From b88fdbf4e208d4eda4b2433ec8bdeea2adea21b6 Mon Sep 17 00:00:00 2001
From: Kjetil Orbekk
Date: Sun, 26 Feb 2023 17:47:28 -0500
Subject: vpn config

---
 modules/router.nix | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/modules/router.nix b/modules/router.nix
index 95d5d75..efd4f69 100644
--- a/modules/router.nix
+++ b/modules/router.nix
@@ -68,6 +68,9 @@ let
 ipv4.addresses = [{address = "10.10.255.18"; prefixLength = 24;}];
 ipv4.routes = [{address = "10.10.255.0"; prefixLength = 24;}];
 };
+ networking.interfaces.vpnlan-vport = {
+ ipv4.addresses = [{address = "172.20.30.1"; prefixLength = 24;}];
+ };
 networking.sits.he0 = {
 dev = "wan-vport";
 remote = "209.51.161.14";
@@ -128,6 +131,10 @@ let
 dhcp-option=tag:lan-vport,option:router,172.20.100.1
 dhcp-option=tag:lan-vport,option:dns-server,172.20.100.1
 dhcp-range=tag:lan-vport,::2,::1000,constructor:lan-vport,ra-only
+
+ dhcp-range=tag:vpnlan-vport,172.20.30.10,172.20.30.254,5m
+ dhcp-option=tag:vpnlan-vport,option:router,172.20.30.1
+ dhcp-option=tag:vpnlan-vport,option:dns-server,193.138.218.74
 '';
 };
@@ -190,6 +197,7 @@ let
 ct state vmap { established : accept, related : accept, invalid : drop }
 oif he0 counter accept
 oif wan-vport counter accept
+ oif mullvad counter accept
 oif servers-vport meta l4proto {tcp, udp} th dport $SERVER_WAN_PORTS counter accept
 iif lan-vport oif servers-vport meta l4proto {tcp, udp} th dport $SERVER_LAN_PORTS counter accept
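Review bot: The new `oif mullvad counter accept` in the forward chain has no companion rule that stops vpnlan-vport traffic from leaving through the clear-text uplinks, so whenever the mullvad interface is down or the mark-based route is not installed, packets from 172.20.30.0/24 still match the existing `oif wan-vport counter accept` and `oif he0 counter accept` lines above it, and the `ip saddr 172.16.0.0/12 oif {"wan-vport"} masquerade` rule in the last hunk then NATs them out unencrypted. A kill-switch placed before those accepts closes that gap, e.g. `iif vpnlan-vport oif {"wan-vport", "he0"} counter drop`. The dnsmasq hunk hands the same clients an external resolver (`option:dns-server,193.138.218.74`), so without the drop their DNS queries would take the same clear-text path. The forward chain starts and ends outside this hunk, so check no earlier rule already accepts the traffic before the drop would be reached.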
@@ -204,16 +212,19 @@ let
 type filter hook prerouting priority -150
 # ip6 saddr 2001:470:8e2e::/48 ip6 daddr != 2001:470:8e2e::/48 ip6 daddr != fe80::/64 meta nftrace set 1
 ip6 saddr 2001:470:8e2e::/48 ip6 daddr != 2001:470:8e2e::/48 ip6 daddr != fe80::/64 meta mark set ${toString heMark}
+ iif vpnlan-vport meta mark set ${toString mullvadMark}
 }
 }
 table ip nat {
 chain prerouting {
 type nat hook prerouting priority -100; policy accept
+ iif wan-vport tcp dport $SERVER_WAN_PORTS dnat to 172.20.20.2
 }
 chain postrouting {
 type nat hook postrouting priority 100; policy accept
 ip saddr 172.16.0.0/12 oif {"wan-vport"} masquerade
+ ip saddr 172.16.0.0/12 oif {"mullvad"} masquerade
 }
 }
 '';
--
cgit v1.2.3
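Review bot: The table that holds the new `iif vpnlan-vport meta mark set ${toString mullvadMark}` rule is declared above this hunk, and the only neighbouring rules are `ip6 saddr` matches, so it is not visible whether that table is `inet` or `ip6`; if it is `ip6`, IPv4 packets from vpnlan-vport are never marked, the mullvad route is never selected, and the traffic falls back to the default route toward wan-vport. Confirm the family and add a comment on the rule, e.g. `# IPv4+IPv6: steer everything from vpnlan into the mullvad policy route`, so the dependency on an `inet` table is explicit. The new `iif wan-vport tcp dport $SERVER_WAN_PORTS dnat to 172.20.20.2` also covers only TCP while the forward rule for `$SERVER_WAN_PORTS` accepts `{tcp, udp}`; if UDP services are intended, the dnat needs a matching `meta l4proto {tcp, udp} th dport` form, otherwise the forward rule is wider than necessary.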