foodogsquared/nixos-config
1
0
Fork 0
mirror of https://github.com/foo-dogsquared/nixos-config.git synced 2025-01-31 04:58:01 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

hosts/plover: update Wireguard "server" configuration

Browse Source
This commit is contained in:
Gabriel Arazas 2023-06-11 14:11:35 +08:00
parent 9857cabb07
commit 5949475aee
No known key found for this signature in database
GPG Key ID: ADE0C41DAB221FCC
1 changed files with 14 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
hosts/plover/modules/services/wireguard.nix
View File

@ -7,7 +7,8 @@ let
inherit (builtins) toString; inherit (builtins) toString;
inherit (import ../hardware/networks.nix) interfaces wireguardPort wireguardPeers; inherit (import ../hardware/networks.nix) interfaces wireguardPort wireguardPeers;
wireguardIFName = "wireguard0"; wireguardIFName = interfaces.wireguard0.ifname;
lanIFName = interfaces.internal.ifname;
desktopPeerAddresses = with wireguardPeers.desktop; [ "${IPv4}/32" "${IPv6}/128" ]; desktopPeerAddresses = with wireguardPeers.desktop; [ "${IPv4}/32" "${IPv6}/128" ];
phonePeerAddresses = with wireguardPeers.phone; [ "${IPv4}/32" "${IPv6}/128" ]; phonePeerAddresses = with wireguardPeers.phone; [ "${IPv4}/32" "${IPv6}/128" ];
@ -20,13 +21,22 @@ in
# Allow the UDP traffic for the Wireguard service. # Allow the UDP traffic for the Wireguard service.
allowedUDPPorts = [ wireguardPort ]; allowedUDPPorts = [ wireguardPort ];
# Accept the traffic from the Wireguard interface.
trustedInterfaces = [ wireguardIFName ];
# IP forwarding for specific interfaces. # IP forwarding for specific interfaces.
filterForward = true; filterForward = true;
extraForwardRules = ''
iifname ${wireguardIFName} oifname ${lanIFName} accept comment "IP forward from Wireguard interface to LAN"
'';
}; };
networking.nftables.ruleset = ''
table ip wireguard-${wireguardIFName} {
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
iifname ${wireguardIFName} oifname ${lanIFName} masquerade comment "Masquerade packets from Wireguard interface to LAN"
}
}
'';
# Since we're using systemd-networkd to configure interfaces, we can control # Since we're using systemd-networkd to configure interfaces, we can control
# how each interface can handle things such as IP masquerading so no need for # how each interface can handle things such as IP masquerading so no need for
# modifying sysctl settings like 'ipv4.ip_forward' or similar. # modifying sysctl settings like 'ipv4.ip_forward' or similar.