tlaternet/tlaternet-server
1
0
Fork 0
Code Issues 10 Pull requests Activity

services: Add wireguard service

Browse source
This commit is contained in:
Tristan Daniël Maat 2023-04-23 23:42:25 +01:00
parent acd7cc802b
commit 14d29fa49d
Signed by: tlater
GPG key ID: 49670FD774E43268
4 changed files with 110 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

74
configuration/services/wireguard.nix Normal file
View file

@ -0,0 +1,74 @@
{config, ...}: {
# iptables needs to permit forwarding from wg0 to wg0
networking.firewall.extraCommands = ''
iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
# This ensures that we send messages with the correct MTU to any
# connecting host; without it, the weirdest errors occur
iptables -A FORWARD -i wg0 -o wg0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
'';
systemd.network = {
netdevs = {
"20-wg0" = {
netdevConfig = {
Name = "wg0";
Kind = "wireguard";
Description = "wg0 - wireguard tunnel";
};
wireguardConfig = {
ListenPort = 51820;
PrivateKeyFile = config.sops.secrets."wireguard/server-key".path;
# Public key: 73z3Pga/2BCxETYM/qCT2FM1JUCUvQ+Cp+8ROxjhu0w=
};
wireguardPeers = [
{
# yui
wireguardPeerConfig = {
AllowedIPs = ["10.45.249.2/32"];
PublicKey = "5mlnqEVJWks5OqgeFA2bLIrvST9TlCE81Btl+j4myz0=";
};
}
{
# yuanyuan
wireguardPeerConfig = {
AllowedIPs = ["10.45.249.10/32"];
PublicKey = "0UsFE2atz/O5P3OKQ8UHyyyGQNJbp1MeIWUJLuoerwE=";
};
}
];
};
};
networks = {
"20-wg0" = {
matchConfig.Name = "wg0";
networkConfig = {
Address = [
"10.45.249.1/32"
# TODO(tlater): Add IPv6 whenever that becomes relevant
];
IPForward = "yes";
IPv4ProxyARP = "yes";
};
routes = [
{
routeConfig = {
Source = "10.45.249.0/24";
Destination = "10.45.249.0/24";
Gateway = "10.45.249.1";
GatewayOnLink = "no";
};
}
];
linkConfig.RequiredForOnline = "no";
};
};
};
}