76 lines
2.3 KiB
Nix
76 lines
2.3 KiB
Nix
{ pkgs, ... }:
|
|
{
|
|
networking.useDHCP = false;
|
|
networking.bridges = {
|
|
"br0" = {
|
|
interfaces = [
|
|
"eno2"
|
|
"enp2s0"
|
|
"enp101s0"
|
|
"enp101s0d1"
|
|
];
|
|
};
|
|
};
|
|
|
|
networking.nat = {
|
|
enable = true;
|
|
internalInterfaces = ["ve-+"];
|
|
externalInterface = "br0";
|
|
enableIPv6 = true;
|
|
};
|
|
|
|
networking.interfaces.br0.ipv4.addresses = [
|
|
{
|
|
address = "192.168.0.42";
|
|
prefixLength = 22;
|
|
}
|
|
];
|
|
# networking.defaultGateway = "10.0.0.1";
|
|
networking.defaultGateway = "192.168.0.1";
|
|
networking.nameservers = [ "1.1.1.1" ];
|
|
|
|
networking.firewall.enable = false;
|
|
|
|
networking.wireguard.interfaces = {
|
|
wg0 = {
|
|
ips = [ "10.175.197.82/32" "fd7d:76ee:e68f:a993:f6b2:9dab:ddd3:a02/128" ];
|
|
privateKeyFile = "/run/secrets/services/wireguard/airvpn.private";
|
|
|
|
allowedIPsAsRoutes = false;
|
|
peers = [
|
|
{
|
|
publicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
|
|
presharedKeyFile = "/run/secrets/services/wireguard/airvpn.psk";
|
|
allowedIPs = [ "0.0.0.0/0" ];
|
|
endpoint = "134.19.179.213:1637";
|
|
persistentKeepalive = 25;
|
|
}
|
|
];
|
|
postSetup = [
|
|
# Force traffic from container networks through wg0
|
|
"ip route add table 2 default dev wg0"
|
|
"ip rule add from 192.168.100.0/24 table 2"
|
|
"ip rule add from 192.168.5.0/24 table 2"
|
|
# NAT
|
|
"${pkgs.iptables}/bin/iptables -I POSTROUTING -t nat -o wg0 -j MASQUERADE"
|
|
# c3moc NAT
|
|
"${pkgs.iptables}/bin/iptables -I POSTROUTING -t nat -o br0 -j MASQUERADE"
|
|
# Port forwarding
|
|
"${pkgs.iptables}/bin/iptables -A PREROUTING -t nat -p tcp -i wg0 --dport 51506 -j DNAT --to-destination 192.168.100.11:51506"
|
|
];
|
|
};
|
|
};
|
|
systemd.services.wireguard-wg0.preStop =
|
|
# Force traffic from container networks through wg0
|
|
"ip rule del from 192.168.100.0/24 table 2" +
|
|
"ip rule del from 192.168.5.0/24 table 2" +
|
|
"ip route del table 2 default dev wg0" +
|
|
# NAT
|
|
"${pkgs.iptables}/bin/iptables -D POSTROUTING -t nat -o wg0 -j MASQUERADE" +
|
|
# c3moc NAT
|
|
"${pkgs.iptables}/bin/iptables -D POSTROUTING -t nat -o br0 -j MASQUERADE" +
|
|
# Port Forwarding
|
|
"${pkgs.iptables}/bin/iptables -D PREROUTING -t nat -p tcp -i wg0 --dport 51506 -j DNAT --to-destination 192.168.100.11:51506"
|
|
;
|
|
}
|