From d0a5776d5ffe07fa286b1ef0f2b27f422cf301b5 Mon Sep 17 00:00:00 2001
From: Kjetil Orbekk
Date: Wed, 4 Aug 2021 17:12:58 -0400
Subject: add wireguard config

---
 config/router.nix | 19 +++++++++++++-----
 modules/mullvad.nix | 39 ------------------------------------
 modules/wireguard.nix | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 69 insertions(+), 44 deletions(-)
 delete mode 100644 modules/mullvad.nix
 create mode 100644 modules/wireguard.nix

diff --git a/config/router.nix b/config/router.nix
index 419faf0..33bd37b 100644
--- a/config/router.nix
+++ b/config/router.nix
@@ -2,10 +2,11 @@ let
   wan-dev = "bond0.10";
   lan-dev = "bond0";
-  mullvadPort = config.orbekk.mullvad.listenPort;
+  wireguardPort = config.orbekk.wireguard.listenPort;
   mullvadMark = 30;
+  nycmeshMark = 32;
 in {
-  orbekk.mullvad.enable = true;
+  orbekk.wireguard.enable = true;
   services.tftpd.enable = true;
   services.openntpd.enable = true;
@@ -60,10 +61,10 @@ in {
   services.ferm = {
     enable = true;
     config = ''
-      @def $DEV_UNTRUSTED_LAN = (${lan-dev}.30);
+      @def $DEV_UNTRUSTED_LAN = (${lan-dev}.30 ${lan-dev}.32);
       @def $DEV_LAN = (${lan-dev}.100);
       @def $DEV_ADMIN = (${lan-dev}.255);
-      @def $DEV_WAN = (${wan-dev} he0 mullvad);
+      @def $DEV_WAN = (${wan-dev} he0 mullvad nycmesh);
       @def $NET_LAN = 10.0.0.0/8;
       domain (ip ip6) table filter {
@@ -88,7 +89,7 @@ in {
           proto tcp dport ssh ACCEPT;
           proto (tcp udp) dport domain ACCEPT;
           proto tcp dport (http https) ACCEPT;
-          proto udp dport ${toString mullvadPort} ACCEPT;
+          proto udp dport ${toString wireguardPort} ACCEPT;
         }
         interface ($DEV_LAN $DEV_ADMIN) @subchain "lan_services" {
@@ -156,6 +157,7 @@ in {
       domain (ip ip6) table mangle {
         chain PREROUTING {
           interface ${lan-dev}.30 MARK set-mark ${toString mullvadMark};
+          interface ${lan-dev}.32 MARK set-mark ${toString nycmeshMark};
         }
       }
     '';
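Review bot: `orbekk.wireguard.enable = true;` in the first hunk switches the new module on, but none of the hunks in this file set `orbekk.wireguard.enableMullvad` or `orbekk.wireguard.enableNycmesh`, and in modules/wireguard.nix both interface definitions are wrapped in `lib.mkIf` on exactly those options. Unless they are set somewhere outside these hunks, neither tunnel interface is created, while the `$DEV_WAN` set, the `nycmeshMark` mangle rule and the later `interfaces.nycmesh.postSetup` hook in this file all assume both exist. Adding `orbekk.wireguard.enableMullvad = true;` and `orbekk.wireguard.enableNycmesh = true;` next to the enable line would make the intent explicit. The `let` block and the ferm config string both continue outside the visible hunks.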
@@ -234,6 +236,7 @@ in {
   networking.iproute2.enable = true;
   networking.iproute2.rttablesExtraConfig = ''
     ${toString mullvadMark} mullvad
+    ${toString nycmeshMark} nycmesh
     200 he
   '';
@@ -256,6 +259,12 @@ in {
     ip route flush cache
   '';
+  networking.wireguard.interfaces.nycmesh.postSetup = ''
+    ip rule add fwmark ${toString nycmeshMark} table nycmesh
+    ip route replace default dev nycmesh table nycmesh
+    ip route flush cache
+  '';
+
   # boot.kernel.sysctl."net.ipv6.conf.${wan-dev}.disable_ipv6" = true;
   networking.interfaces.${wan-dev} = {
diff --git a/modules/mullvad.nix b/modules/mullvad.nix
deleted file mode 100644
index 436a3b2..0000000
--- a/modules/mullvad.nix
+++ /dev/null
@@ -1,39 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
-  cfg = config.orbekk.mullvad;
-in
-{
-  options = {
-    orbekk.mullvad = {
-      enable = lib.mkEnableOption "Enable VPN";
-
-      listenPort = lib.mkOption {
-        type = lib.types.port;
-        default = 40421;
-        description = "wireguard local port";
-      };
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    orbekk.simple-firewall.allowedUDPPorts = [ cfg.listenPort ];
-
-    networking.wireguard = {
-      enable = true;
-      interfaces.mullvad = {
-        privateKeyFile = "/opt/secret/wireguard/mullvad.private";
-        ips = [ "10.70.90.245/32" "fc00:bbbb:bbbb:bb01::7:5af4/128" ];
-        allowedIPsAsRoutes = false;
-        listenPort = cfg.listenPort;
-        peers = [
-          {
-            endpoint = "ca10-wireguard.mullvad.net:51820";
-            publicKey = "pAVh6WJtyF7ktvavez399L4A615TXOAaUHQgpwJ4EHU=";
-            allowedIPs = [ "0.0.0.0/0" "::0/0" ];
-          }
-        ];
-      };
-    };
-  };
-}
diff --git a/modules/wireguard.nix b/modules/wireguard.nix
new file mode 100644
index 0000000..0188d90
--- /dev/null
+++ b/modules/wireguard.nix
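Review bot: The nycmesh policy routing added in the `postSetup` hook fails open: `ip rule add fwmark ${toString nycmeshMark} table nycmesh` steers VLAN-32 traffic into table nycmesh, but when the tunnel is down the `default dev nycmesh` route disappears, the table lookup misses and the kernel falls through to the main table, so traffic that was marked for the VPN leaves through the plain WAN. Adding a low-priority fallback in the same hook, `ip route replace unreachable default table nycmesh metric 1000`, or a ferm FORWARD rule that drops `${lan-dev}.32` traffic not leaving via `nycmesh`, keeps the VLAN fail-closed; the mullvad hook ending just above the hunk appears to have the same shape, so it is worth checking there too. There is also no `postShutdown` counterpart deleting the ip rule, so repeated interface restarts may accumulate duplicate rules — confirm against the mullvad interface, whose hooks lie outside the hunk.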
@@ -0,0 +1,55 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.orbekk.wireguard;
+in
+{
+  options = {
+    orbekk.wireguard = {
+      enable = lib.mkEnableOption "Enable VPN";
+      enableMullvad = lib.mkEnableOption "Enable Mullvad";
+      enableNycmesh = lib.mkEnableOption "Enable NYC Mesh";
+
+      listenPort = lib.mkOption {
+        type = lib.types.port;
+        default = 40421;
+        description = "wireguard local port";
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    orbekk.simple-firewall.allowedUDPPorts = [ cfg.listenPort ];
+
+    networking.wireguard = {
+      enable = true;
+      interfaces.mullvad = lib.mkIf cfg.enableMullvad {
+        privateKeyFile = "/opt/secret/wireguard/mullvad.private";
+        ips = [ "10.70.90.245/32" "fc00:bbbb:bbbb:bb01::7:5af4/128" ];
+        allowedIPsAsRoutes = false;
+        listenPort = cfg.listenPort;
+        peers = [
+          {
+            endpoint = "ca10-wireguard.mullvad.net:51820";
+            publicKey = "pAVh6WJtyF7ktvavez399L4A615TXOAaUHQgpwJ4EHU=";
+            allowedIPs = [ "0.0.0.0/0" "::0/0" ];
+          }
+        ];
+      };
+
+      interfaces.nycmesh = lib.mkIf cfg.enableNycmesh {
+        privateKeyFile = "/opt/secret/wireguard/nycmesh.private";
+        ips = [ "10.70.73.50/32" ];
+        allowedIPsAsRoutes = false;
+        listenPort = cfg.listenPort;
+        peers = [
+          {
+            endpoint = "wgvpn.sn1.mesh.nycmesh.net:51822";
+            publicKey = "W5AQ3LmNVr2bW/IQrIY1GpyacplGc2lpavoeSzU/KhQ=";
+            allowedIPs = [ "0.0.0.0/0" "::0/0" ];
+          }
+        ];
+      };
+    };
+  };
+}
-- 
cgit v1.2.3
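Review bot: Both `interfaces.mullvad` and `interfaces.nycmesh` set `listenPort = cfg.listenPort;`, so with `enableMullvad` and `enableNycmesh` both on the two WireGuard interfaces try to bind the same UDP port (40421 by default) and the second one cannot come up. Each interface has a fixed peer `endpoint`, so a fixed listen port is not needed for these outbound-initiated tunnels: dropping `listenPort = cfg.listenPort;` from the nycmesh block lets WireGuard pick an ephemeral port, or a second port option can be added and then also reflected in the router's `wireguardPort` ferm rule. Related, `orbekk.simple-firewall.allowedUDPPorts = [ cfg.listenPort ];` opens that port inbound although neither peer needs to initiate; consider guarding it behind an option or adding a comment on why it stays exposed. The option `description = "wireguard local port";` could also say that the port is shared by every enabled interface, which is what makes the conflict non-obvious.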