Allow all IPs for wireguard interface without routing them

Ciapa 2024-02-04 20:12:00 +01:00
parent cb2ac4c8da
commit 855d3ada0a
2 changed files with 40 additions and 19 deletions


@ -1,4 +1,4 @@
{ ... }:
{ config, pkgs, lib, ... }:
{
networking.useDHCP = false;
networking.bridges = {
@ -27,20 +27,41 @@
enableIPv6 = true;
};
networking.wireguard.interfaces = {
wg0 = {
ips = [ "10.175.197.82/32" "fd7d:76ee:e68f:a993:f6b2:9dab:ddd3:a02/128" ];
privateKeyFile = "/run/secrets/services/wireguard/airvpn.private";
peers = [
{
publicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
presharedKeyFile = "/run/secrets/services/wireguard/airvpn.psk";
allowedIPs = [ "10.128.0.1" ];
endpoint = "134.19.179.213:1637";
persistentKeepalive = 25;
}
];
boot.extraModulePackages = [config.boot.kernelPackages.wireguard];
systemd.network = {
enable = true;
netdevs = {
"10-wg0" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg0";
MTUBytes = "1300";
};
wireguardConfig = {
PrivateKeyFile = "/run/secrets/services/wireguard/airvpn.private";
ListenPort = 9918;
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
PresharedKeyFile = "/run/secrets/services/wireguard/airvpn.psk";
AllowedIPs = ["10.128.0.1/32"];
Endpoint = "134.19.179.213:1637";
};
}
];
};
};
networks.wg0 = {
matchConfig.Name = "wg0";
address = [ "10.175.197.82/32" ];
DHCP = "no";
dns = [ "10.128.0.1" ];
gateway = [ "10.128.0.1" ];
networkConfig = {
IPv6AcceptRA = false;
};
};
};
}
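Review bot: The new peer block still has `AllowedIPs = ["10.128.0.1/32"];`, which does not match the commit title and conflicts with `gateway = [ "10.128.0.1" ];` in `networks.wg0`. A default route via wg0 sends every destination into the tunnel, but WireGuard only passes packets whose destination (outbound) or source (inbound) falls inside a peer's AllowedIPs, so anything other than 10.128.0.1 would be dropped. If the intent is to accept all addresses and leave routing to policy elsewhere, the peer needs `AllowedIPs = ["0.0.0.0/0" "::/0"];` and the `gateway` line should be removed. The migration also drops the IPv6 tunnel address and `persistentKeepalive = 25` from the old definition. Since `enableIPv6 = true;` appears in the context above, confirm that IPv6 traffic cannot leave outside the tunnel, and add `PersistentKeepalive = 25;` to `wireguardPeerConfig` if the host sits behind NAT.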


@ -11,14 +11,14 @@
# Wireguard
sops.secrets."services/wireguard/airvpn.private" = {
mode = "0400";
owner = config.users.users.root.name;
group = config.users.users.root.group;
owner = config.users.users.systemd-network.name;
group = config.users.users.systemd-network.group;
sopsFile = ./secrets/wireguard.yaml;
};
sops.secrets."services/wireguard/airvpn.psk" = {
mode = "0400";
owner = config.users.users.root.name;
group = config.users.users.root.group;
owner = config.users.users.systemd-network.name;
group = config.users.users.systemd-network.group;
sopsFile = ./secrets/wireguard.yaml;
};
}
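Review bot: The owner and group of both WireGuard secrets change from root to systemd-network with no comment explaining why, so a later cleanup could revert it and break the tunnel. A one-line comment above the two `sops.secrets` entries would record the reason, e.g. `# systemd-networkd reads PrivateKeyFile/PresharedKeyFile as the systemd-network user, so it must own these files`. Keeping `mode = "0400"` is right, since only that one account can read the key material. The other file hard-codes `/run/secrets/services/wireguard/airvpn.private` and the `.psk` path. Referencing `config.sops.secrets."services/wireguard/airvpn.private".path` there instead would keep the two files in step if the secret name ever changes. The enclosing attribute set starts outside this hunk.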