From 34dcd945d67a3644c6c8827229dd2c9833b09543 Mon Sep 17 00:00:00 2001
From: Astro
Date: Tue, 22 Mar 2022 22:27:47 +0100
Subject: [PATCH] freifunk: add vpn6 ipip tunnel
---
hosts/containers/freifunk/default.nix | 55 +++++++++++++++++----------
1 file changed, 35 insertions(+), 20 deletions(-)
diff --git a/hosts/containers/freifunk/default.nix b/hosts/containers/freifunk/default.nix
index 6ab8f7f7..5b301661 100644
--- a/hosts/containers/freifunk/default.nix
+++ b/hosts/containers/freifunk/default.nix
@@ -18,6 +18,8 @@ let upstreams = [ "upstream4" "upstream3" "upstream1" ]; upstreamMark = 3; rt_table_upstream = 100; + + vpn6AddrPart = "200.16"; in { imports = [ "${modulesPath}/profiles/minimal.nix"
@@ -84,7 +86,7 @@ in { systemd.network = { netdevs = { # Dummy interface for primary (10.200) address - bmx_prime = { + bmx-prime = { enable = true; netdevConfig = { Kind = "bridge";
@@ -92,10 +94,10 @@ in { }; }; # Freifunk Dresden Backbone - vpn6 = { + wg-vpn6 = { enable = true; netdevConfig = { - Name = "vpn6"; + Name = "wg-vpn6"; Kind = "wireguard"; }; wireguardConfig = {
@@ -108,10 +110,21 @@ in { wireguardPeerConfig = { Endpoint = "vpn4.freifunk-dresden.de:5007"; PublicKey = "7R3K3rGtCZprgqz5/iWql4yLg9BrsaNiv5XQwJ7csn4="; - AllowedIPs = "0.0.0.0/0"; + AllowedIPs = "10.203.${vpn6AddrPart}/32"; }; } ]; }; + ipip-vpn6 = { + enable = true; + netdevConfig = { + Name = "ipip-vpn6"; + Kind = "ipip"; + }; + tunnelConfig = { + Local = "10.203.${ddmeshAddrPart}"; + Remote = "10.203.${vpn6AddrPart}"; + }; + }; }; networks = { # Wired mesh interface
@@ -119,10 +132,7 @@ in { enable = true; matchConfig = { Name = meshInterface; }; addresses = [{ - addressConfig = { - Address = "10.201.${ddmeshAddrPart}/16"; - Broadcast = "10.255.255.255"; - }; + addressConfig.Address = "10.201.${ddmeshAddrPart}/16"; }]; }; # Dummy interface for primary (10.200) address
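Review bot: `vpn6AddrPart = "200.16";` in the `let` block is an undocumented magic value; a reader has to find the `AllowedIPs`, `Remote` and `routeConfig.Destination` uses further down to learn that it is the host part of the backbone peer's address inside 10.203.0.0/16. Add a comment above it, e.g. `# host part of the vpn6 backbone peer in 10.203.0.0/16 (used for wg AllowedIPs, ipip Remote and the /32 route)`. Naming it `vpn6PeerAddrPart` would also make clear that it is the remote side, unlike `ddmeshAddrPart`, which the diff uses for this host's own addresses.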
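Review bot: The new `ipip-vpn6` netdev sets `Local`/`Remote` in `tunnelConfig` but no `Independent = true;`; systemd-networkd treats a tunnel netdev as stacked on an underlying link by default and only creates it when some .network references it through `Tunnel=`, and the `31-wg-vpn6` network added in the -130 hunk does not. Unless such a reference exists outside the diff, the device never appears and the `dev=ipip-vpn6` argument given to bmxd in the -183 hunk names a missing interface. Either add `Independent = true;` to `tunnelConfig` or add `networkConfig.Tunnel = "ipip-vpn6";` to `31-wg-vpn6`. Narrowing `AllowedIPs` from `0.0.0.0/0` to `10.203.${vpn6AddrPart}/32` is the right move: WireGuard's cryptokey routing then drops any other inner source address from that peer, which is what keeps the otherwise unauthenticated ipip payload bound to the WireGuard path. The enclosing `wg-vpn6` netdev starts outside the hunk.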
@@ -130,20 +140,24 @@ in { enable = true; matchConfig = { Name = meshLoopback; }; addresses = [{ - addressConfig = { - Address = "10.200.${ddmeshAddrPart}/32"; - Broadcast = "10.255.255.255"; - }; + addressConfig.Address = "10.200.${ddmeshAddrPart}/32"; }]; }; - "12-vpn6" = { + "31-wg-vpn6" = { enable = true; - matchConfig.Name = "vpn6"; + matchConfig.Name = "wg-vpn6"; addresses = [{ - addressConfig = { - Address = "10.203.${ddmeshAddrPart}/16"; - Broadcast = "10.203.255.255"; - }; + addressConfig.Address = "10.203.${ddmeshAddrPart}/32"; + }]; + routes = [ { + routeConfig.Destination = "10.203.${vpn6AddrPart}/32"; + } ]; + }; + "32-ipip-vpn6" = { + enable = true; + matchConfig.Name = "ipip-vpn6"; + addresses = [{ + addressConfig.Address = "10.201.${ddmeshAddrPart}/16"; }]; }; # ZW
@@ -183,8 +197,9 @@ in { --purge_timeout 20 \ --one_way_tunnel 1 \ -r 3 --gateway_hysteresis 20 \ - dev=bmx_prime /linklayer 0 \ - dev=${meshInterface} /linklayer 1 + dev=${meshLoopback} /linklayer 0 \ + dev=${meshInterface} /linklayer 1 \ + dev=ipip-vpn6 /linklayer 1 ''; Restart = "always"; };
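Review bot: `32-ipip-vpn6` assigns `10.201.${ddmeshAddrPart}/16`, the same address and prefix the wired mesh interface keeps in the -119 hunk, so the kernel gets two connected routes for 10.201.0.0/16 on different links with the same default metric and which one wins for non-bmxd traffic is not obvious. If that is deliberate because bmxd owns routing on both links (the -183 hunk registers both with `/linklayer 1`), record it, e.g. `# same 10.201/16 as the wired mesh: bmxd treats the tunnel as another mesh link`. The new `/32` route for `10.203.${vpn6AddrPart}` on `wg-vpn6` is what sends the ipip outer packets through WireGuard; when `wg-vpn6` is down that route disappears and the tunnel's plaintext outer packets follow whatever other route matches, which deserves a comment next to `routeConfig.Destination` such as `# must stay on wg-vpn6: the ipip tunnel has no protection of its own`.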
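Review bot: `dev=ipip-vpn6` is the third place this interface name appears as a bare string (netdev `Name`, `matchConfig.Name`, and this bmxd argument); bind it once in the `let` block, e.g. `vpn6TunnelIf = "ipip-vpn6";`, and interpolate it the way `${meshInterface}` is, so a later rename cannot silently leave bmxd pointing at a device that no longer exists. The switch from `dev=bmx_prime` to `dev=${meshLoopback}` presumably relies on `meshLoopback` evaluating to the renamed `bmx-prime` netdev; that binding is outside the diff and is worth confirming. The `''` string holding the bmxd command line starts before this hunk.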