From 1ff6fefe39521844872cb7aad165cf8ee9f6a1cc Mon Sep 17 00:00:00 2001
From: Kjetil Orbekk
Date: Wed, 1 Mar 2023 14:10:25 -0500
Subject: vpn setup
---
 machines/dragon.nix | 6 +++---
 modules/router.nix | 11 ++++++++---
 2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/machines/dragon.nix b/machines/dragon.nix
index 9174c15..16ae1cf 100644
--- a/machines/dragon.nix
+++ b/machines/dragon.nix
@@ -50,10 +50,10 @@ in {
 services.transmission = {
 enable = true;
- openPeerPorts = true;
- openRPCPort = true;
 settings.download-dir = "/storage/upload";
- settings.peer-port = 51413;
+ settings.peer-port = 55324;
+ settings.rpc-bind-address = "0.0.0.0";
+ settings.rpc-whitelist = "172.20.*.*";
 };
 systemd.services.transmission.serviceConfig.NetworkNamespacePath = "/var/run/netns/vpn";
 # services.tailscale.enable = true;
diff --git a/modules/router.nix b/modules/router.nix
index 65b8ea7..9251229 100644
--- a/modules/router.nix
+++ b/modules/router.nix
@@ -147,8 +147,9 @@ let
 dhcp-range=tag:vpnlan-vport,172.20.30.10,172.20.30.254,5m
 dhcp-option=tag:vpnlan-vport,option:router,172.20.30.1
 dhcp-option=tag:vpnlan-vport,option:dns-server,193.138.218.74
- dhcp-range=tag:vpnlan-vport,::2,::1000,constructor:vpnlan-vport,ra-only
+ dhcp-range=tag:vpnlan-vport,::2,::1000,constructor:vpnlan-vport,ra-only,5m
 dhcp-host=id:00:04:33:32:31:37:37:31:58:4d:32:35:31:37:30:30:4a:44,tag:vpnlan-vport,[::2]
+ dhcp-host=id:vpn,tag:vpnlan-vport,172.20.30.2
 '';
 };
@@ -157,7 +158,6 @@ let
 extraConfig = ''
 noipv6rs
 noipv6
- nohook resolv.conf
 interface wan-vport
 dhcp
 '';
@@ -210,7 +210,7 @@ let
 oifname wan-vport counter accept
 oifname mullvad counter accept
- ip6 daddr 2001:470:8e2e:30::2 th dport 9091 counter accept;
+ ip daddr 172.20.30.2 th dport 9091 counter accept;
 oifname servers-vport meta l4proto {tcp, udp} th dport $SERVER_WAN_PORTS counter accept
 iifname lan-vport oifname servers-vport meta l4proto {tcp, udp} th dport $SERVER_LAN_PORTS counter accept
 iifname servers-vport counter accept
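Review bot: `settings.rpc-whitelist = "172.20.*.*"` admits the whole 172.20.0.0/16 range, while the router side of this same patch hands the vpnlan segment 172.20.30.x and keeps other hosts (the 172.20.20.2 DNAT target, for instance) in different /24s; with the RPC socket now bound to `0.0.0.0`, the whitelist is the only source check left on port 9091 and should be as narrow as the clients that need it, e.g. `settings.rpc-whitelist = "172.20.30.*";`. If rpc-authentication-required is not set elsewhere in this file, source-address matching is the sole gate on RPC — confirm. Dropping openRPCPort/openPeerPorts is consistent with the unit living in the `vpn` network namespace, but that also means the host firewall presumably no longer sees this traffic, which deserves a one-line comment on the NetworkNamespacePath line. The enclosing attribute set continues outside the hunk.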
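Review bot: The reservation `dhcp-host=id:vpn,tag:vpnlan-vport,172.20.30.2` keys the 172.20.30.2 address on a client-supplied DHCP client identifier, and the later hunks of this patch direct the peer-port DNAT and the port-9091 forward accept to that address, so any host on the vpnlan segment that presents `clientid vpn` can take over the role; that is acceptable on a trusted segment but the assumption should be written down, e.g. `# 172.20.30.2 is reserved by client-id only; every host on vpnlan-vport is trusted not to present id:vpn`. The IPv6 reservation two lines above is keyed on a DUID rather than a free-form string, so the two reservations for the same segment use different identity bindings, which is worth noting in the same comment. The dnsmasq config string this hunk edits starts outside the hunk.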
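Review bot: `ip daddr 172.20.30.2 th dport 9091 counter accept;` carries no `iifname` qualifier, so the forward chain passes port 9091 toward the Transmission RPC address from whichever ingress interfaces reach this rule — potentially wan-vport or the mullvad tunnel, both of which this chain knows about; the neighbouring rules scope by interface and this one should too, e.g. `iifname lan-vport ip daddr 172.20.30.2 tcp dport 9091 counter accept`. Matching on `tcp dport` instead of `th dport` also stops the rule from admitting UDP 9091, which the RPC server does not use. The trailing `;` is harmless but inconsistent with the surrounding rules. The forward chain starts and ends outside the hunk.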
@@ -233,6 +233,7 @@ let
 chain prerouting {
 type nat hook prerouting priority -100; policy accept
 meta nfproto ipv4 iifname wan-vport tcp dport $SERVER_WAN_PORTS dnat to 172.20.20.2
+ meta nfproto ipv4 iifname vpn-vport tcp dport 55324 dnat to 172.20.30.2
 }
 chain postrouting {
 type nat hook postrouting priority 100; policy accept
@@ -296,7 +297,11 @@ in {
 privateNetwork = false;
 config = { config, lib, pkgs, ... }: {
 system.stateVersion = "22.11";
+ networking.firewall.enable = false;
 networking.interfaces.vpn-vport.useDHCP = true;
+ networking.dhcpcd.extraConfig = ''
+ clientid vpn
+ '';
 };
 additionalCapabilities = ["CAP_NET_ADMIN"];
 };
--
cgit v1.2.3
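Review bot: The new DNAT `meta nfproto ipv4 iifname vpn-vport tcp dport 55324 dnat to 172.20.30.2` covers TCP only, whereas the existing server rules in this file use `meta l4proto {tcp, udp}`; Transmission's peer port also carries UDP when µTP/DHT are enabled, so the rule is more likely correct as `meta nfproto ipv4 iifname vpn-vport meta l4proto {tcp, udp} th dport 55324 dnat to 172.20.30.2`. The forward chain in the earlier hunk gained no accept for 55324 toward 172.20.30.2, so unless a `ct status dnat` accept exists outside the visible hunks the translated peer connections will be dropped there — confirm. A short comment such as `# transmission peer port, keep in sync with machines/dragon.nix` would tie the hard-coded 55324 to the place it is set. The prerouting chain is shown in full, but the nft ruleset string continues outside the hunk.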
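Review bot: `networking.firewall.enable = false;` switches the container's firewall off without saying why; given the context line `privateNetwork = false;`, the container appears to share the host's network stack, so the reason is presumably that the router's nftables ruleset must not be replaced by a second firewall loaded from inside the container — that belongs inline, e.g. `# host netns is shared (privateNetwork = false): the router's nftables ruleset is authoritative, do not load a second firewall here`. `clientid vpn` is the counterpart of the `id:vpn` reservation in the dnsmasq hunk, and a cross-reference (`# must match dhcp-host id:vpn in the dnsmasq config`) would keep the two from drifting apart. The container definition continues outside the hunk.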