authortv <tv@krebsco.de>2018-09-16 02:11:05 +0200
committertv <tv@krebsco.de>2018-09-16 02:11:05 +0200
commit45c39cddad6d8d2d65b3a145648611c1e9c78737 (patch)
tree66f5ed7d2f09bf422b0e3128fadf449da428858e /makefu/2configs/wireguard
parent5487d466d0d9b596b054c545b499aecbbe56b5aa (diff)
parent0b3497384e7e67e734f5f771fcb5aa649ad964d2 (diff)
Merge remote-tracking branch 'prism/master'
Diffstat (limited to 'makefu/2configs/wireguard')
-rw-r--r--makefu/2configs/wireguard/server.nix52
1 files changed, 52 insertions, 0 deletions
diff --git a/makefu/2configs/wireguard/server.nix b/makefu/2configs/wireguard/server.nix
new file mode 100644
index 000000000..e38fa05cb
--- /dev/null
+++ b/makefu/2configs/wireguard/server.nix
@@ -0,0 +1,52 @@
+{ config, ... }:
+let
+ ext-if = config.makefu.server.primary-itf;
+in { # wireguard server
+
+ # opkg install wireguard luci-proto-wireguard
+
+ # TODO: networking.nat
+
+ # boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+ # conf.all.proxy_arp =1
+ networking.firewall = {
+ allowedUDPPorts = [ 51820 ];
+ extraCommands = ''
+ iptables -t nat -A POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE
+ '';
+ };
+
+ networking.wireguard.interfaces.wg0 = {
+ ips = [ "10.244.0.1/24" ];
+ listenPort = 51820;
+ privateKeyFile = (toString <secrets>) + "/wireguard.key";
+ allowedIPsAsRoutes = true;
+ peers = [
+ {
+ # x
+ allowedIPs = [ "10.244.0.2/32" ];
+ publicKey = "fe5smvKVy5GAn7EV4w4tav6mqIAKhGWQotm7dRuRt1g=";
+ }
+ {
+ # vbob
+ allowedIPs = [ "10.244.0.3/32" ];
+ publicKey = "Lju7EsCu1OWXhkhdNR7c/uiN60nr0TUPHQ+s8ULPQTw=";
+ }
+ {
+ # x-test
+ allowedIPs = [ "10.244.0.4/32" ];
+ publicKey = "vZ/AJpfDLJyU3DzvYeW70l4FNziVgSTumA89wGHG7XY=";
+ }
+ {
+ # work-router
+ allowedIPs = [ "10.244.0.5/32" ];
+ publicKey = "QJMwwYu/92koCASbHnR/vqe/rN00EV6/o7BGwLockDw=";
+ }
+ {
+ # workr
+ allowedIPs = [ "10.244.0.6/32" ];
+ publicKey = "OFhCF56BrV9tjqW1sxqXEKH/GdqamUT1SqZYSADl5GA=";
+ }
+ ];
+ };
+}
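Review bot: The MASQUERADE rule in `extraCommands` is appended with `-A` every time the firewall unit starts or reloads, and there is no matching `extraStopCommands`, so the nat POSTROUTING chain accumulates duplicate rules across restarts; add `extraStopCommands = '' iptables -t nat -D POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE 2>/dev/null || true '';` next to it. The rule is also matched on source address only, so it would masquerade any packet carrying a 10.244.0.0/24 source regardless of ingress interface; adding `-i wg0` to the rule (or using `networking.nat` with `internalInterfaces = [ "wg0" ]`, which the TODO comment already points at and which handles the cleanup and `ip_forward` too) keeps it scoped to the tunnel. As committed the forwarding sysctl is commented out, so the NAT rule presumably has no effect until forwarding is enabled somewhere else in the configuration.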