From ff7006318cd00a9b059927edd10e772c7e854dd2 Mon Sep 17 00:00:00 2001
From: Kjetil Orbekk
Date: Mon, 8 Mar 2021 19:57:51 -0500
Subject: mullvad setup

---
 config/router.nix | 4 ++++
 modules/mullvad.nix | 39 +++++++++++++++++++++++++++++++++++++++
 modules/simple-firewall.nix | 12 +++++-------
 3 files changed, 48 insertions(+), 7 deletions(-)
 create mode 100644 modules/mullvad.nix

diff --git a/config/router.nix b/config/router.nix
index 3003c0e..83a2d64 100644
--- a/config/router.nix
+++ b/config/router.nix
@@ -2,8 +2,11 @@ let
   wan-dev = "eno1";
   lan-dev = "eno2";
+  mullvadPort = config.orbekk.mullvad.listenPort;
 in
 {
+  orbekk.mullvad.enable = true;
+
   networking.networkmanager.enable = lib.mkForce false;
   networking.nameservers = [ "8.8.8.8" ];
@@ -61,6 +64,7 @@ in
         proto tcp dport ssh ACCEPT;
         proto (tcp udp) dport domain ACCEPT;
         proto tcp dport (http https) ACCEPT;
+        proto udp dport ${mullvadPort} ACCEPT;
       }
       interface $DEV_LAN @subchain "lan_services" {
diff --git a/modules/mullvad.nix b/modules/mullvad.nix
new file mode 100644
index 0000000..436a3b2
--- /dev/null
+++ b/modules/mullvad.nix
@@ -0,0 +1,39 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.orbekk.mullvad;
+in
+{
+  options = {
+    orbekk.mullvad = {
+      enable = lib.mkEnableOption "Enable VPN";
+
+      listenPort = lib.mkOption {
+        type = lib.types.port;
+        default = 40421;
+        description = "wireguard local port";
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    orbekk.simple-firewall.allowedUDPPorts = [ cfg.listenPort ];
+
+    networking.wireguard = {
+      enable = true;
+      interfaces.mullvad = {
+        privateKeyFile = "/opt/secret/wireguard/mullvad.private";
+        ips = [ "10.70.90.245/32" "fc00:bbbb:bbbb:bb01::7:5af4/128" ];
+        allowedIPsAsRoutes = false;
+        listenPort = cfg.listenPort;
+        peers = [
+          {
+            endpoint = "ca10-wireguard.mullvad.net:51820";
+            publicKey = "pAVh6WJtyF7ktvavez399L4A615TXOAaUHQgpwJ4EHU=";
+            allowedIPs = [ "0.0.0.0/0" "::0/0" ];
+          }
+        ];
+      };
+    };
+  };
+}
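Review bot: `mullvadPort = config.orbekk.mullvad.listenPort;` binds an integer (the option is declared with `lib.types.port`), and the second hunk of this file interpolates it into the ruleset string as `${mullvadPort}`; Nix does not coerce integers inside `${…}`, so evaluation should fail with an error along the lines of "cannot coerce an integer to a string". Convert once at the binding, `mullvadPort = toString config.orbekk.mullvad.listenPort;`, or write `${toString mullvadPort}` in the second hunk. The same port is also opened through `orbekk.simple-firewall.allowedUDPPorts` in modules/mullvad.nix, so if this router imports that module as well the WAN rule here duplicates it; a comment naming which firewall is authoritative on this host would help. The `let` block and the attribute set these lines sit in continue outside the hunk.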
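Review bot: `enable = lib.mkEnableOption "Enable VPN";` renders in the option docs as "Whether to enable Enable VPN." because mkEnableOption prepends "Whether to enable"; use a noun phrase, `enable = lib.mkEnableOption "the Mullvad WireGuard tunnel";`. The peer's `allowedIPs = [ "0.0.0.0/0" "::0/0" ]` combined with `allowedIPsAsRoutes = false` means enabling this module brings the interface up but installs no route, so traffic only enters the tunnel if policy routing is configured elsewhere — presumably in the router config, which this hunk does not show; a comment on `allowedIPsAsRoutes` naming where that routing lives would save the next reader the search. The account-specific `ips`, `endpoint` and `publicKey` are hard-coded while only `listenPort` is an option; lifting them into `lib.mkOption`s keeps the module reusable for another server or account without editing it. Using `privateKeyFile` rather than an inline key keeps the private key out of the world-readable Nix store, which is the right choice and is worth a one-line comment so nobody "simplifies" it later.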
diff --git a/modules/simple-firewall.nix b/modules/simple-firewall.nix
index f2b4405..7a3ad3e 100644
--- a/modules/simple-firewall.nix
+++ b/modules/simple-firewall.nix
@@ -23,8 +23,6 @@ in
   config = lib.mkIf cfg.enable {
     networking.firewall.enable = lib.mkForce false;
-
-    boot.blacklistedKernelModules = ["ip_tables"];
     networking.nftables.enable = true;
     networking.nftables.ruleset =
@@ -52,13 +50,13 @@ in
         ct state {established, related} accept
-        ip protocol icmp limit rate 4/second counter name icmp-allowed accept
-        ip6 nexthdr ipv6-icmp limit rate 4/second counter name icmp6-allowed accept
+        ip protocol icmp limit rate 4/second counter accept
+        ip6 nexthdr ipv6-icmp limit rate 4/second counter accept
-        tcp dport @allowed_tcp_ports counter name tcp-allowed accept
-        udp dport @allowed_udp_ports counter name udp-allowed accept
+        tcp dport @allowed_tcp_ports counter accept
+        udp dport @allowed_udp_ports counter accept
-        counter name dropped drop
+        counter drop
       }
       chain output {
-- 
cgit v1.2.3
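Review bot: Replacing `counter name dropped drop` with an anonymous `counter drop` (and likewise for the icmp/tcp/udp accept rules above it) loses the stable counter names that `nft list counters` exposed, so any monitoring that read those counters by name will silently stop seeing them. If the named counters were removed because the matching `counter … { }` objects were never declared in the table, which would make the ruleset fail to load, anonymous counters are a fine fix; otherwise declaring the objects is the smaller change and keeps the per-rule visibility. Either way the final drop is where a rate-limited log earns its keep for incident response: adding `limit rate 5/minute log prefix "nft-input-drop: "` as the line before `counter drop` preserves the existing verdict while leaving a trace of what was refused. The input chain this rule closes begins outside the hunk.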