Fix WG configuration
This commit is contained in:
parent
006406e9a6
commit
e031606f96
10 changed files with 236 additions and 143 deletions
@ -159,40 +159,109 @@
|
|||
shell = pkgs.zsh;
|
||||
};
|
||||
|
||||
boot.kernel.sysctl = {
|
||||
"net.ipv4.conf.all.forwarding" = true;
|
||||
"net.ipv4.conf.default.forwarding" = true;
|
||||
};
|
||||
|
||||
|
||||
services.dnsmasq = {
|
||||
enable = true;
|
||||
settings = {
|
||||
server = [ "1.1.1.1" "8.8.8.8" ];
|
||||
interface = "wg0";
|
||||
};
|
||||
# extraConfig = ''
|
||||
# interface=wg0
|
||||
# '';
|
||||
};
|
||||
|
||||
networking = {
|
||||
firewall = {
|
||||
enable = true;
|
||||
allowPing = true;
|
||||
allowedTCPPorts = [ 51235 80 443 ];
|
||||
# allowedUDPPorts = [ ];
|
||||
allowedTCPPorts = [ 80 443 53 ];
|
||||
allowedUDPPorts = [ 53 51820 ];
|
||||
# interfaces.ens3.allowedTCPPorts = [ 52123 53 ];
|
||||
# interfaces.ens3.allowedUDPPorts = [ 53 ];
|
||||
# extraCommands = ''iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns'';
|
||||
};
|
||||
|
||||
nat = {
|
||||
enable = true;
|
||||
enableIPv6 = true;
|
||||
externalInterface = "ens3";
|
||||
internalInterfaces = [ "wg0" ];
|
||||
};
|
||||
|
||||
# wireguard = {
|
||||
# enable = true;
|
||||
# interfaces.wg0 = {
|
||||
# privateKeyFile = config.age.secrets.baldur_wg_priv.path;
|
||||
# ips = [ "10.10.10.1/24" "fc10:10:10::1/64" ];
|
||||
# listenPort = 52123;
|
||||
|
||||
# # # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
|
||||
# # postSetup = ''
|
||||
# # ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
|
||||
# # ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.10.10.1/24 -o ens3 -j MASQUERADE
|
||||
# # ${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
|
||||
# # ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s fc10:10:10::1/64 -o ens3 -j MASQUERADE
|
||||
# # '';
|
||||
|
||||
# # # Undo the above
|
||||
# # postShutdown = ''
|
||||
# # ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
|
||||
# # ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.10.10.1/24 -o ens3 -j MASQUERADE
|
||||
# # ${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT
|
||||
# # ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fc10:10:10::1/64 -o ens3 -j MASQUERADE
|
||||
# # '';
|
||||
|
||||
# peers = [
|
||||
# # {
|
||||
# # # baldur
|
||||
# # allowedIPs = [ "10.10.10.2/32" "fc10:10:10::2/128" ];
|
||||
# # publicKey = "K57ikgFSR1O0CXWBxfQEu7uxSOsp3ePj/NMRets5pVc=";
|
||||
# # presharedKeyFile = config.age.secrets.baldur_wg_psk.path;
|
||||
# # }
|
||||
# {
|
||||
# # odin
|
||||
# allowedIPs = [ "10.10.10.2/32" "fc10:10:10::2/128" ];
|
||||
# publicKey = "LDBhvzeYmHJ0z5ch+N559GWjT3It1gZvGR/9WtCfURw=";
|
||||
# # presharedKeyFile = config.age.secrets.odin_wg_psk.path;
|
||||
# }
|
||||
# ];
|
||||
# };
|
||||
# };
|
||||
wg-quick.interfaces.wg0 = {
|
||||
address = [
|
||||
"192.168.10.2/24"
|
||||
];
|
||||
address = [ "10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64" ];
|
||||
listenPort = 51820;
|
||||
privateKeyFile = config.age.secrets.baldur_wg_priv.path;
|
||||
|
||||
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
|
||||
postUp = ''
|
||||
${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
|
||||
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.1/24 -o ens3 -j MASQUERADE
|
||||
${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
|
||||
${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o ens3 -j MASQUERADE
|
||||
'';
|
||||
|
||||
# Undo the above
|
||||
preDown = ''
|
||||
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
|
||||
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.1/24 -o ens3 -j MASQUERADE
|
||||
${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT
|
||||
${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o ens3 -j MASQUERADE
|
||||
'';
|
||||
|
||||
peers = [
|
||||
{
|
||||
# baldur
|
||||
allowedIPs = [
|
||||
"192.168.10.1/24"
|
||||
];
|
||||
# endpoint = "demo.wireguard.io:12913";
|
||||
publicKey = "K57ikgFSR1O0CXWBxfQEu7uxSOsp3ePj/NMRets5pVc=";
|
||||
# presharedKeyFile = config.age.secrets.baldur_wg_psk.path;
|
||||
}
|
||||
{
|
||||
# odin
|
||||
allowedIPs = [
|
||||
"192.168.10.1/24"
|
||||
];
|
||||
# endpoint = "demo.wireguard.io:12913";
|
||||
publicKey = "AY2kVl9Znp79wrgHjmTUX5aagJKay7barD4BcMir5SY=";
|
||||
# presharedKeyFile = config.age.secrets.odin_wg_psk.path;
|
||||
publicKey = "LDBhvzeYmHJ0z5ch+N559GWjT3It1gZvGR/9WtCfURw=";
|
||||
presharedKeyFile = config.age.secrets.odin_wg_psk.path;
|
||||
allowedIPs = [ "10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128" ];
|
||||
}
|
||||
];
|
||||
privateKeyFile = config.age.secrets."${config.networking.hostName}_wg_priv".path;
|
||||
listenPort = 51235;
|
||||
};
|
||||
};
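Review bot: The new `networking.firewall` block opens TCP and UDP port 53 on every interface (`allowedTCPPorts = [ 80 443 53 ]`, `allowedUDPPorts = [ 53 51820 ]`) even though dnsmasq is meant to serve only the tunnel (`interface = "wg0"`), so on the public `ens3` the resolver is reachable from the internet and protection rests solely on dnsmasq's own interface filtering, which is the usual recipe for an open resolver usable for DNS amplification. Scope the DNS ports to the tunnel instead, e.g. `interfaces.wg0.allowedTCPPorts = [ 53 ]; interfaces.wg0.allowedUDPPorts = [ 53 ];` with only `51820` left in the global `allowedUDPPorts`, and add `bind-interfaces = true;` to `services.dnsmasq.settings` so the socket is bound to wg0 rather than the wildcard address. Separately, the `postUp`/`preDown` FORWARD and MASQUERADE rules duplicate what `networking.nat` with `internalInterfaces = [ "wg0" ]` and `enableIPv6 = true` already installs, so one of the two mechanisms should be dropped before they drift apart. The enclosing configuration attribute set starts before this hunk and the page shows old and new lines without markers, so I cannot tell which of the duplicated `allowedTCPPorts`, `privateKeyFile` and `listenPort` lines survive; this note assumes the `51820` / `baldur_wg_priv` variant is the one kept, and if any peer still carries a `/24` in `allowedIPs` it should be narrowed to that peer's single address.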
|
||||
|
||||
|
|
|
|||