authormakefu <github@syntax-fehler.de>2022-06-06 21:25:30 +0200
committermakefu <github@syntax-fehler.de>2022-06-06 21:25:30 +0200
commite8eeaace1a1efc3eaae2b0475de93be210f82558 (patch)
tree17e8bfc7d36f22169806399a751de781db12d9c8 /makefu/2configs/wireguard
parent6630d29d4477c3e45bc57dced6fa97f49eb4886f (diff)
ma wireguard/server: clean up
Diffstat (limited to 'makefu/2configs/wireguard')
-rw-r--r--makefu/2configs/wireguard/server.nix88
1 files changed, 49 insertions, 39 deletions
diff --git a/makefu/2configs/wireguard/server.nix b/makefu/2configs/wireguard/server.nix
index c8fbfe6fb..bda250702 100644
--- a/makefu/2configs/wireguard/server.nix
+++ b/makefu/2configs/wireguard/server.nix
@@ -1,59 +1,69 @@
-{ config, ... }:
+{ config,pkgs, ... }:
let
ext-if = config.makefu.server.primary-itf;
in { # wireguard server
# opkg install wireguard luci-proto-wireguard
- # TODO: networking.nat
-
# boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
# conf.all.proxy_arp =1
networking.firewall = {
allowedUDPPorts = [ 51820 ];
- extraCommands = ''
- iptables -t nat -A POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE
- '';
+ };
+ networking.nat = {
+ enable = true;
+ #externalIP = "144.76.26.247";
+ #internalIPs = [ "10.244.0.0/24" ];
+ externalInterface = ext-if;
+ internalInterfaces = [ "wg0" ];
};
networking.wireguard.interfaces.wg0 = {
ips = [ "10.244.0.1/24" ];
listenPort = 51820;
privateKeyFile = (toString <secrets>) + "/wireguard.key";
- allowedIPsAsRoutes = true;
+ # allowedIPsAsRoutes = true;
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE
+ '';
+
+ # This undoes the above command
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE
+ '';
peers = [
- {
- # x
- allowedIPs = [ "10.244.0.2/32" ];
- publicKey = "fe5smvKVy5GAn7EV4w4tav6mqIAKhGWQotm7dRuRt1g=";
- }
- {
- # vbob
- allowedIPs = [ "10.244.0.3/32" ];
- publicKey = "Lju7EsCu1OWXhkhdNR7c/uiN60nr0TUPHQ+s8ULPQTw=";
- }
- {
- # x-test
- allowedIPs = [ "10.244.0.4/32" ];
- publicKey = "vZ/AJpfDLJyU3DzvYeW70l4FNziVgSTumA89wGHG7XY=";
- }
- {
- # work-router
- persistentKeepalive = 25;
- allowedIPs = [ "10.244.0.5/32" ];
- publicKey = "QJMwwYu/92koCASbHnR/vqe/rN00EV6/o7BGwLockDw=";
- }
- {
- # workr
- persistentKeepalive = 25;
- allowedIPs = [ "10.244.0.6/32" ];
- publicKey = "OFhCF56BrV9tjqW1sxqXEKH/GdqamUT1SqZYSADl5GA=";
- }
- {
- # mobile
- allowedIPs = [ "10.244.0.7/32" ];
- publicKey = "Y6fOW2QDt0SsHT7hSVzzJYQVB3JI/txO4/FDB54Z52A=";
- }
+ {
+ # x
+ allowedIPs = [ "10.244.0.2/32" ];
+ publicKey = "fe5smvKVy5GAn7EV4w4tav6mqIAKhGWQotm7dRuRt1g=";
+ }
+ {
+ # vbob
+ allowedIPs = [ "10.244.0.3/32" ];
+ publicKey = "Lju7EsCu1OWXhkhdNR7c/uiN60nr0TUPHQ+s8ULPQTw=";
+ }
+ {
+ # x-test
+ allowedIPs = [ "10.244.0.4/32" ];
+ publicKey = "vZ/AJpfDLJyU3DzvYeW70l4FNziVgSTumA89wGHG7XY=";
+ }
+ {
+ # work-router
+ persistentKeepalive = 25;
+ allowedIPs = [ "10.244.0.5/32" ];
+ publicKey = "QJMwwYu/92koCASbHnR/vqe/rN00EV6/o7BGwLockDw=";
+ }
+ {
+ # workr
+ persistentKeepalive = 25;
+ allowedIPs = [ "10.244.0.6/32" ];
+ publicKey = "OFhCF56BrV9tjqW1sxqXEKH/GdqamUT1SqZYSADl5GA=";
+ }
+ {
+ # mobile
+ allowedIPs = [ "10.244.0.7/32" ];
+ publicKey = "Y6fOW2QDt0SsHT7hSVzzJYQVB3JI/txO4/FDB54Z52A=";
+ }
];
};
# TODO: this issue is related to the router which connects to the host but is