString mullvadPort} ACCEPT;
+ proto udp dport ${toString wireguardPort} ACCEPT;
}
interface ($DEV_LAN $DEV_ADMIN) @subchain "lan_services" {
@@ -156,6 +157,7 @@ in {
domain (ip ip6) table mangle {
chain PREROUTING {
interface ${lan-dev}.30 MARK set-mark ${toString mullvadMark};
+ interface ${lan-dev}.32 MARK set-mark ${toString nycmeshMark};
}
}
'';
@@ -234,6 +236,7 @@ in {
networking.iproute2.enable = true;
networking.iproute2.rttablesExtraConfig = ''
${toString mullvadMark} mullvad
+ ${toString nycmeshMark} nycmesh
200 he
'';
@@ -256,6 +259,12 @@ in {
ip route flush cache
'';
+ networking.wireguard.interfaces.nycmesh.postSetup = ''
+ ip rule add fwmark ${toString nycmeshMark} table nycmesh
+ ip route replace default dev nycmesh table nycmesh
+ ip route flush cache
+ '';
+
# boot.kernel.sysctl."net.ipv6.conf.${wan-dev}.disable_ipv6" = true;
networking.interfaces.${wan-dev} = {
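Review bot: The nycmesh policy routing fails open: `ip route replace default dev nycmesh table nycmesh` is the only entry in table nycmesh, the kernel removes device routes when the interface goes away, and a lookup that finds nothing in the table falls through to the main table, so while the tunnel is down bond0.32 traffic (marked with nycmeshMark) egresses via the physical WAN. If VLAN 32 is meant to reach the outside only through the mesh, add a lower-priority fallback after the default route, `ip route replace unreachable default table nycmesh metric 1000`, so the table keeps rejecting traffic until the tunnel is back; the same consideration presumably applies to the mullvad table, whose postSetup starts before this hunk. Note also that `ip rule add` is not idempotent, so every restart of the interface stacks one more identical fwmark rule unless a matching postShutdown deletes it, and no such hook is visible in this hunk.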
diff --git a/modules/mullvad.nix b/modules/wireguard.nix
index 436a3b2..0188d90 100644
--- a/modules/mullvad.nix
+++ b/modules/wireguard.nix
@@ -1,12 +1,14 @@
{ config, lib, pkgs, ... }:
let
- cfg = config.orbekk.mullvad;
+ cfg = config.orbekk.wireguard;
in
{
options = {
- orbekk.mullvad = {
+ orbekk.wireguard = {
enable = lib.mkEnableOption "Enable VPN";
+ enableMullvad = lib.mkEnableOption "Enable Mullvad";
+ enableNycmesh = lib.mkEnableOption "Enable NYC Mesh";
listenPort = lib.mkOption {
type = lib.types.port;
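Review bot: The option descriptions no longer explain how the three flags combine: after this change `orbekk.wireguard.enable` alone creates no interface, since each interface is gated on its own `enableMullvad` or `enableNycmesh` flag and both default to false. Make that explicit in the description text, e.g. `enable = lib.mkEnableOption "the WireGuard module; set enableMullvad and/or enableNycmesh as well to create an interface";`, and say in the `listenPort` description which interfaces bind it, since the new nycmesh interface reads the same single option. The option set continues past the end of this hunk.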
@@ -21,7 +23,7 @@ in
networking.wireguard = {
enable = true;
- interfaces.mullvad = {
+ interfaces.mullvad = lib.mkIf cfg.enableMullvad {
privateKeyFile = "/opt/secret/wireguard/mullvad.private";
ips = [ "10.70.90.245/32" "fc00:bbbb:bbbb:bb01::7:5af4/128" ];
allowedIPsAsRoutes = false;
@@ -34,6 +36,20 @@ in
}
];
};
+
+ interfaces.nycmesh = lib.mkIf cfg.enableNycmesh {
+ privateKeyFile = "/opt/secret/wireguard/nycmesh.private";
+ ips = [ "10.70.73.50/32" ];
+ allowedIPsAsRoutes = false;
+ listenPort = cfg.listenPort;
+ peers = [
+ {
+ endpoint = "wgvpn.sn1.mesh.nycmesh.net:51822";
+ publicKey = "W5AQ3LmNVr2bW/IQrIY1GpyacplGc2lpavoeSzU/KhQ=";
+ allowedIPs = [ "0.0.0.0/0" "::0/0" ];
+ }
+ ];
+ };
};
};
}
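Review bot: `listenPort = cfg.listenPort;` on the nycmesh interface reuses the one module-wide port, and if the mullvad interface binds the same value (its listenPort line falls just outside the previous hunk) the second device to come up fails with an address-in-use error, because each WireGuard device binds its own UDP socket; with both enable flags set, one tunnel's unit then fails and that VLAN is routed by the main table instead. Either give nycmesh its own port option (e.g. `nycmeshListenPort`) and open it in the ferm `dport` rule too, or drop `listenPort` here so the kernel picks an ephemeral port, which is sufficient for a peer that only initiates to `wgvpn.sn1.mesh.nycmesh.net:51822`. The rest of the definition (private key under /opt/secret, a /32 address, `allowedIPs = 0.0.0.0/0, ::0/0` with `allowedIPsAsRoutes = false`) mirrors the mullvad interface and looks fine.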