summaryrefslogtreecommitdiffstats
path: root/makefu/2configs/wireguard/server.nix
diff options
context:
space:
mode:
authorlassulus <lassulus@lassul.us>2022-06-07 15:46:12 +0200
committerlassulus <lassulus@lassul.us>2022-06-07 15:46:12 +0200
commitb3786c3a74fce6a742649c37ab2ad1255f5864bf (patch)
treea5453da91d868781b2339722a4e7bf588993ac09 /makefu/2configs/wireguard/server.nix
parente6f67aa910f78ecf75f3a47a0794497148c60c2b (diff)
parent53855cd2d0dadb159215c5ed12e6d0be02dca98b (diff)
Merge remote-tracking branch 'gum/22.05'
Diffstat (limited to 'makefu/2configs/wireguard/server.nix')
-rw-r--r--makefu/2configs/wireguard/server.nix88
1 files changed, 49 insertions, 39 deletions
diff --git a/makefu/2configs/wireguard/server.nix b/makefu/2configs/wireguard/server.nix
index c8fbfe6fb..bda250702 100644
--- a/makefu/2configs/wireguard/server.nix
+++ b/makefu/2configs/wireguard/server.nix
@@ -1,59 +1,69 @@
-{ config, ... }:
+{ config,pkgs, ... }:
let
ext-if = config.makefu.server.primary-itf;
in { # wireguard server
# opkg install wireguard luci-proto-wireguard
- # TODO: networking.nat
-
# boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
# conf.all.proxy_arp =1
networking.firewall = {
allowedUDPPorts = [ 51820 ];
- extraCommands = ''
- iptables -t nat -A POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE
- '';
+ };
+ networking.nat = {
+ enable = true;
+ #externalIP = "144.76.26.247";
+ #internalIPs = [ "10.244.0.0/24" ];
+ externalInterface = ext-if;
+ internalInterfaces = [ "wg0" ];
};
networking.wireguard.interfaces.wg0 = {
ips = [ "10.244.0.1/24" ];
listenPort = 51820;
privateKeyFile = (toString <secrets>) + "/wireguard.key";
- allowedIPsAsRoutes = true;
+ # allowedIPsAsRoutes = true;
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE
+ '';
+
+ # This undoes the above command
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE
+ '';
peers = [
- {
- # x
- allowedIPs = [ "10.244.0.2/32" ];
- publicKey = "fe5smvKVy5GAn7EV4w4tav6mqIAKhGWQotm7dRuRt1g=";
- }
- {
- # vbob
- allowedIPs = [ "10.244.0.3/32" ];
- publicKey = "Lju7EsCu1OWXhkhdNR7c/uiN60nr0TUPHQ+s8ULPQTw=";
- }
- {
- # x-test
- allowedIPs = [ "10.244.0.4/32" ];
- publicKey = "vZ/AJpfDLJyU3DzvYeW70l4FNziVgSTumA89wGHG7XY=";
- }
- {
- # work-router
- persistentKeepalive = 25;
- allowedIPs = [ "10.244.0.5/32" ];
- publicKey = "QJMwwYu/92koCASbHnR/vqe/rN00EV6/o7BGwLockDw=";
- }
- {
- # workr
- persistentKeepalive = 25;
- allowedIPs = [ "10.244.0.6/32" ];
- publicKey = "OFhCF56BrV9tjqW1sxqXEKH/GdqamUT1SqZYSADl5GA=";
- }
- {
- # mobile
- allowedIPs = [ "10.244.0.7/32" ];
- publicKey = "Y6fOW2QDt0SsHT7hSVzzJYQVB3JI/txO4/FDB54Z52A=";
- }
+ {
+ # x
+ allowedIPs = [ "10.244.0.2/32" ];
+ publicKey = "fe5smvKVy5GAn7EV4w4tav6mqIAKhGWQotm7dRuRt1g=";
+ }
+ {
+ # vbob
+ allowedIPs = [ "10.244.0.3/32" ];
+ publicKey = "Lju7EsCu1OWXhkhdNR7c/uiN60nr0TUPHQ+s8ULPQTw=";
+ }
+ {
+ # x-test
+ allowedIPs = [ "10.244.0.4/32" ];
+ publicKey = "vZ/AJpfDLJyU3DzvYeW70l4FNziVgSTumA89wGHG7XY=";
+ }
+ {
+ # work-router
+ persistentKeepalive = 25;
+ allowedIPs = [ "10.244.0.5/32" ];
+ publicKey = "QJMwwYu/92koCASbHnR/vqe/rN00EV6/o7BGwLockDw=";
+ }
+ {
+ # workr
+ persistentKeepalive = 25;
+ allowedIPs = [ "10.244.0.6/32" ];
+ publicKey = "OFhCF56BrV9tjqW1sxqXEKH/GdqamUT1SqZYSADl5GA=";
+ }
+ {
+ # mobile
+ allowedIPs = [ "10.244.0.7/32" ];
+ publicKey = "Y6fOW2QDt0SsHT7hSVzzJYQVB3JI/txO4/FDB54Z52A=";
+ }
];
};
# TODO: this issue is related to the router which connects to the host but is