2024-02-09 19:39:50 +00:00
|
|
|
{ pkgs, ... }:
|
2024-02-04 00:11:26 +00:00
|
|
|
{
|
|
|
|
networking.useDHCP = false;
|
|
|
|
networking.bridges = {
|
|
|
|
"br0" = {
|
|
|
|
interfaces = [
|
|
|
|
"eno2"
|
|
|
|
"enp23s0"
|
|
|
|
];
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
networking.interfaces.br0.ipv4.addresses = [
|
|
|
|
{
|
|
|
|
address = "192.168.0.42";
|
|
|
|
prefixLength = 22;
|
|
|
|
}
|
|
|
|
];
|
|
|
|
|
|
|
|
networking.defaultGateway = "192.168.0.1";
|
|
|
|
networking.nameservers = [ "192.168.0.1" ];
|
2024-02-04 18:34:52 +00:00
|
|
|
|
2024-02-06 19:33:35 +00:00
|
|
|
networking.firewall.enable = false;
|
|
|
|
|
2024-02-04 18:34:52 +00:00
|
|
|
networking.wireguard.interfaces = {
|
|
|
|
wg0 = {
|
|
|
|
ips = [ "10.175.197.82/32" "fd7d:76ee:e68f:a993:f6b2:9dab:ddd3:a02/128" ];
|
|
|
|
privateKeyFile = "/run/secrets/services/wireguard/airvpn.private";
|
2024-02-06 19:33:35 +00:00
|
|
|
|
|
|
|
allowedIPsAsRoutes = false;
|
2024-02-04 18:34:52 +00:00
|
|
|
peers = [
|
|
|
|
{
|
|
|
|
publicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
|
|
|
|
presharedKeyFile = "/run/secrets/services/wireguard/airvpn.psk";
|
2024-02-06 19:33:35 +00:00
|
|
|
allowedIPs = [ "0.0.0.0/0" ];
|
2024-02-04 18:34:52 +00:00
|
|
|
endpoint = "134.19.179.213:1637";
|
|
|
|
persistentKeepalive = 25;
|
|
|
|
}
|
|
|
|
];
|
2024-02-09 18:13:52 +00:00
|
|
|
postSetup = [
|
|
|
|
# Force traffic from container networks through wg0
|
|
|
|
"ip route add table 2 default dev wg0"
|
|
|
|
"ip rule add from 192.168.100.0/24 table 2"
|
|
|
|
"ip rule add from 192.168.5.0/24 table 2"
|
|
|
|
# NAT
|
2024-02-09 19:39:50 +00:00
|
|
|
"${pkgs.iptables}/bin/iptables -I POSTROUTING -t nat -o wg0 -j MASQUERADE"
|
2024-02-09 18:13:52 +00:00
|
|
|
# Port forwarding
|
2024-02-09 19:39:50 +00:00
|
|
|
"${pkgs.iptables}/bin/iptables -A PREROUTING -t nat -p tcp -i wg0 --dport 51506 -j DNAT --to-destination 192.168.100.11:51506"
|
2024-02-09 18:13:52 +00:00
|
|
|
];
|
2024-02-04 18:34:52 +00:00
|
|
|
};
|
|
|
|
};
|
2024-02-09 19:39:50 +00:00
|
|
|
systemd.services.wireguard-wg0.preStop = [
|
|
|
|
# Force traffic from container networks through wg0
|
|
|
|
"ip rule del from 192.168.100.0/24 table 2"
|
|
|
|
"ip rule del from 192.168.5.0/24 table 2"
|
|
|
|
"ip route del table 2 default dev wg0"
|
|
|
|
# NAT
|
|
|
|
"${pkgs.iptables}/bin/iptables -D POSTROUTING -t nat -o wg0 -j MASQUERADE"
|
|
|
|
# Port forwarding
|
|
|
|
"${pkgs.iptables}/bin/iptables -D PREROUTING -t nat -p tcp -i wg0 --dport 51506 -j DNAT --to-destination 192.168.100.11:51506"
|
|
|
|
];
|
2024-02-04 00:11:26 +00:00
|
|
|
}
|