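{ config, ... }: {
  # WireGuard hub ("wg0") managed by systemd-networkd.
  #
  # This host is 10.45.249.1 inside the tunnel network 10.45.249.0/24 and
  # relays traffic between the peers listed below, so the kernel has to
  # forward wg0 -> wg0 and the firewall has to allow that forwarding.

  # iptables needs to permit forwarding from wg0 to wg0.
  #
  # NOTE(review): these rules are appended with `-A` every time the firewall
  # start script runs, and (as far as I recall) the NixOS iptables firewall
  # only flushes its own `nixos-fw*` chains, not FORWARD.  Without a matching
  # cleanup the two rules accumulate on every firewall restart/reload; the
  # `extraStopCommands` block below removes them again.
  networking.firewall.extraCommands = ''
    iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
    # This ensures that we send messages with the correct MTU to any
    # connecting host; without it, the weirdest errors occur
    iptables -A FORWARD -i wg0 -o wg0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  '';

  # Mirror of `extraCommands`: delete exactly the rules added above so that a
  # firewall stop/reload leaves no duplicates behind.  `-D` fails when the
  # rule is absent (first start), hence the `|| true`.
  networking.firewall.extraStopCommands = ''
    iptables -D FORWARD -i wg0 -o wg0 -j ACCEPT 2> /dev/null || true
    iptables -D FORWARD -i wg0 -o wg0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 2> /dev/null || true
  '';

  systemd.network = {
    netdevs = {
      "20-wg0" = {
        netdevConfig = {
          Name = "wg0";
          Kind = "wireguard";
          Description = "wg0 - wireguard tunnel";
        };

        wireguardConfig = {
          # UDP port the tunnel listens on.  Nothing in this file opens it in
          # the firewall; presumably that happens elsewhere - verify.
          ListenPort = 51820;
          # The private key is read from the sops-managed secret at runtime,
          # so it never ends up in the (world-readable) Nix store.
          PrivateKeyFile = config.sops.secrets."wireguard/server-key".path;
          # Public key: 73z3Pga/2BCxETYM/qCT2FM1JUCUvQ+Cp+8ROxjhu0w=
        };

        # One entry per client.  AllowedIPs is WireGuard's cryptokey-routing
        # table: packets decrypted from a peer are dropped unless their source
        # address is within the peer's AllowedIPs, and only packets destined
        # to those addresses are sent to that peer.  Keeping each peer at /32
        # pins every client to a single tunnel address.
        wireguardPeers = [
          {
            # yui
            wireguardPeerConfig = {
              AllowedIPs = [ "10.45.249.2/32" ];
              PublicKey = "5mlnqEVJWks5OqgeFA2bLIrvST9TlCE81Btl+j4myz0=";
            };
          }

          {
            # yuanyuan
            wireguardPeerConfig = {
              AllowedIPs = [ "10.45.249.10/32" ];
              PublicKey = "0UsFE2atz/O5P3OKQ8UHyyyGQNJbp1MeIWUJLuoerwE=";
            };
          }
        ];
      };
    };

    networks = {
      "20-wg0" = {
        matchConfig.Name = "wg0";

        networkConfig = {
          # Host address only (/32); reachability of the other tunnel
          # addresses comes from the explicit route below.
          Address = [
            "10.45.249.1/32"
            # TODO(tlater): Add IPv6 whenever that becomes relevant
          ];

          # Required for relaying between peers (see the FORWARD rules above).
          # NOTE(review): newer systemd versions deprecate `IPForward=` in
          # favour of `IPv4Forwarding=` - check against the deployed systemd.
          IPForward = "yes";
          IPv4ProxyARP = "yes";
        };

        # Route the whole tunnel network via this host's own tunnel address.
        # Source/Destination are both the /24; GatewayOnLink is left at "no".
        routes = [
          {
            routeConfig = {
              Source = "10.45.249.0/24";
              Destination = "10.45.249.0/24";
              Gateway = "10.45.249.1";
              GatewayOnLink = "no";
            };
          }
        ];

        # Boot must not wait for the tunnel to come up.
        linkConfig.RequiredForOnline = "no";
      };
    };
  };
}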