From e8eeaace1a1efc3eaae2b0475de93be210f82558 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 6 Jun 2022 21:25:30 +0200 Subject: ma wireguard/server: clean up --- makefu/2configs/wireguard/server.nix | 88 ++++++++++++++++++++---------------- 1 file changed, 49 insertions(+), 39 deletions(-) (limited to 'makefu/2configs/wireguard/server.nix') diff --git a/makefu/2configs/wireguard/server.nix b/makefu/2configs/wireguard/server.nix index c8fbfe6fb..bda250702 100644 --- a/makefu/2configs/wireguard/server.nix +++ b/makefu/2configs/wireguard/server.nix @@ -1,59 +1,69 @@ -{ config, ... }: +{ config,pkgs, ... }: let ext-if = config.makefu.server.primary-itf; in { # wireguard server # opkg install wireguard luci-proto-wireguard - # TODO: networking.nat - # boot.kernel.sysctl."net.ipv4.ip_forward" = 1; # conf.all.proxy_arp =1 networking.firewall = { allowedUDPPorts = [ 51820 ]; - extraCommands = '' - iptables -t nat -A POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE - ''; + }; + networking.nat = { + enable = true; + #externalIP = "144.76.26.247"; + #internalIPs = [ "10.244.0.0/24" ]; + externalInterface = ext-if; + internalInterfaces = [ "wg0" ]; }; networking.wireguard.interfaces.wg0 = { ips = [ "10.244.0.1/24" ]; listenPort = 51820; privateKeyFile = (toString ) + "/wireguard.key"; - allowedIPsAsRoutes = true; + # allowedIPsAsRoutes = true; + postSetup = '' + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE + ''; + + # This undoes the above command + postShutdown = '' + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE + ''; peers = [ - { - # x - allowedIPs = [ "10.244.0.2/32" ]; - publicKey = "fe5smvKVy5GAn7EV4w4tav6mqIAKhGWQotm7dRuRt1g="; - } - { - # vbob - allowedIPs = [ "10.244.0.3/32" ]; - publicKey = "Lju7EsCu1OWXhkhdNR7c/uiN60nr0TUPHQ+s8ULPQTw="; - } - { - # x-test - allowedIPs = [ "10.244.0.4/32" ]; - publicKey = "vZ/AJpfDLJyU3DzvYeW70l4FNziVgSTumA89wGHG7XY="; - } - { - # work-router - persistentKeepalive = 25; - allowedIPs = [ "10.244.0.5/32" ]; - publicKey = "QJMwwYu/92koCASbHnR/vqe/rN00EV6/o7BGwLockDw="; - } - { - # workr - persistentKeepalive = 25; - allowedIPs = [ "10.244.0.6/32" ]; - publicKey = "OFhCF56BrV9tjqW1sxqXEKH/GdqamUT1SqZYSADl5GA="; - } - { - # mobile - allowedIPs = [ "10.244.0.7/32" ]; - publicKey = "Y6fOW2QDt0SsHT7hSVzzJYQVB3JI/txO4/FDB54Z52A="; - } + { + # x + allowedIPs = [ "10.244.0.2/32" ]; + publicKey = "fe5smvKVy5GAn7EV4w4tav6mqIAKhGWQotm7dRuRt1g="; + } + { + # vbob + allowedIPs = [ "10.244.0.3/32" ]; + publicKey = "Lju7EsCu1OWXhkhdNR7c/uiN60nr0TUPHQ+s8ULPQTw="; + } + { + # x-test + allowedIPs = [ "10.244.0.4/32" ]; + publicKey = "vZ/AJpfDLJyU3DzvYeW70l4FNziVgSTumA89wGHG7XY="; + } + { + # work-router + persistentKeepalive = 25; + allowedIPs = [ "10.244.0.5/32" ]; + publicKey = "QJMwwYu/92koCASbHnR/vqe/rN00EV6/o7BGwLockDw="; + } + { + # workr + persistentKeepalive = 25; + allowedIPs = [ "10.244.0.6/32" ]; + publicKey = "OFhCF56BrV9tjqW1sxqXEKH/GdqamUT1SqZYSADl5GA="; + } + { + # mobile + allowedIPs = [ "10.244.0.7/32" ]; + publicKey = "Y6fOW2QDt0SsHT7hSVzzJYQVB3JI/txO4/FDB54Z52A="; + } ]; }; # TODO: this issue is related to the router which connects to the host but is -- cgit v1.2.3