Diffstat (limited to 'modules')
-rw-r--r-- | modules/router.nix | 15 | ||||
-rw-r--r-- | modules/vpn.nix | 9 |
2 files changed, 10 insertions, 14 deletions
diff --git a/modules/router.nix b/modules/router.nix index fa5b19c..3bc7dab 100644 --- a/modules/router.nix +++ b/modules/router.nix @@ -147,6 +147,9 @@ let wantedBy = [ "multi-user.target" ]; path = [ pkgs.iproute ]; script = '' + ip -6 rule add from 2001:470:1f06:1194::2 table main priority 19000 suppress_prefixlength 0 || true + ip -6 rule add from 2001:470:1f06:1194::2 table he priority 20000 || true + ip -6 rule add fwmark ${toString heMark} table main priority 19000 suppress_prefixlength 0 || true ip -6 rule add fwmark ${toString heMark} table he priority 20000 || true ip -6 route replace default dev he0 table he @@ -201,8 +204,8 @@ let dhcp-option=tag:servers-vport,option:dns-server,172.20.20.1 dhcp-range=tag:servers-vport,::,static,constructor:servers-vport,5m dhcp-host=id:*,tag:servers-vport,172.20.20.2 - dhcp-host=id:00:01:00:01:21:a2:4e:a8:d0:bf:9c:45:a6:ec,tag:servers-vport,[::d] - # dhcp-host=id:dragon,::d + dhcp-host=id:00:01:00:01:2e:a3:07:37:d0:bf:9c:45:a6:ec,tag:servers-vport,[::d] + #dhcp-host=tag:servers-vport,id:dragon,::d dhcp-range=tag:lan-vport,172.20.100.10,172.20.100.254,5m dhcp-option=tag:lan-vport,option:router,172.20.100.1 @@ -267,7 +270,6 @@ let ip6 nexthdr ipv6-icmp counter accept comment "accept all ICMP types" iifname wan-vport counter drop - meta nftrace set 1 counter drop } 
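Review bot: Every `ip -6 rule add` in this script, including the three new `from 2001:470:1f06:1194::2` rules, ends in `|| true`, so a rule that fails to install for any reason other than already existing is skipped without a trace and traffic from that address then presumably falls through to the main table's default route instead of table he. If the `|| true` is only there to survive re-runs, delete before adding and let a real failure stop the unit: `ip -6 rule del from 2001:470:1f06:1194::2 table he priority 20000 2>/dev/null || true` followed by `ip -6 rule add from 2001:470:1f06:1194::2 table he priority 20000`, and the same for the other three rules. The address literal also reappears as `2001:470:1f06:1194::/64` in the nftables prerouting chain in a later hunk; binding it once in the surrounding `let` next to `heMark` (outside this hunk) would keep the two in step. The service definition holding this script starts before and continues after the hunk.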
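Review bot: The new `dhcp-host=id:00:01:00:01:2e:a3:07:37:d0:bf:9c:45:a6:ec,tag:servers-vport,[::d]` line gives no hint of what the identifier is; it is a DUID-LLT (type 00:01, hardware type 00:01, a four-byte timestamp, then the MAC d0:bf:9c:45:a6:ec), and the removed line differs only in the timestamp bytes, which is what happens when the client regenerates its DUID. A comment such as `# DUID-LLT of the ::d host (MAC d0:bf:9c:45:a6:ec); the timestamp part changes when the client regenerates its DUID, so update this after a reinstall` would save the next reader from diffing the bytes. The commented-out `#dhcp-host=tag:servers-vport,id:dragon,::d` beneath it reads as an abandoned alternative and could say why it is kept.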
@@ -310,7 +312,8 @@ let chain prerouting { type filter hook prerouting priority -150 # ip6 saddr 2001:470:8e2e::/48 ip6 daddr != 2001:470:8e2e::/48 ip6 daddr != fe80::/64 meta nftrace set 1 - ip6 saddr 2001:470:8e2e::/48 ip6 daddr != 2001:470:8e2e::/48 ip6 daddr != fe80::/64 meta mark set ${toString heMark} + ip6 saddr 2001:470:8e2e::/48 ip6 daddr != 2001:470:8e2e::/48 ip6 daddr != fe80::/64 meta mark set ${toString heMark} counter + ip6 saddr 2001:470:1f06:1194::/64 ip6 daddr != 2001:470:8e2e::/48 ip6 daddr != fe80::/64 meta mark set ${toString heMark} counter meta nfproto ipv4 iifname vpnlan-vport ip daddr != 172.20.0.0/16 meta mark set ${toString mullvadMark} meta nfproto ipv6 ip6 daddr != 2001:470:8e2e::/48 ip6 daddr != fe80::/60 iifname vpnlan-vport meta mark set ${toString mullvadMark} } @@ -394,14 +397,12 @@ in { additionalCapabilities = ["CAP_NET_ADMIN"]; }; - age.secrets.dragon-wireguard-key.file = ./. - + "/../secrets/dragon-wireguard-key.age"; networking.wireguard.interfaces.wg-vpn = { # fwMark = "${toString vpnMark}"; socketNamespace = "router"; interfaceNamespace = "router"; ips = [ "${vpnPrefix}::1/128" ]; - privateKeyFile = config.age.secrets.dragon-wireguard-key.path; + privateKeyFile = "/opt/secret/wireguard/dragon-wireguard-key.priv"; listenPort = vpnPort; peers = let mkPeer = host: ip: { name = host; diff --git a/modules/vpn.nix b/modules/vpn.nix index b99b73e..fb6b255 100644 --- a/modules/vpn.nix +++ b/modules/vpn.nix @@ -48,11 +48,6 @@ in { orbekk.vpn = { enable = lib.mkEnableOption "Enable VPN"; - is_server = lib.mkOption { - type = lib.types.bool; - default = false; - }; - listenPort = lib.mkOption { type = lib.types.port; default = 40422; 
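Review bot: The added `ip6 saddr 2001:470:1f06:1194::/64 ...` rule repeats the preceding rule verbatim except for the source prefix, so any later change to the destination exclusions has to be made twice; an anonymous set folds both into one rule: `ip6 saddr { 2001:470:8e2e::/48, 2001:470:1f06:1194::/64 } ip6 daddr != 2001:470:8e2e::/48 ip6 daddr != fe80::/64 meta mark set ${toString heMark} counter`. The prefix also deserves a comment, since its only other appearance is the `ip -6 rule` script in an earlier hunk, presumably as the HE tunnel's link /64: `# HE tunnel link prefix: mark so policy routing sends it via table he`. The mullvad rule two lines further down excludes `fe80::/60` where these rules use `fe80::/64`; if that difference is not deliberate, the combined rule is the place to align it. The chain is opened before the hunk starts.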
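Review bot: `privateKeyFile = "/opt/secret/wireguard/dragon-wireguard-key.priv"` points at a file that nothing in this configuration creates, delivers or permission-checks, whereas the removed `age.secrets.dragon-wireguard-key` entry declared it; a missing file now surfaces only as a failed interface, and a too-permissive mode is not noticed at all. At least record the contract next to the line: `# Provisioned out of band (not agenix, not in the store); must be root-owned, mode 0400`. The hostname is also hard-coded here while modules/vpn.nix in the next file builds the same path from `config.networking.hostName`; assuming this module is only evaluated on dragon, one shared expression such as `"/opt/secret/wireguard/${config.networking.hostName}-wireguard-key.priv"` would keep the two from drifting. The `wg-vpn` attribute set continues past the end of the hunk (`peers`).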
@@ -76,14 +71,14 @@ in { interfaces.vpn = { ips = hosts.${config.networking.hostName}.ips; privateKeyFile = - "${config.age.secrets."${config.networking.hostName}-wireguard-key".path}"; + "/opt/secret/wireguard/${config.networking.hostName}-wireguard-key.priv"; allowedIPsAsRoutes = true; listenPort = cfg.listenPort; peers = [ { name = "dragon"; endpoint = "vpn.orbekk.com:${toString cfg.listenPort}"; - publicKey = "9q8aH3R8YBfP3xiTmN5bNiLQswY5dy3grB/P0vDqP0M="; + publicKey = "msfXBbmViSmxLKD3R0WrcQSRTyMrcoM67FoD7VevEn0="; allowedIPs = ["${vpn-prefix}::/64"]; persistentKeepalive = 60; } |
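Review bot: The rotated `publicKey = "msfXBbmViSmxLKD3R0WrcQSRTyMrcoM67FoD7VevEn0="` for peer dragon is a bare literal with nothing tying it to the private key it has to match (presumably the file now named by `privateKeyFile` on dragon in the router.nix hunk); a mismatch after the next rotation shows up only as a tunnel that never handshakes, since WireGuard drops unauthenticated handshakes silently. A comment such as `# dragon's current WireGuard public key; derive it with wg pubkey from dragon's private key file whenever that key is rotated` keeps the pairing visible. The `interfaces.vpn` attribute set and its `peers` list close after the hunk ends.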