From bf8a48eae55bec89f06508136d65ee98ceace558 Mon Sep 17 00:00:00 2001
From: sinanmohd
Date: Sun, 17 Sep 2023 13:59:03 +0530
Subject: networking/wireguard: init

---
 hosts/kay/modules/wireguard.nix | 54 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 hosts/kay/modules/wireguard.nix
 (limited to 'hosts/kay/modules/wireguard.nix')

diff --git a/hosts/kay/modules/wireguard.nix b/hosts/kay/modules/wireguard.nix
new file mode 100644
index 0000000..4839280
--- /dev/null
+++ b/hosts/kay/modules/wireguard.nix
@@ -0,0 +1,54 @@
+{ config, ... }:
+
+let
+  wgInterface = "wg";
+  wanInterface = "ppp0";
+  subnet = "10.0.1.0";
+  prefix = 24;
+  port = 51820;
+in
+{
+  sops.secrets."misc/wireguard" = {};
+
+  networking = {
+    nat.enable = true;
+    firewall = {
+      allowedUDPPorts = [ port ];
+      extraCommands = ''
+        # nat datagrams comming through lanInterface to wanInterface
+        iptables -t nat -I POSTROUTING 1 -s ${subnet}/${toString prefix} -o ${wanInterface} -j MASQUERADE
+
+        # allow all traffic on lanInterface interface
+        iptables -I INPUT 1 -i ${wgInterface} -j ACCEPT
+
+        # forward rules
+        iptables -I FORWARD 1 -i ${wgInterface} -o ${wgInterface} -j ACCEPT
+        iptables -I FORWARD 1 -i ${wanInterface} -o ${wgInterface} -j ACCEPT
+        iptables -I FORWARD 1 -i ${wgInterface} -o ${wanInterface} -j ACCEPT
+      '';
+    };
+
+    wireguard.interfaces.${wgInterface} = {
+      ips = [ "10.0.1.1/${toString prefix}" ];
+      listenPort = port;
+      mtu = 1380; # 1460 (ppp0) - 80
+      privateKeyFile = config.sops.secrets."misc/wireguard".path;
+
+      peers = [
+        { # cez
+          publicKey = "IcMpAs/D0u8O/AcDBPC7pFUYSeFQXQpTqHpGOeVpjS8=";
+          allowedIPs = [ "10.0.1.2/32" ];
+        }
+        { # veu
+          publicKey = "bJ9aqGYD2Jh4MtWIL7q3XxVHFuUdwGJwO8p7H3nNPj8=";
+          allowedIPs = [ "10.0.1.3/32" ];
+        }
+      ];
+    };
+  };
+
+  services.dnsmasq.settings = {
+    no-dhcp-interface = wgInterface;
+    interface = [ wgInterface ];
+  };
+}
-- 
cgit v1.2.3
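Review bot: The WAN-to-tunnel forward rule in extraCommands, `iptables -I FORWARD 1 -i ${wanInterface} -o ${wgInterface} -j ACCEPT`, is stateless, so anything arriving on ppp0 with a route into 10.0.1.0/24 is forwarded to the peers rather than only the replies to connections they opened; the masquerade makes unsolicited inbound unlikely in practice, but the rule should still be `iptables -I FORWARD 1 -i ${wanInterface} -o ${wgInterface} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`. Because every rule is inserted at position 1 of the built-in INPUT/FORWARD chains, it sits ahead of the NixOS `nixos-fw` jump and, as far as I can tell, is not undone when the firewall unit restarts, so matching `-D` lines in `extraStopCommands` are needed to avoid duplicate rules on reload. The two comments also refer to a `lanInterface` that does not exist in this file; reword them to name `${wgInterface}`, e.g. `# nat datagrams coming through wgInterface to wanInterface` and `# allow all traffic arriving on the wireguard interface`.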