From 66a3255d3d05db54d649e61c9c29e6dbf9b56c85 Mon Sep 17 00:00:00 2001
From: Astro
Date: Wed, 23 Mar 2022 22:46:22 +0100
Subject: [PATCH] freifunk: get backbone tunnel to work

---
 hosts/containers/freifunk/default.nix | 48 +++++++++++++++++----------
 1 file changed, 31 insertions(+), 17 deletions(-)

diff --git a/hosts/containers/freifunk/default.nix b/hosts/containers/freifunk/default.nix
index 5d5a00d5..47550be5 100644
--- a/hosts/containers/freifunk/default.nix
+++ b/hosts/containers/freifunk/default.nix
@@ -7,6 +7,7 @@ let
 meshInterface = "bmx";
 meshLoopback = "bmx_prime";
 ddmeshRegisterUrl = "https://register.freifunk-dresden.de/bot.php";
+ ddmeshBroadcast = "10.255.255.255";
 inherit (pkgs.c3d2-freifunk) ddmeshRegisterKey;
 ddmeshNode = 51073;
 ddmeshAddrPart = "200.74";
@@ -19,7 +20,7 @@ let
 upstreamMark = 3;
 rt_table_upstream = 100;
 
- vpn6AddrPart = "200.2";
+ node51001AddrPart = "200.2";
 in {
 imports = [
 "${modulesPath}/profiles/minimal.nix"
@@ -60,6 +61,8 @@ in {
 ${pkgs.iptables}/bin/iptables -t nat -F POSTROUTING
 ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING \
 \! --source 10.200.0.0/15 -o ${meshInterface} -j SNAT --to 10.200.${ddmeshAddrPart}
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING \
+ \! --source 10.200.0.0/15 -o ipip-node51001 -j SNAT --to 10.200.${ddmeshAddrPart}
 ${pkgs.iptables}/bin/iptables -t nat -o bat0 -A POSTROUTING -j MASQUERADE
 set -e
 '';
@@ -75,7 +78,7 @@ in {
 '';
 };
 
- environment.systemPackages = with pkgs; [ tcpdump bmon wireguard-tools ];
+ environment.systemPackages = with pkgs; [ tcpdump bmon wireguard-tools iperf ];
 
 sops.secrets."wireguard/vpn6/privateKey" = {
 group = "systemd-network";
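Review bot: The new SNAT rule hard-codes the interface name `ipip-node51001`, which this commit also spells out literally in the netdev `Name`, the network `matchConfig.Name`, the `networkConfig.Tunnel` list and the bmx7 `dev=` argument (hunks on the second and third lines of this page), whereas the mesh interface in the rule directly above comes from the `meshInterface` let-binding. A binding such as `backboneTunnel = "ipip-node51001";` next to `node51001AddrPart` in the `let` block, used as `-o ${backboneTunnel}` here and in the other four places, would keep them in sync; this commit already had to rename the device once, from `ipip-vpn6`. Since the two SNAT rules then differ only in `-o`, a short comment stating that traffic not sourced from 10.200.0.0/15 is rewritten to the node's mesh address on both egress paths would also document why the rule appears twice. The shell block this hunk sits in starts and ends outside the hunk.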
@@ -83,10 +86,13 @@ in {
 };
 sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 
+ # unbreak wg-vpn6 ingress path
+ boot.kernel.sysctl."net.ipv4.conf.core.rp_filter" = 0;
+
 systemd.network = {
 netdevs = {
 # Dummy interface for primary (10.200) address
- bmx-prime = {
+ "10-bmx-prime" = {
 enable = true;
 netdevConfig = {
 Kind = "bridge";
@@ -94,11 +100,12 @@ in {
 };
 };
 # Freifunk Dresden Backbone
- wg-vpn6 = {
+ "31-wg-vpn6" = {
 enable = true;
 netdevConfig = {
 Name = "wg-vpn6";
 Kind = "wireguard";
+ MTUBytes = "1320";
 };
 wireguardConfig = {
 PrivateKeyFile = config.sops.secrets."wireguard/vpn6/privateKey".path;
@@ -111,19 +118,19 @@ in {
 # vpn6.freifunk-dresden.de
 Endpoint = "85.195.253.169:5006";
 PublicKey = "CIJa7xiRRIrLtEB7uyzwoyaQcpe0b8F2d16+3hk8KjU=";
- AllowedIPs = "10.203.${vpn6AddrPart}/32";
+ AllowedIPs = "10.203.0.0/16";
 };
 } ];
 };
- ipip-vpn6 = {
+ "32-ipip-node51001" = {
 enable = true;
 netdevConfig = {
- Name = "ipip-vpn6";
+ Name = "ipip-node51001";
 Kind = "ipip";
 };
 tunnelConfig = {
 Local = "10.203.${ddmeshAddrPart}";
- Remote = "10.203.${vpn6AddrPart}";
+ Remote = "10.203.${node51001AddrPart}";
 };
 };
 };
@@ -133,7 +140,10 @@ in {
 enable = true;
 matchConfig = { Name = meshInterface; };
 addresses = [{
- addressConfig.Address = "10.201.${ddmeshAddrPart}/16";
+ addressConfig = {
+ Address = "10.201.${ddmeshAddrPart}/16";
+ Broadcast = ddmeshBroadcast;
+ };
 }];
 };
 # Dummy interface for primary (10.200) address
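Review bot: `net.ipv4.conf.core.rp_filter` does not match any sysctl key I know of — the kernel exposes `all`, `default` and one entry per existing interface under `net.ipv4.conf` — so unless a device literally named `core` exists, sysctl will fail to apply this line at boot and reverse-path filtering on the wg-vpn6 ingress path stays as it was, which would hide whether the intended fix works at all. If a host-wide setting is what is wanted, `0` on `all` disables source-address validation for every interface in the container; loose mode tolerates the asymmetric backbone route while still dropping packets whose source is unreachable via any interface, e.g. `boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = 2;`. Note that the kernel applies the larger of the `all` and per-interface values, so a setting scoped to `wg-vpn6` only takes effect if `all` is not stricter. The comment should also name which path was asymmetric (presumably ipip ingress over wg-vpn6 with replies leaving via the marked upstream table) rather than just `unbreak`.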
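Review bot: Widening `AllowedIPs` from the single peer address to `10.203.0.0/16` changes WireGuard's cryptokey-routing ACL, not only the route: the vpn6 peer may now inject packets with any 10.203.x.x source through the tunnel, and everything this host addresses to that /16 is steered to that one peer, while the ipip `Remote` below still points only at 10.203.200.2 (`node51001AddrPart`). That is presumably intended, since the `/32` did not work and the `wg-vpn6` address is widened to `/16` in a later hunk, but nothing in the file says so; suggest `# vpn6 relays the whole 10.203.0.0/16 backbone (incl. the ipip Remote below); keep in sync with the /16 on wg-vpn6` above the `AllowedIPs` line. `MTUBytes = "1320"` likewise deserves a one-line note on how the value was derived, since the `ipip-node51001` netdev in the same hunk sets no MTU of its own and will inherit whatever results from this choice.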
@@ -148,17 +158,19 @@ in {
 enable = true;
 matchConfig.Name = "wg-vpn6";
 addresses = [{
- addressConfig.Address = "10.203.${ddmeshAddrPart}/32";
+ addressConfig.Address = "10.203.${ddmeshAddrPart}/16";
 }];
- routes = [ {
- routeConfig.Destination = "10.203.${vpn6AddrPart}/32";
- } ];
+ # reverse dependency
+ networkConfig.Tunnel = [ "ipip-node51001" ];
 };
- "32-ipip-vpn6" = {
+ "32-ipip-node51001" = {
 enable = true;
- matchConfig.Name = "ipip-vpn6";
+ matchConfig.Name = "ipip-node51001";
 addresses = [{
- addressConfig.Address = "10.201.${ddmeshAddrPart}/16";
+ addressConfig = {
+ Address = "10.201.${ddmeshAddrPart}/16";
+ Broadcast = ddmeshBroadcast;
+ };
 }];
 };
 # ZW
@@ -180,6 +192,8 @@ in {
 FirewallMark = upstreamMark;
 };
 } ];
+ # reverse dependency
+ networkConfig.Tunnel = [ "wg-vpn6" ];
 };
 };
 };
@@ -200,7 +214,7 @@ in {
 -r 3 --gateway_hysteresis 20 \
 dev=${meshLoopback} /linklayer 0 \
 dev=${meshInterface} /linklayer 1 \
- dev=ipip-vpn6 /linklayer 1
+ dev=ipip-node51001 /linklayer 1
 '';
 Restart = "always";
 };
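Review bot: The comment `# reverse dependency` on the new `networkConfig.Tunnel = [ "ipip-node51001" ]` does not say what depends on what; from the surrounding lines it appears to replace the removed `routes` block by having networkd stack the ipip netdev on `wg-vpn6`, with the route to the ipip `Remote` now coming from the address widened to `/16` two lines above. Suggest spelling that out, e.g. `# bring ipip-node51001 up on this link; its Remote is reached via the /16 above, which must match the peer's AllowedIPs`, and the same for the `Tunnel = [ "wg-vpn6" ]` line in the next hunk. Separately, `Broadcast = ddmeshBroadcast` (10.255.255.255) is set on `10.201.${ddmeshAddrPart}/16` both here and on the `bmx` network in the previous hunk, although that prefix's own broadcast would be 10.201.255.255; if bmx7 or the ddmesh firmware expects the class-A-wide broadcast, a comment next to `ddmeshBroadcast` in the `let` block should say so, otherwise this reads as a typo to the next maintainer.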