From 5172f21a5474c854af9e6ac151b4a962ff165e4e Mon Sep 17 00:00:00 2001
From: muon
Date: Tue, 27 Aug 2024 23:15:09 +0000
Subject: [PATCH] Add wg-quick
---
 modules/nixos/core/network.nix | 32 ++++++++---
 modules/nixos/server/wireguard.nix | 86 +++++++++++++++++++++++-------
 2 files changed, 92 insertions(+), 26 deletions(-)
diff --git a/modules/nixos/core/network.nix b/modules/nixos/core/network.nix
index 72efa7e..c07f5b5 100644
--- a/modules/nixos/core/network.nix
+++ b/modules/nixos/core/network.nix
@@ -22,21 +22,20 @@ remote.config = ''config ${config.mods.openvpn.config}''; }; - networking.firewall = lib.mkIf config.mods.wireguard.enable { allowedUDPPorts = [ 51820 ]; # Clients and peers can use the same port, see listenport }; - networking.wireguard.interfaces = lib.mkIf config.mods.wireguard.enable { + networking.wg-quick.interfaces = lib.mkIf config.mods.wireguard.enable { wg0 = { - ips = [ "10.100.0.2/24" ]; - listenPort = 51820; - + address = [ "10.0.0.2/24" "fdc9:281f:04d7:9ee9::2/64" ]; + dns = [ "10.0.0.1" "fdc9:281f:04d7:9ee9::1" ]; privateKeyFile = "/home/muon/wireguard-keys/private"; - + peers = [ { publicKey = "2RF8GmTZwQdzVm2l2piYy6U0qiMU3wSxC7Lt8urAjwA="; - allowedIPs = [ "0.0.0.0/0" ]; + presharedKeyFile = "/home/muon/wireguard-keys/psk-muon"; + allowedIPs = [ "0.0.0.0/0" "::/0" ]; # ip route add 93.95.230.11 via 192.168.0.1 endpoint = "93.95.230.11:51820"; persistentKeepalive = 25;
@@ -45,5 +44,24 @@ }; }; + # networking.wireguard.interfaces = lib.mkIf config.mods.wireguard.enable { + # wg0 = { + # ips = [ "10.100.0.2/24" ]; + # listenPort = 51820; + # privateKeyFile = "/home/muon/wireguard-keys/private"; + # peers = [ + # { + # publicKey = "2RF8GmTZwQdzVm2l2piYy6U0qiMU3wSxC7Lt8urAjwA="; + # allowedIPs = [ "0.0.0.0/0" ]; + # # ip route add 93.95.230.11 via 192.168.0.1 + # endpoint = "93.95.230.11:51820"; + # persistentKeepalive = 25; + # } + # ]; + # }; + # }; + }; }
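Review bot: The client keeps `allowedUDPPorts = [ 51820 ]` in `networking.firewall` while this hunk removes the `listenPort` that the rule's comment ("see listenport") points at; with wg-quick and no `listenPort` the client binds a random port and, given `persistentKeepalive = 25`, initiates every session itself, so the inbound rule and its stale comment can be dropped to shrink the exposed surface. The new `presharedKeyFile` joins `privateKeyFile` under `/home/muon/wireguard-keys/`, a directory the user account controls even though wg-quick reads the files as root; a root-owned location with mode 0600 would keep the tunnel's secrets out of the unprivileged user's reach. The `# ip route add 93.95.230.11 via 192.168.0.1` comment appears to predate wg-quick, which sets up its own policy routing for the endpoint when `allowedIPs` covers `0.0.0.0/0` and `::/0`, so it should be reworded or removed once that manual route is confirmed unnecessary. `dns` now sends every lookup to the server, so name resolution on this host depends on the resolver configured in `modules/nixos/server/wireguard.nix` being reachable through the tunnel.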
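Review bot: The added lines are the old `networking.wireguard.interfaces` block commented out, which leaves a second copy of the key path and peer data in the file with no indication of whether it is meant to be restored; the git history already preserves it, so the block should be deleted rather than commented out. The same commented-out copy is added at the end of `modules/nixos/server/wireguard.nix` in this patch and should go as well.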
diff --git a/modules/nixos/server/wireguard.nix b/modules/nixos/server/wireguard.nix
index 5b21e65..ca61000 100644
--- a/modules/nixos/server/wireguard.nix
+++ b/modules/nixos/server/wireguard.nix
@@ -8,38 +8,86 @@ config = lib.mkIf config.mods.server.wireguard.enable { - networking.nat.enable = true; - networking.nat.externalInterface = "ens3"; - networking.nat.internalInterfaces = [ "wg0" ]; + networking.nat = { + enable = true; + enableIPv6 = true; + externalInterface = "ens3"; + internalInterfaces = [ "wg0" ]; + }; networking.firewall = { - allowedUDPPorts = [ 51820 ]; + allowedTCPPorts = [ 53 ]; + allowedUDPPorts = [ 53 51820 ]; }; - networking.wireguard.interfaces = { + networking.wg-quick.interfaces = { + # "wg0" is the network interface name. You can name the interface arbitrarily. wg0 = { - ips = [ "10.100.0.1/24" ]; - + # Determines the IP/IPv6 address and subnet of the client's end of the tunnel interface + address = [ "10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64" ]; + # The port that WireGuard listens to - recommended that this be changed from default listenPort = 51820; - - postSetup = '' - ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE - ''; - - # This undoes the above command - postShutdown = '' - ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE - ''; - + # Path to the server's private key privateKeyFile = "/home/muon/wireguard-keys/private"; + # This allows the wireguard server to route your traffic to the internet and hence be like a VPN + postUp = '' + ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.1/24 -o ens3 -j MASQUERADE + ${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT + ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o ens3 -j MASQUERADE + ''; + + # Undo the above + preDown = '' + ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.1/24 -o ens3 -j MASQUERADE + ${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT + ${pkgs.iptables}/bin/ip6tables -t nat -D 
POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o ens3 -j MASQUERADE + ''; + peers = [ - { + { # peer0 publicKey = "MDBdADwP/SE/T9cadXB1Mup7Dr3x+l6gBFBN83BU4Dg="; - allowedIPs = [ "10.100.0.2/32" ]; + presharedKeyFile = "/home/muon/wireguard-keys/psk-muon"; + allowedIPs = [ "10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128" ]; } + # More peers can be added here. ]; }; }; + services.dnsmasq = { + enable = true; + extraConfig = '' + interface=wg0 + ''; + }; + + # networking.wireguard.interfaces = { + # wg0 = { + # ips = [ "10.100.0.1/24" ]; + + # listenPort = 51820; + + # postSetup = '' + # ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE + # ''; + + # # This undoes the above command + # postShutdown = '' + # ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE + # ''; + + # privateKeyFile = "/home/muon/wireguard-keys/private"; + + # peers = [ + # { + # publicKey = "MDBdADwP/SE/T9cadXB1Mup7Dr3x+l6gBFBN83BU4Dg="; + # allowedIPs = [ "10.100.0.2/32" ]; + # } + # ]; + # }; + # }; + }; }
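Review bot: `allowedTCPPorts = [ 53 ]` and `allowedUDPPorts = [ 53 51820 ]` open DNS on every interface, including the external `ens3`, so the dnsmasq instance added further down becomes reachable from the internet; `interface=wg0` makes dnsmasq ignore queries arriving on other interfaces, but the host firewall should not depend on that, and a resolver answering on a public address is a standing amplification risk. Limiting port 53 to the tunnel via `networking.firewall.interfaces.wg0` and leaving only 51820 global, as in the fence below, closes that gap. The `postUp`/`preDown` iptables rules also look redundant with `networking.nat` now that it lists `wg0` in `internalInterfaces` and sets `enableIPv6 = true`, since that module appears to install the MASQUERADE rules itself; keeping both means two copies of each rule and a `-D` in `preDown` that removes only one, so if the NAT module's rules are confirmed sufficient the hooks can be dropped. `-s 10.0.0.1/24` and `-s fdc9:281f:04d7:9ee9::1/64` carry host bits that iptables masks away; writing the network addresses `10.0.0.0/24` and `fdc9:281f:04d7:9ee9::/64` states the intent directly. The module header enclosing `config = lib.mkIf ...` sits above the hunk.
```nix
networking.firewall = {
  allowedUDPPorts = [ 51820 ];
  # DNS is only reachable from inside the tunnel, never on ens3
  interfaces.wg0 = {
    allowedTCPPorts = [ 53 ];
    allowedUDPPorts = [ 53 ];
  };
};
# … unchanged: networking.nat, networking.wg-quick.interfaces, services.dnsmasq …
```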